237 files changed, 18753 insertions, 15125 deletions
diff --git a/CREDITS b/CREDITS
index 8d7b8a484..092229cf7 100644
--- a/CREDITS
+++ b/CREDITS
@@ -23,7 +23,7 @@ Chris Saia <csaia@wtower.com> - SuSE packaging
 Chris, the Young One <cky@pobox.com> - Password auth fixes
 Christos Zoulas <christos@zoulas.com> - Autoconf fixes
 Chun-Chung Chen <cjj@u.washington.edu> - RPM fixes
-Corinna Vinschen <vinschen@cygnus.com> - Cygwin support
+Corinna Vinschen <vinschen@redhat.com> - Cygwin support
 Dan Brosemer <odin@linuxfreak.com> - Autoconf support, build fixes
 Darren Hall <dhall@virage.org> - AIX patches
 Darren Tucker <dtucker@zip.com.au> - AIX BFF package scripts
@@ -49,6 +49,7 @@ Juergen Keil <jk@tools.de> - scp bugfixing
 KAMAHARA Junzo <kamahara@cc.kshosen.ac.jp> - Configure fixes
 Kees Cook <cook@cpoint.net> - scp fixes
 Kenji Miyake <kenji@miyake.org> - Configure fixes
+Kevin Cawlfield <cawlfiel@us.ibm.com> - AIX fixes.
 Kevin O'Connor <kevin_oconnor@standardandpoors.com> - RSAless operation
 Kevin Steves <stevesk@pobox.com> - HP support, bugfixes, improvements
 Kiyokazu SUTO <suto@ks-and-ks.ne.jp> - Bugfixes
@@ -69,11 +70,13 @@ Pavel Kankovsky <peak@argo.troja.mff.cuni.cz> - Security fixes
 Pavel Troller <patrol@omni.sinus.cz> - Bugfixes
 Pekka Savola <pekkas@netcore.fi> - Bugfixes
 Peter Kocks <peter.kocks@baygate.com> - Makefile fixes
+Peter Stuge <stuge@cdy.org> - mdoc2man.awk script
 Phil Hands <phil@hands.com> - Debian scripts, assorted patches
 Phil Karn <karn@ka9q.ampr.org> - Autoconf fixes
 Philippe WILLEM <Philippe.WILLEM@urssaf.fr> - Bugfixes
 Phill Camp <P.S.S.Camp@ukc.ac.uk> - login code fix
 Rip Loomis <loomisg@cist.saic.com> - Solaris package support, fixes
+Roumen Petrov <openssh@roumenpetrov.info> - Compile & configure fixes
 SAKAI Kiyotaka <ksakai@kso.netwk.ntt-at.co.jp> - Multiple bugfixes
 Simon Wilkinson <sxw@dcs.ed.ac.uk> - PAM fixes, Compat with MIT KrbV
 Solar Designer <solar@openwall.com> - many patches and technical assistance
@@ -91,5 +94,5 @@ Apologies to anyone I have missed.
 Damien Miller <djm@mindrot.org>
-$Id: CREDITS,v 1.67.6.1 2003/04/29 09:12:07 djm Exp $
+$Id: CREDITS,v 1.74 2003/09/07 02:34:54 dtucker Exp $
diff --git a/ChangeLog b/ChangeLog
index 6ccc4d4ed..b5505da19 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,995 @@
+20030916
+ - (dtucker) [acconfig.h configure.ac defines.h session.c] Bug #252: Retrieve
+   PATH (or SUPATH) and UMASK from /etc/default/login on platforms that have it
+   (eg Solaris, Reliant Unix).  Patch from Robert.Dahlem at siemens.com.  
+   ok djm@
+ - (bal) OpenBSD Sync
+   - deraadt@cvs.openbsd.org 2003/09/16 03:03:47
+     [buffer.c]
+     do not expand buffer before attempting to reallocate it; markus ok
+ - (djm) Crank spec versions
+ - (djm) Banish (safe) sprintf from auth-pam.c. Patch from bal
+ - (tim) [configure.ac] Fix portability issues.
+ - (djm) Release 3.7p1
+20030914
+ - (dtucker) [Makefile regress/Makefile] Fix portability issues preventing
+   the regression tests from running with Solaris' make.  Patch from Brian
+   Poole (raj at cerias.purdue.edu).
+ - (dtucker) [regress/Makefile] AIX's make doesn't like " +=", so replace
+   with vanilla "=".
+20030913
+ - (dtucker) [regress/agent-timeout.sh] Timeout of 5 sec is borderline for
+   slower hosts, increase to 10 sec.
+ - (dtucker) [auth-passwd.c] On AIX, call setauthdb() before loginsuccess(),
+   required to correctly reset failed login count when using a password
+   registry other than "files" (eg LDAP, see bug #543).
+ - (tim) [configure.ac] define WITH_ABBREV_NO_TTY for SCO.
+   Report by Roger Cornelius.
+ - (dtucker) [auth-pam.c] Use SSHD_PAM_SERVICE for PAM service name, patch
+   from cjwatson at debian.org.
+20030912
+ - (tim) [regress/agent-ptrace.sh] sh doesn't like "if ! shell_function; then".
+ - (tim) [Makefile.in] only mkdir regress if it does not exist.
+ - (tim) [regress/yes-head.sh] shell portability fix.
+20030911
+ - (dtucker) [configure.ac] Bug #588, #615: Move other libgen tests to after
+   the dirname test, to allow a broken dirname to be detected correctly.
+   Based partially on patch supplied by alex.kiernan at thus.net.  ok djm@
+ - (tim) [configure.ac] Move libgen tests to before libwrap to unbreak
+   UnixWare 2.03 using --with-tcp-wrappers.
+ - (tim) [configure.ac] Prefer setuid/setgid on UnixWare and Open Server.
+ - (tim) [regress/agent-ptrace.sh regress/dynamic-forward.sh
+   regress/sftp-cmds.sh regress/stderr-after-eof.sh regress/test-exec.sh]
+   no longer depends on which(1). patch by dtucker@
+20030910
+ - (dtucker) [configure.ac] Bug #636: Add support for Cray's new X1 machine.
+   Patch from wendyp at cray.com.
+ - (dtucker) [configure.ac] Part of bug #615: tcsendbreak might be a macro.
+ - (dtucker) [regressh/yes-head.sh] Some platforms (eg Solaris) don't have
+   "yes".
+20030909
+ - (tim) [regress/Makefile] Fixes for building outside of a read-only
+   source tree.
+ - (tim) [regress/agent-timeout.sh] s/TIMEOUT/SSHAGENT_TIMEOUT/ Fixes conflict
+   with shell read-only variable.
+ - (tim) [regress/sftp-badcmds.sh regress/sftp-cmds.sh] Fix errors like
+   UX:rm: ERROR: Cannot remove '.' or '..'
+20030908
+ - (tim) [configure.ac openbsd-compat/getrrsetbyname.c] wrap _getshort and
+   _getlong in #ifndef
+ - (tim) [configure.ac acconfig.h openbsd-compat/getrrsetbyname.c] test for
+   HEADER.ad in arpa/nameser.h
+ - (tim) [ssh-keygen.c] s/PATH_MAX/MAXPATHLEN/ ok mouring@
+20030907
+ - (dtucker) [agent-ptrace.sh dynamic-forward.sh (all regress/)]
+   Put "which" inside quotes.
+ - (dtucker) [dynamic-forward.sh forwarding.sh sftp-batch.sh (all regress/)]
+   Add ${EXEEXT}: required to work on Cygwin.
+ - (dtucker) [regress/sftp-batch.sh] Make temporary batch file name more
+   distinctive, so "rm ${BATCH}.*" doesn't match the script itself.
+ - (dtucker) [regress/sftp-cmds.sh] Skip quoted file test on Cygwin.
+ - (dtucker) [openbsd-compat/xcrypt.c] #elsif -> #elif
+ - (dtucker) [acconfig.h] Typo.
+ - (dtucker) [CREDITS Makefile.in configure.ac mdoc2man.awk mdoc2man.pl]
+   Replace mdoc2man.pl with mdoc2man.awk, provided by Peter Stuge.
+20030906
+ - (dtucker) [acconfig.h configure.ac uidswap.c] Prefer setuid/setgid on AIX.
+20030905
+ - (dtucker) [Makefile.in] Add distclean target for regress/, fix clean target.
+20030904
+ - (dtucker) Portablize regression tests.  Parts contributed by Roumen
+   Petrov, David M. Williams and Corinna Vinschen.
+   - [Makefile.in] Add "make tests" target and "make clean" hooks.
+   - [regress/agent-getpeereid.sh] Skip test on platforms that don't support
+     getpeereid.
+   - [regress/agent-ptrace.sh] Skip tests if platform doesn't support it or
+     gdb cannot be found.
+   - [regress/reconfigure/sh] Make path to sshd fully qualified if required.
+   - [regress/rekey.sh] Remove dependence on /dev/zero (not all platforms have
+     it).  The sparse file will take less disk space too.
+   - [regress/sftp-cmds.sh] Ensure files used for test are readable.
+   - [regress/stderr-after-eof.sh] Search for a usable checksum program.
+   - [regress/sftp-badcmds.sh regress/sftp-cmds.sh regress/sftp.sh
+     regress/ssh-com-client.sh regress/ssh-com-sftp.sh regress/stderr-data.sh
+     regress/transfer.sh] Use ${EXEEXT} where appropriate.
+   - [regress/sftp.sh regress/ssh-com-sftp.sh] Remove dependency on /dev/stdin.
+   - [regress/agent-ptrace.sh regress/agent-timeout.sh]
+     "grep -q" -> "grep >/dev/null"
+   - [regress/agent.sh regress/proto-version.sh regress/ssh-com.sh
+     regress/test-exec.sh] Handle different ways of echoing without newlines.
+   - [regress/dynamic-forward.sh] Some "which" programs output on stderr.
+   - [regress/sftp-cmds.sh] Use portable "test" option.
+   - [regress/test-exec.sh] Use sudo, search for "whoami" equivalent, always
+     use Strictmodes no, wait longer for sshd startup.
+   - [regress/Makefile] Remove BSDisms.
+   - [regress/README.regress] Add a basic readme.
+   - [Makefile.in regress/agent-getpeereid.sh] config.h is now in $BUILDDIR
+     not $OBJ.
+   - [Makefile.in regress/agent-ptrace] Fix minor regress issues on Cygwin.
+20030903
+ - (djm) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2003/08/26 09:58:43
+     [auth-passwd.c auth.c auth.h auth1.c auth2-none.c auth2-passwd.c]
+     [auth2.c monitor.c]
+     fix passwd auth for 'username leaks via timing'; with djm@, original 
+     patches from solar
+   - markus@cvs.openbsd.org 2003/08/28 12:54:34
+     [auth.h]
+     remove kerberos support from ssh1, since it has been replaced with GSSAPI;
+     but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
+   - markus@cvs.openbsd.org 2003/09/02 16:40:29
+     [version.h]
+     enter 3.7
+   - jmc@cvs.openbsd.org 2003/09/02 18:50:06
+     [sftp.1 ssh_config.5]
+     escape punctuation;
+     ok deraadt@
+20030902
+ - (djm) OpenBSD CVS Sync
+   - deraadt@cvs.openbsd.org 2003/08/24 17:36:51
+     [auth2-gss.c]
+     64 bit cleanups; markus ok
+   - markus@cvs.openbsd.org 2003/08/28 12:54:34
+     [auth-krb5.c auth.h auth1.c monitor.c monitor.h monitor_wrap.c]
+     [monitor_wrap.h readconf.c servconf.c session.c ssh_config.5]
+     [sshconnect1.c sshd.c sshd_config sshd_config.5]
+     remove kerberos support from ssh1, since it has been replaced with GSSAPI;
+     but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
+   - markus@cvs.openbsd.org 2003/08/29 10:03:15
+     [compat.c compat.h]
+     SSH_BUG_K5USER is unused; ok henning@
+   - markus@cvs.openbsd.org 2003/08/29 10:04:36
+     [channels.c nchan.c]
+     be less chatty; debug -> debug2, cleanup; ok henning@
+   - markus@cvs.openbsd.org 2003/08/31 10:26:04
+     [progressmeter.c]
+     pass file_size + 1 to snprintf: fixes printing of truncated
+     file names; fix based on patch/report from sturm@;
+   - markus@cvs.openbsd.org 2003/08/31 12:14:22
+     [progressmeter.c]
+     do write to buf[-1]
+   - markus@cvs.openbsd.org 2003/08/31 13:29:05
+     [session.c]
+     call ssh_gssapi_storecreds conditionally from do_exec(); 
+     with sxw@inf.ed.ac.uk
+   - markus@cvs.openbsd.org 2003/08/31 13:30:18
+     [gss-serv.c]
+     correct string termination in parse_ename(); sxw@inf.ed.ac.uk
+   - markus@cvs.openbsd.org 2003/08/31 13:31:57
+     [gss-serv.c]
+     whitspace KNF
+   - markus@cvs.openbsd.org 2003/09/01 09:50:04
+     [sshd_config.5]
+     gss kex is not supported; sxw@inf.ed.ac.uk
+   - markus@cvs.openbsd.org 2003/09/01 12:50:46
+     [readconf.c]
+     rm gssapidelegatecreds alias; never supported before
+   - markus@cvs.openbsd.org 2003/09/01 13:52:18
+     [ssh.h]
+     rm whitespace
+   - markus@cvs.openbsd.org 2003/09/01 18:15:50
+     [readconf.c readconf.h servconf.c servconf.h ssh.c]
+     remove unused kerberos code; ok henning@
+   - markus@cvs.openbsd.org 2003/09/01 20:44:54
+     [auth2-gss.c]
+     fix leak
+ - (djm) Don't initialise pam_conv structures inline. Avoids HP/UX compiler
+   error. Part of Bug #423, patch from  michael_steffens AT hp.com
+ - (djm) Bug #423: reorder setting of PAM_TTY and calling of PAM session 
+   management (now done in do_setusercontext). Largely from 
+   michael_steffens AT hp.com
+ - (djm) Fix openbsd-compat/ again - remove references to strl(cpy|cat).h 
+ 
+20030829
+ - (bal) openbsd-compat/ clean up.  Considate headers, add in Id on our
+   files, and added missing license to header.
+20030826
+ - (djm) Bug #629: Mark ssh_config option "pamauthenticationviakbdint"
+   as deprecated. Remove mention from README.privsep. Patch from 
+   aet AT cc.hut.fi
+ - (dtucker) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2003/08/22 10:56:09
+     [auth2.c auth2-gss.c auth.h compat.c compat.h gss-genr.c gss-serv-krb5.c
+     gss-serv.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h readconf.c
+     readconf.h servconf.c servconf.h session.c session.h ssh-gss.h
+     ssh_config.5 sshconnect2.c sshd_config sshd_config.5]
+     support GSS API user authentication; patches from Simon Wilkinson,
+     stripped down and tested by Jakob and myself.
+   - markus@cvs.openbsd.org 2003/08/22 13:20:03
+     [sshconnect2.c]
+     remove support for "kerberos-2@ssh.com"
+   - markus@cvs.openbsd.org 2003/08/22 13:22:27
+     [auth2.c] (auth2-krb5.c removed)
+     nuke "kerberos-2@ssh.com"
+   - markus@cvs.openbsd.org 2003/08/22 20:55:06
+     [LICENCE]
+     add Simon Wilkinson
+   - deraadt@cvs.openbsd.org 2003/08/24 17:36:52
+     [monitor.c monitor_wrap.c sshconnect2.c]
+     64 bit cleanups; markus ok
+   - fgsch@cvs.openbsd.org 2003/08/25 08:13:09
+     [sftp-int.c]
+     fix div by zero when listing for filename lengths longer than width.
+     markus@ ok.
+   - djm@cvs.openbsd.org 2003/08/25 10:33:33
+     [sshconnect2.c]
+     fprintf->logit to silence login banner with "ssh -q"; ok markus@
+ - (dtucker) [Makefile.in acconfig.h auth-krb5.c auth-pam.c auth-pam.h
+   configure.ac defines.h gss-serv-krb5.c session.c ssh-gss.h sshconnect1.c
+   sshconnect2.c] Add Portable GSSAPI support, patch by Simon Wilkinson.
+ - (dtucker) [Makefile.in] Remove auth2-krb5.
+ - (dtucker) [contrib/aix/inventory.sh] Add public domain notice.  ok mouring@
+   (the original author)
+ - (dtucker) [auth.c] Do not check for locked accounts when PAM is enabled.
+20030825
+ - (djm) Bug #621: Select OpenSC keys by usage attributes. Patch from 
+   larsch@trustcenter.de
+ - (bal) openbsd-compat/ OpenBSD updates.  Mostly licensing, ansifications
+   and minor fixes. OK djm@
+ - (bal) redo how we handle 'mysignal()'.  Move it to 
+   openbsd-compat/bsd-misc.c, s/mysignal/signal/ and #define signal to
+   be our 'mysignal' by default.  OK djm@
+ - (dtucker) [acconfig.h auth.c configure.ac sshd.8] Bug #422 again: deny
+   any access to locked accounts.  ok djm@
+ - (djm) Bug #564: Perform PAM account checks for all authentications when
+   UsePAM=yes; ok dtucker
+ - (dtucker) [configure.ac] Bug #533, #551: define BROKEN_GETADDRINFO on
+   Tru64, solves getnameinfo and "bad addr or host" errors.  ok djm@
+ - (dtucker) [README buildbff.sh inventory.sh] (all in contrib/aix)
+   Update package builder: correctly handle config variables, use lsuser
+   rather than /etc/passwd, fix typos, add Id's.
+20030822
+ - (djm) s/get_progname/ssh_get_progname/g to avoid conflict with Heimdal 
+   -lbroken; ok dtucker 
+ - (dtucker) [contrib/cygwin/ssh-user-config] Put keys in authorized_keys
+   rather that authorized_keys2.  Patch from vinschen@redhat.com.
+20030821
+ - (dtucker) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2003/08/14 16:08:58
+     [ssh-keygen.c]
+     exit after primetest, ok djm@
+ - (dtucker) [defines.h] Put CMSG_DATA, CMSG_FIRSTHDR with other CMSG* macros,
+   change CMSG_DATA to use __CMSG_ALIGN (and thus work properly), reformat for
+   consistency.
+ - (dtucker) [configure.ac] Move openpty/ctty test outside of case statement
+   and after normal openpty test.
+20030813
+ - (dtucker) [session.c] Remove #ifdef TIOCSBRK kludge.
+ - (dtucker) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2003/08/13 08:33:02
+     [session.c]
+     use more portable tcsendbreak(3) and ignore break_length;
+     ok deraadt, millert
+   - markus@cvs.openbsd.org 2003/08/13 08:46:31
+     [auth1.c readconf.c readconf.h servconf.c servconf.h ssh.c ssh_config
+     ssh_config.5 sshconnect1.c sshd.8 sshd.c sshd_config sshd_config.5]
+     remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
+     fgsch@, miod@, henning@, jakob@ and others
+   - markus@cvs.openbsd.org 2003/08/13 09:07:10
+     [readconf.c ssh.c]
+     socks4->socks, since with support both 4 and 5; dtucker@zip.com.au
+ - (dtucker) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h]
+   Add a tcsendbreak function for platforms that don't have one, based on the
+   one from OpenBSD.
+20030811
+ - (dtucker) OpenBSD CVS Sync
+   (thanks to Simon Wilkinson for help with this -dt)
+   - markus@cvs.openbsd.org 2003/07/16 15:02:06
+     [auth-krb5.c]
+     mcc -> fcc; from Love H�rnquist �strand <lha@it.su.se>
+     otherwise the kerberos credentinal is stored in a memory cache
+     in the privileged sshd. ok jabob@, hin@ (some time ago)
+ - (dtucker) [openbsd-compat/xcrypt.c] Remove Cygwin #ifdef block (duplicate
+   in bsd-cygwin_util.h).
+20030808
+ - (dtucker) [openbsd-compat/fake-rfc2553.h] Older Linuxes have AI_PASSIVE and
+   AI_CANONNAME in netdb.h but not AI_NUMERICHOST, so check each definition
+   separately before defining them.
+ - (dtucker) [auth-pam.c] Don't set PAM_TTY if tty is null.  ok djm@
+20030807
+ - (dtucker) [session.c] Have session_break_req not attempt to send a break
+   if TIOCSBRK and TIOCCBRK are not defined (eg Cygwin).
+ - (dtucker) [canohost.c] Bug #336: Only check ip options if IP_OPTIONS is
+   defined (fixes compile error on really old Linuxes).
+ - (dtucker) [defines.h] Bug #336: Add CMSG_DATA and CMSG_FIRSTHDR macros if
+   not already defined (eg Linux with some versions of libc5), based on those
+   from OpenBSD.
+ - (dtucker) [openbsd-compat/bsd-cygwin_util.c openbsd-compat/bsd-cygwin_util.h]
+   Remove incorrect filenames from comments (file names are in Id tags).
+ - (dtucker) [session.c openbsd-compat/bsd-cygwin_util.h] Move Cygwin
+   specific defines and includes to bsd-cygwin_util.h.  Fixes build error too.
+20030802
+ - (dtucker) [monitor.h monitor_wrap.h] Remove excess ident tags.
+ - (dtucker) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2003/07/22 13:35:22
+     [auth1.c auth.h auth-passwd.c monitor.c monitor.h monitor_wrap.c
+     monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c ssh.1
+     ssh.c ssh_config.5 sshconnect1.c sshd.c sshd_config.5 ssh.h]
+     remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
+     test+ok henning@
+ - (dtucker) [Makefile.in acconfig.h configure.ac] Remove KRB4/AFS support.
+ - (dtucker) [auth-krb4.c radix.c radix.h] Remove KRB4/AFS specific files.
+ - (dtucker) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2003/07/23 07:42:43
+     [sshd_config]
+     remove AFS; itojun@
+   - djm@cvs.openbsd.org 2003/07/28 09:49:56
+     [ssh-keygen.1 ssh-keygen.c]
+     Support for generating Diffie-Hellman groups (/etc/moduli) from ssh-keygen.
+     Based on code from Phil Karn, William Allen Simpson and Niels Provos.
+     ok markus@, thanks jmc@
+   - markus@cvs.openbsd.org 2003/07/29 18:24:00
+     [LICENCE progressmeter.c]
+     replace 4 clause BSD licensed progressmeter code with a replacement
+     from Nils Nordman and myself; ok deraadt@
+     (copied from OpenBSD an re-applied portable changes)
+   - markus@cvs.openbsd.org 2003/07/29 18:26:46
+     [progressmeter.c]
+     fix length for "- stalled -" (included with previous import)
+   - markus@cvs.openbsd.org 2003/07/30 07:44:14
+     [progressmeter.c]
+     use only 4 digits in format_size (included with previous import)
+   - markus@cvs.openbsd.org 2003/07/30 07:53:27
+     [progressmeter.c]
+     whitespace (included with previous import)
+   - markus@cvs.openbsd.org 2003/07/31 09:21:02
+     [auth2-none.c]
+     check whether passwd auth is allowd, similar to proto 1; rob@pitman.co.za
+     ok henning
+   - avsm@cvs.openbsd.org 2003/07/31 15:50:16
+     [atomicio.c]
+     correct comment: atomicio takes vwrite, not write; deraadt@ ok
+   - markus@cvs.openbsd.org 2003/07/31 22:34:03
+     [progressmeter.c]
+     print rate similar old version; round instead truncate;
+     (included in previous progressmeter.c commit)
+ - (dtucker) [openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h]
+   Add a tcgetpgrp function.
+ - (dtucker) [Makefile.in moduli.c moduli.h] Add new files and to Makefile.
+ - (dtucker) [openbsd-compat/bsd-misc.c] Fix cut-and-paste bug in tcgetpgrp.
+20030730
+ - (djm) [auth-pam.c] Don't use crappy APIs like sprintf. Thanks bal
+20030726
+ - (dtucker) [openbsd-compat/xcrypt.c] Fix typo: DISABLED_SHADOW ->
+   DISABLE_SHADOW.  Fixes HP-UX compile error.
+20030724
+ - (bal) [auth-passwd.c openbsd-compat/Makefile.in openbsd-compat/xcrypt.c 
+    openbsd-compat/xcrypt.h] Split off encryption into xcrypt() interface,
+    and isolate shadow password functions.  Tested in Solaris, but should
+    not break other platforms too badly (except maybe HP =).  Also brings
+    auth-passwd.c into full sync with OpenBSD tree.
+20030723
+ - (dtucker) [configure.ac] Back out change for bug #620.
+20030719
+ - (dtucker) [configure.ac] Bug #620: Define BROKEN_GETADDRINFO for
+   Solaris/x86.  Patch from jrhett at isite.net.
+ - (dtucker) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2003/07/14 12:36:37
+     [sshd.c]
+     remove undocumented -V option. would be only useful if openssh is used
+     as ssh v1 server for ssh.com's ssh v2.
+   - markus@cvs.openbsd.org 2003/07/16 10:34:53
+     [ssh.c sshd.c]
+     don't exit on multiple -v or -d; ok deraadt@
+   - markus@cvs.openbsd.org 2003/07/16 10:36:28
+     [sshtty.c]
+     clear IUCLC in enter_raw_mode; from rob@pitman.co.za; ok deraadt@, fgs@
+   - deraadt@cvs.openbsd.org 2003/07/18 01:54:25
+     [scp.c]
+     userid is unsigned, but well, force it anyways; andrushock@korovino.net
+   - djm@cvs.openbsd.org 2003/07/19 00:45:53
+     [sftp-int.c]
+     fix sftp filename parsing for arguments with escaped quotes. bz #517;
+     ok markus
+   - djm@cvs.openbsd.org 2003/07/19 00:46:31
+     [regress/sftp-cmds.sh]
+     regress test for sftp arguments with escaped quotes; ok markus
+20030714
+ - (dtucker) [acconfig.h configure.ac port-aix.c] Older AIXes don't declare
+   loginfailed at all, so assume 3-arg loginfailed if not declared.
+ - (dtucker) [port-aix.h] Work around name collision on AIX for r_type by
+   undef'ing it.
+ - (dtucker) Bug #543: [configure.ac port-aix.c port-aix.h]
+   Call setauthdb() before loginfailed(), which may load password registry-
+   specific functions.  Based on patch by cawlfiel at us.ibm.com.
+ - (dtucker) [port-aix.h] Fix prototypes.
+ - (dtucker) OpenBSD CVS Sync
+   - avsm@cvs.openbsd.org 2003/07/09 13:58:19
+     [key.c]
+     minor tweak: when generating the hex fingerprint, give strlcat the full
+     bound to the buffer, and add a comment below explaining why the
+     zero-termination is one less than the bound.  markus@ ok
+   - markus@cvs.openbsd.org 2003/07/10 14:42:28
+     [packet.c]
+     the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
+     blowfish, etc, so enforce a 1GB limit for small blocksizes.
+   - markus@cvs.openbsd.org 2003/07/10 20:05:55
+     [sftp.c]
+     sync usage with manpage, add missing -R
+20030708
+ - (dtucker) [acconfig.h auth-passwd.c configure.ac session.c port-aix.[ch]]
+   Include AIX headers for authentication functions and make calls match
+   prototypes.  Test for and handle 3-arg and 4-arg variants of loginfailed.
+ - (dtucker) [session.c] Check return value of setpcred().
+ - (dtucker) [auth-passwd.c auth.c session.c sshd.c port-aix.c port-aix.h]
+   Convert aixloginmsg into platform-independant Buffer loginmsg.
+20030707
+ - (dtucker) [configure.ac] Bug #600: Check that getrusage is declared before
+   searching libraries for it.  Fixes build errors on NCR MP-RAS.
+20030706
+ - (dtucker) [ssh-rand-helper.c loginrec.c]
+   Apply atomicio typing change to these too.
+20030703
+ - (dtucker) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2003/06/28 07:48:10
+     [sshd.c]
+     report pidfile creation errors, based on patch from Roumen Petrov;
+     ok markus@
+   - deraadt@cvs.openbsd.org 2003/06/28 16:23:06
+     [atomicio.c atomicio.h authfd.c clientloop.c monitor_wrap.c msg.c
+     progressmeter.c scp.c sftp-client.c ssh-keyscan.c ssh.h sshconnect.c
+     sshd.c]
+     deal with typing of write vs read in atomicio
+   - markus@cvs.openbsd.org 2003/06/29 12:44:38
+     [sshconnect.c]
+     memset 0, not \0; andrushock@korovino.net
+   - markus@cvs.openbsd.org 2003/07/02 12:56:34
+     [channels.c]
+     deny dynamic forwarding with -R for v1, too; ok djm@
+   - markus@cvs.openbsd.org 2003/07/02 14:51:16
+     [channels.c ssh.1 ssh_config.5]
+     (re)add socks5 suppport to -D; ok djm@
+     now ssh(1) can act both as a socks 4 and socks 5 server and
+     dynamically forward ports.
+   - markus@cvs.openbsd.org 2003/07/02 20:37:48
+     [ssh.c]
+     convert hostkeyalias to lowercase, otherwise uppercase aliases will
+     not match at all; ok henning@
+   - markus@cvs.openbsd.org 2003/07/03 08:21:46
+     [regress/dynamic-forward.sh]
+     add socks5; speedup; reformat; based on patch from dtucker@zip.com.au
+   - markus@cvs.openbsd.org 2003/07/03 08:24:13
+     [regress/Makefile]
+     enable tests for dynamic fwd via socks (-D), uses nc(1)
+   - djm@cvs.openbsd.org 2003/07/03 08:09:06
+     [readconf.c readconf.h ssh-keysign.c ssh.c]
+     fix AddressFamily option in config file, from brent@graveland.net;
+     ok markus@
+20030630
+ - (djm) Search for support functions necessary to build our 
+   getrrsetbyname() replacement. Patch from Roumen Petrov 
+20030629
+ - (dtucker) [includes.h] Bug #602: move #include of netdb.h to after in.h
+   (fixes compiler warnings on Solaris 2.5.1).
+ - (dtucker) [configure.ac] Add sanity test after system-dependant compiler
+   flag modifications.
+   
+20030628
+ - (djm) Bug #591: use PKCS#15 private key label as a comment in case 
+   of OpenSC. Report and patch from larsch@trustcenter.de
+ - (djm) Bug #593: Sanity check OpenSC card reader number; patch from 
+   aj@dungeon.inka.de
+ - (dtucker) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2003/06/23 09:02:44
+     [ssh_config.5]
+     document EnableSSHKeysign; bugzilla #599; ok deraadt@, jmc@
+   - markus@cvs.openbsd.org 2003/06/24 08:23:46
+     [auth2-hostbased.c auth2-pubkey.c auth2.c channels.c key.c key.h
+      monitor.c packet.c packet.h serverloop.c sshconnect2.c sshd.c]
+     int -> u_int; ok djm@, deraadt@, mouring@
+   - miod@cvs.openbsd.org 2003/06/25 22:39:36
+     [sftp-server.c]
+     Typo police: attribute is better written with an 'r'.
+   - markus@cvs.openbsd.org 2003/06/26 20:08:33
+     [readconf.c]
+     do not dump core for 'ssh -o proxycommand host'; ok deraadt@
+ - (dtucker) [regress/dynamic-forward.sh] Import new regression test.
+ - (dtucker) [configure.ac] Bug #570: Have ./configure --enable-FEATURE 
+   actually enable the feature, for those normally disabled.  Patch by
+   openssh (at) roumenpetrov.info.
+20030624
+ - (dtucker) Have configure refer the user to config.log and
+   contrib/findssl.sh for OpenSSL header/library mismatches.
+20030622
+ - (dtucker) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2003/06/21 09:14:05
+     [regress/reconfigure.sh]
+     missing $SUDO; from dtucker@zip.com.au
+   - markus@cvs.openbsd.org 2003/06/18 11:28:11
+     [ssh-rsa.c]
+     backout last change, since it violates pkcs#1
+     switch to share/misc/license.template
+   - djm@cvs.openbsd.org 2003/06/20 05:47:58
+     [sshd_config.5]
+     sync description of protocol 2 cipher proposal; ok markus
+   - djm@cvs.openbsd.org 2003/06/20 05:48:21
+     [sshd_config]
+     sync some implemented options; ok markus@
+ - (dtucker) [regress/authorized_keys_root] Remove temp data file from CVS.
+ - (dtucker) [openbsd-compat/setproctitle.c] Ensure SPT_TYPE is defined before
+   testing its value.
+20030618
+ - (djm) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2003/06/12 07:57:38
+     [monitor.c sshlogin.c sshpty.c]
+     typos; dtucker at zip.com.au
+   - djm@cvs.openbsd.org 2003/06/12 12:22:47
+     [LICENCE]
+     mention more copyright holders; ok markus@
+   - nino@cvs.openbsd.org 2003/06/12 15:34:09
+     [scp.c]
+     Typo. Ok markus@.
+   - markus@cvs.openbsd.org 2003/06/12 19:12:03
+     [scard.c scard.h ssh-agent.c ssh.c]
+     add sc_get_key_label; larsch at trustcenter.de; bugzilla#591
+   - markus@cvs.openbsd.org 2003/06/16 08:22:35
+     [ssh-rsa.c]
+     make sure the signature has at least the expected length (don't
+     insist on len == hlen + oidlen, since this breaks some smartcards)
+     bugzilla #592; ok djm@
+   - markus@cvs.openbsd.org 2003/06/16 10:22:45
+     [ssh-add.c]
+     print out key comment on each prompt; make ssh-askpass more useable; ok djm@
+   - markus@cvs.openbsd.org 2003/06/17 18:14:23
+     [cipher-ctr.c]
+     use license from /usr/share/misc/license.template for new code
+ - (dtucker) [reconfigure.sh rekey.sh sftp-badcmds.sh]
+   Import new regression tests from OpenBSD
+ - (dtucker) [regress/copy.1 regress/copy.2] Remove temp data files from CVS.
+ - (dtucker) OpenBSD CVS Sync (regress/)
+   - markus@cvs.openbsd.org 2003/04/02 12:21:13
+     [Makefile]
+     enable rekey test
+   - djm@cvs.openbsd.org 2003/04/04 09:34:22
+     [Makefile sftp-cmds.sh]
+     More regression tests, including recent directory rename bug; ok markus@
+   - markus@cvs.openbsd.org 2003/05/14 22:08:27
+     [ssh-com-client.sh ssh-com-keygen.sh ssh-com-sftp.sh ssh-com.sh]
+     test against some new commerical versions
+   - mouring@cvs.openbsd.org 2003/05/15 04:07:12
+     [sftp-cmds.sh]
+     Advanced put/get testing for sftp.  OK @djm
+   - markus@cvs.openbsd.org 2003/06/12 15:40:01
+     [try-ciphers.sh]
+     add ctr
+   - markus@cvs.openbsd.org 2003/06/12 15:43:32
+     [Makefile]
+     test -HUP; dtucker at zip.com.au
+20030614
+ - (djm) Update license on fake-rfc2553.[ch]; ok itojun@
+20030611
+ - (djm) Mention portable copyright holders in LICENSE
+ - (djm) Put licenses on substantial header files
+ - (djm) Sync LICENSE against OpenBSD
+ - (djm) OpenBSD CVS Sync
+   - jmc@cvs.openbsd.org 2003/06/10 09:12:11
+     [scp.1 sftp-server.8 ssh.1 ssh-add.1 ssh-agent.1 ssh_config.5]
+     [sshd.8 sshd_config.5 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8]
+     - section reorder
+     - COMPATIBILITY merge
+     - macro cleanup
+     - kill whitespace at EOL
+     - new sentence, new line
+     ssh pages ok markus@
+   - deraadt@cvs.openbsd.org 2003/06/10 22:20:52
+     [packet.c progressmeter.c]
+     mostly ansi cleanup; pval ok
+   - jakob@cvs.openbsd.org 2003/06/11 10:16:16
+     [sshconnect.c]
+     clean up check_host_key() and improve SSHFP feedback. ok markus@
+   - jakob@cvs.openbsd.org 2003/06/11 10:18:47
+     [dns.c]
+     sync with check_host_key() change
+   - djm@cvs.openbsd.org 2003/06/11 11:18:38
+     [authfd.c authfd.h ssh-add.c ssh-agent.c]
+     make agent constraints (lifetime, confirm) work with smartcard keys; 
+     ok markus@
+20030609
+ - (djm) Sync README.smartcard with OpenBSD -current
+ - (djm) Re-merge OpenSC info into README.smartcard
+20030606
+ - (dtucker) [uidswap.c] Fix setreuid and add missing args to fatal(). ok djm@
+20030605
+ - (djm) Support AI_NUMERICHOST in fake-getaddrinfo.c. Needed for recent
+   canohost.c changes.
+ - (djm) Implement paranoid priv dropping checks, based on:
+   "SetUID demystified" - Hao Chen, David Wagner and Drew Dean
+   Proceedings of USENIX Security Symposium 2002
+ - (djm) Don't use xmalloc() or pull in toplevel headers in fake-* code
+ - (djm) Merge all the openbsd/fake-* into fake-rfc2553.[ch]
+ - (djm) Bug #588 - Add scard-opensc.o back to Makefile.in
+   Patch from larsch@trustcenter.de
+ - (djm) Bug #589 - scard-opensc: load only keys with a private keys
+   Patch from larsch@trustcenter.de
+ - (dtucker) Add includes.h to fake-rfc2553.c so it will build.
+ - (dtucker) Define EAI_NONAME in fake-rfc2553.h (used by fake-rfc2553.c).
+20030604
+ - (djm) Bug #573 - Remove unneeded Krb headers and compat goop. Patch from
+   simon@sxw.org.uk (Also matches a change in OpenBSD a while ago)
+ - (djm) Bug #577 - wrong flag in scard-opensc.c sc_private_decrypt. 
+   Patch from larsch@trustcenter.de; ok markus@
+ - (djm) Bug #584: scard-opensc.c doesn't work without PIN. Patch from 
+   larsch@trustcenter.de; ok markus@
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2003/06/04 08:25:18
+     [sshconnect.c]
+     disable challenge/response and keyboard-interactive auth methods 
+     upon hostkey mismatch. based on patch from fcusack AT fcusack.com. 
+     bz #580; ok markus@
+   - djm@cvs.openbsd.org 2003/06/04 10:23:48
+     [sshd.c]
+     remove duplicated group-dropping code; ok markus@
+   - djm@cvs.openbsd.org 2003/06/04 12:03:59
+     [serverloop.c]
+     remove bitrotten commet; ok markus@
+   - djm@cvs.openbsd.org 2003/06/04 12:18:49
+     [scp.c]
+     ansify; ok markus@
+   - djm@cvs.openbsd.org 2003/06/04 12:40:39
+     [scp.c]
+     kill ssh process upon receipt of signal, bz #241.
+     based on patch from esb AT hawaii.edu; ok markus@
+   - djm@cvs.openbsd.org 2003/06/04 12:41:22
+     [sftp.c]
+     kill ssh process on receipt of signal; ok markus@
+ - (djm) Update to fix of bug #584: lock card before return. 
+   From larsch@trustcenter.de
+ - (djm) Always use mysignal() for SIGALRM
+20030603
+ - (djm) Replace setproctitle replacement with code derived from 
+   UCB sendmail
+ - (djm) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2003/06/02 09:17:34
+     [auth2-hostbased.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c]
+     [canohost.c monitor.c servconf.c servconf.h session.c sshd_config]
+     [sshd_config.5]
+     deprecate VerifyReverseMapping since it's dangerous if combined
+     with IP based access control as noted by Mike Harding; replace with
+     a UseDNS option, UseDNS is on by default and includes the
+     VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
+     ok deraadt@, djm@
+   - millert@cvs.openbsd.org 2003/06/03 02:56:16
+     [scp.c]
+     Remove the advertising clause in the UCB license which Berkeley
+     rescinded 22 July 1999.  Proofed by myself and Theo.
+ - (djm) Fix portable-specific uses of verify_reverse_mapping too
+ - (djm) Sync openbsd-compat with OpenBSD CVS. 
+    - No more 4-term BSD licenses in linked code
+ - (dtucker) [port-aix.c bsd-cray.c] Fix uses of verify_reverse_mapping.
+20030602
+ - (djm) Fix segv from bad reordering in auth-pam.c
+ - (djm) Always use saved_argv in sshd.c as compat_init_setproctitle may 
+   clobber
+ - (tim) openbsd-compat/xmmap.[ch] License clarifications. Add missing
+   CVS ID.
+ - (djm) Remove "noip6" option from RedHat spec file. This may now be 
+   set at runtime using AddressFamily option.
+ - (djm) Fix use of macro before #define in cipher-aes.c
+ - (djm) Sync license on openbsd-compat/bindresvport.c with OpenBSD CVS
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2003/05/26 12:54:40
+     [sshconnect.c]
+     fix format strings; ok markus@
+   - deraadt@cvs.openbsd.org 2003/05/29 16:58:45
+     [sshd.c uidswap.c]
+     seteuid and setegid; markus ok
+   - jakob@cvs.openbsd.org 2003/06/02 08:31:10
+     [ssh_config.5]
+     VerifyHostKeyDNS is v2 only. ok markus@
+20030530
+ - (dtucker) Add missing semicolon in md5crypt.c, patch from openssh at
+   roumenpetrov.info
+ - (dtucker) Define SSHD_ACQUIRES_CTTY for NCR MP-RAS and Reliant Unix.
+20030526
+ - (djm) Avoid auth2-chall.c warning when compiling without 
+   PAM, BSD_AUTH and SKEY
+20030525
+- (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2003/05/24 09:02:22
+     [log.c]
+     pass logged data through strnvis; ok markus
+   - djm@cvs.openbsd.org 2003/05/24 09:30:40
+     [authfile.c monitor.c sftp-common.c sshpty.c]
+     cast some types for printing; ok markus@
+20030524
+ - (dtucker) Correct --osfsia in INSTALL.  Patch by skeleten at shillest.net
+20030523
+ - (djm) Use VIS_SAFE on logged strings rather than default strnvis 
+   encoding (which encodes many more characters)
+ - OpenBSD CVS Sync
+   - jmc@cvs.openbsd.org 2003/05/20 12:03:35
+     [sftp.1]
+     - new sentence, new line
+     - added .Xr's
+     - typos
+     ok djm@
+   - jmc@cvs.openbsd.org 2003/05/20 12:09:31
+     [ssh.1 ssh_config.5 sshd.8 sshd_config.5 ssh-keygen.1]
+     new sentence, new line
+   - djm@cvs.openbsd.org 2003/05/23 08:29:30
+     [sshconnect.c]
+     fix leak; ok markus@
+20030520
+ - (djm) OpenBSD CVS Sync
+   - deraadt@cvs.openbsd.org 2003/05/18 23:22:01
+     [log.c]
+     use syslog_r() in a signal handler called place; markus ok
+ - (djm) Configure logic to detect syslog_r and friends
+20030519
+ - (djm) Sync auth-pam.h with what we actually implement
+20030518
+ - (djm) Return of the dreaded PAM_TTY_KLUDGE, which went missing in 
+   recent merge
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2003/05/16 03:27:12
+     [readconf.c ssh_config ssh_config.5 ssh-keysign.c]
+     add AddressFamily option to ssh_config (like -4, -6 on commandline).
+     Portable bug #534; ok markus@
+   - itojun@cvs.openbsd.org 2003/05/17 03:25:58
+     [auth-rhosts.c]
+     just in case, put numbers to sscanf %s arg.
+   - markus@cvs.openbsd.org 2003/05/17 04:27:52
+     [cipher.c cipher-ctr.c myproposal.h]
+     experimental support for aes-ctr modes from
+     http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt
+     ok djm@
+ - (djm) Remove IPv4 by default hack now that we can specify AF in config
+ - (djm) Tidy and trim TODO
+ - (djm) Sync openbsd-compat/ with OpenBSD CVS head
+ - (djm) Big KNF on openbsd-compat/
+ - (djm) KNF on md5crypt.[ch]
+ - (djm) KNF on auth-sia.[ch]
+20030517
+ - (bal) strcat -> strlcat on openbsd-compat/realpath.c (rev 1.8 OpenBSD)
+20030516
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2003/05/15 13:52:10
+     [ssh.c]
+     Make "ssh -V" print the OpenSSL version in a human readable form. Patch
+     from Craig Leres (mindrot at ee.lbl.gov); ok markus@
+   - jakob@cvs.openbsd.org 2003/05/15 14:02:47
+     [readconf.c servconf.c]
+     warn for unsupported config option. ok markus@
+   - markus@cvs.openbsd.org 2003/05/15 14:09:21
+     [auth2-krb5.c]
+     fix 64bit issue; report itojun@
+   - djm@cvs.openbsd.org 2003/05/15 14:55:25
+     [readconf.c readconf.h ssh_config ssh_config.5 sshconnect.c]
+     add a ConnectTimeout option to ssh, based on patch from
+     Jean-Charles Longuet (jclonguet at free.fr); portable #207 ok markus@
+ - (djm) Add warning for UsePAM when built without PAM support
+ - (djm) A few type mismatch fixes from Bug #565
+ - (djm) Guard free_pam_environment against NULL argument. Works around
+   HP/UX PAM problems debugged by dtucker
+20030515
+ - (djm) OpenBSD CVS Sync
+   - jmc@cvs.openbsd.org 2003/05/14 13:11:56
+     [ssh-agent.1]
+     setup -> set up;
+     from wiz@netbsd
+   - jakob@cvs.openbsd.org 2003/05/14 18:16:20
+     [key.c key.h readconf.c readconf.h ssh_config.5 sshconnect.c]
+     [dns.c dns.h README.dns ssh-keygen.1 ssh-keygen.c]
+     add experimental support for verifying hos keys using DNS as described
+     in draft-ietf-secsh-dns-xx.txt. more information in README.dns.
+     ok markus@ and henning@
+   - markus@cvs.openbsd.org 2003/05/14 22:24:42
+     [clientloop.c session.c ssh.1]
+     allow to send a BREAK to the remote system; ok various
+   - markus@cvs.openbsd.org 2003/05/15 00:28:28
+     [sshconnect2.c]
+     cleanup unregister of per-method packet handlers; ok djm@
+   - jakob@cvs.openbsd.org 2003/05/15 01:48:10
+     [readconf.c readconf.h servconf.c servconf.h]
+     always parse kerberos options. ok djm@ markus@
+   - jakob@cvs.openbsd.org 2003/05/15 02:27:15
+     [dns.c]
+     add missing freerrset
+   - markus@cvs.openbsd.org 2003/05/15 03:08:29
+     [cipher.c cipher-bf1.c cipher-aes.c cipher-3des1.c]
+     split out custom EVP ciphers
+   - djm@cvs.openbsd.org 2003/05/15 03:10:52
+     [ssh-keygen.c]
+     avoid warning; ok jakob@
+   - mouring@cvs.openbsd.org 2003/05/15 03:39:07
+     [sftp-int.c]
+     Make put/get (globed and nonglobed) code more consistant. OK djm@
+   - mouring@cvs.openbsd.org 2003/05/15 03:43:59
+     [sftp-int.c sftp.c]
+     Teach ls how to display multiple column display and allow users 
+     to return to single column format via 'ls -1'.  OK @djm
+   - jakob@cvs.openbsd.org 2003/05/15 04:08:44
+     [readconf.c servconf.c]
+     disable kerberos when not supported. ok markus@
+   - markus@cvs.openbsd.org 2003/05/15 04:08:41
+     [ssh.1]
+     ~B is ssh2 only
+ - (djm) Always parse UsePAM
+ - (djm) Configure glue for DNS support (code doesn't work in portable yet)
+ - (djm) Import getrrsetbyname() function from OpenBSD libc (for DNS support)
+ - (djm) Tidy Makefile clean targets
+ - (djm) Adapt README.dns for portable
+ - (djm) Avoid uuencode.c warnings
+ - (djm) Enable UsePAM when built --with-pam
+ - (djm) Only build getrrsetbyname replacement when using --with-dns
+ - (djm) Bug #529: sshd doesn't work correctly after SIGHUP (copy argv 
+         correctly)
+ - (djm) Bug #444: Wrong paths after reconfigure
+ - (dtucker) HP-UX needs to include <sys/strtio.h> for TIOCSBRK
+20030514
+ - (djm) Bug #117: Don't lie to PAM about username
+ - (djm) RCSID sync w/ OpenBSD
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2003/04/09 12:00:37
+     [readconf.c]
+     strip trailing whitespace from config lines before parsing. 
+     Fixes bz 528; ok markus@
+   - markus@cvs.openbsd.org 2003/04/12 10:13:57
+     [cipher.c]
+     hide cipher details; ok djm@
+   - markus@cvs.openbsd.org 2003/04/12 10:15:36
+     [misc.c]
+     debug->debug2
+   - naddy@cvs.openbsd.org 2003/04/12 11:40:15
+     [ssh.1]
+     document -V switch, fix wording; ok markus@
+   - markus@cvs.openbsd.org 2003/04/14 14:17:50
+     [channels.c sshconnect.c sshd.c ssh-keyscan.c]
+     avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP
+   - mouring@cvs.openbsd.org 2003/04/14 21:31:27
+     [sftp-int.c]
+     Missing globfree(&g) in process_put() spotted by Vince Brimhall
+     <VBrimhall@novell.com>.  ok@ Theo
+   - markus@cvs.openbsd.org 2003/04/16 14:35:27
+     [auth.h]
+     document struct Authctxt; with solar
+   - deraadt@cvs.openbsd.org 2003/04/26 04:29:49
+     [ssh-keyscan.c]
+     -t in usage(); rogier@quaak.org
+   - mouring@cvs.openbsd.org 2003/04/30 01:16:20
+     [sshd.8 sshd_config.5]
+     Escape ?, * and ! in .Ql for nroff compatibility.  OpenSSH Portable 
+     Bug #550 and * escaping suggested by jmc@.
+   - david@cvs.openbsd.org 2003/04/30 20:41:07
+     [sshd.8]
+     fix invalid .Pf macro usage introduced in previous commit
+     ok jmc@ mouring@
+   - markus@cvs.openbsd.org 2003/05/11 16:56:48
+     [authfile.c ssh-keygen.c]
+     change key_load_public to try to read a public from:
+     rsa1 private or rsa1 public and ssh2 keys.
+     this makes ssh-keygen -e fail for ssh1 keys more gracefully
+     for example; report from itojun (netbsd pr 20550).
+   - markus@cvs.openbsd.org 2003/05/11 20:30:25
+     [channels.c clientloop.c serverloop.c session.c ssh.c]
+     make channel_new() strdup the 'remote_name' (not the caller); ok theo
+   - markus@cvs.openbsd.org 2003/05/12 16:55:37
+     [sshconnect2.c]
+     for pubkey authentication try the user keys in the following order:
+        1. agent keys that are found in the config file
+        2. other agent keys
+        3. keys that are only listed in the config file
+     this helps when an agent has many keys, where the server might
+     close the connection before the correct key is used. report & ok pb@
+   - markus@cvs.openbsd.org 2003/05/12 18:35:18
+     [ssh-keyscan.1]
+     typo: DSA keys are of type ssh-dss; Brian Poole
+   - markus@cvs.openbsd.org 2003/05/14 00:52:59
+     [ssh2.h]
+     ranges for per auth method messages
+   - djm@cvs.openbsd.org 2003/05/14 01:00:44
+     [sftp.1]
+     emphasise the batchmode functionality and make reference to pubkey auth,
+     both of which are FAQs; ok markus@
+   - markus@cvs.openbsd.org 2003/05/14 02:15:47
+     [auth2.c monitor.c sshconnect2.c auth2-krb5.c]
+     implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
+     server interops with commercial client; ok jakob@ djm@
+   - jmc@cvs.openbsd.org 2003/05/14 08:25:39
+     [sftp.1]
+     - better formatting in SYNOPSIS
+     - whitespace at EOL
+     ok djm@
+   - markus@cvs.openbsd.org 2003/05/14 08:57:49
+     [monitor.c]
+     http://bugzilla.mindrot.org/show_bug.cgi?id=560
+     Privsep child continues to run after monitor killed.
+     Pass monitor signals through to child; Darren Tucker
+ - (djm) Make portable build with MIT krb5 (some issues remain)
+ - (djm) Add new UsePAM configuration directive to allow runtime control
+   over usage of PAM. This allows non-root use of sshd when built with
+   --with-pam
+ - (djm) Die screaming if start_pam() is called when UsePAM=no
+ - (djm) Avoid KrbV leak for MIT Kerberos
+ - (dtucker) Set ai_socktype and ai_protocol in fake-getaddrinfo.c. ok djm@
+ - (djm) Bug #258: sscanf("[0-9]") -> sscanf("[0123456789]") for portability
+20030512
+ - (djm) Redhat spec: Don't install profile.d scripts when not 
+   building with GNOME/GTK askpass (patch from bet@rahul.net)
+20030510
+ - (dtucker) Bug #318: Create ssh_prng_cmds.out during "make" rather than
+   "make install".  Patch by roth@feep.net.
+ - (dtucker) Bug #536: Test for and work around openpty/controlling tty
+   problem on Linux (fixes "could not set controlling tty" errors).
+ - (djm) Merge FreeBSD PAM code: replaces PAM password auth kludge with 
+   proper challenge-response module
+ - (djm) 2-clause license on loginrec.c, with permission from
+   andre@ae-35.com
+20030504
+ - (dtucker) Bug #497: Move #include of bsd-cygwin_util.h to openbsd-compat.h.
+   Patch from vinschen@redhat.com.
+20030503
+ - (dtucker) Add missing "void" to record_failed_login in bsd-cray.c.  Noted
+   by wendyp@cray.com.
+20030502
+ - (dtucker) Bug #544: ignore invalid cmsg_type on Linux 2.0 kernels,
+   privsep should now work.
+ - (dtucker) Move handling of bad password authentications into a platform
+   specific record_failed_login() function (affects AIX & Unicos). ok mouring@
 20030429
 - (djm) Add back radix.o (used by AFS support), after it went missing from
   Makefile many moons ago
@@ -5,6 +997,60 @@
 - (djm) Fix blibpath specification for AIX/gcc
 - (djm) Some systems have basename in -lgen. Fix from ayamura@ayamura.org
+20030428
+ - (bal) [defines.h progressmeter.c scp.c] Some more culling of non 64bit 
+   hacked code.
+20030427
+ - (bal) Bug #541: return; was dropped by mistake.  Reported by 
+   furrier@iglou.com
+ - (bal) Since we don't support platforms lacking u_int_64.  We may
+   as well clean out some of those evil #ifdefs
+ - (bal) auth1.c minor resync while looking at the code.
+ - (bal) auth2.c same changed as above.
+20030409
+ - (djm) Bug #539: Specify creation mode with O_CREAT for lastlog. Report 
+   from matth@eecs.berkeley.edu
+ - (djm) Make the spec work with Redhat 9.0 (which renames sharutils)
+ - (djm) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2003/04/02 09:48:07
+     [clientloop.c monitor.c monitor_wrap.c packet.c packet.h readconf.c]
+     [readconf.h serverloop.c sshconnect2.c]
+     reapply rekeying chage, tested by henning@, ok djm@
+   - markus@cvs.openbsd.org 2003/04/02 14:36:26
+     [ssh-keysign.c]
+     potential segfault if KEY_UNSPEC; cjwatson@debian.org; bug #526
+   - itojun@cvs.openbsd.org 2003/04/03 07:25:27
+     [progressmeter.c]
+     $OpenBSD$
+   - itojun@cvs.openbsd.org 2003/04/03 10:17:35
+     [progressmeter.c]
+     remove $OpenBSD$, as other *.c does not have it.
+   - markus@cvs.openbsd.org 2003/04/07 08:29:57
+     [monitor_wrap.c]
+     typo: get correct counters; introduced during rekeying change.
+   - millert@cvs.openbsd.org 2003/04/07 21:58:05
+     [progressmeter.c]
+     The UCB copyright here is incorrect.  This code did not originate
+     at UCB, it was written by Luke Mewburn.  Updated the copyright at
+     the author's request.  markus@ OK
+   - itojun@cvs.openbsd.org 2003/04/08 20:21:29
+     [*.c *.h]
+     rename log() into logit() to avoid name conflict.  markus ok, from
+     netbsd
+     - (djm) XXX - Performed locally using:
+       "perl -p -i -e 's/(\s|^)log\(/$1logit\(/g' *.c *.h"
+   - hin@cvs.openbsd.org 2003/04/09 08:23:52
+     [servconf.c]
+     Don't include <krb.h> when compiling with Kerberos 5 support
+   - (djm) Fix up missing include for packet.c
+   - (djm) Fix missed log => logit occurance (reference by function pointer)
+20030402
+ - (bal) if IP_TOS is not found or broken don't try to compile in
+   packet_set_tos() function call.  bug #527
 20030401
 - (djm) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2003/03/28 10:11:43
@@ -61,1245 +1107,4 @@
 - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
   Report from murple@murple.net, diagnosis from dtucker@zip.com.au
-20030320
+$Id: ChangeLog,v 1.2994.2.4 2003/09/16 06:00:52 djm Exp $
- - (djm) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2003/03/17 10:38:38
-     [progressmeter.c]
-     don't print \n if backgrounded; from ho@
-   - markus@cvs.openbsd.org 2003/03/17 11:43:47
-     [version.h]
-     enter 3.6
- - (bal) The days of lack of int64_t support are over.  Sorry kids.
- - (bal) scp.c 'limit' conflicts with Cray.  Rename to 'limitbw'
- - (bal) Collection of Cray patches (bsd-cray.h fix for CRAYT3E and improved
-   guessing rules)
- - (bal) Disable Privsep for Tru64 after pre-authentication due to issues
-   with SIA.  Also, clean up of tru64 support patch by Chris Adams
-   <cmadams@hiwaay.net>
- - (tim) [contrib/caldera/openssh.spec] workaround RPM quirk. Fix %files
-20030318
- - (tim) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h]
-   add nanosleep(). testing/corrections by Darren Tucker <dtucker@zip.com.au>
-20030317
- - (djm) Fix return value checks for RAND_bytes. Report from 
-   Steve G <linux_4ever@yahoo.com>
-20030315
- - (djm) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2003/03/13 11:42:19
-     [authfile.c ssh-keysign.c]
-     move RSA_blinding_on to generic key load method
-   - markus@cvs.openbsd.org 2003/03/13 11:44:50
-     [ssh-agent.c]
-     ssh-agent is similar to ssh-keysign (allows other processes to use
-     private rsa keys). however, it gets key over socket and not from
-     a file, so we have to do blinding here as well.
-20030310
- (djm) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2003/03/05 22:33:43
-     [channels.c monitor.c scp.c session.c sftp-client.c sftp-int.c]
-     [sftp-server.c ssh-add.c sshconnect2.c]
-     fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@
- - (djm) One more portable-specific one from dlheine@suif.Stanford.EDU/
-   CLOUSEAU
- - (djm) Bug #245: TTY problems on Solaris. Fix by stevesk@ and 
-   dtucker@zip.com.au
- - (djm) AIX package builder update from dtucker@zip.com.au
-20030225
- - (djm) Fix some compile errors spotted by dtucker and his fabulous 
-   tinderbox
-20030224
- - (djm) Tweak gnome-ssh-askpass2:
-   - Retry kb and mouse grab a couple of times, so passphrase dialog doesn't 
-     immediately fail if you are doing something else when it appears (e.g. 
-     dragging a window)
-   - Perform server grab after we have the keyboard and/or pointer to avoid 
-     races.
- - (djm) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2003/01/27 17:06:31
-     [sshd.c]
-     more specific error message when /var/empty has wrong permissions;
-     bug #46, map@appgate.com; ok henning@, provos@, stevesk@
-   - markus@cvs.openbsd.org 2003/01/28 16:11:52
-     [scp.1]
-     document -l; pekkas@netcore.fi
-   - stevesk@cvs.openbsd.org 2003/01/28 17:24:51
-     [scp.1]
-     remove example not pertinent with -1 addition; ok markus@
-   - jmc@cvs.openbsd.org 2003/01/31 21:54:40
-     [sshd.8]
-     typos; sshd(8): help and ok markus@
-     help and ok millert@
-   - markus@cvs.openbsd.org 2003/02/02 10:51:13
-     [scp.c]
-     call okname() only when using system(3) for remote-remote copy;
-     fixes bugs #483, #472; ok deraadt@, mouring@
-   - markus@cvs.openbsd.org 2003/02/02 10:56:08
-     [kex.c]
-     add support for key exchange guesses; based on work by
-     avraham.fraenkel@commatch.com; fixes bug #148; ok deraadt@
-   - markus@cvs.openbsd.org 2003/02/03 08:56:16
-     [sshpty.c]
-     don't call error() for readonly /dev; from soekris list; ok mcbride,
-     henning, deraadt.
-   - markus@cvs.openbsd.org 2003/02/04 09:32:08
-     [key.c]
-     better debug3 message
-   - markus@cvs.openbsd.org 2003/02/04 09:33:22
-     [monitor.c monitor_wrap.c]
-     skey/bsdauth: use 0 to indicate failure instead of -1, because
-     the buffer API only supports unsigned ints.
-   - markus@cvs.openbsd.org 2003/02/05 09:02:28
-     [readconf.c]
-     simplify ProxyCommand parsing, remove strcat/xrealloc; ok henning@, djm@
-   - markus@cvs.openbsd.org 2003/02/06 09:26:23
-     [session.c]
-     missing call to setproctitle() after authentication; ok provos@
-   - markus@cvs.openbsd.org 2003/02/06 09:27:29
-     [ssh.c ssh_config.5]
-     support 'ProxyCommand none'; bugzilla #433; binder@arago.de; ok djm@
-   - markus@cvs.openbsd.org 2003/02/06 09:29:18
-     [sftp-server.c]
-     fix races in rename/symlink; from Tony Finch; ok djm@
-   - markus@cvs.openbsd.org 2003/02/06 21:22:43
-     [auth1.c auth2.c]
-     undo broken fix for #387, fixes #486
-   - markus@cvs.openbsd.org 2003/02/10 11:51:47
-     [ssh-add.1]
-     xref sshd_config.5 (not sshd.8); mark@summersault.com; bug #490
-   - markus@cvs.openbsd.org 2003/02/12 09:33:04
-     [key.c key.h ssh-dss.c ssh-rsa.c]
-     merge ssh-dss.h ssh-rsa.h into key.h; ok deraadt@
-   - markus@cvs.openbsd.org 2003/02/12 21:39:50
-     [crc32.c crc32.h]
-     replace crc32.c with a BSD licensed version; noted by David Turner
-   - markus@cvs.openbsd.org 2003/02/16 17:09:57
-     [kex.c kexdh.c kexgex.c kex.h sshconnect2.c sshd.c ssh-keyscan.c]
-     split kex into client and server code, no need to link
-     server code into the client; ok provos@
-   - markus@cvs.openbsd.org 2003/02/16 17:30:33
-     [monitor.c monitor_wrap.c]
-     fix permitrootlogin forced-commands-only for privsep; bux #387; 
-     ok provos@
-   - markus@cvs.openbsd.org 2003/02/21 09:05:53
-     [servconf.c]
-     print sshd_config filename in debug2 mode.
-   - mpech@cvs.openbsd.org 2003/02/21 10:34:48
-     [auth-krb4.c]
-     ...sizeof(&adat.session) is not good here.
-     henning@, deraadt@, millert@
- - (djm) Add new object files to Makefile and reorder
- - (djm) Bug #501: gai_strerror should return char*; 
-   fix from dtucker@zip.com.au
- - (djm) Most of Bug #499: Cygwin compile fixes for new progressmeter;
-   From vinschen@redhat.com
- - (djm) Rest of Bug #499: Import a basename() function from OpenBSD libc
- - (djm) Bug #494: Allow multiple accounts on Windows 9x/Me; 
-   From vinschen@redhat.com
- - (djm) Bug #456: Support for NEC SX6 with Unicos; from wendyp@cray.com
-20030211
- - (djm) Cygwin needs libcrypt too. Patch from vinschen@redhat.com
-20030206
- - (djm) Teach fake-getaddrinfo to use getservbyname() when provided a 
-   string service name. Suggested by markus@, review by itojun@
-20030131
- - (bal) AIX 4.2.1 lacks nanosleep().  Patch to use nsleep() provided by
-   dtucker@zip.com.au
-20030130
- - (djm) Unbreak root password auth. Spotted by dtucker@zip.com.au
-200301028
- - (djm) Search libposix4 and librt for nanosleep. From dtucker@zip.com.au 
-   and openssh-unix-dev@thewrittenword.com 
-200301027
- - (bal) Bugzilla 477 patch by wendyp@cray.com.  Define TIOCGPGRP for
-   cray.  Also removed test for tcgetpgrp in configure.ac since it
-   is no longer used.
-20030124
- - (djm) OpenBSD CVS Sync
-   - jmc@cvs.openbsd.org 2003/01/23 08:58:47
-     [sshd_config.5]
-     typos; ok millert@
-   - markus@cvs.openbsd.org 2003/01/23 13:50:27
-     [authfd.c authfd.h readpass.c ssh-add.1 ssh-add.c ssh-agent.c]
-     ssh-add -c, prompt user for confirmation (using ssh-askpass) when
-     private agent key is used; with djm@; test by dugsong@, djm@; 
-     ok deraadt@
-   - markus@cvs.openbsd.org 2003/01/23 14:01:53
-     [scp.c]
-     bandwidth limitation patch (scp -l) from niels@; ok todd@, deraadt@
-   - markus@cvs.openbsd.org 2003/01/23 14:06:15
-     [scp.1 scp.c]
-     scp -12; Sam Smith and others; ok provos@, deraadt@
- - (djm) Add TIMEVAL_TO_TIMESPEC macros
-20030123
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2003/01/23 00:03:00
-     [auth1.c]
-     Don't log TIS auth response; "get rid of it" - markus@
-20030122
- - (djm) OpenBSD CVS Sync
-   - marc@cvs.openbsd.org 2003/01/21 18:14:36
-     [ssh-agent.1 ssh-agent.c]
-     Add a -t life option to ssh-agent that set the default lifetime.
-     The default can still be overriden by using -t in ssh-add.
-     OK markus@
- - (djm) Reorganise PAM & SIA password handling to eliminate some common code
- - (djm) Sync regress with OpenBSD -current
-20030120
- - (djm) Fix compilation for NetBSD from dtucker@zip.com.au
- - (tim) [progressmeter.c] make compilers without long long happy.
- - (tim) [configure.ac] Add -belf to build ELF binaries on OpenServer 5 when
-   using cc. (gcc already did)
-20030118
- - (djm) Revert fix for Bug #442 for now.
-20030117
- - (djm) Bug #470: Detect strnvis, not strvis in configure.
-    From d_wllms@lanl.gov
-20030116
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2003/01/16 03:41:55
-     [sftp-int.c]
-     explicitly use first glob result
-20030114
- - (djm) OpenBSD CVS Sync
-   - fgsch@cvs.openbsd.org 2003/01/10 23:23:24
-     [sftp-int.c]
-     typo; from Nils Nordman <nino at nforced dot com>.
-   - markus@cvs.openbsd.org 2003/01/11 18:29:43
-     [log.c]
-     set fatal_cleanups to NULL in fatal_remove_all_cleanups(); 
-     dtucker@zip.com.au
-   - markus@cvs.openbsd.org 2003/01/12 16:57:02
-     [progressmeter.c]
-     allow WARNINGS=yes; ok djm@
-   - djm@cvs.openbsd.org 2003/01/13 11:04:04
-     [sftp-int.c]
-     make cmds[] array static to avoid conflict with BSDI libc.
-     mindrot bug #466. Fix from mdev@idg.nl; ok markus@
-   - djm@cvs.openbsd.org 2003/01/14 10:58:00
-     [sftp-client.c sftp-int.c]
-     Don't try to upload or download non-regular files. Report from
-     apoloval@pantuflo.escet.urjc.es; ok markus@
-20030113
- - (djm) Rework openbsd-compat/setproctitle.c a bit: move emulation type
-   detection to configure.ac. Prompted by stevesk@
- - (djm) Bug #467: Add a --disable-strip option to turn off stripping of 
-   installed binaries. From mdev@idg.nl
-20030110
- - (djm) Enable new setproctitle emulation for Linux, AIX and HP/UX. More 
-   systems may be added later.
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2003/01/08 23:53:26
-     [sftp.1 sftp.c sftp-int.c sftp-int.h]
-     Cleanup error handling for batchmode
-     Allow blank lines and comments in input
-     Ability to suppress abort on error in batchmode ("-put blah")
-     Fixes mindrot bug #452; markus@ ok
-   - fgsch@cvs.openbsd.org 2003/01/10 08:19:07
-     [scp.c sftp.1 sftp.c sftp-client.c sftp-int.c  progressmeter.c]
-     [progressmeter.h]
-     sftp progress meter support.
-     original diffs by Nils Nordman <nino at nforced dot com> via 
-     markus@, merged to -current by me, djm@ ok.
