164 files changed, 6844 insertions, 3676 deletions
diff --git a/CREDITS b/CREDITS
index ef267530a..0c8668473 100644
--- a/CREDITS
+++ b/CREDITS
@@ -76,6 +76,7 @@ Phill Camp <P.S.S.Camp@ukc.ac.uk> - login code fix
 Rip Loomis <loomisg@cist.saic.com> - Solaris package support, fixes
 SAKAI Kiyotaka <ksakai@kso.netwk.ntt-at.co.jp> - Multiple bugfixes
 Simon Wilkinson <sxw@dcs.ed.ac.uk> - PAM fixes, Compat with MIT KrbV
+Solar Designer <solar@openwall.com> - many patches and technical assistance
 Svante Signell <svante.signell@telia.com> - Bugfixes
 Thomas Neumann <tom@smart.ruhr.de> - Shadow passwords
 Tim Rice <tim@multitalents.net> - Portability & SCO fixes
@@ -90,5 +91,5 @@ Apologies to anyone I have missed.
 Damien Miller <djm@mindrot.org>
-$Id: CREDITS,v 1.66 2002/04/13 01:04:40 djm Exp $
+$Id: CREDITS,v 1.67 2002/07/28 20:31:19 stevesk Exp $
diff --git a/ChangeLog b/ChangeLog
index 67cd6caba..87604663b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,599 @@
+20021003
+ - (djm) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2002/10/01 20:34:12
+     [ssh-agent.c]
+     allow root to access the agent, since there is no protection from root.
+   - markus@cvs.openbsd.org 2002/10/01 13:24:50
+     [version.h]
+     OpenSSH 3.5
+ - (djm) Bump RPM spec version numbers
+ - (djm) Bug #406 s/msg_send/ssh_msh_send/ for Mac OS X 1.2
+20020930
+ - (djm) Tidy contrib/, add Makefile for GNOME passphrase dialogs, 
+   tweak README
+ - (djm) OpenBSD CVS Sync
+   - mickey@cvs.openbsd.org 2002/09/27 10:42:09
+     [compat.c compat.h sshd.c]
+     add a generic match for a prober, such as sie big brother; 
+     idea from stevesk@; markus@ ok
+   - stevesk@cvs.openbsd.org 2002/09/27 15:46:21
+     [ssh.1]
+     clarify compression level protocol 1 only; ok markus@ deraadt@
+20020927
+ - (djm) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2002/09/25 11:17:16
+     [sshd_config]
+     sync LoginGraceTime with default
+   - markus@cvs.openbsd.org 2002/09/25 15:19:02
+     [sshd.c]
+     typo; pilot@monkey.org
+   - markus@cvs.openbsd.org 2002/09/26 11:38:43
+     [auth1.c auth.h auth-krb4.c monitor.c monitor.h monitor_wrap.c]
+     [monitor_wrap.h]
+     krb4 + privsep; ok dugsong@, deraadt@
+20020925
+ - (bal) Fix issue where successfull login does not clear failure counts
+   in AIX.  Patch by dtucker@zip.com.au ok by djm
+ - (tim) Cray fixes (bug 367) based on patch from Wendy Palm @ cray.
+    This does not include the deattack.c fixes.
+20020923
+ - (djm) OpenBSD CVS Sync
+   - stevesk@cvs.openbsd.org 2002/09/23 20:46:27
+     [canohost.c]
+     change get_peer_ipaddr() and get_local_ipaddr() to not return NULL for
+     non-sockets; fixes a problem passing NULL to snprintf(). ok markus@
+   - markus@cvs.openbsd.org 2002/09/23 22:11:05
+     [monitor.c]
+     only call auth_krb5 if kerberos is enabled; ok deraadt@
+   - markus@cvs.openbsd.org 2002/09/24 08:46:04
+     [monitor.c]
+     only call kerberos code for authctxt->valid
+   - todd@cvs.openbsd.org 2002/09/24 20:59:44
+     [sshd.8]
+     tweak the example $HOME/.ssh/rc script to not show on any cmdline the
+     sensitive data it handles. This fixes bug # 402 as reported by
+     kolya@mit.edu (Nickolai Zeldovich).
+     ok markus@ and stevesk@
+20020923
+ - (tim) [configure.ac] s/return/exit/ patch by dtucker@zip.com.au
+20020922
+ - (djm) OpenBSD CVS Sync
+   - stevesk@cvs.openbsd.org 2002/09/19 14:53:14
+     [compat.c]
+   - markus@cvs.openbsd.org 2002/09/19 15:51:23
+     [ssh-add.c]
+     typo; cd@kalkatraz.de
+   - stevesk@cvs.openbsd.org 2002/09/19 16:03:15
+     [serverloop.c]
+     log IP address also; ok markus@
+   - stevesk@cvs.openbsd.org 2002/09/20 18:41:29
+     [auth.c]
+     log illegal user here for missing privsep case (ssh2).
+     this is executed in the monitor. ok markus@
+20020919
+ - (djm) OpenBSD CVS Sync
+   - stevesk@cvs.openbsd.org 2002/09/12 19:11:52
+     [ssh-agent.c]
+     %u for uid print; ok markus@
+   - stevesk@cvs.openbsd.org 2002/09/12 19:50:36
+     [session.c ssh.1]
+     add SSH_CONNECTION and deprecate SSH_CLIENT; bug #384.  ok markus@
+   - stevesk@cvs.openbsd.org 2002/09/13 19:23:09
+     [channels.c sshconnect.c sshd.c]
+     remove use of SO_LINGER, it should not be needed. error check
+     SO_REUSEADDR. fixup comments. ok markus@
+   - stevesk@cvs.openbsd.org 2002/09/16 19:55:33
+     [session.c]
+     log when _PATH_NOLOGIN exists; ok markus@
+   - stevesk@cvs.openbsd.org 2002/09/16 20:12:11
+     [sshd_config.5]
+     more details on X11Forwarding security issues and threats; ok markus@
+   - stevesk@cvs.openbsd.org 2002/09/16 22:03:13
+     [sshd.8]
+     reference moduli(5) in FILES /etc/moduli.
+   - itojun@cvs.openbsd.org 2002/09/17 07:47:02
+     [channels.c]
+     don't quit while creating X11 listening socket.
+     http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
+     got from portable.  markus ok
+   - djm@cvs.openbsd.org 2002/09/19 01:58:18
+     [ssh.c sshconnect.c]
+     bugzilla.mindrot.org #223 - ProxyCommands don't exit.
+     Patch from dtucker@zip.com.au; ok markus@
+20020912
+ - (djm) Made GNOME askpass programs return non-zero if cancel button is 
+   pressed.
+ - (djm) Added getpeereid() replacement. Properly implemented for systems
+   with SO_PEERCRED support. Faked for systems which lack it.
+ - (djm) Sync sys/tree.h with OpenBSD -current. Rename tree.h and 
+   fake-queue.h to sys-tree.h and sys-queue.h
+ - (djm) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2002/09/08 20:24:08
+     [hostfile.h]
+     no comma at end of enumerator list
+   - itojun@cvs.openbsd.org 2002/09/09 06:48:06
+     [auth1.c auth.h auth-krb5.c monitor.c monitor.h]
+     [monitor_wrap.c monitor_wrap.h]
+     kerberos support for privsep.  confirmed to work by lha@stacken.kth.se
+     patch from markus
+   - markus@cvs.openbsd.org 2002/09/09 14:54:15
+     [channels.c kex.h key.c monitor.c monitor_wrap.c radix.c uuencode.c]
+     signed vs unsigned from -pedantic; ok henning@
+   - markus@cvs.openbsd.org 2002/09/10 20:24:47
+     [ssh-agent.c]
+     check the euid of the connecting process with getpeereid(2); 
+     ok provos deraadt stevesk
+   - stevesk@cvs.openbsd.org 2002/09/11 17:55:03
+     [ssh.1]
+     add agent and X11 forwarding warning text from ssh_config.5; ok markus@
+   - stevesk@cvs.openbsd.org 2002/09/11 18:27:26
+     [authfd.c authfd.h ssh.c]
+     don't connect to agent to test for presence if we've previously
+     connected; ok markus@
+   - djm@cvs.openbsd.org 2002/09/11 22:41:50
+     [sftp.1 sftp-client.c sftp-client.h sftp-common.c sftp-common.h]
+     [sftp-glob.c sftp-glob.h sftp-int.c sftp-server.c]
+     support for short/long listings and globbing in "ls"; ok markus@
+   - djm@cvs.openbsd.org 2002/09/12 00:13:06
+     [sftp-int.c]
+     zap unused var introduced in last commit
+20020911
+ - (djm) Sync openbsd-compat with OpenBSD -current
+20020910
+ - (djm) Bug #365: Read /.ssh/environment properly under CygWin. 
+   Patch from Mark Bradshaw <bradshaw@staff.crosswalk.com>
+ - (djm) Bug #138: Make protocol 1 blowfish work with old OpenSSL. 
+   Patch from Robert Halubek <rob@adso.com.pl>
+20020905 
+ - (djm) OpenBSD CVS Sync
+   - stevesk@cvs.openbsd.org 2002/09/04 18:52:42
+     [servconf.c sshd.8 sshd_config.5]
+     default LoginGraceTime to 2m; 1m may be too short for slow systems.
+     ok markus@
+ - (djm) Merge openssh-TODO.patch from Redhat (null) beta
+ - (djm) Add gnome-ssh-askpass2.c (gtk2) by merge with patch from 
+    Nalin Dahyabhai <nalin@redhat.com>
+ - (djm) Add support for building gtk2 password requestor from Redhat beta
+20020903
+ - (djm) Patch from itojun@ for Darwin OS: test getaddrinfo, reorder libcrypt
+ - (djm) Fix Redhat RPM build dependancy test
+ - (djm) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2002/08/12 10:46:35
+     [ssh-agent.c]
+     make ssh-agent setgid, disallow ptrace.
+   - espie@cvs.openbsd.org 2002/08/21 11:20:59
+     [sshd.8]
+     `RSA' updated to refer to `public key', where it matters.
+     okay markus@
+   - stevesk@cvs.openbsd.org 2002/08/21 19:38:06
+     [servconf.c sshd.8 sshd_config sshd_config.5]
+     change LoginGraceTime default to 1 minute; ok mouring@ markus@
+   - stevesk@cvs.openbsd.org 2002/08/21 20:10:28
+     [ssh-agent.c]
+     raise listen backlog; ok markus@
+   - stevesk@cvs.openbsd.org 2002/08/22 19:27:53
+     [ssh-agent.c]
+     use common close function; ok markus@
+   - stevesk@cvs.openbsd.org 2002/08/22 19:38:42
+     [clientloop.c]
+     format with current EscapeChar; bugzilla #388 from wknox@mitre.org.
+     ok markus@
+   - stevesk@cvs.openbsd.org 2002/08/22 20:57:19
+     [ssh-agent.c]
+     shutdown(SHUT_RDWR) not needed before close here; ok markus@
+   - markus@cvs.openbsd.org 2002/08/22 21:33:58
+     [auth1.c auth2.c]
+     auth_root_allowed() is handled by the monitor in the privsep case,
+     so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325
+   - markus@cvs.openbsd.org 2002/08/22 21:45:41
+     [session.c]
+     send signal name (not signal number) in "exit-signal" message; noticed
+     by galb@vandyke.com
+   - stevesk@cvs.openbsd.org 2002/08/27 17:13:56
+     [ssh-rsa.c]
+     RSA_public_decrypt() returns -1 on error so len must be signed; 
+     ok markus@
+   - stevesk@cvs.openbsd.org 2002/08/27 17:18:40
+     [ssh_config.5]
+     some warning text for ForwardAgent and ForwardX11; ok markus@
+   - stevesk@cvs.openbsd.org 2002/08/29 15:57:25
+     [monitor.c session.c sshlogin.c sshlogin.h]
+     pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org>
+     NOTE: there are also p-specific parts to this patch. ok markus@
+   - stevesk@cvs.openbsd.org 2002/08/29 16:02:54
+     [ssh.1 ssh.c]
+     deprecate -P as UsePrivilegedPort defaults to no now; ok markus@
+   - stevesk@cvs.openbsd.org 2002/08/29 16:09:02
+     [ssh_config.5]
+     more on UsePrivilegedPort and setuid root; ok markus@
+   - stevesk@cvs.openbsd.org 2002/08/29 19:49:42
+     [ssh.c]
+     shrink initial privilege bracket for setuid case; ok markus@
+   - stevesk@cvs.openbsd.org 2002/08/29 22:54:10
+     [ssh_config.5 sshd_config.5]
+     state XAuthLocation is a full pathname
+20020820
+ - OpenBSD CVS Sync
+   - millert@cvs.openbsd.org 2002/08/02 14:43:15
+     [monitor.c monitor_mm.c]
+     Change mm_zalloc() sanity checks to be more in line with what
+     we do in calloc() and add a check to monitor_mm.c.
+     OK provos@ and markus@
+   - marc@cvs.openbsd.org 2002/08/02 16:00:07
+     [ssh.1 sshd.8]
+     note that .ssh/environment is only read when
+     allowed (PermitUserEnvironment in sshd_config).
+     OK markus@
+   - markus@cvs.openbsd.org 2002/08/02 21:23:41
+     [ssh-rsa.c]
+     diff is u_int (2x); ok deraadt/provos
+   - markus@cvs.openbsd.org 2002/08/02 22:20:30
+     [ssh-rsa.c]
+     replace RSA_verify with our own version and avoid the OpenSSL ASN.1 parser
+     for authentication; ok deraadt/djm
+   - aaron@cvs.openbsd.org 2002/08/08 13:50:23
+     [sshconnect1.c]
+     Use & to test if bits are set, not &&; markus@ ok.
+   - stevesk@cvs.openbsd.org 2002/08/08 23:54:52
+     [auth.c]
+     typo in comment
+   - stevesk@cvs.openbsd.org 2002/08/09 17:21:42
+     [sshd_config.5]
+     use Op for mdoc conformance; from esr@golux.thyrsus.com
+     ok aaron@
+   - stevesk@cvs.openbsd.org 2002/08/09 17:41:12
+     [sshd_config.5]
+     proxy vs. fake display
+   - stevesk@cvs.openbsd.org 2002/08/12 17:30:35
+     [ssh.1 sshd.8 sshd_config.5]
+     more PermitUserEnvironment; ok markus@
+   - stevesk@cvs.openbsd.org 2002/08/17 23:07:14
+     [ssh.1]
+     ForwardAgent has defaulted to no for over 2 years; be more clear here.
+   - stevesk@cvs.openbsd.org 2002/08/17 23:55:01
+     [ssh_config.5]
+     ordered list here
+ - (bal) [defines.h] Some platforms don't have SIZE_T_MAX.  So assign 
+   it to ULONG_MAX.
+20020813
+ - (tim) [configure.ac] Display OpenSSL header/library version.
+   Patch by dtucker@zip.com.au
+20020731
+ - (bal) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2002/07/24 16:11:18
+     [hostfile.c hostfile.h sshconnect.c]
+     print out all known keys for a host if we get a unknown host key,
+     see discussion at http://marc.theaimsgroup.com/?t=101069210100016&r=1&w=4
+     the ssharp mitm tool attacks users in a similar way, so i'd like to
+     pointed out again:
+        A MITM attack is always possible if the ssh client prints:
+        The authenticity of host 'bla' can't be established.
+     (protocol version 2 with pubkey authentication allows you to detect
+     MITM attacks)
+   - mouring@cvs.openbsd.org 2002/07/25 01:16:59
+     [sftp.c]
+     FallBackToRsh does not exist anywhere else.  Remove it from here.
+     OK deraadt.
+   - markus@cvs.openbsd.org 2002/07/29 18:57:30
+     [sshconnect.c]
+     print file:line
+   - markus@cvs.openbsd.org 2002/07/30 17:03:55
+     [auth-options.c servconf.c servconf.h session.c sshd_config sshd_config.5]
+     add PermitUserEnvironment (off by default!); from dot@dotat.at;
+     ok provos, deraadt
+20020730
+ - (bal) [uidswap.c] SCO compile correction by gert@greenie.muc.de
+20020728
+ - (stevesk) [auth-pam.c] should use PAM_MSG_MEMBER(); from solar
+ - (stevesk) [CREDITS] solar
+ - (stevesk) [ssh-rand-helper.c] RAND_bytes() and SHA1_Final() unsigned
+   char arg.
+20020725
+ - (djm) Remove some cruft from INSTALL
+ - (djm) Latest config.guess and config.sub from ftp://ftp.gnu.org/gnu/config/
+20020723
+ - (bal) [bsd-cray.c bsd-cray.h] Part 2 of Cray merger. 
+ - (bal) sync ID w/ ssh-agent.c
+ - (bal) OpenBSD Sync
+   - markus@cvs.openbsd.org 2002/07/19 15:43:33
+     [log.c log.h session.c sshd.c]
+     remove fatal cleanups after fork; based on discussions with and code
+     from solar.
+   - stevesk@cvs.openbsd.org 2002/07/19 17:42:40
+     [ssh.c]
+     display a warning from ssh when XAuthLocation does not exist or xauth
+     returned no authentication data. ok markus@
+   - stevesk@cvs.openbsd.org 2002/07/21 18:32:20
+     [auth-options.c]
+     unneeded includes
+   - stevesk@cvs.openbsd.org 2002/07/21 18:34:43
+     [auth-options.h]
+     remove invalid comment
+   - markus@cvs.openbsd.org 2002/07/22 11:03:06
+     [session.c]
+     fallback to _PATH_STDPATH on setusercontext+LOGIN_SETPATH errors;
+   - stevesk@cvs.openbsd.org 2002/07/22 17:32:56
+     [monitor.c]
+     u_int here; ok provos@
+   - stevesk@cvs.openbsd.org 2002/07/23 16:03:10
+     [sshd.c]
+     utmp_len is unsigned; display error consistent with other options.
+     ok markus@
+   - stevesk@cvs.openbsd.org 2002/07/15 17:15:31
+     [uidswap.c]
+     little more debugging; ok markus@
+20020722
+ - (bal) AIX tty data limiting patch fix by leigh@solinno.co.uk
+ - (stevesk) [xmmap.c] missing prototype for fatal()
+ - (bal) [configure.ac defines.h loginrec.c sshd.c sshpty.c] Partial sync
+   with Cray (mostly #ifdef renaming).  Patch by wendyp@cray.com.
+ - (bal) [configure.ac]  Missing ;; from cray patch.
+ - (bal) [monitor_mm.c openbsd-compat/xmmap.h] Move xmmap() defines
+   into it's own header.
+ - (stevesk) [auth-pam.[ch] session.c] pam_getenvlist() must be
+   freed by the caller; add free_pam_environment() and use it.
+ - (stevesk) [auth-pam.c] typo in comment
+20020721
+ - (stevesk) [auth-pam.c] merge cosmetic changes from solar's
+   openssh-3.4p1-owl-password-changing.diff
+ - (stevesk) [auth-pam.c] merge rest of solar's PAM patch;
+   PAM_NEW_AUTHTOK_REQD remains in #if 0 for now.
+ - (stevesk) [auth-pam.c] cast to avoid initialization type mismatch
+   warning on pam_conv struct conversation function.
+ - (stevesk) [auth-pam.h] license
+ - (stevesk) [auth-pam.h] unneeded include
+ - (stevesk) [auth-pam.[ch] ssh.h] move SSHD_PAM_SERVICE to auth-pam.h
+20020720
+ - (stevesk) [ssh-keygen.c] bug #231: always init/seed_rng().
+20020719
+ - (tim) [contrib/solaris/buildpkg.sh] create privsep user/group if needed.
+   Patch by dtucker@zip.com.au
+ - (tim) [configure.ac]  test for libxnet on HP. Patch by dtucker@zip.com.au
+20020718
+ - (tim) [defines.h] Bug 313 patch by dirk.meyer@dinoex.sub.org
+ - (tim) [monitor_mm.c] add missing declaration for xmmap(). Reported
+   by ayamura@ayamura.org
+ - (tim) [configure.ac] Bug 267 rework int64_t test.
+ - (tim) [includes.h] Bug 267 add stdint.h
+20020717
+ - (bal) aixbff package updated by dtucker@zip.com.au
+ - (tim) [configure.ac] change how we do paths in AC_PATH_PROGS tests
+   for autoconf 2.53. Based on a patch by jrj@purdue.edu
+20020716
+ - (tim) [contrib/solaris/opensshd.in] Only kill sshd if .pid file found
+20020715
+ - (bal) OpenBSD CVS Sync
+   - itojun@cvs.openbsd.org 2002/07/12 13:29:09
+     [sshconnect.c]
+     print connect failure during debugging mode.
+   - markus@cvs.openbsd.org 2002/07/12 15:50:17
+     [cipher.c]
+     EVP_CIPH_CUSTOM_IV for our own rijndael
+ - (bal) Remove unused tty defined in do_setusercontext() pointed out by
+   dtucker@zip.com.au plus a a more KNF since I am near it.
+ - (bal) Privsep user creation support in Solaris buildpkg.sh by 
+   dtucker@zip.com.au
+20020714
+ - (tim) [Makefile.in] replace "id sshd" with "sshd -t"
+ - (bal/tim) [acconfig.h configure.ac monitor_mm.c servconf.c
+   openbsd-compat/Makefile.in] support compression on platforms that
+   have no/broken MAP_ANON. Moved code to openbsd-compat/xmmap.c
+   Based on patch from nalin@redhat.com of code extracted from Owl's package
+ - (tim) [ssh_prng_cmds.in] Bug 323 arp -n flag doesn't exist under Solaris.
+   report by chris@by-design.net
+ - (tim) [loginrec.c] Bug 347: Fix typo (WTMPX_FILE) report by rodney@bond.net
+ - (tim) [loginrec.c] Bug 348: add missing found = 1; to wtmpx_islogin()
+   report by rodney@bond.net
+20020712
+ - (tim) [Makefile.in] quiet down install-files: and check-user:
+ - (tim) [configure.ac] remove unused filepriv line
+20020710
+ - (tim) [contrib/cygwin/ssh-host-config] explicitely sets the permissions
+   on /var/empty to 755 Patch by vinschen@redhat.com
+ - (bal) OpenBSD CVS Sync
+   - itojun@cvs.openbsd.org 2002/07/09 11:56:50
+     [sshconnect.c]
+     silently try next address on connect(2).  markus ok
+   - itojun@cvs.openbsd.org 2002/07/09 11:56:27
+     [canohost.c]
+     suppress log on reverse lookup failiure, as there's no real value in
+     doing so.
+     markus ok
+   - itojun@cvs.openbsd.org 2002/07/09 12:04:02
+     [sshconnect.c]
+     ed static function (less warnings)
+   - stevesk@cvs.openbsd.org 2002/07/09 17:46:25
+     [sshd_config.5]
+     clarify no preference ordering in protocol list; ok markus@
+   - itojun@cvs.openbsd.org 2002/07/10 10:28:15
+     [sshconnect.c]
+     bark if all connection attempt fails.
+   - deraadt@cvs.openbsd.org 2002/07/10 17:53:54
+     [rijndael.c]
+     use right sizeof in memcpy; markus ok
+20020709
+ - (bal) NO_IPPORT_RESERVED_CONCEPT used instead of CYGWIN so other platforms
+   lacking that concept can share it. Patch by vinschen@redhat.com
+20020708
+ - (tim) [openssh/contrib/solaris/buildpkg.sh] add PKG_INSTALL_ROOT to
+   work in a jumpstart environment. patch by kbrint@rufus.net
+ - (tim) [Makefile.in] workaround for broken pakadd on some systems.
+ - (tim) [configure.ac] fix libc89 utimes test. Mention default path for
+   --with-privsep-path=
+20020707
+ - (tim) [Makefile.in] use umask instead of chmod on $(PRIVSEP_PATH)
+ - (tim) [acconfig.h configure.ac sshd.c]
+   s/BROKEN_FD_PASSING/DISABLE_FD_PASSING/
+ - (tim) [contrib/cygwin/ssh-host-config] sshd account creation fixes
+   patch from vinschen@redhat.com
+ - (bal) [realpath.c] Updated with OpenBSD tree.
+ - (bal) OpenBSD CVS Sync
+   - deraadt@cvs.openbsd.org 2002/07/04 04:15:33
+     [key.c monitor_wrap.c sftp-glob.c ssh-dss.c ssh-rsa.c]
+     patch memory leaks; grendel@zeitbombe.org
+   - deraadt@cvs.openbsd.org 2002/07/04 08:12:15
+     [channels.c packet.c]
+     blah blah minor nothing as i read and re-read and re-read...
+   - markus@cvs.openbsd.org 2002/07/04 10:41:47
+     [key.c monitor_wrap.c ssh-dss.c ssh-rsa.c]
+     don't allocate, copy, and discard if there is not interested in the data; 
+     ok deraadt@
+   - deraadt@cvs.openbsd.org 2002/07/06 01:00:49
+     [log.c]
+     KNF
+   - deraadt@cvs.openbsd.org 2002/07/06 01:01:26
+     [ssh-keyscan.c]
+     KNF, realloc fix, and clean usage
+   - stevesk@cvs.openbsd.org 2002/07/06 17:47:58
+     [ssh-keyscan.c]
+     unused variable
+ - (bal) Minor KNF on ssh-keyscan.c
+20020705
+ - (tim) [configure.ac] AIX 4.2.1 has authenticate() in libs.
+   Reported by Darren Tucker <dtucker@zip.com.au>
+ - (tim) [contrib/cygwin/ssh-host-config] double slash corrction
+   from vinschen@redhat.com
+20020704
+ - (bal) Limit data to TTY for AIX only (Newer versions can't handle the
+   faster data rate)  Bug #124
+ - (bal) glob.c defines TILDE and AIX also defines it.  #undef it first.
+   bug #265
+ - (bal) One too many nulls in ports-aix.c
+ 
+20020703
+ - (bal) Updated contrib/cygwin/  patch by vinschen@redhat.com 
+ - (bal) minor correction to utimes() replacement.  Patch by
+   onoe@sm.sony.co.jp
+ - OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2002/06/27 08:49:44
+     [dh.c ssh-keyscan.c sshconnect.c]
+     more checks for NULL pointers; from grendel@zeitbombe.org; ok deraadt@
+   - deraadt@cvs.openbsd.org 2002/06/27 09:08:00
+     [monitor.c]
+     improve mm_zalloc check; markus ok
+   - deraadt@cvs.openbsd.org 2002/06/27 10:35:47
+     [auth2-none.c monitor.c sftp-client.c]
+     use xfree()
+   - stevesk@cvs.openbsd.org 2002/06/27 19:49:08
+     [ssh-keyscan.c]
+     use convtime(); ok markus@
+   - millert@cvs.openbsd.org 2002/06/28 01:49:31
+     [monitor_mm.c]
+     tree(3) wants an int return value for its compare functions and
+     the difference between two pointers is not an int.  Just do the
+     safest thing and store the result in a long and then return 0,
+     -1, or 1 based on that result.
+   - deraadt@cvs.openbsd.org 2002/06/28 01:50:37
+     [monitor_wrap.c]
+     use ssize_t
+   - deraadt@cvs.openbsd.org 2002/06/28 10:08:25
+     [sshd.c]
+     range check -u option at invocation
+   - deraadt@cvs.openbsd.org 2002/06/28 23:05:06
+     [sshd.c]
+     gidset[2] -> gidset[1]; markus ok
+   - deraadt@cvs.openbsd.org 2002/06/30 21:54:16
+     [auth2.c session.c sshd.c]
+     lint asks that we use names that do not overlap
+   - deraadt@cvs.openbsd.org 2002/06/30 21:59:45
+     [auth-bsdauth.c auth-skey.c auth2-chall.c clientloop.c key.c
+      monitor_wrap.c monitor_wrap.h scard.h session.h sftp-glob.c ssh.c
+      sshconnect2.c sshd.c]
+     minor KNF
+   - deraadt@cvs.openbsd.org 2002/07/01 16:15:25
+     [msg.c]
+     %u
+   - markus@cvs.openbsd.org 2002/07/01 19:48:46
+     [sshconnect2.c]
+     for compression=yes, we fallback to no-compression if the server does
+     not support compression, vice versa for compression=no. ok mouring@
+   - markus@cvs.openbsd.org 2002/07/03 09:55:38
+     [ssh-keysign.c]
+     use RSA_blinding_on() for rsa hostkeys (suggested by Bill Sommerfeld)
+     in order to avoid a possible Kocher timing attack pointed out by Charles
+     Hannum; ok provos@
+   - markus@cvs.openbsd.org 2002/07/03 14:21:05
+     [ssh-keysign.8 ssh-keysign.c ssh.c ssh_config]
+     re-enable ssh-keysign's sbit, but make ssh-keysign read 
+     /etc/ssh/ssh_config and exit if HostbasedAuthentication is disabled 
+     globally. based on discussions with deraadt, itojun and sommerfeld; 
+     ok itojun@
+ - (bal) Failed password attempts don't increment counter on AIX. Bug #145
+ - (bal) Missed Makefile.in change.  keysign needs readconf.o
+ - (bal) Clean up aix_usrinfo().  Ignore TTY= period I guess.
+  
+20020702
+ - (djm) Use PAM_MSG_MEMBER for PAM_TEXT_INFO messages, use xmalloc & 
+   friends consistently. Spotted by Solar Designer <solar@openwall.com>
+20020629
+ - (bal) fix to auth2-pam.c to swap fatal() arguments,  A bit of style
+   clean up while I'm near it.
+20020628
+ - (stevesk) [sshd_config] PAMAuthenticationViaKbdInt no; commented
+   options should contain default value.  from solar.
+ - (bal) Cygwin uid0 fix by vinschen@redhat.com
+ - (bal) s/config.h/includes.h/ in openbsd-compat/ for *.c.  Otherwise wise
+   have issues of our fixes not propogating right (ie bcopy instead of
+   memmove).  OK tim
+ - (bal) FreeBSD needs <sys/types.h> to detect if mmap() is supported.
+   Bug #303
+20020627
+ - OpenBSD CVS Sync
+   - deraadt@cvs.openbsd.org 2002/06/26 14:49:36
+     [monitor.c]
+     correct %u
+   - deraadt@cvs.openbsd.org 2002/06/26 14:50:04
+     [monitor_fdpass.c]
+     use ssize_t for recvmsg() and sendmsg() return
+   - markus@cvs.openbsd.org 2002/06/26 14:51:33
+     [ssh-add.c]
+     fix exit code for -X/-x
+   - deraadt@cvs.openbsd.org 2002/06/26 15:00:32
+     [monitor_wrap.c]
+     more %u
+   - markus@cvs.openbsd.org 2002/06/26 22:27:32
+     [ssh-keysign.c]
+     bug #304, xfree(data) called to early; openssh@sigint.cs.purdue.edu
 20020626
 - (stevesk) [monitor.c] remove duplicate proto15 dispatch entry for PAM
 - (bal) OpenBSD CVS Sync
@@ -68,6 +664,8 @@
 - (djm) Update spec files for release 
 - (djm) Fix int overflow in auth2-pam.c, similar to one discovered by ISS
 - (djm) Release 3.4p1
+ - (tim) [contrib/caldera/openssh.spec] remove 2 configure options I put in
+   by mistake
 20020625
 - (stevesk) [INSTALL acconfig.h configure.ac defines.h] remove --with-rsh
@@ -159,1012 +757,4 @@
     save auth method before monitor_reset_key_state(); bugzilla bug #284;
     ok provos@
-20020622
+$Id: ChangeLog,v 1.2491.2.1 2002/10/03 05:45:53 djm Exp $
- - (djm) Update README.privsep; spotted by fries@
- - (djm) Release 3.3p1
- - (bal) getopt now can be staticly compiled on those platforms missing
-   optreset.  Patch by binder@arago.de
-20020621
- - (djm) Sync:
-   - djm@cvs.openbsd.org 2002/06/21 05:50:51
-     [monitor.c]
-     Don't initialise compression buffers when compression=no in sshd_config;
-     ok Niels@
-  - ID sync for auth-passwd.c
- - (djm) Warn and disable compression on platforms which can't handle both
-   useprivilegeseparation=yes and compression=yes
- - (djm) contrib/redhat/openssh.spec hacking:
-   - Merge in spec changes from seba@iq.pl (Sebastian Pachuta)
-   - Add new {ssh,sshd}_config.5 manpages
-   - Add new ssh-keysign program and remove setuid from ssh client
-20020620
- - (bal) Fixed AIX environment handling, use setpcred() instead of existing
-   code.  (Bugzilla Bug 261)
- - (bal) OpenBSD CVS Sync
-   - todd@cvs.openbsd.org 2002/06/14 21:35:00
-     [monitor_wrap.c]
-     spelling; from Brian Poole <raj@cerias.purdue.edu>
-   - markus@cvs.openbsd.org 2002/06/15 00:01:36
-     [authfd.c authfd.h ssh-add.c ssh-agent.c]
-     break agent key lifetime protocol and allow other contraints for key
-     usage.
-   - markus@cvs.openbsd.org 2002/06/15 00:07:38
-     [authfd.c authfd.h ssh-add.c ssh-agent.c]
-     fix stupid typo
-   - markus@cvs.openbsd.org 2002/06/15 01:27:48
-     [authfd.c authfd.h ssh-add.c ssh-agent.c]
-     remove the CONSTRAIN_IDENTITY messages and introduce a new
-     ADD_ID message with contraints instead. contraints can be
-     only added together with the private key.
-   - itojun@cvs.openbsd.org 2002/06/16 21:30:58
-     [ssh-keyscan.c]
-     use TAILQ_xx macro.  from lukem@netbsd.  markus ok
-   - deraadt@cvs.openbsd.org 2002/06/17 06:05:56
-     [scp.c]
-     make usage like man page
-   - deraadt@cvs.openbsd.org 2002/06/19 00:27:55
-     [auth-bsdauth.c auth-skey.c auth1.c auth2-chall.c auth2-none.c authfd.c
-      authfd.h monitor_wrap.c msg.c nchan.c radix.c readconf.c scp.c sftp.1
-      ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c
-      ssh-keysign.c ssh.1 sshconnect.c sshconnect.h sshconnect2.c ttymodes.c
-      xmalloc.h]
-     KNF done automatically while reading....
-   - markus@cvs.openbsd.org 2002/06/19 18:01:00
-     [cipher.c monitor.c monitor_wrap.c packet.c packet.h]
-     make the monitor sync the transfer ssh1 session key;
-     transfer keycontext only for RC4 (this is still depends on EVP
-     implementation details and is broken).
-   - stevesk@cvs.openbsd.org 2002/06/20 19:56:07
-     [ssh.1 sshd.8]
-     move configuration file options from ssh.1/sshd.8 to
-     ssh_config.5/sshd_config.5; ok deraadt@ millert@
-   - stevesk@cvs.openbsd.org 2002/06/20 20:00:05
-     [scp.1 sftp.1]
-     ssh_config(5)
-   - stevesk@cvs.openbsd.org 2002/06/20 20:03:34
-     [ssh_config sshd_config]
-     refer to config file man page
-   - markus@cvs.openbsd.org 2002/06/20 23:05:56
-     [servconf.c servconf.h session.c sshd.c]
-     allow Compression=yes/no in sshd_config
-   - markus@cvs.openbsd.org 2002/06/20 23:37:12
-     [sshd_config]
-     add Compression
-   - stevesk@cvs.openbsd.org 2002/05/25 20:40:08
-     [LICENCE]
-     missed Per Allansson (auth2-chall.c)
- - (bal) Cygwin special handling of empty passwords wrong.  Patch by
-   vinschen@redhat.com
- - (bal) Missed integrating ssh_config.5 and sshd_config.5
- - (bal) Still more Makefile.in updates for ssh{d}_config.5
-20020613
- - (bal) typo of setgroup for cygwin.  Patch by vinschen@redhat.com
-20020612
- - (bal) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2002/06/11 23:03:54
-     [ssh.c]
-     remove unused cruft.
-   - markus@cvs.openbsd.org 2002/06/12 01:09:52
-     [ssh.c]
-     ssh_connect returns 0 on success
- - (bal) Build noop setgroups() for cygwin to clean up code (For other
-   platforms without the setgroups() requirement, you MUST define
-   SETGROUPS_NOOP in the configure.ac) Based on patch by vinschen@redhat.com
- - (bal) Some platforms don't have ONLCR (Notable Mint)
-20020611
- - (bal) ssh-agent.c RCSD fix (|unexpand already done)
- - (bal) OpenBSD CVS Sync
-   - stevesk@cvs.openbsd.org 2002/06/09 22:15:15
-     [ssh.1]
-     update for no setuid root and ssh-keysign; ok deraadt@
-   - itojun@cvs.openbsd.org 2002/06/09 22:17:21
-     [sshconnect.c]
-     pass salen to sockaddr_ntop so that we are happy on linux/solaris
-   - stevesk@cvs.openbsd.org 2002/06/10 16:53:06
-     [auth-rsa.c ssh-rsa.c]
-     display minimum RSA modulus in error(); ok markus@
-   - stevesk@cvs.openbsd.org 2002/06/10 16:56:30
-     [ssh-keysign.8]
-     merge in stuff from my man page; ok markus@
-   - stevesk@cvs.openbsd.org 2002/06/10 17:36:23
-     [ssh-add.1 ssh-add.c]
-     use convtime() to parse and validate key lifetime.  can now
-     use '-t 2h' etc.  ok markus@ provos@
-   - stevesk@cvs.openbsd.org 2002/06/10 17:45:20
-     [readconf.c ssh.1]
-     change RhostsRSAAuthentication and RhostsAuthentication default to no
-     since ssh is no longer setuid root by default; ok markus@
-   - stevesk@cvs.openbsd.org 2002/06/10 21:21:10
-     [ssh_config]
-     update defaults for RhostsRSAAuthentication and RhostsAuthentication
-     here too (all options commented out with default value).
-   - markus@cvs.openbsd.org 2002/06/10 22:28:41
-     [channels.c channels.h session.c]
-     move creation of agent socket to session.c; no need for uidswapping
-     in channel.c.
-   - markus@cvs.openbsd.org 2002/06/11 04:14:26
-     [ssh.c sshconnect.c sshconnect.h]
-     no longer use uidswap.[ch] from the ssh client
-     run less code with euid==0 if ssh is installed setuid root
-     just switch the euid, don't switch the complete set of groups
-     (this is only needed by sshd). ok provos@
-   - mpech@cvs.openbsd.org 2002/06/11 05:46:20
-     [auth-krb4.c monitor.h serverloop.c session.c ssh-agent.c sshd.c]
-     pid_t cleanup. Markus need this now to keep hacking.
-     markus@, millert@ ok
-   - itojun@cvs.openbsd.org 2002/06/11 08:11:45
-     [canohost.c]
-     use "ntop" only after initialized
- - (bal) Cygwin fix up from swap uid clean up in ssh.c patch by
-   vinschen@redhat.com
-20020609
- - (bal) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2002/06/08 05:07:56
-     [ssh.c]
-     nuke ptrace comment
-   - markus@cvs.openbsd.org 2002/06/08 05:07:09
-     [ssh-keysign.c]
-     only accept 20 byte session ids
-   - markus@cvs.openbsd.org 2002/06/08 05:17:01
-     [readconf.c readconf.h ssh.1 ssh.c]
-     deprecate FallBackToRsh and UseRsh; patch from djm@
-   - markus@cvs.openbsd.org 2002/06/08 05:40:01
-     [readconf.c]
-     just warn about Deprecated options for now
-   - markus@cvs.openbsd.org 2002/06/08 05:41:18
-     [ssh_config]
-     remove FallBackToRsh/UseRsh
-   - markus@cvs.openbsd.org 2002/06/08 12:36:53
-     [scp.c]
-     remove FallBackToRsh
-   - markus@cvs.openbsd.org 2002/06/08 12:46:14
-     [readconf.c]
-     silently ignore deprecated options, since FallBackToRsh might be passed
-     by remote scp commands.
-  - itojun@cvs.openbsd.org 2002/06/08 21:15:27
-     [sshconnect.c]
-     always use getnameinfo.  (diag message only)
-   - markus@cvs.openbsd.org 2002/06/09 04:33:27
-     [sshconnect.c]
-     abort() - > fatal()
- - (bal) RCSID tag updates on channels.c, clientloop.c, nchan.c,
-   sftp-client.c, ssh-agenet.c, ssh-keygen.c and connect.h (we did unexpand
-   independant of them)
-20020607
- - (bal) Removed --{enable/disable}-suid-ssh
- - (bal) Missed __progname in ssh-keysign.c  patch by dtucker@zip.com.au
- - (bal) use 'LOGIN_PROGRAM'  not '/usr/bin/login' in session.c patch by
-   Bertrand.Velle@apogee-com.fr
-20020606
- - (bal) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2002/05/15 21:56:38
-     [servconf.c sshd.8 sshd_config]
-     re-enable privsep and disable setuid for post-3.2.2
-   - markus@cvs.openbsd.org 2002/05/16 22:02:50
-     [cipher.c kex.h mac.c]
-     fix warnings (openssl 0.9.7 requires const)
-   - stevesk@cvs.openbsd.org 2002/05/16 22:09:59
-     [session.c ssh.c]
-     don't limit xauth pathlen on client side and longer print length on
-     server when debug; ok markus@
-   - deraadt@cvs.openbsd.org 2002/05/19 20:54:52
-     [log.h]
-     extra commas in enum not 100% portable
-   - deraadt@cvs.openbsd.org 2002/05/22 23:18:25
-     [ssh.c sshd.c]
-     spelling; abishoff@arc.nasa.gov
-   - markus@cvs.openbsd.org 2002/05/23 19:24:30
-     [authfile.c authfile.h pathnames.h ssh.c sshconnect.c sshconnect.h 
-      sshconnect1.c sshconnect2.c ssh-keysign.8 ssh-keysign.c Makefile.in]
-     add /usr/libexec/ssh-keysign: a setuid helper program for hostbased 
-     authentication in protocol v2 (needs to access the hostkeys).
-   - markus@cvs.openbsd.org 2002/05/23 19:39:34
-     [ssh.c]
-     add comment about ssh-keysign
-   - markus@cvs.openbsd.org 2002/05/24 08:45:14
-     [sshconnect2.c]
-     stat ssh-keysign first, print error if stat fails;
-     some debug->error; fix comment
-   - markus@cvs.openbsd.org 2002/05/25 08:50:39
-     [sshconnect2.c]
-     execlp->execl; from stevesk
-   - markus@cvs.openbsd.org 2002/05/25 18:51:07
-     [auth.h auth2.c auth2-hostbased.c auth2-kbdint.c auth2-none.c
-      auth2-passwd.c auth2-pubkey.c Makefile.in]
-     split auth2.c into one file per method; ok provos@/deraadt@
-   - stevesk@cvs.openbsd.org 2002/05/26 20:35:10
-     [ssh.1]
-     sort ChallengeResponseAuthentication; ok markus@
-   - stevesk@cvs.openbsd.org 2002/05/28 16:45:27
-     [monitor_mm.c]
-     print strerror(errno) on mmap/munmap error; ok markus@
-   - stevesk@cvs.openbsd.org 2002/05/28 17:28:02
-     [uidswap.c]
-     format spec change/casts and some KNF; ok markus@
-   - stevesk@cvs.openbsd.org 2002/05/28 21:24:00
-     [uidswap.c]
-     use correct function name in fatal()
-   - stevesk@cvs.openbsd.org 2002/05/29 03:06:30
-     [ssh.1 sshd.8]
-     spelling
-   - markus@cvs.openbsd.org 2002/05/29 11:21:57
-     [sshd.c]
-     don't start if privsep is enabled and SSH_PRIVSEP_USER or
-     _PATH_PRIVSEP_CHROOT_DIR are missing; ok deraadt@
-   - markus@cvs.openbsd.org 2002/05/30 08:07:31
-     [cipher.c]
-     use rijndael/aes from libcrypto (openssl >= 0.9.7) instead of
-     our own implementation. allow use of AES hardware via libcrypto, 
-     ok deraadt@
-   - markus@cvs.openbsd.org 2002/05/31 10:30:33
-     [sshconnect2.c]
-     extent ssh-keysign protocol:
-     pass # of socket-fd to ssh-keysign, keysign verfies locally used
-     ip-address using this socket-fd, restricts fake local hostnames
-     to actual local hostnames; ok stevesk@
-   - markus@cvs.openbsd.org 2002/05/31 11:35:15
-     [auth.h auth2.c]
-     move Authmethod definitons to per-method file.
-   - markus@cvs.openbsd.org 2002/05/31 13:16:48
-     [key.c]
-     add comment:
-     key_verify returns 1 for a correct signature, 0 for an incorrect signature
-     and -1 on error.
-   - markus@cvs.openbsd.org 2002/05/31 13:20:50
-     [ssh-rsa.c]
-     pad received signature with leading zeros, because RSA_verify expects
-     a signature of RSA_size. the drafts says the signature is transmitted
-     unpadded (e.g. putty does not pad), reported by anakin@pobox.com
-   - deraadt@cvs.openbsd.org 2002/06/03 12:04:07
-     [ssh.h]
-     compatiblity -> compatibility
-     decriptor -> descriptor
-     authentciated -> authenticated
-     transmition -> transmission
-   - markus@cvs.openbsd.org 2002/06/04 19:42:35
-     [monitor.c]
-     only allow enabled authentication methods; ok provos@
-   - markus@cvs.openbsd.org 2002/06/04 19:53:40
-     [monitor.c]
-     save the session id (hash) for ssh2 (it will be passed with the 
-     initial sign request) and verify that this value is used during 
-     authentication; ok provos@
-   - markus@cvs.openbsd.org 2002/06/04 23:02:06
-     [packet.c]
-     remove __FUNCTION__
-   - markus@cvs.openbsd.org 2002/06/04 23:05:49
-     [cipher.c monitor.c monitor_fdpass.c monitor_mm.c monitor_wrap.c]
-     __FUNCTION__ -> __func__
-   - markus@cvs.openbsd.org 2002/06/05 16:08:07
-     [ssh-agent.1 ssh-agent.c]
-     '-a bind_address' binds the agent to user-specified unix-domain
-     socket instead of /tmp/ssh-XXXXXXXX/agent.<pid>; ok djm@ (some time ago).
-   - markus@cvs.openbsd.org 2002/06/05 16:08:07
-     [ssh-agent.1 ssh-agent.c]
-     '-a bind_address' binds the agent to user-specified unix-domain
-     socket instead of /tmp/ssh-XXXXXXXX/agent.<pid>; ok djm@ (some time ago).
-   - markus@cvs.openbsd.org 2002/06/05 16:48:54
-     [ssh-agent.c]
-     copy current request into an extra buffer and just flush this
-     request on errors, ok provos@
-   - markus@cvs.openbsd.org 2002/06/05 19:57:12
-     [authfd.c authfd.h ssh-add.1 ssh-add.c ssh-agent.c]
-     ssh-add -x for lock and -X for unlocking the agent.
-     todo: encrypt private keys with locked...
-   - markus@cvs.openbsd.org 2002/06/05 20:56:39
-     [ssh-add.c]
-     add -x/-X to usage
-   - markus@cvs.openbsd.org 2002/06/05 21:55:44
-     [authfd.c authfd.h ssh-add.1 ssh-add.c ssh-agent.c]
-     ssh-add -t life,  Set lifetime (in seconds) when adding identities; 
-     ok provos@
-   - stevesk@cvs.openbsd.org 2002/06/06 01:09:41
-     [monitor.h]
-     no trailing comma in enum; china@thewrittenword.com
-   - markus@cvs.openbsd.org 2002/06/06 17:12:44
-     [sftp-server.c]
-     discard remaining bytes of current request; ok provos@
-   - markus@cvs.openbsd.org 2002/06/06 17:30:11
-     [sftp-server.c]
-     use get_int() macro (hide iqueue)
- - (bal) Missed msg.[ch] in merge.  Required for ssh-keysign.
- - (bal) Forgot to add msg.c Makefile.in.
- - (bal) monitor_mm.c typos.
- - (bal) Refixed auth2.c.  It was never fully commited while spliting out
-   authentication to different files.
- - (bal) ssh-keysign should build and install correctly now.  Phase two
-   would be to clean out any dead wood and disable ssh setuid on install.
- - (bal) Reverse logic, use __func__ first since it's C99
-20020604
- - (stevesk) [channels.c] bug #164 patch from YOSHIFUJI Hideaki (changed
-   setsockopt from debug to error for now).
-20020527
- - (tim) [configure.ac.orig monitor_fdpass.c] Enahnce msghdr tests to address
-   build problem on Irix reported by Dave Love <d.love@dl.ac.uk>. Back out
-   last monitor_fdpass.c changes that are no longer needed with new tests.
-   Patch tested on Irix by Jan-Frode Myklebust <janfrode@parallab.uib.no>
-20020522
- - (djm) Fix spelling mistakes, spotted by Solar Designer i
-   <solar@openwall.com>
- - Sync scard/ (not sure when it drifted)
- - (djm) OpenBSD CVS Sync:
-   [auth.c]
-   Fix typo/thinko.  Pass in as to auth_approval(), not NULL.
-   Closes PR 2659.
- - Crank version
- - Crank RPM spec versions
-20020521
- - (stevesk) [sshd.c] bug 245; disable setsid() for now
- - (stevesk) [sshd.c] #ifndef HAVE_CYGWIN for setgroups()
-20020517
- - (tim) [configure.ac] remove extra MD5_MSG="no" line.
-20020515
- - (bal) CVS ID fix up on auth-passwd.c
- - (bal) OpenBSD CVS Sync
-   - deraadt@cvs.openbsd.org 2002/05/07 19:54:36
-     [ssh.h]
-     use ssh uid
-   - deraadt@cvs.openbsd.org 2002/05/08 21:06:34
-     [ssh.h]
-     move to sshd.sshd instead
-   - stevesk@cvs.openbsd.org 2002/05/11 20:24:48
-     [ssh.h]
-     typo in comment
-   - itojun@cvs.openbsd.org 2002/05/13 02:37:39
-     [auth-skey.c auth2.c]
-     less warnings.  skey_{respond,query} are public (in auth.h)
-   - markus@cvs.openbsd.org 2002/05/13 20:44:58
-     [auth-options.c auth.c auth.h]
-     move the packet_send_debug handling from auth-options.c to auth.c; 
-     ok provos@
-   - millert@cvs.openbsd.org 2002/05/13 15:53:19
-     [sshd.c]
-     Call setsid() in the child after sshd accepts the connection and forks.
-     This is needed for privsep which calls setlogin() when it changes uids.
-     Without this, there is a race where the login name of an existing 
-     connection, as returned by getlogin(), may be changed to the privsep 
-     user (sshd).  markus@ OK
-   - markus@cvs.openbsd.org 2002/05/13 21:26:49
-     [auth-rhosts.c]
-     handle debug messages during rhosts-rsa and hostbased authentication; 
-     ok provos@
-   - mouring@cvs.openbsd.org 2002/05/15 15:47:49
-     [kex.c monitor.c monitor_wrap.c sshd.c]
-     'monitor' variable clashes with at least one lame platform (NeXT).  i
-     Renamed to 'pmonitor'.  provos@
-   - deraadt@cvs.openbsd.org 2002/05/04 02:39:35
-     [servconf.c sshd.8 sshd_config]
-     enable privsep by default; provos ok
-   - millert@cvs.openbsd.org 2002/05/06 23:34:33
-     [ssh.1 sshd.8]
-     Kill/adjust r(login|exec)d? references now that those are no longer in
-     the tree.
-   - markus@cvs.openbsd.org 2002/05/15 21:02:53
-     [servconf.c sshd.8 sshd_config]
-     disable privsep and enable setuid for the 3.2.2 release
- - (bal) Fixed up PAM case.  I think.
- - (bal) Clarified openbsd-compat/*-cray.* Licence provided by Wendy
- - (bal) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2002/05/15 21:05:29
-     [version.h]
-     enter OpenSSH_3.2.2
- - (bal) Caldara, Suse, and Redhat openssh.specs updated.
-20020514
- - (stevesk) [README.privsep] PAM+privsep works with Solaris 8.
- - (tim) [sshpty.c] set tty modes when allocating old style bsd ptys to
-   match what newer style ptys have when allocated. Based on a patch by
-   Roger Cornelius <rac@tenzing.org>
- - (tim) [README.privsep] UnixWare 7 and OpenUNIX 8 work.
- - (tim) [README.privsep] remove reference to UnixWare 7 and OpenUNIX 8
-   from PAM-enabled pragraph. UnixWare has no PAM.
- - (tim) [contrib/caldera/openssh.spec] update version.
-20020513
- - (stevesk) add initial README.privsep
- - (stevesk) [configure.ac] nicer message: --with-privsep-user=user
- - (djm) Add --with-superuser-path=xxx configure option to specify 
-   what $PATH the superuser receives.
- - (djm) Bug #231: UsePrivilegeSeparation turns off Banner.
- - (djm) Add --with-privsep-path configure option
- - (djm) Update RPM spec file: different superuser path, use
-   /var/empty/sshd for privsep
- - (djm) Bug #234: missing readpassphrase declaration and defines
- - (djm) Add INSTALL warning about SSH protocol 1 blowfish w/ 
-    OpenSSL < 0.9.6
-20020511
- - (tim) [configure.ac] applied a rework of djm's OpenSSL search cleanup patch.
-   Now only searches system and /usr/local/ssl (OpenSSL's default install path)
-   Others must use --with-ssl-dir=....
- - (tim) [monitor_fdpass.c] fix for systems that have both
-   HAVE_ACCRIGHTS_IN_MSGHDR and HAVE_CONTROL_IN_MSGHDR. Ie. sys/socket.h 
-   has #define msg_accrights msg_control
-20020510
- - (stevesk) [auth.c] Shadow account and expiration cleanup.  Now
-   check for root forced expire.  Still don't check for inactive.
- - (djm) Rework RedHat RPM files. Based on spec from Nalin 
-   Dahyabhai <nalin@redhat.com> and patches from 
-   Pekka Savola <pekkas@netcore.fi>
- - (djm) Try to drop supplemental groups at daemon startup. Patch from 
-   RedHat
- - (bal) Back all the way out of auth-passwd.c changes.  Breaks too many
-   things that don't set pw->pw_passwd.
-20020509
- - (tim) [Makefile.in] Unbreak make -f Makefile.in distprep
-20020508
- - (tim) [openbsd-compat/bsd-arc4random.c] fix logic on when seed_rng() is
-   called. Report by Chris Maxwell <maxwell@cs.dal.ca>
- - (tim) [Makefile.in configure.ac] set SHELL variable in Makefile
- - (djm) Disable PAM kbd-int auth if privsep is turned on (it doesn't work)
-20020507
- - (tim) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h]
-   Add truncate() emulation to address Bug 208
-20020506
- - (djm) Unbreak auth-passwd.c for PAM and SIA
- - (djm) Unbreak PAM auth for protocol 1. Report from Pekka Savola 
-   <pekkas@netcore.fi>
- - (djm) Don't reinitialise PAM credentials before we have started PAM.
-   Report from Pekka Savola <pekkas@netcore.fi>
-   
-20020506
- - (bal) Fixed auth-passwd.c to resolve PermitEmptyPassword issue
- 
-20020501
- - (djm) Import OpenBSD regression tests. Requires BSD make to run
- - (djm) Fix readpassphase compilation for systems which have it
-20020429
- - (tim) [contrib/caldera/openssh.spec] update fixUP to reflect changes in
-   sshd_config.
- - (tim) [contrib/cygwin/README] remove reference to regex.
-   patch from Corinna Vinschen <vinschen@redhat.com>
-20020426
- - (djm) Bug #137, #209: fix make problems for scard/Ssh.bin, do uudecode
-   during distprep only
- - (djm) Disable PAM password expiry until a complete fix for bug #188 
-   exists
- - (djm) Bug #180: Set ToS bits on IPv4-in-IPv6 mapped addresses. Based on 
-   patch from openssh@misc.tecq.org
-20020425
- - (stevesk) [defines.h] remove USE_TIMEVAL; unused
- - (stevesk) [acconfig.h auth-passwd.c configure.ac sshd.c] HP-UX 10.26
-   support.  bug #184.  most from dcole@keysoftsys.com.
-20020424
- - (djm) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2002/04/23 12:54:10
-     [version.h]
-     3.2.1
-   - djm@cvs.openbsd.org 2002/04/23 22:16:29
-     [sshd.c]
-     Improve error message; ok markus@ stevesk@
-20020423
- - (stevesk) [acconfig.h configure.ac session.c] LOGIN_NO_ENDOPT for HP-UX
- - (stevesk) [acconfig.h] NEED_IN_SYSTM_H unused
- - (markus) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2002/04/23 12:58:26
-     [radix.c]
-     send complete ticket; semerad@ss1000.ms.mff.cuni.cz
- - (djm) Trim ChangeLog to include only post-3.1 changes
- - (djm) Update RPM spec file versions
- - (djm) Redhat spec enables KrbV by default
- - (djm) Applied OpenSC smartcard updates from Markus & 
-   Antti Tapaninen <aet@cc.hut.fi>
- - (djm) Define BROKEN_REALPATH for AIX, patch from 
-   Antti Tapaninen <aet@cc.hut.fi>
- - (djm) Bug #214: Fix utmp for Irix (don't strip "tty"). Patch from 
-   Kevin Taylor <no@nowhere.org> (??) via Philipp Grau
-   <phgrau@zedat.fu-berlin.de>
- - (djm) Bug #213: Simplify CMSG_ALIGN macros to avoid symbol clashes. 
-   Reported by Doug Manton <dmanton@emea.att.com>
- - (djm) Bug #222: Fix tests for getaddrinfo on OSF/1. Spotted by
-   Robert Urban <urban@spielwiese.de>
- - (djm) Bug #206 - blibpath isn't always needed for AIX ld, avoid 
-   sizeof(long long int) == 4 breakage. Patch from Matthew Clarke
-   <Matthew_Clarke@mindlink.bc.ca>
- - (djm) Make privsep work with PAM (still experimental)
- - (djm) OpenBSD CVS Sync
-   - deraadt@cvs.openbsd.org 2002/04/20 09:02:03
-     [servconf.c]
-     No, afs requires explicit enabling
-   - markus@cvs.openbsd.org 2002/04/20 09:14:58
-     [bufaux.c bufaux.h]
-     add buffer_{get,put}_short
-   - markus@cvs.openbsd.org 2002/04/20 09:17:19
-     [radix.c]
-     rewrite using the buffer_* API, fixes overflow; ok deraadt@
-   - stevesk@cvs.openbsd.org 2002/04/21 16:19:27
-     [sshd.8 sshd_config]
-     document default AFSTokenPassing no; ok deraadt@
-   - stevesk@cvs.openbsd.org 2002/04/21 16:25:06
-     [sshconnect1.c]
-     spelling in error message; ok markus@
-   - markus@cvs.openbsd.org 2002/04/22 06:15:47
-     [radix.c]
-     fix check for overflow
-   - markus@cvs.openbsd.org 2002/04/22 16:16:53
-     [servconf.c sshd.8 sshd_config]
-     do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@
-   - markus@cvs.openbsd.org 2002/04/22 21:04:52
-     [channels.c clientloop.c clientloop.h ssh.c]
-     request reply (success/failure) for -R style fwd in protocol v2,
-     depends on ordered replies.
-     fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@
-20020421
- - (tim) [entropy.c.] Portability fix for SCO Unix 3.2v4.x (SCO OSR 3.0).
-   entropy.c needs seteuid(getuid()) for the setuid(original_uid) to 
-   succeed. Patch by gert@greenie.muc.de. This fixes one part of Bug 208
-20020418
- - (djm) Avoid SIGCHLD breakage when run from rsync. Fix from 
-   Sturle Sunde <sturle.sunde@usit.uio.no>
-20020417
- - (djm) Tell users to configure /dev/random support into OpenSSL in 
-   INSTALL
- - (djm) Fix .Nm in mdoc2man.pl from pspencer@fields.utoronto.ca
- - (tim) [configure.ac] Issue warning on --with-default-path=/some_path
-   if LOGIN_CAP is enabled. Report & testing by Tuc <tuc@ttsg.com>
-20020415
- - (djm) Unbreak "make install". Fix from Darren Tucker 
-   <dtucker@zip.com.au>
- - (stevesk) bsd-cygwin_util.[ch] BSD license from Corinna Vinschen
- - (tim) [configure.ac] add tests for recvmsg and sendmsg.
-   [monitor_fdpass.c] add checks for HAVE_SENDMSG and HAVE_RECVMSG for
-   systems that HAVE_ACCRIGHTS_IN_MSGHDR but no recvmsg or sendmsg.
-20020414
- - (djm) ssh-rand-helper improvements
-   - Add commandline debugging options
-   - Don't write binary data if stdout is a tty (use hex instead)
-   - Give it a manpage
- - (djm) Random number collection doc fixes from Ben
-20020413
- - (djm) Add KrbV support patch from Simon Wilkinson <simon@sxw.org.uk>
-20020412
- - (stevesk) [auth-sia.[ch]] add BSD license from Chris Adams
- - (tim) [configure.ac] add <sys/types.h> to msghdr tests. Change -L
-   to -h on testing for /bin being symbolic link
- - (bal) Mistaken in Cygwin scripts for ssh starting.  Patch by
-   Corinna Vinschen <vinschen@redhat.com> 
- - (bal) disable privsep if no MAP_ANON.  We can re-enable it
-   after the release when we can do more testing.
-20020411
- - (stevesk) [auth-sia.c] cleanup
- - (tim) [acconfig.h defines.h includes.h] put includes in includes.h and
-   defines in defines.h [rijndael.c openbsd-compat/fake-socket.h
-   openbsd-compat/inet_aton.c] include "includes.h" instead of "config.h"
-   ok stevesk@
-20020410
- - (stevesk) [configure.ac monitor.c] HAVE_SOCKETPAIR
- - (stevesk) [auth-sia.c] compile fix Chris Adams <cmadams@hiwaay.net>
- - (bal) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2002/04/10 08:21:47
-     [auth1.c compat.c compat.h]
-     strip '@' from username only for KerbV and known broken clients, 
-     bug #204
-   - markus@cvs.openbsd.org 2002/04/10 08:56:01
-     [version.h]
-     OpenSSH_3.2
- - Added p1 to idenify Portable release version.
-20020408
- - (bal) Minor OpenSC updates.  Fix up header locations and update
-   README.smartcard provided by Juha Yrj�l� <jyrjola@cc.hut.fi>
-20020407
- - (stevesk) HAVE_CONTROL_IN_MSGHDR; not used right now.
-   Future: we may want to test if fd passing works correctly.
- - (stevesk) [monitor_fdpass.c] fatal() for UsePrivilegeSeparation=yes
-   and no fd passing support.
- - (stevesk) HAVE_MMAP and HAVE_SYS_MMAN_H and use them in
-   monitor_mm.c
- - (stevesk) remove configure support for poll.h; it was removed
-   from sshd.c a long time ago.
- - (stevesk) --with-privsep-user; default sshd
- - (stevesk) wrap munmap() with HAVE_MMAP also.
-20020406
- - (djm) Typo in Suse SPEC file. Fix from Carsten Grohmann 
-   <carsten.grohmann@dr-baldeweg.de>
- - (bal) Added MAP_FAILED to allow AIX and Trusted HP to compile.
- - (bal) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2002/04/06 00:30:08
-     [sftp-client.c]
-     Fix occasional corruption on upload due to bad reuse of request 
-     id, spotted by chombier@mac.com; ok markus@
-   - mouring@cvs.openbsd.org 2002/04/06 18:24:09
-     [scp.c]
-     Fixes potental double // within path.
-     http://bugzilla.mindrot.org/show_bug.cgi?id=76
- - (bal) Slight update to OpenSC support.  Better version checking. patch
-   by Juha Yrj�l� <jyrjola@cc.hut.fi> 
- - (bal) Revered out of runtime IRIX detection of joblimits.  Code is
-   incomplete.
- - (bal) Quiet down configure.ac if /bin/test does not exist.
- - (bal) We no longer use atexit()/xatexit()/on_exit()
-20020405
- - (bal) Patch for OpenSC SmartCard library; ok markus@; patch by
-   Juha Yrj�l� <jyrjola@cc.hut.fi>
- - (bal) Minor documentation update to reflect smartcard library
-   support changes.
- - (bal) Too many <sys/queue.h> issues.  Remove all workarounds and
-   using internal version only.
- - (bal) OpenBSD CVS Sync
-   - stevesk@cvs.openbsd.org 2002/04/05 20:56:21
-     [sshd.8]
-     clarify sshrc some and handle X11UseLocalhost=yes; ok markus@
-20020404
- - (stevesk) [auth-pam.c auth-pam.h auth-passwd.c auth-sia.c auth-sia.h
-    auth1.c auth2.c] PAM, OSF_SIA password auth cleanup; from djm.
- - (bal) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2002/04/03 09:26:11
-     [cipher.c myproposal.h]
-     re-add rijndael-cbc@lysator.liu.se for MacSSH; ash@lab.poc.net
-20020402
- - (bal) Hand Sync of scp.c (reverted to upstream code)
-   - deraadt@cvs.openbsd.org 2002/03/30 17:45:46
-     [scp.c]
-     stretch banners
- - (bal) CVS ID sync of uidswap.c
- - (bal) OpenBSD CVS Sync (now for the real sync)
-   - markus@cvs.openbsd.org 2002/03/27 22:21:45
-     [ssh-keygen.c]
-     try to import keys with extra trailing === (seen with ssh.com < 
-     2.0.12)
-   - markus@cvs.openbsd.org 2002/03/28 15:34:51
-     [session.c]
-     do not call record_login twice (for use_privsep)
-   - markus@cvs.openbsd.org 2002/03/29 18:59:32
-     [session.c session.h]
-     retrieve last login time before the pty is allocated, store per 
-     session
-   - stevesk@cvs.openbsd.org 2002/03/29 19:16:22
-     [sshd.8]
-     RSA key modulus size minimum 768; ok markus@
-   - stevesk@cvs.openbsd.org 2002/03/29 19:18:33
-     [auth-rsa.c ssh-rsa.c ssh.h]
-     make RSA modulus minimum #define; ok markus@
-   - markus@cvs.openbsd.org 2002/03/30 18:51:15
-     [monitor.c serverloop.c sftp-int.c sftp.c sshd.c]
-     check waitpid for EINTR; based on patch from peter@ifm.liu.se
-   - markus@cvs.openbsd.org 2002/04/01 22:02:16
-     [sftp-client.c]
-     20480 is an upper limit for older server
-   - markus@cvs.openbsd.org 2002/04/01 22:07:17
-     [sftp-client.c]
-     fallback to stat if server does not support lstat
-   - markus@cvs.openbsd.org 2002/04/02 11:49:39
-     [ssh-agent.c]
-     check $SHELL for -k and -d, too;
-     http://bugzilla.mindrot.org/show_bug.cgi?id=199
-   - markus@cvs.openbsd.org 2002/04/02 17:37:48
-     [sftp.c]
-     always call log_init()
-   - markus@cvs.openbsd.org 2002/04/02 20:11:38
-     [ssh-rsa.c]
-     ignore SSH_BUG_SIGBLOB for ssh-rsa; #187
- - (bal) mispelling in uidswap.c (portable only)
-20020401
- - (stevesk) [monitor.c] PAM should work again; will *not* work with
-   UsePrivilegeSeparation=yes.
- - (stevesk) [auth1.c] fix password auth for protocol 1 when
-   !USE_PAM && !HAVE_OSF_SIA; merge issue.
-20020331
- - (tim) [configure.ac] use /bin/test -L to work around broken builtin on
-   Solaris 8
- - (tim) [sshconnect2.c] change uint32_t to u_int32_t
-20020330
- - (stevesk) [configure.ac] remove header check for sys/ttcompat.h
-   bug 167
-20020327
- - (bal) 'pw' should be 'authctxt->pw' in auth1.c spotted by 
-   kent@lysator.liu.se
- - (bal) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2002/03/26 11:34:49
-     [ssh.1 sshd.8]
-     update to recent drafts
-   - markus@cvs.openbsd.org 2002/03/26 11:37:05
-     [ssh.c]
-     update Copyright
-   - markus@cvs.openbsd.org 2002/03/26 15:23:40
-     [bufaux.c]
-     do not talk about packets in bufaux
-   - rees@cvs.openbsd.org 2002/03/26 18:46:59
-     [scard.c]
-     try_AUT0 in read_pubkey too, for those paranoid few who want to 
-     acl 'sh'
-   - markus@cvs.openbsd.org 2002/03/26 22:50:39
-     [channels.h]
-     CHANNEL_EFD_OUTPUT_ACTIVE is false for CHAN_CLOSE_RCVD, too
-   - markus@cvs.openbsd.org 2002/03/26 23:13:03
-     [auth-rsa.c]
-     disallow RSA keys < 768 for protocol 1, too (rhosts-rsa and rsa auth)
-   - markus@cvs.openbsd.org 2002/03/26 23:14:51
-     [kex.c]
-     generate a new cookie for each SSH2_MSG_KEXINIT message we send out
-   - mouring@cvs.openbsd.org 2002/03/27 11:45:42
-     [monitor.c]
-     monitor_allowed_key() returns int instead of pointer.  ok markus@
-  
-20020325
- - (stevesk) import OpenBSD <sys/tree.h> as "openbsd-compat/tree.h"
- - (bal) OpenBSD CVS Sync
-   - stevesk@cvs.openbsd.org 2002/03/23 20:57:26
-     [sshd.c]
-     setproctitle() after preauth child; ok markus@
-   - markus@cvs.openbsd.org 2002/03/24 16:00:27
-     [serverloop.c]
-     remove unused debug
-   - markus@cvs.openbsd.org 2002/03/24 16:01:13
-     [packet.c]
-     debug->debug3 for extra padding
-   - stevesk@cvs.openbsd.org 2002/03/24 17:27:03
-     [kexgex.c]
-     typo; ok markus@
-   - stevesk@cvs.openbsd.org 2002/03/24 17:53:16
-     [monitor_fdpass.c]
-     minor cleanup and more error checking; ok markus@
-   - markus@cvs.openbsd.org 2002/03/24 18:05:29
-     [scard.c]
-     we need to figure out AUT0 for sc_private_encrypt, too
-   - stevesk@cvs.openbsd.org 2002/03/24 23:20:00
-     [monitor.c]
-     remove "\n" from fatal()
-   - markus@cvs.openbsd.org 2002/03/25 09:21:13
-     [auth-rsa.c]
-     return 0 (not NULL); tomh@po.crl.go.jp
-   - markus@cvs.openbsd.org 2002/03/25 09:25:06
-     [auth-rh-rsa.c]
-     rm bogus comment
-   - markus@cvs.openbsd.org 2002/03/25 17:34:27
-     [scard.c scard.h ssh-agent.c ssh-keygen.c ssh.c]
-     change sc_get_key to sc_get_keys and hide smartcard details in scard.c
-   - stevesk@cvs.openbsd.org 2002/03/25 20:12:10
-     [monitor_mm.c monitor_wrap.c]
-     ssize_t args use "%ld" and cast to (long)
-     size_t args use "%lu" and cast to (u_long)
-     ok markus@ and thanks millert@
-   - markus@cvs.openbsd.org 2002/03/25 21:04:02
-     [ssh.c]
-     simplify num_identity_files handling
-   - markus@cvs.openbsd.org 2002/03/25 21:13:51
-     [channels.c channels.h compat.c compat.h nchan.c]
-     don't send stderr data after EOF, accept this from older known 
-     (broken) sshd servers only, fixes
-     http://bugzilla.mindrot.org/show_bug.cgi?id=179
-   - stevesk@cvs.openbsd.org 2002/03/26 03:24:01
-     [monitor.h monitor_fdpass.h monitor_mm.h monitor_wrap.h]
-     $OpenBSD$
-20020324
- - (stevesk) [session.c] disable LOGIN_NEEDS_TERM until we are sure
-   it can be removed. only used on solaris. will no longer compile with
-   privsep shuffling.
-20020322
- - (stevesk) HAVE_ACCRIGHTS_IN_MSGHDR configure support
- - (stevesk) [monitor.c monitor_wrap.c] #ifdef HAVE_PW_CLASS_IN_PASSWD
- - (stevesk) configure and cpp __FUNCTION__ gymnastics to handle nielsisms
- - (stevesk) [monitor_fdpass.c] support for access rights style file
-   descriptor passing
- - (stevesk) [auth2.c] merge cleanup/sync
- - (stevesk) [defines.h] hp-ux 11 has ancillary data style fd passing, but
-   is missing CMSG_LEN() and CMSG_SPACE() macros.
- - (stevesk) [defines.h] #define MAP_ANON MAP_ANONYMOUS for HP-UX; other
-   platforms may need this--I'm not sure.  mmap() issues will need to be
-   addressed further.
- - (tim) [cipher.c] fix problem with OpenBSD sync
- - (stevesk) [LICENCE] OpenBSD sync
-20020321
- - (bal) OpenBSD CVS Sync
-   - itojun@cvs.openbsd.org 2002/03/08 06:10:16
-     [sftp-client.c]
-     printf type mismatch
-   - itojun@cvs.openbsd.org 2002/03/11 03:18:49
-     [sftp-client.c]
-     correct type mismatches (u_int64_t != unsigned long long)
-   - itojun@cvs.openbsd.org 2002/03/11 03:19:53
-     [sftp-client.c]
-     indent
-   - markus@cvs.openbsd.org 2002/03/14 15:24:27
-     [sshconnect1.c]
-     don't trust size sent by (rogue) server; noted by 
-     s.esser@e-matters.de
-   - markus@cvs.openbsd.org 2002/03/14 16:38:26
-     [sshd.c]
-     split out ssh1 session key decryption; ok provos@
-   - markus@cvs.openbsd.org 2002/03/14 16:56:33
-     [auth-rh-rsa.c auth-rsa.c auth.h]
-     split auth_rsa() for better readability and privsep; ok provos@
-   - itojun@cvs.openbsd.org 2002/03/15 11:00:38
-     [auth.c]
-     fix file type checking (use S_ISREG).  ok by markus
-   - markus@cvs.openbsd.org 2002/03/16 11:24:53
-     [compress.c]
-     skip inflateEnd if inflate fails; ok provos@
-   - markus@cvs.openbsd.org 2002/03/16 17:22:09
-     [auth-rh-rsa.c auth.h]
-     split auth_rhosts_rsa(), ok provos@
-   - stevesk@cvs.openbsd.org 2002/03/16 17:41:25
-     [auth-krb5.c]
-     BSD license.  from Daniel Kouril via Dug Song.  ok markus@
-   - provos@cvs.openbsd.org 2002/03/17 20:25:56
-     [auth.c auth.h auth1.c auth2.c]
-     getpwnamallow returns struct passwd * only if user valid; 
-     okay markus@
-   - provos@cvs.openbsd.org 2002/03/18 01:12:14
-     [auth.h auth1.c auth2.c sshd.c]
-     have the authentication functions return the authentication context
-     and then do_authenticated; okay millert@
-   - dugsong@cvs.openbsd.org 2002/03/18 01:30:10
-     [auth-krb4.c]
-     set client to NULL after xfree(), from Rolf Braun 
-     <rbraun+ssh@andrew.cmu.edu>
-   - provos@cvs.openbsd.org 2002/03/18 03:41:08
-     [auth.c session.c]
-     move auth_approval into getpwnamallow with help from millert@
-   - markus@cvs.openbsd.org 2002/03/18 17:13:15
-     [cipher.c cipher.h]
-     export/import cipher states; needed by ssh-privsep
-   - markus@cvs.openbsd.org 2002/03/18 17:16:38
-     [packet.c packet.h]
-     export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep
-   - markus@cvs.openbsd.org 2002/03/18 17:23:31
-     [key.c key.h]
-     add key_demote() for ssh-privsep
-   - provos@cvs.openbsd.org 2002/03/18 17:25:29
-     [bufaux.c bufaux.h]
-     buffer_skip_string and extra sanity checking; needed by ssh-privsep
-   - provos@cvs.openbsd.org 2002/03/18 17:31:54
-     [compress.c]
-     export compression streams for ssh-privsep
-   - provos@cvs.openbsd.org 2002/03/18 17:50:31
-     [auth-bsdauth.c auth-options.c auth-rh-rsa.c auth-rsa.c]
-     [auth-skey.c auth.h auth1.c auth2-chall.c auth2.c kex.c kex.h kexdh.c]
-     [kexgex.c servconf.c]
-     [session.h servconf.h serverloop.c session.c sshd.c]
-     integrate privilege separated openssh; its turned off by default 
-     for now. work done by me and markus@
-   - provos@cvs.openbsd.org 2002/03/18 17:53:08
-     [sshd.8]
-     credits for privsep
-   - provos@cvs.openbsd.org 2002/03/18 17:59:09
-     [sshd.8]
-     document UsePrivilegeSeparation
-   - stevesk@cvs.openbsd.org 2002/03/18 23:52:51
-     [servconf.c]
-     UnprivUser/UnprivGroup usable now--specify numeric user/group; ok
-     provos@
-   - stevesk@cvs.openbsd.org 2002/03/19 03:03:43
-     [pathnames.h servconf.c servconf.h sshd.c]
-     _PATH_PRIVSEP_CHROOT_DIR; ok provos@
-   - stevesk@cvs.openbsd.org 2002/03/19 05:23:08
-     [sshd.8]
-     Banner has no default.
-   - mpech@cvs.openbsd.org 2002/03/19 06:32:56
-     [sftp-int.c]
-     use xfree() after xstrdup().
-     markus@ ok
-   - markus@cvs.openbsd.org 2002/03/19 10:35:39
-     [auth-options.c auth.h session.c session.h sshd.c]
-     clean up prototypes
-   - markus@cvs.openbsd.org 2002/03/19 10:49:35
-     [auth-krb5.c auth-rh-rsa.c auth.c cipher.c key.c misc.h]
-     [packet.c session.c sftp-client.c sftp-glob.h sftp.c ssh-add.c ssh.c]
-     [sshconnect2.c sshd.c ttymodes.c]
-     KNF whitespace
-   - markus@cvs.openbsd.org 2002/03/19 14:27:39
-     [auth.c auth1.c auth2.c]
-     make getpwnamallow() allways call pwcopy()
-   - markus@cvs.openbsd.org 2002/03/19 15:31:47
-     [auth.c]
-     check for NULL; from provos@
-   - stevesk@cvs.openbsd.org 2002/03/20 19:12:25
-     [servconf.c servconf.h ssh.h sshd.c]
-     for unprivileged user, group do:
-     pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw).  ok provos@
-   - stevesk@cvs.openbsd.org 2002/03/20 21:08:08
-     [sshd.c]
-     strerror() on chdir() fail; ok provos@
-   - markus@cvs.openbsd.org 2002/03/21 10:21:20
-     [ssh-add.c]
-     ignore errors for nonexisting default keys in ssh-add,
-     fixes http://bugzilla.mindrot.org/show_bug.cgi?id=158
-   - jakob@cvs.openbsd.org 2002/03/21 15:17:26
-     [clientloop.c ssh.1]
-     add built-in command line for adding new port forwardings on the fly.
-     based on a patch from brian wellington. ok markus@.
-   - markus@cvs.openbsd.org 2002/03/21 16:38:06
-     [scard.c]
-     make compile w/ openssl 0.9.7
-   - markus@cvs.openbsd.org 2002/03/21 16:54:53
-     [scard.c scard.h ssh-keygen.c]
-     move key upload to scard.[ch]
-   - markus@cvs.openbsd.org 2002/03/21 16:57:15
-     [scard.c]
-     remove const
-   - markus@cvs.openbsd.org 2002/03/21 16:58:13
-     [clientloop.c]
-     remove unused
-   - rees@cvs.openbsd.org 2002/03/21 18:08:15
-     [scard.c]
-     In sc_put_key(), sc_reader_id should be id.
-   - markus@cvs.openbsd.org 2002/03/21 20:51:12
-     [sshd_config]
-     add privsep (off)
-   - markus@cvs.openbsd.org 2002/03/21 21:23:34
-     [sshd.c]
-     add privsep_preauth() and remove 1 goto; ok provos@
-   - rees@cvs.openbsd.org 2002/03/21 21:54:34
-     [scard.c scard.h ssh-keygen.c]
-     Add PIN-protection for secret key.
-   - rees@cvs.openbsd.org 2002/03/21 22:44:05
-     [authfd.c authfd.h ssh-add.c ssh-agent.c ssh.c]
-     Add PIN-protection for secret key.
-   - markus@cvs.openbsd.org 2002/03/21 23:07:37
-     [clientloop.c]
-     remove unused, sync w/ cmdline patch in my tree.
-20020317
- - (tim) [configure.ac] Assume path given with --with-pid-dir=PATH is 
-   wanted, warn if directory does not exist. Put system directories in 
-   front of PATH for finding entorpy commands.
- - (tim) [contrib/aix/buildbff.sh contrib/aix/inventory.sh] AIX package
-   build fixes.  Patch by Darren Tucker <dtucker@zip.com.au>
-   [contrib/solaris/buildpkg.sh] add missing dirs to SYSTEM_DIR. Have
-   postinstall check for $piddir and add if necessary.
-20020311
- - (tim) [contrib/solaris/buildpkg.sh, contrib/solaris/README] Updated to
-   build on all platforms that support SVR4 style package tools. Now runs
-   from build dir. Parts are based on patches from Antonio Navarro, and
-   Darren Tucker.
-20020308
- - (djm) Revert bits of Markus' OpenSSL compat patch which was 
-   accidentally committed.
- - (djm) Add Markus' patch for compat wih OpenSSL < 0.9.6. 
-   Known issue: Blowfish for SSH1 does not work
- - (stevesk) entropy.c: typo in debug message
- - (djm) ssh-keygen -i needs seeded RNG; report from markus@
-$Id: ChangeLog,v 1.2301 2002/06/26 13:59:10 djm Exp $
diff --git a/INSTALL b/INSTALL
index 07da06b56..f5ab0dbd3 100644
--- a/INSTALL
+++ b/INSTALL
@@ -10,11 +10,7 @@ OpenSSL 0.9.6 or greater:
 http://www.openssl.org/
 (OpenSSL 0.9.5a is partially supported, but some ciphers (SSH protocol 1 
-Blowfish included) do not work correctly.)
+Blowfish) do not work correctly.)
-RPMs of OpenSSL are available at http://violet.ibs.com.au/openssh/files/support.
-For Red Hat Linux 6.2, they have been released as errata.  RHL7 includes
-these.
 OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system
 supports it. PAM is standard on Redhat and Debian Linux, Solaris and
@@ -221,4 +217,4 @@ Please refer to the "reporting bugs" section of the webpage at
 http://www.openssh.com/
-$Id: INSTALL,v 1.54 2002/06/24 16:26:49 stevesk Exp $
+$Id: INSTALL,v 1.55 2002/07/25 04:36:25 djm Exp $
diff --git a/Makefile.in b/Makefile.in
index e7faa1591..89d02c959 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.217 2002/06/25 23:45:42 tim Exp $
+# $Id: Makefile.in,v 1.222 2002/07/14 17:02:21 tim Exp $
 # uncomment if you run a non bourne compatable shell. Ie. csh
 #SHELL = @SH@
@@ -129,7 +129,7 @@ ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
        $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) 
 ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o
-        $(LD) -o $@ ssh-keysign.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) 
+        $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) 
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
        $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) 
@@ -198,12 +198,11 @@ distprep: catman-do
        $(AUTORECONF)
        (cd scard && $(MAKE) -f Makefile.in distprep)
-install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files host-key check-user
+install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files host-key check-config
 install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
-check-user:
+check-config:
-        id $(SSH_PRIVSEP_USER) || \
+        -$(DESTDIR)$(sbindir)/sshd -t -f $(DESTDIR)$(sysconfdir)/sshd_config
-                echo "WARNING: Privilege separation user \"$(SSH_PRIVSEP_USER)\" does not exist"
 scard-install:
        (cd scard && $(MAKE) DESTDIR=$(DESTDIR) install)
@@ -217,8 +216,7 @@ install-files: scard-install
        $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)5
        $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8
        $(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir)
-        $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH)
+        (umask 022 ; $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH))
-        chmod 0700 $(DESTDIR)$(PRIVSEP_PATH)
        $(INSTALL) -m 0755 -s ssh $(DESTDIR)$(bindir)/ssh
        $(INSTALL) -m 0755 -s scp $(DESTDIR)$(bindir)/scp
        $(INSTALL) -m 0755 -s ssh-add $(DESTDIR)$(bindir)/ssh-add
@@ -248,23 +246,23 @@ install-files: scard-install
        @NO_SFTP@$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
        $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
        -rm -f $(DESTDIR)$(bindir)/slogin
-        ln -s ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
+        ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
-        ln -s ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
+        ln -s ./ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
        if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
                $(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \
        fi
-        if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_config ]; then \
+        @if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_config ]; then \
                $(INSTALL) -m 644 ssh_config.out $(DESTDIR)$(sysconfdir)/ssh_config; \
        else \
                echo "$(DESTDIR)$(sysconfdir)/ssh_config already exists, install will not overwrite"; \
        fi
-        if [ ! -f $(DESTDIR)$(sysconfdir)/sshd_config ]; then \
+        @if [ ! -f $(DESTDIR)$(sysconfdir)/sshd_config ]; then \
                $(INSTALL) -m 644 sshd_config.out $(DESTDIR)$(sysconfdir)/sshd_config; \
        else \
                echo "$(DESTDIR)$(sysconfdir)/sshd_config already exists, install will not overwrite"; \
        fi
-        if [ -f ssh_prng_cmds -a ! -z "$(INSTALL_SSH_PRNG_CMDS)" ]; then \
+        @if [ -f ssh_prng_cmds -a ! -z "$(INSTALL_SSH_PRNG_CMDS)" ]; then \
                $(PERL) $(srcdir)/fixprogs ssh_prng_cmds $(ENT); \
                if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_prng_cmds ] ; then \
                        $(INSTALL) -m 644 ssh_prng_cmds.out $(DESTDIR)$(sysconfdir)/ssh_prng_cmds; \
@@ -272,7 +270,7 @@ install-files: scard-install
                        echo "$(DESTDIR)$(sysconfdir)/ssh_prng_cmds already exists, install will not overwrite"; \
                fi ; \
        fi
-        if [ ! -f $(DESTDIR)$(sysconfdir)/moduli ]; then \
+        @if [ ! -f $(DESTDIR)$(sysconfdir)/moduli ]; then \
                if [ -f $(DESTDIR)$(sysconfdir)/primes ]; then \
                        echo "moving $(DESTDIR)$(sysconfdir)/primes to $(DESTDIR)$(sysconfdir)/moduli"; \
                        mv "$(DESTDIR)$(sysconfdir)/primes" "$(DESTDIR)$(sysconfdir)/moduli"; \
@@ -284,7 +282,7 @@ install-files: scard-install
        fi
 host-key: ssh-keygen$(EXEEXT)
-        if [ -z "$(DESTDIR)" ] ; then \
+        @if [ -z "$(DESTDIR)" ] ; then \
                if [ -f "$(DESTDIR)$(sysconfdir)/ssh_host_key" ] ; then \
                        echo "$(DESTDIR)$(sysconfdir)/ssh_host_key already exists, skipping." ; \
                else \
diff --git a/TODO b/TODO
index 4331a1364..f667d59d6 100644
--- a/TODO
+++ b/TODO
@@ -18,7 +18,7 @@ Programming:
 - Handle changing passwords for the non-PAM expired password case
 - Improve PAM support (a pam_lastlog module will cause sshd to exit)
-  and maybe support alternate forms of authenications like OPIE via
+  and maybe support alternate forms of authentications like OPIE via
  pam?
 - Rework PAM ChallengeResponseAuthentication
@@ -42,8 +42,38 @@ Programming:
  solutions break scp or leaves processes hanging around after the ssh
  connection has ended.  It seems to be linked to two things.  One
  select() under Linux is not as nice as others, and two the children
-  of the shell are not killed on exiting the shell. Redhat have an excellent
+  of the shell are not killed on exiting the shell.
-  description of this in their RPM package.
+  A short run-down of what happens:
+  - The shell starts up, and starts its own session.  As a side-effect, it
+    gets its own process group.
+  - The child forks off sleep, and because it's in the background, puts it
+    into its own process group.  The sleep command inherits a copy of the
+    shell's descriptor for the tty as its stdout.
+  - The shell exits, but doesn't SIGHUP all of its child PIDs like it probably
+    should(?)
+  - The sshd server attempts to read from the master side of the pty, and
+    while there are still process with the pty open, no EOF is produced.
