64 files changed, 592 insertions, 409 deletions
diff --git a/ChangeLog b/ChangeLog
index d6e4a4a25..39e0ba45d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,120 @@
-20100307
+20100410
+ - (dtucker) [configure.ac] Put the check for the existence of getaddrinfo
+   back so we disable the IPv6 tests if we don't have it.
+20100409
+ - (dtucker) [contrib/cygwin/Makefile] Don't overwrite files with the wrong
+   ones.  Based on a patch from Roumen Petrov.
+ - (dtucker) [configure.ac] Bug #1744: use pkg-config for libedit flags if we
+   have it and the path is not provided to --with-libedit.  Based on a patch
+   from Iain Morgan.
+ - (dtucker) [configure.ac defines.h loginrec.c logintest.c] Bug #1732: enable
+   utmpx support on FreeBSD where possible.  Patch from Ed Schouten, ok djm@
+20100326
+ - (djm) [openbsd-compat/bsd-arc4random.c] Fix preprocessor detection
+   for arc4random_buf() and arc4random_uniform(); from Josh Gilkerson
+ - (dtucker) [configure.ac] Bug #1741: Add section for Haiku, patch originally
+   by Ingo Weinhold via Scott McCreary, ok djm@
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2010/03/25 23:38:28
+     [servconf.c]
+     from portable: getcwd(NULL, 0) doesn't work on all platforms, so
+     use a stack buffer; ok dtucker@
+   - djm@cvs.openbsd.org 2010/03/26 00:26:58
+     [ssh.1]
+     mention that -S none disables connection sharing; from Colin Watson
+ - (djm) [session.c] Allow ChrootDirectory to work on SELinux platforms -
+   set up SELinux execution context before chroot() call. From Russell
+   Coker via Colin watson; bz#1726 ok dtucker@
+ - (djm) [channels.c] Check for EPFNOSUPPORT as a socket() errno; bz#1721
+   ok dtucker@
+ - (dtucker) Bug #1725: explicitly link libX11 into gnome-ssh-askpass2 using
+   pkg-config, patch from Colin Watson.  Needed for newer linkers (ie gold).
+ - (djm) [contrib/ssh-copy-id] Don't blow up when the agent has no keys;
+   bz#1723 patch from Adeodato Simóvia Colin Watson; ok dtucker@
+ - (dtucker) OpenBSD CVS Sync
+   - dtucker@cvs.openbsd.org 2010/03/26 01:06:13
+     [ssh_config.5]
+     Reformat default value of PreferredAuthentications entry (current
+     formatting implies ", " is acceptable as a separator, which it's not.
+     ok djm@
+20100324
+ - (dtucker) [contrib/cygwin/ssh-host-config] Mount the Windows directory
+   containing the services file explicitely case-insensitive.  This allows to
+   tweak the Windows services file reliably.  Patch from vinschen at redhat.
+20100321
+ - (djm) OpenBSD CVS Sync
+   - jmc@cvs.openbsd.org 2010/03/08 09:41:27
+     [ssh-keygen.1]
+     sort the list of constraints (to -O); ok djm
+   - jmc@cvs.openbsd.org 2010/03/10 07:40:35
+     [ssh-keygen.1]
+     typos; from Ross Richardson
+     closes prs 6334 and 6335
+   - djm@cvs.openbsd.org 2010/03/10 23:27:17
+     [auth2-pubkey.c]
+     correct certificate logging and make it more consistent between
+     authorized_keys and TrustedCAKeys; ok markus@
+   - djm@cvs.openbsd.org 2010/03/12 01:06:25
+     [servconf.c]
+     unbreak AuthorizedKeys option with a $HOME-relative path; reported by
+     vinschen AT redhat.com, ok dtucker@
+   - markus@cvs.openbsd.org 2010/03/12 11:37:40
+     [servconf.c]
+     do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
+     free() (not xfree()) the buffer returned by getcwd()
+   - djm@cvs.openbsd.org 2010/03/13 21:10:38
+     [clientloop.c]
+     protocol conformance fix: send language tag when disconnecting normally;
+     spotted by 1.41421 AT gmail.com, ok markus@ deraadt@
+   - djm@cvs.openbsd.org 2010/03/13 21:45:46
+     [ssh-keygen.1]
+     Certificates are named *-cert.pub, not *_cert.pub; committing a diff
+     from stevesk@ ok me
+   - jmc@cvs.openbsd.org 2010/03/13 23:38:13
+     [ssh-keygen.1]
+     fix a formatting error (args need quoted); noted by stevesk
+   - stevesk@cvs.openbsd.org 2010/03/15 19:40:02
+     [key.c key.h ssh-keygen.c]
+     also print certificate type (user or host) for ssh-keygen -L
+     ok djm kettenis
+   - stevesk@cvs.openbsd.org 2010/03/16 15:46:52
+     [auth-options.c]
+     spelling in error message. ok djm kettenis
+   - djm@cvs.openbsd.org 2010/03/16 16:36:49
+     [version.h]
+     crank version to openssh-5.5 since we have a few fixes since 5.4;
+     requested deraadt@ kettenis@
+ - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
+   [contrib/suse/openssh.spec] Crank version numbers
+20100314
+ - (djm) [ssh-pkcs11-helper.c] Move #ifdef to after #defines to fix
+   compilation failure when !HAVE_DLOPEN. Reported by felix-mindrot
+   AT fefe.de
+ - (djm) [Makefile.in] Respecify -lssh after -lopenbsd-compat for
+   ssh-pkcs11-helper to repair static builds (we do the same for
+   ssh-keyscan). Reported by felix-mindrot AT fefe.de
+20100312
+ - (tim) [Makefile.in] Now that scard is gone, no need to make $(datadir)
+ - (tim) [Makefile.in] Add missing $(EXEEXT) to install targets.
+   Patch from Corinna Vinschen.
+ - (tim) [contrib/cygwin/Makefile] Fix list of documentation files to install
+   on a Cygwin installation. Patch from Corinna Vinschen.
+20100311
+ - (tim) [contrib/suse/openssh.spec] crank version number here too.
+   report by imorgan AT nas.nasa.gov
+20100309
+ - (dtucker) [configure.ac] Use a proper AC_CHECK_DECL for BROKEN_GETADDRINFO
+   so setting it in CFLAGS correctly skips IPv6 tests.
+20100308
 - (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2010/03/07 22:16:01
     [ssh-keygen.c]
diff --git a/Makefile.in b/Makefile.in
index f7e05b22e..debebe448 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.306 2010/02/24 07:18:51 djm Exp $
+# $Id: Makefile.in,v 1.309 2010/03/13 21:41:34 djm Exp $
 # uncomment if you run a non bourne compatable shell. Ie. csh
 #SHELL = @SH@
@@ -162,7 +162,7 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readco
        $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
-        $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+        $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
        $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -254,27 +254,26 @@ install-files:
        $(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
        $(srcdir)/mkinstalldirs $(DESTDIR)$(sbindir)
        $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)
-        $(srcdir)/mkinstalldirs $(DESTDIR)$(datadir)
        $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)1
        $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)5
        $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8
        $(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir)
        (umask 022 ; $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH))
-        $(INSTALL) -m 0755 $(STRIP_OPT) ssh $(DESTDIR)$(bindir)/ssh
+        $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
-        $(INSTALL) -m 0755 $(STRIP_OPT) scp $(DESTDIR)$(bindir)/scp
+        $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
-        $(INSTALL) -m 0755 $(STRIP_OPT) ssh-add $(DESTDIR)$(bindir)/ssh-add
+        $(INSTALL) -m 0755 $(STRIP_OPT) ssh-add$(EXEEXT) $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
-        $(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent $(DESTDIR)$(bindir)/ssh-agent
+        $(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
-        $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen $(DESTDIR)$(bindir)/ssh-keygen
+        $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
-        $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan $(DESTDIR)$(bindir)/ssh-keyscan
+        $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
-        $(INSTALL) -m 0755 $(STRIP_OPT) sshd $(DESTDIR)$(sbindir)/sshd
+        $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
        if test ! -z "$(INSTALL_SSH_RAND_HELPER)" ; then \
-                $(INSTALL) -m 0755 $(STRIP_OPT) ssh-rand-helper $(DESTDIR)$(libexecdir)/ssh-rand-helper ; \
+                $(INSTALL) -m 0755 $(STRIP_OPT) ssh-rand-helper$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-rand-helper$(EXEEXT) ; \
        fi
-        $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign $(DESTDIR)$(SSH_KEYSIGN)
+        $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
-        $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper $(DESTDIR)$(SSH_PKCS11_HELPER)
+        $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
-        $(INSTALL) -m 0755 $(STRIP_OPT) sftp $(DESTDIR)$(bindir)/sftp
+        $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
-        $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server $(DESTDIR)$(SFTP_SERVER)
+        $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-        $(INSTALL) -m 0755 $(STRIP_OPT) ssh-vulnkey $(DESTDIR)$(bindir)/ssh-vulnkey
+        $(INSTALL) -m 0755 $(STRIP_OPT) ssh-vulnkey$(EXEEXT) $(DESTDIR)$(bindir)/ssh-vulnkey$(EXEEXT)
        $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
        $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
        $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
diff --git a/README b/README
index 0ecb670b6..a29f2007d 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
-See http://www.openssh.com/txt/release-5.4 for the release notes.
+See http://www.openssh.com/txt/release-5.5 for the release notes.
