19 files changed, 143 insertions, 61 deletions

diff --git a/ChangeLog b/ChangeLog
index b404849ca..997aa31d0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,32 @@
 20000606
+ - (djm) Fix rsh path in RPMs. Report from Jason L Tibbitts III 
+   <tibbs@math.uh.edu>
+ - (djm) OpenBSD CVS updates:
+  - todd@cvs.openbsd.org
+    [sshconnect2.c]
+    teach protocol v2 to count login failures properly and also enable an
+    explanation of why the password prompt comes up again like v1; this is NOT
+    crypto
+  - markus@cvs.openbsd.org  
+    [readconf.c readconf.h servconf.c servconf.h session.c ssh.1 ssh.c sshd.8]
+    xauth_location support; pr 1234
+    [readconf.c sshconnect2.c]
+    typo, unused
+    [session.c]
+    allow use_login only for login sessions, otherwise remote commands are
+    execed with uid==0
+    [sshd.8]
+    document UseLogin better
+    [version.h]
+    OpenSSH 2.1.1
+    [auth-rsa.c]
+    fix match_hostname() logic for auth-rsa: deny access if we have a 
+    negative match or no match at all
+    [channels.c hostfile.c match.c]
+    don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via 
+    kris@FreeBSD.org
+
+20000606
  - (djm) Added --with-cflags, --with-ldflags and --with-libs options to 
    configure.
 
diff --git a/auth-rsa.c b/auth-rsa.c
index 22e3f01f3..f01c5c920 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -16,7 +16,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: auth-rsa.c,v 1.19 2000/04/30 00:00:53 damien Exp $");
+RCSID("$Id: auth-rsa.c,v 1.20 2000/06/07 09:55:44 djm Exp $");
 
 #include "rsa.h"
 #include "packet.h"
@@ -133,6 +133,7 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
         unsigned long linenum = 0;
         struct stat st;
         RSA *pk;
+        int mname, mip;
 
         /* Temporarily use the user's uid. */
         temporarily_use_uid(pw->pw_uid);
@@ -390,10 +391,17 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
                                         }
                                         patterns[i] = 0;
                                         options++;
-                                        if (!match_hostname(get_canonical_hostname(), patterns,
-                                                     strlen(patterns)) &&
-                                            !match_hostname(get_remote_ipaddr(), patterns,
-                                                     strlen(patterns))) {
+                                        /*
+                                         * Deny access if we get a negative
+                                         * match for the hostname or the ip
+                                         * or if we get not match at all
+                                         */
+                                        mname = match_hostname(get_canonical_hostname(),
+                                            patterns, strlen(patterns));
+                                        mip = match_hostname(get_remote_ipaddr(),
+                                            patterns, strlen(patterns));
+                                        if (mname == -1 || mip == -1 ||
+                                            (mname != 1 && mip != 1)) {
                                                 log("RSA authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).",
                                                     pw->pw_name, get_canonical_hostname(),
                                                     get_remote_ipaddr());
diff --git a/channels.c b/channels.c
index f26b3a65b..bfa025ad7 100644
--- a/channels.c
+++ b/channels.c
@@ -17,7 +17,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: channels.c,v 1.31 2000/05/17 12:34:23 damien Exp $");
+RCSID("$Id: channels.c,v 1.32 2000/06/07 09:55:44 djm Exp $");
 
 #include "ssh.h"
 #include "packet.h"
@@ -2113,11 +2113,11 @@ cleanup_socket(void)
 }
 
 /*
- * This if called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
+ * This is called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
  * This starts forwarding authentication requests.
  */
 
-void
+int
 auth_input_request_forwarding(struct passwd * pw)
 {
         int sock, newch;
@@ -2135,8 +2135,16 @@ auth_input_request_forwarding(struct passwd * pw)
         strlcpy(channel_forwarded_auth_socket_dir, "/tmp/ssh-XXXXXXXX", MAX_SOCKET_NAME);
 