-   - djm@cvs.openbsd.org 2003/01/10 08:48:15
-     [sftp-client.c]
-     Simplify and avoid redundancy in packet send and receive 
-     functions; ok fgs@
-   - djm@cvs.openbsd.org 2003/01/10 10:29:35
-     [scp.c]
-     Don't ftruncate after write error, creating sparse files of 
-     incorrect length
-     mindrot bug #403, reported by rusr@cup.hp.com; ok markus@
-   - djm@cvs.openbsd.org 2003/01/10 10:32:54
-     [channels.c]
-     hush socket() errors, except last. Fixes mindrot bug #408; ok markus@
-20030108
- - (djm) Sync openbsd-compat/ with OpenBSD -current
- - (djm) Avoid redundant xstrdup/xfree in auth2-pam.c. From Solar via markus@
- - (djm) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2003/01/01 18:08:52
-     [channels.c]
-     move big output buffer messages to debug2
-   - djm@cvs.openbsd.org 2003/01/06 23:51:22
-     [sftp-client.c]
-     Fix "get -p" download to not add user-write perm. mindrot bug #426
-     reported by gfernandez@livevault.com; ok markus@
-   - fgsch@cvs.openbsd.org 2003/01/07 23:42:54
-     [sftp.1]
-     add version; from Nils Nordman <nino at nforced dot com> via markus@.
-     markus@ ok
- - (djm) Update README to reflect AIX's status as a well supported platform.
-   From dtucker@zip.com.au
- - (tim) [Makefile.in configure.ac] replace fixpath with sed script. Patch
-   by Mo DeJong.
- - (tim) [auth.c] declare today at top of allowed_user() to keep
-   older compilers happy.
- - (tim) [scp.c] make compilers without long long happy.
-20030107
- - (djm) Bug #401: Work around Linux breakage with IPv6 mapped addresses. 
-   Based on fix from yoshfuji@linux-ipv6.org
- - (djm) Bug #442: Check for and deny access to accounts with locked 
-   passwords. Patch from dtucker@zip.com.au
- - (djm) Bug #44: Use local mkstemp() rather than glibc's silly one. Fixes
-   Can't pass KRB4 TGT passing. Fix from: jan.iven@cern.ch
- - (djm) Fix Bug #442 for PAM case
- - (djm) Bug #110: bogus error messages in lastlog_get_entry(). Fix based
-   on one by peak@argo.troja.mff.cuni.cz
- - (djm) Bug #111: Run syslog and stderr logging through strnvis to eliminate
-   nasties. Report from peak@argo.troja.mff.cuni.cz
- - (djm) Bug #178: On AIX /etc/nologin wasnt't shown to users. Fix from 
-   Ralf.Wenk@fh-karlsruhe.de and dtucker@zip.com.au
- - (djm) Fix my fix of the fix for the Bug #442 for PAM case. Spotted by 
-   dtucker@zip.com.au. Reorder for clarity too.
-20030103
- - (djm) Bug #461: ssh-copy-id fails with no arguments. Patch from 
-   cjwatson@debian.org
- - (djm) Bug #460: Filling utmp[x]->ut_addr_v6 if present. Patch from 
-   cjwatson@debian.org
- - (djm) Bug #446: Set LOGIN env var to pw_name on AIX. Patch from 
-   mii@ornl.gov 
-20030101
-  - (stevesk) [session.c sshlogin.c sshlogin.h] complete portable
-    parts of pass addrlen with sockaddr * fix.
-    from Hajimu UMEMOTO <ume@FreeBSD.org>
-20021222
- - (bal) OpenBSD CVS Sync
-   - fgsch@cvs.openbsd.org 2002/11/15 10:03:09
-     [authfile.c]
-     lseek(2) may return -1 when getting the public/private key lenght.
-     Simplify the code and check for errors using fstat(2).
-     Problem reported by Mauricio Sanchez, markus@ ok.
-   - markus@cvs.openbsd.org 2002/11/18 16:43:44
-     [clientloop.c]
-     don't overwrite SIG{INT,QUIT,TERM} handler if set to SIG_IGN;
-     e.g. if ssh is used for backup; report Joerg Schilling; ok millert@
-   - markus@cvs.openbsd.org 2002/11/21 22:22:50
-     [dh.c]
-     debug->debug2
-   - markus@cvs.openbsd.org 2002/11/21 22:45:31
-     [cipher.c kex.c packet.c sshconnect.c sshconnect2.c]
-     debug->debug2, unify debug messages
-   - deraadt@cvs.openbsd.org 2002/11/21 23:03:51
-     [auth-krb5.c auth1.c hostfile.h monitor_wrap.c sftp-client.c sftp-int.c ssh-add.c ssh-rsa.c 
-      sshconnect.c]
-     KNF
-   - markus@cvs.openbsd.org 2002/11/21 23:04:33
-     [ssh.c]
-     debug->debug2
-   - stevesk@cvs.openbsd.org 2002/11/24 21:46:24
-     [ssh-keysign.8]
-     typo: "the the"
-   - wcobb@cvs.openbsd.org 2002/11/26 00:45:03
-     [scp.c ssh-keygen.c]
-     Remove unnecessary fflush(stderr) calls, stderr is unbuffered by default.
-     ok markus@
-   - stevesk@cvs.openbsd.org 2002/11/26 02:35:30
-     [ssh-keygen.1]
-     remove outdated statement; ok markus@ deraadt@
-   - stevesk@cvs.openbsd.org 2002/11/26 02:38:54
-     [canohost.c]
-     KNF, comment and error message repair; ok markus@
-   - markus@cvs.openbsd.org 2002/11/27 17:53:35
-     [scp.c sftp.c ssh.c]
-     allow usernames with embedded '@', e.g. scp user@vhost@realhost:file /tmp;
-     http://bugzilla.mindrot.org/show_bug.cgi?id=447; ok mouring@, millert@
-   - stevesk@cvs.openbsd.org 2002/12/04 04:36:47
-     [session.c]
-     remove xauth entries before add; PR 2994 from janjaap@stack.nl.
-     ok markus@
-   - markus@cvs.openbsd.org 2002/12/05 11:08:35
-     [scp.c]
-     use roundup() similar to rcp/util.c and avoid problems with strange
-     filesystem block sizes, noted by tjr@freebsd.org; ok djm@
-   - djm@cvs.openbsd.org 2002/12/06 05:20:02
-     [sftp.1]
-     Fix cut'n'paste error, spotted by matthias.riese@b-novative.de; ok deraadt@
-   - millert@cvs.openbsd.org 2002/12/09 16:50:30
-     [ssh.c]
-     Avoid setting optind to 0 as GNU getopt treats that like we do optreset.
-     markus@ OK
-   - markus@cvs.openbsd.org 2002/12/10 08:56:00
-     [session.c]
-     Make sure $SHELL points to the shell from the password file, even if shell
-     is overridden from login.conf; bug#453; semen at online.sinor.ru; ok millert@
-   - markus@cvs.openbsd.org 2002/12/10 19:26:50
-     [packet.c]
-     move tos handling to packet_set_tos; ok provos/henning/deraadt
-   - markus@cvs.openbsd.org 2002/12/10 19:47:14
-     [packet.c]
-     static
-   - markus@cvs.openbsd.org 2002/12/13 10:03:15
-     [channels.c misc.c sshconnect2.c]
-     cleanup debug messages, more useful information for the client user.
-   - markus@cvs.openbsd.org 2002/12/13 15:20:52
-     [scp.c]
-     1) include stalling time in total time
-     2) truncate filenames to 45 instead of 20 characters
-     3) print rate instead of progress bar, no more stars
-     4) scale output to tty width
-     based on a patch from Niels; ok fries@ lebel@ fgs@ millert@
- - (bal) [msg.c msg.h scp.c ssh-keysign.c sshconnect2.c]  Resync CVS IDs since 
-   we already did s/msg_send/ssh_msg_send/
-20021205
- - (djm) PERL-free fixpaths from stuge-openssh-unix-dev@cdy.org
-20021122
- - (tim) [configure.ac] fix STDPATH test for IRIX. First reported by
-   advax@triumf.ca. This type of solution tested by <herb@sgi.com>
-20021113
- - (tim) [configure.ac] remove unused variables no_libsocket and no_libnsl
-20021111
- - (tim) [contrib/solaris/opensshd.in] add umask 022 so sshd.pid is
-   not world writable.
-20021109
- - (bal) OpenBSD CVS Sync
-   - itojun@cvs.openbsd.org 2002/10/16 14:31:48
-     [sftp-common.c]
-     64bit pedant.  %llu is "unsigned long long".  markus ok
-   - markus@cvs.openbsd.org 2002/10/23 10:32:13
-     [packet.c]
-     use %u for u_int
-   - markus@cvs.openbsd.org 2002/10/23 10:40:16
-     [bufaux.c]
-     %u for u_int
-   - markus@cvs.openbsd.org 2002/11/04 10:07:53
-     [auth.c]
-     don't compare against pw_home if realpath fails for pw_home (seen 
-     on AFS); ok djm@
-   - markus@cvs.openbsd.org 2002/11/04 10:09:51
-     [packet.c]
-     log before send disconnect; ok djm@
-   - markus@cvs.openbsd.org 2002/11/05 19:45:20
-     [monitor.c]
-     handle overflows for size_t larger than u_int; siw@goneko.de, bug #425
-   - markus@cvs.openbsd.org 2002/11/05 20:10:37
-     [sftp-client.c]
-     typo; GaryF@livevault.com
-   - markus@cvs.openbsd.org 2002/11/07 16:28:47
-     [sshd.c]
-     log to stderr if -ie is given, bug #414, prj@po.cwru.edu
-   - markus@cvs.openbsd.org 2002/11/07 22:08:07
-     [readconf.c readconf.h ssh-keysign.8 ssh-keysign.c]
-     we cannot use HostbasedAuthentication for enabling ssh-keysign(8),
-     because HostbasedAuthentication might be enabled based on the
-     target host and ssh-keysign(8) does not know the remote hostname
-     and not trust ssh(1) about the hostname, so we add a new option
-     EnableSSHKeysign; ok djm@, report from zierke@informatik.uni-hamburg.de
-   - markus@cvs.openbsd.org 2002/11/07 22:35:38
-     [scp.c]
-     check exit status from ssh, and exit(1) if ssh fails; bug#369; 
-     binder@arago.de
- - (bal) Update ssh-host-config and minor rewrite of bsd-cygwin_util.c
-   ntsec now default if cygwin version beginning w/ version 56.  Patch
-   by Corinna Vinschen <vinschen@redhat.com> 
- - (bal) AIX does not log login attempts for unknown users (bug #432).
-   patch by dtucker@zip.com.au
-20021021
- - (djm) Bug #400: Kill ssh-rand-helper children on timeout, patch from 
-   dtucker@zip.com.au
- - (djm) Bug #317: FreeBSD needs libutil.h for openpty() Report from 
-   dirk.meyer@dinoex.sub.org
-20021015
- - (bal) Fix bug id 383 and only call loginrestrict for AIX if not root.
- - (bal) More advanced strsep test by Darren Tucker <dtucker@zip.com.au>
-20021015
- - (tim) [contrib/caldera/openssh.spec] make ssh-agent setgid nobody
-20021004
- - (bal) Disable post-authentication Privsep for OSF/1.  It conflicts with
-   SIA.
-20021003
- - (djm) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2002/10/01 20:34:12
-     [ssh-agent.c]
-     allow root to access the agent, since there is no protection from root.
-   - markus@cvs.openbsd.org 2002/10/01 13:24:50
-     [version.h]
-     OpenSSH 3.5
- - (djm) Bump RPM spec version numbers
- - (djm) Bug #406: s/msg_send/ssh_msg_send/ for Mac OS X 1.2
-20020930
- - (djm) Tidy contrib/, add Makefile for GNOME passphrase dialogs, 
-   tweak README
- - (djm) OpenBSD CVS Sync
-   - mickey@cvs.openbsd.org 2002/09/27 10:42:09
-     [compat.c compat.h sshd.c]
-     add a generic match for a prober, such as sie big brother; 
-     idea from stevesk@; markus@ ok
-   - stevesk@cvs.openbsd.org 2002/09/27 15:46:21
-     [ssh.1]
-     clarify compression level protocol 1 only; ok markus@ deraadt@
-20020927
- - (djm) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2002/09/25 11:17:16
-     [sshd_config]
-     sync LoginGraceTime with default
-   - markus@cvs.openbsd.org 2002/09/25 15:19:02
-     [sshd.c]
-     typo; pilot@monkey.org
-   - markus@cvs.openbsd.org 2002/09/26 11:38:43
-     [auth1.c auth.h auth-krb4.c monitor.c monitor.h monitor_wrap.c]
-     [monitor_wrap.h]
-     krb4 + privsep; ok dugsong@, deraadt@
-20020925
- - (bal) Fix issue where successfull login does not clear failure counts
-   in AIX.  Patch by dtucker@zip.com.au ok by djm
- - (tim) Cray fixes (bug 367) based on patch from Wendy Palm @ cray.
-    This does not include the deattack.c fixes.
-20020923
- - (djm) OpenBSD CVS Sync
-   - stevesk@cvs.openbsd.org 2002/09/23 20:46:27
-     [canohost.c]
-     change get_peer_ipaddr() and get_local_ipaddr() to not return NULL for
-     non-sockets; fixes a problem passing NULL to snprintf(). ok markus@
-   - markus@cvs.openbsd.org 2002/09/23 22:11:05
-     [monitor.c]
-     only call auth_krb5 if kerberos is enabled; ok deraadt@
-   - markus@cvs.openbsd.org 2002/09/24 08:46:04
-     [monitor.c]
-     only call kerberos code for authctxt->valid
-   - todd@cvs.openbsd.org 2002/09/24 20:59:44
-     [sshd.8]
-     tweak the example $HOME/.ssh/rc script to not show on any cmdline the
-     sensitive data it handles. This fixes bug # 402 as reported by
-     kolya@mit.edu (Nickolai Zeldovich).
-     ok markus@ and stevesk@
-20020923
- - (tim) [configure.ac] s/return/exit/ patch by dtucker@zip.com.au
-20020922
- - (djm) OpenBSD CVS Sync
-   - stevesk@cvs.openbsd.org 2002/09/19 14:53:14
-     [compat.c]
-   - markus@cvs.openbsd.org 2002/09/19 15:51:23
-     [ssh-add.c]
-     typo; cd@kalkatraz.de
-   - stevesk@cvs.openbsd.org 2002/09/19 16:03:15
-     [serverloop.c]
-     log IP address also; ok markus@
-   - stevesk@cvs.openbsd.org 2002/09/20 18:41:29
-     [auth.c]
-     log illegal user here for missing privsep case (ssh2).
-     this is executed in the monitor. ok markus@
-20020919
- - (djm) OpenBSD CVS Sync
-   - stevesk@cvs.openbsd.org 2002/09/12 19:11:52
-     [ssh-agent.c]
-     %u for uid print; ok markus@
-   - stevesk@cvs.openbsd.org 2002/09/12 19:50:36
-     [session.c ssh.1]
-     add SSH_CONNECTION and deprecate SSH_CLIENT; bug #384.  ok markus@
-   - stevesk@cvs.openbsd.org 2002/09/13 19:23:09
-     [channels.c sshconnect.c sshd.c]
-     remove use of SO_LINGER, it should not be needed. error check
-     SO_REUSEADDR. fixup comments. ok markus@
-   - stevesk@cvs.openbsd.org 2002/09/16 19:55:33
-     [session.c]
-     log when _PATH_NOLOGIN exists; ok markus@
-   - stevesk@cvs.openbsd.org 2002/09/16 20:12:11
-     [sshd_config.5]
-     more details on X11Forwarding security issues and threats; ok markus@
-   - stevesk@cvs.openbsd.org 2002/09/16 22:03:13
-     [sshd.8]
-     reference moduli(5) in FILES /etc/moduli.
-   - itojun@cvs.openbsd.org 2002/09/17 07:47:02
-     [channels.c]
-     don't quit while creating X11 listening socket.
-     http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
-     got from portable.  markus ok
-   - djm@cvs.openbsd.org 2002/09/19 01:58:18
-     [ssh.c sshconnect.c]
-     bugzilla.mindrot.org #223 - ProxyCommands don't exit.
-     Patch from dtucker@zip.com.au; ok markus@
-20020912
- - (djm) Made GNOME askpass programs return non-zero if cancel button is 
-   pressed.
- - (djm) Added getpeereid() replacement. Properly implemented for systems
-   with SO_PEERCRED support. Faked for systems which lack it.
- - (djm) Sync sys/tree.h with OpenBSD -current. Rename tree.h and 
-   fake-queue.h to sys-tree.h and sys-queue.h
- - (djm) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2002/09/08 20:24:08
-     [hostfile.h]
-     no comma at end of enumerator list
-   - itojun@cvs.openbsd.org 2002/09/09 06:48:06
-     [auth1.c auth.h auth-krb5.c monitor.c monitor.h]
-     [monitor_wrap.c monitor_wrap.h]
-     kerberos support for privsep.  confirmed to work by lha@stacken.kth.se
-     patch from markus
-   - markus@cvs.openbsd.org 2002/09/09 14:54:15
-     [channels.c kex.h key.c monitor.c monitor_wrap.c radix.c uuencode.c]
-     signed vs unsigned from -pedantic; ok henning@
-   - markus@cvs.openbsd.org 2002/09/10 20:24:47
-     [ssh-agent.c]
-     check the euid of the connecting process with getpeereid(2); 
-     ok provos deraadt stevesk
-   - stevesk@cvs.openbsd.org 2002/09/11 17:55:03
-     [ssh.1]
-     add agent and X11 forwarding warning text from ssh_config.5; ok markus@
-   - stevesk@cvs.openbsd.org 2002/09/11 18:27:26
-     [authfd.c authfd.h ssh.c]
-     don't connect to agent to test for presence if we've previously
-     connected; ok markus@
-   - djm@cvs.openbsd.org 2002/09/11 22:41:50
-     [sftp.1 sftp-client.c sftp-client.h sftp-common.c sftp-common.h]
-     [sftp-glob.c sftp-glob.h sftp-int.c sftp-server.c]
-     support for short/long listings and globbing in "ls"; ok markus@
-   - djm@cvs.openbsd.org 2002/09/12 00:13:06
-     [sftp-int.c]
-     zap unused var introduced in last commit
-20020911
- - (djm) Sync openbsd-compat with OpenBSD -current
-20020910
- - (djm) Bug #365: Read /.ssh/environment properly under CygWin. 
-   Patch from Mark Bradshaw <bradshaw@staff.crosswalk.com>
- - (djm) Bug #138: Make protocol 1 blowfish work with old OpenSSL. 
-   Patch from Robert Halubek <rob@adso.com.pl>
-20020905 
- - (djm) OpenBSD CVS Sync
-   - stevesk@cvs.openbsd.org 2002/09/04 18:52:42
-     [servconf.c sshd.8 sshd_config.5]
-     default LoginGraceTime to 2m; 1m may be too short for slow systems.
-     ok markus@
- - (djm) Merge openssh-TODO.patch from Redhat (null) beta
- - (djm) Add gnome-ssh-askpass2.c (gtk2) by merge with patch from 
-    Nalin Dahyabhai <nalin@redhat.com>
- - (djm) Add support for building gtk2 password requestor from Redhat beta
-20020903
- - (djm) Patch from itojun@ for Darwin OS: test getaddrinfo, reorder libcrypt
- - (djm) Fix Redhat RPM build dependancy test
- - (djm) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2002/08/12 10:46:35
-     [ssh-agent.c]
-     make ssh-agent setgid, disallow ptrace.
-   - espie@cvs.openbsd.org 2002/08/21 11:20:59
-     [sshd.8]
-     `RSA' updated to refer to `public key', where it matters.
-     okay markus@
-   - stevesk@cvs.openbsd.org 2002/08/21 19:38:06
-     [servconf.c sshd.8 sshd_config sshd_config.5]
-     change LoginGraceTime default to 1 minute; ok mouring@ markus@
-   - stevesk@cvs.openbsd.org 2002/08/21 20:10:28
-     [ssh-agent.c]
-     raise listen backlog; ok markus@
-   - stevesk@cvs.openbsd.org 2002/08/22 19:27:53
-     [ssh-agent.c]
-     use common close function; ok markus@
-   - stevesk@cvs.openbsd.org 2002/08/22 19:38:42
-     [clientloop.c]
-     format with current EscapeChar; bugzilla #388 from wknox@mitre.org.
-     ok markus@
-   - stevesk@cvs.openbsd.org 2002/08/22 20:57:19
-     [ssh-agent.c]
-     shutdown(SHUT_RDWR) not needed before close here; ok markus@
-   - markus@cvs.openbsd.org 2002/08/22 21:33:58
-     [auth1.c auth2.c]
-     auth_root_allowed() is handled by the monitor in the privsep case,
-     so skip this for use_privsep, ok stevesk@, fixes bugzilla #387/325
-   - markus@cvs.openbsd.org 2002/08/22 21:45:41
-     [session.c]
-     send signal name (not signal number) in "exit-signal" message; noticed
-     by galb@vandyke.com
-   - stevesk@cvs.openbsd.org 2002/08/27 17:13:56
-     [ssh-rsa.c]
-     RSA_public_decrypt() returns -1 on error so len must be signed; 
-     ok markus@
-   - stevesk@cvs.openbsd.org 2002/08/27 17:18:40
-     [ssh_config.5]
-     some warning text for ForwardAgent and ForwardX11; ok markus@
-   - stevesk@cvs.openbsd.org 2002/08/29 15:57:25
-     [monitor.c session.c sshlogin.c sshlogin.h]
-     pass addrlen with sockaddr *; from Hajimu UMEMOTO <ume@FreeBSD.org>
-     NOTE: there are also p-specific parts to this patch. ok markus@
-   - stevesk@cvs.openbsd.org 2002/08/29 16:02:54
-     [ssh.1 ssh.c]
-     deprecate -P as UsePrivilegedPort defaults to no now; ok markus@
-   - stevesk@cvs.openbsd.org 2002/08/29 16:09:02
-     [ssh_config.5]
-     more on UsePrivilegedPort and setuid root; ok markus@
-   - stevesk@cvs.openbsd.org 2002/08/29 19:49:42
-     [ssh.c]
-     shrink initial privilege bracket for setuid case; ok markus@
-   - stevesk@cvs.openbsd.org 2002/08/29 22:54:10
-     [ssh_config.5 sshd_config.5]
-     state XAuthLocation is a full pathname
-20020820
- - OpenBSD CVS Sync
-   - millert@cvs.openbsd.org 2002/08/02 14:43:15
-     [monitor.c monitor_mm.c]
-     Change mm_zalloc() sanity checks to be more in line with what
-     we do in calloc() and add a check to monitor_mm.c.
-     OK provos@ and markus@
-   - marc@cvs.openbsd.org 2002/08/02 16:00:07
-     [ssh.1 sshd.8]
-     note that .ssh/environment is only read when
-     allowed (PermitUserEnvironment in sshd_config).
-     OK markus@
-   - markus@cvs.openbsd.org 2002/08/02 21:23:41
-     [ssh-rsa.c]
-     diff is u_int (2x); ok deraadt/provos
-   - markus@cvs.openbsd.org 2002/08/02 22:20:30
-     [ssh-rsa.c]
-     replace RSA_verify with our own version and avoid the OpenSSL ASN.1 parser
-     for authentication; ok deraadt/djm
-   - aaron@cvs.openbsd.org 2002/08/08 13:50:23
-     [sshconnect1.c]
-     Use & to test if bits are set, not &&; markus@ ok.
-   - stevesk@cvs.openbsd.org 2002/08/08 23:54:52
-     [auth.c]
-     typo in comment
-   - stevesk@cvs.openbsd.org 2002/08/09 17:21:42
-     [sshd_config.5]
-     use Op for mdoc conformance; from esr@golux.thyrsus.com
-     ok aaron@
-   - stevesk@cvs.openbsd.org 2002/08/09 17:41:12
-     [sshd_config.5]
-     proxy vs. fake display
-   - stevesk@cvs.openbsd.org 2002/08/12 17:30:35
-     [ssh.1 sshd.8 sshd_config.5]
-     more PermitUserEnvironment; ok markus@
-   - stevesk@cvs.openbsd.org 2002/08/17 23:07:14
-     [ssh.1]
-     ForwardAgent has defaulted to no for over 2 years; be more clear here.
-   - stevesk@cvs.openbsd.org 2002/08/17 23:55:01
-     [ssh_config.5]
-     ordered list here
- - (bal) [defines.h] Some platforms don't have SIZE_T_MAX.  So assign 
-   it to ULONG_MAX.
-20020813
- - (tim) [configure.ac] Display OpenSSL header/library version.
-   Patch by dtucker@zip.com.au
-20020731
- - (bal) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2002/07/24 16:11:18
-     [hostfile.c hostfile.h sshconnect.c]
-     print out all known keys for a host if we get a unknown host key,
-     see discussion at http://marc.theaimsgroup.com/?t=101069210100016&r=1&w=4
-     the ssharp mitm tool attacks users in a similar way, so i'd like to
-     pointed out again:
-        A MITM attack is always possible if the ssh client prints:
-        The authenticity of host 'bla' can't be established.
-     (protocol version 2 with pubkey authentication allows you to detect
-     MITM attacks)
-   - mouring@cvs.openbsd.org 2002/07/25 01:16:59
-     [sftp.c]
-     FallBackToRsh does not exist anywhere else.  Remove it from here.
-     OK deraadt.
-   - markus@cvs.openbsd.org 2002/07/29 18:57:30
-     [sshconnect.c]
-     print file:line
-   - markus@cvs.openbsd.org 2002/07/30 17:03:55
-     [auth-options.c servconf.c servconf.h session.c sshd_config sshd_config.5]
-     add PermitUserEnvironment (off by default!); from dot@dotat.at;
-     ok provos, deraadt
-20020730
- - (bal) [uidswap.c] SCO compile correction by gert@greenie.muc.de
-20020728
- - (stevesk) [auth-pam.c] should use PAM_MSG_MEMBER(); from solar
- - (stevesk) [CREDITS] solar
- - (stevesk) [ssh-rand-helper.c] RAND_bytes() and SHA1_Final() unsigned
-   char arg.
-20020725
- - (djm) Remove some cruft from INSTALL
- - (djm) Latest config.guess and config.sub from ftp://ftp.gnu.org/gnu/config/
-20020723
- - (bal) [bsd-cray.c bsd-cray.h] Part 2 of Cray merger. 
- - (bal) sync ID w/ ssh-agent.c
- - (bal) OpenBSD Sync
-   - markus@cvs.openbsd.org 2002/07/19 15:43:33
-     [log.c log.h session.c sshd.c]
-     remove fatal cleanups after fork; based on discussions with and code
-     from solar.
-   - stevesk@cvs.openbsd.org 2002/07/19 17:42:40
-     [ssh.c]
-     display a warning from ssh when XAuthLocation does not exist or xauth
-     returned no authentication data. ok markus@
-   - stevesk@cvs.openbsd.org 2002/07/21 18:32:20
-     [auth-options.c]
-     unneeded includes
-   - stevesk@cvs.openbsd.org 2002/07/21 18:34:43
-     [auth-options.h]
-     remove invalid comment
-   - markus@cvs.openbsd.org 2002/07/22 11:03:06
-     [session.c]
-     fallback to _PATH_STDPATH on setusercontext+LOGIN_SETPATH errors;
-   - stevesk@cvs.openbsd.org 2002/07/22 17:32:56
-     [monitor.c]
-     u_int here; ok provos@
-   - stevesk@cvs.openbsd.org 2002/07/23 16:03:10
-     [sshd.c]
-     utmp_len is unsigned; display error consistent with other options.
-     ok markus@
-   - stevesk@cvs.openbsd.org 2002/07/15 17:15:31
-     [uidswap.c]
-     little more debugging; ok markus@
-20020722
- - (bal) AIX tty data limiting patch fix by leigh@solinno.co.uk
- - (stevesk) [xmmap.c] missing prototype for fatal()
- - (bal) [configure.ac defines.h loginrec.c sshd.c sshpty.c] Partial sync
-   with Cray (mostly #ifdef renaming).  Patch by wendyp@cray.com.
- - (bal) [configure.ac]  Missing ;; from cray patch.
- - (bal) [monitor_mm.c openbsd-compat/xmmap.h] Move xmmap() defines
-   into it's own header.
- - (stevesk) [auth-pam.[ch] session.c] pam_getenvlist() must be
-   freed by the caller; add free_pam_environment() and use it.
- - (stevesk) [auth-pam.c] typo in comment
-20020721
- - (stevesk) [auth-pam.c] merge cosmetic changes from solar's
-   openssh-3.4p1-owl-password-changing.diff
- - (stevesk) [auth-pam.c] merge rest of solar's PAM patch;
-   PAM_NEW_AUTHTOK_REQD remains in #if 0 for now.
- - (stevesk) [auth-pam.c] cast to avoid initialization type mismatch
-   warning on pam_conv struct conversation function.
- - (stevesk) [auth-pam.h] license
- - (stevesk) [auth-pam.h] unneeded include
- - (stevesk) [auth-pam.[ch] ssh.h] move SSHD_PAM_SERVICE to auth-pam.h
-20020720
- - (stevesk) [ssh-keygen.c] bug #231: always init/seed_rng().
-20020719
- - (tim) [contrib/solaris/buildpkg.sh] create privsep user/group if needed.
-   Patch by dtucker@zip.com.au
- - (tim) [configure.ac]  test for libxnet on HP. Patch by dtucker@zip.com.au
-20020718
- - (tim) [defines.h] Bug 313 patch by dirk.meyer@dinoex.sub.org
- - (tim) [monitor_mm.c] add missing declaration for xmmap(). Reported
-   by ayamura@ayamura.org
- - (tim) [configure.ac] Bug 267 rework int64_t test.
- - (tim) [includes.h] Bug 267 add stdint.h
-20020717
- - (bal) aixbff package updated by dtucker@zip.com.au
- - (tim) [configure.ac] change how we do paths in AC_PATH_PROGS tests
-   for autoconf 2.53. Based on a patch by jrj@purdue.edu
-20020716
- - (tim) [contrib/solaris/opensshd.in] Only kill sshd if .pid file found
-20020715
- - (bal) OpenBSD CVS Sync
-   - itojun@cvs.openbsd.org 2002/07/12 13:29:09
-     [sshconnect.c]
-     print connect failure during debugging mode.
-   - markus@cvs.openbsd.org 2002/07/12 15:50:17
-     [cipher.c]
-     EVP_CIPH_CUSTOM_IV for our own rijndael
- - (bal) Remove unused tty defined in do_setusercontext() pointed out by
-   dtucker@zip.com.au plus a a more KNF since I am near it.
- - (bal) Privsep user creation support in Solaris buildpkg.sh by 
-   dtucker@zip.com.au
-20020714
- - (tim) [Makefile.in] replace "id sshd" with "sshd -t"
- - (bal/tim) [acconfig.h configure.ac monitor_mm.c servconf.c
-   openbsd-compat/Makefile.in] support compression on platforms that
-   have no/broken MAP_ANON. Moved code to openbsd-compat/xmmap.c
-   Based on patch from nalin@redhat.com of code extracted from Owl's package
- - (tim) [ssh_prng_cmds.in] Bug 323 arp -n flag doesn't exist under Solaris.
-   report by chris@by-design.net
- - (tim) [loginrec.c] Bug 347: Fix typo (WTMPX_FILE) report by rodney@bond.net
- - (tim) [loginrec.c] Bug 348: add missing found = 1; to wtmpx_islogin()
-   report by rodney@bond.net
-20020712
- - (tim) [Makefile.in] quiet down install-files: and check-user:
- - (tim) [configure.ac] remove unused filepriv line
-20020710
- - (tim) [contrib/cygwin/ssh-host-config] explicitely sets the permissions
-   on /var/empty to 755 Patch by vinschen@redhat.com
- - (bal) OpenBSD CVS Sync
-   - itojun@cvs.openbsd.org 2002/07/09 11:56:50
-     [sshconnect.c]
-     silently try next address on connect(2).  markus ok
-   - itojun@cvs.openbsd.org 2002/07/09 11:56:27
-     [canohost.c]
-     suppress log on reverse lookup failiure, as there's no real value in
-     doing so.
-     markus ok
-   - itojun@cvs.openbsd.org 2002/07/09 12:04:02
-     [sshconnect.c]
-     ed static function (less warnings)
-   - stevesk@cvs.openbsd.org 2002/07/09 17:46:25
-     [sshd_config.5]
-     clarify no preference ordering in protocol list; ok markus@
-   - itojun@cvs.openbsd.org 2002/07/10 10:28:15
-     [sshconnect.c]
-     bark if all connection attempt fails.
-   - deraadt@cvs.openbsd.org 2002/07/10 17:53:54
-     [rijndael.c]
-     use right sizeof in memcpy; markus ok
-20020709
- - (bal) NO_IPPORT_RESERVED_CONCEPT used instead of CYGWIN so other platforms
-   lacking that concept can share it. Patch by vinschen@redhat.com
-20020708
- - (tim) [openssh/contrib/solaris/buildpkg.sh] add PKG_INSTALL_ROOT to
-   work in a jumpstart environment. patch by kbrint@rufus.net
- - (tim) [Makefile.in] workaround for broken pakadd on some systems.
- - (tim) [configure.ac] fix libc89 utimes test. Mention default path for
-   --with-privsep-path=
-20020707
- - (tim) [Makefile.in] use umask instead of chmod on $(PRIVSEP_PATH)
- - (tim) [acconfig.h configure.ac sshd.c]
-   s/BROKEN_FD_PASSING/DISABLE_FD_PASSING/
- - (tim) [contrib/cygwin/ssh-host-config] sshd account creation fixes
-   patch from vinschen@redhat.com
- - (bal) [realpath.c] Updated with OpenBSD tree.
- - (bal) OpenBSD CVS Sync
-   - deraadt@cvs.openbsd.org 2002/07/04 04:15:33
-     [key.c monitor_wrap.c sftp-glob.c ssh-dss.c ssh-rsa.c]
-     patch memory leaks; grendel@zeitbombe.org
-   - deraadt@cvs.openbsd.org 2002/07/04 08:12:15
-     [channels.c packet.c]
-     blah blah minor nothing as i read and re-read and re-read...
-   - markus@cvs.openbsd.org 2002/07/04 10:41:47
-     [key.c monitor_wrap.c ssh-dss.c ssh-rsa.c]
-     don't allocate, copy, and discard if there is not interested in the data; 
-     ok deraadt@
-   - deraadt@cvs.openbsd.org 2002/07/06 01:00:49
-     [log.c]
-     KNF
-   - deraadt@cvs.openbsd.org 2002/07/06 01:01:26
-     [ssh-keyscan.c]
-     KNF, realloc fix, and clean usage
-   - stevesk@cvs.openbsd.org 2002/07/06 17:47:58
-     [ssh-keyscan.c]
-     unused variable
- - (bal) Minor KNF on ssh-keyscan.c
-20020705
- - (tim) [configure.ac] AIX 4.2.1 has authenticate() in libs.
-   Reported by Darren Tucker <dtucker@zip.com.au>
- - (tim) [contrib/cygwin/ssh-host-config] double slash corrction
-   from vinschen@redhat.com
-20020704
- - (bal) Limit data to TTY for AIX only (Newer versions can't handle the
-   faster data rate)  Bug #124
- - (bal) glob.c defines TILDE and AIX also defines it.  #undef it first.
-   bug #265
- - (bal) One too many nulls in ports-aix.c
- 
-20020703
- - (bal) Updated contrib/cygwin/  patch by vinschen@redhat.com 
- - (bal) minor correction to utimes() replacement.  Patch by
-   onoe@sm.sony.co.jp
- - OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2002/06/27 08:49:44
-     [dh.c ssh-keyscan.c sshconnect.c]
-     more checks for NULL pointers; from grendel@zeitbombe.org; ok deraadt@
-   - deraadt@cvs.openbsd.org 2002/06/27 09:08:00
-     [monitor.c]
-     improve mm_zalloc check; markus ok
-   - deraadt@cvs.openbsd.org 2002/06/27 10:35:47
-     [auth2-none.c monitor.c sftp-client.c]
-     use xfree()
-   - stevesk@cvs.openbsd.org 2002/06/27 19:49:08
-     [ssh-keyscan.c]
-     use convtime(); ok markus@
-   - millert@cvs.openbsd.org 2002/06/28 01:49:31
-     [monitor_mm.c]
-     tree(3) wants an int return value for its compare functions and
-     the difference between two pointers is not an int.  Just do the
-     safest thing and store the result in a long and then return 0,
-     -1, or 1 based on that result.
-   - deraadt@cvs.openbsd.org 2002/06/28 01:50:37
-     [monitor_wrap.c]
-     use ssize_t
-   - deraadt@cvs.openbsd.org 2002/06/28 10:08:25
-     [sshd.c]
-     range check -u option at invocation
-   - deraadt@cvs.openbsd.org 2002/06/28 23:05:06
-     [sshd.c]
-     gidset[2] -> gidset[1]; markus ok
-   - deraadt@cvs.openbsd.org 2002/06/30 21:54:16
-     [auth2.c session.c sshd.c]
-     lint asks that we use names that do not overlap
-   - deraadt@cvs.openbsd.org 2002/06/30 21:59:45
-     [auth-bsdauth.c auth-skey.c auth2-chall.c clientloop.c key.c
-      monitor_wrap.c monitor_wrap.h scard.h session.h sftp-glob.c ssh.c
-      sshconnect2.c sshd.c]
-     minor KNF
-   - deraadt@cvs.openbsd.org 2002/07/01 16:15:25
-     [msg.c]
-     %u
-   - markus@cvs.openbsd.org 2002/07/01 19:48:46
-     [sshconnect2.c]
-     for compression=yes, we fallback to no-compression if the server does
-     not support compression, vice versa for compression=no. ok mouring@
-   - markus@cvs.openbsd.org 2002/07/03 09:55:38
-     [ssh-keysign.c]
-     use RSA_blinding_on() for rsa hostkeys (suggested by Bill Sommerfeld)
-     in order to avoid a possible Kocher timing attack pointed out by Charles
-     Hannum; ok provos@
-   - markus@cvs.openbsd.org 2002/07/03 14:21:05
-     [ssh-keysign.8 ssh-keysign.c ssh.c ssh_config]
-     re-enable ssh-keysign's sbit, but make ssh-keysign read 
-     /etc/ssh/ssh_config and exit if HostbasedAuthentication is disabled 
-     globally. based on discussions with deraadt, itojun and sommerfeld; 
-     ok itojun@
- - (bal) Failed password attempts don't increment counter on AIX. Bug #145
- - (bal) Missed Makefile.in change.  keysign needs readconf.o
- - (bal) Clean up aix_usrinfo().  Ignore TTY= period I guess.
-  
-20020702
- - (djm) Use PAM_MSG_MEMBER for PAM_TEXT_INFO messages, use xmalloc & 
-   friends consistently. Spotted by Solar Designer <solar@openwall.com>
-20020629
- - (bal) fix to auth2-pam.c to swap fatal() arguments,  A bit of style
-   clean up while I'm near it.
-20020628
- - (stevesk) [sshd_config] PAMAuthenticationViaKbdInt no; commented
-   options should contain default value.  from solar.
- - (bal) Cygwin uid0 fix by vinschen@redhat.com
- - (bal) s/config.h/includes.h/ in openbsd-compat/ for *.c.  Otherwise wise
-   have issues of our fixes not propogating right (ie bcopy instead of
-   memmove).  OK tim
- - (bal) FreeBSD needs <sys/types.h> to detect if mmap() is supported.
-   Bug #303
-20020627
- - OpenBSD CVS Sync
-   - deraadt@cvs.openbsd.org 2002/06/26 14:49:36
-     [monitor.c]
-     correct %u
-   - deraadt@cvs.openbsd.org 2002/06/26 14:50:04
-     [monitor_fdpass.c]
-     use ssize_t for recvmsg() and sendmsg() return
-   - markus@cvs.openbsd.org 2002/06/26 14:51:33
-     [ssh-add.c]
-     fix exit code for -X/-x
-   - deraadt@cvs.openbsd.org 2002/06/26 15:00:32
-     [monitor_wrap.c]
-     more %u
-   - markus@cvs.openbsd.org 2002/06/26 22:27:32
-     [ssh-keysign.c]
-     bug #304, xfree(data) called to early; openssh@sigint.cs.purdue.edu
-20020626
- - (stevesk) [monitor.c] remove duplicate proto15 dispatch entry for PAM
- - (bal) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2002/06/23 21:34:07
-     [channels.c]
-     tcode is u_int
-   - markus@cvs.openbsd.org 2002/06/24 13:12:23
-     [ssh-agent.1]
-     the socket name contains ssh-agent's ppid; via mpech@ from form@
-   - markus@cvs.openbsd.org 2002/06/24 14:33:27
-     [channels.c channels.h clientloop.c serverloop.c]
-     move channel counter to u_int
-   - markus@cvs.openbsd.org 2002/06/24 14:55:38
-     [authfile.c kex.c ssh-agent.c]
-     cat to (void) when output from buffer_get_X is ignored
-   - itojun@cvs.openbsd.org 2002/06/24 15:49:22
-     [msg.c]
-     printf type pedant
-   - deraadt@cvs.openbsd.org 2002/06/24 17:57:20
-     [sftp-server.c sshpty.c]
-     explicit (u_int) for uid and gid
-   - markus@cvs.openbsd.org 2002/06/25 16:22:42
-     [authfd.c]
-     unnecessary cast
-   - markus@cvs.openbsd.org 2002/06/25 18:51:04
-     [sshd.c]
-     lightweight do_setusercontext after chroot()
- - (bal) Updated AIX package build.  Patch by dtucker@zip.com.au
- - (tim) [Makefile.in] fix test on installing ssh-rand-helper.8
- - (bal) added back in error check for mmap().  I screwed up, Pointed
-   out by stevesk@
- - (tim) [README.privsep] UnixWare tip no longer needed.
- - (bal) fixed NeXTStep missing munmap() issue. It defines HAVE_MMAP,
-   but it all damned lies.
- - (stevesk) [README.privsep] more for sshd pseudo-account.
- - (tim) [contrib/caldera/openssh.spec] add support for privsep
- - (djm) setlogin needs pgid==pid on BSD/OS; from itojun@
- - (djm) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2002/06/26 08:53:12
-     [bufaux.c]
-     limit size of BNs to 8KB; ok provos/deraadt
-   - markus@cvs.openbsd.org 2002/06/26 08:54:18
-     [buffer.c]
-     limit append to 1MB and buffers to 10MB
-   - markus@cvs.openbsd.org 2002/06/26 08:55:02
-     [channels.c]
-     limit # of channels to 10000
-   - markus@cvs.openbsd.org 2002/06/26 08:58:26
-     [session.c]
-     limit # of env vars to 1000; ok deraadt/djm
-   - deraadt@cvs.openbsd.org 2002/06/26 13:20:57
-     [monitor.c]
-     be careful in mm_zalloc
-   - deraadt@cvs.openbsd.org 2002/06/26 13:49:26
-     [session.c]
-     disclose less information from environment files; based on input 
-     from djm, and dschultz@uclink.Berkeley.EDU
-   - markus@cvs.openbsd.org 2002/06/26 13:55:37
-     [auth2-chall.c]
-     make sure # of response matches # of queries, fixes int overflow; 
-     from ISS
-   - markus@cvs.openbsd.org 2002/06/26 13:56:27
-     [version.h]
-     3.4
- - (djm) Require krb5 devel for RPM build w/ KrbV 
- - (djm) Improve PAMAuthenticationViaKbdInt text from Nalin Dahyabhai 
-   <nalin@redhat.com>
- - (djm) Update spec files for release 
- - (djm) Fix int overflow in auth2-pam.c, similar to one discovered by ISS
- - (djm) Release 3.4p1
- - (tim) [contrib/caldera/openssh.spec] remove 2 configure options I put in
-   by mistake
-20020625
- - (stevesk) [INSTALL acconfig.h configure.ac defines.h] remove --with-rsh
- - (stevesk) [README.privsep] minor updates
- - (djm) Create privsep directory and warn if privsep user is missing 
-   during make install
- - (bal) Started list of PrivSep issues in TODO
- - (bal) if mmap() is substandard, don't allow compression on server side.
-   Post 'event' we will add more options.
- - (tim) [contrib/caldera/openssh.spec] Sync with Caldera
- - (bal) moved aix_usrinfo() and noted not setting real TTY.  Patch by
-   dtucker@zip.com.au
- - (tim) [acconfig.h configure.ac sshd.c] BROKEN_FD_PASSING fix from Markus
-   for Cygwin, Cray, & SCO
-20020624
- - OpenBSD CVS Sync
-   - deraadt@cvs.openbsd.org 2002/06/23 03:25:50
-     [tildexpand.c]
-     KNF
-   - deraadt@cvs.openbsd.org 2002/06/23 03:26:19
-     [cipher.c key.c]
-     KNF
-   - deraadt@cvs.openbsd.org 2002/06/23 03:30:58
-     [scard.c ssh-dss.c ssh-rsa.c sshconnect.c sshconnect2.c sshd.c sshlogin.c
-      sshpty.c]
-     various KNF and %d for unsigned
-   - deraadt@cvs.openbsd.org 2002/06/23 09:30:14
-     [sftp-client.c sftp-client.h sftp-common.c sftp-int.c sftp-server.c
-      sftp.c]
-     bunch of u_int vs int stuff
-   - deraadt@cvs.openbsd.org 2002/06/23 09:39:55
-     [ssh-keygen.c]
-     u_int stuff
-   - deraadt@cvs.openbsd.org 2002/06/23 09:46:51
-     [bufaux.c servconf.c]
-     minor KNF.  things the fingers do while you read
-   - deraadt@cvs.openbsd.org 2002/06/23 10:29:52
-     [ssh-agent.c sshd.c]
-     some minor KNF and %u
-   - deraadt@cvs.openbsd.org 2002/06/23 20:39:45
-     [session.c]
-     compression_level is u_int
-   - deraadt@cvs.openbsd.org 2002/06/23 21:06:13
-     [sshpty.c]
-     KNF
-   - deraadt@cvs.openbsd.org 2002/06/23 21:06:41
-     [channels.c channels.h session.c session.h]
-     display, screen, row, col, xpixel, ypixel are u_int; markus ok
-   - deraadt@cvs.openbsd.org 2002/06/23 21:10:02
-     [packet.c]
-     packet_get_int() returns unsigned for reason & seqnr
-  - (bal) Also fixed IPADDR_IN_DISPLAY case where display, screen, row, col,
-    xpixel are u_int.
-20020623
- - (stevesk) [configure.ac] bug #255 LOGIN_NEEDS_UTMPX for AIX.
- - (bal) removed GNUism for getops in ssh-agent since glibc lacks optreset.
- - (bal) add extern char *getopt.  Based on report by dtucker@zip.com.au 
- - OpenBSD CVS Sync
-   - stevesk@cvs.openbsd.org 2002/06/22 02:00:29
-     [ssh.h]
-     correct comment
-   - stevesk@cvs.openbsd.org 2002/06/22 02:40:23
-     [ssh.1]
-     section 5 not 4 for ssh_config
-   - naddy@cvs.openbsd.org 2002/06/22 11:51:39
-     [ssh.1]
-     typo
-   - stevesk@cvs.openbsd.org 2002/06/22 16:32:54
-     [sshd.8]
-     add /var/empty in FILES section
-   - stevesk@cvs.openbsd.org 2002/06/22 16:40:19
-     [sshd.c]
-     check /var/empty owner mode; ok provos@
-   - stevesk@cvs.openbsd.org 2002/06/22 16:41:57
-     [scp.1]
-     typo
-   - stevesk@cvs.openbsd.org 2002/06/22 16:45:29
-     [ssh-agent.1 sshd.8 sshd_config.5]
-     use process ID vs. pid/PID/process identifier
-   - stevesk@cvs.openbsd.org 2002/06/22 20:05:27
-     [sshd.c]
-     don't call setsid() if debugging or run from inetd; no "Operation not
-     permitted" errors now; ok millert@ markus@
-   - stevesk@cvs.openbsd.org 2002/06/22 23:09:51
-     [monitor.c]
-     save auth method before monitor_reset_key_state(); bugzilla bug #284;
-     ok provos@
-$Id: ChangeLog,v 1.2648.2.1 2003/04/29 09:12:07 djm Exp $
diff --git a/INSTALL b/INSTALL
index f5ab0dbd3..93070b105 100644
--- a/INSTALL
+++ b/INSTALL
@@ -123,7 +123,7 @@ it if lastlog is installed in a different place.
 --without-lastlog will disable lastlog support entirely.
--with-sia, --without-sia will enable or disable OSF1's Security 
+--with-osfsia, --without-osfsia will enable or disable OSF1's Security 
 Integration Architecture.  The default for OSF1 machines is enable.
 --with-kerberos4=PATH will enable Kerberos IV support. You will need
@@ -217,4 +217,4 @@ Please refer to the "reporting bugs" section of the webpage at
 http://www.openssh.com/
-$Id: INSTALL,v 1.55 2002/07/25 04:36:25 djm Exp $
+$Id: INSTALL,v 1.56 2003/05/24 01:41:16 dtucker Exp $
diff --git a/LICENCE b/LICENCE
index 19d4c74e6..b47556dda 100644
--- a/LICENCE
+++ b/LICENCE
@@ -76,14 +76,6 @@ OpenSSH contains no GPL code.
    POSSIBILITY OF SUCH DAMAGES.
 2)
-    The 32-bit CRC implementation in crc32.c is due to Gary S. Brown.
-    Comments in the file indicate it may be used for any purpose without
-    restrictions:
-     * COPYRIGHT (C) 1986 Gary S. Brown.  You may use this program, or
-     * code or tables extracted from it, as desired without restriction.
-3)
    The 32-bit CRC compensation attack detector in deattack.c was
    contributed by CORE SDI S.A. under a BSD-style license.
@@ -104,7 +96,7 @@ OpenSSH contains no GPL code.
     * Ariel Futoransky <futo@core-sdi.com>
     * <http://www.core-sdi.com>
-4)
+3)
    ssh-keygen was contributed by David Mazieres under a BSD-style
    license.
@@ -114,7 +106,7 @@ OpenSSH contains no GPL code.
     * permitted provided that due credit is given to the author and the
     * OpenBSD project by leaving this copyright notice intact.
-5)
+4)
    The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers
    and Paulo Barreto is in the public domain and distributed
    with the following license:
@@ -141,12 +133,10 @@ OpenSSH contains no GPL code.
     * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
     * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-6)
+5)
-    One component of the ssh source code is under a 4-clause BSD license,
+    One component of the ssh source code is under a 3-clause BSD license,
    held by the University of California, since we pulled these parts from
-    original Berkeley code.  The Regents of the University of California
+    original Berkeley code.
-    have declared that term 3 is no longer enforceable on their source code,
-    but we retain that license as is.
     * Copyright (c) 1983, 1990, 1992, 1993, 1995
     *      The Regents of the University of California.  All rights reserved.
@@ -159,11 +149,7 @@ OpenSSH contains no GPL code.
     * 2. Redistributions in binary form must reproduce the above copyright
     *    notice, this list of conditions and the following disclaimer in the
     *    documentation and/or other materials provided with the distribution.
-     * 3. All advertising materials mentioning features or use of this software
+     * 3. Neither the name of the University nor the names of its contributors
-     *    must display the following acknowledgement:
-     *      This product includes software developed by the University of
-     *      California, Berkeley and its contributors.
-     * 4. Neither the name of the University nor the names of its contributors
     *    may be used to endorse or promote products derived from this software
     *    without specific prior written permission.
     *
@@ -179,7 +165,7 @@ OpenSSH contains no GPL code.
     * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     * SUCH DAMAGE.
-7)
+6)
    Remaining components of the software are provided under a standard
    2-term BSD licence with the following names as copyright holders:
@@ -192,6 +178,31 @@ OpenSSH contains no GPL code.
        Kevin Steves
        Daniel Kouril
        Per Allansson
+        Wesley Griffin
+        Per Allansson
+        Nils Nordman
+        Simon Wilkinson
+    Portable OpenSSH additionally includes code from the following copyright 
+    holders, also under the 2-term BSD license:
+        Ben Lindstrom
+        Tim Rice
+        Andre Lucas
+        Chris Adams
+        Corinna Vinschen
+        Cray Inc.
+        Denis Parker
+        Gert Doering
+        Jakob Schlyter
+        Jason Downs
+        Juha Yrj�l�
+        Michael Stone
+        Networks Associates Technology, Inc.
+        Solar Designer
+        Todd C. Miller
+        Wayne Schroeder
+        William Jones
     * Redistribution and use in source and binary forms, with or without
     * modification, are permitted provided that the following conditions
@@ -212,3 +223,110 @@ OpenSSH contains no GPL code.
     * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
     * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
     * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+8) Portable OpenSSH contains the following additional licenses:
+    a) md5crypt.c, md5crypt.h
+         * "THE BEER-WARE LICENSE" (Revision 42):
+         * <phk@login.dknet.dk> wrote this file.  As long as you retain this 
+         * notice you can do whatever you want with this stuff. If we meet 
+         * some day, and you think this stuff is worth it, you can buy me a 
+         * beer in return.   Poul-Henning Kamp
+    b) snprintf replacement
+        * Copyright Patrick Powell 1995
+        * This code is based on code written by Patrick Powell 
+        * (papowell@astart.com) It may be used for any purpose as long as this 
+        * notice remains intact on all source code distributions
+    c) Compatibility code (openbsd-compat)
+       Apart from the previously mentioned licenses, various pieces of code 
+       in the openbsd-compat/ subdirectory are licensed as follows:
+       Some code is licensed under a 3-term BSD license, to the following 
+       copyright holders:
+        Todd C. Miller
+        Theo de Raadt
+        Damien Miller
+        Eric P. Allman
+        The Regents of the University of California
+        * Redistribution and use in source and binary forms, with or without
+        * modification, are permitted provided that the following conditions
+        * are met:
+        * 1. Redistributions of source code must retain the above copyright
+        *    notice, this list of conditions and the following disclaimer.
+        * 2. Redistributions in binary form must reproduce the above copyright
+        *    notice, this list of conditions and the following disclaimer in the
+        *    documentation and/or other materials provided with the distribution.
+        * 3. Neither the name of the University nor the names of its contributors
+        *    may be used to endorse or promote products derived from this software
+        *    without specific prior written permission.
+        *
+        * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+        * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+        * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+        * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+        * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+        * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+        * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+        * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+        * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+        * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+        * SUCH DAMAGE.
+       Some code is licensed under an ISC-style license, to the following 
+       copyright holders:
+        Internet Software Consortium.
+        Todd C. Miller
+        * Permission to use, copy, modify, and distribute this software for any
+        * purpose with or without fee is hereby granted, provided that the above
+        * copyright notice and this permission notice appear in all copies.
+        *
+        * THE SOFTWARE IS PROVIDED "AS IS" AND TODD C. MILLER DISCLAIMS ALL
+        * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+        * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL TODD C. MILLER BE LIABLE
+        * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+        * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+        * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+        * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+       Some code is licensed under a MIT-style license to the following 
+       copyright holders:
+        Free Software Foundation, Inc.
+        * Permission is hereby granted, free of charge, to any person obtaining a  *
+        * copy of this software and associated documentation files (the            *
+        * "Software"), to deal in the Software without restriction, including      *
+        * without limitation the rights to use, copy, modify, merge, publish,      *
+        * distribute, distribute with modifications, sublicense, and/or sell       *
+        * copies of the Software, and to permit persons to whom the Software is    *
+        * furnished to do so, subject to the following conditions:                 *
+        *                                                                          *
+        * The above copyright notice and this permission notice shall be included  *
+        * in all copies or substantial portions of the Software.                   *
+        *                                                                          *
+        * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS  *
+        * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF               *
+        * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.   *
+        * IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,   *
+        * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR    *
+        * OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR    *
+        * THE USE OR OTHER DEALINGS IN THE SOFTWARE.                               *
+        *                                                                          *
+        * Except as contained in this notice, the name(s) of the above copyright   *
+        * holders shall not be used in advertising or otherwise to promote the     *
+        * sale, use or other dealings in this Software without prior written       *
+        * authorization.                                                           *
+        ****************************************************************************/
+------
+$OpenBSD: LICENCE,v 1.17 2003/08/22 20:55:06 markus Exp $
diff --git a/Makefile.in b/Makefile.in
index 39bbf344d..8a8774461 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.228.2.1 2003/04/29 09:12:08 djm Exp $
+# $Id: Makefile.in,v 1.249 2003/09/14 01:40:36 dtucker Exp $
 # uncomment if you run a non bourne compatable shell. Ie. csh
 #SHELL = @SH@
@@ -46,6 +46,7 @@ LIBS=@LIBS@
 LIBPAM=@LIBPAM@
 LIBWRAP=@LIBWRAP@
 AR=@AR@
+AWK=@AWK@
 RANLIB=@RANLIB@
 INSTALL=@INSTALL@
 PERL=@PERL@
@@ -61,13 +62,14 @@ INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@
 TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT)
 LIBSSH_OBJS=authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o \
-        cipher.o compat.o compress.o crc32.o deattack.o fatal.o \
+        cipher.o  cipher-aes.o cipher-bf1.o cipher-ctr.o cipher-3des1.o \
-        hostfile.o log.o match.o mpaux.o nchan.o packet.o radix.o readpass.o \
+        compat.o compress.o crc32.o deattack.o fatal.o \
-        rsa.o tildexpand.o ttymodes.o xmalloc.o atomicio.o \
+        hostfile.o log.o match.o moduli.o mpaux.o nchan.o packet.o \
+        readpass.o rsa.o tildexpand.o ttymodes.o xmalloc.o atomicio.o \
        key.o dispatch.o kex.o mac.o uuencode.o misc.o \
        rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o \
-        kexdhc.o kexgexc.o scard.o msg.o progressmeter.o \
+        kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \
-        entropy.o
+        entropy.o scard-opensc.o gss-genr.o
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
        sshconnect.o sshconnect1.o sshconnect2.o
@@ -80,8 +82,9 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
        auth2-none.o auth2-passwd.o auth2-pubkey.o \
        monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o \
        kexdhs.o kexgexs.o \
-        auth-krb5.o auth-krb4.o \
+        auth-krb5.o \
-        loginrec.o auth-pam.o auth2-pam.o auth-sia.o md5crypt.o
+        auth2-gss.o gss-serv.o gss-serv-krb5.o \
+        loginrec.o auth-pam.o auth-sia.o md5crypt.o
 MANPAGES        = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
 MANPAGES_IN     = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
@@ -109,11 +112,11 @@ PATHSUBS	= \
 FIXPATHSCMD     = $(SED) $(PATHSUBS)
-all: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
+all: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS)
-$(LIBSSH_OBJS): config.h
+$(LIBSSH_OBJS): Makefile.in config.h
-$(SSHOBJS): config.h
+$(SSHOBJS): Makefile.in config.h
-$(SSHDOBJS): config.h
+$(SSHDOBJS): Makefile.in config.h
 .c.o:
        $(CC) $(CFLAGS) $(CPPFLAGS) -c $<
@@ -171,7 +174,7 @@ $(MANPAGES): $(MANPAGES_IN)
                manpage=$(srcdir)/`echo $@ | sed 's/\.out$$//'`; \
        fi; \
        if test "$(MANTYPE)" = "man"; then \
-                $(FIXPATHSCMD) $${manpage} | $(PERL) $(srcdir)/mdoc2man.pl > $@; \
+                $(FIXPATHSCMD) $${manpage} | $(AWK) -f $(srcdir)/mdoc2man.awk > $@; \
        else \
                $(FIXPATHSCMD) $${manpage} > $@; \
        fi
@@ -180,10 +183,20 @@ $(CONFIGFILES): $(CONFIGFILES_IN)
        conffile=`echo $@ | sed 's/.out$$//'`; \
        $(FIXPATHSCMD) $(srcdir)/$${conffile} > $@
+ssh_prng_cmds.out:      ssh_prng_cmds
+        if test ! -z "$(INSTALL_SSH_PRNG_CMDS)"; then \
+                $(PERL) $(srcdir)/fixprogs ssh_prng_cmds $(ENT); \
+        fi
+# fake rule to stop make trying to compile moduli.o into a binary "modulo"
+moduli:
+        echo
 clean:
        rm -f *.o *.a $(TARGETS) logintest config.cache config.log 
        rm -f *.out core 
        (cd openbsd-compat && $(MAKE) clean)
+        (cd regress && $(MAKE) clean)
 distclean:
        rm -f *.o *.a $(TARGETS) logintest config.cache config.log 
@@ -192,16 +205,14 @@ distclean:
        rm -rf autom4te.cache
        (cd openbsd-compat && $(MAKE) distclean)
        (cd scard && $(MAKE) distclean)
+        (cd regress && $(MAKE) distclean)
-veryclean:
+veryclean: distclean
        rm -f configure config.h.in *.0
-        rm -f *.o *.a $(TARGETS) logintest config.cache config.log 
-        rm -f *.out core
-        rm -f Makefile config.h config.status ssh_prng_cmds *~
-        (cd openbsd-compat && $(MAKE) distclean)
-        (cd scard && $(MAKE) distclean)
-mrproper: distclean
+mrproper: veryclean
+realclean: veryclean
 catman-do:
        @for f in $(MANPAGES_IN) ; do \
@@ -215,8 +226,8 @@ distprep: catman-do
        $(AUTORECONF)
        (cd scard && $(MAKE) -f Makefile.in distprep)
-install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files host-key check-config
+install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files host-key check-config
-install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
+install-nokeys: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files
 check-config:
        -$(DESTDIR)$(sbindir)/sshd -t -f $(DESTDIR)$(sysconfdir)/sshd_config
@@ -280,7 +291,6 @@ install-files: scard-install
                echo "$(DESTDIR)$(sysconfdir)/sshd_config already exists, install will not overwrite"; \
        fi
        @if [ -f ssh_prng_cmds -a ! -z "$(INSTALL_SSH_PRNG_CMDS)" ]; then \
-                $(PERL) $(srcdir)/fixprogs ssh_prng_cmds $(ENT); \
                if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_prng_cmds ] ; then \
                        $(INSTALL) -m 644 ssh_prng_cmds.out $(DESTDIR)$(sysconfdir)/ssh_prng_cmds; \
                else \
@@ -359,3 +369,32 @@ uninstall:
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
+tests:  $(TARGETS)
+        BUILDDIR=`pwd`; \
+        [ -d `pwd`/regress ]  ||  mkdir -p `pwd`/regress; \
+        TEST_SSH_SSH="$${BUILDDIR}/ssh"; \
+        TEST_SSH_SSHD="$${BUILDDIR}/sshd"; \
+        TEST_SSH_SSHAGENT="$${BUILDDIR}/ssh-agent"; \
+        TEST_SSH_SSHADD="$${BUILDDIR}/ssh-add"; \
+        TEST_SSH_SSHKEYGEN="$${BUILDDIR}/ssh-keygen"; \
+        TEST_SSH_SSHKEYSCAN="$${BUILDDIR}/ssh-keyscan"; \
+        TEST_SSH_SFTP="$${BUILDDIR}/sftp"; \
+        TEST_SSH_SFTPSERVER="$${BUILDDIR}/sftp-server"; \
+        cd $(srcdir)/regress || exit $$?; \
+        $(MAKE) \
+                .OBJDIR="$${BUILDDIR}/regress" \
+                .CURDIR="`pwd`" \
+                BUILDDIR="$${BUILDDIR}" \
+                OBJ="$${BUILDDIR}/regress/" \
+                PATH="$${BUILDDIR}:$${PATH}" \
+                TEST_SSH_SSH="$${TEST_SSH_SSH}" \
+                TEST_SSH_SSHD="$${TEST_SSH_SSHD}" \
+                TEST_SSH_SSHAGENT="$${TEST_SSH_SSHAGENT}" \
+                TEST_SSH_SSHADD="$${TEST_SSH_SSHADD}" \
+                TEST_SSH_SSHKEYGEN="$${TEST_SSH_SSHKEYGEN}" \
+                TEST_SSH_SSHKEYSCAN="$${TEST_SSH_SSHKEYSCAN}" \
+                TEST_SSH_SFTP="$${TEST_SSH_SFTP}" \
+                TEST_SSH_SFTPSERVER="$${TEST_SSH_SFTPSERVER}" \
+                EXEEXT="$(EXEEXT)" \
+                $@
diff --git a/README.dns b/README.dns
new file mode 100644
index 000000000..e24092e03
--- /dev/null
+++ b/README.dns
@@ -0,0 +1,52 @@
+How to verify host keys using OpenSSH and DNS
+---------------------------------------------
+OpenSSH contains experimental support for verifying host keys using DNS
+as described in draft-ietf-secsh-dns-xx.txt. The document contains
+very brief instructions on how to test this feature. Configuring DNS
+and DNSSEC is out of the scope of this document.
+(1) Enable DNS fingerprint support in OpenSSH
+        configure --with-dns
+(2) Generate and publish the DNS RR
+To create a DNS resource record (RR) containing a fingerprint of the
+public host key, use the following command:
+        ssh-keygen -r hostname -f keyfile -g
+where "hostname" is your fully qualified hostname and "keyfile" is the
+file containing the public host key file. If you have multiple keys,
+you should generate one RR for each key.
+In the example above, ssh-keygen will print the fingerprint in a
+generic DNS RR format parsable by most modern name server
+implementations. If your nameserver has support for the SSHFP RR, as
+defined by the draft, you can omit the -g flag and ssh-keygen will
+print a standard RR.
+To publish the fingerprint using the DNS you must add the generated RR
+to your DNS zone file and sign your zone.
+(3) Enable the ssh client to verify host keys using DNS
+To enable the ssh client to verify host keys using DNS, you have to
+add the following option to the ssh configuration file
+($HOME/.ssh/config or /etc/ssh/ssh_config):
+    VerifyHostKeyDNS yes
+Upon connection the client will try to look up the fingerprint RR
+using DNS. If the fingerprint received from the DNS server matches
+the remote host key, the user will be notified.
+        Jakob Schlyter
+        Wesley Griffin
+$OpenBSD: README.dns,v 1.1 2003/05/14 18:16:20 jakob Exp $
diff --git a/README.privsep b/README.privsep
index e8bf1db34..64adad83b 100644
--- a/README.privsep
+++ b/README.privsep
@@ -40,8 +40,7 @@ Compression will be disabled on systems without a working mmap MAP_ANON.
 PAM-enabled OpenSSH is known to function with privsep on Linux.  
 It does not function on HP-UX with a trusted system
-configuration.  PAMAuthenticationViaKbdInt does not function with
+configuration. 
-privsep.
 On Compaq Tru64 Unix, only the pre-authentication part of privsep is
 supported.  Post-authentication privsep is disabled automatically (so
@@ -62,4 +61,4 @@ process 1005 is the sshd process listening for new connections.
 process 6917 is the privileged monitor process, 6919 is the user owned
 sshd process and 6921 is the shell process.
-$Id: README.privsep,v 1.11 2003/03/21 01:18:09 mouring Exp $
+$Id: README.privsep,v 1.12 2003/08/26 00:48:15 djm Exp $
diff --git a/README.smartcard b/README.smartcard
index 29bec8dc6..88810fc83 100644
--- a/README.smartcard
+++ b/README.smartcard
@@ -1,62 +1,66 @@
 How to use smartcards with OpenSSH?
-OpenSSH contains experimental support for authentication using Cyberflex
+OpenSSH contains experimental support for authentication using
-smartcards and TODOS card readers, in addition to the cards with PKCS#15
+Cyberflex smartcards and TODOS card readers, in addition to the cards 
-structure supported by OpenSC.
+with PKCS#15 structure supported by OpenSC. To enable this you
+need to:
-WARNING: Smartcard support is still in development.
+Using libsectok:
-Keyfile formats, etc are still subject to change.
-To enable sectok support:
+(1) enable sectok support in OpenSSH:
-(1) install sectok:
+        $ ./configure --with-sectok
-        Sources and instructions are available from
+(2) If you have used a previous version of ssh with your card, you
-        http://www.citi.umich.edu/projects/smartcard/sectok.html
+    must remove the old applet and keys.
-(2) enable sectok support in OpenSSH:
-        $ ./configure --with-sectok[=/path/to/libsectok] [options]
+        $ sectok
+        sectok> login -d
+        sectok> junload Ssh.bin
+        sectok> delete 0012
+        sectok> delete sh
+        sectok> quit
-(3) load the Java Cardlet to the Cyberflex card:
+(3) load the Java Cardlet to the Cyberflex card and set card passphrase:
        $ sectok
        sectok> login -d
        sectok> jload /usr/libdata/ssh/Ssh.bin
+        sectok> setpass
+        Enter new AUT0 passphrase: 
+        Re-enter passphrase: 
        sectok> quit
-(4) load a RSA key to the card:
+        Do not forget the passphrase.  There is no way to
+        recover if you do.
-        Please don't use your production RSA keys, since
+        IMPORTANT WARNING: If you attempt to login with the
-        with the current version of sectok/ssh-keygen
+        wrong passphrase three times in a row, you will
-        the private key file is still readable.
+        destroy your card.
-        $ ssh-keygen -f /path/to/rsakey -U <readernum, eg. 0>
+(4) load a RSA key to the card:
+        $ ssh-keygen -f /path/to/rsakey -U 1
+        (where 1 is the reader number, you can also try 0)
        In spite of the name, this does not generate a key.
        It just loads an already existing key on to the card.