+  - The sleep command exits, closes its descriptor, sshd detects the EOF, and
+    the connection gets closed.
+  Ways we've tried fixing this in sshd, and why they didn't work out:
+  - SIGHUP the sshd's process group.
+    - The shell is in its own process group.
+  - Track process group IDs of all children before we reap them (via an extra
+    field in Session structures which holds the pgid for each child pid), and
+    SIGHUP the pgid when we reap.
+    - Background commands are in yet another process group.
+  - Close the connection when the child dies.
+    - Background commands may need to write data to the connection.  Also
+      prematurely truncates output from some commands (scp server, the
+      famous "dd if=/dev/zero bs=1000 count=100" case).
+  Known workarounds:
+  - bash: shopt huponexit on
+  - tcsh: none
+  - zsh: setopt HUP (usually the default setting)
+    (taken from email from Jason Stone to openssh-unix-dev, 5 May 2001)
+  - pdksh: ?
+  This appears to affect NetKit rsh under Linux as well: it behaves the same
+  with 'sleep 20 & exit'.
 - Build an automated test suite
@@ -103,4 +133,4 @@ PrivSep Issues:
 - Cygwin
  + Privsep for Pre-auth only (no fd passing)
-$Id: TODO,v 1.50 2002/06/25 17:12:27 mouring Exp $
+$Id: TODO,v 1.51 2002/09/05 06:32:03 djm Exp $
diff --git a/acconfig.h b/acconfig.h
index 3e51d6112..3e058f3ea 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -1,4 +1,4 @@
-/* $Id: acconfig.h,v 1.141 2002/06/25 22:35:16 tim Exp $ */
+/* $Id: acconfig.h,v 1.145 2002/09/26 00:38:48 tim Exp $ */
 #ifndef _CONFIG_H
 #define _CONFIG_H
@@ -150,6 +150,9 @@
 /* Define if you don't want to use lastlog */
 #undef DISABLE_LASTLOG
+/* Define if you don't want to use lastlog in session.c */
+#undef NO_SSH_LASTLOG
 /* Define if you don't want to use utmp */
 #undef DISABLE_UTMP
@@ -310,6 +313,9 @@
 /* Define if X11 doesn't support AF_UNIX sockets on that system */
 #undef NO_X11_UNIX_SOCKETS
+/* Define if the concept of ports only accessible to superusers isn't known */
+#undef NO_IPPORT_RESERVED_CONCEPT
 /* Needed for SCO and NeXT */
 #undef BROKEN_SAVED_UIDS
@@ -355,11 +361,8 @@
 /* Path that unprivileged child will chroot() to in privep mode */
 #undef PRIVSEP_PATH
-/* Define if you have the `mmap' function that supports MAP_ANON|SHARED */
+/* Define if your platform needs to skip post auth file descriptor passing */
-#undef HAVE_MMAP_ANON_SHARED
+#undef DISABLE_FD_PASSING
-/* Define if sendmsg()/recvmsg() has problems passing file descriptors */
-#undef BROKEN_FD_PASSING
 @BOTTOM@
diff --git a/auth-bsdauth.c b/auth-bsdauth.c
index 4f1b452b7..2ac27a7a2 100644
--- a/auth-bsdauth.c
+++ b/auth-bsdauth.c
@@ -22,7 +22,7 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-bsdauth.c,v 1.4 2002/06/19 00:27:55 deraadt Exp $");
+RCSID("$OpenBSD: auth-bsdauth.c,v 1.5 2002/06/30 21:59:45 deraadt Exp $");
 #ifdef BSD_AUTH
 #include "xmalloc.h"
@@ -69,7 +69,7 @@ bsdauth_query(void *ctx, char **name, char **infotxt,
        *name = xstrdup("");
        *infotxt = xstrdup("");
        *numprompts = 1;
-        *prompts = xmalloc(*numprompts * sizeof(char*));
+        *prompts = xmalloc(*numprompts * sizeof(char *));
        *echo_on = xmalloc(*numprompts * sizeof(u_int));
        (*echo_on)[0] = 0;
        (*prompts)[0] = xstrdup(challenge);
diff --git a/auth-krb4.c b/auth-krb4.c
index 1cc528aa0..b86ce7e49 100644
--- a/auth-krb4.c
+++ b/auth-krb4.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-krb4.c,v 1.27 2002/06/11 05:46:20 mpech Exp $");
+RCSID("$OpenBSD: auth-krb4.c,v 1.28 2002/09/26 11:38:43 markus Exp $");
 #include "ssh.h"
 #include "ssh1.h"
@@ -210,10 +210,9 @@ krb4_cleanup_proc(void *context)
 }
 int
-auth_krb4(Authctxt *authctxt, KTEXT auth, char **client)
+auth_krb4(Authctxt *authctxt, KTEXT auth, char **client, KTEXT reply)
 {
        AUTH_DAT adat = {0};
-        KTEXT_ST reply;
        Key_schedule schedule;
        struct sockaddr_in local, foreign;
        char instance[INST_SZ];
@@ -263,21 +262,16 @@ auth_krb4(Authctxt *authctxt, KTEXT auth, char **client)
        /* If we can't successfully encrypt the checksum, we send back an
           empty message, admitting our failure. */
-        if ((r = krb_mk_priv((u_char *) & cksum, reply.dat, sizeof(cksum) + 1,
+        if ((r = krb_mk_priv((u_char *) & cksum, reply->dat, sizeof(cksum) + 1,
            schedule, &adat.session, &local, &foreign)) < 0) {
                debug("Kerberos v4 mk_priv: (%d) %s", r, krb_err_txt[r]);
-                reply.dat[0] = 0;
+                reply->dat[0] = 0;
-                reply.length = 0;
+                reply->length = 0;
        } else
-                reply.length = r;
+                reply->length = r;
        /* Clear session key. */
        memset(&adat.session, 0, sizeof(&adat.session));
-        packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
-        packet_put_string((char *) reply.dat, reply.length);
-        packet_send();
-        packet_write_wait();
        return (1);
 }
 #endif /* KRB4 */
diff --git a/auth-krb5.c b/auth-krb5.c
index 308a6d5f9..512f70b78 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -28,7 +28,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-krb5.c,v 1.8 2002/03/19 10:49:35 markus Exp $");
+RCSID("$OpenBSD: auth-krb5.c,v 1.9 2002/09/09 06:48:06 itojun Exp $");
 #include "ssh.h"
 #include "ssh1.h"
@@ -73,18 +73,17 @@ krb5_init(void *context)
 * from the ticket
 */
 int
-auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client)
+auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *reply)
 {
        krb5_error_code problem;
        krb5_principal server;
-        krb5_data reply;
        krb5_ticket *ticket;
        int fd, ret;
        ret = 0;
        server = NULL;
        ticket = NULL;
-        reply.length = 0;
+        reply->length = 0;
        problem = krb5_init(authctxt);
        if (problem)
@@ -131,7 +130,7 @@ auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client)
        /* if client wants mutual auth */
        problem = krb5_mk_rep(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
-            &reply);
+            reply);
        if (problem)
                goto err;
@@ -144,19 +143,16 @@ auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client)
                krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
                    client);
-        packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
-        packet_put_string((char *) reply.data, reply.length);
-        packet_send();
-        packet_write_wait();
        ret = 1;
 err:
        if (server)
                krb5_free_principal(authctxt->krb5_ctx, server);
        if (ticket)
                krb5_free_ticket(authctxt->krb5_ctx, ticket);
-        if (reply.length)
+        if (!ret && reply->length) {
-                xfree(reply.data);
+                xfree(reply->data);
+                memset(reply, 0, sizeof(*reply));
+        }
        if (problem) {
                if (authctxt->krb5_ctx != NULL)
diff --git a/auth-options.c b/auth-options.c
index 2787d2948..8595fdc14 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -10,9 +10,8 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-options.c,v 1.24 2002/05/13 20:44:58 markus Exp $");
+RCSID("$OpenBSD: auth-options.c,v 1.26 2002/07/30 17:03:55 markus Exp $");
-#include "packet.h"
 #include "xmalloc.h"
 #include "match.h"
 #include "log.h"
@@ -20,7 +19,6 @@ RCSID("$OpenBSD: auth-options.c,v 1.24 2002/05/13 20:44:58 markus Exp $");
 #include "channels.h"
 #include "auth-options.h"
 #include "servconf.h"
-#include "bufaux.h"
 #include "misc.h"
 #include "monitor_wrap.h"
 #include "auth.h"
@@ -135,7 +133,8 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
                        goto next_option;
                }
                cp = "environment=\"";
-                if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+                if (options.permit_user_env &&
+                    strncasecmp(opts, cp, strlen(cp)) == 0) {
                        char *s;
                        struct envstring *new_envstring;
diff --git a/auth-options.h b/auth-options.h
index aa6270fd6..15fb21255 100644
--- a/auth-options.h
+++ b/auth-options.h
@@ -1,10 +1,9 @@
-/*      $OpenBSD: auth-options.h,v 1.11 2002/03/04 17:27:39 stevesk Exp $       */
+/*      $OpenBSD: auth-options.h,v 1.12 2002/07/21 18:34:43 stevesk Exp $       */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
- * Functions to interface with the SSH_AUTHENTICATION_FD socket.
 *
 * As far as I am concerned, the code I have written for this software
 * can be used freely for any purpose.  Any derived versions of this
diff --git a/auth-pam.c b/auth-pam.c
index 490990dec..99b03f45b 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -25,10 +25,10 @@
 #include "includes.h"
 #ifdef USE_PAM
-#include "ssh.h"
 #include "xmalloc.h"
 #include "log.h"
 #include "auth.h"
+#include "auth-options.h"
 #include "auth-pam.h"
 #include "servconf.h"
 #include "canohost.h"
@@ -36,17 +36,21 @@
 extern char *__progname;
-RCSID("$Id: auth-pam.c,v 1.46 2002/05/08 02:27:56 djm Exp $");
+extern int use_privsep;
+RCSID("$Id: auth-pam.c,v 1.54 2002/07/28 20:24:08 stevesk Exp $");
 #define NEW_AUTHTOK_MSG \
-        "Warning: Your password has expired, please change it now"
+        "Warning: Your password has expired, please change it now."
+#define NEW_AUTHTOK_MSG_PRIVSEP \
+        "Your password has expired, the session cannot proceed."
 static int do_pam_conversation(int num_msg, const struct pam_message **msg,
        struct pam_response **resp, void *appdata_ptr);
 /* module-local variables */
 static struct pam_conv conv = {
-        do_pam_conversation,
+        (int (*)())do_pam_conversation,
        NULL
 };
 static char *__pam_msg = NULL;
@@ -55,7 +59,7 @@ static const char *__pampasswd = NULL;
 /* states for do_pam_conversation() */
 enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN;
-/* remember whether pam_acct_mgmt() returned PAM_NEWAUTHTOK_REQD */
+/* remember whether pam_acct_mgmt() returned PAM_NEW_AUTHTOK_REQD */
 static int password_change_required = 0;
 /* remember whether the last pam_authenticate() succeeded or not */
 static int was_authenticated = 0;
@@ -100,9 +104,7 @@ static int do_pam_conversation(int num_msg, const struct pam_message **msg,
        char buf[1024];
        /* PAM will free this later */
-        reply = malloc(num_msg * sizeof(*reply));
+        reply = xmalloc(num_msg * sizeof(*reply));
-        if (reply == NULL)
-                return PAM_CONV_ERR;
        for (count = 0; count < num_msg; count++) {
                if (pamstate == INITIAL_LOGIN) {
@@ -112,11 +114,11 @@ static int do_pam_conversation(int num_msg, const struct pam_message **msg,
                         */
                        switch(PAM_MSG_MEMBER(msg, count, msg_style)) {
                        case PAM_PROMPT_ECHO_ON:
-                                free(reply);
+                                xfree(reply);
                                return PAM_CONV_ERR;
                        case PAM_PROMPT_ECHO_OFF:
                                if (__pampasswd == NULL) {
-                                        free(reply);
+                                        xfree(reply);
                                        return PAM_CONV_ERR;
                                }
                                reply[count].resp = xstrdup(__pampasswd);
@@ -124,7 +126,7 @@ static int do_pam_conversation(int num_msg, const struct pam_message **msg,
                                break;
                        case PAM_ERROR_MSG:
                        case PAM_TEXT_INFO:
-                                if ((*msg)[count].msg != NULL) {
+                                if (PAM_MSG_MEMBER(msg, count, msg) != NULL) {
                                        message_cat(&__pam_msg, 
                                            PAM_MSG_MEMBER(msg, count, msg));
                                }
@@ -132,7 +134,7 @@ static int do_pam_conversation(int num_msg, const struct pam_message **msg,
                                reply[count].resp_retcode = PAM_SUCCESS;
                                break;
                        default:
-                                free(reply);
+                                xfree(reply);
                                return PAM_CONV_ERR;
                        }
                } else {
@@ -154,14 +156,14 @@ static int do_pam_conversation(int num_msg, const struct pam_message **msg,
                                break;
                        case PAM_ERROR_MSG:
                        case PAM_TEXT_INFO:
-                                if ((*msg)[count].msg != NULL)
+                                if (PAM_MSG_MEMBER(msg, count, msg) != NULL)
                                        fprintf(stderr, "%s\n", 
                                            PAM_MSG_MEMBER(msg, count, msg));
                                reply[count].resp = xstrdup("");
                                reply[count].resp_retcode = PAM_SUCCESS;
                                break;
                        default:
-                                free(reply);
+                                xfree(reply);
                                return PAM_CONV_ERR;
                        }
                }
@@ -256,9 +258,14 @@ int do_pam_account(char *username, char *remote_user)
                        break;
 #if 0
                case PAM_NEW_AUTHTOK_REQD:
-                        message_cat(&__pam_msg, NEW_AUTHTOK_MSG);
+                        message_cat(&__pam_msg, use_privsep ?
+                            NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG);
                        /* flag that password change is necessary */
                        password_change_required = 1;
+                        /* disallow other functionality for now */
+                        no_port_forwarding_flag |= 2;
+                        no_agent_forwarding_flag |= 2;
+                        no_x11_forwarding_flag |= 2;
                        break;
 #endif
                default:
@@ -328,7 +335,7 @@ int is_pam_password_change_required(void)
 * Have user change authentication token if pam_acct_mgmt() indicated
 * it was expired.  This needs to be called after an interactive
 * session is established and the user's pty is connected to
- * stdin/stout/stderr.
+ * stdin/stdout/stderr.
 */
 void do_pam_chauthtok(void)
 {
@@ -337,11 +344,23 @@ void do_pam_chauthtok(void)
        do_pam_set_conv(&conv);
        if (password_change_required) {
+                if (use_privsep)
+                        fatal("Password changing is currently unsupported"
+                            " with privilege separation");
                pamstate = OTHER;
                pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
                if (pam_retval != PAM_SUCCESS)
                        fatal("PAM pam_chauthtok failed[%d]: %.200s",
                            pam_retval, PAM_STRERROR(__pamh, pam_retval));
+#if 0
+                /* XXX: This would need to be done in the parent process,
+                 * but there's currently no way to pass such request. */
+                no_port_forwarding_flag &= ~2;
+                no_agent_forwarding_flag &= ~2;
+                no_x11_forwarding_flag &= ~2;
+                if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
+                        channel_permit_all_opens();
+#endif
        }
 }
@@ -392,7 +411,7 @@ void start_pam(const char *user)
        fatal_add_cleanup(&do_pam_cleanup_proc, NULL);
 }
-/* Return list of PAM enviornment strings */
+/* Return list of PAM environment strings */
 char **fetch_pam_environment(void)
 {
 #ifdef HAVE_PAM_GETENVLIST
@@ -402,6 +421,16 @@ char **fetch_pam_environment(void)
 #endif /* HAVE_PAM_GETENVLIST */
 }
+void free_pam_environment(char **env)
+{
+        int i;
+        if (env != NULL) {
+                for (i = 0; env[i] != NULL; i++)
+                        xfree(env[i]);
+        }
+}
 /* Print any messages that have been generated during authentication */
 /* or account checking to stderr */
 void print_pam_messages(void)
diff --git a/auth-pam.h b/auth-pam.h
index 6b1f35add..7881b6b80 100644
--- a/auth-pam.h
+++ b/auth-pam.h
@@ -1,14 +1,41 @@
-/* $Id: auth-pam.h,v 1.12 2002/04/04 19:02:28 stevesk Exp $ */
+/* $Id: auth-pam.h,v 1.16 2002/07/23 00:44:07 stevesk Exp $ */
+/*
+ * Copyright (c) 2000 Damien Miller.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
 #include "includes.h"
 #ifdef USE_PAM
-#include <pwd.h> /* For struct passwd */
+#if !defined(SSHD_PAM_SERVICE)
+# define SSHD_PAM_SERVICE               __progname
+#endif
 void start_pam(const char *user);
 void finish_pam(void);
 int auth_pam_password(Authctxt *authctxt, const char *password);
 char **fetch_pam_environment(void);
+void free_pam_environment(char **env);
 int do_pam_authenticate(int flags);
 int do_pam_account(char *username, char *remote_user);
 void do_pam_session(char *username, const char *ttyname);
diff --git a/auth-passwd.c b/auth-passwd.c
index 17bbd2ceb..185db7d6d 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -81,6 +81,9 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $");
 #endif /* !USE_PAM && !HAVE_OSF_SIA */
 extern ServerOptions options;
+#ifdef WITH_AIXAUTHENTICATE
+extern char *aixloginmsg;
+#endif
 /*
 * Tries to authenticate the user using password.  Returns true if
@@ -113,7 +116,7 @@ auth_password(Authctxt *authctxt, const char *password)
 #endif
 #ifdef WITH_AIXAUTHENTICATE
        char *authmsg;
-        char *loginmsg;
+        int authsuccess;
        int reenter = 1;
 #endif
@@ -145,7 +148,16 @@ auth_password(Authctxt *authctxt, const char *password)
        }
 #endif
 #ifdef WITH_AIXAUTHENTICATE
-        return (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
+        authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
+        if (authsuccess)
+                /* We don't have a pty yet, so just label the line as "ssh" */
+                if (loginsuccess(authctxt->user,
+                        get_canonical_hostname(options.verify_reverse_mapping),
+                        "ssh", &aixloginmsg) < 0)
+                                aixloginmsg = NULL;
+        return(authsuccess);
 #endif
 #ifdef KRB4
        if (options.kerberos_authentication == 1) {
diff --git a/auth-skey.c b/auth-skey.c
index eb13c5cc5..f9ea03fd1 100644
--- a/auth-skey.c
+++ b/auth-skey.c
@@ -22,7 +22,7 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-skey.c,v 1.19 2002/06/19 00:27:55 deraadt Exp $");
+RCSID("$OpenBSD: auth-skey.c,v 1.20 2002/06/30 21:59:45 deraadt Exp $");
 #ifdef SKEY
@@ -53,7 +53,7 @@ skey_query(void *ctx, char **name, char **infotxt,
        *name  = xstrdup("");
        *infotxt  = xstrdup("");
        *numprompts = 1;
-        *prompts = xmalloc(*numprompts * sizeof(char*));
+        *prompts = xmalloc(*numprompts * sizeof(char *));
        *echo_on = xmalloc(*numprompts * sizeof(u_int));
        (*echo_on)[0] = 0;
diff --git a/auth.c b/auth.c
index 066b50d6b..48720da8f 100644
--- a/auth.c
+++ b/auth.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.43 2002/05/17 14:27:55 millert Exp $");
+RCSID("$OpenBSD: auth.c,v 1.45 2002/09/20 18:41:29 stevesk Exp $");
 #ifdef HAVE_LOGIN_H
 #include <login.h>
@@ -256,6 +256,14 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
            get_remote_ipaddr(),
            get_remote_port(),
            info);
+#ifdef WITH_AIXAUTHENTICATE
+        if (authenticated == 0 && strcmp(method, "password") == 0)
+            loginfailed(authctxt->user,
+                get_canonical_hostname(options.verify_reverse_mapping),
+                "ssh");
+#endif /* WITH_AIXAUTHENTICATE */
 }
 /*
@@ -392,7 +400,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
 /*
 * Check a given file for security. This is defined as all components
- * of the path to the file must either be owned by either the owner of
+ * of the path to the file must be owned by either the owner of
 * of the file or root and no directories must be group or world writable.
 *
 * XXX Should any specific check be done for sym links ?
@@ -476,7 +484,12 @@ getpwnamallow(const char *user)
        struct passwd *pw;
        pw = getpwnam(user);
-        if (pw == NULL || !allowed_user(pw))
+        if (pw == NULL) {
+                log("Illegal user %.100s from %.100s",
+                    user, get_remote_ipaddr());
+                return (NULL);
+        }
+        if (!allowed_user(pw))
                return (NULL);
 #ifdef HAVE_LOGIN_CAP
        if ((lc = login_getclass(pw->pw_class)) == NULL) {
diff --git a/auth.h b/auth.h
index d98547d02..c75d75366 100644
--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: auth.h,v 1.39 2002/05/31 11:35:15 markus Exp $        */
+/*      $OpenBSD: auth.h,v 1.41 2002/09/26 11:38:43 markus Exp $        */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -113,7 +113,7 @@ int	 user_key_allowed(struct passwd *, Key *);
 #ifdef KRB4
 #include <krb.h>
-int     auth_krb4(Authctxt *, KTEXT, char **);
+int     auth_krb4(Authctxt *, KTEXT, char **, KTEXT);
 int     auth_krb4_password(Authctxt *, const char *);
 void    krb4_cleanup_proc(void *);
@@ -126,7 +126,7 @@ int     auth_afs_token(Authctxt *, const char *);
 #endif /* KRB4 */
 #ifdef KRB5
-int     auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client);
+int     auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
 int     auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
 int     auth_krb5_password(Authctxt *authctxt, const char *password);
 void    krb5_cleanup_proc(void *authctxt);
diff --git a/auth1.c b/auth1.c
index 2ebc8d039..9527ba004 100644
--- a/auth1.c
+++ b/auth1.c
@@ -10,7 +10,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.41 2002/06/19 00:27:55 deraadt Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.44 2002/09/26 11:38:43 markus Exp $");
 #include "xmalloc.h"
 #include "rsa.h"
@@ -118,30 +118,49 @@ do_authloop(Authctxt *authctxt)
                                if (kdata[0] == 4) { /* KRB_PROT_VERSION */
 #ifdef KRB4
-                                        KTEXT_ST tkt;
+                                        KTEXT_ST tkt, reply;
                                        tkt.length = dlen;
                                        if (tkt.length < MAX_KTXT_LEN)
                                                memcpy(tkt.dat, kdata, tkt.length);
-                                        if (auth_krb4(authctxt, &tkt, &client_user)) {
+                                        if (PRIVSEP(auth_krb4(authctxt, &tkt,
+                                            &client_user, &reply))) {
                                                authenticated = 1;
                                                snprintf(info, sizeof(info),
                                                    " tktuser %.100s",
                                                    client_user);
+                                                packet_start(
+                                                    SSH_SMSG_AUTH_KERBEROS_RESPONSE);
+                                                packet_put_string((char *)
+                                                    reply.dat, reply.length);
+                                                packet_send();
+                                                packet_write_wait();
                                        }
 #endif /* KRB4 */
                                } else {
 #ifdef KRB5
-                                        krb5_data tkt;
+                                        krb5_data tkt, reply;
                                        tkt.length = dlen;
                                        tkt.data = kdata;
-                                        if (auth_krb5(authctxt, &tkt, &client_user)) {
+                                        if (PRIVSEP(auth_krb5(authctxt, &tkt,
+                                            &client_user, &reply))) {
                                                authenticated = 1;
                                                snprintf(info, sizeof(info),
                                                    " tktuser %.100s",
                                                    client_user);
+ 
+                                                /* Send response to client */
+                                                packet_start(
+                                                    SSH_SMSG_AUTH_KERBEROS_RESPONSE);
+                                                packet_put_string((char *)
+                                                    reply.data, reply.length);
+                                                packet_send();
+                                                packet_write_wait();
+                                                if (reply.length)
+                                                        xfree(reply.data);
                                        }
 #endif /* KRB5 */
                                }
@@ -292,6 +311,15 @@ do_authloop(Authctxt *authctxt)
                        fatal("INTERNAL ERROR: authenticated invalid user %s",
                            authctxt->user);
+#ifdef _UNICOS
+                if (type == SSH_CMSG_AUTH_PASSWORD && !authenticated)
+                        cray_login_failure(authctxt->user, IA_UDBERR);
+                if (authenticated && cray_access_denied(authctxt->user)) {
+                        authenticated = 0;
+                        fatal("Access denied for user %s.",authctxt->user);
+                }
+#endif /* _UNICOS */
 #ifdef HAVE_CYGWIN
                if (authenticated &&
                    !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD, pw)) {
@@ -301,7 +329,8 @@ do_authloop(Authctxt *authctxt)
                }
 #else
                /* Special handling for root */
-                if (authenticated && authctxt->pw->pw_uid == 0 &&
+                if (!use_privsep &&
+                    authenticated && authctxt->pw->pw_uid == 0 &&
                    !auth_root_allowed(get_authname(type)))
                        authenticated = 0;
 #endif
@@ -323,12 +352,6 @@ do_authloop(Authctxt *authctxt)
                        return;
                if (authctxt->failures++ > AUTH_FAIL_MAX) {
-#ifdef WITH_AIXAUTHENTICATE
-                        /* XXX: privsep */
-                        loginfailed(authctxt->user,
-                            get_canonical_hostname(options.verify_reverse_mapping),
-                            "ssh");
-#endif /* WITH_AIXAUTHENTICATE */
                        packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
                }
diff --git a/auth2-chall.c b/auth2-chall.c
index e1440f47d..0d1709307 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -23,7 +23,7 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth2-chall.c,v 1.19 2002/06/26 13:55:37 markus Exp $");
+RCSID("$OpenBSD: auth2-chall.c,v 1.20 2002/06/30 21:59:45 deraadt Exp $");
 #include "ssh2.h"
 #include "auth.h"
@@ -263,7 +263,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
        if (nresp > 100)
                fatal("input_userauth_info_response: too many replies");
        if (nresp > 0) {
-                response = xmalloc(nresp * sizeof(char*));
+                response = xmalloc(nresp * sizeof(char *));
                for (i = 0; i < nresp; i++)
                        response[i] = packet_get_string(NULL);
        }
diff --git a/auth2-none.c b/auth2-none.c
index 720d3c10f..c07b2dd81 100644
--- a/auth2-none.c
+++ b/auth2-none.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth2-none.c,v 1.3 2002/06/19 00:27:55 deraadt Exp $");
+RCSID("$OpenBSD: auth2-none.c,v 1.4 2002/06/27 10:35:47 deraadt Exp $");
 #include "auth.h"
 #include "xmalloc.h"
@@ -61,7 +61,7 @@ auth2_read_banner(void)
        close(fd);
        if (n != len) {
-                free(banner);
+                xfree(banner);
                return (NULL);
        }
        banner[n] = '\0';
diff --git a/auth2-pam.c b/auth2-pam.c
index 99aedeaeb..a2daf96b7 100644
--- a/auth2-pam.c
+++ b/auth2-pam.c
@@ -1,5 +1,5 @@
 #include "includes.h"
-RCSID("$Id: auth2-pam.c,v 1.13 2002/06/26 13:58:00 djm Exp $");
+RCSID("$Id: auth2-pam.c,v 1.14 2002/06/28 16:48:12 mouring Exp $");
 #ifdef USE_PAM
 #include <security/pam_appl.h>
@@ -116,11 +116,11 @@ do_pam_conversation_kbd_int(int num_msg, const struct pam_message **msg,
        while(context_pam2.finished == 0) {
                done = 1;
                dispatch_run(DISPATCH_BLOCK, &done, appdata_ptr);
-                if(context_pam2.finished == 0)
+                if (context_pam2.finished == 0)
                        debug("extra packet during conversation");
        }
-        if(context_pam2.num_received == context_pam2.num_expected) {
+        if (context_pam2.num_received == context_pam2.num_expected) {
                *resp = context_pam2.responses;
                return PAM_SUCCESS;
        } else
@@ -143,8 +143,8 @@ input_userauth_info_response_pam(int type, u_int32_t seqnr, void *ctxt)
        if (nresp != context_pam2.num_expected)
                fatal("%s: Received incorrect number of responses "
-                    "(expected %u, received %u)", __func__, nresp,
+                    "(expected %d, received %u)", __func__, 
-                    context_pam2.num_expected);
+                    context_pam2.num_expected, nresp);
        if (nresp > 100)
                fatal("%s: too many replies", __func__);
@@ -163,5 +163,4 @@ input_userauth_info_response_pam(int type, u_int32_t seqnr, void *ctxt)
        packet_check_eom();
 }
 #endif
diff --git a/auth2.c b/auth2.c
index 6dfd91f74..17c58552a 100644
--- a/auth2.c
+++ b/auth2.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.93 2002/05/31 11:35:15 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.95 2002/08/22 21:33:58 markus Exp $");
 #include "ssh2.h"
 #include "xmalloc.h"
@@ -102,7 +102,7 @@ input_service_request(int type, u_int32_t seq, void *ctxt)
 {
        Authctxt *authctxt = ctxt;
        u_int len;
-        int accept = 0;
+        int acceptit = 0;
        char *service = packet_get_string(&len);
        packet_check_eom();
@@ -111,14 +111,14 @@ input_service_request(int type, u_int32_t seq, void *ctxt)
        if (strcmp(service, "ssh-userauth") == 0) {
                if (!authctxt->success) {
-                        accept = 1;
+                        acceptit = 1;
                        /* now we can handle user-auth requests */
                        dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request);
                }
        }
        /* XXX all other service requests are denied */
-        if (accept) {
+        if (acceptit) {
                packet_start(SSH2_MSG_SERVICE_ACCEPT);
                packet_put_cstring(service);
                packet_send();
@@ -205,7 +205,8 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
                    authctxt->user);
        /* Special handling for root */
-        if (authenticated && authctxt->pw->pw_uid == 0 &&
+        if (!use_privsep &&
+            authenticated && authctxt->pw->pw_uid == 0 &&
            !auth_root_allowed(method))
                authenticated = 0;
@@ -215,6 +216,13 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
                authenticated = 0;
 #endif /* USE_PAM */
+#ifdef _UNICOS
+        if (authenticated && cray_access_denied(authctxt->user)) {
+                authenticated = 0;
+                fatal("Access denied for user %s.",authctxt->user);
+        }
+#endif /* _UNICOS */
        /* Log before sending the reply */
        auth_log(authctxt, authenticated, method, " ssh2");
@@ -232,14 +240,12 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
                authctxt->success = 1;
        } else {
                if (authctxt->failures++ > AUTH_FAIL_MAX) {
-#ifdef WITH_AIXAUTHENTICATE
-                        /* XXX: privsep */
-                        loginfailed(authctxt->user,
-                            get_canonical_hostname(options.verify_reverse_mapping),
-                            "ssh");
-#endif /* WITH_AIXAUTHENTICATE */
                        packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
                }
+#ifdef _UNICOS
+                if (strcmp(method, "password") == 0)
+                        cray_login_failure(authctxt->user, IA_UDBERR);
+#endif /* _UNICOS */
                methods = authmethods_get();
                packet_start(SSH2_MSG_USERAUTH_FAILURE);
                packet_put_cstring(methods);
diff --git a/authfd.c b/authfd.c
index 4c4552d52..f04e0858b 100644
--- a/authfd.c
+++ b/authfd.c
@@ -35,7 +35,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: authfd.c,v 1.56 2002/06/25 16:22:42 markus Exp $");
+RCSID("$OpenBSD: authfd.c,v 1.57 2002/09/11 18:27:26 stevesk Exp $");
 #include <openssl/evp.h>
@@ -53,6 +53,8 @@ RCSID("$OpenBSD: authfd.c,v 1.56 2002/06/25 16:22:42 markus Exp $");
 #include "log.h"
 #include "atomicio.h"
+static int agent_present = 0;
 /* helper */
 int     decode_reply(int type);
@@ -61,6 +63,21 @@ int	decode_reply(int type);
    ((x == SSH_AGENT_FAILURE) || (x == SSH_COM_AGENT2_FAILURE) || \
    (x == SSH2_AGENT_FAILURE))
+int
+ssh_agent_present(void)
+{
+        int authfd;
+        if (agent_present)
+                return 1;
+        if ((authfd = ssh_get_authentication_socket()) == -1)
+                return 0;
+        else {
+                ssh_close_authentication_socket(authfd);
+                return 1;
+        }
+}
 /* Returns the number of the authentication fd, or -1 if there is none. */
 int
@@ -90,6 +107,7 @@ ssh_get_authentication_socket(void)
                close(sock);
                return -1;
        }
+        agent_present = 1;
        return sock;
 }
diff --git a/authfd.h b/authfd.h
index b2767e5c1..38ee49e88 100644
--- a/authfd.h
+++ b/authfd.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: authfd.h,v 1.30 2002/06/19 00:27:55 deraadt Exp $     */
+/*      $OpenBSD: authfd.h,v 1.31 2002/09/11 18:27:25 stevesk Exp $     */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -66,6 +66,7 @@ typedef struct {
        int     howmany;
 }       AuthenticationConnection;
+int     ssh_agent_present(void);
 int     ssh_get_authentication_socket(void);
 void    ssh_close_authentication_socket(int);
diff --git a/autom4te-2.53.cache/output.0 b/autom4te-2.53.cache/output.0
index 921978182..97d453542 100644
--- a/autom4te-2.53.cache/output.0
+++ b/autom4te-2.53.cache/output.0
@@ -862,7 +862,7 @@ Optional Packages:
  --with-kerberos5=PATH   Enable Kerberos 5 support
  --with-kerberos4=PATH   Enable Kerberos 4 support
  --with-afs=PATH         Enable AFS support
-  --with-privsep-path=xxx Path for privilege separation chroot 
+  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
  --with-xauth=PATH       Specify path to xauth program 
  --with-mantype=man|cat|doc  Set man page type
  --with-md5-passwords    Enable use of MD5 passwords
@@ -2760,52 +2760,6 @@ echo "${ECHO_T}no" >&6
 fi
-for ac_prog in filepriv
-do
-  # Extract the first word of "$ac_prog", so it can be a program name with args.
-set dummy $ac_prog; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_path_FILEPRIV+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  case $FILEPRIV in
-  [\\/]* | ?:[\\/]*)
-  ac_cv_path_FILEPRIV="$FILEPRIV" # Let the user override the test with a path.
-  ;;
-  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-as_dummy="/sbin:/usr/sbin"
-for as_dir in $as_dummy
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-    ac_cv_path_FILEPRIV="$as_dir/$ac_word$ac_exec_ext"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-  ;;
-esac
-fi
-FILEPRIV=$ac_cv_path_FILEPRIV
-if test -n "$FILEPRIV"; then
-  echo "$as_me:$LINENO: result: $FILEPRIV" >&5
-echo "${ECHO_T}$FILEPRIV" >&6
-else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-  test -n "$FILEPRIV" && break
-done
-test -n "$FILEPRIV" || FILEPRIV="true"
 # Extract the first word of "bash", so it can be a program name with args.
 set dummy bash; ac_word=$2
 echo "$as_me:$LINENO: checking for $ac_word" >&5
@@ -3622,6 +3576,72 @@ if test $ac_cv_func_authenticate = yes; then
 @%:@define WITH_AIXAUTHENTICATE 1
 _ACEOF
+else
+  echo "$as_me:$LINENO: checking for authenticate in -ls" >&5
+echo $ECHO_N "checking for authenticate in -ls... $ECHO_C" >&6
+if test "${ac_cv_lib_s_authenticate+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-ls  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#line $LINENO "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char authenticate ();
+#ifdef F77_DUMMY_MAIN
+#  ifdef __cplusplus
+     extern "C"
+#  endif
+   int F77_DUMMY_MAIN() { return 1; }
+#endif
+int
+main ()
+{
+authenticate ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_lib_s_authenticate=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_s_authenticate=no
+fi
+rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_s_authenticate" >&5
+echo "${ECHO_T}$ac_cv_lib_s_authenticate" >&6
+if test $ac_cv_lib_s_authenticate = yes; then
+   cat >>confdefs.h <<\_ACEOF
+@%:@define WITH_AIXAUTHENTICATE 1
+_ACEOF
+                                LIBS="$LIBS -ls"
+                        
+fi
+                
 fi
        cat >>confdefs.h <<\_ACEOF
@@ -3668,7 +3688,11 @@ _ACEOF
 _ACEOF
        cat >>confdefs.h <<\_ACEOF
-@%:@define BROKEN_FD_PASSING 1
+@%:@define NO_IPPORT_RESERVED_CONCEPT 1
+_ACEOF
+        cat >>confdefs.h <<\_ACEOF
+@%:@define DISABLE_FD_PASSING 1
 _ACEOF
        cat >>confdefs.h <<\_ACEOF
@@ -3683,10 +3707,49 @@ _ACEOF
        ;;
 *-*-darwin*)
+        echo "$as_me:$LINENO: checking if we have working getaddrinfo" >&5
+echo $ECHO_N "checking if we have working getaddrinfo... $ECHO_C" >&6
+        if test "$cross_compiling" = yes; then
+  echo "$as_me:$LINENO: result: assume it is working" >&5
+echo "${ECHO_T}assume it is working" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line $LINENO "configure"
+#include "confdefs.h"
+#include <mach-o/dyld.h>
+main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
+                exit(0);
+        else
+                exit(1);
+}
+_ACEOF
+rm -f conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  echo "$as_me:$LINENO: result: working" >&5
+echo "${ECHO_T}working" >&6
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+( exit $ac_status )
+echo "$as_me:$LINENO: result: buggy" >&5
+echo "${ECHO_T}buggy" >&6
        cat >>confdefs.h <<\_ACEOF
 @%:@define BROKEN_GETADDRINFO 1
 _ACEOF
+fi
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+fi
        ;;
 *-*-hpux10.26)
        if test -z "$GCC"; then
@@ -3722,7 +3785,76 @@ _ACEOF
 @%:@define SPT_TYPE SPT_PSTAT
 _ACEOF
-        LIBS="$LIBS -lxnet -lsec -lsecpw"
+        LIBS="$LIBS -lsec -lsecpw"
+        
+echo "$as_me:$LINENO: checking for t_error in -lxnet" >&5
+echo $ECHO_N "checking for t_error in -lxnet... $ECHO_C" >&6
+if test "${ac_cv_lib_xnet_t_error+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lxnet  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#line $LINENO "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char t_error ();
+#ifdef F77_DUMMY_MAIN
+#  ifdef __cplusplus
+     extern "C"
+#  endif
+   int F77_DUMMY_MAIN() { return 1; }
+#endif
+int
+main ()
+{
+t_error ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_lib_xnet_t_error=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_xnet_t_error=no
+fi
+rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_xnet_t_error" >&5
+echo "${ECHO_T}$ac_cv_lib_xnet_t_error" >&6
+if test $ac_cv_lib_xnet_t_error = yes; then
+  cat >>confdefs.h <<_ACEOF
+@%:@define HAVE_LIBXNET 1
+_ACEOF
+  LIBS="-lxnet $LIBS"
+else
+  { { echo "$as_me:$LINENO: error: *** -lxnet needed on HP-UX - check config.log ***" >&5
+echo "$as_me: error: *** -lxnet needed on HP-UX - check config.log ***" >&2;}
+   { (exit 1); exit 1; }; }
+fi
        disable_ptmx_check=yes
        ;;
 *-*-hpux10*)
@@ -3755,7 +3887,76 @@ _ACEOF
 @%:@define SPT_TYPE SPT_PSTAT
 _ACEOF
-        LIBS="$LIBS -lxnet -lsec"
+        LIBS="$LIBS -lsec"
+        
+echo "$as_me:$LINENO: checking for t_error in -lxnet" >&5
+echo $ECHO_N "checking for t_error in -lxnet... $ECHO_C" >&6
+if test "${ac_cv_lib_xnet_t_error+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lxnet  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#line $LINENO "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char t_error ();
+#ifdef F77_DUMMY_MAIN
+#  ifdef __cplusplus
+     extern "C"
+#  endif
+   int F77_DUMMY_MAIN() { return 1; }
+#endif
+int
+main ()
+{
+t_error ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_lib_xnet_t_error=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_xnet_t_error=no
+fi
+rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_xnet_t_error" >&5
+echo "${ECHO_T}$ac_cv_lib_xnet_t_error" >&6
+if test $ac_cv_lib_xnet_t_error = yes; then
+  cat >>confdefs.h <<_ACEOF
+@%:@define HAVE_LIBXNET 1
+_ACEOF
+  LIBS="-lxnet $LIBS"
+else
+  { { echo "$as_me:$LINENO: error: *** -lxnet needed on HP-UX - check config.log ***" >&5
+echo "$as_me: error: *** -lxnet needed on HP-UX - check config.log ***" >&2;}
+   { (exit 1); exit 1; }; }
+fi
        ;;
 *-*-hpux11*)
        CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
@@ -3788,7 +3989,76 @@ _ACEOF
 @%:@define SPT_TYPE SPT_PSTAT
 _ACEOF
-        LIBS="$LIBS -lxnet -lsec"
+        LIBS="$LIBS -lsec"
+        
+echo "$as_me:$LINENO: checking for t_error in -lxnet" >&5
+echo $ECHO_N "checking for t_error in -lxnet... $ECHO_C" >&6
+if test "${ac_cv_lib_xnet_t_error+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lxnet  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#line $LINENO "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char t_error ();
+#ifdef F77_DUMMY_MAIN
+#  ifdef __cplusplus
+     extern "C"
+#  endif
+   int F77_DUMMY_MAIN() { return 1; }
+#endif
+int
+main ()
+{
+t_error ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_lib_xnet_t_error=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_xnet_t_error=no
+fi
+rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_xnet_t_error" >&5
+echo "${ECHO_T}$ac_cv_lib_xnet_t_error" >&6
+if test $ac_cv_lib_xnet_t_error = yes; then
+  cat >>confdefs.h <<_ACEOF
+@%:@define HAVE_LIBXNET 1
+_ACEOF
+  LIBS="-lxnet $LIBS"
+else
+  { { echo "$as_me:$LINENO: error: *** -lxnet needed on HP-UX - check config.log ***" >&5
+echo "$as_me: error: *** -lxnet needed on HP-UX - check config.log ***" >&2;}
+   { (exit 1); exit 1; }; }
+fi
        ;;
 *-*-irix5*)
        CPPFLAGS="$CPPFLAGS -I/usr/local/include"
@@ -3920,6 +4190,7 @@ _ACEOF
        SONY=1
        ;;
 *-*-netbsd*)
+        check_for_libcrypt_before=1
        need_dash_r=1
        ;;
 *-*-freebsd*)
@@ -4250,7 +4521,7 @@ _ACEOF
 _ACEOF
        cat >>confdefs.h <<\_ACEOF
-@%:@define BROKEN_FD_PASSING 1
+@%:@define DISABLE_FD_PASSING 1
 _ACEOF
        
@@ -4332,6 +4603,21 @@ done
        MANTYPE=man
        ;;
+*-*-unicosmk*)
+        no_libsocket=1
+        no_libnsl=1
+        cat >>confdefs.h <<\_ACEOF
+@%:@define USE_PIPES 1
+_ACEOF
+        cat >>confdefs.h <<\_ACEOF
+@%:@define DISABLE_FD_PASSING 1
+_ACEOF
+        LDFLAGS="$LDFLAGS"
+        LIBS="$LIBS -lgen -lrsc -lshare -luex -lacm"
+        MANTYPE=cat
+        ;;
 *-*-unicos*)
        no_libsocket=1
        no_libnsl=1
@@ -4340,11 +4626,16 @@ done
 _ACEOF
        cat >>confdefs.h <<\_ACEOF
-@%:@define BROKEN_FD_PASSING 1
+@%:@define DISABLE_FD_PASSING 1
+_ACEOF
+        cat >>confdefs.h <<\_ACEOF
+@%:@define NO_SSH_LASTLOG 1
 _ACEOF
-        LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal,-L/usr/local/lib"
+        LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal"
-        LIBS="$LIBS -lgen -lrsc"
+        LIBS="$LIBS -lgen -lrsc -lshare -luex -lacm"
+        MANTYPE=cat
        ;;
 *-dec-osf*)
        echo "$as_me:$LINENO: checking for Digital Unix SIA" >&5
@@ -4691,15 +4982,17 @@ done
 for ac_header in bstring.h crypt.h endian.h floatingpoint.h \
-        getopt.h glob.h lastlog.h limits.h login.h \
+        getopt.h glob.h ia.h lastlog.h limits.h login.h \
        login_cap.h maillock.h netdb.h netgroup.h \
        netinet/in_systm.h paths.h pty.h readpassphrase.h \
        rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \
        strings.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h \
        sys/mman.h sys/select.h sys/stat.h \
        sys/stropts.h sys/sysmacros.h sys/time.h \
-        sys/un.h time.h ttyent.h usersec.h \
+        sys/un.h time.h tmpdir.h ttyent.h usersec.h \
        util.h utime.h utmp.h utmpx.h
 do
 as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
@@ -5646,7 +5939,11 @@ fi
 echo "$as_me:$LINENO: result: $ac_cv_lib_c89_utimes" >&5
 echo "${ECHO_T}$ac_cv_lib_c89_utimes" >&6
 if test $ac_cv_lib_c89_utimes = yes; then
-  LIBS="$LIBS -lc89"
+  cat >>confdefs.h <<\_ACEOF
+@%:@define HAVE_UTIMES 1
+_ACEOF
+                                        LIBS="$LIBS -lc89"
 fi
 
@@ -6176,7 +6473,7 @@ else
 #include <sys/types.h>
 #include <dirent.h>
-int main(void){struct dirent d;return(sizeof(d.d_name)<=sizeof(char));}
+int main(void){struct dirent d;exit(sizeof(d.d_name)<=sizeof(char));}
        
 _ACEOF
 rm -f conftest$ac_exeext
@@ -6244,7 +6541,7 @@ else
 #include <stdio.h>
 #include <skey.h>
-int main() { char *ff = skey_keyinfo(""); ff=""; return 0; }
+int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); }
                                
 _ACEOF
 rm -f conftest$ac_exeext
@@ -6442,9 +6739,10 @@ fi;
 for ac_func in arc4random b64_ntop bcopy bindresvport_sa \
        clock fchmod fchown freeaddrinfo futimes gai_strerror \
-        getaddrinfo getcwd getgrouplist getnameinfo getopt \
+        getaddrinfo getcwd getgrouplist getnameinfo getopt getpeereid\
        getrlimit getrusage getttyent glob inet_aton inet_ntoa \
        inet_ntop innetgr login_getcapbool md5_crypt memmove \
        mkdtemp mmap ngetaddrinfo openpty ogetaddrinfo readpassphrase \
@@ -6528,63 +6826,6 @@ fi
 done
-if test $ac_cv_func_mmap = yes ; then
-echo "$as_me:$LINENO: checking for mmap anon shared" >&5
-echo $ECHO_N "checking for mmap anon shared... $ECHO_C" >&6
-if test "$cross_compiling" = yes; then
-  { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling" >&5
-echo "$as_me: error: cannot run test program while cross compiling" >&2;}
-   { (exit 1); exit 1; }; }
-else
-  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-#include "confdefs.h"
-#include <stdio.h>
-#include <sys/mman.h>
-#if !defined(MAP_ANON) && defined(MAP_ANONYMOUS)
-#define MAP_ANON MAP_ANONYMOUS
-#endif
-main() { char *p;
-p = (char *) mmap(NULL, 10, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED, -1, 0);
-if (p == (char *)-1)
-        exit(1);
-exit(0);
-}
-        
-_ACEOF
-rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  
-                echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-                cat >>confdefs.h <<\_ACEOF
-@%:@define HAVE_MMAP_ANON_SHARED 1
-_ACEOF
-        
-else
-  echo "$as_me: program exited with status $ac_status" >&5
-echo "$as_me: failed program was:" >&5
-cat conftest.$ac_ext >&5
-( exit $ac_status )
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6  
-fi
-rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
-fi
-fi
 for ac_func in dirname
 do
@@ -7697,7 +7938,7 @@ else
 #include "confdefs.h"
 #include <stdio.h>
-int main(void){char b[5];snprintf(b,5,"123456789");return(b[4]!='\0');}
+int main(void){char b[5];snprintf(b,5,"123456789");exit(b[4]!='\0');}
                
 _ACEOF
 rm -f conftest$ac_exeext
@@ -8090,6 +8331,76 @@ fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
+# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
+# because the system crypt() is more featureful.
+if test "x$check_for_libcrypt_before" = "x1"; then
+        
+echo "$as_me:$LINENO: checking for crypt in -lcrypt" >&5
+echo $ECHO_N "checking for crypt in -lcrypt... $ECHO_C" >&6
+if test "${ac_cv_lib_crypt_crypt+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lcrypt  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#line $LINENO "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char crypt ();
+#ifdef F77_DUMMY_MAIN
+#  ifdef __cplusplus
+     extern "C"
+#  endif
+   int F77_DUMMY_MAIN() { return 1; }
+#endif
+int
+main ()
+{
+crypt ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_lib_crypt_crypt=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_crypt_crypt=no
+fi
+rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_crypt_crypt" >&5
+echo "${ECHO_T}$ac_cv_lib_crypt_crypt" >&6
+if test $ac_cv_lib_crypt_crypt = yes; then
+  cat >>confdefs.h <<_ACEOF
+@%:@define HAVE_LIBCRYPT 1
+_ACEOF
+  LIBS="-lcrypt $LIBS"
+fi
+fi
 # Search for OpenSSL
 saved_CPPFLAGS="$CPPFLAGS"
 saved_LDFLAGS="$LDFLAGS"
@@ -8230,6 +8541,134 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
+# Determine OpenSSL header version
+echo "$as_me:$LINENO: checking OpenSSL header version" >&5
+echo $ECHO_N "checking OpenSSL header version... $ECHO_C" >&6
+if test "$cross_compiling" = yes; then
+  { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling" >&5
+echo "$as_me: error: cannot run test program while cross compiling" >&2;}
+   { (exit 1); exit 1; }; }
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line $LINENO "configure"
+#include "confdefs.h"
+#include <stdio.h>
+#include <string.h>
+#include <openssl/opensslv.h>
+#define DATA "conftest.sslincver"
+int main(void) {
+        FILE *fd;
+        int rc;
+        fd = fopen(DATA,"w");
+        if(fd == NULL)
+                exit(1);
+        if ((rc = fprintf(fd ,"%x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
+                exit(1);
+        exit(0);
+}
+        
+_ACEOF
+rm -f conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  
+                ssl_header_ver=`cat conftest.sslincver`
+                echo "$as_me:$LINENO: result: $ssl_header_ver" >&5
+echo "${ECHO_T}$ssl_header_ver" >&6
+        
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+( exit $ac_status )
+                echo "$as_me:$LINENO: result: not found" >&5
+echo "${ECHO_T}not found" >&6
+                { { echo "$as_me:$LINENO: error: OpenSSL version header not found." >&5
+echo "$as_me: error: OpenSSL version header not found." >&2;}
+   { (exit 1); exit 1; }; }
+        
+fi
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+fi
+# Determine OpenSSL library version
+echo "$as_me:$LINENO: checking OpenSSL library version" >&5
+echo $ECHO_N "checking OpenSSL library version... $ECHO_C" >&6
+if test "$cross_compiling" = yes; then
+  { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling" >&5
+echo "$as_me: error: cannot run test program while cross compiling" >&2;}
+   { (exit 1); exit 1; }; }
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line $LINENO "configure"
+#include "confdefs.h"
+#include <stdio.h>
+#include <string.h>
+#include <openssl/opensslv.h>
+#include <openssl/crypto.h>
+#define DATA "conftest.ssllibver"
+int main(void) {
+        FILE *fd;
+        int rc;
+        fd = fopen(DATA,"w");
+        if(fd == NULL)
+                exit(1);
+        if ((rc = fprintf(fd ,"%x (%s)\n", SSLeay(), SSLeay_version(SSLEAY_VERSION))) <0)
+                exit(1);
+        exit(0);
+}
+        
+_ACEOF
+rm -f conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  
+                ssl_library_ver=`cat conftest.ssllibver`
+                echo "$as_me:$LINENO: result: $ssl_library_ver" >&5
+echo "${ECHO_T}$ssl_library_ver" >&6
+        
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+( exit $ac_status )
+                echo "$as_me:$LINENO: result: not found" >&5
+echo "${ECHO_T}not found" >&6
+                { { echo "$as_me:$LINENO: error: OpenSSL library not found." >&5
+echo "$as_me: error: OpenSSL library not found." >&2;}
+   { (exit 1); exit 1; }; }
+        
+fi
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+fi
 # Sanity check OpenSSL headers
 echo "$as_me:$LINENO: checking whether OpenSSL's headers match the library" >&5
@@ -8245,7 +8684,7 @@ else
 #include <string.h>
 #include <openssl/opensslv.h>
-int main(void) { return(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); }
+int main(void) { exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); }
        
 _ACEOF
 rm -f conftest$ac_exeext
@@ -8361,7 +8800,7 @@ else
 #include <string.h>
 #include <openssl/rand.h>
-int main(void) { return(RAND_status() == 1 ? 0 : 1); }
+int main(void) { exit(RAND_status() == 1 ? 0 : 1); }
        
 _ACEOF
 rm -f conftest$ac_exeext
@@ -11321,7 +11760,16 @@ else
        cat >conftest.$ac_ext <<_ACEOF
 #line $LINENO "configure"
 #include "confdefs.h"
- #include <sys/types.h> 
+#include <sys/types.h>
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#include <sys/socket.h>
+#ifdef HAVE_SYS_BITYPES_H
+# include <sys/bitypes.h>
+#endif
+                
 #ifdef F77_DUMMY_MAIN
 #  ifdef __cplusplus
     extern "C"
@@ -11365,109 +11813,6 @@ if test "x$ac_cv_have_int64_t" = "xyes" ; then
 @%:@define HAVE_INT64_T 1
 _ACEOF
-        have_int64_t=1
-fi
-        
-if test -z "$have_int64_t" ; then
-    echo "$as_me:$LINENO: checking for int64_t type in sys/socket.h" >&5
-echo $ECHO_N "checking for int64_t type in sys/socket.h... $ECHO_C" >&6
-        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-#include "confdefs.h"
- #include <sys/socket.h> 
-#ifdef F77_DUMMY_MAIN
-#  ifdef __cplusplus
-     extern "C"
-#  endif
-   int F77_DUMMY_MAIN() { return 1; }
-#endif
-int
-main ()
-{
- int64_t a; a = 1
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  
-                        cat >>confdefs.h <<\_ACEOF
-@%:@define HAVE_INT64_T 1
-_ACEOF
-                        echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-                
-else
-  echo "$as_me: failed program was:" >&5
-cat conftest.$ac_ext >&5
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6 
-        
-fi
-rm -f conftest.$ac_objext conftest.$ac_ext
-fi
-if test -z "$have_int64_t" ; then
-    echo "$as_me:$LINENO: checking for int64_t type in sys/bitypes.h" >&5
-echo $ECHO_N "checking for int64_t type in sys/bitypes.h... $ECHO_C" >&6
-        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-#include "confdefs.h"
- #include <sys/bitypes.h> 
-#ifdef F77_DUMMY_MAIN
-#  ifdef __cplusplus
-     extern "C"
-#  endif
-   int F77_DUMMY_MAIN() { return 1; }
-#endif
-int
-main ()
-{
- int64_t a; a = 1
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  
-                        cat >>confdefs.h <<\_ACEOF
-@%:@define HAVE_INT64_T 1
-_ACEOF
-                        echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-                
-else
-  echo "$as_me: failed program was:" >&5
-cat conftest.$ac_ext >&5
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6 
-        
-fi
-rm -f conftest.$ac_objext conftest.$ac_ext
 fi
 echo "$as_me:$LINENO: checking for u_intXX_t types" >&5
@@ -15334,6 +15679,11 @@ if test "${with_xauth+set}" = set; then
        
 else
  
+                TestPath="$PATH"
+                TestPath="${TestPath}${PATH_SEPARATOR}/usr/X/bin"
+                TestPath="${TestPath}${PATH_SEPARATOR}/usr/bin/X11"
+                TestPath="${TestPath}${PATH_SEPARATOR}/usr/X11R6/bin"
+                TestPath="${TestPath}${PATH_SEPARATOR}/usr/openwin/bin"
                # Extract the first word of "xauth", so it can be a program name with args.
 set dummy xauth; ac_word=$2
 echo "$as_me:$LINENO: checking for $ac_word" >&5
@@ -15347,7 +15697,7 @@ else
  ;;
  *)
  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH:/usr/X/bin:/usr/bin/X11:/usr/X11R6/bin:/usr/openwin/bin
+for as_dir in $TestPath
 do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
@@ -15482,6 +15832,7 @@ echo "$as_me: error: invalid man type: $withval" >&2;}
 fi; 
 if test -z "$MANTYPE"; then
+        TestPath="/usr/bin${PATH_SEPARATOR}/usr/ucb"
        for ac_prog in nroff awf
 do
  # Extract the first word of "$ac_prog", so it can be a program name with args.
@@ -15497,8 +15848,7 @@ else
  ;;
  *)
  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-as_dummy="/usr/bin:/usr/ucb"
+for as_dir in $TestPath
-for as_dir in $as_dummy
 do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
@@ -16997,7 +17347,6 @@ s,@INSTALL_DATA@,$INSTALL_DATA,;t t
 s,@AR@,$AR,;t t
 s,@PERL@,$PERL,;t t
 s,@ENT@,$ENT,;t t
-s,@FILEPRIV@,$FILEPRIV,;t t
 s,@TEST_MINUS_S_SH@,$TEST_MINUS_S_SH,;t t
 s,@SH@,$SH,;t t
 s,@LOGIN_PROGRAM_FALLBACK@,$LOGIN_PROGRAM_FALLBACK,;t t
diff --git a/autom4te-2.53.cache/traces.0 b/autom4te-2.53.cache/traces.0
index 6eb0daac7..3fcfab66c 100644
--- a/autom4te-2.53.cache/traces.0
+++ b/autom4te-2.53.cache/traces.0
@@ -94,283 +94,314 @@ m4trace:configure.ac:16: -1- AC_SUBST([PERL], [$ac_cv_path_PERL])
 m4trace:configure.ac:17: -1- AC_SUBST([PERL])
 m4trace:configure.ac:18: -1- AC_SUBST([ENT], [$ac_cv_path_ENT])
 m4trace:configure.ac:19: -1- AC_SUBST([ENT])
-m4trace:configure.ac:20: -1- AC_SUBST([FILEPRIV], [$ac_cv_path_FILEPRIV])
+m4trace:configure.ac:20: -1- AC_SUBST([TEST_MINUS_S_SH], [$ac_cv_path_TEST_MINUS_S_SH])
 m4trace:configure.ac:21: -1- AC_SUBST([TEST_MINUS_S_SH], [$ac_cv_path_TEST_MINUS_S_SH])
 m4trace:configure.ac:22: -1- AC_SUBST([TEST_MINUS_S_SH], [$ac_cv_path_TEST_MINUS_S_SH])
-m4trace:configure.ac:23: -1- AC_SUBST([TEST_MINUS_S_SH], [$ac_cv_path_TEST_MINUS_S_SH])
+m4trace:configure.ac:23: -1- AC_SUBST([SH], [$ac_cv_path_SH])
-m4trace:configure.ac:24: -1- AC_SUBST([SH], [$ac_cv_path_SH])
+m4trace:configure.ac:26: -1- AC_DEFINE_TRACE_LITERAL([_FILE_OFFSET_BITS])
-m4trace:configure.ac:27: -1- AC_DEFINE_TRACE_LITERAL([_FILE_OFFSET_BITS])
+m4trace:configure.ac:26: -1- AH_OUTPUT([_FILE_OFFSET_BITS], [/* Number of bits in a file offset, on hosts where this is settable. */
-m4trace:configure.ac:27: -1- AH_OUTPUT([_FILE_OFFSET_BITS], [/* Number of bits in a file offset, on hosts where this is settable. */
 #undef _FILE_OFFSET_BITS])
-m4trace:configure.ac:27: -1- AC_DEFINE_TRACE_LITERAL([_LARGE_FILES])
+m4trace:configure.ac:26: -1- AC_DEFINE_TRACE_LITERAL([_LARGE_FILES])
-m4trace:configure.ac:27: -1- AH_OUTPUT([_LARGE_FILES], [/* Define for large files, on AIX-style hosts. */
+m4trace:configure.ac:26: -1- AH_OUTPUT([_LARGE_FILES], [/* Define for large files, on AIX-style hosts. */
 #undef _LARGE_FILES])
-m4trace:configure.ac:35: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_PROGRAM_FALLBACK])
+m4trace:configure.ac:34: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_PROGRAM_FALLBACK])
-m4trace:configure.ac:38: -1- AC_SUBST([LOGIN_PROGRAM_FALLBACK], [$ac_cv_path_LOGIN_PROGRAM_FALLBACK])
+m4trace:configure.ac:37: -1- AC_SUBST([LOGIN_PROGRAM_FALLBACK], [$ac_cv_path_LOGIN_PROGRAM_FALLBACK])
-m4trace:configure.ac:40: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_PROGRAM_FALLBACK])
+m4trace:configure.ac:39: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_PROGRAM_FALLBACK])
-m4trace:configure.ac:47: -1- AC_SUBST([LD])
+m4trace:configure.ac:46: -1- AC_SUBST([LD])
-m4trace:configure.ac:49: -1- AC_C_INLINE
+m4trace:configure.ac:48: -1- AC_C_INLINE
-m4trace:configure.ac:49: -1- AC_DEFINE_TRACE_LITERAL([inline])
+m4trace:configure.ac:48: -1- AC_DEFINE_TRACE_LITERAL([inline])
-m4trace:configure.ac:49: -1- AH_OUTPUT([inline], [/* Define as \`__inline' if that's what the C compiler calls it, or to nothing
+m4trace:configure.ac:48: -1- AH_OUTPUT([inline], [/* Define as \`__inline' if that's what the C compiler calls it, or to nothing
   if it is not supported. */
 #undef inline])
-m4trace:configure.ac:49: -1- AC_DEFINE_TRACE_LITERAL([inline])
+m4trace:configure.ac:48: -1- AC_DEFINE_TRACE_LITERAL([inline])
-m4trace:configure.ac:74: -1- AC_DEFINE_TRACE_LITERAL([WITH_AIXAUTHENTICATE])
+m4trace:configure.ac:78: -1- AC_DEFINE_TRACE_LITERAL([WITH_AIXAUTHENTICATE])
-m4trace:configure.ac:75: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_GETADDRINFO])
+m4trace:configure.ac:78: -1- AC_CHECK_LIB([s], [authenticate], [ AC_DEFINE(WITH_AIXAUTHENTICATE)
-m4trace:configure.ac:76: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_REALPATH])
+                                LIBS="$LIBS -ls"
-m4trace:configure.ac:78: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LASTLOG])
+                        ])
-m4trace:configure.ac:79: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_UTMPX])
+m4trace:configure.ac:78: -1- AC_DEFINE_TRACE_LITERAL([WITH_AIXAUTHENTICATE])
-m4trace:configure.ac:83: -1- AC_DEFINE_TRACE_LITERAL([HAVE_CYGWIN])
+m4trace:configure.ac:79: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_GETADDRINFO])
-m4trace:configure.ac:84: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
+m4trace:configure.ac:80: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_REALPATH])
-m4trace:configure.ac:85: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW])
+m4trace:configure.ac:82: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LASTLOG])
-m4trace:configure.ac:86: -1- AC_DEFINE_TRACE_LITERAL([IPV4_DEFAULT])
+m4trace:configure.ac:83: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_UTMPX])
-m4trace:configure.ac:87: -1- AC_DEFINE_TRACE_LITERAL([IP_TOS_IS_BROKEN])
+m4trace:configure.ac:87: -1- AC_DEFINE_TRACE_LITERAL([HAVE_CYGWIN])
-m4trace:configure.ac:88: -1- AC_DEFINE_TRACE_LITERAL([NO_X11_UNIX_SOCKETS])
+m4trace:configure.ac:88: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
-m4trace:configure.ac:89: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_FD_PASSING])
+m4trace:configure.ac:89: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW])
-m4trace:configure.ac:90: -1- AC_DEFINE_TRACE_LITERAL([SETGROUPS_NOOP])
+m4trace:configure.ac:90: -1- AC_DEFINE_TRACE_LITERAL([IPV4_DEFAULT])
-m4trace:configure.ac:93: -1- AC_DEFINE_TRACE_LITERAL([IP_TOS_IS_BROKEN])
+m4trace:configure.ac:91: -1- AC_DEFINE_TRACE_LITERAL([IP_TOS_IS_BROKEN])
-m4trace:configure.ac:96: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_GETADDRINFO])
+m4trace:configure.ac:92: -1- AC_DEFINE_TRACE_LITERAL([NO_X11_UNIX_SOCKETS])
-m4trace:configure.ac:104: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SECUREWARE])
+m4trace:configure.ac:93: -1- AC_DEFINE_TRACE_LITERAL([NO_IPPORT_RESERVED_CONCEPT])
-m4trace:configure.ac:105: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
+m4trace:configure.ac:94: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_FD_PASSING])
-m4trace:configure.ac:106: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NO_ENDOPT])
+m4trace:configure.ac:95: -1- AC_DEFINE_TRACE_LITERAL([SETGROUPS_NOOP])
-m4trace:configure.ac:107: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_UTMPX])
+m4trace:configure.ac:98: -1- AC_DEFINE_TRACE_LITERAL([IP_TOS_IS_BROKEN])
-m4trace:configure.ac:108: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW])
+m4trace:configure.ac:110: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_GETADDRINFO])
-m4trace:configure.ac:109: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP])
+m4trace:configure.ac:118: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SECUREWARE])
-m4trace:configure.ac:110: -1- AC_DEFINE_TRACE_LITERAL([SPT_TYPE])
+m4trace:configure.ac:119: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
-m4trace:configure.ac:120: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
+m4trace:configure.ac:120: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NO_ENDOPT])
-m4trace:configure.ac:121: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NO_ENDOPT])
+m4trace:configure.ac:121: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_UTMPX])
-m4trace:configure.ac:122: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_UTMPX])
+m4trace:configure.ac:122: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW])
-m4trace:configure.ac:123: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW])
+m4trace:configure.ac:123: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP])
-m4trace:configure.ac:124: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP])
+m4trace:configure.ac:124: -1- AC_DEFINE_TRACE_LITERAL([SPT_TYPE])
-m4trace:configure.ac:125: -1- AC_DEFINE_TRACE_LITERAL([SPT_TYPE])
+m4trace:configure.ac:126: -1- AC_CHECK_LIB([xnet], [t_error], [], [{ { echo "$as_me:$LINENO: error: *** -lxnet needed on HP-UX - check config.log ***" >&5
-m4trace:configure.ac:131: -1- AC_DEFINE_TRACE_LITERAL([PAM_SUN_CODEBASE])
+echo "$as_me: error: *** -lxnet needed on HP-UX - check config.log ***" >&2;}
-m4trace:configure.ac:132: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
+   { (exit 1); exit 1; }; }])
-m4trace:configure.ac:133: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NO_ENDOPT])
+m4trace:configure.ac:126: -1- AH_OUTPUT([HAVE_LIBXNET], [/* Define to 1 if you have the \`xnet' library (-lxnet). */
-m4trace:configure.ac:134: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_UTMPX])
+#undef HAVE_LIBXNET])
-m4trace:configure.ac:135: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW])
+m4trace:configure.ac:126: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBXNET])
-m4trace:configure.ac:136: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP])
+m4trace:configure.ac:135: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
-m4trace:configure.ac:137: -1- AC_DEFINE_TRACE_LITERAL([SPT_TYPE])
+m4trace:configure.ac:136: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NO_ENDOPT])
-m4trace:configure.ac:144: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_INET_NTOA])
+m4trace:configure.ac:137: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_UTMPX])
-m4trace:configure.ac:145: -1- AC_DEFINE_TRACE_LITERAL([WITH_ABBREV_NO_TTY])
+m4trace:configure.ac:138: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW])
-m4trace:configure.ac:151: -1- AC_DEFINE_TRACE_LITERAL([WITH_IRIX_ARRAY])
+m4trace:configure.ac:139: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP])
-m4trace:configure.ac:152: -1- AC_DEFINE_TRACE_LITERAL([WITH_IRIX_PROJECT])
+m4trace:configure.ac:140: -1- AC_DEFINE_TRACE_LITERAL([SPT_TYPE])
-m4trace:configure.ac:153: -1- AC_DEFINE_TRACE_LITERAL([WITH_IRIX_AUDIT])
+m4trace:configure.ac:142: -1- AC_CHECK_LIB([xnet], [t_error], [], [{ { echo "$as_me:$LINENO: error: *** -lxnet needed on HP-UX - check config.log ***" >&5
-m4trace:configure.ac:154: -1- AC_DEFINE_TRACE_LITERAL([WITH_IRIX_JOBS])
+echo "$as_me: error: *** -lxnet needed on HP-UX - check config.log ***" >&2;}
-m4trace:configure.ac:155: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_INET_NTOA])
+   { (exit 1); exit 1; }; }])
-m4trace:configure.ac:156: -1- AC_DEFINE_TRACE_LITERAL([WITH_ABBREV_NO_TTY])
+m4trace:configure.ac:142: -1- AH_OUTPUT([HAVE_LIBXNET], [/* Define to 1 if you have the \`xnet' library (-lxnet). */
-m4trace:configure.ac:161: -1- AC_DEFINE_TRACE_LITERAL([DONT_TRY_OTHER_AF])
+#undef HAVE_LIBXNET])
-m4trace:configure.ac:162: -1- AC_DEFINE_TRACE_LITERAL([PAM_TTY_KLUDGE])
+m4trace:configure.ac:142: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBXNET])
-m4trace:configure.ac:166: -1- AC_DEFINE_TRACE_LITERAL([HAVE_NEWS4])
+m4trace:configure.ac:147: -1- AC_DEFINE_TRACE_LITERAL([PAM_SUN_CODEBASE])
-m4trace:configure.ac:180: -1- AC_DEFINE_TRACE_LITERAL([HAVE_NEXT])
+m4trace:configure.ac:148: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
-m4trace:configure.ac:181: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_REALPATH])
+m4trace:configure.ac:149: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NO_ENDOPT])
-m4trace:configure.ac:182: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
+m4trace:configure.ac:150: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_UTMPX])
-m4trace:configure.ac:183: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_SAVED_UIDS])
+m4trace:configure.ac:151: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW])
-m4trace:configure.ac:191: -1- AC_DEFINE_TRACE_LITERAL([PAM_SUN_CODEBASE])
+m4trace:configure.ac:152: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP])
-m4trace:configure.ac:192: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_UTMPX])
+m4trace:configure.ac:153: -1- AC_DEFINE_TRACE_LITERAL([SPT_TYPE])
-m4trace:configure.ac:193: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_TERM])
+m4trace:configure.ac:155: -1- AC_CHECK_LIB([xnet], [t_error], [], [{ { echo "$as_me:$LINENO: error: *** -lxnet needed on HP-UX - check config.log ***" >&5
-m4trace:configure.ac:194: -1- AC_DEFINE_TRACE_LITERAL([PAM_TTY_KLUDGE])
+echo "$as_me: error: *** -lxnet needed on HP-UX - check config.log ***" >&2;}
-m4trace:configure.ac:201: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP])
+   { (exit 1); exit 1; }; }])
-m4trace:configure.ac:202: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMP])
+m4trace:configure.ac:155: -1- AH_OUTPUT([HAVE_LIBXNET], [/* Define to 1 if you have the \`xnet' library (-lxnet). */
-m4trace:configure.ac:209: -1- AC_CHECK_FUNCS([getpwanam])
+#undef HAVE_LIBXNET])
-m4trace:configure.ac:209: -1- AH_OUTPUT([HAVE_GETPWANAM], [/* Define to 1 if you have the \`getpwanam' function. */
+m4trace:configure.ac:155: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBXNET])
+m4trace:configure.ac:161: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_INET_NTOA])
+m4trace:configure.ac:162: -1- AC_DEFINE_TRACE_LITERAL([WITH_ABBREV_NO_TTY])
+m4trace:configure.ac:168: -1- AC_DEFINE_TRACE_LITERAL([WITH_IRIX_ARRAY])
+m4trace:configure.ac:169: -1- AC_DEFINE_TRACE_LITERAL([WITH_IRIX_PROJECT])
+m4trace:configure.ac:170: -1- AC_DEFINE_TRACE_LITERAL([WITH_IRIX_AUDIT])
+m4trace:configure.ac:171: -1- AC_DEFINE_TRACE_LITERAL([WITH_IRIX_JOBS])
+m4trace:configure.ac:172: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_INET_NTOA])
+m4trace:configure.ac:173: -1- AC_DEFINE_TRACE_LITERAL([WITH_ABBREV_NO_TTY])
+m4trace:configure.ac:178: -1- AC_DEFINE_TRACE_LITERAL([DONT_TRY_OTHER_AF])
+m4trace:configure.ac:179: -1- AC_DEFINE_TRACE_LITERAL([PAM_TTY_KLUDGE])
+m4trace:configure.ac:183: -1- AC_DEFINE_TRACE_LITERAL([HAVE_NEWS4])
+m4trace:configure.ac:198: -1- AC_DEFINE_TRACE_LITERAL([HAVE_NEXT])
+m4trace:configure.ac:199: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_REALPATH])
+m4trace:configure.ac:200: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
+m4trace:configure.ac:201: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_SAVED_UIDS])
+m4trace:configure.ac:209: -1- AC_DEFINE_TRACE_LITERAL([PAM_SUN_CODEBASE])
+m4trace:configure.ac:210: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_UTMPX])
+m4trace:configure.ac:211: -1- AC_DEFINE_TRACE_LITERAL([LOGIN_NEEDS_TERM])
+m4trace:configure.ac:212: -1- AC_DEFINE_TRACE_LITERAL([PAM_TTY_KLUDGE])
+m4trace:configure.ac:219: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP])
+m4trace:configure.ac:220: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMP])
+m4trace:configure.ac:227: -1- AC_CHECK_FUNCS([getpwanam])
+m4trace:configure.ac:227: -1- AH_OUTPUT([HAVE_GETPWANAM], [/* Define to 1 if you have the \`getpwanam' function. */
 #undef HAVE_GETPWANAM])
-m4trace:configure.ac:210: -1- AC_DEFINE_TRACE_LITERAL([PAM_SUN_CODEBASE])
+m4trace:configure.ac:228: -1- AC_DEFINE_TRACE_LITERAL([PAM_SUN_CODEBASE])
-m4trace:configure.ac:214: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
+m4trace:configure.ac:232: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
-m4trace:configure.ac:220: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
+m4trace:configure.ac:238: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
-m4trace:configure.ac:227: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
+m4trace:configure.ac:245: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
-m4trace:configure.ac:228: -1- AC_DEFINE_TRACE_LITERAL([IP_TOS_IS_BROKEN])
+m4trace:configure.ac:246: -1- AC_DEFINE_TRACE_LITERAL([IP_TOS_IS_BROKEN])
-m4trace:configure.ac:236: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
-m4trace:configure.ac:241: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
-m4trace:configure.ac:253: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_SYS_TERMIO_H])
 m4trace:configure.ac:254: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
-m4trace:configure.ac:255: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SECUREWARE])
+m4trace:configure.ac:259: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
-m4trace:configure.ac:256: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW])
+m4trace:configure.ac:271: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_SYS_TERMIO_H])
-m4trace:configure.ac:257: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_SAVED_UIDS])
+m4trace:configure.ac:272: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
-m4trace:configure.ac:258: -1- AC_CHECK_FUNCS([getluid setluid])
+m4trace:configure.ac:273: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SECUREWARE])
-m4trace:configure.ac:258: -1- AH_OUTPUT([HAVE_GETLUID], [/* Define to 1 if you have the \`getluid' function. */
+m4trace:configure.ac:274: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW])
+m4trace:configure.ac:275: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_SAVED_UIDS])
+m4trace:configure.ac:276: -1- AC_CHECK_FUNCS([getluid setluid])
+m4trace:configure.ac:276: -1- AH_OUTPUT([HAVE_GETLUID], [/* Define to 1 if you have the \`getluid' function. */
 #undef HAVE_GETLUID])
-m4trace:configure.ac:258: -1- AH_OUTPUT([HAVE_SETLUID], [/* Define to 1 if you have the \`setluid' function. */
+m4trace:configure.ac:276: -1- AH_OUTPUT([HAVE_SETLUID], [/* Define to 1 if you have the \`setluid' function. */
 #undef HAVE_SETLUID])
-m4trace:configure.ac:267: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
+m4trace:configure.ac:285: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
-m4trace:configure.ac:268: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SECUREWARE])
+m4trace:configure.ac:286: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SECUREWARE])
-m4trace:configure.ac:269: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW])
+m4trace:configure.ac:287: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW])
-m4trace:configure.ac:270: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_FD_PASSING])
+m4trace:configure.ac:288: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_FD_PASSING])
-m4trace:configure.ac:271: -1- AC_CHECK_FUNCS([getluid setluid])
+m4trace:configure.ac:289: -1- AC_CHECK_FUNCS([getluid setluid])
-m4trace:configure.ac:271: -1- AH_OUTPUT([HAVE_GETLUID], [/* Define to 1 if you have the \`getluid' function. */
+m4trace:configure.ac:289: -1- AH_OUTPUT([HAVE_GETLUID], [/* Define to 1 if you have the \`getluid' function. */
 #undef HAVE_GETLUID])
-m4trace:configure.ac:271: -1- AH_OUTPUT([HAVE_SETLUID], [/* Define to 1 if you have the \`setluid' function. */
+m4trace:configure.ac:289: -1- AH_OUTPUT([HAVE_SETLUID], [/* Define to 1 if you have the \`setluid' function. */
 #undef HAVE_SETLUID])
-m4trace:configure.ac:277: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
+m4trace:configure.ac:295: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
-m4trace:configure.ac:278: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_FD_PASSING])
+m4trace:configure.ac:296: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_FD_PASSING])
-m4trace:configure.ac:297: -1- AC_DEFINE_TRACE_LITERAL([HAVE_OSF_SIA])
+m4trace:configure.ac:304: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
-m4trace:configure.ac:298: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LOGIN])
+m4trace:configure.ac:305: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_FD_PASSING])
-m4trace:configure.ac:307: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
+m4trace:configure.ac:306: -1- AC_DEFINE_TRACE_LITERAL([NO_SSH_LASTLOG])
-m4trace:configure.ac:308: -1- AC_DEFINE_TRACE_LITERAL([NO_X11_UNIX_SOCKETS])
+m4trace:configure.ac:326: -1- AC_DEFINE_TRACE_LITERAL([HAVE_OSF_SIA])
-m4trace:configure.ac:309: -1- AC_DEFINE_TRACE_LITERAL([MISSING_NFDBITS])
+m4trace:configure.ac:327: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LOGIN])
-m4trace:configure.ac:310: -1- AC_DEFINE_TRACE_LITERAL([MISSING_HOWMANY])
+m4trace:configure.ac:336: -1- AC_DEFINE_TRACE_LITERAL([USE_PIPES])
-m4trace:configure.ac:311: -1- AC_DEFINE_TRACE_LITERAL([MISSING_FD_MASK])
+m4trace:configure.ac:337: -1- AC_DEFINE_TRACE_LITERAL([NO_X11_UNIX_SOCKETS])
-m4trace:configure.ac:359: -1- AC_CHECK_HEADERS([bstring.h crypt.h endian.h floatingpoint.h \
+m4trace:configure.ac:338: -1- AC_DEFINE_TRACE_LITERAL([MISSING_NFDBITS])
-        getopt.h glob.h lastlog.h limits.h login.h \
+m4trace:configure.ac:339: -1- AC_DEFINE_TRACE_LITERAL([MISSING_HOWMANY])
+m4trace:configure.ac:340: -1- AC_DEFINE_TRACE_LITERAL([MISSING_FD_MASK])
+m4trace:configure.ac:388: -1- AC_CHECK_HEADERS([bstring.h crypt.h endian.h floatingpoint.h \
+        getopt.h glob.h ia.h lastlog.h limits.h login.h \
        login_cap.h maillock.h netdb.h netgroup.h \
        netinet/in_systm.h paths.h pty.h readpassphrase.h \
        rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \
        strings.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h \
        sys/mman.h sys/select.h sys/stat.h \
        sys/stropts.h sys/sysmacros.h sys/time.h \
-        sys/un.h time.h ttyent.h usersec.h \
+        sys/un.h time.h tmpdir.h ttyent.h usersec.h \
        util.h utime.h utmp.h utmpx.h])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_BSTRING_H], [/* Define to 1 if you have the <bstring.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_BSTRING_H], [/* Define to 1 if you have the <bstring.h> header file. */
 #undef HAVE_BSTRING_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_CRYPT_H], [/* Define to 1 if you have the <crypt.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_CRYPT_H], [/* Define to 1 if you have the <crypt.h> header file. */
 #undef HAVE_CRYPT_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_ENDIAN_H], [/* Define to 1 if you have the <endian.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_ENDIAN_H], [/* Define to 1 if you have the <endian.h> header file. */
 #undef HAVE_ENDIAN_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_FLOATINGPOINT_H], [/* Define to 1 if you have the <floatingpoint.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_FLOATINGPOINT_H], [/* Define to 1 if you have the <floatingpoint.h> header file. */
 #undef HAVE_FLOATINGPOINT_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_GETOPT_H], [/* Define to 1 if you have the <getopt.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_GETOPT_H], [/* Define to 1 if you have the <getopt.h> header file. */
 #undef HAVE_GETOPT_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_GLOB_H], [/* Define to 1 if you have the <glob.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_GLOB_H], [/* Define to 1 if you have the <glob.h> header file. */
 #undef HAVE_GLOB_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_LASTLOG_H], [/* Define to 1 if you have the <lastlog.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_IA_H], [/* Define to 1 if you have the <ia.h> header file. */
+#undef HAVE_IA_H])
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_LASTLOG_H], [/* Define to 1 if you have the <lastlog.h> header file. */
 #undef HAVE_LASTLOG_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_LIMITS_H], [/* Define to 1 if you have the <limits.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_LIMITS_H], [/* Define to 1 if you have the <limits.h> header file. */
 #undef HAVE_LIMITS_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_LOGIN_H], [/* Define to 1 if you have the <login.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_LOGIN_H], [/* Define to 1 if you have the <login.h> header file. */
 #undef HAVE_LOGIN_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_LOGIN_CAP_H], [/* Define to 1 if you have the <login_cap.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_LOGIN_CAP_H], [/* Define to 1 if you have the <login_cap.h> header file. */
 #undef HAVE_LOGIN_CAP_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_MAILLOCK_H], [/* Define to 1 if you have the <maillock.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_MAILLOCK_H], [/* Define to 1 if you have the <maillock.h> header file. */
 #undef HAVE_MAILLOCK_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_NETDB_H], [/* Define to 1 if you have the <netdb.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_NETDB_H], [/* Define to 1 if you have the <netdb.h> header file. */
 #undef HAVE_NETDB_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_NETGROUP_H], [/* Define to 1 if you have the <netgroup.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_NETGROUP_H], [/* Define to 1 if you have the <netgroup.h> header file. */
 #undef HAVE_NETGROUP_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_NETINET_IN_SYSTM_H], [/* Define to 1 if you have the <netinet/in_systm.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_NETINET_IN_SYSTM_H], [/* Define to 1 if you have the <netinet/in_systm.h> header file. */
 #undef HAVE_NETINET_IN_SYSTM_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_PATHS_H], [/* Define to 1 if you have the <paths.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_PATHS_H], [/* Define to 1 if you have the <paths.h> header file. */
 #undef HAVE_PATHS_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_PTY_H], [/* Define to 1 if you have the <pty.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_PTY_H], [/* Define to 1 if you have the <pty.h> header file. */
 #undef HAVE_PTY_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_READPASSPHRASE_H], [/* Define to 1 if you have the <readpassphrase.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_READPASSPHRASE_H], [/* Define to 1 if you have the <readpassphrase.h> header file. */
 #undef HAVE_READPASSPHRASE_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_RPC_TYPES_H], [/* Define to 1 if you have the <rpc/types.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_RPC_TYPES_H], [/* Define to 1 if you have the <rpc/types.h> header file. */
 #undef HAVE_RPC_TYPES_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_SECURITY_PAM_APPL_H], [/* Define to 1 if you have the <security/pam_appl.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_SECURITY_PAM_APPL_H], [/* Define to 1 if you have the <security/pam_appl.h> header file. */
 #undef HAVE_SECURITY_PAM_APPL_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_SHADOW_H], [/* Define to 1 if you have the <shadow.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_SHADOW_H], [/* Define to 1 if you have the <shadow.h> header file. */
 #undef HAVE_SHADOW_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_STDDEF_H], [/* Define to 1 if you have the <stddef.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_STDDEF_H], [/* Define to 1 if you have the <stddef.h> header file. */
 #undef HAVE_STDDEF_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_STDINT_H], [/* Define to 1 if you have the <stdint.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_STDINT_H], [/* Define to 1 if you have the <stdint.h> header file. */
 #undef HAVE_STDINT_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_STRINGS_H], [/* Define to 1 if you have the <strings.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_STRINGS_H], [/* Define to 1 if you have the <strings.h> header file. */
 #undef HAVE_STRINGS_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_SYS_BITYPES_H], [/* Define to 1 if you have the <sys/bitypes.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_SYS_BITYPES_H], [/* Define to 1 if you have the <sys/bitypes.h> header file. */
 #undef HAVE_SYS_BITYPES_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_SYS_BSDTTY_H], [/* Define to 1 if you have the <sys/bsdtty.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_SYS_BSDTTY_H], [/* Define to 1 if you have the <sys/bsdtty.h> header file. */
 #undef HAVE_SYS_BSDTTY_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_SYS_CDEFS_H], [/* Define to 1 if you have the <sys/cdefs.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_SYS_CDEFS_H], [/* Define to 1 if you have the <sys/cdefs.h> header file. */
 #undef HAVE_SYS_CDEFS_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_SYS_MMAN_H], [/* Define to 1 if you have the <sys/mman.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_SYS_MMAN_H], [/* Define to 1 if you have the <sys/mman.h> header file. */
 #undef HAVE_SYS_MMAN_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_SYS_SELECT_H], [/* Define to 1 if you have the <sys/select.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_SYS_SELECT_H], [/* Define to 1 if you have the <sys/select.h> header file. */
 #undef HAVE_SYS_SELECT_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_SYS_STAT_H], [/* Define to 1 if you have the <sys/stat.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_SYS_STAT_H], [/* Define to 1 if you have the <sys/stat.h> header file. */
 #undef HAVE_SYS_STAT_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_SYS_STROPTS_H], [/* Define to 1 if you have the <sys/stropts.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_SYS_STROPTS_H], [/* Define to 1 if you have the <sys/stropts.h> header file. */
 #undef HAVE_SYS_STROPTS_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_SYS_SYSMACROS_H], [/* Define to 1 if you have the <sys/sysmacros.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_SYS_SYSMACROS_H], [/* Define to 1 if you have the <sys/sysmacros.h> header file. */
 #undef HAVE_SYS_SYSMACROS_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_SYS_TIME_H], [/* Define to 1 if you have the <sys/time.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_SYS_TIME_H], [/* Define to 1 if you have the <sys/time.h> header file. */
 #undef HAVE_SYS_TIME_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_SYS_UN_H], [/* Define to 1 if you have the <sys/un.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_SYS_UN_H], [/* Define to 1 if you have the <sys/un.h> header file. */
 #undef HAVE_SYS_UN_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_TIME_H], [/* Define to 1 if you have the <time.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_TIME_H], [/* Define to 1 if you have the <time.h> header file. */
 #undef HAVE_TIME_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_TTYENT_H], [/* Define to 1 if you have the <ttyent.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_TMPDIR_H], [/* Define to 1 if you have the <tmpdir.h> header file. */
+#undef HAVE_TMPDIR_H])
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_TTYENT_H], [/* Define to 1 if you have the <ttyent.h> header file. */
 #undef HAVE_TTYENT_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_USERSEC_H], [/* Define to 1 if you have the <usersec.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_USERSEC_H], [/* Define to 1 if you have the <usersec.h> header file. */
 #undef HAVE_USERSEC_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_UTIL_H], [/* Define to 1 if you have the <util.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_UTIL_H], [/* Define to 1 if you have the <util.h> header file. */
 #undef HAVE_UTIL_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_UTIME_H], [/* Define to 1 if you have the <utime.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_UTIME_H], [/* Define to 1 if you have the <utime.h> header file. */
 #undef HAVE_UTIME_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_UTMP_H], [/* Define to 1 if you have the <utmp.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_UTMP_H], [/* Define to 1 if you have the <utmp.h> header file. */
 #undef HAVE_UTMP_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_UTMPX_H], [/* Define to 1 if you have the <utmpx.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_UTMPX_H], [/* Define to 1 if you have the <utmpx.h> header file. */
 #undef HAVE_UTMPX_H])
-m4trace:configure.ac:359: -1- AC_HEADER_STDC
+m4trace:configure.ac:388: -1- AC_HEADER_STDC
-m4trace:configure.ac:359: -1- AC_DEFINE_TRACE_LITERAL([STDC_HEADERS])
+m4trace:configure.ac:388: -1- AC_DEFINE_TRACE_LITERAL([STDC_HEADERS])
-m4trace:configure.ac:359: -1- AH_OUTPUT([STDC_HEADERS], [/* Define to 1 if you have the ANSI C header files. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([STDC_HEADERS], [/* Define to 1 if you have the ANSI C header files. */
 #undef STDC_HEADERS])
-m4trace:configure.ac:359: -1- AC_CHECK_HEADERS([sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \
+m4trace:configure.ac:388: -1- AC_CHECK_HEADERS([sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \
                  inttypes.h stdint.h unistd.h], [], [], [$ac_includes_default])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_SYS_TYPES_H], [/* Define to 1 if you have the <sys/types.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_SYS_TYPES_H], [/* Define to 1 if you have the <sys/types.h> header file. */
 #undef HAVE_SYS_TYPES_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_SYS_STAT_H], [/* Define to 1 if you have the <sys/stat.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_SYS_STAT_H], [/* Define to 1 if you have the <sys/stat.h> header file. */
 #undef HAVE_SYS_STAT_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_STDLIB_H], [/* Define to 1 if you have the <stdlib.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_STDLIB_H], [/* Define to 1 if you have the <stdlib.h> header file. */
 #undef HAVE_STDLIB_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_STRING_H], [/* Define to 1 if you have the <string.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_STRING_H], [/* Define to 1 if you have the <string.h> header file. */
 #undef HAVE_STRING_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_MEMORY_H], [/* Define to 1 if you have the <memory.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_MEMORY_H], [/* Define to 1 if you have the <memory.h> header file. */
 #undef HAVE_MEMORY_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_STRINGS_H], [/* Define to 1 if you have the <strings.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_STRINGS_H], [/* Define to 1 if you have the <strings.h> header file. */
 #undef HAVE_STRINGS_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_INTTYPES_H], [/* Define to 1 if you have the <inttypes.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_INTTYPES_H], [/* Define to 1 if you have the <inttypes.h> header file. */
 #undef HAVE_INTTYPES_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_STDINT_H], [/* Define to 1 if you have the <stdint.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_STDINT_H], [/* Define to 1 if you have the <stdint.h> header file. */
 #undef HAVE_STDINT_H])
-m4trace:configure.ac:359: -1- AH_OUTPUT([HAVE_UNISTD_H], [/* Define to 1 if you have the <unistd.h> header file. */
+m4trace:configure.ac:388: -1- AH_OUTPUT([HAVE_UNISTD_H], [/* Define to 1 if you have the <unistd.h> header file. */
 #undef HAVE_UNISTD_H])
-m4trace:configure.ac:362: -2- AC_CHECK_LIB([nsl], [yp_match])
+m4trace:configure.ac:391: -2- AC_CHECK_LIB([nsl], [yp_match])
-m4trace:configure.ac:362: -2- AH_OUTPUT([HAVE_LIBNSL], [/* Define to 1 if you have the \`nsl' library (-lnsl). */
+m4trace:configure.ac:391: -2- AH_OUTPUT([HAVE_LIBNSL], [/* Define to 1 if you have the \`nsl' library (-lnsl). */
 #undef HAVE_LIBNSL])
-m4trace:configure.ac:362: -2- AC_DEFINE_TRACE_LITERAL([HAVE_LIBNSL])
+m4trace:configure.ac:391: -2- AC_DEFINE_TRACE_LITERAL([HAVE_LIBNSL])
-m4trace:configure.ac:363: -2- AC_CHECK_LIB([socket], [setsockopt])
+m4trace:configure.ac:392: -2- AC_CHECK_LIB([socket], [setsockopt])
-m4trace:configure.ac:363: -2- AH_OUTPUT([HAVE_LIBSOCKET], [/* Define to 1 if you have the \`socket' library (-lsocket). */
+m4trace:configure.ac:392: -2- AH_OUTPUT([HAVE_LIBSOCKET], [/* Define to 1 if you have the \`socket' library (-lsocket). */
 #undef HAVE_LIBSOCKET])
-m4trace:configure.ac:363: -2- AC_DEFINE_TRACE_LITERAL([HAVE_LIBSOCKET])
+m4trace:configure.ac:392: -2- AC_DEFINE_TRACE_LITERAL([HAVE_LIBSOCKET])
-m4trace:configure.ac:368: -1- AC_CHECK_LIB([rpc], [innetgr], [LIBS="-lrpc -lyp -lrpc $LIBS" ], [], [-lyp -lrpc])
+m4trace:configure.ac:397: -1- AC_CHECK_LIB([rpc], [innetgr], [LIBS="-lrpc -lyp -lrpc $LIBS" ], [], [-lyp -lrpc])
-m4trace:configure.ac:373: -2- AC_CHECK_LIB([gen], [getspnam], [LIBS="$LIBS -lgen"])
+m4trace:configure.ac:402: -2- AC_CHECK_LIB([gen], [getspnam], [LIBS="$LIBS -lgen"])
-m4trace:configure.ac:415: -1- AC_CHECK_LIB([z], [deflate], [], [{ { echo "$as_me:$LINENO: error: *** zlib missing - please install first or check config.log ***" >&5
+m4trace:configure.ac:444: -1- AC_CHECK_LIB([z], [deflate], [], [{ { echo "$as_me:$LINENO: error: *** zlib missing - please install first or check config.log ***" >&5
 echo "$as_me: error: *** zlib missing - please install first or check config.log ***" >&2;}
   { (exit 1); exit 1; }; }])
-m4trace:configure.ac:415: -1- AH_OUTPUT([HAVE_LIBZ], [/* Define to 1 if you have the \`z' library (-lz). */
+m4trace:configure.ac:444: -1- AH_OUTPUT([HAVE_LIBZ], [/* Define to 1 if you have the \`z' library (-lz). */
 #undef HAVE_LIBZ])
-m4trace:configure.ac:415: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBZ])
+m4trace:configure.ac:444: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBZ])
-m4trace:configure.ac:420: -1- AC_CHECK_LIB([resolv], [strcasecmp], [LIBS="$LIBS -lresolv"])
+m4trace:configure.ac:449: -1- AC_CHECK_LIB([resolv], [strcasecmp], [LIBS="$LIBS -lresolv"])
-m4trace:configure.ac:423: -1- AC_CHECK_LIB([c89], [utimes], [LIBS="$LIBS -lc89"])
+m4trace:configure.ac:453: -1- AC_CHECK_LIB([c89], [utimes], [AC_DEFINE(HAVE_UTIMES)
-m4trace:configure.ac:426: -1- AC_CHECK_HEADERS([libutil.h])
+                                        LIBS="$LIBS -lc89"])
-m4trace:configure.ac:426: -1- AH_OUTPUT([HAVE_LIBUTIL_H], [/* Define to 1 if you have the <libutil.h> header file. */
+m4trace:configure.ac:453: -1- AC_DEFINE_TRACE_LITERAL([HAVE_UTIMES])
+m4trace:configure.ac:456: -1- AC_CHECK_HEADERS([libutil.h])
+m4trace:configure.ac:456: -1- AH_OUTPUT([HAVE_LIBUTIL_H], [/* Define to 1 if you have the <libutil.h> header file. */
 #undef HAVE_LIBUTIL_H])
-m4trace:configure.ac:427: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LOGIN])
+m4trace:configure.ac:457: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LOGIN])
-m4trace:configure.ac:428: -1- AC_CHECK_FUNCS([logout updwtmp logwtmp])
+m4trace:configure.ac:458: -1- AC_CHECK_FUNCS([logout updwtmp logwtmp])
-m4trace:configure.ac:428: -1- AH_OUTPUT([HAVE_LOGOUT], [/* Define to 1 if you have the \`logout' function. */
+m4trace:configure.ac:458: -1- AH_OUTPUT([HAVE_LOGOUT], [/* Define to 1 if you have the \`logout' function. */
 #undef HAVE_LOGOUT])
-m4trace:configure.ac:428: -1- AH_OUTPUT([HAVE_UPDWTMP], [/* Define to 1 if you have the \`updwtmp' function. */
+m4trace:configure.ac:458: -1- AH_OUTPUT([HAVE_UPDWTMP], [/* Define to 1 if you have the \`updwtmp' function. */
 #undef HAVE_UPDWTMP])
-m4trace:configure.ac:428: -1- AH_OUTPUT([HAVE_LOGWTMP], [/* Define to 1 if you have the \`logwtmp' function. */
+m4trace:configure.ac:458: -1- AH_OUTPUT([HAVE_LOGWTMP], [/* Define to 1 if you have the \`logwtmp' function. */
 #undef HAVE_LOGWTMP])
-m4trace:configure.ac:430: -1- AC_FUNC_STRFTIME
+m4trace:configure.ac:460: -1- AC_FUNC_STRFTIME
-m4trace:configure.ac:430: -1- AC_CHECK_FUNCS([strftime], [], [# strftime is in -lintl on SCO UNIX.