         /* Create private directory for socket */
-        if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL)
-                packet_disconnect("mkdtemp: %.100s", strerror(errno));
+        if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL) {
+                packet_send_debug("Agent forwarding disabled: mkdtemp() failed: %.100s",
+                    strerror(errno));
+                restore_uid();
+                xfree(channel_forwarded_auth_socket_name);
+                xfree(channel_forwarded_auth_socket_dir);
+                channel_forwarded_auth_socket_name = NULL;
+                channel_forwarded_auth_socket_dir = NULL;
+                return 0;
+        }
         snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d",
                  channel_forwarded_auth_socket_dir, (int) getpid());
 
@@ -2171,6 +2179,7 @@ auth_input_request_forwarding(struct passwd * pw)
                                  xstrdup("auth socket"));
         strlcpy(channels[newch].path, channel_forwarded_auth_socket_name,
             sizeof(channels[newch].path));
+        return 1;
 }
 
 /* This is called to process an SSH_SMSG_AGENT_OPEN message. */
diff --git a/channels.h b/channels.h
index 9763edf8e..922c5d0ae 100644
--- a/channels.h
+++ b/channels.h
@@ -1,4 +1,4 @@
-/* RCSID("$Id: channels.h,v 1.9 2000/05/07 02:03:15 damien Exp $"); */
+/* RCSID("$Id: channels.h,v 1.10 2000/06/07 09:55:44 djm Exp $"); */
 
 #ifndef CHANNELS_H
 #define CHANNELS_H
@@ -222,10 +222,10 @@ void    auth_request_forwarding(void);
 char   *auth_get_socket_name(void);
 
 /*
- * This if called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
+ * This is called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
  * This starts forwarding authentication requests.
  */
-void    auth_input_request_forwarding(struct passwd * pw);
+int     auth_input_request_forwarding(struct passwd * pw);
 
 /* This is called to process an SSH_SMSG_AGENT_OPEN message. */
 void    auth_input_open_request(int type, int plen);
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec
index 8b1d0989f..ff12699f5 100644
--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -152,7 +152,8 @@ This package contains the GNOME passphrase dialog.
 
 CFLAGS="$RPM_OPT_FLAGS" \
         ./configure --prefix=/usr --sysconfdir=/etc/ssh \
-               --with-tcp-wrappers --with-ipv4-default
+               --with-tcp-wrappers --with-ipv4-default \
+                                        --with-rsh=/usr/bin/rsh
 
 make
 
diff --git a/hostfile.c b/hostfile.c
index bac285da5..f58e1d67d 100644
--- a/hostfile.c
+++ b/hostfile.c
@@ -14,7 +14,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: hostfile.c,v 1.18 2000/04/29 18:11:52 markus Exp $");
+RCSID("$OpenBSD: hostfile.c,v 1.19 2000/06/06 19:32:13 markus Exp $");
 
 #include "packet.h"
 #include "match.h"
@@ -129,7 +129,7 @@ check_host_in_hostfile(const char *filename, const char *host, Key *key, Key *fo
                         ;
 
                 /* Check if the host name matches. */
-                if (!match_hostname(host, cp, (unsigned int) (cp2 - cp)))
+                if (match_hostname(host, cp, (unsigned int) (cp2 - cp)) != 1)
                         continue;
 
                 /* Got a match.  Skip host name. */
diff --git a/match.c b/match.c
index ef9498599..1551ed574 100644
--- a/match.c
+++ b/match.c
@@ -14,7 +14,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: match.c,v 1.5 2000/04/16 01:18:43 damien Exp $");
+RCSID("$Id: match.c,v 1.6 2000/06/07 09:55:44 djm Exp $");
 
 #include "ssh.h"
 