 - A Japanese translation of this document and of the OpenSSH FAQ is
 - available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@@ -62,4 +62,4 @@ References -
 [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
 [7] http://www.openssh.com/faq.html
-$Id: README,v 1.72 2010/03/07 22:41:02 djm Exp $
+$Id: README,v 1.73 2010/03/21 19:11:55 djm Exp $
diff --git a/auth-options.c b/auth-options.c
index 129301765..69b314fbd 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.48 2010/03/07 11:57:13 dtucker Exp $ */
+/* $OpenBSD: auth-options.c,v 1.49 2010/03/16 15:46:52 stevesk Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -434,7 +434,7 @@ auth_cert_constraints(Buffer *c_orig, struct passwd *pw)
                                goto out;
                        }
                        if (strlen(command) != clen) {
-                                error("force-command constrain contains \\0");
+                                error("force-command constraint contains \\0");
                                goto out;
                        }
                        if (cert_forced_command != NULL) {
@@ -454,7 +454,7 @@ auth_cert_constraints(Buffer *c_orig, struct passwd *pw)
                                goto out;
                        }
                        if (strlen(allowed) != clen) {
-                                error("source-address constrain contains \\0");
+                                error("source-address constraint contains \\0");
                                goto out;
                        }
                        if (cert_source_address_done++) {
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index b6ed62857..49bb062af 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.21 2010/03/04 10:36:03 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.22 2010/03/10 23:27:17 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@@ -240,22 +240,26 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
                                continue;
                        if (!key_equal(found, key->cert->signature_key))
                                continue;
-                        debug("matching CA found: file %s, line %lu",
-                            file, linenum);
                        fp = key_fingerprint(found, SSH_FP_MD5,
                            SSH_FP_HEX);
-                        verbose("Found matching %s CA: %s",
+                        debug("matching CA found: file %s, line %lu, %s %s",
-                            key_type(found), fp);
+                            file, linenum, key_type(found), fp);
-                        xfree(fp);
                        if (key_cert_check_authority(key, 0, 0, pw->pw_name,
                            &reason) != 0) {
+                                xfree(fp);
                                error("%s", reason);
                                auth_debug_add("%s", reason);
                                continue;
                        }
                        if (auth_cert_constraints(&key->cert->constraints,
-                            pw) != 0)
+                            pw) != 0) {
+                                xfree(fp);
                                continue;
+                        }
+                        verbose("Accepted certificate ID \"%s\" "
+                            "signed by %s CA %s via %s", key->cert->key_id,
+                            key_type(found), fp, file);
+                        xfree(fp);
                        found_key = 1;
                        break;
                } else if (!key_is_cert_authority && key_equal(found, key)) {
@@ -281,15 +285,15 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
 static int
 user_cert_trusted_ca(struct passwd *pw, Key *key)
 {
-        char *key_fp, *ca_fp;
+        char *ca_fp;
        const char *reason;
        int ret = 0;
        if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
                return 0;
-        key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+        ca_fp = key_fingerprint(key->cert->signature_key,
-        ca_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+            SSH_FP_MD5, SSH_FP_HEX);
        if (key_in_file(key->cert->signature_key,
            options.trusted_user_ca_keys, 1) != 1) {
@@ -306,13 +310,12 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
        if (auth_cert_constraints(&key->cert->constraints, pw) != 0)
                goto out;
-        verbose("%s certificate %s allowed by trusted %s key %s",
+        verbose("Accepted certificate ID \"%s\" signed by %s CA %s via %s",
-            key_type(key), key_fp, key_type(key->cert->signature_key), ca_fp);
+            key->cert->key_id, key_type(key->cert->signature_key), ca_fp,
+            options.trusted_user_ca_keys);
        ret = 1;
 out:
-        if (key_fp != NULL)
-                xfree(key_fp);
        if (ca_fp != NULL)
                xfree(ca_fp);
        return ret;
diff --git a/clientloop.c b/clientloop.c
index 56f8dd2f8..05e7de067 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.218 2010/01/28 00:21:18 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.219 2010/03/13 21:10:38 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1502,6 +1502,7 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
                packet_start(SSH2_MSG_DISCONNECT);
                packet_put_int(SSH2_DISCONNECT_BY_APPLICATION);
                packet_put_cstring("disconnected by user");
+                packet_put_cstring(""); /* language tag */
                packet_send();
                packet_write_wait();
        }
diff --git a/config.h.in b/config.h.in
index a61f0a6b5..a609d72ba 100644
--- a/config.h.in
+++ b/config.h.in
@@ -80,9 +80,6 @@
 /* Define if you want to specify the path to your lastlog file */
 #undef CONF_LASTLOG_FILE
-/* Define if you want to specify the path to your utmpx file */
-#undef CONF_UTMPX_FILE
 /* Define if you want to specify the path to your utmp file */
 #undef CONF_UTMP_FILE
@@ -455,6 +452,9 @@
 /* Define to 1 if you have the `getutxline' function. */
 #undef HAVE_GETUTXLINE
+/* Define to 1 if you have the `getutxuser' function. */
+#undef HAVE_GETUTXUSER
 /* Define to 1 if you have the `get_default_context_with_level' function. */
 #undef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
@@ -551,6 +551,9 @@
 /* Define if system has libiaf that supports set_id */
 #undef HAVE_LIBIAF
+/* Define to 1 if you have the `network' library (-lnetwork). */
+#undef HAVE_LIBNETWORK
 /* Define to 1 if you have the `nsl' library (-lnsl). */
 #undef HAVE_LIBNSL
@@ -804,6 +807,9 @@
 /* Define to 1 if you have the `setutent' function. */
 #undef HAVE_SETUTENT
+/* Define to 1 if you have the `setutxdb' function. */
+#undef HAVE_SETUTXDB
 /* Define to 1 if you have the `setutxent' function. */
 #undef HAVE_SETUTXENT
diff --git a/configure b/configure
index 7c19fc204..5ebdb15c6 100755
--- a/configure
+++ b/configure
@@ -1,5 +1,5 @@
 #! /bin/sh
-# From configure.ac Revision: 1.444 .
+# From configure.ac Revision: 1.449 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.61 for OpenSSH Portable.
 #
@@ -693,6 +693,7 @@ LOGIN_PROGRAM_FALLBACK
 PATH_PASSWD_PROG
 LD
 SSHDLIBS
+PKGCONFIG
 LIBEDIT
 INSTALL_SSH_RAND_HELPER
 SSH_PRIVSEP_USER
@@ -7435,6 +7436,85 @@ fi
 *-*-dragonfly*)
        SSHDLIBS="$SSHDLIBS -lcrypt"
        ;;
+*-*-haiku*)
+    LIBS="$LIBS -lbsd "
+{ echo "$as_me:$LINENO: checking for socket in -lnetwork" >&5
+echo $ECHO_N "checking for socket in -lnetwork... $ECHO_C" >&6; }
+if test "${ac_cv_lib_network_socket+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lnetwork  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char socket ();
+int
+main ()
+{
+return socket ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+         test -z "$ac_c_werror_flag" ||
+         test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_network_socket=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+        ac_cv_lib_network_socket=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_network_socket" >&5
+echo "${ECHO_T}$ac_cv_lib_network_socket" >&6; }
+if test $ac_cv_lib_network_socket = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBNETWORK 1
+_ACEOF
+  LIBS="-lnetwork $LIBS"
+fi
+    cat >>confdefs.h <<\_ACEOF
+#define HAVE_U_INT64_T 1
+_ACEOF
+    MANTYPE=man
+    ;;
 *-*-hpux*)
        # first we define all of the options common to all HP-UX releases
        CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
@@ -12326,7 +12406,61 @@ LIBEDIT_MSG="no"
 # Check whether --with-libedit was given.
 if test "${with_libedit+set}" = set; then
  withval=$with_libedit;  if test "x$withval" != "xno" ; then
-                if test "x$withval" != "xyes"; then
+                if test "x$withval" = "xyes" ; then
+                        # Extract the first word of "pkg-config", so it can be a program name with args.