+m4trace:configure.ac:460: -1- AC_CHECK_FUNCS([strftime], [], [# strftime is in -lintl on SCO UNIX.
 AC_CHECK_LIB(intl, strftime,
             [AC_DEFINE(HAVE_STRFTIME)
 LIBS="-lintl $LIBS"])])
-m4trace:configure.ac:430: -1- AH_OUTPUT([HAVE_STRFTIME], [/* Define to 1 if you have the \`strftime' function. */
+m4trace:configure.ac:460: -1- AH_OUTPUT([HAVE_STRFTIME], [/* Define to 1 if you have the \`strftime' function. */
 #undef HAVE_STRFTIME])
-m4trace:configure.ac:430: -1- AC_CHECK_LIB([intl], [strftime], [AC_DEFINE(HAVE_STRFTIME)
+m4trace:configure.ac:460: -1- AC_CHECK_LIB([intl], [strftime], [AC_DEFINE(HAVE_STRFTIME)
 LIBS="-lintl $LIBS"])
-m4trace:configure.ac:430: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRFTIME])
+m4trace:configure.ac:460: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRFTIME])
-m4trace:configure.ac:448: -1- AC_DEFINE_TRACE_LITERAL([GLOB_HAS_ALTDIRFUNC])
+m4trace:configure.ac:478: -1- AC_DEFINE_TRACE_LITERAL([GLOB_HAS_ALTDIRFUNC])
-m4trace:configure.ac:464: -1- AC_DEFINE_TRACE_LITERAL([GLOB_HAS_GL_MATCHC])
+m4trace:configure.ac:494: -1- AC_DEFINE_TRACE_LITERAL([GLOB_HAS_GL_MATCHC])
-m4trace:configure.ac:478: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_ONE_BYTE_DIRENT_D_NAME])
+m4trace:configure.ac:508: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_ONE_BYTE_DIRENT_D_NAME])
-m4trace:configure.ac:511: -1- AC_DEFINE_TRACE_LITERAL([SKEY])
+m4trace:configure.ac:541: -1- AC_DEFINE_TRACE_LITERAL([SKEY])
-m4trace:configure.ac:565: -1- AC_DEFINE_TRACE_LITERAL([LIBWRAP])
+m4trace:configure.ac:595: -1- AC_DEFINE_TRACE_LITERAL([LIBWRAP])
-m4trace:configure.ac:565: -1- AC_SUBST([LIBWRAP])
+m4trace:configure.ac:595: -1- AC_SUBST([LIBWRAP])
-m4trace:configure.ac:578: -1- AC_CHECK_FUNCS([arc4random b64_ntop bcopy bindresvport_sa \
+m4trace:configure.ac:608: -1- AC_CHECK_FUNCS([arc4random b64_ntop bcopy bindresvport_sa \
        clock fchmod fchown freeaddrinfo futimes gai_strerror \
-        getaddrinfo getcwd getgrouplist getnameinfo getopt \
+        getaddrinfo getcwd getgrouplist getnameinfo getopt getpeereid\
        getrlimit getrusage getttyent glob inet_aton inet_ntoa \
        inet_ntop innetgr login_getcapbool md5_crypt memmove \
        mkdtemp mmap ngetaddrinfo openpty ogetaddrinfo readpassphrase \
@@ -379,142 +410,143 @@ m4trace:configure.ac:578: -1- AC_CHECK_FUNCS([arc4random b64_ntop bcopy bindresv
        setrlimit setsid setpcred setvbuf sigaction sigvec snprintf \
        socketpair strerror strlcat strlcpy strmode strsep sysconf tcgetpgrp \
        truncate utimes vhangup vsnprintf waitpid __b64_ntop _getpty])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_ARC4RANDOM], [/* Define to 1 if you have the \`arc4random' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_ARC4RANDOM], [/* Define to 1 if you have the \`arc4random' function. */
 #undef HAVE_ARC4RANDOM])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_B64_NTOP], [/* Define to 1 if you have the \`b64_ntop' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_B64_NTOP], [/* Define to 1 if you have the \`b64_ntop' function. */
 #undef HAVE_B64_NTOP])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_BCOPY], [/* Define to 1 if you have the \`bcopy' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_BCOPY], [/* Define to 1 if you have the \`bcopy' function. */
 #undef HAVE_BCOPY])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_BINDRESVPORT_SA], [/* Define to 1 if you have the \`bindresvport_sa' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_BINDRESVPORT_SA], [/* Define to 1 if you have the \`bindresvport_sa' function. */
 #undef HAVE_BINDRESVPORT_SA])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_CLOCK], [/* Define to 1 if you have the \`clock' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_CLOCK], [/* Define to 1 if you have the \`clock' function. */
 #undef HAVE_CLOCK])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_FCHMOD], [/* Define to 1 if you have the \`fchmod' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_FCHMOD], [/* Define to 1 if you have the \`fchmod' function. */
 #undef HAVE_FCHMOD])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_FCHOWN], [/* Define to 1 if you have the \`fchown' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_FCHOWN], [/* Define to 1 if you have the \`fchown' function. */
 #undef HAVE_FCHOWN])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_FREEADDRINFO], [/* Define to 1 if you have the \`freeaddrinfo' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_FREEADDRINFO], [/* Define to 1 if you have the \`freeaddrinfo' function. */
 #undef HAVE_FREEADDRINFO])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_FUTIMES], [/* Define to 1 if you have the \`futimes' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_FUTIMES], [/* Define to 1 if you have the \`futimes' function. */
 #undef HAVE_FUTIMES])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_GAI_STRERROR], [/* Define to 1 if you have the \`gai_strerror' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_GAI_STRERROR], [/* Define to 1 if you have the \`gai_strerror' function. */
 #undef HAVE_GAI_STRERROR])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_GETADDRINFO], [/* Define to 1 if you have the \`getaddrinfo' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_GETADDRINFO], [/* Define to 1 if you have the \`getaddrinfo' function. */
 #undef HAVE_GETADDRINFO])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_GETCWD], [/* Define to 1 if you have the \`getcwd' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_GETCWD], [/* Define to 1 if you have the \`getcwd' function. */
 #undef HAVE_GETCWD])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_GETGROUPLIST], [/* Define to 1 if you have the \`getgrouplist' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_GETGROUPLIST], [/* Define to 1 if you have the \`getgrouplist' function. */
 #undef HAVE_GETGROUPLIST])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_GETNAMEINFO], [/* Define to 1 if you have the \`getnameinfo' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_GETNAMEINFO], [/* Define to 1 if you have the \`getnameinfo' function. */
 #undef HAVE_GETNAMEINFO])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_GETOPT], [/* Define to 1 if you have the \`getopt' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_GETOPT], [/* Define to 1 if you have the \`getopt' function. */
 #undef HAVE_GETOPT])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_GETRLIMIT], [/* Define to 1 if you have the \`getrlimit' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_GETPEEREID], [/* Define to 1 if you have the \`getpeereid' function. */
+#undef HAVE_GETPEEREID])
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_GETRLIMIT], [/* Define to 1 if you have the \`getrlimit' function. */
 #undef HAVE_GETRLIMIT])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_GETRUSAGE], [/* Define to 1 if you have the \`getrusage' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_GETRUSAGE], [/* Define to 1 if you have the \`getrusage' function. */
 #undef HAVE_GETRUSAGE])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_GETTTYENT], [/* Define to 1 if you have the \`getttyent' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_GETTTYENT], [/* Define to 1 if you have the \`getttyent' function. */
 #undef HAVE_GETTTYENT])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_GLOB], [/* Define to 1 if you have the \`glob' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_GLOB], [/* Define to 1 if you have the \`glob' function. */
 #undef HAVE_GLOB])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_INET_ATON], [/* Define to 1 if you have the \`inet_aton' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_INET_ATON], [/* Define to 1 if you have the \`inet_aton' function. */
 #undef HAVE_INET_ATON])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_INET_NTOA], [/* Define to 1 if you have the \`inet_ntoa' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_INET_NTOA], [/* Define to 1 if you have the \`inet_ntoa' function. */
 #undef HAVE_INET_NTOA])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_INET_NTOP], [/* Define to 1 if you have the \`inet_ntop' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_INET_NTOP], [/* Define to 1 if you have the \`inet_ntop' function. */
 #undef HAVE_INET_NTOP])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_INNETGR], [/* Define to 1 if you have the \`innetgr' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_INNETGR], [/* Define to 1 if you have the \`innetgr' function. */
 #undef HAVE_INNETGR])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_LOGIN_GETCAPBOOL], [/* Define to 1 if you have the \`login_getcapbool' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_LOGIN_GETCAPBOOL], [/* Define to 1 if you have the \`login_getcapbool' function. */
 #undef HAVE_LOGIN_GETCAPBOOL])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_MD5_CRYPT], [/* Define to 1 if you have the \`md5_crypt' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_MD5_CRYPT], [/* Define to 1 if you have the \`md5_crypt' function. */
 #undef HAVE_MD5_CRYPT])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_MEMMOVE], [/* Define to 1 if you have the \`memmove' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_MEMMOVE], [/* Define to 1 if you have the \`memmove' function. */
 #undef HAVE_MEMMOVE])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_MKDTEMP], [/* Define to 1 if you have the \`mkdtemp' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_MKDTEMP], [/* Define to 1 if you have the \`mkdtemp' function. */
 #undef HAVE_MKDTEMP])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_MMAP], [/* Define to 1 if you have the \`mmap' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_MMAP], [/* Define to 1 if you have the \`mmap' function. */
 #undef HAVE_MMAP])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_NGETADDRINFO], [/* Define to 1 if you have the \`ngetaddrinfo' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_NGETADDRINFO], [/* Define to 1 if you have the \`ngetaddrinfo' function. */
 #undef HAVE_NGETADDRINFO])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_OPENPTY], [/* Define to 1 if you have the \`openpty' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_OPENPTY], [/* Define to 1 if you have the \`openpty' function. */
 #undef HAVE_OPENPTY])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_OGETADDRINFO], [/* Define to 1 if you have the \`ogetaddrinfo' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_OGETADDRINFO], [/* Define to 1 if you have the \`ogetaddrinfo' function. */
 #undef HAVE_OGETADDRINFO])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_READPASSPHRASE], [/* Define to 1 if you have the \`readpassphrase' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_READPASSPHRASE], [/* Define to 1 if you have the \`readpassphrase' function. */
 #undef HAVE_READPASSPHRASE])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_REALPATH], [/* Define to 1 if you have the \`realpath' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_REALPATH], [/* Define to 1 if you have the \`realpath' function. */
 #undef HAVE_REALPATH])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_RECVMSG], [/* Define to 1 if you have the \`recvmsg' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_RECVMSG], [/* Define to 1 if you have the \`recvmsg' function. */
 #undef HAVE_RECVMSG])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_RRESVPORT_AF], [/* Define to 1 if you have the \`rresvport_af' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_RRESVPORT_AF], [/* Define to 1 if you have the \`rresvport_af' function. */
 #undef HAVE_RRESVPORT_AF])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_SENDMSG], [/* Define to 1 if you have the \`sendmsg' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SENDMSG], [/* Define to 1 if you have the \`sendmsg' function. */
 #undef HAVE_SENDMSG])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_SETDTABLESIZE], [/* Define to 1 if you have the \`setdtablesize' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SETDTABLESIZE], [/* Define to 1 if you have the \`setdtablesize' function. */
 #undef HAVE_SETDTABLESIZE])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_SETEGID], [/* Define to 1 if you have the \`setegid' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SETEGID], [/* Define to 1 if you have the \`setegid' function. */
 #undef HAVE_SETEGID])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_SETENV], [/* Define to 1 if you have the \`setenv' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SETENV], [/* Define to 1 if you have the \`setenv' function. */
 #undef HAVE_SETENV])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_SETEUID], [/* Define to 1 if you have the \`seteuid' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SETEUID], [/* Define to 1 if you have the \`seteuid' function. */
 #undef HAVE_SETEUID])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_SETGROUPS], [/* Define to 1 if you have the \`setgroups' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SETGROUPS], [/* Define to 1 if you have the \`setgroups' function. */
 #undef HAVE_SETGROUPS])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_SETLOGIN], [/* Define to 1 if you have the \`setlogin' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SETLOGIN], [/* Define to 1 if you have the \`setlogin' function. */
 #undef HAVE_SETLOGIN])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_SETPROCTITLE], [/* Define to 1 if you have the \`setproctitle' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SETPROCTITLE], [/* Define to 1 if you have the \`setproctitle' function. */
 #undef HAVE_SETPROCTITLE])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_SETRESGID], [/* Define to 1 if you have the \`setresgid' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SETRESGID], [/* Define to 1 if you have the \`setresgid' function. */
 #undef HAVE_SETRESGID])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_SETREUID], [/* Define to 1 if you have the \`setreuid' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SETREUID], [/* Define to 1 if you have the \`setreuid' function. */
 #undef HAVE_SETREUID])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_SETRLIMIT], [/* Define to 1 if you have the \`setrlimit' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SETRLIMIT], [/* Define to 1 if you have the \`setrlimit' function. */
 #undef HAVE_SETRLIMIT])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_SETSID], [/* Define to 1 if you have the \`setsid' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SETSID], [/* Define to 1 if you have the \`setsid' function. */
 #undef HAVE_SETSID])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_SETPCRED], [/* Define to 1 if you have the \`setpcred' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SETPCRED], [/* Define to 1 if you have the \`setpcred' function. */
 #undef HAVE_SETPCRED])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_SETVBUF], [/* Define to 1 if you have the \`setvbuf' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SETVBUF], [/* Define to 1 if you have the \`setvbuf' function. */
 #undef HAVE_SETVBUF])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_SIGACTION], [/* Define to 1 if you have the \`sigaction' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SIGACTION], [/* Define to 1 if you have the \`sigaction' function. */
 #undef HAVE_SIGACTION])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_SIGVEC], [/* Define to 1 if you have the \`sigvec' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SIGVEC], [/* Define to 1 if you have the \`sigvec' function. */
 #undef HAVE_SIGVEC])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_SNPRINTF], [/* Define to 1 if you have the \`snprintf' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SNPRINTF], [/* Define to 1 if you have the \`snprintf' function. */
 #undef HAVE_SNPRINTF])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_SOCKETPAIR], [/* Define to 1 if you have the \`socketpair' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SOCKETPAIR], [/* Define to 1 if you have the \`socketpair' function. */
 #undef HAVE_SOCKETPAIR])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_STRERROR], [/* Define to 1 if you have the \`strerror' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_STRERROR], [/* Define to 1 if you have the \`strerror' function. */
 #undef HAVE_STRERROR])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_STRLCAT], [/* Define to 1 if you have the \`strlcat' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_STRLCAT], [/* Define to 1 if you have the \`strlcat' function. */
 #undef HAVE_STRLCAT])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_STRLCPY], [/* Define to 1 if you have the \`strlcpy' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_STRLCPY], [/* Define to 1 if you have the \`strlcpy' function. */
 #undef HAVE_STRLCPY])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_STRMODE], [/* Define to 1 if you have the \`strmode' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_STRMODE], [/* Define to 1 if you have the \`strmode' function. */
 #undef HAVE_STRMODE])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_STRSEP], [/* Define to 1 if you have the \`strsep' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_STRSEP], [/* Define to 1 if you have the \`strsep' function. */
 #undef HAVE_STRSEP])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_SYSCONF], [/* Define to 1 if you have the \`sysconf' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_SYSCONF], [/* Define to 1 if you have the \`sysconf' function. */
 #undef HAVE_SYSCONF])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_TCGETPGRP], [/* Define to 1 if you have the \`tcgetpgrp' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_TCGETPGRP], [/* Define to 1 if you have the \`tcgetpgrp' function. */
 #undef HAVE_TCGETPGRP])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_TRUNCATE], [/* Define to 1 if you have the \`truncate' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_TRUNCATE], [/* Define to 1 if you have the \`truncate' function. */
 #undef HAVE_TRUNCATE])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_UTIMES], [/* Define to 1 if you have the \`utimes' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_UTIMES], [/* Define to 1 if you have the \`utimes' function. */
 #undef HAVE_UTIMES])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_VHANGUP], [/* Define to 1 if you have the \`vhangup' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_VHANGUP], [/* Define to 1 if you have the \`vhangup' function. */
 #undef HAVE_VHANGUP])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_VSNPRINTF], [/* Define to 1 if you have the \`vsnprintf' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_VSNPRINTF], [/* Define to 1 if you have the \`vsnprintf' function. */
 #undef HAVE_VSNPRINTF])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE_WAITPID], [/* Define to 1 if you have the \`waitpid' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE_WAITPID], [/* Define to 1 if you have the \`waitpid' function. */
 #undef HAVE_WAITPID])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE___B64_NTOP], [/* Define to 1 if you have the \`__b64_ntop' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE___B64_NTOP], [/* Define to 1 if you have the \`__b64_ntop' function. */
 #undef HAVE___B64_NTOP])
-m4trace:configure.ac:578: -1- AH_OUTPUT([HAVE__GETPTY], [/* Define to 1 if you have the \`_getpty' function. */
+m4trace:configure.ac:608: -1- AH_OUTPUT([HAVE__GETPTY], [/* Define to 1 if you have the \`_getpty' function. */
 #undef HAVE__GETPTY])
-m4trace:configure.ac:601: -1- AC_DEFINE_TRACE_LITERAL([HAVE_MMAP_ANON_SHARED])
+m4trace:configure.ac:645: -1- AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS(libgen.h) ], [
-m4trace:configure.ac:639: -1- AC_CHECK_FUNCS([dirname], [AC_CHECK_HEADERS(libgen.h) ], [
        AC_CHECK_LIB(gen, dirname,[
                AC_CACHE_CHECK([for broken dirname],
                        ac_cv_have_broken_dirname, [
@@ -549,12 +581,12 @@ int main(int argc, char **argv) {
                fi
        ])
 ])
-m4trace:configure.ac:639: -1- AH_OUTPUT([HAVE_DIRNAME], [/* Define to 1 if you have the \`dirname' function. */
+m4trace:configure.ac:645: -1- AH_OUTPUT([HAVE_DIRNAME], [/* Define to 1 if you have the \`dirname' function. */
 #undef HAVE_DIRNAME])
-m4trace:configure.ac:639: -1- AC_CHECK_HEADERS([libgen.h])
+m4trace:configure.ac:645: -1- AC_CHECK_HEADERS([libgen.h])
-m4trace:configure.ac:639: -1- AH_OUTPUT([HAVE_LIBGEN_H], [/* Define to 1 if you have the <libgen.h> header file. */
+m4trace:configure.ac:645: -1- AH_OUTPUT([HAVE_LIBGEN_H], [/* Define to 1 if you have the <libgen.h> header file. */
 #undef HAVE_LIBGEN_H])
-m4trace:configure.ac:639: -1- AC_CHECK_LIB([gen], [dirname], [
+m4trace:configure.ac:645: -1- AC_CHECK_LIB([gen], [dirname], [
                AC_CACHE_CHECK([for broken dirname],
                        ac_cv_have_broken_dirname, [
                        save_LIBS="$LIBS"
@@ -587,285 +619,287 @@ int main(int argc, char **argv) {
                        AC_CHECK_HEADERS(libgen.h)
                fi
        ])
-m4trace:configure.ac:639: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DIRNAME])
+m4trace:configure.ac:645: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DIRNAME])
-m4trace:configure.ac:639: -1- AC_CHECK_HEADERS([libgen.h])
+m4trace:configure.ac:645: -1- AC_CHECK_HEADERS([libgen.h])
-m4trace:configure.ac:639: -1- AH_OUTPUT([HAVE_LIBGEN_H], [/* Define to 1 if you have the <libgen.h> header file. */
+m4trace:configure.ac:645: -1- AH_OUTPUT([HAVE_LIBGEN_H], [/* Define to 1 if you have the <libgen.h> header file. */
 #undef HAVE_LIBGEN_H])
-m4trace:configure.ac:642: -1- AC_CHECK_FUNCS([gettimeofday time])
+m4trace:configure.ac:648: -1- AC_CHECK_FUNCS([gettimeofday time])
-m4trace:configure.ac:642: -1- AH_OUTPUT([HAVE_GETTIMEOFDAY], [/* Define to 1 if you have the \`gettimeofday' function. */
+m4trace:configure.ac:648: -1- AH_OUTPUT([HAVE_GETTIMEOFDAY], [/* Define to 1 if you have the \`gettimeofday' function. */
 #undef HAVE_GETTIMEOFDAY])
-m4trace:configure.ac:642: -1- AH_OUTPUT([HAVE_TIME], [/* Define to 1 if you have the \`time' function. */
+m4trace:configure.ac:648: -1- AH_OUTPUT([HAVE_TIME], [/* Define to 1 if you have the \`time' function. */
 #undef HAVE_TIME])
-m4trace:configure.ac:644: -1- AC_CHECK_FUNCS([endutent getutent getutid getutline pututline setutent])
+m4trace:configure.ac:650: -1- AC_CHECK_FUNCS([endutent getutent getutid getutline pututline setutent])
-m4trace:configure.ac:644: -1- AH_OUTPUT([HAVE_ENDUTENT], [/* Define to 1 if you have the \`endutent' function. */
+m4trace:configure.ac:650: -1- AH_OUTPUT([HAVE_ENDUTENT], [/* Define to 1 if you have the \`endutent' function. */
 #undef HAVE_ENDUTENT])
-m4trace:configure.ac:644: -1- AH_OUTPUT([HAVE_GETUTENT], [/* Define to 1 if you have the \`getutent' function. */
+m4trace:configure.ac:650: -1- AH_OUTPUT([HAVE_GETUTENT], [/* Define to 1 if you have the \`getutent' function. */
 #undef HAVE_GETUTENT])
-m4trace:configure.ac:644: -1- AH_OUTPUT([HAVE_GETUTID], [/* Define to 1 if you have the \`getutid' function. */
+m4trace:configure.ac:650: -1- AH_OUTPUT([HAVE_GETUTID], [/* Define to 1 if you have the \`getutid' function. */
 #undef HAVE_GETUTID])
-m4trace:configure.ac:644: -1- AH_OUTPUT([HAVE_GETUTLINE], [/* Define to 1 if you have the \`getutline' function. */
+m4trace:configure.ac:650: -1- AH_OUTPUT([HAVE_GETUTLINE], [/* Define to 1 if you have the \`getutline' function. */
 #undef HAVE_GETUTLINE])
-m4trace:configure.ac:644: -1- AH_OUTPUT([HAVE_PUTUTLINE], [/* Define to 1 if you have the \`pututline' function. */
+m4trace:configure.ac:650: -1- AH_OUTPUT([HAVE_PUTUTLINE], [/* Define to 1 if you have the \`pututline' function. */
 #undef HAVE_PUTUTLINE])
-m4trace:configure.ac:644: -1- AH_OUTPUT([HAVE_SETUTENT], [/* Define to 1 if you have the \`setutent' function. */
+m4trace:configure.ac:650: -1- AH_OUTPUT([HAVE_SETUTENT], [/* Define to 1 if you have the \`setutent' function. */
 #undef HAVE_SETUTENT])
-m4trace:configure.ac:645: -1- AC_CHECK_FUNCS([utmpname])
+m4trace:configure.ac:651: -1- AC_CHECK_FUNCS([utmpname])
-m4trace:configure.ac:645: -1- AH_OUTPUT([HAVE_UTMPNAME], [/* Define to 1 if you have the \`utmpname' function. */
+m4trace:configure.ac:651: -1- AH_OUTPUT([HAVE_UTMPNAME], [/* Define to 1 if you have the \`utmpname' function. */
 #undef HAVE_UTMPNAME])
-m4trace:configure.ac:647: -1- AC_CHECK_FUNCS([endutxent getutxent getutxid getutxline pututxline ])
+m4trace:configure.ac:653: -1- AC_CHECK_FUNCS([endutxent getutxent getutxid getutxline pututxline ])
-m4trace:configure.ac:647: -1- AH_OUTPUT([HAVE_ENDUTXENT], [/* Define to 1 if you have the \`endutxent' function. */
+m4trace:configure.ac:653: -1- AH_OUTPUT([HAVE_ENDUTXENT], [/* Define to 1 if you have the \`endutxent' function. */
 #undef HAVE_ENDUTXENT])
-m4trace:configure.ac:647: -1- AH_OUTPUT([HAVE_GETUTXENT], [/* Define to 1 if you have the \`getutxent' function. */
+m4trace:configure.ac:653: -1- AH_OUTPUT([HAVE_GETUTXENT], [/* Define to 1 if you have the \`getutxent' function. */
 #undef HAVE_GETUTXENT])
-m4trace:configure.ac:647: -1- AH_OUTPUT([HAVE_GETUTXID], [/* Define to 1 if you have the \`getutxid' function. */
+m4trace:configure.ac:653: -1- AH_OUTPUT([HAVE_GETUTXID], [/* Define to 1 if you have the \`getutxid' function. */
 #undef HAVE_GETUTXID])
-m4trace:configure.ac:647: -1- AH_OUTPUT([HAVE_GETUTXLINE], [/* Define to 1 if you have the \`getutxline' function. */
+m4trace:configure.ac:653: -1- AH_OUTPUT([HAVE_GETUTXLINE], [/* Define to 1 if you have the \`getutxline' function. */
 #undef HAVE_GETUTXLINE])
-m4trace:configure.ac:647: -1- AH_OUTPUT([HAVE_PUTUTXLINE], [/* Define to 1 if you have the \`pututxline' function. */
+m4trace:configure.ac:653: -1- AH_OUTPUT([HAVE_PUTUTXLINE], [/* Define to 1 if you have the \`pututxline' function. */
 #undef HAVE_PUTUTXLINE])
-m4trace:configure.ac:648: -1- AC_CHECK_FUNCS([setutxent utmpxname])
+m4trace:configure.ac:654: -1- AC_CHECK_FUNCS([setutxent utmpxname])
-m4trace:configure.ac:648: -1- AH_OUTPUT([HAVE_SETUTXENT], [/* Define to 1 if you have the \`setutxent' function. */
+m4trace:configure.ac:654: -1- AH_OUTPUT([HAVE_SETUTXENT], [/* Define to 1 if you have the \`setutxent' function. */
 #undef HAVE_SETUTXENT])
-m4trace:configure.ac:648: -1- AH_OUTPUT([HAVE_UTMPXNAME], [/* Define to 1 if you have the \`utmpxname' function. */
+m4trace:configure.ac:654: -1- AH_OUTPUT([HAVE_UTMPXNAME], [/* Define to 1 if you have the \`utmpxname' function. */
 #undef HAVE_UTMPXNAME])
-m4trace:configure.ac:653: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DAEMON])
+m4trace:configure.ac:659: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DAEMON])
-m4trace:configure.ac:653: -1- AC_CHECK_LIB([bsd], [daemon], [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_DAEMON)])
+m4trace:configure.ac:659: -1- AC_CHECK_LIB([bsd], [daemon], [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_DAEMON)])
-m4trace:configure.ac:653: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DAEMON])
+m4trace:configure.ac:659: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DAEMON])
-m4trace:configure.ac:658: -1- AC_DEFINE_TRACE_LITERAL([HAVE_GETPAGESIZE])
+m4trace:configure.ac:664: -1- AC_DEFINE_TRACE_LITERAL([HAVE_GETPAGESIZE])
-m4trace:configure.ac:658: -1- AC_CHECK_LIB([ucb], [getpagesize], [LIBS="$LIBS -lucb"; AC_DEFINE(HAVE_GETPAGESIZE)])
+m4trace:configure.ac:664: -1- AC_CHECK_LIB([ucb], [getpagesize], [LIBS="$LIBS -lucb"; AC_DEFINE(HAVE_GETPAGESIZE)])
-m4trace:configure.ac:658: -1- AC_DEFINE_TRACE_LITERAL([HAVE_GETPAGESIZE])
+m4trace:configure.ac:664: -1- AC_DEFINE_TRACE_LITERAL([HAVE_GETPAGESIZE])
-m4trace:configure.ac:674: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_SNPRINTF])
+m4trace:configure.ac:680: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_SNPRINTF])
-m4trace:configure.ac:677: -1- AC_FUNC_GETPGRP
+m4trace:configure.ac:683: -1- AC_FUNC_GETPGRP
-m4trace:configure.ac:677: -1- AC_DEFINE_TRACE_LITERAL([GETPGRP_VOID])
+m4trace:configure.ac:683: -1- AC_DEFINE_TRACE_LITERAL([GETPGRP_VOID])
-m4trace:configure.ac:677: -1- AH_OUTPUT([GETPGRP_VOID], [/* Define to 1 if the \`getpgrp' function requires zero arguments. */
+m4trace:configure.ac:683: -1- AH_OUTPUT([GETPGRP_VOID], [/* Define to 1 if the \`getpgrp' function requires zero arguments. */
 #undef GETPGRP_VOID])
-m4trace:configure.ac:705: -1- AC_CHECK_LIB([dl], [dlopen], [], [])
+m4trace:configure.ac:711: -1- AC_CHECK_LIB([dl], [dlopen], [], [])
-m4trace:configure.ac:705: -1- AH_OUTPUT([HAVE_LIBDL], [/* Define to 1 if you have the \`dl' library (-ldl). */
+m4trace:configure.ac:711: -1- AH_OUTPUT([HAVE_LIBDL], [/* Define to 1 if you have the \`dl' library (-ldl). */
 #undef HAVE_LIBDL])
-m4trace:configure.ac:705: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBDL])
+m4trace:configure.ac:711: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBDL])
-m4trace:configure.ac:705: -1- AC_CHECK_LIB([pam], [pam_set_item], [], [{ { echo "$as_me:$LINENO: error: *** libpam missing" >&5
+m4trace:configure.ac:711: -1- AC_CHECK_LIB([pam], [pam_set_item], [], [{ { echo "$as_me:$LINENO: error: *** libpam missing" >&5
 echo "$as_me: error: *** libpam missing" >&2;}
   { (exit 1); exit 1; }; }])
-m4trace:configure.ac:705: -1- AH_OUTPUT([HAVE_LIBPAM], [/* Define to 1 if you have the \`pam' library (-lpam). */
+m4trace:configure.ac:711: -1- AH_OUTPUT([HAVE_LIBPAM], [/* Define to 1 if you have the \`pam' library (-lpam). */
 #undef HAVE_LIBPAM])
-m4trace:configure.ac:705: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBPAM])
+m4trace:configure.ac:711: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBPAM])
-m4trace:configure.ac:705: -1- AC_CHECK_FUNCS([pam_getenvlist])
+m4trace:configure.ac:711: -1- AC_CHECK_FUNCS([pam_getenvlist])
-m4trace:configure.ac:705: -1- AH_OUTPUT([HAVE_PAM_GETENVLIST], [/* Define to 1 if you have the \`pam_getenvlist' function. */
+m4trace:configure.ac:711: -1- AH_OUTPUT([HAVE_PAM_GETENVLIST], [/* Define to 1 if you have the \`pam_getenvlist' function. */
 #undef HAVE_PAM_GETENVLIST])
-m4trace:configure.ac:705: -1- AC_DEFINE_TRACE_LITERAL([USE_PAM])
+m4trace:configure.ac:711: -1- AC_DEFINE_TRACE_LITERAL([USE_PAM])
-m4trace:configure.ac:705: -1- AC_SUBST([LIBPAM])
+m4trace:configure.ac:711: -1- AC_SUBST([LIBPAM])
-m4trace:configure.ac:723: -1- AC_DEFINE_TRACE_LITERAL([HAVE_OLD_PAM])
+m4trace:configure.ac:729: -1- AC_DEFINE_TRACE_LITERAL([HAVE_OLD_PAM])
-m4trace:configure.ac:755: -2- AC_DEFINE_TRACE_LITERAL([HAVE_OPENSSL])
+m4trace:configure.ac:735: -1- AC_CHECK_LIB([crypt], [crypt])
-m4trace:configure.ac:770: -2- AC_DEFINE_TRACE_LITERAL([HAVE_OPENSSL])
+m4trace:configure.ac:735: -1- AH_OUTPUT([HAVE_LIBCRYPT], [/* Define to 1 if you have the \`crypt' library (-lcrypt). */
-m4trace:configure.ac:793: -1- AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
+#undef HAVE_LIBCRYPT])
-m4trace:configure.ac:841: -1- AC_DEFINE_TRACE_LITERAL([OPENSSL_PRNG_ONLY])
+m4trace:configure.ac:735: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBCRYPT])
-m4trace:configure.ac:849: -1- AC_SUBST([INSTALL_SSH_RAND_HELPER])
+m4trace:configure.ac:767: -2- AC_DEFINE_TRACE_LITERAL([HAVE_OPENSSL])
-m4trace:configure.ac:872: -1- AC_DEFINE_TRACE_LITERAL([PRNGD_PORT])
+m4trace:configure.ac:782: -2- AC_DEFINE_TRACE_LITERAL([HAVE_OPENSSL])
-m4trace:configure.ac:922: -1- AC_DEFINE_TRACE_LITERAL([PRNGD_SOCKET])
+m4trace:configure.ac:869: -1- AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
-m4trace:configure.ac:922: -1- AC_DEFINE_TRACE_LITERAL([PRNGD_SOCKET])
+m4trace:configure.ac:917: -1- AC_DEFINE_TRACE_LITERAL([OPENSSL_PRNG_ONLY])
-m4trace:configure.ac:934: -1- AC_DEFINE_TRACE_LITERAL([ENTROPY_TIMEOUT_MSEC])
+m4trace:configure.ac:925: -1- AC_SUBST([INSTALL_SSH_RAND_HELPER])
-m4trace:configure.ac:945: -1- AC_DEFINE_TRACE_LITERAL([SSH_PRIVSEP_USER])
+m4trace:configure.ac:948: -1- AC_DEFINE_TRACE_LITERAL([PRNGD_PORT])
-m4trace:configure.ac:946: -1- AC_SUBST([SSH_PRIVSEP_USER])
+m4trace:configure.ac:998: -1- AC_DEFINE_TRACE_LITERAL([PRNGD_SOCKET])
-m4trace:configure.ac:963: -1- AC_SUBST([PROG_LS], [$ac_cv_path_PROG_LS])
+m4trace:configure.ac:998: -1- AC_DEFINE_TRACE_LITERAL([PRNGD_SOCKET])
-m4trace:configure.ac:963: -1- AC_SUBST([PROG_LS])
+m4trace:configure.ac:1010: -1- AC_DEFINE_TRACE_LITERAL([ENTROPY_TIMEOUT_MSEC])
-m4trace:configure.ac:964: -1- AC_SUBST([PROG_NETSTAT], [$ac_cv_path_PROG_NETSTAT])
+m4trace:configure.ac:1021: -1- AC_DEFINE_TRACE_LITERAL([SSH_PRIVSEP_USER])
-m4trace:configure.ac:964: -1- AC_SUBST([PROG_NETSTAT])
+m4trace:configure.ac:1022: -1- AC_SUBST([SSH_PRIVSEP_USER])
-m4trace:configure.ac:965: -1- AC_SUBST([PROG_ARP], [$ac_cv_path_PROG_ARP])
+m4trace:configure.ac:1039: -1- AC_SUBST([PROG_LS], [$ac_cv_path_PROG_LS])
-m4trace:configure.ac:965: -1- AC_SUBST([PROG_ARP])
+m4trace:configure.ac:1039: -1- AC_SUBST([PROG_LS])
-m4trace:configure.ac:966: -1- AC_SUBST([PROG_IFCONFIG], [$ac_cv_path_PROG_IFCONFIG])
+m4trace:configure.ac:1040: -1- AC_SUBST([PROG_NETSTAT], [$ac_cv_path_PROG_NETSTAT])
-m4trace:configure.ac:966: -1- AC_SUBST([PROG_IFCONFIG])
+m4trace:configure.ac:1040: -1- AC_SUBST([PROG_NETSTAT])
-m4trace:configure.ac:967: -1- AC_SUBST([PROG_JSTAT], [$ac_cv_path_PROG_JSTAT])
+m4trace:configure.ac:1041: -1- AC_SUBST([PROG_ARP], [$ac_cv_path_PROG_ARP])
-m4trace:configure.ac:967: -1- AC_SUBST([PROG_JSTAT])
+m4trace:configure.ac:1041: -1- AC_SUBST([PROG_ARP])
-m4trace:configure.ac:968: -1- AC_SUBST([PROG_PS], [$ac_cv_path_PROG_PS])
+m4trace:configure.ac:1042: -1- AC_SUBST([PROG_IFCONFIG], [$ac_cv_path_PROG_IFCONFIG])
-m4trace:configure.ac:968: -1- AC_SUBST([PROG_PS])
+m4trace:configure.ac:1042: -1- AC_SUBST([PROG_IFCONFIG])
-m4trace:configure.ac:969: -1- AC_SUBST([PROG_SAR], [$ac_cv_path_PROG_SAR])
+m4trace:configure.ac:1043: -1- AC_SUBST([PROG_JSTAT], [$ac_cv_path_PROG_JSTAT])
-m4trace:configure.ac:969: -1- AC_SUBST([PROG_SAR])
+m4trace:configure.ac:1043: -1- AC_SUBST([PROG_JSTAT])
-m4trace:configure.ac:970: -1- AC_SUBST([PROG_W], [$ac_cv_path_PROG_W])
+m4trace:configure.ac:1044: -1- AC_SUBST([PROG_PS], [$ac_cv_path_PROG_PS])
-m4trace:configure.ac:970: -1- AC_SUBST([PROG_W])
+m4trace:configure.ac:1044: -1- AC_SUBST([PROG_PS])
-m4trace:configure.ac:971: -1- AC_SUBST([PROG_WHO], [$ac_cv_path_PROG_WHO])
+m4trace:configure.ac:1045: -1- AC_SUBST([PROG_SAR], [$ac_cv_path_PROG_SAR])
-m4trace:configure.ac:971: -1- AC_SUBST([PROG_WHO])
+m4trace:configure.ac:1045: -1- AC_SUBST([PROG_SAR])
-m4trace:configure.ac:972: -1- AC_SUBST([PROG_LAST], [$ac_cv_path_PROG_LAST])
+m4trace:configure.ac:1046: -1- AC_SUBST([PROG_W], [$ac_cv_path_PROG_W])
-m4trace:configure.ac:972: -1- AC_SUBST([PROG_LAST])
+m4trace:configure.ac:1046: -1- AC_SUBST([PROG_W])
-m4trace:configure.ac:973: -1- AC_SUBST([PROG_LASTLOG], [$ac_cv_path_PROG_LASTLOG])
+m4trace:configure.ac:1047: -1- AC_SUBST([PROG_WHO], [$ac_cv_path_PROG_WHO])
-m4trace:configure.ac:973: -1- AC_SUBST([PROG_LASTLOG])
+m4trace:configure.ac:1047: -1- AC_SUBST([PROG_WHO])
-m4trace:configure.ac:974: -1- AC_SUBST([PROG_DF], [$ac_cv_path_PROG_DF])
+m4trace:configure.ac:1048: -1- AC_SUBST([PROG_LAST], [$ac_cv_path_PROG_LAST])
-m4trace:configure.ac:974: -1- AC_SUBST([PROG_DF])
+m4trace:configure.ac:1048: -1- AC_SUBST([PROG_LAST])
-m4trace:configure.ac:975: -1- AC_SUBST([PROG_VMSTAT], [$ac_cv_path_PROG_VMSTAT])
+m4trace:configure.ac:1049: -1- AC_SUBST([PROG_LASTLOG], [$ac_cv_path_PROG_LASTLOG])
-m4trace:configure.ac:975: -1- AC_SUBST([PROG_VMSTAT])
+m4trace:configure.ac:1049: -1- AC_SUBST([PROG_LASTLOG])
-m4trace:configure.ac:976: -1- AC_SUBST([PROG_UPTIME], [$ac_cv_path_PROG_UPTIME])
+m4trace:configure.ac:1050: -1- AC_SUBST([PROG_DF], [$ac_cv_path_PROG_DF])
-m4trace:configure.ac:976: -1- AC_SUBST([PROG_UPTIME])
+m4trace:configure.ac:1050: -1- AC_SUBST([PROG_DF])
-m4trace:configure.ac:977: -1- AC_SUBST([PROG_IPCS], [$ac_cv_path_PROG_IPCS])
+m4trace:configure.ac:1051: -1- AC_SUBST([PROG_VMSTAT], [$ac_cv_path_PROG_VMSTAT])
-m4trace:configure.ac:977: -1- AC_SUBST([PROG_IPCS])
+m4trace:configure.ac:1051: -1- AC_SUBST([PROG_VMSTAT])
-m4trace:configure.ac:978: -1- AC_SUBST([PROG_TAIL], [$ac_cv_path_PROG_TAIL])
+m4trace:configure.ac:1052: -1- AC_SUBST([PROG_UPTIME], [$ac_cv_path_PROG_UPTIME])
-m4trace:configure.ac:978: -1- AC_SUBST([PROG_TAIL])
+m4trace:configure.ac:1052: -1- AC_SUBST([PROG_UPTIME])
-m4trace:configure.ac:995: -1- AC_SUBST([INSTALL_SSH_PRNG_CMDS])
+m4trace:configure.ac:1053: -1- AC_SUBST([PROG_IPCS], [$ac_cv_path_PROG_IPCS])
-m4trace:configure.ac:1004: -1- AC_DEFINE_TRACE_LITERAL([SIZEOF_CHAR])
+m4trace:configure.ac:1053: -1- AC_SUBST([PROG_IPCS])
-m4trace:configure.ac:1004: -1- AH_OUTPUT([SIZEOF_CHAR], [/* The size of a \`char', as computed by sizeof. */
+m4trace:configure.ac:1054: -1- AC_SUBST([PROG_TAIL], [$ac_cv_path_PROG_TAIL])
+m4trace:configure.ac:1054: -1- AC_SUBST([PROG_TAIL])
+m4trace:configure.ac:1071: -1- AC_SUBST([INSTALL_SSH_PRNG_CMDS])
+m4trace:configure.ac:1080: -1- AC_DEFINE_TRACE_LITERAL([SIZEOF_CHAR])
+m4trace:configure.ac:1080: -1- AH_OUTPUT([SIZEOF_CHAR], [/* The size of a \`char', as computed by sizeof. */
 #undef SIZEOF_CHAR])
-m4trace:configure.ac:1005: -1- AC_DEFINE_TRACE_LITERAL([SIZEOF_SHORT_INT])
+m4trace:configure.ac:1081: -1- AC_DEFINE_TRACE_LITERAL([SIZEOF_SHORT_INT])
-m4trace:configure.ac:1005: -1- AH_OUTPUT([SIZEOF_SHORT_INT], [/* The size of a \`short int', as computed by sizeof. */
+m4trace:configure.ac:1081: -1- AH_OUTPUT([SIZEOF_SHORT_INT], [/* The size of a \`short int', as computed by sizeof. */
 #undef SIZEOF_SHORT_INT])
-m4trace:configure.ac:1006: -1- AC_DEFINE_TRACE_LITERAL([SIZEOF_INT])
+m4trace:configure.ac:1082: -1- AC_DEFINE_TRACE_LITERAL([SIZEOF_INT])
-m4trace:configure.ac:1006: -1- AH_OUTPUT([SIZEOF_INT], [/* The size of a \`int', as computed by sizeof. */
+m4trace:configure.ac:1082: -1- AH_OUTPUT([SIZEOF_INT], [/* The size of a \`int', as computed by sizeof. */
 #undef SIZEOF_INT])
-m4trace:configure.ac:1007: -1- AC_DEFINE_TRACE_LITERAL([SIZEOF_LONG_INT])
+m4trace:configure.ac:1083: -1- AC_DEFINE_TRACE_LITERAL([SIZEOF_LONG_INT])
-m4trace:configure.ac:1007: -1- AH_OUTPUT([SIZEOF_LONG_INT], [/* The size of a \`long int', as computed by sizeof. */
+m4trace:configure.ac:1083: -1- AH_OUTPUT([SIZEOF_LONG_INT], [/* The size of a \`long int', as computed by sizeof. */
 #undef SIZEOF_LONG_INT])
-m4trace:configure.ac:1008: -1- AC_DEFINE_TRACE_LITERAL([SIZEOF_LONG_LONG_INT])
+m4trace:configure.ac:1084: -1- AC_DEFINE_TRACE_LITERAL([SIZEOF_LONG_LONG_INT])
-m4trace:configure.ac:1008: -1- AH_OUTPUT([SIZEOF_LONG_LONG_INT], [/* The size of a \`long long int', as computed by sizeof. */
+m4trace:configure.ac:1084: -1- AH_OUTPUT([SIZEOF_LONG_LONG_INT], [/* The size of a \`long long int', as computed by sizeof. */
 #undef SIZEOF_LONG_LONG_INT])
-m4trace:configure.ac:1025: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT])
+m4trace:configure.ac:1101: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT])
-m4trace:configure.ac:1038: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INTXX_T])
+m4trace:configure.ac:1114: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INTXX_T])
-m4trace:configure.ac:1054: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INTXX_T])
+m4trace:configure.ac:1130: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INTXX_T])
-m4trace:configure.ac:1066: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INT64_T])
+m4trace:configure.ac:1151: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INT64_T])
-m4trace:configure.ac:1080: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INT64_T])
+m4trace:configure.ac:1163: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INTXX_T])
-m4trace:configure.ac:1093: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INT64_T])
+m4trace:configure.ac:1177: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INTXX_T])
-m4trace:configure.ac:1105: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INTXX_T])
+m4trace:configure.ac:1189: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT64_T])
-m4trace:configure.ac:1119: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INTXX_T])
+m4trace:configure.ac:1203: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT64_T])
-m4trace:configure.ac:1131: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT64_T])
+m4trace:configure.ac:1218: -1- AC_DEFINE_TRACE_LITERAL([HAVE_UINTXX_T])
-m4trace:configure.ac:1145: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INT64_T])
+m4trace:configure.ac:1232: -1- AC_DEFINE_TRACE_LITERAL([HAVE_UINTXX_T])
-m4trace:configure.ac:1160: -1- AC_DEFINE_TRACE_LITERAL([HAVE_UINTXX_T])
+m4trace:configure.ac:1254: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INTXX_T])
-m4trace:configure.ac:1174: -1- AC_DEFINE_TRACE_LITERAL([HAVE_UINTXX_T])
+m4trace:configure.ac:1254: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INTXX_T])
-m4trace:configure.ac:1196: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_INTXX_T])
+m4trace:configure.ac:1269: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_CHAR])
-m4trace:configure.ac:1196: -1- AC_DEFINE_TRACE_LITERAL([HAVE_INTXX_T])
+m4trace:configure.ac:1272: -1- AC_DEFINE_TRACE_LITERAL([socklen_t])
-m4trace:configure.ac:1211: -1- AC_DEFINE_TRACE_LITERAL([HAVE_U_CHAR])
+m4trace:configure.ac:1272: -1- AH_OUTPUT([socklen_t], [/* type to use in place of socklen_t if not defined */
-m4trace:configure.ac:1214: -1- AC_DEFINE_TRACE_LITERAL([socklen_t])
-m4trace:configure.ac:1214: -1- AH_OUTPUT([socklen_t], [/* type to use in place of socklen_t if not defined */
 #undef socklen_t])
-m4trace:configure.ac:1216: -1- AC_CHECK_TYPES([sig_atomic_t], [], [], [#include <signal.h>])
+m4trace:configure.ac:1274: -1- AC_CHECK_TYPES([sig_atomic_t], [], [], [#include <signal.h>])
-m4trace:configure.ac:1216: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SIG_ATOMIC_T])
+m4trace:configure.ac:1274: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SIG_ATOMIC_T])
-m4trace:configure.ac:1216: -1- AH_OUTPUT([HAVE_SIG_ATOMIC_T], [/* Define to 1 if the system has the type \`sig_atomic_t'. */
+m4trace:configure.ac:1274: -1- AH_OUTPUT([HAVE_SIG_ATOMIC_T], [/* Define to 1 if the system has the type \`sig_atomic_t'. */
 #undef HAVE_SIG_ATOMIC_T])
-m4trace:configure.ac:1229: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SIZE_T])
+m4trace:configure.ac:1287: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SIZE_T])
-m4trace:configure.ac:1243: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SSIZE_T])
+m4trace:configure.ac:1301: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SSIZE_T])
-m4trace:configure.ac:1257: -1- AC_DEFINE_TRACE_LITERAL([HAVE_CLOCK_T])
+m4trace:configure.ac:1315: -1- AC_DEFINE_TRACE_LITERAL([HAVE_CLOCK_T])
-m4trace:configure.ac:1282: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SA_FAMILY_T])
+m4trace:configure.ac:1340: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SA_FAMILY_T])
-m4trace:configure.ac:1296: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PID_T])
+m4trace:configure.ac:1354: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PID_T])
-m4trace:configure.ac:1310: -1- AC_DEFINE_TRACE_LITERAL([HAVE_MODE_T])
+m4trace:configure.ac:1368: -1- AC_DEFINE_TRACE_LITERAL([HAVE_MODE_T])
-m4trace:configure.ac:1326: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_SOCKADDR_STORAGE])
+m4trace:configure.ac:1384: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_SOCKADDR_STORAGE])
-m4trace:configure.ac:1341: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_SOCKADDR_IN6])
+m4trace:configure.ac:1399: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_SOCKADDR_IN6])
-m4trace:configure.ac:1356: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_IN6_ADDR])
+m4trace:configure.ac:1414: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_IN6_ADDR])
-m4trace:configure.ac:1372: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_ADDRINFO])
+m4trace:configure.ac:1430: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_ADDRINFO])
-m4trace:configure.ac:1384: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_TIMEVAL])
+m4trace:configure.ac:1442: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_TIMEVAL])
-m4trace:configure.ac:1421: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_SNPRINTF])
+m4trace:configure.ac:1479: -1- AC_DEFINE_TRACE_LITERAL([BROKEN_SNPRINTF])
-m4trace:configure.ac:1423: -1- AC_SUBST([NO_SFTP])
+m4trace:configure.ac:1481: -1- AC_SUBST([NO_SFTP])
-m4trace:configure.ac:1426: -1- AC_DEFINE_TRACE_LITERAL([HAVE_HOST_IN_UTMP])
+m4trace:configure.ac:1484: -1- AC_DEFINE_TRACE_LITERAL([HAVE_HOST_IN_UTMP])
-m4trace:configure.ac:1427: -1- AC_DEFINE_TRACE_LITERAL([HAVE_HOST_IN_UTMPX])
+m4trace:configure.ac:1485: -1- AC_DEFINE_TRACE_LITERAL([HAVE_HOST_IN_UTMPX])
-m4trace:configure.ac:1428: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SYSLEN_IN_UTMPX])
+m4trace:configure.ac:1486: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SYSLEN_IN_UTMPX])
-m4trace:configure.ac:1429: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PID_IN_UTMP])
+m4trace:configure.ac:1487: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PID_IN_UTMP])
-m4trace:configure.ac:1430: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TYPE_IN_UTMP])
+m4trace:configure.ac:1488: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TYPE_IN_UTMP])
-m4trace:configure.ac:1431: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TYPE_IN_UTMPX])
+m4trace:configure.ac:1489: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TYPE_IN_UTMPX])
-m4trace:configure.ac:1432: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TV_IN_UTMP])
+m4trace:configure.ac:1490: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TV_IN_UTMP])
-m4trace:configure.ac:1433: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ID_IN_UTMP])
+m4trace:configure.ac:1491: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ID_IN_UTMP])
-m4trace:configure.ac:1434: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ID_IN_UTMPX])
+m4trace:configure.ac:1492: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ID_IN_UTMPX])
-m4trace:configure.ac:1435: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ADDR_IN_UTMP])
+m4trace:configure.ac:1493: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ADDR_IN_UTMP])
-m4trace:configure.ac:1436: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ADDR_IN_UTMPX])
+m4trace:configure.ac:1494: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ADDR_IN_UTMPX])
-m4trace:configure.ac:1437: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ADDR_V6_IN_UTMP])
+m4trace:configure.ac:1495: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ADDR_V6_IN_UTMP])
-m4trace:configure.ac:1438: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ADDR_V6_IN_UTMPX])
+m4trace:configure.ac:1496: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ADDR_V6_IN_UTMPX])
-m4trace:configure.ac:1439: -1- AC_DEFINE_TRACE_LITERAL([HAVE_EXIT_IN_UTMP])
+m4trace:configure.ac:1497: -1- AC_DEFINE_TRACE_LITERAL([HAVE_EXIT_IN_UTMP])
-m4trace:configure.ac:1440: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TIME_IN_UTMP])
+m4trace:configure.ac:1498: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TIME_IN_UTMP])
-m4trace:configure.ac:1441: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TIME_IN_UTMPX])
+m4trace:configure.ac:1499: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TIME_IN_UTMPX])
-m4trace:configure.ac:1442: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TV_IN_UTMPX])
+m4trace:configure.ac:1500: -1- AC_DEFINE_TRACE_LITERAL([HAVE_TV_IN_UTMPX])
-m4trace:configure.ac:1444: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_STAT_ST_BLKSIZE])
+m4trace:configure.ac:1502: -1- AC_DEFINE_TRACE_LITERAL([HAVE_STRUCT_STAT_ST_BLKSIZE])
-m4trace:configure.ac:1444: -1- AH_OUTPUT([HAVE_STRUCT_STAT_ST_BLKSIZE], [/* Define to 1 if \`st_blksize' is member of \`struct stat'. */
+m4trace:configure.ac:1502: -1- AH_OUTPUT([HAVE_STRUCT_STAT_ST_BLKSIZE], [/* Define to 1 if \`st_blksize' is member of \`struct stat'. */
 #undef HAVE_STRUCT_STAT_ST_BLKSIZE])
-m4trace:configure.ac:1459: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SS_FAMILY_IN_SS])
+m4trace:configure.ac:1517: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SS_FAMILY_IN_SS])
-m4trace:configure.ac:1475: -1- AC_DEFINE_TRACE_LITERAL([HAVE___SS_FAMILY_IN_SS])
+m4trace:configure.ac:1533: -1- AC_DEFINE_TRACE_LITERAL([HAVE___SS_FAMILY_IN_SS])
-m4trace:configure.ac:1490: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PW_CLASS_IN_PASSWD])
+m4trace:configure.ac:1548: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PW_CLASS_IN_PASSWD])
-m4trace:configure.ac:1505: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PW_EXPIRE_IN_PASSWD])
+m4trace:configure.ac:1563: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PW_EXPIRE_IN_PASSWD])
-m4trace:configure.ac:1520: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PW_CHANGE_IN_PASSWD])
+m4trace:configure.ac:1578: -1- AC_DEFINE_TRACE_LITERAL([HAVE_PW_CHANGE_IN_PASSWD])
-m4trace:configure.ac:1545: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ACCRIGHTS_IN_MSGHDR])
+m4trace:configure.ac:1603: -1- AC_DEFINE_TRACE_LITERAL([HAVE_ACCRIGHTS_IN_MSGHDR])
-m4trace:configure.ac:1569: -1- AC_DEFINE_TRACE_LITERAL([HAVE_CONTROL_IN_MSGHDR])
+m4trace:configure.ac:1627: -1- AC_DEFINE_TRACE_LITERAL([HAVE_CONTROL_IN_MSGHDR])
-m4trace:configure.ac:1580: -1- AC_DEFINE_TRACE_LITERAL([HAVE___PROGNAME])
+m4trace:configure.ac:1638: -1- AC_DEFINE_TRACE_LITERAL([HAVE___PROGNAME])
-m4trace:configure.ac:1593: -1- AC_DEFINE_TRACE_LITERAL([HAVE___FUNCTION__])
+m4trace:configure.ac:1651: -1- AC_DEFINE_TRACE_LITERAL([HAVE___FUNCTION__])
-m4trace:configure.ac:1606: -1- AC_DEFINE_TRACE_LITERAL([HAVE___func__])
+m4trace:configure.ac:1664: -1- AC_DEFINE_TRACE_LITERAL([HAVE___func__])
-m4trace:configure.ac:1621: -1- AC_DEFINE_TRACE_LITERAL([HAVE_GETOPT_OPTRESET])
+m4trace:configure.ac:1679: -1- AC_DEFINE_TRACE_LITERAL([HAVE_GETOPT_OPTRESET])
-m4trace:configure.ac:1632: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SYS_ERRLIST])
+m4trace:configure.ac:1690: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SYS_ERRLIST])
-m4trace:configure.ac:1644: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SYS_NERR])
+m4trace:configure.ac:1702: -1- AC_DEFINE_TRACE_LITERAL([HAVE_SYS_NERR])
-m4trace:configure.ac:1677: -1- AC_CHECK_HEADERS([sectok.h])
+m4trace:configure.ac:1735: -1- AC_CHECK_HEADERS([sectok.h])
-m4trace:configure.ac:1677: -1- AH_OUTPUT([HAVE_SECTOK_H], [/* Define to 1 if you have the <sectok.h> header file. */
+m4trace:configure.ac:1735: -1- AH_OUTPUT([HAVE_SECTOK_H], [/* Define to 1 if you have the <sectok.h> header file. */
 #undef HAVE_SECTOK_H])
-m4trace:configure.ac:1677: -1- AC_CHECK_LIB([sectok], [sectok_open])
+m4trace:configure.ac:1735: -1- AC_CHECK_LIB([sectok], [sectok_open])
-m4trace:configure.ac:1677: -1- AH_OUTPUT([HAVE_LIBSECTOK], [/* Define to 1 if you have the \`sectok' library (-lsectok). */
+m4trace:configure.ac:1735: -1- AH_OUTPUT([HAVE_LIBSECTOK], [/* Define to 1 if you have the \`sectok' library (-lsectok). */
 #undef HAVE_LIBSECTOK])
-m4trace:configure.ac:1677: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBSECTOK])
+m4trace:configure.ac:1735: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBSECTOK])
-m4trace:configure.ac:1677: -1- AC_DEFINE_TRACE_LITERAL([SMARTCARD])
+m4trace:configure.ac:1735: -1- AC_DEFINE_TRACE_LITERAL([SMARTCARD])
-m4trace:configure.ac:1677: -1- AC_DEFINE_TRACE_LITERAL([USE_SECTOK])
+m4trace:configure.ac:1735: -1- AC_DEFINE_TRACE_LITERAL([USE_SECTOK])
-m4trace:configure.ac:1686: -1- AC_SUBST([OPENSC_CONFIG], [$ac_cv_path_OPENSC_CONFIG])
+m4trace:configure.ac:1744: -1- AC_SUBST([OPENSC_CONFIG], [$ac_cv_path_OPENSC_CONFIG])
-m4trace:configure.ac:1692: -1- AC_DEFINE_TRACE_LITERAL([SMARTCARD])
+m4trace:configure.ac:1750: -1- AC_DEFINE_TRACE_LITERAL([SMARTCARD])
-m4trace:configure.ac:1693: -1- AC_DEFINE_TRACE_LITERAL([USE_OPENSC])
+m4trace:configure.ac:1751: -1- AC_DEFINE_TRACE_LITERAL([USE_OPENSC])
-m4trace:configure.ac:1735: -1- AC_DEFINE_TRACE_LITERAL([KRB5])
+m4trace:configure.ac:1793: -1- AC_DEFINE_TRACE_LITERAL([KRB5])
-m4trace:configure.ac:1735: -1- AC_DEFINE_TRACE_LITERAL([HEIMDAL])
+m4trace:configure.ac:1793: -1- AC_DEFINE_TRACE_LITERAL([HEIMDAL])
-m4trace:configure.ac:1735: -1- AC_CHECK_LIB([resolv], [dn_expand], [], [])
+m4trace:configure.ac:1793: -1- AC_CHECK_LIB([resolv], [dn_expand], [], [])
-m4trace:configure.ac:1735: -1- AH_OUTPUT([HAVE_LIBRESOLV], [/* Define to 1 if you have the \`resolv' library (-lresolv). */
+m4trace:configure.ac:1793: -1- AH_OUTPUT([HAVE_LIBRESOLV], [/* Define to 1 if you have the \`resolv' library (-lresolv). */
 #undef HAVE_LIBRESOLV])
-m4trace:configure.ac:1735: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBRESOLV])
+m4trace:configure.ac:1793: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBRESOLV])
-m4trace:configure.ac:1789: -1- AC_CHECK_HEADERS([krb.h])
+m4trace:configure.ac:1847: -1- AC_CHECK_HEADERS([krb.h])
-m4trace:configure.ac:1789: -1- AH_OUTPUT([HAVE_KRB_H], [/* Define to 1 if you have the <krb.h> header file. */
+m4trace:configure.ac:1847: -1- AH_OUTPUT([HAVE_KRB_H], [/* Define to 1 if you have the <krb.h> header file. */
 #undef HAVE_KRB_H])
-m4trace:configure.ac:1789: -1- AC_CHECK_LIB([krb], [main])
+m4trace:configure.ac:1847: -1- AC_CHECK_LIB([krb], [main])
-m4trace:configure.ac:1789: -1- AH_OUTPUT([HAVE_LIBKRB], [/* Define to 1 if you have the \`krb' library (-lkrb). */
+m4trace:configure.ac:1847: -1- AH_OUTPUT([HAVE_LIBKRB], [/* Define to 1 if you have the \`krb' library (-lkrb). */
 #undef HAVE_LIBKRB])
-m4trace:configure.ac:1789: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBKRB])
+m4trace:configure.ac:1847: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBKRB])
-m4trace:configure.ac:1789: -1- AC_CHECK_LIB([krb4], [main])
+m4trace:configure.ac:1847: -1- AC_CHECK_LIB([krb4], [main])
-m4trace:configure.ac:1789: -1- AH_OUTPUT([HAVE_LIBKRB4], [/* Define to 1 if you have the \`krb4' library (-lkrb4). */
+m4trace:configure.ac:1847: -1- AH_OUTPUT([HAVE_LIBKRB4], [/* Define to 1 if you have the \`krb4' library (-lkrb4). */
 #undef HAVE_LIBKRB4])
-m4trace:configure.ac:1789: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBKRB4])
+m4trace:configure.ac:1847: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBKRB4])
-m4trace:configure.ac:1789: -1- AC_CHECK_LIB([des], [des_cbc_encrypt])
+m4trace:configure.ac:1847: -1- AC_CHECK_LIB([des], [des_cbc_encrypt])
-m4trace:configure.ac:1789: -1- AH_OUTPUT([HAVE_LIBDES], [/* Define to 1 if you have the \`des' library (-ldes). */
+m4trace:configure.ac:1847: -1- AH_OUTPUT([HAVE_LIBDES], [/* Define to 1 if you have the \`des' library (-ldes). */
 #undef HAVE_LIBDES])
-m4trace:configure.ac:1789: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBDES])
+m4trace:configure.ac:1847: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBDES])
-m4trace:configure.ac:1789: -1- AC_CHECK_LIB([des425], [des_cbc_encrypt])
+m4trace:configure.ac:1847: -1- AC_CHECK_LIB([des425], [des_cbc_encrypt])
-m4trace:configure.ac:1789: -1- AH_OUTPUT([HAVE_LIBDES425], [/* Define to 1 if you have the \`des425' library (-ldes425). */
+m4trace:configure.ac:1847: -1- AH_OUTPUT([HAVE_LIBDES425], [/* Define to 1 if you have the \`des425' library (-ldes425). */
 #undef HAVE_LIBDES425])
-m4trace:configure.ac:1789: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBDES425])
+m4trace:configure.ac:1847: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBDES425])
-m4trace:configure.ac:1789: -1- AC_CHECK_LIB([resolv], [dn_expand], [], [])
+m4trace:configure.ac:1847: -1- AC_CHECK_LIB([resolv], [dn_expand], [], [])
-m4trace:configure.ac:1789: -1- AH_OUTPUT([HAVE_LIBRESOLV], [/* Define to 1 if you have the \`resolv' library (-lresolv). */
+m4trace:configure.ac:1847: -1- AH_OUTPUT([HAVE_LIBRESOLV], [/* Define to 1 if you have the \`resolv' library (-lresolv). */
 #undef HAVE_LIBRESOLV])
-m4trace:configure.ac:1789: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBRESOLV])
+m4trace:configure.ac:1847: -1- AC_DEFINE_TRACE_LITERAL([HAVE_LIBRESOLV])
-m4trace:configure.ac:1789: -1- AC_DEFINE_TRACE_LITERAL([KRB4])
+m4trace:configure.ac:1847: -1- AC_DEFINE_TRACE_LITERAL([KRB4])
-m4trace:configure.ac:1815: -1- AC_DEFINE_TRACE_LITERAL([AFS])
+m4trace:configure.ac:1873: -1- AC_DEFINE_TRACE_LITERAL([AFS])
-m4trace:configure.ac:1829: -1- AC_SUBST([PRIVSEP_PATH])
+m4trace:configure.ac:1887: -1- AC_SUBST([PRIVSEP_PATH])
-m4trace:configure.ac:1844: -1- AC_SUBST([xauth_path], [$ac_cv_path_xauth_path])
+m4trace:configure.ac:1907: -1- AC_SUBST([xauth_path], [$ac_cv_path_xauth_path])
-m4trace:configure.ac:1848: -1- AC_SUBST([XAUTH_PATH])
+m4trace:configure.ac:1911: -1- AC_SUBST([XAUTH_PATH])
-m4trace:configure.ac:1850: -1- AC_DEFINE_TRACE_LITERAL([XAUTH_PATH])
+m4trace:configure.ac:1913: -1- AC_DEFINE_TRACE_LITERAL([XAUTH_PATH])
-m4trace:configure.ac:1852: -1- AC_SUBST([XAUTH_PATH])
+m4trace:configure.ac:1915: -1- AC_SUBST([XAUTH_PATH])
-m4trace:configure.ac:1858: -1- AC_DEFINE_TRACE_LITERAL([MAIL_DIRECTORY])
+m4trace:configure.ac:1921: -1- AC_DEFINE_TRACE_LITERAL([MAIL_DIRECTORY])
-m4trace:configure.ac:1868: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DEV_PTMX])
+m4trace:configure.ac:1931: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DEV_PTMX])
-m4trace:configure.ac:1876: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DEV_PTS_AND_PTC])
+m4trace:configure.ac:1939: -1- AC_DEFINE_TRACE_LITERAL([HAVE_DEV_PTS_AND_PTC])
-m4trace:configure.ac:1893: -1- AC_SUBST([NROFF], [$ac_cv_path_NROFF])
+m4trace:configure.ac:1957: -1- AC_SUBST([NROFF], [$ac_cv_path_NROFF])
-m4trace:configure.ac:1902: -1- AC_SUBST([MANTYPE])
+m4trace:configure.ac:1966: -1- AC_SUBST([MANTYPE])
-m4trace:configure.ac:1908: -1- AC_SUBST([mansubdir])
+m4trace:configure.ac:1972: -1- AC_SUBST([mansubdir])
-m4trace:configure.ac:1920: -1- AC_DEFINE_TRACE_LITERAL([HAVE_MD5_PASSWORDS])
+m4trace:configure.ac:1984: -1- AC_DEFINE_TRACE_LITERAL([HAVE_MD5_PASSWORDS])
-m4trace:configure.ac:1931: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW])
+m4trace:configure.ac:1995: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_SHADOW])
-m4trace:configure.ac:1946: -1- AC_DEFINE_TRACE_LITERAL([HAS_SHADOW_EXPIRE])
+m4trace:configure.ac:2010: -1- AC_DEFINE_TRACE_LITERAL([HAS_SHADOW_EXPIRE])
-m4trace:configure.ac:1955: -1- AC_DEFINE_TRACE_LITERAL([IPADDR_IN_DISPLAY])
+m4trace:configure.ac:2019: -1- AC_DEFINE_TRACE_LITERAL([IPADDR_IN_DISPLAY])
-m4trace:configure.ac:1966: -1- AC_DEFINE_TRACE_LITERAL([IPADDR_IN_DISPLAY])
+m4trace:configure.ac:2030: -1- AC_DEFINE_TRACE_LITERAL([IPADDR_IN_DISPLAY])
-m4trace:configure.ac:2043: -1- AC_DEFINE_TRACE_LITERAL([USER_PATH])
+m4trace:configure.ac:2107: -1- AC_DEFINE_TRACE_LITERAL([USER_PATH])
-m4trace:configure.ac:2044: -1- AC_SUBST([user_path])
+m4trace:configure.ac:2108: -1- AC_SUBST([user_path])
-m4trace:configure.ac:2056: -1- AC_DEFINE_TRACE_LITERAL([SUPERUSER_PATH])
+m4trace:configure.ac:2120: -1- AC_DEFINE_TRACE_LITERAL([SUPERUSER_PATH])
-m4trace:configure.ac:2069: -1- AC_DEFINE_TRACE_LITERAL([IPV4_DEFAULT])
+m4trace:configure.ac:2133: -1- AC_DEFINE_TRACE_LITERAL([IPV4_DEFAULT])
-m4trace:configure.ac:2092: -1- AC_DEFINE_TRACE_LITERAL([IPV4_IN_IPV6])
+m4trace:configure.ac:2156: -1- AC_DEFINE_TRACE_LITERAL([IPV4_IN_IPV6])
-m4trace:configure.ac:2092: -1- AC_DEFINE_TRACE_LITERAL([IPV4_IN_IPV6])
+m4trace:configure.ac:2156: -1- AC_DEFINE_TRACE_LITERAL([IPV4_IN_IPV6])
-m4trace:configure.ac:2104: -1- AC_DEFINE_TRACE_LITERAL([BSD_AUTH])
+m4trace:configure.ac:2168: -1- AC_DEFINE_TRACE_LITERAL([BSD_AUTH])
-m4trace:configure.ac:2128: -1- AC_DEFINE_TRACE_LITERAL([_PATH_SSH_PIDDIR])
+m4trace:configure.ac:2192: -1- AC_DEFINE_TRACE_LITERAL([_PATH_SSH_PIDDIR])
-m4trace:configure.ac:2129: -1- AC_SUBST([piddir])
+m4trace:configure.ac:2193: -1- AC_SUBST([piddir])
-m4trace:configure.ac:2135: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LASTLOG])
+m4trace:configure.ac:2199: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LASTLOG])
-m4trace:configure.ac:2139: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP])
+m4trace:configure.ac:2203: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP])
-m4trace:configure.ac:2143: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMPX])
+m4trace:configure.ac:2207: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMPX])
-m4trace:configure.ac:2147: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMP])
+m4trace:configure.ac:2211: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMP])
-m4trace:configure.ac:2151: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMPX])
+m4trace:configure.ac:2215: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMPX])
-m4trace:configure.ac:2155: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LOGIN])
+m4trace:configure.ac:2219: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LOGIN])
-m4trace:configure.ac:2159: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_PUTUTLINE])
+m4trace:configure.ac:2223: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_PUTUTLINE])
-m4trace:configure.ac:2163: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_PUTUTXLINE])
+m4trace:configure.ac:2227: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_PUTUTXLINE])
-m4trace:configure.ac:2173: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LASTLOG])
+m4trace:configure.ac:2237: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_LASTLOG])
-m4trace:configure.ac:2235: -1- AC_DEFINE_TRACE_LITERAL([CONF_LASTLOG_FILE])
+m4trace:configure.ac:2299: -1- AC_DEFINE_TRACE_LITERAL([CONF_LASTLOG_FILE])
-m4trace:configure.ac:2260: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP])
+m4trace:configure.ac:2324: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMP])
-m4trace:configure.ac:2265: -1- AC_DEFINE_TRACE_LITERAL([CONF_UTMP_FILE])
+m4trace:configure.ac:2329: -1- AC_DEFINE_TRACE_LITERAL([CONF_UTMP_FILE])
-m4trace:configure.ac:2290: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMP])
+m4trace:configure.ac:2354: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMP])
-m4trace:configure.ac:2295: -1- AC_DEFINE_TRACE_LITERAL([CONF_WTMP_FILE])
+m4trace:configure.ac:2359: -1- AC_DEFINE_TRACE_LITERAL([CONF_WTMP_FILE])
-m4trace:configure.ac:2320: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMPX])
+m4trace:configure.ac:2384: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_UTMPX])
-m4trace:configure.ac:2323: -1- AC_DEFINE_TRACE_LITERAL([CONF_UTMPX_FILE])
+m4trace:configure.ac:2387: -1- AC_DEFINE_TRACE_LITERAL([CONF_UTMPX_FILE])
-m4trace:configure.ac:2345: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMPX])
+m4trace:configure.ac:2409: -1- AC_DEFINE_TRACE_LITERAL([DISABLE_WTMPX])
-m4trace:configure.ac:2348: -1- AC_DEFINE_TRACE_LITERAL([CONF_WTMPX_FILE])
+m4trace:configure.ac:2412: -1- AC_DEFINE_TRACE_LITERAL([CONF_WTMPX_FILE])
-m4trace:configure.ac:2366: -1- AC_CONFIG_FILES([Makefile openbsd-compat/Makefile scard/Makefile ssh_prng_cmds])
+m4trace:configure.ac:2430: -1- AC_CONFIG_FILES([Makefile openbsd-compat/Makefile scard/Makefile ssh_prng_cmds])
diff --git a/canohost.c b/canohost.c
index 00c499ca0..a457d3c52 100644
--- a/canohost.c
+++ b/canohost.c
@@ -12,7 +12,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: canohost.c,v 1.32 2002/06/11 08:11:45 itojun Exp $");
+RCSID("$OpenBSD: canohost.c,v 1.34 2002/09/23 20:46:27 stevesk Exp $");
 #include "packet.h"
 #include "xmalloc.h"
@@ -77,7 +77,9 @@ get_remote_hostname(int socket, int verify_reverse_mapping)
        if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
            NULL, 0, NI_NAMEREQD) != 0) {
                /* Host name not found.  Use ip address. */
+#if 0
                log("Could not reverse map address %.100s.", ntop);
+#endif
                return xstrdup(ntop);
        }
@@ -216,18 +218,12 @@ get_socket_address(int socket, int remote, int flags)
        if (remote) {
                if (getpeername(socket, (struct sockaddr *)&addr, &addrlen)
-                    < 0) {
+                    < 0)
-                        debug("get_socket_ipaddr: getpeername failed: %.100s",
-                            strerror(errno));
                        return NULL;
-                }
        } else {
                if (getsockname(socket, (struct sockaddr *)&addr, &addrlen)
-                    < 0) {
+                    < 0)
-                        debug("get_socket_ipaddr: getsockname failed: %.100s",
-                            strerror(errno));
                        return NULL;
-                }
        }
        /* Get the address in ascii. */
        if (getnameinfo((struct sockaddr *)&addr, addrlen, ntop, sizeof(ntop),
@@ -241,13 +237,21 @@ get_socket_address(int socket, int remote, int flags)
 char *
 get_peer_ipaddr(int socket)
 {
-        return get_socket_address(socket, 1, NI_NUMERICHOST);
+        char *p;
+        if ((p = get_socket_address(socket, 1, NI_NUMERICHOST)) != NULL)
+                return p;
+        return xstrdup("UNKNOWN");
 }
 char *
 get_local_ipaddr(int socket)
 {
-        return get_socket_address(socket, 0, NI_NUMERICHOST);
+        char *p;
+        if ((p = get_socket_address(socket, 0, NI_NUMERICHOST)) != NULL)
+                return p;
+        return xstrdup("UNKNOWN");
 }
 char *
diff --git a/channels.c b/channels.c
index 29eaee7c4..6ff9e2583 100644
--- a/channels.c
+++ b/channels.c
@@ -39,7 +39,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.179 2002/06/26 08:55:02 markus Exp $");
+RCSID("$OpenBSD: channels.c,v 1.183 2002/09/17 07:47:02 itojun Exp $");
 #include "ssh.h"
 #include "ssh1.h"
@@ -186,6 +186,7 @@ channel_register_fds(Channel *c, int rfd, int wfd, int efd,
        } else {
                c->isatty = 0;
        }
+        c->wfd_isatty = isatty(c->wfd);
        /* enable nonblocking mode */
        if (nonblock) {
@@ -572,6 +573,7 @@ void
 channel_send_open(int id)
 {
        Channel *c = channel_lookup(id);
        if (c == NULL) {
                log("channel_send_open: %d: bad id", id);
                return;
@@ -589,6 +591,7 @@ void
 channel_request_start(int local_id, char *service, int wantconfirm)
 {
        Channel *c = channel_lookup(local_id);
        if (c == NULL) {
                log("channel_request_start: %d: unknown channel id", local_id);
                return;
@@ -603,6 +606,7 @@ void
 channel_register_confirm(int id, channel_callback_fn *fn)
 {
        Channel *c = channel_lookup(id);
        if (c == NULL) {
                log("channel_register_comfirm: %d: bad id", id);
                return;
@@ -613,6 +617,7 @@ void
 channel_register_cleanup(int id, channel_callback_fn *fn)
 {
        Channel *c = channel_lookup(id);
        if (c == NULL) {
                log("channel_register_cleanup: %d: bad id", id);
                return;
@@ -623,6 +628,7 @@ void
 channel_cancel_cleanup(int id)
 {
        Channel *c = channel_lookup(id);
        if (c == NULL) {
                log("channel_cancel_cleanup: %d: bad id", id);
                return;
@@ -633,6 +639,7 @@ void
 channel_register_filter(int id, channel_filter_fn *fn)
 {
        Channel *c = channel_lookup(id);
        if (c == NULL) {
                log("channel_register_filter: %d: bad id", id);
                return;
@@ -645,6 +652,7 @@ channel_set_fds(int id, int rfd, int wfd, int efd,
    int extusage, int nonblock, u_int window_max)
 {
        Channel *c = channel_lookup(id);
        if (c == NULL || c->type != SSH_CHANNEL_LARVAL)
                fatal("channel_activate for non-larval channel %d.", id);
        channel_register_fds(c, rfd, wfd, efd, extusage, nonblock);
@@ -815,6 +823,7 @@ static void
 channel_pre_x11_open_13(Channel *c, fd_set * readset, fd_set * writeset)
 {
        int ret = x11_open_helper(&c->output);
        if (ret == 1) {
                /* Start normal processing for the channel. */
                c->type = SSH_CHANNEL_OPEN;
@@ -866,7 +875,7 @@ channel_pre_x11_open(Channel *c, fd_set * readset, fd_set * writeset)
 static int
 channel_decode_socks4(Channel *c, fd_set * readset, fd_set * writeset)
 {
-        u_char *p, *host;
+        char *p, *host;
        int len, have, i, found;
        char username[256];
        struct {
@@ -1278,6 +1287,11 @@ channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset)
            buffer_len(&c->output) > 0) {
                data = buffer_ptr(&c->output);
                dlen = buffer_len(&c->output);
+#ifdef _AIX
+                /* XXX: Later AIX versions can't push as much data to tty */ 
+                if (compat20 && c->wfd_isatty && dlen > 8*1024)
+                        dlen = 8*1024;
+#endif
                len = write(c->wfd, data, dlen);
                if (len < 0 && (errno == EINTR || errno == EAGAIN))
                        return 1;
@@ -1395,6 +1409,7 @@ static void
 channel_post_output_drain_13(Channel *c, fd_set * readset, fd_set * writeset)
 {
        int len;
        /* Send buffered output data to the socket. */
        if (FD_ISSET(c->sock, writeset) && buffer_len(&c->output) > 0) {
                len = write(c->sock, buffer_ptr(&c->output),
@@ -1472,6 +1487,7 @@ static void
 channel_handler_init(void)
 {
        int i;
        for (i = 0; i < SSH_CHANNEL_MAX_TYPE; i++) {
                channel_pre[i] = NULL;
                channel_post[i] = NULL;
@@ -2006,7 +2022,6 @@ channel_setup_fwd_listener(int type, const char *listen_addr, u_short listen_por
        struct addrinfo hints, *ai, *aitop;
        const char *host;
        char ntop[NI_MAXHOST], strport[NI_MAXSERV];
-        struct linger linger;
        success = 0;
        host = (type == SSH_CHANNEL_RPORT_LISTENER) ?