-(5) optional:
+(5) Optional: If you don't want to use a card passphrase, change the
+    acl on the private key file:
-        Change the card password so that only you can
-        read the private key:
        $ sectok
        sectok> login -d
-        sectok> setpass
+        sectok> acl 0012 world: w 
+         world: w 
+         AUT0: w inval 
        sectok> quit
-        This prevents reading the key but not use of the
+        If you do this, anyone who has access to your card
-        key by the card applet.
+        can assume your identity.  This is not recommended.
-        Do not forget the passphrase.  There is no way to
-        recover if you do.
-        IMPORTANT WARNING: If you attempt to login with the
-        wrong passphrase three times in a row, you will
-        destroy your card.
-To enable OpenSC support:
+Using OpenSC:
 (1) install OpenSC:
@@ -71,15 +75,19 @@ To enable OpenSC support:
        Not supported yet.
-Common smartcard options:
+Common operations:
 (1) tell the ssh client to use the card reader:
-        $ ssh -I <readernum, eg. 0> otherhost
+        $ ssh -I 1 otherhost
 (2) or tell the agent (don't forget to restart) to use the smartcard:
-        $ ssh-add -s <readernum, eg. 0>
+        $ ssh-add -s 1
 -markus,
-Sat Apr 13 13:48:10 EEST 2002
+Tue Jul 17 23:54:51 CEST 2001
+$OpenBSD: README.smartcard,v 1.8 2002/03/26 18:56:23 rees Exp $
diff --git a/TODO b/TODO
index de83000f5..bca818523 100644
--- a/TODO
+++ b/TODO
@@ -1,4 +1,19 @@
+Documentation:
+- Update the docs
+  - Update README
+  - Update INSTALL
+  - Merge INSTALL & README.privsep
+- Install FAQ?
+- General FAQ on S/Key, TIS, RSA, RSA2, DSA, etc and suggestions on when it
+  would be best to use them.  
+- Create a Documentation/ directory?
 Programming:
 - Grep for 'XXX' comments and fix
 - Link order is incorrect for some systems using Kerberos 4 and AFS. Result
@@ -21,8 +36,9 @@ Programming:
  and maybe support alternate forms of authentications like OPIE via
  pam?
- Rework PAM ChallengeResponseAuthentication
+- Improve PAM ChallengeResponseAuthentication
- - Use kbdint request packet with 0 prompts for informational messages
+ - Informational messages
+ - chauthtok
 - Use different PAM service name for kbdint vs regular auth (suggest from
   Solar Designer)
 - Ability to select which ChallengeResponseAuthentications may be used
@@ -35,70 +51,17 @@ Programming:
 - Finish integrating kernel-level auditing code for IRIX and SOLARIS
  (Gilbert.r.loomis@saic.com)
- sftp-server:  Rework to step down to 32bit ints if the platform
-  lacks 'long long' == 64bit (Notable SCO w/ SCO compiler)
- Linux hangs for 20 seconds when you do "sleep 20&exit".  All current
-  solutions break scp or leaves processes hanging around after the ssh
-  connection has ended.  It seems to be linked to two things.  One
-  select() under Linux is not as nice as others, and two the children
-  of the shell are not killed on exiting the shell.
-  A short run-down of what happens:
-  - The shell starts up, and starts its own session.  As a side-effect, it
-    gets its own process group.
-  - The child forks off sleep, and because it's in the background, puts it
-    into its own process group.  The sleep command inherits a copy of the
-    shell's descriptor for the tty as its stdout.
-  - The shell exits, but doesn't SIGHUP all of its child PIDs like it probably
-    should(?)
-  - The sshd server attempts to read from the master side of the pty, and
-    while there are still process with the pty open, no EOF is produced.
-  - The sleep command exits, closes its descriptor, sshd detects the EOF, and
-    the connection gets closed.
-  Ways we've tried fixing this in sshd, and why they didn't work out:
-  - SIGHUP the sshd's process group.
-    - The shell is in its own process group.
-  - Track process group IDs of all children before we reap them (via an extra
-    field in Session structures which holds the pgid for each child pid), and
-    SIGHUP the pgid when we reap.
-    - Background commands are in yet another process group.
-  - Close the connection when the child dies.
-    - Background commands may need to write data to the connection.  Also
-      prematurely truncates output from some commands (scp server, the
-      famous "dd if=/dev/zero bs=1000 count=100" case).
-  Known workarounds:
-  - bash: shopt huponexit on
-  - tcsh: none
-  - zsh: setopt HUP (usually the default setting)
-    (taken from email from Jason Stone to openssh-unix-dev, 5 May 2001)
-  - pdksh: ?
-  This appears to affect NetKit rsh under Linux as well: it behaves the same
-  with 'sleep 20 & exit'.
- Build an automated test suite
 - 64-bit builds on HP-UX 11.X (stevesk@pobox.com):
  - utmp/wtmp get corrupted (something in loginrec?)
  - can't build with PAM (no 64-bit libpam yet)
-Documentation:
- More and better
- Install FAQ?
- General FAQ on S/Key, TIS, RSA, RSA2, DSA, etc and suggestions on when it
-  would be best to use them.  
- Create a Documentation/ directory?
 Clean up configure/makefiles:
 - Clean up configure.ac - There are a few double #defined variables
  left to do.  HAVE_LOGIN is one of them.  Consider NOT looking for
  information in wtmpx or utmpx or any of that stuff if it's not detected
  from the start
- Fails to compile when cross compile.
+- Fails to compile when cross compile. (vinschen@redhat.com)
-  (vinschen@redhat.com)
 - Replace the whole u_intXX_t evilness in acconfig.h with something better???
 - Do it in configure.ac
@@ -118,7 +81,6 @@ Packaging:
 - HP-UX: Provide DEPOT package scripts.
  (gilbert.r.loomis@saic.com)
 PrivSep Issues:
 - mmap() issues.
  + /dev/zero solution (Solaris)
@@ -127,11 +89,11 @@ PrivSep Issues:
 - PAM 
  + See above PAM notes
 - AIX
-  + usrinfo() does not set TTY, but only required for legicy systems.  Works
+  + usrinfo() does not set TTY, but only required for legacy systems.  Works
    with PrivSep.
 - OSF
  + SIA is broken
 - Cygwin
  + Privsep for Pre-auth only (no fd passing)
-$Id: TODO,v 1.53 2003/01/12 23:00:34 djm Exp $
+$Id: TODO,v 1.55 2003/06/11 13:56:41 dtucker Exp $
diff --git a/acconfig.h b/acconfig.h
index b6e4b37cc..9bfb9b6c9 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -1,4 +1,28 @@
-/* $Id: acconfig.h,v 1.149 2003/03/10 00:38:10 djm Exp $ */
+/* $Id: acconfig.h,v 1.166 2003/09/16 01:52:19 dtucker Exp $ */
+/*
+ * Copyright (c) 1999-2003 Damien Miller.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
 #ifndef _CONFIG_H
 #define _CONFIG_H
@@ -8,9 +32,19 @@
 @TOP@
+/* Define if your platform breaks doing a seteuid before a setuid */
+#undef SETEUID_BREAKS_SETUID
+/* Define if your setreuid() is broken */
+#undef BROKEN_SETREUID
+/* Define if your setregid() is broken */
+#undef BROKEN_SETREGID
 /* Define to a Set Process Title type if your system is */
 /* supported by bsd-setproctitle.c */
 #undef SPT_TYPE
+#undef SPT_PADCHAR
 /* setgroups() NOOP allowed */
 #undef SETGROUPS_NOOP
@@ -82,6 +116,9 @@
 /* Define if you want to enable AIX4's authenticate function */
 #undef WITH_AIXAUTHENTICATE
+/* Define if your AIX loginfailed() function takes 4 arguments (AIX >= 5.2) */
+#undef AIX_LOGINFAILED_4ARG
 /* Define if you have/want arrays (cluster-wide session managment, not C arrays) */
 #undef WITH_IRIX_ARRAY
@@ -201,18 +238,15 @@
 /* Define if compiler implements __func__ */
 #undef HAVE___func__
+/* Define this is you want GSSAPI support in the version 2 protocol */
+#undef GSSAPI
 /* Define if you want Kerberos 5 support */
 #undef KRB5
 /* Define this if you are using the Heimdal version of Kerberos V5 */
 #undef HEIMDAL
-/* Define if you want Kerberos 4 support */
-#undef KRB4
-/* Define if you want AFS support */
-#undef AFS
 /* Define if you want S/Key support */
 #undef SKEY
@@ -295,9 +329,6 @@
 /* Specify location of ssh.pid */
 #undef _PATH_SSH_PIDDIR
-/* Use IPv4 for connection by default, IPv6 can still if explicity asked */
-#undef IPV4_DEFAULT
 /* getaddrinfo is broken (if present) */
 #undef BROKEN_GETADDRINFO
@@ -328,6 +359,9 @@
 /* Define in your struct dirent expects you to allocate extra space for d_name */
 #undef BROKEN_ONE_BYTE_DIRENT_D_NAME
+/* Define if your system has /etc/default/login */
+#undef HAVE_ETC_DEFAULT_LOGIN
 /* Define if your getopt(3) defines and uses optreset */
 #undef HAVE_GETOPT_OPTRESET
@@ -367,15 +401,28 @@
 /* Silly mkstemp() */
 #undef HAVE_STRICT_MKSTEMP
-/* Setproctitle emulation */
-#undef SETPROCTITLE_STRATEGY
-#undef SETPROCTITLE_PS_PADDING
 /* Some systems put this outside of libc */
 #undef HAVE_NANOSLEEP
-/* Pushing STREAMS modules incorrectly acquires a controlling TTY */
+/* Define if sshd somehow reacquires a controlling TTY after setsid() */
-#undef STREAMS_PUSH_ACQUIRES_CTTY
+#undef SSHD_ACQUIRES_CTTY
+/* Define if cmsg_type is not passed correctly */
+#undef BROKEN_CMSG_TYPE
+/* Strings used in /etc/passwd to denote locked account */
+#undef LOCKED_PASSWD_STRING
+#undef LOCKED_PASSWD_PREFIX
+#undef LOCKED_PASSWD_SUBSTR
+/* Define if DNS support is to be activated */
+#undef DNS
+/* Define if getrrsetbyname() exists */
+#undef HAVE_GETRRSETBYNAME
+/* Define if HEADER.ad exists in arpa/nameser.h */
+#undef HAVE_HEADER_AD
 @BOTTOM@
diff --git a/atomicio.c b/atomicio.c
index 47161eb3a..7637e1671 100644
--- a/atomicio.c
+++ b/atomicio.c
@@ -24,16 +24,16 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: atomicio.c,v 1.10 2001/05/08 22:48:07 markus Exp $");
+RCSID("$OpenBSD: atomicio.c,v 1.12 2003/07/31 15:50:16 avsm Exp $");
 #include "atomicio.h"
 /*
- * ensure all of data on socket comes through. f==read || f==write
+ * ensure all of data on socket comes through. f==read || f==vwrite
 */
 ssize_t
 atomicio(f, fd, _s, n)
-        ssize_t (*f) ();
+        ssize_t (*f) (int, void *, size_t);
        int fd;
        void *_s;
        size_t n;
diff --git a/atomicio.h b/atomicio.h
index e569d38c6..5c0f392ef 100644
--- a/atomicio.h
+++ b/atomicio.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: atomicio.h,v 1.4 2001/06/26 06:32:46 itojun Exp $     */
+/*      $OpenBSD: atomicio.h,v 1.5 2003/06/28 16:23:06 deraadt Exp $    */
 /*
 * Copyright (c) 1995,1999 Theo de Raadt.  All rights reserved.
@@ -26,6 +26,8 @@
 */
 /*
- * Ensure all of data on socket comes through. f==read || f==write
+ * Ensure all of data on socket comes through. f==read || f==vwrite
 */
-ssize_t atomicio(ssize_t (*)(), int, void *, size_t);
+ssize_t atomicio(ssize_t (*)(int, void *, size_t), int, void *, size_t);
+#define vwrite (ssize_t (*)(int, void *, size_t))write
diff --git a/auth-chall.c b/auth-chall.c
index 45e0c3452..6b7c8bd13 100644
--- a/auth-chall.c
+++ b/auth-chall.c
@@ -76,7 +76,33 @@ verify_response(Authctxt *authctxt, const char *response)
                return 0;
        resp[0] = (char *)response;
        res = device->respond(authctxt->kbdintctxt, 1, resp);
+        if (res == 1) {
+                /* postponed - send a null query just in case */
+                char *name, *info, **prompts;
+                u_int i, numprompts, *echo_on;
+                res = device->query(authctxt->kbdintctxt, &name, &info,
+                    &numprompts, &prompts, &echo_on);
+                if (res == 0) {
+                        for (i = 0; i < numprompts; i++)
+                                xfree(prompts[i]);
+                        xfree(prompts);
+                        xfree(name);
+                        xfree(echo_on);
+                        xfree(info);
+                }
+                /* if we received more prompts, we're screwed */
+                res = (numprompts != 0);
+        }
        device->free_ctx(authctxt->kbdintctxt);
        authctxt->kbdintctxt = NULL;
        return res ? 0 : 1;
 }
+void
+abandon_challenge_response(Authctxt *authctxt)
+{
+        if (authctxt->kbdintctxt != NULL) {
+                device->free_ctx(authctxt->kbdintctxt);
+                authctxt->kbdintctxt = NULL;
+        }
+}
diff --git a/auth-krb5.c b/auth-krb5.c
index e3e2d9751..0aa5195b8 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -28,7 +28,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-krb5.c,v 1.10 2002/11/21 23:03:51 deraadt Exp $");
+RCSID("$OpenBSD: auth-krb5.c,v 1.12 2003/08/28 12:54:34 markus Exp $");
 #include "ssh.h"
 #include "ssh1.h"
@@ -40,10 +40,8 @@ RCSID("$OpenBSD: auth-krb5.c,v 1.10 2002/11/21 23:03:51 deraadt Exp $");
 #include "auth.h"
 #ifdef KRB5
 #include <krb5.h>
-#ifndef HEIMDAL
-#define krb5_get_err_text(context,code) error_message(code)
-#endif /* !HEIMDAL */
 extern ServerOptions     options;
@@ -67,193 +65,6 @@ krb5_init(void *context)
        return (0);
 }
-/*
- * Try krb5 authentication. server_user is passed for logging purposes
- * only, in auth is received ticket, in client is returned principal
- * from the ticket
- */
-int
-auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *reply)
-{
-        krb5_error_code problem;
-        krb5_principal server;
-        krb5_ticket *ticket;
-        int fd, ret;
-        ret = 0;
-        server = NULL;
-        ticket = NULL;
-        reply->length = 0;
-        problem = krb5_init(authctxt);
-        if (problem)
-                goto err;
-        problem = krb5_auth_con_init(authctxt->krb5_ctx,
-            &authctxt->krb5_auth_ctx);
-        if (problem)
-                goto err;
-        fd = packet_get_connection_in();
-#ifdef HEIMDAL
-        problem = krb5_auth_con_setaddrs_from_fd(authctxt->krb5_ctx,
-            authctxt->krb5_auth_ctx, &fd);
-#else
-        problem = krb5_auth_con_genaddrs(authctxt->krb5_ctx, 
-            authctxt->krb5_auth_ctx,fd,
-            KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
-            KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
-#endif
-        if (problem)
-                goto err;
-        problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
-            KRB5_NT_SRV_HST, &server);
-        if (problem)
-                goto err;
-        problem = krb5_rd_req(authctxt->krb5_ctx, &authctxt->krb5_auth_ctx,
-            auth, server, NULL, NULL, &ticket);
-        if (problem)
-                goto err;
-#ifdef HEIMDAL
-        problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->client,
-            &authctxt->krb5_user);
-#else
-        problem = krb5_copy_principal(authctxt->krb5_ctx, 
-                                      ticket->enc_part2->client,
-                                      &authctxt->krb5_user);
-#endif
-        if (problem)
-                goto err;
-        /* if client wants mutual auth */
-        problem = krb5_mk_rep(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
-            reply);
-        if (problem)
-                goto err;
-        /* Check .k5login authorization now. */
-        if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
-            authctxt->pw->pw_name))
-                goto err;
-        if (client)
-                krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
-                    client);
-        ret = 1;
- err:
-        if (server)
-                krb5_free_principal(authctxt->krb5_ctx, server);
-        if (ticket)
-                krb5_free_ticket(authctxt->krb5_ctx, ticket);
-        if (!ret && reply->length) {
-                xfree(reply->data);
-                memset(reply, 0, sizeof(*reply));
-        }
-        if (problem) {
-                if (authctxt->krb5_ctx != NULL)
-                        debug("Kerberos v5 authentication failed: %s",
-                            krb5_get_err_text(authctxt->krb5_ctx, problem));
-                else
-                        debug("Kerberos v5 authentication failed: %d",
-                            problem);
-        }
-        return (ret);
-}
-int
-auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt)
-{
-        krb5_error_code problem;
-        krb5_ccache ccache = NULL;
-        char *pname;
-        krb5_creds **creds;
-        if (authctxt->pw == NULL || authctxt->krb5_user == NULL)
-                return (0);
-        temporarily_use_uid(authctxt->pw);
-#ifdef HEIMDAL
-        problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache);
-#else
-{
-        char ccname[40];
-        int tmpfd;
-        
-        snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
-        
-        if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
-                log("mkstemp(): %.100s", strerror(errno));
-                problem = errno;
-                goto fail;
-        }
-        if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
-                log("fchmod(): %.100s", strerror(errno));
-                close(tmpfd);
-                problem = errno;
-                goto fail;
-        }
-        close(tmpfd);
-        problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &ccache);
-}
-#endif
-        if (problem)
-                goto fail;
-        problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
-            authctxt->krb5_user);
-        if (problem)
-                goto fail;
-#ifdef HEIMDAL
-        problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
-            ccache, tgt);
-        if (problem)
-                goto fail;
-#else
-        problem = krb5_rd_cred(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
-            tgt, &creds, NULL);
-        if (problem)
-                goto fail;
-        problem = krb5_cc_store_cred(authctxt->krb5_ctx, ccache, *creds);
-        if (problem)
-                goto fail;
-#endif
-        authctxt->krb5_fwd_ccache = ccache;
-        ccache = NULL;
-        authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
-        problem = krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
-            &pname);
-        if (problem)
-                goto fail;
-        debug("Kerberos v5 TGT accepted (%s)", pname);
-        restore_uid();
-        return (1);
- fail:
-        if (problem)
-                debug("Kerberos v5 TGT passing failed: %s",
-                    krb5_get_err_text(authctxt->krb5_ctx, problem));
-        if (ccache)
-                krb5_cc_destroy(authctxt->krb5_ctx, ccache);
-        restore_uid();
-        return (0);
-}
 int
 auth_krb5_password(Authctxt *authctxt, const char *password)
 {
@@ -264,6 +75,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
        int tmpfd;
 #endif  
        krb5_error_code problem;
+        krb5_ccache ccache = NULL;
        if (authctxt->pw == NULL)
                return (0);
@@ -280,23 +92,35 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
                goto out;
 #ifdef HEIMDAL
-        problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops,
+        problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
-            &authctxt->krb5_fwd_ccache);
        if (problem)
                goto out;
-        problem = krb5_cc_initialize(authctxt->krb5_ctx,
+        problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
-            authctxt->krb5_fwd_ccache, authctxt->krb5_user);
+                authctxt->krb5_user);
        if (problem)
                goto out;
        restore_uid();
+        
        problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
-            authctxt->krb5_fwd_ccache, password, 1, NULL);
+            ccache, password, 1, NULL);
+        
        temporarily_use_uid(authctxt->pw);
        if (problem)
                goto out;
+        problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
+            &authctxt->krb5_fwd_ccache);
+        if (problem)
+                goto out;
+        problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
+            authctxt->krb5_fwd_ccache);
+        krb5_cc_destroy(authctxt->krb5_ctx, ccache);
+        ccache = NULL;
+        if (problem)
+                goto out;
 #else
        problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
@@ -326,13 +150,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
        snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
        
        if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
-                log("mkstemp(): %.100s", strerror(errno));
+                logit("mkstemp(): %.100s", strerror(errno));
                problem = errno;
                goto out;
        }
        
        if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
-                log("fchmod(): %.100s", strerror(errno));
+                logit("fchmod(): %.100s", strerror(errno));
                close(tmpfd);
                problem = errno;
                goto out;
@@ -360,6 +184,9 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
        restore_uid();
        if (problem) {
+                if (ccache)
+                        krb5_cc_destroy(authctxt->krb5_ctx, ccache);
                if (authctxt->krb5_ctx != NULL && problem!=-1)
                        debug("Kerberos password authentication failed: %s",
                            krb5_get_err_text(authctxt->krb5_ctx, problem));
@@ -391,11 +218,6 @@ krb5_cleanup_proc(void *context)
                krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
                authctxt->krb5_user = NULL;
        }
-        if (authctxt->krb5_auth_ctx) {
-                krb5_auth_con_free(authctxt->krb5_ctx,
-                    authctxt->krb5_auth_ctx);
-                authctxt->krb5_auth_ctx = NULL;
-        }
        if (authctxt->krb5_ctx) {
                krb5_free_context(authctxt->krb5_ctx);
                authctxt->krb5_ctx = NULL;
diff --git a/auth-options.c b/auth-options.c
index 8595fdc14..0e146ab15 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -10,7 +10,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-options.c,v 1.26 2002/07/30 17:03:55 markus Exp $");
+RCSID("$OpenBSD: auth-options.c,v 1.28 2003/06/02 09:17:34 markus Exp $");
 #include "xmalloc.h"
 #include "match.h"
@@ -173,7 +173,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
                if (strncasecmp(opts, cp, strlen(cp)) == 0) {
                        const char *remote_ip = get_remote_ipaddr();
                        const char *remote_host = get_canonical_hostname(
-                            options.verify_reverse_mapping);
+                            options.use_dns);
                        char *patterns = xmalloc(strlen(opts) + 1);
                        opts += strlen(cp);
@@ -201,7 +201,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
                        if (match_host_and_ip(remote_host, remote_ip,
                            patterns) != 1) {
                                xfree(patterns);
-                                log("Authentication tried for %.100s with "
+                                logit("Authentication tried for %.100s with "
                                    "correct key but not from a permitted "
                                    "host (host=%.200s, ip=%.200s).",
                                    pw->pw_name, remote_host, remote_ip);
@@ -287,7 +287,7 @@ next_option:
        return 1;
 bad_option:
-        log("Bad options in %.100s file, line %lu: %.50s",
+        logit("Bad options in %.100s file, line %lu: %.50s",
            file, linenum, opts);
        auth_debug_add("Bad options in %.100s file, line %lu: %.50s",
            file, linenum, opts);
diff --git a/auth-pam.c b/auth-pam.c
index cb57ba110..754cbf6df 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -1,5 +1,11 @@
-/*
+/*-
- * Copyright (c) 2000 Damien Miller.  All rights reserved.
+ * Copyright (c) 2002 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -10,446 +16,706 @@
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
 */
+/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
+RCSID("$Id: auth-pam.c,v 1.72.2.1 2003/09/16 06:00:52 djm Exp $");
 #ifdef USE_PAM
-#include "xmalloc.h"
+#include <security/pam_appl.h>
-#include "log.h"
 #include "auth.h"
-#include "auth-options.h"
 #include "auth-pam.h"
-#include "servconf.h"
+#include "buffer.h"
+#include "bufaux.h"
 #include "canohost.h"
+#include "log.h"
+#include "monitor_wrap.h"
+#include "msg.h"
+#include "packet.h"
 #include "readpass.h"
+#include "servconf.h"
+#include "ssh2.h"
+#include "xmalloc.h"
+#include "auth-options.h"
-extern char *__progname;
+extern ServerOptions options;
-extern int use_privsep;
+#define __unused
-RCSID("$Id: auth-pam.c,v 1.55.4.1 2003/04/29 09:12:08 djm Exp $");
+#ifdef USE_POSIX_THREADS
+#include <pthread.h>
+/*
+ * Avoid namespace clash when *not* using pthreads for systems *with* 
+ * pthreads, which unconditionally define pthread_t via sys/types.h 
+ * (e.g. Linux)
+ */
+typedef pthread_t sp_pthread_t; 
+#else
+/*
+ * Simulate threads with processes.
+ */
+typedef pid_t sp_pthread_t;
-#define NEW_AUTHTOK_MSG \
+static void
-        "Warning: Your password has expired, please change it now."
+pthread_exit(void *value __unused)
-#define NEW_AUTHTOK_MSG_PRIVSEP \
+{
-        "Your password has expired, the session cannot proceed."
+        _exit(0);
+}
-static int do_pam_conversation(int num_msg, const struct pam_message **msg,
+static int
-        struct pam_response **resp, void *appdata_ptr);
+pthread_create(sp_pthread_t *thread, const void *attr __unused,
+    void *(*thread_start)(void *), void *arg)
+{
+        pid_t pid;
+        switch ((pid = fork())) {
+        case -1:
+                error("fork(): %s", strerror(errno));
+                return (-1);
+        case 0:
+                thread_start(arg);
+                _exit(1);
+        default:
+                *thread = pid;
+                return (0);
+        }
+}
-/* module-local variables */
+static int
-static struct pam_conv conv = {
+pthread_cancel(sp_pthread_t thread)
-        (int (*)())do_pam_conversation,
-        NULL
-};
-static char *__pam_msg = NULL;
-static pam_handle_t *__pamh = NULL;
-static const char *__pampasswd = NULL;
-/* states for do_pam_conversation() */
-enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN;
-/* remember whether pam_acct_mgmt() returned PAM_NEW_AUTHTOK_REQD */
-static int password_change_required = 0;
-/* remember whether the last pam_authenticate() succeeded or not */
-static int was_authenticated = 0;
-/* Remember what has been initialised */
-static int session_opened = 0;
-static int creds_set = 0;
-/* accessor which allows us to switch conversation structs according to
- * the authentication method being used */
-void do_pam_set_conv(struct pam_conv *conv)
 {
-        pam_set_item(__pamh, PAM_CONV, conv);
+        return (kill(thread, SIGTERM));
 }
-/* start an authentication run */
+static int
-int do_pam_authenticate(int flags)
+pthread_join(sp_pthread_t thread, void **value __unused)
 {
-        int retval = pam_authenticate(__pamh, flags);
+        int status;
-        was_authenticated = (retval == PAM_SUCCESS);
-        return retval;
+        waitpid(thread, &status, 0);
+        return (status);
 }
+#endif
+static pam_handle_t *sshpam_handle;
+static int sshpam_err;
+static int sshpam_authenticated;
+static int sshpam_new_authtok_reqd;
+static int sshpam_session_open;
+static int sshpam_cred_established;
+struct pam_ctxt {
+        sp_pthread_t     pam_thread;
+        int              pam_psock;
+        int              pam_csock;
+        int              pam_done;
+};
+static void sshpam_free_ctx(void *);
 /*
- * PAM conversation function.
+ * Conversation function for authentication thread.
- * There are two states this can run in.
- *
- * INITIAL_LOGIN mode simply feeds the password from the client into
- * PAM in response to PAM_PROMPT_ECHO_OFF, and collects output
- * messages with into __pam_msg.  This is used during initial
- * authentication to bypass the normal PAM password prompt.
- *
- * OTHER mode handles PAM_PROMPT_ECHO_OFF with read_passphrase()
- * and outputs messages to stderr. This mode is used if pam_chauthtok()
- * is called to update expired passwords.
 */
-static int do_pam_conversation(int num_msg, const struct pam_message **msg,
+static int
-        struct pam_response **resp, void *appdata_ptr)
+sshpam_thread_conv(int n, const struct pam_message **msg,
+    struct pam_response **resp, void *data)
 {
-        struct pam_response *reply;
+        Buffer buffer;
-        int count;
+        struct pam_ctxt *ctxt;
-        char buf[1024];
+        int i;
-        /* PAM will free this later */
+        ctxt = data;
-        reply = xmalloc(num_msg * sizeof(*reply));
+        if (n <= 0 || n > PAM_MAX_NUM_MSG)
+                return (PAM_CONV_ERR);
-        for (count = 0; count < num_msg; count++) {
+        *resp = xmalloc(n * sizeof **resp);
-                if (pamstate == INITIAL_LOGIN) {
+        buffer_init(&buffer);
-                        /*
+        for (i = 0; i < n; ++i) {
-                         * We can't use stdio yet, queue messages for 
+                resp[i]->resp_retcode = 0;
-                         * printing later
+                resp[i]->resp = NULL;
-                         */
+                switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
-                        switch(PAM_MSG_MEMBER(msg, count, msg_style)) {
+                case PAM_PROMPT_ECHO_OFF:
-                        case PAM_PROMPT_ECHO_ON:
+                        buffer_put_cstring(&buffer, PAM_MSG_MEMBER(msg, i, msg));
-                                xfree(reply);
+                        ssh_msg_send(ctxt->pam_csock, 
-                                return PAM_CONV_ERR;
+                            PAM_MSG_MEMBER(msg, i, msg_style), &buffer);
-                        case PAM_PROMPT_ECHO_OFF:
+                        ssh_msg_recv(ctxt->pam_csock, &buffer);
-                                if (__pampasswd == NULL) {
+                        if (buffer_get_char(&buffer) != PAM_AUTHTOK)
-                                        xfree(reply);
+                                goto fail;
-                                        return PAM_CONV_ERR;
+                        resp[i]->resp = buffer_get_string(&buffer, NULL);
-                                }
+                        break;
-                                reply[count].resp = xstrdup(__pampasswd);
+                case PAM_PROMPT_ECHO_ON:
-                                reply[count].resp_retcode = PAM_SUCCESS;
+                        buffer_put_cstring(&buffer, PAM_MSG_MEMBER(msg, i, msg));
-                                break;
+                        ssh_msg_send(ctxt->pam_csock, 
-                        case PAM_ERROR_MSG:
+                            PAM_MSG_MEMBER(msg, i, msg_style), &buffer);
-                        case PAM_TEXT_INFO:
+                        ssh_msg_recv(ctxt->pam_csock, &buffer);
-                                if (PAM_MSG_MEMBER(msg, count, msg) != NULL) {
+                        if (buffer_get_char(&buffer) != PAM_AUTHTOK)
-                                        message_cat(&__pam_msg, 
+                                goto fail;
-                                            PAM_MSG_MEMBER(msg, count, msg));
+                        resp[i]->resp = buffer_get_string(&buffer, NULL);
-                                }
+                        break;
-                                reply[count].resp = xstrdup("");
+                case PAM_ERROR_MSG:
-                                reply[count].resp_retcode = PAM_SUCCESS;
+                        buffer_put_cstring(&buffer, PAM_MSG_MEMBER(msg, i, msg));
-                                break;
+                        ssh_msg_send(ctxt->pam_csock, 
-                        default:
+                            PAM_MSG_MEMBER(msg, i, msg_style), &buffer);
-                                xfree(reply);
+                        break;
-                                return PAM_CONV_ERR;
+                case PAM_TEXT_INFO:
-                        }
+                        buffer_put_cstring(&buffer, PAM_MSG_MEMBER(msg, i, msg));
-                } else {
+                        ssh_msg_send(ctxt->pam_csock, 
-                        /*
+                            PAM_MSG_MEMBER(msg, i, msg_style), &buffer);
-                         * stdio is connected, so interact directly
+                        break;
-                         */
+                default:
-                        switch(PAM_MSG_MEMBER(msg, count, msg_style)) {
+                        goto fail;
-                        case PAM_PROMPT_ECHO_ON:
-                                fputs(PAM_MSG_MEMBER(msg, count, msg), stderr);
-                                fgets(buf, sizeof(buf), stdin);
-                                reply[count].resp = xstrdup(buf);
-                                reply[count].resp_retcode = PAM_SUCCESS;
-                                break;
-                        case PAM_PROMPT_ECHO_OFF:
-                                reply[count].resp = 
-                                    read_passphrase(PAM_MSG_MEMBER(msg, count,
-                                        msg), RP_ALLOW_STDIN);
-                                reply[count].resp_retcode = PAM_SUCCESS;
-                                break;
-                        case PAM_ERROR_MSG:
-                        case PAM_TEXT_INFO:
-                                if (PAM_MSG_MEMBER(msg, count, msg) != NULL)
-                                        fprintf(stderr, "%s\n", 
-                                            PAM_MSG_MEMBER(msg, count, msg));
-                                reply[count].resp = xstrdup("");
-                                reply[count].resp_retcode = PAM_SUCCESS;
-                                break;
-                        default:
-                                xfree(reply);
-                                return PAM_CONV_ERR;
-                        }
                }
+                buffer_clear(&buffer);
        }
+        buffer_free(&buffer);
-        *resp = reply;
+        return (PAM_SUCCESS);
+ fail:
-        return PAM_SUCCESS;
+        while (i)
+                xfree(resp[--i]);
+        xfree(*resp);
+        *resp = NULL;
+        buffer_free(&buffer);
+        return (PAM_CONV_ERR);
 }
-/* Called at exit to cleanly shutdown PAM */
+/*
-void do_pam_cleanup_proc(void *context)
+ * Authentication thread.
+ */
+static void *
+sshpam_thread(void *ctxtp)
 {
-        int pam_retval = PAM_SUCCESS;
+        struct pam_ctxt *ctxt = ctxtp;
+        Buffer buffer;
+        struct pam_conv sshpam_conv;
+#ifndef USE_POSIX_THREADS
+        const char *pam_user;
+        pam_get_item(sshpam_handle, PAM_USER, (const void **)&pam_user);
+        setproctitle("%s [pam]", pam_user);
+#endif
-        if (__pamh && session_opened) {
+        sshpam_conv.conv = sshpam_thread_conv;
-                pam_retval = pam_close_session(__pamh, 0);
+        sshpam_conv.appdata_ptr = ctxt;
-                if (pam_retval != PAM_SUCCESS)
-                        log("Cannot close PAM session[%d]: %.200s",
+        buffer_init(&buffer);
-                            pam_retval, PAM_STRERROR(__pamh, pam_retval));
+        sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
-        }
+            (const void *)&sshpam_conv);
+        if (sshpam_err != PAM_SUCCESS)
+                goto auth_fail;
+        sshpam_err = pam_authenticate(sshpam_handle, 0);
+        if (sshpam_err != PAM_SUCCESS)
+                goto auth_fail;
+        buffer_put_cstring(&buffer, "OK");
+        ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer);
+        buffer_free(&buffer);
+        pthread_exit(NULL);
+ auth_fail:
+        buffer_put_cstring(&buffer,
+            pam_strerror(sshpam_handle, sshpam_err));
+        ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
+        buffer_free(&buffer);
+        pthread_exit(NULL);
+        
+        return (NULL); /* Avoid warning for non-pthread case */
+}
-        if (__pamh && creds_set) {
+static void
-                pam_retval = pam_setcred(__pamh, PAM_DELETE_CRED);
+sshpam_thread_cleanup(void *ctxtp)
-                if (pam_retval != PAM_SUCCESS)
+{
-                        debug("Cannot delete credentials[%d]: %.200s", 
+        struct pam_ctxt *ctxt = ctxtp;
-                            pam_retval, PAM_STRERROR(__pamh, pam_retval));
-        }
-        if (__pamh) {
+        pthread_cancel(ctxt->pam_thread);
-                pam_retval = pam_end(__pamh, pam_retval);
+        pthread_join(ctxt->pam_thread, NULL);
-                if (pam_retval != PAM_SUCCESS)
+        close(ctxt->pam_psock);
-                        log("Cannot release PAM authentication[%d]: %.200s",
+        close(ctxt->pam_csock);
-                            pam_retval, PAM_STRERROR(__pamh, pam_retval));
-        }
 }
-/* Attempt password authentication using PAM */
+static int
-int auth_pam_password(Authctxt *authctxt, const char *password)
+sshpam_null_conv(int n, const struct pam_message **msg,
+    struct pam_response **resp, void *data)
 {
-        extern ServerOptions options;
+        return (PAM_CONV_ERR);
-        int pam_retval;
+}
-        struct passwd *pw = authctxt->pw;
-        do_pam_set_conv(&conv);
+static struct pam_conv null_conv = { sshpam_null_conv, NULL };
-        __pampasswd = password;
+static void
+sshpam_cleanup(void *arg)
+{
+        (void)arg;
+        debug("PAM: cleanup");
+        pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
+        if (sshpam_cred_established) {
+                pam_setcred(sshpam_handle, PAM_DELETE_CRED);
+                sshpam_cred_established = 0;
+        }
+        if (sshpam_session_open) {
+                pam_close_session(sshpam_handle, PAM_SILENT);
+                sshpam_session_open = 0;
+        }
+        sshpam_authenticated = sshpam_new_authtok_reqd = 0;
+        pam_end(sshpam_handle, sshpam_err);
+        sshpam_handle = NULL;
+}
-        pamstate = INITIAL_LOGIN;
+static int
-        pam_retval = do_pam_authenticate(
+sshpam_init(const char *user)
-            options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
+{
-        if (pam_retval == PAM_SUCCESS && pw) {
+        extern u_int utmp_len;
-                debug("PAM password authentication accepted for "
+        extern char *__progname;
-                    "%.100s", pw->pw_name);
+        const char *pam_rhost, *pam_user;
-                return 1;
-        } else {
+        if (sshpam_handle != NULL) {
-                debug("PAM password authentication failed for "
+                /* We already have a PAM context; check if the user matches */
-                    "%.100s: %s", pw ? pw->pw_name : "an illegal user",
+                sshpam_err = pam_get_item(sshpam_handle,
-                    PAM_STRERROR(__pamh, pam_retval));
+                    PAM_USER, (const void **)&pam_user);
-                return 0;
+                if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0)
+                        return (0);
+                fatal_remove_cleanup(sshpam_cleanup, NULL);
+                pam_end(sshpam_handle, sshpam_err);
+                sshpam_handle = NULL;
+        }
+        debug("PAM: initializing for \"%s\"", user);
+        sshpam_err =
+            pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle);
+        if (sshpam_err != PAM_SUCCESS) {
+                pam_end(sshpam_handle, sshpam_err);
+                sshpam_handle = NULL;
+                return (-1);
        }
+        pam_rhost = get_remote_name_or_ip(utmp_len, options.use_dns);
+        debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost);
+        sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost);
+        if (sshpam_err != PAM_SUCCESS) {
+                pam_end(sshpam_handle, sshpam_err);
+                sshpam_handle = NULL;
+                return (-1);
+        }
+#ifdef PAM_TTY_KLUDGE
+        /*
+         * Some silly PAM modules (e.g. pam_time) require a TTY to operate.
+         * sshd doesn't set the tty until too late in the auth process and 
+         * may not even set one (for tty-less connections)
+         */
+        debug("PAM: setting PAM_TTY to \"ssh\"");
+        sshpam_err = pam_set_item(sshpam_handle, PAM_TTY, "ssh");
+        if (sshpam_err != PAM_SUCCESS) {
+                pam_end(sshpam_handle, sshpam_err);
+                sshpam_handle = NULL;
+                return (-1);
+        }
+#endif
+        fatal_add_cleanup(sshpam_cleanup, NULL);
+        return (0);
 }
-/* Do account management using PAM */
+static void *
-int do_pam_account(char *username, char *remote_user)
+sshpam_init_ctx(Authctxt *authctxt)
 {
-        int pam_retval;
+        struct pam_ctxt *ctxt;
+        int socks[2];
-        do_pam_set_conv(&conv);
+        /* Refuse to start if we don't have PAM enabled */
+        if (!options.use_pam)
+                return NULL;
-        if (remote_user) {
+        /* Initialize PAM */
-                debug("PAM setting ruser to \"%.200s\"", remote_user);
+        if (sshpam_init(authctxt->user) == -1) {
-                pam_retval = pam_set_item(__pamh, PAM_RUSER, remote_user);
+                error("PAM: initialization failed");
-                if (pam_retval != PAM_SUCCESS)
+                return (NULL);
-                        fatal("PAM set ruser failed[%d]: %.200s", pam_retval, 
-                            PAM_STRERROR(__pamh, pam_retval));
        }
-        pam_retval = pam_acct_mgmt(__pamh, 0);
+        ctxt = xmalloc(sizeof *ctxt);
-        debug2("pam_acct_mgmt() = %d", pam_retval);
+        ctxt->pam_done = 0;
-        switch (pam_retval) {
-                case PAM_SUCCESS:
+        /* Start the authentication thread */
-                        /* This is what we want */
+        if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
-                        break;
+                error("PAM: failed create sockets: %s", strerror(errno));
-#if 0
+                xfree(ctxt);
-                case PAM_NEW_AUTHTOK_REQD:
+                return (NULL);
-                        message_cat(&__pam_msg, use_privsep ?
+        }
-                            NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG);
+        ctxt->pam_psock = socks[0];
-                        /* flag that password change is necessary */
+        ctxt->pam_csock = socks[1];
-                        password_change_required = 1;
+        if (pthread_create(&ctxt->pam_thread, NULL, sshpam_thread, ctxt) == -1) {
-                        /* disallow other functionality for now */
+                error("PAM: failed to start authentication thread: %s",
-                        no_port_forwarding_flag |= 2;
+                    strerror(errno));
-                        no_agent_forwarding_flag |= 2;
+                close(socks[0]);
-                        no_x11_forwarding_flag |= 2;
+                close(socks[1]);
+                xfree(ctxt);
+                return (NULL);
+        }
+        fatal_add_cleanup(sshpam_thread_cleanup, ctxt);
+        return (ctxt);
+}
+static int
+sshpam_query(void *ctx, char **name, char **info,
+    u_int *num, char ***prompts, u_int **echo_on)
+{
+        Buffer buffer;
+        struct pam_ctxt *ctxt = ctx;
+        size_t plen;
+        u_char type;
+        char *msg;
+        size_t len;
+        buffer_init(&buffer);
+        *name = xstrdup("");
+        *info = xstrdup("");
+        *prompts = xmalloc(sizeof(char *));
+        **prompts = NULL;
+        plen = 0;
+        *echo_on = xmalloc(sizeof(u_int));
+        while (ssh_msg_recv(ctxt->pam_psock, &buffer) == 0) {
+                type = buffer_get_char(&buffer);
+                msg = buffer_get_string(&buffer, NULL);
+                switch (type) {
+                case PAM_PROMPT_ECHO_ON:
+                case PAM_PROMPT_ECHO_OFF:
+                        *num = 1;
+                        len = plen + strlen(msg) + 1;
+                        **prompts = xrealloc(**prompts, len);
+                        plen += snprintf(**prompts + plen, len, "%s", msg);
+                        **echo_on = (type == PAM_PROMPT_ECHO_ON);
+                        xfree(msg);
+                        return (0);
+                case PAM_ERROR_MSG:
+                case PAM_TEXT_INFO:
+                        /* accumulate messages */
+                        len = plen + strlen(msg) + 1;
+                        **prompts = xrealloc(**prompts, len);
+                        plen += snprintf(**prompts + plen, len, "%s", msg);
+                        xfree(msg);
                        break;
+                case PAM_SUCCESS:
+                case PAM_AUTH_ERR:
+                        if (**prompts != NULL) {
+                                /* drain any accumulated messages */
+#if 0 /* XXX - not compatible with privsep */
+                                packet_start(SSH2_MSG_USERAUTH_BANNER);
+                                packet_put_cstring(**prompts);
+                                packet_put_cstring("");
+                                packet_send();
+                                packet_write_wait();
 #endif
+                                xfree(**prompts);
+                                **prompts = NULL;
+                        }
+                        if (type == PAM_SUCCESS) {
+                                *num = 0;
+                                **echo_on = 0;
+                                ctxt->pam_done = 1;
+                                xfree(msg);
+                                return (0);
+                        }
+                        error("PAM: %s", msg);
                default:
-                        log("PAM rejected by account configuration[%d]: "
+                        *num = 0;
-                            "%.200s", pam_retval, PAM_STRERROR(__pamh, 
+                        **echo_on = 0;
-                            pam_retval));
+                        xfree(msg);
-                        return(0);
+                        ctxt->pam_done = -1;
+                        return (-1);
+                }
        }
+        return (-1);
+}
-        return(1);
+/* XXX - see also comment in auth-chall.c:verify_response */
+static int
+sshpam_respond(void *ctx, u_int num, char **resp)
+{
+        Buffer buffer;
+        struct pam_ctxt *ctxt = ctx;
+        debug2("PAM: %s", __func__);
+        switch (ctxt->pam_done) {
+        case 1:
+                sshpam_authenticated = 1;
+                return (0);
+        case 0:
+                break;
+        default:
+                return (-1);
+        }
+        if (num != 1) {
+                error("PAM: expected one response, got %u", num);
+                return (-1);
+        }
+        buffer_init(&buffer);
+        buffer_put_cstring(&buffer, *resp);
+        ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer);
+        buffer_free(&buffer);
+        return (1);
 }
-/* Do PAM-specific session initialisation */
+static void
-void do_pam_session(char *username, const char *ttyname)
+sshpam_free_ctx(void *ctxtp)
 {
-        int pam_retval;
+        struct pam_ctxt *ctxt = ctxtp;
-        do_pam_set_conv(&conv);
+        fatal_remove_cleanup(sshpam_thread_cleanup, ctxt);
+        sshpam_thread_cleanup(ctxtp);
+        xfree(ctxt);
+        /*
+         * We don't call sshpam_cleanup() here because we may need the PAM
+         * handle at a later stage, e.g. when setting up a session.  It's
+         * still on the cleanup list, so pam_end() *will* be called before
+         * the server process terminates.
+         */
+}
-        if (ttyname != NULL) {
+KbdintDevice sshpam_device = {
-                debug("PAM setting tty to \"%.200s\"", ttyname);
+        "pam",
-                pam_retval = pam_set_item(__pamh, PAM_TTY, ttyname);
+        sshpam_init_ctx,
-                if (pam_retval != PAM_SUCCESS)
+        sshpam_query,
-                        fatal("PAM set tty failed[%d]: %.200s",
+        sshpam_respond,
-                            pam_retval, PAM_STRERROR(__pamh, pam_retval));
+        sshpam_free_ctx
-        }
+};
-        pam_retval = pam_open_session(__pamh, 0);
+KbdintDevice mm_sshpam_device = {
-        if (pam_retval != PAM_SUCCESS)
+        "pam",
-                fatal("PAM session setup failed[%d]: %.200s",
+        mm_sshpam_init_ctx,
-                    pam_retval, PAM_STRERROR(__pamh, pam_retval));
+        mm_sshpam_query,
+        mm_sshpam_respond,
+        mm_sshpam_free_ctx
+};
+/*
+ * This replaces auth-pam.c
+ */
+void
+start_pam(const char *user)
+{
+        if (!options.use_pam)
+                fatal("PAM: initialisation requested when UsePAM=no");
-        session_opened = 1;
+        if (sshpam_init(user) == -1)
+                fatal("PAM: initialisation failed");
 }
-/* Set PAM credentials */
+void
-void do_pam_setcred(int init)
+finish_pam(void)
 {
-        int pam_retval;
+        fatal_remove_cleanup(sshpam_cleanup, NULL);
+        sshpam_cleanup(NULL);
+}
-        if (__pamh == NULL)
+u_int
-                return;
+do_pam_account(void)
+{
+        sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
+        debug3("%s: pam_acct_mgmt = %d", __func__, sshpam_err);
+        
+        if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD)
+                return (0);
+        if (sshpam_err == PAM_NEW_AUTHTOK_REQD) {
+                sshpam_new_authtok_reqd = 1;
+                /* Prevent forwardings until password changed */
+                no_port_forwarding_flag |= 2;
+                no_agent_forwarding_flag |= 2;
+                no_x11_forwarding_flag |= 2;
+        }
-        do_pam_set_conv(&conv);
+        return (1);
-        debug("PAM establishing creds");
-        pam_retval = pam_setcred(__pamh, 
-            init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED);
-        if (pam_retval != PAM_SUCCESS) {
-                if (was_authenticated)
-                        fatal("PAM setcred failed[%d]: %.200s",
-                            pam_retval, PAM_STRERROR(__pamh, pam_retval));
-                else
-                        debug("PAM setcred failed[%d]: %.200s",
-                            pam_retval, PAM_STRERROR(__pamh, pam_retval));
-        } else
-                creds_set = 1;
 }
-/* accessor function for file scope static variable */
+void
-int is_pam_password_change_required(void)
+do_pam_session(void)
 {
-        return password_change_required;
+        sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, 
+            (const void *)&null_conv);
+        if (sshpam_err != PAM_SUCCESS)
+                fatal("PAM: failed to set PAM_CONV: %s",
+                    pam_strerror(sshpam_handle, sshpam_err));
+        sshpam_err = pam_open_session(sshpam_handle, 0);
+        if (sshpam_err != PAM_SUCCESS)
+                fatal("PAM: pam_open_session(): %s",
+                    pam_strerror(sshpam_handle, sshpam_err));
+        sshpam_session_open = 1;
 }
-/*
+void
- * Have user change authentication token if pam_acct_mgmt() indicated
+do_pam_set_tty(const char *tty)
- * it was expired.  This needs to be called after an interactive
- * session is established and the user's pty is connected to
- * stdin/stdout/stderr.
- */
-void do_pam_chauthtok(void)
 {
-        int pam_retval;
+        if (tty != NULL) {
+                debug("PAM: setting PAM_TTY to \"%s\"", tty);
-        do_pam_set_conv(&conv);
+                sshpam_err = pam_set_item(sshpam_handle, PAM_TTY, tty);
+                if (sshpam_err != PAM_SUCCESS)
-        if (password_change_required) {
+                        fatal("PAM: failed to set PAM_TTY: %s",
-                if (use_privsep)
+                            pam_strerror(sshpam_handle, sshpam_err));
-                        fatal("Password changing is currently unsupported"
+        }
-                            " with privilege separation");
+}
-                pamstate = OTHER;
-                pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+void
-                if (pam_retval != PAM_SUCCESS)
+do_pam_setcred(int init)
-                        fatal("PAM pam_chauthtok failed[%d]: %.200s",
+{
-                            pam_retval, PAM_STRERROR(__pamh, pam_retval));
+        sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
-#if 0
+            (const void *)&null_conv);
-                /* XXX: This would need to be done in the parent process,
+        if (sshpam_err != PAM_SUCCESS)
-                 * but there's currently no way to pass such request. */
+                fatal("PAM: failed to set PAM_CONV: %s",
-                no_port_forwarding_flag &= ~2;
+                    pam_strerror(sshpam_handle, sshpam_err));
-                no_agent_forwarding_flag &= ~2;
+        if (init) {
-                no_x11_forwarding_flag &= ~2;
+                debug("PAM: establishing credentials");
-                if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
+                sshpam_err = pam_setcred(sshpam_handle, PAM_ESTABLISH_CRED);
-                        channel_permit_all_opens();
+        } else {
-#endif
+                debug("PAM: reinitializing credentials");
+                sshpam_err = pam_setcred(sshpam_handle, PAM_REINITIALIZE_CRED);
+        }
+        if (sshpam_err == PAM_SUCCESS) {
+                sshpam_cred_established = 1;
+                return;
        }
+        if (sshpam_authenticated)
+                fatal("PAM: pam_setcred(): %s",
+                    pam_strerror(sshpam_handle, sshpam_err));
+        else
+                debug("PAM: pam_setcred(): %s",
+                    pam_strerror(sshpam_handle, sshpam_err));
 }
-/* Cleanly shutdown PAM */
+int
-void finish_pam(void)
+is_pam_password_change_required(void)
 {
-        do_pam_cleanup_proc(NULL);
+        return (sshpam_new_authtok_reqd);
-        fatal_remove_cleanup(&do_pam_cleanup_proc, NULL);
 }
-/* Start PAM authentication for specified account */
+static int
-void start_pam(const char *user)
+pam_chauthtok_conv(int n, const struct pam_message **msg,
+    struct pam_response **resp, void *data)
 {
-        int pam_retval;
+        char input[PAM_MAX_MSG_SIZE];
-        extern ServerOptions options;
+        int i;
-        extern u_int utmp_len;
-        const char *rhost;
-        debug("Starting up PAM with username \"%.200s\"", user);
+        if (n <= 0 || n > PAM_MAX_NUM_MSG)
+                return (PAM_CONV_ERR);
+        *resp = xmalloc(n * sizeof **resp);
+        for (i = 0; i < n; ++i) {
+                switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
+                case PAM_PROMPT_ECHO_OFF:
+                        resp[i]->resp =
+                            read_passphrase(PAM_MSG_MEMBER(msg, i, msg), 
+                            RP_ALLOW_STDIN);
+                        resp[i]->resp_retcode = PAM_SUCCESS;
+                        break;
+                case PAM_PROMPT_ECHO_ON:
+                        fputs(PAM_MSG_MEMBER(msg, i, msg), stderr);
+                        fgets(input, sizeof input, stdin);
+                        resp[i]->resp = xstrdup(input);
+                        resp[i]->resp_retcode = PAM_SUCCESS;
+                        break;
+                case PAM_ERROR_MSG:
+                case PAM_TEXT_INFO:
+                        fputs(PAM_MSG_MEMBER(msg, i, msg), stderr);
+                        resp[i]->resp_retcode = PAM_SUCCESS;
+                        break;
+                default:
+                        goto fail;
+                }
+        }
+        return (PAM_SUCCESS);
+ fail:
+        while (i)
+                xfree(resp[--i]);
+        xfree(*resp);
+        *resp = NULL;
+        return (PAM_CONV_ERR);
+}
-        pam_retval = pam_start(SSHD_PAM_SERVICE, user, &conv, &__pamh);
+/*
+ * XXX this should be done in the authentication phase, but ssh1 doesn't
+ * support that
+ */
+void
+do_pam_chauthtok(void)
+{
+        struct pam_conv pam_conv;
+        pam_conv.conv = pam_chauthtok_conv;
+        pam_conv.appdata_ptr = NULL;
+        if (use_privsep)
+                fatal("Password expired (unable to change with privsep)");
+        sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
+            (const void *)&pam_conv);
+        if (sshpam_err != PAM_SUCCESS)
+                fatal("PAM: failed to set PAM_CONV: %s",
+                    pam_strerror(sshpam_handle, sshpam_err));
+        debug("PAM: changing password");
+        sshpam_err = pam_chauthtok(sshpam_handle, PAM_CHANGE_EXPIRED_AUTHTOK);
+        if (sshpam_err != PAM_SUCCESS)
+                fatal("PAM: pam_chauthtok(): %s",
+                    pam_strerror(sshpam_handle, sshpam_err));
+}
-        if (pam_retval != PAM_SUCCESS)
+/* 
-                fatal("PAM initialisation failed[%d]: %.200s",
+ * Set a PAM environment string. We need to do this so that the session
-                    pam_retval, PAM_STRERROR(__pamh, pam_retval));
+ * modules can handle things like Kerberos/GSI credentials that appear
+ * during the ssh authentication process.
+ */
-        rhost = get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping);
+int
-        debug("PAM setting rhost to \"%.200s\"", rhost);
+do_pam_putenv(char *name, char *value) 
+{
+        int ret = 1;
+#ifdef HAVE_PAM_PUTENV  
+        char *compound;
+        size_t len;
-        pam_retval = pam_set_item(__pamh, PAM_RHOST, rhost);
+        len = strlen(name) + strlen(value) + 2;
-        if (pam_retval != PAM_SUCCESS)
+        compound = xmalloc(len);
-                fatal("PAM set rhost failed[%d]: %.200s", pam_retval,
-                    PAM_STRERROR(__pamh, pam_retval));
-#ifdef PAM_TTY_KLUDGE
-        /*
-         * Some PAM modules (e.g. pam_time) require a TTY to operate,
-         * and will fail in various stupid ways if they don't get one.
-         * sshd doesn't set the tty until too late in the auth process and may
-         * not even need one (for tty-less connections)
-         * Kludge: Set a fake PAM_TTY
-         */
-        pam_retval = pam_set_item(__pamh, PAM_TTY, "NODEVssh");
-        if (pam_retval != PAM_SUCCESS)
-                fatal("PAM set tty failed[%d]: %.200s",
-                    pam_retval, PAM_STRERROR(__pamh, pam_retval));
-#endif /* PAM_TTY_KLUDGE */
-        fatal_add_cleanup(&do_pam_cleanup_proc, NULL);
+        snprintf(compound, len, "%s=%s", name, value);
-}
+        ret = pam_putenv(sshpam_handle, compound);
+        xfree(compound);
+#endif
-/* Return list of PAM environment strings */
+        return (ret);
-char **fetch_pam_environment(void)
-{
-#ifdef HAVE_PAM_GETENVLIST
-        return(pam_getenvlist(__pamh));
-#else /* HAVE_PAM_GETENVLIST */
-        return(NULL);
-#endif /* HAVE_PAM_GETENVLIST */
 }
-void free_pam_environment(char **env)
+void
+print_pam_messages(void)
 {
-        int i;
+        /* XXX */
-        if (env != NULL) {
-                for (i = 0; env[i] != NULL; i++)
-                        xfree(env[i]);
-        }
 }
-/* Print any messages that have been generated during authentication */
+char **
-/* or account checking to stderr */
+fetch_pam_environment(void)
-void print_pam_messages(void)
 {
-        if (__pam_msg != NULL)
+#ifdef HAVE_PAM_GETENVLIST
-                fputs(__pam_msg, stderr);
+        debug("PAM: retrieving environment");
+        return (pam_getenvlist(sshpam_handle));
+#else
+        return (NULL);
+#endif
 }
-/* Append a message to buffer */
+void
-void message_cat(char **p, const char *a)
+free_pam_environment(char **env)
 {
-        char *cp;
+        char **envp;
-        size_t new_len;
-        new_len = strlen(a);
-        if (*p) {
+        if (env == NULL)
-                size_t len = strlen(*p);
+                return;
-                *p = xrealloc(*p, new_len + len + 2);
-                cp = *p + len;
-        } else
-                *p = cp = xmalloc(new_len + 2);
-        memcpy(cp, a, new_len);
+        for (envp = env; *envp; envp++)
-        cp[new_len] = '\n';
+                xfree(*envp);
-        cp[new_len + 1] = '\0';
+        xfree(env);
 }
 #endif /* USE_PAM */
diff --git a/auth-pam.h b/auth-pam.h
index 7881b6b80..5c952f305 100644
--- a/auth-pam.h
+++ b/auth-pam.h
@@ -1,4 +1,4 @@
-/* $Id: auth-pam.h,v 1.16 2002/07/23 00:44:07 stevesk Exp $ */
+/* $Id: auth-pam.h,v 1.21 2003/09/02 13:18:53 djm Exp $ */
 /*
 * Copyright (c) 2000 Damien Miller.  All rights reserved.
@@ -31,19 +31,17 @@
 # define SSHD_PAM_SERVICE               __progname
 #endif
-void start_pam(const char *user);
+void start_pam(const char *);
 void finish_pam(void);
-int auth_pam_password(Authctxt *authctxt, const char *password);
+u_int do_pam_account(void);
-char **fetch_pam_environment(void);
+void do_pam_session(void);
-void free_pam_environment(char **env);
+void do_pam_set_tty(const char *);
-int do_pam_authenticate(int flags);
+void do_pam_setcred(int );
-int do_pam_account(char *username, char *remote_user);
-void do_pam_session(char *username, const char *ttyname);
-void do_pam_setcred(int init);
-void print_pam_messages(void);
 int is_pam_password_change_required(void);
 void do_pam_chauthtok(void);
-void do_pam_set_conv(struct pam_conv *);
+int do_pam_putenv(char *, char *);
-void message_cat(char **p, const char *a);
+void print_pam_messages(void);
+char ** fetch_pam_environment(void);
+void free_pam_environment(char **);
 #endif /* USE_PAM */
diff --git a/auth-passwd.c b/auth-passwd.c
index 62ea3a52d..95cc134de 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -36,55 +36,20 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $");
+RCSID("$OpenBSD: auth-passwd.c,v 1.29 2003/08/26 09:58:43 markus Exp $");
 #include "packet.h"
 #include "log.h"
 #include "servconf.h"
 #include "auth.h"
-#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)
-/* Don't need any of these headers for the PAM or SIA cases */
-# ifdef HAVE_CRYPT_H
-#  include <crypt.h>
-# endif
-# ifdef WITH_AIXAUTHENTICATE
-#  include <login.h>
-# endif
-# ifdef __hpux
-#  include <hpsecurity.h>
-#  include <prot.h>
-# endif
-# ifdef HAVE_SECUREWARE
-#  include <sys/security.h>
-#  include <sys/audit.h>
-#  include <prot.h>
-# endif /* HAVE_SECUREWARE */
-# if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
-#  include <shadow.h>
-# endif
-# if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
-#  include <sys/label.h>
-#  include <sys/audit.h>
-#  include <pwdadj.h>
-# endif
-# if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
-#  include "md5crypt.h"
-# endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */
-# ifdef HAVE_CYGWIN
-#  undef ERROR
-#  include <windows.h>
-#  include <sys/cygwin.h>
-#  define is_winnt       (GetVersion() < 0x80000000)
-# endif
-#endif /* !USE_PAM && !HAVE_OSF_SIA */
-extern ServerOptions options;
 #ifdef WITH_AIXAUTHENTICATE
-extern char *aixloginmsg;
+# include "buffer.h"
+# include "canohost.h"
+extern Buffer loginmsg;
 #endif
+extern ServerOptions options;
 /*
 * Tries to authenticate the user using password.  Returns true if
 * authentication succeeds.
@@ -94,50 +59,25 @@ auth_password(Authctxt *authctxt, const char *password)
 {
        struct passwd * pw = authctxt->pw;
        int ok = authctxt->valid;
-#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)
-        char *encrypted_password;
-        char *pw_password;
-        char *salt;
-# if defined(__hpux) || defined(HAVE_SECUREWARE)
-        struct pr_passwd *spw;
-# endif /* __hpux || HAVE_SECUREWARE */
-# if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
-        struct spwd *spw;
-# endif
-# if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
-        struct passwd_adjunct *spw;
-# endif
-# ifdef WITH_AIXAUTHENTICATE
-        char *authmsg;
-        int authsuccess;
-        int reenter = 1;
-# endif
-#endif /* !defined(USE_PAM) && !defined(HAVE_OSF_SIA) */
        /* deny if no user. */
        if (pw == NULL)
-                ok = 0;
+                return 0;
 #ifndef HAVE_CYGWIN
        if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
                ok = 0;
 #endif
        if (*password == '\0' && options.permit_empty_passwd == 0)
-                ok = 0;
-#if defined(USE_PAM)
-        return auth_pam_password(authctxt, password) && ok;
-#elif defined(HAVE_OSF_SIA)
-        if (!ok)
                return 0;
-        return auth_sia_password(authctxt, password);
+#if defined(HAVE_OSF_SIA)
+        return auth_sia_password(authctxt, password) && ok;
 #else
-        if (!ok)
-                return 0;
 # ifdef KRB5
        if (options.kerberos_authentication == 1) {
                int ret = auth_krb5_password(authctxt, password);
                if (ret == 1 || ret == 0)
-                        return ret;
+                        return ret && ok;
                /* Fall back to ordinary passwd authentication. */
        }
 # endif
@@ -148,27 +88,47 @@ auth_password(Authctxt *authctxt, const char *password)
                if (hToken == INVALID_HANDLE_VALUE)
                        return 0;
                cygwin_set_impersonation_token(hToken);
-                return 1;
+                return ok;
        }
 # endif
 # ifdef WITH_AIXAUTHENTICATE
-        authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
+        {
+                char *authmsg = NULL;
-        if (authsuccess)
+                int reenter = 1;
-                /* We don't have a pty yet, so just label the line as "ssh" */
+                int authsuccess = 0;
-                if (loginsuccess(authctxt->user,
-                        get_canonical_hostname(options.verify_reverse_mapping),
+                if (authenticate(pw->pw_name, password, &reenter,
-                        "ssh", &aixloginmsg) < 0)
+                    &authmsg) == 0 && ok) {
-                                aixloginmsg = NULL;
+                        char *msg;
+                        char *host = 
-        return(authsuccess);
+                            (char *)get_canonical_hostname(options.use_dns);
-# endif
-# ifdef KRB4
+                        authsuccess = 1;
-        if (options.kerberos_authentication == 1) {
+                        aix_remove_embedded_newlines(authmsg);  
-                int ret = auth_krb4_password(authctxt, password);
-                if (ret == 1 || ret == 0)
+                        debug3("AIX/authenticate succeeded for user %s: %.100s",
-                        return ret;
+                                pw->pw_name, authmsg);
-                /* Fall back to ordinary passwd authentication. */
+                        /* No pty yet, so just label the line as "ssh" */
+                        aix_setauthdb(authctxt->user);
+                        if (loginsuccess(authctxt->user, host, "ssh", 
+                            &msg) == 0) {
+                                if (msg != NULL) {
+                                        debug("%s: msg %s", __func__, msg);
+                                        buffer_append(&loginmsg, msg, 
+                                            strlen(msg));
+                                        xfree(msg);
+                                }
+                        }
+                } else {
+                        debug3("AIX/authenticate failed for user %s: %.100s",
+                            pw->pw_name, authmsg);
+                }
+                if (authmsg != NULL)
+                        xfree(authmsg);
+                return authsuccess;
        }
 # endif
 # ifdef BSD_AUTH
@@ -176,64 +136,28 @@ auth_password(Authctxt *authctxt, const char *password)
            (char *)password) == 0)
                return 0;
        else
-                return 1;
+                return ok;
-# endif
+# else
-        pw_password = pw->pw_passwd;
+        {
+        /* Just use the supplied fake password if authctxt is invalid */
-        /*
+        char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
-         * Various interfaces to shadow or protected password data
-         */
-# if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
-        spw = getspnam(pw->pw_name);
-        if (spw != NULL)
-                pw_password = spw->sp_pwdp;
-# endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
-# if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
-        if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL)
-                pw_password = spw->pwa_passwd;
-# endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */
-# ifdef HAVE_SECUREWARE
-        if ((spw = getprpwnam(pw->pw_name)) != NULL)
-                pw_password = spw->ufld.fd_encrypt;
-# endif /* HAVE_SECUREWARE */
-# if defined(__hpux) && !defined(HAVE_SECUREWARE)
-        if (iscomsec() && (spw = getprpwnam(pw->pw_name)) != NULL)
-                pw_password = spw->ufld.fd_encrypt;
-# endif /* defined(__hpux) && !defined(HAVE_SECUREWARE) */
        /* Check for users with no password. */
-        if ((password[0] == '\0') && (pw_password[0] == '\0'))
+        if (strcmp(pw_password, "") == 0 && strcmp(pw->pw_passwd, "") == 0)
-                return 1;
+                return ok;
+        else {
-        if (pw_password[0] != '\0')
+                /* Encrypt the candidate password using the proper salt. */
-                salt = pw_password;
+                char *encrypted_password = xcrypt(password,
-        else
+                    (pw_password[0] && pw_password[1]) ? pw_password : "xx");
-                salt = "xx";
+                /*
+                 * Authentication is accepted if the encrypted passwords
+                 * are identical.
+                 */
+                return (strcmp(encrypted_password, pw_password) == 0) && ok;
+        }
-# ifdef HAVE_MD5_PASSWORDS
+        }
-        if (is_md5_salt(salt))
+# endif
-                encrypted_password = md5_crypt(password, salt);
+#endif /* !HAVE_OSF_SIA */
-        else
-                encrypted_password = crypt(password, salt);
-# else /* HAVE_MD5_PASSWORDS */
-#  if defined(__hpux) && !defined(HAVE_SECUREWARE)
-        if (iscomsec())
-                encrypted_password = bigcrypt(password, salt);
-        else
-                encrypted_password = crypt(password, salt);
-#  else
-#   ifdef HAVE_SECUREWARE
-        encrypted_password = bigcrypt(password, salt);
-#   else
-        encrypted_password = crypt(password, salt);
-#   endif /* HAVE_SECUREWARE */
-#  endif /* __hpux && !defined(HAVE_SECUREWARE) */
-# endif /* HAVE_MD5_PASSWORDS */
-        /* Authentication is accepted if the encrypted passwords are identical. */
-        return (strcmp(encrypted_password, pw_password) == 0);
-#endif /* !USE_PAM && !HAVE_OSF_SIA */
 }
diff --git a/auth-rh-rsa.c b/auth-rh-rsa.c
index d7848d04c..2eb7e6e2d 100644
--- a/auth-rh-rsa.c
+++ b/auth-rh-rsa.c
@@ -13,7 +13,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-rh-rsa.c,v 1.34 2002/03/25 09:25:06 markus Exp $");
+RCSID("$OpenBSD: auth-rh-rsa.c,v 1.36 2003/06/02 09:17:34 markus Exp $");
 #include "packet.h"
 #include "uidswap.h"
@@ -63,7 +63,7 @@ auth_rhosts_rsa(struct passwd *pw, char *cuser, Key *client_host_key)
            client_host_key->rsa == NULL)
                return 0;
-        chost = (char *)get_canonical_hostname(options.verify_reverse_mapping);
+        chost = (char *)get_canonical_hostname(options.use_dns);
        debug("Rhosts RSA authentication: canonical host %.900s", chost);
        if (!PRIVSEP(auth_rhosts_rsa_key_allowed(pw, cuser, chost, client_host_key))) {
@@ -75,7 +75,7 @@ auth_rhosts_rsa(struct passwd *pw, char *cuser, Key *client_host_key)
        /* Perform the challenge-response dialog with the client for the host key. */
        if (!auth_rsa_challenge_dialog(client_host_key)) {
-                log("Client on %.800s failed to respond correctly to host authentication.",
+                logit("Client on %.800s failed to respond correctly to host authentication.",
                    chost);
                return 0;
        }
diff --git a/auth-rhosts.c b/auth-rhosts.c
index afca1f7c6..b42a64c90 100644
--- a/auth-rhosts.c
+++ b/auth-rhosts.c
@@ -14,7 +14,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-rhosts.c,v 1.28 2002/05/13 21:26:49 markus Exp $");
+RCSID("$OpenBSD: auth-rhosts.c,v 1.31 2003/06/02 09:17:34 markus Exp $");
 #include "packet.h"
 #include "uidswap.h"
@@ -68,7 +68,8 @@ check_rhosts_file(const char *filename, const char *hostname,
                 * This should be safe because each buffer is as big as the
                 * whole string, and thus cannot be overwritten.