+set dummy pkg-config; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_path_PKGCONFIG+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  case $PKGCONFIG in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_PKGCONFIG="$PKGCONFIG" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+    ac_cv_path_PKGCONFIG="$as_dir/$ac_word$ac_exec_ext"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+IFS=$as_save_IFS
+  test -z "$ac_cv_path_PKGCONFIG" && ac_cv_path_PKGCONFIG="no"
+  ;;
+esac
+fi
+PKGCONFIG=$ac_cv_path_PKGCONFIG
+if test -n "$PKGCONFIG"; then
+  { echo "$as_me:$LINENO: result: $PKGCONFIG" >&5
+echo "${ECHO_T}$PKGCONFIG" >&6; }
+else
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+                        if test "x$PKGCONFIG" != "xno"; then
+                                { echo "$as_me:$LINENO: checking if $PKGCONFIG knows about libedit" >&5
+echo $ECHO_N "checking if $PKGCONFIG knows about libedit... $ECHO_C" >&6; }
+                                if "$PKGCONFIG" libedit; then
+                                        { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+                                        use_pkgconfig_for_libedit=yes
+                                else
+                                        { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+                                fi
+                        fi
+                else
                        CPPFLAGS="$CPPFLAGS -I${withval}/include"
                        if test -n "${need_dash_r}"; then
                                LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
@@ -12334,13 +12468,20 @@ if test "${with_libedit+set}" = set; then
                                LDFLAGS="-L${withval}/lib ${LDFLAGS}"
                        fi
                fi
+                if test "x$use_pkgconfig_for_libedit" == "xyes"; then
+                        LIBEDIT=`$PKGCONFIG --libs-only-l libedit`
+                        CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
+                else
+                        LIBEDIT="-ledit -lcurses"
+                fi
+                OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'`
                { echo "$as_me:$LINENO: checking for el_init in -ledit" >&5
 echo $ECHO_N "checking for el_init in -ledit... $ECHO_C" >&6; }
 if test "${ac_cv_lib_edit_el_init+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  ac_check_lib_save_LIBS=$LIBS
-LIBS="-ledit  -lcurses
+LIBS="-ledit  $OTHERLIBS
                 $LIBS"
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -12402,7 +12543,6 @@ cat >>confdefs.h <<\_ACEOF
 #define USE_LIBEDIT 1
 _ACEOF
-                          LIBEDIT="-ledit -lcurses"
                          LIBEDIT_MSG="yes"
@@ -14961,7 +15101,8 @@ done
-for ac_func in endutxent getutxent getutxid getutxline pututxline
+for ac_func in endutxent getutxent getutxid getutxline getutxuser pututxline
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
 { echo "$as_me:$LINENO: checking for $ac_func" >&5
@@ -15056,7 +15197,8 @@ done
-for ac_func in setutxent utmpxname
+for ac_func in setutxdb setutxent utmpxname
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
 { echo "$as_me:$LINENO: checking for $ac_func" >&5
@@ -29373,8 +29515,8 @@ _ACEOF
 fi
-{ echo "$as_me:$LINENO: checking if your system defines UTMPX_FILE" >&5
+{ echo "$as_me:$LINENO: checking if your system defines WTMPX_FILE" >&5
-echo $ECHO_N "checking if your system defines UTMPX_FILE... $ECHO_C" >&6; }
+echo $ECHO_N "checking if your system defines WTMPX_FILE... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -29394,7 +29536,7 @@ cat >>conftest.$ac_ext <<_ACEOF
 int
 main ()
 {
- char *utmpx = UTMPX_FILE;
+ char *wtmpx = WTMPX_FILE;
  ;
  return 0;
 }
@@ -29424,48 +29566,59 @@ sed 's/^/| /' conftest.$ac_ext >&5
         { echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6; }
-          system_utmpx_path=no
+          system_wtmpx_path=no
 fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-if test -z "$conf_utmpx_location"; then
+if test -z "$conf_wtmpx_location"; then
-        if test x"$system_utmpx_path" = x"no" ; then
+        if test x"$system_wtmpx_path" = x"no" ; then
                cat >>confdefs.h <<\_ACEOF
-#define DISABLE_UTMPX 1
+#define DISABLE_WTMPX 1
 _ACEOF
        fi
 else
 cat >>confdefs.h <<_ACEOF
-#define CONF_UTMPX_FILE "$conf_utmpx_location"
+#define CONF_WTMPX_FILE "$conf_wtmpx_location"
 _ACEOF
 fi
-{ echo "$as_me:$LINENO: checking if your system defines WTMPX_FILE" >&5
-echo $ECHO_N "checking if your system defines WTMPX_FILE... $ECHO_C" >&6; }
+if test ! -z "$blibpath" ; then
-cat >conftest.$ac_ext <<_ACEOF
+        LDFLAGS="$LDFLAGS $blibflags$blibpath"
+        { echo "$as_me:$LINENO: WARNING: Please check and edit blibpath in LDFLAGS in Makefile" >&5
+echo "$as_me: WARNING: Please check and edit blibpath in LDFLAGS in Makefile" >&2;}
+fi
+CFLAGS="$CFLAGS $werror_flags"
+if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
+        TEST_SSH_IPV6=no
+else
+        TEST_SSH_IPV6=yes
+fi
+{ echo "$as_me:$LINENO: checking whether BROKEN_GETADDRINFO is declared" >&5
+echo $ECHO_N "checking whether BROKEN_GETADDRINFO is declared... $ECHO_C" >&6; }
+if test "${ac_cv_have_decl_BROKEN_GETADDRINFO+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
+$ac_includes_default
-#include <sys/types.h>
-#include <utmp.h>
-#ifdef HAVE_UTMPX_H
-#include <utmpx.h>
-#endif
-#ifdef HAVE_PATHS_H
-#  include <paths.h>
-#endif
 int
 main ()
 {
- char *wtmpx = WTMPX_FILE;
+#ifndef BROKEN_GETADDRINFO
+  (void) BROKEN_GETADDRINFO;
+#endif
  ;
  return 0;
 }
@@ -29487,51 +29640,24 @@ eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
         test -z "$ac_c_werror_flag" ||
         test ! -s conftest.err
       } && test -s conftest.$ac_objext; then
-   { echo "$as_me:$LINENO: result: yes" >&5
+  ac_cv_have_decl_BROKEN_GETADDRINFO=yes
-echo "${ECHO_T}yes" >&6; }
 else
  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
-         { echo "$as_me:$LINENO: result: no" >&5
+        ac_cv_have_decl_BROKEN_GETADDRINFO=no
-echo "${ECHO_T}no" >&6; }
-          system_wtmpx_path=no
 fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-if test -z "$conf_wtmpx_location"; then
-        if test x"$system_wtmpx_path" = x"no" ; then
-                cat >>confdefs.h <<\_ACEOF
-#define DISABLE_WTMPX 1
-_ACEOF
-        fi
-else
-cat >>confdefs.h <<_ACEOF
-#define CONF_WTMPX_FILE "$conf_wtmpx_location"
-_ACEOF
 fi
+{ echo "$as_me:$LINENO: result: $ac_cv_have_decl_BROKEN_GETADDRINFO" >&5
+echo "${ECHO_T}$ac_cv_have_decl_BROKEN_GETADDRINFO" >&6; }
-if test ! -z "$blibpath" ; then
+if test $ac_cv_have_decl_BROKEN_GETADDRINFO = yes; then
-        LDFLAGS="$LDFLAGS $blibflags$blibpath"
+  TEST_SSH_IPV6=no
-        { echo "$as_me:$LINENO: WARNING: Please check and edit blibpath in LDFLAGS in Makefile" >&5
-echo "$as_me: WARNING: Please check and edit blibpath in LDFLAGS in Makefile" >&2;}
 fi
-CFLAGS="$CFLAGS $werror_flags"
+TEST_SSH_IPV6=$TEST_SSH_IPV6
-if grep "#define BROKEN_GETADDRINFO 1" confdefs.h >/dev/null || \
-    test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
-        TEST_SSH_IPV6=no
-else
-        TEST_SSH_IPV6=yes
-fi
 ac_config_files="$ac_config_files Makefile buildpkg.sh opensshd.init openssh.xml openbsd-compat/Makefile openbsd-compat/regress/Makefile ssh_prng_cmds survey.sh"
@@ -30236,6 +30362,7 @@ LOGIN_PROGRAM_FALLBACK!$LOGIN_PROGRAM_FALLBACK$ac_delim
 PATH_PASSWD_PROG!$PATH_PASSWD_PROG$ac_delim
 LD!$LD$ac_delim
 SSHDLIBS!$SSHDLIBS$ac_delim
+PKGCONFIG!$PKGCONFIG$ac_delim
 LIBEDIT!$LIBEDIT$ac_delim
 INSTALL_SSH_RAND_HELPER!$INSTALL_SSH_RAND_HELPER$ac_delim
 SSH_PRIVSEP_USER!$SSH_PRIVSEP_USER$ac_delim
@@ -30255,7 +30382,6 @@ PROG_VMSTAT!$PROG_VMSTAT$ac_delim
 PROG_UPTIME!$PROG_UPTIME$ac_delim
 PROG_IPCS!$PROG_IPCS$ac_delim
 PROG_TAIL!$PROG_TAIL$ac_delim
-INSTALL_SSH_PRNG_CMDS!$INSTALL_SSH_PRNG_CMDS$ac_delim
 _ACEOF
  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
@@ -30297,6 +30423,7 @@ _ACEOF
 ac_delim='%!_!# '
 for ac_last_try in false false false false false :; do
  cat >conf$$subs.sed <<_ACEOF
+INSTALL_SSH_PRNG_CMDS!$INSTALL_SSH_PRNG_CMDS$ac_delim
 KRB5CONF!$KRB5CONF$ac_delim
 PRIVSEP_PATH!$PRIVSEP_PATH$ac_delim
 xauth_path!$xauth_path$ac_delim
@@ -30312,7 +30439,7 @@ LIBOBJS!$LIBOBJS$ac_delim
 LTLIBOBJS!$LTLIBOBJS$ac_delim
 _ACEOF
-  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 13; then
+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 14; then
    break
  elif $ac_last_try; then
    { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
diff --git a/configure.ac b/configure.ac
index dfd63765b..b82d48356 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.444 2010/03/05 04:04:35 djm Exp $
+# $Id: configure.ac,v 1.449 2010/04/10 12:58:01 dtucker Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -15,7 +15,7 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org)
-AC_REVISION($Revision: 1.444 $)
+AC_REVISION($Revision: 1.449 $)
 AC_CONFIG_SRCDIR([ssh.c])
 AC_CONFIG_HEADER(config.h)
@@ -512,6 +512,12 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 *-*-dragonfly*)
        SSHDLIBS="$SSHDLIBS -lcrypt"
        ;;
+*-*-haiku*) 
+    LIBS="$LIBS -lbsd "
+    AC_CHECK_LIB(network, socket)
+    AC_DEFINE(HAVE_U_INT64_T)
+    MANTYPE=man 
+    ;; 
 *-*-hpux*)
        # first we define all of the options common to all HP-UX releases
        CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
@@ -1272,7 +1278,18 @@ LIBEDIT_MSG="no"
 AC_ARG_WITH(libedit,
        [  --with-libedit[[=PATH]]   Enable libedit support for sftp],
        [ if test "x$withval" != "xno" ; then
-                if test "x$withval" != "xyes"; then
+                if test "x$withval" = "xyes" ; then
+                        AC_PATH_PROG(PKGCONFIG, pkg-config, no)
+                        if test "x$PKGCONFIG" != "xno"; then
+                                AC_MSG_CHECKING(if $PKGCONFIG knows about libedit)
+                                if "$PKGCONFIG" libedit; then
+                                        AC_MSG_RESULT(yes)
+                                        use_pkgconfig_for_libedit=yes
+                                else
+                                        AC_MSG_RESULT(no)
+                                fi
+                        fi
+                else
                        CPPFLAGS="$CPPFLAGS -I${withval}/include"
                        if test -n "${need_dash_r}"; then
                                LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
@@ -1280,14 +1297,20 @@ AC_ARG_WITH(libedit,
                                LDFLAGS="-L${withval}/lib ${LDFLAGS}"
                        fi
                fi
+                if test "x$use_pkgconfig_for_libedit" == "xyes"; then
+                        LIBEDIT=`$PKGCONFIG --libs-only-l libedit`
+                        CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
+                else
+                        LIBEDIT="-ledit -lcurses"
+                fi
+                OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'`
                AC_CHECK_LIB(edit, el_init,
                        [ AC_DEFINE(USE_LIBEDIT, 1, [Use libedit for sftp])
-                          LIBEDIT="-ledit -lcurses"
                          LIBEDIT_MSG="yes"
                          AC_SUBST(LIBEDIT)
                        ],
                        [ AC_MSG_ERROR(libedit not found) ],
-                        [ -lcurses ]
+                        [ $OTHERLIBS ]
                )
                AC_MSG_CHECKING(if libedit version is compatible)
                AC_COMPILE_IFELSE(
@@ -1558,8 +1581,8 @@ dnl    Checks for utmp functions
 AC_CHECK_FUNCS(endutent getutent getutid getutline pututline setutent)
 AC_CHECK_FUNCS(utmpname)
 dnl    Checks for utmpx functions
-AC_CHECK_FUNCS(endutxent getutxent getutxid getutxline pututxline )
+AC_CHECK_FUNCS(endutxent getutxent getutxid getutxline getutxuser pututxline)
-AC_CHECK_FUNCS(setutxent utmpxname)
+AC_CHECK_FUNCS(setutxdb setutxent utmpxname)
 dnl    Checks for lastlog functions
 AC_CHECK_FUNCS(getlastlogxbyname)
@@ -4088,34 +4111,6 @@ if test -n "$conf_wtmp_location"; then
 fi
-dnl utmpx detection - I don't know any system so perverse as to require
-dnl  utmpx, but not define UTMPX_FILE (ditto wtmpx.) No doubt it's out
-dnl  there, though.