@@ -2049,13 +2064,13 @@ channel_setup_fwd_listener(int type, const char *listen_addr, u_short listen_por
                        continue;
                }
                /*
-                 * Set socket options.  We would like the socket to disappear
+                 * Set socket options.
-                 * as soon as it has been closed for whatever reason.
+                 * Allow local port reuse in TIME_WAIT.
                 */
-                setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));
+                if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on,
-                linger.l_onoff = 1;
+                    sizeof(on)) == -1)
-                linger.l_linger = 5;
+                        error("setsockopt SO_REUSEADDR: %s", strerror(errno));
-                setsockopt(sock, SOL_SOCKET, SO_LINGER, &linger, sizeof(linger));
                debug("Local forwarding listening on %s port %s.", ntop, strport);
                /* Bind the socket to the address. */
@@ -2605,6 +2620,7 @@ void
 deny_input_open(int type, u_int32_t seq, void *ctxt)
 {
        int rchan = packet_get_int();
        switch (type) {
        case SSH_SMSG_AGENT_OPEN:
                error("Warning: ssh server tried agent forwarding.");
diff --git a/channels.h b/channels.h
index dd54114d6..bd2e92589 100644
--- a/channels.h
+++ b/channels.h
@@ -77,6 +77,7 @@ struct Channel {
        int     efd;            /* extended fd */
        int     sock;           /* sock fd */
        int     isatty;         /* rfd is a tty */
+        int     wfd_isatty;     /* wfd is a tty */
        int     force_drain;    /* force close on iEOF */
        int     delayed;                /* fdset hack */
        Buffer  input;          /* data read from socket, to be sent over
diff --git a/cipher.c b/cipher.c
index 6db340d7a..1933d3eab 100644
--- a/cipher.c
+++ b/cipher.c
@@ -35,7 +35,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: cipher.c,v 1.60 2002/06/23 03:26:52 deraadt Exp $");
+RCSID("$OpenBSD: cipher.c,v 1.61 2002/07/12 15:50:17 markus Exp $");
 #include "xmalloc.h"
 #include "log.h"
@@ -437,6 +437,18 @@ swap_bytes(const u_char *src, u_char *dst, int n)
        }
 }
+#ifdef SSH_OLD_EVP
+static void bf_ssh1_init (EVP_CIPHER_CTX * ctx, const unsigned char *key,
+                          const unsigned char *iv, int enc)
+{
+        if (iv != NULL)
+                memcpy (&(ctx->oiv[0]), iv, 8);
+        memcpy (&(ctx->iv[0]), &(ctx->oiv[0]), 8);
+        if (key != NULL)
+                BF_set_key (&(ctx->c.bf_ks), EVP_CIPHER_CTX_key_length (ctx),
+                            key);
+}
+#endif
 static int (*orig_bf)(EVP_CIPHER_CTX *, u_char *, const u_char *, u_int) = NULL;
 static int
@@ -458,6 +470,9 @@ evp_ssh1_bf(void)
        memcpy(&ssh1_bf, EVP_bf_cbc(), sizeof(EVP_CIPHER));
        orig_bf = ssh1_bf.do_cipher;
        ssh1_bf.nid = NID_undef;
+#ifdef SSH_OLD_EVP
+        ssh1_bf.init = bf_ssh1_init;
+#endif
        ssh1_bf.do_cipher = bf_ssh1_cipher;
        ssh1_bf.key_len = 32;
        return (&ssh1_bf);
@@ -567,7 +582,7 @@ evp_rijndael(void)
        rijndal_cbc.do_cipher = ssh_rijndael_cbc;
 #ifndef SSH_OLD_EVP
        rijndal_cbc.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
-            EVP_CIPH_ALWAYS_CALL_INIT;
+            EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
 #endif
        return (&rijndal_cbc);
 }
diff --git a/clientloop.c b/clientloop.c
index 6d19b4a25..8b1976171 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -59,7 +59,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: clientloop.c,v 1.102 2002/06/24 14:33:27 markus Exp $");
+RCSID("$OpenBSD: clientloop.c,v 1.104 2002/08/22 19:38:42 stevesk Exp $");
 #include "ssh.h"
 #include "ssh1.h"
@@ -654,16 +654,18 @@ process_escapes(Buffer *bin, Buffer *bout, Buffer *berr, char *buf, int len)
                                snprintf(string, sizeof string,
 "%c?\r\n\
 Supported escape sequences:\r\n\
-~.  - terminate connection\r\n\
+%c.  - terminate connection\r\n\
-~C  - open a command line\r\n\
+%cC  - open a command line\r\n\
-~R  - Request rekey (SSH protocol 2 only)\r\n\
+%cR  - Request rekey (SSH protocol 2 only)\r\n\
-~^Z - suspend ssh\r\n\
+%c^Z - suspend ssh\r\n\
-~#  - list forwarded connections\r\n\
+%c#  - list forwarded connections\r\n\
-~&  - background ssh (when waiting for connections to terminate)\r\n\
+%c&  - background ssh (when waiting for connections to terminate)\r\n\
-~?  - this message\r\n\
+%c?  - this message\r\n\
-~~  - send the escape character by typing it twice\r\n\
+%c%c  - send the escape character by typing it twice\r\n\
 (Note that escapes are only recognized immediately after newline.)\r\n",
-                                         escape_char);
+                                    escape_char, escape_char, escape_char, escape_char,
+                                    escape_char, escape_char, escape_char, escape_char,
+                                    escape_char, escape_char);
                                buffer_append(berr, string, strlen(string));
                                continue;
@@ -1149,7 +1151,7 @@ client_input_exit_status(int type, u_int32_t seq, void *ctxt)
 static Channel *
 client_request_forwarded_tcpip(const char *request_type, int rchan)
 {
-        Channel* c = NULL;
+        Channel *c = NULL;
        char *listen_address, *originator_address;
        int listen_port, originator_port;
        int sock;
@@ -1179,7 +1181,7 @@ client_request_forwarded_tcpip(const char *request_type, int rchan)
        return c;
 }
-static Channel*
+static Channel *
 client_request_x11(const char *request_type, int rchan)
 {
        Channel *c = NULL;
@@ -1215,7 +1217,7 @@ client_request_x11(const char *request_type, int rchan)
        return c;
 }
-static Channel*
+static Channel *
 client_request_agent(const char *request_type, int rchan)
 {
        Channel *c = NULL;
diff --git a/compat.c b/compat.c
index 406b47c25..757b0e679 100644
--- a/compat.c
+++ b/compat.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: compat.c,v 1.63 2002/04/10 08:21:47 markus Exp $");
+RCSID("$OpenBSD: compat.c,v 1.65 2002/09/27 10:42:09 mickey Exp $");
 #include "buffer.h"
 #include "packet.h"
@@ -39,13 +39,13 @@ int datafellows = 0;
 void
 enable_compat20(void)
 {
-        verbose("Enabling compatibility mode for protocol 2.0");
+        debug("Enabling compatibility mode for protocol 2.0");
        compat20 = 1;
 }
 void
 enable_compat13(void)
 {
-        verbose("Enabling compatibility mode for protocol 1.3");
+        debug("Enabling compatibility mode for protocol 1.3");
        compat13 = 1;
 }
 /* datafellows bug compatibility */
@@ -146,6 +146,8 @@ compat_datafellows(const char *version)
                  "OSU_1.5alpha3*",     SSH_BUG_PASSWORDPAD },
                { "*SSH_Version_Mapper*",
                                        SSH_BUG_SCANNER },
+                { "Probe-*",
+                                        SSH_BUG_PROBE },
                { NULL,                 0 }
        };
diff --git a/compat.h b/compat.h
index 7afca0460..9299805af 100644
--- a/compat.h
+++ b/compat.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: compat.h,v 1.32 2002/04/10 08:21:47 markus Exp $      */
+/*      $OpenBSD: compat.h,v 1.33 2002/09/27 10:42:09 mickey Exp $      */
 /*
 * Copyright (c) 1999, 2000, 2001 Markus Friedl.  All rights reserved.
@@ -54,6 +54,7 @@
 #define SSH_BUG_DUMMYCHAN       0x00100000
 #define SSH_BUG_EXTEOF          0x00200000
 #define SSH_BUG_K5USER          0x00400000
+#define SSH_BUG_PROBE           0x00800000
 void     enable_compat13(void);
 void     enable_compat20(void);
diff --git a/config.guess b/config.guess
index 83c544d97..fd30ab031 100755
--- a/config.guess
+++ b/config.guess
@@ -3,7 +3,7 @@
 #   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
 #   2000, 2001, 2002 Free Software Foundation, Inc.
-timestamp='2002-01-30'
+timestamp='2002-07-23'
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -88,30 +88,40 @@ if test $# != 0; then
  exit 1
 fi
+trap 'exit 1' 1 2 15
-dummy=dummy-$$
+# CC_FOR_BUILD -- compiler used by this script. Note that the use of a
-trap 'rm -f $dummy.c $dummy.o $dummy.rel $dummy; exit 1' 1 2 15
+# compiler to aid in system detection is discouraged as it requires
+# temporary files to be created and, as you can see below, it is a
+# headache to deal with in a portable fashion.
-# CC_FOR_BUILD -- compiler used by this script.
 # Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still
 # use `HOST_CC' if defined, but it is deprecated.
-set_cc_for_build='case $CC_FOR_BUILD,$HOST_CC,$CC in
+# This shell variable is my proudest work .. or something. --bje
- ,,)    echo "int dummy(){}" > $dummy.c ;
-        for c in cc gcc c89 ; do
+set_cc_for_build='tmpdir=${TMPDIR-/tmp}/config-guess-$$ ;
-          ($c $dummy.c -c -o $dummy.o) >/dev/null 2>&1 ;
+(old=`umask` && umask 077 && mkdir $tmpdir && umask $old && unset old)
-          if test $? = 0 ; then
+   || (echo "$me: cannot create $tmpdir" >&2 && exit 1) ;
+dummy=$tmpdir/dummy ;
+files="$dummy.c $dummy.o $dummy.rel $dummy" ;
+trap '"'"'rm -f $files; rmdir $tmpdir; exit 1'"'"' 1 2 15 ;
+case $CC_FOR_BUILD,$HOST_CC,$CC in
+ ,,)    echo "int x;" > $dummy.c ;
+        for c in cc gcc c89 c99 ; do
+          if ($c $dummy.c -c -o $dummy.o) >/dev/null 2>&1 ; then
             CC_FOR_BUILD="$c"; break ;
          fi ;
        done ;
-        rm -f $dummy.c $dummy.o $dummy.rel ;
+        rm -f $files ;
        if test x"$CC_FOR_BUILD" = x ; then
          CC_FOR_BUILD=no_compiler_found ;
        fi
        ;;
 ,,*)   CC_FOR_BUILD=$CC ;;
 ,*,*)  CC_FOR_BUILD=$HOST_CC ;;
-esac'
+esac ;
+unset files'
 # This is needed to find uname on a Pyramid OSx when run in the BSD universe.
 # (ghazi@noc.rutgers.edu 1994-08-24)
@@ -138,9 +148,11 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
        #
        # Note: NetBSD doesn't particularly care about the vendor
        # portion of the name.  We always set it to "unknown".
-        UNAME_MACHINE_ARCH=`(uname -p) 2>/dev/null` || \
+        sysctl="sysctl -n hw.machine_arch"
-            UNAME_MACHINE_ARCH=unknown
+        UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \
+            /usr/sbin/$sysctl 2>/dev/null || echo unknown)`
        case "${UNAME_MACHINE_ARCH}" in
+            armeb) machine=armeb-unknown ;;
            arm*) machine=arm-unknown ;;
            sh3el) machine=shl-unknown ;;
            sh3eb) machine=sh-unknown ;;
@@ -219,6 +231,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
        # A Tn.n version is a released field test version.
        # A Xn.n version is an unreleased experimental baselevel.
        # 1.2 uses "1.2" for uname -r.
+        eval $set_cc_for_build
        cat <<EOF >$dummy.s
        .data
 \$Lformat:
@@ -244,10 +257,9 @@ main:
        jsr \$26,exit
        .end main
 EOF
-        eval $set_cc_for_build
        $CC_FOR_BUILD $dummy.s -o $dummy 2>/dev/null
        if test "$?" = 0 ; then
-                case `./$dummy` in
+                case `$dummy` in
                        0-0)
                                UNAME_MACHINE="alpha"
                                ;;
@@ -269,9 +281,12 @@ EOF
                        2-1307)
                                UNAME_MACHINE="alphaev68"
                                ;;
+                        3-1307)
+                                UNAME_MACHINE="alphaev7"
+                                ;;
                esac
        fi
-        rm -f $dummy.s $dummy
+        rm -f $dummy.s $dummy && rmdir $tmpdir
        echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[VTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
        exit 0 ;;
    Alpha\ *:Windows_NT*:*)
@@ -312,6 +327,10 @@ EOF
    NILE*:*:*:dcosx)
        echo pyramid-pyramid-svr4
        exit 0 ;;
+    DRS?6000:UNIX_SV:4.2*:7*)
+        case `/usr/bin/uname -p` in
+            sparc) echo sparc-icl-nx7 && exit 0 ;;
+        esac ;;
    sun4H:SunOS:5.*:*)
        echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
        exit 0 ;;
@@ -340,7 +359,7 @@ EOF
        echo m68k-sun-sunos${UNAME_RELEASE}
        exit 0 ;;
    sun*:*:4.2BSD:*)
-        UNAME_RELEASE=`(head -1 /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
+        UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
        test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3
        case "`/bin/arch`" in
            sun3)
@@ -419,14 +438,17 @@ EOF
        }
 EOF
        $CC_FOR_BUILD $dummy.c -o $dummy \
-          && ./$dummy `echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` \
+          && $dummy `echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` \
-          && rm -f $dummy.c $dummy && exit 0
+          && rm -f $dummy.c $dummy && rmdir $tmpdir && exit 0
-        rm -f $dummy.c $dummy
+        rm -f $dummy.c $dummy && rmdir $tmpdir
        echo mips-mips-riscos${UNAME_RELEASE}
        exit 0 ;;
    Motorola:PowerMAX_OS:*:*)
        echo powerpc-motorola-powermax
        exit 0 ;;
+    Night_Hawk:*:*:PowerMAX_OS)
+        echo powerpc-harris-powermax
+        exit 0 ;;
    Night_Hawk:Power_UNIX:*:*)
        echo powerpc-harris-powerunix
        exit 0 ;;
@@ -499,8 +521,8 @@ EOF
                        exit(0);
                        }
 EOF
-                $CC_FOR_BUILD $dummy.c -o $dummy && ./$dummy && rm -f $dummy.c $dummy && exit 0
+                $CC_FOR_BUILD $dummy.c -o $dummy && $dummy && rm -f $dummy.c $dummy && rmdir $tmpdir && exit 0
-                rm -f $dummy.c $dummy
+                rm -f $dummy.c $dummy && rmdir $tmpdir
                echo rs6000-ibm-aix3.2.5
        elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then
                echo rs6000-ibm-aix3.2.4
@@ -509,7 +531,7 @@ EOF
        fi
        exit 0 ;;
    *:AIX:*:[45])
-        IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | head -1 | awk '{ print $1 }'`
+        IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
        if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
                IBM_ARCH=rs6000
        else
@@ -598,9 +620,9 @@ EOF
                  exit (0);
              }
 EOF
-                    (CCOPTS= $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null) && HP_ARCH=`./$dummy`
+                    (CCOPTS= $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null) && HP_ARCH=`$dummy`
                    if test -z "$HP_ARCH"; then HP_ARCH=hppa; fi
-                    rm -f $dummy.c $dummy
+                    rm -f $dummy.c $dummy && rmdir $tmpdir
                fi ;;
        esac
        echo ${HP_ARCH}-hp-hpux${HPUX_REV}
@@ -636,8 +658,8 @@ EOF
          exit (0);
        }
 EOF
-        $CC_FOR_BUILD $dummy.c -o $dummy && ./$dummy && rm -f $dummy.c $dummy && exit 0
+        $CC_FOR_BUILD $dummy.c -o $dummy && $dummy && rm -f $dummy.c $dummy && rmdir $tmpdir && exit 0
-        rm -f $dummy.c $dummy
+        rm -f $dummy.c $dummy && rmdir $tmpdir
        echo unknown-hitachi-hiuxwe2
        exit 0 ;;
    9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* )
@@ -683,9 +705,6 @@ EOF
    C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
        echo c4-convex-bsd
        exit 0 ;;
-    CRAY*X-MP:*:*:*)
-        echo xmp-cray-unicos
-        exit 0 ;;
    CRAY*Y-MP:*:*:*)
        echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
        exit 0 ;;
@@ -707,9 +726,6 @@ EOF
    CRAY*SV1:*:*:*)
        echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
        exit 0 ;;
-    CRAY-2:*:*:*)
-        echo cray2-cray-unicos
-        exit 0 ;;
    F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
        FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
        FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
@@ -726,7 +742,19 @@ EOF
        echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
        exit 0 ;;
    *:FreeBSD:*:*)
-        echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
+        # Determine whether the default compiler uses glibc.
+        eval $set_cc_for_build
+        sed 's/^        //' << EOF >$dummy.c
+        #include <features.h>
+        #if __GLIBC__ >= 2
+        LIBC=gnu
+        #else
+        LIBC=
+        #endif
+EOF
+        eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=`
+        rm -f $dummy.c && rmdir $tmpdir
+        echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`${LIBC:+-$LIBC}
        exit 0 ;;
    i*:CYGWIN*:*)
        echo ${UNAME_MACHINE}-pc-cygwin
@@ -765,7 +793,7 @@ EOF
        echo ${UNAME_MACHINE}-unknown-linux-gnu
        exit 0 ;;
    ia64:Linux:*:*)
-        echo ${UNAME_MACHINE}-unknown-linux
+        echo ${UNAME_MACHINE}-unknown-linux-gnu
        exit 0 ;;
    m68*:Linux:*:*)
        echo ${UNAME_MACHINE}-unknown-linux-gnu
@@ -776,18 +804,18 @@ EOF
        #undef CPU
        #undef mips
        #undef mipsel
-        #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) 
+        #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
-        CPU=mipsel 
+        CPU=mipsel
        #else
-        #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) 
+        #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
        CPU=mips
        #else
        CPU=
        #endif
-        #endif 
+        #endif
 EOF
        eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=`
-        rm -f $dummy.c
+        rm -f $dummy.c && rmdir $tmpdir
        test x"${CPU}" != x && echo "${CPU}-pc-linux-gnu" && exit 0
        ;;
    ppc:Linux:*:*)
@@ -837,9 +865,8 @@ EOF
        # The BFD linker knows what the default object file format is, so
        # first see if it will tell us. cd to the root directory to prevent
        # problems with other programs or directories called `ld' in the path.
-        # Export LANG=C to prevent ld from outputting information in other
+        # Set LC_ALL=C to ensure ld outputs messages in English.
-        # languages.
+        ld_supported_targets=`cd /; LC_ALL=C ld --help 2>&1 \
-        ld_supported_targets=`LANG=C; export LANG; cd /; ld --help 2>&1 \
                         | sed -ne '/supported targets:/!d
                                    s/[         ][      ]*/ /g
                                    s/.*supported targets: *//
@@ -851,7 +878,7 @@ EOF
                ;;
          a.out-i386-linux)
                echo "${UNAME_MACHINE}-pc-linux-gnuaout"
-                exit 0 ;;               
+                exit 0 ;;
          coff-i386)
                echo "${UNAME_MACHINE}-pc-linux-gnucoff"
                exit 0 ;;
@@ -884,7 +911,7 @@ EOF
        #endif
 EOF
        eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=`
-        rm -f $dummy.c
+        rm -f $dummy.c && rmdir $tmpdir
        test x"${LIBC}" != x && echo "${UNAME_MACHINE}-pc-linux-${LIBC}" && exit 0
        test x"${TENTATIVE}" != x && echo "${TENTATIVE}" && exit 0
        ;;
@@ -923,13 +950,13 @@ EOF
                UNAME_REL=`sed -n 's/.*Version //p' </usr/options/cb.name`
                echo ${UNAME_MACHINE}-pc-isc$UNAME_REL
        elif /bin/uname -X 2>/dev/null >/dev/null ; then
-                UNAME_REL=`(/bin/uname -X|egrep Release|sed -e 's/.*= //')`
+                UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')`
-                (/bin/uname -X|egrep i80486 >/dev/null) && UNAME_MACHINE=i486
+                (/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486
-                (/bin/uname -X|egrep '^Machine.*Pentium' >/dev/null) \
+                (/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \
                        && UNAME_MACHINE=i586
-                (/bin/uname -X|egrep '^Machine.*Pent ?II' >/dev/null) \
+                (/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \
                        && UNAME_MACHINE=i686
-                (/bin/uname -X|egrep '^Machine.*Pentium Pro' >/dev/null) \
+                (/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \
                        && UNAME_MACHINE=i686
                echo ${UNAME_MACHINE}-pc-sco$UNAME_REL
        else
@@ -964,7 +991,7 @@ EOF
        exit 0 ;;
    M68*:*:R3V[567]*:*)
        test -r /sysV68 && echo 'm68k-motorola-sysv' && exit 0 ;;
-    3[34]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0)
+    3[34]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0)
        OS_REL=''
        test -r /etc/.relid \
        && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
@@ -1065,12 +1092,12 @@ EOF
        echo `uname -p`-apple-darwin${UNAME_RELEASE}
        exit 0 ;;
    *:procnto*:*:* | *:QNX:[0123456789]*:*)
-        if test "${UNAME_MACHINE}" = "x86pc"; then
+        UNAME_PROCESSOR=`uname -p`
+        if test "$UNAME_PROCESSOR" = "x86"; then
+                UNAME_PROCESSOR=i386
                UNAME_MACHINE=pc
-                echo i386-${UNAME_MACHINE}-nto-qnx
-        else
-                echo `uname -p`-${UNAME_MACHINE}-nto-qnx
        fi
+        echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE}
        exit 0 ;;
    *:QNX:*:4*)
        echo i386-pc-qnx
@@ -1247,8 +1274,8 @@ main ()
 }
 EOF
-$CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null && ./$dummy && rm -f $dummy.c $dummy && exit 0
+$CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null && $dummy && rm -f $dummy.c $dummy && rmdir $tmpdir && exit 0
-rm -f $dummy.c $dummy
+rm -f $dummy.c $dummy && rmdir $tmpdir
 # Apollos put the system type in the environment.
diff --git a/config.h.in b/config.h.in
index d42ad8e55..e87309415 100644
--- a/config.h.in
+++ b/config.h.in
@@ -1,5 +1,5 @@
 /* config.h.in.  Generated from configure.ac by autoheader.  */
-/* $Id: acconfig.h,v 1.141 2002/06/25 22:35:16 tim Exp $ */
+/* $Id: acconfig.h,v 1.145 2002/09/26 00:38:48 tim Exp $ */
 #ifndef _CONFIG_H
 #define _CONFIG_H
@@ -150,6 +150,9 @@
 /* Define if you don't want to use lastlog */
 #undef DISABLE_LASTLOG
+/* Define if you don't want to use lastlog in session.c */
+#undef NO_SSH_LASTLOG
 /* Define if you don't want to use utmp */
 #undef DISABLE_UTMP
@@ -310,6 +313,9 @@
 /* Define if X11 doesn't support AF_UNIX sockets on that system */
 #undef NO_X11_UNIX_SOCKETS
+/* Define if the concept of ports only accessible to superusers isn't known */
+#undef NO_IPPORT_RESERVED_CONCEPT
 /* Needed for SCO and NeXT */
 #undef BROKEN_SAVED_UIDS
@@ -355,11 +361,8 @@
 /* Path that unprivileged child will chroot() to in privep mode */
 #undef PRIVSEP_PATH
-/* Define if you have the `mmap' function that supports MAP_ANON|SHARED */
+/* Define if your platform needs to skip post auth file descriptor passing */
-#undef HAVE_MMAP_ANON_SHARED
+#undef DISABLE_FD_PASSING
-/* Define if sendmsg()/recvmsg() has problems passing file descriptors */
-#undef BROKEN_FD_PASSING
 /* Define to 1 if the `getpgrp' function requires zero arguments. */
@@ -437,6 +440,9 @@
 /* Define to 1 if you have the <getopt.h> header file. */
 #undef HAVE_GETOPT_H
+/* Define to 1 if you have the `getpeereid' function. */
+#undef HAVE_GETPEEREID
 /* Define to 1 if you have the `getpwanam' function. */
 #undef HAVE_GETPWANAM
@@ -476,6 +482,9 @@
 /* Define to 1 if you have the <glob.h> header file. */
 #undef HAVE_GLOB_H
+/* Define to 1 if you have the <ia.h> header file. */
+#undef HAVE_IA_H
 /* Define to 1 if you have the `inet_aton' function. */
 #undef HAVE_INET_ATON
@@ -497,6 +506,9 @@
 /* Define to 1 if you have the <lastlog.h> header file. */
 #undef HAVE_LASTLOG_H
+/* Define to 1 if you have the `crypt' library (-lcrypt). */
+#undef HAVE_LIBCRYPT
 /* Define to 1 if you have the `des' library (-ldes). */
 #undef HAVE_LIBDES
@@ -533,6 +545,9 @@
 /* Define to 1 if you have the <libutil.h> header file. */
 #undef HAVE_LIBUTIL_H
+/* Define to 1 if you have the `xnet' library (-lxnet). */
+#undef HAVE_LIBXNET
 /* Define to 1 if you have the `z' library (-lz). */
 #undef HAVE_LIBZ
@@ -779,6 +794,9 @@
 /* Define to 1 if you have the <time.h> header file. */
 #undef HAVE_TIME_H
+/* Define to 1 if you have the <tmpdir.h> header file. */
+#undef HAVE_TMPDIR_H
 /* Define to 1 if you have the `truncate' function. */
 #undef HAVE_TRUNCATE
diff --git a/config.sub b/config.sub
index a06a480ad..9ff085efa 100755
--- a/config.sub
+++ b/config.sub
@@ -1,9 +1,9 @@
 #! /bin/sh
 # Configuration validation subroutine script.
-#   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001
+#   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   Free Software Foundation, Inc.
+#   2000, 2001, 2002 Free Software Foundation, Inc.
-timestamp='2001-04-20'
+timestamp='2002-07-03'
 # This file is (in principle) common to ALL GNU software.
 # The presence of a machine in this file suggests that SOME GNU software
@@ -29,7 +29,8 @@ timestamp='2001-04-20'
 # configuration script generated by Autoconf, you may include it under
 # the same distribution terms that you use for the rest of that program.
-# Please send patches to <config-patches@gnu.org>.
+# Please send patches to <config-patches@gnu.org>.  Submit a context
+# diff and a properly formatted ChangeLog entry.
 #
 # Configuration subroutine to validate and canonicalize a configuration type.
 # Supply the specified configuration type as an argument.
@@ -117,7 +118,7 @@ esac
 # Here we must recognize all the valid KERNEL-OS combinations.
 maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
 case $maybe_os in
-  nto-qnx* | linux-gnu* | storm-chaos* | os2-emx*)
+  nto-qnx* | linux-gnu* | freebsd*-gnu* | storm-chaos* | os2-emx* | windows32-* | rtmk-nova*)
    os=-$maybe_os
    basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
    ;;
@@ -157,6 +158,14 @@ case $os in
                os=-vxworks
                basic_machine=$1
                ;;
+        -chorusos*)
+                os=-chorusos
+                basic_machine=$1
+                ;;
+        -chorusrdb)
+                os=-chorusrdb
+                basic_machine=$1
+                ;;
        -hiux*)
                os=-hiuxwe2
                ;;
@@ -215,26 +224,44 @@ esac
 case $basic_machine in
        # Recognize the basic CPU types without company name.
        # Some are omitted here because they have special meanings below.
-        tahoe | i860 | ia64 | m32r | m68k | m68000 | m88k | ns32k | arc \
+        1750a | 580 \
-                | arm | arme[lb] | arm[bl]e | armv[2345] | armv[345][lb] | strongarm | xscale \
+        | a29k \
-                | pyramid | mn10200 | mn10300 | tron | a29k \
+        | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
-                | 580 | i960 | h8300 \
+        | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
-                | x86 | ppcbe | mipsbe | mipsle | shbe | shle \
+        | arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr \
-                | hppa | hppa1.0 | hppa1.1 | hppa2.0 | hppa2.0w | hppa2.0n \
+        | c4x | clipper \
-                | hppa64 \
+        | d10v | d30v | dlx | dsp16xx \
-                | alpha | alphaev[4-8] | alphaev56 | alphapca5[67] \
+        | fr30 | frv \
-                | alphaev6[78] \
+        | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
-                | we32k | ns16k | clipper | i370 | sh | sh[34] \
+        | i370 | i860 | i960 | ia64 \
-                | powerpc | powerpcle \
+        | ip2k \
-                | 1750a | dsp16xx | pdp10 | pdp11 \
+        | m32r | m68000 | m68k | m88k | mcore \
-                | mips16 | mips64 | mipsel | mips64el \
+        | mips | mipsbe | mipseb | mipsel | mipsle \
-                | mips64orion | mips64orionel | mipstx39 | mipstx39el \
+        | mips16 \
-                | mips64vr4300 | mips64vr4300el | mips64vr4100 | mips64vr4100el \
+        | mips64 | mips64el \
-                | mips64vr5000 | miprs64vr5000el | mcore | s390 | s390x \
+        | mips64orion | mips64orionel \
-                | sparc | sparclet | sparclite | sparc64 | sparcv9 | sparcv9b \
+        | mips64vr4100 | mips64vr4100el \
-                | v850 | c4x \
+        | mips64vr4300 | mips64vr4300el \
-                | thumb | d10v | d30v | fr30 | avr | openrisc | tic80 \
+        | mips64vr5000 | mips64vr5000el \
-                | pj | pjl | h8500)
+        | mipsisa32 | mipsisa32el \
+        | mipsisa64 | mipsisa64el \
+        | mipsisa64sb1 | mipsisa64sb1el \
+        | mipstx39 | mipstx39el \
+        | mn10200 | mn10300 \
+        | ns16k | ns32k \
+        | openrisc | or32 \
+        | pdp10 | pdp11 | pj | pjl \
+        | powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
+        | pyramid \
+        | sh | sh[1234] | sh3e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \
+        | sh64 | sh64le \
+        | sparc | sparc64 | sparc86x | sparclet | sparclite | sparcv9 | sparcv9b \
+        | strongarm \
+        | tahoe | thumb | tic80 | tron \
+        | v850 | v850e \
+        | we32k \
+        | x86 | xscale | xstormy16 | xtensa \
+        | z8k)
                basic_machine=$basic_machine-unknown
                ;;
        m6811 | m68hc11 | m6812 | m68hc12)
@@ -242,7 +269,7 @@ case $basic_machine in
                basic_machine=$basic_machine-unknown
                os=-none
                ;;
-        m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | z8k | v70 | w65)
+        m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k)
                ;;
        # We use `pc' rather than `unknown'
@@ -257,31 +284,54 @@ case $basic_machine in
                exit 1
                ;;
        # Recognize the basic CPU types with company name.
-        # FIXME: clean up the formatting here.
+        580-* \
-        vax-* | tahoe-* | i*86-* | i860-* | ia64-* | m32r-* | m68k-* | m68000-* \
+        | a29k-* \
-              | m88k-* | sparc-* | ns32k-* | fx80-* | arc-* | c[123]* \
+        | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
-              | arm-*  | armbe-* | armle-* | armv*-* | strongarm-* | xscale-* \
+        | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
-              | mips-* | pyramid-* | tron-* | a29k-* | romp-* | rs6000-* \
+        | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
-              | power-* | none-* | 580-* | cray2-* | h8300-* | h8500-* | i960-* \
+        | arm-*  | armbe-* | armle-* | armeb-* | armv*-* \
-              | xmp-* | ymp-* \
+        | avr-* \
-              | x86-* | ppcbe-* | mipsbe-* | mipsle-* | shbe-* | shle-* \
+        | bs2000-* \
-              | hppa-* | hppa1.0-* | hppa1.1-* | hppa2.0-* | hppa2.0w-* \
+        | c[123]* | c30-* | [cjt]90-* | c54x-* \
-              | hppa2.0n-* | hppa64-* \
+        | clipper-* | cydra-* \
-              | alpha-* | alphaev[4-8]-* | alphaev56-* | alphapca5[67]-* \
+        | d10v-* | d30v-* | dlx-* \
-              | alphaev6[78]-* \
+        | elxsi-* \
-              | we32k-* | cydra-* | ns16k-* | pn-* | np1-* | xps100-* \
+        | f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \
-              | clipper-* | orion-* \
+        | h8300-* | h8500-* \
-              | sparclite-* | pdp10-* | pdp11-* | sh-* | powerpc-* | powerpcle-* \
+        | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
-              | sparc64-* | sparcv9-* | sparcv9b-* | sparc86x-* \
+        | i*86-* | i860-* | i960-* | ia64-* \
-              | mips16-* | mips64-* | mipsel-* \
+        | ip2k-* \
-              | mips64el-* | mips64orion-* | mips64orionel-* \
+        | m32r-* \
-              | mips64vr4100-* | mips64vr4100el-* | mips64vr4300-* | mips64vr4300el-* \
+        | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
-              | mipstx39-* | mipstx39el-* | mcore-* \
+        | m88110-* | m88k-* | mcore-* \
-              | f30[01]-* | f700-* | s390-* | s390x-* | sv1-* | t3e-* \
+        | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
-              | [cjt]90-* \
+        | mips16-* \
-              | m88110-* | m680[01234]0-* | m683?2-* | m68360-* | z8k-* | d10v-* \
+        | mips64-* | mips64el-* \
-              | thumb-* | v850-* | d30v-* | tic30-* | tic80-* | c30-* | fr30-* \
+        | mips64orion-* | mips64orionel-* \
-              | bs2000-* | tic54x-* | c54x-* | x86_64-* | pj-* | pjl-*)
+        | mips64vr4100-* | mips64vr4100el-* \
+        | mips64vr4300-* | mips64vr4300el-* \
+        | mips64vr5000-* | mips64vr5000el-* \
+        | mipsisa32-* | mipsisa32el-* \
+        | mipsisa64-* | mipsisa64el-* \
+        | mipsisa64sb1-* | mipsisa64sb1el-* \
+        | mipstx39 | mipstx39el \
+        | none-* | np1-* | ns16k-* | ns32k-* \
+        | orion-* \
+        | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
+        | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
+        | pyramid-* \
+        | romp-* | rs6000-* \
+        | sh-* | sh[1234]-* | sh3e-* | sh[34]eb-* | shbe-* \
+        | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
+        | sparc-* | sparc64-* | sparc86x-* | sparclet-* | sparclite-* \
+        | sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \
+        | tahoe-* | thumb-* | tic30-* | tic54x-* | tic80-* | tron-* \
+        | v850-* | v850e-* | vax-* \
+        | we32k-* \
+        | x86-* | x86_64-* | xps100-* | xscale-* | xstormy16-* \
+        | xtensa-* \
+        | ymp-* \
+        | z8k-*)
                ;;
        # Recognize the various machine names and aliases which stand
        # for a CPU type and a company and sometimes even an OS.
@@ -344,6 +394,10 @@ case $basic_machine in
                basic_machine=ns32k-sequent
                os=-dynix
                ;;
+        c90)
+                basic_machine=c90-cray
+                os=-unicos
+                ;;
        convex-c1)
                basic_machine=c1-convex
                os=-bsd
@@ -364,16 +418,8 @@ case $basic_machine in
                basic_machine=c38-convex
                os=-bsd
                ;;
-        cray | ymp)
+        cray | j90)
-                basic_machine=ymp-cray
+                basic_machine=j90-cray
-                os=-unicos
-                ;;
-        cray2)
-                basic_machine=cray2-cray
-                os=-unicos
-                ;;
-        [cjt]90)
-                basic_machine=${basic_machine}-cray
                os=-unicos
                ;;
        crds | unos)
@@ -388,6 +434,14 @@ case $basic_machine in
        decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn)
                basic_machine=mips-dec
                ;;
+        decsystem10* | dec10*)
+                basic_machine=pdp10-dec
+                os=-tops10
+                ;;
+        decsystem20* | dec20*)
+                basic_machine=pdp10-dec
+                os=-tops20
+                ;;
        delta | 3300 | motorola-3300 | motorola-delta \
              | 3300-motorola | delta-motorola)
                basic_machine=m68k-motorola
@@ -568,14 +622,6 @@ case $basic_machine in
                basic_machine=m68k-atari
                os=-mint
                ;;
-        mipsel*-linux*)
-                basic_machine=mipsel-unknown
-                os=-linux-gnu
-                ;;
-        mips*-linux*)
-                basic_machine=mips-unknown
-                os=-linux-gnu
-                ;;
        mips3*-*)
                basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`
                ;;
@@ -590,6 +636,10 @@ case $basic_machine in
                basic_machine=m68k-rom68k
                os=-coff
                ;;
+        morphos)
+                basic_machine=powerpc-unknown
+                os=-morphos
+                ;;
        msdos)
                basic_machine=i386-pc
                os=-msdos
@@ -669,6 +719,10 @@ case $basic_machine in
                basic_machine=hppa1.1-oki
                os=-proelf
                ;;
+        or32 | or32-*)
+                basic_machine=or32-unknown
+                os=-coff
+                ;;
        OSE68000 | ose68000)
                basic_machine=m68000-ericsson
                os=-ose
@@ -694,7 +748,7 @@ case $basic_machine in
        pc532 | pc532-*)
                basic_machine=ns32k-pc532
                ;;
-        pentium | p5 | k5 | k6 | nexgen)
+        pentium | p5 | k5 | k6 | nexgen | viac3)
                basic_machine=i586-pc
                ;;
        pentiumpro | p6 | 6x86 | athlon)
@@ -703,7 +757,7 @@ case $basic_machine in
        pentiumii | pentium2)
                basic_machine=i686-pc
                ;;
-        pentium-* | p5-* | k5-* | k6-* | nexgen-*)
+        pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*)
                basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'`
                ;;
        pentiumpro-* | p6-* | 6x86-* | athlon-*)
@@ -727,6 +781,16 @@ case $basic_machine in
        ppcle-* | powerpclittle-*)
                basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'`
                ;;
+        ppc64)  basic_machine=powerpc64-unknown
+                ;;
+        ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'`
+                ;;
+        ppc64le | powerpc64little | ppc64-le | powerpc64-little)
+                basic_machine=powerpc64le-unknown
+                ;;
+        ppc64le-* | powerpc64little-*)
+                basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'`
+                ;;
        ps2)
                basic_machine=i386-ibm
                ;;
@@ -744,6 +808,12 @@ case $basic_machine in
        rtpc | rtpc-*)
                basic_machine=romp-ibm
                ;;
+        s390 | s390-*)
+                basic_machine=s390-ibm
+                ;;
+        s390x | s390x-*)
+                basic_machine=s390x-ibm
+                ;;
        sa29200)
                basic_machine=a29k-amd
                os=-udi
@@ -755,7 +825,7 @@ case $basic_machine in
                basic_machine=sh-hitachi
                os=-hms
                ;;
-        sparclite-wrs)
+        sparclite-wrs | simso-wrs)
                basic_machine=sparclite-wrs
                os=-vxworks
                ;;
@@ -813,7 +883,7 @@ case $basic_machine in
        sun386 | sun386i | roadrunner)
                basic_machine=i386-sun
                ;;
-        sv1)
+        sv1)
                basic_machine=sv1-cray
                os=-unicos
                ;;
@@ -821,8 +891,16 @@ case $basic_machine in
                basic_machine=i386-sequent
                os=-dynix
                ;;
+        t3d)
+                basic_machine=alpha-cray
+                os=-unicos
+                ;;
        t3e)
-                basic_machine=t3e-cray
+                basic_machine=alphaev5-cray
+                os=-unicos
+                ;;
+        t90)
+                basic_machine=t90-cray
                os=-unicos
                ;;
        tic54x | c54x*)
@@ -835,6 +913,10 @@ case $basic_machine in
        tx39el)
                basic_machine=mipstx39el-unknown
                ;;
+        toad1)
+                basic_machine=pdp10-xkl
+                os=-tops20
+                ;;
        tower | tower-32)
                basic_machine=m68k-ncr
                ;;
@@ -881,13 +963,17 @@ case $basic_machine in
                basic_machine=hppa1.1-winbond
                os=-proelf
                ;;
-        xmp)
+        windows32)
-                basic_machine=xmp-cray
+                basic_machine=i386-pc
-                os=-unicos
+                os=-windows32-msvcrt
                ;;
        xps | xps100)
                basic_machine=xps100-honeywell
                ;;
+        ymp)
+                basic_machine=ymp-cray
+                os=-unicos
+                ;;
        z8k-*-coff)
                basic_machine=z8k-unknown
                os=-sim
@@ -908,13 +994,6 @@ case $basic_machine in
        op60c)
                basic_machine=hppa1.1-oki
                ;;
-        mips)
-                if [ x$os = x-linux-gnu ]; then
-                        basic_machine=mips-unknown
-                else
-                        basic_machine=mips-mips
-                fi
-                ;;
        romp)
                basic_machine=romp-ibm
                ;;
@@ -934,9 +1013,12 @@ case $basic_machine in
        we32k)
                basic_machine=we32k-att
                ;;
-        sh3 | sh4)
+        sh3 | sh4 | sh3eb | sh4eb | sh[1234]le | sh3ele)
                basic_machine=sh-unknown
                ;;
+        sh64)
+                basic_machine=sh64-unknown
+                ;;
        sparc | sparcv9 | sparcv9b)
                basic_machine=sparc-sun
                ;;
@@ -1018,11 +1100,14 @@ case $os in
              | -lynxos* | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
              | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
              | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
+              | -chorusos* | -chorusrdb* \
              | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
              | -mingw32* | -linux-gnu* | -uxpv* | -beos* | -mpeix* | -udk* \
              | -interix* | -uwin* | -rhapsody* | -darwin* | -opened* \
              | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
-              | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* | -os2*)
+              | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
+              | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
+              | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* | -powermax*)
        # Remember, each alternative MUST END IN *, to match a version number.
                ;;
        -qnx*)
@@ -1074,12 +1159,18 @@ case $os in
        -acis*)
                os=-aos
                ;;
+        -atheos*)
+                os=-atheos
+                ;;
        -386bsd)
                os=-bsd
                ;;
        -ctix* | -uts*)
                os=-sysv
                ;;
+        -nova*)
+                os=-rtmk-nova
+                ;;
        -ns2 )
                os=-nextstep2
                ;;
@@ -1154,6 +1245,7 @@ case $basic_machine in
        arm*-semi)
                os=-aout
                ;;
+        # This must come before the *-dec entry.
        pdp10-*)
                os=-tops20
                ;;
@@ -1184,6 +1276,9 @@ case $basic_machine in
        mips*-*)
                os=-elf
                ;;
+        or32-*)
+                os=-coff
+                ;;
        *-tti)  # must be before sparc entry or we get the wrong os.
                os=-sysv3
                ;;
@@ -1331,7 +1426,7 @@ case $basic_machine in
                        -ptx*)
                                vendor=sequent
                                ;;
-                        -vxsim* | -vxworks*)
+                        -vxsim* | -vxworks* | -windiss*)
                                vendor=wrs
                                ;;
                        -aux*)
@@ -1346,6 +1441,9 @@ case $basic_machine in
                        -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
                                vendor=atari
                                ;;
+                        -vos*)
+                                vendor=stratus
+                                ;;
                esac
                basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"`
                ;;
diff --git a/configure b/configure
index ad13a1610..565e9ee79 100755
--- a/configure
+++ b/configure
@@ -862,7 +862,7 @@ Optional Packages:
  --with-kerberos5=PATH   Enable Kerberos 5 support
  --with-kerberos4=PATH   Enable Kerberos 4 support
  --with-afs=PATH         Enable AFS support
-  --with-privsep-path=xxx Path for privilege separation chroot
+  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
  --with-xauth=PATH       Specify path to xauth program
  --with-mantype=man|cat|doc  Set man page type
  --with-md5-passwords    Enable use of MD5 passwords
@@ -2760,52 +2760,6 @@ echo "${ECHO_T}no" >&6
 fi
-for ac_prog in filepriv
-do
-  # Extract the first word of "$ac_prog", so it can be a program name with args.
-set dummy $ac_prog; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_path_FILEPRIV+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  case $FILEPRIV in
-  [\\/]* | ?:[\\/]*)
-  ac_cv_path_FILEPRIV="$FILEPRIV" # Let the user override the test with a path.
-  ;;
-  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-as_dummy="/sbin:/usr/sbin"
-for as_dir in $as_dummy
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-    ac_cv_path_FILEPRIV="$as_dir/$ac_word$ac_exec_ext"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
-  fi
-done
-done
-  ;;
-esac
-fi
-FILEPRIV=$ac_cv_path_FILEPRIV
-if test -n "$FILEPRIV"; then
-  echo "$as_me:$LINENO: result: $FILEPRIV" >&5
-echo "${ECHO_T}$FILEPRIV" >&6
-else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-  test -n "$FILEPRIV" && break
-done
-test -n "$FILEPRIV" || FILEPRIV="true"
 # Extract the first word of "bash", so it can be a program name with args.
 set dummy bash; ac_word=$2
 echo "$as_me:$LINENO: checking for $ac_word" >&5
@@ -3622,6 +3576,72 @@ if test $ac_cv_func_authenticate = yes; then
 #define WITH_AIXAUTHENTICATE 1
 _ACEOF
+else
+  echo "$as_me:$LINENO: checking for authenticate in -ls" >&5
+echo $ECHO_N "checking for authenticate in -ls... $ECHO_C" >&6
+if test "${ac_cv_lib_s_authenticate+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-ls  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#line $LINENO "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char authenticate ();
+#ifdef F77_DUMMY_MAIN
+#  ifdef __cplusplus
+     extern "C"
+#  endif
+   int F77_DUMMY_MAIN() { return 1; }
+#endif
+int
+main ()
+{
+authenticate ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_lib_s_authenticate=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_s_authenticate=no
+fi
+rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_s_authenticate" >&5
+echo "${ECHO_T}$ac_cv_lib_s_authenticate" >&6
+if test $ac_cv_lib_s_authenticate = yes; then
+   cat >>confdefs.h <<\_ACEOF
+#define WITH_AIXAUTHENTICATE 1
+_ACEOF
+                                LIBS="$LIBS -ls"
+fi
 fi
        cat >>confdefs.h <<\_ACEOF
@@ -3668,7 +3688,11 @@ _ACEOF
 _ACEOF
        cat >>confdefs.h <<\_ACEOF
-#define BROKEN_FD_PASSING 1
+#define NO_IPPORT_RESERVED_CONCEPT 1
+_ACEOF
+        cat >>confdefs.h <<\_ACEOF
+#define DISABLE_FD_PASSING 1
 _ACEOF
        cat >>confdefs.h <<\_ACEOF
@@ -3683,10 +3707,49 @@ _ACEOF
        ;;
 *-*-darwin*)
+        echo "$as_me:$LINENO: checking if we have working getaddrinfo" >&5
+echo $ECHO_N "checking if we have working getaddrinfo... $ECHO_C" >&6
+        if test "$cross_compiling" = yes; then
+  echo "$as_me:$LINENO: result: assume it is working" >&5
+echo "${ECHO_T}assume it is working" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line $LINENO "configure"
+#include "confdefs.h"
+#include <mach-o/dyld.h>
+main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
+                exit(0);
+        else
+                exit(1);
+}
+_ACEOF
+rm -f conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  echo "$as_me:$LINENO: result: working" >&5
+echo "${ECHO_T}working" >&6
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+( exit $ac_status )
+echo "$as_me:$LINENO: result: buggy" >&5
+echo "${ECHO_T}buggy" >&6
        cat >>confdefs.h <<\_ACEOF
 #define BROKEN_GETADDRINFO 1
 _ACEOF
+fi
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+fi
        ;;
 *-*-hpux10.26)
        if test -z "$GCC"; then
@@ -3722,7 +3785,76 @@ _ACEOF
 #define SPT_TYPE SPT_PSTAT
 _ACEOF
-        LIBS="$LIBS -lxnet -lsec -lsecpw"
+        LIBS="$LIBS -lsec -lsecpw"
+echo "$as_me:$LINENO: checking for t_error in -lxnet" >&5
+echo $ECHO_N "checking for t_error in -lxnet... $ECHO_C" >&6
+if test "${ac_cv_lib_xnet_t_error+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lxnet  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#line $LINENO "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char t_error ();
+#ifdef F77_DUMMY_MAIN
+#  ifdef __cplusplus
+     extern "C"
+#  endif
+   int F77_DUMMY_MAIN() { return 1; }
+#endif
+int
+main ()
+{
+t_error ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_lib_xnet_t_error=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_xnet_t_error=no
+fi
+rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_xnet_t_error" >&5
+echo "${ECHO_T}$ac_cv_lib_xnet_t_error" >&6
+if test $ac_cv_lib_xnet_t_error = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBXNET 1
+_ACEOF
+  LIBS="-lxnet $LIBS"
+else
+  { { echo "$as_me:$LINENO: error: *** -lxnet needed on HP-UX - check config.log ***" >&5
+echo "$as_me: error: *** -lxnet needed on HP-UX - check config.log ***" >&2;}
+   { (exit 1); exit 1; }; }
+fi
        disable_ptmx_check=yes
        ;;
 *-*-hpux10*)
@@ -3755,7 +3887,76 @@ _ACEOF
 #define SPT_TYPE SPT_PSTAT
 _ACEOF
-        LIBS="$LIBS -lxnet -lsec"
+        LIBS="$LIBS -lsec"
+echo "$as_me:$LINENO: checking for t_error in -lxnet" >&5
+echo $ECHO_N "checking for t_error in -lxnet... $ECHO_C" >&6
+if test "${ac_cv_lib_xnet_t_error+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lxnet  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#line $LINENO "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char t_error ();
+#ifdef F77_DUMMY_MAIN
+#  ifdef __cplusplus
+     extern "C"
+#  endif
+   int F77_DUMMY_MAIN() { return 1; }
+#endif
+int
+main ()
+{
+t_error ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_lib_xnet_t_error=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_xnet_t_error=no
+fi
+rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_xnet_t_error" >&5
+echo "${ECHO_T}$ac_cv_lib_xnet_t_error" >&6
+if test $ac_cv_lib_xnet_t_error = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBXNET 1
+_ACEOF
+  LIBS="-lxnet $LIBS"
+else
+  { { echo "$as_me:$LINENO: error: *** -lxnet needed on HP-UX - check config.log ***" >&5
+echo "$as_me: error: *** -lxnet needed on HP-UX - check config.log ***" >&2;}
+   { (exit 1); exit 1; }; }
+fi
        ;;
 *-*-hpux11*)
        CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
@@ -3788,7 +3989,76 @@ _ACEOF
 #define SPT_TYPE SPT_PSTAT
 _ACEOF
-        LIBS="$LIBS -lxnet -lsec"
+        LIBS="$LIBS -lsec"
+echo "$as_me:$LINENO: checking for t_error in -lxnet" >&5
+echo $ECHO_N "checking for t_error in -lxnet... $ECHO_C" >&6
+if test "${ac_cv_lib_xnet_t_error+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lxnet  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#line $LINENO "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char t_error ();
+#ifdef F77_DUMMY_MAIN
+#  ifdef __cplusplus
+     extern "C"
+#  endif
+   int F77_DUMMY_MAIN() { return 1; }
+#endif
+int
+main ()
+{
+t_error ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_lib_xnet_t_error=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_xnet_t_error=no
+fi
+rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_xnet_t_error" >&5
+echo "${ECHO_T}$ac_cv_lib_xnet_t_error" >&6
+if test $ac_cv_lib_xnet_t_error = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBXNET 1
+_ACEOF
+  LIBS="-lxnet $LIBS"
+else
+  { { echo "$as_me:$LINENO: error: *** -lxnet needed on HP-UX - check config.log ***" >&5
+echo "$as_me: error: *** -lxnet needed on HP-UX - check config.log ***" >&2;}
+   { (exit 1); exit 1; }; }
+fi
        ;;
 *-*-irix5*)
        CPPFLAGS="$CPPFLAGS -I/usr/local/include"
@@ -3920,6 +4190,7 @@ _ACEOF
        SONY=1
        ;;
 *-*-netbsd*)
+        check_for_libcrypt_before=1
        need_dash_r=1
        ;;
 *-*-freebsd*)
@@ -4250,7 +4521,7 @@ _ACEOF
 _ACEOF
        cat >>confdefs.h <<\_ACEOF
-#define BROKEN_FD_PASSING 1
+#define DISABLE_FD_PASSING 1
 _ACEOF
@@ -4332,6 +4603,21 @@ done
        MANTYPE=man
        ;;
+*-*-unicosmk*)
+        no_libsocket=1
+        no_libnsl=1
+        cat >>confdefs.h <<\_ACEOF
+#define USE_PIPES 1
+_ACEOF
+        cat >>confdefs.h <<\_ACEOF
+#define DISABLE_FD_PASSING 1
+_ACEOF
+        LDFLAGS="$LDFLAGS"
+        LIBS="$LIBS -lgen -lrsc -lshare -luex -lacm"
+        MANTYPE=cat
+        ;;
 *-*-unicos*)
        no_libsocket=1
        no_libnsl=1
@@ -4340,11 +4626,16 @@ done
 _ACEOF
        cat >>confdefs.h <<\_ACEOF
-#define BROKEN_FD_PASSING 1
+#define DISABLE_FD_PASSING 1
+_ACEOF
+        cat >>confdefs.h <<\_ACEOF
+#define NO_SSH_LASTLOG 1
 _ACEOF
-        LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal,-L/usr/local/lib"
+        LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal"
-        LIBS="$LIBS -lgen -lrsc"
+        LIBS="$LIBS -lgen -lrsc -lshare -luex -lacm"
+        MANTYPE=cat
        ;;
 *-dec-osf*)
        echo "$as_me:$LINENO: checking for Digital Unix SIA" >&5
@@ -4691,15 +4982,17 @@ done
 for ac_header in bstring.h crypt.h endian.h floatingpoint.h \
-        getopt.h glob.h lastlog.h limits.h login.h \
+        getopt.h glob.h ia.h lastlog.h limits.h login.h \
        login_cap.h maillock.h netdb.h netgroup.h \
        netinet/in_systm.h paths.h pty.h readpassphrase.h \
        rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \
        strings.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h \
        sys/mman.h sys/select.h sys/stat.h \
        sys/stropts.h sys/sysmacros.h sys/time.h \
-        sys/un.h time.h ttyent.h usersec.h \
+        sys/un.h time.h tmpdir.h ttyent.h usersec.h \
        util.h utime.h utmp.h utmpx.h
 do
 as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
@@ -5646,7 +5939,11 @@ fi
 echo "$as_me:$LINENO: result: $ac_cv_lib_c89_utimes" >&5
 echo "${ECHO_T}$ac_cv_lib_c89_utimes" >&6
 if test $ac_cv_lib_c89_utimes = yes; then
-  LIBS="$LIBS -lc89"
+  cat >>confdefs.h <<\_ACEOF
+#define HAVE_UTIMES 1
+_ACEOF
+                                        LIBS="$LIBS -lc89"
 fi
@@ -6176,7 +6473,7 @@ else
 #include <sys/types.h>
 #include <dirent.h>
-int main(void){struct dirent d;return(sizeof(d.d_name)<=sizeof(char));}
+int main(void){struct dirent d;exit(sizeof(d.d_name)<=sizeof(char));}
 _ACEOF
 rm -f conftest$ac_exeext
@@ -6244,7 +6541,7 @@ else
 #include <stdio.h>
 #include <skey.h>
-int main() { char *ff = skey_keyinfo(""); ff=""; return 0; }
+int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); }
 _ACEOF
 rm -f conftest$ac_exeext
@@ -6442,9 +6739,10 @@ fi;
 for ac_func in arc4random b64_ntop bcopy bindresvport_sa \
        clock fchmod fchown freeaddrinfo futimes gai_strerror \
-        getaddrinfo getcwd getgrouplist getnameinfo getopt \
+        getaddrinfo getcwd getgrouplist getnameinfo getopt getpeereid\
        getrlimit getrusage getttyent glob inet_aton inet_ntoa \
        inet_ntop innetgr login_getcapbool md5_crypt memmove \
        mkdtemp mmap ngetaddrinfo openpty ogetaddrinfo readpassphrase \
@@ -6528,63 +6826,6 @@ fi
 done
-if test $ac_cv_func_mmap = yes ; then
-echo "$as_me:$LINENO: checking for mmap anon shared" >&5
-echo $ECHO_N "checking for mmap anon shared... $ECHO_C" >&6
-if test "$cross_compiling" = yes; then
-  { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling" >&5
-echo "$as_me: error: cannot run test program while cross compiling" >&2;}
-   { (exit 1); exit 1; }; }
-else
-  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-#include "confdefs.h"
-#include <stdio.h>
-#include <sys/mman.h>
-#if !defined(MAP_ANON) && defined(MAP_ANONYMOUS)
-#define MAP_ANON MAP_ANONYMOUS
-#endif
-main() { char *p;
-p = (char *) mmap(NULL, 10, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED, -1, 0);
-if (p == (char *)-1)
-        exit(1);
-exit(0);
-}
-_ACEOF
-rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-                echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-                cat >>confdefs.h <<\_ACEOF
-#define HAVE_MMAP_ANON_SHARED 1
-_ACEOF
-else
-  echo "$as_me: program exited with status $ac_status" >&5
-echo "$as_me: failed program was:" >&5
-cat conftest.$ac_ext >&5
-( exit $ac_status )
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
-fi
-fi
 for ac_func in dirname
 do
@@ -7697,7 +7938,7 @@ else
 #include "confdefs.h"
 #include <stdio.h>
-int main(void){char b[5];snprintf(b,5,"123456789");return(b[4]!='\0');}
+int main(void){char b[5];snprintf(b,5,"123456789");exit(b[4]!='\0');}
 _ACEOF
 rm -f conftest$ac_exeext
@@ -8090,6 +8331,76 @@ fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
+# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
+# because the system crypt() is more featureful.
+if test "x$check_for_libcrypt_before" = "x1"; then
+echo "$as_me:$LINENO: checking for crypt in -lcrypt" >&5
+echo $ECHO_N "checking for crypt in -lcrypt... $ECHO_C" >&6
+if test "${ac_cv_lib_crypt_crypt+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lcrypt  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#line $LINENO "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char crypt ();
+#ifdef F77_DUMMY_MAIN
+#  ifdef __cplusplus
+     extern "C"
+#  endif
+   int F77_DUMMY_MAIN() { return 1; }
+#endif
+int
+main ()
+{
+crypt ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_lib_crypt_crypt=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_crypt_crypt=no
+fi
+rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_crypt_crypt" >&5
+echo "${ECHO_T}$ac_cv_lib_crypt_crypt" >&6
+if test $ac_cv_lib_crypt_crypt = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBCRYPT 1
+_ACEOF
+  LIBS="-lcrypt $LIBS"
+fi
+fi
 # Search for OpenSSL
 saved_CPPFLAGS="$CPPFLAGS"
 saved_LDFLAGS="$LDFLAGS"
@@ -8230,6 +8541,134 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
+# Determine OpenSSL header version
+echo "$as_me:$LINENO: checking OpenSSL header version" >&5
+echo $ECHO_N "checking OpenSSL header version... $ECHO_C" >&6
+if test "$cross_compiling" = yes; then
+  { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling" >&5
+echo "$as_me: error: cannot run test program while cross compiling" >&2;}
+   { (exit 1); exit 1; }; }
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line $LINENO "configure"
+#include "confdefs.h"
+#include <stdio.h>
+#include <string.h>
+#include <openssl/opensslv.h>
+#define DATA "conftest.sslincver"
+int main(void) {
+        FILE *fd;
+        int rc;
+        fd = fopen(DATA,"w");
+        if(fd == NULL)
+                exit(1);
+        if ((rc = fprintf(fd ,"%x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
+                exit(1);
+        exit(0);
+}
+_ACEOF
+rm -f conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+                ssl_header_ver=`cat conftest.sslincver`
+                echo "$as_me:$LINENO: result: $ssl_header_ver" >&5
+echo "${ECHO_T}$ssl_header_ver" >&6
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+( exit $ac_status )
+                echo "$as_me:$LINENO: result: not found" >&5
+echo "${ECHO_T}not found" >&6
+                { { echo "$as_me:$LINENO: error: OpenSSL version header not found." >&5
+echo "$as_me: error: OpenSSL version header not found." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+fi
+# Determine OpenSSL library version
+echo "$as_me:$LINENO: checking OpenSSL library version" >&5
+echo $ECHO_N "checking OpenSSL library version... $ECHO_C" >&6
+if test "$cross_compiling" = yes; then
+  { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling" >&5
+echo "$as_me: error: cannot run test program while cross compiling" >&2;}
+   { (exit 1); exit 1; }; }
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line $LINENO "configure"
+#include "confdefs.h"
+#include <stdio.h>
+#include <string.h>
+#include <openssl/opensslv.h>
+#include <openssl/crypto.h>
+#define DATA "conftest.ssllibver"
+int main(void) {
+        FILE *fd;
+        int rc;
+        fd = fopen(DATA,"w");
+        if(fd == NULL)
+                exit(1);
+        if ((rc = fprintf(fd ,"%x (%s)\n", SSLeay(), SSLeay_version(SSLEAY_VERSION))) <0)
+                exit(1);
+        exit(0);
+}
+_ACEOF
+rm -f conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+                ssl_library_ver=`cat conftest.ssllibver`
+                echo "$as_me:$LINENO: result: $ssl_library_ver" >&5
+echo "${ECHO_T}$ssl_library_ver" >&6
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+( exit $ac_status )
+                echo "$as_me:$LINENO: result: not found" >&5
+echo "${ECHO_T}not found" >&6
+                { { echo "$as_me:$LINENO: error: OpenSSL library not found." >&5
+echo "$as_me: error: OpenSSL library not found." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+fi
 # Sanity check OpenSSL headers
 echo "$as_me:$LINENO: checking whether OpenSSL's headers match the library" >&5
@@ -8245,7 +8684,7 @@ else
 #include <string.h>
 #include <openssl/opensslv.h>
-int main(void) { return(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); }
+int main(void) { exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); }
 _ACEOF
 rm -f conftest$ac_exeext
@@ -8361,7 +8800,7 @@ else
 #include <string.h>
 #include <openssl/rand.h>
-int main(void) { return(RAND_status() == 1 ? 0 : 1); }
+int main(void) { exit(RAND_status() == 1 ? 0 : 1); }
 _ACEOF
 rm -f conftest$ac_exeext
@@ -11321,7 +11760,16 @@ else
        cat >conftest.$ac_ext <<_ACEOF
 #line $LINENO "configure"
 #include "confdefs.h"
- #include <sys/types.h>
+#include <sys/types.h>
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#include <sys/socket.h>
+#ifdef HAVE_SYS_BITYPES_H
+# include <sys/bitypes.h>
+#endif
 #ifdef F77_DUMMY_MAIN
 #  ifdef __cplusplus
     extern "C"
@@ -11365,109 +11813,6 @@ if test "x$ac_cv_have_int64_t" = "xyes" ; then
 #define HAVE_INT64_T 1
 _ACEOF
-        have_int64_t=1
-fi
-if test -z "$have_int64_t" ; then
-    echo "$as_me:$LINENO: checking for int64_t type in sys/socket.h" >&5
-echo $ECHO_N "checking for int64_t type in sys/socket.h... $ECHO_C" >&6
-        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-#include "confdefs.h"
- #include <sys/socket.h>
-#ifdef F77_DUMMY_MAIN
-#  ifdef __cplusplus
-     extern "C"
-#  endif
-   int F77_DUMMY_MAIN() { return 1; }
-#endif
-int
-main ()
-{
- int64_t a; a = 1
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-                        cat >>confdefs.h <<\_ACEOF
-#define HAVE_INT64_T 1
-_ACEOF
-                        echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-else
-  echo "$as_me: failed program was:" >&5
-cat conftest.$ac_ext >&5
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-rm -f conftest.$ac_objext conftest.$ac_ext
-fi
-if test -z "$have_int64_t" ; then
-    echo "$as_me:$LINENO: checking for int64_t type in sys/bitypes.h" >&5
-echo $ECHO_N "checking for int64_t type in sys/bitypes.h... $ECHO_C" >&6
-        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-#include "confdefs.h"
- #include <sys/bitypes.h>
-#ifdef F77_DUMMY_MAIN
-#  ifdef __cplusplus
-     extern "C"
-#  endif
-   int F77_DUMMY_MAIN() { return 1; }
-#endif
-int
-main ()
-{
- int64_t a; a = 1
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-                        cat >>confdefs.h <<\_ACEOF
-#define HAVE_INT64_T 1
-_ACEOF
-                        echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-else
-  echo "$as_me: failed program was:" >&5
-cat conftest.$ac_ext >&5
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-rm -f conftest.$ac_objext conftest.$ac_ext
 fi
 echo "$as_me:$LINENO: checking for u_intXX_t types" >&5
@@ -15334,6 +15679,11 @@ if test "${with_xauth+set}" = set; then
 else
+                TestPath="$PATH"
+                TestPath="${TestPath}${PATH_SEPARATOR}/usr/X/bin"
+                TestPath="${TestPath}${PATH_SEPARATOR}/usr/bin/X11"
+                TestPath="${TestPath}${PATH_SEPARATOR}/usr/X11R6/bin"
+                TestPath="${TestPath}${PATH_SEPARATOR}/usr/openwin/bin"
                # Extract the first word of "xauth", so it can be a program name with args.
 set dummy xauth; ac_word=$2
 echo "$as_me:$LINENO: checking for $ac_word" >&5
@@ -15347,7 +15697,7 @@ else
  ;;
  *)
  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH:/usr/X/bin:/usr/bin/X11:/usr/X11R6/bin:/usr/openwin/bin
+for as_dir in $TestPath
 do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
@@ -15482,6 +15832,7 @@ echo "$as_me: error: invalid man type: $withval" >&2;}
 fi;
 if test -z "$MANTYPE"; then
+        TestPath="/usr/bin${PATH_SEPARATOR}/usr/ucb"
        for ac_prog in nroff awf
 do
  # Extract the first word of "$ac_prog", so it can be a program name with args.
@@ -15497,8 +15848,7 @@ else
  ;;
  *)
  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-as_dummy="/usr/bin:/usr/ucb"
+for as_dir in $TestPath
-for as_dir in $as_dummy
 do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
@@ -16997,7 +17347,6 @@ s,@INSTALL_DATA@,$INSTALL_DATA,;t t
 s,@AR@,$AR,;t t
 s,@PERL@,$PERL,;t t
 s,@ENT@,$ENT,;t t
-s,@FILEPRIV@,$FILEPRIV,;t t
 s,@TEST_MINUS_S_SH@,$TEST_MINUS_S_SH,;t t
 s,@SH@,$SH,;t t
 s,@LOGIN_PROGRAM_FALLBACK@,$LOGIN_PROGRAM_FALLBACK,;t t
diff --git a/configure.ac b/configure.ac
index ad5d5cde9..5fe50e56b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.72 2002/06/25 22:35:16 tim Exp $
+# $Id: configure.ac,v 1.89 2002/09/26 00:38:47 tim Exp $
 AC_INIT
 AC_CONFIG_SRCDIR([ssh.c])
@@ -17,7 +17,6 @@ AC_PATH_PROGS(PERL, perl5 perl)
 AC_SUBST(PERL)
 AC_PATH_PROG(ENT, ent)
 AC_SUBST(ENT)
-AC_PATH_PROGS(FILEPRIV, filepriv, true, /sbin:/usr/sbin)
 AC_PATH_PROG(TEST_MINUS_S_SH, bash)
 AC_PATH_PROG(TEST_MINUS_S_SH, ksh)
 AC_PATH_PROG(TEST_MINUS_S_SH, sh)
@@ -71,7 +70,12 @@ case "$host" in
                )
                LDFLAGS="$saved_LDFLAGS"
        fi
-        AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE)])
+        AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE)],
+                [AC_CHECK_LIB(s,authenticate,
+                        [ AC_DEFINE(WITH_AIXAUTHENTICATE)
+                                LIBS="$LIBS -ls"
+                        ])
+                ])
        AC_DEFINE(BROKEN_GETADDRINFO)
        AC_DEFINE(BROKEN_REALPATH)
        dnl AIX handles lastlog as part of its login message
@@ -86,14 +90,24 @@ case "$host" in
        AC_DEFINE(IPV4_DEFAULT)
        AC_DEFINE(IP_TOS_IS_BROKEN)
        AC_DEFINE(NO_X11_UNIX_SOCKETS)
-        AC_DEFINE(BROKEN_FD_PASSING)
+        AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT)
+        AC_DEFINE(DISABLE_FD_PASSING)
        AC_DEFINE(SETGROUPS_NOOP)
        ;;
 *-*-dgux*)
        AC_DEFINE(IP_TOS_IS_BROKEN)
        ;;
 *-*-darwin*)
-        AC_DEFINE(BROKEN_GETADDRINFO)
+        AC_MSG_CHECKING(if we have working getaddrinfo)
+        AC_TRY_RUN([#include <mach-o/dyld.h>
+main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
+                exit(0);
+        else
+                exit(1);
+}], [AC_MSG_RESULT(working)],
+        [AC_MSG_RESULT(buggy)
+        AC_DEFINE(BROKEN_GETADDRINFO)],
+        [AC_MSG_RESULT(assume it is working)])
        ;;
 *-*-hpux10.26)
        if test -z "$GCC"; then
@@ -108,7 +122,8 @@ case "$host" in
        AC_DEFINE(DISABLE_SHADOW)
        AC_DEFINE(DISABLE_UTMP)
        AC_DEFINE(SPT_TYPE,SPT_PSTAT)
-        LIBS="$LIBS -lxnet -lsec -lsecpw"
+        LIBS="$LIBS -lsec -lsecpw"
+        AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
        disable_ptmx_check=yes
        ;;
 *-*-hpux10*)
@@ -123,7 +138,8 @@ case "$host" in
        AC_DEFINE(DISABLE_SHADOW)
        AC_DEFINE(DISABLE_UTMP)
        AC_DEFINE(SPT_TYPE,SPT_PSTAT)
-        LIBS="$LIBS -lxnet -lsec"
+        LIBS="$LIBS -lsec"
+        AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
        ;;
 *-*-hpux11*)
        CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
@@ -135,7 +151,8 @@ case "$host" in
        AC_DEFINE(DISABLE_SHADOW)
        AC_DEFINE(DISABLE_UTMP)
        AC_DEFINE(SPT_TYPE,SPT_PSTAT)
-        LIBS="$LIBS -lxnet -lsec"
+        LIBS="$LIBS -lsec"
+        AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
        ;;
 *-*-irix5*)
        CPPFLAGS="$CPPFLAGS -I/usr/local/include"
@@ -167,6 +184,7 @@ mips-sony-bsd|mips-sony-newsos4)
        SONY=1
        ;;
 *-*-netbsd*)
+        check_for_libcrypt_before=1
        need_dash_r=1
        ;;
 *-*-freebsd*)
@@ -267,17 +285,28 @@ mips-sony-bsd|mips-sony-newsos4)
        AC_DEFINE(USE_PIPES)
        AC_DEFINE(HAVE_SECUREWARE)
        AC_DEFINE(DISABLE_SHADOW)
-        AC_DEFINE(BROKEN_FD_PASSING)
+        AC_DEFINE(DISABLE_FD_PASSING)
        AC_CHECK_FUNCS(getluid setluid)
        MANTYPE=man
        ;;
+*-*-unicosmk*)
+        no_libsocket=1
+        no_libnsl=1
+        AC_DEFINE(USE_PIPES)
+        AC_DEFINE(DISABLE_FD_PASSING)
+        LDFLAGS="$LDFLAGS"
+        LIBS="$LIBS -lgen -lrsc -lshare -luex -lacm"
+        MANTYPE=cat
+        ;;
 *-*-unicos*)
        no_libsocket=1
        no_libnsl=1
        AC_DEFINE(USE_PIPES)
-        AC_DEFINE(BROKEN_FD_PASSING)
+        AC_DEFINE(DISABLE_FD_PASSING)
-        LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal,-L/usr/local/lib"
+        AC_DEFINE(NO_SSH_LASTLOG)
-        LIBS="$LIBS -lgen -lrsc"
+        LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal"
+        LIBS="$LIBS -lgen -lrsc -lshare -luex -lacm"
+        MANTYPE=cat
        ;;
 *-dec-osf*)
        AC_MSG_CHECKING(for Digital Unix SIA)
@@ -348,14 +377,14 @@ AC_ARG_WITH(libs,
 # Checks for header files.
 AC_CHECK_HEADERS(bstring.h crypt.h endian.h floatingpoint.h \
-        getopt.h glob.h lastlog.h limits.h login.h \
+        getopt.h glob.h ia.h lastlog.h limits.h login.h \
        login_cap.h maillock.h netdb.h netgroup.h \
        netinet/in_systm.h paths.h pty.h readpassphrase.h \
        rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \
        strings.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h \
        sys/mman.h sys/select.h sys/stat.h \
        sys/stropts.h sys/sysmacros.h sys/time.h \
-        sys/un.h time.h ttyent.h usersec.h \
+        sys/un.h time.h tmpdir.h ttyent.h usersec.h \
        util.h utime.h utmp.h utmpx.h)
 # Checks for libraries.
@@ -419,7 +448,8 @@ AC_CHECK_FUNC(strcasecmp,
        [], [ AC_CHECK_LIB(resolv, strcasecmp, LIBS="$LIBS -lresolv") ]
 )
 AC_CHECK_FUNC(utimes, 
-        [], [ AC_CHECK_LIB(c89, utimes, LIBS="$LIBS -lc89") ]
+        [], [ AC_CHECK_LIB(c89, utimes, [AC_DEFINE(HAVE_UTIMES)
+                                        LIBS="$LIBS -lc89"]) ]
 )
 dnl    Checks for libutil functions
@@ -468,7 +498,7 @@ AC_TRY_RUN(
        [
 #include <sys/types.h>
 #include <dirent.h>
-int main(void){struct dirent d;return(sizeof(d.d_name)<=sizeof(char));}
+int main(void){struct dirent d;exit(sizeof(d.d_name)<=sizeof(char));}
        ],
        [AC_MSG_RESULT(yes)], 
        [
@@ -499,7 +529,7 @@ AC_ARG_WITH(skey,
                                [
 #include <stdio.h>
 #include <skey.h>
-int main() { char *ff = skey_keyinfo(""); ff=""; return 0; }
+int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); }
                                ],
                                [AC_MSG_RESULT(yes)],
                                [
@@ -567,7 +597,7 @@ AC_ARG_WITH(tcp-wrappers,
 dnl    Checks for library functions.
 AC_CHECK_FUNCS(arc4random b64_ntop bcopy bindresvport_sa \
        clock fchmod fchown freeaddrinfo futimes gai_strerror \
-        getaddrinfo getcwd getgrouplist getnameinfo getopt \
+        getaddrinfo getcwd getgrouplist getnameinfo getopt getpeereid\
        getrlimit getrusage getttyent glob inet_aton inet_ntoa \
        inet_ntop innetgr login_getcapbool md5_crypt memmove \
        mkdtemp mmap ngetaddrinfo openpty ogetaddrinfo readpassphrase \
@@ -577,30 +607,6 @@ AC_CHECK_FUNCS(arc4random b64_ntop bcopy bindresvport_sa \
        socketpair strerror strlcat strlcpy strmode strsep sysconf tcgetpgrp \
        truncate utimes vhangup vsnprintf waitpid __b64_ntop _getpty)
-if test $ac_cv_func_mmap = yes ; then
-AC_MSG_CHECKING([for mmap anon shared])
-AC_TRY_RUN(
-        [
-#include <stdio.h>
-#include <sys/mman.h>
-#if !defined(MAP_ANON) && defined(MAP_ANONYMOUS)
-#define MAP_ANON MAP_ANONYMOUS
-#endif
-main() { char *p;
-p = (char *) mmap(NULL, 10, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED, -1, 0);
-if (p == (char *)-1)
-        exit(1);
-exit(0);
-}
-        ],
-        [
-                AC_MSG_RESULT(yes)
-                AC_DEFINE(HAVE_MMAP_ANON_SHARED)
-        ],
-        [ AC_MSG_RESULT(no) ] 
-)
-fi
 dnl IRIX and Solaris 2.5.1 have dirname() in libgen
 AC_CHECK_FUNCS(dirname, [AC_CHECK_HEADERS(libgen.h)] ,[
        AC_CHECK_LIB(gen, dirname,[
@@ -663,7 +669,7 @@ if test "x$ac_cv_func_snprintf" = "xyes" ; then
        AC_TRY_RUN(
                [
 #include <stdio.h>
-int main(void){char b[5];snprintf(b,5,"123456789");return(b[4]!='\0');}
+int main(void){char b[5];snprintf(b,5,"123456789");exit(b[4]!='\0');}
                ],
                [AC_MSG_RESULT(yes)], 
                [
@@ -723,6 +729,12 @@ if test "x$PAM_MSG" = "xyes" ; then
        )
 fi
+# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
+# because the system crypt() is more featureful.
+if test "x$check_for_libcrypt_before" = "x1"; then
+        AC_CHECK_LIB(crypt, crypt)
+fi
 # Search for OpenSSL
 saved_CPPFLAGS="$CPPFLAGS"
 saved_LDFLAGS="$LDFLAGS"
@@ -769,6 +781,70 @@ AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL),
        ]
 )
+# Determine OpenSSL header version
+AC_MSG_CHECKING([OpenSSL header version])
+AC_TRY_RUN(
+        [
+#include <stdio.h>
+#include <string.h>
+#include <openssl/opensslv.h>
+#define DATA "conftest.sslincver"
+int main(void) {
+        FILE *fd;
+        int rc;
+        fd = fopen(DATA,"w");
+        if(fd == NULL)
+                exit(1);
+        if ((rc = fprintf(fd ,"%x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
+                exit(1);
+        exit(0);
+}
+        ],
+        [
+                ssl_header_ver=`cat conftest.sslincver`
+                AC_MSG_RESULT($ssl_header_ver)
+        ],
+        [
+                AC_MSG_RESULT(not found)
+                AC_MSG_ERROR(OpenSSL version header not found.)
+        ]
+)
+# Determine OpenSSL library version
+AC_MSG_CHECKING([OpenSSL library version])
+AC_TRY_RUN(
+        [
+#include <stdio.h>
+#include <string.h>
+#include <openssl/opensslv.h>
+#include <openssl/crypto.h>
+#define DATA "conftest.ssllibver"
+int main(void) {
+        FILE *fd;
+        int rc;
+        fd = fopen(DATA,"w");
+        if(fd == NULL)
+                exit(1);
+        if ((rc = fprintf(fd ,"%x (%s)\n", SSLeay(), SSLeay_version(SSLEAY_VERSION))) <0)
+                exit(1);
+        exit(0);
+}
+        ],
+        [
+                ssl_library_ver=`cat conftest.ssllibver`
+                AC_MSG_RESULT($ssl_library_ver)
+        ],
+        [
+                AC_MSG_RESULT(not found)
+                AC_MSG_ERROR(OpenSSL library not found.)
+        ]
+)
 # Sanity check OpenSSL headers
 AC_MSG_CHECKING([whether OpenSSL's headers match the library])
@@ -776,7 +852,7 @@ AC_TRY_RUN(
        [
 #include <string.h>
 #include <openssl/opensslv.h>
-int main(void) { return(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); }
+int main(void) { exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); }
        ],
        [
                AC_MSG_RESULT(yes)
@@ -802,7 +878,7 @@ AC_TRY_RUN(
        [
 #include <string.h>
 #include <openssl/rand.h>
-int main(void) { return(RAND_status() == 1 ? 0 : 1); }
+int main(void) { exit(RAND_status() == 1 ? 0 : 1); }
        ],
        [
                OPENSSL_SEEDS_ITSELF=yes
@@ -1056,7 +1132,16 @@ fi
 AC_CACHE_CHECK([for int64_t type], ac_cv_have_int64_t, [
        AC_TRY_COMPILE(
-                [ #include <sys/types.h> ], 
+                [
+#include <sys/types.h>
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#include <sys/socket.h>
+#ifdef HAVE_SYS_BITYPES_H
+# include <sys/bitypes.h>
+#endif
+                ], 
                [ int64_t a; a = 1;], 
                [ ac_cv_have_int64_t="yes" ],
                [ ac_cv_have_int64_t="no" ]
@@ -1064,33 +1149,6 @@ AC_CACHE_CHECK([for int64_t type], ac_cv_have_int64_t, [
 ])
 if test "x$ac_cv_have_int64_t" = "xyes" ; then
        AC_DEFINE(HAVE_INT64_T)
-        have_int64_t=1
-fi
-        
-if test -z "$have_int64_t" ; then
-    AC_MSG_CHECKING([for int64_t type in sys/socket.h])
-        AC_TRY_COMPILE(
-                [ #include <sys/socket.h> ], 
-                [ int64_t a; a = 1],
-                [
-                        AC_DEFINE(HAVE_INT64_T)
-                        AC_MSG_RESULT(yes)
-                ],
-                [ AC_MSG_RESULT(no) ]
-        )
-fi
-if test -z "$have_int64_t" ; then
-    AC_MSG_CHECKING([for int64_t type in sys/bitypes.h])
-        AC_TRY_COMPILE(
-                [ #include <sys/bitypes.h> ], 
-                [ int64_t a; a = 1],
-                [
-                        AC_DEFINE(HAVE_INT64_T)
-                        AC_MSG_RESULT(yes)
-                ],
-                [ AC_MSG_RESULT(no) ]
-        )
 fi
 AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [
@@ -1819,7 +1877,7 @@ LIBS="$LIBS $KLIBS $K5LIBS"
 PRIVSEP_PATH=/var/empty
 AC_ARG_WITH(privsep-path,
-        [  --with-privsep-path=xxx Path for privilege separation chroot ],
+        [  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
        [
                if test "x$withval" != "$no" ; then
                        PRIVSEP_PATH=$withval
@@ -1836,7 +1894,12 @@ AC_ARG_WITH(xauth,
                fi
        ],
        [
-                AC_PATH_PROG(xauth_path, xauth,,$PATH:/usr/X/bin:/usr/bin/X11:/usr/X11R6/bin:/usr/openwin/bin)
+                TestPath="$PATH"
+                TestPath="${TestPath}${PATH_SEPARATOR}/usr/X/bin"
+                TestPath="${TestPath}${PATH_SEPARATOR}/usr/bin/X11"
+                TestPath="${TestPath}${PATH_SEPARATOR}/usr/X11R6/bin"
+                TestPath="${TestPath}${PATH_SEPARATOR}/usr/openwin/bin"
+                AC_PATH_PROG(xauth_path, xauth, , $TestPath)
                if (test ! -z "$xauth_path" && test -x "/usr/openwin/bin/xauth") ; then
                        xauth_path="/usr/openwin/bin/xauth"
                fi
@@ -1890,7 +1953,8 @@ AC_ARG_WITH(mantype,
        ]
 )
 if test -z "$MANTYPE"; then
-        AC_PATH_PROGS(NROFF, nroff awf, /bin/false, /usr/bin:/usr/ucb)
+        TestPath="/usr/bin${PATH_SEPARATOR}/usr/ucb"
+        AC_PATH_PROGS(NROFF, nroff awf, /bin/false, $TestPath)
        if ${NROFF} -mdoc ${srcdir}/ssh.1 >/dev/null 2>&1; then
                MANTYPE=doc
        elif ${NROFF} -man ${srcdir}/ssh.1 >/dev/null 2>&1; then
diff --git a/contrib/Makefile b/contrib/Makefile
new file mode 100644
index 000000000..2cef46f6c
--- /dev/null
+++ b/contrib/Makefile
@@ -0,0 +1,15 @@
+all:
+        @echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2"
+gnome-ssh-askpass1: gnome-ssh-askpass1.c
+        $(CC) `gnome-config --cflags gnome gnomeui` \
+                gnome-ssh-askpass1.c -o gnome-ssh-askpass1 \
+                `gnome-config --libs gnome gnomeui`
+gnome-ssh-askpass2: gnome-ssh-askpass2.c
+        $(CC) `pkg-config --cflags gtk+-2.0` \
+                gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
+                `pkg-config --libs gtk+-2.0`
+clean:
+        rm -f *.o gnome-ssh-askpass1 gnome-ssh-askpass2 gnome-ssh-askpass
diff --git a/contrib/README b/contrib/README
index 648bb2f3a..67dbbd277 100644
--- a/contrib/README
+++ b/contrib/README
@@ -1,30 +1,39 @@
 Other patches and addons for OpenSSH. Please send submissions to 
-djm@ibs.com.au
+djm@mindrot.org
-Elsewhere
+Externally maintained
---------
+---------------------
-http://www.imasy.or.jp/~gotoh/connect.c is a Unix and Windows 
+SSH Proxy Command -- connect.c
-ProxyCommand which allows OpenSSH to make connections through a SOCKS5
-or http proxy which supports the CONNECT method (eg. Squid).
-In this directory
+Shun-ichi GOTO <gotoh@imasy.or.jp> has written a very useful ProxyCommand
-----------------
+which allows the use of outbound SSH from behind a SOCKS4, SOCKS5 or 
+https CONNECT style proxy server. His page for connect.c has extensive
+documentation on its use as well as compiled versions for Win32.
-chroot.diff: 
+http://www.taiyo.co.jp/~gotoh/ssh/connect.html
-Due to the fact the patch is never in sync with the rest of the tree.  It was
-removed. 
+X11 SSH Askpass:
+Jim Knoble <jmknoble@pobox.com> has written an excellent X11
+passphrase requester. This is highly recommended:
+http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/index.html
+In this directory
+-----------------
 ssh-copy-id:
 Phil Hands' <phil@hands.com> shell script to automate the process of adding
 your public key to a remote machine's ~/.ssh/authorized_keys file.
-gnome-ssh-askpass:
+gnome-ssh-askpass[12]:
-A GNOME passphrase requester of my own creation. Compilation instructions
+A GNOME and Gtk2 passphrase requesters. Use "make gnome-ssh-askpass1" or
-are in the top of the file.