                 */
-                switch (sscanf(buf, "%s %s %s", hostbuf, userbuf, dummy)) {
+                switch (sscanf(buf, "%1023s %1023s %1023s", hostbuf, userbuf,
+                    dummy)) {
                case 0:
                        auth_debug_add("Found empty line in %.100s.", filename);
                        continue;
@@ -155,7 +156,7 @@ auth_rhosts(struct passwd *pw, const char *client_user)
 {
        const char *hostname, *ipaddr;
-        hostname = get_canonical_hostname(options.verify_reverse_mapping);
+        hostname = get_canonical_hostname(options.use_dns);
        ipaddr = get_remote_ipaddr();
        return auth_rhosts2(pw, client_user, hostname, ipaddr);
 }
@@ -220,7 +221,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam
         * not group or world writable.
         */
        if (stat(pw->pw_dir, &st) < 0) {
-                log("Rhosts authentication refused for %.100s: "
+                logit("Rhosts authentication refused for %.100s: "
                    "no home directory %.200s", pw->pw_name, pw->pw_dir);
                auth_debug_add("Rhosts authentication refused for %.100s: "
                    "no home directory %.200s", pw->pw_name, pw->pw_dir);
@@ -229,7 +230,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam
        if (options.strict_modes &&
            ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
            (st.st_mode & 022) != 0)) {
-                log("Rhosts authentication refused for %.100s: "
+                logit("Rhosts authentication refused for %.100s: "
                    "bad ownership or modes for home directory.", pw->pw_name);
                auth_debug_add("Rhosts authentication refused for %.100s: "
                    "bad ownership or modes for home directory.", pw->pw_name);
@@ -256,7 +257,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam
                if (options.strict_modes &&
                    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
                    (st.st_mode & 022) != 0)) {
-                        log("Rhosts authentication refused for %.100s: bad modes for %.200s",
+                        logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
                            pw->pw_name, buf);
                        auth_debug_add("Bad file modes for %.200s", buf);
                        continue;
diff --git a/auth-rsa.c b/auth-rsa.c
index 92f6277f9..5631d238c 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -14,7 +14,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-rsa.c,v 1.56 2002/06/10 16:53:06 stevesk Exp $");
+RCSID("$OpenBSD: auth-rsa.c,v 1.57 2003/04/08 20:21:28 itojun Exp $");
 #include <openssl/rsa.h>
 #include <openssl/md5.h>
@@ -187,7 +187,7 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
            secure_filename(f, file, pw, line, sizeof(line)) != 0) {
                xfree(file);
                fclose(f);
-                log("Authentication refused: %s", line);
+                logit("Authentication refused: %s", line);
                restore_uid();
                return (0);
        }
@@ -246,7 +246,7 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
                /* check the real bits  */
                if (bits != BN_num_bits(key->rsa->n))
-                        log("Warning: %s, line %lu: keysize mismatch: "
+                        logit("Warning: %s, line %lu: keysize mismatch: "
                            "actual %d vs. announced %d.",
                            file, linenum, BN_num_bits(key->rsa->n), bits);
diff --git a/auth-sia.c b/auth-sia.c
index 5c9b3f5de..cae5f0912 100644
--- a/auth-sia.c
+++ b/auth-sia.c
@@ -52,26 +52,27 @@ auth_sia_password(Authctxt *authctxt, char *pass)
        SIAENTITY *ent = NULL;
        const char *host;
-        host = get_canonical_hostname(options.verify_reverse_mapping);
+        host = get_canonical_hostname(options.use_dns);
-        if (!authctxt->user || !pass || pass[0] == '\0')
+        if (!authctxt->user || pass == NULL || pass[0] == '\0')
-                return(0);
+                return (0);
        if (sia_ses_init(&ent, saved_argc, saved_argv, host, authctxt->user,
            NULL, 0, NULL) != SIASUCCESS)
-                return(0);
+                return (0);
        if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) {
-                error("Couldn't authenticate %s from %s", authctxt->user,
+                error("Couldn't authenticate %s from %s",
-                    host);
+                    authctxt->user, host);
                if (ret & SIASTOP)
                        sia_ses_release(&ent);
-                return(0);
+                return (0);
        }
        sia_ses_release(&ent);
-        return(1);
+        return (1);
 }
 void
@@ -80,10 +81,10 @@ session_setup_sia(struct passwd *pw, char *tty)
        SIAENTITY *ent = NULL;
        const char *host;
-        host = get_canonical_hostname(options.verify_reverse_mapping);
+        host = get_canonical_hostname(options.use_dns);
-        if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name, tty,
+        if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name, 
-            0, NULL) != SIASUCCESS)
+            tty, 0, NULL) != SIASUCCESS)
                fatal("sia_ses_init failed");
        if (sia_make_entity_pwd(pw, ent) != SIASUCCESS) {
@@ -97,8 +98,8 @@ session_setup_sia(struct passwd *pw, char *tty)
                    pw->pw_name, host);
        if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS)
-                fatal("Couldn't launch session for %s from %s", pw->pw_name,
+                fatal("Couldn't launch session for %s from %s",
-                    host);
+                    pw->pw_name, host);
        
        sia_ses_release(&ent);
diff --git a/auth-sia.h b/auth-sia.h
index 7aecce940..38164ff81 100644
--- a/auth-sia.h
+++ b/auth-sia.h
@@ -26,7 +26,7 @@
 #ifdef HAVE_OSF_SIA
-int     auth_sia_password(Authctxt *authctxt, char *pass);
+int     auth_sia_password(Authctxt *, char *);
-void    session_setup_sia(struct passwd *pw, char *tty);
+void    session_setup_sia(struct passwd *, char *);
 #endif /* HAVE_OSF_SIA */
diff --git a/auth.c b/auth.c
index 1268accb1..46e495adf 100644
--- a/auth.c
+++ b/auth.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.46 2002/11/04 10:07:53 markus Exp $");
+RCSID("$OpenBSD: auth.c,v 1.49 2003/08/26 09:58:43 markus Exp $");
 #ifdef HAVE_LOGIN_H
 #include <login.h>
@@ -54,6 +54,7 @@ RCSID("$OpenBSD: auth.c,v 1.46 2002/11/04 10:07:53 markus Exp $");
 /* import */
 extern ServerOptions options;
+extern Buffer loginmsg;
 /* Debugging messages */
 Buffer auth_debug;
@@ -72,26 +73,25 @@ int
 allowed_user(struct passwd * pw)
 {
        struct stat st;
-        const char *hostname = NULL, *ipaddr = NULL;
+        const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
        char *shell;
        int i;
-#ifdef WITH_AIXAUTHENTICATE
+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
-        char *loginmsg;
+        struct spwd *spw = NULL;
-#endif /* WITH_AIXAUTHENTICATE */
-#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
-    !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
-        struct spwd *spw;
-        time_t today;
 #endif
        /* Shouldn't be called if pw is NULL, but better safe than sorry... */
        if (!pw || !pw->pw_name)
                return 0;
-#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
-    !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
+        if (!options.use_pam)
+                spw = getspnam(pw->pw_name);
+#ifdef HAS_SHADOW_EXPIRE
 #define DAY             (24L * 60 * 60) /* 1 day in seconds */
-        if ((spw = getspnam(pw->pw_name)) != NULL) {
+        if (!options.use_pam && spw != NULL) {
+                time_t today;
                today = time(NULL) / DAY;
                debug3("allowed_user: today %d sp_expire %d sp_lstchg %d"
                    " sp_max %d", (int)today, (int)spw->sp_expire,
@@ -102,25 +102,58 @@ allowed_user(struct passwd * pw)
                 * day after the day specified.
                 */
                if (spw->sp_expire != -1 && today > spw->sp_expire) {
-                        log("Account %.100s has expired", pw->pw_name);
+                        logit("Account %.100s has expired", pw->pw_name);
                        return 0;
                }
                if (spw->sp_lstchg == 0) {
-                        log("User %.100s password has expired (root forced)",
+                        logit("User %.100s password has expired (root forced)",
                            pw->pw_name);
                        return 0;
                }
                if (spw->sp_max != -1 &&
                    today > spw->sp_lstchg + spw->sp_max) {
-                        log("User %.100s password has expired (password aged)",
+                        logit("User %.100s password has expired (password aged)",
                            pw->pw_name);
                        return 0;
                }
        }
+#endif /* HAS_SHADOW_EXPIRE */
+#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
+        /* grab passwd field for locked account check */
+#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
+        if (spw != NULL)
+                passwd = spw->sp_pwdp;
+#else
+        passwd = pw->pw_passwd;
 #endif
+        /* check for locked account */ 
+        if (!options.use_pam && passwd && *passwd) {
+                int locked = 0;
+#ifdef LOCKED_PASSWD_STRING
+                if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
+                         locked = 1;
+#endif
+#ifdef LOCKED_PASSWD_PREFIX
+                if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
+                    strlen(LOCKED_PASSWD_PREFIX)) == 0)
+                         locked = 1;
+#endif
+#ifdef LOCKED_PASSWD_SUBSTR
+                if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
+                        locked = 1;
+#endif
+                if (locked) {
+                        logit("User %.100s not allowed because account is locked",
+                            pw->pw_name);
+                        return 0;
+                }
+        }
        /*
         * Get the shell from the password data.  An empty shell field is
         * legal, and means /bin/sh.
@@ -129,19 +162,19 @@ allowed_user(struct passwd * pw)
        /* deny if shell does not exists or is not executable */
        if (stat(shell, &st) != 0) {
-                log("User %.100s not allowed because shell %.100s does not exist",
+                logit("User %.100s not allowed because shell %.100s does not exist",
                    pw->pw_name, shell);
                return 0;
        }
        if (S_ISREG(st.st_mode) == 0 ||
            (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) {
-                log("User %.100s not allowed because shell %.100s is not executable",
+                logit("User %.100s not allowed because shell %.100s is not executable",
                    pw->pw_name, shell);
                return 0;
        }
        if (options.num_deny_users > 0 || options.num_allow_users > 0) {
-                hostname = get_canonical_hostname(options.verify_reverse_mapping);
+                hostname = get_canonical_hostname(options.use_dns);
                ipaddr = get_remote_ipaddr();
        }
@@ -150,7 +183,7 @@ allowed_user(struct passwd * pw)
                for (i = 0; i < options.num_deny_users; i++)
                        if (match_user(pw->pw_name, hostname, ipaddr,
                            options.deny_users[i])) {
-                                log("User %.100s not allowed because listed in DenyUsers",
+                                logit("User %.100s not allowed because listed in DenyUsers",
                                    pw->pw_name);
                                return 0;
                        }
@@ -163,7 +196,7 @@ allowed_user(struct passwd * pw)
                                break;
                /* i < options.num_allow_users iff we break for loop */
                if (i >= options.num_allow_users) {
-                        log("User %.100s not allowed because not listed in AllowUsers",
+                        logit("User %.100s not allowed because not listed in AllowUsers",
                            pw->pw_name);
                        return 0;
                }
@@ -171,7 +204,7 @@ allowed_user(struct passwd * pw)
        if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
                /* Get the user's group access list (primary and supplementary) */
                if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
-                        log("User %.100s not allowed because not in any group",
+                        logit("User %.100s not allowed because not in any group",
                            pw->pw_name);
                        return 0;
                }
@@ -181,7 +214,7 @@ allowed_user(struct passwd * pw)
                        if (ga_match(options.deny_groups,
                            options.num_deny_groups)) {
                                ga_free();
-                                log("User %.100s not allowed because a group is listed in DenyGroups",
+                                logit("User %.100s not allowed because a group is listed in DenyGroups",
                                    pw->pw_name);
                                return 0;
                        }
@@ -193,7 +226,7 @@ allowed_user(struct passwd * pw)
                        if (!ga_match(options.allow_groups,
                            options.num_allow_groups)) {
                                ga_free();
-                                log("User %.100s not allowed because none of user's groups are listed in AllowGroups",
+                                logit("User %.100s not allowed because none of user's groups are listed in AllowGroups",
                                    pw->pw_name);
                                return 0;
                        }
@@ -206,26 +239,23 @@ allowed_user(struct passwd * pw)
         * PermitRootLogin to control logins via ssh), or if running as
         * non-root user (since loginrestrictions will always fail).
         */
-        if ((pw->pw_uid != 0) && (geteuid() == 0) &&
+        if ((pw->pw_uid != 0) && (geteuid() == 0)) {
-            loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
+                char *msg;
-                int loginrestrict_errno = errno;
+                if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg) != 0) {
-                if (loginmsg && *loginmsg) {
+                        int loginrestrict_errno = errno;
-                        /* Remove embedded newlines (if any) */
-                        char *p;
+                        if (msg && *msg) {
-                        for (p = loginmsg; *p; p++) {
+                                buffer_append(&loginmsg, msg, strlen(msg));
-                                if (*p == '\n')
+                                aix_remove_embedded_newlines(msg);
-                                        *p = ' ';
+                                logit("Login restricted for %s: %.100s",
+                                    pw->pw_name, msg);
                        }
-                        /* Remove trailing newline */
+                        /* Don't fail if /etc/nologin  set */
-                        *--p = '\0';
+                        if (!(loginrestrict_errno == EPERM && 
-                        log("Login restricted for %s: %.100s", pw->pw_name, 
+                            stat(_PATH_NOLOGIN, &st) == 0))
-                            loginmsg);
+                                return 0;
                }
-                /* Don't fail if /etc/nologin  set */
-                if (!(loginrestrict_errno == EPERM && 
-                    stat(_PATH_NOLOGIN, &st) == 0))
-                        return 0;
        }
 #endif /* WITH_AIXAUTHENTICATE */
@@ -252,7 +282,7 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
            !authctxt->valid ||
            authctxt->failures >= AUTH_FAIL_LOG ||
            strcmp(method, "password") == 0)
-                authlog = log;
+                authlog = logit;
        if (authctxt->postponed)
                authmsg = "Postponed";
@@ -268,13 +298,10 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
            get_remote_port(),
            info);
-#ifdef WITH_AIXAUTHENTICATE
+#ifdef CUSTOM_FAILED_LOGIN
        if (authenticated == 0 && strcmp(method, "password") == 0)
-            loginfailed(authctxt->user,
+                record_failed_login(authctxt->user, "ssh");
-                get_canonical_hostname(options.verify_reverse_mapping),
+#endif
-                "ssh");
-#endif /* WITH_AIXAUTHENTICATE */
 }
 /*
@@ -293,12 +320,12 @@ auth_root_allowed(char *method)
                break;
        case PERMIT_FORCED_ONLY:
                if (forced_command) {
-                        log("Root login accepted for forced command.");
+                        logit("Root login accepted for forced command.");
                        return 1;
                }
                break;
        }
-        log("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
+        logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
        return 0;
 }
@@ -390,7 +417,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
                    (stat(user_hostfile, &st) == 0) &&
                    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
                    (st.st_mode & 022) != 0)) {
-                        log("Authentication refused for %.100s: "
+                        logit("Authentication refused for %.100s: "
                            "bad owner or modes for %.200s",
                            pw->pw_name, user_hostfile);
                } else {
@@ -494,12 +521,10 @@ getpwnamallow(const char *user)
        pw = getpwnam(user);
        if (pw == NULL) {
-                log("Illegal user %.100s from %.100s",
+                logit("Illegal user %.100s from %.100s",
                    user, get_remote_ipaddr());
-#ifdef WITH_AIXAUTHENTICATE
+#ifdef CUSTOM_FAILED_LOGIN
-                loginfailed(user,
+                record_failed_login(user, "ssh");
-                    get_canonical_hostname(options.verify_reverse_mapping),
-                    "ssh");
 #endif
                return (NULL);
        }
@@ -564,3 +589,24 @@ auth_debug_reset(void)
                auth_debug_init = 1;
        }
 }
+struct passwd *
+fakepw(void)
+{
+        static struct passwd fake;
+        memset(&fake, 0, sizeof(fake));
+        fake.pw_name = "NOUSER";
+        fake.pw_passwd =
+            "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK";     
+        fake.pw_gecos = "NOUSER";
+        fake.pw_uid = -1;
+        fake.pw_gid = -1;
+#ifdef HAVE_PW_CLASS_IN_PASSWD
+        fake.pw_class = "";
+#endif
+        fake.pw_dir = "/nonexist";
+        fake.pw_shell = "/nonexist";
+        return (&fake);
+}
diff --git a/auth.h b/auth.h
index c75d75366..beaacb8bc 100644
--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: auth.h,v 1.41 2002/09/26 11:38:43 markus Exp $        */
+/*      $OpenBSD: auth.h,v 1.46 2003/08/28 12:54:34 markus Exp $        */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -48,29 +48,32 @@ typedef struct KbdintDevice KbdintDevice;
 struct Authctxt {
        int              success;
-        int              postponed;
+        int              postponed;     /* authentication needs another step */
-        int              valid;
+        int              valid;         /* user exists and is allowed to login */
        int              attempt;
        int              failures;
-        char            *user;
+        char            *user;          /* username sent by the client */
        char            *service;
-        struct passwd   *pw;
+        struct passwd   *pw;            /* set if 'valid' */
        char            *style;
        void            *kbdintctxt;
 #ifdef BSD_AUTH
        auth_session_t  *as;
 #endif
-#ifdef KRB4
-        char            *krb4_ticket_file;
-#endif
 #ifdef KRB5
        krb5_context     krb5_ctx;
-        krb5_auth_context krb5_auth_ctx;
        krb5_ccache      krb5_fwd_ccache;
        krb5_principal   krb5_user;
        char            *krb5_ticket_file;
 #endif
+        void            *methoddata;
 };
+/*
+ * Every authentication method has to handle authentication requests for
+ * non-existing users, or for users that are not allowed to login. In this
+ * case 'valid' is set to 0, but 'user' points to the username requested by
+ * the client.
+ */
 struct Authmethod {
        char    *name;
@@ -111,20 +114,6 @@ int	 auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
 int      hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
 int      user_key_allowed(struct passwd *, Key *);
-#ifdef KRB4
-#include <krb.h>
-int     auth_krb4(Authctxt *, KTEXT, char **, KTEXT);
-int     auth_krb4_password(Authctxt *, const char *);
-void    krb4_cleanup_proc(void *);
-#ifdef AFS
-#include <kafs.h>
-int     auth_krb4_tgt(Authctxt *, const char *);
-int     auth_afs_token(Authctxt *, const char *);
-#endif /* AFS */
-#endif /* KRB4 */
 #ifdef KRB5
 int     auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
 int     auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
@@ -133,7 +122,6 @@ void	krb5_cleanup_proc(void *authctxt);
 #endif /* KRB5 */
 #include "auth-pam.h"
-#include "auth2-pam.h"
 Authctxt *do_authentication(void);
 Authctxt *do_authentication2(void);
@@ -159,6 +147,7 @@ struct passwd * getpwnamallow(const char *user);
 char    *get_challenge(Authctxt *);
 int     verify_response(Authctxt *, const char *);
+void    abandon_challenge_response(Authctxt *);
 struct passwd * auth_get_user(void);
@@ -184,6 +173,8 @@ void	 auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
 void     auth_debug_send(void);
 void     auth_debug_reset(void);
+struct passwd *fakepw(void);
 #define AUTH_FAIL_MAX 6
 #define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2)
 #define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
diff --git a/auth1.c b/auth1.c
index c273f2fb6..dfe944dd1 100644
--- a/auth1.c
+++ b/auth1.c
@@ -10,7 +10,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.47 2003/02/06 21:22:42 markus Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.52 2003/08/28 12:54:34 markus Exp $");
 #include "xmalloc.h"
 #include "rsa.h"
@@ -49,10 +49,6 @@ get_authname(int type)
        case SSH_CMSG_AUTH_TIS:
        case SSH_CMSG_AUTH_TIS_RESPONSE:
                return "challenge-response";
-#if defined(KRB4) || defined(KRB5)
-        case SSH_CMSG_AUTH_KERBEROS:
-                return "kerberos";
-#endif
        }
        snprintf(buf, sizeof buf, "bad-auth-msg-%d", type);
        return buf;
@@ -73,7 +69,7 @@ do_authloop(Authctxt *authctxt)
        char info[1024];
        u_int dlen;
        u_int ulen;
-        int type = 0;
+        int prev, type = 0;
        struct passwd *pw = authctxt->pw;
        debug("Attempting authentication for %s%.100s.",
@@ -81,7 +77,7 @@ do_authloop(Authctxt *authctxt)
        /* If the user has no password, accept authentication immediately. */
        if (options.password_authentication &&
-#if defined(KRB4) || defined(KRB5)
+#ifdef KRB5
            (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
 #endif
            PRIVSEP(auth_password(authctxt, ""))) {
@@ -103,104 +99,22 @@ do_authloop(Authctxt *authctxt)
                info[0] = '\0';
                /* Get a packet from the client. */
+                prev = type;
                type = packet_read();
+                /*
+                 * If we started challenge-response authentication but the
+                 * next packet is not a response to our challenge, release
+                 * the resources allocated by get_challenge() (which would
+                 * normally have been released by verify_response() had we
+                 * received such a response)
+                 */
+                if (prev == SSH_CMSG_AUTH_TIS &&
+                    type != SSH_CMSG_AUTH_TIS_RESPONSE)
+                        abandon_challenge_response(authctxt);
                /* Process the packet. */
                switch (type) {
-#if defined(KRB4) || defined(KRB5)
-                case SSH_CMSG_AUTH_KERBEROS:
-                        if (!options.kerberos_authentication) {
-                                verbose("Kerberos authentication disabled.");
-                        } else {
-                                char *kdata = packet_get_string(&dlen);
-                                packet_check_eom();
-                                if (kdata[0] == 4) { /* KRB_PROT_VERSION */
-#ifdef KRB4
-                                        KTEXT_ST tkt, reply;
-                                        tkt.length = dlen;
-                                        if (tkt.length < MAX_KTXT_LEN)
-                                                memcpy(tkt.dat, kdata, tkt.length);
-                                        if (PRIVSEP(auth_krb4(authctxt, &tkt,
-                                            &client_user, &reply))) {
-                                                authenticated = 1;
-                                                snprintf(info, sizeof(info),
-                                                    " tktuser %.100s",
-                                                    client_user);
-                                                packet_start(
-                                                    SSH_SMSG_AUTH_KERBEROS_RESPONSE);
-                                                packet_put_string((char *)
-                                                    reply.dat, reply.length);
-                                                packet_send();
-                                                packet_write_wait();
-                                        }
-#endif /* KRB4 */
-                                } else {
-#ifdef KRB5
-                                        krb5_data tkt, reply;
-                                        tkt.length = dlen;
-                                        tkt.data = kdata;
-                                        if (PRIVSEP(auth_krb5(authctxt, &tkt,
-                                            &client_user, &reply))) {
-                                                authenticated = 1;
-                                                snprintf(info, sizeof(info),
-                                                    " tktuser %.100s",
-                                                    client_user);
-                                                /* Send response to client */
-                                                packet_start(
-                                                    SSH_SMSG_AUTH_KERBEROS_RESPONSE);
-                                                packet_put_string((char *)
-                                                    reply.data, reply.length);
-                                                packet_send();
-                                                packet_write_wait();
-                                                if (reply.length)
-                                                        xfree(reply.data);
-                                        }
-#endif /* KRB5 */
-                                }
-                                xfree(kdata);
-                        }
-                        break;
-#endif /* KRB4 || KRB5 */
-#if defined(AFS) || defined(KRB5)
-                        /* XXX - punt on backward compatibility here. */
-                case SSH_CMSG_HAVE_KERBEROS_TGT:
-                        packet_send_debug("Kerberos TGT passing disabled before authentication.");
-                        break;
-#ifdef AFS
-                case SSH_CMSG_HAVE_AFS_TOKEN:
-                        packet_send_debug("AFS token passing disabled before authentication.");
-                        break;
-#endif /* AFS */
-#endif /* AFS || KRB5 */
-                case SSH_CMSG_AUTH_RHOSTS:
-                        if (!options.rhosts_authentication) {
-                                verbose("Rhosts authentication disabled.");
-                                break;
-                        }
-                        /*
-                         * Get client user name.  Note that we just have to
-                         * trust the client; this is one reason why rhosts
-                         * authentication is insecure. (Another is
-                         * IP-spoofing on a local network.)
-                         */
-                        client_user = packet_get_string(&ulen);
-                        packet_check_eom();
-                        /* Try to authenticate using /etc/hosts.equiv and .rhosts. */
-                        authenticated = auth_rhosts(pw, client_user);
-                        snprintf(info, sizeof info, " ruser %.100s", client_user);
-                        break;
                case SSH_CMSG_AUTH_RHOSTS_RSA:
                        if (!options.rhosts_rsa_authentication) {
                                verbose("Rhosts with RSA authentication disabled.");
@@ -297,7 +211,7 @@ do_authloop(Authctxt *authctxt)
                         * Any unknown messages will be ignored (and failure
                         * returned) during authentication.
                         */
-                        log("Unknown message during authentication: type %d", type);
+                        logit("Unknown message during authentication: type %d", type);
                        break;
                }
 #ifdef BSD_AUTH
@@ -311,8 +225,6 @@ do_authloop(Authctxt *authctxt)
                            authctxt->user);
 #ifdef _UNICOS
-                if (type == SSH_CMSG_AUTH_PASSWORD && !authenticated)
-                        cray_login_failure(authctxt->user, IA_UDBERR);
                if (authenticated && cray_access_denied(authctxt->user)) {
                        authenticated = 0;
                        fatal("Access denied for user %s.",authctxt->user);
@@ -332,9 +244,10 @@ do_authloop(Authctxt *authctxt)
                    !auth_root_allowed(get_authname(type)))
                        authenticated = 0;
 #endif
 #ifdef USE_PAM
-                if (!use_privsep && authenticated && 
+                if (options.use_pam && authenticated && 
-                    !do_pam_account(pw->pw_name, client_user))
+                    !PRIVSEP(do_pam_account()))
                        authenticated = 0;
 #endif
@@ -349,9 +262,8 @@ do_authloop(Authctxt *authctxt)
                if (authenticated)
                        return;
-                if (authctxt->failures++ > AUTH_FAIL_MAX) {
+                if (authctxt->failures++ > AUTH_FAIL_MAX)
                        packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
-                }
                packet_start(SSH_SMSG_FAILURE);
                packet_send();
@@ -380,16 +292,6 @@ do_authentication(void)
        if ((style = strchr(user, ':')) != NULL)
                *style++ = '\0';
-#ifdef KRB5
-        /* XXX - SSH.com Kerberos v5 braindeath. */
-        if ((datafellows & SSH_BUG_K5USER) &&
-            options.kerberos_authentication) {
-                char *p;
-                if ((p = strchr(user, '@')) != NULL)
-                        *p = '\0';
-        }
-#endif
        authctxt = authctxt_new();
        authctxt->user = user;
        authctxt->style = style;
@@ -397,14 +299,17 @@ do_authentication(void)
        /* Verify that the user is a valid user. */
        if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
                authctxt->valid = 1;
-        else
+        else {
                debug("do_authentication: illegal user %s", user);
+                authctxt->pw = fakepw();
+        }
        setproctitle("%s%s", authctxt->pw ? user : "unknown",
            use_privsep ? " [net]" : "");
 #ifdef USE_PAM
-        PRIVSEP(start_pam(authctxt->pw == NULL ? "NOUSER" : user));
+        if (options.use_pam)
+                PRIVSEP(start_pam(user));
 #endif
        /*
diff --git a/auth2-chall.c b/auth2-chall.c
index 0d1709307..aacbf0bcc 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -41,6 +41,9 @@ static void input_userauth_info_response(int, u_int32_t, void *);
 #ifdef BSD_AUTH
 extern KbdintDevice bsdauth_device;
 #else
+#ifdef USE_PAM
+extern KbdintDevice sshpam_device;
+#endif
 #ifdef SKEY
 extern KbdintDevice skey_device;
 #endif
@@ -50,6 +53,9 @@ KbdintDevice *devices[] = {
 #ifdef BSD_AUTH
        &bsdauth_device,
 #else
+#ifdef USE_PAM
+        &sshpam_device,
+#endif
 #ifdef SKEY
        &skey_device,
 #endif
@@ -320,18 +326,27 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
 void
 privsep_challenge_enable(void)
 {
+#if defined(BSD_AUTH) || defined(USE_PAM) || defined(SKEY)
+        int n = 0;
+#endif
 #ifdef BSD_AUTH
        extern KbdintDevice mm_bsdauth_device;
 #endif
+#ifdef USE_PAM
+        extern KbdintDevice mm_sshpam_device;
+#endif
 #ifdef SKEY
        extern KbdintDevice mm_skey_device;
 #endif
-        /* As long as SSHv1 has devices[0] hard coded this is fine */
 #ifdef BSD_AUTH
-        devices[0] = &mm_bsdauth_device;
+        devices[n++] = &mm_bsdauth_device;
 #else
+#ifdef USE_PAM
+        devices[n++] = &mm_sshpam_device;
+#endif
 #ifdef SKEY
-        devices[0] = &mm_skey_device;
+        devices[n++] = &mm_skey_device;
 #endif
 #endif
 }
diff --git a/auth2-gss.c b/auth2-gss.c
new file mode 100644
index 000000000..75b94b009
--- /dev/null
+++ b/auth2-gss.c
@@ -0,0 +1,247 @@
+/*      $OpenBSD: auth2-gss.c,v 1.3 2003/09/01 20:44:54 markus Exp $    */
+/*
+ * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "includes.h"
+#ifdef GSSAPI
+#include "auth.h"
+#include "ssh2.h"
+#include "xmalloc.h"
+#include "log.h"
+#include "dispatch.h"
+#include "servconf.h"
+#include "compat.h"
+#include "packet.h"
+#include "monitor_wrap.h"
+#include "ssh-gss.h"
+extern ServerOptions options;
+static void input_gssapi_token(int type, u_int32_t plen, void *ctxt);
+static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
+static void input_gssapi_errtok(int, u_int32_t, void *);
+/*
+ * We only support those mechanisms that we know about (ie ones that we know
+ * how to check local user kuserok and the like
+ */
+static int
+userauth_gssapi(Authctxt *authctxt)
+{
+        gss_OID_desc oid = {0, NULL};
+        Gssctxt *ctxt = NULL;
+        int mechs;
+        gss_OID_set supported;
+        int present;
+        OM_uint32 ms;
+        u_int len;
+        char *doid = NULL;
+        if (!authctxt->valid || authctxt->user == NULL)
+                return (0);
+        mechs = packet_get_int();
+        if (mechs == 0) {
+                debug("Mechanism negotiation is not supported");
+                return (0);
+        }
+        ssh_gssapi_supported_oids(&supported);
+        do {
+                mechs--;
+                if (doid)
+                        xfree(doid);
+                doid = packet_get_string(&len);
+                if (doid[0] != SSH_GSS_OIDTYPE || doid[1] != len-2) {
+                        logit("Mechanism OID received using the old encoding form");
+                        oid.elements = doid;
+                        oid.length = len;
+                } else {
+                        oid.elements = doid + 2;
+                        oid.length   = len - 2;
+                }
+                gss_test_oid_set_member(&ms, &oid, supported, &present);
+        } while (mechs > 0 && !present);
+        gss_release_oid_set(&ms, &supported);
+        if (!present) {
+                xfree(doid);
+                return (0);
+        }
+        if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &oid)))) {
+                xfree(doid);
+                return (0);
+        }
+        authctxt->methoddata=(void *)ctxt;
+        packet_start(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE);
+        /* Return OID in same format as we received it*/
+        packet_put_string(doid, len);
+        packet_send();
+        xfree(doid);
+        dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token);
+        dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok);
+        authctxt->postponed = 1;
+        return (0);
+}
+static void
+input_gssapi_token(int type, u_int32_t plen, void *ctxt)
+{
+        Authctxt *authctxt = ctxt;
+        Gssctxt *gssctxt;
+        gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
+        gss_buffer_desc recv_tok;
+        OM_uint32 maj_status, min_status;
+        u_int len;
+        if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
+                fatal("No authentication or GSSAPI context");
+        gssctxt = authctxt->methoddata;
+        recv_tok.value = packet_get_string(&len);
+        recv_tok.length = len; /* u_int vs. size_t */
+        packet_check_eom();
+        maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
+            &send_tok, NULL));
+        xfree(recv_tok.value);
+        if (GSS_ERROR(maj_status)) {
+                if (send_tok.length != 0) {
+                        packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK);
+                        packet_put_string(send_tok.value, send_tok.length);
+                        packet_send();
+                }
+                authctxt->postponed = 0;
+                dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
+                userauth_finish(authctxt, 0, "gssapi");
+        } else {
+                if (send_tok.length != 0) {
+                        packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
+                        packet_put_string(send_tok.value, send_tok.length);
+                        packet_send();
+                }
+                if (maj_status == GSS_S_COMPLETE) {
+                        dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
+                        dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
+                                     &input_gssapi_exchange_complete);
+                }
+        }
+        gss_release_buffer(&min_status, &send_tok);
+}
+static void
+input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
+{
+        Authctxt *authctxt = ctxt;
+        Gssctxt *gssctxt;
+        gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
+        gss_buffer_desc recv_tok;
+        OM_uint32 maj_status;
+        u_int len;
+        if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
+                fatal("No authentication or GSSAPI context");
+        gssctxt = authctxt->methoddata;
+        recv_tok.value = packet_get_string(&len);
+        recv_tok.length = len;
+        packet_check_eom();
+        /* Push the error token into GSSAPI to see what it says */
+        maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
+            &send_tok, NULL));
+        xfree(recv_tok.value);
+        /* We can't return anything to the client, even if we wanted to */
+        dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
+        dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
+        /* The client will have already moved on to the next auth */
+        gss_release_buffer(&maj_status, &send_tok);
+}
+/*
+ * This is called when the client thinks we've completed authentication.
+ * It should only be enabled in the dispatch handler by the function above,
+ * which only enables it once the GSSAPI exchange is complete.
+ */
+static void
+input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
+{
+        Authctxt *authctxt = ctxt;
+        Gssctxt *gssctxt;
+        int authenticated;
+        if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
+                fatal("No authentication or GSSAPI context");
+        gssctxt = authctxt->methoddata;
+        /*
+         * We don't need to check the status, because the stored credentials
+         * which userok uses are only populated once the context init step
+         * has returned complete.
+         */
+        packet_check_eom();
+        authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
+        authctxt->postponed = 0;
+        dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
+        dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
+        dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
+        userauth_finish(authctxt, authenticated, "gssapi");
+}
+Authmethod method_gssapi = {
+        "gssapi",
+        userauth_gssapi,
+        &options.gss_authentication
+};
+#endif /* GSSAPI */
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
index 2bde7bb79..505d3eff4 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth2-hostbased.c,v 1.2 2002/05/31 11:35:15 markus Exp $");
+RCSID("$OpenBSD: auth2-hostbased.c,v 1.5 2003/06/24 08:23:46 markus Exp $");
 #include "ssh2.h"
 #include "xmalloc.h"
@@ -42,7 +42,7 @@ RCSID("$OpenBSD: auth2-hostbased.c,v 1.2 2002/05/31 11:35:15 markus Exp $");
 /* import */
 extern ServerOptions options;
 extern u_char *session_id2;
-extern int session_id2_len;
+extern u_int session_id2_len;
 static int
 userauth_hostbased(Authctxt *authctxt)
@@ -77,7 +77,7 @@ userauth_hostbased(Authctxt *authctxt)
        pktype = key_type_from_name(pkalg);
        if (pktype == KEY_UNSPEC) {
                /* this is perfectly legal */
-                log("userauth_hostbased: unsupported "
+                logit("userauth_hostbased: unsupported "
                    "public key algorithm: %s", pkalg);
                goto done;
        }
@@ -136,7 +136,7 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
        HostStatus host_status;
        int len;
-        resolvedname = get_canonical_hostname(options.verify_reverse_mapping);
+        resolvedname = get_canonical_hostname(options.use_dns);
        ipaddr = get_remote_ipaddr();
        debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s",
@@ -152,7 +152,7 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
                        chost[len - 1] = '\0';
                }
                if (strcasecmp(resolvedname, chost) != 0)
-                        log("userauth_hostbased mismatch: "
+                        logit("userauth_hostbased mismatch: "
                            "client sends %s, but we resolve %s to %s",
                            chost, ipaddr, resolvedname);
                if (auth_rhosts2(pw, cuser, resolvedname, ipaddr) == 0)
diff --git a/auth2-kbdint.c b/auth2-kbdint.c
index e60992881..1696ef4d3 100644
--- a/auth2-kbdint.c
+++ b/auth2-kbdint.c
@@ -49,10 +49,6 @@ userauth_kbdint(Authctxt *authctxt)
        if (options.challenge_response_authentication)
                authenticated = auth2_challenge(authctxt, devs);
-#ifdef USE_PAM
-        if (authenticated == 0 && options.pam_authentication_via_kbd_int)
-                authenticated = auth2_pam(authctxt);
-#endif
        xfree(devs);
        xfree(lang);
 #ifdef HAVE_CYGWIN
diff --git a/auth2-none.c b/auth2-none.c
index 692a2961f..c342addec 100644
--- a/auth2-none.c
+++ b/auth2-none.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth2-none.c,v 1.4 2002/06/27 10:35:47 deraadt Exp $");
+RCSID("$OpenBSD: auth2-none.c,v 1.6 2003/08/26 09:58:43 markus Exp $");
 #include "auth.h"
 #include "xmalloc.h"
@@ -100,7 +100,9 @@ userauth_none(Authctxt *authctxt)
        if (check_nt_auth(1, authctxt->pw) == 0)
                return(0);
 #endif
-        return PRIVSEP(auth_password(authctxt, "")) && authctxt->valid;
+        if (options.password_authentication)
+                return (PRIVSEP(auth_password(authctxt, "")));
+        return (0);
 }
 Authmethod method_none = {
diff --git a/auth2-passwd.c b/auth2-passwd.c
index 5026969f8..67fb4c921 100644
--- a/auth2-passwd.c
+++ b/auth2-passwd.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth2-passwd.c,v 1.2 2002/05/31 11:35:15 markus Exp $");
+RCSID("$OpenBSD: auth2-passwd.c,v 1.4 2003/08/26 09:58:43 markus Exp $");
 #include "xmalloc.h"
 #include "packet.h"
@@ -44,10 +44,10 @@ userauth_passwd(Authctxt *authctxt)
        u_int len;
        change = packet_get_char();
        if (change)
-                log("password change not supported");
+                logit("password change not supported");
        password = packet_get_string(&len);
        packet_check_eom();
-        if (PRIVSEP(auth_password(authctxt, password)) == 1 && authctxt->valid
+        if (PRIVSEP(auth_password(authctxt, password)) == 1
 #ifdef HAVE_CYGWIN
            && check_nt_auth(1, authctxt->pw)
 #endif
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 947bfed0b..d51e939f1 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth2-pubkey.c,v 1.2 2002/05/31 11:35:15 markus Exp $");
+RCSID("$OpenBSD: auth2-pubkey.c,v 1.4 2003/06/24 08:23:46 markus Exp $");
 #include "ssh2.h"
 #include "xmalloc.h"
@@ -44,7 +44,7 @@ RCSID("$OpenBSD: auth2-pubkey.c,v 1.2 2002/05/31 11:35:15 markus Exp $");
 /* import */
 extern ServerOptions options;
 extern u_char *session_id2;
-extern int session_id2_len;
+extern u_int session_id2_len;
 static int
 userauth_pubkey(Authctxt *authctxt)
@@ -78,7 +78,7 @@ userauth_pubkey(Authctxt *authctxt)
        pktype = key_type_from_name(pkalg);
        if (pktype == KEY_UNSPEC) {
                /* this is perfectly legal */
-                log("userauth_pubkey: unsupported public key algorithm: %s",
+                logit("userauth_pubkey: unsupported public key algorithm: %s",
                    pkalg);
                goto done;
        }
@@ -199,7 +199,7 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
        if (options.strict_modes &&
            secure_filename(f, file, pw, line, sizeof(line)) != 0) {
                fclose(f);
-                log("Authentication refused: %s", line);
+                logit("Authentication refused: %s", line);
                restore_uid();
                return 0;
        }
diff --git a/auth2.c b/auth2.c
index 1b21eb2da..41e77efdc 100644
--- a/auth2.c
+++ b/auth2.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.96 2003/02/06 21:22:43 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.102 2003/08/26 09:58:43 markus Exp $");
 #include "ssh2.h"
 #include "xmalloc.h"
@@ -36,10 +36,14 @@ RCSID("$OpenBSD: auth2.c,v 1.96 2003/02/06 21:22:43 markus Exp $");
 #include "pathnames.h"
 #include "monitor_wrap.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
 /* import */
 extern ServerOptions options;
 extern u_char *session_id2;
-extern int session_id2_len;
+extern u_int session_id2_len;
 Authctxt *x_authctxt = NULL;
@@ -50,10 +54,16 @@ extern Authmethod method_pubkey;
 extern Authmethod method_passwd;
 extern Authmethod method_kbdint;
 extern Authmethod method_hostbased;
+#ifdef GSSAPI
+extern Authmethod method_gssapi;
+#endif
 Authmethod *authmethods[] = {
        &method_none,
        &method_pubkey,
+#ifdef GSSAPI
+        &method_gssapi,
+#endif
        &method_passwd,
        &method_kbdint,
        &method_hostbased,
@@ -85,10 +95,6 @@ do_authentication2(void)
        /* challenge-response is implemented via keyboard interactive */
        if (options.challenge_response_authentication)
                options.kbd_interactive_authentication = 1;
-        if (options.pam_authentication_via_kbd_int)
-                options.kbd_interactive_authentication = 1;
-        if (use_privsep)
-                options.pam_authentication_via_kbd_int = 0;
        dispatch_init(&dispatch_protocol_error);
        dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
@@ -157,12 +163,15 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
                        authctxt->valid = 1;
                        debug2("input_userauth_request: setting up authctxt for %s", user);
 #ifdef USE_PAM
-                        PRIVSEP(start_pam(authctxt->pw->pw_name));
+                        if (options.use_pam)
+                                PRIVSEP(start_pam(authctxt->pw->pw_name));
 #endif
                } else {
-                        log("input_userauth_request: illegal user %s", user);
+                        logit("input_userauth_request: illegal user %s", user);
+                        authctxt->pw = fakepw();
 #ifdef USE_PAM
-                        PRIVSEP(start_pam("NOUSER"));
+                        if (options.use_pam)
+                                PRIVSEP(start_pam(user));
 #endif
                }
                setproctitle("%s%s", authctxt->pw ? user : "unknown",
@@ -180,6 +189,12 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
        }
        /* reset state */
        auth2_challenge_stop(authctxt);
+#ifdef GSSAPI
+        dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
+        dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
+#endif
        authctxt->postponed = 0;
        /* try to authenticate user */
@@ -210,10 +225,9 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
                authenticated = 0;
 #ifdef USE_PAM
-        if (!use_privsep && authenticated && authctxt->user && 
+        if (options.use_pam && authenticated && !PRIVSEP(do_pam_account()))
-            !do_pam_account(authctxt->user, NULL))
                authenticated = 0;
-#endif /* USE_PAM */
+#endif
 #ifdef _UNICOS
        if (authenticated && cray_access_denied(authctxt->user)) {
@@ -238,13 +252,8 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
                /* now we can break out */
                authctxt->success = 1;
        } else {
-                if (authctxt->failures++ > AUTH_FAIL_MAX) {
+                if (authctxt->failures++ > AUTH_FAIL_MAX)
                        packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
-                }
-#ifdef _UNICOS
-                if (strcmp(method, "password") == 0)
-                        cray_login_failure(authctxt->user, IA_UDBERR);
-#endif /* _UNICOS */
                methods = authmethods_get();
                packet_start(SSH2_MSG_USERAUTH_FAILURE);
                packet_put_cstring(methods);
diff --git a/authfd.c b/authfd.c
index a186e0117..c78db6d94 100644
--- a/authfd.c
+++ b/authfd.c
@@ -35,7 +35,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: authfd.c,v 1.58 2003/01/23 13:50:27 markus Exp $");
+RCSID("$OpenBSD: authfd.c,v 1.61 2003/06/28 16:23:06 deraadt Exp $");
 #include <openssl/evp.h>
@@ -122,8 +122,8 @@ ssh_request_reply(AuthenticationConnection *auth, Buffer *request, Buffer *reply
        PUT_32BIT(buf, len);
        /* Send the length and then the packet to the agent. */
-        if (atomicio(write, auth->fd, buf, 4) != 4 ||
+        if (atomicio(vwrite, auth->fd, buf, 4) != 4 ||
-            atomicio(write, auth->fd, buffer_ptr(request),
+            atomicio(vwrite, auth->fd, buffer_ptr(request),
            buffer_len(request)) != buffer_len(request)) {
                error("Error writing to authentication socket.");
                return 0;
@@ -332,7 +332,7 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio
                buffer_get_bignum(&auth->identities, key->rsa->n);
                *comment = buffer_get_string(&auth->identities, NULL);
                if (bits != BN_num_bits(key->rsa->n))
-                        log("Warning: identity keysize mismatch: actual %d, announced %u",
+                        logit("Warning: identity keysize mismatch: actual %d, announced %u",
                            BN_num_bits(key->rsa->n), bits);
                break;
        case 2:
@@ -373,7 +373,7 @@ ssh_decrypt_challenge(AuthenticationConnection *auth,
        if (key->type != KEY_RSA1)
                return 0;
        if (response_type == 0) {
-                log("Compatibility with ssh protocol version 1.0 no longer supported.");
+                logit("Compatibility with ssh protocol version 1.0 no longer supported.");
                return 0;
        }
        buffer_init(&buffer);
@@ -392,7 +392,7 @@ ssh_decrypt_challenge(AuthenticationConnection *auth,
        type = buffer_get_char(&buffer);
        if (agent_failed(type)) {
-                log("Agent admitted failure to authenticate using the key.");
+                logit("Agent admitted failure to authenticate using the key.");
        } else if (type != SSH_AGENT_RSA_RESPONSE) {
                fatal("Bad authentication response: %d", type);
        } else {
@@ -441,7 +441,7 @@ ssh_agent_sign(AuthenticationConnection *auth,
        }
        type = buffer_get_char(&msg);
        if (agent_failed(type)) {
-                log("Agent admitted failure to sign using the key.");
+                logit("Agent admitted failure to sign using the key.");
        } else if (type != SSH2_AGENT_SIGN_RESPONSE) {
                fatal("Bad authentication response: %d", type);
        } else {
@@ -589,16 +589,33 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key)
 }
 int
-ssh_update_card(AuthenticationConnection *auth, int add, const char *reader_id, const char *pin)
+ssh_update_card(AuthenticationConnection *auth, int add, 
+    const char *reader_id, const char *pin, u_int life, u_int confirm)
 {
        Buffer msg;
-        int type;
+        int type, constrained = (life || confirm);
+        if (add) {
+                type = constrained ?
+                    SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED :
+                    SSH_AGENTC_ADD_SMARTCARD_KEY;
+        } else
+                type = SSH_AGENTC_REMOVE_SMARTCARD_KEY;
        buffer_init(&msg);
-        buffer_put_char(&msg, add ? SSH_AGENTC_ADD_SMARTCARD_KEY :
+        buffer_put_char(&msg, type);
-            SSH_AGENTC_REMOVE_SMARTCARD_KEY);
        buffer_put_cstring(&msg, reader_id);
        buffer_put_cstring(&msg, pin);
+        
+        if (constrained) {
+                if (life != 0) {
+                        buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME);
+                        buffer_put_int(&msg, life);
+                }
+                if (confirm != 0)
+                        buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_CONFIRM);
+        }
        if (ssh_request_reply(auth, &msg, &msg) == 0) {
                buffer_free(&msg);
                return 0;
@@ -641,7 +658,7 @@ decode_reply(int type)
        case SSH_AGENT_FAILURE:
        case SSH_COM_AGENT2_FAILURE:
        case SSH2_AGENT_FAILURE:
-                log("SSH_AGENT_FAILURE");
+                logit("SSH_AGENT_FAILURE");
                return 0;
        case SSH_AGENT_SUCCESS:
                return 1;
diff --git a/authfd.h b/authfd.h
index 2a8751ec1..74b825c51 100644
--- a/authfd.h
+++ b/authfd.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: authfd.h,v 1.32 2003/01/23 13:50:27 markus Exp $      */
+/*      $OpenBSD: authfd.h,v 1.33 2003/06/11 11:18:38 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -49,6 +49,7 @@
 /* add key with constraints */
 #define SSH_AGENTC_ADD_RSA_ID_CONSTRAINED       24
 #define SSH2_AGENTC_ADD_ID_CONSTRAINED          25
+#define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
 #define SSH_AGENT_CONSTRAIN_LIFETIME            1
 #define SSH_AGENT_CONSTRAIN_CONFIRM             2
@@ -82,7 +83,8 @@ int	 ssh_add_identity_constrained(AuthenticationConnection *, Key *,
 int      ssh_remove_identity(AuthenticationConnection *, Key *);
 int      ssh_remove_all_identities(AuthenticationConnection *, int);
 int      ssh_lock_agent(AuthenticationConnection *, int, const char *);
-int      ssh_update_card(AuthenticationConnection *, int, const char *, const char *);
+int      ssh_update_card(AuthenticationConnection *, int, const char *, 
+    const char *, u_int, u_int);
 int
 ssh_decrypt_challenge(AuthenticationConnection *, Key *, BIGNUM *, u_char[16],
diff --git a/authfile.c b/authfile.c
index 90618efde..1f46093e3 100644
--- a/authfile.c
+++ b/authfile.c
@@ -36,7 +36,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: authfile.c,v 1.52 2003/03/13 11:42:18 markus Exp $");
+RCSID("$OpenBSD: authfile.c,v 1.54 2003/05/24 09:30:39 djm Exp $");
 #include <openssl/err.h>
 #include <openssl/evp.h>
@@ -514,7 +514,7 @@ key_perm_ok(int fd, const char *filename)
                error("@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @");
                error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
                error("Permissions 0%3.3o for '%s' are too open.",
-                    st.st_mode & 0777, filename);
+                    (u_int)st.st_mode & 0777, filename);
                error("It is recommended that your private key files are NOT accessible by others.");
                error("This private key will be ignored.");
                return 0;
@@ -629,9 +629,18 @@ key_load_public(const char *filename, char **commentp)
        Key *pub;
        char file[MAXPATHLEN];
+        /* try rsa1 private key */
        pub = key_load_public_type(KEY_RSA1, filename, commentp);
        if (pub != NULL)
                return pub;
+        /* try rsa1 public key */
+        pub = key_new(KEY_RSA1);
+        if (key_try_load_public(pub, filename, commentp) == 1)
+                return pub;
+        key_free(pub);
+        /* try ssh2 public key */
        pub = key_new(KEY_UNSPEC);
        if (key_try_load_public(pub, filename, commentp) == 1)
                return pub;
diff --git a/bufaux.c b/bufaux.c
index 3c276b810..37cc27ff6 100644
--- a/bufaux.c
+++ b/bufaux.c
@@ -37,7 +37,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: bufaux.c,v 1.28 2002/10/23 10:40:16 markus Exp $");
+RCSID("$OpenBSD: bufaux.c,v 1.29 2003/04/08 20:21:28 itojun Exp $");
 #include <openssl/bn.h>
 #include "bufaux.h"
@@ -119,7 +119,7 @@ buffer_put_bignum2(Buffer *buffer, BIGNUM *value)
                /**XXX should be two's-complement */
                int i, carry;
                u_char *uc = buf;
-                log("negativ!");
+                logit("negativ!");
                for (i = bytes-1, carry = 1; i>=0; i--) {
                        uc[i] ^= 0xff;
                        if (carry)
@@ -165,7 +165,6 @@ buffer_get_int(Buffer *buffer)
        return GET_32BIT(buf);
 }
-#ifdef HAVE_U_INT64_T
 u_int64_t
 buffer_get_int64(Buffer *buffer)
 {
@@ -174,7 +173,6 @@ buffer_get_int64(Buffer *buffer)
        buffer_get(buffer, (char *) buf, 8);
        return GET_64BIT(buf);
 }
-#endif
 /*
 * Stores integers in the buffer, msb first.
@@ -197,7 +195,6 @@ buffer_put_int(Buffer *buffer, u_int value)
        buffer_append(buffer, buf, 4);
 }
-#ifdef HAVE_U_INT64_T
 void
 buffer_put_int64(Buffer *buffer, u_int64_t value)
 {
@@ -206,7 +203,6 @@ buffer_put_int64(Buffer *buffer, u_int64_t value)
        PUT_64BIT(buf, value);
        buffer_append(buffer, buf, 8);
 }
-#endif
 /*
 * Returns an arbitrary binary string from the buffer.  The string cannot
diff --git a/bufaux.h b/bufaux.h
index 80f35c1ec..935553579 100644
--- a/bufaux.h
+++ b/bufaux.h
@@ -29,10 +29,8 @@ void	buffer_put_short(Buffer *, u_short);
 u_int   buffer_get_int(Buffer *);
 void    buffer_put_int(Buffer *, u_int);
-#ifdef HAVE_U_INT64_T
 u_int64_t buffer_get_int64(Buffer *);
 void    buffer_put_int64(Buffer *, u_int64_t);
-#endif
 int     buffer_get_char(Buffer *);
 void    buffer_put_char(Buffer *, int);
diff --git a/buffer.c b/buffer.c
index ad04b267e..8ff8c2f48 100644
--- a/buffer.c
+++ b/buffer.c
@@ -12,7 +12,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: buffer.c,v 1.16 2002/06/26 08:54:18 markus Exp $");
+RCSID("$OpenBSD: buffer.c,v 1.17 2003/09/16 03:03:47 deraadt Exp $");
 #include "xmalloc.h"
 #include "buffer.h"
@@ -69,6 +69,7 @@ buffer_append(Buffer *buffer, const void *data, u_int len)
 void *
 buffer_append_space(Buffer *buffer, u_int len)
 {
+        u_int newlen;
        void *p;
        if (len > 0x100000)
@@ -98,11 +99,13 @@ restart:
                goto restart;
        }
        /* Increase the size of the buffer and retry. */
-        buffer->alloc += len + 32768;
+        
-        if (buffer->alloc > 0xa00000)
+        newlen = buffer->alloc + len + 32768;
+        if (newlen > 0xa00000)
                fatal("buffer_append_space: alloc %u not supported",
-                    buffer->alloc);
+                    newlen);
-        buffer->buf = xrealloc(buffer->buf, buffer->alloc);
+        buffer->buf = xrealloc(buffer->buf, newlen);
+        buffer->alloc = newlen;
        goto restart;
        /* NOTREACHED */
 }
diff --git a/canohost.c b/canohost.c
index 941db23b6..438175f76 100644
--- a/canohost.c
+++ b/canohost.c
@@ -12,7 +12,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: canohost.c,v 1.35 2002/11/26 02:38:54 stevesk Exp $");
+RCSID("$OpenBSD: canohost.c,v 1.37 2003/06/02 09:17:34 markus Exp $");
 #include "packet.h"
 #include "xmalloc.h"
@@ -27,7 +27,7 @@ static void check_ip_options(int, char *);
 */
 static char *
-get_remote_hostname(int socket, int verify_reverse_mapping)
+get_remote_hostname(int socket, int use_dns)
 {
        struct sockaddr_storage from;
        int i;
@@ -72,6 +72,9 @@ get_remote_hostname(int socket, int verify_reverse_mapping)
            NULL, 0, NI_NUMERICHOST) != 0)
                fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed");
+        if (!use_dns)
+                return xstrdup(ntop);
        if (from.ss_family == AF_INET)
                check_ip_options(socket, ntop);
@@ -80,14 +83,24 @@ get_remote_hostname(int socket, int verify_reverse_mapping)
        if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
            NULL, 0, NI_NAMEREQD) != 0) {
                /* Host name not found.  Use ip address. */
-#if 0
-                log("Could not reverse map address %.100s.", ntop);
-#endif
                return xstrdup(ntop);
        }
-        /* Got host name. */
+        /*
-        name[sizeof(name) - 1] = '\0';
+         * if reverse lookup result looks like a numeric hostname,
+         * someone is trying to trick us by PTR record like following:
+         *      1.1.1.10.in-addr.arpa.  IN PTR  2.3.4.5
+         */
+        memset(&hints, 0, sizeof(hints));
+        hints.ai_socktype = SOCK_DGRAM; /*dummy*/
+        hints.ai_flags = AI_NUMERICHOST;
+        if (getaddrinfo(name, "0", &hints, &ai) == 0) {
+                logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
+                    name, ntop);
+                freeaddrinfo(ai);
+                return xstrdup(ntop);
+        }
        /*
         * Convert it to all lowercase (which is expected by the rest
         * of this software).
@@ -95,9 +108,6 @@ get_remote_hostname(int socket, int verify_reverse_mapping)
        for (i = 0; name[i]; i++)
                if (isupper(name[i]))
                        name[i] = tolower(name[i]);
-        if (!verify_reverse_mapping)
-                return xstrdup(name);
        /*
         * Map it back to an IP address and check that the given
         * address actually is an address of this host.  This is
@@ -111,7 +121,7 @@ get_remote_hostname(int socket, int verify_reverse_mapping)
        hints.ai_family = from.ss_family;
        hints.ai_socktype = SOCK_STREAM;
        if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-                log("reverse mapping checking getaddrinfo for %.700s "
+                logit("reverse mapping checking getaddrinfo for %.700s "
                    "failed - POSSIBLE BREAKIN ATTEMPT!", name);
                return xstrdup(ntop);
        }
@@ -126,7 +136,7 @@ get_remote_hostname(int socket, int verify_reverse_mapping)
        /* If we reached the end of the list, the address was not there. */
        if (!ai) {
                /* Address not found for the host name. */
-                log("Address %.100s maps to %.600s, but this does not "
+                logit("Address %.100s maps to %.600s, but this does not "
                    "map back to the address - POSSIBLE BREAKIN ATTEMPT!",
                    ntop, name);
                return xstrdup(ntop);
@@ -149,6 +159,7 @@ get_remote_hostname(int socket, int verify_reverse_mapping)
 static void
 check_ip_options(int socket, char *ipaddr)
 {
+#ifdef IP_OPTIONS
        u_char options[200];
        char text[sizeof(options) * 3 + 1];
        socklen_t option_size;
@@ -166,11 +177,12 @@ check_ip_options(int socket, char *ipaddr)
                for (i = 0; i < option_size; i++)
                        snprintf(text + i*3, sizeof(text) - i*3,
                            " %2.2x", options[i]);
-                log("Connection from %.100s with IP options:%.800s",
+                logit("Connection from %.100s with IP options:%.800s",
                    ipaddr, text);
                packet_disconnect("Connection from %.100s with IP options:%.800s",
                    ipaddr, text);
        }
+#endif /* IP_OPTIONS */
 }
 /*
@@ -180,14 +192,14 @@ check_ip_options(int socket, char *ipaddr)
 */
 const char *
-get_canonical_hostname(int verify_reverse_mapping)
+get_canonical_hostname(int use_dns)
 {
        static char *canonical_host_name = NULL;
-        static int verify_reverse_mapping_done = 0;
+        static int use_dns_done = 0;
        /* Check if we have previously retrieved name with same option. */
        if (canonical_host_name != NULL) {
-                if (verify_reverse_mapping_done != verify_reverse_mapping)
+                if (use_dns_done != use_dns)
                        xfree(canonical_host_name);
                else
                        return canonical_host_name;
@@ -196,11 +208,11 @@ get_canonical_hostname(int verify_reverse_mapping)
        /* Get the real hostname if socket; otherwise return UNKNOWN. */
        if (packet_connection_is_on_socket())
                canonical_host_name = get_remote_hostname(
-                    packet_get_connection_in(), verify_reverse_mapping);
+                    packet_get_connection_in(), use_dns);
        else
                canonical_host_name = xstrdup("UNKNOWN");
-        verify_reverse_mapping_done = verify_reverse_mapping;
+        use_dns_done = use_dns;
        return canonical_host_name;
 }
@@ -294,11 +306,11 @@ get_remote_ipaddr(void)
 }
 const char *
-get_remote_name_or_ip(u_int utmp_len, int verify_reverse_mapping)
+get_remote_name_or_ip(u_int utmp_len, int use_dns)
 {
        static const char *remote = "";
        if (utmp_len > 0)
-                remote = get_canonical_hostname(verify_reverse_mapping);
+                remote = get_canonical_hostname(use_dns);
        if (utmp_len == 0 || strlen(remote) > utmp_len)
                remote = get_remote_ipaddr();
        return remote;
diff --git a/channels.c b/channels.c
index 1937b0244..65a6a7f00 100644
--- a/channels.c
+++ b/channels.c
@@ -39,7 +39,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.187 2003/03/05 22:33:43 markus Exp $");
+RCSID("$OpenBSD: channels.c,v 1.194 2003/08/29 10:04:36 markus Exp $");
 #include "ssh.h"
 #include "ssh1.h"
@@ -54,7 +54,7 @@ RCSID("$OpenBSD: channels.c,v 1.187 2003/03/05 22:33:43 markus Exp $");
 #include "key.h"
 #include "authfd.h"
 #include "pathnames.h"
+#include "bufaux.h"
 /* -- channel core */
@@ -142,12 +142,12 @@ channel_lookup(int id)
        Channel *c;
        if (id < 0 || id >= channels_alloc) {
-                log("channel_lookup: %d: bad id", id);
+                logit("channel_lookup: %d: bad id", id);
                return NULL;
        }
        c = channels[id];
        if (c == NULL) {
-                log("channel_lookup: %d: bad id: channel free", id);
+                logit("channel_lookup: %d: bad id: channel free", id);
                return NULL;
        }
        return c;
@@ -177,7 +177,7 @@ channel_register_fds(Channel *c, int rfd, int wfd, int efd,
        /* XXX ugly hack: nonblock is only set by the server */
        if (nonblock && isatty(c->rfd)) {
-                debug("channel %d: rfd %d isatty", c->self, c->rfd);
+                debug2("channel %d: rfd %d isatty", c->self, c->rfd);
                c->isatty = 1;
                if (!isatty(c->wfd)) {
                        error("channel %d: wfd %d is not a tty?",
@@ -256,7 +256,7 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd,
        c->local_consumed = 0;
        c->local_maxpacket = maxpack;
        c->remote_id = -1;
-        c->remote_name = remote_name;
+        c->remote_name = xstrdup(remote_name);
        c->remote_window = 0;
        c->remote_maxpacket = 0;
        c->force_drain = 0;
@@ -304,7 +304,7 @@ channel_close_fd(int *fdp)
 static void
 channel_close_fds(Channel *c)
 {
-        debug3("channel_close_fds: channel %d: r %d w %d e %d",
+        debug3("channel %d: close_fds r %d w %d e %d",
            c->self, c->rfd, c->wfd, c->efd);
        channel_close_fd(&c->sock);
@@ -324,11 +324,11 @@ channel_free(Channel *c)
        for (n = 0, i = 0; i < channels_alloc; i++)
                if (channels[i])
                        n++;
-        debug("channel_free: channel %d: %s, nchannels %d", c->self,
+        debug("channel %d: free: %s, nchannels %d", c->self,
            c->remote_name ? c->remote_name : "???", n);
        s = channel_open_message();
-        debug3("channel_free: status: %s", s);
+        debug3("channel %d: status: %s", c->self, s);
        xfree(s);
        if (c->sock != -1)
@@ -419,7 +419,7 @@ channel_not_very_much_buffered_data(void)
                        }
 #endif
                        if (buffer_len(&c->output) > packet_get_maxsize()) {
-                                debug2("channel %d: big output buffer %d > %d",
+                                debug2("channel %d: big output buffer %u > %u",
                                    c->self, buffer_len(&c->output),
                                    packet_get_maxsize());
                                return 0;
@@ -575,7 +575,7 @@ channel_send_open(int id)
        Channel *c = channel_lookup(id);
        if (c == NULL) {
-                log("channel_send_open: %d: bad id", id);
+                logit("channel_send_open: %d: bad id", id);
                return;
        }
        debug2("channel %d: send open", id);
@@ -593,10 +593,10 @@ channel_request_start(int id, char *service, int wantconfirm)
        Channel *c = channel_lookup(id);
        if (c == NULL) {
-                log("channel_request_start: %d: unknown channel id", id);
+                logit("channel_request_start: %d: unknown channel id", id);
                return;
        }
-        debug("channel %d: request %s", id, service) ;
+        debug2("channel %d: request %s", id, service) ;
        packet_start(SSH2_MSG_CHANNEL_REQUEST);
        packet_put_int(c->remote_id);
        packet_put_cstring(service);
@@ -608,7 +608,7 @@ channel_register_confirm(int id, channel_callback_fn *fn)
        Channel *c = channel_lookup(id);
        if (c == NULL) {
-                log("channel_register_comfirm: %d: bad id", id);
+                logit("channel_register_comfirm: %d: bad id", id);
                return;
        }
        c->confirm = fn;
@@ -619,7 +619,7 @@ channel_register_cleanup(int id, channel_callback_fn *fn)
        Channel *c = channel_lookup(id);
        if (c == NULL) {
-                log("channel_register_cleanup: %d: bad id", id);
+                logit("channel_register_cleanup: %d: bad id", id);
                return;
        }
        c->detach_user = fn;
@@ -630,7 +630,7 @@ channel_cancel_cleanup(int id)
        Channel *c = channel_lookup(id);
        if (c == NULL) {
-                log("channel_cancel_cleanup: %d: bad id", id);
+                logit("channel_cancel_cleanup: %d: bad id", id);
                return;
        }
        c->detach_user = NULL;
@@ -641,7 +641,7 @@ channel_register_filter(int id, channel_filter_fn *fn)
        Channel *c = channel_lookup(id);
        if (c == NULL) {
-                log("channel_register_filter: %d: bad id", id);
+                logit("channel_register_filter: %d: bad id", id);
                return;
        }
        c->input_filter = fn;
@@ -739,7 +739,7 @@ channel_pre_input_draining(Channel *c, fd_set * readset, fd_set * writeset)
                packet_put_int(c->remote_id);
                packet_send();
                c->type = SSH_CHANNEL_CLOSED;
-                debug("channel %d: closing after input drain.", c->self);
+                debug2("channel %d: closing after input drain.", c->self);
        }
 }
@@ -780,7 +780,7 @@ x11_open_helper(Buffer *b)
                proto_len = ucp[6] + 256 * ucp[7];
                data_len = ucp[8] + 256 * ucp[9];
        } else {
-                debug("Initial X11 packet contains bad byte order byte: 0x%x",
+                debug2("Initial X11 packet contains bad byte order byte: 0x%x",
                    ucp[0]);
                return -1;
        }
@@ -793,14 +793,14 @@ x11_open_helper(Buffer *b)
        /* Check if authentication protocol matches. */
        if (proto_len != strlen(x11_saved_proto) ||
            memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) {
-                debug("X11 connection uses different authentication protocol.");
+                debug2("X11 connection uses different authentication protocol.");
                return -1;
        }
        /* Check if authentication data matches our fake data. */
        if (data_len != x11_fake_data_len ||
            memcmp(ucp + 12 + ((proto_len + 3) & ~3),
                x11_fake_data, x11_fake_data_len) != 0) {
-                debug("X11 auth data does not match fake data.");
+                debug2("X11 auth data does not match fake data.");
                return -1;
        }
        /* Check fake data length */
@@ -833,7 +833,7 @@ channel_pre_x11_open_13(Channel *c, fd_set * readset, fd_set * writeset)
                 * We have received an X11 connection that has bad
                 * authentication information.