-AC_MSG_CHECKING([if your system defines UTMPX_FILE])
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <utmp.h>
-#ifdef HAVE_UTMPX_H
-#include <utmpx.h>
-#endif
-#ifdef HAVE_PATHS_H
-#  include <paths.h>
-#endif
-        ],
-        [ char *utmpx = UTMPX_FILE; ],
-        [ AC_MSG_RESULT(yes) ],
-        [ AC_MSG_RESULT(no)
-          system_utmpx_path=no ]
-)
-if test -z "$conf_utmpx_location"; then
-        if test x"$system_utmpx_path" = x"no" ; then
-                AC_DEFINE(DISABLE_UTMPX)
-        fi
-else
-        AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location",
-                [Define if you want to specify the path to your utmpx file])
-fi
 dnl wtmpx detection
 AC_MSG_CHECKING([if your system defines WTMPX_FILE])
 AC_TRY_COMPILE([
@@ -4152,12 +4147,13 @@ dnl Adding -Werror to CFLAGS early prevents configure tests from running.
 dnl Add now.
 CFLAGS="$CFLAGS $werror_flags"
-if grep "#define BROKEN_GETADDRINFO 1" confdefs.h >/dev/null || \
+if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
-    test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
+        TEST_SSH_IPV6=no
-        AC_SUBST(TEST_SSH_IPV6, no)
 else
-        AC_SUBST(TEST_SSH_IPV6, yes)
+        TEST_SSH_IPV6=yes
 fi
+AC_CHECK_DECL(BROKEN_GETADDRINFO,  TEST_SSH_IPV6=no)
+AC_SUBST(TEST_SSH_IPV6, $TEST_SSH_IPV6)
 AC_EXEEXT
 AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
diff --git a/contrib/Makefile b/contrib/Makefile
index 00e96e7b9..8b34eb221 100644
--- a/contrib/Makefile
+++ b/contrib/Makefile
@@ -7,7 +7,7 @@ gnome-ssh-askpass1: gnome-ssh-askpass1.c
                `gnome-config --libs gnome gnomeui`
 gnome-ssh-askpass2: gnome-ssh-askpass2.c
-        $(CC) `pkg-config --cflags gtk+-2.0 x11` \
+        $(CC) `pkg-config --cflags gtk+-2.0` \
                gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
                `pkg-config --libs gtk+-2.0 x11`
diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec
index 7c291a0eb..6bea9a40f 100644
--- a/contrib/caldera/openssh.spec
+++ b/contrib/caldera/openssh.spec
@@ -17,11 +17,11 @@
 #old cvs stuff.  please update before use.  may be deprecated.
 %define use_stable      1
 %if %{use_stable}
-  %define version       5.4p1
+  %define version       5.5p1
  %define cvs           %{nil}
  %define release       1
 %else
-  %define version       5.4p1
+  %define version       5.5p1
  %define cvs           cvs20050315
  %define release       0r1
 %endif
@@ -360,4 +360,4 @@ fi
 * Mon Jan 01 1998 ...
 Template Version: 1.31
-$Id: openssh.spec,v 1.69 2010/03/07 22:41:03 djm Exp $
+$Id: openssh.spec,v 1.70 2010/03/21 19:11:58 djm Exp $
diff --git a/contrib/cygwin/Makefile b/contrib/cygwin/Makefile
index 9f680c16c..dc857f2ed 100644
--- a/contrib/cygwin/Makefile
+++ b/contrib/cygwin/Makefile
@@ -42,11 +42,13 @@ install-sshdoc:
        $(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW
        $(INSTALL) -m 644 $(srcdir)/PROTOCOL $(DESTDIR)$(sshdocdir)/PROTOCOL
        $(INSTALL) -m 644 $(srcdir)/PROTOCOL.agent $(DESTDIR)$(sshdocdir)/PROTOCOL.agent
+        $(INSTALL) -m 644 $(srcdir)/PROTOCOL.certkeys $(DESTDIR)$(sshdocdir)/PROTOCOL.certkeys
+        $(INSTALL) -m 644 $(srcdir)/PROTOCOL.mux $(DESTDIR)$(sshdocdir)/PROTOCOL.mux
        $(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README
        $(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns
        $(INSTALL) -m 644 $(srcdir)/README.platform $(DESTDIR)$(sshdocdir)/README.platform
        $(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep
-        $(INSTALL) -m 644 $(srcdir)/README.smartcard $(DESTDIR)$(sshdocdir)/README.smartcard
+        $(INSTALL) -m 644 $(srcdir)/README.tun $(DESTDIR)$(sshdocdir)/README.tun
        $(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO
        $(INSTALL) -m 644 $(srcdir)/WARNING.RNG $(DESTDIR)$(sshdocdir)/WARNING.RNG
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index b6f9511e2..d968d4619 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -90,7 +90,7 @@ update_services_file() {
  fi
  _serv_tmp="${_my_etcdir}/srv.out.$$"
-  mount -o text -f "${_win_etcdir}" "${_my_etcdir}"
+  mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}"
  # Depends on the above mount
  _wservices=`cygpath -w "${_services}"`
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec
index de24f1c5d..c13cfe60d 100644
--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
-%define ver 5.4p1
+%define ver 5.5p1
 %define rel 1
 # OpenSSH privilege separation requires a user & group ID
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec
index c09246d1f..52ed915dc 100644
--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -13,7 +13,7 @@
 Summary:        OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name:           openssh
-Version:        5.3p1
+Version:        5.5p1
 URL:            http://www.openssh.com/
 Release:        1
 Source0:        openssh-%{version}.tar.gz
diff --git a/debian/changelog b/debian/changelog
index 29a5c76f2..a116a76eb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+openssh (1:5.5p1-1) UNRELEASED; urgency=low
+  * New upstream release:
+    - Unbreak sshd_config's AuthorizedKeysFile option for $HOME-relative
+      paths.
+    - Include a language tag when sending a protocol 2 disconnection
+      message.
+    - Make logging of certificates used for user authentication more clear
+      and consistent between CAs specified using TrustedUserCAKeys and
+      authorized_keys.
+ -- Colin Watson <cjwatson@ubuntu.com>  Fri, 16 Apr 2010 10:21:10 +0100
 openssh (1:5.4p1-2) unstable; urgency=low
  * Borrow patch from Fedora to add DNSSEC support: if glibc 2.11 is
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index 32b1dcc72..34535f001 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -8,7 +8,7 @@ Index: b/Makefile.in
 ===================================================================
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -285,6 +285,7 @@
+@@ -284,6 +284,7 @@
        $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
        $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
        $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index c0567f264..e608bd20d 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -43,7 +43,7 @@ Index: b/servconf.c
        { NULL, sBadOption, 0 }
 };
 
-@@ -1377,6 +1382,10 @@
+@@ -1386,6 +1391,10 @@
                charptr = &options->revoked_keys_file;
                goto parse_filename;
 
diff --git a/debian/patches/doc-connection-sharing.patch b/debian/patches/doc-connection-sharing.patch
deleted file mode 100644
index d08f3d01f..000000000
--- a/debian/patches/doc-connection-sharing.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-Description: ssh(1): Document that '-S none' disables connection sharing.
-Author: martin f krafft <madduck@debian.org>
-Author: Colin Watson <cjwatson@debian.org>
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1724
-Bug-Debian: http://bugs.debian.org/471437
-Last-Update: 2010-03-01
-Index: b/ssh.1
-===================================================================
--- a/ssh.1
-+++ b/ssh.1
-@@ -558,7 +558,10 @@
- the listen port will be dynamically allocated on the server and reported
- to the client at run time.
- .It Fl S Ar ctl_path
-Specifies the location of a control socket for connection sharing.
-+Specifies the location of a control socket for connection sharing,
-+or the string
-+.Dq none
-+to disable connection sharing.
- Refer to the description of
- .Cm ControlPath
- and
diff --git a/debian/patches/gnome-ssh-askpass2-link.patch b/debian/patches/gnome-ssh-askpass2-link.patch
deleted file mode 100644
index 6b9909641..000000000
--- a/debian/patches/gnome-ssh-askpass2-link.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-Description: Use x11.pc when compiling/linking gnome-ssh-askpass2
- This fixes linking with binutils-gold.