@@ -84,8 +84,8 @@ match_pattern(const char *s, const char *pattern)
 /*
  * Tries to match the host name (which must be in all lowercase) against the
  * comma-separated sequence of subpatterns (each possibly preceded by ! to
- * indicate negation).  Returns true if there is a positive match; zero
- * otherwise.
+ * indicate negation).  Returns -1 if negation matches, 1 if there is
+ * a positive match, 0 if there is no match at all.
  */
 
 int
@@ -127,15 +127,15 @@ match_hostname(const char *host, const char *pattern, unsigned int len)
                 /* Try to match the subpattern against the host name. */
                 if (match_pattern(host, sub)) {
                         if (negated)
-                                return 0;       /* Fail */
+                                return -1;              /* Negative */
                         else
-                                got_positive = 1;
+                                got_positive = 1;       /* Positive */
                 }
         }
 
         /*
          * Return success if got a positive match.  If there was a negative
-         * match, we have already returned zero and never get here.
+         * match, we have already returned -1 and never get here.
          */
         return got_positive;
 }
diff --git a/match.h b/match.h
index 4625d9769..8eac0a502 100644
--- a/match.h
+++ b/match.h
@@ -10,8 +10,8 @@ int     match_pattern(const char *s, const char *pattern);
 /*
  * Tries to match the host name (which must be in all lowercase) against the
  * comma-separated sequence of subpatterns (each possibly preceded by ! to
- * indicate negation).  Returns true if there is a positive match; zero
- * otherwise.
+ * indicate negation).  Returns -1 if negation matches, 1 if there is
+ * a positive match, 0 if there is no match at all.
  */
 int     match_hostname(const char *host, const char *pattern, unsigned int len);
 
diff --git a/readconf.c b/readconf.c
index d7011d7f7..2751db345 100644
--- a/readconf.c
+++ b/readconf.c
@@ -14,7 +14,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: readconf.c,v 1.15 2000/05/30 03:44:53 damien Exp $");
+RCSID("$Id: readconf.c,v 1.16 2000/06/07 09:55:44 djm Exp $");
 
 #include "ssh.h"
 #include "cipher.h"
@@ -92,7 +92,7 @@ typedef enum {
         oBadOption,
         oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
         oPasswordAuthentication, oRSAAuthentication, oFallBackToRsh, oUseRsh,
-        oSkeyAuthentication,
+        oSkeyAuthentication, oXAuthLocation,
 #ifdef KRB4
         oKerberosAuthentication,
 #endif /* KRB4 */
@@ -116,6 +116,7 @@ static struct {
 } keywords[] = {
         { "forwardagent", oForwardAgent },
         { "forwardx11", oForwardX11 },
+        { "xauthlocation", oXAuthLocation },
         { "gatewayports", oGatewayPorts },
         { "useprivilegedport", oUsePrivilegedPort },
         { "rhostsauthentication", oRhostsAuthentication },
@@ -396,6 +397,10 @@ parse_flag:
                 }
                 break;
 
+        case oXAuthLocation:
+                charptr=&options->xauth_location;
+                goto parse_string;
+
         case oUser:
                 charptr = &options->user;
 parse_string:
@@ -644,6 +649,7 @@ initialize_options(Options * options)
         memset(options, 'X', sizeof(*options));
         options->forward_agent = -1;
         options->forward_x11 = -1;
+        options->xauth_location = NULL;
         options->gateway_ports = -1;
         options->use_privileged_port = -1;
         options->rhosts_authentication = -1;
@@ -700,6 +706,10 @@ fill_default_options(Options * options)
                 options->forward_agent = 0;
         if (options->forward_x11 == -1)
                 options->forward_x11 = 0;
+#ifdef XAUTH_PATH
+        if (options->xauth_location == NULL)
+                options->xauth_location = XAUTH_PATH;
+#endif /* XAUTH_PATH */
         if (options->gateway_ports == -1)
                 options->gateway_ports = 0;
         if (options->use_privileged_port == -1)
diff --git a/readconf.h b/readconf.h
index 3f0e44254..aeaf39a1c 100644
--- a/readconf.h
+++ b/readconf.h
@@ -13,7 +13,7 @@
  *
  */
 