+"make gnome-ssh-askpass2" to build.
 sshd.pam.generic:
@@ -43,19 +52,9 @@ Contributed by Mark D. Roth <roth@feep.net>
 redhat:
-RPM spec file an scripts for building Redhat packages
+RPM spec file and scripts for building Redhat packages
 suse:
-RPM spec file an scripts for building SuSE packages
+RPM spec file and scripts for building SuSE packages
-Externally maintained
---------------------
-X11 SSH Askpass:
-Jim Knoble <jmknoble@pobox.com> has written an excellent X11
-passphrase requester. This is highly recommended:
-http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/index.html
diff --git a/contrib/aix/buildbff.sh b/contrib/aix/buildbff.sh
index d531e53f4..5c09c6b75 100755
--- a/contrib/aix/buildbff.sh
+++ b/contrib/aix/buildbff.sh
@@ -18,6 +18,16 @@ X11_FORWARDING=no
 umask 022
+startdir=`pwd`
+# Path to inventory.sh: same place as buildbff.sh
+if  echo $0 | egrep '^/'
+then
+        inventory=`dirname $0`/inventory.sh             # absolute path
+else
+        inventory=`pwd`/`dirname $0`/inventory.sh       # relative path
+fi
 #
 # We still support running from contrib/aix, but this is depreciated
 #
@@ -45,14 +55,6 @@ objdir=`pwd`
 PKGNAME=openssh
 PKGDIR=package
-# Path to inventory.sh: same place as buildbff.sh
-if  echo $0 | egrep '^/'
-then
-        inventory=`dirname $0`/inventory.sh             # absolute path
-else
-        inventory=`pwd`/`dirname $0`/inventory.sh       # relative path
-fi
 #
 # Collect local configuration settings to override defaults
 #
@@ -328,15 +330,10 @@ rm -f $PKGNAME-$VERSION.bff
 ) | backup  -i -q -f ../$PKGNAME-$VERSION.bff $filelist
 #
-# Move package into final location
+# Move package into final location and clean up
 #
-if [ "$contribaix" = "1" ]
+mv ../$PKGNAME-$VERSION.bff $startdir
-then
+cd $startdir
-        mv ../$PKGNAME-$VERSION.bff $objdir/contrib/aix
-else
-        mv ../$PKGNAME-$VERSION.bff $objdir
-fi
 rm -rf $objdir/$PKGDIR
 echo $0: done.
diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec
index e7473947e..b7de22e8b 100644
--- a/contrib/caldera/openssh.spec
+++ b/contrib/caldera/openssh.spec
@@ -17,7 +17,7 @@
 #old cvs stuff.  please update before use.  may be deprecated.
 %define use_stable      1
 %if %{use_stable}
-  %define version       3.4p1
+  %define version       3.5p1
  %define cvs           %{nil}
  %define release       2
 %else
@@ -181,8 +181,6 @@ CFLAGS="$RPM_OPT_FLAGS" \
            --with-pam \
            --with-tcp-wrappers \
            --with-ipv4-default \
-            --sysconfdir=%{_sysconfdir}/ssh \
-            --libexecdir=%{_libexecdir}/openssh \
            --with-privsep-path=%{_var}/empty/sshd \
            #leave this line for easy edits.
@@ -355,4 +353,4 @@ fi
 * Mon Jan 01 1998 ...
 Template Version: 1.31
-$Id: openssh.spec,v 1.36 2002/06/26 13:57:13 djm Exp $
+$Id: openssh.spec,v 1.38 2002/10/03 01:56:59 djm Exp $
diff --git a/contrib/cygwin/README b/contrib/cygwin/README
index 9021ba2b0..71ea3455f 100644
--- a/contrib/cygwin/README
+++ b/contrib/cygwin/README
@@ -1,6 +1,30 @@
 This package is the actual port of OpenSSH to Cygwin 1.3.
 ===========================================================================
+Important change since 3.4p1-2:
+This version adds privilege separation as default setting, see
+/usr/doc/openssh/README.privsep.  According to that document the
+privsep feature requires a non-privileged account called 'sshd'.
+The new ssh-host-config file which is part of this version asks
+to create 'sshd' as local user if you want to use privilege
+separation.  If you confirm, it creates that NT user and adds
+the necessary entry to /etc/passwd.
+On 9x/Me systems the script just sets UsePrivilegeSeparation to "no"
+since that feature doesn't make any sense on a system which doesn't
+differ between privileged and unprivileged users.
+The new ssh-host-config script also adds the /var/empty directory
+needed by privilege separation.  When creating the /var/empty directory
+by yourself, please note that in contrast to the README.privsep document
+the owner sshould not be "root" but the user which is running sshd.  So,
+in the standard configuration this is SYSTEM.  The ssh-host-config script
+chowns /var/empty accordingly.
+===========================================================================
+===========================================================================
 Important change since 3.0.1p1-2:
 This version introduces the ability to register sshd as service on
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index da6011267..4df5aa969 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -18,6 +18,11 @@ progname=$0
 auto_answer=""
 port_number=22
+privsep_configured=no
+privsep_used=yes
+sshd_in_passwd=no
+sshd_in_sam=no
 request()
 {
  if [ "${auto_answer}" = "yes" ]
@@ -90,6 +95,10 @@ do
  esac
 done
+# Check if running on NT
+_sys="`uname -a`"
+_nt=`expr "$_sys" : "CYGWIN_NT"`
 # Check for running ssh/sshd processes first. Refuse to do anything while
 # some ssh processes are still running
@@ -98,7 +107,7 @@ then
  echo
  echo "There are still ssh processes running. Please shut them down first."
  echo
-  #exit 1
+  exit 1
 fi
 # Check for ${SYSCONFDIR} directory
@@ -126,6 +135,39 @@ then
  fi
 fi
+# Create /var/log and /var/log/lastlog if not already existing
+if [ -f /var/log ]
+then
+  echo "Creating /var/log failed\!"
+else
+  if [ ! -d /var/log ]
+  then
+    mkdir -p /var/log
+  fi
+  if [ -d /var/log/lastlog ]
+  then
+    echo "Creating /var/log/lastlog failed\!"
+  elif [ ! -f /var/log/lastlog ]
+  then
+    cat /dev/null > /var/log/lastlog
+  fi
+fi
+# Create /var/empty file used as chroot jail for privilege separation
+if [ -f /var/empty ]
+then
+  echo "Creating /var/empty failed\!"
+else
+  mkdir -p /var/empty
+  # On NT change ownership of that dir to user "system"
+  if [ $_nt -gt 0 ]
+  then
+    chmod 755 /var/empty
+    chown system.system /var/empty
+  fi
+fi
 # Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't
 # the same as ${PREFIX}
@@ -219,9 +261,10 @@ if [ ! -f "${SYSCONFDIR}/ssh_config" ]
 then
  echo "Generating ${SYSCONFDIR}/ssh_config file"
  cat > ${SYSCONFDIR}/ssh_config << EOF
-# This is ssh client systemwide configuration file.  This file provides 
+# This is the ssh client system-wide configuration file.  See
-# defaults for users, and the values can be changed in per-user configuration
+# ssh_config(5) for more information.  This file provides defaults for
-# files or on the command line.
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
 # Configuration data is parsed as follows:
 #  1. command line options
@@ -237,20 +280,19 @@ then
 #   ForwardAgent no
 #   ForwardX11 no
 #   RhostsAuthentication no
-#   RhostsRSAAuthentication yes
+#   RhostsRSAAuthentication no
 #   RSAAuthentication yes
 #   PasswordAuthentication yes
-#   FallBackToRsh no
-#   UseRsh no
 #   BatchMode no
 #   CheckHostIP yes
-#   StrictHostKeyChecking yes
+#   StrictHostKeyChecking ask
 #   IdentityFile ~/.ssh/identity
 #   IdentityFile ~/.ssh/id_dsa
 #   IdentityFile ~/.ssh/id_rsa
 #   Port 22
 #   Protocol 2,1
-#   Cipher blowfish
+#   Cipher 3des
+#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
 #   EscapeChar ~
 EOF
  if [ "$port_number" != "22" ]
@@ -271,17 +313,75 @@ then
    then
      echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected."
    fi
+  else
+    grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
  fi
 fi
-# Create default sshd_config from here script
+# Prior to creating or modifying sshd_config, care for privilege separation
+if [ "$privsep_configured" != "yes" ]
+then
+  if [ $_nt -gt 0 ]
+  then
+    echo "Privilege separation is set to yes by default since OpenSSH 3.3."
+    echo "However, this requires a non-privileged account called 'sshd'."
+    echo "For more info on privilege separation read /usr/doc/openssh/README.privsep."
+    echo
+    if request "Shall privilege separation be used?"
+    then
+      privsep_used=yes
+      grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes
+      net user sshd >/dev/null 2>&1 && sshd_in_sam=yes
+      if [ "$sshd_in_passwd" != "yes" ]
+      then
+        if [ "$sshd_in_sam" != "yes" ]
+        then
+          echo "Warning: The following function requires administrator privileges!"
+          if request "Shall this script create a local user 'sshd' on this machine?"
+          then
+            dos_var_empty=`cygpath -w /var/empty`
+            net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes
+            if [ "$sshd_in_sam" != "yes" ]
+            then
+              echo "Warning: Creating the user 'sshd' failed!"
+            fi
+          fi
+        fi
+        if [ "$sshd_in_sam" != "yes" ]
+        then
+          echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!"
+          echo "         Privilege separation set to 'no' again!"
+          echo "         Check your ${SYSCONFDIR}/sshd_config file!"
+          privsep_used=no
+        else
+          mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd
+        fi
+      fi
+    else
+      privsep_used=no
+    fi
+  else
+    # On 9x don't use privilege separation.  Since security isn't
+    # available it just adds useless addtional processes.
+    privsep_used=no
+  fi
+fi
+# Create default sshd_config from here script or modify to add the
+# missing privsep configuration option
 if [ ! -f "${SYSCONFDIR}/sshd_config" ]
 then
  echo "Generating ${SYSCONFDIR}/sshd_config file"
  cat > ${SYSCONFDIR}/sshd_config << EOF
-# This is the sshd server system-wide configuration file.  See sshd(8)
+# This is the sshd server system-wide configuration file.  See
-# for more information.
+# sshd_config(5) for more information.
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options change a
+# default value.
 Port $port_number
 #Protocol 2,1
@@ -289,66 +389,77 @@ Port $port_number
 #ListenAddress ::
 # HostKey for protocol version 1
-HostKey /etc/ssh_host_key
+#HostKey ${SYSCONFDIR}/ssh_host_key
 # HostKeys for protocol version 2
-HostKey /etc/ssh_host_rsa_key
+#HostKey ${SYSCONFDIR}/ssh_host_rsa_key
-HostKey /etc/ssh_host_dsa_key
+#HostKey ${SYSCONFDIR}/ssh_host_dsa_key
 # Lifetime and size of ephemeral version 1 server ke
-KeyRegenerationInterval 3600
+#KeyRegenerationInterval 3600
-ServerKeyBits 768
+#ServerKeyBits 768
 # Logging
-SyslogFacility AUTH
-LogLevel INFO
 #obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+#LogLevel INFO
 # Authentication:
-LoginGraceTime 600
+#LoginGraceTime 600
-PermitRootLogin yes
+#PermitRootLogin yes
 # The following setting overrides permission checks on host key files
 # and directories. For security reasons set this to "yes" when running
 # NT/W2K, NTFS and CYGWIN=ntsec.
 StrictModes no
-RSAAuthentication yes
+#RSAAuthentication yes
-PubkeyAuthentication yes
+#PubkeyAuthentication yes
 #AuthorizedKeysFile     %h/.ssh/authorized_keys
 # rhosts authentication should not be used
-RhostsAuthentication no
+#RhostsAuthentication no
 # Don't read ~/.rhosts and ~/.shosts files
-IgnoreRhosts yes
+#IgnoreRhosts yes
-# For this to work you will also need host keys in /etc/ssh_known_hosts
+# For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts
-RhostsRSAAuthentication no
+#RhostsRSAAuthentication no
 # similar for protocol version 2
-HostbasedAuthentication no
+#HostbasedAuthentication no
-# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+# Change to yes if you don't trust ~/.ssh/known_hosts for
-#IgnoreUserKnownHosts yes
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
 # To disable tunneled clear text passwords, change to no here!
-PasswordAuthentication yes
+#PasswordAuthentication yes
-PermitEmptyPasswords no
+#PermitEmptyPasswords no
-X11Forwarding no
+# Change to no to disable s/key passwords
-X11DisplayOffset 10
+#ChallengeResponseAuthentication yes
-PrintMotd yes
-#PrintLastLog no
+#X11Forwarding no
-KeepAlive yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PrintMotd yes
+#PrintLastLog yes
+#KeepAlive yes
 #UseLogin no
+UsePrivilegeSeparation $privsep_used
+#Compression yes
-#MaxStartups 10:30:60
+#MaxStartups 10
-#Banner /etc/issue.net
+# no default banner path
-#ReverseMappingCheck yes
+#Banner /some/path
+#VerifyReverseMapping no
+# override default of no subsystems
 Subsystem      sftp    /usr/sbin/sftp-server
 EOF
+elif [ "$privsep_configured" != "yes" ]
+then
+  echo >> ${SYSCONFDIR}/sshd_config
+  echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config
 fi
 # Care for services file
-_sys="`uname -a`"
-_nt=`expr "$_sys" : "CYGWIN_NT"`
 if [ $_nt -gt 0 ]
 then
  _wservices="${SYSTEMROOT}\\system32\\drivers\\etc\\services"
@@ -403,8 +514,8 @@ umount "${_services}"
 umount "${_serv_tmp}"
 # Care for inetd.conf file
-_inetcnf="/etc/inetd.conf"
+_inetcnf="${SYSCONFDIR}/inetd.conf"
-_inetcnf_tmp="/etc/inetd.conf.$$"
+_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
 if [ -f "${_inetcnf}" ]
 then
@@ -442,25 +553,6 @@ then
  fi
 fi
-# Create /var/log and /var/log/lastlog if not already existing
-if [ -f /var/log ]
-then
-  echo "Creating /var/log failed\!"
-else
-  if [ ! -d /var/log ]
-  then
-    mkdir /var/log
-  fi
-  if [ -d /var/log/lastlog ]
-  then
-    echo "Creating /var/log/lastlog failed\!"
-  elif [ ! -f /var/log/lastlog ]
-  then
-    cat /dev/null > /var/log/lastlog
-  fi
-fi
 # On NT ask if sshd should be installed as service
 if [ $_nt -gt 0 ]
 then
@@ -477,7 +569,7 @@ then
    [ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty"
    if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}"
    then
-      chown system /etc/ssh*
+      chown system ${SYSCONFDIR}/ssh*
      echo
      echo "The service has been installed under LocalSystem account."
    fi
diff --git a/contrib/gnome-ssh-askpass.c b/contrib/gnome-ssh-askpass1.c
index 7cece5620..b6b342b84 100644
--- a/contrib/gnome-ssh-askpass.c
+++ b/contrib/gnome-ssh-askpass1.c
@@ -38,7 +38,7 @@
 * Compile with:
 *
 * cc `gnome-config --cflags gnome gnomeui` \
- *    gnome-ssh-askpass.c -o gnome-ssh-askpass \
+ *    gnome-ssh-askpass1.c -o gnome-ssh-askpass \
 *    `gnome-config --libs gnome gnomeui`
 *
 */
@@ -64,7 +64,7 @@ report_failed_grab (void)
        gnome_dialog_run_and_close(GNOME_DIALOG(err));
 }
-void
+int
 passphrase_dialog(char *message)
 {
        char *passphrase;
@@ -135,7 +135,7 @@ passphrase_dialog(char *message)
        gtk_entry_set_text(GTK_ENTRY(entry), passphrase);
                        
        gnome_dialog_close(GNOME_DIALOG(dialog));
-        return;
+        return (result == 0 ? 0 : -1);
        /* At least one grab failed - ungrab what we got, and report
           the failure to the user.  Note that XGrabServer() cannot
@@ -148,13 +148,15 @@ passphrase_dialog(char *message)
        gnome_dialog_close(GNOME_DIALOG(dialog));
        
        report_failed_grab();
+        return (-1);
 }
 int
 main(int argc, char **argv)
 {
        char *message;
-        
+        int result;
        gnome_init("GNOME ssh-askpass", "0.1", argc, argv);
        if (argc == 2)
@@ -163,6 +165,7 @@ main(int argc, char **argv)
                message = "Enter your OpenSSH passphrase:";
        setvbuf(stdout, 0, _IONBF, 0);
-        passphrase_dialog(message);
+        result = passphrase_dialog(message);
-        return 0;
+        return (result);
 }
diff --git a/contrib/gnome-ssh-askpass2.c b/contrib/gnome-ssh-askpass2.c
new file mode 100644
index 000000000..89a412aa8
--- /dev/null
+++ b/contrib/gnome-ssh-askpass2.c
@@ -0,0 +1,204 @@
+/*
+ * Copyright (c) 2000-2002 Damien Miller.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/* GTK2 support by Nalin Dahyabhai <nalin@redhat.com> */
+/*
+ * This is a simple GNOME SSH passphrase grabber. To use it, set the 
+ * environment variable SSH_ASKPASS to point to the location of 
+ * gnome-ssh-askpass before calling "ssh-add < /dev/null". 
+ *
+ * There is only two run-time options: if you set the environment variable
+ * "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab
+ * the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the 
+ * pointer will be grabbed too. These may have some benefit to security if 
+ * you don't trust your X server. We grab the keyboard always.
+ */
+/*
+ * Compile with:
+ *
+ * cc `pkg-config --cflags gtk+-2.0` \
+ *    gnome-ssh-askpass2.c -o gnome-ssh-askpass \
+ *    `pkg-config --libs gtk+-2.0`
+ *
+ */
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <X11/Xlib.h>
+#include <gtk/gtk.h>
+#include <gdk/gdkx.h>
+static void
+report_failed_grab (const char *what)
+{
+        GtkWidget *err;
+        err = gtk_message_dialog_new(NULL, 0,
+                                     GTK_MESSAGE_ERROR,
+                                     GTK_BUTTONS_CLOSE,
+                                     "Could not grab %s. "
+                                     "A malicious client may be eavesdropping "
+                                     "on your session.", what);
+        gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
+        gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(err))->label),
+                                TRUE);
+        gtk_dialog_run(GTK_DIALOG(err));
+        gtk_widget_destroy(err);
+}
+static void
+ok_dialog(GtkWidget *entry, gpointer dialog)
+{
+        g_return_if_fail(GTK_IS_DIALOG(dialog));
+        gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
+}
+static int
+passphrase_dialog(char *message)
+{
+        const char *failed;
+        char *passphrase, *local;
+        char **messages;
+        int result, i, grab_server, grab_pointer;
+        GtkWidget *dialog, *entry, *label;
+        GdkGrabStatus status;
+        grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
+        grab_pointer = (getenv("GNOME_SSH_ASKPASS_GRAB_POINTER") != NULL);
+        dialog = gtk_message_dialog_new(NULL, 0,
+                                        GTK_MESSAGE_QUESTION,
+                                        GTK_BUTTONS_OK_CANCEL,
+                                        "%s",
+                                        message);
+        entry = gtk_entry_new();
+        gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), entry, FALSE, 
+            FALSE, 0);
+        gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
+        gtk_widget_grab_focus(entry);
+        gtk_widget_show(entry);
+        gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH");
+        gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
+        gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(dialog))->label),
+                                TRUE);
+        /* Make <enter> close dialog */
+        gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
+        g_signal_connect(G_OBJECT(entry), "activate",
+                         G_CALLBACK(ok_dialog), dialog);
+        /* Grab focus */
+        gtk_widget_show_now(dialog);
+        if (grab_server) {
+                gdk_x11_grab_server();
+        }
+        if (grab_pointer) {
+                status =  gdk_pointer_grab((GTK_WIDGET(dialog))->window, TRUE,
+                                           0, NULL, NULL, GDK_CURRENT_TIME);
+                if (status != GDK_GRAB_SUCCESS) {
+                        failed = "mouse";
+                        goto nograb;
+                }
+        }
+        status = gdk_keyboard_grab((GTK_WIDGET(dialog))->window, FALSE,
+                                   GDK_CURRENT_TIME);
+        if (status != GDK_GRAB_SUCCESS) {
+                failed = "keyboard";
+                goto nograbkb;
+        }
+        result = gtk_dialog_run(GTK_DIALOG(dialog));
+        /* Ungrab */
+        if (grab_server)
+                XUngrabServer(GDK_DISPLAY());
+        if (grab_pointer)
+                gdk_pointer_ungrab(GDK_CURRENT_TIME);
+        gdk_keyboard_ungrab(GDK_CURRENT_TIME);
+        gdk_flush();
+        /* Report passphrase if user selected OK */
+        passphrase = g_strdup(gtk_entry_get_text(GTK_ENTRY(entry)));
+        if (result == GTK_RESPONSE_OK) {
+                local = g_locale_from_utf8(passphrase, strlen(passphrase),
+                                           NULL, NULL, NULL);
+                if (local != NULL) {
+                        puts(local);
+                        memset(local, '\0', strlen(local));
+                        g_free(local);
+                } else {
+                        puts(passphrase);
+                }
+        }
+                
+        /* Zero passphrase in memory */
+        memset(passphrase, '\b', strlen(passphrase));
+        gtk_entry_set_text(GTK_ENTRY(entry), passphrase);
+        memset(passphrase, '\0', strlen(passphrase));
+        g_free(passphrase);
+                        
+        gtk_widget_destroy(dialog);
+        return (result == GTK_RESPONSE_OK ? 0 : -1);
+        /* At least one grab failed - ungrab what we got, and report
+           the failure to the user.  Note that XGrabServer() cannot
+           fail.  */
+ nograbkb:
+        gdk_pointer_ungrab(GDK_CURRENT_TIME);
+ nograb:
+        if (grab_server)
+                XUngrabServer(GDK_DISPLAY());
+        gtk_widget_destroy(dialog);
+        
+        report_failed_grab(failed);
+        return (-1);
+}
+int
+main(int argc, char **argv)
+{
+        char *message;
+        int result;
+        gtk_init(&argc, &argv);
+        if (argc > 1) {
+                message = g_strjoinv(" ", argv + 1);
+        } else {
+                message = g_strdup("Enter your OpenSSH passphrase:");
+        }
+        setvbuf(stdout, 0, _IONBF, 0);
+        result = passphrase_dialog(message);
+        g_free(message);
+        return (result);
+}
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec
index b73fb929f..e7005064d 100644
--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
-%define ver 3.4p1
+%define ver 3.5p1
 %define rel 1
 # OpenSSH privilege separation requires a user & group ID
@@ -20,6 +20,9 @@
 # Do we want smartcard support (1=yes 0=no)
 %define scard 0
+# Use GTK2 instead of GNOME in gnome-ssh-askpass
+%define gtk2 0
 # Is this build for RHL 6.x?
 %define build6x 0
@@ -86,7 +89,7 @@ PreReq: initscripts >= 5.20
 %endif
 BuildPreReq: perl, openssl-devel, sharutils, tcp_wrappers
 BuildPreReq: /bin/login
-%if %{build6x}
+%if ! %{build6x}
 BuildPreReq: glibc-devel, pam
 %else
 BuildPreReq: db1-devel, /usr/include/security/pam_appl.h
@@ -95,7 +98,7 @@ BuildPreReq: db1-devel, /usr/include/security/pam_appl.h
 BuildPreReq: XFree86-devel
 %endif
 %if ! %{no_gnome_askpass}
-BuildPreReq: gnome-libs-devel
+BuildPreReq: pkgconfig
 %endif
 %if %{kerberos5}
 BuildPreReq: krb5-devel
@@ -220,11 +223,23 @@ make
 popd
 %endif
+# Define a variable to toggle gnome1/gtk2 building.  This is necessary
+# because RPM doesn't handle nested %if statements.
+%if %{gtk2}
+        gtk2=yes
+%else
+        gtk2=no
+%endif
 %if ! %{no_gnome_askpass}
 pushd contrib
-gcc $RPM_OPT_FLAGS `gnome-config --cflags gnome gnomeui` \
+if [ $gtk2 = yes ] ; then
-        gnome-ssh-askpass.c -o gnome-ssh-askpass \
+        make gnome-ssh-askpass2
-        `gnome-config --libs gnome gnomeui`
+        mv gnome-ssh-askpass2 gnome-ssh-askpass
+else
+        make gnome-ssh-askpass1
+        mv gnome-ssh-askpass1 gnome-ssh-askpass
+fi
 popd
 %endif
@@ -255,6 +270,10 @@ ln -s x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
 install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
 %endif
+%if ! %{scard}
+         rm -f $RPM_BUILD_ROOT/usr/share/openssh/Ssh.bin
+%endif
 install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
 install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
 install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
@@ -338,7 +357,7 @@ fi
 %attr(-,root,root) %{_bindir}/slogin
 %attr(-,root,root) %{_mandir}/man1/slogin.1*
 %if ! %{rescue}
-%attr(0755,root,root) %{_bindir}/ssh-agent
+%attr(2755,root,nobody) %{_bindir}/ssh-agent
 %attr(0755,root,root) %{_bindir}/ssh-add
 %attr(0755,root,root) %{_bindir}/ssh-keyscan
 %attr(0755,root,root) %{_bindir}/sftp
@@ -381,6 +400,12 @@ fi
 %endif
 %changelog
+* Wed Oct 01 2002 Damien Miller <djm@mindrot.org>
+- Install ssh-agent setgid nobody to prevent ptrace() key theft attacks
+* Mon Sep 30 2002 Damien Miller <djm@mindrot.org>
+- Use contrib/ Makefile for building askpass programs
 * Fri Jun 21 2002 Damien Miller <djm@mindrot.org>
 - Merge in spec changes from seba@iq.pl (Sebastian Pachuta)
 - Add new {ssh,sshd}_config.5 manpages
diff --git a/contrib/solaris/buildpkg.sh b/contrib/solaris/buildpkg.sh
index 1be6ed8d1..c41b3f963 100755
--- a/contrib/solaris/buildpkg.sh
+++ b/contrib/solaris/buildpkg.sh
@@ -11,13 +11,18 @@ umask 022
 # Options for building the package
 # You can create a config.local with your customized options
 #
-# uncommenting TEST_DIR and using configure--prefix=/var/tmp and 
+# uncommenting TEST_DIR and using
+# configure --prefix=/var/tmp --with-privsep-path=/var/tmp/empty
+# and 
 # PKGNAME=tOpenSSH should allow testing a package without interfering
-# with a real OpenSSH package on a system.
+# with a real OpenSSH package on a system. This is not needed on systems
+# that support the -R option to pkgadd.
 #TEST_DIR=/var/tmp      # leave commented out for production build
 PKGNAME=OpenSSH
 SYSVINIT_NAME=opensshd
 MAKE=${MAKE:="make"}
+SSHDUID=67      # Default privsep uid
+SSHDGID=67      # Default privsep gid
 # uncomment these next two as needed
 #PERMIT_ROOT_LOGIN=no
 #X11_FORWARDING=yes
@@ -55,7 +60,7 @@ SYSTEM_DIR="/etc	\
 /var/tmp                \
 /tmp"
-# We may need to buiild as root so we make sure PATH is set up
+# We may need to build as root so we make sure PATH is set up
 # only set the path if it's not set already
 [ -d /usr/local/bin ]  &&  {
        echo $PATH | grep ":/usr/local/bin"  > /dev/null 2>&1
@@ -96,6 +101,19 @@ do
        eval $confvar=`grep "^$confvar=" Makefile | cut -d = -f 2`
 done
+## Collect value of privsep user
+for confvar in SSH_PRIVSEP_USER
+do
+        eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' config.h`
+done
+## Set privsep defaults if not defined
+if [ -z "$SSH_PRIVSEP_USER" ]
+then
+        SSH_PRIVSEP_USER=sshd
+fi
 ## Extract common info requires for the 'info' part of the package.
 VERSION=`./ssh -V 2>&1 | sed -e 's/,.*//'`
@@ -106,7 +124,8 @@ case ${UNAME_S} in
                RCS_D=yes
                DEF_MSG="(default: n)"
                ;;
-        *)      ARCH=`uname -m` ;;
+        *)      ARCH=`uname -m`
+                DEF_MSG="\n" ;;
 esac
 ## Setup our run level stuff while we are at it.
@@ -171,13 +190,16 @@ echo "Building postinstall file..."
 cat > postinstall << _EOF
 #! /sbin/sh
 #
-[ -f ${sysconfdir}/ssh_config ]  ||  \\
+[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config ]  ||  \\
-        cp -p ${sysconfdir}/ssh_config.default ${sysconfdir}/ssh_config
+        cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config.default \\
-[ -f ${sysconfdir}/sshd_config ]  ||  \\
+                \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config
-        cp -p ${sysconfdir}/sshd_config.default ${sysconfdir}/sshd_config
+[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config ]  ||  \\
-[ -f ${sysconfdir}/ssh_prng_cmds.default ]  &&  {
+        cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config.default \\
-        [ -f ${sysconfdir}/ssh_prng_cmds ]  ||  \\
+                \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config
-        cp -p ${sysconfdir}/ssh_prng_cmds.default ${sysconfdir}/ssh_prng_cmds
+[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds.default ]  &&  {
+        [ -f \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds ]  ||  \\
+        cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds.default \\
+                \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds
 }
 # make rc?.d dirs only if we are doing a test install
@@ -191,23 +213,75 @@ cat > postinstall << _EOF
 if [ "\${USE_SYM_LINKS}" = yes ]
 then
        [ "$RCS_D" = yes ]  &&  \
-installf ${PKGNAME} $TEST_DIR/etc/rcS.d/K30${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
+installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/K30${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
-        installf ${PKGNAME} $TEST_DIR/etc/rc0.d/K30${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
+        installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/K30${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
-        installf ${PKGNAME} $TEST_DIR/etc/rc1.d/K30${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
+        installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/K30${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
-        installf ${PKGNAME} $TEST_DIR/etc/rc2.d/S98${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
+        installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/S98${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
 else
        [ "$RCS_D" = yes ]  &&  \
-installf ${PKGNAME} $TEST_DIR/etc/rcS.d/K30${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
+installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/K30${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
-        installf ${PKGNAME} $TEST_DIR/etc/rc0.d/K30${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
+        installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/K30${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
-        installf ${PKGNAME} $TEST_DIR/etc/rc1.d/K30${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
+        installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/K30${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
-        installf ${PKGNAME} $TEST_DIR/etc/rc2.d/S98${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
+        installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/S98${SYSVINIT_NAME}=$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
 fi
 # If piddir doesn't exist we add it. (Ie. --with-pid-dir=/var/opt/ssh)
-[ -d $piddir ]  ||  installf ${PKGNAME} $TEST_DIR$piddir d 755 root sys
+[ -d $piddir ]  ||  installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR$piddir d 755 root sys
 installf -f ${PKGNAME}
+# Use chroot to handle PKG_INSTALL_ROOT
+if [ ! -z "\${PKG_INSTALL_ROOT}" ]
+then
+        chroot="chroot \${PKG_INSTALL_ROOT}"
+fi
+# If this is a test build, we will skip the groupadd/useradd/passwd commands
+if [ ! -z "${TEST_DIR}" ]
+then
+        chroot=echo
+fi
+if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' \${PKG_INSTALL_ROOT}/$sysconfdir/sshd_config >/dev/null
+then
+        echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user"
+        echo "or group."
+else
+        echo "UsePrivilegeSeparation enabled in config (or defaulting to on)."
+        # create group if required
+        if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
+        then
+                echo "PrivSep group $SSH_PRIVSEP_USER already exists."
+        else
+                # Use gid of 67 if possible
+                if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSHDGID'\$' >/dev/null
+                then
+                        :
+                else
+                        sshdgid="-g $SSHDGID"
+                fi
+                echo "Creating PrivSep group $SSH_PRIVSEP_USER."
+                \$chroot /usr/sbin/groupadd \$sshdgid $SSH_PRIVSEP_USER
+        fi
+        # Create user if required
+        if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
+        then
+                echo "PrivSep user $SSH_PRIVSEP_USER already exists."
+        else
+                # Use uid of 67 if possible
+                if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDGID'\$' >/dev/null
+                then
+                        :
+                else
+                        sshduid="-u $SSHDUID"
+                fi
+                echo "Creating PrivSep user $SSH_PRIVSEP_USER."
+                \$chroot /usr/sbin/useradd -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER \$sshduid $SSH_PRIVSEP_USER
+                \$chroot /usr/bin/passwd -l $SSH_PRIVSEP_USER
+        fi
+fi
 [ "\${POST_INS_START}" = "yes" ]  &&  ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} start
 exit 0
 _EOF
diff --git a/contrib/solaris/opensshd.in b/contrib/solaris/opensshd.in
index 212254dc8..e7ca2489f 100755
--- a/contrib/solaris/opensshd.in
+++ b/contrib/solaris/opensshd.in
@@ -3,11 +3,8 @@
 #
 # Stripped PRNGd out of it for the time being.
-AWK=/usr/bin/awk
 CAT=/usr/bin/cat
 KILL=/usr/bin/kill
-PS=/usr/bin/ps
-XARGS=/usr/bin/xargs
 prefix=%%openSSHDir%%
 etcdir=%%configDir%%
@@ -20,12 +17,6 @@ HOST_KEY_RSA1=$etcdir/ssh_host_key
 HOST_KEY_DSA=$etcdir/ssh_host_dsa_key
 HOST_KEY_RSA=$etcdir/ssh_host_rsa_key
-killproc() {
-   _procname=$1
-   _signal=$2
-   ${PS} -u root | ${AWK} '/'"$_procname"'$/ {print $1}' | ${XARGS} ${KILL}
-}
 checkkeys() {
    if [ ! -f $HOST_KEY_RSA1 ]; then
@@ -46,8 +37,7 @@ stop_service() {
    if [  ${PID:=0} -gt 1 -a  ! "X$PID" = "X "  ]; then
        ${KILL} ${PID}
    else
-        echo "Unable to read PID file, killing using alternate method"
+        echo "Unable to read PID file"
-        killproc sshd TERM
    fi
 }
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec
index 126dac335..3ae1dfc80 100644
--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -1,6 +1,6 @@
 Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name: openssh
-Version: 3.4p1
+Version: 3.5p1
 URL: http://www.openssh.com/
 Release: 1
 Source0: openssh-%{version}.tar.gz
diff --git a/debian/changelog b/debian/changelog
index e5651eb28..6a6a6eb0c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,33 @@
+openssh (1:3.5p1-1) unstable; urgency=low
+  * New upstream release.
+    - Fixes typo in ssh-add usage (closes: #152239).
+    - Fixes 'PermitRootLogin forced-commands-only' (closes: #166184).
+    - ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys
+      are deprecated for security reasons and will eventually go away. For
+      now they can be re-enabled by setting 'PermitUserEnvironment yes' in
+      sshd_config.
+    - ssh-agent is installed setgid to prevent ptrace() attacks. The group
+      actually doesn't matter, as it drops privileges immediately, but to
+      avoid confusion the postinst creates a new 'ssh' group for it.
+  * Obsolete patches:
+    - Solar Designer's privsep+compression patch for Linux 2.2 (see
+      1:3.3p1-0.0woody1).
+    - Hostbased auth ssh-keysign backport (see 1:3.4p1-4).
+  * Remove duplicated phrase in ssh_config(5) (closes: #152404).
+  * Source the debconf confmodule at the top of the postrm rather than at
+    the bottom, to avoid making future non-idempotency problems worse (see
+    #151035).
+  * Debconf templates:
+    - Add Polish (thanks, Grzegorz Kusnierz).
+    - Update French (thanks, Denis Barbier; closes: #132509).
+    - Update Spanish (thanks, Carlos Valdivia Yag�e; closes: #164716).
+  * Write a man page for gnome-ssh-askpass, and link it to ssh-askpass.1 if
+    this is the selected ssh-askpass alternative (closes: #67775).
+ -- Colin Watson <cjwatson@debian.org>  Sat, 26 Oct 2002 19:41:51 +0100
 openssh (1:3.4p1-4) unstable; urgency=low
  * Allow ssh-krb5 in ssh-askpass-gnome's dependencies (closes: #129532).
diff --git a/debian/gnome-ssh-askpass.1 b/debian/gnome-ssh-askpass.1
new file mode 100644
index 000000000..b74c410a8
--- /dev/null
+++ b/debian/gnome-ssh-askpass.1
@@ -0,0 +1,51 @@
+.TH GNOME-SSH-ASKPASS 1
+.SH NAME
+gnome\-ssh\-askpass \- prompts a user for a passphrase using GNOME
+.SH SYNOPSIS
+.B gnome\-ssh\-askpass
+.SH DESCRIPTION
+.B gnome\-ssh\-askpass
+is a GNOME-based passphrase dialog for use with OpenSSH.
+It is intended to be called by the
+.BR ssh\-add (1)
+program and not invoked directly.
+It allows
+.BR ssh\-add (1)
+to obtain a passphrase from a user, even if not connected to a terminal
+(assuming that an X display is available).
+This happens automatically in the case where
+.B ssh\-add
+is invoked from one's
+.B ~/.xsession
+or as one of the GNOME startup programs, for example.
+.PP
+In order to be called automatically by
+.BR ssh\-add ,
+.B gnome\-ssh\-askpass
+should be installed as
+.IR /usr/bin/ssh\-askpass .
+.SH "ENVIRONMENT VARIABLES"
+The following environment variables are recognized:
+.TP
+.I GNOME_SSH_ASKPASS_GRAB_SERVER
+Causes
+.B gnome\-ssh\-askpass
+to grab the X server before asking for a passphrase.
+.TP
+.I GNOME_SSH_ASKPASS_GRAB_POINTER
+Causes
+.B gnome\-ssh\-askpass
+to grab the mouse pointer using
+.IR gdk_pointer_grab ()
+before asking for a passphrase.
+.PP
+Regardless of whether either of these environment variables is set,
+.B gnome\-ssh\-askpass
+will grab the keyboard using
+.IR gdk_keyboard_grab ().
+.SH AUTHOR
+This manual page was written by Colin Watson <cjwatson@debian.org>
+for the Debian system (but may be used by others).
+It was based on that for
+.B x11\-ssh\-askpass
+by Philip Hands.
diff --git a/debian/postinst b/debian/postinst
index 10d61d86e..1b741c203 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -280,6 +280,18 @@ set_sshd_permissions() {
 }
+set_ssh_agent_permissions() {
+        if ! getent group | grep -q '^ssh:'; then
+                addgroup --quiet ssh
+        fi
+        if ! [ -x /usr/sbin/dpkg-statoverride ] || \
+            ! dpkg-statoverride --list /usr/bin/ssh-agent >/dev/null ; then
+                chgrp ssh /usr/bin/ssh-agent
+                chmod 2755 /usr/bin/ssh-agent
+        fi
+}
 setup_startup() {
        start=yes
        [ -e /usr/share/debconf/confmodule ] && {
@@ -311,6 +323,7 @@ fix_statoverride
 create_alternatives
 setup_sshd_user
 set_sshd_permissions
+set_ssh_agent_permissions
 setup_startup
 setup_init
diff --git a/debian/postrm b/debian/postrm
index bd0bbee38..c76f662df 100644
--- a/debian/postrm
+++ b/debian/postrm
@@ -1,5 +1,7 @@
 #!/bin/sh -e
+#DEBHELPER#
 if [ "$1" = "purge" ]
 then
  rm -rf /etc/ssh
@@ -11,6 +13,7 @@ fi
 if [ "$1" = "purge" ] ; then
        deluser --quiet sshd > /dev/null || true
+        delgroup --quiet ssh > /dev/null || true
 fi
-#DEBHELPER#
+exit 0
diff --git a/debian/rules b/debian/rules
index 7615c8708..fb60b2270 100755
--- a/debian/rules
+++ b/debian/rules
@@ -23,9 +23,7 @@ build-stamp:
                --with-privsep-path=/var/run/sshd  --without-rand-helper
        $(MAKE) -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' CFLAGS='-O2 -g -Wall -DLOGIN_PROGRAM=\"/bin/login\" -DSSHD_PAM_SERVICE=\"ssh\" -D__FILE_OFFSET_BITS=64 -DHAVE_MMAP_ANON_SHARED' \
                SSH_KEYSIGN='/usr/lib/ssh-keysign'
-        gcc -O2 `gnome-config --cflags gnome gnomeui` \
+        $(MAKE) -C contrib gnome-ssh-askpass1 CC='gcc -O2'
-           contrib/gnome-ssh-askpass.c -o contrib/gnome-ssh-askpass \
-           `gnome-config --libs gnome gnomeui`
        touch build-stamp
@@ -33,7 +31,8 @@ clean:
        dh_testdir
        rm -f build-stamp
        -$(MAKE) -i distclean
-        rm -f contrib/gnome-ssh-askpass config.log
+        -$(MAKE) -C contrib clean
+        rm -f config.log
        if [ -f version.h.upstream ]; then mv version.h.upstream version.h; \
        fi
        dh_clean
@@ -54,9 +53,10 @@ install: build
        rm -f debian/tmp/usr/share/Ssh.bin
        install -m 755 contrib/ssh-copy-id debian/tmp/usr/bin/ssh-copy-id
-        install -m644 -c contrib/ssh-copy-id.1 debian/tmp/usr/share/man/man1/ssh-copy-id.1
+        install -m 644 -c contrib/ssh-copy-id.1 debian/tmp/usr/share/man/man1/ssh-copy-id.1
+        install -m 644 debian/gnome-ssh-askpass.1 debian/tmp/usr/share/man/man1/gnome-ssh-askpass.1
-        install -s -o root -g root -m 755 contrib/gnome-ssh-askpass debian/ssh-askpass-gnome/usr/lib/ssh/gnome-ssh-askpass
+        install -s -o root -g root -m 755 contrib/gnome-ssh-askpass1 debian/ssh-askpass-gnome/usr/lib/ssh/gnome-ssh-askpass
        install -o root -g root debian/init debian/tmp/etc/init.d/ssh
diff --git a/debian/ssh-askpass-gnome.postinst b/debian/ssh-askpass-gnome.postinst
index 3a52d3005..7441cca29 100644
--- a/debian/ssh-askpass-gnome.postinst
+++ b/debian/ssh-askpass-gnome.postinst
@@ -24,7 +24,11 @@ set -e
 case "$1" in
    configure)
-        update-alternatives --quiet --install /usr/bin/ssh-askpass ssh-askpass /usr/lib/ssh/gnome-ssh-askpass 30
+        update-alternatives --quiet \
+            --install /usr/bin/ssh-askpass ssh-askpass \
+                      /usr/lib/ssh/gnome-ssh-askpass 30 \
+            --slave /usr/share/man/man1/ssh-askpass.1.gz \
+                    ssh-askpass.1.gz /usr/share/man/man1/gnome-ssh-askpass.1.gz
    ;;
diff --git a/debian/templates.es b/debian/templates.es
index c3cc971ca..8d7b25a34 100644
--- a/debian/templates.es
+++ b/debian/templates.es
@@ -1,78 +1,24 @@
-Template: ssh/new_config
+Template: ssh/run_sshd
-Type: boolean
-Default: true
-Description: Generate new configuration file
- This version of OpenSSH has a considerably changed configuration file from
- the version shipped in Debian 'Potato', which you appear to be upgrading
- from. I can now generate you a new configuration file
- (/etc/ssh/sshd.config), which will work with the new server version, but
- will not contain any customisations you made with the old version. 
- .
- Please note that this new configuration file will set the value of
- 'PermitRootLogin' to yes (meaning that anyone knowing the root password
- can ssh directly in as root). It is the opinion of the maintainer that
- this is the correct default (see README.Debian for more details), but you
- can always edit sshd_config and set it to no if you wish.
- .
- It is strongly recommended that you let me generate a new configuration
- file for you 
-Description-es: Generar un fichero de configuraci�n nuevo
- Esta versi�n de OpenSSH tiene un fichero de configuraci�n muy distinto del
- que inclu�a la versi�n de 'Potato'. Parece que est� actualizando desde esa
- versi�n, por lo que puede generar un nuevo fichero de configuraci�n
- (/etc/ssh/sshd.config), que funcionar� con la nueva versi�n del servidor,
- pero no tendr� ninguno de los cambios que hubiera hecho a la versi�n
- antigua.
- .
- Debe saber que este nuevo fichero de configuraci�n pondr� el valor de
- 'PermitRootLogin' a "yes" (por lo que root podr� entrar directamente por
- ssh). El mantenedor opina que �sta es la opci�n por defecto m�s adecuada
- (consulte README.Debian para conocer m�s detalles), pero recuerde que
- siempre puede editar sshd_config y cambiarlo.
- .
- Es muy recomendable generar ahora autom�ticamente un nuevo fichero de
- configuraci�n.
-Template: ssh/protocol2_only
 Type: boolean
 Default: true
-Description: Allow SSH protocol 2 only
+Description: Do you want to run the sshd server ?
- This version of OpenSSH supports version 2 of the ssh protocol, which is
+ This package contains both the ssh client, and the sshd server.
- much more secure.  Disabling ssh 1 is encouraged, however this will slow
- things down on low end machines and might prevent older clients from
- connecting (the ssh client shipped with "potato" is affected).
 .
- Also please note that keys used for protocol 1 are different so you will
+ Normally the sshd Secure Shell Server will be run to allow remote logins
- not be able to use them if you only allow protocol 2 connections.
+ via ssh.
 .
- If you later change your mind about this setting, README.Debian has
+ If you are only interested in using the ssh client for outbound
- instructions on what to do to your sshd_config file.
+ connections on this machine, and don't want to log into it at all using
-Description-es: Permitir s�lo la versi�n 2 del protocolo SSH
+ ssh, then you can disable sshd here.
- Esta versi�n de OpenSSH soporta la versi�n 2 del protocolo ssh, que es
+Description-es: �Quiere ejecutar el servidor sshd?
- mucho m�s segura que la anterior. Se recomienda no usar ssh versi�n 1,
+ Este paquete contiene el cliente ssh y el servidor sshd.
- aunque ir� m�s lento en m�quinas modestas y puede impedir que se conecten
- clientes antiguos, como por ejemplo el cliente de ssh incluido en
- "potato".
 .
- Tambi�n tenga en cuenta que las claves utilizadas para el protocolo 1 son
+ Generalmente, el servidor de ssh (Secure Shell Server) se ejecuta para
- diferentes, por lo que no podr� usarlas si �nicamente permite conexiones
+ permitir el acceso remoto mediante ssh.
- mediante el protocolo 2.
 .
- Si cambia de opini�n m�s tarde, el fichero README.Debian contiene
+ Si s�lo est� interesado en usar el cliente ssh en conexiones salientes del
- instrucciones sobre qu� ha de cambiar en el fichero sshd_config.
+ sistema y no quiere acceder a �l mediante ssh, entonces puede desactivar
+ sshd.
-Template: ssh/ssh2_keys_merged
-Type: note
-Description: ssh2 keys merged in configuration files
- As of version 3 OpenSSH no longer uses separate files for ssh1 and ssh2
- keys. This means the authorized_keys2 and known_hosts2 files are no longer
- needed. They will still be read in order to maintain backwards
- compatibility
-Description-es: Las claves ssh2 ya se incluyen en los ficheros de configuraci�n
- A partir de la versi�n 3, OpenSSH ya no utiliza ficheros diferentes para
- las claves ssh1 y ssh2. Esto quiere decir que ya no son necesarios los
- ficheros authorized_keys2 y known_hosts2, aunque a�n se seguir�n leyendo
- para mantener compatibilidad hacia atr�s.
 Template: ssh/use_old_init_script
 Type: boolean
@@ -84,13 +30,63 @@ Description: Do you want to continue (and risk killing active ssh sessions) ?
 .
 You can fix this by adding "--pidfile /var/run/sshd.pid" to the
 start-stop-daemon line in the stop section of the file.
-Description-es: �Desea continuar, a�n a riesgo de matar todas las sesiones ssh?
+Description-es: �Desea continuar, a�n a riesgo de matar las sesiones ssh activas?
- La versi�n de /etc/init.d/ssh que tiene instalada, es muy probable que
+ La versi�n de /etc/init.d/ssh que tiene instalada es muy probable que
- mate el demonio ssh. Si est� actualizando mediante una sesi�n ssh, puede
+ mate el demonio ssh. Si est� actualizando a trav�s de una sesi�n ssh,
- no ser muy buena idea.
+ puede que no sea muy buena idea.
 .
 Puede arreglarlo a�adiendo "--pidfile /var/run/sshd.pid" a la l�nea
- 'start-stop-daemon' en la secci�n 'stop' del fichero.
+ 'start-stop-daemon', en la secci�n 'stop' del fichero.
+Template: ssh/SUID_client
+Type: boolean
+Default: true
+Description: Do you want /usr/lib/ssh-keysign to be installed SUID root?
+ You have the option of installing the ssh-keysign helper with the SUID bit
+ set.
+ .
+ If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2
+ host-based authentication.
+ .
+ If in doubt, I suggest you install it with SUID.  If it causes problems
+ you can change your mind later by running:   dpkg-reconfigure ssh
+Description-es: �Quiere instalar /usr/lib/ssh-keysign SUID root?
+ Puede instalar ssh-keysign con el bit SUID (se ejecutar� con privilegios
+ de root).
+ .
+ Si hace ssh-keysign SUID, podr� usar la autentificiaci�n basada en
+ servidor de la versi�n 2 del protocolo SSH.
+ .
+ Si duda, se recomienda que lo instale SUID. Si surgen problemas puede
+ cambiar de opini�n posteriormente ejecutando �dpkg-reconfigure ssh�.
+Template: ssh/encrypted_host_key_but_no_keygen
+Type: note
+Description: Warning: you must create a new host key
+ There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted. OpenSSH
+ can not handle this host key file, and I can't find the ssh-keygen utility
+ from the old (non-free) SSH installation.
+ .
+ You will need to generate a new host key.
+Description-es: Aviso: debe crear una nueva clave para su servidor
+ Su sistema tiene un /etc/ssh/ssh_host_key antiguo, que usa cifrado IDEA.
+ OpenSSH no puede manejar este fichero de claves y tampoco se encuentra la
+ utilidad ssh-keygen incluida en el paquete ssh no libre.
+ .
+ Necesitar� generar una nueva clave para su servidor.
+Template: ssh/insecure_telnetd
+Type: note
+Description: Warning: telnetd is installed --- probably not a good idea
+ I'd advise you to either remove the telnetd package (if you don't actually
+ need to offer telnet access) or install telnetd-ssl so that there is at
+ least some chance that telnet sessions will not be sending unencrypted
+ login/password and session information over the network.
+Description-es: Aviso: tiene telnetd instalado
+ Es muy aconsejable que borre el paquete telnetd si no necesita realmente
+ ofrecer acceso mediante telnet o instalar telnetd-ssl para que las
+ contrase�as, nombres de usuario y dem�s informaci�n de las sesiones telnet
+ no viajen sin cifrar por la red.
 Template: ssh/forward_warning
 Type: note
@@ -104,104 +100,167 @@ Description: NOTE: Forwarding of X11 and Authorization disabled by default.
 More details can be found in /usr/share/doc/ssh/README.Debian
 Description-es: NOTA: Reenv�o de X11 y Autorizaci�n desactivadas por defecto.
 Por razones de seguridad, la versi�n de ssh de Debian tiene por defecto
- ForwardX11 y ForwardAgent puestas a ``off''.
+ ForwardX11 y ForwardAgent desactivadas.
 .
- Puede activar estas opciones para los servidores en los que conf�e, en
+ Puede activar estas opciones para los servidores en los que conf�e, en los
- los ficheros de configuraci�n o con la opci�n -X en l�nea de comandos.
+ ficheros de configuraci�n o con la opci�n -X en l�nea de comandos.
 .
 Puede encontrar m�s detalles en /usr/share/doc/ssh/README.Debian.
+Template: ssh/privsep_tell
+Type: note
+Description: Privilege separation
+ This version of OpenSSH contains the new privilege separation option. This
+ significantly reduces the quantity of code that runs as root, and
+ therefore reduces the impact of security holes in sshd.
+ .
+ Unfortunately, privilege separation interacts badly with PAM. Any PAM
+ session modules that need to run as root (pam_mkhomedir, for example) will
+ fail, and PAM keyboard-interactive authentication won't work.
+ .
+ Privilege separation is turned on by default, so if you decide you want it
+ turned off, you need to add "UsePrivilegeSeparation no" to
+ /etc/ssh/sshd_config.
+ .
+ NB! If you are running a 2.0 series Linux kernel, then privilege
+ separation will not work at all, and your sshd will fail to start unless
+ you explicitly turn privilege separation off.
+Description-es: Separaci�n de privilegios
+ Esta versi�n de OpenSSH incluye una nueva opci�n de separaci�n de
+ privilegios que reduce significativamente la cantidad de c�digo que se
+ ejecuta como root, por lo que reduce el impacto de posibles agujeros de
+ seguridad en sshd.
+ .
+ Desafortunadamente, la separaci�n de privilegios no interact�a
+ correctamente con PAM. Cualquier m�dulo PAM que necesite ejecutarse como
+ root (como, por ejemplo, pam_mkhomedir) y la autentificaci�n interactiva
+ PAM con teclado no funcionar�n.
+ .
+ La separaci�n de privilegios est� activa por defecto, por lo que si decide
+ desactivarla, tiene que a�adir "UsePrivilegeSeparation no" al fichero
+ /etc/ssh/sshd_config.
+ .
+ Nota: Si utiliza un n�cleo Linux de la serie 2.0, la separaci�n de
+ privilegios fallar� estrepitosamente y sshd no funcionar� a no ser que la
+ desactive.
+Template: ssh/ssh2_keys_merged
+Type: note
+Description: ssh2 keys merged in configuration files
+ As of version 3 OpenSSH no longer uses separate files for ssh1 and ssh2
+ keys. This means the authorized_keys2 and known_hosts2 files are no longer
+ needed. They will still be read in order to maintain backwards
+ compatibility
+Description-es: Las claves ssh2 ya se incluyen en los ficheros de configuraci�n
+ A partir de la versi�n 3, OpenSSH ya no utiliza ficheros diferentes para
+ las claves ssh1 y ssh2. Esto quiere decir que ya no son necesarios los
+ ficheros authorized_keys2 y known_hosts2, aunque a�n se seguir�n leyendo
+ para mantener compatibilidad hacia atr�s.
+Template: ssh/protocol2_only
+Type: boolean
+Default: true
+Description: Allow SSH protocol 2 only
+ This version of OpenSSH supports version 2 of the ssh protocol, which is
+ much more secure.  Disabling ssh 1 is encouraged, however this will slow
+ things down on low end machines and might prevent older clients from
+ connecting (the ssh client shipped with "potato" is affected).
+ .
+ Also please note that keys used for protocol 1 are different so you will
+ not be able to use them if you only allow protocol 2 connections.
+ .
+ If you later change your mind about this setting, README.Debian has
+ instructions on what to do to your sshd_config file.
+Description-es: Permitir s�lo la versi�n 2 del protocolo SSH
+ Esta versi�n de OpenSSH soporta la versi�n 2 del protocolo ssh, que es
+ mucho m�s segura que la anterior. Se recomienda desactivar la versi�n 1,
+ aunque funcionar� m�s lento en m�quinas modestas y puede impedir que se
+ conecten clientes antiguos, como, por ejemplo, el incluido en "potato".
+ .
+ Tambi�n tenga en cuenta que las claves utilizadas para el protocolo 1 son
+ diferentes, por lo que no podr� usarlas si �nicamente permite conexiones
+ mediante la versi�n 2 del protocolo.
+ .
+ Si m�s tarde cambia de opini�n, el fichero README.Debian contiene
+ instrucciones sobre c�mo modificar en el fichero sshd_config.
 Template: ssh/insecure_rshd
 Type: note
 Description: Warning: rsh-server is installed --- probably not a good idea
 having rsh-server installed undermines the security that you were probably
 wanting to obtain by installing ssh.  I'd advise you to remove that
 package.
-Description-es: Aviso: tiene rsh-server instalado (no es una buena idea)
+Description-es: Aviso: tiene rsh-server instalado
 Tener rsh-server instalado representa un menoscabo de la seguridad que
- probablemente desea obtener instalando ssh. Le aconsejar�a borrar ese
+ probablemente desea obtener instalando ssh. Es muy aconsejable que borre
- paquete.
+ ese paquete.
-Template: ssh/insecure_telnetd
+Template: ssh/privsep_ask
-Type: note
-Description: Warning: telnetd is installed --- probably not a good idea
- I'd advise you to either remove the telnetd package (if you don't actually
- need to offer telnet access) or install telnetd-ssl so that there is at
- least some chance that telnet sessions will not be sending unencrypted
- login/password and session information over the network.
-Description-es: Aviso: tiene telnetd instalado (no es una buena idea)
- Le aconsejar�a borrar el paquete telnetd si no necesita realmente
- ofrecer acceso mediante telnet o instalar telnetd-ssl para que las
- contrase�as, login y dem�s informaci�n de las sesiones telnet no viajen
- sin cifrar por la red.
-Template: ssh/encrypted_host_key_but_no_keygen
-Type: note
-Description: Warning: you must create a new host key
- There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted. OpenSSH
- can not handle this host key file, and I can't find the ssh-keygen utility
- from the old (non-free) SSH installation.
- .
- You will need to generate a new host key.
-Description-es: Aviso: debe crear una nueva clave para su servidor
- Su sistema tiene un /etc/ssh/ssh_host_key antiguo, que usa cifrado IDEA.
- OpenSSH no puede manejar este fichero de claves y tampoco se encuentra la
- utilidad ssh-keygen incluida en el paquete ssh no libre.
- .
- Necesitar� generar una nueva clave para su servidor.
-Template: ssh/SUID_client
 Type: boolean
 Default: true
-Description: Do you want /usr/bin/ssh to be installed SUID root?
+Description: Enable Privilege separation
- You have the option of installing the ssh client with the SUID bit set.
+ This version of OpenSSH contains the new privilege separation option. This
+ significantly reduces the quantity of code that runs as root, and
+ therefore reduces the impact of security holes in sshd.
 .
- If you make ssh SUID, you will be able to use Rhosts/RhostsRSA
+ Unfortunately, privilege separation interacts badly with PAM. Any PAM
- authentication, but will not be able to use socks via the LD_PRELOAD
+ session modules that need to run as root (pam_mkhomedir, for example) will
- trick.  This is the traditional approach.
+ fail, and PAM keyboard-interactive authentication won't work.
 .
- If you do not make ssh SUID, you will be able to use socks, but
+ Since you've opted to have me generate an sshd_config file for you, you
- Rhosts/RhostsRSA authentication will stop working, which may stop you
+ can choose whether or not to have Privilege Separation turned on or not.
- logging in to remote systems.  It will also mean that the source port will
+ Unless you are running 2.0 (in which case you *must* say no here or your
- be above 1024, which may confound firewall rules you've set up.
+ sshd won't start at all) or know you need to use PAM features that won't
+ work with this option, you should say yes here.
+Description-es: Activar separaci�n de privilegios
+ Esta versi�n de OpenSSH incluye una nueva opci�n de separaci�n de
+ privilegios que reduce significativamente la cantidad de c�digo que se
+ ejecuta como root, por lo que reduce el impacto de posibles agujeros de
+ seguridad en sshd.
 .
- If in doubt, I suggest you install it with SUID.  If it causes problems
+ Desafortunadamente, la separaci�n de privilegios no interact�a
- you can change your mind later by running:   dpkg-reconfigure ssh 
+ correctamente con PAM. Cualquier m�dulo PAM que necesite ejecutarse como
-Description-es: �Desea hacer que /usr/bin/ssh se ejecute con permisos de root?
+ root (como, por ejemplo, pam_mkhomedir) y la autentificaci�n PAM mediante
- Tiene la posibilidad de instalar el cliente ssh setuid root.
+ teclado no funcionar�n.
- .
+ .
- Instalarlo setuid root le permitir� usar la autentificaci�n
+ Puesto que ha elegido crear autom�ticamente el fichero sshd_config, puede
- Rhosts/RhostsRSA, pero no podr� usar socks mediante el truco de
+ decidir ahora si quiere activar la opci�n de separaci�n de privilegios. A
- LD_PRELOAD. Tradicionalmente, este ha sido el enfoque m�s habitual.
+ menos que utilice la versi�n 2.0 (en cuyo caso debe responer no aqu� o
- .
+ sshd no arrancar�) o sepa que necesita usar ciertas caracter�sticas de PAM
- Si no hace ssh setuid, podr� usar socks pero la autentificaci�n
+ que funcionan con esta opci�n, deber�a responder s� a esta pregunta.
- Rhosts/RhostsRSA dejar� de funcionar, lo cual le puede impedir el acceso
- a sistemas remotos. Tambi�n significar� que el puerto de origen se
- encontrar� por encima del 1024, lo cual puede confundir a las reglas del
- cortafuegos que haya configurado.
- .
- Si tiene dudas, le sugiero que lo instale sin setuid. Si esto le causa
- alg�n problema puede cambiar posteriormente la configuraci�n ejecutando:
- dpkg-reconfigure ssh
-Template: ssh/run_sshd
+Template: ssh/new_config
 Type: boolean
 Default: true
-Description: Do you want to run the sshd server ?
+Description: Generate new configuration file
- This package contains both the ssh client, and the sshd server.
+ This version of OpenSSH has a considerably changed configuration file from
+ the version shipped in Debian 'Potato', which you appear to be upgrading
+ from. I can now generate you a new configuration file
+ (/etc/ssh/sshd.config), which will work with the new server version, but
+ will not contain any customisations you made with the old version.
 .
- Normally the sshd Secure Shell Server will be run to allow remote logins
+ Please note that this new configuration file will set the value of
- via ssh.
+ 'PermitRootLogin' to yes (meaning that anyone knowing the root password
+ can ssh directly in as root). It is the opinion of the maintainer that
+ this is the correct default (see README.Debian for more details), but you
+ can always edit sshd_config and set it to no if you wish.
 .
- If you are only interested in using the ssh client for outbound
+ It is strongly recommended that you let me generate a new configuration
- connections on this machine, and don't want to log into it at all using
+ file for you.
- ssh, then you can disable sshd here.
+Description-es: Generar un nuevo fichero de configuraci�n
-Description-es: �Quiere ejecutar el servidor sshd?
+ Esta versi�n de OpenSSH tiene un fichero de configuraci�n
- Este paquete contiene el cliente ssh y el servidor sshd.
+ considerablemente diferente del incluido en Debian Potato, que es la
+ versi�n desde la que parece estar actualizando. Puede crear
+ autom�ticamente un nuevo fichero de configuraci�n (/etc/ssh/sshd_config),
+ que funcionar� con la nueva versi�n del servidor, pero no incuir� las
+ modificaciones que hiciera en la versi�n antigua.
 .
- Generalmente, el servidor de ssh se ejecuta para permitir el acceso
+ Adem�s, recuerde que este nuevo fichero de configuraci�n dir� s� en la
- mediante ssh.
+ opci�n 'PermitRootLogin', por lo que cualquiera que conozca la contrase�a
+ de root podr� entrar mediante ssh directamente como root. En opini�n del
+ mantenedor �sta es la opci�n predeterminada m�s adecuada (puede leer
+ README.Debian si quiere conocer m�s detalles), pero siempre puede editar
+ sshd_config y poner no si lo desea.
 .
- Si s�lo est� interesado en usar el cliente ssh en conexiones salientes de
+ Es muy recomendable que permita que se genere un nuevo fichero de
- esta m�quina, y no quiere acceder a ella mediante ssh, entonces puede
+ configuraci�n ahora.
- desactivar sshd.
diff --git a/debian/templates.fr b/debian/templates.fr
index f23a83ae1..5eee0f92a 100644
--- a/debian/templates.fr
+++ b/debian/templates.fr
@@ -12,30 +12,29 @@ Description: Privilege separation
 .
 Privilege separation is turned on by default, so if you decide you
 want it turned off, you need to add "UsePrivilegeSeparation no" to
- /etc/ssh/sshd_config 
+ /etc/ssh/sshd_config.
 .
 NB! If you are running a 2.0 series Linux kernel, then privilege
 separation will not work at all, and your sshd will fail to start
- unless you explicity turn privilege separation off.
+ unless you explicitly turn privilege separation off.
-Description-fr: La s�paration des privil�ges
+Description-fr: S�paration des privil�ges
- Cette version d'OpenSSH est livr�e avec la nouvelle option de 
+ Cette version d'OpenSSH est livr�e avec la nouvelle option de
- s�paration des privil�ges. Cel� r�duit de mani�re signifiante la 
+ s�paration des privil�ges. Cela r�duit de mani�re significative la
- quantit� de code s'ex�ctutant en tant que root, et donc r�duit 
+ quantit� de code s'ex�cutant en tant que super-utilisateur, et donc
- l'impact des trous de s�curit� dans sshd.
+ r�duit l'impact des trous de s�curit� dans sshd.
- .
+ .
- Malheureusement, la s�paration des privil�ges int�ragit mal avec PAM.
+ Malheureusement, la s�paration des privil�ges interagit mal avec PAM.
- Tous les modules de session PAM ayant besoin d'�tre ex�cut� en tant que
+ Tous les modules de session PAM qui doivent �tre ex�cut�s en tant
- root (pam_mkhomedir, par exemple) ne s'ex�cutera pas, et
+ que super-utilisateur (pam_mkhomedir, par exemple) ne s'ex�cuteront
- l'authentification int�ractive au clavier ne fonctionnera pas.
+ pas, et l'authentification interactive au clavier ne fonctionnera pas.
- .
+ .
- La s�paration des privil�ges est activ�e par d�faut, donc si vous
+ La s�paration des privil�ges est activ�e par d�faut ; si vous
- souhaitez la d�sactiver, vous devez ajouter �UsePrivilegeSeparation no� 
+ souhaitez la d�sactiver, vous devez ajouter ��UsePrivilegeSeparation
- dans /etc/ssh/sshd_config
+ no�� dans /etc/ssh/sshd_config.
- .
+ .
- NB! Si vous avez un noyau Linux de la s�rie des 2.0, alors la
+ NB�! Si vous avez un noyau Linux de la s�rie des 2.0, la s�paration
- s�paration des privil�ges ne fonctionnera pas, et votre d�mon sshd ne
+ des privil�ges ne fonctionne pas, et votre d�mon sshd ne se lancera
- se lancera pas jusqu'� ce que vous d�sactiviez explicitement la
+ que si vous avez explicitement d�sactiv� la s�paration des privil�ges.
- s�paration des privil�ges.
 Template: ssh/privsep_ask
 Type: boolean
@@ -55,23 +54,24 @@ Description: Enable Privilege separation
 or not. Unless you are running 2.0 (in which case you *must* say no
 here or your sshd won't start at all) or know you need to use PAM
 features that won't work with this option, you should say yes here.
-Description-fr: Activation de la s�paration des privil�ges
+Description-fr: Activer la s�paration des privil�ges
- Cette version d'OpenSSH est livr�e avec la nouvelle option de 
+ Cette version d'OpenSSH est livr�e avec la nouvelle option de
- s�paration des privil�ges. Cel� r�duit de mani�re signifiante la 
+ s�paration des privil�ges. Cela r�duit de mani�re significative la
- quantit� de code s'ex�ctutant en tant que root, et donc r�duit 
+ quantit� de code s'ex�cutant en tant que super-utilisateur, et donc
- l'impact des trous de s�curit� dans sshd.
+ r�duit l'impact des trous de s�curit� dans sshd.
- .
+ .
- Malheureusement, la s�paration des privil�ges int�ragit mal avec PAM.
+ Malheureusement, la s�paration des privil�ges interagit mal avec PAM.
- Tous les modules de session PAM ayant besoin d'�tre ex�cut� en tant que
+ Tous les modules de session PAM qui doivent �tre ex�cut�s en tant
- root (pam_mkhomedir, par exemple) ne s'ex�cutera pas, et
+ que super-utilisateur (pam_mkhomedir, par exemple) ne s'ex�cuteront
- l'authentification int�ractive au clavier ne fonctionnera pas.
+ pas, et l'authentification interactive au clavier ne fonctionnera pas.
- .
+ .
- Comme vous souhaitez que je g�n�re le fichier de configuration � votre
+ Comme vous souhaitez que je g�n�re le fichier de configuration
- place, vous pouvez choisir d'activer ou non l'option de s�paration des
+ sshd_config � votre place, vous pouvez choisir d'activer ou non
- privil�ges. Si vous utilisez un noyau 2.0 (dans ce cas vous *devez*
+ l'option de s�paration des privil�ges. Si vous utilisez un noyau 2.0
- r�pondre non ici ou bien sshd ne se lancera pas) ou bien si vous avez
+ (dans ce cas vous *devez* d�sactiver cette option ou alors sshd ne se
- besoin de fonctionnalit�s PAM, cela ne fonctionnera pas avec cette
+ lancera pas) ou bien si vous avez besoin de fonctionnalit�s PAM, cela
- option d'activ�e, dans le cas contraire vous pouvez dire oui.
+ ne fonctionnera pas si cette option est activ�e, dans le cas contraire
+ vous devriez l'activer.
 Template: ssh/new_config
 Type: boolean
@@ -90,26 +90,26 @@ Description: Generate new configuration file
 edit sshd_config and set it to no if you wish.
 .
 It is strongly recommended that you let me generate a new configuration file 
- for you 
+ for you.
-Description-fr: G�n�ration du fichier de configuration
+Description-fr: Cr�er un nouveau fichier de configuration
- Cette version d'OpenSSH poss�de un fichier de configuration
+ Cette version d'OpenSSH utilise un fichier de configuration qui a
- consid�rablement diff�rent de celui fournit avec la Debian 'Potato',
+ �norm�ment chang� depuis la version contenue dans la distribution
- qui apparement est la version � partir de laquelle vous effectuez la
+ Debian ��Potato��, depuis laquelle vous semblez faire une mise � jour.
- mise � jour. Je peux g�n�rer pour vous un nouveau fichier de
+ Je peux g�n�rer maintenant pour vous un nouveau fichier de
- configuration (/etc/ssh/sshd_config), lequel fonctionnera avec la
+ configuration (/etc/ssh/sshd.config) qui marchera avec la nouvelle
- nouvelle version du serveur, mais ne contiendra aucuns des param�trages
+ version du serveur, mais ne contiendra aucun des r�glages que vous avez
- personnels que vous avaient d�j� fait.
+ faits sur l'ancienne version.
- .
+ .
- Notez que le nouveau fichier de configuration mettre l'option
+ Veuillez noter que ce nouveau fichier de configuration positionnera la
- 'PermitRootLogin' � yes (signifiant que toute personne connaissant le
+ valeur de ��PermitRootLogin�� � ��yes�� (ce qui signifie que quiconque
- mot de passe root pourra directement se connecter en tant que root).
+ connaissant le mot de passe du super-utilisateur peut se connecter
- C'est ce que consid�re comme option par d�faut le mainteneur (voir le
+ en tant que tel sur la machine). Le responsable du paquet
- fichier README.Debian pour plus de d�tails), mais vous pouvez toujours
+ pense que c'est l� un comportement par d�faut normal (lisez
- �diter le fichier sshd_config et mettre la valeur � no si vous le
+ README.Debian pour plus d'informations), mais vous pouvez toujours
- souhaitez.
+ �diter le fichier sshd_config et changer cela.
- .
+ .
- Il est fortement conseill� de me laisser g�n�rer le nouveau fichier de
+ Il est fortement recommand� que vous me laissiez g�n�rer le nouveau
- configuration � votre place.
+ fichier de configuration.
 Template: ssh/protocol2_only
 Type: boolean
@@ -126,20 +126,19 @@ Description: Allow SSH protocol 2 only
 If you later change your mind about this setting, README.Debian has 
 instructions on what to do to your sshd_config file.
 Description-fr: Permettre seulement la version 2 du protocole SSH
- Cette version d'OpenSSH supporte la version 2 du protocole ssh, lequel
+ Cette version d'OpenSSH conna�t la version 2 du protocole ssh, qui est
- �tant beaucoup plus s�curis�. D�sactiver ssh 1 est conseill�, sinon
+ bien plus s�re. D�sactiver ssh 1 est une bonne chose, cependant cela
- cela risque de ralentir les transactions et les machines et cela peut
+ peut ralentir les machines peu puissantes et pourrait emp�cher ceux qui
- pr�venir de la connexion d'anciens client (le client ssh fournit dans
+ utilisent des vieilles versions de la partie cliente de se connecter
- la �potato� est affect�).
+ (le client ssh de la distribution Debian ��Potato�� en fait partie).
- .
+ .
- De plus, les cl�s utilis�s par la version 1 du protocol sont
+ De plus, les cl�s utilis�es par la version 1 du protocole sont
- diff�rentes et vous ne serez donc plus capable de les utiliser si vous
+ diff�rentes et vous ne pourrez pas les utiliser si vous
- n'autoriser seulement que les connexions utilisant la version 2 du
+ n'autorisez que les connexions utilisant la version 2 du protocole.
- protocole.
+ .
- .
+ Si vous changez d'avis ult�rieurement et d�cidez de modifier ce
- Si vous changez d'avis ult�rieurement par rapport � ce point de
+ r�glage, les instructions fournies dans le fichier README.Debian vous
- configuration, les instructions sur ce que vous devez modifier dans le
+ indiquent comment modifier le fichier sshd_config.
- fichier sshd_config sont fournies dans le README.Debian.
 Template: ssh/ssh2_keys_merged
 Type: note
@@ -148,11 +147,11 @@ Description: ssh2 keys merged in configuration files
 ssh2 keys. This means the authorized_keys2 and known_hosts2 files
 are no longer needed. They will still be read in order to maintain
 backwards compatibility
-Description-fr: Agr�gation des cl�s ssh2 dans le fichier de configuration
+Description-fr: Cl�s pour ssh2 fusionn�es dans les fichiers de configuration
- �tant donn� que la version 3 d'OpenSSH n'utilise plus de fichiers
+ OpenSSH, depuis sa version 3, n'utilise plus de fichiers distincts pour
- s�par� pour les cl�s ssh1 et ssh2. Cela signifie que les fichier
+ les cl�s ssh1 et ssh2. Cela signifie que les fichiers authorized_keys2
- authorized_key2 et known_hosts2 ne sont plus n�cessaires. Ils sont
+ et known_hosts2 ne sont plus utiles. Ils seront n�anmoins lus afin de
- quand m�me lus afin de concerver une compatibilit� ascendante.
+ pr�server la compatibilit� descendante.
 Template: ssh/use_old_init_script
 Type: boolean
@@ -164,13 +163,14 @@ Description: Do you want to continue (and risk killing active ssh sessions) ?
 .
 You can fix this by adding "--pidfile /var/run/sshd.pid" to the
 start-stop-daemon line in the stop section of the file.
-Description-fr: Voulez vous continuer (et risquer de rompre les sessions ssh actives) ?
+Description-fr: Voulez-vous continuer (et risquer de rompre les sessions ssh actives)�?
 Il est probable que la version de /etc/init.d/ssh install�e en ce moment
- tue toutes les instances de sshd lanc�es en ce moment. Si vous faite une
+ tue toutes les instances de sshd en cours. En cas de mise � jour par ssh,
- mise � jour via ssh, ca serait une Mauvaise Chose(tm).
+ �a serait une mauvaise id�e.
 .
- Vous pouvez corriger /etc/init.d/ssh en ajoutant '--pidfile /var/run/sshd.pid'
+ Vous pouvez corriger cela en ajoutant dans /etc/init.d/ssh ��--pidfile
- a la ligne 'start-stop-daemon' dans la section 'stop' du fichier.
+ /var/run/sshd.pid�� � la ligne ��start-stop-daemon�� dans la section
+ ��stop�� du fichier.
 Template: ssh/forward_warning
 Type: note
@@ -182,11 +182,11 @@ Description: NOTE: Forwarding of X11 and Authorization disabled by default.
 in one of the configuration files, or with the -X command line option.
 .
 More details can be found in /usr/share/doc/ssh/README.Debian
-Description-fr: NOTE: Suivi de session X11 et d'agent d'autorisation d�sactiv�s par d�faut.
+Description-fr: NOTE�: suivi de session X11 et d'agent d'autorisation d�sactiv�s par d�faut.
 Pour des raisons de s�curit�, la version Debian de ssh positionne les
- options ForwardX11 et ForwardAgent a ``Off'' par d�faut.
+ options ForwardX11 et ForwardAgent � ��Off�� par d�faut.
 .
- Vous pouvez activer ces options pour les serveurs en lesquels vous avez
+ Vous pouvez activer ces options pour les serveurs en qui vous avez
 confiance, soit dans un des fichiers de configuration, soit avec l'option
 -X de la ligne de commande.
 .
@@ -197,10 +197,10 @@ Type: note
 Description: Warning: rsh-server is installed --- probably not a good idea
 having rsh-server installed undermines the security that you were probably
 wanting to obtain by installing ssh.  I'd advise you to remove that package.
-Description-fr: Attention: le paquet rsh-server est install� --- ce n'est probablement pas une bonne id�e
+Description-fr: Attention�: rsh-server est install� -- ce n'est probablement pas une bonne id�e
- Avoir un serveur rsh install� affaibli la s�curit� que vous vouliez
+ Avoir un serveur rsh install� affaiblit la s�curit� que vous vouliez
- probablement obtenir en installant ssh. Je vous conseillerais de
+ probablement obtenir en installant ssh. Je vous conseille de
- d�installer ce paquet.
+ supprimer ce paquet.
 Template: ssh/insecure_telnetd
 Type: note
@@ -209,12 +209,12 @@ Description: Warning: telnetd is installed --- probably not a good idea
 need to offer telnet access) or install telnetd-ssl so that there is at
 least some chance that telnet sessions will not be sending unencrypted
 login/password and session information over the network.
-Description-fr: Attention: le paquet telnetd est install� --- ce n'est probablement pas une bonne id�e
+Description-fr: Attention�: telnetd est install� -- ce n'est probablement pas une bonne id�e
- Je vous conseillerais de, soit enlever le paquet telnetd (si ce service
+ Je vous conseille soit d'enlever le paquet telnetd (si ce service
- n'est pas n�cessaire), soit de le remplacer par le paquet telnetd-ssl
+ n'est pas n�cessaire), soit de le remplacer par le paquet telnetd-ssl pour
- pour qu'il y ait au moins une chance que les sessions telnet soient
+ qu'il y ait au moins une chance que les sessions telnet soient chiffr�es
- encrypt�es et que les mot de passes et logins ne passent pas en clair sur
+ et que les mots de passe et noms d'utilisateurs ne passent pas en clair
- le r�seau.
+ sur le r�seau.
 Template: ssh/encrypted_host_key_but_no_keygen
 Type: note
@@ -224,10 +224,12 @@ Description: Warning: you must create a new host key
 ssh-keygen utility from the old (non-free) SSH installation.
 .
 You will need to generate a new host key.
-Description-fr: Attention: vous devez cr�er une nouvelle cl� d'h�te
+Description-fr: Attention�: vous devez cr�er une nouvelle cl� d'h�te
- Il existe un vieux /etc/ssh/ssh_host_key qui est encrypt� avec IDEA.
+ Il existe un vieux /etc/ssh/ssh_host_key qui est chiffr� avec IDEA.
 OpenSSH ne peut utiliser ce fichier de cl�, et je ne peux trouver
 l'utilitaire ssh-keygen de l'installation pr�c�dente (non libre) de SSH.
+ .
+ Vous aurez besoin de g�n�rer une nouvelle cl� d'h�te.
 Template: ssh/SUID_client
 Type: boolean
@@ -241,16 +243,17 @@ Description: Do you want /usr/lib/ssh-keysign to be installed SUID root?
 .
 If in doubt, I suggest you install it with SUID.  If it causes
 problems you can change your mind later by running:   dpkg-reconfigure ssh 
-Description-fr: Souhaitez-vous que /usr/lib/ssh-keysign soit install� avec le bit SETUID root d'activ� ?
+Description-fr: Voulez-vous que /usr/lib/ssh-keysign soit install� avec le bit SETUID activ��?
- Vous avez la possibilit� d'installer ssh-keysign avec le bit SETIUD
+ Vous avez la possibilit� d'installer ssh-keysign avec le bit SETUID
- d'activ�.
+ activ�.
 .
- Si vous mettez ssh�keysign avec le bit SETUID, vous permettrez
+ Si vous mettez ssh-keysign avec le bit SETUID, vous permettrez
- l'authentification bas� sur les h�tes de la version 2 du protocole ssh.
+ l'authentification bas�e sur les h�tes, disponible dans la version 2 du
+ protocole SSH.
 .
 Dans le doute, je vous sugg�re de l'installer avec le bit SETUID
- d'activ�. Si cela vous cause des probl�mes vous pourrez revenir sur
+ activ�. Si cela vous cause des probl�mes, vous pourrez revenir sur
- votre d�sicion: dpkg-reconfigure ssh
+ votre d�cision avec ��dpkg-reconfigure ssh��.
 Template: ssh/run_sshd
 Type: boolean
@@ -264,13 +267,12 @@ Description: Do you want to run the sshd server ?
 If you are only interested in using the ssh client for outbound
 connections on this machine, and don't want to log into it at all
 using ssh, then you can disable sshd here.
-Description-fr: Voulez vous utiliser le serveur sshd ?
+Description-fr: Voulez-vous utiliser le serveur sshd�?
- Ce paquet contient a la fois le client ssh et le serveur sshd.
+ Ce paquet contient � la fois le client ssh et le serveur sshd.
 .
- Normalement le serveur sshd sera lanc� pour permettre les logins distants
+ Normalement le serveur sshd est lanc� pour permettre les connexions
- via ssh.
+ distantes via ssh.
 .
- Si vous d�sirez seulement utiliser le client ssh pour vous connecter a
+ Si vous d�sirez seulement utiliser le client ssh pour des connexions vers
- distance sur d'autres machines a partir de celle-ci, et que vous ne
+ l'ext�rieur, ou si vous ne voulez pas vous connecter sur cette machine 
- voulez pas vous logguer sur cette machine a distance via ssh, alors vous
+ via ssh, vous pouvez d�sactiver sshd maintenant.
- pouvez d�sactiver sshd maintenant.
diff --git a/debian/templates.pl b/debian/templates.pl
new file mode 100644
index 000000000..d4b8fda6d
--- /dev/null
+++ b/debian/templates.pl
@@ -0,0 +1,264 @@
+Template: ssh/privsep_tell
+Type: note
+Description: Privilege separation
+ This version of OpenSSH contains the new privilege separation
+ option. This significantly reduces the quantity of code that runs as
+ root, and therefore reduces the impact of security holes in sshd.
+ .
+ Unfortunately, privilege separation interacts badly with PAM. Any
+ PAM session modules that need to run as root (pam_mkhomedir, for
+ example) will fail, and PAM keyboard-interactive authentication 
+ won't work.
+ .
+ Privilege separation is turned on by default, so if you decide you
+ want it turned off, you need to add "UsePrivilegeSeparation no" to
+ /etc/ssh/sshd_config.
+ .
+ NB! If you are running a 2.0 series Linux kernel, then privilege
+ separation will not work at all, and your sshd will fail to start
+ unless you explicitly turn privilege separation off.
+Description-pl: Separacja uprawnie�
+ Ta wersja OpenSSH zawiera now� opcj� separacji uprawnie�. Znacz�co
+ zmniejsza ona ilo�� kodu, kt�ry jest uruchamiany jako root i co
+ za tym idzie redukuje efekty luk bezpiecze�stwa w sshd.
+ .
+ Niestety separacja uprawnie� �le reaguje z PAMem. Jakikolwiek modu�
+ sesji PAM, kt�ry musi by� uruchamiany jako root (pam_mkhomedir, na
+ przyk�ad) zawiedzie. Nie b�dzie dzia�a� r�wnie� interaktywna 
+ autentykacja z klawiatury (keyboard-interactive authentication).
+ .
+ Separacja uprawnie� jest domy�lnie w��czona, wi�c je�li zdecydujesz
+ si� j� wy��czy�, musisz doda� "UsePrivilegeSeparation no" do pliku
+ /etc/ssh/sshd_config.
+ .
+ UWAGA! Je�eli u�ywasz j�dra Linux'a z serii 2.0, to separacja uprawnie�
+ w og�le nie b�dzie dzia�a� i sshd nie wystartuje dop�ki w�asnor�cznie
+ nie wy��czysz separacji uprawnie� w /etc/ssh/sshd_config.
+Template: ssh/privsep_ask
+Type: boolean
+Default: true
+Description: Enable Privilege separation
+ This version of OpenSSH contains the new privilege separation
+ option. This significantly reduces the quantity of code that runs as
+ root, and therefore reduces the impact of security holes in sshd.
+ .
+ Unfortunately, privilege separation interacts badly with PAM. Any
+ PAM session modules that need to run as root (pam_mkhomedir, for
+ example) will fail, and PAM keyboard-interactive authentication 
+ won't work.
+ .
+ Since you've opted to have me generate an sshd_config file for you,
+ you can choose whether or not to have Privilege Separation turned on
+ or not. Unless you are running 2.0 (in which case you *must* say no
+ here or your sshd won't start at all) or know you need to use PAM
+ features that won't work with this option, you should say yes here.
+Description-pl: W��czenie separacji uprawnie�
+ Ta wersja OpenSSH zawiera now� opcj� separacji uprawnie�. Znacz�co
+ zmniejsza ona ilo�� kodu, kt�ry jest uruchamiany jako root i co
+ za tym idzie redukuje efekty luk bezpiecze�stwa w sshd.
+ .
+ Niestety separacja uprawnie� �le reaguje z PAMem. Jakikolwiek modu�
+ sesji PAM, kt�ry musi by� uruchamiany jako root (pam_mkhomedir, na
+ przyk�ad) zawiedzie. Nie b�dzie dzia�a� r�wnie� interaktywna 
+ autentykacja z klawiatury (keyboard-interactive authentication).
+ .
+ Zdecydowa�e� si� na to abym wygenerowa� dla ciebie plik sshd_config,
+ i mo�esz wybra� czy chcesz w��czy� Separacj� Uprawnie�, czy te� nie.
+ Je�li nie u�ywasz j�dra z serii 2.0 (w kt�rym to przypadku *musisz*
+ odpowiedzie� tutaj 'nie' albo sshd w og�le nie ruszy) i je�li nie 
+ musisz korzysta� z mo�liwo�ci PAMa, kt�re nie b�d� dzia�a�y z t� opcj�,
+ powiniene� odpowiedzie� tutaj 'tak'.
+Template: ssh/new_config
+Type: boolean
+Default: true
+Description: Generate new configuration file
+ This version of OpenSSH has a considerably changed configuration file from 
+ the version shipped in Debian 'Potato', which you appear to be upgrading from.
+ I can now generate you a new configuration file (/etc/ssh/sshd.config), which
+ will work with the new server version, but will not contain any customisations
+ you made with the old version. 
+ .
+ Please note that this new configuration file will set the value of 
+ 'PermitRootLogin' to yes (meaning that anyone knowing the root password can
+ ssh directly in as root). It is the opinion of the maintainer that this is
+ the correct default (see README.Debian for more details), but you can always
+ edit sshd_config and set it to no if you wish.
+ .
+ It is strongly recommended that you let me generate a new configuration file 
+ for you.
+Description-pl: Wygeneruj nowy plik konfiguracyjny
+ W tej wersji OpenSSH zmieni� si� plik konfiguracyjny w stosunku do wersji 
+ dostarczanej z Debianem 'Potato', kt�r� zdajesz si� aktualizowa�. Mog� teraz 
+ wygenerowa� nowy plik konfiguracyjny (/etc/ssh/sshd.config), kt�ry b�dzie
+ dzia�a� z now� wersj� serwera, ale nie b�dzie zawiera� �adnych dokonanych
+ przez ciebie w starej wersji zmian.
+ .
+ Zauwa� prosz�, �e nowy plik konfiguracyjny b�dzie ustawia� warto�� opcji
+ 'PermitRootLogin' na 'tak' (co oznacza, �e ka�dy kto zna has�o root'a mo�e
+ zdalnie zalogowa� si� przez ssh jako root). W opinii opiekuna pakietu to
+ jest poprawna warto�� domy�lna (szczeg�y w README.Debian), ale mo�esz sobie
+ wyedytowa� sshd_config i ustawi� t� opcj� na 'nie' je�li si� z t� opini� nie
+ zgadzasz.
+ .
+ Jest bardzo wskazane aby� pozwoli� mi wygenerowa� nowy plik konfiguracyjny.
+Template: ssh/protocol2_only
+Type: boolean
+Default: true
+Description: Allow SSH protocol 2 only
+ This version of OpenSSH supports version 2 of the ssh protocol, which
+ is much more secure.  Disabling ssh 1 is encouraged, however this
+ will slow things down on low end machines and might prevent older
+ clients from connecting (the ssh client shipped with "potato" is affected).
+ .
+ Also please note that keys used for protocol 1 are different so you will
+ not be able to use them if you only allow protocol 2 connections.
+ .
+ If you later change your mind about this setting, README.Debian has 
+ instructions on what to do to your sshd_config file.
+Description-pl: Zezwalaj wy��cznie na wersj� 2 protoko�u SSH
+ Ta wersja OpenSSH wspiera drug� wersj� protoko�u ssh, kt�ra jest znacznie
+ bardziej bezpieczna. Wy��czenie ssh 1 jest zalecane, cho� spowalnia to
+ dzia�anie na starych maszynach i mo�e uniemo�liwi� po��czenie starszym
+ wersjom klient�w (dotyczy to np. klienta ssh do��czanego do "potato").