-Author: Colin Watson <cjwatson@debian.org>
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1725
-Bug-Debian: http://bugs.debian.org/555951
-Last-Update: 2010-03-01
-Index: b/contrib/Makefile
-===================================================================
--- a/contrib/Makefile
-+++ b/contrib/Makefile
-@@ -7,9 +7,9 @@
-                `gnome-config --libs gnome gnomeui`
- 
- gnome-ssh-askpass2: gnome-ssh-askpass2.c
-       $(CC) `pkg-config --cflags gtk+-2.0` \
-+       $(CC) `pkg-config --cflags gtk+-2.0 x11` \
-                gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
-               `pkg-config --libs gtk+-2.0`
-+               `pkg-config --libs gtk+-2.0 x11`
- 
- clean:
-        rm -f *.o gnome-ssh-askpass1 gnome-ssh-askpass2 gnome-ssh-askpass
diff --git a/debian/patches/gssapi-autoconf.patch b/debian/patches/gssapi-autoconf.patch
index 5ef959de7..3ea221834 100644
--- a/debian/patches/gssapi-autoconf.patch
+++ b/debian/patches/gssapi-autoconf.patch
@@ -7,7 +7,7 @@ Index: b/config.h.in
 ===================================================================
 --- a/config.h.in
 +++ b/config.h.in
-@@ -1378,6 +1378,9 @@
+@@ -1384,6 +1384,9 @@
 /* Use btmp to log bad logins */
 #undef USE_BTMP
 
@@ -17,7 +17,7 @@ Index: b/config.h.in
 /* Use libedit for sftp */
 #undef USE_LIBEDIT
 
-@@ -1390,6 +1393,9 @@
+@@ -1396,6 +1399,9 @@
 /* Use PIPES instead of a socketpair() */
 #undef USE_PIPES
 
diff --git a/debian/patches/gssapi-dump.patch b/debian/patches/gssapi-dump.patch
index 9ed033359..6e09df484 100644
--- a/debian/patches/gssapi-dump.patch
+++ b/debian/patches/gssapi-dump.patch
@@ -11,7 +11,7 @@ Index: b/servconf.c
 ===================================================================
 --- a/servconf.c
 +++ b/servconf.c
-@@ -1668,7 +1668,10 @@
+@@ -1677,7 +1677,10 @@
 #endif
 #ifdef GSSAPI
        dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 5c1b83415..e39239fbd 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1918,7 +1918,7 @@ Index: b/key.c
 ===================================================================
 --- a/key.c
 +++ b/key.c
-@@ -969,6 +969,8 @@
+@@ -982,6 +982,8 @@
                return KEY_RSA_CERT;
        } else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) {
                return KEY_DSA_CERT;
@@ -2387,7 +2387,7 @@ Index: b/servconf.c
 #endif
        { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
        { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
-@@ -925,10 +942,22 @@
+@@ -924,10 +941,22 @@
                intptr = &options->gss_authentication;
                goto parse_flag;
 
diff --git a/debian/patches/hurd-epfnosupport.patch b/debian/patches/hurd-epfnosupport.patch
deleted file mode 100644
index e06b46309..000000000
--- a/debian/patches/hurd-epfnosupport.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Description: Fix X forwarding on the Hurd
- socket() may return EPFNOSUPPORT, which != EAFNOSUPPORT on the Hurd.
-Author: Robert Bihlmeyer <robbe@orcus.priv.at>
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1721
-Bug-Debian: http://bugs.debian.org/102991
-Last-Update: 2010-03-01
-Index: b/channels.c
-===================================================================
--- a/channels.c
-+++ b/channels.c
-@@ -3252,7 +3252,11 @@
-                        sock = socket(ai->ai_family, ai->ai_socktype,
-                            ai->ai_protocol);
-                        if (sock < 0) {
-                               if ((errno != EINVAL) && (errno != EAFNOSUPPORT)) {
-+                               if ((errno != EINVAL) && (errno != EAFNOSUPPORT)
-+#ifdef EPFNOSUPPORT
-+                                   && (errno != EPFNOSUPPORT)
-+#endif 
-+                                   ) {
-                                        error("socket: %.100s", strerror(errno));
-                                        freeaddrinfo(aitop);
-                                        return -1;
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 55d07e0d6..36335f475 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -68,8 +68,8 @@ Index: b/ssh_config.5
 If set to
 .Dq yes ,
 passphrase/password querying will be disabled.
-+In addition, the 
+In addition, the
-+.Cm ServerAliveInterval 
+.Cm ServerAliveInterval
 +option will be set to 300 seconds by default.
 This option is useful in scripts and other batch jobs where no user
 -is present to supply the password.
@@ -78,7 +78,7 @@ Index: b/ssh_config.5
 The argument must be
 .Dq yes
 or
-@@ -967,8 +971,15 @@
+@@ -963,8 +967,15 @@
 will send a message through the encrypted
 channel to request a response from the server.
 The default
@@ -95,7 +95,7 @@ Index: b/ssh_config.5
 .It Cm StrictHostKeyChecking
 If this flag is set to
 .Dq yes ,
-@@ -1007,6 +1018,12 @@
+@@ -1003,6 +1014,12 @@
 other side.
 If they are sent, death of the connection or crash of one
 of the machines will be properly noticed.
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch
index 5949e3b94..955d38b50 100644
--- a/debian/patches/lintian-symlink-pickiness.patch
+++ b/debian/patches/lintian-symlink-pickiness.patch
@@ -9,7 +9,7 @@ Index: b/Makefile.in
 ===================================================================
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -295,9 +295,9 @@
+@@ -294,9 +294,9 @@
        $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
        $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
        -rm -f $(DESTDIR)$(bindir)/slogin
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index 0898c6ed3..dea370a1b 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -45,7 +45,7 @@ Index: b/ssh-keygen.1
 .Pp
 Normally this program generates the key and asks for a file in which
 to store the private key.
-@@ -368,9 +366,7 @@
+@@ -367,9 +365,7 @@
 .It Fl q
 Silence
 .Nm ssh-keygen .
@@ -60,7 +60,7 @@ Index: b/ssh.1
 ===================================================================
 --- a/ssh.1
 +++ b/ssh.1
-@@ -759,6 +759,10 @@
+@@ -762,6 +762,10 @@
 .Sx HISTORY
 section of
 .Xr ssl 8
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index b1162bfec..f45cc6968 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -38,7 +38,7 @@ Index: b/version.h
 --- a/version.h
 +++ b/version.h
 @@ -3,4 +3,9 @@
- #define SSH_VERSION    "OpenSSH_5.4"
+ #define SSH_VERSION    "OpenSSH_5.5"
 
 #define SSH_PORTABLE   "p1"
 -#define SSH_RELEASE    SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index 572a6e67c..96a26cf7e 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -16,7 +16,7 @@ Index: b/clientloop.c
 ===================================================================
 --- a/clientloop.c
 +++ b/clientloop.c
-@@ -1529,8 +1529,10 @@
+@@ -1530,8 +1530,10 @@
                exit_status = 0;
        }
 
diff --git a/debian/patches/selinux-fix-chroot-directory.patch b/debian/patches/selinux-fix-chroot-directory.patch
deleted file mode 100644
index 03942392b..000000000
--- a/debian/patches/selinux-fix-chroot-directory.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-Description: Make ChrootDirectory work with SELinux
- After chroot() is called the SE Linux context setting won't work unless
- /selinux and /proc are mounted in the chroot environment.  Even worse, if
- the user has control over the chroot environment then they may be able to
- control the context that they get (I haven't verified this).
-Author: Russell Coker <russell@coker.com.au>
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1726
-Bug-Debian: http://bugs.debian.org/556644
-Last-Update: 2010-03-01
-Index: b/session.c
-===================================================================
--- a/session.c
-+++ b/session.c
-@@ -1551,6 +1551,10 @@
-                }
- #endif /* HAVE_SETPCRED */
- 
-+#ifdef WITH_SELINUX
-+               ssh_selinux_setup_exec_context(pw->pw_name);
-+#endif
-+
-                if (options.chroot_directory != NULL &&
-                    strcasecmp(options.chroot_directory, "none") != 0) {
-                         tmp = tilde_expand_filename(options.chroot_directory,
-@@ -1575,10 +1579,6 @@
- 
-        if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
-                fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
-
-#ifdef WITH_SELINUX
-       ssh_selinux_setup_exec_context(pw->pw_name);
-#endif
- }
- 
- static void
diff --git a/debian/patches/series b/debian/patches/series
index a75b0a0f5..699dbaa98 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,7 +6,6 @@ gssapi-dump.patch
 # SELinux
 selinux-role.patch
-selinux-fix-chroot-directory.patch
 # Key blacklisting
 ssh-vulnkey.patch
@@ -21,12 +20,9 @@ quieter-signals.patch
 helpful-wait-terminate.patch
 # Miscellaneous bug fixes
-gnome-ssh-askpass2-link.patch
 user-group-modes.patch
-hurd-epfnosupport.patch
 scp-quoting.patch
 shell-path.patch
-ssh-copy-id-status-check.patch
 ssh-copy-id-trailing-colons.patch
 dnssec-sshfp.patch
@@ -41,7 +37,6 @@ lintian-symlink-pickiness.patch
 # Documentation
 openbsd-docs.patch
 ssh-argv0.patch
-doc-connection-sharing.patch
 doc-hash-tab-completion.patch
 # Debian-specific configuration
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 7caeff704..851687dfd 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -11,7 +11,7 @@ Index: b/ssh.1
 ===================================================================
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1427,6 +1427,7 @@
+@@ -1430,6 +1430,7 @@
 .Xr sftp 1 ,
 .Xr ssh-add 1 ,
 .Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-copy-id-status-check.patch b/debian/patches/ssh-copy-id-status-check.patch
deleted file mode 100644
index efc76d0fc..000000000
--- a/debian/patches/ssh-copy-id-status-check.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Description: ssh-copy-id: Check exit status of 'ssh-add -L'
- This fixes behaviour when an agent is running with no identities loaded.