                 */
-                log("X11 connection rejected because of wrong authentication.");
+                logit("X11 connection rejected because of wrong authentication.");
                buffer_clear(&c->input);
                buffer_clear(&c->output);
                channel_close_fd(&c->sock);
@@ -856,8 +856,8 @@ channel_pre_x11_open(Channel *c, fd_set * readset, fd_set * writeset)
                c->type = SSH_CHANNEL_OPEN;
                channel_pre_open(c, readset, writeset);
        } else if (ret == -1) {
-                log("X11 connection rejected because of wrong authentication.");
+                logit("X11 connection rejected because of wrong authentication.");
-                debug("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate);
+                debug2("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate);
                chan_read_failed(c);
                buffer_clear(&c->input);
                chan_ibuf_empty(c);
@@ -867,7 +867,7 @@ channel_pre_x11_open(Channel *c, fd_set * readset, fd_set * writeset)
                        chan_write_failed(c);
                else
                        c->type = SSH_CHANNEL_OPEN;
-                debug("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate);
+                debug2("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate);
        }
 }
@@ -925,7 +925,7 @@ channel_decode_socks4(Channel *c, fd_set * readset, fd_set * writeset)
        strlcpy(c->path, host, sizeof(c->path));
        c->host_port = ntohs(s4_req.dest_port);
-        debug("channel %d: dynamic request: socks4 host %s port %u command %u",
+        debug2("channel %d: dynamic request: socks4 host %s port %u command %u",
            c->self, host, c->host_port, s4_req.command);
        if (s4_req.command != 1) {
@@ -941,6 +941,117 @@ channel_decode_socks4(Channel *c, fd_set * readset, fd_set * writeset)
        return 1;
 }
+/* try to decode a socks5 header */
+#define SSH_SOCKS5_AUTHDONE     0x1000
+#define SSH_SOCKS5_NOAUTH       0x00
+#define SSH_SOCKS5_IPV4         0x01
+#define SSH_SOCKS5_DOMAIN       0x03
+#define SSH_SOCKS5_IPV6         0x04
+#define SSH_SOCKS5_CONNECT      0x01
+#define SSH_SOCKS5_SUCCESS      0x00
+static int
+channel_decode_socks5(Channel *c, fd_set * readset, fd_set * writeset)
+{
+        struct {
+                u_int8_t version;
+                u_int8_t command;
+                u_int8_t reserved;
+                u_int8_t atyp;
+        } s5_req, s5_rsp;
+        u_int16_t dest_port;
+        u_char *p, dest_addr[255+1];
+        int i, have, found, nmethods, addrlen, af;
+        debug2("channel %d: decode socks5", c->self);
+        p = buffer_ptr(&c->input);
+        if (p[0] != 0x05)
+                return -1;
+        have = buffer_len(&c->input);
+        if (!(c->flags & SSH_SOCKS5_AUTHDONE)) {
+                /* format: ver | nmethods | methods */
+                if (have < 2) 
+                        return 0;
+                nmethods = p[1];
+                if (have < nmethods + 2)
+                        return 0;
+                /* look for method: "NO AUTHENTICATION REQUIRED" */
+                for (found = 0, i = 2 ; i < nmethods + 2; i++) {
+                        if (p[i] == SSH_SOCKS5_NOAUTH ) {
+                                found = 1;
+                                break;
+                        }
+                }
+                if (!found) {
+                        debug("channel %d: method SSH_SOCKS5_NOAUTH not found",
+                            c->self);
+                        return -1;
+                }
+                buffer_consume(&c->input, nmethods + 2);
+                buffer_put_char(&c->output, 0x05);              /* version */
+                buffer_put_char(&c->output, SSH_SOCKS5_NOAUTH); /* method */
+                FD_SET(c->sock, writeset);
+                c->flags |= SSH_SOCKS5_AUTHDONE;
+                debug2("channel %d: socks5 auth done", c->self);
+                return 0;                               /* need more */
+        }
+        debug2("channel %d: socks5 post auth", c->self);
+        if (have < sizeof(s5_req)+1)
+                return 0;                       /* need more */
+        memcpy((char *)&s5_req, p, sizeof(s5_req));
+        if (s5_req.version != 0x05 ||
+            s5_req.command != SSH_SOCKS5_CONNECT ||
+            s5_req.reserved != 0x00) {
+                debug2("channel %d: only socks5 connect supported", c->self);
+                return -1;
+        }
+        switch(s5_req.atyp){
+        case SSH_SOCKS5_IPV4:
+                addrlen = 4;
+                af = AF_INET;
+                break;
+        case SSH_SOCKS5_DOMAIN:
+                addrlen = p[sizeof(s5_req)];
+                af = -1;
+                break;
+        case SSH_SOCKS5_IPV6:
+                addrlen = 16;
+                af = AF_INET6;
+                break;
+        default:
+                debug2("channel %d: bad socks5 atyp %d", c->self, s5_req.atyp);
+                return -1;
+        }
+        if (have < 4 + addrlen + 2)
+                return 0;
+        buffer_consume(&c->input, sizeof(s5_req));
+        if (s5_req.atyp == SSH_SOCKS5_DOMAIN)
+                buffer_consume(&c->input, 1);    /* host string length */
+        buffer_get(&c->input, (char *)&dest_addr, addrlen);
+        buffer_get(&c->input, (char *)&dest_port, 2);
+        dest_addr[addrlen] = '\0';
+        if (s5_req.atyp == SSH_SOCKS5_DOMAIN)
+                strlcpy(c->path, dest_addr, sizeof(c->path));
+        else if (inet_ntop(af, dest_addr, c->path, sizeof(c->path)) == NULL)
+                return -1;
+        c->host_port = ntohs(dest_port);
+        
+        debug2("channel %d: dynamic request: socks5 host %s port %u command %u",
+            c->self, c->path, c->host_port, s5_req.command);
+        s5_rsp.version = 0x05;
+        s5_rsp.command = SSH_SOCKS5_SUCCESS;
+        s5_rsp.reserved = 0;                    /* ignored */
+        s5_rsp.atyp = SSH_SOCKS5_IPV4;
+        ((struct in_addr *)&dest_addr)->s_addr = INADDR_ANY;
+        dest_port = 0;                          /* ignored */
+        buffer_append(&c->output, (char *)&s5_rsp, sizeof(s5_rsp));
+        buffer_append(&c->output, (char *)&dest_addr, sizeof(struct in_addr));
+        buffer_append(&c->output, (char *)&dest_port, sizeof(dest_port));
+        return 1;
+}
 /* dynamic port forwarding */
 static void
 channel_pre_dynamic(Channel *c, fd_set * readset, fd_set * writeset)
@@ -953,7 +1064,7 @@ channel_pre_dynamic(Channel *c, fd_set * readset, fd_set * writeset)
        debug2("channel %d: pre_dynamic: have %d", c->self, have);
        /* buffer_dump(&c->input); */
        /* check if the fixed size part of the packet is in buffer. */
-        if (have < 4) {
+        if (have < 3) {
                /* need more */
                FD_SET(c->sock, readset);
                return;
@@ -964,6 +1075,9 @@ channel_pre_dynamic(Channel *c, fd_set * readset, fd_set * writeset)
        case 0x04:
                ret = channel_decode_socks4(c, readset, writeset);
                break;
+        case 0x05:
+                ret = channel_decode_socks5(c, readset, writeset);
+                break;
        default:
                ret = -1;
                break;
@@ -997,7 +1111,7 @@ channel_post_x11_listener(Channel *c, fd_set * readset, fd_set * writeset)
                addrlen = sizeof(addr);
                newsock = accept(c->sock, &addr, &addrlen);
                if (c->single_connection) {
-                        debug("single_connection: closing X11 listener.");
+                        debug2("single_connection: closing X11 listener.");
                        channel_close_fd(&c->sock);
                        chan_mark_dead(c);
                }
@@ -1013,8 +1127,7 @@ channel_post_x11_listener(Channel *c, fd_set * readset, fd_set * writeset)
                nc = channel_new("accepted x11 socket",
                    SSH_CHANNEL_OPENING, newsock, newsock, -1,
-                    c->local_window_max, c->local_maxpacket,
+                    c->local_window_max, c->local_maxpacket, 0, buf, 1);
-                    0, xstrdup(buf), 1);
                if (compat20) {
                        packet_start(SSH2_MSG_CHANNEL_OPEN);
                        packet_put_cstring("x11");
@@ -1024,7 +1137,7 @@ channel_post_x11_listener(Channel *c, fd_set * readset, fd_set * writeset)
                        /* originator ipaddr and port */
                        packet_put_cstring(remote_ipaddr);
                        if (datafellows & SSH_BUG_X11FWD) {
-                                debug("ssh2 x11 bug compat mode");
+                                debug2("ssh2 x11 bug compat mode");
                        } else {
                                packet_put_int(remote_port);
                        }
@@ -1129,10 +1242,8 @@ channel_post_port_listener(Channel *c, fd_set * readset, fd_set * writeset)
                        return;
                }
                set_nodelay(newsock);
-                nc = channel_new(rtype,
+                nc = channel_new(rtype, nextstate, newsock, newsock, -1,
-                    nextstate, newsock, newsock, -1,
+                    c->local_window_max, c->local_maxpacket, 0, rtype, 1);
-                    c->local_window_max, c->local_maxpacket,
-                    0, xstrdup(rtype), 1);
                nc->listening_port = c->listening_port;
                nc->host_port = c->host_port;
                strlcpy(nc->path, c->path, sizeof(nc->path));
@@ -1158,7 +1269,6 @@ static void
 channel_post_auth_listener(Channel *c, fd_set * readset, fd_set * writeset)
 {
        Channel *nc;
-        char *name;
        int newsock;
        struct sockaddr addr;
        socklen_t addrlen;
@@ -1170,11 +1280,10 @@ channel_post_auth_listener(Channel *c, fd_set * readset, fd_set * writeset)
                        error("accept from auth socket: %.100s", strerror(errno));
                        return;
                }
-                name = xstrdup("accepted auth socket");
                nc = channel_new("accepted auth socket",
                    SSH_CHANNEL_OPENING, newsock, newsock, -1,
                    c->local_window_max, c->local_maxpacket,
-                    0, name, 1);
+                    0, "accepted auth socket", 1);
                if (compat20) {
                        packet_start(SSH2_MSG_CHANNEL_OPEN);
                        packet_put_cstring("auth-agent@openssh.com");
@@ -1247,16 +1356,16 @@ channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset)
                if (len < 0 && (errno == EINTR || errno == EAGAIN))
                        return 1;
                if (len <= 0) {
-                        debug("channel %d: read<=0 rfd %d len %d",
+                        debug2("channel %d: read<=0 rfd %d len %d",
                            c->self, c->rfd, len);
                        if (c->type != SSH_CHANNEL_OPEN) {
-                                debug("channel %d: not open", c->self);
+                                debug2("channel %d: not open", c->self);
                                chan_mark_dead(c);
                                return -1;
                        } else if (compat13) {
                                buffer_clear(&c->output);
                                c->type = SSH_CHANNEL_INPUT_DRAINING;
-                                debug("channel %d: input draining.", c->self);
+                                debug2("channel %d: input draining.", c->self);
                        } else {
                                chan_read_failed(c);
                        }
@@ -1264,7 +1373,7 @@ channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset)
                }
                if (c->input_filter != NULL) {
                        if (c->input_filter(c, buf, len) == -1) {
-                                debug("channel %d: filter stops", c->self);
+                                debug2("channel %d: filter stops", c->self);
                                chan_read_failed(c);
                        }
                } else {
@@ -1297,12 +1406,12 @@ channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset)
                        return 1;
                if (len <= 0) {
                        if (c->type != SSH_CHANNEL_OPEN) {
-                                debug("channel %d: not open", c->self);
+                                debug2("channel %d: not open", c->self);
                                chan_mark_dead(c);
                                return -1;
                        } else if (compat13) {
                                buffer_clear(&c->output);
-                                debug("channel %d: input draining.", c->self);
+                                debug2("channel %d: input draining.", c->self);
                                c->type = SSH_CHANNEL_INPUT_DRAINING;
                        } else {
                                chan_write_failed(c);
@@ -1509,16 +1618,16 @@ channel_garbage_collect(Channel *c)
        if (c->detach_user != NULL) {
                if (!chan_is_dead(c, 0))
                        return;
-                debug("channel %d: gc: notify user", c->self);
+                debug2("channel %d: gc: notify user", c->self);
                c->detach_user(c->self, NULL);
                /* if we still have a callback */
                if (c->detach_user != NULL)
                        return;
-                debug("channel %d: gc: user detached", c->self);
+                debug2("channel %d: gc: user detached", c->self);
        }
        if (!chan_is_dead(c, 1))
                return;
-        debug("channel %d: garbage collecting", c->self);
+        debug2("channel %d: garbage collecting", c->self);
        channel_free(c);
 }
@@ -1717,11 +1826,11 @@ channel_input_data(int type, u_int32_t seq, void *ctxt)
        if (compat20) {
                if (data_len > c->local_maxpacket) {
-                        log("channel %d: rcvd big packet %d, maxpack %d",
+                        logit("channel %d: rcvd big packet %d, maxpack %d",
                            c->self, data_len, c->local_maxpacket);
                }
                if (data_len > c->local_window) {
-                        log("channel %d: rcvd too much data %d, win %d",
+                        logit("channel %d: rcvd too much data %d, win %d",
                            c->self, data_len, c->local_window);
                        xfree(data);
                        return;
@@ -1748,7 +1857,7 @@ channel_input_extended_data(int type, u_int32_t seq, void *ctxt)
        if (c == NULL)
                packet_disconnect("Received extended_data for bad channel %d.", id);
        if (c->type != SSH_CHANNEL_OPEN) {
-                log("channel %d: ext data for non open", id);
+                logit("channel %d: ext data for non open", id);
                return;
        }
        if (c->flags & CHAN_EOF_RCVD) {
@@ -1762,13 +1871,13 @@ channel_input_extended_data(int type, u_int32_t seq, void *ctxt)
        if (c->efd == -1 ||
            c->extended_usage != CHAN_EXTENDED_WRITE ||
            tcode != SSH2_EXTENDED_DATA_STDERR) {
-                log("channel %d: bad ext data", c->self);
+                logit("channel %d: bad ext data", c->self);
                return;
        }
        data = packet_get_string(&data_len);
        packet_check_eom();
        if (data_len > c->local_window) {
-                log("channel %d: rcvd too much extended_data %d, win %d",
+                logit("channel %d: rcvd too much extended_data %d, win %d",
                    c->self, data_len, c->local_window);
                xfree(data);
                return;
@@ -1893,7 +2002,7 @@ channel_input_open_confirmation(int type, u_int32_t seq, void *ctxt)
                        c->confirm(c->self, NULL);
                        debug2("callback done");
                }
-                debug("channel %d: open confirm rwindow %u rmax %u", c->self,
+                debug2("channel %d: open confirm rwindow %u rmax %u", c->self,
                    c->remote_window, c->remote_maxpacket);
        }
        packet_check_eom();
@@ -1934,7 +2043,7 @@ channel_input_open_failure(int type, u_int32_t seq, void *ctxt)
                        msg  = packet_get_string(NULL);
                        lang = packet_get_string(NULL);
                }
-                log("channel %d: open failed: %s%s%s", id,
+                logit("channel %d: open failed: %s%s%s", id,
                    reason2txt(reason), msg ? ": ": "", msg ? msg : "");
                if (msg != NULL)
                        xfree(msg);
@@ -1961,7 +2070,7 @@ channel_input_window_adjust(int type, u_int32_t seq, void *ctxt)
        c = channel_lookup(id);
        if (c == NULL || c->type != SSH_CHANNEL_OPEN) {
-                log("Received window adjust for "
+                logit("Received window adjust for "
                    "non-open channel %d.", id);
                return;
        }
@@ -1996,8 +2105,8 @@ channel_input_port_open(int type, u_int32_t seq, void *ctxt)
                    originator_string, 1);
                c->remote_id = remote_id;
        }
+        xfree(originator_string);
        if (c == NULL) {
-                xfree(originator_string);
                packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
                packet_put_int(remote_id);
                packet_send();
@@ -2058,7 +2167,7 @@ channel_setup_fwd_listener(int type, const char *listen_addr, u_short listen_por
                        continue;
                }
                /* Create a port to listen for the host. */
-                sock = socket(ai->ai_family, SOCK_STREAM, 0);
+                sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
                if (sock < 0) {
                        /* this is no error since kernel may not support ipv6 */
                        verbose("socket: %.100s", strerror(errno));
@@ -2094,7 +2203,7 @@ channel_setup_fwd_listener(int type, const char *listen_addr, u_short listen_por
                /* Allocate a channel number for the socket. */
                c = channel_new("port listener", type, sock, sock, -1,
                    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
-                    0, xstrdup("port listener"), 1);
+                    0, "port listener", 1);
                strlcpy(c->path, host, sizeof(c->path));
                c->host_port = port_to_connect;
                c->listening_port = listen_port;
@@ -2167,7 +2276,7 @@ channel_request_remote_forwarding(u_short listen_port,
                        success = 1;
                        break;
                case SSH_SMSG_FAILURE:
-                        log("Warning: Server denied remote port forwarding.");
+                        logit("Warning: Server denied remote port forwarding.");
                        break;
                default:
                        /* Unknown packet */
@@ -2206,9 +2315,13 @@ channel_input_port_forward_request(int is_root, int gateway_ports)
         * privileged port.
         */
        if (port < IPPORT_RESERVED && !is_root)
-                packet_disconnect("Requested forwarding of port %d but user is not root.",
+                packet_disconnect(
-                                  port);
+                    "Requested forwarding of port %d but user is not root.",
+                    port);
+        if (host_port == 0)
+                packet_disconnect("Dynamic forwarding denied.");
 #endif
        /* Initiate forwarding */
        channel_setup_local_fwd_listener(port, hostname, host_port, gateway_ports);
@@ -2280,7 +2393,7 @@ connect_to(const char *host, u_short port)
                        error("connect_to: getnameinfo failed");
                        continue;
                }
-                sock = socket(ai->ai_family, SOCK_STREAM, 0);
+                sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
                if (sock < 0) {
                        if (ai->ai_next == NULL)
                                error("socket: %.100s", strerror(errno));
@@ -2340,7 +2453,7 @@ channel_connect_to(const char *host, u_short port)
        }
        if (!permit) {
-                log("Received request to connect to host %.100s port %d, "
+                logit("Received request to connect to host %.100s port %d, "
                    "but the request was denied.", host, port);
                return -1;
        }
@@ -2381,7 +2494,8 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
                for (ai = aitop; ai; ai = ai->ai_next) {
                        if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
                                continue;
-                        sock = socket(ai->ai_family, SOCK_STREAM, 0);
+                        sock = socket(ai->ai_family, ai->ai_socktype,
+                            ai->ai_protocol);
                        if (sock < 0) {
                                if ((errno != EINVAL) && (errno != EAFNOSUPPORT)) {
                                        error("socket: %.100s", strerror(errno));
@@ -2400,7 +2514,7 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
                        }
 #endif
                        if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
-                                debug("bind port %d: %.100s", port, strerror(errno));
+                                debug2("bind port %d: %.100s", port, strerror(errno));
                                close(sock);
                                if (ai->ai_next)
@@ -2449,7 +2563,7 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
                nc = channel_new("x11 listener",
                    SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
                    CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
-                    0, xstrdup("X11 inet listener"), 1);
+                    0, "X11 inet listener", 1);
                nc->single_connection = single_connection;
        }
@@ -2547,14 +2661,14 @@ x11_connect_display(void)
        }
        for (ai = aitop; ai; ai = ai->ai_next) {
                /* Create a socket. */
-                sock = socket(ai->ai_family, SOCK_STREAM, 0);
+                sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
                if (sock < 0) {
-                        debug("socket: %.100s", strerror(errno));
+                        debug2("socket: %.100s", strerror(errno));
                        continue;
                }
                /* Connect it to the display. */
                if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
-                        debug("connect %.100s port %d: %.100s", buf,
+                        debug2("connect %.100s port %d: %.100s", buf,
                            6000 + display_number, strerror(errno));
                        close(sock);
                        continue;
@@ -2606,11 +2720,11 @@ x11_input_open(int type, u_int32_t seq, void *ctxt)
                c->remote_id = remote_id;
                c->force_drain = 1;
        }
+        xfree(remote_host);
        if (c == NULL) {
                /* Send refusal to the remote host. */
                packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
                packet_put_int(remote_id);
-                xfree(remote_host);
        } else {
                /* Send a confirmation to the remote host. */
                packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
@@ -2732,7 +2846,6 @@ auth_input_open_request(int type, u_int32_t seq, void *ctxt)
 {
        Channel *c = NULL;
        int remote_id, sock;
-        char *name;
        /* Read the remote channel number from the message. */
        remote_id = packet_get_int();
@@ -2751,9 +2864,8 @@ auth_input_open_request(int type, u_int32_t seq, void *ctxt)
         * agent.
         */
        if (sock >= 0) {
-                name = xstrdup("authentication agent connection");
                c = channel_new("", SSH_CHANNEL_OPEN, sock, sock,
-                    -1, 0, 0, 0, name, 1);
+                    -1, 0, 0, 0, "authentication agent connection", 1);
                c->remote_id = remote_id;
                c->force_drain = 1;
        }
diff --git a/cipher-3des1.c b/cipher-3des1.c
new file mode 100644
index 000000000..f9a352397
--- /dev/null
+++ b/cipher-3des1.c
@@ -0,0 +1,171 @@
+/*
+ * Copyright (c) 2003 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "includes.h"
+RCSID("$OpenBSD: cipher-3des1.c,v 1.1 2003/05/15 03:08:29 markus Exp $");
+#include <openssl/evp.h>
+#include "xmalloc.h"
+#include "log.h"
+/*
+ * This is used by SSH1:
+ *
+ * What kind of triple DES are these 2 routines?
+ *
+ * Why is there a redundant initialization vector?
+ *
+ * If only iv3 was used, then, this would till effect have been
+ * outer-cbc. However, there is also a private iv1 == iv2 which
+ * perhaps makes differential analysis easier. On the other hand, the
+ * private iv1 probably makes the CRC-32 attack ineffective. This is a
+ * result of that there is no longer any known iv1 to use when
+ * choosing the X block.
+ */
+struct ssh1_3des_ctx
+{
+        EVP_CIPHER_CTX  k1, k2, k3;
+};
+const EVP_CIPHER * evp_ssh1_3des(void);
+void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
+static int
+ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
+    int enc)
+{
+        struct ssh1_3des_ctx *c;
+        u_char *k1, *k2, *k3;
+        if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
+                c = xmalloc(sizeof(*c));
+                EVP_CIPHER_CTX_set_app_data(ctx, c);
+        }
+        if (key == NULL)
+                return (1);
+        if (enc == -1)
+                enc = ctx->encrypt;
+        k1 = k2 = k3 = (u_char *) key;
+        k2 += 8;
+        if (EVP_CIPHER_CTX_key_length(ctx) >= 16+8) {
+                if (enc)
+                        k3 += 16;
+                else
+                        k1 += 16;
+        }
+        EVP_CIPHER_CTX_init(&c->k1);
+        EVP_CIPHER_CTX_init(&c->k2);
+        EVP_CIPHER_CTX_init(&c->k3);
+#ifdef SSH_OLD_EVP
+        EVP_CipherInit(&c->k1, EVP_des_cbc(), k1, NULL, enc);
+        EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc);
+        EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc);
+#else
+        if (EVP_CipherInit(&c->k1, EVP_des_cbc(), k1, NULL, enc) == 0 ||
+            EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc) == 0 ||
+            EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc) == 0) {
+                memset(c, 0, sizeof(*c));
+                xfree(c);
+                EVP_CIPHER_CTX_set_app_data(ctx, NULL);
+                return (0);
+        }
+#endif
+        return (1);
+}
+static int
+ssh1_3des_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, u_int len)
+{
+        struct ssh1_3des_ctx *c;
+        if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
+                error("ssh1_3des_cbc: no context");
+                return (0);
+        }
+#ifdef SSH_OLD_EVP
+        EVP_Cipher(&c->k1, dest, (u_char *)src, len);
+        EVP_Cipher(&c->k2, dest, dest, len);
+        EVP_Cipher(&c->k3, dest, dest, len);
+#else
+        if (EVP_Cipher(&c->k1, dest, (u_char *)src, len) == 0 ||
+            EVP_Cipher(&c->k2, dest, dest, len) == 0 ||
+            EVP_Cipher(&c->k3, dest, dest, len) == 0)
+                return (0);
+#endif
+        return (1);
+}
+static int
+ssh1_3des_cleanup(EVP_CIPHER_CTX *ctx)
+{
+        struct ssh1_3des_ctx *c;
+        if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
+                memset(c, 0, sizeof(*c));
+                xfree(c);
+                EVP_CIPHER_CTX_set_app_data(ctx, NULL);
+        }
+        return (1);
+}
+void
+ssh1_3des_iv(EVP_CIPHER_CTX *evp, int doset, u_char *iv, int len)
+{
+        struct ssh1_3des_ctx *c;
+        if (len != 24)
+                fatal("%s: bad 3des iv length: %d", __func__, len);
+        if ((c = EVP_CIPHER_CTX_get_app_data(evp)) == NULL)
+                fatal("%s: no 3des context", __func__);
+        if (doset) {
+                debug3("%s: Installed 3DES IV", __func__);
+                memcpy(c->k1.iv, iv, 8);
+                memcpy(c->k2.iv, iv + 8, 8);
+                memcpy(c->k3.iv, iv + 16, 8);
+        } else {
+                debug3("%s: Copying 3DES IV", __func__);
+                memcpy(iv, c->k1.iv, 8);
+                memcpy(iv + 8, c->k2.iv, 8);
+                memcpy(iv + 16, c->k3.iv, 8);
+        }
+}
+const EVP_CIPHER *
+evp_ssh1_3des(void)
+{
+        static EVP_CIPHER ssh1_3des;
+        memset(&ssh1_3des, 0, sizeof(EVP_CIPHER));
+        ssh1_3des.nid = NID_undef;
+        ssh1_3des.block_size = 8;
+        ssh1_3des.iv_len = 0;
+        ssh1_3des.key_len = 16;
+        ssh1_3des.init = ssh1_3des_init;
+        ssh1_3des.cleanup = ssh1_3des_cleanup;
+        ssh1_3des.do_cipher = ssh1_3des_cbc;
+#ifndef SSH_OLD_EVP
+        ssh1_3des.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH;
+#endif
+        return (&ssh1_3des);
+}
diff --git a/cipher-aes.c b/cipher-aes.c
new file mode 100644
index 000000000..c41def600
--- /dev/null
+++ b/cipher-aes.c
@@ -0,0 +1,156 @@
+/*
+ * Copyright (c) 2003 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "includes.h"
+#if OPENSSL_VERSION_NUMBER < 0x00907000L
+RCSID("$OpenBSD: cipher-aes.c,v 1.1 2003/05/15 03:08:29 markus Exp $");
+#include <openssl/evp.h>
+#include "rijndael.h"
+#include "xmalloc.h"
+#include "log.h"
+#define RIJNDAEL_BLOCKSIZE 16
+struct ssh_rijndael_ctx
+{
+        rijndael_ctx    r_ctx;
+        u_char          r_iv[RIJNDAEL_BLOCKSIZE];
+};
+const EVP_CIPHER * evp_rijndael(void);
+void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
+static int
+ssh_rijndael_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
+    int enc)
+{
+        struct ssh_rijndael_ctx *c;
+        if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
+                c = xmalloc(sizeof(*c));
+                EVP_CIPHER_CTX_set_app_data(ctx, c);
+        }
+        if (key != NULL) {
+                if (enc == -1)
+                        enc = ctx->encrypt;
+                rijndael_set_key(&c->r_ctx, (u_char *)key,
+                    8*EVP_CIPHER_CTX_key_length(ctx), enc);
+        }
+        if (iv != NULL)
+                memcpy(c->r_iv, iv, RIJNDAEL_BLOCKSIZE);
+        return (1);
+}
+static int
+ssh_rijndael_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
+    u_int len)
+{
+        struct ssh_rijndael_ctx *c;
+        u_char buf[RIJNDAEL_BLOCKSIZE];
+        u_char *cprev, *cnow, *plain, *ivp;
+        int i, j, blocks = len / RIJNDAEL_BLOCKSIZE;
+        if (len == 0)
+                return (1);
+        if (len % RIJNDAEL_BLOCKSIZE)
+                fatal("ssh_rijndael_cbc: bad len %d", len);
+        if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
+                error("ssh_rijndael_cbc: no context");
+                return (0);
+        }
+        if (ctx->encrypt) {
+                cnow  = dest;
+                plain = (u_char *)src;
+                cprev = c->r_iv;
+                for (i = 0; i < blocks; i++, plain+=RIJNDAEL_BLOCKSIZE,
+                    cnow+=RIJNDAEL_BLOCKSIZE) {
+                        for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++)
+                                buf[j] = plain[j] ^ cprev[j];
+                        rijndael_encrypt(&c->r_ctx, buf, cnow);
+                        cprev = cnow;
+                }
+                memcpy(c->r_iv, cprev, RIJNDAEL_BLOCKSIZE);
+        } else {
+                cnow  = (u_char *) (src+len-RIJNDAEL_BLOCKSIZE);
+                plain = dest+len-RIJNDAEL_BLOCKSIZE;
+                memcpy(buf, cnow, RIJNDAEL_BLOCKSIZE);
+                for (i = blocks; i > 0; i--, cnow-=RIJNDAEL_BLOCKSIZE,
+                    plain-=RIJNDAEL_BLOCKSIZE) {
+                        rijndael_decrypt(&c->r_ctx, cnow, plain);
+                        ivp = (i == 1) ? c->r_iv : cnow-RIJNDAEL_BLOCKSIZE;
+                        for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++)
+                                plain[j] ^= ivp[j];
+                }
+                memcpy(c->r_iv, buf, RIJNDAEL_BLOCKSIZE);
+        }
+        return (1);
+}
+static int
+ssh_rijndael_cleanup(EVP_CIPHER_CTX *ctx)
+{
+        struct ssh_rijndael_ctx *c;
+        if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
+                memset(c, 0, sizeof(*c));
+                xfree(c);
+                EVP_CIPHER_CTX_set_app_data(ctx, NULL);
+        }
+        return (1);
+}
+void
+ssh_rijndael_iv(EVP_CIPHER_CTX *evp, int doset, u_char * iv, u_int len)
+{
+        struct ssh_rijndael_ctx *c;
+        if ((c = EVP_CIPHER_CTX_get_app_data(evp)) == NULL)
+                fatal("ssh_rijndael_iv: no context");
+        if (doset)
+                memcpy(c->r_iv, iv, len);
+        else
+                memcpy(iv, c->r_iv, len);
+}
+const EVP_CIPHER *
+evp_rijndael(void)
+{
+        static EVP_CIPHER rijndal_cbc;
+        memset(&rijndal_cbc, 0, sizeof(EVP_CIPHER));
+        rijndal_cbc.nid = NID_undef;
+        rijndal_cbc.block_size = RIJNDAEL_BLOCKSIZE;
+        rijndal_cbc.iv_len = RIJNDAEL_BLOCKSIZE;
+        rijndal_cbc.key_len = 16;
+        rijndal_cbc.init = ssh_rijndael_init;
+        rijndal_cbc.cleanup = ssh_rijndael_cleanup;
+        rijndal_cbc.do_cipher = ssh_rijndael_cbc;
+#ifndef SSH_OLD_EVP
+        rijndal_cbc.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
+            EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
+#endif
+        return (&rijndal_cbc);
+}
+#endif /* OPENSSL_VERSION_NUMBER */
diff --git a/cipher-bf1.c b/cipher-bf1.c
new file mode 100644
index 000000000..64578bae8
--- /dev/null
+++ b/cipher-bf1.c
@@ -0,0 +1,97 @@
+/*
+ * Copyright (c) 2003 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "includes.h"
+RCSID("$OpenBSD: cipher-bf1.c,v 1.1 2003/05/15 03:08:29 markus Exp $");
+#include <openssl/evp.h>
+#include "xmalloc.h"
+#include "log.h"
+/*
+ * SSH1 uses a variation on Blowfish, all bytes must be swapped before
+ * and after encryption/decryption. Thus the swap_bytes stuff (yuk).
+ */
+const EVP_CIPHER * evp_ssh1_bf(void);
+static void
+swap_bytes(const u_char *src, u_char *dst, int n)
+{
+        u_char c[4];
+        /* Process 4 bytes every lap. */
+        for (n = n / 4; n > 0; n--) {
+                c[3] = *src++;
+                c[2] = *src++;
+                c[1] = *src++;
+                c[0] = *src++;
+                *dst++ = c[0];
+                *dst++ = c[1];
+                *dst++ = c[2];
+                *dst++ = c[3];
+        }
+}
+#ifdef SSH_OLD_EVP
+static void bf_ssh1_init (EVP_CIPHER_CTX * ctx, const unsigned char *key,
+                          const unsigned char *iv, int enc)
+{
+        if (iv != NULL)
+                memcpy (&(ctx->oiv[0]), iv, 8);
+        memcpy (&(ctx->iv[0]), &(ctx->oiv[0]), 8);
+        if (key != NULL)
+                BF_set_key (&(ctx->c.bf_ks), EVP_CIPHER_CTX_key_length (ctx),
+                            key);
+}
+#endif
+static int (*orig_bf)(EVP_CIPHER_CTX *, u_char *, const u_char *, u_int) = NULL;
+static int
+bf_ssh1_cipher(EVP_CIPHER_CTX *ctx, u_char *out, const u_char *in, u_int len)
+{
+        int ret;
+        swap_bytes(in, out, len);
+        ret = (*orig_bf)(ctx, out, out, len);
+        swap_bytes(out, out, len);
+        return (ret);
+}
+const EVP_CIPHER *
+evp_ssh1_bf(void)
+{
+        static EVP_CIPHER ssh1_bf;
+        memcpy(&ssh1_bf, EVP_bf_cbc(), sizeof(EVP_CIPHER));
+        orig_bf = ssh1_bf.do_cipher;
+        ssh1_bf.nid = NID_undef;
+#ifdef SSH_OLD_EVP
+        ssh1_bf.init = bf_ssh1_init;
+#endif
+        ssh1_bf.do_cipher = bf_ssh1_cipher;
+        ssh1_bf.key_len = 32;
+        return (&ssh1_bf);
+}
diff --git a/cipher-ctr.c b/cipher-ctr.c
new file mode 100644
index 000000000..a2bab5c14
--- /dev/null
+++ b/cipher-ctr.c
@@ -0,0 +1,141 @@
+/*
+ * Copyright (c) 2003 Markus Friedl <markus@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include "includes.h"
+RCSID("$OpenBSD: cipher-ctr.c,v 1.2 2003/06/17 18:14:23 markus Exp $");
+#include <openssl/evp.h>
+#include "log.h"
+#include "xmalloc.h"
+#if OPENSSL_VERSION_NUMBER < 0x00907000L
+#include "rijndael.h"
+#define AES_KEY rijndael_ctx
+#define AES_BLOCK_SIZE 16
+#define AES_encrypt(a, b, c) rijndael_encrypt(c, a, b)
+#define AES_set_encrypt_key(a, b, c) rijndael_set_key(c, (char *)a, b, 1)
+#else
+#include <openssl/aes.h>
+#endif
+const EVP_CIPHER *evp_aes_128_ctr(void);
+void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
+struct ssh_aes_ctr_ctx
+{
+        AES_KEY         aes_ctx;
+        u_char          aes_counter[AES_BLOCK_SIZE];
+};
+/*
+ * increment counter 'ctr',
+ * the counter is of size 'len' bytes and stored in network-byte-order.
+ * (LSB at ctr[len-1], MSB at ctr[0])
+ */
+static void
+ssh_ctr_inc(u_char *ctr, u_int len)
+{
+        int i;
+        for (i = len - 1; i >= 0; i--)
+                if (++ctr[i])   /* continue on overflow */
+                        return;
+}
+static int
+ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
+    u_int len)
+{
+        struct ssh_aes_ctr_ctx *c;
+        u_int n = 0;
+        u_char buf[AES_BLOCK_SIZE];
+        if (len == 0)
+                return (1);
+        if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL)
+                return (0);
+        while ((len--) > 0) {
+                if (n == 0) {
+                        AES_encrypt(c->aes_counter, buf, &c->aes_ctx);
+                        ssh_ctr_inc(c->aes_counter, AES_BLOCK_SIZE);
+                }
+                *(dest++) = *(src++) ^ buf[n];
+                n = (n + 1) % AES_BLOCK_SIZE;
+        }
+        return (1);
+}
+static int
+ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
+    int enc)
+{
+        struct ssh_aes_ctr_ctx *c;
+        if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
+                c = xmalloc(sizeof(*c));
+                EVP_CIPHER_CTX_set_app_data(ctx, c);
+        }
+        if (key != NULL)
+                AES_set_encrypt_key(key, ctx->key_len * 8, &c->aes_ctx);
+        if (iv != NULL)
+                memcpy(c->aes_counter, iv, AES_BLOCK_SIZE);
+        return (1);
+}
+static int
+ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx)
+{
+        struct ssh_aes_ctr_ctx *c;
+        if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
+                memset(c, 0, sizeof(*c));
+                xfree(c);
+                EVP_CIPHER_CTX_set_app_data(ctx, NULL);
+        }
+        return (1);
+}
+void
+ssh_aes_ctr_iv(EVP_CIPHER_CTX *evp, int doset, u_char * iv, u_int len)
+{
+        struct ssh_aes_ctr_ctx *c;
+        if ((c = EVP_CIPHER_CTX_get_app_data(evp)) == NULL)
+                fatal("ssh_aes_ctr_iv: no context");
+        if (doset)
+                memcpy(c->aes_counter, iv, len);
+        else
+                memcpy(iv, c->aes_counter, len);
+}
+const EVP_CIPHER *
+evp_aes_128_ctr(void)
+{
+        static EVP_CIPHER aes_ctr;
+        memset(&aes_ctr, 0, sizeof(EVP_CIPHER));
+        aes_ctr.nid = NID_undef;
+        aes_ctr.block_size = AES_BLOCK_SIZE;
+        aes_ctr.iv_len = AES_BLOCK_SIZE;
+        aes_ctr.key_len = 16;
+        aes_ctr.init = ssh_aes_ctr_init;
+        aes_ctr.cleanup = ssh_aes_ctr_cleanup;
+        aes_ctr.do_cipher = ssh_aes_ctr;
+        aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
+            EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
+        return (&aes_ctr);
+}
diff --git a/cipher.c b/cipher.c
index b5d38747e..e7c3c5411 100644
--- a/cipher.c
+++ b/cipher.c
@@ -35,7 +35,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: cipher.c,v 1.62 2002/11/21 22:45:31 markus Exp $");
+RCSID("$OpenBSD: cipher.c,v 1.65 2003/05/17 04:27:52 markus Exp $");
 #include "xmalloc.h"
 #include "log.h"
@@ -49,11 +49,14 @@ RCSID("$OpenBSD: cipher.c,v 1.62 2002/11/21 22:45:31 markus Exp $");
 #endif
 #if OPENSSL_VERSION_NUMBER < 0x00907000L
-#include "rijndael.h"
+extern const EVP_CIPHER *evp_rijndael(void);
-static const EVP_CIPHER *evp_rijndael(void);
+extern void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
 #endif
-static const EVP_CIPHER *evp_ssh1_3des(void);
+extern const EVP_CIPHER *evp_ssh1_bf(void);
-static const EVP_CIPHER *evp_ssh1_bf(void);
+extern const EVP_CIPHER *evp_ssh1_3des(void);
+extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
+extern const EVP_CIPHER *evp_aes_128_ctr(void);
+extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
 struct Cipher {
        char    *name;
@@ -84,6 +87,9 @@ struct Cipher {
        { "rijndael-cbc@lysator.liu.se",
                                SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc },
 #endif
+        { "aes128-ctr",         SSH_CIPHER_SSH2, 16, 16, evp_aes_128_ctr },
+        { "aes192-ctr",         SSH_CIPHER_SSH2, 16, 24, evp_aes_128_ctr },
+        { "aes256-ctr",         SSH_CIPHER_SSH2, 16, 32, evp_aes_128_ctr },
        { NULL,                 SSH_CIPHER_ILLEGAL, 0, 0, NULL }
 };
@@ -296,298 +302,6 @@ cipher_set_key_string(CipherContext *cc, Cipher *cipher,
        memset(&md, 0, sizeof(md));
 }
-/* Implementations for other non-EVP ciphers */
-/*
- * This is used by SSH1:
- *
- * What kind of triple DES are these 2 routines?
- *
- * Why is there a redundant initialization vector?
- *
- * If only iv3 was used, then, this would till effect have been
- * outer-cbc. However, there is also a private iv1 == iv2 which
- * perhaps makes differential analysis easier. On the other hand, the
- * private iv1 probably makes the CRC-32 attack ineffective. This is a
- * result of that there is no longer any known iv1 to use when
- * choosing the X block.
- */
-struct ssh1_3des_ctx
-{
-        EVP_CIPHER_CTX  k1, k2, k3;
-};
-static int
-ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
-    int enc)
-{
-        struct ssh1_3des_ctx *c;
-        u_char *k1, *k2, *k3;
-        if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
-                c = xmalloc(sizeof(*c));
-                EVP_CIPHER_CTX_set_app_data(ctx, c);
-        }
-        if (key == NULL)
-                return (1);
-        if (enc == -1)
-                enc = ctx->encrypt;
-        k1 = k2 = k3 = (u_char *) key;
-        k2 += 8;
-        if (EVP_CIPHER_CTX_key_length(ctx) >= 16+8) {
-                if (enc)
-                        k3 += 16;
-                else
-                        k1 += 16;
-        }
-        EVP_CIPHER_CTX_init(&c->k1);
-        EVP_CIPHER_CTX_init(&c->k2);
-        EVP_CIPHER_CTX_init(&c->k3);
-#ifdef SSH_OLD_EVP
-        EVP_CipherInit(&c->k1, EVP_des_cbc(), k1, NULL, enc);
-        EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc);
-        EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc);
-#else
-        if (EVP_CipherInit(&c->k1, EVP_des_cbc(), k1, NULL, enc) == 0 ||
-            EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc) == 0 ||
-            EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc) == 0) {
-                memset(c, 0, sizeof(*c));
-                xfree(c);
-                EVP_CIPHER_CTX_set_app_data(ctx, NULL);
-                return (0);
-        }
-#endif
-        return (1);
-}
-static int
-ssh1_3des_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, u_int len)
-{
-        struct ssh1_3des_ctx *c;
-        if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
-                error("ssh1_3des_cbc: no context");
-                return (0);
-        }
-#ifdef SSH_OLD_EVP
-        EVP_Cipher(&c->k1, dest, (u_char *)src, len);
-        EVP_Cipher(&c->k2, dest, dest, len);
-        EVP_Cipher(&c->k3, dest, dest, len);
-#else
-        if (EVP_Cipher(&c->k1, dest, (u_char *)src, len) == 0 ||
-            EVP_Cipher(&c->k2, dest, dest, len) == 0 ||
-            EVP_Cipher(&c->k3, dest, dest, len) == 0)
-                return (0);
-#endif
-        return (1);
-}
-static int
-ssh1_3des_cleanup(EVP_CIPHER_CTX *ctx)
-{
-        struct ssh1_3des_ctx *c;
-        if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
-                memset(c, 0, sizeof(*c));
-                xfree(c);
-                EVP_CIPHER_CTX_set_app_data(ctx, NULL);
-        }
-        return (1);
-}
-static const EVP_CIPHER *
-evp_ssh1_3des(void)
-{
-        static EVP_CIPHER ssh1_3des;
-        memset(&ssh1_3des, 0, sizeof(EVP_CIPHER));
-        ssh1_3des.nid = NID_undef;
-        ssh1_3des.block_size = 8;
-        ssh1_3des.iv_len = 0;
-        ssh1_3des.key_len = 16;
-        ssh1_3des.init = ssh1_3des_init;
-        ssh1_3des.cleanup = ssh1_3des_cleanup;
-        ssh1_3des.do_cipher = ssh1_3des_cbc;
-#ifndef SSH_OLD_EVP
-        ssh1_3des.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH;
-#endif
-        return (&ssh1_3des);
-}
-/*
- * SSH1 uses a variation on Blowfish, all bytes must be swapped before
- * and after encryption/decryption. Thus the swap_bytes stuff (yuk).
- */
-static void
-swap_bytes(const u_char *src, u_char *dst, int n)
-{
-        u_char c[4];
-        /* Process 4 bytes every lap. */
-        for (n = n / 4; n > 0; n--) {
-                c[3] = *src++;
-                c[2] = *src++;
-                c[1] = *src++;
-                c[0] = *src++;
-                *dst++ = c[0];
-                *dst++ = c[1];
-                *dst++ = c[2];
-                *dst++ = c[3];
-        }
-}
-#ifdef SSH_OLD_EVP
-static void bf_ssh1_init (EVP_CIPHER_CTX * ctx, const unsigned char *key,
-                          const unsigned char *iv, int enc)
-{
-        if (iv != NULL)
-                memcpy (&(ctx->oiv[0]), iv, 8);
-        memcpy (&(ctx->iv[0]), &(ctx->oiv[0]), 8);
-        if (key != NULL)
-                BF_set_key (&(ctx->c.bf_ks), EVP_CIPHER_CTX_key_length (ctx),
-                            key);
-}
-#endif
-static int (*orig_bf)(EVP_CIPHER_CTX *, u_char *, const u_char *, u_int) = NULL;
-static int
-bf_ssh1_cipher(EVP_CIPHER_CTX *ctx, u_char *out, const u_char *in, u_int len)
-{
-        int ret;
-        swap_bytes(in, out, len);
-        ret = (*orig_bf)(ctx, out, out, len);
-        swap_bytes(out, out, len);
-        return (ret);
-}
-static const EVP_CIPHER *
-evp_ssh1_bf(void)
-{
-        static EVP_CIPHER ssh1_bf;
-        memcpy(&ssh1_bf, EVP_bf_cbc(), sizeof(EVP_CIPHER));
-        orig_bf = ssh1_bf.do_cipher;
-        ssh1_bf.nid = NID_undef;
-#ifdef SSH_OLD_EVP
-        ssh1_bf.init = bf_ssh1_init;
-#endif
-        ssh1_bf.do_cipher = bf_ssh1_cipher;
-        ssh1_bf.key_len = 32;
-        return (&ssh1_bf);
-}
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
-/* RIJNDAEL */
-#define RIJNDAEL_BLOCKSIZE 16
-struct ssh_rijndael_ctx
-{
-        rijndael_ctx    r_ctx;
-        u_char          r_iv[RIJNDAEL_BLOCKSIZE];
-};
-static int
-ssh_rijndael_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
-    int enc)
-{
-        struct ssh_rijndael_ctx *c;
-        if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
-                c = xmalloc(sizeof(*c));
-                EVP_CIPHER_CTX_set_app_data(ctx, c);
-        }
-        if (key != NULL) {
-                if (enc == -1)
-                        enc = ctx->encrypt;
-                rijndael_set_key(&c->r_ctx, (u_char *)key,
-                    8*EVP_CIPHER_CTX_key_length(ctx), enc);
-        }
-        if (iv != NULL)
-                memcpy(c->r_iv, iv, RIJNDAEL_BLOCKSIZE);
-        return (1);
-}
-static int
-ssh_rijndael_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
-    u_int len)
-{
-        struct ssh_rijndael_ctx *c;
-        u_char buf[RIJNDAEL_BLOCKSIZE];
-        u_char *cprev, *cnow, *plain, *ivp;
-        int i, j, blocks = len / RIJNDAEL_BLOCKSIZE;
-        if (len == 0)
-                return (1);
-        if (len % RIJNDAEL_BLOCKSIZE)
-                fatal("ssh_rijndael_cbc: bad len %d", len);
-        if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
-                error("ssh_rijndael_cbc: no context");
-                return (0);
-        }
-        if (ctx->encrypt) {
-                cnow  = dest;
-                plain = (u_char *)src;
-                cprev = c->r_iv;
-                for (i = 0; i < blocks; i++, plain+=RIJNDAEL_BLOCKSIZE,
-                    cnow+=RIJNDAEL_BLOCKSIZE) {
-                        for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++)
-                                buf[j] = plain[j] ^ cprev[j];
-                        rijndael_encrypt(&c->r_ctx, buf, cnow);
-                        cprev = cnow;
-                }
-                memcpy(c->r_iv, cprev, RIJNDAEL_BLOCKSIZE);
-        } else {
-                cnow  = (u_char *) (src+len-RIJNDAEL_BLOCKSIZE);
-                plain = dest+len-RIJNDAEL_BLOCKSIZE;
-                memcpy(buf, cnow, RIJNDAEL_BLOCKSIZE);
-                for (i = blocks; i > 0; i--, cnow-=RIJNDAEL_BLOCKSIZE,
-                    plain-=RIJNDAEL_BLOCKSIZE) {
-                        rijndael_decrypt(&c->r_ctx, cnow, plain);
-                        ivp = (i == 1) ? c->r_iv : cnow-RIJNDAEL_BLOCKSIZE;
-                        for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++)
-                                plain[j] ^= ivp[j];
-                }
-                memcpy(c->r_iv, buf, RIJNDAEL_BLOCKSIZE);
-        }
-        return (1);
-}
-static int
-ssh_rijndael_cleanup(EVP_CIPHER_CTX *ctx)
-{
-        struct ssh_rijndael_ctx *c;
-        if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
-                memset(c, 0, sizeof(*c));
-                xfree(c);
-                EVP_CIPHER_CTX_set_app_data(ctx, NULL);
-        }
-        return (1);
-}
-static const EVP_CIPHER *
-evp_rijndael(void)
-{
-        static EVP_CIPHER rijndal_cbc;
-        memset(&rijndal_cbc, 0, sizeof(EVP_CIPHER));
-        rijndal_cbc.nid = NID_undef;
-        rijndal_cbc.block_size = RIJNDAEL_BLOCKSIZE;
-        rijndal_cbc.iv_len = RIJNDAEL_BLOCKSIZE;
-        rijndal_cbc.key_len = 16;
-        rijndal_cbc.init = ssh_rijndael_init;
-        rijndal_cbc.cleanup = ssh_rijndael_cleanup;
-        rijndal_cbc.do_cipher = ssh_rijndael_cbc;
-#ifndef SSH_OLD_EVP
-        rijndal_cbc.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
-            EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
-#endif
-        return (&rijndal_cbc);
-}
-#endif
 /*
 * Exports an IV from the CipherContext required to export the key
 * state back from the unprivileged child to the privileged parent
@@ -611,7 +325,6 @@ void
 cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len)
 {
        Cipher *c = cc->cipher;
-        u_char *civ = NULL;
        int evplen;
        switch (c->number) {
@@ -624,45 +337,28 @@ cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len)
                if (evplen != len)
                        fatal("%s: wrong iv length %d != %d", __func__,
                            evplen, len);
 #if OPENSSL_VERSION_NUMBER < 0x00907000L
-                if (c->evptype == evp_rijndael) {
+                if (c->evptype == evp_rijndael)
-                        struct ssh_rijndael_ctx *aesc;
+                        ssh_rijndael_iv(&cc->evp, 0, iv, len);
+                else
-                        aesc = EVP_CIPHER_CTX_get_app_data(&cc->evp);
-                        if (aesc == NULL)
-                                fatal("%s: no rijndael context", __func__);
-                        civ = aesc->r_iv;
-                } else
 #endif
-                {
+                if (c->evptype == evp_aes_128_ctr)
-                        civ = cc->evp.iv;
+                        ssh_aes_ctr_iv(&cc->evp, 0, iv, len);
-                }
+                else
+                        memcpy(iv, cc->evp.iv, len);
+                break;
+        case SSH_CIPHER_3DES:
+                ssh1_3des_iv(&cc->evp, 0, iv, 24);
                break;
-        case SSH_CIPHER_3DES: {
-                struct ssh1_3des_ctx *desc;
-                if (len != 24)
-                        fatal("%s: bad 3des iv length: %d", __func__, len);
-                desc = EVP_CIPHER_CTX_get_app_data(&cc->evp);
-                if (desc == NULL)
-                        fatal("%s: no 3des context", __func__);
-                debug3("%s: Copying 3DES IV", __func__);
-                memcpy(iv, desc->k1.iv, 8);
-                memcpy(iv + 8, desc->k2.iv, 8);
-                memcpy(iv + 16, desc->k3.iv, 8);
-                return;
-        }
        default:
                fatal("%s: bad cipher %d", __func__, c->number);
        }
-        memcpy(iv, civ, len);
 }
 void
 cipher_set_keyiv(CipherContext *cc, u_char *iv)
 {
        Cipher *c = cc->cipher;
-        u_char *div = NULL;
        int evplen = 0;
        switch (c->number) {
@@ -672,36 +368,22 @@ cipher_set_keyiv(CipherContext *cc, u_char *iv)
                evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
                if (evplen == 0)
                        return;
 #if OPENSSL_VERSION_NUMBER < 0x00907000L
-                if (c->evptype == evp_rijndael) {
+                if (c->evptype == evp_rijndael)
-                        struct ssh_rijndael_ctx *aesc;
+                        ssh_rijndael_iv(&cc->evp, 1, iv, evplen);
+                else
-                        aesc = EVP_CIPHER_CTX_get_app_data(&cc->evp);
-                        if (aesc == NULL)
-                                fatal("%s: no rijndael context", __func__);
-                        div = aesc->r_iv;
-                } else
 #endif
-                {
+                if (c->evptype == evp_aes_128_ctr)
-                        div = cc->evp.iv;
+                        ssh_aes_ctr_iv(&cc->evp, 1, iv, evplen);
-                }
+                else
+                        memcpy(cc->evp.iv, iv, evplen);
+                break;
+        case SSH_CIPHER_3DES:
+                ssh1_3des_iv(&cc->evp, 1, iv, 24);
                break;
-        case SSH_CIPHER_3DES: {
-                struct ssh1_3des_ctx *desc;
-                desc = EVP_CIPHER_CTX_get_app_data(&cc->evp);
-                if (desc == NULL)
-                        fatal("%s: no 3des context", __func__);
-                debug3("%s: Installed 3DES IV", __func__);
-                memcpy(desc->k1.iv, iv, 8);
-                memcpy(desc->k2.iv, iv + 8, 8);
-                memcpy(desc->k3.iv, iv + 16, 8);
-                return;
-        }
        default:
                fatal("%s: bad cipher %d", __func__, c->number);
        }
-        memcpy(div, iv, evplen);
 }
 #if OPENSSL_VERSION_NUMBER < 0x00907000L
diff --git a/clientloop.c b/clientloop.c
index af207c070..d8def78bd 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -59,7 +59,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: clientloop.c,v 1.107 2003/04/01 10:22:21 markus Exp $");
+RCSID("$OpenBSD: clientloop.c,v 1.112 2003/06/28 16:23:06 deraadt Exp $");
 #include "ssh.h"
 #include "ssh1.h"
@@ -395,9 +395,9 @@ client_suspend_self(Buffer *bin, Buffer *bout, Buffer *berr)
        /* Flush stdout and stderr buffers. */
        if (buffer_len(bout) > 0)
-                atomicio(write, fileno(stdout), buffer_ptr(bout), buffer_len(bout));
+                atomicio(vwrite, fileno(stdout), buffer_ptr(bout), buffer_len(bout));
        if (buffer_len(berr) > 0)
-                atomicio(write, fileno(stderr), buffer_ptr(berr), buffer_len(berr));
+                atomicio(vwrite, fileno(stderr), buffer_ptr(berr), buffer_len(berr));
        leave_raw_mode();
@@ -490,13 +490,13 @@ process_cmdline(void)
        if (*s == 0)
                goto out;
        if (strlen(s) < 2 || s[0] != '-' || !(s[1] == 'L' || s[1] == 'R')) {
-                log("Invalid command.");
+                logit("Invalid command.");
                goto out;
        }
        if (s[1] == 'L')
                local = 1;
        if (!local && !compat20) {
-                log("Not supported for SSH protocol version 1.");
+                logit("Not supported for SSH protocol version 1.");
                goto out;
        }
        s += 2;
@@ -507,24 +507,24 @@ process_cmdline(void)
            sfwd_port, buf, sfwd_host_port) != 3 &&
            sscanf(s, "%5[0-9]/%255[^/]/%5[0-9]",
            sfwd_port, buf, sfwd_host_port) != 3) {
-                log("Bad forwarding specification.");
+                logit("Bad forwarding specification.");
                goto out;
        }
        if ((fwd_port = a2port(sfwd_port)) == 0 ||
            (fwd_host_port = a2port(sfwd_host_port)) == 0) {
-                log("Bad forwarding port(s).");
+                logit("Bad forwarding port(s).");
                goto out;
        }
        if (local) {
                if (channel_setup_local_fwd_listener(fwd_port, buf,
                    fwd_host_port, options.gateway_ports) < 0) {
-                        log("Port forwarding failed.");
+                        logit("Port forwarding failed.");
                        goto out;
                }
        } else
                channel_request_remote_forwarding(fwd_port, buf,
                    fwd_host_port);
-        log("Forwarding port.");
+        logit("Forwarding port.");
 out:
        signal(SIGINT, handler);
        enter_raw_mode();
@@ -574,10 +574,23 @@ process_escapes(Buffer *bin, Buffer *bout, Buffer *berr, char *buf, int len)
                                /* We have been continued. */
                                continue;
+                        case 'B':
+                                if (compat20) {
+                                        snprintf(string, sizeof string,
+                                            "%cB\r\n", escape_char);
+                                        buffer_append(berr, string,
+                                            strlen(string));
+                                        channel_request_start(session_ident,
+                                            "break", 0);
+                                        packet_put_int(1000);
+                                        packet_send();
+                                }
+                                continue;
                        case 'R':
                                if (compat20) {
                                        if (datafellows & SSH_BUG_NOREKEY)
-                                                log("Server does not support re-keying");
+                                                logit("Server does not support re-keying");
                                        else
                                                need_rekeying = 1;
                                }
@@ -636,6 +649,7 @@ process_escapes(Buffer *bin, Buffer *bout, Buffer *berr, char *buf, int len)
 "%c?\r\n\
 Supported escape sequences:\r\n\
 %c.  - terminate connection\r\n\
+%cB  - send a BREAK to the remote system\r\n\
 %cC  - open a command line\r\n\
 %cR  - Request rekey (SSH protocol 2 only)\r\n\
 %c^Z - suspend ssh\r\n\
@@ -646,7 +660,7 @@ Supported escape sequences:\r\n\
 (Note that escapes are only recognized immediately after newline.)\r\n",
                                    escape_char, escape_char, escape_char, escape_char,
                                    escape_char, escape_char, escape_char, escape_char,
-                                    escape_char, escape_char);
+                                    escape_char, escape_char, escape_char);
                                buffer_append(berr, string, strlen(string));
                                continue;
@@ -968,9 +982,8 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
                /* Do channel operations unless rekeying in progress. */
                if (!rekeying) {
                        channel_after_select(readset, writeset);
+                        if (need_rekeying || packet_need_rekeying()) {
-                        if (need_rekeying) {
+                                debug("need rekeying");
-                                debug("user requests rekeying");
                                xxx_kex->done = 0;
                                kex_send_kexinit(xxx_kex);
                                need_rekeying = 0;
@@ -1146,7 +1159,7 @@ client_request_forwarded_tcpip(const char *request_type, int rchan)
        c = channel_new("forwarded-tcpip",
            SSH_CHANNEL_CONNECTING, sock, sock, -1,
            CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
-            xstrdup(originator_address), 1);
+            originator_address, 1);
        xfree(originator_address);
        xfree(listen_address);
        return c;
@@ -1182,8 +1195,7 @@ client_request_x11(const char *request_type, int rchan)
                return NULL;
        c = channel_new("x11",
            SSH_CHANNEL_X11_OPEN, sock, sock, -1,
-            CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0,
+            CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
-            xstrdup("x11"), 1);
        c->force_drain = 1;
        return c;
 }
@@ -1205,7 +1217,7 @@ client_request_agent(const char *request_type, int rchan)
        c = channel_new("authentication agent connection",
            SSH_CHANNEL_OPEN, sock, sock, -1,
            CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
-            xstrdup("authentication agent connection"), 1);
+            "authentication agent connection", 1);
        c->force_drain = 1;
        return c;
 }
diff --git a/compat.c b/compat.c
index 5e1774ab6..af1d14321 100644
--- a/compat.c
+++ b/compat.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: compat.c,v 1.66 2003/04/01 10:31:26 markus Exp $");
+RCSID("$OpenBSD: compat.c,v 1.69 2003/08/29 10:03:15 markus Exp $");
 #include "buffer.h"
 #include "packet.h"
@@ -79,7 +79,11 @@ compat_datafellows(const char *version)
                { "OpenSSH_2.5.3*",     SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
                { "OpenSSH_2.*,"
                  "OpenSSH_3.0*,"
-                  "OpenSSH_3.1*",       SSH_BUG_EXTEOF},
+                  "OpenSSH_3.1*",       SSH_BUG_EXTEOF|SSH_BUG_GSSAPI_BER},
+                { "OpenSSH_3.2*,"
+                  "OpenSSH_3.3*,"
+                  "OpenSSH_3.4*,"
+                  "OpenSSH_3.5*",       SSH_BUG_GSSAPI_BER},
                { "Sun_SSH_1.0*",       SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
                { "OpenSSH*",           0 },
                { "*MindTerm*",         0 },
@@ -131,12 +135,9 @@ compat_datafellows(const char *version)
                  "1.2.19*,"
                  "1.2.20*,"
                  "1.2.21*,"
-                  "1.2.22*",            SSH_BUG_IGNOREMSG|SSH_BUG_K5USER },
+                  "1.2.22*",            SSH_BUG_IGNOREMSG },
                { "1.3.2*",             /* F-Secure */
-                                        SSH_BUG_IGNOREMSG|SSH_BUG_K5USER },
+                                        SSH_BUG_IGNOREMSG },
-                { "1.2.1*,"
-                  "1.2.2*,"
-                  "1.2.3*",             SSH_BUG_K5USER },
                { "*SSH Compatible Server*",                    /* Netscreen */
                                        SSH_BUG_PASSWORDPAD },
                { "*OSU_0*,"
@@ -188,7 +189,7 @@ proto_spec(const char *spec)
                        ret |= SSH_PROTO_2;
                        break;
                default:
-                        log("ignoring bad proto spec: '%s'.", p);
+                        logit("ignoring bad proto spec: '%s'.", p);
                        break;
                }
        }
diff --git a/compat.h b/compat.h
index 881e450d3..7a5004455 100644
--- a/compat.h
+++ b/compat.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: compat.h,v 1.34 2003/04/01 10:31:26 markus Exp $      */
+/*      $OpenBSD: compat.h,v 1.36 2003/08/29 10:03:15 markus Exp $      */
 /*
 * Copyright (c) 1999, 2000, 2001 Markus Friedl.  All rights reserved.