+ .
+ Ponadto, zauwa� prosz�, �e klucze u�ywane przez protok� 1 s� inne, wi�c
+ nie b�dziesz m�g� ich u�ywa� je�li zezwolisz na korzystanie wy��cznie z
+ wersji 2 protoko�u.
+ .
+ Je�li p�niej zmienisz zdanie co do tego ustawienia, to instrukcje co 
+ zmieni� w sshd_config znajduj� si� w README.Debian.
+Template: ssh/ssh2_keys_merged
+Type: note
+Description: ssh2 keys merged in configuration files
+ As of version 3 OpenSSH no longer uses separate files for ssh1 and
+ ssh2 keys. This means the authorized_keys2 and known_hosts2 files
+ are no longer needed. They will still be read in order to maintain
+ backwards compatibility
+Description-pl: klucze ssh2 w��czone do plik�w konfiguracyjnych
+ Pocz�wszy od wersji 3 OpenSSH nie u�ywa ju� osobnych plik�w dla kluczy
+ ssh1 i ssh2. Oznacza to, �e pliki authorized_keys2 i known_hosts2 nie
+ s� ju� potrzebne. B�d� one jednak odczytywane aby zachowa� wsteczn�
+ kompatybilno��.
+Template: ssh/use_old_init_script
+Type: boolean
+Default: false
+Description: Do you want to continue (and risk killing active ssh sessions) ?
+ The version of /etc/init.d/ssh that you have installed, is likely to kill
+ all running sshd instances.  If you are doing this upgrade via an ssh
+ session, that would be a Bad Thing(tm).
+ .
+ You can fix this by adding "--pidfile /var/run/sshd.pid" to the
+ start-stop-daemon line in the stop section of the file.
+Description-pl: Czy chcesz kontynuowa� (i ryzykowa� zabicie aktywnych sesji ssh) ?
+ Zainstalowana w�a�nie wersja /etc/init.d/ssh mo�e zabi� wszystkie dzia�aj�ce
+ obecnie kopie sshd. Je�li robisz ten upgrade via ssh, to by�aby Z�a Rzecz(tm).
+ .
+ Mo�esz to naprawi� dodaj�c "--pidfile /var/run/sshd.pid" do linijki
+ start-stop-daemon w sekcji stop tego pliku.
+Template: ssh/forward_warning
+Type: note
+Description: NOTE: Forwarding of X11 and Authorization disabled by default.
+ For security reasons, the Debian version of ssh has ForwardX11 and
+ ForwardAgent set to ``off'' by default.
+ .
+ You can enable it for servers you trust, either
+ in one of the configuration files, or with the -X command line option.
+ .
+ More details can be found in /usr/share/doc/ssh/README.Debian
+Description-pl: UWAGA: Przekazywanie (forwarding) X11 i Autoryzacji jest domy�lnie wy��czone.
+ Ze wzgl�d�w bezpiecze�stwa Debianowa wersja ssh ma ForwardX11 i ForwardAgent
+ ustawione  domy�lnie na 'off'.
+ .
+ Dla zaufanych serwer�w mo�esz w��czy� te opcje w pliku konfiguracyjnym lub
+ przy pomocy opcji -X z linii komend.
+ .
+ Wi�cej szczeg��w znajdziesz w /usr/share/doc/ssh/README.Debian.
+Template: ssh/insecure_rshd
+Type: note
+Description: Warning: rsh-server is installed --- probably not a good idea
+ having rsh-server installed undermines the security that you were probably
+ wanting to obtain by installing ssh.  I'd advise you to remove that package.
+Description-pl: Uwaga: serwer rsh jest zainstalowany --- prawdopodobnie nienajlepszy pomys�
+ Posiadanie zainstalowanego serwera rsh podminowuje zabezpieczenia, kt�re 
+ prawdopodobnie starasz si� uzyska� instaluj�c ssh. Radzi�bym usun�� ten 
+ pakiet.
+Template: ssh/insecure_telnetd
+Type: note
+Description: Warning: telnetd is installed --- probably not a good idea
+ I'd advise you to either remove the telnetd package (if you don't actually
+ need to offer telnet access) or install telnetd-ssl so that there is at
+ least some chance that telnet sessions will not be sending unencrypted
+ login/password and session information over the network.
+Description-pl: Uwaga: telnetd jest zainstalowany --- prawdopodobnie nienajlepszy pomys�
+ Radzi�bym albo usun�� pakiet telnetd (je�li nie potrzebujesz koniecznie
+ udost�pnia� telnet'a) albo zainstalowa� telnetd-ssl aby by�a cho� szansza,
+ �e sesje telnet nie b�d� przesy�a� niezaszyfrowanego loginu/has�a oraz 
+ danych sesji przez sie�.
+Template: ssh/encrypted_host_key_but_no_keygen
+Type: note
+Description: Warning: you must create a new host key
+ There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted.
+ OpenSSH can not handle this host key file, and I can't find the
+ ssh-keygen utility from the old (non-free) SSH installation.
+ .
+ You will need to generate a new host key.
+Description-pl: Uwaga: musisz utworzy� nowy klucz hosta 
+ Istnieje stary /etc/ssh/ssh_host_key, kt�ry jest zaszyfrowany przez
+ IDEA. OpenSSH nie umie korzysta� z tak zaszyfrowanego klucza, a nie
+ mo�e znale�� polecenia ssh-keygen ze starego SSH (non-free).
+ .
+ B�dziesz musia� wygenerowa� nowy klucz hosta.
+Template: ssh/SUID_client
+Type: boolean
+Default: true
+Description: Do you want /usr/lib/ssh-keysign to be installed SUID root?
+ You have the option of installing the ssh-keysign helper with the SUID
+ bit set.
+ .
+ If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2
+ host-based authentication.
+ .
+ If in doubt, I suggest you install it with SUID.  If it causes
+ problems you can change your mind later by running:   dpkg-reconfigure ssh 
+Description-pl: Czy chcesz aby /usr/lib/ssh-keysign by� zainstalowany jako SUID root? 
+ Masz mo�liwo�� zainstalowania pomocniczego programu ssh-keysign z w��czonym
+ bitem SETUID.
+ .
+ Je�li uczynisz ssh-keysign SUIDowym, b�dziesz m�g� u�ywa� opartej na hostach
+ autentykacji drugiej wersji protoko�u SSH.
+ .
+ Je�li masz w�tpliwo�ci, radz� zainstalowa� go z SUIDem. Je�li to sprawia
+ problemy, mo�esz zmieni� swoje zdanie uruchamiaj�c p�niej polecenie:
+ dpkg-reconfigure ssh
+Template: ssh/run_sshd
+Type: boolean
+Default: true
+Description: Do you want to run the sshd server ?
+ This package contains both the ssh client, and the sshd server.
+ .
+ Normally the sshd Secure Shell Server will be run to allow remote
+ logins via ssh.
+ .
+ If you are only interested in using the ssh client for outbound
+ connections on this machine, and don't want to log into it at all
+ using ssh, then you can disable sshd here.
+Description-pl: Czy chcesz uruchamia� serwer sshd ?
+ Ten pakiet zawiera zar�wno klienta ssh, jak i serwer sshd.
+ .
+ Normalnie serwer sshd (Secure Shell Server) b�dzie uruchomiony aby
+ umo�liwi� zdalny dost�p przez ssh.
+ .
+ Je�li jeste� zainteresowny u�ywaniem wy��cznie klienta ssh dla po��cze�
+ wychodz�cych z tej maszyny, i nie chcesz si� na ni� logowa� przy pomocy
+ ssh, to mo�esz teraz wy��czy� serwer sshd.
diff --git a/defines.h b/defines.h
index b87dbc51e..ab19a077c 100644
--- a/defines.h
+++ b/defines.h
@@ -1,7 +1,7 @@
 #ifndef _DEFINES_H
 #define _DEFINES_H
-/* $Id: defines.h,v 1.92 2002/06/24 16:26:49 stevesk Exp $ */
+/* $Id: defines.h,v 1.96 2002/09/26 00:38:48 tim Exp $ */
 /* Constants */
@@ -102,7 +102,7 @@ SCO Open Server 3 has INADDR_LOOPBACK defined in rpc/rpc.h but
 including rpc/rpc.h breaks Solaris 6
 */
 #ifndef INADDR_LOOPBACK
-#define INADDR_LOOPBACK ((ulong)0x7f000001)
+#define INADDR_LOOPBACK ((u_long)0x7f000001)
 #endif
 /* Types */
@@ -124,7 +124,7 @@ typedef char int8_t;
 # if (SIZEOF_SHORT_INT == 2)
 typedef short int int16_t;
 # else
-#  ifdef _CRAY
+#  ifdef _UNICOS
 #   if (SIZEOF_SHORT_INT == 4)
 typedef short int16_t;
 #   else
@@ -132,16 +132,16 @@ typedef long  int16_t;
 #   endif
 #  else
 #   error "16 bit int type not found."
-#  endif /* _CRAY */
+#  endif /* _UNICOS */
 # endif
 # if (SIZEOF_INT == 4)
 typedef int int32_t;
 # else
-#  ifdef _CRAY
+#  ifdef _UNICOS
 typedef long  int32_t;
 #  else
 #   error "32 bit int type not found."
-#  endif /* _CRAY */
+#  endif /* _UNICOS */
 # endif
 #endif
@@ -161,7 +161,7 @@ typedef unsigned char u_int8_t;
 #  if (SIZEOF_SHORT_INT == 2)
 typedef unsigned short int u_int16_t;
 #  else
-#   ifdef _CRAY
+#   ifdef _UNICOS
 #    if (SIZEOF_SHORT_INT == 4)
 typedef unsigned short u_int16_t;
 #    else
@@ -174,7 +174,7 @@ typedef unsigned long  u_int16_t;
 #  if (SIZEOF_INT == 4)
 typedef unsigned int u_int32_t;
 #  else
-#   ifdef _CRAY
+#   ifdef _UNICOS
 typedef unsigned long  u_int32_t;
 #   else
 #    error "32 bit int type not found."
@@ -216,6 +216,10 @@ typedef unsigned char u_char;
 # define HAVE_U_CHAR
 #endif /* HAVE_U_CHAR */
+#ifndef SIZE_T_MAX
+#define SIZE_T_MAX ULONG_MAX
+#endif /* SIZE_T_MAX */
 #ifndef HAVE_SIZE_T
 typedef unsigned int size_t;
 # define HAVE_SIZE_T
diff --git a/dh.c b/dh.c
index 33187e028..6ec37867a 100644
--- a/dh.c
+++ b/dh.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: dh.c,v 1.21 2002/03/06 00:23:27 markus Exp $");
+RCSID("$OpenBSD: dh.c,v 1.22 2002/06/27 08:49:44 markus Exp $");
 #include "xmalloc.h"
@@ -50,7 +50,7 @@ parse_prime(int linenum, char *line, struct dhgroup *dhg)
        /* Ignore leading whitespace */
        if (*arg == '\0')
                arg = strdelim(&cp);
-        if (!*arg || *arg == '#')
+        if (!arg || !*arg || *arg == '#')
                return 0;
        /* time */
diff --git a/hostfile.c b/hostfile.c
index cefff8d62..dcee03448 100644
--- a/hostfile.c
+++ b/hostfile.c
@@ -36,7 +36,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: hostfile.c,v 1.29 2001/12/18 10:04:21 jakob Exp $");
+RCSID("$OpenBSD: hostfile.c,v 1.30 2002/07/24 16:11:18 markus Exp $");
 #include "packet.h"
 #include "match.h"
@@ -91,11 +91,14 @@ hostfile_check_key(int bits, Key *key, const char *host, const char *filename, i
 * in the list of our known hosts. Returns HOST_OK if the host is known and
 * has the specified key, HOST_NEW if the host is not known, and HOST_CHANGED
 * if the host is known but used to have a different host key.
+ *
+ * If no 'key' has been specified and a key of type 'keytype' is known
+ * for the specified host, then HOST_FOUND is returned.
 */
-HostStatus
+static HostStatus
-check_host_in_hostfile(const char *filename, const char *host, Key *key,
+check_host_in_hostfile_by_key_or_type(const char *filename,
-    Key *found, int *numret)
+    const char *host, Key *key, int keytype, Key *found, int *numret)
 {
        FILE *f;
        char line[8192];
@@ -105,8 +108,7 @@ check_host_in_hostfile(const char *filename, const char *host, Key *key,
        HostStatus end_return;
        debug3("check_host_in_hostfile: filename %s", filename);
-        if (key == NULL)
-                fatal("no key to look up");
        /* Open the file containing the list of known hosts. */
        f = fopen(filename, "r");
        if (!f)
@@ -147,12 +149,20 @@ check_host_in_hostfile(const char *filename, const char *host, Key *key,
                 */
                if (!hostfile_read_key(&cp, &kbits, found))
                        continue;
-                if (!hostfile_check_key(kbits, found, host, filename, linenum))
-                        continue;
                if (numret != NULL)
                        *numret = linenum;
+                if (key == NULL) {
+                        /* we found a key of the requested type */
+                        if (found->type == keytype)
+                                return HOST_FOUND;
+                        continue;
+                }
+                if (!hostfile_check_key(kbits, found, host, filename, linenum))
+                        continue;
                /* Check if the current key is the same as the given key. */
                if (key_equal(key, found)) {
                        /* Ok, they match. */
@@ -177,6 +187,24 @@ check_host_in_hostfile(const char *filename, const char *host, Key *key,
        return end_return;
 }
+HostStatus
+check_host_in_hostfile(const char *filename, const char *host, Key *key,
+    Key *found, int *numret)
+{
+        if (key == NULL)
+                fatal("no key to look up");
+        return (check_host_in_hostfile_by_key_or_type(filename, host, key, 0,
+            found, numret));
+}
+int
+lookup_key_in_hostfile_by_type(const char *filename, const char *host,
+    int keytype, Key *found, int *numret)
+{
+        return (check_host_in_hostfile_by_key_or_type(filename, host, NULL,
+            keytype, found, numret) == HOST_FOUND);
+}
 /*
 * Appends an entry to the host file.  Returns false if the entry could not
 * be appended.
diff --git a/hostfile.h b/hostfile.h
index 0244fdb53..1df7a22f2 100644
--- a/hostfile.h
+++ b/hostfile.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: hostfile.h,v 1.10 2001/12/18 10:04:21 jakob Exp $     */
+/*      $OpenBSD: hostfile.h,v 1.12 2002/09/08 20:24:08 markus Exp $    */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -15,12 +15,14 @@
 #define HOSTFILE_H
 typedef enum {
-        HOST_OK, HOST_NEW, HOST_CHANGED
+        HOST_OK, HOST_NEW, HOST_CHANGED, HOST_FOUND
 }       HostStatus;
 int      hostfile_read_key(char **, u_int *, Key *);
 HostStatus
 check_host_in_hostfile(const char *, const char *, Key *, Key *, int *);
 int      add_host_to_hostfile(const char *, const char *, Key *);
+int     
+lookup_key_in_hostfile_by_type(const char *, const char *, int , Key *, int *);
 #endif
diff --git a/includes.h b/includes.h
index e20d7a519..d7b875c52 100644
--- a/includes.h
+++ b/includes.h
@@ -115,6 +115,9 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
 #ifdef HAVE_SYS_UN_H
 # include <sys/un.h> /* For sockaddr_un */
 #endif
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
 #ifdef HAVE_SYS_BITYPES_H
 # include <sys/bitypes.h> /* For u_intXX_t */
 #endif
@@ -146,6 +149,14 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
 # include <readpassphrase.h>
 #endif
+#ifdef HAVE_IA_H
+# include <ia.h>
+#endif
+#ifdef HAVE_TMPDIR_H
+# include <tmpdir.h>
+#endif
 #include <openssl/opensslv.h> /* For OPENSSL_VERSION_NUMBER */
 #include "defines.h"
diff --git a/kex.h b/kex.h
index 12edcdc63..93a529e12 100644
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: kex.h,v 1.31 2002/05/16 22:02:50 markus Exp $ */
+/*      $OpenBSD: kex.h,v 1.32 2002/09/09 14:54:14 markus Exp $ */
 /*
 * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -96,7 +96,7 @@ struct Newkeys {
 };
 struct Kex {
        u_char  *session_id;
-        int     session_id_len;
+        u_int   session_id_len;
        Newkeys *newkeys[MODE_MAX];
        int     we_need;
        int     server;
diff --git a/key.c b/key.c
index fb1f8410a..9806a729a 100644
--- a/key.c
+++ b/key.c
@@ -32,7 +32,7 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "includes.h"
-RCSID("$OpenBSD: key.c,v 1.45 2002/06/23 03:26:19 deraadt Exp $");
+RCSID("$OpenBSD: key.c,v 1.49 2002/09/09 14:54:14 markus Exp $");
 #include <openssl/evp.h>
@@ -171,7 +171,7 @@ key_equal(Key *a, Key *b)
        return 0;
 }
-static u_char*
+static u_char *
 key_fingerprint_raw(Key *k, enum fp_type dgst_type, u_int *dgst_raw_length)
 {
        const EVP_MD *md = NULL;
@@ -227,8 +227,8 @@ key_fingerprint_raw(Key *k, enum fp_type dgst_type, u_int *dgst_raw_length)
        return retval;
 }
-static char*
+static char *
-key_fingerprint_hex(u_char* dgst_raw, u_int dgst_raw_len)
+key_fingerprint_hex(u_char *dgst_raw, u_int dgst_raw_len)
 {
        char *retval;
        int i;
@@ -244,8 +244,8 @@ key_fingerprint_hex(u_char* dgst_raw, u_int dgst_raw_len)
        return retval;
 }
-static char*
+static char *
-key_fingerprint_bubblebabble(u_char* dgst_raw, u_int dgst_raw_len)
+key_fingerprint_bubblebabble(u_char *dgst_raw, u_int dgst_raw_len)
 {
        char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' };
        char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm',
@@ -291,7 +291,7 @@ key_fingerprint_bubblebabble(u_char* dgst_raw, u_int dgst_raw_len)
        return retval;
 }
-char*
+char *
 key_fingerprint(Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
 {
        char *retval = NULL;
@@ -494,7 +494,8 @@ key_write(Key *key, FILE *f)
 {
        int n, success = 0;
        u_int len, bits = 0;
-        u_char *blob, *uu;
+        u_char *blob;
+        char *uu;
        if (key->type == KEY_RSA1 && key->rsa != NULL) {
                /* size of modulus 'n' */
@@ -729,7 +730,6 @@ key_to_blob(Key *key, u_char **blobp, u_int *lenp)
 {
        Buffer b;
        int len;
-        u_char *buf;
        if (key == NULL) {
                error("key_to_blob: key == NULL");
@@ -755,14 +755,14 @@ key_to_blob(Key *key, u_char **blobp, u_int *lenp)
                return 0;
        }
        len = buffer_len(&b);
-        buf = xmalloc(len);
-        memcpy(buf, buffer_ptr(&b), len);
-        memset(buffer_ptr(&b), 0, len);
-        buffer_free(&b);
        if (lenp != NULL)
                *lenp = len;
-        if (blobp != NULL)
+        if (blobp != NULL) {
-                *blobp = buf;
+                *blobp = xmalloc(len);
+                memcpy(*blobp, buffer_ptr(&b), len);
+        }
+        memset(buffer_ptr(&b), 0, len);
+        buffer_free(&b);
        return len;
 }
diff --git a/log.c b/log.c
index be0868fde..12ac11df7 100644
--- a/log.c
+++ b/log.c
@@ -34,7 +34,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: log.c,v 1.22 2002/02/22 12:20:34 markus Exp $");
+RCSID("$OpenBSD: log.c,v 1.24 2002/07/19 15:43:33 markus Exp $");
 #include "log.h"
 #include "xmalloc.h"
@@ -93,6 +93,7 @@ SyslogFacility
 log_facility_number(char *name)
 {
        int i;
        if (name != NULL)
                for (i = 0; log_facilities[i].name; i++)
                        if (strcasecmp(log_facilities[i].name, name) == 0)
@@ -104,6 +105,7 @@ LogLevel
 log_level_number(char *name)
 {
        int i;
        if (name != NULL)
                for (i = 0; log_levels[i].name; i++)
                        if (strcasecmp(log_levels[i].name, name) == 0)
@@ -117,6 +119,7 @@ void
 error(const char *fmt,...)
 {
        va_list args;
        va_start(args, fmt);
        do_log(SYSLOG_LEVEL_ERROR, fmt, args);
        va_end(args);
@@ -128,6 +131,7 @@ void
 log(const char *fmt,...)
 {
        va_list args;
        va_start(args, fmt);
        do_log(SYSLOG_LEVEL_INFO, fmt, args);
        va_end(args);
@@ -139,6 +143,7 @@ void
 verbose(const char *fmt,...)
 {
        va_list args;
        va_start(args, fmt);
        do_log(SYSLOG_LEVEL_VERBOSE, fmt, args);
        va_end(args);
@@ -150,6 +155,7 @@ void
 debug(const char *fmt,...)
 {
        va_list args;
        va_start(args, fmt);
        do_log(SYSLOG_LEVEL_DEBUG1, fmt, args);
        va_end(args);
@@ -159,6 +165,7 @@ void
 debug2(const char *fmt,...)
 {
        va_list args;
        va_start(args, fmt);
        do_log(SYSLOG_LEVEL_DEBUG2, fmt, args);
        va_end(args);
@@ -168,6 +175,7 @@ void
 debug3(const char *fmt,...)
 {
        va_list args;
        va_start(args, fmt);
        do_log(SYSLOG_LEVEL_DEBUG3, fmt, args);
        va_end(args);
@@ -216,6 +224,18 @@ fatal_remove_cleanup(void (*proc) (void *context), void *context)
            (u_long) proc, (u_long) context);
 }
+/* Remove all cleanups, to be called after fork() */
+void
+fatal_remove_all_cleanups(void)
+{
+        struct fatal_cleanup *cu, *next_cu;
+        for (cu = fatal_cleanups; cu; cu = next_cu) {
+                next_cu = cu->next;
+                xfree(cu);
+        }
+}
 /* Cleanup and exit */
 void
 fatal_cleanup(void)
diff --git a/log.h b/log.h
index 0aa7932b4..9819eceaa 100644
--- a/log.h
+++ b/log.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: log.h,v 1.7 2002/05/19 20:54:52 deraadt Exp $ */
+/*      $OpenBSD: log.h,v 1.8 2002/07/19 15:43:33 markus Exp $  */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -65,6 +65,7 @@ void     debug3(const char *, ...) __attribute__((format(printf, 1, 2)));
 void     fatal_cleanup(void);
 void     fatal_add_cleanup(void (*) (void *), void *);
 void     fatal_remove_cleanup(void (*) (void *), void *);
+void     fatal_remove_all_cleanups(void);
 void     do_log(LogLevel, const char *, va_list);
diff --git a/loginrec.c b/loginrec.c
index 609e84768..02c3106a3 100644
--- a/loginrec.c
+++ b/loginrec.c
@@ -163,7 +163,7 @@
 #include "log.h"
 #include "atomicio.h"
-RCSID("$Id: loginrec.c,v 1.40 2002/04/23 13:09:19 djm Exp $");
+RCSID("$Id: loginrec.c,v 1.44 2002/09/26 00:38:49 tim Exp $");
 #ifdef HAVE_UTIL_H
 #  include <util.h>
@@ -622,13 +622,13 @@ construct_utmp(struct logininfo *li,
        switch (li->type) {
        case LTYPE_LOGIN:
                ut->ut_type = USER_PROCESS;
-#ifdef _CRAY
+#ifdef _UNICOS
                cray_set_tmpdir(ut);
 #endif
                break;
        case LTYPE_LOGOUT:
                ut->ut_type = DEAD_PROCESS;
-#ifdef _CRAY
+#ifdef _UNICOS
                cray_retain_utmp(ut, li->pid);
 #endif
                break;
@@ -1249,7 +1249,7 @@ wtmpx_get_entry(struct logininfo *li)
        }
        if (fstat(fd, &st) != 0) {
                log("wtmpx_get_entry: couldn't stat %s: %s",
-                    WTMP_FILE, strerror(errno));
+                    WTMPX_FILE, strerror(errno));
                close(fd);
                return 0;
        }
@@ -1271,6 +1271,7 @@ wtmpx_get_entry(struct logininfo *li)
                /* Logouts are recorded as a blank username on a particular line.
                 * So, we just need to find the username in struct utmpx */
                if ( wtmpx_islogin(li, &utx) ) {
+                        found = 1;
 # ifdef HAVE_TV_IN_UTMPX
                        li->tv_sec = utx.ut_tv.tv_sec;
 # else
diff --git a/monitor.c b/monitor.c
index 89b712f2d..4ad3f3d21 100644
--- a/monitor.c
+++ b/monitor.c
@@ -25,7 +25,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.18 2002/06/26 13:20:57 deraadt Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.29 2002/09/26 11:38:43 markus Exp $");
 #include <openssl/dh.h>
@@ -120,6 +120,13 @@ int mm_answer_sessid(int, Buffer *);
 int mm_answer_pam_start(int, Buffer *);
 #endif
+#ifdef KRB4
+int mm_answer_krb4(int, Buffer *);
+#endif
+#ifdef KRB5
+int mm_answer_krb5(int, Buffer *);
+#endif
 static Authctxt *authctxt;
 static BIGNUM *ssh1_challenge = NULL;   /* used for ssh1 rsa auth */
@@ -127,8 +134,8 @@ static BIGNUM *ssh1_challenge = NULL;	/* used for ssh1 rsa auth */
 static u_char *key_blob = NULL;
 static u_int key_bloblen = 0;
 static int key_blobtype = MM_NOKEY;
-static u_char *hostbased_cuser = NULL;
+static char *hostbased_cuser = NULL;
-static u_char *hostbased_chost = NULL;
+static char *hostbased_chost = NULL;
 static char *auth_method = "unknown";
 static int session_id2_len = 0;
 static u_char *session_id2 = NULL;
@@ -199,6 +206,12 @@ struct mon_table mon_dispatch_proto15[] = {
 #ifdef USE_PAM
    {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
 #endif
+#ifdef KRB4
+    {MONITOR_REQ_KRB4, MON_ONCE|MON_AUTH, mm_answer_krb4},
+#endif
+#ifdef KRB5
+    {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
+#endif
    {0, 0, NULL}
 };
@@ -455,7 +468,7 @@ mm_answer_sign(int socket, Buffer *m)
        p = buffer_get_string(m, &datlen);
        if (datlen != 20)
-                fatal("%s: data length incorrect: %d", __func__, datlen);
+                fatal("%s: data length incorrect: %u", __func__, datlen);
        /* save session id, it will be passed on the first call */
        if (session_id2_len == 0) {
@@ -469,7 +482,7 @@ mm_answer_sign(int socket, Buffer *m)
        if (key_sign(key, &signature, &siglen, p, datlen) < 0)
                fatal("%s: key_sign failed", __func__);
-        debug3("%s: signature %p(%d)", __func__, signature, siglen);
+        debug3("%s: signature %p(%u)", __func__, signature, siglen);
        buffer_clear(m);
        buffer_put_string(m, signature, siglen);
@@ -559,7 +572,7 @@ int mm_answer_auth2_read_banner(int socket, Buffer *m)
        mm_request_send(socket, MONITOR_ANS_AUTH2_READ_BANNER, m);
        if (banner != NULL)
-                free(banner);
+                xfree(banner);
        return (0);
 }
@@ -587,7 +600,8 @@ mm_answer_authpassword(int socket, Buffer *m)
 {
        static int call_count;
        char *passwd;
-        int authenticated, plen;
+        int authenticated;
+        u_int plen;
        passwd = buffer_get_string(m, &plen);
        /* Only authenticate if the context is valid */
@@ -750,7 +764,8 @@ int
 mm_answer_keyallowed(int socket, Buffer *m)
 {
        Key *key;
-        u_char *cuser, *chost, *blob;
+        char *cuser, *chost;
+        u_char *blob;
        u_int bloblen;
        enum mm_keytype type = 0;
        int allowed = 0;
@@ -826,7 +841,7 @@ static int
 monitor_valid_userblob(u_char *data, u_int datalen)
 {
        Buffer b;
-        u_char *p;
+        char *p;
        u_int len;
        int fail = 0;
@@ -879,11 +894,11 @@ monitor_valid_userblob(u_char *data, u_int datalen)
 }
 static int
-monitor_valid_hostbasedblob(u_char *data, u_int datalen, u_char *cuser,
+monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
-    u_char *chost)
+    char *chost)
 {
        Buffer b;
-        u_char *p;
+        char *p;
        u_int len;
        int fail = 0;
@@ -1001,8 +1016,8 @@ mm_record_login(Session *s, struct passwd *pw)
         * the address be 0.0.0.0.
         */
        memset(&from, 0, sizeof(from));
+        fromlen = sizeof(from);
        if (packet_connection_is_on_socket()) {
-                fromlen = sizeof(from);
                if (getpeername(packet_get_connection_in(),
                        (struct sockaddr *) & from, &fromlen) < 0) {
                        debug("getpeername: %.100s", strerror(errno));
@@ -1012,7 +1027,7 @@ mm_record_login(Session *s, struct passwd *pw)
        /* Record that there was a login on that tty from the remote host. */
        record_login(s->pid, s->tty, pw->pw_name, pw->pw_uid,
            get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping),
-            (struct sockaddr *)&from);
+            (struct sockaddr *)&from, fromlen);
 }
 static void
@@ -1276,6 +1291,89 @@ mm_answer_rsa_response(int socket, Buffer *m)
        return (success);
 }
+#ifdef KRB4
+int
+mm_answer_krb4(int socket, Buffer *m)
+{
+        KTEXT_ST auth, reply;
+        char  *client, *p;
+        int success;
+        u_int alen;
+        reply.length = auth.length = 0;
+ 
+        p = buffer_get_string(m, &alen);
+        if (alen >=  MAX_KTXT_LEN)
+                 fatal("%s: auth too large", __func__);
+        memcpy(auth.dat, p, alen);
+        auth.length = alen;
+        memset(p, 0, alen);
+        xfree(p);
+        success = options.kerberos_authentication &&
+            authctxt->valid &&
+            auth_krb4(authctxt, &auth, &client, &reply);
+        memset(auth.dat, 0, alen);
+        buffer_clear(m);
+        buffer_put_int(m, success);
+        if (success) {
+                buffer_put_cstring(m, client);
+                buffer_put_string(m, reply.dat, reply.length);
+                if (client)
+                        xfree(client);
+                if (reply.length)
+                        memset(reply.dat, 0, reply.length);
+        }
+        debug3("%s: sending result %d", __func__, success);
+        mm_request_send(socket, MONITOR_ANS_KRB4, m);
+        auth_method = "kerberos";
+        /* Causes monitor loop to terminate if authenticated */
+        return (success);
+}
+#endif
+#ifdef KRB5
+int
+mm_answer_krb5(int socket, Buffer *m)
+{
+        krb5_data tkt, reply;
+        char *client_user;
+        u_int len;
+        int success;
+        /* use temporary var to avoid size issues on 64bit arch */
+        tkt.data = buffer_get_string(m, &len);
+        tkt.length = len;
+        success = options.kerberos_authentication &&
+            authctxt->valid &&
+            auth_krb5(authctxt, &tkt, &client_user, &reply);
+        if (tkt.length)
+                xfree(tkt.data);
+        buffer_clear(m);
+        buffer_put_int(m, success);
+        if (success) {
+                buffer_put_cstring(m, client_user);
+                buffer_put_string(m, reply.data, reply.length);
+                if (client_user)
+                        xfree(client_user);
+                if (reply.length)
+                        xfree(reply.data);
+        }
+        mm_request_send(socket, MONITOR_ANS_KRB5, m);
+        return success;
+}
+#endif
 int
 mm_answer_term(int socket, Buffer *req)
 {
@@ -1453,10 +1551,10 @@ mm_get_keystate(struct monitor *pmonitor)
 void *
 mm_zalloc(struct mm_master *mm, u_int ncount, u_int size)
 {
-        int len = size * ncount;
+        size_t len = size * ncount;
        void *address;
-        if (len <= 0)
+        if (len == 0 || ncount > SIZE_T_MAX / size)
                fatal("%s: mm_zalloc(%u, %u)", __func__, ncount, size);
        address = mm_malloc(mm, len);
diff --git a/monitor.h b/monitor.h
index 69114b532..668ac9897 100644
--- a/monitor.h
+++ b/monitor.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: monitor.h,v 1.6 2002/06/11 05:46:20 mpech Exp $       */
+/*      $OpenBSD: monitor.h,v 1.8 2002/09/26 11:38:43 markus Exp $      */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -49,6 +49,8 @@ enum monitor_reqtype {
        MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED,
        MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
        MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
+        MONITOR_REQ_KRB4, MONITOR_ANS_KRB4,
+        MONITOR_REQ_KRB5, MONITOR_ANS_KRB5,
        MONITOR_REQ_PAM_START,
        MONITOR_REQ_TERM
 };
diff --git a/monitor_fdpass.c b/monitor_fdpass.c
index 0d7628fa2..641ce721e 100644
--- a/monitor_fdpass.c
+++ b/monitor_fdpass.c
@@ -24,7 +24,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: monitor_fdpass.c,v 1.3 2002/06/04 23:05:49 markus Exp $");
+RCSID("$OpenBSD: monitor_fdpass.c,v 1.4 2002/06/26 14:50:04 deraadt Exp $");
 #include <sys/uio.h>
@@ -38,7 +38,7 @@ mm_send_fd(int socket, int fd)
        struct msghdr msg;
        struct iovec vec;
        char ch = '\0';
-        int n;
+        ssize_t n;
 #ifndef HAVE_ACCRIGHTS_IN_MSGHDR
        char tmp[CMSG_SPACE(sizeof(int))];
        struct cmsghdr *cmsg;
@@ -67,8 +67,8 @@ mm_send_fd(int socket, int fd)
                fatal("%s: sendmsg(%d): %s", __func__, fd,
                    strerror(errno));
        if (n != 1)
-                fatal("%s: sendmsg: expected sent 1 got %d",
+                fatal("%s: sendmsg: expected sent 1 got %ld",
-                    __func__, n);
+                    __func__, (long)n);
 #else
        fatal("%s: UsePrivilegeSeparation=yes not supported",
            __func__);
@@ -81,8 +81,9 @@ mm_receive_fd(int socket)
 #if defined(HAVE_RECVMSG) && (defined(HAVE_ACCRIGHTS_IN_MSGHDR) || defined(HAVE_CONTROL_IN_MSGHDR))
        struct msghdr msg;
        struct iovec vec;
+        ssize_t n;
        char ch;
-        int fd, n;
+        int fd;
 #ifndef HAVE_ACCRIGHTS_IN_MSGHDR
        char tmp[CMSG_SPACE(sizeof(int))];
        struct cmsghdr *cmsg;
@@ -104,8 +105,8 @@ mm_receive_fd(int socket)
        if ((n = recvmsg(socket, &msg, 0)) == -1)
                fatal("%s: recvmsg: %s", __func__, strerror(errno));
        if (n != 1)
-                fatal("%s: recvmsg: expected received 1 got %d",
+                fatal("%s: recvmsg: expected received 1 got %ld",
-                    __func__, n);
+                    __func__, (long)n);
 #ifdef HAVE_ACCRIGHTS_IN_MSGHDR
        if (msg.msg_accrightslen != sizeof(fd))
diff --git a/monitor_mm.c b/monitor_mm.c
index 55d1e8e52..b4a6e40c9 100644
--- a/monitor_mm.c
+++ b/monitor_mm.c
@@ -24,13 +24,13 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: monitor_mm.c,v 1.6 2002/06/04 23:05:49 markus Exp $");
+RCSID("$OpenBSD: monitor_mm.c,v 1.8 2002/08/02 14:43:15 millert Exp $");
 #ifdef HAVE_SYS_MMAN_H
 #include <sys/mman.h>
 #endif
-#include <sys/shm.h>
+#include "openbsd-compat/xmmap.h"
 #include "ssh.h"
 #include "xmalloc.h"
 #include "log.h"
@@ -39,7 +39,14 @@ RCSID("$OpenBSD: monitor_mm.c,v 1.6 2002/06/04 23:05:49 markus Exp $");
 static int
 mm_compare(struct mm_share *a, struct mm_share *b)
 {
-        return ((char *)a->address - (char *)b->address);
+        long diff = (char *)a->address - (char *)b->address;
+        if (diff == 0)
+                return (0);
+        else if (diff < 0)
+                return (-1);
+        else
+                return (1);
 }
 RB_GENERATE(mmtree, mm_share, next, mm_compare)
@@ -85,48 +92,9 @@ mm_create(struct mm_master *mmalloc, size_t size)
         */
        mm->mmalloc = mmalloc;
-#ifdef HAVE_MMAP_ANON_SHARED
+        address = xmmap(size);
-        mm->shm_not_mmap = 0;
-        address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED,
-            -1, 0);
-        if (address == MAP_FAILED) {
-                int shmid;
-                shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|S_IRUSR|S_IWUSR);
-                if (shmid != -1) {
-                        address = shmat(shmid, NULL, 0);
-                        shmctl(shmid, IPC_RMID, NULL);
-                        if (address != MAP_FAILED)
-                                mm->shm_not_mmap = 1;
-                }
-        }
-        if (address == MAP_FAILED) {
-                char tmpname[sizeof(MM_SWAP_TEMPLATE)] = MM_SWAP_TEMPLATE;
-                int tmpfd;
-                int save_errno;
-                tmpfd = mkstemp(tmpname);
-                if (tmpfd == -1)
-                        fatal("mkstemp(\"%s\"): %s",
-                           MM_SWAP_TEMPLATE, strerror(errno));
-                unlink(tmpname);
-                ftruncate(tmpfd, size);
-                address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_SHARED,
-                   tmpfd, 0);
-                save_errno = errno;
-                close(tmpfd);
-                errno = save_errno;
-        }
        if (address == MAP_FAILED)
                fatal("mmap(%lu): %s", (u_long)size, strerror(errno));
-#else
-        fatal("%s: UsePrivilegeSeparation=yes and Compression=yes not supported",
-            __func__);
-#endif
        mm->address = address;
        mm->size = size;
@@ -164,11 +132,7 @@ mm_destroy(struct mm_master *mm)
        mm_freelist(mm->mmalloc, &mm->rb_free);
        mm_freelist(mm->mmalloc, &mm->rb_allocated);
-#ifdef HAVE_MMAP_ANON_SHARED
+#ifdef HAVE_MMAP
-        if (mm->shm_not_mmap) {
-                if (shmdt(mm->address) == -1)
-                        fatal("shmdt(%p): %s", mm->address, strerror(errno));
-        } else
        if (munmap(mm->address, mm->size) == -1)
                fatal("munmap(%p, %lu): %s", mm->address, (u_long)mm->size,
                    strerror(errno));
@@ -203,8 +167,10 @@ mm_malloc(struct mm_master *mm, size_t size)
        if (size == 0)
                fatal("mm_malloc: try to allocate 0 space");
+        if (size > SIZE_T_MAX - MM_MINSIZE + 1)
+                fatal("mm_malloc: size too big");
-        size = ((size + MM_MINSIZE - 1) / MM_MINSIZE) * MM_MINSIZE;
+        size = ((size + (MM_MINSIZE - 1)) / MM_MINSIZE) * MM_MINSIZE;
        RB_FOREACH(mms, mmtree, &mm->rb_free) {
                if (mms->size >= size)
diff --git a/monitor_mm.h b/monitor_mm.h
index b0e6d5f22..a1323b9a8 100644
--- a/monitor_mm.h
+++ b/monitor_mm.h
@@ -27,7 +27,7 @@
 #ifndef _MM_H_
 #define _MM_H_
-#include "openbsd-compat/tree.h"
+#include "openbsd-compat/sys-tree.h"
 struct mm_share {
        RB_ENTRY(mm_share) next;
@@ -40,7 +40,6 @@ struct mm_master {
        struct mmtree rb_allocated;
        void *address;
        size_t size;
-        int shm_not_mmap;
        struct mm_master *mmalloc;      /* Used to completely share */
@@ -54,8 +53,6 @@ RB_PROTOTYPE(mmtree, mm_share, next, mm_compare)
 #define MM_ADDRESS_END(x)       (void *)((u_char *)(x)->address + (x)->size)
-#define MM_SWAP_TEMPLATE        "/var/run/sshd.mm.XXXXXXXX"
 struct mm_master *mm_create(struct mm_master *, size_t);
 void mm_destroy(struct mm_master *);
diff --git a/monitor_wrap.c b/monitor_wrap.c
index f7e332d8e..4c53bfd13 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -25,7 +25,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: monitor_wrap.c,v 1.11 2002/06/19 18:01:00 markus Exp $");
+RCSID("$OpenBSD: monitor_wrap.c,v 1.19 2002/09/26 11:38:43 markus Exp $");
 #include <openssl/bn.h>
 #include <openssl/dh.h>
@@ -62,8 +62,8 @@ extern Buffer input, output;
 void
 mm_request_send(int socket, enum monitor_reqtype type, Buffer *m)
 {
-        u_char buf[5];
        u_int mlen = buffer_len(m);
+        u_char buf[5];
        debug3("%s entering: type %d", __func__, type);
@@ -79,8 +79,8 @@ void
 mm_request_receive(int socket, Buffer *m)
 {
        u_char buf[4];
-        ssize_t res;
        u_int msg_len;
+        ssize_t res;
        debug3("%s entering", __func__);
@@ -207,7 +207,7 @@ mm_getpwnamallow(const char *login)
        return (pw);
 }
-char* mm_auth2_read_banner(void)
+char *mm_auth2_read_banner(void)
 {
        Buffer m;
        char *banner;
@@ -411,7 +411,7 @@ mm_newkeys_from_blob(u_char *blob, int blen)
        enc->key = buffer_get_string(&b, &enc->key_len);
        enc->iv = buffer_get_string(&b, &len);
        if (len != enc->block_size)
-                fatal("%s: bad ivlen: expected %d != %d", __func__,
+                fatal("%s: bad ivlen: expected %u != %u", __func__,
                    enc->block_size, len);
        if (enc->name == NULL || cipher_by_name(enc->name) != enc->cipher)
@@ -425,7 +425,7 @@ mm_newkeys_from_blob(u_char *blob, int blen)
        mac->enabled = buffer_get_int(&b);
        mac->key = buffer_get_string(&b, &len);
        if (len > mac->key_len)
-                fatal("%s: bad mac key length: %d > %d", __func__, len,
+                fatal("%s: bad mac key length: %u > %d", __func__, len,
                    mac->key_len);
        mac->key_len = len;
@@ -436,7 +436,7 @@ mm_newkeys_from_blob(u_char *blob, int blen)
        len = buffer_len(&b);
        if (len != 0)
-                error("newkeys_from_blob: remaining bytes in blob %d", len);
+                error("newkeys_from_blob: remaining bytes in blob %u", len);
        buffer_free(&b);
        return (newkey);
 }
@@ -446,7 +446,6 @@ mm_newkeys_to_blob(int mode, u_char **blobp, u_int *lenp)
 {
        Buffer b;
        int len;
-        u_char *buf;
        Enc *enc;
        Mac *mac;
        Comp *comp;
@@ -484,14 +483,14 @@ mm_newkeys_to_blob(int mode, u_char **blobp, u_int *lenp)
        buffer_put_cstring(&b, comp->name);
        len = buffer_len(&b);
-        buf = xmalloc(len);
-        memcpy(buf, buffer_ptr(&b), len);
-        memset(buffer_ptr(&b), 0, len);
-        buffer_free(&b);
        if (lenp != NULL)
                *lenp = len;
-        if (blobp != NULL)
+        if (blobp != NULL) {
-                *blobp = buf;
+                *blobp = xmalloc(len);
+                memcpy(*blobp, buffer_ptr(&b), len);
+        }
+        memset(buffer_ptr(&b), 0, len);
+        buffer_free(&b);
        return len;
 }
@@ -600,7 +599,7 @@ int
 mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen)
 {
        Buffer m;
-        u_char *p;
+        char *p;
        int success = 0;
        buffer_init(&m);
@@ -705,7 +704,7 @@ mm_chall_setup(char **name, char **infotxt, u_int *numprompts,
        *name = xstrdup("");
        *infotxt = xstrdup("");
        *numprompts = 1;
-        *prompts = xmalloc(*numprompts * sizeof(char*));
+        *prompts = xmalloc(*numprompts * sizeof(char *));
        *echo_on = xmalloc(*numprompts * sizeof(u_int));
        (*echo_on)[0] = 0;
 }
@@ -937,3 +936,74 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16])
        return (success);
 }
+#ifdef KRB4
+int
+mm_auth_krb4(Authctxt *authctxt, void *_auth, char **client, void *_reply)
+{
+        KTEXT auth, reply;
+        Buffer m;
+        u_int rlen;
+        int success = 0;
+        char *p;
+        debug3("%s entering", __func__);
+        auth = _auth;
+        reply = _reply;
+        buffer_init(&m);
+        buffer_put_string(&m, auth->dat, auth->length);
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB4, &m);
+        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB4, &m);
+        success = buffer_get_int(&m);
+        if (success) {
+                *client = buffer_get_string(&m, NULL);
+                p = buffer_get_string(&m, &rlen);
+                if (rlen >= MAX_KTXT_LEN)
+                        fatal("%s: reply from monitor too large", __func__);
+                reply->length = rlen;
+                memcpy(reply->dat, p, rlen);
+                memset(p, 0, rlen);
+                xfree(p);
+        }
+        buffer_free(&m);
+        return (success); 
+}
+#endif
+#ifdef KRB5
+int
+mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp)
+{
+        krb5_data *tkt, *reply;
+        Buffer m;
+        int success;
+        debug3("%s entering", __func__);
+        tkt = (krb5_data *) argp;
+        reply = (krb5_data *) resp;
+        buffer_init(&m);
+        buffer_put_string(&m, tkt->data, tkt->length);
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB5, &m);
+        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB5, &m);
+        success = buffer_get_int(&m);
+        if (success) {
+                u_int len;
+                *userp = buffer_get_string(&m, NULL);
+                reply->data = buffer_get_string(&m, &len);
+                reply->length = len;
+        } else {
+                memset(reply, 0, sizeof(*reply));
+                *userp = NULL;
+        }
+        buffer_free(&m);
+        return (success);
+}
+#endif
diff --git a/monitor_wrap.h b/monitor_wrap.h
index ce721247b..d960a3d0b 100644
--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: monitor_wrap.h,v 1.5 2002/05/12 23:53:45 djm Exp $    */
+/*      $OpenBSD: monitor_wrap.h,v 1.8 2002/09/26 11:38:43 markus Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -44,7 +44,7 @@ DH *mm_choose_dh(int, int, int);
 int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
 void mm_inform_authserv(char *, char *);
 struct passwd *mm_getpwnamallow(const char *);
-char* mm_auth2_read_banner(void);
+char *mm_auth2_read_banner(void);
 int mm_auth_password(struct Authctxt *, char *);
 int mm_key_allowed(enum mm_keytype, char *, char *, Key *);
 int mm_user_key_allowed(struct passwd *, Key *);
@@ -83,6 +83,16 @@ int mm_bsdauth_respond(void *, u_int, char **);
 int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
 int mm_skey_respond(void *, u_int, char **);
+/* auth_krb */
+#ifdef KRB4
+int mm_auth_krb4(struct Authctxt *, void *, char **, void *);
+#endif
+#ifdef KRB5
+/* auth and reply are really krb5_data objects, but we don't want to
+ * include all of the krb5 headers here */
+int mm_auth_krb5(void *authctxt, void *auth, char **client, void *reply);
+#endif
 /* zlib allocation hooks */
 void *mm_zalloc(struct mm_master *, u_int, u_int);
diff --git a/msg.c b/msg.c
index 7275c847d..107a37691 100644
--- a/msg.c
+++ b/msg.c
@@ -22,7 +22,7 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "includes.h"
-RCSID("$OpenBSD: msg.c,v 1.3 2002/06/24 15:49:22 itojun Exp $");
+RCSID("$OpenBSD: msg.c,v 1.4 2002/07/01 16:15:25 deraadt Exp $");
 #include "buffer.h"
 #include "getput.h"
@@ -31,43 +31,43 @@ RCSID("$OpenBSD: msg.c,v 1.3 2002/06/24 15:49:22 itojun Exp $");
 #include "msg.h"
 void
-msg_send(int fd, u_char type, Buffer *m)
+ssh_msg_send(int fd, u_char type, Buffer *m)
 {
        u_char buf[5];
        u_int mlen = buffer_len(m);
-        debug3("msg_send: type %u", (unsigned int)type & 0xff);
+        debug3("ssh_msg_send: type %u", (unsigned int)type & 0xff);
        PUT_32BIT(buf, mlen + 1);
        buf[4] = type;          /* 1st byte of payload is mesg-type */
        if (atomicio(write, fd, buf, sizeof(buf)) != sizeof(buf))
-                fatal("msg_send: write");
+                fatal("ssh_msg_send: write");
        if (atomicio(write, fd, buffer_ptr(m), mlen) != mlen)
-                fatal("msg_send: write");
+                fatal("ssh_msg_send: write");
 }
 int
-msg_recv(int fd, Buffer *m)
+ssh_msg_recv(int fd, Buffer *m)
 {
        u_char buf[4];
        ssize_t res;
        u_int msg_len;
-        debug3("msg_recv entering");
+        debug3("ssh_msg_recv entering");
        res = atomicio(read, fd, buf, sizeof(buf));
        if (res != sizeof(buf)) {
                if (res == 0)
                        return -1;
-                fatal("msg_recv: read: header %ld", (long)res);
+                fatal("ssh_msg_recv: read: header %ld", (long)res);
        }
        msg_len = GET_32BIT(buf);
        if (msg_len > 256 * 1024)
-                fatal("msg_recv: read: bad msg_len %d", msg_len);
+                fatal("ssh_msg_recv: read: bad msg_len %u", msg_len);
        buffer_clear(m);
        buffer_append_space(m, msg_len);
        res = atomicio(read, fd, buffer_ptr(m), msg_len);
        if (res != msg_len)
-                fatal("msg_recv: read: %ld != msg_len", (long)res);
+                fatal("ssh_msg_recv: read: %ld != msg_len", (long)res);
        return 0;
 }
diff --git a/msg.h b/msg.h
index 13fa95b27..8980e254e 100644
--- a/msg.h
+++ b/msg.h
@@ -25,7 +25,7 @@
 #ifndef SSH_MSG_H
 #define SSH_MSG_H
-void     msg_send(int, u_char, Buffer *);
+void     ssh_msg_send(int, u_char, Buffer *);
-int      msg_recv(int, Buffer *);
+int      ssh_msg_recv(int, Buffer *);
 #endif
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
index 3e09cfefe..5229e7e20 100644
--- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.21 2002/02/19 20:27:57 mouring Exp $
+# $Id: Makefile.in,v 1.23 2002/09/12 00:33:02 djm Exp $
 sysconfdir=@sysconfdir@
 piddir=@piddir@
@@ -18,7 +18,7 @@ LDFLAGS=-L. @LDFLAGS@
 OPENBSD=base64.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o
-COMPAT=bsd-arc4random.o bsd-cray.o bsd-cygwin_util.o bsd-misc.o bsd-nextstep.o bsd-snprintf.o bsd-waitpid.o fake-getaddrinfo.o fake-getnameinfo.o
+COMPAT=bsd-arc4random.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-snprintf.o bsd-waitpid.o fake-getaddrinfo.o fake-getnameinfo.o xmmap.o
 PORTS=port-irix.o port-aix.o
diff --git a/openbsd-compat/base64.c b/openbsd-compat/base64.c
index d12b993b7..005170b80 100644
--- a/openbsd-compat/base64.c
+++ b/openbsd-compat/base64.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: base64.c,v 1.3 1997/11/08 20:46:55 deraadt Exp $      */
+/*      $OpenBSD: base64.c,v 1.4 2002/01/02 23:00:10 deraadt Exp $      */
 /*
 * Copyright (c) 1996 by Internet Software Consortium.
@@ -42,7 +42,7 @@
 * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
 */
-#include "config.h"
+#include "includes.h"
 #if !defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP)
@@ -60,6 +60,7 @@
 #include "base64.h"
+/* XXX abort illegal in library */
 #define Assert(Cond) if (!(Cond)) abort()
 static const char Base64[] =
diff --git a/openbsd-compat/bindresvport.c b/openbsd-compat/bindresvport.c
index 332bcb016..620f980ed 100644
--- a/openbsd-compat/bindresvport.c
+++ b/openbsd-compat/bindresvport.c
@@ -29,7 +29,7 @@
 * Mountain View, California  94043
 */
-#include "config.h"
+#include "includes.h"
 #ifndef HAVE_BINDRESVPORT_SA
diff --git a/openbsd-compat/bsd-cray.c b/openbsd-compat/bsd-cray.c
index 9bab75b41..edb3112b3 100644
--- a/openbsd-compat/bsd-cray.c
+++ b/openbsd-compat/bsd-cray.c
@@ -1,5 +1,5 @@
 /* 
- * $Id: bsd-cray.c,v 1.6 2002/05/15 16:39:51 mouring Exp $
+ * $Id: bsd-cray.c,v 1.8 2002/09/26 00:38:51 tim Exp $
 *
 * bsd-cray.c
 *
@@ -34,8 +34,8 @@
 * on UNICOS systems.
 *
 */
+#ifdef _UNICOS
-#ifdef _CRAY
 #include <udb.h>
 #include <tmpdir.h>
 #include <unistd.h>
@@ -45,19 +45,33 @@
 #include <signal.h>
 #include <sys/priv.h>
 #include <sys/secparm.h>
+#include <sys/tfm.h>
 #include <sys/usrv.h>
 #include <sys/sysv.h>
 #include <sys/sectab.h>
+#include <sys/secstat.h>
 #include <sys/stat.h>
+#include <sys/session.h>
 #include <stdlib.h>
 #include <pwd.h>
 #include <fcntl.h>
 #include <errno.h>
+#include <ia.h>
+#include <urm.h>
+#include "ssh.h"
+#include "log.h"
+#include "servconf.h"
 #include "bsd-cray.h"
+#define MAXACID 80
+extern ServerOptions options;
 char cray_tmpdir[TPATHSIZ+1];               /* job TMPDIR path */
+struct          sysv sysv;      /* system security structure */
+struct          usrv usrv;      /* user   security structure */
 /*
 * Functions.
 */
@@ -65,68 +79,538 @@ void cray_retain_utmp(struct utmp *, int);
 void cray_delete_tmpdir(char *, int, uid_t);
 void cray_init_job(struct passwd *);
 void cray_set_tmpdir(struct utmp *);
+void cray_login_failure(char *, int);
+int cray_setup(uid_t, char *, const char *);
+int cray_access_denied(char *);
+void
+cray_login_failure(char *username, int errcode)
+{
+        struct udb      *ueptr;         /* UDB pointer for username */
+        ia_failure_t    fsent;          /* ia_failure structure */
+        ia_failure_ret_t fret;          /* ia_failure return stuff */
+        struct jtab     jtab;           /* job table structure */
+        int             jid = 0;        /* job id */
+        if ((jid = getjtab(&jtab)) < 0) {
+                debug("cray_login_failure(): getjtab error");
+        }
+        getsysudb();
+        if ((ueptr = getudbnam(username)) == UDB_NULL) {
+                debug("cray_login_failure(): getudbname() returned NULL");
+        }
+        endudb();
+        fsent.revision  = 0;
+        fsent.uname     = username;
+        fsent.host      = (char *)get_canonical_hostname(options.verify_reverse_mapping);
+        fsent.ttyn      = "sshd";
+        fsent.caller    = IA_SSHD;
+        fsent.flags     = IA_INTERACTIVE;
+        fsent.ueptr     = ueptr;
+        fsent.jid       = jid;
+        fsent.errcode   = errcode;
+        fsent.pwdp      = NULL;
+        fsent.exitcode  = 0;    /* dont exit in ia_failure() */
+        fret.revision   = 0;
+        fret.normal     = 0;
+        /*
+         * Call ia_failure because of an login failure.
+         */
+        ia_failure(&fsent,&fret);
+}
 /*
- * Orignal written by:
+ *  Cray access denied
- *     Wayne Schroeder
+ */
- *     San Diego Supercomputer Center
+int
- *     schroeder@sdsc.edu
+cray_access_denied(char *username)
-*/
-void
-cray_setup(uid_t uid, char *username)
 {
-        struct udb *p;
+        struct udb      *ueptr;         /* UDB pointer for username */
+        int             errcode;        /* IA errorcode */
+        errcode = 0;
+        getsysudb();
+        if ((ueptr = getudbnam(username)) == UDB_NULL) {
+                debug("cray_login_failure(): getudbname() returned NULL");
+        }
+        endudb();
+        if (ueptr && ueptr->ue_disabled)
+                errcode = IA_DISABLED;
+        if (errcode)
+                cray_login_failure(username, errcode);
+        return (errcode);
+}
+int
+cray_setup (uid_t uid, char *username, const char *command)
+{
+        extern struct udb *getudb();
        extern char *setlimits();
-        int i, j;
-        int accts[MAXVIDS];
-        int naccts;
-        int err;
-        char *sr;
-        int pid;
-        struct jtab jbuf;
-        int jid;
-        if ((jid = getjtab(&jbuf)) < 0)
+        int err;                      /* error return */
-                fatal("getjtab: no jid");
+        time_t          system_time;    /* current system clock */
+        time_t          expiration_time; /* password expiration time */
-        err = setudb();    /* open and rewind the Cray User DataBase */
+        int             maxattempts;    /* maximum no. of failed login attempts */
-        if (err != 0)
+        int             SecureSys;      /* unicos security flag */
-                fatal("UDB open failure");
+        int             minslevel = 0;  /* system minimum security level */
-        naccts = 0;
+        int             i, j;
-        p = getudbnam(username);
+        int             valid_acct = -1; /* flag for reading valid acct */
-        if (p == NULL)
+        char acct_name[MAXACID]  = { "" }; /* used to read acct name */
-                fatal("No UDB entry for %.100s", username);
+        struct          jtab jtab;      /* Job table struct */
-        if (uid != p->ue_uid)
+        struct          udb ue;         /* udb entry for logging-in user */
-                fatal("UDB entry %.100s uid(%d) does not match uid %d",
+        struct          udb *up;        /* pointer to UDB entry */
-                    username, (int) p->ue_uid, (int) uid);
+        struct          secstat secinfo; /* file  security attributes */
-        for (j = 0; p->ue_acids[j] != -1 && j < MAXVIDS; j++) {
+        struct          servprov init_info; /* used for sesscntl() call */
-                accts[naccts] = p->ue_acids[j];
+        int             jid;            /* job ID */
-                naccts++;
+        int             pid;            /* process ID */
+        char            *sr;            /* status return from setlimits() */
+        char            *ttyn = NULL;   /* ttyname or command name*/
+        char            hostname[MAXHOSTNAMELEN];
+        passwd_t        pwdacm,
+                        pwddialup,
+                        pwdudb,
+                        pwdwal,
+                        pwddce;         /* passwd stuff for ia_user */
+        ia_user_ret_t   uret;           /* stuff returned from ia_user */
+        ia_user_t       usent;          /* ia_user main structure */
+        int             ia_rcode;       /* ia_user return code */
+        ia_failure_t    fsent;          /* ia_failure structure */
+        ia_failure_ret_t fret;          /* ia_failure return stuff */
+        ia_success_t    ssent;          /* ia_success structure */
+        ia_success_ret_t sret;          /* ia_success return stuff */
+        int             ia_mlsrcode;    /* ia_mlsuser return code */
+        int             secstatrc;      /* [f]secstat return code */
+        if (SecureSys = (int)sysconf(_SC_CRAY_SECURE_SYS)) {
+                getsysv(&sysv, sizeof(struct sysv));
+                minslevel = sysv.sy_minlvl;
+                if (getusrv(&usrv) < 0) {
+                        debug("getusrv() failed, errno = %d",errno);
+                        exit(1);
+                }
        }
-        endudb();        /* close the udb */
+        hostname[0] = '\0';
+        strncpy(hostname,
-        if (naccts != 0) {
+           (char *)get_canonical_hostname(options.verify_reverse_mapping),
-                /* Perhaps someday we'll prompt users who have multiple accounts
+           MAXHOSTNAMELEN);
-                   to let them pick one (like CRI's login does), but for now just set
+        /*
-                   the account to the first entry. */
+         *  Fetch user's UDB entry.
-                if (acctid(0, accts[0]) < 0)
+         */
-                        fatal("System call acctid failed, accts[0]=%d", accts[0]);
+        getsysudb();
+        if ((up = getudbnam(username)) == UDB_NULL) {
+                debug("cannot fetch user's UDB entry");
+                exit(1);
+        }
+        /*
+         *  Prevent any possible fudging so perform a data
+         *  safety check and compare the supplied uid against
+         *  the udb's uid.
+         */
+        if (up->ue_uid != uid) {
+                debug("IA uid missmatch");
+                exit(1);
+        }
+        endudb();
+        if ((jid = getjtab (&jtab)) < 0) {
+                debug("getjtab");
+                return -1;
+        }
+        pid = getpid();
+        ttyn = ttyname(0);
+        if (SecureSys) {
+                if (ttyn) {
+                        secstatrc = secstat(ttyn, &secinfo);
+                } else {
+                        secstatrc = fsecstat(1, &secinfo);
+                }
+                if (secstatrc == 0) {
+                        debug("[f]secstat() successful");
+                } else {
+                        debug("[f]secstat() error, rc = %d", secstatrc);
+                        exit(1);
+                }
+        }
+        if ((ttyn == NULL) && ((char *)command != NULL))
+                ttyn = (char *)command;
+        /*
+         *  Initialize all structures to call ia_user
+         */
+        usent.revision = 0;
+        usent.uname    = username;
+        usent.host     = hostname;
+        usent.ttyn     = ttyn;
+        usent.caller   = IA_SSHD; 
+        usent.pswdlist = &pwdacm;
+        usent.ueptr    = &ue;
+        usent.flags    = IA_INTERACTIVE | IA_FFLAG;
+        pwdacm.atype   = IA_SECURID;
+        pwdacm.pwdp    = NULL;
+        pwdacm.next    = &pwdudb;
+        pwdudb.atype   = IA_UDB;
+        pwdudb.pwdp    = NULL;
+        pwdudb.next    = &pwddce;
+        pwddce.atype   = IA_DCE;
+        pwddce.pwdp    = NULL;
+        pwddce.next    = &pwddialup;
+        pwddialup.atype = IA_DIALUP;
+        pwddialup.pwdp  = NULL;
+        /* pwddialup.next  = &pwdwal; */
+        pwddialup.next  = NULL;
+        pwdwal.atype = IA_WAL;
+        pwdwal.pwdp  = NULL;
+        pwdwal.next  = NULL;
+        uret.revision = 0;
+        uret.pswd     = NULL;
+        uret.normal   = 0;
+        ia_rcode = ia_user(&usent, &uret);
+        switch (ia_rcode) {
+                /*
+                 *  These are acceptable return codes from ia_user()
+                 */
+                case IA_UDBWEEK:        /* Password Expires in 1 week */
+                     expiration_time = ue.ue_pwage.time + ue.ue_pwage.maxage;
+                     printf ("WARNING - your current password will expire %s\n",
+                     ctime((const time_t *)&expiration_time));
+                     break;
+                case IA_UDBEXPIRED:
+                     if (ttyname(0) != NULL) {
+                     /* Force a password change */
+                         printf("Your password has expired; Choose a new one.\n");
+                         execl("/bin/passwd", "passwd", username, 0);
+                         exit(9);
+                     }
+                     break;
+                case IA_NORMAL:         /* Normal Return Code */
+                     break;
+                case IA_BACKDOOR:
+                     strcpy(ue.ue_name, "root");
+                     strcpy(ue.ue_passwd, "");
+                     strcpy(ue.ue_dir, "/");
+                     strcpy(ue.ue_shell, "/bin/sh");
+                     strcpy(ue.ue_age, "");
+                     strcpy(ue.ue_comment, "");
+                     strcpy(ue.ue_loghost, "");
+                     strcpy(ue.ue_logline, "");
+                     ue.ue_uid=-1;
+                     ue.ue_nice[UDBRC_INTER]=0;
+                     for (i=0;i<MAXVIDS;i++)
+                         ue.ue_gids[i]=0;
+                     ue.ue_logfails=0;
+                     ue.ue_minlvl=minslevel; 
+                     ue.ue_maxlvl=minslevel;
+                     ue.ue_deflvl=minslevel;
+                     ue.ue_defcomps=0;
+                     ue.ue_comparts=0;
+                     ue.ue_permits=0;
+                     ue.ue_trap=0;
+                     ue.ue_disabled=0;
+                     ue.ue_logtime=0;
+                     break;
+                case IA_CONSOLE:        /* Superuser not from Console */
+                case IA_TRUSTED:        /* Trusted user */
+                     if (options.permit_root_login > PERMIT_NO)
+                        break;          /* Accept root login */
+                default:
+                /*
+                 *  These are failed return codes from ia_user()
+                 */
+                     switch (ia_rcode) 
+                       {
+                       case IA_BADAUTH:
+                         printf ("Bad authorization, access denied.\n");
+                         break;
+                       case IA_DIALUPERR:
+                         break;
+                       case IA_DISABLED:
+                         printf ("Your login has been disabled. Contact the system ");
+                         printf ("administrator for assistance.\n");
+                         break;
+                       case IA_GETSYSV:
+                         printf ("getsysv() failed - errno = %d\n", errno);
+                         break;
+                       case IA_LOCALHOST:
+                         break;
+                       case IA_MAXLOGS:
+                         printf ("Maximum number of failed login attempts exceeded.\n");
+                         printf ("Access denied.\n");
+                         break;
+                       case IA_NOPASS:
+                         break;
+                       case IA_PUBLIC:
+                         break;
+                       case IA_SECURIDERR:
+                         break;
+                       case IA_CONSOLE:
+                         break;
+                       case IA_TRUSTED:
+                         break;
+                       case IA_UDBERR:
+                         break;
+                       case IA_UDBPWDNULL:
+                         /* 
+                          * NULL password not allowed on MLS systems
+                          */
+                         if (SecureSys) {
+                           printf("NULL Password not allowed on MLS systems.\n");
+                         }
+                         break;
+                       case IA_UNKNOWN:
+                         break;
+                       case IA_UNKNOWNYP:
+                         break;
+                       case IA_WALERR:
+                         break;
+                       default:
+                         /* nothing special */
+                         ;
+                       }   /* 2. switch  (ia_rcode) */
+                     /*
+                      *  Authentication failed.
+                      */
+                     printf("sshd: Login incorrect, (0%o)\n",
+                            ia_rcode-IA_ERRORCODE);
+                     
+                     /*
+                      *  Initialize structure for ia_failure
+                      *  which will exit.
+                      */
+                     fsent.revision = 0;
+                     fsent.uname    = username;
+                     fsent.host     = hostname;
+                     fsent.ttyn     = ttyn;
+                     fsent.caller   = IA_SSHD;
+                     fsent.flags    = IA_INTERACTIVE;
+                     fsent.ueptr    = &ue;
+                     fsent.jid      = jid;
+                     fsent.errcode  = ia_rcode;
+                     fsent.pwdp     = uret.pswd;
+                     fsent.exitcode = 1;
+                     
+                     fret.revision  = 0;
+                     fret.normal    = 0;
+                     
+                     /*
+                      *  Call ia_failure because of an IA failure.
+                      *  There is no return because ia_failure exits.
+                      */
+        
+                     ia_failure(&fsent,&fret);
+                     exit(1); 
+        }   /* 1. switch  (ia_rcode) */
+        ia_mlsrcode = IA_NORMAL;
+        if (SecureSys) {
+                debug("calling ia_mlsuser()");
+                ia_mlsrcode = ia_mlsuser (&ue, &secinfo, &usrv, NULL, 0);
+        }
+        if (ia_mlsrcode != IA_NORMAL) {
+                printf("sshd: Login incorrect, (0%o)\n",
+                ia_mlsrcode-IA_ERRORCODE);
+                /*
+                 *  Initialize structure for ia_failure
+                 *  which will exit.
+                */
+                fsent.revision = 0;
+                fsent.uname    = username;
+                fsent.host     = hostname;
+                fsent.ttyn     = ttyn;
+                fsent.caller   = IA_SSHD;
+                fsent.flags    = IA_INTERACTIVE;
+                fsent.ueptr    = &ue;
+                fsent.jid      = jid;
+                fsent.errcode  = ia_mlsrcode;
+                fsent.pwdp     = uret.pswd;
+                fsent.exitcode = 1;
+                fret.revision  = 0;
+                fret.normal    = 0;
+                /*
+                *  Call ia_failure because of an IA failure.
+                *  There is no return because ia_failure exits.
+                */
+                ia_failure(&fsent,&fret);
+                exit(1); 
        }
-        /* Now set limits, including CPU time for the (interactive) job and process,
+        /* Provide login status information */
-           and set up permissions (for chown etc), etc.  This is via an internal CRI
+        if (options.print_lastlog && ue.ue_logtime != 0) {
-           routine, setlimits, used by CRI's login. */
+            printf("Last successful login was : %.*s ",
+                    19, (char *)ctime(&ue.ue_logtime));
+  
+           if (*ue.ue_loghost != '\0')
+                printf("from %.*s\n", sizeof(ue.ue_loghost), ue.ue_loghost);
+ 
+            else printf("on %.*s\n", sizeof(ue.ue_logline), ue.ue_logline);
+ 
+            if ( SecureSys && (ue.ue_logfails != 0)) 
+                printf("  followed by %d failed attempts\n", ue.ue_logfails);
+        }
+        
+        /*
+         * Call ia_success to process successful I/A.
+         */
+        ssent.revision = 0;
+        ssent.uname = username;
+        ssent.host = hostname;
+        ssent.ttyn = ttyn;
+        ssent.caller = IA_SSHD;
+        ssent.flags = IA_INTERACTIVE;
+        ssent.ueptr = &ue;
+        ssent.jid = jid;
+        ssent.errcode = ia_rcode;
+        ssent.us = NULL;
+        ssent.time = 1;                  /* Set ue_logtime */
+        sret.revision = 0;
+        sret.normal = 0;
+        ia_success(&ssent,&sret);
+        /*
+         * Query for account, iff > 1 valid acid & askacid permbit
+         */
+        if (((ue.ue_permbits & PERMBITS_ACCTID) ||
+             (ue.ue_acids[0] >= 0) && (ue.ue_acids[1] >= 0)) &&
+            ue.ue_permbits & PERMBITS_ASKACID) {
+                if (ttyname(0) != NULL) {
+                  debug("cray_setup: ttyname true case, %.100s", ttyname);
+                  while (valid_acct == -1) {
+                        printf("Account (? for available accounts)"
+                               " [%s]: ", acid2nam(ue.ue_acids[0]));
+                        gets(acct_name);
+                        switch (acct_name[0]) {
+                        case EOF:
+                                exit(0);
+                                break;
+                        case '\0':
+                                valid_acct = ue.ue_acids[0];
+                                strcpy(acct_name, acid2nam(valid_acct));
+                                break;
+                        case '?':
+                                /* Print the list 3 wide */
+                                for (i = 0, j = 0; i < MAXVIDS; i++) {
+                                        if (ue.ue_acids[i] == -1) {
+                                                printf("\n");
+                                                break;
+                                        }
+                                        if (++j == 4) {
+                                                j = 1;
+                                                printf("\n");
+                                        }
+                                        printf(" %s",
+                                               acid2nam(ue.ue_acids[i]));
+                                }
+                                if (ue.ue_permbits & PERMBITS_ACCTID)
+                                        printf("\"acctid\" permbit also allows"
+                                               " you to select any valid "
+                                               "account name.\n");
+                                printf("\n");
+                                break;
+                        default:
+                                if ((valid_acct = nam2acid(acct_name)) == -1)                                        printf("Account id not found for"
+                                               " account name \"%s\"\n\n",
+                                               acct_name);
+                                break;
+                        }
+                        /*
+                         * If an account was given, search the user's
+                         * acids array to verify they can use this account.
+                         */
+                        if ((valid_acct != -1) &&
+                            !(ue.ue_permbits & PERMBITS_ACCTID)) {
+                                for (i = 0; i < MAXVIDS; i++) {
+                                        if (ue.ue_acids[i] == -1)
+                                                break;
+                                        if (valid_acct == ue.ue_acids[i])
+                                                break;
+                                }
+                                if (i == MAXVIDS ||
+                                    ue.ue_acids[i] == -1) {
+                                        fprintf(stderr, "Cannot set"
+                                                " account name to "
+                                                "\"%s\", permission "
+                                                "denied\n\n", acct_name);
+                                        valid_acct = -1;
+                                }
+                        }
+                  }
+                } else {
+                        /*
+                         * The client isn't connected to a terminal and can't
+                         * respond to an acid prompt.  Use default acid.
+                         */
+                        debug("cray_setup: ttyname false case, %.100s", ttyname);
+                        valid_acct = ue.ue_acids[0];
+                }
+        } else {
+                /*
+                 * The user doesn't have the askacid permbit set or
+                 * only has one valid account to use.
+                 */
+                valid_acct = ue.ue_acids[0];
+        }
+        if (acctid(0, valid_acct) < 0) {
+                printf ("Bad account id: %d\n", valid_acct);
+                exit(1);
+        }
+/* set up shares and quotas */
+/* Now set shares, quotas, limits, including CPU time for the (interactive) 
+ * job and process, and set up permissions (for chown etc), etc.
+ */
+        if (setshares(ue.ue_uid, valid_acct, printf, 0, 0)) {
+                printf("Unable to give %d shares to <%s>(%d/%d)\n", ue.ue_shares, ue.ue_name, ue.ue_uid, valid_acct);
+                exit(1);
+        }
-        pid = getpid();
        sr = setlimits(username, C_PROC, pid, UDBRC_INTER);
-        if (sr != NULL)
+        if (sr != NULL) {
-                fatal("%.200s", sr);
+                debug("%.200s", sr);
+                exit(1);
+        }
        sr = setlimits(username, C_JOB, jid, UDBRC_INTER);
-        if (sr != NULL)
+        if (sr != NULL) {
-                fatal("%.200s", sr);
+                debug("%.200s", sr);
+                exit(1);
+        }
+        /*
+         * Place the service provider information into
+         * the session table (Unicos) or job table (Unicos/mk).
+         * There exist double defines for the job/session table in
+         * unicos/mk (jtab.h) so no need for a compile time switch.
+         */
+        bzero((char *)&init_info, sizeof(struct servprov));
+        init_info.s_sessinit.si_id  = URM_SPT_LOGIN;
+        init_info.s_sessinit.si_pid = getpid();
+        init_info.s_sessinit.si_sid = jid;
+        init_info.s_routing.seqno = 0;
+        init_info.s_routing.iadrs = 0;
+        sesscntl(0, S_SETSERVPO, (int)&init_info);
+        /*
+         * Set user and controlling tty security attributes.
+         */
+        if (SecureSys) {
+                if (setusrv(&usrv) == -1) {
+                        debug("setusrv() failed, errno = %d",errno);
+                        exit(1);
+                }
+        }
+        return(0);
 }
 /*
@@ -143,7 +627,6 @@ drop_cray_privs()
        int                       result;
        extern      int           priv_set_proc();
        extern      priv_proc_t*  priv_init_proc();
-        struct      usrv          usrv;
        /*
         * If ether of theses two flags are not set
@@ -154,9 +637,23 @@ drop_cray_privs()
        if (!sysconf(_SC_CRAY_POSIX_PRIV))
                fatal("Not POSIX_PRIV.");
-        debug("Dropping privileges.");
+        debug("Setting MLS labels.");;
+        if (sysconf(_SC_CRAY_SECURE_MAC)) {
+                usrv.sv_minlvl = SYSLOW;
+                usrv.sv_actlvl = SYSHIGH;
+                usrv.sv_maxlvl = SYSHIGH;
+        } else {
+                usrv.sv_minlvl = sysv.sy_minlvl;
+                usrv.sv_actlvl = sysv.sy_minlvl;
+                usrv.sv_maxlvl = sysv.sy_maxlvl;
+        }       
+        usrv.sv_actcmp = 0;
+        usrv.sv_valcmp = sysv.sy_valcmp;
+        usrv.sv_intcat = TFM_SYSTEM;
+        usrv.sv_valcat |= (TFM_SYSTEM | TFM_SYSFILE);
-        memset(&usrv, 0, sizeof(usrv));
        if (setusrv(&usrv) < 0)
                fatal("%s(%d): setusrv(): %s", __FILE__, __LINE__,
                    strerror(errno));
@@ -189,7 +686,6 @@ cray_retain_utmp(struct utmp *ut, int pid)
                while (read(fd, (char *)&utmp, sizeof(utmp)) == sizeof(utmp)) {
                        if (pid == utmp.ut_pid) {
                                ut->ut_jid = utmp.ut_jid;
-                                /* XXX: MIN_SIZEOF here? can this go in loginrec? */
                                strncpy(ut->ut_tpath, utmp.ut_tpath, sizeof(utmp.ut_tpath));
                                strncpy(ut->ut_host, utmp.ut_host, sizeof(utmp.ut_host));
                                strncpy(ut->ut_name, utmp.ut_name, sizeof(utmp.ut_name));
@@ -198,7 +694,8 @@ cray_retain_utmp(struct utmp *ut, int pid)
                }
                close(fd);
        }
-        /* XXX: error message? */
+        else
+        fatal("Unable to open utmp file");
 }
 /*
@@ -245,7 +742,7 @@ cray_job_termination_handler(int sig)
        char *login = NULL;
        struct jtab jtab;
-        debug("Received SIG JOB.");
+        debug("received signal %d",sig);
        if ((jid = waitjob(&jtab)) == -1 ||
            (login = uid2nam(jtab.j_uid)) == NULL)
diff --git a/openbsd-compat/bsd-cray.h b/openbsd-compat/bsd-cray.h
index 9067a389a..8868b4364 100644
--- a/openbsd-compat/bsd-cray.h
+++ b/openbsd-compat/bsd-cray.h
@@ -1,5 +1,5 @@
 /* 
- * $Id: bsd-cray.h,v 1.3 2002/05/15 16:39:52 mouring Exp $
+ * $Id: bsd-cray.h,v 1.5 2002/09/26 00:38:51 tim Exp $
 *
 * bsd-cray.h
 *
@@ -37,11 +37,18 @@
 #ifndef _BSD_CRAY_H
 #define _BSD_CRAY_H
-#ifdef _CRAY
+#ifdef _UNICOS
-void    cray_init_job(struct passwd *);         /* init cray job */
+void cray_init_job(struct passwd *);            /* init cray job */
-void    cray_job_termination_handler(int);      /* process end of job signal */
+void cray_job_termination_handler(int);         /* process end of job signal */
-void    cray_setup(uid_t, char *);              /* set cray limits */
+void cray_login_failure(char *username, int errcode);
+int cray_access_denied(char *username);
 extern  char   cray_tmpdir[];                   /* cray tmpdir */
+#ifndef IA_SSHD
+#define IA_SSHD IA_LOGIN
+#endif
+#ifndef MAXHOSTNAMELEN
+#define MAXHOSTNAMELEN  64
+#endif
 #endif
 #endif /* _BSD_CRAY_H */
diff --git a/openbsd-compat/bsd-getpeereid.c b/openbsd-compat/bsd-getpeereid.c
new file mode 100644
index 000000000..c7876823d
--- /dev/null
+++ b/openbsd-compat/bsd-getpeereid.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 2002 Damien Miller.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "includes.h"
+RCSID("$Id: bsd-getpeereid.c,v 1.1 2002/09/12 00:33:02 djm Exp $");
+#if !defined(HAVE_GETPEEREID)
+#if defined(SO_PEERCRED)
+int
+getpeereid(int s, uid_t *euid, gid_t *gid)
+{
+        struct ucred cred;
+        size_t len = sizeof(cred);
+        if (getsockopt(s, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0)
+                return (-1);
+        *euid = cred.uid;
+        *gid = cred.gid;
+        return (0);
+}
+#else
+int
+getpeereid(int s, uid_t *euid, gid_t *gid)
+{
+        *euid = geteuid();
+        *gid = getgid();
+        return (0);
+}
+#endif /* defined(SO_PEERCRED) */
+#endif /* !defined(HAVE_GETPEEREID) */
diff --git a/openbsd-compat/bsd-getpeereid.h b/openbsd-compat/bsd-getpeereid.h
new file mode 100644
index 000000000..2e9f077f9
--- /dev/null
+++ b/openbsd-compat/bsd-getpeereid.h
@@ -0,0 +1,14 @@
+/* $Id: bsd-getpeereid.h,v 1.1 2002/09/12 00:33:02 djm Exp $ */
+#ifndef _BSD_GETPEEREID_H
+#define _BSD_GETPEEREID_H
+#include "config.h"
+#include <sys/types.h> /* For uid_t, gid_t */
+#ifndef HAVE_GETPEEREID
+int      getpeereid(int , uid_t *, gid_t *);
+#endif /* HAVE_GETPEEREID */
+#endif /* _BSD_GETPEEREID_H */
diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c
index fa48afea9..1c1e43a52 100644
--- a/openbsd-compat/bsd-misc.c
+++ b/openbsd-compat/bsd-misc.c
@@ -24,7 +24,7 @@
 #include "includes.h"
-RCSID("$Id: bsd-misc.c,v 1.8 2002/06/13 21:34:58 mouring Exp $");
+RCSID("$Id: bsd-misc.c,v 1.10 2002/07/08 21:09:41 mouring Exp $");
 char *get_progname(char *argv0)
 {
@@ -93,8 +93,8 @@ int utimes(char *filename, struct timeval *tvp)
 {
        struct utimbuf ub;
-        ub.actime = tvp->tv_sec;
+        ub.actime = tvp[0].tv_sec;
-        ub.modtime = tvp->tv_usec;
+        ub.modtime = tvp[1].tv_sec;
        
        return(utime(filename, &ub));
 }
diff --git a/openbsd-compat/dirname.c b/openbsd-compat/dirname.c
index 391b2dd81..35c7d8ec7 100644
--- a/openbsd-compat/dirname.c
+++ b/openbsd-compat/dirname.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: dirname.c,v 1.6 2001/06/28 04:27:19 pjanzen Exp $     */
+/*      $OpenBSD: dirname.c,v 1.7 2002/05/24 21:22:37 deraadt Exp $     */
 /*
 * Copyright (c) 1997 Todd C. Miller <Todd.Miller@courtesan.com>
@@ -31,7 +31,7 @@
 #ifndef HAVE_DIRNAME
 #if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$OpenBSD: dirname.c,v 1.6 2001/06/28 04:27:19 pjanzen Exp $";
+static char rcsid[] = "$OpenBSD: dirname.c,v 1.7 2002/05/24 21:22:37 deraadt Exp $";
 #endif /* LIBC_SCCS and not lint */
 #include <errno.h>
@@ -47,7 +47,7 @@ dirname(path)
        /* Empty or NULL string gets treated as "." */
        if (path == NULL || *path == '\0') {
-                (void)strcpy(bname, ".");
+                (void)strlcpy(bname, ".", sizeof bname);
                return(bname);
        }
@@ -62,7 +62,7 @@ dirname(path)
        /* Either the dir is "/" or there are no slashes */
        if (endp == path) {
-                (void)strcpy(bname, *endp == '/' ? "/" : ".");
+                (void)strlcpy(bname, *endp == '/' ? "/" : ".", sizeof bname);
                return(bname);
        } else {
                do {
diff --git a/openbsd-compat/getcwd.c b/openbsd-compat/getcwd.c
index de3baccbb..6fd8543a5 100644
--- a/openbsd-compat/getcwd.c
+++ b/openbsd-compat/getcwd.c
@@ -24,7 +24,7 @@
 * SUCH DAMAGE.
 */
-#include "config.h"
+#include "includes.h"
 #if !defined(HAVE_GETCWD)
diff --git a/openbsd-compat/getopt.c b/openbsd-compat/getopt.c
index f4fbc9bac..4a5cfe5f0 100644
--- a/openbsd-compat/getopt.c
+++ b/openbsd-compat/getopt.c
@@ -31,7 +31,7 @@
 * SUCH DAMAGE.
 */
-#include "config.h"
+#include "includes.h"
 #if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET)
 #if defined(LIBC_SCCS) && !defined(lint)
diff --git a/openbsd-compat/glob.c b/openbsd-compat/glob.c
index 365d4334f..e928a2272 100644
--- a/openbsd-compat/glob.c
+++ b/openbsd-compat/glob.c
@@ -56,7 +56,7 @@ get_arg_max(void)
 #if 0
 static char sccsid[] = "@(#)glob.c      8.3 (Berkeley) 10/13/93";
 #else
-static char rcsid[] = "$OpenBSD: glob.c,v 1.16 2001/04/05 18:36:12 deraadt Exp $";
+static char rcsid[] = "$OpenBSD: glob.c,v 1.20 2002/06/14 21:34:58 todd Exp $";
 #endif
 #endif /* LIBC_SCCS and not lint */
@@ -97,6 +97,7 @@ static char rcsid[] = "$OpenBSD: glob.c,v 1.16 2001/04/05 18:36:12 deraadt Exp $
 #define RBRACKET        ']'
 #define SEP             '/'
 #define STAR            '*'
+#undef TILDE                    /* Some platforms may already define it */
 #define TILDE           '~'
 #define UNDERSCORE      '_'
 #define LBRACE          '{'
@@ -136,32 +137,32 @@ typedef char Char;
 #define ismeta(c)       (((c)&M_QUOTE) != 0)
-static int       compare __P((const void *, const void *));
+static int       compare(const void *, const void *);
-static int       g_Ctoc __P((const Char *, char *, u_int));
+static int       g_Ctoc(const Char *, char *, u_int);
-static int       g_lstat __P((Char *, struct stat *, glob_t *));
+static int       g_lstat(Char *, struct stat *, glob_t *);
-static DIR      *g_opendir __P((Char *, glob_t *));
+static DIR      *g_opendir(Char *, glob_t *);
-static Char     *g_strchr __P((Char *, int));
+static Char     *g_strchr(Char *, int);
-static int       g_stat __P((Char *, struct stat *, glob_t *));
+static int       g_stat(Char *, struct stat *, glob_t *);
-static int       glob0 __P((const Char *, glob_t *));
+static int       glob0(const Char *, glob_t *);
-static int       glob1 __P((Char *, Char *, glob_t *, size_t *));
+static int       glob1(Char *, Char *, glob_t *, size_t *);
-static int       glob2 __P((Char *, Char *, Char *, Char *, Char *, Char *,
+static int       glob2(Char *, Char *, Char *, Char *, Char *, Char *,
-                    glob_t *, size_t *));
+                    glob_t *, size_t *);
-static int       glob3 __P((Char *, Char *, Char *, Char *, Char *, Char *,
+static int       glob3(Char *, Char *, Char *, Char *, Char *, Char *,
-                    Char *, Char *, glob_t *, size_t *));
+                    Char *, Char *, glob_t *, size_t *);
-static int       globextend __P((const Char *, glob_t *, size_t *));
+static int       globextend(const Char *, glob_t *, size_t *);
 static const Char *
-                 globtilde __P((const Char *, Char *, size_t, glob_t *));
+                 globtilde(const Char *, Char *, size_t, glob_t *);
-static int       globexp1 __P((const Char *, glob_t *));
+static int       globexp1(const Char *, glob_t *);
-static int       globexp2 __P((const Char *, const Char *, glob_t *, int *));
+static int       globexp2(const Char *, const Char *, glob_t *, int *);
-static int       match __P((Char *, Char *, Char *));
+static int       match(Char *, Char *, Char *);
 #ifdef DEBUG
-static void      qprintf __P((const char *, Char *));
+static void      qprintf(const char *, Char *);
 #endif
 int
 glob(pattern, flags, errfunc, pglob)
        const char *pattern;
-        int flags, (*errfunc) __P((const char *, int));
+        int flags, (*errfunc)(const char *, int);
        glob_t *pglob;
 {
        const u_char *patnext;
@@ -676,7 +677,7 @@ glob3(pathbuf, pathbuf_last, pathend, pathend_last, pattern, pattern_last,
 /*
- * Extend the gl_pathv member of a glob_t structure to accomodate a new item,
+ * Extend the gl_pathv member of a glob_t structure to accommodate a new item,
 * add the new item, and update gl_pathc.