-Author: Adeodato Simó <asp16@alu.ua.es>
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1723
-Bug-Debian: http://bugs.debian.org/221675
-Last-Update: 2010-03-01
-Index: b/contrib/ssh-copy-id
-===================================================================
--- a/contrib/ssh-copy-id
-+++ b/contrib/ssh-copy-id
-@@ -19,7 +19,7 @@
-     shift         # and this should leave $1 as the target name
-   fi
- else
-  if [ x$SSH_AUTH_SOCK != x ] ; then
-+  if [ x$SSH_AUTH_SOCK != x ] && ssh-add -L >/dev/null 2>&1; then
-     GET_ID="$GET_ID ssh-add -L"
-   fi
- fi
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch
index 73a30186b..af56dc031 100644
--- a/debian/patches/ssh-vulnkey.patch
+++ b/debian/patches/ssh-vulnkey.patch
@@ -62,15 +62,15 @@ Index: b/Makefile.in
 # test driver for the loginrec code - not built by default
 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
        $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
-@@ -269,6 +274,7 @@
+@@ -268,6 +273,7 @@
-        $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper $(DESTDIR)$(SSH_PKCS11_HELPER)
+        $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
-        $(INSTALL) -m 0755 $(STRIP_OPT) sftp $(DESTDIR)$(bindir)/sftp
+        $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
-        $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server $(DESTDIR)$(SFTP_SERVER)
+        $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-+       $(INSTALL) -m 0755 $(STRIP_OPT) ssh-vulnkey $(DESTDIR)$(bindir)/ssh-vulnkey
+       $(INSTALL) -m 0755 $(STRIP_OPT) ssh-vulnkey$(EXEEXT) $(DESTDIR)$(bindir)/ssh-vulnkey$(EXEEXT)
        $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
        $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
        $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-@@ -286,6 +292,7 @@
+@@ -285,6 +291,7 @@
        $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
        $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
        $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@@ -78,7 +78,7 @@ Index: b/Makefile.in
        -rm -f $(DESTDIR)$(bindir)/slogin
        ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
-@@ -367,6 +374,7 @@
+@@ -366,6 +373,7 @@
        -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
        -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
        -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
@@ -86,7 +86,7 @@ Index: b/Makefile.in
        -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
        -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
        -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-@@ -380,6 +388,7 @@
+@@ -379,6 +387,7 @@
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
@@ -198,7 +198,7 @@ Index: b/auth2-pubkey.c
 ===================================================================
 --- a/auth2-pubkey.c
 +++ b/auth2-pubkey.c
-@@ -325,9 +325,10 @@
+@@ -328,9 +328,10 @@
        int success;
        char *file;
 
@@ -498,7 +498,7 @@ Index: b/servconf.c
        { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
        { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
        { "uselogin", sUseLogin, SSHCFG_GLOBAL },
-@@ -1010,6 +1014,10 @@
+@@ -1009,6 +1013,10 @@
                intptr = &options->tcp_keep_alive;
                goto parse_flag;
 
@@ -509,7 +509,7 @@ Index: b/servconf.c
        case sEmptyPasswd:
                intptr = &options->permit_empty_passwd;
                goto parse_flag;
-@@ -1688,6 +1696,7 @@
+@@ -1697,6 +1705,7 @@
        dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
        dump_cfg_fmtint(sStrictModes, o->strict_modes);
        dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
@@ -584,7 +584,7 @@ Index: b/ssh-keygen.1
 ===================================================================
 --- a/ssh-keygen.1
 +++ b/ssh-keygen.1
-@@ -629,6 +629,7 @@
+@@ -628,6 +628,7 @@
 .Xr ssh 1 ,
 .Xr ssh-add 1 ,
 .Xr ssh-agent 1 ,
@@ -1236,7 +1236,7 @@ Index: b/ssh.1
 ===================================================================
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1423,6 +1423,7 @@
+@@ -1426,6 +1426,7 @@
 .Xr ssh-agent 1 ,
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
@@ -1284,7 +1284,7 @@ Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1055,6 +1055,23 @@
+@@ -1051,6 +1051,23 @@
 .Dq any .
 The default is
 .Dq any:any .
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch
index ccd9a668e..7682c0761 100644
--- a/debian/patches/ssh1-keepalive.patch
+++ b/debian/patches/ssh1-keepalive.patch
@@ -52,7 +52,7 @@ Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -956,7 +956,10 @@
+@@ -952,7 +952,10 @@
 .Cm ServerAliveCountMax
 is left at the default, if the server becomes unresponsive,
 ssh will disconnect after approximately 45 seconds.
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 22cb3084a..4d7ebe566 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -60,7 +60,7 @@ Index: b/ssh.1
 ===================================================================
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1321,6 +1321,8 @@
+@@ -1324,6 +1324,8 @@
 .Xr ssh_config 5 .
 Because of the potential for abuse, this file must have strict permissions:
 read/write for the user, and not accessible by others.
@@ -73,7 +73,7 @@ Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1208,6 +1208,8 @@
+@@ -1204,6 +1204,8 @@
 This file is used by the SSH client.
 Because of the potential for abuse, this file must have strict permissions:
 read/write for the user, and not accessible by others.
diff --git a/defines.h b/defines.h
index c9b93bf71..fe25170e6 100644
--- a/defines.h
+++ b/defines.h
@@ -25,7 +25,7 @@
 #ifndef _DEFINES_H
 #define _DEFINES_H
-/* $Id: defines.h,v 1.159 2010/01/13 23:44:34 tim Exp $ */
+/* $Id: defines.h,v 1.160 2010/04/09 08:13:27 dtucker Exp $ */
 /* Constants */
@@ -674,7 +674,7 @@ struct winsize {
 #else
 /* Simply select your favourite login types. */
 /* Can't do if-else because some systems use several... <sigh> */
-#  if defined(UTMPX_FILE) && !defined(DISABLE_UTMPX)
+#  if !defined(DISABLE_UTMPX)
 #    define USE_UTMPX
 #  endif
 #  if defined(UTMP_FILE) && !defined(DISABLE_UTMP)
diff --git a/key.c b/key.c
index f67a799c1..768c55549 100644
--- a/key.c
+++ b/key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: key.c,v 1.85 2010/03/04 01:44:57 djm Exp $ */
+/* $OpenBSD: key.c,v 1.86 2010/03/15 19:40:02 stevesk Exp $ */
 /*
 * read_bignum():
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -802,6 +802,19 @@ key_type(const Key *k)
 }
 const char *
+key_cert_type(const Key *k)
+{
+        switch (k->cert->type) {
+        case SSH2_CERT_TYPE_USER:
+                return "user";
+        case SSH2_CERT_TYPE_HOST:
+                return "host";
+        default:
+                return "unknown";
+        }
+}
+const char *
 key_ssh_name(const Key *k)
 {
        switch (k->type) {
diff --git a/key.h b/key.h
index aaf4b56bd..69254cf12 100644
--- a/key.h
+++ b/key.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: key.h,v 1.28 2010/02/26 20:29:54 djm Exp $ */
+/* $OpenBSD: key.h,v 1.29 2010/03/15 19:40:02 stevesk Exp $ */
 /*
 * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -83,6 +83,7 @@ int		 key_equal(const Key *, const Key *);
 char            *key_fingerprint(Key *, enum fp_type, enum fp_rep);
 u_char          *key_fingerprint_raw(Key *, enum fp_type, u_int *);
 const char      *key_type(const Key *);
+const char      *key_cert_type(const Key *);
 int              key_write(const Key *, FILE *);
 int              key_read(Key *, char **);
 u_int            key_size(const Key *);
diff --git a/loginrec.c b/loginrec.c
index bca959707..6f655cb16 100644
--- a/loginrec.c
+++ b/loginrec.c
@@ -207,6 +207,7 @@ int syslogin_write_entry(struct logininfo *li);
 int getlast_entry(struct logininfo *li);
 int lastlog_get_entry(struct logininfo *li);
+int utmpx_get_entry(struct logininfo *li);
 int wtmp_get_entry(struct logininfo *li);
 int wtmpx_get_entry(struct logininfo *li);
@@ -508,6 +509,10 @@ getlast_entry(struct logininfo *li)
 #ifdef USE_LASTLOG
        return(lastlog_get_entry(li));
 #else /* !USE_LASTLOG */
+#if defined(USE_UTMPX) && defined(HAVE_SETUTXDB) && \
+    defined(UTXDB_LASTLOGIN) && defined(HAVE_GETUTXUSER)
+        return (utmpx_get_entry(li));
+#endif
 #if defined(DISABLE_LASTLOG)
        /* On some systems we shouldn't even try to obtain last login
@@ -1608,6 +1613,32 @@ lastlog_get_entry(struct logininfo *li)
 #endif /* HAVE_GETLASTLOGXBYNAME */
 #endif /* USE_LASTLOG */
+#if defined(USE_UTMPX) && defined(HAVE_SETUTXDB) && \
+    defined(UTXDB_LASTLOGIN) && defined(HAVE_GETUTXUSER)
+int
+utmpx_get_entry(struct logininfo *li)
+{
+        struct utmpx *utx;
+        if (setutxdb(UTXDB_LASTLOGIN, NULL) != 0)
+                return (0);
+        utx = getutxuser(li->username);
+        if (utx == NULL) {
+                endutxent();
+                return (0);
+        }
+        line_fullname(li->line, utx->ut_line,
+            MIN_SIZEOF(li->line, utx->ut_line));
+        strlcpy(li->hostname, utx->ut_host,
+            MIN_SIZEOF(li->hostname, utx->ut_host));
+        li->tv_sec = utx->ut_tv.tv_sec;
+        li->tv_usec = utx->ut_tv.tv_usec;
+        endutxent();
+        return (1);
+}
+#endif /* USE_UTMPX && HAVE_SETUTXDB && UTXDB_LASTLOGIN && HAVE_GETUTXUSER */
 #ifdef USE_BTMP
  /*
   * Logs failed login attempts in _PATH_BTMP if that exists.
diff --git a/logintest.c b/logintest.c
index 7e9fbbfbb..4897ae0f9 100644
--- a/logintest.c
+++ b/logintest.c
@@ -264,7 +264,7 @@ showOptions(void)
        printf("\tUSE_UTMP (UTMP_FILE=%s)\n", UTMP_FILE);
 #endif
 #ifdef USE_UTMPX
-        printf("\tUSE_UTMPX (UTMPX_FILE=%s)\n", UTMPX_FILE);
+        printf("\tUSE_UTMPX\n");
 #endif
 #ifdef USE_WTMP
        printf("\tUSE_WTMP (WTMP_FILE=%s)\n", WTMP_FILE);
diff --git a/moduli.0 b/moduli.0
index 63e6f9eb1..e3fea22a9 100644
--- a/moduli.0
+++ b/moduli.0
@@ -69,4 +69,4 @@ SEE ALSO
     Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer
     Protocol, RFC 4419, 2006.