@@ -53,9 +53,9 @@
 #define SSH_BUG_DERIVEKEY       0x00040000
 #define SSH_BUG_DUMMYCHAN       0x00100000
 #define SSH_BUG_EXTEOF          0x00200000
-#define SSH_BUG_K5USER          0x00400000
+#define SSH_BUG_PROBE           0x00400000
-#define SSH_BUG_PROBE           0x00800000
+#define SSH_BUG_FIRSTKEX        0x00800000
-#define SSH_BUG_FIRSTKEX        0x01000000
+#define SSH_BUG_GSSAPI_BER      0x01000000
 void     enable_compat13(void);
 void     enable_compat20(void);
diff --git a/config.h.in b/config.h.in
index 55149792c..41495c4fb 100644
--- a/config.h.in
+++ b/config.h.in
@@ -1,5 +1,29 @@
-/* config.h.in.  Generated from configure.ac by autoheader.  */
+/* config.h.in.  Generated automatically from configure.ac by autoheader.  */
-/* $Id: acconfig.h,v 1.149 2003/03/10 00:38:10 djm Exp $ */
+/* $Id: acconfig.h,v 1.166 2003/09/16 01:52:19 dtucker Exp $ */
+/*
+ * Copyright (c) 1999-2003 Damien Miller.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
 #ifndef _CONFIG_H
 #define _CONFIG_H
@@ -8,9 +32,20 @@
 /* Please make your changes there */
+/* Define if your platform breaks doing a seteuid before a setuid */
+#undef SETEUID_BREAKS_SETUID
+/* Define if your setreuid() is broken */
+#undef BROKEN_SETREUID
+/* Define if your setregid() is broken */
+#undef BROKEN_SETREGID
 /* Define to a Set Process Title type if your system is */
 /* supported by bsd-setproctitle.c */
 #undef SPT_TYPE
+#undef SPT_PADCHAR
 /* setgroups() NOOP allowed */
 #undef SETGROUPS_NOOP
@@ -82,6 +117,9 @@
 /* Define if you want to enable AIX4's authenticate function */
 #undef WITH_AIXAUTHENTICATE
+/* Define if your AIX loginfailed() function takes 4 arguments (AIX >= 5.2) */
+#undef AIX_LOGINFAILED_4ARG
 /* Define if you have/want arrays (cluster-wide session managment, not C arrays) */
 #undef WITH_IRIX_ARRAY
@@ -201,18 +239,15 @@
 /* Define if compiler implements __func__ */
 #undef HAVE___func__
+/* Define this is you want GSSAPI support in the version 2 protocol */
+#undef GSSAPI
 /* Define if you want Kerberos 5 support */
 #undef KRB5
 /* Define this if you are using the Heimdal version of Kerberos V5 */
 #undef HEIMDAL
-/* Define if you want Kerberos 4 support */
-#undef KRB4
-/* Define if you want AFS support */
-#undef AFS
 /* Define if you want S/Key support */
 #undef SKEY
@@ -295,9 +330,6 @@
 /* Specify location of ssh.pid */
 #undef _PATH_SSH_PIDDIR
-/* Use IPv4 for connection by default, IPv6 can still if explicity asked */
-#undef IPV4_DEFAULT
 /* getaddrinfo is broken (if present) */
 #undef BROKEN_GETADDRINFO
@@ -328,6 +360,9 @@
 /* Define in your struct dirent expects you to allocate extra space for d_name */
 #undef BROKEN_ONE_BYTE_DIRENT_D_NAME
+/* Define if your system has /etc/default/login */
+#undef HAVE_ETC_DEFAULT_LOGIN
 /* Define if your getopt(3) defines and uses optreset */
 #undef HAVE_GETOPT_OPTRESET
@@ -367,542 +402,558 @@
 /* Silly mkstemp() */
 #undef HAVE_STRICT_MKSTEMP
-/* Setproctitle emulation */
-#undef SETPROCTITLE_STRATEGY
-#undef SETPROCTITLE_PS_PADDING
 /* Some systems put this outside of libc */
 #undef HAVE_NANOSLEEP
-/* Pushing STREAMS modules incorrectly acquires a controlling TTY */
+/* Define if sshd somehow reacquires a controlling TTY after setsid() */
-#undef STREAMS_PUSH_ACQUIRES_CTTY
+#undef SSHD_ACQUIRES_CTTY
+/* Define if cmsg_type is not passed correctly */
+#undef BROKEN_CMSG_TYPE
+/* Strings used in /etc/passwd to denote locked account */
+#undef LOCKED_PASSWD_STRING
+#undef LOCKED_PASSWD_PREFIX
+#undef LOCKED_PASSWD_SUBSTR
+/* Define if DNS support is to be activated */
+#undef DNS
+/* Define if getrrsetbyname() exists */
+#undef HAVE_GETRRSETBYNAME
+/* Define if HEADER.ad exists in arpa/nameser.h */
+#undef HAVE_HEADER_AD
-/* Define to 1 if the `getpgrp' function requires zero arguments. */
+/* Define if the `getpgrp' function takes no argument. */
 #undef GETPGRP_VOID
-/* Define to 1 if you have the `arc4random' function. */
+/* Define if you have the `arc4random' function. */
 #undef HAVE_ARC4RANDOM
-/* Define to 1 if you have the `b64_ntop' function. */
+/* Define if you have the `b64_ntop' function. */
 #undef HAVE_B64_NTOP
-/* Define to 1 if you have the `b64_pton' function. */
+/* Define if you have the `b64_pton' function. */
 #undef HAVE_B64_PTON
-/* Define to 1 if you have the `basename' function. */
+/* Define if you have the `basename' function. */
 #undef HAVE_BASENAME
-/* Define to 1 if you have the `bcopy' function. */
+/* Define if you have the `bcopy' function. */
 #undef HAVE_BCOPY
-/* Define to 1 if you have the `bindresvport_sa' function. */
+/* Define if you have the `bindresvport_sa' function. */
 #undef HAVE_BINDRESVPORT_SA
-/* Define to 1 if you have the <bstring.h> header file. */
+/* Define if you have the <bstring.h> header file. */
 #undef HAVE_BSTRING_H
-/* Define to 1 if you have the `clock' function. */
+/* Define if you have the `clock' function. */
 #undef HAVE_CLOCK
-/* Define to 1 if you have the <crypt.h> header file. */
+/* Define if you have the <crypt.h> header file. */
 #undef HAVE_CRYPT_H
-/* Define to 1 if you have the `dirname' function. */
+/* Define if you have the `dirname' function. */
 #undef HAVE_DIRNAME
-/* Define to 1 if you have the <endian.h> header file. */
+/* Define if you have the <endian.h> header file. */
 #undef HAVE_ENDIAN_H
-/* Define to 1 if you have the `endutent' function. */
+/* Define if you have the `endutent' function. */
 #undef HAVE_ENDUTENT
-/* Define to 1 if you have the `endutxent' function. */
+/* Define if you have the `endutxent' function. */
 #undef HAVE_ENDUTXENT
-/* Define to 1 if you have the `fchmod' function. */
+/* Define if you have the `fchmod' function. */
 #undef HAVE_FCHMOD
-/* Define to 1 if you have the `fchown' function. */
+/* Define if you have the `fchown' function. */
 #undef HAVE_FCHOWN
-/* Define to 1 if you have the <floatingpoint.h> header file. */
+/* Define if you have the <features.h> header file. */
+#undef HAVE_FEATURES_H
+/* Define if you have the <floatingpoint.h> header file. */
 #undef HAVE_FLOATINGPOINT_H
-/* Define to 1 if you have the `freeaddrinfo' function. */
+/* Define if you have the `freeaddrinfo' function. */
 #undef HAVE_FREEADDRINFO
-/* Define to 1 if you have the `futimes' function. */
+/* Define if you have the `futimes' function. */
 #undef HAVE_FUTIMES
-/* Define to 1 if you have the `gai_strerror' function. */
+/* Define if you have the `gai_strerror' function. */
 #undef HAVE_GAI_STRERROR
-/* Define to 1 if you have the `getaddrinfo' function. */
+/* Define if you have the `getaddrinfo' function. */
 #undef HAVE_GETADDRINFO
-/* Define to 1 if you have the `getcwd' function. */
+/* Define if you have the `getcwd' function. */
 #undef HAVE_GETCWD
-/* Define to 1 if you have the `getgrouplist' function. */
+/* Define if you have the `getgrouplist' function. */
 #undef HAVE_GETGROUPLIST
-/* Define to 1 if you have the `getluid' function. */
+/* Define if you have the `getluid' function. */
 #undef HAVE_GETLUID
-/* Define to 1 if you have the `getnameinfo' function. */
+/* Define if you have the `getnameinfo' function. */
 #undef HAVE_GETNAMEINFO
-/* Define to 1 if you have the `getopt' function. */
+/* Define if you have the `getopt' function. */
 #undef HAVE_GETOPT
-/* Define to 1 if you have the <getopt.h> header file. */
+/* Define if you have the <getopt.h> header file. */
 #undef HAVE_GETOPT_H
-/* Define to 1 if you have the `getpeereid' function. */
+/* Define if you have the `getpeereid' function. */
 #undef HAVE_GETPEEREID
-/* Define to 1 if you have the `getpwanam' function. */
+/* Define if you have the `getpwanam' function. */
 #undef HAVE_GETPWANAM
-/* Define to 1 if you have the `getrlimit' function. */
+/* Define if you have the `getrlimit' function. */
 #undef HAVE_GETRLIMIT
-/* Define to 1 if you have the `getrusage' function. */
+/* Define if you have the `getrusage' function. */
 #undef HAVE_GETRUSAGE
-/* Define to 1 if you have the `gettimeofday' function. */
+/* Define if you have the `gettimeofday' function. */
 #undef HAVE_GETTIMEOFDAY
-/* Define to 1 if you have the `getttyent' function. */
+/* Define if you have the `getttyent' function. */
 #undef HAVE_GETTTYENT
-/* Define to 1 if you have the `getutent' function. */
+/* Define if you have the `getutent' function. */
 #undef HAVE_GETUTENT
-/* Define to 1 if you have the `getutid' function. */
+/* Define if you have the `getutid' function. */
 #undef HAVE_GETUTID
-/* Define to 1 if you have the `getutline' function. */
+/* Define if you have the `getutline' function. */
 #undef HAVE_GETUTLINE
-/* Define to 1 if you have the `getutxent' function. */
+/* Define if you have the `getutxent' function. */
 #undef HAVE_GETUTXENT
-/* Define to 1 if you have the `getutxid' function. */
+/* Define if you have the `getutxid' function. */
 #undef HAVE_GETUTXID
-/* Define to 1 if you have the `getutxline' function. */
+/* Define if you have the `getutxline' function. */
 #undef HAVE_GETUTXLINE
-/* Define to 1 if you have the `glob' function. */
+/* Define if you have the `glob' function. */
 #undef HAVE_GLOB
-/* Define to 1 if you have the <glob.h> header file. */
+/* Define if you have the <glob.h> header file. */
 #undef HAVE_GLOB_H
-/* Define to 1 if you have the <ia.h> header file. */
+/* Define if you have the <gssapi.h> header file. */
+#undef HAVE_GSSAPI_H
+/* Define if you have the <ia.h> header file. */
 #undef HAVE_IA_H
-/* Define to 1 if you have the `inet_aton' function. */
+/* Define if you have the `inet_aton' function. */
 #undef HAVE_INET_ATON
-/* Define to 1 if you have the `inet_ntoa' function. */
+/* Define if you have the `inet_ntoa' function. */
 #undef HAVE_INET_NTOA
-/* Define to 1 if you have the `inet_ntop' function. */
+/* Define if you have the `inet_ntop' function. */
 #undef HAVE_INET_NTOP
-/* Define to 1 if you have the `innetgr' function. */
+/* Define if you have the `innetgr' function. */
 #undef HAVE_INNETGR
-/* Define to 1 if you have the <inttypes.h> header file. */
+/* Define if you have the <inttypes.h> header file. */
 #undef HAVE_INTTYPES_H
-/* Define to 1 if you have the <krb.h> header file. */
+/* Define if you have the <lastlog.h> header file. */
-#undef HAVE_KRB_H
-/* Define to 1 if you have the <lastlog.h> header file. */
 #undef HAVE_LASTLOG_H
-/* Define to 1 if you have the `crypt' library (-lcrypt). */
+/* Define if you have the `crypt' library (-lcrypt). */
 #undef HAVE_LIBCRYPT
-/* Define to 1 if you have the `des' library (-ldes). */
+/* Define if you have the `dl' library (-ldl). */
-#undef HAVE_LIBDES
-/* Define to 1 if you have the `des425' library (-ldes425). */
-#undef HAVE_LIBDES425
-/* Define to 1 if you have the `dl' library (-ldl). */
 #undef HAVE_LIBDL
-/* Define to 1 if you have the <libgen.h> header file. */
+/* Define if you have the <libgen.h> header file. */
 #undef HAVE_LIBGEN_H
-/* Define to 1 if you have the `krb' library (-lkrb). */
+/* Define if you have the `nsl' library (-lnsl). */
-#undef HAVE_LIBKRB
-/* Define to 1 if you have the `krb4' library (-lkrb4). */
-#undef HAVE_LIBKRB4
-/* Define to 1 if you have the `nsl' library (-lnsl). */
 #undef HAVE_LIBNSL
-/* Define to 1 if you have the `pam' library (-lpam). */
+/* Define if you have the `pam' library (-lpam). */
 #undef HAVE_LIBPAM
-/* Define to 1 if you have the `resolv' library (-lresolv). */
+/* Define if you have the `sectok' library (-lsectok). */
-#undef HAVE_LIBRESOLV
-/* Define to 1 if you have the `sectok' library (-lsectok). */
 #undef HAVE_LIBSECTOK
-/* Define to 1 if you have the `socket' library (-lsocket). */
+/* Define if you have the `socket' library (-lsocket). */
 #undef HAVE_LIBSOCKET
-/* Define to 1 if you have the <libutil.h> header file. */
+/* Define if you have the <libutil.h> header file. */
 #undef HAVE_LIBUTIL_H
-/* Define to 1 if you have the `xnet' library (-lxnet). */
+/* Define if you have the `xnet' library (-lxnet). */
 #undef HAVE_LIBXNET
-/* Define to 1 if you have the `z' library (-lz). */
+/* Define if you have the `z' library (-lz). */
 #undef HAVE_LIBZ
-/* Define to 1 if you have the <limits.h> header file. */
+/* Define if you have the <limits.h> header file. */
 #undef HAVE_LIMITS_H
-/* Define to 1 if you have the <login_cap.h> header file. */
+/* Define if you have the <login_cap.h> header file. */
 #undef HAVE_LOGIN_CAP_H
-/* Define to 1 if you have the `login_getcapbool' function. */
+/* Define if you have the `login_getcapbool' function. */
 #undef HAVE_LOGIN_GETCAPBOOL
-/* Define to 1 if you have the <login.h> header file. */
+/* Define if you have the <login.h> header file. */
 #undef HAVE_LOGIN_H
-/* Define to 1 if you have the `logout' function. */
+/* Define if you have the `logout' function. */
 #undef HAVE_LOGOUT
-/* Define to 1 if you have the `logwtmp' function. */
+/* Define if you have the `logwtmp' function. */
 #undef HAVE_LOGWTMP
-/* Define to 1 if you have the <maillock.h> header file. */
+/* Define if you have the <maillock.h> header file. */
 #undef HAVE_MAILLOCK_H
-/* Define to 1 if you have the `md5_crypt' function. */
+/* Define if you have the `md5_crypt' function. */
 #undef HAVE_MD5_CRYPT
-/* Define to 1 if you have the `memmove' function. */
+/* Define if you have the `memmove' function. */
 #undef HAVE_MEMMOVE
-/* Define to 1 if you have the <memory.h> header file. */
+/* Define if you have the <memory.h> header file. */
 #undef HAVE_MEMORY_H
-/* Define to 1 if you have the `mkdtemp' function. */
+/* Define if you have the `mkdtemp' function. */
 #undef HAVE_MKDTEMP
-/* Define to 1 if you have the `mmap' function. */
+/* Define if you have the `mmap' function. */
 #undef HAVE_MMAP
-/* Define to 1 if you have the <netdb.h> header file. */
+/* Define if you have the <netdb.h> header file. */
 #undef HAVE_NETDB_H
-/* Define to 1 if you have the <netgroup.h> header file. */
+/* Define if you have the <netgroup.h> header file. */
 #undef HAVE_NETGROUP_H
-/* Define to 1 if you have the <netinet/in_systm.h> header file. */
+/* Define if you have the <netinet/in_systm.h> header file. */
 #undef HAVE_NETINET_IN_SYSTM_H
-/* Define to 1 if you have the `ngetaddrinfo' function. */
+/* Define if you have the `ngetaddrinfo' function. */
 #undef HAVE_NGETADDRINFO
-/* Define to 1 if you have the `nsleep' function. */
+/* Define if you have the `nsleep' function. */
 #undef HAVE_NSLEEP
-/* Define to 1 if you have the `ogetaddrinfo' function. */
+/* Define if you have the `ogetaddrinfo' function. */
 #undef HAVE_OGETADDRINFO
-/* Define to 1 if you have the `openpty' function. */
+/* Define if you have the `openlog_r' function. */
+#undef HAVE_OPENLOG_R
+/* Define if you have the `openpty' function. */
 #undef HAVE_OPENPTY
-/* Define to 1 if you have the `pam_getenvlist' function. */
+/* Define if you have the `pam_getenvlist' function. */
 #undef HAVE_PAM_GETENVLIST
-/* Define to 1 if you have the <paths.h> header file. */
+/* Define if you have the `pam_putenv' function. */
+#undef HAVE_PAM_PUTENV
+/* Define if you have the <paths.h> header file. */
 #undef HAVE_PATHS_H
-/* Define to 1 if you have the `pstat' function. */
+/* Define if you have the `pstat' function. */
 #undef HAVE_PSTAT
-/* Define to 1 if you have the <pty.h> header file. */
+/* Define if you have the <pty.h> header file. */
 #undef HAVE_PTY_H
-/* Define to 1 if you have the `pututline' function. */
+/* Define if you have the `pututline' function. */
 #undef HAVE_PUTUTLINE
-/* Define to 1 if you have the `pututxline' function. */
+/* Define if you have the `pututxline' function. */
 #undef HAVE_PUTUTXLINE
-/* Define to 1 if you have the `readpassphrase' function. */
+/* Define if you have the `readpassphrase' function. */
 #undef HAVE_READPASSPHRASE
-/* Define to 1 if you have the <readpassphrase.h> header file. */
+/* Define if you have the <readpassphrase.h> header file. */
 #undef HAVE_READPASSPHRASE_H
-/* Define to 1 if you have the `realpath' function. */
+/* Define if you have the `realpath' function. */
 #undef HAVE_REALPATH
-/* Define to 1 if you have the `recvmsg' function. */
+/* Define if you have the `recvmsg' function. */
 #undef HAVE_RECVMSG
-/* Define to 1 if you have the <rpc/types.h> header file. */
+/* Define if you have the <rpc/types.h> header file. */
 #undef HAVE_RPC_TYPES_H
-/* Define to 1 if you have the `rresvport_af' function. */
+/* Define if you have the `rresvport_af' function. */
 #undef HAVE_RRESVPORT_AF
-/* Define to 1 if you have the <sectok.h> header file. */
+/* Define if you have the <sectok.h> header file. */
 #undef HAVE_SECTOK_H
-/* Define to 1 if you have the <security/pam_appl.h> header file. */
+/* Define if you have the <security/pam_appl.h> header file. */
 #undef HAVE_SECURITY_PAM_APPL_H
-/* Define to 1 if you have the `sendmsg' function. */
+/* Define if you have the `sendmsg' function. */
 #undef HAVE_SENDMSG
-/* Define to 1 if you have the `setdtablesize' function. */
+/* Define if you have the `setauthdb' function. */
+#undef HAVE_SETAUTHDB
+/* Define if you have the `setdtablesize' function. */
 #undef HAVE_SETDTABLESIZE
-/* Define to 1 if you have the `setegid' function. */
+/* Define if you have the `setegid' function. */
 #undef HAVE_SETEGID
-/* Define to 1 if you have the `setenv' function. */
+/* Define if you have the `setenv' function. */
 #undef HAVE_SETENV
-/* Define to 1 if you have the `seteuid' function. */
+/* Define if you have the `seteuid' function. */
 #undef HAVE_SETEUID
-/* Define to 1 if you have the `setgroups' function. */
+/* Define if you have the `setgroups' function. */
 #undef HAVE_SETGROUPS
-/* Define to 1 if you have the `setlogin' function. */
+/* Define if you have the `setlogin' function. */
 #undef HAVE_SETLOGIN
-/* Define to 1 if you have the `setluid' function. */
+/* Define if you have the `setluid' function. */
 #undef HAVE_SETLUID
-/* Define to 1 if you have the `setpcred' function. */
+/* Define if you have the `setpcred' function. */
 #undef HAVE_SETPCRED
-/* Define to 1 if you have the `setproctitle' function. */
+/* Define if you have the `setproctitle' function. */
 #undef HAVE_SETPROCTITLE
-/* Define to 1 if you have the `setresgid' function. */
+/* Define if you have the `setregid' function. */
+#undef HAVE_SETREGID
+/* Define if you have the `setresgid' function. */
 #undef HAVE_SETRESGID
-/* Define to 1 if you have the `setreuid' function. */
+/* Define if you have the `setresuid' function. */
+#undef HAVE_SETRESUID
+/* Define if you have the `setreuid' function. */
 #undef HAVE_SETREUID
-/* Define to 1 if you have the `setrlimit' function. */
+/* Define if you have the `setrlimit' function. */
 #undef HAVE_SETRLIMIT
-/* Define to 1 if you have the `setsid' function. */
+/* Define if you have the `setsid' function. */
 #undef HAVE_SETSID
-/* Define to 1 if you have the `setutent' function. */
+/* Define if you have the `setutent' function. */
 #undef HAVE_SETUTENT
-/* Define to 1 if you have the `setutxent' function. */
+/* Define if you have the `setutxent' function. */
 #undef HAVE_SETUTXENT
-/* Define to 1 if you have the `setvbuf' function. */
+/* Define if you have the `setvbuf' function. */
 #undef HAVE_SETVBUF
-/* Define to 1 if you have the <shadow.h> header file. */
+/* Define if you have the <shadow.h> header file. */
 #undef HAVE_SHADOW_H
-/* Define to 1 if you have the `sigaction' function. */
+/* Define if you have the `sigaction' function. */
 #undef HAVE_SIGACTION
-/* Define to 1 if you have the `sigvec' function. */
+/* Define if you have the `sigvec' function. */
 #undef HAVE_SIGVEC
-/* Define to 1 if the system has the type `sig_atomic_t'. */
+/* Define if the system has the type `sig_atomic_t'. */
 #undef HAVE_SIG_ATOMIC_T
-/* Define to 1 if you have the `snprintf' function. */
+/* Define if you have the `snprintf' function. */
 #undef HAVE_SNPRINTF
-/* Define to 1 if you have the `socketpair' function. */
+/* Define if you have the `socketpair' function. */
 #undef HAVE_SOCKETPAIR
-/* Define to 1 if you have the <stddef.h> header file. */
+/* Define if you have the <stddef.h> header file. */
 #undef HAVE_STDDEF_H
-/* Define to 1 if you have the <stdint.h> header file. */
+/* Define if you have the <stdint.h> header file. */
 #undef HAVE_STDINT_H
-/* Define to 1 if you have the <stdlib.h> header file. */
+/* Define if you have the <stdlib.h> header file. */
 #undef HAVE_STDLIB_H
-/* Define to 1 if you have the `strerror' function. */
+/* Define if you have the `strerror' function. */
 #undef HAVE_STRERROR
-/* Define to 1 if you have the `strftime' function. */
+/* Define if you have the `strftime' function. */
 #undef HAVE_STRFTIME
-/* Define to 1 if you have the <strings.h> header file. */
+/* Define if you have the <strings.h> header file. */
 #undef HAVE_STRINGS_H
-/* Define to 1 if you have the <string.h> header file. */
+/* Define if you have the <string.h> header file. */
 #undef HAVE_STRING_H
-/* Define to 1 if you have the `strlcat' function. */
+/* Define if you have the `strlcat' function. */
 #undef HAVE_STRLCAT
-/* Define to 1 if you have the `strlcpy' function. */
+/* Define if you have the `strlcpy' function. */
 #undef HAVE_STRLCPY
-/* Define to 1 if you have the `strmode' function. */
+/* Define if you have the `strmode' function. */
 #undef HAVE_STRMODE
-/* Define to 1 if you have the `strnvis' function. */
+/* Define if you have the `strnvis' function. */
 #undef HAVE_STRNVIS
-/* Define to 1 if you have the `strsep' function. */
+/* Define if you have the `strsep' function. */
 #undef HAVE_STRSEP
-/* Define to 1 if `st_blksize' is member of `struct stat'. */
+/* Define if `st_blksize' is member of `struct stat'. */
 #undef HAVE_STRUCT_STAT_ST_BLKSIZE
-/* Define to 1 if the system has the type `struct timespec'. */
+/* Define if the system has the type `struct timespec'. */
 #undef HAVE_STRUCT_TIMESPEC
-/* Define to 1 if you have the `sysconf' function. */
+/* Define if you have the `sysconf' function. */
 #undef HAVE_SYSCONF
-/* Define to 1 if you have the <sys/bitypes.h> header file. */
+/* Define if you have the <sys/audit.h> header file. */
+#undef HAVE_SYS_AUDIT_H
+/* Define if you have the <sys/bitypes.h> header file. */
 #undef HAVE_SYS_BITYPES_H
-/* Define to 1 if you have the <sys/bsdtty.h> header file. */
+/* Define if you have the <sys/bsdtty.h> header file. */
 #undef HAVE_SYS_BSDTTY_H
-/* Define to 1 if you have the <sys/cdefs.h> header file. */
+/* Define if you have the <sys/cdefs.h> header file. */
 #undef HAVE_SYS_CDEFS_H
-/* Define to 1 if you have the <sys/mman.h> header file. */
+/* Define if you have the <sys/mman.h> header file. */
 #undef HAVE_SYS_MMAN_H
-/* Define to 1 if you have the <sys/pstat.h> header file. */
+/* Define if you have the <sys/pstat.h> header file. */
 #undef HAVE_SYS_PSTAT_H
-/* Define to 1 if you have the <sys/select.h> header file. */
+/* Define if you have the <sys/select.h> header file. */
 #undef HAVE_SYS_SELECT_H
-/* Define to 1 if you have the <sys/stat.h> header file. */
+/* Define if you have the <sys/stat.h> header file. */
 #undef HAVE_SYS_STAT_H
-/* Define to 1 if you have the <sys/stropts.h> header file. */
+/* Define if you have the <sys/stropts.h> header file. */
 #undef HAVE_SYS_STROPTS_H
-/* Define to 1 if you have the <sys/sysmacros.h> header file. */
+/* Define if you have the <sys/strtio.h> header file. */
+#undef HAVE_SYS_STRTIO_H
+/* Define if you have the <sys/sysmacros.h> header file. */
 #undef HAVE_SYS_SYSMACROS_H
-/* Define to 1 if you have the <sys/timers.h> header file. */
+/* Define if you have the <sys/timers.h> header file. */
 #undef HAVE_SYS_TIMERS_H
-/* Define to 1 if you have the <sys/time.h> header file. */
+/* Define if you have the <sys/time.h> header file. */
 #undef HAVE_SYS_TIME_H
-/* Define to 1 if you have the <sys/types.h> header file. */
+/* Define if you have the <sys/types.h> header file. */
 #undef HAVE_SYS_TYPES_H
-/* Define to 1 if you have the <sys/un.h> header file. */
+/* Define if you have the <sys/un.h> header file. */
 #undef HAVE_SYS_UN_H
-/* Define to 1 if you have the `tcgetpgrp' function. */
+/* Define if you have the `tcgetpgrp' function. */
 #undef HAVE_TCGETPGRP
-/* Define to 1 if you have the `time' function. */
+/* Define if you have the `tcsendbreak' function. */
+#undef HAVE_TCSENDBREAK
+/* Define if you have the `time' function. */
 #undef HAVE_TIME
-/* Define to 1 if you have the <time.h> header file. */
+/* Define if you have the <time.h> header file. */
 #undef HAVE_TIME_H
-/* Define to 1 if you have the <tmpdir.h> header file. */
+/* Define if you have the <tmpdir.h> header file. */
 #undef HAVE_TMPDIR_H
-/* Define to 1 if you have the `truncate' function. */
+/* Define if you have the `truncate' function. */
 #undef HAVE_TRUNCATE
-/* Define to 1 if you have the <ttyent.h> header file. */
+/* Define if you have the <ttyent.h> header file. */
 #undef HAVE_TTYENT_H
-/* Define to 1 if you have the <unistd.h> header file. */
+/* Define if you have the <unistd.h> header file. */
 #undef HAVE_UNISTD_H
-/* Define to 1 if you have the `updwtmp' function. */
+/* Define if you have the `updwtmp' function. */
 #undef HAVE_UPDWTMP
-/* Define to 1 if you have the <usersec.h> header file. */
+/* Define if you have the <usersec.h> header file. */
 #undef HAVE_USERSEC_H
-/* Define to 1 if you have the <util.h> header file. */
+/* Define if you have the <util.h> header file. */
 #undef HAVE_UTIL_H
-/* Define to 1 if you have the `utimes' function. */
+/* Define if you have the `utimes' function. */
 #undef HAVE_UTIMES
-/* Define to 1 if you have the <utime.h> header file. */
+/* Define if you have the <utime.h> header file. */
 #undef HAVE_UTIME_H
-/* Define to 1 if you have the `utmpname' function. */
+/* Define if you have the `utmpname' function. */
 #undef HAVE_UTMPNAME
-/* Define to 1 if you have the `utmpxname' function. */
+/* Define if you have the `utmpxname' function. */
 #undef HAVE_UTMPXNAME
-/* Define to 1 if you have the <utmpx.h> header file. */
+/* Define if you have the <utmpx.h> header file. */
 #undef HAVE_UTMPX_H
-/* Define to 1 if you have the <utmp.h> header file. */
+/* Define if you have the <utmp.h> header file. */
 #undef HAVE_UTMP_H
-/* Define to 1 if you have the `vhangup' function. */
+/* Define if you have the `vhangup' function. */
 #undef HAVE_VHANGUP
-/* Define to 1 if you have the `vsnprintf' function. */
+/* Define if you have the `vsnprintf' function. */
 #undef HAVE_VSNPRINTF
-/* Define to 1 if you have the `waitpid' function. */
+/* Define if you have the `waitpid' function. */
 #undef HAVE_WAITPID
-/* Define to 1 if you have the `_getpty' function. */
+/* Define if you have the `_getlong' function. */
+#undef HAVE__GETLONG
+/* Define if you have the `_getpty' function. */
 #undef HAVE__GETPTY
-/* Define to 1 if you have the `__b64_ntop' function. */
+/* Define if you have the `_getshort' function. */
+#undef HAVE__GETSHORT
+/* Define if you have the `__b64_ntop' function. */
 #undef HAVE___B64_NTOP
-/* Define to 1 if you have the `__b64_pton' function. */
+/* Define if you have the `__b64_pton' function. */
 #undef HAVE___B64_PTON
-/* Define to the address where bug reports for this package should be sent. */
-#undef PACKAGE_BUGREPORT
-/* Define to the full name of this package. */
-#undef PACKAGE_NAME
-/* Define to the full name and version of this package. */
-#undef PACKAGE_STRING
-/* Define to the one symbol short name of this package. */
-#undef PACKAGE_TARNAME
-/* Define to the version of this package. */
-#undef PACKAGE_VERSION
 /* The size of a `char', as computed by sizeof. */
 #undef SIZEOF_CHAR
@@ -918,11 +969,11 @@
 /* The size of a `short int', as computed by sizeof. */
 #undef SIZEOF_SHORT_INT
-/* Define to 1 if you have the ANSI C header files. */
+/* Define if you have the ANSI C header files. */
 #undef STDC_HEADERS
-/* Define to 1 if your processor stores words with the most significant byte
+/* Define if your processor stores words with the most significant byte first
-   first (like Motorola and SPARC, unlike Intel and VAX). */
+   (like Motorola and SPARC, unlike Intel and VAX). */
 #undef WORDS_BIGENDIAN
 /* Number of bits in a file offset, on hosts where this is settable. */
diff --git a/configure b/configure
index ceeb5b013..096c51af7 100755
--- a/configure
+++ b/configure
@@ -1,81 +1,12 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.57.
+# Generated by Autoconf 2.52.
 #
-# Copyright 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, 2002
+# Copyright 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001
 # Free Software Foundation, Inc.
 # This configure script is free software; the Free Software Foundation
 # gives unlimited permission to copy, distribute and modify it.
-## --------------------- ##
-## M4sh Initialization.  ##
-## --------------------- ##
-# Be Bourne compatible
-if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
-  emulate sh
-  NULLCMD=:
-  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
-  # is contrary to our usage.  Disable this feature.
-  alias -g '${1+"$@"}'='"$@"'
-elif test -n "${BASH_VERSION+set}" && (set -o posix) >/dev/null 2>&1; then
-  set -o posix
-fi
-# Support unset when possible.
-if (FOO=FOO; unset FOO) >/dev/null 2>&1; then
-  as_unset=unset
-else
-  as_unset=false
-fi
-# Work around bugs in pre-3.0 UWIN ksh.
-$as_unset ENV MAIL MAILPATH
-PS1='$ '
-PS2='> '
-PS4='+ '
-# NLS nuisances.
-for as_var in \
-  LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
-  LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
-  LC_TELEPHONE LC_TIME
-do
-  if (set +x; test -n "`(eval $as_var=C; export $as_var) 2>&1`"); then
-    eval $as_var=C; export $as_var
-  else
-    $as_unset $as_var
-  fi
-done
-# Required to use basename.
-if expr a : '\(a\)' >/dev/null 2>&1; then
-  as_expr=expr
-else
-  as_expr=false
-fi
-if (basename /) >/dev/null 2>&1 && test "X`basename / 2>&1`" = "X/"; then
-  as_basename=basename
-else
-  as_basename=false
-fi
-# Name of the executable.
-as_me=`$as_basename "$0" ||
-$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
-         X"$0" : 'X\(//\)$' \| \
-         X"$0" : 'X\(/\)$' \| \
-         .     : '\(.\)' 2>/dev/null ||
-echo X/"$0" |
-    sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/; q; }
-          /^X\/\(\/\/\)$/{ s//\1/; q; }
-          /^X\/\(\/\).*/{ s//\1/; q; }
-          s/.*/./; q'`
-# PATH needs CR, and LINENO needs CR and PATH.
 # Avoid depending upon Character Ranges.
 as_cr_letters='abcdefghijklmnopqrstuvwxyz'
 as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
@@ -83,113 +14,22 @@ as_cr_Letters=$as_cr_letters$as_cr_LETTERS
 as_cr_digits='0123456789'
 as_cr_alnum=$as_cr_Letters$as_cr_digits
-# The user is always right.
+# Sed expression to map a string onto a valid variable name.
-if test "${PATH_SEPARATOR+set}" != set; then
+as_tr_sh="sed y%*+%pp%;s%[^_$as_cr_alnum]%_%g"
-  echo "#! /bin/sh" >conf$$.sh
-  echo  "exit 0"   >>conf$$.sh
-  chmod +x conf$$.sh
-  if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
-    PATH_SEPARATOR=';'
-  else
-    PATH_SEPARATOR=:
-  fi
-  rm -f conf$$.sh
-fi
-  as_lineno_1=$LINENO
-  as_lineno_2=$LINENO
-  as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null`
-  test "x$as_lineno_1" != "x$as_lineno_2" &&
-  test "x$as_lineno_3"  = "x$as_lineno_2"  || {
-  # Find who we are.  Look in the path if we contain no path at all
-  # relative or not.
-  case $0 in
-    *[\\/]* ) as_myself=$0 ;;
-    *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
-done
-       ;;
-  esac
-  # We did not find ourselves, most probably we were run as `sh COMMAND'
-  # in which case we are not to be found in the path.
-  if test "x$as_myself" = x; then
-    as_myself=$0
-  fi
-  if test ! -f "$as_myself"; then
-    { echo "$as_me: error: cannot find myself; rerun with an absolute path" >&2
-   { (exit 1); exit 1; }; }
-  fi
-  case $CONFIG_SHELL in
-  '')
-    as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for as_base in sh bash ksh sh5; do
-         case $as_dir in
-         /*)
-           if ("$as_dir/$as_base" -c '
-  as_lineno_1=$LINENO
-  as_lineno_2=$LINENO
-  as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null`
-  test "x$as_lineno_1" != "x$as_lineno_2" &&
-  test "x$as_lineno_3"  = "x$as_lineno_2" ') 2>/dev/null; then
-             $as_unset BASH_ENV || test "${BASH_ENV+set}" != set || { BASH_ENV=; export BASH_ENV; }
-             $as_unset ENV || test "${ENV+set}" != set || { ENV=; export ENV; }
-             CONFIG_SHELL=$as_dir/$as_base
-             export CONFIG_SHELL
-             exec "$CONFIG_SHELL" "$0" ${1+"$@"}
-           fi;;
-         esac
-       done
-done
-;;
-  esac
-  # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
-  # uniformly replaced by the line number.  The first 'sed' inserts a
-  # line-number line before each line; the second 'sed' does the real
-  # work.  The second script uses 'N' to pair each line-number line
-  # with the numbered line, and appends trailing '-' during
-  # substitution so that $LINENO is not a special case at line end.
-  # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
-  # second 'sed' script.  Blame Lee E. McMahon for sed's syntax.  :-)
-  sed '=' <$as_myself |
-    sed '
-      N
-      s,$,-,
-      : loop
-      s,^\(['$as_cr_digits']*\)\(.*\)[$]LINENO\([^'$as_cr_alnum'_]\),\1\2\1\3,
-      t loop
-      s,-$,,
-      s,^['$as_cr_digits']*\n,,
-    ' >$as_me.lineno &&
-  chmod +x $as_me.lineno ||
-    { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
-   { (exit 1); exit 1; }; }
-  # Don't try to exec as it changes $[0], causing all sort of problems
+# Sed expression to map a string onto a valid CPP name.
-  # (the dirname of $[0] is not the place where we might find the
+as_tr_cpp="sed y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g"
-  # original and so on.  Autoconf is especially sensible to this).
-  . ./$as_me.lineno
-  # Exit status is that of the last command.
-  exit
-}
+# Be Bourne compatible
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+  emulate sh
+  NULLCMD=:
+elif test -n "${BASH_VERSION+set}" && (set -o posix) >/dev/null 2>&1; then
+  set -o posix
+fi
-case `echo "testing\c"; echo 1,2,3`,`echo -n testing; echo 1,2,3` in
+# Name of the executable.
-  *c*,-n*) ECHO_N= ECHO_C='
+as_me=`echo "$0" |sed 's,.*[\\/],,'`
-' ECHO_T='      ' ;;
-  *c*,*  ) ECHO_N=-n ECHO_C= ECHO_T= ;;
-  *)       ECHO_N= ECHO_C='\c' ECHO_T= ;;
-esac
 if expr a : '\(a\)' >/dev/null 2>&1; then
  as_expr=expr
@@ -215,20 +55,24 @@ else
 fi
 rm -f conf$$ conf$$.exe conf$$.file
-if mkdir -p . 2>/dev/null; then
-  as_mkdir_p=:
-else
-  as_mkdir_p=false
-fi
 as_executable_p="test -f"
-# Sed expression to map a string onto a valid CPP name.
+# Support unset when possible.
-as_tr_cpp="sed y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g"
+if (FOO=FOO; unset FOO) >/dev/null 2>&1; then
+  as_unset=unset
-# Sed expression to map a string onto a valid variable name.
+else
-as_tr_sh="sed y%*+%pp%;s%[^_$as_cr_alnum]%_%g"
+  as_unset=false
+fi
+# NLS nuisances.
+$as_unset LANG || test "${LANG+set}" != set || { LANG=C; export LANG; }
+$as_unset LC_ALL || test "${LC_ALL+set}" != set || { LC_ALL=C; export LC_ALL; }
+$as_unset LC_TIME || test "${LC_TIME+set}" != set || { LC_TIME=C; export LC_TIME; }
+$as_unset LC_CTYPE || test "${LC_CTYPE+set}" != set || { LC_CTYPE=C; export LC_CTYPE; }
+$as_unset LANGUAGE || test "${LANGUAGE+set}" != set || { LANGUAGE=C; export LANGUAGE; }
+$as_unset LC_COLLATE || test "${LC_COLLATE+set}" != set || { LC_COLLATE=C; export LC_COLLATE; }
+$as_unset LC_NUMERIC || test "${LC_NUMERIC+set}" != set || { LC_NUMERIC=C; export LC_NUMERIC; }
+$as_unset LC_MESSAGES || test "${LC_MESSAGES+set}" != set || { LC_MESSAGES=C; export LC_MESSAGES; }
 # IFS
 # We need space, tab and new line, in precisely that order.
@@ -237,8 +81,7 @@ as_nl='
 IFS="   $as_nl"
 # CDPATH.
-$as_unset CDPATH
+$as_unset CDPATH || test "${CDPATH+set}" != set || { CDPATH=:; export CDPATH; }
 # Name of the host.
 # hostname on some systems (SVR3.2, Linux) returns a bogus exit status,
@@ -251,11 +94,9 @@ exec 6>&1
 # Initializations.
 #
 ac_default_prefix=/usr/local
-ac_config_libobj_dir=.
 cross_compiling=no
 subdirs=
-MFLAGS=
+MFLAGS= MAKEFLAGS=
-MAKEFLAGS=
 SHELL=${CONFIG_SHELL-/bin/sh}
 # Maximum number of lines to put in a shell here document.
@@ -263,13 +104,6 @@ SHELL=${CONFIG_SHELL-/bin/sh}
 # only ac_max_sed_lines should be used.
 : ${ac_max_here_lines=38}
-# Identity of this package.
-PACKAGE_NAME=
-PACKAGE_TARNAME=
-PACKAGE_VERSION=
-PACKAGE_STRING=
-PACKAGE_BUGREPORT=
 ac_unique_file="ssh.c"
 # Factoring default headers for most tests.
 ac_includes_default="\
@@ -308,9 +142,6 @@ ac_includes_default="\
 # include <unistd.h>
 #endif"
-ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT build build_cpu build_vendor build_os host host_cpu host_vendor host_os CPP RANLIB ac_ct_RANLIB INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA AR PERL SED ENT TEST_MINUS_S_SH SH LOGIN_PROGRAM_FALLBACK LD EGREP LIBWRAP LIBPAM INSTALL_SSH_RAND_HELPER SSH_PRIVSEP_USER PROG_LS PROG_NETSTAT PROG_ARP PROG_IFCONFIG PROG_JSTAT PROG_PS PROG_SAR PROG_W PROG_WHO PROG_LAST PROG_LASTLOG PROG_DF PROG_VMSTAT PROG_UPTIME PROG_IPCS PROG_TAIL INSTALL_SSH_PRNG_CMDS OPENSC_CONFIG PRIVSEP_PATH xauth_path STRIP_OPT XAUTH_PATH NROFF MANTYPE mansubdir user_path piddir LIBOBJS LTLIBOBJS'
-ac_subst_files=''
 # Initialize some variables set by options.
 ac_init_help=
 ac_init_version=false
@@ -349,6 +180,13 @@ oldincludedir='/usr/include'
 infodir='${prefix}/info'
 mandir='${prefix}/man'
+# Identity of this package.
+PACKAGE_NAME=
+PACKAGE_TARNAME=
+PACKAGE_VERSION=
+PACKAGE_STRING=
+PACKAGE_BUGREPORT=
 ac_prev=
 for ac_option
 do
@@ -481,7 +319,7 @@ do
    with_fp=no ;;
  -no-create | --no-create | --no-creat | --no-crea | --no-cre \
-  | --no-cr | --no-c | -n)
+  | --no-cr | --no-c)
    no_create=yes ;;
  -no-recursion | --no-recursion | --no-recursio | --no-recursi \
@@ -660,7 +498,7 @@ do
  eval ac_val=$`echo $ac_var`
  case $ac_val in
    [\\/$]* | ?:[\\/]* | NONE | '' ) ;;
-    *)  { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
+    *)  { echo "$as_me: error: expected an absolute path for --$ac_var: $ac_val" >&2
   { (exit 1); exit 1; }; };;
  esac
 done
@@ -672,19 +510,18 @@ do
  eval ac_val=$`echo $ac_var`
  case $ac_val in
    [\\/$]* | ?:[\\/]* ) ;;
-    *)  { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
+    *)  { echo "$as_me: error: expected an absolute path for --$ac_var: $ac_val" >&2
   { (exit 1); exit 1; }; };;
  esac
 done
 # There might be people who depend on the old broken behavior: `$host'
 # used to hold the argument of --host etc.
-# FIXME: To remove some day.
 build=$build_alias
 host=$host_alias
 target=$target_alias
-# FIXME: To remove some day.
+# FIXME: should be removed in autoconf 3.0.
 if test "x$host_alias" != x; then
  if test "x$build_alias" = x; then
    cross_compiling=maybe
@@ -700,23 +537,13 @@ test -n "$host_alias" && ac_tool_prefix=$host_alias-
 test "$silent" = yes && exec 6>/dev/null
 # Find the source files, if location was not specified.
 if test -z "$srcdir"; then
  ac_srcdir_defaulted=yes
  # Try the directory containing this script, then its parent.
-  ac_confdir=`(dirname "$0") 2>/dev/null ||
+  ac_prog=$0
-$as_expr X"$0" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+  ac_confdir=`echo "$ac_prog" | sed 's%[\\/][^\\/][^\\/]*$%%'`
-         X"$0" : 'X\(//\)[^/]' \| \
+  test "x$ac_confdir" = "x$ac_prog" && ac_confdir=.
-         X"$0" : 'X\(//\)$' \| \
-         X"$0" : 'X\(/\)' \| \
-         .     : '\(.\)' 2>/dev/null ||
-echo X"$0" |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
-          /^X\(\/\/\)[^/].*/{ s//\1/; q; }
-          /^X\(\/\/\)$/{ s//\1/; q; }
-          /^X\(\/\).*/{ s//\1/; q; }
-          s/.*/./; q'`
  srcdir=$ac_confdir
  if test ! -r $srcdir/$ac_unique_file; then
    srcdir=..
@@ -726,16 +553,13 @@ else
 fi
 if test ! -r $srcdir/$ac_unique_file; then
  if test "$ac_srcdir_defaulted" = yes; then
-    { echo "$as_me: error: cannot find sources ($ac_unique_file) in $ac_confdir or .." >&2
+    { echo "$as_me: error: cannot find sources in $ac_confdir or .." >&2
   { (exit 1); exit 1; }; }
  else
-    { echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2
+    { echo "$as_me: error: cannot find sources in $srcdir" >&2
   { (exit 1); exit 1; }; }
  fi
 fi
-(cd $srcdir && test -r ./$ac_unique_file) 2>/dev/null ||
-  { echo "$as_me: error: sources are in $srcdir, but \`cd $srcdir' does not work" >&2
-   { (exit 1); exit 1; }; }
 srcdir=`echo "$srcdir" | sed 's%\([^\\/]\)[\\/]*$%\1%'`
 ac_env_build_alias_set=${build_alias+set}
 ac_env_build_alias_value=$build_alias
@@ -776,7 +600,7 @@ ac_cv_env_CPP_value=$CPP
 if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
-  cat <<_ACEOF
+  cat <<EOF
 \`configure' configures this package to adapt to many kinds of systems.
 Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -797,9 +621,9 @@ Configuration:
  -n, --no-create         do not create output files
      --srcdir=DIR        find the sources in DIR [configure dir or \`..']
-_ACEOF
+EOF
-  cat <<_ACEOF
+  cat <<EOF
 Installation directories:
  --prefix=PREFIX         install architecture-independent files in PREFIX
                          [$ac_default_prefix]
@@ -826,19 +650,19 @@ Fine tuning of the installation directories:
  --oldincludedir=DIR    C header files for non-gcc [/usr/include]
  --infodir=DIR          info documentation [PREFIX/info]
  --mandir=DIR           man documentation [PREFIX/man]
-_ACEOF
+EOF
-  cat <<\_ACEOF
+  cat <<\EOF
 System types:
  --build=BUILD     configure for building on BUILD [guessed]
-  --host=HOST       cross-compile to build programs to run on HOST [BUILD]
+  --host=HOST       build programs to run on HOST [BUILD]
-_ACEOF
+EOF
 fi
 if test -n "$ac_init_help"; then
-  cat <<\_ACEOF
+  cat <<\EOF
 Optional Features:
  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
@@ -877,9 +701,8 @@ Optional Packages:
  --with-privsep-user=user Specify non-privileged user for privilege separation
  --with-sectok           Enable smartcard support using libsectok
  --with-opensc=PFX       Enable smartcard support using OpenSC
+  --with-dns              Support for fetching keys from DNS (experimental)
  --with-kerberos5=PATH   Enable Kerberos 5 support
-  --with-kerberos4=PATH   Enable Kerberos 4 support
-  --with-afs=PATH         Enable AFS support
  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
  --with-xauth=PATH       Specify path to xauth program
  --with-mantype=man|cat|doc  Set man page type
@@ -888,7 +711,6 @@ Optional Packages:
  --with-ipaddr-display   Use ip address instead of hostname in \$DISPLAY
  --with-default-path=    Specify default \$PATH environment for server
  --with-superuser-path=  Specify different path for super-user
-  --with-ipv4-default     Use IPv4 by connections unless '-6' specified
  --with-4in6             Check for and convert IPv4 in IPv6 mapped addresses
  --with-bsd-auth         Enable BSD auth support
  --with-pid-dir=PATH     Specify location of ssh.pid file
@@ -906,60 +728,40 @@ Some influential environment variables:
 Use these variables to override the choices made by `configure' or to help
 it to find libraries and programs with nonstandard names/locations.
-_ACEOF
+EOF
 fi
 if test "$ac_init_help" = "recursive"; then
  # If there are subdirs, report their specific --help.
  ac_popdir=`pwd`
-  for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue
+  for ac_subdir in : $ac_subdirs_all; do test "x$ac_subdir" = x: && continue
-    test -d $ac_dir || continue
+    cd $ac_subdir
-    ac_builddir=.
+    # A "../" for each directory in /$ac_subdir.
+    ac_dots=`echo $ac_subdir |
-if test "$ac_dir" != .; then
+             sed 's,^\./,,;s,[^/]$,&/,;s,[^/]*/,../,g'`
-  ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
-  # A "../" for each directory in $ac_dir_suffix.
+    case $srcdir in
-  ac_top_builddir=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,../,g'`
+    .) # No --srcdir option.  We are building in place.
-else
+      ac_sub_srcdir=$srcdir ;;
-  ac_dir_suffix= ac_top_builddir=
+    [\\/]* | ?:[\\/]* ) # Absolute path.
-fi
+      ac_sub_srcdir=$srcdir/$ac_subdir ;;
+    *) # Relative path.
+      ac_sub_srcdir=$ac_dots$srcdir/$ac_subdir ;;
+    esac
-case $srcdir in
-  .)  # No --srcdir option.  We are building in place.
-    ac_srcdir=.
-    if test -z "$ac_top_builddir"; then
-       ac_top_srcdir=.
-    else
-       ac_top_srcdir=`echo $ac_top_builddir | sed 's,/$,,'`
-    fi ;;
-  [\\/]* | ?:[\\/]* )  # Absolute path.
-    ac_srcdir=$srcdir$ac_dir_suffix;
-    ac_top_srcdir=$srcdir ;;
-  *) # Relative path.
-    ac_srcdir=$ac_top_builddir$srcdir$ac_dir_suffix
-    ac_top_srcdir=$ac_top_builddir$srcdir ;;
-esac
-# Don't blindly perform a `cd "$ac_dir"/$ac_foo && pwd` since $ac_foo can be
-# absolute.
-ac_abs_builddir=`cd "$ac_dir" && cd $ac_builddir && pwd`
-ac_abs_top_builddir=`cd "$ac_dir" && cd ${ac_top_builddir}. && pwd`
-ac_abs_srcdir=`cd "$ac_dir" && cd $ac_srcdir && pwd`
-ac_abs_top_srcdir=`cd "$ac_dir" && cd $ac_top_srcdir && pwd`
-    cd $ac_dir
    # Check for guested configure; otherwise get Cygnus style configure.
-    if test -f $ac_srcdir/configure.gnu; then
+    if test -f $ac_sub_srcdir/configure.gnu; then
      echo
-      $SHELL $ac_srcdir/configure.gnu  --help=recursive
+      $SHELL $ac_sub_srcdir/configure.gnu  --help=recursive
-    elif test -f $ac_srcdir/configure; then
+    elif test -f $ac_sub_srcdir/configure; then
      echo
-      $SHELL $ac_srcdir/configure  --help=recursive
+      $SHELL $ac_sub_srcdir/configure  --help=recursive
-    elif test -f $ac_srcdir/configure.ac ||
+    elif test -f $ac_sub_srcdir/configure.ac ||
-           test -f $ac_srcdir/configure.in; then
+           test -f $ac_sub_srcdir/configure.in; then
      echo
      $ac_configure --help
    else
-      echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
+      echo "$as_me: WARNING: no configuration information is in $ac_subdir" >&2
    fi
    cd $ac_popdir
  done
@@ -967,31 +769,31 @@ fi
 test -n "$ac_init_help" && exit 0
 if $ac_init_version; then
-  cat <<\_ACEOF
+  cat <<\EOF
-Copyright 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, 2002
+Copyright 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001
 Free Software Foundation, Inc.
 This configure script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it.
-_ACEOF
+EOF
  exit 0
 fi
 exec 5>config.log
-cat >&5 <<_ACEOF
+cat >&5 <<EOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 It was created by $as_me, which was
-generated by GNU Autoconf 2.57.  Invocation command line was
+generated by GNU Autoconf 2.52.  Invocation command line was
  $ $0 $@
-_ACEOF
+EOF
 {
 cat <<_ASUNAME
-## --------- ##
+## ---------- ##
-## Platform. ##
+## Platform.  ##
-## --------- ##
+## ---------- ##
 hostname = `(hostname || uname -n) 2>/dev/null | sed 1q`
 uname -m = `(uname -m) 2>/dev/null || echo unknown`
@@ -1010,96 +812,51 @@ hostinfo               = `(hostinfo) 2>/dev/null               || echo unknown`
 /usr/bin/oslevel       = `(/usr/bin/oslevel) 2>/dev/null       || echo unknown`
 /bin/universe          = `(/bin/universe) 2>/dev/null          || echo unknown`
-_ASUNAME
+PATH = $PATH
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  echo "PATH: $as_dir"
-done
+_ASUNAME
 } >&5
-cat >&5 <<_ACEOF
+cat >&5 <<EOF
+## ------------ ##
+## Core tests.  ##
-## ----------- ##
+## ------------ ##
-## Core tests. ##
-## ----------- ##
-_ACEOF
+EOF
 # Keep a trace of the command line.
 # Strip out --no-create and --no-recursion so they do not pile up.
-# Strip out --silent because we don't want to record it for future runs.
 # Also quote any args containing shell meta-characters.
-# Make two passes to allow for proper duplicate-argument suppression.
 ac_configure_args=
-ac_configure_args0=
-ac_configure_args1=
 ac_sep=
-ac_must_keep_next=false
+for ac_arg
-for ac_pass in 1 2
 do
-  for ac_arg
+  case $ac_arg in
-  do
+  -no-create | --no-create | --no-creat | --no-crea | --no-cre \
-    case $ac_arg in
+  | --no-cr | --no-c) ;;
-    -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;;
+  -no-recursion | --no-recursion | --no-recursio | --no-recursi \
-    -q | -quiet | --quiet | --quie | --qui | --qu | --q \
+  | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) ;;
-    | -silent | --silent | --silen | --sile | --sil)
+  *" "*|*"      "*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?\"\']*)
-      continue ;;
+    ac_arg=`echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"`
-    *" "*|*"    "*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?\"\']*)
+    ac_configure_args="$ac_configure_args$ac_sep'$ac_arg'"
-      ac_arg=`echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
+    ac_sep=" " ;;
-    esac
+  *) ac_configure_args="$ac_configure_args$ac_sep$ac_arg"
-    case $ac_pass in
+     ac_sep=" " ;;
-    1) ac_configure_args0="$ac_configure_args0 '$ac_arg'" ;;
+  esac
-    2)
+  # Get rid of the leading space.
-      ac_configure_args1="$ac_configure_args1 '$ac_arg'"
-      if test $ac_must_keep_next = true; then
-        ac_must_keep_next=false # Got value, back to normal.
-      else
-        case $ac_arg in
-          *=* | --config-cache | -C | -disable-* | --disable-* \
-          | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \
-          | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \
-          | -with-* | --with-* | -without-* | --without-* | --x)
-            case "$ac_configure_args0 " in
-              "$ac_configure_args1"*" '$ac_arg' "* ) continue ;;
-            esac
-            ;;
-          -* ) ac_must_keep_next=true ;;
-        esac
-      fi
-      ac_configure_args="$ac_configure_args$ac_sep'$ac_arg'"
-      # Get rid of the leading space.
-      ac_sep=" "
-      ;;
-    esac
-  done
 done
-$as_unset ac_configure_args0 || test "${ac_configure_args0+set}" != set || { ac_configure_args0=; export ac_configure_args0; }
-$as_unset ac_configure_args1 || test "${ac_configure_args1+set}" != set || { ac_configure_args1=; export ac_configure_args1; }
 # When interrupted or exit'd, cleanup temporary files, and complete
 # config.log.  We remove comments because anyway the quotes in there
 # would cause problems or look ugly.
-# WARNING: Be sure not to use single quotes in there, as some shells,
-# such as our DU 5.0 friend, will then `close' the trap.
 trap 'exit_status=$?
  # Save into config.log some information that might help in debugging.
-  {
+  echo >&5
-    echo
+  echo "## ----------------- ##" >&5
+  echo "## Cache variables.  ##" >&5
-    cat <<\_ASBOX
+  echo "## ----------------- ##" >&5
-## ---------------- ##
+  echo >&5
-## Cache variables. ##
+  # The following way of writing the cache mishandles newlines in values,
-## ---------------- ##
-_ASBOX
-    echo
-    # The following way of writing the cache mishandles newlines in values,
 {
  (set) 2>&1 |
    case `(ac_space='"'"' '"'"'; set | grep ac_space) 2>&1` in
@@ -1113,53 +870,21 @@ _ASBOX
        "s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1=\\2/p"
      ;;
    esac;
-}
+} >&5
-    echo
+  sed "/^$/d" confdefs.h >conftest.log
+  if test -s conftest.log; then
-    cat <<\_ASBOX
+    echo >&5
-## ----------------- ##
+    echo "## ------------ ##" >&5
-## Output variables. ##
+    echo "## confdefs.h.  ##" >&5
-## ----------------- ##
+    echo "## ------------ ##" >&5
-_ASBOX
+    echo >&5
-    echo
+    cat conftest.log >&5
-    for ac_var in $ac_subst_vars
+  fi
-    do
+  (echo; echo) >&5
-      eval ac_val=$`echo $ac_var`
+  test "$ac_signal" != 0 &&
-      echo "$ac_var='"'"'$ac_val'"'"'"
+    echo "$as_me: caught signal $ac_signal" >&5
-    done | sort
+  echo "$as_me: exit $exit_status" >&5
-    echo
+  rm -rf conftest* confdefs* core core.* *.core conf$$* $ac_clean_files &&
-    if test -n "$ac_subst_files"; then
-      cat <<\_ASBOX
-## ------------- ##
-## Output files. ##
-## ------------- ##
-_ASBOX
-      echo
-      for ac_var in $ac_subst_files
-      do
-        eval ac_val=$`echo $ac_var`
-        echo "$ac_var='"'"'$ac_val'"'"'"
-      done | sort
-      echo
-    fi
-    if test -s confdefs.h; then
-      cat <<\_ASBOX
-## ----------- ##
-## confdefs.h. ##
-## ----------- ##
-_ASBOX
-      echo
-      sed "/^$/d" confdefs.h | sort
-      echo
-    fi
-    test "$ac_signal" != 0 &&
-      echo "$as_me: caught signal $ac_signal"
-    echo "$as_me: exit $exit_status"
-  } >&5
-  rm -f core core.* *.core &&
-  rm -rf conftest* confdefs* conf$$* $ac_clean_files &&
    exit $exit_status
     ' 0
 for ac_signal in 1 2 13 15; do
@@ -1172,33 +897,6 @@ rm -rf conftest* confdefs.h
 # AIX cpp loses on an empty file, so make sure it contains at least a newline.
 echo >confdefs.h
-# Predefined preprocessor variables.
-cat >>confdefs.h <<_ACEOF
-#define PACKAGE_NAME "$PACKAGE_NAME"
-_ACEOF
-cat >>confdefs.h <<_ACEOF
-#define PACKAGE_TARNAME "$PACKAGE_TARNAME"
-_ACEOF
-cat >>confdefs.h <<_ACEOF
-#define PACKAGE_VERSION "$PACKAGE_VERSION"
-_ACEOF
-cat >>confdefs.h <<_ACEOF
-#define PACKAGE_STRING "$PACKAGE_STRING"
-_ACEOF
-cat >>confdefs.h <<_ACEOF
-#define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT"
-_ACEOF
 # Let the site file select an alternate cache file if it wants to.
 # Prefer explicitly selected file to automatically selected ones.
 if test -z "$CONFIG_SITE"; then
@@ -1210,9 +908,9 @@ if test -z "$CONFIG_SITE"; then
 fi
 for ac_site_file in $CONFIG_SITE; do
  if test -r "$ac_site_file"; then
-    { echo "$as_me:$LINENO: loading site script $ac_site_file" >&5
+    { echo "$as_me:911: loading site script $ac_site_file" >&5
 echo "$as_me: loading site script $ac_site_file" >&6;}
-    sed 's/^/| /' "$ac_site_file" >&5
+    cat "$ac_site_file" >&5
    . "$ac_site_file"
  fi
 done
@@ -1221,7 +919,7 @@ if test -r "$cache_file"; then
  # Some versions of bash will fail to source /dev/null (special
  # files actually), so we avoid doing that.
  if test -f "$cache_file"; then
-    { echo "$as_me:$LINENO: loading cache $cache_file" >&5
+    { echo "$as_me:922: loading cache $cache_file" >&5
 echo "$as_me: loading cache $cache_file" >&6;}
    case $cache_file in
      [\\/]* | ?:[\\/]* ) . $cache_file;;
@@ -1229,7 +927,7 @@ echo "$as_me: loading cache $cache_file" >&6;}
    esac
  fi
 else
-  { echo "$as_me:$LINENO: creating cache $cache_file" >&5
+  { echo "$as_me:930: creating cache $cache_file" >&5
 echo "$as_me: creating cache $cache_file" >&6;}
  >$cache_file
 fi
@@ -1245,42 +943,42 @@ for ac_var in `(set) 2>&1 |
  eval ac_new_val="\$ac_env_${ac_var}_value"
  case $ac_old_set,$ac_new_set in
    set,)
-      { echo "$as_me:$LINENO: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
+      { echo "$as_me:946: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
 echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
      ac_cache_corrupted=: ;;
    ,set)
-      { echo "$as_me:$LINENO: error: \`$ac_var' was not set in the previous run" >&5
+      { echo "$as_me:950: error: \`$ac_var' was not set in the previous run" >&5
 echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
      ac_cache_corrupted=: ;;
    ,);;
    *)
      if test "x$ac_old_val" != "x$ac_new_val"; then
-        { echo "$as_me:$LINENO: error: \`$ac_var' has changed since the previous run:" >&5
+        { echo "$as_me:956: error: \`$ac_var' has changed since the previous run:" >&5
 echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;}
-        { echo "$as_me:$LINENO:   former value:  $ac_old_val" >&5
+        { echo "$as_me:958:   former value:  $ac_old_val" >&5
 echo "$as_me:   former value:  $ac_old_val" >&2;}
-        { echo "$as_me:$LINENO:   current value: $ac_new_val" >&5
+        { echo "$as_me:960:   current value: $ac_new_val" >&5
 echo "$as_me:   current value: $ac_new_val" >&2;}
        ac_cache_corrupted=:
      fi;;
  esac
-  # Pass precious variables to config.status.
+  # Pass precious variables to config.status.  It doesn't matter if
+  # we pass some twice (in addition to the command line arguments).
  if test "$ac_new_set" = set; then
    case $ac_new_val in
    *" "*|*"    "*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?\"\']*)
-      ac_arg=$ac_var=`echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
+      ac_arg=$ac_var=`echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"`
-    *) ac_arg=$ac_var=$ac_new_val ;;
+      ac_configure_args="$ac_configure_args '$ac_arg'"
-    esac
+      ;;
-    case " $ac_configure_args " in
+    *) ac_configure_args="$ac_configure_args $ac_var=$ac_new_val"
-      *" '$ac_arg' "*) ;; # Avoid dups.  Use of quotes ensures accuracy.
+       ;;
-      *) ac_configure_args="$ac_configure_args '$ac_arg'" ;;
    esac
  fi
 done
 if $ac_cache_corrupted; then
-  { echo "$as_me:$LINENO: error: changes in the environment can compromise the build" >&5
+  { echo "$as_me:979: error: changes in the environment can compromise the build" >&5
 echo "$as_me: error: changes in the environment can compromise the build" >&2;}
-  { { echo "$as_me:$LINENO: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&5
+  { { echo "$as_me:981: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&5
 echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&2;}
   { (exit 1); exit 1; }; }
 fi
@@ -1291,27 +989,28 @@ ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
 ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
+case `echo "testing\c"; echo 1,2,3`,`echo -n testing; echo 1,2,3` in
+  *c*,-n*) ECHO_N= ECHO_C='
+' ECHO_T='      ' ;;
+  *c*,*  ) ECHO_N=-n ECHO_C= ECHO_T= ;;
+  *)      ECHO_N= ECHO_C='\c' ECHO_T= ;;
+esac
+echo "#! $SHELL" >conftest.sh
+echo  "exit 0"   >>conftest.sh
+chmod +x conftest.sh
+if { (echo "$as_me:1001: PATH=\".;.\"; conftest.sh") >&5
+  (PATH=".;."; conftest.sh) 2>&5
+  ac_status=$?
+  echo "$as_me:1004: \$? = $ac_status" >&5
+  (exit $ac_status); }; then
+  ac_path_separator=';'
+else
+  ac_path_separator=:
+fi
+PATH_SEPARATOR="$ac_path_separator"
+rm -f conftest.sh
+ac_config_headers="$ac_config_headers config.h"
-          ac_config_headers="$ac_config_headers config.h"
 ac_ext=c
 ac_cpp='$CPP $CPPFLAGS'
@@ -1321,7 +1020,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 if test -n "$ac_tool_prefix"; then
  # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
 set dummy ${ac_tool_prefix}gcc; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:1023: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_prog_CC+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -1329,28 +1028,25 @@ else
  if test -n "$CC"; then
  ac_cv_prog_CC="$CC" # Let the user override the test.
 else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  $as_executable_p "$ac_dir/$ac_word" || continue
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ac_cv_prog_CC="${ac_tool_prefix}gcc"
-    ac_cv_prog_CC="${ac_tool_prefix}gcc"
+echo "$as_me:1038: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+break
-    break 2
-  fi
-done
 done
 fi
 fi
 CC=$ac_cv_prog_CC
 if test -n "$CC"; then
-  echo "$as_me:$LINENO: result: $CC" >&5
+  echo "$as_me:1046: result: $CC" >&5
 echo "${ECHO_T}$CC" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:1049: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -1359,7 +1055,7 @@ if test -z "$ac_cv_prog_CC"; then
  ac_ct_CC=$CC
  # Extract the first word of "gcc", so it can be a program name with args.
 set dummy gcc; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:1058: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -1367,28 +1063,25 @@ else
  if test -n "$ac_ct_CC"; then
  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
 else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  $as_executable_p "$ac_dir/$ac_word" || continue
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ac_cv_prog_ac_ct_CC="gcc"
-    ac_cv_prog_ac_ct_CC="gcc"
+echo "$as_me:1073: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+break
-    break 2
-  fi
-done
 done
 fi
 fi
 ac_ct_CC=$ac_cv_prog_ac_ct_CC
 if test -n "$ac_ct_CC"; then
-  echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+  echo "$as_me:1081: result: $ac_ct_CC" >&5
 echo "${ECHO_T}$ac_ct_CC" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:1084: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -1401,7 +1094,7 @@ if test -z "$CC"; then
  if test -n "$ac_tool_prefix"; then
  # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
 set dummy ${ac_tool_prefix}cc; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:1097: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_prog_CC+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -1409,28 +1102,25 @@ else
  if test -n "$CC"; then
  ac_cv_prog_CC="$CC" # Let the user override the test.
 else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  $as_executable_p "$ac_dir/$ac_word" || continue
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ac_cv_prog_CC="${ac_tool_prefix}cc"
-    ac_cv_prog_CC="${ac_tool_prefix}cc"
+echo "$as_me:1112: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+break
-    break 2
-  fi
-done
 done
 fi
 fi
 CC=$ac_cv_prog_CC
 if test -n "$CC"; then
-  echo "$as_me:$LINENO: result: $CC" >&5
+  echo "$as_me:1120: result: $CC" >&5
 echo "${ECHO_T}$CC" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:1123: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -1439,7 +1129,7 @@ if test -z "$ac_cv_prog_CC"; then
  ac_ct_CC=$CC
  # Extract the first word of "cc", so it can be a program name with args.
 set dummy cc; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:1132: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -1447,28 +1137,25 @@ else
  if test -n "$ac_ct_CC"; then
  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
 else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  $as_executable_p "$ac_dir/$ac_word" || continue
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ac_cv_prog_ac_ct_CC="cc"
-    ac_cv_prog_ac_ct_CC="cc"
+echo "$as_me:1147: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+break
-    break 2
-  fi
-done
 done
 fi
 fi
 ac_ct_CC=$ac_cv_prog_ac_ct_CC
 if test -n "$ac_ct_CC"; then
-  echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+  echo "$as_me:1155: result: $ac_ct_CC" >&5
 echo "${ECHO_T}$ac_ct_CC" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:1158: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -1481,7 +1168,7 @@ fi
 if test -z "$CC"; then
  # Extract the first word of "cc", so it can be a program name with args.
 set dummy cc; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:1171: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_prog_CC+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -1490,22 +1177,19 @@ else
  ac_cv_prog_CC="$CC" # Let the user override the test.
 else
  ac_prog_rejected=no
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  $as_executable_p "$ac_dir/$ac_word" || continue
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+if test "$ac_dir/$ac_word" = "/usr/ucb/cc"; then
-    if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
+  ac_prog_rejected=yes
-       ac_prog_rejected=yes
+  continue
-       continue
+fi
-     fi
+ac_cv_prog_CC="cc"
-    ac_cv_prog_CC="cc"
+echo "$as_me:1191: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+break
-    break 2
-  fi
-done
 done
 if test $ac_prog_rejected = yes; then
@@ -1517,17 +1201,19 @@ if test $ac_prog_rejected = yes; then
    # However, it has the same basename, so the bogon will be chosen
    # first if we set CC to just the basename; use the full file name.
    shift
-    ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@"
+    set dummy "$ac_dir/$ac_word" ${1+"$@"}
+    shift
+    ac_cv_prog_CC="$@"
  fi
 fi
 fi
 fi
 CC=$ac_cv_prog_CC
 if test -n "$CC"; then
-  echo "$as_me:$LINENO: result: $CC" >&5
+  echo "$as_me:1213: result: $CC" >&5
 echo "${ECHO_T}$CC" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:1216: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -1538,7 +1224,7 @@ if test -z "$CC"; then
  do
    # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
 set dummy $ac_tool_prefix$ac_prog; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:1227: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_prog_CC+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -1546,28 +1232,25 @@ else
  if test -n "$CC"; then
  ac_cv_prog_CC="$CC" # Let the user override the test.
 else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  $as_executable_p "$ac_dir/$ac_word" || continue
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
-    ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
+echo "$as_me:1242: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+break
-    break 2
-  fi
-done
 done
 fi
 fi
 CC=$ac_cv_prog_CC
 if test -n "$CC"; then
-  echo "$as_me:$LINENO: result: $CC" >&5
+  echo "$as_me:1250: result: $CC" >&5
 echo "${ECHO_T}$CC" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:1253: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -1580,7 +1263,7 @@ if test -z "$CC"; then
 do
  # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:1266: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -1588,28 +1271,25 @@ else
  if test -n "$ac_ct_CC"; then
  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
 else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  $as_executable_p "$ac_dir/$ac_word" || continue
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ac_cv_prog_ac_ct_CC="$ac_prog"
-    ac_cv_prog_ac_ct_CC="$ac_prog"
+echo "$as_me:1281: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+break
-    break 2
-  fi
-done
 done
 fi
 fi
 ac_ct_CC=$ac_cv_prog_ac_ct_CC
 if test -n "$ac_ct_CC"; then
-  echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+  echo "$as_me:1289: result: $ac_ct_CC" >&5
 echo "${ECHO_T}$ac_ct_CC" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:1292: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -1621,40 +1301,33 @@ fi
 fi
+test -z "$CC" && { { echo "$as_me:1304: error: no acceptable cc found in \$PATH" >&5
-test -z "$CC" && { { echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH
+echo "$as_me: error: no acceptable cc found in \$PATH" >&2;}
-See \`config.log' for more details." >&5
-echo "$as_me: error: no acceptable C compiler found in \$PATH
-See \`config.log' for more details." >&2;}
   { (exit 1); exit 1; }; }
 # Provide some information about the compiler.
-echo "$as_me:$LINENO:" \
+echo "$as_me:1309:" \
     "checking for C compiler version" >&5
 ac_compiler=`set X $ac_compile; echo $2`
-{ (eval echo "$as_me:$LINENO: \"$ac_compiler --version </dev/null >&5\"") >&5
+{ (eval echo "$as_me:1312: \"$ac_compiler --version </dev/null >&5\"") >&5
  (eval $ac_compiler --version </dev/null >&5) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:1315: \$? = $ac_status" >&5
  (exit $ac_status); }
-{ (eval echo "$as_me:$LINENO: \"$ac_compiler -v </dev/null >&5\"") >&5
+{ (eval echo "$as_me:1317: \"$ac_compiler -v </dev/null >&5\"") >&5
  (eval $ac_compiler -v </dev/null >&5) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:1320: \$? = $ac_status" >&5
  (exit $ac_status); }
-{ (eval echo "$as_me:$LINENO: \"$ac_compiler -V </dev/null >&5\"") >&5
+{ (eval echo "$as_me:1322: \"$ac_compiler -V </dev/null >&5\"") >&5
  (eval $ac_compiler -V </dev/null >&5) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:1325: \$? = $ac_status" >&5
  (exit $ac_status); }
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 1329 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 int
 main ()
@@ -1665,120 +1338,100 @@ main ()
 }
 _ACEOF
 ac_clean_files_save=$ac_clean_files
-ac_clean_files="$ac_clean_files a.out a.exe b.out"
+ac_clean_files="$ac_clean_files a.out a.exe"
 # Try to create an executable without -o first, disregard a.out.
 # It will help us diagnose broken compilers, and finding out an intuition
 # of exeext.
-echo "$as_me:$LINENO: checking for C compiler default output" >&5
+echo "$as_me:1345: checking for C compiler default output" >&5
 echo $ECHO_N "checking for C compiler default output... $ECHO_C" >&6
 ac_link_default=`echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
-if { (eval echo "$as_me:$LINENO: \"$ac_link_default\"") >&5
+if { (eval echo "$as_me:1348: \"$ac_link_default\"") >&5
  (eval $ac_link_default) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:1351: \$? = $ac_status" >&5
  (exit $ac_status); }; then
  # Find the output, starting from the most likely.  This scheme is
 # not robust to junk in `.', hence go to wildcards (a.*) only as a last
 # resort.
+for ac_file in `ls a.exe conftest.exe 2>/dev/null;
-# Be careful to initialize this variable, since it used to be cached.