 *
 * This assumes the BSD realloc, which only copies the block when its size
@@ -821,7 +822,7 @@ g_opendir(str, pglob)
        char buf[MAXPATHLEN];
        if (!*str)
-                strcpy(buf, ".");
+                strlcpy(buf, ".", sizeof buf);
        else {
                if (g_Ctoc(str, buf, sizeof(buf)))
                        return(NULL);
diff --git a/openbsd-compat/glob.h b/openbsd-compat/glob.h
index b4c8f7aaa..6421f7049 100644
--- a/openbsd-compat/glob.h
+++ b/openbsd-compat/glob.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: glob.h,v 1.5 2001/03/18 17:18:58 deraadt Exp $        */
+/*      $OpenBSD: glob.h,v 1.7 2002/02/17 19:42:21 millert Exp $        */
 /*      $NetBSD: glob.h,v 1.5 1994/10/26 00:55:56 cgd Exp $     */
 /*
@@ -53,18 +53,18 @@ typedef struct {
        int gl_flags;           /* Copy of flags parameter to glob. */
        char **gl_pathv;        /* List of paths matching pattern. */
                                /* Copy of errfunc parameter to glob. */
-        int (*gl_errfunc) __P((const char *, int));
+        int (*gl_errfunc)(const char *, int);
        /*
         * Alternate filesystem access methods for glob; replacement
         * versions of closedir(3), readdir(3), opendir(3), stat(2)
         * and lstat(2).
         */
-        void (*gl_closedir) __P((void *));
+        void (*gl_closedir)(void *);
-        struct dirent *(*gl_readdir) __P((void *));     
+        struct dirent *(*gl_readdir)(void *);   
-        void *(*gl_opendir) __P((const char *));
+        void *(*gl_opendir)(const char *);
-        int (*gl_lstat) __P((const char *, struct stat *));
+        int (*gl_lstat)(const char *, struct stat *);
-        int (*gl_stat) __P((const char *, struct stat *));
+        int (*gl_stat)(const char *, struct stat *);
 } glob_t;
 /* Flags */
@@ -91,8 +91,8 @@ typedef struct {
 #define GLOB_NOSYS      (-4)    /* Function not supported. */
 #define GLOB_ABEND      GLOB_ABORTED
-int     glob __P((const char *, int, int (*)(const char *, int), glob_t *));
+int     glob(const char *, int, int (*)(const char *, int), glob_t *);
-void    globfree __P((glob_t *));
+void    globfree(glob_t *);
 #endif /* !_GLOB_H_ */
diff --git a/openbsd-compat/inet_ntoa.c b/openbsd-compat/inet_ntoa.c
index 8a8b3c846..ac5f56708 100644
--- a/openbsd-compat/inet_ntoa.c
+++ b/openbsd-compat/inet_ntoa.c
@@ -31,12 +31,12 @@
 * SUCH DAMAGE.
 */
-#include "config.h"
+#include "includes.h"
 #if defined(BROKEN_INET_NTOA) || !defined(HAVE_INET_NTOA)
 #if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$OpenBSD: inet_ntoa.c,v 1.2 1996/08/19 08:29:16 tholo Exp $";
+static char rcsid[] = "$OpenBSD: inet_ntoa.c,v 1.3 2002/06/27 10:14:01 itojun Exp $";
 #endif /* LIBC_SCCS and not lint */
 /*
@@ -57,7 +57,7 @@ char *inet_ntoa(struct in_addr in)
        p = (char *)&in;
 #define UC(b)   (((int)b)&0xff)
        (void)snprintf(b, sizeof(b),
-            "%d.%d.%d.%d", UC(p[0]), UC(p[1]), UC(p[2]), UC(p[3]));
+            "%u.%u.%u.%u", UC(p[0]), UC(p[1]), UC(p[2]), UC(p[3]));
        return (b);
 }
diff --git a/openbsd-compat/inet_ntop.c b/openbsd-compat/inet_ntop.c
index 2b8d31f8d..3bea519af 100644
--- a/openbsd-compat/inet_ntop.c
+++ b/openbsd-compat/inet_ntop.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: inet_ntop.c,v 1.1 1997/03/13 19:07:32 downsj Exp $    */
+/*      $OpenBSD: inet_ntop.c,v 1.5 2002/08/23 16:27:31 itojun Exp $    */
 /* Copyright (c) 1996 by Internet Software Consortium.
 *
@@ -16,7 +16,7 @@
 * SOFTWARE.
 */
-#include "config.h"
+#include "includes.h"
 #ifndef HAVE_INET_NTOP
@@ -24,7 +24,7 @@
 #if 0
 static char rcsid[] = "$From: inet_ntop.c,v 8.7 1996/08/05 08:41:18 vixie Exp $";
 #else
-static char rcsid[] = "$OpenBSD: inet_ntop.c,v 1.1 1997/03/13 19:07:32 downsj Exp $";
+static char rcsid[] = "$OpenBSD: inet_ntop.c,v 1.5 2002/08/23 16:27:31 itojun Exp $";
 #endif
 #endif /* LIBC_SCCS and not lint */
@@ -54,8 +54,8 @@ static char rcsid[] = "$OpenBSD: inet_ntop.c,v 1.1 1997/03/13 19:07:32 downsj Ex
 * sizeof(int) < 4.  sizeof(int) > 4 is fine; all the world's not a VAX.
 */
-static const char *inet_ntop4 __P((const u_char *src, char *dst, size_t size));
+static const char *inet_ntop4(const u_char *src, char *dst, size_t size);
-static const char *inet_ntop6 __P((const u_char *src, char *dst, size_t size));
+static const char *inet_ntop6(const u_char *src, char *dst, size_t size);
 /* char *
 * inet_ntop(af, src, dst, size)
@@ -103,13 +103,14 @@ inet_ntop4(src, dst, size)
 {
        static const char fmt[] = "%u.%u.%u.%u";
        char tmp[sizeof "255.255.255.255"];
+        int l;
-        if (snprintf(tmp, sizeof(tmp), fmt, src[0], src[1], src[2],
+        l = snprintf(tmp, size, fmt, src[0], src[1], src[2], src[3]);
-            src[3]) > size) {
+        if (l <= 0 || l >= size) {
                errno = ENOSPC;
                return (NULL);
        }
-        strcpy(dst, tmp);
+        strlcpy(dst, tmp, size);
        return (dst);
 }
@@ -132,10 +133,12 @@ inet_ntop6(src, dst, size)
         * Keep this in mind if you think this function should have been coded
         * to use pointer overlays.  All the world's not a VAX.
         */
-        char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255"], *tp;
+        char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255"];
+        char *tp, *ep;
        struct { int base, len; } best, cur;
        u_int words[IN6ADDRSZ / INT16SZ];
        int i;
+        int advance;
        /*
         * Preprocess:
@@ -172,31 +175,45 @@ inet_ntop6(src, dst, size)
         * Format the result.
         */
        tp = tmp;
-        for (i = 0; i < (IN6ADDRSZ / INT16SZ); i++) {
+        ep = tmp + sizeof(tmp);
+        for (i = 0; i < (IN6ADDRSZ / INT16SZ) && tp < ep; i++) {
                /* Are we inside the best run of 0x00's? */
                if (best.base != -1 && i >= best.base &&
                    i < (best.base + best.len)) {
-                        if (i == best.base)
+                        if (i == best.base) {
+                                if (tp + 1 >= ep)
+                                        return (NULL);
                                *tp++ = ':';
+                        }
                        continue;
                }
                /* Are we following an initial run of 0x00s or any real hex? */
-                if (i != 0)
+                if (i != 0) {
+                        if (tp + 1 >= ep)
+                                return (NULL);
                        *tp++ = ':';
+                }
                /* Is this address an encapsulated IPv4? */
                if (i == 6 && best.base == 0 &&
                    (best.len == 6 || (best.len == 5 && words[5] == 0xffff))) {
-                        if (!inet_ntop4(src+12, tp, sizeof tmp - (tp - tmp)))
+                        if (!inet_ntop4(src+12, tp, (size_t)(ep - tp)))
                                return (NULL);
                        tp += strlen(tp);
                        break;
                }
-                snprintf(tp, sizeof(tmp - (tp - tmp)), "%x", words[i]);
+                advance = snprintf(tp, ep - tp, "%x", words[i]);
-                tp += strlen(tp);
+                if (advance <= 0 || advance >= ep - tp)
+                        return (NULL);
+                tp += advance;
        }
        /* Was it a trailing run of 0x00's? */
-        if (best.base != -1 && (best.base + best.len) == (IN6ADDRSZ / INT16SZ))
+        if (best.base != -1 && (best.base + best.len) == (IN6ADDRSZ / INT16SZ)) {
+                if (tp + 1 >= ep)
+                        return (NULL);
                *tp++ = ':';
+        }
+        if (tp + 1 >= ep)
+                return (NULL);
        *tp++ = '\0';
        /*
@@ -206,7 +223,7 @@ inet_ntop6(src, dst, size)
                errno = ENOSPC;
                return (NULL);
        }
-        strcpy(dst, tmp);
+        strlcpy(dst, tmp, size);
        return (dst);
 }
diff --git a/openbsd-compat/mktemp.c b/openbsd-compat/mktemp.c
index d69dc5c24..d256ee448 100644
--- a/openbsd-compat/mktemp.c
+++ b/openbsd-compat/mktemp.c
@@ -39,7 +39,7 @@
 #ifndef HAVE_MKDTEMP
 #if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$OpenBSD: mktemp.c,v 1.14 2002/01/02 20:18:32 deraadt Exp $";
+static char rcsid[] = "$OpenBSD: mktemp.c,v 1.16 2002/05/27 18:20:45 millert Exp $";
 #endif /* LIBC_SCCS and not lint */
 #ifdef HAVE_CYGWIN
@@ -102,11 +102,11 @@ _gettemp(path, doopen, domkdir, slen)
                return (0);
        }
        pid = getpid();
-        while (*trv == 'X' && pid != 0) {
+        while (trv >= path && *trv == 'X' && pid != 0) {
                *trv-- = (pid % 10) + '0';
                pid /= 10;
        }
-        while (*trv == 'X') {
+        while (trv >= path && *trv == 'X') {
                char c;
                pid = (arc4random() & 0xffff) % (26+26);
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
index 11918443d..ae18afd34 100644
--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -1,4 +1,4 @@
-/* $Id: openbsd-compat.h,v 1.16 2002/02/19 20:27:57 mouring Exp $ */
+/* $Id: openbsd-compat.h,v 1.17 2002/09/12 00:33:02 djm Exp $ */
 #ifndef _OPENBSD_H
 #define _OPENBSD_H
@@ -29,6 +29,7 @@
 /* Home grown routines */
 #include "bsd-arc4random.h"
+#include "bsd-getpeereid.h"
 #include "bsd-misc.h"
 #include "bsd-snprintf.h"
 #include "bsd-waitpid.h"
diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c
index ca0a88e69..4c96a3171 100644
--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -1,3 +1,28 @@
+/*
+ *
+ * Copyright (c) 2001 Gert Doering.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
 #include "includes.h"
 #ifdef _AIX
@@ -6,21 +31,21 @@
 #include <../xmalloc.h>
 /*
- * AIX has a "usrinfo" area where logname and
+ * AIX has a "usrinfo" area where logname and other stuff is stored - 
- * other stuff is stored - a few applications
+ * a few applications actually use this and die if it's not set
- * actually use this and die if it's not set
+ *
+ * NOTE: TTY= should be set, but since no one uses it and it's hard to
+ * acquire due to privsep code.  We will just drop support.
 */
 void
-aix_usrinfo(struct passwd *pw, char *tty, int ttyfd) 
+aix_usrinfo(struct passwd *pw)
 {
        u_int i;
-        char *cp=NULL;
+        char *cp;
-        if (ttyfd == -1)
+        cp = xmalloc(16 + 2 * strlen(pw->pw_name));
-                tty[0] = '\0';
+        i = sprintf(cp, "LOGNAME=%s%cNAME=%s%c", pw->pw_name, 0, 
-        cp = xmalloc(22 + strlen(tty) + 2 * strlen(pw->pw_name));
+            pw->pw_name, 0);
-        i = sprintf(cp, "LOGNAME=%s%cNAME=%s%cTTY=%s%c%c", pw->pw_name, 0, 
-            pw->pw_name, 0, tty, 0, 0);
        if (usrinfo(SETUINFO, cp, i) == -1)
                fatal("Couldn't set usrinfo: %s", strerror(errno));
        debug3("AIX/UsrInfo: set len %d", i);
diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h
index e4d14f4ae..79570a206 100644
--- a/openbsd-compat/port-aix.h
+++ b/openbsd-compat/port-aix.h
@@ -1,5 +1,29 @@
-#ifdef _AIX
+/*
+ *
-void aix_usrinfo(struct passwd *pw, char *tty, int ttyfd);
+ * Copyright (c) 2001 Gert Doering.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+#ifdef _AIX
+void aix_usrinfo(struct passwd *pw);
 #endif /* _AIX */
diff --git a/openbsd-compat/readpassphrase.c b/openbsd-compat/readpassphrase.c
index 8c2f5f841..4e549b62b 100644
--- a/openbsd-compat/readpassphrase.c
+++ b/openbsd-compat/readpassphrase.c
@@ -1,7 +1,7 @@
-/*      $OpenBSD: readpassphrase.c,v 1.12 2001/12/15 05:41:00 millert Exp $     */
+/*      $OpenBSD: readpassphrase.c,v 1.14 2002/06/28 01:43:58 millert Exp $     */
 /*
- * Copyright (c) 2000 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 2000-2002 Todd C. Miller <Todd.Miller@courtesan.com>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -28,7 +28,7 @@
 */
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$OpenBSD: readpassphrase.c,v 1.12 2001/12/15 05:41:00 millert Exp $";
+static const char rcsid[] = "$OpenBSD: readpassphrase.c,v 1.14 2002/06/28 01:43:58 millert Exp $";
 #endif /* LIBC_SCCS and not lint */
 #include "includes.h"
@@ -60,8 +60,8 @@ readpassphrase(const char *prompt, char *buf, size_t bufsiz, int flags)
        int input, output, save_errno;
        char ch, *p, *end;
        struct termios term, oterm;
-        struct sigaction sa, saveint, savehup, savequit, saveterm;
+        struct sigaction sa, savealrm, saveint, savehup, savequit, saveterm;
-        struct sigaction savetstp, savettin, savettou;
+        struct sigaction savetstp, savettin, savettou, savepipe;
        /* I suppose we could alloc on demand in this case (XXX). */
        if (bufsiz == 0) {
@@ -70,11 +70,13 @@ readpassphrase(const char *prompt, char *buf, size_t bufsiz, int flags)
        }
 restart:
+        signo = 0;
        /*
         * Read and write to /dev/tty if available.  If not, read from
         * stdin and write to stderr unless a tty is required.
         */
-        if ((input = output = open(_PATH_TTY, O_RDWR)) == -1) {
+        if ((flags & RPP_STDIN) ||
+            (input = output = open(_PATH_TTY, O_RDWR)) == -1) {
                if (flags & RPP_REQUIRE_TTY) {
                        errno = ENOTTY;
                        return(NULL);
@@ -86,13 +88,15 @@ restart:
        /*
         * Catch signals that would otherwise cause the user to end
         * up with echo turned off in the shell.  Don't worry about
-         * things like SIGALRM and SIGPIPE for now.
+         * things like SIGXCPU and SIGVTALRM for now.
         */
        sigemptyset(&sa.sa_mask);
        sa.sa_flags = 0;                /* don't restart system calls */
        sa.sa_handler = handler;
-        (void)sigaction(SIGINT, &sa, &saveint);
+        (void)sigaction(SIGALRM, &sa, &savealrm);
        (void)sigaction(SIGHUP, &sa, &savehup);
+        (void)sigaction(SIGINT, &sa, &saveint);
+        (void)sigaction(SIGPIPE, &sa, &savepipe);
        (void)sigaction(SIGQUIT, &sa, &savequit);
        (void)sigaction(SIGTERM, &sa, &saveterm);
        (void)sigaction(SIGTSTP, &sa, &savetstp);
@@ -100,7 +104,7 @@ restart:
        (void)sigaction(SIGTTOU, &sa, &savettou);
        /* Turn off echo if possible. */
-        if (tcgetattr(input, &oterm) == 0) {
+        if (input != STDIN_FILENO && tcgetattr(input, &oterm) == 0) {
                memcpy(&term, &oterm, sizeof(term));
                if (!(flags & RPP_ECHO_ON))
                        term.c_lflag &= ~(ECHO | ECHONL);
@@ -111,10 +115,13 @@ restart:
                (void)tcsetattr(input, _T_FLUSH, &term);
        } else {
                memset(&term, 0, sizeof(term));
+                term.c_lflag |= ECHO;
                memset(&oterm, 0, sizeof(oterm));
+                oterm.c_lflag |= ECHO;
        }
-        (void)write(output, prompt, strlen(prompt));
+        if (!(flags & RPP_STDIN))
+                (void)write(output, prompt, strlen(prompt));
        end = buf + bufsiz - 1;
        for (p = buf; (nr = read(input, &ch, 1)) == 1 && ch != '\n' && ch != '\r';) {
                if (p < end) {
@@ -137,13 +144,14 @@ restart:
        /* Restore old terminal settings and signals. */
        if (memcmp(&term, &oterm, sizeof(term)) != 0)
                (void)tcsetattr(input, _T_FLUSH, &oterm);
-        (void)sigaction(SIGINT, &saveint, NULL);
+        (void)sigaction(SIGALRM, &savealrm, NULL);
        (void)sigaction(SIGHUP, &savehup, NULL);
+        (void)sigaction(SIGINT, &saveint, NULL);
        (void)sigaction(SIGQUIT, &savequit, NULL);
+        (void)sigaction(SIGPIPE, &savepipe, NULL);
        (void)sigaction(SIGTERM, &saveterm, NULL);
        (void)sigaction(SIGTSTP, &savetstp, NULL);
        (void)sigaction(SIGTTIN, &savettin, NULL);
-        (void)sigaction(SIGTTOU, &savettou, NULL);
        if (input != STDIN_FILENO)
                (void)close(input);
@@ -152,12 +160,11 @@ restart:
         * now that we have restored the signal handlers.
         */
        if (signo) {
-                kill(getpid(), signo); 
+                kill(getpid(), signo);
                switch (signo) {
                case SIGTSTP:
                case SIGTTIN:
                case SIGTTOU:
-                        signo = 0;
                        goto restart;
                }
        }
diff --git a/openbsd-compat/readpassphrase.h b/openbsd-compat/readpassphrase.h
index 9077b6e08..92908a489 100644
--- a/openbsd-compat/readpassphrase.h
+++ b/openbsd-compat/readpassphrase.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: readpassphrase.h,v 1.1 2000/11/21 00:48:38 millert Exp $      */
+/*      $OpenBSD: readpassphrase.h,v 1.3 2002/06/28 12:32:22 millert Exp $      */
 /*
 * Copyright (c) 2000 Todd C. Miller <Todd.Miller@courtesan.com>
@@ -40,8 +40,9 @@
 #define RPP_FORCELOWER  0x04            /* Force input to lower case. */
 #define RPP_FORCEUPPER  0x08            /* Force input to upper case. */
 #define RPP_SEVENBIT    0x10            /* Strip the high bit from input. */
+#define RPP_STDIN       0x20            /* Read from stdin, not /dev/tty */
-char *readpassphrase(const char *, char *, size_t, int);
+char * readpassphrase(const char *, char *, size_t, int);
 #endif /* HAVE_READPASSPHRASE */
diff --git a/openbsd-compat/realpath.c b/openbsd-compat/realpath.c
index b4a05db95..b9035ca22 100644
--- a/openbsd-compat/realpath.c
+++ b/openbsd-compat/realpath.c
@@ -32,7 +32,7 @@
 #if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
 #if defined(LIBC_SCCS) && !defined(lint)
-static char *rcsid = "$OpenBSD: realpath.c,v 1.6 2002/01/12 16:24:35 millert Exp $";
+static char *rcsid = "$OpenBSD: realpath.c,v 1.7 2002/05/24 21:22:37 deraadt Exp $";
 #endif /* LIBC_SCCS and not lint */
 #include <sys/param.h>
@@ -69,7 +69,7 @@ realpath(const char *path, char *resolved)
        /* Save the starting point. */
        getcwd(start,MAXPATHLEN);       
        if ((fd = open(".", O_RDONLY)) < 0) {
-                (void)strcpy(resolved, ".");
+                (void)strlcpy(resolved, ".", MAXPATHLEN);
                return (NULL);
        }
        close(fd);
@@ -129,7 +129,7 @@ loop:
         * Save the last component name and get the full pathname of
         * the current directory.
         */
-        (void)strcpy(wbuf, p);
+        (void)strlcpy(wbuf, p, sizeof wbuf);
        if (getcwd(resolved, MAXPATHLEN) == 0)
                goto err1;
diff --git a/openbsd-compat/rresvport.c b/openbsd-compat/rresvport.c
index 44eac2036..9f058961d 100644
--- a/openbsd-compat/rresvport.c
+++ b/openbsd-compat/rresvport.c
@@ -33,7 +33,7 @@
 * SUCH DAMAGE.
 */
-#include "config.h"
+#include "includes.h"
 #ifndef HAVE_RRESVPORT_AF
diff --git a/openbsd-compat/setenv.c b/openbsd-compat/setenv.c
index 6c2d5cd31..1dff15c73 100644
--- a/openbsd-compat/setenv.c
+++ b/openbsd-compat/setenv.c
@@ -31,7 +31,7 @@
 * SUCH DAMAGE.
 */
-#include "config.h"
+#include "includes.h"
 #ifndef HAVE_SETENV
 #if defined(LIBC_SCCS) && !defined(lint)
diff --git a/openbsd-compat/sigact.c b/openbsd-compat/sigact.c
index 806eb02b6..35fbab0eb 100644
--- a/openbsd-compat/sigact.c
+++ b/openbsd-compat/sigact.c
@@ -33,7 +33,7 @@
 *     and: Eric S. Raymond <esr@snark.thyrsus.com>                         *
 ****************************************************************************/
-#include "config.h"
+#include "includes.h"
 #include <signal.h>
 #include "sigact.h"
diff --git a/openbsd-compat/strlcat.c b/openbsd-compat/strlcat.c
index 6ff65c19b..3a9b5d1a7 100644
--- a/openbsd-compat/strlcat.c
+++ b/openbsd-compat/strlcat.c
@@ -27,7 +27,7 @@
 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
-#include "config.h"
+#include "includes.h"
 #ifndef HAVE_STRLCAT
 #if defined(LIBC_SCCS) && !defined(lint)
diff --git a/openbsd-compat/strlcpy.c b/openbsd-compat/strlcpy.c
index b5e5a552e..2f87eca44 100644
--- a/openbsd-compat/strlcpy.c
+++ b/openbsd-compat/strlcpy.c
@@ -27,7 +27,7 @@
 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
-#include "config.h"
+#include "includes.h"
 #ifndef HAVE_STRLCPY
 #if defined(LIBC_SCCS) && !defined(lint)
diff --git a/openbsd-compat/strsep.c b/openbsd-compat/strsep.c
index c03649cff..d0afc44ae 100644
--- a/openbsd-compat/strsep.c
+++ b/openbsd-compat/strsep.c
@@ -33,7 +33,7 @@
 * SUCH DAMAGE.
 */
-#include "config.h"
+#include "includes.h"
 #if !defined(HAVE_STRSEP)
diff --git a/openbsd-compat/fake-queue.h b/openbsd-compat/sys-queue.h
index 176fe3174..176fe3174 100644
--- a/openbsd-compat/fake-queue.h
+++ b/openbsd-compat/sys-queue.h
diff --git a/openbsd-compat/tree.h b/openbsd-compat/sys-tree.h
index 30b4a8561..0a58710c9 100644
--- a/openbsd-compat/tree.h
+++ b/openbsd-compat/sys-tree.h
@@ -1,3 +1,4 @@
+/*      $OpenBSD: tree.h,v 1.6 2002/06/11 22:09:52 provos Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * All rights reserved.
@@ -113,8 +114,47 @@ struct {								\
 #define SPLAY_PROTOTYPE(name, type, field, cmp)                         \
 void name##_SPLAY(struct name *, struct type *);                        \
 void name##_SPLAY_MINMAX(struct name *, int);                           \
+struct type *name##_SPLAY_INSERT(struct name *, struct type *);         \
+struct type *name##_SPLAY_REMOVE(struct name *, struct type *);         \
                                                                        \
-static __inline void                                                    \
+/* Finds the node with the same key as elm */                           \
+static __inline struct type *                                           \
+name##_SPLAY_FIND(struct name *head, struct type *elm)                  \
+{                                                                       \
+        if (SPLAY_EMPTY(head))                                          \
+                return(NULL);                                           \
+        name##_SPLAY(head, elm);                                        \
+        if ((cmp)(elm, (head)->sph_root) == 0)                          \
+                return (head->sph_root);                                \
+        return (NULL);                                                  \
+}                                                                       \
+                                                                        \
+static __inline struct type *                                           \
+name##_SPLAY_NEXT(struct name *head, struct type *elm)                  \
+{                                                                       \
+        name##_SPLAY(head, elm);                                        \
+        if (SPLAY_RIGHT(elm, field) != NULL) {                          \
+                elm = SPLAY_RIGHT(elm, field);                          \
+                while (SPLAY_LEFT(elm, field) != NULL) {                \
+                        elm = SPLAY_LEFT(elm, field);                   \
+                }                                                       \
+        } else                                                          \
+                elm = NULL;                                             \
+        return (elm);                                                   \
+}                                                                       \
+                                                                        \
+static __inline struct type *                                           \
+name##_SPLAY_MIN_MAX(struct name *head, int val)                        \
+{                                                                       \
+        name##_SPLAY_MINMAX(head, val);                                 \
+        return (SPLAY_ROOT(head));                                      \
+}
+/* Main splay operation.
+ * Moves node close to the key of elm to top
+ */
+#define SPLAY_GENERATE(name, type, field, cmp)                          \
+struct type *                                                           \
 name##_SPLAY_INSERT(struct name *head, struct type *elm)                \
 {                                                                       \
    if (SPLAY_EMPTY(head)) {                                            \
@@ -132,17 +172,18 @@ name##_SPLAY_INSERT(struct name *head, struct type *elm)		\
                    SPLAY_LEFT(elm, field) = (head)->sph_root;          \
                    SPLAY_RIGHT((head)->sph_root, field) = NULL;        \
            } else                                                      \
-                    return;                                             \
+                    return ((head)->sph_root);                          \
    }                                                                   \
    (head)->sph_root = (elm);                                           \
+    return (NULL);                                                      \
 }                                                                       \
                                                                        \
-static __inline void                                                    \
+struct type *                                                           \
 name##_SPLAY_REMOVE(struct name *head, struct type *elm)                \
 {                                                                       \
        struct type *__tmp;                                             \
        if (SPLAY_EMPTY(head))                                          \
-                return;                                                 \
+                return (NULL);                                          \
        name##_SPLAY(head, elm);                                        \
        if ((cmp)(elm, (head)->sph_root) == 0) {                        \
                if (SPLAY_LEFT((head)->sph_root, field) == NULL) {      \
@@ -153,47 +194,13 @@ name##_SPLAY_REMOVE(struct name *head, struct type *elm)		\
                        name##_SPLAY(head, elm);                        \
                        SPLAY_RIGHT((head)->sph_root, field) = __tmp;   \
                }                                                       \
+                return (elm);                                           \
        }                                                               \
-}                                                                       \
-                                                                        \
-/* Finds the node with the same key as elm */                           \
-static __inline struct type *                                           \
-name##_SPLAY_FIND(struct name *head, struct type *elm)                  \
-{                                                                       \
-        if (SPLAY_EMPTY(head))                                          \
-                return(NULL);                                           \
-        name##_SPLAY(head, elm);                                        \
-        if ((cmp)(elm, (head)->sph_root) == 0)                          \
-                return (head->sph_root);                                \
        return (NULL);                                                  \
 }                                                                       \
                                                                        \
-static __inline struct type *                                           \
+void                                                                    \
-name##_SPLAY_NEXT(struct name *head, struct type *elm)                  \
+name##_SPLAY(struct name *head, struct type *elm)                       \
-{                                                                       \
-        name##_SPLAY(head, elm);                                        \
-        if (SPLAY_RIGHT(elm, field) != NULL) {                          \
-                elm = SPLAY_RIGHT(elm, field);                          \
-                while (SPLAY_LEFT(elm, field) != NULL) {                \
-                        elm = SPLAY_LEFT(elm, field);                   \
-                }                                                       \
-        } else                                                          \
-                elm = NULL;                                             \
-        return (elm);                                                   \
-}                                                                       \
-                                                                        \
-static __inline struct type *                                           \
-name##_SPLAY_MIN_MAX(struct name *head, int val)                        \
-{                                                                       \
-        name##_SPLAY_MINMAX(head, val);                                 \
-        return (SPLAY_ROOT(head));                                      \
-}
-/* Main splay operation.
- * Moves node close to the key of elm to top
- */
-#define SPLAY_GENERATE(name, type, field, cmp)                          \
-void name##_SPLAY(struct name *head, struct type *elm)                  \
 {                                                                       \
        struct type __node, *__left, *__right, *__tmp;                  \
        int __comp;                                                     \
@@ -367,7 +374,7 @@ struct {								\
 #define RB_PROTOTYPE(name, type, field, cmp)                            \
 void name##_RB_INSERT_COLOR(struct name *, struct type *);      \
 void name##_RB_REMOVE_COLOR(struct name *, struct type *, struct type *);\
-void name##_RB_REMOVE(struct name *, struct type *);                    \
+struct type *name##_RB_REMOVE(struct name *, struct type *);            \
 struct type *name##_RB_INSERT(struct name *, struct type *);            \
 struct type *name##_RB_FIND(struct name *, struct type *);              \
 struct type *name##_RB_NEXT(struct name *, struct type *);              \
@@ -498,17 +505,17 @@ name##_RB_REMOVE_COLOR(struct name *head, struct type *parent, struct type *elm)
                RB_COLOR(elm, field) = RB_BLACK;                        \
 }                                                                       \
                                                                        \
-void                                                                    \
+struct type *                                                           \
 name##_RB_REMOVE(struct name *head, struct type *elm)                   \
 {                                                                       \
-        struct type *child, *parent;                                    \
+        struct type *child, *parent, *old = elm;                        \
        int color;                                                      \
        if (RB_LEFT(elm, field) == NULL)                                \
                child = RB_RIGHT(elm, field);                           \
        else if (RB_RIGHT(elm, field) == NULL)                          \
                child = RB_LEFT(elm, field);                            \
        else {                                                          \
-                struct type *old = elm, *left;                          \
+                struct type *left;                                      \
                elm = RB_RIGHT(elm, field);                             \
                while ((left = RB_LEFT(elm, field)))                    \
                        elm = left;                                     \
@@ -562,6 +569,7 @@ name##_RB_REMOVE(struct name *head, struct type *elm)			\
 color:                                                                  \
        if (color == RB_BLACK)                                          \
                name##_RB_REMOVE_COLOR(head, parent, child);            \
+        return (old);                                                   \
 }                                                                       \
                                                                        \
 /* Inserts a node into the RB tree */                                   \
diff --git a/openbsd-compat/xmmap.c b/openbsd-compat/xmmap.c
new file mode 100644
index 000000000..8f1d2022c
--- /dev/null
+++ b/openbsd-compat/xmmap.c
@@ -0,0 +1,67 @@
+/*
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "includes.h"
+#ifdef HAVE_SYS_MMAN_H
+#include <sys/mman.h>
+#endif
+#include "log.h"
+void *xmmap(size_t size)
+{
+        void *address;
+#ifdef HAVE_MMAP
+# ifdef MAP_ANON
+        address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED,
+            -1, 0);
+# else
+        address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_SHARED,
+            open("/dev/zero", O_RDWR), 0);
+# endif
+#define MM_SWAP_TEMPLATE "/var/run/sshd.mm.XXXXXXXX"
+        if (address == MAP_FAILED) {
+                char tmpname[sizeof(MM_SWAP_TEMPLATE)] = MM_SWAP_TEMPLATE;
+                int tmpfd;
+                tmpfd = mkstemp(tmpname);
+                if (tmpfd == -1)
+                        fatal("mkstemp(\"%s\"): %s",
+                            MM_SWAP_TEMPLATE, strerror(errno));
+                unlink(tmpname);
+                ftruncate(tmpfd, size);
+                address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_SHARED,
+                    tmpfd, 0);
+                close(tmpfd);
+        }
+        return (address);
+#else
+        fatal("%s: UsePrivilegeSeparation=yes and Compression=yes not supported",
+            __func__);
+#endif /* HAVE_MMAP */
+}
diff --git a/openbsd-compat/xmmap.h b/openbsd-compat/xmmap.h
new file mode 100644
index 000000000..c0fa04aca
--- /dev/null
+++ b/openbsd-compat/xmmap.h
@@ -0,0 +1,23 @@
+/*
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+void *xmmap(size_t size);
diff --git a/packet.c b/packet.c
index 273ffea58..dbd3791d2 100644
--- a/packet.c
+++ b/packet.c
@@ -37,7 +37,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: packet.c,v 1.96 2002/06/23 21:10:02 deraadt Exp $");
+RCSID("$OpenBSD: packet.c,v 1.97 2002/07/04 08:12:15 deraadt Exp $");
 #include "xmalloc.h"
 #include "buffer.h"
@@ -136,6 +136,7 @@ void
 packet_set_connection(int fd_in, int fd_out, int new_setup_timeout)
 {
        Cipher *none = cipher_by_name("none");
        if (none == NULL)
                fatal("packet_set_connection: cannot load cipher 'none'");
        connection_in = fd_in;
@@ -405,6 +406,7 @@ packet_set_encryption_key(const u_char *key, u_int keylen,
    int number)
 {
        Cipher *cipher = cipher_by_number(number);
        if (cipher == NULL)
                fatal("packet_set_encryption_key: unknown cipher number %d", number);
        if (keylen < 20)
@@ -446,6 +448,7 @@ void
 packet_put_char(int value)
 {
        char ch = value;
        buffer_append(&outgoing_packet, &ch, 1);
 }
 void
@@ -1008,7 +1011,8 @@ packet_read_poll2(u_int32_t *seqnr_p)
                buffer_clear(&incoming_packet);
                buffer_append(&incoming_packet, buffer_ptr(&compression_buffer),
                    buffer_len(&compression_buffer));
-                DBG(debug("input: len after de-compress %d", buffer_len(&incoming_packet)));
+                DBG(debug("input: len after de-compress %d",
+                    buffer_len(&incoming_packet)));
        }
        /*
         * get packet type, implies consume.
@@ -1116,6 +1120,7 @@ u_int
 packet_get_char(void)
 {
        char ch;
        buffer_get(&incoming_packet, &ch, 1);
        return (u_char) ch;
 }
@@ -1149,6 +1154,7 @@ void *
 packet_get_raw(int *length_ptr)
 {
        int bytes = buffer_len(&incoming_packet);
        if (length_ptr != NULL)
                *length_ptr = bytes;
        return buffer_ptr(&incoming_packet);
@@ -1221,6 +1227,7 @@ packet_disconnect(const char *fmt,...)
        char buf[1024];
        va_list args;
        static int disconnecting = 0;
        if (disconnecting)      /* Guard against recursive invocations. */
                fatal("packet_disconnect called recursively.");
        disconnecting = 1;
@@ -1263,6 +1270,7 @@ void
 packet_write_poll(void)
 {
        int len = buffer_len(&output);
        if (len > 0) {
                len = write(connection_out, buffer_ptr(&output), len);
                if (len <= 0) {
@@ -1382,6 +1390,7 @@ int
 packet_set_maxsize(int s)
 {
        static int called = 0;
        if (called) {
                log("packet_set_maxsize: called twice: old %d new %d",
                    max_packet_size, s);
diff --git a/radix.c b/radix.c
index 580e7e07f..c680d6bf3 100644
--- a/radix.c
+++ b/radix.c
@@ -26,7 +26,7 @@
 #include "includes.h"
 #include "uuencode.h"
-RCSID("$OpenBSD: radix.c,v 1.21 2002/06/19 00:27:55 deraadt Exp $");
+RCSID("$OpenBSD: radix.c,v 1.22 2002/09/09 14:54:15 markus Exp $");
 #ifdef AFS
 #include <krb.h>
@@ -93,9 +93,10 @@ int
 radix_to_creds(const char *buf, CREDENTIALS *creds)
 {
        Buffer b;
-        char c, version, *space, *p;
+        u_char *space;
-        u_int endTime;
+        char c, version, *p;
-        int len, blen, ret;
+        u_int endTime, len;
+        int blen, ret;
        ret = 0;
        blen = strlen(buf);
diff --git a/readconf.c b/readconf.c
index 399855bd4..097d4082d 100644
--- a/readconf.c
+++ b/readconf.c
@@ -204,7 +204,7 @@ add_local_forward(Options *options, u_short port, const char *host,
                  u_short host_port)
 {
        Forward *fwd;
-#ifndef HAVE_CYGWIN
+#ifndef NO_IPPORT_RESERVED_CONCEPT
        extern uid_t original_real_uid;
        if (port < IPPORT_RESERVED && original_real_uid != 0)
                fatal("Privileged ports can only be forwarded by root.");
diff --git a/rijndael.c b/rijndael.c
index 448048ea6..6965ca3b0 100644
--- a/rijndael.c
+++ b/rijndael.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: rijndael.c,v 1.13 2001/12/19 07:18:56 deraadt Exp $ */
+/*      $OpenBSD: rijndael.c,v 1.14 2002/07/10 17:53:54 deraadt Exp $ */
 /**
 * rijndael-alg-fst.c
@@ -1226,7 +1226,7 @@ rijndael_set_key(rijndael_ctx *ctx, u_char *key, int bits, int encrypt)
                memset(ctx->dk, 0, sizeof(ctx->dk));
        } else {
                ctx->decrypt = 1;
-                memcpy(ctx->dk, ctx->ek, sizeof(ctx->ek));
+                memcpy(ctx->dk, ctx->ek, sizeof(ctx->dk));
                rijndaelKeySetupDec(ctx->dk, key, bits, ctx->Nr);
        }
 }
diff --git a/scard.h b/scard.h
index c0aa9ed30..00999cb09 100644
--- a/scard.h
+++ b/scard.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: scard.h,v 1.10 2002/03/25 17:34:27 markus Exp $       */
+/*      $OpenBSD: scard.h,v 1.11 2002/06/30 21:59:45 deraadt Exp $      */
 /*
 * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@@ -33,8 +33,8 @@
 #define SCARD_ERROR_NOCARD      -2
 #define SCARD_ERROR_APPLET      -3
-Key     **sc_get_keys(const char*, const char*);
+Key     **sc_get_keys(const char *, const char *);
 void     sc_close(void);
-int      sc_put_key(Key *, const char*);
+int      sc_put_key(Key *, const char *);
 #endif
diff --git a/servconf.c b/servconf.c
index f311ae48d..e3939df40 100644
--- a/servconf.c
+++ b/servconf.c
@@ -10,7 +10,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.112 2002/06/23 09:46:51 deraadt Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.115 2002/09/04 18:52:42 stevesk Exp $");
 #if defined(KRB4)
 #include <krb.h>
@@ -101,6 +101,7 @@ initialize_server_options(ServerOptions *options)
        options->kbd_interactive_authentication = -1;
        options->challenge_response_authentication = -1;
        options->permit_empty_passwd = -1;
+        options->permit_user_env = -1;
        options->use_login = -1;
        options->compression = -1;
        options->allow_tcp_forwarding = -1;
@@ -158,7 +159,7 @@ fill_default_server_options(ServerOptions *options)
        if (options->server_key_bits == -1)
                options->server_key_bits = 768;
        if (options->login_grace_time == -1)
-                options->login_grace_time = 600;
+                options->login_grace_time = 120;
        if (options->key_regeneration_time == -1)
                options->key_regeneration_time = 3600;
        if (options->permit_root_login == PERMIT_NOT_SET)
@@ -223,6 +224,8 @@ fill_default_server_options(ServerOptions *options)
                options->challenge_response_authentication = 1;
        if (options->permit_empty_passwd == -1)
                options->permit_empty_passwd = 0;
+        if (options->permit_user_env == -1)
+                options->permit_user_env = 0;
        if (options->use_login == -1)
                options->use_login = 0;
        if (options->compression == -1)
@@ -257,7 +260,7 @@ fill_default_server_options(ServerOptions *options)
        if (use_privsep == -1)
                use_privsep = 1;
-#if !defined(HAVE_MMAP_ANON_SHARED)
+#ifndef HAVE_MMAP
        if (use_privsep && options->compression == 1) {
                error("This platform does not support both privilege "
                    "separation and compression");
@@ -291,7 +294,7 @@ typedef enum {
        sPrintMotd, sPrintLastLog, sIgnoreRhosts,
        sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
        sStrictModes, sEmptyPasswd, sKeepAlives,
-        sUseLogin, sAllowTcpForwarding, sCompression,
+        sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
        sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
        sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
        sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
@@ -354,6 +357,7 @@ static struct {
        { "xauthlocation", sXAuthLocation },
        { "strictmodes", sStrictModes },
        { "permitemptypasswords", sEmptyPasswd },
+        { "permituserenvironment", sPermitUserEnvironment },
        { "uselogin", sUseLogin },
        { "compression", sCompression },
        { "keepalive", sKeepAlives },
@@ -713,6 +717,10 @@ parse_flag:
                intptr = &options->permit_empty_passwd;
                goto parse_flag;
+        case sPermitUserEnvironment:
+                intptr = &options->permit_user_env;
+                goto parse_flag;
        case sUseLogin:
                intptr = &options->use_login;
                goto parse_flag;
diff --git a/servconf.h b/servconf.h
index c94f541d0..024987dd6 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: servconf.h,v 1.58 2002/06/20 23:05:55 markus Exp $    */
+/*      $OpenBSD: servconf.h,v 1.59 2002/07/30 17:03:55 markus Exp $    */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -97,6 +97,7 @@ typedef struct {
        int     challenge_response_authentication;
        int     permit_empty_passwd;    /* If false, do not permit empty
                                         * passwords. */
+        int     permit_user_env;        /* If true, read ~/.ssh/environment */
        int     use_login;      /* If true, login(1) is used */
        int     compression;    /* If true, compression is allowed */
        int     allow_tcp_forwarding;
diff --git a/serverloop.c b/serverloop.c
index d327ff702..e66d529e9 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -35,13 +35,14 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: serverloop.c,v 1.103 2002/06/24 14:33:27 markus Exp $");
+RCSID("$OpenBSD: serverloop.c,v 1.104 2002/09/19 16:03:15 stevesk Exp $");
 #include "xmalloc.h"
 #include "packet.h"
 #include "buffer.h"
 #include "log.h"
 #include "servconf.h"
+#include "canohost.h"
 #include "sshpty.h"
 #include "channels.h"
 #include "compat.h"
@@ -143,7 +144,9 @@ sigchld_handler(int sig)
        int save_errno = errno;
        debug("Received SIGCHLD.");
        child_terminated = 1;
+#ifndef _UNICOS
        mysignal(SIGCHLD, sigchld_handler);
+#endif
        notify_parent();
        errno = save_errno;
 }
@@ -347,14 +350,17 @@ process_input(fd_set * readset)
        if (FD_ISSET(connection_in, readset)) {
                len = read(connection_in, buf, sizeof(buf));
                if (len == 0) {
-                        verbose("Connection closed by remote host.");
+                        verbose("Connection closed by %.100s",
+                            get_remote_ipaddr());
                        connection_closed = 1;
                        if (compat20)
                                return;
                        fatal_cleanup();
                } else if (len < 0) {
                        if (errno != EINTR && errno != EAGAIN) {
-                                verbose("Read error from remote host: %.100s", strerror(errno));
+                                verbose("Read error from remote host "
+                                    "%.100s: %.100s",
+                                    get_remote_ipaddr(), strerror(errno));
                                fatal_cleanup();
                        }
                } else {
@@ -972,8 +978,11 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
                /* check permissions */
                if (!options.allow_tcp_forwarding ||
-                    no_port_forwarding_flag ||
+                    no_port_forwarding_flag
-                    (listen_port < IPPORT_RESERVED && pw->pw_uid != 0)) {
+#ifndef NO_IPPORT_RESERVED_CONCEPT
+                    || (listen_port < IPPORT_RESERVED && pw->pw_uid != 0)
+#endif
+                   ) {
                        success = 0;
                        packet_send_debug("Server has disabled port forwarding.");
                } else {
diff --git a/session.c b/session.c
index 747a00afa..9074525a4 100644
--- a/session.c
+++ b/session.c
@@ -33,7 +33,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.142 2002/06/26 13:49:26 deraadt Exp $");
+RCSID("$OpenBSD: session.c,v 1.150 2002/09/16 19:55:33 stevesk Exp $");
 #include "ssh.h"
 #include "ssh1.h"
@@ -210,13 +210,6 @@ do_authenticated(Authctxt *authctxt)
                close(startup_pipe);
                startup_pipe = -1;
        }
-#ifdef WITH_AIXAUTHENTICATE
-        /* We don't have a pty yet, so just label the line as "ssh" */
-        if (loginsuccess(authctxt->user,
-            get_canonical_hostname(options.verify_reverse_mapping),
-            "ssh", &aixloginmsg) < 0)
-                aixloginmsg = NULL;
-#endif /* WITH_AIXAUTHENTICATE */
        /* setup the channel layer */
        if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
@@ -470,6 +463,8 @@ do_exec_no_pty(Session *s, const char *command)
        /* Fork the child. */
        if ((pid = fork()) == 0) {
+                fatal_remove_all_cleanups();
                /* Child.  Reinitialize the log since the pid has changed. */
                log_init(__progname, options.log_level, options.log_facility, log_stderr);
@@ -517,10 +512,17 @@ do_exec_no_pty(Session *s, const char *command)
                        perror("dup2 stderr");
 #endif /* USE_PIPES */
+#ifdef _UNICOS
+                cray_init_job(s->pw); /* set up cray jid and tmpdir */
+#endif
                /* Do processing for the child (exec command etc). */
                do_child(s, command);
                /* NOTREACHED */
        }
+#ifdef _UNICOS
+        signal(WJSIGNAL, cray_job_termination_handler);
+#endif /* _UNICOS */
 #ifdef HAVE_CYGWIN
        if (is_winnt)
                cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
@@ -585,6 +587,7 @@ do_exec_pty(Session *s, const char *command)
        /* Fork the child. */
        if ((pid = fork()) == 0) {
+                fatal_remove_all_cleanups();
                /* Child.  Reinitialize the log because the pid has changed. */
                log_init(__progname, options.log_level, options.log_facility, log_stderr);
@@ -607,8 +610,12 @@ do_exec_pty(Session *s, const char *command)
                /* record login, etc. similar to login(1) */
 #ifndef HAVE_OSF_SIA
-                if (!(options.use_login && command == NULL))
+                if (!(options.use_login && command == NULL)) {
+#ifdef _UNICOS
+                        cray_init_job(s->pw); /* set up cray jid and tmpdir */
+#endif /* _UNICOS */
                        do_login(s, command);
+                }
 # ifdef LOGIN_NEEDS_UTMPX
                else
                        do_pre_login(s);
@@ -619,6 +626,9 @@ do_exec_pty(Session *s, const char *command)
                do_child(s, command);
                /* NOTREACHED */
        }
+#ifdef _UNICOS
+        signal(WJSIGNAL, cray_job_termination_handler);
+#endif /* _UNICOS */
 #ifdef HAVE_CYGWIN
        if (is_winnt)
                cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
@@ -668,8 +678,8 @@ do_pre_login(Session *s)
         * the address be 0.0.0.0.
         */
        memset(&from, 0, sizeof(from));
+        fromlen = sizeof(from);
        if (packet_connection_is_on_socket()) {
-                fromlen = sizeof(from);
                if (getpeername(packet_get_connection_in(),
                    (struct sockaddr *) & from, &fromlen) < 0) {
                        debug("getpeername: %.100s", strerror(errno));
@@ -734,7 +744,7 @@ do_login(Session *s, const char *command)
                record_login(pid, s->tty, pw->pw_name, pw->pw_uid,
                    get_remote_name_or_ip(utmp_len,
                    options.verify_reverse_mapping),
-                    (struct sockaddr *)&from);
+                    (struct sockaddr *)&from, fromlen);
 #ifdef USE_PAM
        /*
@@ -759,6 +769,7 @@ do_login(Session *s, const char *command)
                printf("%s\n", aixloginmsg);
 #endif /* WITH_AIXAUTHENTICATE */
+#ifndef NO_SSH_LASTLOG
        if (options.print_lastlog && s->last_login_time != 0) {
                time_string = ctime(&s->last_login_time);
                if (strchr(time_string, '\n'))
@@ -769,6 +780,7 @@ do_login(Session *s, const char *command)
                        printf("Last login: %s from %s\r\n", time_string,
                            s->hostname);
        }
+#endif /* NO_SSH_LASTLOG */
        do_motd();
 }
@@ -959,8 +971,10 @@ do_setup_env(Session *s, const char *shell)
                child_set_env(&env, &envsize, "LOGNAME", pw->pw_name);
                child_set_env(&env, &envsize, "HOME", pw->pw_dir);
 #ifdef HAVE_LOGIN_CAP
-                (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH);
+                if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0)
-                child_set_env(&env, &envsize, "PATH", getenv("PATH"));
+                        child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
+                else
+                        child_set_env(&env, &envsize, "PATH", getenv("PATH"));
 #else /* HAVE_LOGIN_CAP */
 # ifndef HAVE_CYGWIN
                /*
@@ -992,13 +1006,13 @@ do_setup_env(Session *s, const char *shell)
        if (!options.use_login) {
                while (custom_environment) {
                        struct envstring *ce = custom_environment;
-                        char *s = ce->s;
+                        char *str = ce->s;
-                        for (i = 0; s[i] != '=' && s[i]; i++)
+                        for (i = 0; str[i] != '=' && str[i]; i++)
                                ;
-                        if (s[i] == '=') {
+                        if (str[i] == '=') {
-                                s[i] = 0;
+                                str[i] = 0;
-                                child_set_env(&env, &envsize, s, s + i + 1);
+                                child_set_env(&env, &envsize, str, str + i + 1);
                        }
                        custom_environment = ce->next;
                        xfree(ce->s);
@@ -1006,10 +1020,16 @@ do_setup_env(Session *s, const char *shell)
                }
        }
+        /* SSH_CLIENT deprecated */
        snprintf(buf, sizeof buf, "%.50s %d %d",
            get_remote_ipaddr(), get_remote_port(), get_local_port());
        child_set_env(&env, &envsize, "SSH_CLIENT", buf);
+        snprintf(buf, sizeof buf, "%.50s %d %.50s %d",
+            get_remote_ipaddr(), get_remote_port(),
+            get_local_ipaddr(packet_get_connection_in()), get_local_port());
+        child_set_env(&env, &envsize, "SSH_CONNECTION", buf);
        if (s->ttyfd != -1)
                child_set_env(&env, &envsize, "SSH_TTY", s->tty);
        if (s->term)
@@ -1020,6 +1040,11 @@ do_setup_env(Session *s, const char *shell)
                child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
                    original_command);
+#ifdef _UNICOS
+        if (cray_tmpdir[0] != '\0')
+                child_set_env(&env, &envsize, "TMPDIR", cray_tmpdir);
+#endif /* _UNICOS */
 #ifdef _AIX
        {
                char *cp;
@@ -1042,8 +1067,17 @@ do_setup_env(Session *s, const char *shell)
                    s->authctxt->krb5_ticket_file);
 #endif
 #ifdef USE_PAM
-        /* Pull in any environment variables that may have been set by PAM. */
+        /*
-        copy_environment(fetch_pam_environment(), &env, &envsize);
+         * Pull in any environment variables that may have
+         * been set by PAM.
+         */
+        {
+                char **p;
+                p = fetch_pam_environment();
+                copy_environment(p, &env, &envsize);
+                free_pam_environment(p);
+        }
 #endif /* USE_PAM */
        if (auth_sock_name != NULL)
@@ -1051,9 +1085,9 @@ do_setup_env(Session *s, const char *shell)
                    auth_sock_name);
        /* read $HOME/.ssh/environment. */
-        if (!options.use_login) {
+        if (options.permit_user_env && !options.use_login) {
                snprintf(buf, sizeof buf, "%.200s/.ssh/environment",
-                    pw->pw_dir);
+                    strcmp(pw->pw_dir, "/") ? pw->pw_dir : "");
                read_environment_file(&env, &envsize, buf);
        }
        if (debug_flag) {
@@ -1148,6 +1182,8 @@ do_nologin(struct passwd *pw)
 #endif
        if (f) {
                /* /etc/nologin exists.  Print its contents and exit. */
+                log("User %.100s not allowed because %s exists",
+                    pw->pw_name, _PATH_NOLOGIN);
                while (fgets(buf, sizeof(buf), f))
                        fputs(buf, stderr);
                fclose(f);
@@ -1159,8 +1195,6 @@ do_nologin(struct passwd *pw)
 void
 do_setusercontext(struct passwd *pw)
 {
-        char tty='\0';
 #ifdef HAVE_CYGWIN
        if (is_winnt) {
 #else /* HAVE_CYGWIN */
@@ -1170,9 +1204,9 @@ do_setusercontext(struct passwd *pw)
                setpcred(pw->pw_name);
 #endif /* HAVE_SETPCRED */
 #ifdef HAVE_LOGIN_CAP
-#ifdef __bsdi__
+# ifdef __bsdi__
                setpgid(0, 0);
-#endif
+# endif
                if (setusercontext(lc, pw, pw->pw_uid,
                    (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) {
                        perror("unable to set user context");
@@ -1209,8 +1243,7 @@ do_setusercontext(struct passwd *pw)
                irix_setusercontext(pw);
 #  endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */
 # ifdef _AIX
-                /* XXX: Disable tty setting.  Enabled if required later */
+                aix_usrinfo(pw);
-                aix_usrinfo(pw, &tty, -1);
 # endif /* _AIX */
                /* Permanently switch to the desired uid. */
                permanently_set_uid(pw);
@@ -1263,6 +1296,10 @@ do_child(Session *s, const char *command)
        if (options.use_login && command != NULL)
                options.use_login = 0;
+#ifdef _UNICOS
+        cray_setup(pw->pw_uid, pw->pw_name, command);
+#endif /* _UNICOS */
        /*
         * Login(1) does this as well, and it needs uid 0 for the "-h"
         * switch, so we let login(1) to this for us.
@@ -1798,6 +1835,27 @@ session_pty_cleanup(void *session)
        PRIVSEP(session_pty_cleanup2(session));
 }
+static char *
+sig2name(int sig)
+{
+#define SSH_SIG(x) if (sig == SIG ## x) return #x
+        SSH_SIG(ABRT);
+        SSH_SIG(ALRM);
+        SSH_SIG(FPE);
+        SSH_SIG(HUP);
+        SSH_SIG(ILL);
+        SSH_SIG(INT);
+        SSH_SIG(KILL);
+        SSH_SIG(PIPE);
+        SSH_SIG(QUIT);
+        SSH_SIG(SEGV);
+        SSH_SIG(TERM);
+        SSH_SIG(USR1);
+        SSH_SIG(USR2);
+#undef  SSH_SIG
+        return "SIG@openssh.com";
+}
 static void
 session_exit_message(Session *s, int status)
 {
@@ -1815,7 +1873,7 @@ session_exit_message(Session *s, int status)
                packet_send();
        } else if (WIFSIGNALED(status)) {
                channel_request_start(s->chanid, "exit-signal", 0);
-                packet_put_int(WTERMSIG(status));
+                packet_put_cstring(sig2name(WTERMSIG(status)));
 #ifdef WCOREDUMP
                packet_put_char(WCOREDUMP(status));
 #else /* WCOREDUMP */
diff --git a/session.h b/session.h
index 3bce97891..d3ddfab75 100644
--- a/session.h
+++ b/session.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: session.h,v 1.18 2002/06/23 21:06:41 deraadt Exp $    */
+/*      $OpenBSD: session.h,v 1.19 2002/06/30 21:59:45 deraadt Exp $    */
 /*
 * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -57,7 +57,7 @@ struct Session {
 void     do_authenticated(Authctxt *);
-int      session_open(Authctxt*, int);
+int      session_open(Authctxt *, int);
 int      session_input_channel_req(Channel *, const char *);
 void     session_close_by_pid(pid_t, int);
 void     session_close_by_channel(int, void *);
diff --git a/sftp-client.c b/sftp-client.c
index 10b7992d0..f6a73f379 100644
--- a/sftp-client.c
+++ b/sftp-client.c
@@ -28,9 +28,9 @@
 /* XXX: copy between two remote sites */
 #include "includes.h"
-RCSID("$OpenBSD: sftp-client.c,v 1.33 2002/06/23 09:30:14 deraadt Exp $");
+RCSID("$OpenBSD: sftp-client.c,v 1.35 2002/09/11 22:41:49 djm Exp $");
-#include "openbsd-compat/fake-queue.h"
+#include "openbsd-compat/sys-queue.h"
 #include "buffer.h"
 #include "bufaux.h"
@@ -415,12 +415,6 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int printflag,
 }
 int
-do_ls(struct sftp_conn *conn, char *path)
-{
-        return(do_lsreaddir(conn, path, 1, NULL));
-}
-int
 do_readdir(struct sftp_conn *conn, char *path, SFTP_DIRENT ***dir)
 {
        return(do_lsreaddir(conn, path, 0, dir));
@@ -1095,7 +1089,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
                        debug3("In write loop, ack for %u %u bytes at %llu",
                           ack->id, ack->len, (unsigned long long)ack->offset);
                        ++ackid;
-                        free(ack);
+                        xfree(ack);
                }
                offset += len;
        }
diff --git a/sftp-client.h b/sftp-client.h
index b06171168..98e08ffa7 100644
--- a/sftp-client.h
+++ b/sftp-client.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-client.h,v 1.10 2002/06/23 09:30:14 deraadt Exp $ */
+/* $OpenBSD: sftp-client.h,v 1.11 2002/09/11 22:41:50 djm Exp $ */
 /*
 * Copyright (c) 2001,2002 Damien Miller.  All rights reserved.
@@ -48,9 +48,6 @@ u_int sftp_proto_version(struct sftp_conn *);
 /* Close file referred to by 'handle' */
 int do_close(struct sftp_conn *, char *, u_int);
-/* List contents of directory 'path' to stdout */
-int do_ls(struct sftp_conn *, char *);
 /* Read contents of 'path' to NULL-terminated array 'dir' */
 int do_readdir(struct sftp_conn *, char *, SFTP_DIRENT ***);
diff --git a/sftp-common.c b/sftp-common.c
index 6bed0ab8a..082345486 100644
--- a/sftp-common.c
+++ b/sftp-common.c
@@ -24,7 +24,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sftp-common.c,v 1.6 2002/06/23 09:30:14 deraadt Exp $");
+RCSID("$OpenBSD: sftp-common.c,v 1.7 2002/09/11 22:41:50 djm Exp $");
 #include "buffer.h"
 #include "bufaux.h"
@@ -65,6 +65,26 @@ stat_to_attrib(struct stat *st, Attrib *a)
        a->mtime = st->st_mtime;
 }
+/* Convert from filexfer attribs to struct stat */
+void
+attrib_to_stat(Attrib *a, struct stat *st)
+{
+        memset(st, 0, sizeof(*st));
+        if (a->flags & SSH2_FILEXFER_ATTR_SIZE)
+                st->st_size = a->size;
+        if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) {
+                st->st_uid = a->uid;
+                st->st_gid = a->gid;
+        }
+        if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS)
+                st->st_mode = a->perm;
+        if (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME) {
+                st->st_atime = a->atime;
+                st->st_mtime = a->mtime;
+        }
+}
 /* Decode attributes in buffer */
 Attrib *
 decode_attrib(Buffer *b)
@@ -149,3 +169,45 @@ fx2txt(int status)
        }
        /* NOTREACHED */
 }
+/*
+ * drwxr-xr-x    5 markus   markus       1024 Jan 13 18:39 .ssh
+ */
+char *
+ls_file(char *name, struct stat *st, int remote)
+{
+        int ulen, glen, sz = 0;
+        struct passwd *pw;
+        struct group *gr;
+        struct tm *ltime = localtime(&st->st_mtime);
+        char *user, *group;
+        char buf[1024], mode[11+1], tbuf[12+1], ubuf[11+1], gbuf[11+1];
+        strmode(st->st_mode, mode);
+        if (!remote && (pw = getpwuid(st->st_uid)) != NULL) {
+                user = pw->pw_name;
+        } else {
+                snprintf(ubuf, sizeof ubuf, "%u", (u_int)st->st_uid);
+                user = ubuf;
+        }
+        if (!remote && (gr = getgrgid(st->st_gid)) != NULL) {
+                group = gr->gr_name;
+        } else {
+                snprintf(gbuf, sizeof gbuf, "%u", (u_int)st->st_gid);
+                group = gbuf;
+        }
+        if (ltime != NULL) {
+                if (time(NULL) - st->st_mtime < (365*24*60*60)/2)
+                        sz = strftime(tbuf, sizeof tbuf, "%b %e %H:%M", ltime);
+                else
+                        sz = strftime(tbuf, sizeof tbuf, "%b %e  %Y", ltime);
+        }
+        if (sz == 0)
+                tbuf[0] = '\0';
+        ulen = MAX(strlen(user), 8);
+        glen = MAX(strlen(group), 8);
+        snprintf(buf, sizeof buf, "%s %3d %-*s %-*s %8llu %s %s", mode,
+            st->st_nlink, ulen, user, glen, group,
+            (u_int64_t)st->st_size, tbuf, name);
+        return xstrdup(buf);
+}
diff --git a/sftp-common.h b/sftp-common.h
index 4c126bf10..201611cc4 100644
--- a/sftp-common.h
+++ b/sftp-common.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: sftp-common.h,v 1.3 2001/06/26 17:27:24 markus Exp $  */
+/*      $OpenBSD: sftp-common.h,v 1.4 2002/09/11 22:41:50 djm Exp $     */
 /*
 * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@@ -40,7 +40,9 @@ struct Attrib {
 void     attrib_clear(Attrib *);
 void     stat_to_attrib(struct stat *, Attrib *);
+void     attrib_to_stat(Attrib *, struct stat *);
 Attrib  *decode_attrib(Buffer *);
 void     encode_attrib(Buffer *, Attrib *);
+char    *ls_file(char *, struct stat *, int);
 const char *fx2txt(int);
diff --git a/sftp-glob.c b/sftp-glob.c
index 1234074c4..ee122a2cd 100644
--- a/sftp-glob.c
+++ b/sftp-glob.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sftp-glob.c,v 1.10 2002/02/13 00:59:23 djm Exp $");
+RCSID("$OpenBSD: sftp-glob.c,v 1.13 2002/09/11 22:41:50 djm Exp $");
 #include "buffer.h"
 #include "bufaux.h"
@@ -51,12 +51,14 @@ fudge_opendir(const char *path)
        r = xmalloc(sizeof(*r));
-        if (do_readdir(cur.conn, (char*)path, &r->dir))
+        if (do_readdir(cur.conn, (char *)path, &r->dir)) {
+                xfree(r);
                return(NULL);
+        }
        r->offset = 0;
-        return((void*)r);
+        return((void *)r);
 }
 static struct dirent *
@@ -105,31 +107,12 @@ fudge_closedir(struct SFTP_OPENDIR *od)
        xfree(od);
 }
-static void
-attrib_to_stat(Attrib *a, struct stat *st)
-{
-        memset(st, 0, sizeof(*st));
-        if (a->flags & SSH2_FILEXFER_ATTR_SIZE)
-                st->st_size = a->size;
-        if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) {
-                st->st_uid = a->uid;
-                st->st_gid = a->gid;
-        }
-        if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS)
-                st->st_mode = a->perm;
-        if (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME) {
-                st->st_atime = a->atime;
-                st->st_mtime = a->mtime;
-        }
-}
 static int
 fudge_lstat(const char *path, struct stat *st)
 {
        Attrib *a;
-        if (!(a = do_lstat(cur.conn, (char*)path, 0)))
+        if (!(a = do_lstat(cur.conn, (char *)path, 0)))
                return(-1);
        attrib_to_stat(a, st);
@@ -142,7 +125,7 @@ fudge_stat(const char *path, struct stat *st)
 {
        Attrib *a;
-        if (!(a = do_stat(cur.conn, (char*)path, 0)))
+        if (!(a = do_stat(cur.conn, (char *)path, 0)))
                return(-1);
        attrib_to_stat(a, st);
diff --git a/sftp-glob.h b/sftp-glob.h
index 9c754912c..f879e8719 100644
--- a/sftp-glob.h
+++ b/sftp-glob.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-glob.h,v 1.7 2002/03/19 10:49:35 markus Exp $ */
+/* $OpenBSD: sftp-glob.h,v 1.8 2002/09/11 22:41:50 djm Exp $ */
 /*
 * Copyright (c) 2001,2002 Damien Miller.  All rights reserved.
@@ -31,8 +31,7 @@
 #include "sftp-client.h"
-int
+int remote_glob(struct sftp_conn *, const char *, int,
-remote_glob(struct sftp_conn *, const char *, int,
    int (*)(const char *, int), glob_t *);
 #endif
diff --git a/sftp-int.c b/sftp-int.c
index b13e5da5d..6a2012910 100644
--- a/sftp-int.c
+++ b/sftp-int.c
@@ -22,11 +22,10 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
-/* XXX: globbed ls */
 /* XXX: recursive operations */
 #include "includes.h"
-RCSID("$OpenBSD: sftp-int.c,v 1.47 2002/06/23 09:30:14 deraadt Exp $");
+RCSID("$OpenBSD: sftp-int.c,v 1.49 2002/09/12 00:13:06 djm Exp $");
 #include "buffer.h"
 #include "xmalloc.h"
@@ -201,6 +200,25 @@ local_do_ls(const char *args)
        }
 }
+/* Strip one path (usually the pwd) from the start of another */
+static char *
+path_strip(char *path, char *strip)
+{
+        size_t len;
+        if (strip == NULL)
+                return (xstrdup(path));
+        len = strlen(strip);
+        if (strip != NULL && strncmp(path, strip, len) == 0) {
+                if (strip[len - 1] != '/' && path[len] == '/')
+                        len++;
+                return (xstrdup(path + len));
+        }
+        return (xstrdup(path));
+}
 static char *
 path_append(char *p1, char *p2)
 {
@@ -209,7 +227,7 @@ path_append(char *p1, char *p2)
        ret = xmalloc(len);
        strlcpy(ret, p1, len);
-        if (strcmp(p1, "/") != 0)
+        if (p1[strlen(p1) - 1] != '/')
                strlcat(ret, "/", len);
        strlcat(ret, p2, len);
@@ -274,6 +292,29 @@ parse_getput_flags(const char **cpp, int *pflag)
 }
 static int
+parse_ls_flags(const char **cpp, int *lflag)
+{
+        const char *cp = *cpp;
+        /* Check for flags */
+        if (cp++[0] == '-') {
+                for(; strchr(WHITESPACE, *cp) == NULL; cp++) {
+                        switch (*cp) {
+                        case 'l':
+                                *lflag = 1;
+                                break;
+                        default:
+                                error("Invalid flag -%c", *cp);
+                                return(-1);
+                        }
+                }
+                *cpp = cp + strspn(cp, WHITESPACE);
+        }
+        return(0);
+}
+static int
 get_pathname(const char **cpp, char **path)
 {
        const char *cp = *cpp, *end;
@@ -504,8 +545,129 @@ out:
 }
 static int
-parse_args(const char **cpp, int *pflag, unsigned long *n_arg,
+sdirent_comp(const void *aa, const void *bb)
-    char **path1, char **path2)
+{
+        SFTP_DIRENT *a = *(SFTP_DIRENT **)aa;
+        SFTP_DIRENT *b = *(SFTP_DIRENT **)bb;
+        return (strcmp(a->filename, b->filename));      
+}
+/* sftp ls.1 replacement for directories */
+static int
+do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
+{
+        int n;
+        SFTP_DIRENT **d;
+        if ((n = do_readdir(conn, path, &d)) != 0)
+                return (n);
+        /* Count entries for sort */    
+        for (n = 0; d[n] != NULL; n++)
+                ;
+        qsort(d, n, sizeof(*d), sdirent_comp);
+        for (n = 0; d[n] != NULL; n++) {
+                char *tmp, *fname;
+                
+                tmp = path_append(path, d[n]->filename);
+                fname = path_strip(tmp, strip_path);
+                xfree(tmp);
+                if (lflag) {
+                        char *lname;
+                        struct stat sb;
+                        memset(&sb, 0, sizeof(sb));
+                        attrib_to_stat(&d[n]->a, &sb);
+                        lname = ls_file(fname, &sb, 1);
+                        printf("%s\n", lname);
+                        xfree(lname);
+                } else {
+                        /* XXX - multicolumn display would be nice here */
+                        printf("%s\n", fname);
+                }
+                
+                xfree(fname);
+        }
+        free_sftp_dirents(d);
+        return (0);
+}
+/* sftp ls.1 replacement which handles path globs */
+static int
+do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path, 
+    int lflag)
+{
+        glob_t g;
+        int i;
+        Attrib *a;
+        struct stat sb;
+        memset(&g, 0, sizeof(g));
+        if (remote_glob(conn, path, GLOB_MARK|GLOB_NOCHECK|GLOB_BRACE, 
+            NULL, &g)) {
+                error("Can't ls: \"%s\" not found", path);
+                return (-1);
+        }
+        /*
+         * If the glob returns a single match, which is the same as the 
+         * input glob, and it is a directory, then just list its contents
+         */
+        if (g.gl_pathc == 1 && 
+            strncmp(path, g.gl_pathv[0], strlen(g.gl_pathv[0]) - 1) == 0) {
+                if ((a = do_lstat(conn, path, 1)) == NULL) {
+                        globfree(&g);
+                        return (-1);
+                }
+                if ((a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) && 
+                    S_ISDIR(a->perm)) {
+                        globfree(&g);
+                        return (do_ls_dir(conn, path, strip_path, lflag));
+                }
+        }
+        for (i = 0; g.gl_pathv[i]; i++) {
+                char *fname, *lname;
+                fname = path_strip(g.gl_pathv[i], strip_path);
+                if (lflag) {
+                        /*
+                         * XXX: this is slow - 1 roundtrip per path
+                         * A solution to this is to fork glob() and 
+                         * build a sftp specific version which keeps the 
+                         * attribs (which currently get thrown away)
+                         * that the server returns as well as the filenames.
+                         */
+                        memset(&sb, 0, sizeof(sb));
+                        a = do_lstat(conn, g.gl_pathv[i], 1);
+                        if (a != NULL)
+                                attrib_to_stat(a, &sb);
+                        lname = ls_file(fname, &sb, 1);
+                        printf("%s\n", lname);
+                        xfree(lname);
+                } else {
+                        /* XXX - multicolumn display would be nice here */
+                        printf("%s\n", fname);
+                }
+                xfree(fname);
+        }
+        if (g.gl_pathc)
+                globfree(&g);
+        return (0);
+}
+static int
+parse_args(const char **cpp, int *pflag, int *lflag, 
+    unsigned long *n_arg, char **path1, char **path2)
 {
        const char *cmd, *cp = *cpp;
        char *cp2;
@@ -545,7 +707,7 @@ parse_args(const char **cpp, int *pflag, unsigned long *n_arg,
        }
        /* Get arguments and parse flags */
-        *pflag = *n_arg = 0;
+        *lflag = *pflag = *n_arg = 0;
        *path1 = *path2 = NULL;
        switch (cmdnum) {
        case I_GET:
@@ -592,6 +754,8 @@ parse_args(const char **cpp, int *pflag, unsigned long *n_arg,
                }
                break;
        case I_LS:
+                if (parse_ls_flags(&cp, lflag))
+                        return(-1);
                /* Path is optional */
                if (get_pathname(&cp, path1))
                        return(-1);
@@ -652,7 +816,7 @@ static int
 parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd)
 {
        char *path1, *path2, *tmp;
-        int pflag, cmdnum, i;
+        int pflag, lflag, cmdnum, i;
        unsigned long n_arg;
        Attrib a, *aa;
        char path_buf[MAXPATHLEN];
@@ -660,7 +824,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd)
        glob_t g;
        path1 = path2 = NULL;
-        cmdnum = parse_args(&cmd, &pflag, &n_arg, &path1, &path2);
+        cmdnum = parse_args(&cmd, &pflag, &lflag, &n_arg,
+            &path1, &path2);
        memset(&g, 0, sizeof(g));
@@ -732,22 +897,18 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd)
                break;
        case I_LS:
                if (!path1) {
-                        do_ls(conn, *pwd);
+                        do_globbed_ls(conn, *pwd, *pwd, lflag);
                        break;
                }
+                
+                /* Strip pwd off beginning of non-absolute paths */
+                tmp = NULL;
+                if (*path1 != '/')
+                        tmp = *pwd;
                path1 = make_absolute(path1, *pwd);
-                if ((tmp = do_realpath(conn, path1)) == NULL)
-                        break;
+                do_globbed_ls(conn, path1, tmp, lflag);
-                xfree(path1);
-                path1 = tmp;
-                if ((aa = do_stat(conn, path1, 0)) == NULL)
-                        break;
-                if ((aa->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) &&
-                    !S_ISDIR(aa->perm)) {
-                        error("Can't ls: \"%s\" is not a directory", path1);
-                        break;
-                }
-                do_ls(conn, path1);
                break;
        case I_LCHDIR:
                if (chdir(path1) == -1) {
diff --git a/sftp-server.c b/sftp-server.c
index a5c325561..84264693d 100644
--- a/sftp-server.c
+++ b/sftp-server.c
@@ -22,7 +22,7 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "includes.h"
-RCSID("$OpenBSD: sftp-server.c,v 1.37 2002/06/24 17:57:20 deraadt Exp $");
+RCSID("$OpenBSD: sftp-server.c,v 1.38 2002/09/11 22:41:50 djm Exp $");
 #include "buffer.h"
 #include "bufaux.h"
@@ -695,48 +695,6 @@ process_opendir(void)
        xfree(path);
 }
-/*
- * drwxr-xr-x    5 markus   markus       1024 Jan 13 18:39 .ssh
- */
-static char *
-ls_file(char *name, struct stat *st)
-{
-        int ulen, glen, sz = 0;
-        struct passwd *pw;
-        struct group *gr;
-        struct tm *ltime = localtime(&st->st_mtime);
-        char *user, *group;
-        char buf[1024], mode[11+1], tbuf[12+1], ubuf[11+1], gbuf[11+1];
-        strmode(st->st_mode, mode);
-        if ((pw = getpwuid(st->st_uid)) != NULL) {
-                user = pw->pw_name;
-        } else {
-                snprintf(ubuf, sizeof ubuf, "%u", (u_int)st->st_uid);
-                user = ubuf;
-        }
-        if ((gr = getgrgid(st->st_gid)) != NULL) {
-                group = gr->gr_name;
-        } else {
-                snprintf(gbuf, sizeof gbuf, "%u", (u_int)st->st_gid);
-                group = gbuf;
-        }
-        if (ltime != NULL) {
-                if (time(NULL) - st->st_mtime < (365*24*60*60)/2)
-                        sz = strftime(tbuf, sizeof tbuf, "%b %e %H:%M", ltime);
-                else
-                        sz = strftime(tbuf, sizeof tbuf, "%b %e  %Y", ltime);
-        }
-        if (sz == 0)
-                tbuf[0] = '\0';
-        ulen = MAX(strlen(user), 8);
-        glen = MAX(strlen(group), 8);
-        snprintf(buf, sizeof buf, "%s %3d %-*s %-*s %8llu %s %s", mode,
-            st->st_nlink, ulen, user, glen, group,
-            (u_int64_t)st->st_size, tbuf, name);
-        return xstrdup(buf);
-}
 static void
 process_readdir(void)
 {
@@ -772,7 +730,7 @@ process_readdir(void)
                                continue;
                        stat_to_attrib(&st, &(stats[count].attrib));
                        stats[count].name = xstrdup(dp->d_name);
-                        stats[count].long_name = ls_file(dp->d_name, &st);
+                        stats[count].long_name = ls_file(dp->d_name, &st, 0);
                        count++;
                        /* send up to 100 entries in one message */
                        /* XXX check packet size instead */
diff --git a/sftp.0 b/sftp.0
index 562b685e4..d0c6086ba 100644
--- a/sftp.0
+++ b/sftp.0
@@ -117,9 +117,11 @@ INTERACTIVE COMMANDS
     lpwd    Print local working directory.
-     ls [path]
+     ls [flags] [path]
             Display remote directory listing of either path or current direcM--
-             tory if path is not specified.
+             tory if path is not specified. If the -l flag is specified, then
+             display additional details including permissions and ownership
+             information.
     lumask umask
             Set local umask to umask.
diff --git a/sftp.1 b/sftp.1
index 0e6d741a9..33ceb6596 100644
--- a/sftp.1
+++ b/sftp.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sftp.1,v 1.35 2002/06/20 20:00:05 stevesk Exp $
+.\" $OpenBSD: sftp.1,v 1.36 2002/09/11 22:41:50 djm Exp $
 .\"
 .\" Copyright (c) 2001 Damien Miller.  All rights reserved.
 .\"
@@ -203,12 +203,18 @@ to
 .Ar newpath .
 .It Ic lpwd
 Print local working directory.
-.It Ic ls Op Ar path
+.It Xo Ic ls
+.Op Ar flags
+.Op Ar path
+.Xc
 Display remote directory listing of either
 .Ar path
 or current directory if
 .Ar path
-is not specified.
+is not specified. If the
+.Fl l
+flag is specified, then display additional details including permissions
+and ownership information.
 .It Ic lumask Ar umask
 Set local umask to
 .Ar umask .
diff --git a/sftp.c b/sftp.c
index fac2564de..c4055b91e 100644
--- a/sftp.c
+++ b/sftp.c
@@ -24,7 +24,7 @@
 #include "includes.h"
-RCSID("$OpenBSD: sftp.c,v 1.30 2002/06/23 09:30:14 deraadt Exp $");
+RCSID("$OpenBSD: sftp.c,v 1.31 2002/07/25 01:16:59 mouring Exp $");
 /* XXX: short-form remote directory listings (like 'ls -C') */
@@ -122,7 +122,6 @@ main(int argc, char **argv)
        __progname = get_progname(argv[0]);
        args.list = NULL;
        addargs(&args, "ssh");          /* overwritten with ssh_program */
-        addargs(&args, "-oFallBackToRsh no");
        addargs(&args, "-oForwardX11 no");
        addargs(&args, "-oForwardAgent no");
        addargs(&args, "-oClearAllForwardings yes");
diff --git a/ssh-add.c b/ssh-add.c
index 176fd85c8..9c729752a 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -35,7 +35,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-add.c,v 1.61 2002/06/19 00:27:55 deraadt Exp $");
+RCSID("$OpenBSD: ssh-add.c,v 1.63 2002/09/19 15:51:23 markus Exp $");
 #include <openssl/evp.h>
@@ -264,7 +264,7 @@ lock_agent(AuthenticationConnection *ac, int lock)
                fprintf(stderr, "Failed to %slock agent.\n", lock ? "" : "un");
        memset(p1, 0, strlen(p1));
        xfree(p1);
-        return -1;
+        return (ret);
 }
 static int
@@ -290,7 +290,7 @@ usage(void)
        fprintf(stderr, "  -d          Delete identity.\n");
        fprintf(stderr, "  -D          Delete all identities.\n");
        fprintf(stderr, "  -x          Lock agent.\n");
-        fprintf(stderr, "  -x          Unlock agent.\n");
+        fprintf(stderr, "  -X          Unlock agent.\n");
        fprintf(stderr, "  -t life     Set lifetime (in seconds) when adding identities.\n");
 #ifdef SMARTCARD
        fprintf(stderr, "  -s reader   Add key in smartcard reader.\n");
diff --git a/ssh-agent.c b/ssh-agent.c
index ac16bae40..cca720ee2 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -34,8 +34,8 @@
 */
 #include "includes.h"
-#include "openbsd-compat/fake-queue.h"
+#include "openbsd-compat/sys-queue.h"
-RCSID("$OpenBSD: ssh-agent.c,v 1.97 2002/06/24 14:55:38 markus Exp $");
+RCSID("$OpenBSD: ssh-agent.c,v 1.105 2002/10/01 20:34:12 markus Exp $");
 #include <openssl/evp.h>
 #include <openssl/md5.h>
@@ -107,6 +107,17 @@ char *__progname;
 #endif
 static void
+close_socket(SocketEntry *e)
+{
+        close(e->fd);
+        e->fd = -1;
+        e->type = AUTH_UNUSED;
+        buffer_free(&e->input);
+        buffer_free(&e->output);
+        buffer_free(&e->request);
+}
+static void
 idtab_init(void)
 {
        int i;
@@ -617,13 +628,7 @@ process_message(SocketEntry *e)
        cp = buffer_ptr(&e->input);
        msg_len = GET_32BIT(cp);
        if (msg_len > 256 * 1024) {
-                shutdown(e->fd, SHUT_RDWR);
+                close_socket(e);
-                close(e->fd);
-                e->fd = -1;
-                e->type = AUTH_UNUSED;
-                buffer_free(&e->input);
-                buffer_free(&e->output);
-                buffer_free(&e->request);
                return;
        }
        if (buffer_len(&e->input) < msg_len + 4)
@@ -805,6 +810,8 @@ after_select(fd_set *readset, fd_set *writeset)
        char buf[1024];
        int len, sock;
        u_int i;
+        uid_t euid;
+        gid_t egid;
        for (i = 0; i < sockets_alloc; i++)
                switch (sockets[i].type) {
@@ -820,6 +827,19 @@ after_select(fd_set *readset, fd_set *writeset)
                                            strerror(errno));
                                        break;
                                }
+                                if (getpeereid(sock, &euid, &egid) < 0) {
+                                        error("getpeereid %d failed: %s",
+                                            sock, strerror(errno));
+                                        close(sock);
+                                        break;
+                                }
+                                if ((euid != 0) && (getuid() != euid)) {
+                                        error("uid mismatch: "
+                                            "peer euid %u != uid %u",
+                                            (u_int) euid, (u_int) getuid());
+                                        close(sock);
+                                        break;
+                                }
                                new_socket(AUTH_CONNECTION, sock);
                        }
                        break;
@@ -836,13 +856,7 @@ after_select(fd_set *readset, fd_set *writeset)
                                        break;
                                } while (1);
                                if (len <= 0) {
-                                        shutdown(sockets[i].fd, SHUT_RDWR);
+                                        close_socket(&sockets[i]);
-                                        close(sockets[i].fd);
-                                        sockets[i].fd = -1;
-                                        sockets[i].type = AUTH_UNUSED;
-                                        buffer_free(&sockets[i].input);
-                                        buffer_free(&sockets[i].output);
-                                        buffer_free(&sockets[i].request);
                                        break;
                                }
                                buffer_consume(&sockets[i].output, len);
@@ -856,13 +870,7 @@ after_select(fd_set *readset, fd_set *writeset)
                                        break;
                                } while (1);
                                if (len <= 0) {
-                                        shutdown(sockets[i].fd, SHUT_RDWR);
+                                        close_socket(&sockets[i]);
-                                        close(sockets[i].fd);
-                                        sockets[i].fd = -1;
-                                        sockets[i].type = AUTH_UNUSED;
-                                        buffer_free(&sockets[i].input);
-                                        buffer_free(&sockets[i].output);
-                                        buffer_free(&sockets[i].request);
                                        break;
                                }
                                buffer_append(&sockets[i].input, buf, len);
@@ -943,6 +951,10 @@ main(int ac, char **av)
        pid_t pid;
        char pidstrbuf[1 + 3 * sizeof pid];
+        /* drop */
+        setegid(getgid());
+        setgid(getgid());
        SSLeay_add_all_algorithms();
        __progname = get_progname(av[0]);
@@ -1052,7 +1064,7 @@ main(int ac, char **av)
 #ifdef HAVE_CYGWIN
        umask(prev_mask);
 #endif
-        if (listen(sock, 5) < 0) {
+        if (listen(sock, 128) < 0) {
                perror("listen");
                cleanup_exit(1);
        }
diff --git a/ssh-dss.c b/ssh-dss.c
index dbf8465ba..9ba2584dd 100644
--- a/ssh-dss.c
+++ b/ssh-dss.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-dss.c,v 1.15 2002/06/23 03:30:17 deraadt Exp $");
+RCSID("$OpenBSD: ssh-dss.c,v 1.17 2002/07/04 10:41:47 markus Exp $");
 #include <openssl/bn.h>
 #include <openssl/evp.h>
@@ -46,7 +46,7 @@ ssh_dss_sign(Key *key, u_char **sigp, u_int *lenp,
        DSA_SIG *sig;
        const EVP_MD *evp_md = EVP_sha1();
        EVP_MD_CTX md;
-        u_char *ret, digest[EVP_MAX_MD_SIZE], sigblob[SIGBLOB_LEN];
+        u_char digest[EVP_MAX_MD_SIZE], sigblob[SIGBLOB_LEN];
        u_int rlen, slen, len, dlen;
        Buffer b;
@@ -79,25 +79,25 @@ ssh_dss_sign(Key *key, u_char **sigp, u_int *lenp,
        DSA_SIG_free(sig);
        if (datafellows & SSH_BUG_SIGBLOB) {
-                ret = xmalloc(SIGBLOB_LEN);
-                memcpy(ret, sigblob, SIGBLOB_LEN);
                if (lenp != NULL)
                        *lenp = SIGBLOB_LEN;
-                if (sigp != NULL)
+                if (sigp != NULL) {
-                        *sigp = ret;
+                        *sigp = xmalloc(SIGBLOB_LEN);
+                        memcpy(*sigp, sigblob, SIGBLOB_LEN);
+                }
        } else {
                /* ietf-drafts */
                buffer_init(&b);
                buffer_put_cstring(&b, "ssh-dss");
                buffer_put_string(&b, sigblob, SIGBLOB_LEN);
                len = buffer_len(&b);
-                ret = xmalloc(len);
-                memcpy(ret, buffer_ptr(&b), len);
-                buffer_free(&b);
                if (lenp != NULL)
                        *lenp = len;
-                if (sigp != NULL)
+                if (sigp != NULL) {
-                        *sigp = ret;
+                        *sigp = xmalloc(len);
+                        memcpy(*sigp, buffer_ptr(&b), len);
+                }
+                buffer_free(&b);
        }
        return 0;
 }
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 4273c1132..3478e3723 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -761,6 +761,8 @@ main(int ac, char **av)
        __progname = get_progname(av[0]);
        SSLeay_add_all_algorithms();
+        init_rng();
+        seed_rng();
        /* we need this for the home * directory.  */
        pw = getpwuid(getuid());
@@ -855,10 +857,12 @@ main(int ac, char **av)
                do_fingerprint(pw);
        if (change_passphrase)
                do_change_passphrase(pw);
-        if (convert_to_ssh2)
-                do_convert_to_ssh2(pw);
        if (change_comment)
                do_change_comment(pw);
+        if (convert_to_ssh2)
+                do_convert_to_ssh2(pw);
+        if (convert_from_ssh2)
+                do_convert_from_ssh2(pw);
        if (print_public)
                do_print_public(pw);
        if (reader_id != NULL) {
@@ -872,13 +876,8 @@ main(int ac, char **av)
 #endif /* SMARTCARD */
        }
-        init_rng();
-        seed_rng();
        arc4random_stir();
-        if (convert_from_ssh2)
-                do_convert_from_ssh2(pw);
        if (key_type_name == NULL) {
                printf("You must specify a key type (-t).\n");
                usage();
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index 1fd011282..788953705 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -7,9 +7,9 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keyscan.c,v 1.36 2002/06/16 21:30:58 itojun Exp $");
+RCSID("$OpenBSD: ssh-keyscan.c,v 1.40 2002/07/06 17:47:58 stevesk Exp $");
-#include "openbsd-compat/fake-queue.h"
+#include "openbsd-compat/sys-queue.h"
 #include <openssl/bn.h>
@@ -116,7 +116,8 @@ Linebuf_alloc(const char *filename, void (*errfun) (const char *,...))
        if (!(lb = malloc(sizeof(*lb)))) {
                if (errfun)
-                        (*errfun) ("linebuf (%s): malloc failed\n", lb->filename);
+                        (*errfun) ("linebuf (%s): malloc failed\n",
+                            filename ? filename : "(stdin)");
                return (NULL);
        }
        if (filename) {
@@ -171,13 +172,14 @@ static char *
 Linebuf_getline(Linebuf * lb)
 {
        int n = 0;
+        void *p;
        lb->lineno++;
        for (;;) {
                /* Read a line */
                if (!fgets(&lb->buf[n], lb->size - n, lb->stream)) {
                        if (ferror(lb->stream) && lb->errfun)
-                                (*lb->errfun) ("%s: %s\n", lb->filename,
+                                (*lb->errfun)("%s: %s\n", lb->filename,
                                    strerror(errno));
                        return (NULL);
                }
@@ -190,17 +192,20 @@ Linebuf_getline(Linebuf * lb)
                }
                if (n != lb->size - 1) {
                        if (lb->errfun)
-                                (*lb->errfun) ("%s: skipping incomplete last line\n",
+                                (*lb->errfun)("%s: skipping incomplete last line\n",
                                    lb->filename);
                        return (NULL);
                }
                /* Double the buffer if we need more space */
-                if (!(lb->buf = realloc(lb->buf, (lb->size *= 2)))) {
+                lb->size *= 2;
+                if ((p = realloc(lb->buf, lb->size)) == NULL) {
+                        lb->size /= 2;
                        if (lb->errfun)
-                                (*lb->errfun) ("linebuf (%s): realloc failed\n",
+                                (*lb->errfun)("linebuf (%s): realloc failed\n",
                                    lb->filename);
                        return (NULL);
                }
+                lb->buf = p;
        }
 }
@@ -229,6 +234,7 @@ fdlim_set(int lim)
 #if defined(HAVE_SETRLIMIT) && defined(RLIMIT_NOFILE)
        struct rlimit rlfd;
 #endif
        if (lim <= 0)
                return (-1);
 #if defined(HAVE_SETRLIMIT) && defined(RLIMIT_NOFILE)
@@ -411,8 +417,8 @@ tcpconnect(char *host)
 static int
 conalloc(char *iname, char *oname, int keytype)
 {
-        int s;
        char *namebase, *name, *namelist;
+        int s;
        namebase = namelist = xstrdup(iname);
@@ -476,8 +482,8 @@ contouch(int s)
 static int
 conrecycle(int s)
 {
-        int ret;
        con *c = &fdcon[s];
+        int ret;
        ret = conalloc(c->c_namelist, c->c_output_name, c->c_keytype);
        confree(s);
@@ -487,10 +493,10 @@ conrecycle(int s)
 static void
 congreet(int s)
 {
+        int remote_major, remote_minor, n = 0;
        char buf[256], *cp;
        char remote_version[sizeof buf];
        size_t bufsiz;
-        int remote_major, remote_minor, n = 0;
        con *c = &fdcon[s];
        bufsiz = sizeof(buf);
@@ -554,8 +560,8 @@ congreet(int s)
 static void
 conread(int s)
 {
-        int n;
        con *c = &fdcon[s];
+        int n;
        if (c->c_status == CS_CON) {
                congreet(s);
@@ -594,10 +600,10 @@ conread(int s)
 static void
 conloop(void)
 {
-        fd_set *r, *e;
        struct timeval seltime, now;
-        int i;
+        fd_set *r, *e;
        con *c;
+        int i;
        gettimeofday(&now, NULL);
        c = TAILQ_FIRST(&tq);
@@ -664,6 +670,7 @@ void
 fatal(const char *fmt,...)