-OpenBSD 4.6                      June 26, 2008                               2
+OpenBSD 4.7                      June 26, 2008                               2
diff --git a/openbsd-compat/bsd-arc4random.c b/openbsd-compat/bsd-arc4random.c
index 9d4c8690e..d7c586253 100644
--- a/openbsd-compat/bsd-arc4random.c
+++ b/openbsd-compat/bsd-arc4random.c
@@ -84,7 +84,7 @@ arc4random_stir(void)
 }
 #endif /* !HAVE_ARC4RANDOM */
-#ifndef ARC4RANDOM_BUF
+#ifndef HAVE_ARC4RANDOM_BUF
 void
 arc4random_buf(void *_buf, size_t n)
 {
@@ -102,7 +102,7 @@ arc4random_buf(void *_buf, size_t n)
 }
 #endif /* !HAVE_ARC4RANDOM_BUF */
-#ifndef ARC4RANDOM_UNIFORM
+#ifndef HAVE_ARC4RANDOM_UNIFORM
 /*
 * Calculate a uniformly distributed random number less than upper_bound
 * avoiding "modulo bias".
diff --git a/scp.0 b/scp.0
index 74dcf81da..fc9f75594 100644
--- a/scp.0
+++ b/scp.0
@@ -145,4 +145,4 @@ AUTHORS
     Timo Rinne <tri@iki.fi>
     Tatu Ylonen <ylo@cs.hut.fi>
-OpenBSD 4.6                    February 8, 2010                              3
+OpenBSD 4.7                    February 8, 2010                              3
diff --git a/servconf.c b/servconf.c
index 62417def7..d42dd527b 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.204 2010/03/04 10:36:03 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.207 2010/03/25 23:38:28 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
@@ -500,15 +500,14 @@ parse_token(const char *cp, const char *filename,
 char *
 derelativise_path(const char *path)
 {
-        char *expanded, *ret, *cwd;
+        char *expanded, *ret, cwd[MAXPATHLEN];
        expanded = tilde_expand_filename(path, getuid());
        if (*expanded == '/')
                return expanded;
-        if ((cwd = getcwd(NULL, 0)) == NULL)
+        if (getcwd(cwd, sizeof(cwd)) == NULL)
                fatal("%s: getcwd: %s", __func__, strerror(errno));
        xasprintf(&ret, "%s/%s", cwd, expanded);
-        xfree(cwd);
        xfree(expanded);
        return ret;
 }
@@ -1269,7 +1268,17 @@ process_server_config_line(ServerOptions *options, char *line,
                charptr = (opcode == sAuthorizedKeysFile) ?
                    &options->authorized_keys_file :
                    &options->authorized_keys_file2;
-                goto parse_filename;
+                arg = strdelim(&cp);
+                if (!arg || *arg == '\0')
+                        fatal("%s line %d: missing file name.",
+                            filename, linenum);
+                if (*activep && *charptr == NULL) {
+                        *charptr = tilde_expand_filename(arg, getuid());
+                        /* increase optional counter */
+                        if (intptr != NULL)
+                                *intptr = *intptr + 1;
+                }
+                break;
        case sClientAliveInterval:
                intptr = &options->client_alive_interval;
diff --git a/sftp-server.0 b/sftp-server.0
index 6628dcfca..0c2654c8d 100644
--- a/sftp-server.0
+++ b/sftp-server.0
@@ -60,4 +60,4 @@ HISTORY
 AUTHORS
     Markus Friedl <markus@openbsd.org>
-OpenBSD 4.6                     January 9, 2010                              1
+OpenBSD 4.7                     January 9, 2010                              1
diff --git a/sftp.0 b/sftp.0
index cb1bb033e..488548a6e 100644
--- a/sftp.0
+++ b/sftp.0
@@ -316,4 +316,4 @@ SEE ALSO
     T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
     filexfer-00.txt, January 2001, work in progress material.
-OpenBSD 4.6                    February 8, 2010                              5
+OpenBSD 4.7                    February 8, 2010                              5
diff --git a/ssh-add.0 b/ssh-add.0
index 8fbd1e100..0d49c5ea3 100644
--- a/ssh-add.0
+++ b/ssh-add.0
@@ -106,4 +106,4 @@ AUTHORS
     ated OpenSSH.  Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.
-OpenBSD 4.6                      March 5, 2010                               2
+OpenBSD 4.7                      March 5, 2010                               2
diff --git a/ssh-agent.0 b/ssh-agent.0
index c178dcd01..536eac756 100644
--- a/ssh-agent.0
+++ b/ssh-agent.0
@@ -115,4 +115,4 @@ AUTHORS
     ated OpenSSH.  Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.
-OpenBSD 4.6                    January 17, 2010                              2
+OpenBSD 4.7                    January 17, 2010                              2
diff --git a/ssh-keygen.0 b/ssh-keygen.0
index c9877300e..aed4a14ad 100644
--- a/ssh-keygen.0
+++ b/ssh-keygen.0
@@ -165,8 +165,14 @@ DESCRIPTION
             section for details.  The constraints that are valid for user
             certificates are:
-             no-x11-forwarding
+             clear   Clear all enabled permissions.  This is useful for clear-
-                     Disable X11 forwarding (permitted by default).
+                     ing the default set of permissions so permissions may be
+                     added individually.
+             force-command=command
+                     Forces the execution of command instead of any shell or
+                     command specified by the user when the certificate is
+                     used for authentication.
             no-agent-forwarding
                     Disable ssh-agent(1) forwarding (permitted by default).
@@ -180,12 +186,8 @@ DESCRIPTION
                     Disable execution of ~/.ssh/rc by sshd(8) (permitted by
                     default).
-             clear   Clear all enabled permissions.  This is useful for clear-
+             no-x11-forwarding
-                     ing the default set of permissions so permissions may be
+                     Disable X11 forwarding (permitted by default).
-                     added individually.
-             permit-x11-forwarding
-                     Allows X11 forwarding.
             permit-agent-forwarding
                     Allows ssh-agent(1) forwarding.
@@ -199,16 +201,14 @@ DESCRIPTION
             permit-user-rc
                     Allows execution of ~/.ssh/rc by sshd(8).
-             force-command=command
+             permit-x11-forwarding
-                     Forces the execution of command instead of any shell or
+                     Allows X11 forwarding.
-                     command specified by the user when the certificate is
-                     used for authentication.
             source-address=address_list
                     Restrict the source addresses from which the certificate
-                     is considered valid from.  The address_list is a comma-
+                     is considered valid.  The address_list is a comma-sepa-
-                     separated list of one or more address/netmask pairs in
+                     rated list of one or more address/netmask pairs in CIDR
-                     CIDR format.
+                     format.
             At present, no constraints are valid for host keys.
@@ -257,9 +257,9 @@ DESCRIPTION
             in YYYYMMDD format, a time in YYYYMMDDHHMMSS format or a relative
             time (to the current time) consisting of a minus sign followed by
             a relative time in the format described in the TIME FORMATS sec-
-             tion of ssh_config(5).  The end time may be specified as a YYYYM-
+             tion of sshd_config(5).  The end time may be specified as a
-             MDD date, a YYYYMMDDHHMMSS time or a relative time starting with
+             YYYYMMDD date, a YYYYMMDDHHMMSS time or a relative time starting
-             a plus character.
+             with a plus character.
             For example: ``+52w1d'' (valid from now to 52 weeks and one day
             from now), ``-4w:+4w'' (valid from four weeks ago to four weeks
@@ -329,12 +329,12 @@ CERTIFICATES
           $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
-     The resultant certificate will be placed in /path/to/user_key_cert.pub.
+     The resultant certificate will be placed in /path/to/user_key-cert.pub.
     A host certificate requires the -h option:
           $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
-     The host certificate will be output to /path/to/host_key_cert.pub.  In
+     The host certificate will be output to /path/to/host_key-cert.pub.  In
     both cases, key_id is a "key identifier" that is logged by the server
     when the certificate is used for authentication.
@@ -344,7 +344,7 @@ CERTIFICATES
     pals:
           $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
-           $ ssh-keygen -s ca_key -I key_id -h -n host.domain $0
+           $ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub
     Additional limitations on the validity and use of user certificates may
     be specified through certificate constraints.  A constrained certificate
@@ -431,4 +431,4 @@ AUTHORS
     created OpenSSH.  Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.
-OpenBSD 4.6                      March 8, 2010                               7
+OpenBSD 4.7                     March 13, 2010                               7
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 9dec5a098..64638aa9c 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.88 2010/03/08 00:28:55 djm Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.92 2010/03/13 23:38:13 jmc Exp $
 .\"
 .\"  -*- nroff -*-
 .\"
@@ -37,7 +37,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 8 2010 $
+.Dd $Mdocdate: March 13 2010 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -305,8 +305,15 @@ Please see the
 section for details.
 The constraints that are valid for user certificates are:
 .Bl -tag -width Ds
-.It Ic no-x11-forwarding
+.It Ic clear
-Disable X11 forwarding (permitted by default).
+Clear all enabled permissions.
+This is useful for clearing the default set of permissions so permissions may
+be added individually.
+.It Ic force-command Ns = Ns Ar command
+Forces the execution of
+.Ar command
+instead of any shell or command specified by the user when
+the certificate is used for authentication.
 .It Ic no-agent-forwarding
 Disable
 .Xr ssh-agent 1
@@ -321,12 +328,8 @@ Disable execution of
 by
 .Xr sshd 8
 (permitted by default).
-.It Ic clear
+.It Ic no-x11-forwarding
-Clear all enabled permissions.
+Disable X11 forwarding (permitted by default).
-This is useful for clearing the default set of permissions so permissions may
-be added individually.
-.It Ic permit-x11-forwarding
-Allows X11 forwarding.
 .It Ic permit-agent-forwarding
 Allows
 .Xr ssh-agent 1
@@ -340,14 +343,10 @@ Allows execution of
 .Pa ~/.ssh/rc
 by
 .Xr sshd 8 .