-/* RCSID("$Id: readconf.h,v 1.11 2000/05/09 01:03:01 damien Exp $"); */
+/* RCSID("$Id: readconf.h,v 1.12 2000/06/07 09:55:44 djm Exp $"); */
 
 #ifndef READCONF_H
 #define READCONF_H
@@ -30,6 +30,7 @@ typedef struct {
 typedef struct {
         int     forward_agent;  /* Forward authentication agent. */
         int     forward_x11;    /* Forward X11 display. */
+        char   *xauth_location; /* Location for xauth program */
         int     gateway_ports;  /* Allow remote connects to forwarded ports. */
         int     use_privileged_port;    /* Don't use privileged port if false. */
         int     rhosts_authentication;  /* Try rhosts authentication. */
diff --git a/servconf.c b/servconf.c
index 1aa4fe06d..6583829e7 100644
--- a/servconf.c
+++ b/servconf.c
@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: servconf.c,v 1.17 2000/05/30 03:44:53 damien Exp $");
+RCSID("$Id: servconf.c,v 1.18 2000/06/07 09:55:44 djm Exp $");
 
 #include "ssh.h"
 #include "servconf.h"
@@ -44,6 +44,7 @@ initialize_server_options(ServerOptions *options)
         options->check_mail = -1;
         options->x11_forwarding = -1;
         options->x11_display_offset = -1;
+        options->xauth_location = NULL;
         options->strict_modes = -1;
         options->keepalives = -1;
         options->log_facility = (SyslogFacility) - 1;
@@ -109,6 +110,10 @@ fill_default_server_options(ServerOptions *options)
                 options->x11_forwarding = 0;
         if (options->x11_display_offset == -1)
                 options->x11_display_offset = 10;
+#ifdef XAUTH_PATH
+        if (options->xauth_location == NULL)
+                options->xauth_location = XAUTH_PATH;
+#endif /* XAUTH_PATH */
         if (options->strict_modes == -1)
                 options->strict_modes = 1;
         if (options->keepalives == -1)
@@ -177,7 +182,7 @@ typedef enum {
         sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
         sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
         sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile,
-        sGatewayPorts, sDSAAuthentication
+        sGatewayPorts, sDSAAuthentication, sXAuthLocation
 } ServerOpCodes;
 
 /* Textual representation of the tokens. */
@@ -219,6 +224,7 @@ static struct {
         { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
         { "x11forwarding", sX11Forwarding },
         { "x11displayoffset", sX11DisplayOffset },
+        { "xauthlocation", sXAuthLocation },
         { "strictmodes", sStrictModes },
         { "permitemptypasswords", sEmptyPasswd },
         { "uselogin", sUseLogin },
@@ -365,6 +371,7 @@ parse_int:
                 case sHostDSAKeyFile:
                         charptr = (opcode == sHostKeyFile ) ?
                             &options->host_key_file : &options->host_dsa_key_file;
+parse_filename:
                         cp = strtok(NULL, WHITESPACE);
                         if (!cp) {
                                 fprintf(stderr, "%s line %d: missing file name.\n",
@@ -377,15 +384,7 @@ parse_int:
 
                 case sPidFile:
                         charptr = &options->pid_file;
-                        cp = strtok(NULL, WHITESPACE);
-                        if (!cp) {
-                                fprintf(stderr, "%s line %d: missing file name.\n",
-                                    filename, linenum);
-                                exit(1);
-                        }
-                        if (*charptr == NULL)
-                                *charptr = tilde_expand_filename(cp, getuid());
-                        break;
+                        goto parse_filename;
 
                 case sRandomSeedFile:
                         fprintf(stderr, "%s line %d: \"randomseed\" option is obsolete.\n",
@@ -508,6 +507,10 @@ parse_flag:
                         intptr = &options->x11_display_offset;
                         goto parse_int;
 