+                ls a.out conftest 2>/dev/null;
-# Otherwise an old cache value of `no' led to `EXEEXT = no' in a Makefile.
+                ls a.* conftest.* 2>/dev/null`; do
-ac_cv_exeext=
-# b.out is created by i960 compilers.
-for ac_file in a_out.exe a.exe conftest.exe a.out conftest a.* conftest.* b.out
-do
-  test -f "$ac_file" || continue
  case $ac_file in
-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.o | *.obj )
+    *.$ac_ext | *.o | *.obj | *.xcoff | *.tds | *.d | *.pdb ) ;;
-        ;;
+    a.out ) # We found the default executable, but exeext='' is most
-    conftest.$ac_ext )
+            # certainly right.
-        # This is the source file.
+            break;;
-        ;;
+    *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
-    [ab].out )
+          # FIXME: I believe we export ac_cv_exeext for Libtool --akim.
-        # We found the default executable, but exeext='' is most
+          export ac_cv_exeext
-        # certainly right.
+          break;;
-        break;;
+    * ) break;;
-    *.* )
-        ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
-        # FIXME: I believe we export ac_cv_exeext for Libtool,
-        # but it would be cool to find out if it's true.  Does anybody
-        # maintain Libtool? --akim.
-        export ac_cv_exeext
-        break;;
-    * )
-        break;;
  esac
 done
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+{ { echo "$as_me:1374: error: C compiler cannot create executables" >&5
-{ { echo "$as_me:$LINENO: error: C compiler cannot create executables
+echo "$as_me: error: C compiler cannot create executables" >&2;}
-See \`config.log' for more details." >&5
-echo "$as_me: error: C compiler cannot create executables
-See \`config.log' for more details." >&2;}
   { (exit 77); exit 77; }; }
 fi
 ac_exeext=$ac_cv_exeext
-echo "$as_me:$LINENO: result: $ac_file" >&5
+echo "$as_me:1380: result: $ac_file" >&5
 echo "${ECHO_T}$ac_file" >&6
 # Check the compiler produces executables we can run.  If not, either
 # the compiler is broken, or we cross compile.
-echo "$as_me:$LINENO: checking whether the C compiler works" >&5
+echo "$as_me:1385: checking whether the C compiler works" >&5
 echo $ECHO_N "checking whether the C compiler works... $ECHO_C" >&6
 # FIXME: These cross compiler hacks should be removed for Autoconf 3.0
 # If not cross compiling, check that we can run a simple program.
 if test "$cross_compiling" != yes; then
  if { ac_try='./$ac_file'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:1391: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:1394: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
    cross_compiling=no
  else
    if test "$cross_compiling" = maybe; then
        cross_compiling=yes
    else
-        { { echo "$as_me:$LINENO: error: cannot run C compiled programs.
+        { { echo "$as_me:1401: error: cannot run C compiled programs.
-If you meant to cross compile, use \`--host'.
+If you meant to cross compile, use \`--host'." >&5
-See \`config.log' for more details." >&5
 echo "$as_me: error: cannot run C compiled programs.
-If you meant to cross compile, use \`--host'.
+If you meant to cross compile, use \`--host'." >&2;}
-See \`config.log' for more details." >&2;}
   { (exit 1); exit 1; }; }
    fi
  fi
 fi
-echo "$as_me:$LINENO: result: yes" >&5
+echo "$as_me:1409: result: yes" >&5
 echo "${ECHO_T}yes" >&6
-rm -f a.out a.exe conftest$ac_cv_exeext b.out
+rm -f a.out a.exe conftest$ac_cv_exeext
 ac_clean_files=$ac_clean_files_save
 # Check the compiler produces executables we can run.  If not, either
 # the compiler is broken, or we cross compile.
-echo "$as_me:$LINENO: checking whether we are cross compiling" >&5
+echo "$as_me:1416: checking whether we are cross compiling" >&5
 echo $ECHO_N "checking whether we are cross compiling... $ECHO_C" >&6
-echo "$as_me:$LINENO: result: $cross_compiling" >&5
+echo "$as_me:1418: result: $cross_compiling" >&5
 echo "${ECHO_T}$cross_compiling" >&6
-echo "$as_me:$LINENO: checking for suffix of executables" >&5
+echo "$as_me:1421: checking for executable suffix" >&5
-echo $ECHO_N "checking for suffix of executables... $ECHO_C" >&6
+echo $ECHO_N "checking for executable suffix... $ECHO_C" >&6
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:1423: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:1426: \$? = $ac_status" >&5
  (exit $ac_status); }; then
  # If both `conftest.exe' and `conftest' are `present' (well, observable)
 # catch `conftest.exe'.  For instance with Cygwin, `ls conftest' will
 # work properly (i.e., refer to `conftest.exe'), while it won't with
 # `rm'.
-for ac_file in conftest.exe conftest conftest.*; do
+for ac_file in `(ls conftest.exe; ls conftest; ls conftest.*) 2>/dev/null`; do
-  test -f "$ac_file" || continue
  case $ac_file in
-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.o | *.obj ) ;;
+    *.$ac_ext | *.o | *.obj | *.xcoff | *.tds | *.d | *.pdb ) ;;
    *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
          export ac_cv_exeext
          break;;
@@ -1786,32 +1439,26 @@ for ac_file in conftest.exe conftest conftest.*; do
  esac
 done
 else
-  { { echo "$as_me:$LINENO: error: cannot compute suffix of executables: cannot compile and link
+  { { echo "$as_me:1442: error: cannot compute EXEEXT: cannot compile and link" >&5
-See \`config.log' for more details." >&5
+echo "$as_me: error: cannot compute EXEEXT: cannot compile and link" >&2;}
-echo "$as_me: error: cannot compute suffix of executables: cannot compile and link
-See \`config.log' for more details." >&2;}
   { (exit 1); exit 1; }; }
 fi
 rm -f conftest$ac_cv_exeext
-echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5
+echo "$as_me:1448: result: $ac_cv_exeext" >&5
 echo "${ECHO_T}$ac_cv_exeext" >&6
 rm -f conftest.$ac_ext
 EXEEXT=$ac_cv_exeext
 ac_exeext=$EXEEXT
-echo "$as_me:$LINENO: checking for suffix of object files" >&5
+echo "$as_me:1454: checking for object suffix" >&5
-echo $ECHO_N "checking for suffix of object files... $ECHO_C" >&6
+echo $ECHO_N "checking for object suffix... $ECHO_C" >&6
 if test "${ac_cv_objext+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 1460 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 int
 main ()
@@ -1822,47 +1469,40 @@ main ()
 }
 _ACEOF
 rm -f conftest.o conftest.obj
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:1472: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:1475: \$? = $ac_status" >&5
  (exit $ac_status); }; then
  for ac_file in `(ls conftest.o conftest.obj; ls conftest.*) 2>/dev/null`; do
  case $ac_file in
-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg ) ;;
+    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb ) ;;
    *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'`
       break;;
  esac
 done
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+{ { echo "$as_me:1487: error: cannot compute OBJEXT: cannot compile" >&5
-{ { echo "$as_me:$LINENO: error: cannot compute suffix of object files: cannot compile
+echo "$as_me: error: cannot compute OBJEXT: cannot compile" >&2;}
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot compute suffix of object files: cannot compile
-See \`config.log' for more details." >&2;}
   { (exit 1); exit 1; }; }
 fi
 rm -f conftest.$ac_cv_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_objext" >&5
+echo "$as_me:1494: result: $ac_cv_objext" >&5
 echo "${ECHO_T}$ac_cv_objext" >&6
 OBJEXT=$ac_cv_objext
 ac_objext=$OBJEXT
-echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
+echo "$as_me:1498: checking whether we are using the GNU C compiler" >&5
 echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6
 if test "${ac_cv_c_compiler_gnu+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 1504 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 int
 main ()
@@ -1876,46 +1516,41 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:1519: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:1522: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:1525: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:1528: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_compiler_gnu=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_compiler_gnu=no
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 ac_cv_c_compiler_gnu=$ac_compiler_gnu
 fi
-echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
+echo "$as_me:1540: result: $ac_cv_c_compiler_gnu" >&5
 echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6
 GCC=`test $ac_compiler_gnu = yes && echo yes`
 ac_test_CFLAGS=${CFLAGS+set}
 ac_save_CFLAGS=$CFLAGS
 CFLAGS="-g"
-echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
+echo "$as_me:1546: checking whether $CC accepts -g" >&5
 echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6
 if test "${ac_cv_prog_cc_g+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 1552 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 int
 main ()
@@ -1926,27 +1561,26 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:1564: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:1567: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:1570: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:1573: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_prog_cc_g=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_prog_cc_g=no
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
+echo "$as_me:1583: result: $ac_cv_prog_cc_g" >&5
 echo "${ECHO_T}$ac_cv_prog_cc_g" >&6
 if test "$ac_test_CFLAGS" = set; then
  CFLAGS=$ac_save_CFLAGS
@@ -1963,102 +1597,6 @@ else
    CFLAGS=
  fi
 fi
-echo "$as_me:$LINENO: checking for $CC option to accept ANSI C" >&5
-echo $ECHO_N "checking for $CC option to accept ANSI C... $ECHO_C" >&6
-if test "${ac_cv_prog_cc_stdc+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_cv_prog_cc_stdc=no
-ac_save_CC=$CC
-cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <stdarg.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-/* Most of the following tests are stolen from RCS 5.7's src/conf.sh.  */
-struct buf { int x; };
-FILE * (*rcsopen) (struct buf *, struct stat *, int);
-static char *e (p, i)
-     char **p;
-     int i;
-{
-  return p[i];
-}
-static char *f (char * (*g) (char **, int), char **p, ...)
-{
-  char *s;
-  va_list v;
-  va_start (v,p);
-  s = g (p, va_arg (v,int));
-  va_end (v);
-  return s;
-}
-int test (int i, double x);
-struct s1 {int (*f) (int a);};
-struct s2 {int (*f) (double a);};
-int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int);
-int argc;
-char **argv;
-int
-main ()
-{
-return f (e, argv, 0) != argv[0]  ||  f (e, argv, 1) != argv[1];
-  ;
-  return 0;
-}
-_ACEOF
-# Don't try gcc -ansi; that turns off useful extensions and
-# breaks some systems' header files.
-# AIX                   -qlanglvl=ansi
-# Ultrix and OSF/1      -std1
-# HP-UX 10.20 and later -Ae
-# HP-UX older versions  -Aa -D_HPUX_SOURCE
-# SVR4                  -Xc -D__EXTENSIONS__
-for ac_arg in "" -qlanglvl=ansi -std1 -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
-do
-  CC="$ac_save_CC $ac_arg"
-  rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_prog_cc_stdc=$ac_arg
-break
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-fi
-rm -f conftest.$ac_objext
-done
-rm -f conftest.$ac_ext conftest.$ac_objext
-CC=$ac_save_CC
-fi
-case "x$ac_cv_prog_cc_stdc" in
-  x|xno)
-    echo "$as_me:$LINENO: result: none needed" >&5
-echo "${ECHO_T}none needed" >&6 ;;
-  *)
-    echo "$as_me:$LINENO: result: $ac_cv_prog_cc_stdc" >&5
-echo "${ECHO_T}$ac_cv_prog_cc_stdc" >&6
-    CC="$CC $ac_cv_prog_cc_stdc" ;;
-esac
 # Some people use a C++ compiler to compile C.  Since we use `exit',
 # in C++ we need to declare it.  In case someone uses the same compiler
 # for both compiling C and C++ we need to have the C++ compiler decide
@@ -2069,16 +1607,16 @@ cat >conftest.$ac_ext <<_ACEOF
 #endif
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:1610: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:1613: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:1616: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:1619: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  for ac_declaration in \
   ''\
@@ -2090,12 +1628,8 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   'void exit (int);'
 do
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 1631 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <stdlib.h>
 $ac_declaration
 int
@@ -2107,32 +1641,27 @@ exit (42);
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:1644: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:1647: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:1650: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:1653: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  :
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 continue
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 1663 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_declaration
 int
 main ()
@@ -2143,22 +1672,21 @@ exit (42);
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:1675: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:1678: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:1681: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:1684: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  break
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 done
@@ -2171,8 +1699,7 @@ fi
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 ac_ext=c
@@ -2198,7 +1725,7 @@ for ac_dir in $srcdir $srcdir/.. $srcdir/../..; do
  fi
 done
 if test -z "$ac_aux_dir"; then
-  { { echo "$as_me:$LINENO: error: cannot find install-sh or install.sh in $srcdir $srcdir/.. $srcdir/../.." >&5
+  { { echo "$as_me:1728: error: cannot find install-sh or install.sh in $srcdir $srcdir/.. $srcdir/../.." >&5
 echo "$as_me: error: cannot find install-sh or install.sh in $srcdir $srcdir/.. $srcdir/../.." >&2;}
   { (exit 1); exit 1; }; }
 fi
@@ -2208,11 +1735,11 @@ ac_configure="$SHELL $ac_aux_dir/configure" # This should be Cygnus configure.
 # Make sure we can run config.sub.
 $ac_config_sub sun4 >/dev/null 2>&1 ||
-  { { echo "$as_me:$LINENO: error: cannot run $ac_config_sub" >&5
+  { { echo "$as_me:1738: error: cannot run $ac_config_sub" >&5
 echo "$as_me: error: cannot run $ac_config_sub" >&2;}
   { (exit 1); exit 1; }; }
-echo "$as_me:$LINENO: checking build system type" >&5
+echo "$as_me:1742: checking build system type" >&5
 echo $ECHO_N "checking build system type... $ECHO_C" >&6
 if test "${ac_cv_build+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -2221,24 +1748,23 @@ else
 test -z "$ac_cv_build_alias" &&
  ac_cv_build_alias=`$ac_config_guess`
 test -z "$ac_cv_build_alias" &&
-  { { echo "$as_me:$LINENO: error: cannot guess build type; you must specify one" >&5
+  { { echo "$as_me:1751: error: cannot guess build type; you must specify one" >&5
 echo "$as_me: error: cannot guess build type; you must specify one" >&2;}
   { (exit 1); exit 1; }; }
 ac_cv_build=`$ac_config_sub $ac_cv_build_alias` ||
-  { { echo "$as_me:$LINENO: error: $ac_config_sub $ac_cv_build_alias failed" >&5
+  { { echo "$as_me:1755: error: $ac_config_sub $ac_cv_build_alias failed." >&5
-echo "$as_me: error: $ac_config_sub $ac_cv_build_alias failed" >&2;}
+echo "$as_me: error: $ac_config_sub $ac_cv_build_alias failed." >&2;}
   { (exit 1); exit 1; }; }
 fi
-echo "$as_me:$LINENO: result: $ac_cv_build" >&5
+echo "$as_me:1760: result: $ac_cv_build" >&5
 echo "${ECHO_T}$ac_cv_build" >&6
 build=$ac_cv_build
 build_cpu=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
 build_vendor=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
 build_os=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`
+echo "$as_me:1767: checking host system type" >&5
-echo "$as_me:$LINENO: checking host system type" >&5
 echo $ECHO_N "checking host system type... $ECHO_C" >&6
 if test "${ac_cv_host+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -2247,33 +1773,28 @@ else
 test -z "$ac_cv_host_alias" &&
  ac_cv_host_alias=$ac_cv_build_alias
 ac_cv_host=`$ac_config_sub $ac_cv_host_alias` ||
-  { { echo "$as_me:$LINENO: error: $ac_config_sub $ac_cv_host_alias failed" >&5
+  { { echo "$as_me:1776: error: $ac_config_sub $ac_cv_host_alias failed" >&5
 echo "$as_me: error: $ac_config_sub $ac_cv_host_alias failed" >&2;}
   { (exit 1); exit 1; }; }
 fi
-echo "$as_me:$LINENO: result: $ac_cv_host" >&5
+echo "$as_me:1781: result: $ac_cv_host" >&5
 echo "${ECHO_T}$ac_cv_host" >&6
 host=$ac_cv_host
 host_cpu=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
 host_vendor=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
 host_os=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`
+echo "$as_me:1788: checking whether byte ordering is bigendian" >&5
-echo "$as_me:$LINENO: checking whether byte ordering is bigendian" >&5
 echo $ECHO_N "checking whether byte ordering is bigendian... $ECHO_C" >&6
 if test "${ac_cv_c_bigendian+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  # See if sys/param.h defines the BYTE_ORDER macro.
+  ac_cv_c_bigendian=unknown
+# See if sys/param.h defines the BYTE_ORDER macro.
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 1796 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
 #include <sys/param.h>
@@ -2289,25 +1810,21 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:1813: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:1816: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:1819: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:1822: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  # It does; now see whether it defined to BIG_ENDIAN or not.
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 1826 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
 #include <sys/param.h>
@@ -2323,91 +1840,38 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:1843: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:1846: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:1849: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:1852: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_c_bigendian=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_c_bigendian=no
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
-# It does not; compile a test program.
-if test "$cross_compiling" = yes; then
-  # try to guess the endianness by grepping values into an object file
-  ac_cv_c_bigendian=unknown
-  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-short ascii_mm[] = { 0x4249, 0x4765, 0x6E44, 0x6961, 0x6E53, 0x7953, 0 };
-short ascii_ii[] = { 0x694C, 0x5454, 0x656C, 0x6E45, 0x6944, 0x6E61, 0 };
-void _ascii () { char *s = (char *) ascii_mm; s = (char *) ascii_ii; }
-short ebcdic_ii[] = { 0x89D3, 0xE3E3, 0x8593, 0x95C5, 0x89C4, 0x9581, 0 };
-short ebcdic_mm[] = { 0xC2C9, 0xC785, 0x95C4, 0x8981, 0x95E2, 0xA8E2, 0 };
-void _ebcdic () { char *s = (char *) ebcdic_mm; s = (char *) ebcdic_ii; }
-int
-main ()
-{
- _ascii (); _ebcdic ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  if grep BIGenDianSyS conftest.$ac_objext >/dev/null ; then
-  ac_cv_c_bigendian=yes
-fi
-if grep LiTTleEnDian conftest.$ac_objext >/dev/null ; then
-  if test "$ac_cv_c_bigendian" = unknown; then
-    ac_cv_c_bigendian=no
-  else
-    # finding both strings is unlikely to happen, but who knows?
-    ac_cv_c_bigendian=unknown
-  fi
-fi
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
+if test $ac_cv_c_bigendian = unknown; then
+if test "$cross_compiling" = yes; then
+  { { echo "$as_me:1868: error: cannot run test program while cross compiling" >&5
+echo "$as_me: error: cannot run test program while cross compiling" >&2;}
+   { (exit 1); exit 1; }; }
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 1873 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 int
 main ()
 {
@@ -2422,57 +1886,81 @@ main ()
 }
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:1889: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:1892: \$? = $ac_status" >&5
  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:1894: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:1897: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_c_bigendian=no
 else
  echo "$as_me: program exited with status $ac_status" >&5
 echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
-( exit $ac_status )
 ac_cv_c_bigendian=yes
 fi
-rm -f core core.* *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 fi
-rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_c_bigendian" >&5
+echo "$as_me:1910: result: $ac_cv_c_bigendian" >&5
 echo "${ECHO_T}$ac_cv_c_bigendian" >&6
-case $ac_cv_c_bigendian in
+if test $ac_cv_c_bigendian = yes; then
-  yes)
-cat >>confdefs.h <<\_ACEOF
+cat >>confdefs.h <<\EOF
 #define WORDS_BIGENDIAN 1
-_ACEOF
+EOF
- ;;
-  no)
-     ;;
-  *)
-    { { echo "$as_me:$LINENO: error: unknown endianness
-presetting ac_cv_c_bigendian=no (or yes) will help" >&5
-echo "$as_me: error: unknown endianness
-presetting ac_cv_c_bigendian=no (or yes) will help" >&2;}
-   { (exit 1); exit 1; }; } ;;
-esac
+fi
 # Checks for programs.
+for ac_prog in mawk gawk nawk awk
+do
+  # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+echo "$as_me:1925: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_AWK+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if test -n "$AWK"; then
+  ac_cv_prog_AWK="$AWK" # Let the user override the test.
+else
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
+ac_dummy="$PATH"
+for ac_dir in $ac_dummy; do
+  IFS=$ac_save_IFS
+  test -z "$ac_dir" && ac_dir=.
+  $as_executable_p "$ac_dir/$ac_word" || continue
+ac_cv_prog_AWK="$ac_prog"
+echo "$as_me:1940: found $ac_dir/$ac_word" >&5
+break
+done
+fi
+fi
+AWK=$ac_cv_prog_AWK
+if test -n "$AWK"; then
+  echo "$as_me:1948: result: $AWK" >&5
+echo "${ECHO_T}$AWK" >&6
+else
+  echo "$as_me:1951: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+  test -n "$AWK" && break
+done
 ac_ext=c
 ac_cpp='$CPP $CPPFLAGS'
 ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
 ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
-echo "$as_me:$LINENO: checking how to run the C preprocessor" >&5
+echo "$as_me:1963: checking how to run the C preprocessor" >&5
 echo $ECHO_N "checking how to run the C preprocessor... $ECHO_C" >&6
 # On Suns, sometimes $CPP names a directory.
 if test -n "$CPP" && test -d "$CPP"; then
@@ -2490,31 +1978,21 @@ for ac_c_preproc_warn_flag in '' yes
 do
  # Use a header file that comes with gcc, so configuring glibc
  # with a fresh cross-compiler works.
-  # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-  # <limits.h> exists even on freestanding compilers.
  # On the NeXT, cc -E runs the code through the compiler's parser,
  # not just through cpp. "Syntax error" is here to catch this case.
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 1984 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
+#include <assert.h>
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
                     Syntax error
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
+if { (eval echo "$as_me:1989: \"$ac_cpp conftest.$ac_ext\"") >&5
  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
+  egrep -v '^ *\+' conftest.er1 >conftest.err
  rm -f conftest.er1
  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:1995: \$? = $ac_status" >&5
  (exit $ac_status); } >/dev/null; then
  if test -s conftest.err; then
    ac_cpp_err=$ac_c_preproc_warn_flag
@@ -2528,8 +2006,7 @@ if test -z "$ac_cpp_err"; then
  :
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+  cat conftest.$ac_ext >&5
  # Broken: fails on valid input.
 continue
 fi
@@ -2538,21 +2015,17 @@ rm -f conftest.err conftest.$ac_ext
  # OK, works on sane cases.  Now check whether non-existent headers
  # can be detected and how.
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 2018 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <ac_nonexistent.h>
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
+if { (eval echo "$as_me:2022: \"$ac_cpp conftest.$ac_ext\"") >&5
  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
+  egrep -v '^ *\+' conftest.er1 >conftest.err
  rm -f conftest.er1
  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:2028: \$? = $ac_status" >&5
  (exit $ac_status); } >/dev/null; then
  if test -s conftest.err; then
    ac_cpp_err=$ac_c_preproc_warn_flag
@@ -2567,8 +2040,7 @@ if test -z "$ac_cpp_err"; then
 continue
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+  cat conftest.$ac_ext >&5
  # Passes both tests.
 ac_preproc_ok=:
 break
@@ -2590,38 +2062,28 @@ fi
 else
  ac_cv_prog_CPP=$CPP
 fi
-echo "$as_me:$LINENO: result: $CPP" >&5
+echo "$as_me:2065: result: $CPP" >&5
 echo "${ECHO_T}$CPP" >&6
 ac_preproc_ok=false
 for ac_c_preproc_warn_flag in '' yes
 do
  # Use a header file that comes with gcc, so configuring glibc
  # with a fresh cross-compiler works.
-  # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
-  # <limits.h> exists even on freestanding compilers.
  # On the NeXT, cc -E runs the code through the compiler's parser,
  # not just through cpp. "Syntax error" is here to catch this case.
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 2075 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
+#include <assert.h>
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
                     Syntax error
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
+if { (eval echo "$as_me:2080: \"$ac_cpp conftest.$ac_ext\"") >&5
  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
+  egrep -v '^ *\+' conftest.er1 >conftest.err
  rm -f conftest.er1
  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:2086: \$? = $ac_status" >&5
  (exit $ac_status); } >/dev/null; then
  if test -s conftest.err; then
    ac_cpp_err=$ac_c_preproc_warn_flag
@@ -2635,8 +2097,7 @@ if test -z "$ac_cpp_err"; then
  :
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+  cat conftest.$ac_ext >&5
  # Broken: fails on valid input.
 continue
 fi
@@ -2645,21 +2106,17 @@ rm -f conftest.err conftest.$ac_ext
  # OK, works on sane cases.  Now check whether non-existent headers
  # can be detected and how.
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 2109 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <ac_nonexistent.h>
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
+if { (eval echo "$as_me:2113: \"$ac_cpp conftest.$ac_ext\"") >&5
  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
+  egrep -v '^ *\+' conftest.er1 >conftest.err
  rm -f conftest.er1
  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:2119: \$? = $ac_status" >&5
  (exit $ac_status); } >/dev/null; then
  if test -s conftest.err; then
    ac_cpp_err=$ac_c_preproc_warn_flag
@@ -2674,8 +2131,7 @@ if test -z "$ac_cpp_err"; then
 continue
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+  cat conftest.$ac_ext >&5
  # Passes both tests.
 ac_preproc_ok=:
 break
@@ -2688,10 +2144,8 @@ rm -f conftest.err conftest.$ac_ext
 if $ac_preproc_ok; then
  :
 else
-  { { echo "$as_me:$LINENO: error: C preprocessor \"$CPP\" fails sanity check
+  { { echo "$as_me:2147: error: C preprocessor \"$CPP\" fails sanity check" >&5
-See \`config.log' for more details." >&5
+echo "$as_me: error: C preprocessor \"$CPP\" fails sanity check" >&2;}
-echo "$as_me: error: C preprocessor \"$CPP\" fails sanity check
-See \`config.log' for more details." >&2;}
   { (exit 1); exit 1; }; }
 fi
@@ -2704,7 +2158,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 if test -n "$ac_tool_prefix"; then
  # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args.
 set dummy ${ac_tool_prefix}ranlib; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:2161: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_prog_RANLIB+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -2712,28 +2166,25 @@ else
  if test -n "$RANLIB"; then
  ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test.
 else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  $as_executable_p "$ac_dir/$ac_word" || continue
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib"
-    ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib"
+echo "$as_me:2176: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+break
-    break 2
-  fi
-done
 done
 fi
 fi
 RANLIB=$ac_cv_prog_RANLIB
 if test -n "$RANLIB"; then
-  echo "$as_me:$LINENO: result: $RANLIB" >&5
+  echo "$as_me:2184: result: $RANLIB" >&5
 echo "${ECHO_T}$RANLIB" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:2187: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -2742,7 +2193,7 @@ if test -z "$ac_cv_prog_RANLIB"; then
  ac_ct_RANLIB=$RANLIB
  # Extract the first word of "ranlib", so it can be a program name with args.
 set dummy ranlib; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:2196: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -2750,18 +2201,15 @@ else
  if test -n "$ac_ct_RANLIB"; then
  ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test.
 else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  $as_executable_p "$ac_dir/$ac_word" || continue
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ac_cv_prog_ac_ct_RANLIB="ranlib"
-    ac_cv_prog_ac_ct_RANLIB="ranlib"
+echo "$as_me:2211: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+break
-    break 2
-  fi
-done
 done
  test -z "$ac_cv_prog_ac_ct_RANLIB" && ac_cv_prog_ac_ct_RANLIB=":"
@@ -2769,10 +2217,10 @@ fi
 fi
 ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB
 if test -n "$ac_ct_RANLIB"; then
-  echo "$as_me:$LINENO: result: $ac_ct_RANLIB" >&5
+  echo "$as_me:2220: result: $ac_ct_RANLIB" >&5
 echo "${ECHO_T}$ac_ct_RANLIB" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:2223: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -2793,48 +2241,43 @@ fi
 # AFS /usr/afsws/bin/install, which mishandles nonexistent args
 # SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
 # ./install, which can be erroneously created by make from ./install.sh.
-echo "$as_me:$LINENO: checking for a BSD-compatible install" >&5
+echo "$as_me:2244: checking for a BSD compatible install" >&5
-echo $ECHO_N "checking for a BSD-compatible install... $ECHO_C" >&6
+echo $ECHO_N "checking for a BSD compatible install... $ECHO_C" >&6
 if test -z "$INSTALL"; then
 if test "${ac_cv_path_install+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+    ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+  for ac_dir in $PATH; do
-do
+    IFS=$ac_save_IFS
-  IFS=$as_save_IFS
+    # Account for people who put trailing slashes in PATH elements.
-  test -z "$as_dir" && as_dir=.
+    case $ac_dir/ in
-  # Account for people who put trailing slashes in PATH elements.
+    / | ./ | .// | /cC/* \
-case $as_dir/ in
+    | /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* \
-  ./ | .// | /cC/* | \
+    | /usr/ucb/* ) ;;
-  /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \
+    *)
-  /usr/ucb/* ) ;;
+      # OSF1 and SCO ODT 3.0 have their own names for install.
-  *)
+      # Don't use installbsd from OSF since it installs stuff as root
-    # OSF1 and SCO ODT 3.0 have their own names for install.
+      # by default.
-    # Don't use installbsd from OSF since it installs stuff as root
+      for ac_prog in ginstall scoinst install; do
-    # by default.
+        if $as_executable_p "$ac_dir/$ac_prog"; then
-    for ac_prog in ginstall scoinst install; do
+          if test $ac_prog = install &&
-      for ac_exec_ext in '' $ac_executable_extensions; do
+            grep dspmsg "$ac_dir/$ac_prog" >/dev/null 2>&1; then
-        if $as_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then
+            # AIX install.  It has an incompatible calling convention.
-          if test $ac_prog = install &&
+            :
-            grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
+          elif test $ac_prog = install &&
-            # AIX install.  It has an incompatible calling convention.
+            grep pwplus "$ac_dir/$ac_prog" >/dev/null 2>&1; then
-            :
+            # program-specific install script used by HP pwplus--don't use.
-          elif test $ac_prog = install &&
+            :
-            grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
+          else
-            # program-specific install script used by HP pwplus--don't use.
+            ac_cv_path_install="$ac_dir/$ac_prog -c"
-            :
+            break 2
-          else
+          fi
-            ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c"
+        fi
-            break 3
-          fi
-        fi
      done
-    done
+      ;;
-    ;;
+    esac
-esac
+  done
-done
 fi
  if test "${ac_cv_path_install+set}" = set; then
@@ -2847,7 +2290,7 @@ fi
    INSTALL=$ac_install_sh
  fi
 fi
-echo "$as_me:$LINENO: result: $INSTALL" >&5
+echo "$as_me:2293: result: $INSTALL" >&5
 echo "${ECHO_T}$INSTALL" >&6
 # Use test -z because SunOS4 sh mishandles braces in ${var-val}.
@@ -2860,7 +2303,7 @@ test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
 # Extract the first word of "ar", so it can be a program name with args.
 set dummy ar; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:2306: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_path_AR+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -2870,18 +2313,16 @@ else
  ac_cv_path_AR="$AR" # Let the user override the test with a path.
  ;;
  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  if $as_executable_p "$ac_dir/$ac_word"; then
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+   ac_cv_path_AR="$ac_dir/$ac_word"
-    ac_cv_path_AR="$as_dir/$ac_word$ac_exec_ext"
+   echo "$as_me:2323: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+   break
-    break 2
+fi
-  fi
-done
 done
  ;;
@@ -2890,10 +2331,10 @@ fi
 AR=$ac_cv_path_AR
 if test -n "$AR"; then
-  echo "$as_me:$LINENO: result: $AR" >&5
+  echo "$as_me:2334: result: $AR" >&5
 echo "${ECHO_T}$AR" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:2337: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -2901,7 +2342,7 @@ for ac_prog in perl5 perl
 do
  # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:2345: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_path_PERL+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -2911,18 +2352,16 @@ else
  ac_cv_path_PERL="$PERL" # Let the user override the test with a path.
  ;;
  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  if $as_executable_p "$ac_dir/$ac_word"; then
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+   ac_cv_path_PERL="$ac_dir/$ac_word"
-    ac_cv_path_PERL="$as_dir/$ac_word$ac_exec_ext"
+   echo "$as_me:2362: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+   break
-    break 2
+fi
-  fi
-done
 done
  ;;
@@ -2931,10 +2370,10 @@ fi
 PERL=$ac_cv_path_PERL
 if test -n "$PERL"; then
-  echo "$as_me:$LINENO: result: $PERL" >&5
+  echo "$as_me:2373: result: $PERL" >&5
 echo "${ECHO_T}$PERL" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:2376: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -2943,7 +2382,7 @@ done
 # Extract the first word of "sed", so it can be a program name with args.
 set dummy sed; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:2385: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_path_SED+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -2953,18 +2392,16 @@ else
  ac_cv_path_SED="$SED" # Let the user override the test with a path.
  ;;
  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  if $as_executable_p "$ac_dir/$ac_word"; then
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+   ac_cv_path_SED="$ac_dir/$ac_word"
-    ac_cv_path_SED="$as_dir/$ac_word$ac_exec_ext"
+   echo "$as_me:2402: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+   break
-    break 2
+fi
-  fi
-done
 done
  ;;
@@ -2973,17 +2410,16 @@ fi
 SED=$ac_cv_path_SED
 if test -n "$SED"; then
-  echo "$as_me:$LINENO: result: $SED" >&5
+  echo "$as_me:2413: result: $SED" >&5
 echo "${ECHO_T}$SED" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:2416: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
 # Extract the first word of "ent", so it can be a program name with args.
 set dummy ent; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:2422: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_path_ENT+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -2993,18 +2429,16 @@ else
  ac_cv_path_ENT="$ENT" # Let the user override the test with a path.
  ;;
  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  if $as_executable_p "$ac_dir/$ac_word"; then
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+   ac_cv_path_ENT="$ac_dir/$ac_word"
-    ac_cv_path_ENT="$as_dir/$ac_word$ac_exec_ext"
+   echo "$as_me:2439: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+   break
-    break 2
+fi
-  fi
-done
 done
  ;;
@@ -3013,17 +2447,16 @@ fi
 ENT=$ac_cv_path_ENT
 if test -n "$ENT"; then
-  echo "$as_me:$LINENO: result: $ENT" >&5
+  echo "$as_me:2450: result: $ENT" >&5
 echo "${ECHO_T}$ENT" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:2453: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
 # Extract the first word of "bash", so it can be a program name with args.
 set dummy bash; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:2459: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_path_TEST_MINUS_S_SH+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -3033,18 +2466,16 @@ else
  ac_cv_path_TEST_MINUS_S_SH="$TEST_MINUS_S_SH" # Let the user override the test with a path.
  ;;
  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  if $as_executable_p "$ac_dir/$ac_word"; then
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+   ac_cv_path_TEST_MINUS_S_SH="$ac_dir/$ac_word"
-    ac_cv_path_TEST_MINUS_S_SH="$as_dir/$ac_word$ac_exec_ext"
+   echo "$as_me:2476: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+   break
-    break 2
+fi
-  fi
-done
 done
  ;;
@@ -3053,16 +2484,16 @@ fi
 TEST_MINUS_S_SH=$ac_cv_path_TEST_MINUS_S_SH
 if test -n "$TEST_MINUS_S_SH"; then
-  echo "$as_me:$LINENO: result: $TEST_MINUS_S_SH" >&5
+  echo "$as_me:2487: result: $TEST_MINUS_S_SH" >&5
 echo "${ECHO_T}$TEST_MINUS_S_SH" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:2490: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
 # Extract the first word of "ksh", so it can be a program name with args.
 set dummy ksh; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:2496: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_path_TEST_MINUS_S_SH+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -3072,18 +2503,16 @@ else
  ac_cv_path_TEST_MINUS_S_SH="$TEST_MINUS_S_SH" # Let the user override the test with a path.
  ;;
  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  if $as_executable_p "$ac_dir/$ac_word"; then
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+   ac_cv_path_TEST_MINUS_S_SH="$ac_dir/$ac_word"
-    ac_cv_path_TEST_MINUS_S_SH="$as_dir/$ac_word$ac_exec_ext"
+   echo "$as_me:2513: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+   break
-    break 2
+fi
-  fi
-done
 done
  ;;
@@ -3092,16 +2521,16 @@ fi
 TEST_MINUS_S_SH=$ac_cv_path_TEST_MINUS_S_SH
 if test -n "$TEST_MINUS_S_SH"; then
-  echo "$as_me:$LINENO: result: $TEST_MINUS_S_SH" >&5
+  echo "$as_me:2524: result: $TEST_MINUS_S_SH" >&5
 echo "${ECHO_T}$TEST_MINUS_S_SH" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:2527: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
 # Extract the first word of "sh", so it can be a program name with args.
 set dummy sh; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:2533: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_path_TEST_MINUS_S_SH+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -3111,18 +2540,16 @@ else
  ac_cv_path_TEST_MINUS_S_SH="$TEST_MINUS_S_SH" # Let the user override the test with a path.
  ;;
  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  if $as_executable_p "$ac_dir/$ac_word"; then
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+   ac_cv_path_TEST_MINUS_S_SH="$ac_dir/$ac_word"
-    ac_cv_path_TEST_MINUS_S_SH="$as_dir/$ac_word$ac_exec_ext"
+   echo "$as_me:2550: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+   break
-    break 2
+fi
-  fi
-done
 done
  ;;
@@ -3131,16 +2558,16 @@ fi
 TEST_MINUS_S_SH=$ac_cv_path_TEST_MINUS_S_SH
 if test -n "$TEST_MINUS_S_SH"; then
-  echo "$as_me:$LINENO: result: $TEST_MINUS_S_SH" >&5
+  echo "$as_me:2561: result: $TEST_MINUS_S_SH" >&5
 echo "${ECHO_T}$TEST_MINUS_S_SH" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:2564: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
 # Extract the first word of "sh", so it can be a program name with args.
 set dummy sh; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:2570: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_path_SH+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -3150,18 +2577,16 @@ else
  ac_cv_path_SH="$SH" # Let the user override the test with a path.
  ;;
  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  if $as_executable_p "$ac_dir/$ac_word"; then
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+   ac_cv_path_SH="$ac_dir/$ac_word"
-    ac_cv_path_SH="$as_dir/$ac_word$ac_exec_ext"
+   echo "$as_me:2587: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+   break
-    break 2
+fi
-  fi
-done
 done
  ;;
@@ -3170,14 +2595,13 @@ fi
 SH=$ac_cv_path_SH
 if test -n "$SH"; then
-  echo "$as_me:$LINENO: result: $SH" >&5
+  echo "$as_me:2598: result: $SH" >&5
 echo "${ECHO_T}$SH" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:2601: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
 # System features
 # Check whether --enable-largefile or --disable-largefile was given.
 if test "${enable_largefile+set}" = set; then
@@ -3186,7 +2610,7 @@ if test "${enable_largefile+set}" = set; then
 fi;
 if test "$enable_largefile" != no; then
-  echo "$as_me:$LINENO: checking for special C compiler options needed for large files" >&5
+  echo "$as_me:2613: checking for special C compiler options needed for large files" >&5
 echo $ECHO_N "checking for special C compiler options needed for large files... $ECHO_C" >&6
 if test "${ac_cv_sys_largefile_CC+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -3198,12 +2622,8 @@ else
         # IRIX 6.2 and later do not support large files by default,
         # so use the C compiler's -n32 option if that helps.
         cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 2625 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
 /* Check that off_t can represent 2**63 - 1 correctly.
    We can't simply define LARGE_OFF_T to be 9223372036854775807,
@@ -3222,42 +2642,40 @@ main ()
 }
 _ACEOF
         rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:2645: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:2648: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:2651: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:2654: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  break
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 fi
 rm -f conftest.$ac_objext
         CC="$CC -n32"
         rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:2664: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:2667: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:2670: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:2673: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_sys_largefile_CC=' -n32'; break
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 fi
 rm -f conftest.$ac_objext
         break
@@ -3266,13 +2684,13 @@ rm -f conftest.$ac_objext
       rm -f conftest.$ac_ext
    fi
 fi
-echo "$as_me:$LINENO: result: $ac_cv_sys_largefile_CC" >&5
+echo "$as_me:2687: result: $ac_cv_sys_largefile_CC" >&5
 echo "${ECHO_T}$ac_cv_sys_largefile_CC" >&6
  if test "$ac_cv_sys_largefile_CC" != no; then
    CC=$CC$ac_cv_sys_largefile_CC
  fi
-  echo "$as_me:$LINENO: checking for _FILE_OFFSET_BITS value needed for large files" >&5
+  echo "$as_me:2693: checking for _FILE_OFFSET_BITS value needed for large files" >&5
 echo $ECHO_N "checking for _FILE_OFFSET_BITS value needed for large files... $ECHO_C" >&6
 if test "${ac_cv_sys_file_offset_bits+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -3280,12 +2698,8 @@ else
  while :; do
  ac_cv_sys_file_offset_bits=no
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 2701 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
 /* Check that off_t can represent 2**63 - 1 correctly.
    We can't simply define LARGE_OFF_T to be 9223372036854775807,
@@ -3304,31 +2718,26 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:2721: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:2724: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:2727: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:2730: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  break
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 2739 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #define _FILE_OFFSET_BITS 64
 #include <sys/types.h>
 /* Check that off_t can represent 2**63 - 1 correctly.
@@ -3348,38 +2757,37 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:2760: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:2763: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:2766: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:2769: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_sys_file_offset_bits=64; break
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
  break
 done
 fi
-echo "$as_me:$LINENO: result: $ac_cv_sys_file_offset_bits" >&5
+echo "$as_me:2780: result: $ac_cv_sys_file_offset_bits" >&5
 echo "${ECHO_T}$ac_cv_sys_file_offset_bits" >&6
 if test "$ac_cv_sys_file_offset_bits" != no; then
-cat >>confdefs.h <<_ACEOF
+cat >>confdefs.h <<EOF
 #define _FILE_OFFSET_BITS $ac_cv_sys_file_offset_bits
-_ACEOF
+EOF
 fi
 rm -f conftest*
-  echo "$as_me:$LINENO: checking for _LARGE_FILES value needed for large files" >&5
+  echo "$as_me:2790: checking for _LARGE_FILES value needed for large files" >&5
 echo $ECHO_N "checking for _LARGE_FILES value needed for large files... $ECHO_C" >&6
 if test "${ac_cv_sys_large_files+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -3387,12 +2795,8 @@ else
  while :; do
  ac_cv_sys_large_files=no
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 2798 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
 /* Check that off_t can represent 2**63 - 1 correctly.
    We can't simply define LARGE_OFF_T to be 9223372036854775807,
@@ -3411,31 +2815,26 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:2818: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:2821: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:2824: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:2827: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  break
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 2836 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #define _LARGE_FILES 1
 #include <sys/types.h>
 /* Check that off_t can represent 2**63 - 1 correctly.
@@ -3455,57 +2854,55 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:2857: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:2860: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:2863: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:2866: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_sys_large_files=1; break
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
  break
 done
 fi
-echo "$as_me:$LINENO: result: $ac_cv_sys_large_files" >&5
+echo "$as_me:2877: result: $ac_cv_sys_large_files" >&5
 echo "${ECHO_T}$ac_cv_sys_large_files" >&6
 if test "$ac_cv_sys_large_files" != no; then
-cat >>confdefs.h <<_ACEOF
+cat >>confdefs.h <<EOF
 #define _LARGE_FILES $ac_cv_sys_large_files
-_ACEOF
+EOF
 fi
 rm -f conftest*
 fi
 if test -z "$AR" ; then
-        { { echo "$as_me:$LINENO: error: *** 'ar' missing, please install or fix your \$PATH ***" >&5
+        { { echo "$as_me:2890: error: *** 'ar' missing, please install or fix your \$PATH ***" >&5
 echo "$as_me: error: *** 'ar' missing, please install or fix your \$PATH ***" >&2;}
   { (exit 1); exit 1; }; }
 fi
 # Use LOGIN_PROGRAM from environment if possible
 if test ! -z "$LOGIN_PROGRAM" ; then
-        cat >>confdefs.h <<_ACEOF
+        cat >>confdefs.h <<EOF
 #define LOGIN_PROGRAM_FALLBACK "$LOGIN_PROGRAM"
-_ACEOF
+EOF
 else
        # Search for login
        # Extract the first word of "login", so it can be a program name with args.
 set dummy login; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:2905: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_path_LOGIN_PROGRAM_FALLBACK+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -3515,18 +2912,16 @@ else
  ac_cv_path_LOGIN_PROGRAM_FALLBACK="$LOGIN_PROGRAM_FALLBACK" # Let the user override the test with a path.
  ;;
  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  if $as_executable_p "$ac_dir/$ac_word"; then
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+   ac_cv_path_LOGIN_PROGRAM_FALLBACK="$ac_dir/$ac_word"
-    ac_cv_path_LOGIN_PROGRAM_FALLBACK="$as_dir/$ac_word$ac_exec_ext"
+   echo "$as_me:2922: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+   break
-    break 2
+fi
-  fi
-done
 done
  ;;
@@ -3535,17 +2930,17 @@ fi
 LOGIN_PROGRAM_FALLBACK=$ac_cv_path_LOGIN_PROGRAM_FALLBACK
 if test -n "$LOGIN_PROGRAM_FALLBACK"; then
-  echo "$as_me:$LINENO: result: $LOGIN_PROGRAM_FALLBACK" >&5
+  echo "$as_me:2933: result: $LOGIN_PROGRAM_FALLBACK" >&5
 echo "${ECHO_T}$LOGIN_PROGRAM_FALLBACK" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:2936: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
        if test ! -z "$LOGIN_PROGRAM_FALLBACK" ; then
-                cat >>confdefs.h <<_ACEOF
+                cat >>confdefs.h <<EOF
 #define LOGIN_PROGRAM_FALLBACK "$LOGIN_PROGRAM_FALLBACK"
-_ACEOF
+EOF
        fi
 fi
@@ -3554,8 +2949,98 @@ if test -z "$LD" ; then
        LD=$CC
 fi
+echo "$as_me:2952: checking for $CC option to accept ANSI C" >&5
+echo $ECHO_N "checking for $CC option to accept ANSI C... $ECHO_C" >&6
+if test "${ac_cv_prog_cc_stdc+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_cv_prog_cc_stdc=no
+ac_save_CC=$CC
+cat >conftest.$ac_ext <<_ACEOF
+#line 2960 "configure"
+#include "confdefs.h"
+#include <stdarg.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+/* Most of the following tests are stolen from RCS 5.7's src/conf.sh.  */
+struct buf { int x; };
+FILE * (*rcsopen) (struct buf *, struct stat *, int);
+static char *e (p, i)
+     char **p;
+     int i;
+{
+  return p[i];
+}
+static char *f (char * (*g) (char **, int), char **p, ...)
+{
+  char *s;
+  va_list v;
+  va_start (v,p);
+  s = g (p, va_arg (v,int));
+  va_end (v);
+  return s;
+}
+int test (int i, double x);
+struct s1 {int (*f) (int a);};
+struct s2 {int (*f) (double a);};
+int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int);
+int argc;
+char **argv;
+int
+main ()
+{
+return f (e, argv, 0) != argv[0]  ||  f (e, argv, 1) != argv[1];
+  ;
+  return 0;
+}
+_ACEOF
+# Don't try gcc -ansi; that turns off useful extensions and
+# breaks some systems' header files.
+# AIX                   -qlanglvl=ansi
+# Ultrix and OSF/1      -std1
+# HP-UX 10.20 and later -Ae
+# HP-UX older versions  -Aa -D_HPUX_SOURCE
+# SVR4                  -Xc -D__EXTENSIONS__
+for ac_arg in "" -qlanglvl=ansi -std1 -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
+do
+  CC="$ac_save_CC $ac_arg"
+  rm -f conftest.$ac_objext
+if { (eval echo "$as_me:3009: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:3012: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { ac_try='test -s conftest.$ac_objext'
+  { (eval echo "$as_me:3015: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:3018: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_prog_cc_stdc=$ac_arg
+break
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+fi
+rm -f conftest.$ac_objext
+done
+rm -f conftest.$ac_ext conftest.$ac_objext
+CC=$ac_save_CC
+fi
+case "x$ac_cv_prog_cc_stdc" in
+  x|xno)
+    echo "$as_me:3035: result: none needed" >&5
+echo "${ECHO_T}none needed" >&6 ;;
+  *)
+    echo "$as_me:3038: result: $ac_cv_prog_cc_stdc" >&5
+echo "${ECHO_T}$ac_cv_prog_cc_stdc" >&6
+    CC="$CC $ac_cv_prog_cc_stdc" ;;
+esac
-echo "$as_me:$LINENO: checking for inline" >&5
+echo "$as_me:3043: checking for inline" >&5
 echo $ECHO_N "checking for inline... $ECHO_C" >&6
 if test "${ac_cv_c_inline+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -3563,53 +3048,47 @@ else
  ac_cv_c_inline=no
 for ac_kw in inline __inline__ __inline; do
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 3051 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #ifndef __cplusplus
-typedef int foo_t;
+static $ac_kw int static_foo () {return 0; }
-static $ac_kw foo_t static_foo () {return 0; }
+$ac_kw int foo () {return 0; }
-$ac_kw foo_t foo () {return 0; }
 #endif
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:3060: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:3063: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:3066: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:3069: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_c_inline=$ac_kw; break
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 done
 fi
-echo "$as_me:$LINENO: result: $ac_cv_c_inline" >&5
+echo "$as_me:3080: result: $ac_cv_c_inline" >&5
 echo "${ECHO_T}$ac_cv_c_inline" >&6
 case $ac_cv_c_inline in
  inline | yes) ;;
  no)
-cat >>confdefs.h <<\_ACEOF
+cat >>confdefs.h <<\EOF
 #define inline
-_ACEOF
+EOF
 ;;
-  *)  cat >>confdefs.h <<_ACEOF
+  *)  cat >>confdefs.h <<EOF
 #define inline $ac_cv_c_inline
-_ACEOF
+EOF
 ;;
 esac
@@ -3620,10 +3099,9 @@ fi
 # Check for some target-specific stuff
 case "$host" in
 *-*-aix*)
-        AFS_LIBS="-lld"
        CPPFLAGS="$CPPFLAGS -I/usr/local/include"
        LDFLAGS="$LDFLAGS -L/usr/local/lib"
-        echo "$as_me:$LINENO: checking how to specify blibpath for linker ($LD)" >&5
+        echo "$as_me:3104: checking how to specify blibpath for linker ($LD)" >&5
 echo $ECHO_N "checking how to specify blibpath for linker ($LD)... $ECHO_C" >&6
        if (test -z "$blibpath"); then
                blibpath="/usr/lib:/lib:/usr/local/lib"
@@ -3633,12 +3111,8 @@ echo $ECHO_N "checking how to specify blibpath for linker ($LD)... $ECHO_C" >&6
                if (test -z "$blibflags"); then
                        LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
                        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 3114 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 int
 main ()
@@ -3649,116 +3123,101 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:3126: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:3129: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:3132: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:3135: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  blibflags=$tryflags
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
                fi
        done
        if (test -z "$blibflags"); then
-                echo "$as_me:$LINENO: result: not found" >&5
+                echo "$as_me:3146: result: not found" >&5
 echo "${ECHO_T}not found" >&6
-                { { echo "$as_me:$LINENO: error: *** must be able to specify blibpath on AIX - check config.log" >&5
+                { { echo "$as_me:3148: error: *** must be able to specify blibpath on AIX - check config.log" >&5
 echo "$as_me: error: *** must be able to specify blibpath on AIX - check config.log" >&2;}
   { (exit 1); exit 1; }; }
        else
-                echo "$as_me:$LINENO: result: $blibflags" >&5
+                echo "$as_me:3152: result: $blibflags" >&5
 echo "${ECHO_T}$blibflags" >&6
        fi
        LDFLAGS="$saved_LDFLAGS"
-        echo "$as_me:$LINENO: checking for authenticate" >&5
+                echo "$as_me:3156: checking for authenticate" >&5
 echo $ECHO_N "checking for authenticate... $ECHO_C" >&6
 if test "${ac_cv_func_authenticate+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 3162 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char authenticate (); below.
+    which can conflict with char authenticate (); below.  */
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+#include <assert.h>
-    <limits.h> exists even on freestanding compilers.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
 /* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
 char authenticate ();
+char (*f) ();
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
    to always fail with ENOSYS.  Some functions are actually named
    something starting with __ and the normal name is an alias.  */
 #if defined (__stub_authenticate) || defined (__stub___authenticate)
 choke me
 #else
-char (*f) () = authenticate;
+f = authenticate;
-#endif
-#ifdef __cplusplus
-}
 #endif
-int
-main ()
-{
-return f != authenticate;
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:3193: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:3196: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:3199: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:3202: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_func_authenticate=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_func_authenticate=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_authenticate" >&5
+echo "$as_me:3212: result: $ac_cv_func_authenticate" >&5
 echo "${ECHO_T}$ac_cv_func_authenticate" >&6
 if test $ac_cv_func_authenticate = yes; then
-  cat >>confdefs.h <<\_ACEOF
+  cat >>confdefs.h <<\EOF
 #define WITH_AIXAUTHENTICATE 1
-_ACEOF
+EOF
 else
-  echo "$as_me:$LINENO: checking for authenticate in -ls" >&5
+  echo "$as_me:3220: checking for authenticate in -ls" >&5
 echo $ECHO_N "checking for authenticate in -ls... $ECHO_C" >&6
 if test "${ac_cv_lib_s_authenticate+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -3766,12 +3225,8 @@ else
  ac_check_lib_save_LIBS=$LIBS
 LIBS="-ls  $LIBS"
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 3228 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
@@ -3789,126 +3244,279 @@ authenticate ();
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:3247: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:3250: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:3253: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:3256: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_lib_s_authenticate=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_lib_s_authenticate=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_s_authenticate" >&5
+echo "$as_me:3267: result: $ac_cv_lib_s_authenticate" >&5
 echo "${ECHO_T}$ac_cv_lib_s_authenticate" >&6
 if test $ac_cv_lib_s_authenticate = yes; then
-   cat >>confdefs.h <<\_ACEOF
+   cat >>confdefs.h <<\EOF
 #define WITH_AIXAUTHENTICATE 1
-_ACEOF
+EOF
                                LIBS="$LIBS -ls"
 fi
+fi
+                echo "$as_me:3280: checking whether loginfailed is declared" >&5
+echo $ECHO_N "checking whether loginfailed is declared... $ECHO_C" >&6
+if test "${ac_cv_have_decl_loginfailed+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 3286 "configure"
+#include "confdefs.h"
+#include <usersec.h>
+int
+main ()
+{
+#ifndef loginfailed
+  char *p = (char *) loginfailed;
+#endif
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:3302: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:3305: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { ac_try='test -s conftest.$ac_objext'
+  { (eval echo "$as_me:3308: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:3311: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_have_decl_loginfailed=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_have_decl_loginfailed=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
+echo "$as_me:3321: result: $ac_cv_have_decl_loginfailed" >&5
+echo "${ECHO_T}$ac_cv_have_decl_loginfailed" >&6
+if test $ac_cv_have_decl_loginfailed = yes; then
+  echo "$as_me:3324: checking if loginfailed takes 4 arguments" >&5
+echo $ECHO_N "checking if loginfailed takes 4 arguments... $ECHO_C" >&6
+                  cat >conftest.$ac_ext <<_ACEOF
+#line 3327 "configure"
+#include "confdefs.h"
+#include <usersec.h>
+int
+main ()
+{
+(void)loginfailed("user","host","tty",0);
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:3339: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:3342: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { ac_try='test -s conftest.$ac_objext'
+  { (eval echo "$as_me:3345: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:3348: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  echo "$as_me:3350: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+                         cat >>confdefs.h <<\EOF
+#define AIX_LOGINFAILED_4ARG 1
+EOF
-        cat >>confdefs.h <<\_ACEOF
+else
-#define BROKEN_GETADDRINFO 1
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+echo "$as_me:3359: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+for ac_func in setauthdb
+do
+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
+echo "$as_me:3369: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$as_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 3375 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
+int
+main ()
+{
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
+  ;
+  return 0;
+}
 _ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:3406: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:3409: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:3412: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:3415: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  eval "$as_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$as_ac_var=no"
+fi
+rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:3425: result: `eval echo '${'$as_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+if test `eval echo '${'$as_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
+EOF
+fi
+done
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
+#define BROKEN_GETADDRINFO 1
+EOF
+        cat >>confdefs.h <<\EOF
 #define BROKEN_REALPATH 1
-_ACEOF
+EOF
+        cat >>confdefs.h <<\EOF
+#define SETEUID_BREAKS_SETUID 1
+EOF
-                cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
+#define BROKEN_SETREUID 1
+EOF
+        cat >>confdefs.h <<\EOF
+#define BROKEN_SETREGID 1
+EOF
+                cat >>confdefs.h <<\EOF
 #define DISABLE_LASTLOG 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define LOGIN_NEEDS_UTMPX 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
-#define SETPROCTITLE_STRATEGY PS_USE_CLOBBER_ARGV
+#define SPT_TYPE SPT_REUSEARGV
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
-#define SETPROCTITLE_PS_PADDING '\0'
-_ACEOF
        ;;
 *-*-cygwin*)
        check_for_libcrypt_later=1
        LIBS="$LIBS /usr/lib/textmode.o"
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_CYGWIN 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define USE_PIPES 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define DISABLE_SHADOW 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
-#define IPV4_DEFAULT 1
-_ACEOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define IP_TOS_IS_BROKEN 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define NO_X11_UNIX_SOCKETS 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define NO_IPPORT_RESERVED_CONCEPT 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define DISABLE_FD_PASSING 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define SETGROUPS_NOOP 1
-_ACEOF
+EOF
        ;;
 *-*-dgux*)
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define IP_TOS_IS_BROKEN 1
-_ACEOF
+EOF
        ;;
 *-*-darwin*)
-        echo "$as_me:$LINENO: checking if we have working getaddrinfo" >&5
+        echo "$as_me:3511: checking if we have working getaddrinfo" >&5
 echo $ECHO_N "checking if we have working getaddrinfo... $ECHO_C" >&6
        if test "$cross_compiling" = yes; then
-  echo "$as_me:$LINENO: result: assume it is working" >&5
+  echo "$as_me:3514: result: assume it is working" >&5
 echo "${ECHO_T}assume it is working" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 3518 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <mach-o/dyld.h>
 main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
                exit(0);
@@ -3917,32 +3525,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 }
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:3528: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:3531: \$? = $ac_status" >&5
  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:3533: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:3536: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-  echo "$as_me:$LINENO: result: working" >&5
+  echo "$as_me:3538: result: working" >&5
 echo "${ECHO_T}working" >&6
 else
  echo "$as_me: program exited with status $ac_status" >&5
 echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+echo "$as_me:3544: result: buggy" >&5
-( exit $ac_status )
-echo "$as_me:$LINENO: result: buggy" >&5
 echo "${ECHO_T}buggy" >&6
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define BROKEN_GETADDRINFO 1
-_ACEOF
+EOF
 fi
-rm -f core core.* *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
        ;;
 *-*-hpux10.26)
@@ -3951,37 +3557,41 @@ fi
        fi
        CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
        IPADDR_IN_DISPLAY=yes
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_SECUREWARE 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define USE_PIPES 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define LOGIN_NO_ENDOPT 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define LOGIN_NEEDS_UTMPX 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define DISABLE_SHADOW 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define DISABLE_UTMP 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
-#define SETPROCTITLE_STRATEGY PS_USE_PSTAT
+#define LOCKED_PASSWD_STRING "*"
-_ACEOF
+EOF
+        cat >>confdefs.h <<\EOF
+#define SPT_TYPE SPT_PSTAT
+EOF
        LIBS="$LIBS -lsec -lsecpw"
-echo "$as_me:$LINENO: checking for t_error in -lxnet" >&5
+echo "$as_me:3594: checking for t_error in -lxnet" >&5
 echo $ECHO_N "checking for t_error in -lxnet... $ECHO_C" >&6
 if test "${ac_cv_lib_xnet_t_error+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -3989,12 +3599,8 @@ else
  ac_check_lib_save_LIBS=$LIBS
 LIBS="-lxnet  $LIBS"
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 3602 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
@@ -4012,38 +3618,37 @@ t_error ();
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:3621: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:3624: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:3627: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:3630: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_lib_xnet_t_error=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_lib_xnet_t_error=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_xnet_t_error" >&5
+echo "$as_me:3641: result: $ac_cv_lib_xnet_t_error" >&5
 echo "${ECHO_T}$ac_cv_lib_xnet_t_error" >&6
 if test $ac_cv_lib_xnet_t_error = yes; then
-  cat >>confdefs.h <<_ACEOF
+  cat >>confdefs.h <<EOF
 #define HAVE_LIBXNET 1
-_ACEOF
+EOF
  LIBS="-lxnet $LIBS"
 else
-  { { echo "$as_me:$LINENO: error: *** -lxnet needed on HP-UX - check config.log ***" >&5
+  { { echo "$as_me:3651: error: *** -lxnet needed on HP-UX - check config.log ***" >&5
 echo "$as_me: error: *** -lxnet needed on HP-UX - check config.log ***" >&2;}
   { (exit 1); exit 1; }; }
 fi
@@ -4056,33 +3661,37 @@ fi
        fi
        CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
        IPADDR_IN_DISPLAY=yes
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define USE_PIPES 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define LOGIN_NO_ENDOPT 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define LOGIN_NEEDS_UTMPX 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define DISABLE_SHADOW 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define DISABLE_UTMP 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
-#define SETPROCTITLE_STRATEGY PS_USE_PSTAT
+#define LOCKED_PASSWD_STRING "*"
-_ACEOF
+EOF
+        cat >>confdefs.h <<\EOF
+#define SPT_TYPE SPT_PSTAT
+EOF
        LIBS="$LIBS -lsec"
-echo "$as_me:$LINENO: checking for t_error in -lxnet" >&5
+echo "$as_me:3694: checking for t_error in -lxnet" >&5
 echo $ECHO_N "checking for t_error in -lxnet... $ECHO_C" >&6
 if test "${ac_cv_lib_xnet_t_error+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -4090,12 +3699,8 @@ else
  ac_check_lib_save_LIBS=$LIBS
 LIBS="-lxnet  $LIBS"
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 3702 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
@@ -4113,38 +3718,37 @@ t_error ();
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:3721: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:3724: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:3727: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:3730: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_lib_xnet_t_error=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_lib_xnet_t_error=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_xnet_t_error" >&5
+echo "$as_me:3741: result: $ac_cv_lib_xnet_t_error" >&5
 echo "${ECHO_T}$ac_cv_lib_xnet_t_error" >&6
 if test $ac_cv_lib_xnet_t_error = yes; then
-  cat >>confdefs.h <<_ACEOF
+  cat >>confdefs.h <<EOF
 #define HAVE_LIBXNET 1
-_ACEOF
+EOF
  LIBS="-lxnet $LIBS"
 else
-  { { echo "$as_me:$LINENO: error: *** -lxnet needed on HP-UX - check config.log ***" >&5
+  { { echo "$as_me:3751: error: *** -lxnet needed on HP-UX - check config.log ***" >&5
 echo "$as_me: error: *** -lxnet needed on HP-UX - check config.log ***" >&2;}
   { (exit 1); exit 1; }; }
 fi
@@ -4153,37 +3757,41 @@ fi
 *-*-hpux11*)
        CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
        IPADDR_IN_DISPLAY=yes
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define PAM_SUN_CODEBASE 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define USE_PIPES 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define LOGIN_NO_ENDOPT 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define LOGIN_NEEDS_UTMPX 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define DISABLE_SHADOW 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define DISABLE_UTMP 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
-#define SETPROCTITLE_STRATEGY PS_USE_PSTAT
+#define LOCKED_PASSWD_STRING "*"
-_ACEOF
+EOF
+        cat >>confdefs.h <<\EOF
+#define SPT_TYPE SPT_PSTAT
+EOF
        LIBS="$LIBS -lsec"
-echo "$as_me:$LINENO: checking for t_error in -lxnet" >&5
+echo "$as_me:3794: checking for t_error in -lxnet" >&5
 echo $ECHO_N "checking for t_error in -lxnet... $ECHO_C" >&6
 if test "${ac_cv_lib_xnet_t_error+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -4191,12 +3799,8 @@ else
  ac_check_lib_save_LIBS=$LIBS
 LIBS="-lxnet  $LIBS"
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 3802 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
@@ -4214,38 +3818,37 @@ t_error ();
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:3821: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:3824: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:3827: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:3830: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_lib_xnet_t_error=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_lib_xnet_t_error=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_xnet_t_error" >&5
+echo "$as_me:3841: result: $ac_cv_lib_xnet_t_error" >&5
 echo "${ECHO_T}$ac_cv_lib_xnet_t_error" >&6
 if test $ac_cv_lib_xnet_t_error = yes; then
-  cat >>confdefs.h <<_ACEOF
+  cat >>confdefs.h <<EOF
 #define HAVE_LIBXNET 1
-_ACEOF
+EOF
  LIBS="-lxnet $LIBS"
 else
-  { { echo "$as_me:$LINENO: error: *** -lxnet needed on HP-UX - check config.log ***" >&5
+  { { echo "$as_me:3851: error: *** -lxnet needed on HP-UX - check config.log ***" >&5
 echo "$as_me: error: *** -lxnet needed on HP-UX - check config.log ***" >&2;}
   { (exit 1); exit 1; }; }
 fi
@@ -4255,144 +3858,147 @@ fi
        CPPFLAGS="$CPPFLAGS -I/usr/local/include"
        LDFLAGS="$LDFLAGS"
        PATH="$PATH:/usr/etc"
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define BROKEN_INET_NTOA 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define WITH_ABBREV_NO_TTY 1
-_ACEOF
+EOF
+        cat >>confdefs.h <<\EOF
+#define LOCKED_PASSWD_STRING "*LK*"
+EOF
        ;;
 *-*-irix6*)
        CPPFLAGS="$CPPFLAGS -I/usr/local/include"
        LDFLAGS="$LDFLAGS"
        PATH="$PATH:/usr/etc"
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define WITH_IRIX_ARRAY 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define WITH_IRIX_PROJECT 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define WITH_IRIX_AUDIT 1
-_ACEOF
+EOF
-        echo "$as_me:$LINENO: checking for jlimit_startjob" >&5
+        echo "$as_me:3890: checking for jlimit_startjob" >&5
 echo $ECHO_N "checking for jlimit_startjob... $ECHO_C" >&6
 if test "${ac_cv_func_jlimit_startjob+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 3896 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char jlimit_startjob (); below.
+    which can conflict with char jlimit_startjob (); below.  */
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+#include <assert.h>
-    <limits.h> exists even on freestanding compilers.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
 /* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
 char jlimit_startjob ();
+char (*f) ();
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
    to always fail with ENOSYS.  Some functions are actually named
    something starting with __ and the normal name is an alias.  */
 #if defined (__stub_jlimit_startjob) || defined (__stub___jlimit_startjob)
 choke me
 #else
-char (*f) () = jlimit_startjob;
+f = jlimit_startjob;
-#endif
-#ifdef __cplusplus
-}
 #endif
-int
-main ()
-{
-return f != jlimit_startjob;
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:3927: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:3930: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:3933: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:3936: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_func_jlimit_startjob=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_func_jlimit_startjob=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_jlimit_startjob" >&5
+echo "$as_me:3946: result: $ac_cv_func_jlimit_startjob" >&5
 echo "${ECHO_T}$ac_cv_func_jlimit_startjob" >&6
 if test $ac_cv_func_jlimit_startjob = yes; then
-  cat >>confdefs.h <<\_ACEOF
+  cat >>confdefs.h <<\EOF
 #define WITH_IRIX_JOBS 1
-_ACEOF
+EOF
 fi
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define BROKEN_INET_NTOA 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define WITH_ABBREV_NO_TTY 1
-_ACEOF
+EOF
+        cat >>confdefs.h <<\EOF
+#define LOCKED_PASSWD_STRING "*LK*"
+EOF
        ;;
 *-*-linux*)
        no_dev_ptmx=1
        check_for_libcrypt_later=1
-        cat >>confdefs.h <<\_ACEOF
+        check_for_openpty_ctty_bug=1
+        cat >>confdefs.h <<\EOF
 #define DONT_TRY_OTHER_AF 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define PAM_TTY_KLUDGE 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
-#define SETPROCTITLE_STRATEGY PS_USE_CLOBBER_ARGV
+#define LOCKED_PASSWD_PREFIX "!!"