-.It Ic force-command=command
+.It Ic permit-x11-forwarding
-Forces the execution of
+Allows X11 forwarding.
-.Ar command
+.It Ic source-address Ns = Ns Ar address_list
-instead of any shell or command specified by the user when
+Restrict the source addresses from which the certificate is considered valid.
-the certificate is used for authentication.
-.It Ic source-address=address_list
-Restrict the source addresses from which the certificate is considered valid
-from.
 The
 .Ar address_list
 is a comma-separated list of one or more address/netmask pairs in CIDR
@@ -410,7 +409,7 @@ in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting
 of a minus sign followed by a relative time in the format described in the
 .Sx TIME FORMATS
 section of
-.Xr ssh_config 5 .
+.Xr sshd_config 5 .
 The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or
 a relative time starting with a plus character.
 .Pp
@@ -515,7 +514,7 @@ To generate a user certificate:
 .Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
 .Pp
 The resultant certificate will be placed in
-.Pa /path/to/user_key_cert.pub .
+.Pa /path/to/user_key-cert.pub .
 A host certificate requires the
 .Fl h
 option:
@@ -523,7 +522,7 @@ option:
 .Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
 .Pp
 The host certificate will be output to
-.Pa /path/to/host_key_cert.pub .
+.Pa /path/to/host_key-cert.pub .
 In both cases,
 .Ar key_id
 is a "key identifier" that is logged by the server when the certificate
@@ -535,7 +534,7 @@ By default, generated certificates are valid for all users or hosts.
 To generate a certificate for a specified set of principals:
 .Pp
 .Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
-.Dl $ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub
+.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub"
 .Pp
 Additional limitations on the validity and use of user certificates may
 be specified through certificate constraints.
diff --git a/ssh-keygen.c b/ssh-keygen.c
index dd662c907..37e516ff2 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.184 2010/03/07 22:16:01 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.185 2010/03/15 19:40:02 stevesk Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1393,7 +1393,8 @@ do_show_cert(struct passwd *pw)
            SSH_FP_MD5, SSH_FP_HEX);
        printf("%s:\n", identity_file);
-        printf("        %s certificate %s\n", key_type(key), key_fp);
+        printf("        %s %s certificate %s\n", key_type(key),
+            key_cert_type(key), key_fp);
        printf("        Signed by %s CA %s\n",
            key_type(key->cert->signature_key), ca_fp);
        printf("        Key ID \"%s\"\n", key->cert->key_id);
diff --git a/ssh-keyscan.0 b/ssh-keyscan.0
index 1100a69b6..8a0ef60e4 100644
--- a/ssh-keyscan.0
+++ b/ssh-keyscan.0
@@ -104,4 +104,4 @@ BUGS
     This is because it opens a connection to the ssh port, reads the public
     key, and drops the connection as soon as it gets the key.
-OpenBSD 4.6                     January 9, 2010                              2
+OpenBSD 4.7                     January 9, 2010                              2
diff --git a/ssh-keysign.0 b/ssh-keysign.0
index ab15e88bc..20a8eaa87 100644
--- a/ssh-keysign.0
+++ b/ssh-keysign.0
@@ -39,4 +39,4 @@ HISTORY
 AUTHORS
     Markus Friedl <markus@openbsd.org>
-OpenBSD 4.6                      May 31, 2007                                1
+OpenBSD 4.7                      May 31, 2007                                1
diff --git a/ssh-pkcs11-helper.0 b/ssh-pkcs11-helper.0
index 2760cad94..9eb2bc96a 100644
--- a/ssh-pkcs11-helper.0
+++ b/ssh-pkcs11-helper.0
@@ -22,4 +22,4 @@ HISTORY
 AUTHORS
     Markus Friedl <markus@openbsd.org>
-OpenBSD 4.6                    February 10, 2010                             1
+OpenBSD 4.7                    February 10, 2010                             1
diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c
index d3bfb9838..8e3f57ace 100644
--- a/ssh-pkcs11-helper.c
+++ b/ssh-pkcs11-helper.c
@@ -17,8 +17,6 @@
 #include "includes.h"
-#ifdef ENABLE_PKCS11
 #include <sys/types.h>
 #ifdef HAVE_SYS_TIME_H
 # include <sys/time.h>
@@ -39,6 +37,8 @@
 #include "authfd.h"
 #include "ssh-pkcs11.h"
+#ifdef ENABLE_PKCS11
 /* borrows code from sftp-server and ssh-agent */
 struct pkcs11_keyinfo {
diff --git a/ssh-rand-helper.0 b/ssh-rand-helper.0
index 72bfcdf64..51b6f5571 100644
--- a/ssh-rand-helper.0
+++ b/ssh-rand-helper.0
@@ -48,4 +48,4 @@ AUTHORS
 SEE ALSO
     ssh(1), ssh-add(1), ssh-keygen(1), sshd(8)
-OpenBSD 4.6                     April 14, 2002                               1
+OpenBSD 4.7                     April 14, 2002                               1
diff --git a/ssh.0 b/ssh.0
index deab90e73..9c793b843 100644
--- a/ssh.0
+++ b/ssh.0
@@ -308,9 +308,10 @@ DESCRIPTION
             allocated on the server and reported to the client at run time.
     -S ctl_path
-             Specifies the location of a control socket for connection shar-
+             Specifies the location of a control socket for connection sharing
-             ing.  Refer to the description of ControlPath and ControlMaster
+             or the string ``none'' to disable connection sharing.  Refer to
-             in ssh_config(5) for details.
+             the description of ControlPath and ControlMaster in ssh_config(5)
+             for details.
     -s      May be used to request invocation of a subsystem on the remote
             system.  Subsystems are a feature of the SSH2 protocol which fa-
@@ -876,4 +877,4 @@ AUTHORS
     created OpenSSH.  Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.
-OpenBSD 4.6                      March 5, 2010                              14
+OpenBSD 4.7                     March 26, 2010                              14
diff --git a/ssh.1 b/ssh.1
index 7426c7180..1581be52f 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.302 2010/03/05 10:28:21 djm Exp $
+.\" $OpenBSD: ssh.1,v 1.303 2010/03/26 00:26:58 djm Exp $
-.Dd $Mdocdate: March 5 2010 $
+.Dd $Mdocdate: March 26 2010 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -558,7 +558,7 @@ argument is
 the listen port will be dynamically allocated on the server and reported
 to the client at run time.
 .It Fl S Ar ctl_path
-Specifies the location of a control socket for connection sharing,
+Specifies the location of a control socket for connection sharing
 or the string
 .Dq none
 to disable connection sharing.
diff --git a/ssh_config.0 b/ssh_config.0
index 48969a22a..1a2c64ce1 100644
--- a/ssh_config.0
+++ b/ssh_config.0
@@ -425,8 +425,8 @@ DESCRIPTION
             Specifies the order in which the client should try protocol 2 au-
             thentication methods.  This allows a client to prefer one method
             (e.g. keyboard-interactive) over another method (e.g. password)
-             The default for this option is: ``gssapi-with-mic,hostbased,
+             The default for this option is: ``gssapi-with-
-             publickey, keyboard-interactive, password''.
+             mic,hostbased,publickey,keyboard-interactive,password''.
     Protocol
             Specifies the protocol versions ssh(1) should support in order of
@@ -673,4 +673,4 @@ AUTHORS
     ated OpenSSH.  Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.
-OpenBSD 4.6                      March 5, 2010                              11
+OpenBSD 4.7                     March 26, 2010                              11
diff --git a/ssh_config.5 b/ssh_config.5
index 91c0e1bb0..45496cfbc 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.129 2010/03/05 10:28:21 djm Exp $
+.\" $OpenBSD: ssh_config.5,v 1.130 2010/03/26 01:06:13 dtucker Exp $
-.Dd $Mdocdate: March 5 2010 $
+.Dd $Mdocdate: March 26 2010 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -144,8 +144,8 @@ Valid arguments are
 If set to
 .Dq yes ,
 passphrase/password querying will be disabled.
-In addition, the 
+In addition, the
-.Cm ServerAliveInterval 
+.Cm ServerAliveInterval
 option will be set to 300 seconds by default.
 This option is useful in scripts and other batch jobs where no user
 is present to supply the password,
@@ -785,11 +785,7 @@ This allows a client to prefer one method (e.g.\&
 over another method (e.g.\&
 .Cm password )
 The default for this option is:
-.Do gssapi-with-mic ,
+.Do gssapi-with-mic,hostbased,publickey,keyboard-interactive,password
-hostbased,
-publickey,
-keyboard-interactive,
-password
 .Dc .
 .It Cm Protocol
 Specifies the protocol versions
diff --git a/sshd.0 b/sshd.0
index 34eaafc92..30bf6dede 100644
--- a/sshd.0
+++ b/sshd.0
@@ -614,4 +614,4 @@ CAVEATS
     System security is not improved unless rshd, rlogind, and rexecd are dis-
     abled (thus completely disabling rlogin and rsh into the machine).
-OpenBSD 4.6                      March 5, 2010                              10
+OpenBSD 4.7                      March 5, 2010                              10
diff --git a/sshd_config.0 b/sshd_config.0
index a9162f18d..94935c07f 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -656,4 +656,4 @@ AUTHORS
     versions 1.5 and 2.0.  Niels Provos and Markus Friedl contributed support
     for privilege separation.
-OpenBSD 4.6                      March 4, 2010                              10
+OpenBSD 4.7                      March 4, 2010                              10
diff --git a/version.h b/version.h
index bda322e7f..54d82559a 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
-/* $OpenBSD: version.h,v 1.57 2010/03/07 22:01:32 djm Exp $ */
+/* $OpenBSD: version.h,v 1.58 2010/03/16 16:36:49 djm Exp $ */
-#define SSH_VERSION     "OpenSSH_5.4"
+#define SSH_VERSION     "OpenSSH_5.5"
 #define SSH_PORTABLE    "p1"
 #define SSH_RELEASE_MINIMUM     SSH_VERSION SSH_PORTABLE