 {
        va_list args;
        va_start(args, fmt);
        do_log(SYSLOG_LEVEL_FATAL, fmt, args);
        va_end(args);
@@ -676,16 +683,9 @@ fatal(const char *fmt,...)
 static void
 usage(void)
 {
-        fprintf(stderr, "Usage: %s [options] host ...\n",
+        fprintf(stderr, "usage: %s [-v46] [-p port] [-T timeout] [-f file]\n"
+            "\t\t   [host | addrlist namelist] [...]\n",
            __progname);
-        fprintf(stderr, "Options:\n");
-        fprintf(stderr, "  -f file     Read hosts or addresses from file.\n");
-        fprintf(stderr, "  -p port     Connect to the specified port.\n");
-        fprintf(stderr, "  -t keytype  Specify the host key type.\n");
-        fprintf(stderr, "  -T timeout  Set connection timeout.\n");
-        fprintf(stderr, "  -v          Verbose; display verbose debugging messages.\n");
-        fprintf(stderr, "  -4          Use IPv4 only.\n");
-        fprintf(stderr, "  -6          Use IPv6 only.\n");
        exit(1);
 }
@@ -717,9 +717,11 @@ main(int argc, char **argv)
                        }
                        break;
                case 'T':
-                        timeout = atoi(optarg);
+                        timeout = convtime(optarg);
-                        if (timeout <= 0)
+                        if (timeout == -1 || timeout == 0) {
+                                fprintf(stderr, "Bad timeout '%s'\n", optarg);
                                usage();
+                        }
                        break;
                case 'v':
                        if (!debug_flag) {
diff --git a/ssh-keysign.0 b/ssh-keysign.0
index d6a59c068..b5ad6627a 100644
--- a/ssh-keysign.0
+++ b/ssh-keysign.0
@@ -9,11 +9,20 @@ SYNOPSIS
 DESCRIPTION
     ssh-keysign is used by ssh(1) to access the local host keys and generate
     the digital signature required during hostbased authentication with SSH
-     protocol version 2.  ssh-keysign is not intended to be invoked by the
+     protocol version 2.
-     user, but from ssh(1).  See ssh(1) and sshd(8) for more information about
-     hostbased authentication.
+     ssh-keysign is disabled by default and can only be enabled in the the
+     global client configuration file /etc/ssh/ssh_config by setting
+     HostbasedAuthentication to ``yes''.
+     ssh-keysign is not intended to be invoked by the user, but from ssh(1).
+     See ssh(1) and sshd(8) for more information about hostbased authenticaM--
+     tion.
 FILES
+     /etc/ssh/ssh_config
+             Controls whether ssh-keysign is enabled.
     /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key
             These files contain the private parts of the host keys used to
             generate the digital signature.  They should be owned by root,
@@ -22,7 +31,7 @@ FILES
             hostbased authentication is used.
 SEE ALSO
-     ssh(1), ssh-keygen(1), sshd(8)
+     ssh(1), ssh-keygen(1), ssh_config(5), sshd(8)
 AUTHORS
     Markus Friedl <markus@openbsd.org>
diff --git a/ssh-keysign.8 b/ssh-keysign.8
index ab2cf21ba..cea4a8244 100644
--- a/ssh-keysign.8
+++ b/ssh-keysign.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keysign.8,v 1.2 2002/06/10 16:56:30 stevesk Exp $
+.\" $OpenBSD: ssh-keysign.8,v 1.3 2002/07/03 14:21:05 markus Exp $
 .\"
 .\" Copyright (c) 2002 Markus Friedl.  All rights reserved.
 .\"
@@ -36,6 +36,16 @@ is used by
 .Xr ssh 1
 to access the local host keys and generate the digital signature
 required during hostbased authentication with SSH protocol version 2.
+.Pp
+.Nm
+is disabled by default and can only be enabled in the
+the global client configuration file
+.Pa /etc/ssh/ssh_config
+by setting
+.Cm HostbasedAuthentication
+to
+.Dq yes .
+.Pp
 .Nm
 is not intended to be invoked by the user, but from
 .Xr ssh 1 .
@@ -46,6 +56,10 @@ and
 for more information about hostbased authentication.
 .Sh FILES
 .Bl -tag -width Ds
+.It Pa /etc/ssh/ssh_config
+Controls whether
+.Nm
+is enabled.
 .It Pa /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key
 These files contain the private parts of the host keys used to
 generate the digital signature.  They
@@ -58,6 +72,7 @@ must be set-uid root if hostbased authentication is used.
 .Sh SEE ALSO
 .Xr ssh 1 ,
 .Xr ssh-keygen 1 ,
+.Xr ssh_config 5 ,
 .Xr sshd 8
 .Sh AUTHORS
 Markus Friedl <markus@openbsd.org>
diff --git a/ssh-keysign.c b/ssh-keysign.c
index fffa7bbdc..79aee17c0 100644
--- a/ssh-keysign.c
+++ b/ssh-keysign.c
@@ -22,12 +22,15 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keysign.c,v 1.4 2002/06/19 00:27:55 deraadt Exp $");
+RCSID("$OpenBSD: ssh-keysign.c,v 1.7 2002/07/03 14:21:05 markus Exp $");
 #include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/rsa.h>
 #include "log.h"
 #include "key.h"
+#include "ssh.h"
 #include "ssh2.h"
 #include "misc.h"
 #include "xmalloc.h"
@@ -37,6 +40,9 @@ RCSID("$OpenBSD: ssh-keysign.c,v 1.4 2002/06/19 00:27:55 deraadt Exp $");
 #include "msg.h"
 #include "canohost.h"
 #include "pathnames.h"
+#include "readconf.h"
+uid_t original_real_uid;        /* XXX readconf.c needs this */
 #ifdef HAVE___PROGNAME
 extern char *__progname;
@@ -134,12 +140,14 @@ int
 main(int argc, char **argv)
 {
        Buffer b;
+        Options options;
        Key *keys[2], *key;
        struct passwd *pw;
        int key_fd[2], i, found, version = 2, fd;
        u_char *signature, *data;
        char *host;
        u_int slen, dlen;
+        u_int32_t rnd[256];
        key_fd[0] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
        key_fd[1] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
@@ -155,6 +163,15 @@ main(int argc, char **argv)
        log_init("ssh-keysign", SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
 #endif
+        /* verify that ssh-keysign is enabled by the admin */
+        original_real_uid = getuid();   /* XXX readconf.c needs this */
+        initialize_options(&options);
+        (void)read_config_file(_PATH_HOST_CONFIG_FILE, "", &options);
+        fill_default_options(&options);
+        if (options.hostbased_authentication != 1)
+                fatal("Hostbased authentication not enabled in %s",
+                    _PATH_HOST_CONFIG_FILE);
        if (key_fd[0] == -1 && key_fd[1] == -1)
                fatal("could not open any host key");
@@ -163,6 +180,9 @@ main(int argc, char **argv)
        pw = pwcopy(pw);
        SSLeay_add_all_algorithms();
+        for (i = 0; i < 256; i++)
+                rnd[i] = arc4random();
+        RAND_seed(rnd, sizeof(rnd));
        found = 0;
        for (i = 0; i < 2; i++) {
@@ -172,6 +192,13 @@ main(int argc, char **argv)
                keys[i] = key_load_private_pem(key_fd[i], KEY_UNSPEC,
                    NULL, NULL);
                close(key_fd[i]);
+                if (keys[i] != NULL && keys[i]->type == KEY_RSA) {
+                        if (RSA_blinding_on(keys[i]->rsa, NULL) != 1) {
+                                error("RSA_blinding_on failed");
+                                key_free(keys[i]);
+                                keys[i] = NULL;
+                        }
+                }
                if (keys[i] != NULL)
                        found = 1;
        }
@@ -179,8 +206,8 @@ main(int argc, char **argv)
                fatal("no hostkey found");
        buffer_init(&b);
-        if (msg_recv(STDIN_FILENO, &b) < 0)
+        if (ssh_msg_recv(STDIN_FILENO, &b) < 0)
-                fatal("msg_recv failed");
+                fatal("ssh_msg_recv failed");
        if (buffer_get_char(&b) != version)
                fatal("bad version");
        fd = buffer_get_int(&b);
@@ -212,7 +239,7 @@ main(int argc, char **argv)
        /* send reply */
        buffer_clear(&b);
        buffer_put_string(&b, signature, slen);
-        msg_send(STDOUT_FILENO, version, &b);
+        ssh_msg_send(STDOUT_FILENO, version, &b);
        return (0);
 }
diff --git a/ssh-rand-helper.c b/ssh-rand-helper.c
index 364d5d270..e6c52b546 100644
--- a/ssh-rand-helper.c
+++ b/ssh-rand-helper.c
@@ -39,7 +39,7 @@
 #include "pathnames.h"
 #include "log.h"
-RCSID("$Id: ssh-rand-helper.c,v 1.7 2002/06/09 19:41:49 mouring Exp $");
+RCSID("$Id: ssh-rand-helper.c,v 1.8 2002/07/28 20:42:24 stevesk Exp $");
 /* Number of bytes we write out */
 #define OUTPUT_SEED_SIZE        48
@@ -63,7 +63,6 @@ RCSID("$Id: ssh-rand-helper.c,v 1.7 2002/06/09 19:41:49 mouring Exp $");
 # define SSH_PRNG_COMMAND_FILE   SSHDIR "/ssh_prng_cmds"
 #endif
 #ifdef HAVE___PROGNAME
 extern char *__progname;
 #else
@@ -115,7 +114,7 @@ double stir_from_programs(void);
 double stir_gettimeofday(double entropy_estimate);
 double stir_clock(double entropy_estimate);
 double stir_rusage(int who, double entropy_estimate);
-double hash_command_output(entropy_cmd_t *src, char *hash);
+double hash_command_output(entropy_cmd_t *src, unsigned char *hash);
 int get_random_bytes_prngd(unsigned char *buf, int len, 
    unsigned short tcp_port, char *socket_path);
@@ -274,7 +273,7 @@ timeval_diff(struct timeval *t1, struct timeval *t2)
 }
 double
-hash_command_output(entropy_cmd_t *src, char *hash)
+hash_command_output(entropy_cmd_t *src, unsigned char *hash)
 {
        char buf[8192];
        fd_set rdset;
@@ -460,7 +459,7 @@ stir_from_programs(void)
 {
        int c;
        double entropy, total_entropy;
-        char hash[SHA_DIGEST_LENGTH];
+        unsigned char hash[SHA_DIGEST_LENGTH];
        total_entropy = 0;
        for(c = 0; entropy_cmds[c].path != NULL; c++) {
@@ -543,7 +542,8 @@ void
 prng_write_seedfile(void)
 {
        int fd;
-        char seed[SEED_FILE_SIZE], filename[MAXPATHLEN];
+        unsigned char seed[SEED_FILE_SIZE];
+        char filename[MAXPATHLEN];
        struct passwd *pw;
        pw = getpwuid(getuid());
@@ -862,4 +862,3 @@ main(int argc, char **argv)
        
        return ret == bytes ? 0 : 1;
 }
diff --git a/ssh-rsa.c b/ssh-rsa.c
index 782279bad..d7b2918f9 100644
--- a/ssh-rsa.c
+++ b/ssh-rsa.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-rsa.c,v 1.21 2002/06/23 03:30:17 deraadt Exp $");
+RCSID("$OpenBSD: ssh-rsa.c,v 1.26 2002/08/27 17:13:56 stevesk Exp $");
 #include <openssl/evp.h>
 #include <openssl/err.h>
@@ -37,6 +37,8 @@ RCSID("$OpenBSD: ssh-rsa.c,v 1.21 2002/06/23 03:30:17 deraadt Exp $");
 #include "compat.h"
 #include "ssh.h"
+static int openssh_RSA_verify(int, u_char *, u_int, u_char *, u_int , RSA *);
 /* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */
 int
 ssh_rsa_sign(Key *key, u_char **sigp, u_int *lenp,
@@ -44,7 +46,7 @@ ssh_rsa_sign(Key *key, u_char **sigp, u_int *lenp,
 {
        const EVP_MD *evp_md;
        EVP_MD_CTX md;
-        u_char digest[EVP_MAX_MD_SIZE], *sig, *ret;
+        u_char digest[EVP_MAX_MD_SIZE], *sig;
        u_int slen, dlen, len;
        int ok, nid;
        Buffer b;
@@ -76,7 +78,7 @@ ssh_rsa_sign(Key *key, u_char **sigp, u_int *lenp,
                return -1;
        }
        if (len < slen) {
-                int diff = slen - len;
+                u_int diff = slen - len;
                debug("slen %u > len %u", slen, len);
                memmove(sig + diff, sig, len);
                memset(sig, 0, diff);
@@ -90,16 +92,16 @@ ssh_rsa_sign(Key *key, u_char **sigp, u_int *lenp,
        buffer_put_cstring(&b, "ssh-rsa");
        buffer_put_string(&b, sig, slen);
        len = buffer_len(&b);
-        ret = xmalloc(len);
+        if (lenp != NULL)
-        memcpy(ret, buffer_ptr(&b), len);
+                *lenp = len;
+        if (sigp != NULL) {
+                *sigp = xmalloc(len);
+                memcpy(*sigp, buffer_ptr(&b), len);
+        }
        buffer_free(&b);
        memset(sig, 's', slen);
        xfree(sig);
-        if (lenp != NULL)
-                *lenp = len;
-        if (sigp != NULL)
-                *sigp = ret;
        return 0;
 }
@@ -149,7 +151,7 @@ ssh_rsa_verify(Key *key, u_char *signature, u_int signaturelen,
                xfree(sigblob);
                return -1;
        } else if (len < modlen) {
-                int diff = modlen - len;
+                u_int diff = modlen - len;
                debug("ssh_rsa_verify: add padding: modlen %u > len %u",
                    modlen, len);
                sigblob = xrealloc(sigblob, modlen);
@@ -167,15 +169,100 @@ ssh_rsa_verify(Key *key, u_char *signature, u_int signaturelen,
        EVP_DigestUpdate(&md, data, datalen);
        EVP_DigestFinal(&md, digest, &dlen);
-        ret = RSA_verify(nid, digest, dlen, sigblob, len, key->rsa);
+        ret = openssh_RSA_verify(nid, digest, dlen, sigblob, len, key->rsa);
        memset(digest, 'd', sizeof(digest));
        memset(sigblob, 's', len);
        xfree(sigblob);
-        if (ret == 0) {
-                int ecode = ERR_get_error();
-                error("ssh_rsa_verify: RSA_verify failed: %s",
-                    ERR_error_string(ecode, NULL));
-        }
        debug("ssh_rsa_verify: signature %scorrect", (ret==0) ? "in" : "");
        return ret;
 }
+/*
+ * See:
+ * http://www.rsasecurity.com/rsalabs/pkcs/pkcs-1/
+ * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.asn
+ */
+/*
+ * id-sha1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
+ *      oiw(14) secsig(3) algorithms(2) 26 }
+ */
+static const u_char id_sha1[] = {
+        0x30, 0x21, /* type Sequence, length 0x21 (33) */
+        0x30, 0x09, /* type Sequence, length 0x09 */
+        0x06, 0x05, /* type OID, length 0x05 */
+        0x2b, 0x0e, 0x03, 0x02, 0x1a, /* id-sha1 OID */
+        0x05, 0x00, /* NULL */
+        0x04, 0x14  /* Octet string, length 0x14 (20), followed by sha1 hash */
+};
+/*
+ * id-md5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
+ *      rsadsi(113549) digestAlgorithm(2) 5 }
+ */
+static const u_char id_md5[] = {
+        0x30, 0x20, /* type Sequence, length 0x20 (32) */
+        0x30, 0x0c, /* type Sequence, length 0x09 */
+        0x06, 0x08, /* type OID, length 0x05 */
+        0x2a, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, /* id-md5 */
+        0x05, 0x00, /* NULL */
+        0x04, 0x10  /* Octet string, length 0x10 (16), followed by md5 hash */
+};
+static int
+openssh_RSA_verify(int type, u_char *hash, u_int hashlen,
+    u_char *sigbuf, u_int siglen, RSA *rsa)
+{
+        u_int ret, rsasize, oidlen = 0, hlen = 0;
+        int len;
+        const u_char *oid = NULL;
+        u_char *decrypted = NULL;
+        ret = 0;
+        switch (type) {
+        case NID_sha1:
+                oid = id_sha1;
+                oidlen = sizeof(id_sha1);
+                hlen = 20;
+                break;
+        case NID_md5:
+                oid = id_md5;
+                oidlen = sizeof(id_md5);
+                hlen = 16;
+                break;
+        default:
+                goto done;
+                break;
+        }
+        if (hashlen != hlen) {
+                error("bad hashlen");
+                goto done;
+        }
+        rsasize = RSA_size(rsa);
+        if (siglen == 0 || siglen > rsasize) {
+                error("bad siglen");
+                goto done;
+        }
+        decrypted = xmalloc(rsasize);
+        if ((len = RSA_public_decrypt(siglen, sigbuf, decrypted, rsa,
+            RSA_PKCS1_PADDING)) < 0) {
+                error("RSA_public_decrypt failed: %s",
+                    ERR_error_string(ERR_get_error(), NULL));
+                goto done;
+        }
+        if (len != hlen + oidlen) {
+                error("bad decrypted len: %d != %d + %d", len, hlen, oidlen);
+                goto done;
+        }
+        if (memcmp(decrypted, oid, oidlen) != 0) {
+                error("oid mismatch");
+                goto done;
+        }
+        if (memcmp(decrypted + oidlen, hash, hlen) != 0) {
+                error("hash mismatch");
+                goto done;
+        }
+        ret = 1;
+done:
+        if (decrypted)
+                xfree(decrypted);
+        return ret;
+}
diff --git a/ssh.0 b/ssh.0
index 175f9c424..18136aef4 100644
--- a/ssh.0
+++ b/ssh.0
@@ -6,7 +6,7 @@ NAME
 SYNOPSIS
     ssh [-l login_name] hostname | user@hostname [command]
-     ssh [-afgknqstvxACNPTX1246] [-b bind_address] [-c cipher_spec]
+     ssh [-afgknqstvxACNTX1246] [-b bind_address] [-c cipher_spec]
         [-e escape_char] [-i identity_file] [-l login_name] [-m mac_spec]
         [-o option] [-p port] [-F configfile] [-L port:host:hostport] [-R
         port:host:hostport] [-D port] hostname | user@hostname [command]
@@ -183,9 +183,10 @@ DESCRIPTION
     is opened.  The real authentication cookie is never sent to the server
     machine (and no cookies are sent in the plain).
-     If the user is using an authentication agent, the connection to the agent
+     If the ForwardAgent variable is set to ``yes'' (or, see the description
-     is automatically forwarded to the remote side unless disabled on the comM--
+     of the -A and -a options described later) and the user is using an
-     mand line or in a configuration file.
+     authentication agent, the connection to the agent is automatically forM--
+     warded to the remote side.
     Forwarding of arbitrary TCP/IP connections over the secure channel can be
     specified either on the command line or in a configuration file.  One
@@ -214,6 +215,14 @@ DESCRIPTION
             can also be specified on a per-host basis in a configuration
             file.
+             Agent forwarding should be enabled with caution.  Users with the
+             ability to bypass file permissions on the remote host (for the
+             agent's Unix-domain socket) can access the local agent through
+             the forwarded connection.  An attacker cannot obtain key material
+             from the agent, however they can perform operations on the keys
+             that enable them to authenticate using the identities loaded into
+             the agent.
     -b bind_address
             Specify the interface to transmit from on machines with multiple
             interfaces or aliased addresses.
@@ -298,11 +307,6 @@ DESCRIPTION
             Port to connect to on the remote host.  This can be specified on
             a per-host basis in the configuration file.
-     -P      Use a non-privileged port for outgoing connections.  This can be
-             used if a firewall does not permit connections from privileged
-             ports.  Note that this option turns off RhostsAuthentication and
-             RhostsRSAAuthentication for older servers.
     -q      Quiet mode.  Causes all warning and diagnostic messages to be
             suppressed.
@@ -329,14 +333,20 @@ DESCRIPTION
     -X      Enables X11 forwarding.  This can also be specified on a per-host
             basis in a configuration file.
+             X11 forwarding should be enabled with caution.  Users with the
+             ability to bypass file permissions on the remote host (for the
+             user's X authorization database) can access the local X11 display
+             through the forwarded connection.  An attacker may then be able
+             to perform activities such as keystroke monitoring.
     -C      Requests compression of all data (including stdin, stdout,
             stderr, and data for forwarded X11 and TCP/IP connections).  The
             compression algorithm is the same used by gzip(1), and the
-             ``level'' can be controlled by the CompressionLevel option.  ComM--
+             ``level'' can be controlled by the CompressionLevel option for
-             pression is desirable on modem lines and other slow connections,
+             protocol version 1.  Compression is desirable on modem lines and
-             but will only slow down things on fast networks.  The default
+             other slow connections, but will only slow down things on fast
-             value can be set on a host-by-host basis in the configuration
+             networks.  The default value can be set on a host-by-host basis
-             files; see the Compression option.
+             in the configuration files; see the Compression option.
     -F configfile
             Specifies an alternative per-user configuration file.  If a conM--
@@ -428,10 +438,10 @@ ENVIRONMENT
             Identifies the path of a unix-domain socket used to communicate
             with the agent.
-     SSH_CLIENT
+     SSH_CONNECTION
-             Identifies the client end of the connection.  The variable conM--
+             Identifies the client and server ends of the connection.  The
-             tains three space-separated values: client ip-address, client
+             variable contains four space-separated values: client ip-address,
-             port number, and server port number.
+             client port number, server ip-address and server port number.
     SSH_ORIGINAL_COMMAND
             The variable contains the original command line if a forced comM--
@@ -450,7 +460,9 @@ ENVIRONMENT
     USER    Set to the name of the user logging in.
     Additionally, ssh reads $HOME/.ssh/environment, and adds lines of the
-     format ``VARNAME=value'' to the environment.
+     format ``VARNAME=value'' to the environment if the file exists and if
+     users are allowed to change their environment.  See the
+     PermitUserEnvironment option in sshd_config(5).
 FILES
     $HOME/.ssh/known_hosts
diff --git a/ssh.1 b/ssh.1
index 1c407c5bd..d8999da48 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.160 2002/06/22 11:51:39 naddy Exp $
+.\" $OpenBSD: ssh.1,v 1.167 2002/09/27 15:46:21 stevesk Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -48,7 +48,7 @@
 .Op Ar command
 .Pp
 .Nm ssh
-.Op Fl afgknqstvxACNPTX1246
+.Op Fl afgknqstvxACNTX1246
 .Op Fl b Ar bind_address
 .Op Fl c Ar cipher_spec
 .Op Fl e Ar escape_char
@@ -353,9 +353,17 @@ the connection is opened.
 The real authentication cookie is never
 sent to the server machine (and no cookies are sent in the plain).
 .Pp
-If the user is using an authentication agent, the connection to the agent
+If the
-is automatically forwarded to the remote side unless disabled on
+.Cm ForwardAgent
-the command line or in a configuration file.
+variable is set to
+.Dq yes
+(or, see the description of the
+.Fl A
+and
+.Fl a
+options described later) and 
+the user is using an authentication agent, the connection to the agent
+is automatically forwarded to the remote side.
 .Pp
 Forwarding of arbitrary TCP/IP connections over the secure channel can
 be specified either on the command line or in a configuration file.
@@ -394,6 +402,13 @@ Disables forwarding of the authentication agent connection.
 .It Fl A
 Enables forwarding of the authentication agent connection.
 This can also be specified on a per-host basis in a configuration file.
+.Pp
+Agent forwarding should be enabled with caution.  Users with the
+ability to bypass file permissions on the remote host (for the agent's
+Unix-domain socket) can access the local agent through the forwarded
+connection.  An attacker cannot obtain key material from the agent,
+however they can perform operations on the keys that enable them to
+authenticate using the identities loaded into the agent.
 .It Fl b Ar bind_address
 Specify the interface to transmit from on machines with multiple
 interfaces or aliased addresses.
@@ -515,15 +530,6 @@ command-line flag.
 Port to connect to on the remote host.
 This can be specified on a
 per-host basis in the configuration file.
-.It Fl P
-Use a non-privileged port for outgoing connections.
-This can be used if a firewall does
-not permit connections from privileged ports.
-Note that this option turns off
-.Cm RhostsAuthentication
-and
-.Cm RhostsRSAAuthentication
-for older servers.
 .It Fl q
 Quiet mode.
 Causes all warning and diagnostic messages to be suppressed.
@@ -563,6 +569,12 @@ Disables X11 forwarding.
 .It Fl X
 Enables X11 forwarding.
 This can also be specified on a per-host basis in a configuration file.
+.Pp
+X11 forwarding should be enabled with caution.  Users with the ability
+to bypass file permissions on the remote host (for the user's X
+authorization database) can access the local X11 display through the
+forwarded connection.  An attacker may then be able to perform
+activities such as keystroke monitoring.
 .It Fl C
 Requests compression of all data (including stdin, stdout, stderr, and
 data for forwarded X11 and TCP/IP connections).
@@ -572,7 +584,7 @@ and the
 .Dq level
 can be controlled by the
 .Cm CompressionLevel
-option.
+option for protocol version 1.
 Compression is desirable on modem lines and other
 slow connections, but will only slow down things on fast networks.
 The default value can be set on a host-by-host basis in the
@@ -718,11 +730,11 @@ to make this work.)
 .It Ev SSH_AUTH_SOCK
 Identifies the path of a unix-domain socket used to communicate with the
 agent.
-.It Ev SSH_CLIENT
+.It Ev SSH_CONNECTION
-Identifies the client end of the connection.
+Identifies the client and server ends of the connection.
 The variable contains
-three space-separated values: client ip-address, client port number,
+four space-separated values: client ip-address, client port number,
-and server port number.
+server ip-address and server port number.
 .It Ev SSH_ORIGINAL_COMMAND
 The variable contains the original command line if a forced command
 is executed.
@@ -746,7 +758,12 @@ reads
 .Pa $HOME/.ssh/environment ,
 and adds lines of the format
 .Dq VARNAME=value
-to the environment.
+to the environment if the file exists and if users are allowed to
+change their environment.
+See the
+.Cm PermitUserEnvironment
+option in
+.Xr sshd_config 5 .
 .Sh FILES
 .Bl -tag -width Ds
 .It Pa $HOME/.ssh/known_hosts
diff --git a/ssh.c b/ssh.c
index 25d51c31f..24e541bc6 100644
--- a/ssh.c
+++ b/ssh.c
@@ -40,7 +40,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.179 2002/06/12 01:09:52 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.186 2002/09/19 01:58:18 djm Exp $");
 #include <openssl/evp.h>
 #include <openssl/err.h>
@@ -146,6 +146,9 @@ int subsystem_flag = 0;
 /* # of replies received for global requests */
 static int client_global_request_id = 0;
+/* pid of proxycommand child process */
+pid_t proxy_command_pid = 0;
 /* Prints a help message to the user.  This function never returns. */
 static void
@@ -174,7 +177,6 @@ usage(void)
        fprintf(stderr, "  -v          Verbose; display verbose debugging messages.\n");
        fprintf(stderr, "              Multiple -v increases verbosity.\n");
        fprintf(stderr, "  -V          Display version number only.\n");
-        fprintf(stderr, "  -P          Don't allocate a privileged port.\n");
        fprintf(stderr, "  -q          Quiet; don't display any warning messages.\n");
        fprintf(stderr, "  -f          Fork into background after authentication.\n");
        fprintf(stderr, "  -e char     Set escape character; ``none'' = disable (default: ~).\n");
@@ -229,6 +231,15 @@ main(int ac, char **av)
         */
        original_real_uid = getuid();
        original_effective_uid = geteuid();
+ 
+        /*
+         * Use uid-swapping to give up root privileges for the duration of
+         * option processing.  We will re-instantiate the rights when we are
+         * ready to create the privileged port, and will permanently drop
+         * them when the port has been created (actually, when the connection
+         * has been made, as we may need to create the port several times).
+         */
+        PRIV_END;
 #ifdef HAVE_SETRLIMIT
        /* If we are installed setuid root be careful to not drop core. */
@@ -249,15 +260,6 @@ main(int ac, char **av)
        pw = pwcopy(pw);
        /*
-         * Use uid-swapping to give up root privileges for the duration of
-         * option processing.  We will re-instantiate the rights when we are
-         * ready to create the privileged port, and will permanently drop
-         * them when the port has been created (actually, when the connection
-         * has been made, as we may need to create the port several times).
-         */
-        PRIV_END;
-        /*
         * Set our umask to something reasonable, as some files are created
         * with the default umask.  This will make them world-readable but
         * writable only by the owner, which is ok for all files for which we
@@ -303,7 +305,7 @@ again:
                case 'g':
                        options.gateway_ports = 1;
                        break;
-                case 'P':
+                case 'P':       /* deprecated */
                        options.use_privileged_port = 0;
                        break;
                case 'a':
@@ -557,7 +559,7 @@ again:
        if (buffer_len(&command) == 0)
                tty_flag = 1;
-        /* Force no tty*/
+        /* Force no tty */
        if (no_tty_flag)
                tty_flag = 0;
        /* Do not allocate a tty if stdin is not a tty. */
@@ -642,7 +644,8 @@ again:
        if (options.rhosts_rsa_authentication ||
            options.hostbased_authentication) {
                sensitive_data.nkeys = 3;
-                sensitive_data.keys = xmalloc(sensitive_data.nkeys*sizeof(Key));
+                sensitive_data.keys = xmalloc(sensitive_data.nkeys *
+                    sizeof(Key));
                PRIV_START;
                sensitive_data.keys[0] = key_load_private_type(KEY_RSA1,
@@ -653,7 +656,8 @@ again:
                    _PATH_HOST_RSA_KEY_FILE, "", NULL);
                PRIV_END;
-                if (sensitive_data.keys[0] == NULL &&
+                if (options.hostbased_authentication == 1 &&
+                    sensitive_data.keys[0] == NULL &&
                    sensitive_data.keys[1] == NULL &&
                    sensitive_data.keys[2] == NULL) {
                        sensitive_data.keys[1] = key_load_public(
@@ -726,6 +730,14 @@ again:
        exit_status = compat20 ? ssh_session2() : ssh_session();
        packet_close();
+        /*
+         * Send SIGHUP to proxy command if used. We don't wait() in 
+         * case it hangs and instead rely on init to reap the child
+         */
+        if (proxy_command_pid > 1)
+                kill(proxy_command_pid, SIGHUP);
        return exit_status;
 }
@@ -737,11 +749,19 @@ x11_get_proto(char **_proto, char **_data)
        FILE *f;
        int got_data = 0, i;
        char *display;
+        struct stat st;
        *_proto = proto;
        *_data = data;
        proto[0] = data[0] = '\0';
-        if (options.xauth_location && (display = getenv("DISPLAY"))) {
+        if (!options.xauth_location ||
+            (stat(options.xauth_location, &st) == -1)) {
+                debug("No xauth program.");
+        } else {
+                if ((display = getenv("DISPLAY")) == NULL) {
+                        debug("x11_get_proto: DISPLAY not set");
+                        return;
+                }
                /* Try to get Xauthority information for the display. */
                if (strncmp(display, "localhost:", 10) == 0)
                        /*
@@ -756,7 +776,7 @@ x11_get_proto(char **_proto, char **_data)
                else
                        snprintf(line, sizeof line, "%s list %.200s 2>"
                            _PATH_DEVNULL, options.xauth_location, display);
-                debug2("x11_get_proto %s", line);
+                debug2("x11_get_proto: %s", line);
                f = popen(line, "r");
                if (f && fgets(line, sizeof(line), f) &&
                    sscanf(line, "%*s %511s %511s", proto, data) == 2)
@@ -775,6 +795,7 @@ x11_get_proto(char **_proto, char **_data)
        if (!got_data) {
                u_int32_t rand = 0;
+                log("Warning: No xauth data; using fake authentication data for X11 forwarding.");
                strlcpy(proto, "MIT-MAGIC-COOKIE-1", sizeof proto);
                for (i = 0; i < 16; i++) {
                        if (i % 4 == 0)
@@ -824,11 +845,8 @@ check_agent_present(void)
 {
        if (options.forward_agent) {
                /* Clear agent forwarding if we don\'t have an agent. */
-                int authfd = ssh_get_authentication_socket();
+                if (!ssh_agent_present())
-                if (authfd < 0)
                        options.forward_agent = 0;
-                else
-                        ssh_close_authentication_socket(authfd);
        }
 }
diff --git a/ssh.h b/ssh.h
index 07eee78b6..0a6ad1317 100644
--- a/ssh.h
+++ b/ssh.h
@@ -60,10 +60,6 @@
 */
 #define SSH_SERVICE_NAME        "ssh"
-#if defined(USE_PAM) && !defined(SSHD_PAM_SERVICE)
-# define SSHD_PAM_SERVICE       __progname
-#endif
 /*
 * Name of the environment variable containing the process ID of the
 * authentication agent.
diff --git a/ssh_config b/ssh_config
index ef31d4336..94cffbf39 100644
--- a/ssh_config
+++ b/ssh_config
@@ -1,4 +1,4 @@
-#       $OpenBSD: ssh_config,v 1.15 2002/06/20 20:03:34 stevesk Exp $
+#       $OpenBSD: ssh_config,v 1.16 2002/07/03 14:21:05 markus Exp $
 # This is the ssh client system-wide configuration file.  See
 # ssh_config(5) for more information.  This file provides defaults for
@@ -22,6 +22,7 @@
 #   RhostsRSAAuthentication no
 #   RSAAuthentication yes
 #   PasswordAuthentication yes
+#   HostbasedAuthentication no
 #   BatchMode no
 #   CheckHostIP yes
 #   StrictHostKeyChecking ask
diff --git a/ssh_config.0 b/ssh_config.0
index 9822ce8d2..a5a44da14 100644
--- a/ssh_config.0
+++ b/ssh_config.0
@@ -9,9 +9,10 @@ SYNOPSIS
 DESCRIPTION
     ssh obtains configuration data from the following sources in the followM--
-     ing order: command line options, user's configuration file
+     ing order:
-     ($HOME/.ssh/config), and system-wide configuration file
+           1.   command-line options
-     (/etc/ssh/ssh_config).
+           2.   user's configuration file ($HOME/.ssh/config)
+           3.   system-wide configuration file (/etc/ssh/ssh_config)
     For each parameter, the first obtained value will be used.  The configuM--
     ration files contain sections bracketed by ``Host'' specifications, and
@@ -133,11 +134,25 @@ DESCRIPTION
             any) will be forwarded to the remote machine.  The argument must
             be ``yes'' or ``no''.  The default is ``no''.
+             Agent forwarding should be enabled with caution.  Users with the
+             ability to bypass file permissions on the remote host (for the
+             agent's Unix-domain socket) can access the local agent through
+             the forwarded connection.  An attacker cannot obtain key material
+             from the agent, however they can perform operations on the keys
+             that enable them to authenticate using the identities loaded into
+             the agent.
     ForwardX11
             Specifies whether X11 connections will be automatically rediM--
             rected over the secure channel and DISPLAY set.  The argument
             must be ``yes'' or ``no''.  The default is ``no''.
+             X11 forwarding should be enabled with caution.  Users with the
+             ability to bypass file permissions on the remote host (for the
+             user's X authorization database) can access the local X11 display
+             through the forwarded connection.  An attacker may then be able
+             to perform activities such as keystroke monitoring.
     GatewayPorts
             Specifies whether remote hosts are allowed to connect to local
             forwarded ports.  By default, ssh binds local port forwardings to
@@ -301,7 +316,8 @@ DESCRIPTION
             tication because it is not secure (see RhostsRSAAuthentication).
             The argument to this keyword must be ``yes'' or ``no''.  The
             default is ``no''.  This option applies to protocol version 1
-             only.
+             only and requires ssh to be setuid root and UsePrivilegedPort to
+             be set to ``yes''.
     RhostsRSAAuthentication
             Specifies whether to try rhosts based authentication with RSA
@@ -342,9 +358,10 @@ DESCRIPTION
     UsePrivilegedPort
             Specifies whether to use a privileged port for outgoing connecM--
             tions.  The argument must be ``yes'' or ``no''.  The default is
-             ``no''.  Note that this option must be set to ``yes'' if
+             ``no''.  If set to ``yes'' ssh must be setuid root.  Note that
-             RhostsAuthentication and RhostsRSAAuthentication authentications
+             this option must be set to ``yes'' if RhostsAuthentication and
-             are needed with older servers.
+             RhostsRSAAuthentication authentications are needed with older
+             servers.
     User    Specifies the user to log in as.  This can be useful when a difM--
             ferent user name is used on different machines.  This saves the
@@ -356,8 +373,8 @@ DESCRIPTION
             $HOME/.ssh/known_hosts.
     XAuthLocation
-             Specifies the location of the xauth(1) program.  The default is
+             Specifies the full pathname of the xauth(1) program.  The default
-             /usr/X11R6/bin/xauth.
+             is /usr/X11R6/bin/xauth.
 FILES
     $HOME/.ssh/config
diff --git a/ssh_config.5 b/ssh_config.5
index 6d94220b0..67fa0845c 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.1 2002/06/20 19:56:07 stevesk Exp $
+.\" $OpenBSD: ssh_config.5,v 1.5 2002/08/29 22:54:10 stevesk Exp $
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
@@ -50,10 +50,16 @@
 .Nm ssh
 obtains configuration data from the following sources in
 the following order:
-command line options, user's configuration file
+.Bl -enum -offset indent -compact
-.Pq Pa $HOME/.ssh/config ,
+.It
-and system-wide configuration file
+command-line options
-.Pq Pa /etc/ssh/ssh_config .
+.It
+user's configuration file
+.Pq Pa $HOME/.ssh/config
+.It
+system-wide configuration file
+.Pq Pa /etc/ssh/ssh_config
+.El
 .Pp
 For each parameter, the first obtained value
 will be used.
@@ -259,6 +265,13 @@ or
 .Dq no .
 The default is
 .Dq no .
+.Pp
+Agent forwarding should be enabled with caution.  Users with the
+ability to bypass file permissions on the remote host (for the agent's
+Unix-domain socket) can access the local agent through the forwarded
+connection.  An attacker cannot obtain key material from the agent,
+however they can perform operations on the keys that enable them to
+authenticate using the identities loaded into the agent.
 .It Cm ForwardX11
 Specifies whether X11 connections will be automatically redirected
 over the secure channel and
@@ -270,6 +283,12 @@ or
 .Dq no .
 The default is
 .Dq no .
+.Pp
+X11 forwarding should be enabled with caution.  Users with the ability
+to bypass file permissions on the remote host (for the user's X
+authorization database) can access the local X11 display through the
+forwarded connection.  An attacker may then be able to perform
+activities such as keystroke monitoring.
 .It Cm GatewayPorts
 Specifies whether remote hosts are allowed to connect to local
 forwarded ports.
@@ -342,7 +361,6 @@ identities will be tried in sequence.
 Specifies whether the system should send TCP keepalive messages to the
 other side.
 If they are sent, death of the connection or crash of one
-of the machines will be properly noticed.
 of the machines will be properly noticed.  This option only uses TCP
 keepalives (as opposed to using ssh level keepalives), so takes a long
 time to notice when the connection dies.  As such, you probably want
@@ -512,7 +530,12 @@ or
 .Dq no .
 The default is
 .Dq no .
-This option applies to protocol version 1 only.
+This option applies to protocol version 1 only and requires
+.Nm ssh
+to be setuid root and
+.Cm UsePrivilegedPort
+to be set to
+.Dq yes .
 .It Cm RhostsRSAAuthentication
 Specifies whether to try rhosts based authentication with RSA host
 authentication.
@@ -600,6 +623,10 @@ or
 .Dq no .
 The default is
 .Dq no .
+If set to
+.Dq yes
+.Nm ssh
+must be setuid root.
 Note that this option must be set to
 .Dq yes
 if
@@ -617,7 +644,7 @@ Specifies a file to use for the user
 host key database instead of
 .Pa $HOME/.ssh/known_hosts .
 .It Cm XAuthLocation
-Specifies the location of the
+Specifies the full pathname of the
 .Xr xauth 1
 program.
 The default is
diff --git a/ssh_prng_cmds.in b/ssh_prng_cmds.in
index 03fa5408e..50e7771f9 100644
--- a/ssh_prng_cmds.in
+++ b/ssh_prng_cmds.in
@@ -5,7 +5,7 @@
 # The "rate" represents the number of bits of usuable entropy per 
 # byte of command output. Be conservative.
 #
-# $Id: ssh_prng_cmds.in,v 1.7 2001/07/22 19:32:01 mouring Exp $
+# $Id: ssh_prng_cmds.in,v 1.8 2002/07/14 21:43:58 tim Exp $
 "ls -alni /var/log"                     @PROG_LS@       0.02
 "ls -alni /var/adm"                     @PROG_LS@       0.02
@@ -37,7 +37,7 @@
 "netstat -s"                            @PROG_NETSTAT@  0.02
 "netstat -is"                           @PROG_NETSTAT@  0.07
-"arp -a -n"                             @PROG_ARP@      0.02
+"arp -n -a"                             @PROG_ARP@      0.02
 "ifconfig -a"                           @PROG_IFCONFIG@ 0.02
diff --git a/sshconnect.c b/sshconnect.c
index 8eb5fda7d..95e0f6d77 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -13,7 +13,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.126 2002/06/23 03:30:17 deraadt Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.135 2002/09/19 01:58:18 djm Exp $");
 #include <openssl/bn.h>
@@ -41,6 +41,7 @@ extern Options options;
 extern char *__progname;
 extern uid_t original_real_uid;
 extern uid_t original_effective_uid;
+extern pid_t proxy_command_pid;
 #ifndef INET6_ADDRSTRLEN                /* for non IPv6 machines */
 #define INET6_ADDRSTRLEN 46
@@ -48,22 +49,13 @@ extern uid_t original_effective_uid;
 static sig_atomic_t banner_timedout;
-static const char *
-sockaddr_ntop(struct sockaddr *sa, socklen_t salen)
-{
-        static char addrbuf[NI_MAXHOST];
-        if (getnameinfo(sa, salen, addrbuf, sizeof(addrbuf), NULL, 0,
-            NI_NUMERICHOST) != 0)
-                fatal("sockaddr_ntop: getnameinfo NI_NUMERICHOST failed");
-        return addrbuf;
-}
 static void banner_alarm_catch (int signum)
 {
        banner_timedout = 1;
 }
+static int show_other_keys(const char *, Key *);
 /*
 * Connect to the given ssh server using a proxy command.
 */
@@ -80,9 +72,16 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
        /* Convert the port number into a string. */
        snprintf(strport, sizeof strport, "%hu", port);
-        /* Build the final command string in the buffer by making the
+        /*
-           appropriate substitutions to the given proxy command. */
+         * Build the final command string in the buffer by making the
+         * appropriate substitutions to the given proxy command.
+         *
+         * Use "exec" to avoid "sh -c" processes on some platforms 
+         * (e.g. Solaris)
+         */
        buffer_init(&command);
+        buffer_append(&command, "exec ", 5);
        for (cp = proxy_command; *cp; cp++) {
                if (cp[0] == '%' && cp[1] == '%') {
                        buffer_append(&command, "%", 1);
@@ -150,6 +149,8 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
        /* Parent. */
        if (pid < 0)
                fatal("fork failed: %.100s", strerror(errno));
+        else
+                proxy_command_pid = pid; /* save pid to clean up later */
        /* Close child side of the descriptors. */
        close(pin[0]);
@@ -245,7 +246,6 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
        int sock = -1, attempt;
        char ntop[NI_MAXHOST], strport[NI_MAXSERV];
        struct addrinfo hints, *ai, *aitop;
-        struct linger linger;
        struct servent *sp;
        /*
         * Did we get only other errors than "Connection refused" (which
@@ -314,9 +314,8 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
                        } else {
                                if (errno == ECONNREFUSED)
                                        full_failure = 0;
-                                log("ssh: connect to address %s port %s: %s",
+                                debug("connect to address %s port %s: %s",
-                                    sockaddr_ntop(ai->ai_addr, ai->ai_addrlen),
+                                    ntop, strport, strerror(errno));
-                                    strport, strerror(errno));
                                /*
                                 * Close the failed socket; there appear to
                                 * be some problems when reusing a socket for
@@ -339,20 +338,14 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
        freeaddrinfo(aitop);
        /* Return failure if we didn't get a successful connection. */
-        if (attempt >= connection_attempts)
+        if (attempt >= connection_attempts) {
+                log("ssh: connect to host %s port %s: %s",
+                    host, strport, strerror(errno));
                return full_failure ? ECONNABORTED : ECONNREFUSED;
+        }
        debug("Connection established.");
-        /*
-         * Set socket options.  We would like the socket to disappear as soon
-         * as it has been closed for whatever reason.
-         */
-        /* setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)); */
-        linger.l_onoff = 1;
-        linger.l_linger = 5;
-        setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *)&linger, sizeof(linger));
        /* Set keepalives if requested. */
        if (options.keepalives &&
            setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&on,
@@ -508,7 +501,7 @@ confirm(const char *prompt)
                    (p[0] == '\0') || (p[0] == '\n') ||
                    strncasecmp(p, "no", 2) == 0)
                        ret = 0;
-                if (strncasecmp(p, "yes", 3) == 0)
+                if (p && strncasecmp(p, "yes", 3) == 0)
                        ret = 1;
                if (p)
                        xfree(p);
@@ -535,7 +528,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
        int salen;
        char ntop[NI_MAXHOST];
        char msg[1024];
-        int len, host_line, ip_line;
+        int len, host_line, ip_line, has_keys;
        const char *host_file = NULL, *ip_file = NULL;
        /*
@@ -679,14 +672,19 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
                            "have requested strict checking.", type, host);
                        goto fail;
                } else if (options.strict_host_key_checking == 2) {
+                        has_keys = show_other_keys(host, host_key);
                        /* The default */
                        fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
                        snprintf(msg, sizeof(msg),
                            "The authenticity of host '%.200s (%s)' can't be "
-                            "established.\n"
+                            "established%s\n"
                            "%s key fingerprint is %s.\n"
                            "Are you sure you want to continue connecting "
-                            "(yes/no)? ", host, ip, type, fp);
+                            "(yes/no)? ",
+                             host, ip,
+                             has_keys ? ",\nbut keys of different type are already "
+                             "known for this host." : ".",
+                             type, fp);
                        xfree(fp);
                        if (!confirm(msg))
                                goto fail;
@@ -789,6 +787,9 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
                 * accept the authentication.
                 */
                break;
+        case HOST_FOUND:
+                fatal("internal error");
+                break;
        }
        if (options.check_host_ip && host_status != HOST_CHANGED &&
@@ -900,3 +901,58 @@ ssh_put_password(char *password)
        memset(padded, 0, size);
        xfree(padded);
 }
+static int
+show_key_from_file(const char *file, const char *host, int keytype)
+{
+        Key *found;
+        char *fp;
+        int line, ret;
+        found = key_new(keytype);
+        if ((ret = lookup_key_in_hostfile_by_type(file, host,
+            keytype, found, &line))) {
+                fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
+                log("WARNING: %s key found for host %s\n"
+                    "in %s:%d\n"
+                    "%s key fingerprint %s.",
+                    key_type(found), host, file, line,
+                    key_type(found), fp);
+                xfree(fp);
+        }
+        key_free(found);
+        return (ret);
+}
+/* print all known host keys for a given host, but skip keys of given type */
+static int
+show_other_keys(const char *host, Key *key)
+{
+        int type[] = { KEY_RSA1, KEY_RSA, KEY_DSA, -1};
+        int i, found = 0;
+        for (i = 0; type[i] != -1; i++) {
+                if (type[i] == key->type)
+                        continue;
+                if (type[i] != KEY_RSA1 &&
+                    show_key_from_file(options.user_hostfile2, host, type[i])) {
+                        found = 1;
+                        continue;
+                }
+                if (type[i] != KEY_RSA1 &&
+                    show_key_from_file(options.system_hostfile2, host, type[i])) {
+                        found = 1;
+                        continue;
+                }
+                if (show_key_from_file(options.user_hostfile, host, type[i])) {
+                        found = 1;
+                        continue;
+                }
+                if (show_key_from_file(options.system_hostfile, host, type[i])) {
+                        found = 1;
+                        continue;
+                }
+                debug2("no key of type %d for host %s", type[i], host);
+        }
+        return (found);
+}
diff --git a/sshconnect1.c b/sshconnect1.c
index e28b7fc72..2fc9a981a 100644
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -13,7 +13,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.51 2002/05/23 19:24:30 markus Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.52 2002/08/08 13:50:23 aaron Exp $");
 #include <openssl/bn.h>
 #include <openssl/md5.h>
@@ -254,7 +254,7 @@ try_rsa_authentication(int idx)
         * load the private key.  Try first with empty passphrase; if it
         * fails, ask for a passphrase.
         */
-        if (public->flags && KEY_FLAG_EXT)
+        if (public->flags & KEY_FLAG_EXT)
                private = public;
        else
                private = key_load_private_type(KEY_RSA1, authfile, "", NULL);
diff --git a/sshconnect2.c b/sshconnect2.c
index 215f76ca2..703d0721f 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.105 2002/06/23 03:30:17 deraadt Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.107 2002/07/01 19:48:46 markus Exp $");
 #include "ssh.h"
 #include "ssh2.h"
@@ -95,10 +95,10 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
            compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]);
        if (options.compression) {
                myproposal[PROPOSAL_COMP_ALGS_CTOS] =
-                myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib";
+                myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib,none";
        } else {
                myproposal[PROPOSAL_COMP_ALGS_CTOS] =
-                myproposal[PROPOSAL_COMP_ALGS_STOC] = "none";
+                myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib";
        }
        if (options.macs != NULL) {
                myproposal[PROPOSAL_MAC_ALGS_CTOS] =
@@ -422,7 +422,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
        clear_auth_state(authctxt);
        dispatch_set(SSH2_MSG_USERAUTH_PK_OK, NULL);
-        /* try another method if we did not send a packet*/
+        /* try another method if we did not send a packet */
        if (sent == 0)
                userauth(authctxt, NULL);
@@ -947,9 +947,9 @@ ssh_keysign(Key *key, u_char **sigp, u_int *lenp,
        buffer_init(&b);
        buffer_put_int(&b, packet_get_connection_in()); /* send # of socket */
        buffer_put_string(&b, data, datalen);
-        msg_send(to[1], version, &b);
+        ssh_msg_send(to[1], version, &b);
-        if (msg_recv(from[0], &b) < 0) {
+        if (ssh_msg_recv(from[0], &b) < 0) {
                error("ssh_keysign: no reply");
                buffer_clear(&b);
                return -1;
diff --git a/sshd.0 b/sshd.0
index cf9fc8ae6..7c88c953f 100644
--- a/sshd.0
+++ b/sshd.0
@@ -115,7 +115,7 @@ DESCRIPTION
     -g login_grace_time
             Gives the grace time for clients to authenticate themselves
-             (default 600 seconds).  If the client fails to authenticate the
+             (default 120 seconds).  If the client fails to authenticate the
             user within this many seconds, the server disconnects and exits.
             A value of zero indicates no limit.
@@ -206,7 +206,9 @@ LOGIN PROCESS
           5.   Sets up basic environment.
-           6.   Reads $HOME/.ssh/environment if it exists.
+           6.   Reads $HOME/.ssh/environment if it exists and users are
+                allowed to change their environment.  See the
+                PermitUserEnvironment option in sshd_config(5).
           7.   Changes to user's home directory.
@@ -227,16 +229,16 @@ AUTHORIZED_KEYS FILE FORMAT
     with a `#' are ignored as comments).  Each RSA public key consists of the
     following fields, separated by spaces: options, bits, exponent, modulus,
     comment.  Each protocol version 2 public key consists of: options, keyM--
-     type, base64 encoded key, comment.  The options fields are optional; its
+     type, base64 encoded key, comment.  The options field is optional; its
     presence is determined by whether the line starts with a number or not
-     (the option field never starts with a number).  The bits, exponent, moduM--
+     (the options field never starts with a number).  The bits, exponent, modM--
-     lus and comment fields give the RSA key for protocol version 1; the comM--
+     ulus and comment fields give the RSA key for protocol version 1; the comM--
     ment field is not used for anything (but may be convenient for the user
     to identify the key).  For protocol version 2 the keytype is ``ssh-dss''
     or ``ssh-rsa''.
     Note that lines in this file are usually several hundred bytes long
-     (because of the size of the RSA key modulus).  You don't want to type
+     (because of the size of the public key encoding).  You don't want to type
     them in; instead, copy the identity.pub, id_dsa.pub or the id_rsa.pub
     file and edit it.
@@ -249,18 +251,19 @@ AUTHORIZED_KEYS FILE FORMAT
     case-insensitive):
     from="pattern-list"
-             Specifies that in addition to RSA authentication, the canonical
+             Specifies that in addition to public key authentication, the
-             name of the remote host must be present in the comma-separated
+             canonical name of the remote host must be present in the comma-
-             list of patterns (`*' and `'?  serve as wildcards).  The list may
+             separated list of patterns (`*' and `'?  serve as wildcards).
-             also contain patterns negated by prefixing them with `'!; if the
+             The list may also contain patterns negated by prefixing them with
-             canonical host name matches a negated pattern, the key is not
+             `'!; if the canonical host name matches a negated pattern, the
-             accepted.  The purpose of this option is to optionally increase
+             key is not accepted.  The purpose of this option is to optionally
-             security: RSA authentication by itself does not trust the network
+             increase security: public key authentication by itself does not
-             or name servers or anything (but the key); however, if somebody
+             trust the network or name servers or anything (but the key); howM--
-             somehow steals the key, the key permits an intruder to log in
+             ever, if somebody somehow steals the key, the key permits an
-             from anywhere in the world.  This additional option makes using a
+             intruder to log in from anywhere in the world.  This additional
-             stolen key more difficult (name servers and/or routers would have
+             option makes using a stolen key more difficult (name servers
-             to be compromised in addition to just the key).
+             and/or routers would have to be compromised in addition to just
+             the key).
     command="command"
             Specifies that the command is executed whenever this key is used
@@ -269,9 +272,9 @@ AUTHORIZED_KEYS FILE FORMAT
             pty; otherwise it is run without a tty.  If a 8-bit clean channel
             is required, one must not request a pty or should specify no-pty.
             A quote may be included in the command by quoting it with a backM--
-             slash.  This option might be useful to restrict certain RSA keys
+             slash.  This option might be useful to restrict certain public
-             to perform just a specific operation.  An example might be a key
+             keys to perform just a specific operation.  An example might be a
-             that permits remote backups but nothing else.  Note that the
+             key that permits remote backups but nothing else.  Note that the
             client may specify TCP/IP and/or X11 forwarding unless they are
             explicitly prohibited.  Note that this option applies to shell,
             command or subsystem execution.
@@ -280,8 +283,9 @@ AUTHORIZED_KEYS FILE FORMAT
             Specifies that the string is to be added to the environment when
             logging in using this key.  Environment variables set this way
             override other default environment values.  Multiple options of
-             this type are permitted.  This option is automatically disabled
+             this type are permitted.  Environment processing is disabled by
-             if UseLogin is enabled.
+             default and is controlled via the PermitUserEnvironment option.
+             This option is automatically disabled if UseLogin is enabled.
     no-port-forwarding
             Forbids TCP/IP forwarding when this key is used for authenticaM--
@@ -381,7 +385,7 @@ FILES
     /etc/moduli
             Contains Diffie-Hellman groups used for the "Diffie-Hellman Group
-             Exchange".
+             Exchange".  The file format is described in moduli(5).
     /var/empty
             chroot(2) directory used by sshd during privilege separation in
@@ -478,7 +482,8 @@ FILES
             It can only contain empty lines, comment lines (that start with
             `#'), and assignment lines of the form name=value.  The file
             should be writable only by the user; it need not be readable by
-             anyone else.
+             anyone else.  Environment processing is disabled by default and
+             is controlled via the PermitUserEnvironment option.
     $HOME/.ssh/rc
             If this file exists, it is run with /bin/sh after reading the
@@ -500,12 +505,12 @@ FILES
             if read proto cookie && [ -n "$DISPLAY" ]; then
                     if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
                             # X11UseLocalhost=yes
-                             xauth add unix:`echo $DISPLAY |
+                             echo add unix:`echo $DISPLAY |
                                 cut -c11-` $proto $cookie
                     else
                             # X11UseLocalhost=no
-                             xauth add $DISPLAY $proto $cookie
+                             echo add $DISPLAY $proto $cookie
-                     fi
+                     fi | xauth -q -
             fi
             If this file does not exist, /etc/ssh/sshrc is run, and if that
diff --git a/sshd.8 b/sshd.8
index 99fd6a131..1605922fb 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.186 2002/06/22 16:45:29 stevesk Exp $
+.\" $OpenBSD: sshd.8,v 1.193 2002/09/24 20:59:44 todd Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -203,7 +203,7 @@ The default is
 refuses to start if there is no configuration file.
 .It Fl g Ar login_grace_time
 Gives the grace time for clients to authenticate themselves (default
-600 seconds).
+120 seconds).
 If the client fails to authenticate the user within
 this many seconds, the server disconnects and exits.
 A value of zero indicates no limit.
@@ -353,7 +353,11 @@ Sets up basic environment.
 .It
 Reads
 .Pa $HOME/.ssh/environment
-if it exists.
+if it exists and users are allowed to change their environment.
+See the
+.Cm PermitUserEnvironment
+option in
+.Xr sshd_config 5 .
 .It
 Changes to user's home directory.
 .It
@@ -388,9 +392,9 @@ Each RSA public key consists of the following fields, separated by
 spaces: options, bits, exponent, modulus, comment.
 Each protocol version 2 public key consists of:
 options, keytype, base64 encoded key, comment.
-The options fields
+The options field
-are optional; its presence is determined by whether the line starts
+is optional; its presence is determined by whether the line starts
-with a number or not (the option field never starts with a number).
+with a number or not (the options field never starts with a number).
 The bits, exponent, modulus and comment fields give the RSA key for
 protocol version 1; the
 comment field is not used for anything (but may be convenient for the
@@ -401,7 +405,7 @@ or
 .Dq ssh-rsa .
 .Pp
 Note that lines in this file are usually several hundred bytes long
-(because of the size of the RSA key modulus).
+(because of the size of the public key encoding).
 You don't want to type them in; instead, copy the
 .Pa identity.pub ,
 .Pa id_dsa.pub
@@ -420,7 +424,7 @@ The following option specifications are supported (note
 that option keywords are case-insensitive):
 .Bl -tag -width Ds
 .It Cm from="pattern-list"
-Specifies that in addition to RSA authentication, the canonical name
+Specifies that in addition to public key authentication, the canonical name
 of the remote host must be present in the comma-separated list of
 patterns
 .Pf ( Ql *
@@ -432,7 +436,7 @@ patterns negated by prefixing them with
 .Ql ! ;
 if the canonical host name matches a negated pattern, the key is not accepted.
 The purpose
-of this option is to optionally increase security: RSA authentication
+of this option is to optionally increase security: public key authentication
 by itself does not trust the network or name servers or anything (but
 the key); however, if somebody somehow steals the key, the key
 permits an intruder to log in from anywhere in the world.
@@ -450,7 +454,7 @@ one must not request a pty or should specify
 .Cm no-pty .
 A quote may be included in the command by quoting it with a backslash.
 This option might be useful
-to restrict certain RSA keys to perform just a specific operation.
+to restrict certain public keys to perform just a specific operation.
 An example might be a key that permits remote backups but nothing else.
 Note that the client may specify TCP/IP and/or X11
 forwarding unless they are explicitly prohibited.
@@ -461,6 +465,10 @@ logging in using this key.
 Environment variables set this way
 override other default environment values.
 Multiple options of this type are permitted.
+Environment processing is disabled by default and is
+controlled via the
+.Cm PermitUserEnvironment
+option.
 This option is automatically disabled if
 .Cm UseLogin
 is enabled.
@@ -581,6 +589,8 @@ These files are created using
 .Xr ssh-keygen 1 .
 .It Pa /etc/moduli
 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
+The file format is described in
+.Xr moduli 5 .
 .It Pa /var/empty
 .Xr chroot 2
 directory used by
@@ -701,6 +711,10 @@ It can only contain empty lines, comment lines (that start with
 and assignment lines of the form name=value.
 The file should be writable
 only by the user; it need not be readable by anyone else.
+Environment processing is disabled by default and is
+controlled via the
+.Cm PermitUserEnvironment
+option.
 .It Pa $HOME/.ssh/rc
 If this file exists, it is run with /bin/sh after reading the
 environment files but before starting the user's shell or command.
@@ -726,12 +740,12 @@ something similar to:
 if read proto cookie && [ -n "$DISPLAY" ]; then
        if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
                # X11UseLocalhost=yes
-                xauth add unix:`echo $DISPLAY |
+                echo add unix:`echo $DISPLAY |
                    cut -c11-` $proto $cookie
        else
                # X11UseLocalhost=no
-                xauth add $DISPLAY $proto $cookie
+                echo add $DISPLAY $proto $cookie
-        fi
+        fi | xauth -q -
 fi
 .Ed
 .Pp
diff --git a/sshd.c b/sshd.c
index 904629e95..35685643f 100644
--- a/sshd.c
+++ b/sshd.c
@@ -42,7 +42,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.251 2002/06/25 18:51:04 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.260 2002/09/27 10:42:09 mickey Exp $");
 #include <openssl/dh.h>
 #include <openssl/bn.h>
@@ -303,11 +303,8 @@ grace_alarm_handler(int sig)
 {
        /* XXX no idea how fix this signal handler */
-        /* Close the connection. */
-        packet_close();
        /* Log error and exit. */
-        fatal("Timeout before authentication for %s.", get_remote_ipaddr());
+        fatal("Timeout before authentication for %s", get_remote_ipaddr());
 }
 /*
@@ -320,7 +317,7 @@ grace_alarm_handler(int sig)
 static void
 generate_ephemeral_server_key(void)
 {
-        u_int32_t rand = 0;
+        u_int32_t rnd = 0;
        int i;
        verbose("Generating %s%d bit RSA key.",
@@ -333,9 +330,9 @@ generate_ephemeral_server_key(void)
        for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {
                if (i % 4 == 0)
-                        rand = arc4random();
+                        rnd = arc4random();
-                sensitive_data.ssh1_cookie[i] = rand & 0xff;
+                sensitive_data.ssh1_cookie[i] = rnd & 0xff;
-                rand >>= 8;
+                rnd >>= 8;
        }
        arc4random_stir();
 }
@@ -427,6 +424,12 @@ sshd_exchange_identification(int sock_in, int sock_out)
        compat_datafellows(remote_version);
+        if (datafellows & SSH_BUG_PROBE) {
+                log("probed from %s with %s.  Don't panic.",
+                    get_remote_ipaddr(), client_version_string);
+                fatal_cleanup();
+        }
        if (datafellows & SSH_BUG_SCANNER) {
                log("scanned from %s with %s.  Don't panic.",
                    get_remote_ipaddr(), client_version_string);
@@ -529,8 +532,8 @@ demote_sensitive_data(void)
 static void
 privsep_preauth_child(void)
 {
-        u_int32_t rand[256];
+        u_int32_t rnd[256];
-        gid_t gidset[2];
+        gid_t gidset[1];
        struct passwd *pw;
        int i;
@@ -538,8 +541,8 @@ privsep_preauth_child(void)
        privsep_challenge_enable();
        for (i = 0; i < 256; i++)
-                rand[i] = arc4random();
+                rnd[i] = arc4random();
-        RAND_seed(rand, sizeof(rand));
+        RAND_seed(rnd, sizeof(rnd));
        /* Demote the private keys to public keys. */
        demote_sensitive_data();
@@ -550,7 +553,7 @@ privsep_preauth_child(void)
        memset(pw->pw_passwd, 0, strlen(pw->pw_passwd));
        endpwent();
-        /* Change our root directory*/
+        /* Change our root directory */
        if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
                fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
                    strerror(errno));
@@ -573,7 +576,7 @@ privsep_preauth_child(void)
 #endif
 }
-static Authctxt*
+static Authctxt *
 privsep_preauth(void)
 {
        Authctxt *authctxt = NULL;
@@ -589,6 +592,8 @@ privsep_preauth(void)
        if (pid == -1) {
                fatal("fork of unprivileged child failed");
        } else if (pid != 0) {
+                fatal_remove_cleanup((void (*) (void *)) packet_close, NULL);
                debug2("Network child is on pid %ld", (long)pid);
                close(pmonitor->m_recvfd);
@@ -602,6 +607,10 @@ privsep_preauth(void)
                while (waitpid(pid, &status, 0) < 0)
                        if (errno != EINTR)
                                break;
+                /* Reinstall, since the child has finished */
+                fatal_add_cleanup((void (*) (void *)) packet_close, NULL);
                return (authctxt);
        } else {
                /* child */
@@ -624,7 +633,7 @@ privsep_postauth(Authctxt *authctxt)
        /* XXX - Remote port forwarding */
        x_authctxt = authctxt;
-#ifdef BROKEN_FD_PASSING
+#ifdef DISABLE_FD_PASSING
        if (1) {
 #else
        if (authctxt->pw->pw_uid == 0 || options.use_login) {
@@ -649,6 +658,8 @@ privsep_postauth(Authctxt *authctxt)
        if (pmonitor->m_pid == -1)
                fatal("fork of unprivileged child failed");
        else if (pmonitor->m_pid != 0) {
+                fatal_remove_cleanup((void (*) (void *)) packet_close, NULL);
                debug2("User child is on pid %ld", (long)pmonitor->m_pid);
                close(pmonitor->m_recvfd);
                monitor_child_postauth(pmonitor);
@@ -801,7 +812,6 @@ main(int ac, char **av)
        const char *remote_ip;
        int remote_port;
        FILE *f;
-        struct linger linger;
        struct addrinfo *ai;
        char ntop[NI_MAXHOST], strport[NI_MAXSERV];
        int listen_sock, maxfd;
@@ -911,6 +921,10 @@ main(int ac, char **av)
                        break;
                case 'u':
                        utmp_len = atoi(optarg);
+                        if (utmp_len > MAXHOSTNAMELEN) {
+                                fprintf(stderr, "Invalid utmp length.\n");
+                                exit(1);
+                        }
                        break;
                case 'o':
                        if (process_server_config_line(&options, optarg,
@@ -937,7 +951,7 @@ main(int ac, char **av)
            SYSLOG_FACILITY_AUTH : options.log_facility,
            !inetd_flag);
-#ifdef _CRAY
+#ifdef _UNICOS
        /* Cray can define user privs drop all prives now!
         * Not needed on PRIV_SU systems!
         */
@@ -961,7 +975,8 @@ main(int ac, char **av)
        debug("sshd version %.100s", SSH_VERSION);
        /* load private host keys */
-        sensitive_data.host_keys = xmalloc(options.num_host_key_files*sizeof(Key*));
+        sensitive_data.host_keys = xmalloc(options.num_host_key_files *
+            sizeof(Key *));
        for (i = 0; i < options.num_host_key_files; i++)
                sensitive_data.host_keys[i] = NULL;
        sensitive_data.server_key = NULL;
@@ -1040,7 +1055,14 @@ main(int ac, char **av)
                    (S_ISDIR(st.st_mode) == 0))
                        fatal("Missing privilege separation directory: %s",
                            _PATH_PRIVSEP_CHROOT_DIR);
+#ifdef HAVE_CYGWIN
+                if (check_ntsec(_PATH_PRIVSEP_CHROOT_DIR) &&
+                    (st.st_uid != getuid () ||
+                    (st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
+#else
                if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
+#endif
                        fatal("Bad owner or mode for %s",
                            _PATH_PRIVSEP_CHROOT_DIR);
        }
@@ -1140,17 +1162,12 @@ main(int ac, char **av)
                                continue;
                        }
                        /*
-                         * Set socket options.  We try to make the port
+                         * Set socket options.
-                         * reusable and have it close as fast as possible
+                         * Allow local port reuse in TIME_WAIT.
-                         * without waiting in unnecessary wait states on
-                         * close.
                         */
-                        setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR,
+                        if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR,
-                            &on, sizeof(on));
+                            &on, sizeof(on)) == -1)
-                        linger.l_onoff = 1;
+                                error("setsockopt SO_REUSEADDR: %s", strerror(errno));
-                        linger.l_linger = 5;
-                        setsockopt(listen_sock, SOL_SOCKET, SO_LINGER,
-                            &linger, sizeof(linger));
                        debug("Bind to port %s on %s.", strport, ntop);
@@ -1399,16 +1416,6 @@ main(int ac, char **av)
        signal(SIGCHLD, SIG_DFL);
        signal(SIGINT, SIG_DFL);
-        /*
-         * Set socket options for the connection.  We want the socket to
-         * close as fast as possible without waiting for anything.  If the
-         * connection is not a socket, these will do nothing.
-         */
-        /* setsockopt(sock_in, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)); */
-        linger.l_onoff = 1;
-        linger.l_linger = 5;
-        setsockopt(sock_in, SOL_SOCKET, SO_LINGER, &linger, sizeof(linger));
        /* Set keepalives if requested. */
        if (options.keepalives &&
            setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on,
@@ -1596,7 +1603,7 @@ do_ssh1_kex(void)
        u_char session_key[SSH_SESSION_KEY_LENGTH];
        u_char cookie[8];
        u_int cipher_type, auth_mask, protocol_flags;
-        u_int32_t rand = 0;
+        u_int32_t rnd = 0;
        /*
         * Generate check bytes that the client must send back in the user
@@ -1609,9 +1616,9 @@ do_ssh1_kex(void)
         */
        for (i = 0; i < 8; i++) {
                if (i % 4 == 0)
-                        rand = arc4random();
+                        rnd = arc4random();
-                cookie[i] = rand & 0xff;
+                cookie[i] = rnd & 0xff;
-                rand >>= 8;
+                rnd >>= 8;
        }
        /*
diff --git a/sshd_config b/sshd_config
index d57346bef..36429c9d0 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-#       $OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus Exp $
+#       $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -32,7 +32,7 @@
 # Authentication:
-#LoginGraceTime 600
+#LoginGraceTime 120
 #PermitRootLogin yes
 #StrictModes yes
@@ -71,7 +71,7 @@
 # Set this to 'yes' to enable PAM keyboard-interactive authentication 
 # Warning: enabling this may bypass the setting of 'PasswordAuthentication'
-#PAMAuthenticationViaKbdInt yes
+#PAMAuthenticationViaKbdInt no
 #X11Forwarding no
 #X11DisplayOffset 10
@@ -81,6 +81,7 @@
 #KeepAlive yes
 #UseLogin no
 #UsePrivilegeSeparation yes
+#PermitUserEnvironment no
 #Compression yes
 #MaxStartups 10
diff --git a/sshd_config.0 b/sshd_config.0
index 720cc3f80..a4e31be0f 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -219,7 +219,7 @@ DESCRIPTION
     LoginGraceTime
             The server disconnects after this time if the user has not sucM--
             cessfully logged in.  If the value is 0, there is no time limit.
-             The default is 600 (seconds).
+             The default is 120 seconds.
     LogLevel
             Gives the verbosity level that is used when logging messages from
@@ -280,6 +280,13 @@ DESCRIPTION
             If this option is set to ``no'' root is not allowed to login.
+     PermitUserEnvironment
+             Specifies whether ~/.ssh/environment and environment= options in
+             ~/.ssh/authorized_keys are processed by sshd.  The default is
+             ``no''.  Enabling environment processing may enable users to
+             bypass access restrictions in some configurations using mechaM--
+             nisms such as LD_PRELOAD.
     PidFile
             Specifies the file that contains the process ID of the sshd daeM--
             mon.  The default is /var/run/sshd.pid.
@@ -298,9 +305,12 @@ DESCRIPTION
             /etc/profile, or equivalent.)  The default is ``yes''.
     Protocol
-             Specifies the protocol versions sshd should support.  The possiM--
+             Specifies the protocol versions sshd supports.  The possible valM--
-             ble values are ``1'' and ``2''.  Multiple versions must be comma-
+             ues are ``1'' and ``2''.  Multiple versions must be comma-sepaM--
-             separated.  The default is ``2,1''.
+             rated.  The default is ``2,1''.  Note that the order of the proM--
+             tocol list does not indicate preference, because the client
+             selects among multiple protocol versions offered by the server.
+             Specifying ``2,1'' is identical to ``1,2''.
     PubkeyAuthentication
             Specifies whether public key authentication is allowed.  The
@@ -380,11 +390,26 @@ DESCRIPTION
             servers.  The default is 10.
     X11Forwarding
-             Specifies whether X11 forwarding is permitted.  The default is
+             Specifies whether X11 forwarding is permitted.  The argument must
-             ``no''.  Note that disabling X11 forwarding does not improve
+             be ``yes'' or ``no''.  The default is ``no''.
-             security in any way, as users can always install their own forM--
-             warders.  X11 forwarding is automatically disabled if UseLogin is
+             When X11 forwarding is enabled, there may be additional exposure
-             enabled.
+             to the server and to client displays if the sshd proxy display is
+             configured to listen on the wildcard address (see X11UseLocalhost
+             below), however this is not the default.  Additionally, the
+             authentication spoofing and authentication data verification and
+             substitution occur on the client side.  The security risk of
+             using X11 forwarding is that the client's X11 display server may
+             be exposed to attack when the ssh client requests forwarding (see
+             the warnings for ForwardX11 in ssh_config(5) ). A system adminisM--
+             trator may have a stance in which they want to protect clients
+             that may expose themselves to attack by unwittingly requesting
+             X11 forwarding, which can warrant a ``no'' setting.
+             Note that disabling X11 forwarding does not prevent users from
+             forwarding X11 traffic, as users can always install their own
+             forwarders.  X11 forwarding is automatically disabled if UseLogin
+             is enabled.
     X11UseLocalhost
             Specifies whether sshd should bind the X11 forwarding server to
@@ -392,15 +417,15 @@ DESCRIPTION
             sshd binds the forwarding server to the loopback address and sets
             the hostname part of the DISPLAY environment variable to
             ``localhost''.  This prevents remote hosts from connecting to the
-             fake display.  However, some older X11 clients may not function
+             proxy display.  However, some older X11 clients may not function
             with this configuration.  X11UseLocalhost may be set to ``no'' to
             specify that the forwarding server should be bound to the wildM--
             card address.  The argument must be ``yes'' or ``no''.  The
             default is ``yes''.
     XAuthLocation
-             Specifies the location of the xauth(1) program.  The default is
+             Specifies the full pathname of the xauth(1) program.  The default
-             /usr/X11R6/bin/xauth.
+             is /usr/X11R6/bin/xauth.
   Time Formats
diff --git a/sshd_config.5 b/sshd_config.5
index aa7b7c7d4..0944ba076 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.4 2002/06/22 16:45:29 stevesk Exp $
+.\" $OpenBSD: sshd_config.5,v 1.13 2002/09/16 20:12:11 stevesk Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -379,7 +379,7 @@ options must precede this option for non port qualified addresses.
 The server disconnects after this time if the user has not
 successfully logged in.
 If the value is 0, there is no time limit.
-The default is 600 (seconds).
+The default is 120 seconds.
 .It Cm LogLevel
 Gives the verbosity level that is used when logging messages from
 .Nm sshd .
@@ -465,6 +465,20 @@ for root.
 If this option is set to
 .Dq no
 root is not allowed to login.
+.It Cm PermitUserEnvironment
+Specifies whether
+.Pa ~/.ssh/environment
+and
+.Cm environment=
+options in
+.Pa ~/.ssh/authorized_keys
+are processed by
+.Nm sshd .
+The default is
+.Dq no .
+Enabling environment processing may enable users to bypass access
+restrictions in some configurations using mechanisms such as
+.Ev LD_PRELOAD .
 .It Cm PidFile
 Specifies the file that contains the process ID of the
 .Nm sshd
@@ -499,7 +513,7 @@ The default is
 .It Cm Protocol
 Specifies the protocol versions
 .Nm sshd
-should support.
+supports.
 The possible values are
 .Dq 1
 and
@@ -507,6 +521,13 @@ and
 Multiple versions must be comma-separated.
 The default is
 .Dq 2,1 .
+Note that the order of the protocol list does not indicate preference,
+because the client selects among multiple protocol versions offered
+by the server.
+Specifying
+.Dq 2,1
+is identical to
+.Dq 1,2 .
 .It Cm PubkeyAuthentication
 Specifies whether public key authentication is allowed.
 The default is
@@ -609,10 +630,35 @@ from interfering with real X11 servers.
 The default is 10.
 .It Cm X11Forwarding
 Specifies whether X11 forwarding is permitted.
+The argument must be
+.Dq yes
+or
+.Dq no .
 The default is
 .Dq no .
-Note that disabling X11 forwarding does not improve security in any
+.Pp
-way, as users can always install their own forwarders.
+When X11 forwarding is enabled, there may be additional exposure to
+the server and to client displays if the
+.Nm sshd
+proxy display is configured to listen on the wildcard address (see
+.Cm X11UseLocalhost
+below), however this is not the default.
+Additionally, the authentication spoofing and authentication data
+verification and substitution occur on the client side.
+The security risk of using X11 forwarding is that the client's X11
+display server may be exposed to attack when the ssh client requests
+forwarding (see the warnings for
+.Cm ForwardX11
+in
+.Xr ssh_config 5 ).
+A system administrator may have a stance in which they want to
+protect clients that may expose themselves to attack by unwittingly
+requesting X11 forwarding, which can warrant a
+.Dq no
+setting.
+.Pp
+Note that disabling X11 forwarding does not prevent users from
+forwarding X11 traffic, as users can always install their own forwarders.
 X11 forwarding is automatically disabled if
 .Cm UseLogin
 is enabled.
@@ -627,7 +673,7 @@ hostname part of the
 .Ev DISPLAY
 environment variable to
 .Dq localhost .
-This prevents remote hosts from connecting to the fake display.
+This prevents remote hosts from connecting to the proxy display.
 However, some older X11 clients may not function with this
 configuration.
 .Cm X11UseLocalhost
@@ -642,7 +688,7 @@ or
 The default is
 .Dq yes .
 .It Cm XAuthLocation
-Specifies the location of the
+Specifies the full pathname of the
 .Xr xauth 1
 program.
 The default is
@@ -654,7 +700,7 @@ The default is
 command-line arguments and configuration file options that specify time
 may be expressed using a sequence of the form:
 .Sm off
-.Ar time Oo Ar qualifier Oc ,
+.Ar time Op Ar qualifier ,
 .Sm on
 where
 .Ar time
diff --git a/sshlogin.c b/sshlogin.c
index e76f94534..4cd1c0059 100644
--- a/sshlogin.c
+++ b/sshlogin.c
@@ -39,7 +39,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshlogin.c,v 1.4 2002/06/23 03:30:17 deraadt Exp $");
+RCSID("$OpenBSD: sshlogin.c,v 1.5 2002/08/29 15:57:25 stevesk Exp $");
 #include "loginrec.h"
@@ -65,7 +65,7 @@ get_last_login_time(uid_t uid, const char *logname,
 */
 void
 record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid,
-    const char *host, struct sockaddr * addr)
+    const char *host, struct sockaddr * addr, socklen_t addrlen)
 {
  struct logininfo *li;
diff --git a/sshlogin.h b/sshlogin.h
index bd30278e0..287c0d9f6 100644
--- a/sshlogin.h
+++ b/sshlogin.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: sshlogin.h,v 1.3 2001/06/26 17:27:25 markus Exp $     */
+/*      $OpenBSD: sshlogin.h,v 1.4 2002/08/29 15:57:25 stevesk Exp $    */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -16,7 +16,7 @@
 void
 record_login(pid_t, const char *, const char *, uid_t,
-    const char *, struct sockaddr *);
+    const char *, struct sockaddr *, socklen_t);
 void   record_logout(pid_t, const char *, const char *);
 u_long         get_last_login_time(uid_t, const char *, char *, u_int);
diff --git a/sshpty.c b/sshpty.c
index 64ac4e599..28d0e310c 100644
--- a/sshpty.c
+++ b/sshpty.c
@@ -162,7 +162,7 @@ pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen)
        }
        return 1;
 #else /* HAVE_DEV_PTS_AND_PTC */
-#ifdef _CRAY
+#ifdef _UNICOS
        char buf[64];
        int i;
        int highpty;
@@ -268,7 +268,7 @@ pty_make_controlling_tty(int *ttyfd, const char *ttyname)
        void *old;
 #endif /* USE_VHANGUP */
-#ifdef _CRAY
+#ifdef _UNICOS
        if (setsid() < 0)
                error("setsid: %.100s", strerror(errno));
@@ -290,7 +290,7 @@ pty_make_controlling_tty(int *ttyfd, const char *ttyname)
                error("%.100s: %.100s", ttyname, strerror(errno));
        close(*ttyfd);
        *ttyfd = fd;
-#else /* _CRAY */
+#else /* _UNICOS */
        /* First disconnect from the old controlling tty. */
 #ifdef TIOCNOTTY
@@ -345,7 +345,7 @@ pty_make_controlling_tty(int *ttyfd, const char *ttyname)
                    strerror(errno));
        else 
                close(fd);
-#endif /* _CRAY */
+#endif /* _UNICOS */
 }
 /* Changes the window size associated with the pty. */
diff --git a/uidswap.c b/uidswap.c
index 0a772c7b3..86c61a4b0 100644
--- a/uidswap.c
+++ b/uidswap.c
@@ -12,7 +12,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: uidswap.c,v 1.22 2002/05/28 21:24:00 stevesk Exp $");
+RCSID("$OpenBSD: uidswap.c,v 1.23 2002/07/15 17:15:31 stevesk Exp $");
 #include "log.h"
 #include "uidswap.h"
@@ -52,8 +52,9 @@ temporarily_use_uid(struct passwd *pw)
 #ifdef SAVED_IDS_WORK_WITH_SETEUID
        saved_euid = geteuid();
        saved_egid = getegid();
-        debug("temporarily_use_uid: %u/%u (e=%u)",
+        debug("temporarily_use_uid: %u/%u (e=%u/%u)",
-            (u_int)pw->pw_uid, (u_int)pw->pw_gid, (u_int)saved_euid);
+            (u_int)pw->pw_uid, (u_int)pw->pw_gid,
+            (u_int)saved_euid, (u_int)saved_egid);
        if (saved_euid != 0) {
                privileged = 0;
                return;
@@ -105,14 +106,16 @@ temporarily_use_uid(struct passwd *pw)
 void
 restore_uid(void)
 {
-        debug("restore_uid");
        /* it's a no-op unless privileged */
-        if (!privileged)
+        if (!privileged) {
+                debug("restore_uid: (unprivileged)");
                return;
+        }
        if (!temporarily_use_uid_effective)
                fatal("restore_uid: temporarily_use_uid not effective");
 #ifdef SAVED_IDS_WORK_WITH_SETEUID
+        debug("restore_uid: %u/%u", (u_int)saved_euid, (u_int)saved_egid);
        /* Set the effective uid back to the saved privileged uid. */
        if (seteuid(saved_euid) < 0)
                fatal("seteuid %u: %.100s", (u_int)saved_euid, strerror(errno));
@@ -142,6 +145,8 @@ permanently_set_uid(struct passwd *pw)
 {
        if (temporarily_use_uid_effective)
                fatal("permanently_set_uid: temporarily_use_uid effective");
+        debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid,
+            (u_int)pw->pw_gid);
        if (setgid(pw->pw_gid) < 0)
                fatal("setgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
        if (setuid(pw->pw_uid) < 0)
diff --git a/uuencode.c b/uuencode.c
index 89fcb0815..21eaf4d3f 100644
--- a/uuencode.c
+++ b/uuencode.c
@@ -23,9 +23,10 @@
 */
 #include "includes.h"
+RCSID("$OpenBSD: uuencode.c,v 1.16 2002/09/09 14:54:15 markus Exp $");
 #include "xmalloc.h"
 #include "uuencode.h"
-RCSID("$OpenBSD: uuencode.c,v 1.15 2002/03/04 17:27:39 stevesk Exp $");
 int
 uuencode(u_char *src, u_int srclength,
@@ -57,7 +58,7 @@ uudecode(const char *src, u_char *target, size_t targsize)
 void
 dump_base64(FILE *fp, u_char *data, u_int len)
 {
-        u_char *buf = xmalloc(2*len);
+        char *buf = xmalloc(2*len);
        int i, n;
        n = uuencode(data, len, buf, 2*len);
diff --git a/version.h b/version.h
index 1e9b43128..1f1129924 100644
--- a/version.h
+++ b/version.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: version.h,v 1.34 2002/06/26 13:56:27 markus Exp $ */
+/* $OpenBSD: version.h,v 1.35 2002/10/01 13:24:50 markus Exp $ */
-#define SSH_VERSION     "OpenSSH_3.4p1"
+#define SSH_VERSION     "OpenSSH_3.5p1"