+                case sXAuthLocation:
+                        charptr = &options->xauth_location;
+                        goto parse_filename;
+                        
                 case sStrictModes:
                         intptr = &options->strict_modes;
                         goto parse_flag;
diff --git a/servconf.h b/servconf.h
index 107438c05..5c6212f2d 100644
--- a/servconf.h
+++ b/servconf.h
@@ -13,7 +13,7 @@
  *
  */
 
-/* RCSID("$Id: servconf.h,v 1.11 2000/05/07 02:03:18 damien Exp $"); */
+/* RCSID("$Id: servconf.h,v 1.12 2000/06/07 09:55:44 djm Exp $"); */
 
 #ifndef SERVCONF_H
 #define SERVCONF_H
@@ -47,6 +47,7 @@ typedef struct {
         int     x11_forwarding; /* If true, permit inet (spoofing) X11 fwd. */
         int     x11_display_offset;     /* What DISPLAY number to start
                                          * searching at */
+        char   *xauth_location; /* Location of xauth program */
         int     strict_modes;   /* If true, require string home dir modes. */
         int     keepalives;     /* If true, set SO_KEEPALIVE. */
         char   *ciphers;        /* Ciphers in order of preference. */
diff --git a/session.c b/session.c
index 4791857c0..0fdd613a5 100644
--- a/session.c
+++ b/session.c
@@ -812,6 +812,10 @@ do_child(const char *command, struct passwd * pw, const char *term,
         struct stat st;
         char *argv[10];
 
+        /* login(1) is only called if we execute the login shell */
+        if (options.use_login && command != NULL)
+                options.use_login = 0;
+
 #ifndef USE_PAM /* pam_nologin handles this */
         f = fopen("/etc/nologin", "r");
         if (f) {
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 351036dd4..621b9c143 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -7,7 +7,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: ssh-keygen.c,v 1.18 2000/05/09 01:03:02 damien Exp $");
+RCSID("$Id: ssh-keygen.c,v 1.19 2000/06/07 09:55:44 djm Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/pem.h>
@@ -520,7 +520,7 @@ main(int ac, char **av)
         extern int optind;
         extern char *optarg;
 
-        OpenSSL_add_all_algorithms();
+        SSLeay_add_all_algorithms();
 
         /* we need this for the home * directory.  */
         pw = getpwuid(getuid());
diff --git a/ssh.1 b/ssh.1
index 6c1d3763e..cd56e7bef 100644
--- a/ssh.1
+++ b/ssh.1
@@ -9,7 +9,7 @@
 .\"
 .\" Created: Sat Apr 22 21:55:14 1995 ylo
 .\"
-.\" $Id: ssh.1,v 1.27 2000/05/30 03:44:54 damien Exp $
+.\" $Id: ssh.1,v 1.28 2000/06/07 09:55:44 djm Exp $
 .\"
 .Dd September 25, 1999
 .Dt SSH 1
@@ -940,6 +940,12 @@ The argument must be
 .Dq yes
 or
 .Dq no .
+.It Cm XAuthLocation
+Specifies the location of the
+.Xr xauth 1
+program.
+The default is
+.Pa /usr/X11R6/bin/xauth .
 .Sh ENVIRONMENT
 .Nm
 will normally set the following environment variables:
diff --git a/ssh.c b/ssh.c
index 2934c3a4a..a5c1ac6ba 100644
--- a/ssh.c
+++ b/ssh.c
@@ -11,7 +11,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: ssh.c,v 1.33 2000/05/30 03:44:54 damien Exp $");
+RCSID("$Id: ssh.c,v 1.34 2000/06/07 09:55:44 djm Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/dsa.h>
@@ -438,7 +438,7 @@ main(int ac, char **av)
         /* Initialize the command to execute on remote host. */
         buffer_init(&command);
 
-        OpenSSL_add_all_algorithms();
+        SSLeay_add_all_algorithms();
 
         /*
          * Save the command to execute on the remote host in a buffer. There
@@ -677,17 +677,17 @@ x11_get_proto(char *proto, int proto_len, char *data, int data_len)
         FILE *f;
         int got_data = 0, i;
 
-#ifdef XAUTH_PATH
-        /* Try to get Xauthority information for the display. */
-        snprintf(line, sizeof line, "%.100s list %.200s 2>/dev/null",
-                 XAUTH_PATH, getenv("DISPLAY"));
-        f = popen(line, "r");
-        if (f && fgets(line, sizeof(line), f) &&
-            sscanf(line, "%*s %s %s", proto, data) == 2)
-                got_data = 1;
-        if (f)
-                pclose(f);
-#endif /* XAUTH_PATH */
+        if (options.xauth_location) {
+                /* Try to get Xauthority information for the display. */
+                snprintf(line, sizeof line, "%.100s list %.200s 2>/dev/null",
+                    options.xauth_location, getenv("DISPLAY"));
+                f = popen(line, "r");
+                if (f && fgets(line, sizeof(line), f) &&
+                    sscanf(line, "%*s %s %s", proto, data) == 2)
+                        got_data = 1;
+                if (f)
+                        pclose(f);
+        }
         /*
          * If we didn't get authentication data, just make up some
          * data.  The forwarding code will check the validity of the
diff --git a/sshconnect2.c b/sshconnect2.c
index 0abcf89a0..77b8652ea 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -28,7 +28,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.11 2000/05/25 20:45:20 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.13 2000/06/02 02:00:19 todd Exp $");
 
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
@@ -71,7 +71,6 @@ void
 ssh_kex_dh(Kex *kex, char *host, struct sockaddr *hostaddr,
     Buffer *client_kexinit, Buffer *server_kexinit)
 {
-        int i;
         int plen, dlen;
         unsigned int klen, kout;
         char *signature = NULL;
@@ -265,9 +264,12 @@ ssh2_try_passwd(const char *server_user, const char *host, const char *service)
         char prompt[80];
         char *password;
 
-        if (attempt++ > options.number_of_password_prompts)
+        if (attempt++ >= options.number_of_password_prompts)
                 return 0;
 
+        if(attempt != 1)
+                error("Permission denied, please try again.");
+
         snprintf(prompt, sizeof(prompt), "%.30s@%.40s's password: ",
             server_user, host);
         password = read_passphrase(prompt, 0);
diff --git a/sshd.8 b/sshd.8
index 003f29124..deb72e447 100644
--- a/sshd.8
+++ b/sshd.8
@@ -9,7 +9,7 @@
 .\"
 .\" Created: Sat Apr 22 21:55:14 1995 ylo
 .\"
-.\" $Id: sshd.8,v 1.22 2000/05/09 01:03:03 damien Exp $
+.\" $Id: sshd.8,v 1.23 2000/06/07 09:55:44 djm Exp $
 .\"
 .Dd September 25, 1999
 .Dt SSHD 8
@@ -552,7 +552,10 @@ The default is AUTH.
 .It Cm UseLogin
 Specifies whether
 .Xr login 1
-is used.
+is used for interactive login sessions.
+Note that
+.Xr login 1
+is not never for remote command execution.
 The default is
 .Dq no .
 .It Cm X11DisplayOffset
@@ -569,6 +572,12 @@ The default is
 .Dq no .
 Note that disabling X11 forwarding does not improve security in any
 way, as users can always install their own forwarders.
+.It Cm XAuthLocation
+Specifies the location of the
+.Xr xauth 1
+program.
+The default is
+.Pa /usr/X11R6/bin/xauth .
 .El
 .Sh LOGIN PROCESS
 When a user successfully logs in,
diff --git a/version.h b/version.h
index d577644d6..fc63bc105 100644
--- a/version.h
+++ b/version.h
@@ -1 +1 @@
-#define SSH_VERSION     "OpenSSH-2.1"
+#define SSH_VERSION     "OpenSSH_2.1.1"