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
-#define SETPROCTITLE_PS_PADDING '\0'
+#define SPT_TYPE SPT_REUSEARGV
-_ACEOF
+EOF
        inet6_default_4in6=yes
+        case `uname -r` in
+        1.*|2.0.*)
+                cat >>confdefs.h <<\EOF
+#define BROKEN_CMSG_TYPE 1
+EOF
+                ;;
+        esac
        ;;
 mips-sony-bsd|mips-sony-newsos4)
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_NEWS4 1
-_ACEOF
+EOF
        SONY=1
        ;;
@@ -4408,21 +4014,21 @@ _ACEOF
        conf_utmp_location=/etc/utmp
        conf_wtmp_location=/usr/adm/wtmp
        MAIL=/usr/spool/mail
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_NEXT 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define BROKEN_REALPATH 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define USE_PIPES 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define BROKEN_SAVED_UIDS 1
-_ACEOF
+EOF
        CPPFLAGS="$CPPFLAGS -I/usr/local/include"
        CFLAGS="$CFLAGS"
@@ -4431,44 +4037,50 @@ _ACEOF
        CPPFLAGS="$CPPFLAGS -I/usr/local/include"
        LDFLAGS="$LDFLAGS -L/usr/local/lib -R/usr/local/lib"
        need_dash_r=1
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define PAM_SUN_CODEBASE 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define LOGIN_NEEDS_UTMPX 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define LOGIN_NEEDS_TERM 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define PAM_TTY_KLUDGE 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
-#define STREAMS_PUSH_ACQUIRES_CTTY 1
+#define LOCKED_PASSWD_STRING "*LK*"
-_ACEOF
+EOF
+        # Pushing STREAMS modules will cause sshd to acquire a controlling tty.
+        cat >>confdefs.h <<\EOF
+#define SSHD_ACQUIRES_CTTY 1
+EOF
+        external_path_file=/etc/default/login
        # hardwire lastlog location (can't detect it on some versions)
        conf_lastlog_location="/var/adm/lastlog"
-        echo "$as_me:$LINENO: checking for obsolete utmp and wtmp in solaris2.x" >&5
+        echo "$as_me:4068: checking for obsolete utmp and wtmp in solaris2.x" >&5
 echo $ECHO_N "checking for obsolete utmp and wtmp in solaris2.x... $ECHO_C" >&6
        sol2ver=`echo "$host"| sed -e 's/.*[0-9]\.//'`
        if test "$sol2ver" -ge 8; then
-                echo "$as_me:$LINENO: result: yes" >&5
+                echo "$as_me:4072: result: yes" >&5
 echo "${ECHO_T}yes" >&6
-                cat >>confdefs.h <<\_ACEOF
+                cat >>confdefs.h <<\EOF
 #define DISABLE_UTMP 1
-_ACEOF
+EOF
-                cat >>confdefs.h <<\_ACEOF
+                cat >>confdefs.h <<\EOF
 #define DISABLE_WTMP 1
-_ACEOF
+EOF
        else
-                echo "$as_me:$LINENO: result: no" >&5
+                echo "$as_me:4083: result: no" >&5
 echo "${ECHO_T}no" >&6
        fi
        ;;
@@ -4478,105 +4090,95 @@ echo "${ECHO_T}no" >&6
 for ac_func in getpwanam
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo "$as_me:4093: checking for $ac_func" >&5
 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
 if eval "test \"\${$as_ac_var+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 4099 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
+    which can conflict with char $ac_func (); below.  */
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+#include <assert.h>
-    <limits.h> exists even on freestanding compilers.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
 /* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
+char (*f) ();
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
    to always fail with ENOSYS.  Some functions are actually named
    something starting with __ and the normal name is an alias.  */
 #if defined (__stub_$ac_func) || defined (__stub___$ac_func)
 choke me
 #else
-char (*f) () = $ac_func;
+f = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
-int
-main ()
-{
-return f != $ac_func;
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:4130: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:4133: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:4136: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:4139: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  eval "$as_ac_var=yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 eval "$as_ac_var=no"
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
+echo "$as_me:4149: result: `eval echo '${'$as_ac_var'}'`" >&5
 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
 if test `eval echo '${'$as_ac_var'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
+  cat >>confdefs.h <<EOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
+EOF
 fi
 done
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define PAM_SUN_CODEBASE 1
-_ACEOF
+EOF
        conf_utmp_location=/etc/utmp
        conf_wtmp_location=/var/adm/wtmp
        conf_lastlog_location=/var/adm/lastlog
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define USE_PIPES 1
-_ACEOF
+EOF
        ;;
 *-ncr-sysv*)
        CPPFLAGS="$CPPFLAGS -I/usr/local/include"
        LDFLAGS="$LDFLAGS -L/usr/local/lib"
        LIBS="$LIBS -lc89"
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define USE_PIPES 1
-_ACEOF
+EOF
+        cat >>confdefs.h <<\EOF
+#define SSHD_ACQUIRES_CTTY 1
+EOF
        ;;
 *-sni-sysv*)
@@ -4584,14 +4186,19 @@ _ACEOF
        # /usr/ucblib MUST NOT be searched on ReliantUNIX
        LDFLAGS="$LDFLAGS -L/usr/local/lib"
        IPADDR_IN_DISPLAY=yes
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define USE_PIPES 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define IP_TOS_IS_BROKEN 1
-_ACEOF
+EOF
+        cat >>confdefs.h <<\EOF
+#define SSHD_ACQUIRES_CTTY 1
+EOF
+        external_path_file=/etc/default/login
        # /usr/ucblib/libucb.a no longer needed on ReliantUNIX
        # Attention: always take care to bind libsocket and libnsl before libc,
        # otherwise you will find lots of "SIOCGPGRP errno 22" on syslog
@@ -4599,17 +4206,41 @@ _ACEOF
 *-*-sysv4.2*)
        CPPFLAGS="$CPPFLAGS -I/usr/local/include"
        LDFLAGS="$LDFLAGS -L/usr/local/lib"
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define USE_PIPES 1
-_ACEOF
+EOF
+        cat >>confdefs.h <<\EOF
+#define SETEUID_BREAKS_SETUID 1
+EOF
+        cat >>confdefs.h <<\EOF
+#define BROKEN_SETREUID 1
+EOF
+        cat >>confdefs.h <<\EOF
+#define BROKEN_SETREGID 1
+EOF
        ;;
 *-*-sysv5*)
        CPPFLAGS="$CPPFLAGS -I/usr/local/include"
        LDFLAGS="$LDFLAGS -L/usr/local/lib"
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define USE_PIPES 1
-_ACEOF
+EOF
+        cat >>confdefs.h <<\EOF
+#define SETEUID_BREAKS_SETUID 1
+EOF
+        cat >>confdefs.h <<\EOF
+#define BROKEN_SETREUID 1
+EOF
+        cat >>confdefs.h <<\EOF
+#define BROKEN_SETREGID 1
+EOF
        ;;
 *-*-sysv*)
@@ -4622,107 +4253,95 @@ _ACEOF
        LIBS="$LIBS -los -lprot -lx -ltinfo -lm"
        RANLIB=true
        no_dev_ptmx=1
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define BROKEN_SYS_TERMIO_H 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define USE_PIPES 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_SECUREWARE 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define DISABLE_SHADOW 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define BROKEN_SAVED_UIDS 1
-_ACEOF
+EOF
+        cat >>confdefs.h <<\EOF
+#define WITH_ABBREV_NO_TTY 1
+EOF
 for ac_func in getluid setluid
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo "$as_me:4283: checking for $ac_func" >&5
 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
 if eval "test \"\${$as_ac_var+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 4289 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
+    which can conflict with char $ac_func (); below.  */
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+#include <assert.h>
-    <limits.h> exists even on freestanding compilers.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
 /* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
+char (*f) ();
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
    to always fail with ENOSYS.  Some functions are actually named
    something starting with __ and the normal name is an alias.  */
 #if defined (__stub_$ac_func) || defined (__stub___$ac_func)
 choke me
 #else
-char (*f) () = $ac_func;
+f = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
-int
-main ()
-{
-return f != $ac_func;
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:4320: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:4323: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:4326: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:4329: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  eval "$as_ac_var=yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 eval "$as_ac_var=no"
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
+echo "$as_me:4339: result: `eval echo '${'$as_ac_var'}'`" >&5
 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
 if test `eval echo '${'$as_ac_var'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
+  cat >>confdefs.h <<EOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
+EOF
 fi
 done
@@ -4738,103 +4357,103 @@ done
        LDFLAGS="$LDFLAGS -L/usr/local/lib"
        LIBS="$LIBS -lprot -lx -ltinfo -lm"
        no_dev_ptmx=1
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define USE_PIPES 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_SECUREWARE 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define DISABLE_SHADOW 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define DISABLE_FD_PASSING 1
-_ACEOF
+EOF
+        cat >>confdefs.h <<\EOF
+#define SETEUID_BREAKS_SETUID 1
+EOF
+        cat >>confdefs.h <<\EOF
+#define BROKEN_SETREUID 1
+EOF
+        cat >>confdefs.h <<\EOF
+#define BROKEN_SETREGID 1
+EOF
+        cat >>confdefs.h <<\EOF
+#define WITH_ABBREV_NO_TTY 1
+EOF
 for ac_func in getluid setluid
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo "$as_me:4395: checking for $ac_func" >&5
 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
 if eval "test \"\${$as_ac_var+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 4401 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
+    which can conflict with char $ac_func (); below.  */
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+#include <assert.h>
-    <limits.h> exists even on freestanding compilers.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
 /* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
+char (*f) ();
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
    to always fail with ENOSYS.  Some functions are actually named
    something starting with __ and the normal name is an alias.  */
 #if defined (__stub_$ac_func) || defined (__stub___$ac_func)
 choke me
 #else
-char (*f) () = $ac_func;
+f = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
-int
-main ()
-{
-return f != $ac_func;
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:4432: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:4435: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:4438: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:4441: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  eval "$as_ac_var=yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 eval "$as_ac_var=no"
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
+echo "$as_me:4451: result: `eval echo '${'$as_ac_var'}'`" >&5
 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
 if test `eval echo '${'$as_ac_var'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
+  cat >>confdefs.h <<EOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
+EOF
 fi
 done
@@ -4842,37 +4461,54 @@ done
        MANTYPE=man
        ;;
 *-*-unicosmk*)
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define USE_PIPES 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define DISABLE_FD_PASSING 1
-_ACEOF
+EOF
        LDFLAGS="$LDFLAGS"
        LIBS="$LIBS -lgen -lrsc -lshare -luex -lacm"
        MANTYPE=cat
        ;;
+*-*-unicosmp*)
+        cat >>confdefs.h <<\EOF
+#define WITH_ABBREV_NO_TTY 1
+EOF
+        cat >>confdefs.h <<\EOF
+#define USE_PIPES 1
+EOF
+        cat >>confdefs.h <<\EOF
+#define DISABLE_FD_PASSING 1
+EOF
+        LDFLAGS="$LDFLAGS"
+        LIBS="$LIBS -lgen -lacid"
+        MANTYPE=cat
+        ;;
 *-*-unicos*)
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define USE_PIPES 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define DISABLE_FD_PASSING 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define NO_SSH_LASTLOG 1
-_ACEOF
+EOF
        LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal"
        LIBS="$LIBS -lgen -lrsc -lshare -luex -lacm"
        MANTYPE=cat
        ;;
 *-dec-osf*)
-        echo "$as_me:$LINENO: checking for Digital Unix SIA" >&5
+        echo "$as_me:4511: checking for Digital Unix SIA" >&5
 echo $ECHO_N "checking for Digital Unix SIA... $ECHO_C" >&6
        no_osfsia=""
@@ -4881,7 +4517,7 @@ if test "${with_osfsia+set}" = set; then
  withval="$with_osfsia"
                        if test "x$withval" = "xno" ; then
-                                echo "$as_me:$LINENO: result: disabled" >&5
+                                echo "$as_me:4520: result: disabled" >&5
 echo "${ECHO_T}disabled" >&6
                                no_osfsia=1
                        fi
@@ -4889,52 +4525,60 @@ echo "${ECHO_T}disabled" >&6
 fi;
        if test -z "$no_osfsia" ; then
                if test -f /etc/sia/matrix.conf; then
-                        echo "$as_me:$LINENO: result: yes" >&5
+                        echo "$as_me:4528: result: yes" >&5
 echo "${ECHO_T}yes" >&6
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define HAVE_OSF_SIA 1
-_ACEOF
+EOF
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define DISABLE_LOGIN 1
-_ACEOF
+EOF
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define DISABLE_FD_PASSING 1
-_ACEOF
+EOF
                        LIBS="$LIBS -lsecurity -ldb -lm -laud"
                else
-                        echo "$as_me:$LINENO: result: no" >&5
+                        echo "$as_me:4544: result: no" >&5
 echo "${ECHO_T}no" >&6
                fi
        fi
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define DISABLE_FD_PASSING 1
-_ACEOF
+EOF
+        cat >>confdefs.h <<\EOF
+#define BROKEN_GETADDRINFO 1
+EOF
+        cat >>confdefs.h <<\EOF
+#define LOCKED_PASSWD_SUBSTR "Nologin"
+EOF
        ;;
 *-*-nto-qnx)
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define USE_PIPES 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define NO_X11_UNIX_SOCKETS 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define MISSING_NFDBITS 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define MISSING_HOWMANY 1
-_ACEOF
+EOF
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define MISSING_FD_MASK 1
-_ACEOF
+EOF
        ;;
 esac
@@ -4949,7 +4593,6 @@ if test "${with_cflags+set}" = set; then
                        CFLAGS="$CFLAGS $withval"
                fi
 fi;
 # Check whether --with-cppflags or --without-cppflags was given.
@@ -4960,7 +4603,6 @@ if test "${with_cppflags+set}" = set; then
                        CPPFLAGS="$CPPFLAGS $withval"
                fi
 fi;
 # Check whether --with-ldflags or --without-ldflags was given.
@@ -4971,7 +4613,6 @@ if test "${with_ldflags+set}" = set; then
                        LDFLAGS="$LDFLAGS $withval"
                fi
 fi;
 # Check whether --with-libs or --without-libs was given.
@@ -4982,370 +4623,82 @@ if test "${with_libs+set}" = set; then
                        LIBS="$LIBS $withval"
                fi
 fi;
-# Checks for header files.
+echo "$as_me:4628: checking compiler and flags for sanity" >&5
+echo $ECHO_N "checking compiler and flags for sanity... $ECHO_C" >&6
-echo "$as_me:$LINENO: checking for egrep" >&5
+if test "$cross_compiling" = yes; then
-echo $ECHO_N "checking for egrep... $ECHO_C" >&6
+  { { echo "$as_me:4631: error: cannot run test program while cross compiling" >&5
-if test "${ac_cv_prog_egrep+set}" = set; then
+echo "$as_me: error: cannot run test program while cross compiling" >&2;}
-  echo $ECHO_N "(cached) $ECHO_C" >&6
+   { (exit 1); exit 1; }; }
-else
-  if echo a | (grep -E '(a|b)') >/dev/null 2>&1
-    then ac_cv_prog_egrep='grep -E'
-    else ac_cv_prog_egrep='egrep'
-    fi
-fi
-echo "$as_me:$LINENO: result: $ac_cv_prog_egrep" >&5
-echo "${ECHO_T}$ac_cv_prog_egrep" >&6
- EGREP=$ac_cv_prog_egrep
-echo "$as_me:$LINENO: checking for ANSI C header files" >&5
-echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6
-if test "${ac_cv_header_stdc+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <stdlib.h>
-#include <stdarg.h>
-#include <string.h>
-#include <float.h>
-int
-main ()
-{
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_header_stdc=yes
 else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-ac_cv_header_stdc=no
-fi
-rm -f conftest.$ac_objext conftest.$ac_ext
-if test $ac_cv_header_stdc = yes; then
-  # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 4636 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <string.h>
-_ACEOF
-if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "memchr" >/dev/null 2>&1; then
-  :
-else
-  ac_cv_header_stdc=no
-fi
-rm -f conftest*
-fi
+#include <stdio.h>
+int main(){exit(0);}
-if test $ac_cv_header_stdc = yes; then
-  # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
-  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <stdlib.h>
-_ACEOF
-if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "free" >/dev/null 2>&1; then
-  :
-else
-  ac_cv_header_stdc=no
-fi
-rm -f conftest*
-fi
-if test $ac_cv_header_stdc = yes; then
-  # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
-  if test "$cross_compiling" = yes; then
-  :
-else
-  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <ctype.h>
-#if ((' ' & 0x0FF) == 0x020)
-# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
-# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
-#else
-# define ISLOWER(c) \
-                   (('a' <= (c) && (c) <= 'i') \
-                     || ('j' <= (c) && (c) <= 'r') \
-                     || ('s' <= (c) && (c) <= 'z'))
-# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c))
-#endif
-#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
-int
-main ()
-{
-  int i;
-  for (i = 0; i < 256; i++)
-    if (XOR (islower (i), ISLOWER (i))
-        || toupper (i) != TOUPPER (i))
-      exit(2);
-  exit (0);
-}
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:4644: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:4647: \$? = $ac_status" >&5
  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:4649: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:4652: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-  :
+        echo "$as_me:4654: result: yes" >&5
+echo "${ECHO_T}yes" >&6
 else
  echo "$as_me: program exited with status $ac_status" >&5
 echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
-( exit $ac_status )
-ac_cv_header_stdc=no
-fi
-rm -f core core.* *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
-fi
-fi
-fi
-echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
-echo "${ECHO_T}$ac_cv_header_stdc" >&6
-if test $ac_cv_header_stdc = yes; then
-cat >>confdefs.h <<\_ACEOF
-#define STDC_HEADERS 1
-_ACEOF
-fi
-# On IRIX 5.3, sys/types and inttypes.h are conflicting.
+                echo "$as_me:4661: result: no" >&5
+echo "${ECHO_T}no" >&6
+                { { echo "$as_me:4663: error: *** compiler cannot create working executables, check config.log ***" >&5
+echo "$as_me: error: *** compiler cannot create working executables, check config.log ***" >&2;}
+   { (exit 1); exit 1; }; }
-for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \
-                  inttypes.h stdint.h unistd.h
-do
-as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <$ac_header>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  eval "$as_ac_Header=yes"
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-eval "$as_ac_Header=no"
 fi
-rm -f conftest.$ac_objext conftest.$ac_ext
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
-if test `eval echo '${'$as_ac_Header'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
-_ACEOF
 fi
-done
+# Checks for header files.
-for ac_header in bstring.h crypt.h endian.h floatingpoint.h \
+for ac_header in bstring.h crypt.h endian.h features.h floatingpoint.h \
-        getopt.h glob.h ia.h lastlog.h libgen.h limits.h login.h \
+        getopt.h glob.h ia.h lastlog.h limits.h login.h \
        login_cap.h maillock.h netdb.h netgroup.h \
        netinet/in_systm.h paths.h pty.h readpassphrase.h \
        rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \
-        strings.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h \
+        strings.h sys/strtio.h sys/audit.h sys/bitypes.h sys/bsdtty.h \
-        sys/mman.h sys/pstat.h sys/select.h sys/stat.h \
+        sys/cdefs.h sys/mman.h sys/pstat.h sys/select.h sys/stat.h \
        sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h \
        sys/un.h time.h tmpdir.h ttyent.h usersec.h \
        util.h utime.h utmp.h utmpx.h
 do
 as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+echo "$as_me:4685: checking for $ac_header" >&5
-  echo "$as_me:$LINENO: checking for $ac_header" >&5
 echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
 if eval "test \"\${$as_ac_Header+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
-fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
-else
-  # Is the header compilable?
-echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <$ac_header>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_header_compiler=yes
 else
-  echo "$as_me: failed program was:" >&5
+  cat >conftest.$ac_ext <<_ACEOF
-sed 's/^/| /' conftest.$ac_ext >&5
+#line 4691 "configure"
+#include "confdefs.h"
-ac_header_compiler=no
-fi
-rm -f conftest.$ac_objext conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6
-# Is the header present?
-echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <$ac_header>
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
+if { (eval echo "$as_me:4695: \"$ac_cpp conftest.$ac_ext\"") >&5
  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
+  egrep -v '^ *\+' conftest.er1 >conftest.err
  rm -f conftest.er1
  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:4701: \$? = $ac_status" >&5
  (exit $ac_status); } >/dev/null; then
  if test -s conftest.err; then
    ac_cpp_err=$ac_c_preproc_warn_flag
@@ -5356,149 +4709,88 @@ else
  ac_cpp_err=yes
 fi
 if test -z "$ac_cpp_err"; then
-  ac_header_preproc=yes
+  eval "$as_ac_Header=yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+  cat conftest.$ac_ext >&5
+  eval "$as_ac_Header=no"
-  ac_header_preproc=no
 fi
 rm -f conftest.err conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc in
-  yes:no )
-    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-    (
-      cat <<\_ASBOX
-## ------------------------------------ ##
-## Report this to bug-autoconf@gnu.org. ##
-## ------------------------------------ ##
-_ASBOX
-    ) |
-      sed "s/^/$as_me: WARNING:     /" >&2
-    ;;
-  no:yes )
-    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-    (
-      cat <<\_ASBOX
-## ------------------------------------ ##
-## Report this to bug-autoconf@gnu.org. ##
-## ------------------------------------ ##
-_ASBOX
-    ) |
-      sed "s/^/$as_me: WARNING:     /" >&2
-    ;;
-esac
-echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  eval "$as_ac_Header=$ac_header_preproc"
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
+echo "$as_me:4720: result: `eval echo '${'$as_ac_Header'}'`" >&5
 echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
-fi
 if test `eval echo '${'$as_ac_Header'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
+  cat >>confdefs.h <<EOF
 #define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
-_ACEOF
+EOF
 fi
 done
 # Checks for libraries.
-echo "$as_me:$LINENO: checking for yp_match" >&5
+echo "$as_me:4731: checking for yp_match" >&5
 echo $ECHO_N "checking for yp_match... $ECHO_C" >&6
 if test "${ac_cv_func_yp_match+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 4737 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char yp_match (); below.
+    which can conflict with char yp_match (); below.  */
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+#include <assert.h>
-    <limits.h> exists even on freestanding compilers.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
 /* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
 char yp_match ();
+char (*f) ();
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
    to always fail with ENOSYS.  Some functions are actually named
    something starting with __ and the normal name is an alias.  */
 #if defined (__stub_yp_match) || defined (__stub___yp_match)
 choke me
 #else
-char (*f) () = yp_match;
+f = yp_match;
-#endif
-#ifdef __cplusplus
-}
 #endif
-int
-main ()
-{
-return f != yp_match;
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:4768: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:4771: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:4774: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:4777: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_func_yp_match=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_func_yp_match=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_yp_match" >&5
+echo "$as_me:4787: result: $ac_cv_func_yp_match" >&5
 echo "${ECHO_T}$ac_cv_func_yp_match" >&6
 if test $ac_cv_func_yp_match = yes; then
  :
 else
-echo "$as_me:$LINENO: checking for yp_match in -lnsl" >&5
+echo "$as_me:4793: checking for yp_match in -lnsl" >&5
 echo $ECHO_N "checking for yp_match in -lnsl... $ECHO_C" >&6
 if test "${ac_cv_lib_nsl_yp_match+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -5506,12 +4798,8 @@ else
  ac_check_lib_save_LIBS=$LIBS
 LIBS="-lnsl  $LIBS"
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 4801 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
@@ -5529,33 +4817,32 @@ yp_match ();
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:4820: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:4823: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:4826: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:4829: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_lib_nsl_yp_match=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_lib_nsl_yp_match=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_nsl_yp_match" >&5
+echo "$as_me:4840: result: $ac_cv_lib_nsl_yp_match" >&5
 echo "${ECHO_T}$ac_cv_lib_nsl_yp_match" >&6
 if test $ac_cv_lib_nsl_yp_match = yes; then
-  cat >>confdefs.h <<_ACEOF
+  cat >>confdefs.h <<EOF
 #define HAVE_LIBNSL 1
-_ACEOF
+EOF
  LIBS="-lnsl $LIBS"
@@ -5563,83 +4850,69 @@ fi
 fi
-echo "$as_me:$LINENO: checking for setsockopt" >&5
+echo "$as_me:4853: checking for setsockopt" >&5
 echo $ECHO_N "checking for setsockopt... $ECHO_C" >&6
 if test "${ac_cv_func_setsockopt+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 4859 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char setsockopt (); below.
+    which can conflict with char setsockopt (); below.  */
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+#include <assert.h>
-    <limits.h> exists even on freestanding compilers.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
 /* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
 char setsockopt ();
+char (*f) ();
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
    to always fail with ENOSYS.  Some functions are actually named
    something starting with __ and the normal name is an alias.  */
 #if defined (__stub_setsockopt) || defined (__stub___setsockopt)
 choke me
 #else
-char (*f) () = setsockopt;
+f = setsockopt;
-#endif
-#ifdef __cplusplus
-}
 #endif
-int
-main ()
-{
-return f != setsockopt;
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:4890: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:4893: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:4896: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:4899: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_func_setsockopt=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_func_setsockopt=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_setsockopt" >&5
+echo "$as_me:4909: result: $ac_cv_func_setsockopt" >&5
 echo "${ECHO_T}$ac_cv_func_setsockopt" >&6
 if test $ac_cv_func_setsockopt = yes; then
  :
 else
-echo "$as_me:$LINENO: checking for setsockopt in -lsocket" >&5
+echo "$as_me:4915: checking for setsockopt in -lsocket" >&5
 echo $ECHO_N "checking for setsockopt in -lsocket... $ECHO_C" >&6
 if test "${ac_cv_lib_socket_setsockopt+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -5647,12 +4920,8 @@ else
  ac_check_lib_save_LIBS=$LIBS
 LIBS="-lsocket  $LIBS"
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 4923 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
@@ -5670,33 +4939,32 @@ setsockopt ();
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:4942: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:4945: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:4948: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:4951: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_lib_socket_setsockopt=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_lib_socket_setsockopt=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_socket_setsockopt" >&5
+echo "$as_me:4962: result: $ac_cv_lib_socket_setsockopt" >&5
 echo "${ECHO_T}$ac_cv_lib_socket_setsockopt" >&6
 if test $ac_cv_lib_socket_setsockopt = yes; then
-  cat >>confdefs.h <<_ACEOF
+  cat >>confdefs.h <<EOF
 #define HAVE_LIBSOCKET 1
-_ACEOF
+EOF
  LIBS="-lsocket $LIBS"
@@ -5704,10 +4972,9 @@ fi
 fi
 if test "x$with_tcp_wrappers" != "xno" ; then
    if test "x$do_sco3_extra_lib_check" = "xyes" ; then
-        echo "$as_me:$LINENO: checking for innetgr in -lrpc" >&5
+        echo "$as_me:4977: checking for innetgr in -lrpc" >&5
 echo $ECHO_N "checking for innetgr in -lrpc... $ECHO_C" >&6
 if test "${ac_cv_lib_rpc_innetgr+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -5715,12 +4982,8 @@ else
  ac_check_lib_save_LIBS=$LIBS
 LIBS="-lrpc -lyp -lrpc $LIBS"
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 4985 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
@@ -5738,28 +5001,27 @@ innetgr ();
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:5004: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:5007: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:5010: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:5013: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_lib_rpc_innetgr=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_lib_rpc_innetgr=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_rpc_innetgr" >&5
+echo "$as_me:5024: result: $ac_cv_lib_rpc_innetgr" >&5
 echo "${ECHO_T}$ac_cv_lib_rpc_innetgr" >&6
 if test $ac_cv_lib_rpc_innetgr = yes; then
  LIBS="-lrpc -lyp -lrpc $LIBS"
@@ -5768,82 +5030,355 @@ fi
    fi
 fi
-echo "$as_me:$LINENO: checking for getspnam" >&5
+for ac_func in dirname
-echo $ECHO_N "checking for getspnam... $ECHO_C" >&6
+do
-if test "${ac_cv_func_getspnam+set}" = set; then
+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
+echo "$as_me:5036: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$as_ac_var+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 5042 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char getspnam (); below.
+    which can conflict with char $ac_func (); below.  */
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+#include <assert.h>
-    <limits.h> exists even on freestanding compilers.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
 /* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
-char getspnam ();
+char $ac_func ();
+char (*f) ();
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
    to always fail with ENOSYS.  Some functions are actually named
    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_getspnam) || defined (__stub___getspnam)
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
 choke me
 #else
-char (*f) () = getspnam;
+f = $ac_func;
 #endif
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:5073: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:5076: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:5079: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:5082: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  eval "$as_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$as_ac_var=no"
+fi
+rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:5092: result: `eval echo '${'$as_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+if test `eval echo '${'$as_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
+EOF
+for ac_header in libgen.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+echo "$as_me:5102: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
+if eval "test \"\${$as_ac_Header+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 5108 "configure"
+#include "confdefs.h"
+#include <$ac_header>
+_ACEOF
+if { (eval echo "$as_me:5112: \"$ac_cpp conftest.$ac_ext\"") >&5
+  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+  ac_status=$?
+  egrep -v '^ *\+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:5118: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null; then
+  if test -s conftest.err; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+  eval "$as_ac_Header=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$as_ac_Header=no"
+fi
+rm -f conftest.err conftest.$ac_ext
+fi
+echo "$as_me:5137: result: `eval echo '${'$as_ac_Header'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+EOF
+fi
+done
+else
+        echo "$as_me:5149: checking for dirname in -lgen" >&5
+echo $ECHO_N "checking for dirname in -lgen... $ECHO_C" >&6
+if test "${ac_cv_lib_gen_dirname+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lgen  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#line 5157 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char dirname ();
+int
+main ()
+{
+dirname ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:5176: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:5179: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:5182: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:5185: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_lib_gen_dirname=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_gen_dirname=no
+fi
+rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:5196: result: $ac_cv_lib_gen_dirname" >&5
+echo "${ECHO_T}$ac_cv_lib_gen_dirname" >&6
+if test $ac_cv_lib_gen_dirname = yes; then
+                echo "$as_me:5200: checking for broken dirname" >&5
+echo $ECHO_N "checking for broken dirname... $ECHO_C" >&6
+if test "${ac_cv_have_broken_dirname+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+                        save_LIBS="$LIBS"
+                        LIBS="$LIBS -lgen"
+                        if test "$cross_compiling" = yes; then
+  { { echo "$as_me:5209: error: cannot run test program while cross compiling" >&5
+echo "$as_me: error: cannot run test program while cross compiling" >&2;}
+   { (exit 1); exit 1; }; }
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 5214 "configure"
+#include "confdefs.h"
+#include <libgen.h>
+#include <string.h>
+int main(int argc, char **argv) {
+    char *s, buf[32];
+    strncpy(buf,"/etc", 32);
+    s = dirname(buf);
+    if (!s || strncmp(s, "/", 32) != 0) {
+        exit(1);
+    } else {
+        exit(0);
+    }
 }
+_ACEOF
+rm -f conftest$ac_exeext
+if { (eval echo "$as_me:5234: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:5237: \$? = $ac_status" >&5
+  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
+  { (eval echo "$as_me:5239: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:5242: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+   ac_cv_have_broken_dirname="no"
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ ac_cv_have_broken_dirname="yes"
+fi
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+fi
+                        LIBS="$save_LIBS"
+fi
+echo "$as_me:5257: result: $ac_cv_have_broken_dirname" >&5
+echo "${ECHO_T}$ac_cv_have_broken_dirname" >&6
+                if test "x$ac_cv_have_broken_dirname" = "xno" ; then
+                        LIBS="$LIBS -lgen"
+                        cat >>confdefs.h <<\EOF
+#define HAVE_DIRNAME 1
+EOF
+for ac_header in libgen.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+echo "$as_me:5268: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
+if eval "test \"\${$as_ac_Header+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 5274 "configure"
+#include "confdefs.h"
+#include <$ac_header>
+_ACEOF
+if { (eval echo "$as_me:5278: \"$ac_cpp conftest.$ac_ext\"") >&5
+  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+  ac_status=$?
+  egrep -v '^ *\+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:5284: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null; then
+  if test -s conftest.err; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+  eval "$as_ac_Header=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$as_ac_Header=no"
+fi
+rm -f conftest.err conftest.$ac_ext
+fi
+echo "$as_me:5303: result: `eval echo '${'$as_ac_Header'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+EOF
+fi
+done
+                fi
+fi
+fi
+done
+echo "$as_me:5320: checking for getspnam" >&5
+echo $ECHO_N "checking for getspnam... $ECHO_C" >&6
+if test "${ac_cv_func_getspnam+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 5326 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char getspnam (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
 #endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char getspnam ();
+char (*f) ();
 int
 main ()
 {
-return f != getspnam;
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_getspnam) || defined (__stub___getspnam)
+choke me
+#else
+f = getspnam;
+#endif
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:5357: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:5360: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:5363: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:5366: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_func_getspnam=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_func_getspnam=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getspnam" >&5
+echo "$as_me:5376: result: $ac_cv_func_getspnam" >&5
 echo "${ECHO_T}$ac_cv_func_getspnam" >&6
 if test $ac_cv_func_getspnam = yes; then
  :
 else
-  echo "$as_me:$LINENO: checking for getspnam in -lgen" >&5
+  echo "$as_me:5381: checking for getspnam in -lgen" >&5
 echo $ECHO_N "checking for getspnam in -lgen... $ECHO_C" >&6
 if test "${ac_cv_lib_gen_getspnam+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -5851,12 +5386,8 @@ else
  ac_check_lib_save_LIBS=$LIBS
 LIBS="-lgen  $LIBS"
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 5389 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
@@ -5874,28 +5405,27 @@ getspnam ();
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:5408: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:5411: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:5414: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:5417: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_lib_gen_getspnam=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_lib_gen_getspnam=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_gen_getspnam" >&5
+echo "$as_me:5428: result: $ac_cv_lib_gen_getspnam" >&5
 echo "${ECHO_T}$ac_cv_lib_gen_getspnam" >&6
 if test $ac_cv_lib_gen_getspnam = yes; then
  LIBS="$LIBS -lgen"
@@ -5903,7 +5433,104 @@ fi
 fi
+echo "$as_me:5436: checking for library containing basename" >&5
+echo $ECHO_N "checking for library containing basename... $ECHO_C" >&6
+if test "${ac_cv_search_basename+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_func_search_save_LIBS=$LIBS
+ac_cv_search_basename=no
+cat >conftest.$ac_ext <<_ACEOF
+#line 5444 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char basename ();
+int
+main ()
+{
+basename ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:5463: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:5466: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:5469: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:5472: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_search_basename="none required"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+fi
+rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
+if test "$ac_cv_search_basename" = no; then
+  for ac_lib in gen; do
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
+    cat >conftest.$ac_ext <<_ACEOF
+#line 5484 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char basename ();
+int
+main ()
+{
+basename ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:5503: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:5506: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:5509: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:5512: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_search_basename="-l$ac_lib"
+break
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+fi
+rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
+  done
+fi
+LIBS=$ac_func_search_save_LIBS
+fi
+echo "$as_me:5525: result: $ac_cv_search_basename" >&5
+echo "${ECHO_T}$ac_cv_search_basename" >&6
+if test "$ac_cv_search_basename" != no; then
+  test "$ac_cv_search_basename" = "none required" || LIBS="$ac_cv_search_basename $LIBS"
+  cat >>confdefs.h <<\EOF
+#define HAVE_BASENAME 1
+EOF
+fi
 # Check whether --with-rpath or --without-rpath was given.
 if test "${with_rpath+set}" = set; then
@@ -5916,16 +5543,14 @@ if test "${with_rpath+set}" = set; then
                        need_dash_r=1
                fi
 fi;
 # Check whether --with-zlib or --without-zlib was given.
 if test "${with_zlib+set}" = set; then
  withval="$with_zlib"
                if test "x$withval" = "xno" ; then
-                        { { echo "$as_me:$LINENO: error: *** zlib is required ***" >&5
+                        { { echo "$as_me:5553: error: *** zlib is required ***" >&5
 echo "$as_me: error: *** zlib is required ***" >&2;}
   { (exit 1); exit 1; }; }
                fi
@@ -5948,11 +5573,9 @@ echo "$as_me: error: *** zlib is required ***" >&2;}
                        CPPFLAGS="-I${withval} ${CPPFLAGS}"
                fi
 fi;
+echo "$as_me:5578: checking for deflate in -lz" >&5
-echo "$as_me:$LINENO: checking for deflate in -lz" >&5
 echo $ECHO_N "checking for deflate in -lz... $ECHO_C" >&6
 if test "${ac_cv_lib_z_deflate+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -5960,12 +5583,8 @@ else
  ac_check_lib_save_LIBS=$LIBS
 LIBS="-lz  $LIBS"
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 5586 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
@@ -5983,119 +5602,103 @@ deflate ();
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:5605: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:5608: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:5611: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:5614: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_lib_z_deflate=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_lib_z_deflate=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_z_deflate" >&5
+echo "$as_me:5625: result: $ac_cv_lib_z_deflate" >&5
 echo "${ECHO_T}$ac_cv_lib_z_deflate" >&6
 if test $ac_cv_lib_z_deflate = yes; then
-  cat >>confdefs.h <<_ACEOF
+  cat >>confdefs.h <<EOF
 #define HAVE_LIBZ 1
-_ACEOF
+EOF
  LIBS="-lz $LIBS"
 else
-  { { echo "$as_me:$LINENO: error: *** zlib missing - please install first or check config.log ***" >&5
+  { { echo "$as_me:5635: error: *** zlib missing - please install first or check config.log ***" >&5
 echo "$as_me: error: *** zlib missing - please install first or check config.log ***" >&2;}
   { (exit 1); exit 1; }; }
 fi
+echo "$as_me:5640: checking for strcasecmp" >&5
-echo "$as_me:$LINENO: checking for strcasecmp" >&5
 echo $ECHO_N "checking for strcasecmp... $ECHO_C" >&6
 if test "${ac_cv_func_strcasecmp+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 5646 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char strcasecmp (); below.
+    which can conflict with char strcasecmp (); below.  */
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+#include <assert.h>
-    <limits.h> exists even on freestanding compilers.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
 /* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
 char strcasecmp ();
+char (*f) ();
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
    to always fail with ENOSYS.  Some functions are actually named
    something starting with __ and the normal name is an alias.  */
 #if defined (__stub_strcasecmp) || defined (__stub___strcasecmp)
 choke me
 #else
-char (*f) () = strcasecmp;
+f = strcasecmp;
-#endif
-#ifdef __cplusplus
-}
 #endif
-int
-main ()
-{
-return f != strcasecmp;
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:5677: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:5680: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:5683: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:5686: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_func_strcasecmp=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_func_strcasecmp=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_strcasecmp" >&5
+echo "$as_me:5696: result: $ac_cv_func_strcasecmp" >&5
 echo "${ECHO_T}$ac_cv_func_strcasecmp" >&6
 if test $ac_cv_func_strcasecmp = yes; then
  :
 else
-   echo "$as_me:$LINENO: checking for strcasecmp in -lresolv" >&5
+   echo "$as_me:5701: checking for strcasecmp in -lresolv" >&5
 echo $ECHO_N "checking for strcasecmp in -lresolv... $ECHO_C" >&6
 if test "${ac_cv_lib_resolv_strcasecmp+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -6103,12 +5706,8 @@ else
  ac_check_lib_save_LIBS=$LIBS
 LIBS="-lresolv  $LIBS"
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 5709 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
@@ -6126,112 +5725,96 @@ strcasecmp ();
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:5728: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:5731: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:5734: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:5737: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_lib_resolv_strcasecmp=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_lib_resolv_strcasecmp=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_resolv_strcasecmp" >&5
+echo "$as_me:5748: result: $ac_cv_lib_resolv_strcasecmp" >&5
 echo "${ECHO_T}$ac_cv_lib_resolv_strcasecmp" >&6
 if test $ac_cv_lib_resolv_strcasecmp = yes; then
  LIBS="$LIBS -lresolv"
 fi
 fi
-echo "$as_me:$LINENO: checking for utimes" >&5
+echo "$as_me:5756: checking for utimes" >&5
 echo $ECHO_N "checking for utimes... $ECHO_C" >&6
 if test "${ac_cv_func_utimes+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 5762 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char utimes (); below.
+    which can conflict with char utimes (); below.  */
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+#include <assert.h>
-    <limits.h> exists even on freestanding compilers.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
 /* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
 char utimes ();
+char (*f) ();
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
    to always fail with ENOSYS.  Some functions are actually named
    something starting with __ and the normal name is an alias.  */
 #if defined (__stub_utimes) || defined (__stub___utimes)
 choke me
 #else
-char (*f) () = utimes;
+f = utimes;
-#endif
-#ifdef __cplusplus
-}
 #endif
-int
-main ()
-{
-return f != utimes;
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:5793: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:5796: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:5799: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:5802: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_func_utimes=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_func_utimes=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_utimes" >&5
+echo "$as_me:5812: result: $ac_cv_func_utimes" >&5
 echo "${ECHO_T}$ac_cv_func_utimes" >&6
 if test $ac_cv_func_utimes = yes; then
  :
 else
-   echo "$as_me:$LINENO: checking for utimes in -lc89" >&5
+   echo "$as_me:5817: checking for utimes in -lc89" >&5
 echo $ECHO_N "checking for utimes in -lc89... $ECHO_C" >&6
 if test "${ac_cv_lib_c89_utimes+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -6239,12 +5822,8 @@ else
  ac_check_lib_save_LIBS=$LIBS
 LIBS="-lc89  $LIBS"
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 5825 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
@@ -6262,109 +5841,58 @@ utimes ();
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:5844: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:5847: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:5850: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:5853: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_lib_c89_utimes=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_lib_c89_utimes=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_c89_utimes" >&5
+echo "$as_me:5864: result: $ac_cv_lib_c89_utimes" >&5
 echo "${ECHO_T}$ac_cv_lib_c89_utimes" >&6
 if test $ac_cv_lib_c89_utimes = yes; then
-  cat >>confdefs.h <<\_ACEOF
+  cat >>confdefs.h <<\EOF
 #define HAVE_UTIMES 1
-_ACEOF
+EOF
                                        LIBS="$LIBS -lc89"
 fi
 fi
 for ac_header in libutil.h
 do
 as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+echo "$as_me:5879: checking for $ac_header" >&5
-  echo "$as_me:$LINENO: checking for $ac_header" >&5
 echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
 if eval "test \"\${$as_ac_Header+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
-fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
-else
-  # Is the header compilable?
-echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <$ac_header>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_header_compiler=yes
 else
-  echo "$as_me: failed program was:" >&5
+  cat >conftest.$ac_ext <<_ACEOF
-sed 's/^/| /' conftest.$ac_ext >&5
+#line 5885 "configure"
+#include "confdefs.h"
-ac_header_compiler=no
-fi
-rm -f conftest.$ac_objext conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6
-# Is the header present?
-echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <$ac_header>
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
+if { (eval echo "$as_me:5889: \"$ac_cpp conftest.$ac_ext\"") >&5
  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
+  egrep -v '^ *\+' conftest.er1 >conftest.err
  rm -f conftest.er1
  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:5895: \$? = $ac_status" >&5
  (exit $ac_status); } >/dev/null; then
  if test -s conftest.err; then
    ac_cpp_err=$ac_c_preproc_warn_flag
@@ -6375,71 +5903,25 @@ else
  ac_cpp_err=yes
 fi
 if test -z "$ac_cpp_err"; then
-  ac_header_preproc=yes
+  eval "$as_ac_Header=yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+  cat conftest.$ac_ext >&5
+  eval "$as_ac_Header=no"
-  ac_header_preproc=no
 fi
 rm -f conftest.err conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc in
-  yes:no )
-    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-    (
-      cat <<\_ASBOX
-## ------------------------------------ ##
-## Report this to bug-autoconf@gnu.org. ##
-## ------------------------------------ ##
-_ASBOX
-    ) |
-      sed "s/^/$as_me: WARNING:     /" >&2
-    ;;
-  no:yes )
-    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-    (
-      cat <<\_ASBOX
-## ------------------------------------ ##
-## Report this to bug-autoconf@gnu.org. ##
-## ------------------------------------ ##
-_ASBOX
-    ) |
-      sed "s/^/$as_me: WARNING:     /" >&2
-    ;;
-esac
-echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  eval "$as_ac_Header=$ac_header_preproc"
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
+echo "$as_me:5914: result: `eval echo '${'$as_ac_Header'}'`" >&5
 echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
-fi
 if test `eval echo '${'$as_ac_Header'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
+  cat >>confdefs.h <<EOF
 #define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
-_ACEOF
+EOF
 fi
 done
-echo "$as_me:$LINENO: checking for library containing login" >&5
+echo "$as_me:5924: checking for library containing login" >&5
 echo $ECHO_N "checking for library containing login... $ECHO_C" >&6
 if test "${ac_cv_search_login+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -6447,12 +5929,8 @@ else
  ac_func_search_save_LIBS=$LIBS
 ac_cv_search_login=no
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 5932 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
@@ -6470,34 +5948,29 @@ login ();
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:5951: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:5954: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:5957: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:5960: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_search_login="none required"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 if test "$ac_cv_search_login" = no; then
  for ac_lib in util bsd; do
    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
    cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 5972 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
@@ -6515,210 +5988,176 @@ login ();
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:5991: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:5994: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:5997: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:6000: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_search_login="-l$ac_lib"
 break
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
  done
 fi
 LIBS=$ac_func_search_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_search_login" >&5
+echo "$as_me:6013: result: $ac_cv_search_login" >&5
 echo "${ECHO_T}$ac_cv_search_login" >&6
 if test "$ac_cv_search_login" != no; then
  test "$ac_cv_search_login" = "none required" || LIBS="$ac_cv_search_login $LIBS"
-  cat >>confdefs.h <<\_ACEOF
+  cat >>confdefs.h <<\EOF
 #define HAVE_LOGIN 1
-_ACEOF
+EOF
 fi
 for ac_func in logout updwtmp logwtmp
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo "$as_me:6026: checking for $ac_func" >&5
 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
 if eval "test \"\${$as_ac_var+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 6032 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
+    which can conflict with char $ac_func (); below.  */
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+#include <assert.h>
-    <limits.h> exists even on freestanding compilers.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
 /* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
+char (*f) ();
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
    to always fail with ENOSYS.  Some functions are actually named
    something starting with __ and the normal name is an alias.  */
 #if defined (__stub_$ac_func) || defined (__stub___$ac_func)
 choke me
 #else
-char (*f) () = $ac_func;
+f = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
-int
-main ()
-{
-return f != $ac_func;
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:6063: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:6066: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:6069: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:6072: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  eval "$as_ac_var=yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 eval "$as_ac_var=no"
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
+echo "$as_me:6082: result: `eval echo '${'$as_ac_var'}'`" >&5
 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
 if test `eval echo '${'$as_ac_var'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
+  cat >>confdefs.h <<EOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
+EOF
 fi
 done
 for ac_func in strftime
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo "$as_me:6095: checking for $ac_func" >&5
 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
 if eval "test \"\${$as_ac_var+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 6101 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
+    which can conflict with char $ac_func (); below.  */
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+#include <assert.h>
-    <limits.h> exists even on freestanding compilers.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
 /* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
+char (*f) ();
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
    to always fail with ENOSYS.  Some functions are actually named
    something starting with __ and the normal name is an alias.  */
 #if defined (__stub_$ac_func) || defined (__stub___$ac_func)
 choke me
 #else
-char (*f) () = $ac_func;
+f = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
-int
-main ()
-{
-return f != $ac_func;
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:6132: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:6135: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:6138: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:6141: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  eval "$as_ac_var=yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 eval "$as_ac_var=no"
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
+echo "$as_me:6151: result: `eval echo '${'$as_ac_var'}'`" >&5
 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
 if test `eval echo '${'$as_ac_var'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
+  cat >>confdefs.h <<EOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
+EOF
 else
  # strftime is in -lintl on SCO UNIX.
-echo "$as_me:$LINENO: checking for strftime in -lintl" >&5
+echo "$as_me:6160: checking for strftime in -lintl" >&5
 echo $ECHO_N "checking for strftime in -lintl... $ECHO_C" >&6
 if test "${ac_cv_lib_intl_strftime+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -6726,12 +6165,8 @@ else
  ac_check_lib_save_LIBS=$LIBS
 LIBS="-lintl  $LIBS"
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 6168 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
@@ -6749,33 +6184,32 @@ strftime ();
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:6187: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:6190: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:6193: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:6196: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_lib_intl_strftime=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_lib_intl_strftime=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_intl_strftime" >&5
+echo "$as_me:6207: result: $ac_cv_lib_intl_strftime" >&5
 echo "${ECHO_T}$ac_cv_lib_intl_strftime" >&6
 if test $ac_cv_lib_intl_strftime = yes; then
-  cat >>confdefs.h <<\_ACEOF
+  cat >>confdefs.h <<\EOF
 #define HAVE_STRFTIME 1
-_ACEOF
+EOF
 LIBS="-lintl $LIBS"
 fi
@@ -6783,17 +6217,12 @@ fi
 fi
 done
 # Check for ALTDIRFUNC glob() extension
-echo "$as_me:$LINENO: checking for GLOB_ALTDIRFUNC support" >&5
+echo "$as_me:6221: checking for GLOB_ALTDIRFUNC support" >&5
 echo $ECHO_N "checking for GLOB_ALTDIRFUNC support... $ECHO_C" >&6
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 6224 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
                #include <glob.h>
                #ifdef GLOB_ALTDIRFUNC
@@ -6802,76 +6231,62 @@ cat >>conftest.$ac_ext <<_ACEOF
 _ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "FOUNDIT" >/dev/null 2>&1; then
+  egrep "FOUNDIT" >/dev/null 2>&1; then
-                cat >>confdefs.h <<\_ACEOF
+                cat >>confdefs.h <<\EOF
 #define GLOB_HAS_ALTDIRFUNC 1
-_ACEOF
+EOF
-                echo "$as_me:$LINENO: result: yes" >&5
+                echo "$as_me:6240: result: yes" >&5
 echo "${ECHO_T}yes" >&6
 else
-                echo "$as_me:$LINENO: result: no" >&5
+                echo "$as_me:6245: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
 rm -f conftest*
 # Check for g.gl_matchc glob() extension
-echo "$as_me:$LINENO: checking for gl_matchc field in glob_t" >&5
+echo "$as_me:6252: checking for gl_matchc field in glob_t" >&5
 echo $ECHO_N "checking for gl_matchc field in glob_t... $ECHO_C" >&6
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 6255 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
                #include <glob.h>
                int main(void){glob_t g; g.gl_matchc = 1;}
 _ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "FOUNDIT" >/dev/null 2>&1; then
+  egrep "FOUNDIT" >/dev/null 2>&1; then
-                cat >>confdefs.h <<\_ACEOF
+                cat >>confdefs.h <<\EOF
 #define GLOB_HAS_GL_MATCHC 1
-_ACEOF
+EOF
-                echo "$as_me:$LINENO: result: yes" >&5
+                echo "$as_me:6269: result: yes" >&5
 echo "${ECHO_T}yes" >&6
 else
-                echo "$as_me:$LINENO: result: no" >&5
+                echo "$as_me:6274: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
 rm -f conftest*
+echo "$as_me:6280: checking whether struct dirent allocates space for d_name" >&5
-echo "$as_me:$LINENO: checking whether struct dirent allocates space for d_name" >&5
 echo $ECHO_N "checking whether struct dirent allocates space for d_name... $ECHO_C" >&6
 if test "$cross_compiling" = yes; then
-  { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling
+  { { echo "$as_me:6283: error: cannot run test program while cross compiling" >&5
-See \`config.log' for more details." >&5
+echo "$as_me: error: cannot run test program while cross compiling" >&2;}
-echo "$as_me: error: cannot run test program while cross compiling
-See \`config.log' for more details." >&2;}
   { (exit 1); exit 1; }; }
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 6288 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
 #include <dirent.h>
@@ -6879,35 +6294,31 @@ int main(void){struct dirent d;exit(sizeof(d.d_name)<=sizeof(char));}
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:6297: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:6300: \$? = $ac_status" >&5
  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:6302: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:6305: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-  echo "$as_me:$LINENO: result: yes" >&5
+  echo "$as_me:6307: result: yes" >&5
 echo "${ECHO_T}yes" >&6
 else
  echo "$as_me: program exited with status $ac_status" >&5
 echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
-( exit $ac_status )
+                echo "$as_me:6314: result: no" >&5
-                echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6
-                cat >>confdefs.h <<\_ACEOF
+                cat >>confdefs.h <<\EOF
 #define BROKEN_ONE_BYTE_DIRENT_D_NAME 1
-_ACEOF
+EOF
 fi
-rm -f core core.* *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 # Check whether user wants S/Key support
@@ -6924,29 +6335,23 @@ if test "${with_skey+set}" = set; then
                                LDFLAGS="$LDFLAGS -L${withval}/lib"
                        fi
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define SKEY 1
-_ACEOF
+EOF
                        LIBS="-lskey $LIBS"
                        SKEY_MSG="yes"
-                        echo "$as_me:$LINENO: checking for s/key support" >&5
+                        echo "$as_me:6345: checking for s/key support" >&5
 echo $ECHO_N "checking for s/key support... $ECHO_C" >&6
                        if test "$cross_compiling" = yes; then
-  { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling
+  { { echo "$as_me:6348: error: cannot run test program while cross compiling" >&5
-See \`config.log' for more details." >&5
+echo "$as_me: error: cannot run test program while cross compiling" >&2;}
-echo "$as_me: error: cannot run test program while cross compiling
-See \`config.log' for more details." >&2;}
   { (exit 1); exit 1; }; }
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 6353 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <stdio.h>
 #include <skey.h>
@@ -6954,37 +6359,34 @@ int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); }
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:6362: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:6365: \$? = $ac_status" >&5
  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:6367: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:6370: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-  echo "$as_me:$LINENO: result: yes" >&5
+  echo "$as_me:6372: result: yes" >&5
 echo "${ECHO_T}yes" >&6
 else
  echo "$as_me: program exited with status $ac_status" >&5
 echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
-( exit $ac_status )
+                                        echo "$as_me:6379: result: no" >&5
-                                        echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6
-                                        { { echo "$as_me:$LINENO: error: ** Incomplete or missing s/key libraries." >&5
+                                        { { echo "$as_me:6381: error: ** Incomplete or missing s/key libraries." >&5
 echo "$as_me: error: ** Incomplete or missing s/key libraries." >&2;}
   { (exit 1); exit 1; }; }
 fi
-rm -f core core.* *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
                fi
 fi;
 # Check whether user wants TCP wrappers support
@@ -7020,15 +6422,11 @@ if test "${with_tcp_wrappers+set}" = set; then
                        fi
                        LIBWRAP="-lwrap"
                        LIBS="$LIBWRAP $LIBS"
-                        echo "$as_me:$LINENO: checking for libwrap" >&5
+                        echo "$as_me:6425: checking for libwrap" >&5
 echo $ECHO_N "checking for libwrap... $ECHO_C" >&6
                        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 6428 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <tcpd.h>
                                        int deny_severity = 0, allow_severity = 0;
@@ -7042,215 +6440,124 @@ hosts_access(0);
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:6443: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:6446: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:6449: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:6452: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-                                        echo "$as_me:$LINENO: result: yes" >&5
+                                        echo "$as_me:6455: result: yes" >&5
 echo "${ECHO_T}yes" >&6
-                                        cat >>confdefs.h <<\_ACEOF
+                                        cat >>confdefs.h <<\EOF
 #define LIBWRAP 1
-_ACEOF
+EOF
                                        TCPW_MSG="yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
-                                        { { echo "$as_me:$LINENO: error: *** libwrap missing" >&5
+                                        { { echo "$as_me:6467: error: *** libwrap missing" >&5
 echo "$as_me: error: *** libwrap missing" >&2;}
   { (exit 1); exit 1; }; }
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
                        LIBS="$saved_LIBS"
                fi
 fi;
 for ac_func in \
-        arc4random __b64_ntop b64_ntop __b64_pton b64_pton basename bcopy \
+        arc4random __b64_ntop b64_ntop __b64_pton b64_pton basename \
-        bindresvport_sa clock fchmod fchown freeaddrinfo futimes \
+        bcopy bindresvport_sa clock fchmod fchown freeaddrinfo futimes \
        gai_strerror getaddrinfo getcwd getgrouplist getnameinfo getopt \
-        getpeereid _getpty getrlimit getrusage getttyent glob inet_aton \
+        getpeereid _getpty getrlimit getttyent glob inet_aton \
        inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove \
-        mkdtemp mmap ngetaddrinfo nsleep ogetaddrinfo openpty pstat \
+        mkdtemp mmap ngetaddrinfo nsleep ogetaddrinfo openlog_r openpty \
-        readpassphrase realpath recvmsg rresvport_af sendmsg setdtablesize \
+        pstat readpassphrase realpath recvmsg rresvport_af sendmsg \
-        setegid setenv seteuid setgroups setlogin setpcred setproctitle \
+        setdtablesize setegid setenv seteuid setgroups setlogin setpcred \
-        setresgid setreuid setrlimit setsid setvbuf sigaction sigvec \
+        setproctitle setregid setresgid setresuid setreuid setrlimit \
-        snprintf socketpair strerror strlcat strlcpy strmode strnvis \
+        setsid setvbuf sigaction sigvec snprintf socketpair strerror \
-        sysconf tcgetpgrp truncate utimes vhangup vsnprintf waitpid \
+        strlcat strlcpy strmode strnvis sysconf tcgetpgrp \
+        truncate utimes vhangup vsnprintf waitpid \
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo "$as_me:6494: checking for $ac_func" >&5
 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
 if eval "test \"\${$as_ac_var+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 6500 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
+    which can conflict with char $ac_func (); below.  */
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+#include <assert.h>
-    <limits.h> exists even on freestanding compilers.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
 /* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
+char (*f) ();
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
    to always fail with ENOSYS.  Some functions are actually named
    something starting with __ and the normal name is an alias.  */
 #if defined (__stub_$ac_func) || defined (__stub___$ac_func)
 choke me
 #else
-char (*f) () = $ac_func;
+f = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
-int
-main ()
-{
-return f != $ac_func;
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:6531: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:6534: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:6537: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:6540: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  eval "$as_ac_var=yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 eval "$as_ac_var=no"
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
+echo "$as_me:6550: result: `eval echo '${'$as_ac_var'}'`" >&5
 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
 if test `eval echo '${'$as_ac_var'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
+  cat >>confdefs.h <<EOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
+EOF
 fi
 done
+echo "$as_me:6560: checking for library containing nanosleep" >&5
-echo "$as_me:$LINENO: checking for library containing nanosleep" >&5
 echo $ECHO_N "checking for library containing nanosleep... $ECHO_C" >&6
 if test "${ac_cv_search_nanosleep+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -7258,12 +6565,8 @@ else
  ac_func_search_save_LIBS=$LIBS
 ac_cv_search_nanosleep=no
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 6568 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
@@ -7281,34 +6584,29 @@ nanosleep ();
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:6587: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:6590: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:6593: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:6596: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_search_nanosleep="none required"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 if test "$ac_cv_search_nanosleep" = no; then
  for ac_lib in rt posix4; do
    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
    cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 6608 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
@@ -7326,161 +6624,231 @@ nanosleep ();
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:6627: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:6630: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:6633: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:6636: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_search_nanosleep="-l$ac_lib"
 break
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
  done
 fi
 LIBS=$ac_func_search_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_search_nanosleep" >&5
+echo "$as_me:6649: result: $ac_cv_search_nanosleep" >&5
 echo "${ECHO_T}$ac_cv_search_nanosleep" >&6
 if test "$ac_cv_search_nanosleep" != no; then
  test "$ac_cv_search_nanosleep" = "none required" || LIBS="$ac_cv_search_nanosleep $LIBS"
-  cat >>confdefs.h <<\_ACEOF
+  cat >>confdefs.h <<\EOF
 #define HAVE_NANOSLEEP 1
-_ACEOF
+EOF
 fi
-echo "$as_me:$LINENO: checking for library containing basename" >&5
+echo "$as_me:6659: checking for ANSI C header files" >&5
-echo $ECHO_N "checking for library containing basename... $ECHO_C" >&6
+echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6
-if test "${ac_cv_search_basename+set}" = set; then
+if test "${ac_cv_header_stdc+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  ac_func_search_save_LIBS=$LIBS
+  cat >conftest.$ac_ext <<_ACEOF
-ac_cv_search_basename=no
+#line 6665 "configure"
-cat >conftest.$ac_ext <<_ACEOF
+#include "confdefs.h"
-#line $LINENO "configure"
+#include <stdlib.h>
-/* confdefs.h.  */
+#include <stdarg.h>
+#include <string.h>
+#include <float.h>
 _ACEOF
-cat confdefs.h >>conftest.$ac_ext
+if { (eval echo "$as_me:6673: \"$ac_cpp conftest.$ac_ext\"") >&5
-cat >>conftest.$ac_ext <<_ACEOF
+  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
-/* end confdefs.h.  */
+  ac_status=$?
+  egrep -v '^ *\+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:6679: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null; then
+  if test -s conftest.err; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+  ac_cv_header_stdc=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_header_stdc=no
+fi
+rm -f conftest.err conftest.$ac_ext
-/* Override any gcc2 internal prototype to avoid an error.  */
+if test $ac_cv_header_stdc = yes; then
-#ifdef __cplusplus
+  # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
-extern "C"
+  cat >conftest.$ac_ext <<_ACEOF
+#line 6701 "configure"
+#include "confdefs.h"
+#include <string.h>
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "memchr" >/dev/null 2>&1; then
+  :
+else
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+fi
+if test $ac_cv_header_stdc = yes; then
+  # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
+  cat >conftest.$ac_ext <<_ACEOF
+#line 6719 "configure"
+#include "confdefs.h"
+#include <stdlib.h>
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  egrep "free" >/dev/null 2>&1; then
+  :
+else
+  ac_cv_header_stdc=no
+fi
+rm -f conftest*
+fi
+if test $ac_cv_header_stdc = yes; then
+  # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
+  if test "$cross_compiling" = yes; then
+  :
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 6740 "configure"
+#include "confdefs.h"
+#include <ctype.h>
+#if ((' ' & 0x0FF) == 0x020)
+# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
+# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
+#else
+# define ISLOWER(c) (('a' <= (c) && (c) <= 'i') \
+                     || ('j' <= (c) && (c) <= 'r') \
+                     || ('s' <= (c) && (c) <= 'z'))
+# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c))
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
+#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
-char basename ();
 int
 main ()
 {
-basename ();
+  int i;
-  ;
+  for (i = 0; i < 256; i++)
-  return 0;
+    if (XOR (islower (i), ISLOWER (i))
+        || toupper (i) != TOUPPER (i))
+      exit(2);
+  exit (0);
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
+rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:6766: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:6769: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
+  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-         { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:6771: \"$ac_try\"") >&5
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:6774: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-  ac_cv_search_basename="none required"
+  :
 else
-  echo "$as_me: failed program was:" >&5
+  echo "$as_me: program exited with status $ac_status" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_header_stdc=no
+fi
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+fi
+fi
+fi
+echo "$as_me:6787: result: $ac_cv_header_stdc" >&5
+echo "${ECHO_T}$ac_cv_header_stdc" >&6
+if test $ac_cv_header_stdc = yes; then
+cat >>confdefs.h <<\EOF
+#define STDC_HEADERS 1
+EOF
 fi
-rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
-if test "$ac_cv_search_basename" = no; then
-  for ac_lib in gen; do
-    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
-    cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-/* Override any gcc2 internal prototype to avoid an error.  */
+# On IRIX 5.3, sys/types and inttypes.h are conflicting.
-#ifdef __cplusplus
-extern "C"
+for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \
-#endif
+                  inttypes.h stdint.h unistd.h
-/* We use char because int might match the return type of a gcc2
+do
-   builtin and then its argument prototype would still apply.  */
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-char basename ();
+echo "$as_me:6803: checking for $ac_header" >&5
-int
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-main ()
+if eval "test \"\${$as_ac_Header+set}\" = set"; then
-{
+  echo $ECHO_N "(cached) $ECHO_C" >&6
-basename ();
+else
-  ;
+  cat >conftest.$ac_ext <<_ACEOF
-  return 0;
+#line 6809 "configure"
-}
+#include "confdefs.h"
+$ac_includes_default
+#include <$ac_header>
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
+rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:6815: \"$ac_compile\"") >&5
-  (eval $ac_link) 2>&5
+  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:6818: \$? = $ac_status" >&5
  (exit $ac_status); } &&
-         { ac_try='test -s conftest$ac_exeext'
+         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:6821: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:6824: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-  ac_cv_search_basename="-l$ac_lib"
+  eval "$as_ac_Header=yes"
-break
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+eval "$as_ac_Header=no"
-fi
-rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
-  done
 fi
-LIBS=$ac_func_search_save_LIBS
+rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_search_basename" >&5
+echo "$as_me:6834: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}$ac_cv_search_basename" >&6
+echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
-if test "$ac_cv_search_basename" != no; then
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
-  test "$ac_cv_search_basename" = "none required" || LIBS="$ac_cv_search_basename $LIBS"
+  cat >>confdefs.h <<EOF
-  cat >>confdefs.h <<\_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
-#define HAVE_BASENAME 1
+EOF
-_ACEOF
 fi
+done
+echo "$as_me:6844: checking whether strsep is declared" >&5
-echo "$as_me:$LINENO: checking whether strsep is declared" >&5
 echo $ECHO_N "checking whether strsep is declared... $ECHO_C" >&6
 if test "${ac_cv_have_decl_strsep+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 6850 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
 int
 main ()
@@ -7494,1131 +6862,746 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:6865: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:6868: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:6871: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:6874: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_have_decl_strsep=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_have_decl_strsep=no
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_have_decl_strsep" >&5
+echo "$as_me:6884: result: $ac_cv_have_decl_strsep" >&5
 echo "${ECHO_T}$ac_cv_have_decl_strsep" >&6
 if test $ac_cv_have_decl_strsep = yes; then
 for ac_func in strsep
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo "$as_me:6891: checking for $ac_func" >&5
 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
 if eval "test \"\${$as_ac_var+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 6897 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
+    which can conflict with char $ac_func (); below.  */
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+#include <assert.h>
-    <limits.h> exists even on freestanding compilers.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
 /* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
+char (*f) ();
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
    to always fail with ENOSYS.  Some functions are actually named
    something starting with __ and the normal name is an alias.  */
 #if defined (__stub_$ac_func) || defined (__stub___$ac_func)
 choke me
 #else
-char (*f) () = $ac_func;
+f = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
-int
-main ()
-{
-return f != $ac_func;
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:6928: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:6931: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:6934: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:6937: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  eval "$as_ac_var=yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 eval "$as_ac_var=no"
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
+echo "$as_me:6947: result: `eval echo '${'$as_ac_var'}'`" >&5
 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
 if test `eval echo '${'$as_ac_var'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
+  cat >>confdefs.h <<EOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
+EOF
 fi
 done
 fi
+echo "$as_me:6959: checking whether getrusage is declared" >&5
+echo $ECHO_N "checking whether getrusage is declared... $ECHO_C" >&6
+if test "${ac_cv_have_decl_getrusage+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 6965 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+#ifndef getrusage
+  char *p = (char *) getrusage;
+#endif
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:6980: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:6983: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { ac_try='test -s conftest.$ac_objext'
+  { (eval echo "$as_me:6986: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:6989: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_have_decl_getrusage=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_have_decl_getrusage=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:6999: result: $ac_cv_have_decl_getrusage" >&5
+echo "${ECHO_T}$ac_cv_have_decl_getrusage" >&6
+if test $ac_cv_have_decl_getrusage = yes; then
-for ac_func in dirname
+for ac_func in getrusage
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo "$as_me:7006: checking for $ac_func" >&5
 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
 if eval "test \"\${$as_ac_var+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 7012 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
+    which can conflict with char $ac_func (); below.  */
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+#include <assert.h>
-    <limits.h> exists even on freestanding compilers.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
 /* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
+char (*f) ();
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
    to always fail with ENOSYS.  Some functions are actually named
    something starting with __ and the normal name is an alias.  */
 #if defined (__stub_$ac_func) || defined (__stub___$ac_func)
 choke me
 #else
-char (*f) () = $ac_func;
+f = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
-int
-main ()
-{
-return f != $ac_func;
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:7043: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:7046: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:7049: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:7052: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  eval "$as_ac_var=yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 eval "$as_ac_var=no"
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
+echo "$as_me:7062: result: `eval echo '${'$as_ac_var'}'`" >&5
 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
 if test `eval echo '${'$as_ac_var'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
+  cat >>confdefs.h <<EOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
+EOF
-for ac_header in libgen.h
-do
-as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
-  echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
+done
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+fi
+echo "$as_me:7074: checking whether tcsendbreak is declared" >&5
+echo $ECHO_N "checking whether tcsendbreak is declared... $ECHO_C" >&6
+if test "${ac_cv_have_decl_tcsendbreak+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  # Is the header compilable?
+  cat >conftest.$ac_ext <<_ACEOF
-echo "$as_me:$LINENO: checking $ac_header usability" >&5
+#line 7080 "configure"
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
+#include "confdefs.h"
-cat >conftest.$ac_ext <<_ACEOF
+#include <termios.h>
-#line $LINENO "configure"
-/* confdefs.h.  */
+int
-_ACEOF
+main ()
-cat confdefs.h >>conftest.$ac_ext
+{
-cat >>conftest.$ac_ext <<_ACEOF
+#ifndef tcsendbreak
-/* end confdefs.h.  */
+  char *p = (char *) tcsendbreak;
-$ac_includes_default
+#endif
-#include <$ac_header>
+  ;
+  return 0;
+}
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:7096: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:7099: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:7102: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:7105: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-  ac_header_compiler=yes
+  ac_cv_have_decl_tcsendbreak=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ac_cv_have_decl_tcsendbreak=no
-ac_header_compiler=no
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6
-# Is the header present?
-echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <$ac_header>
-_ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
 fi
-if test -z "$ac_cpp_err"; then
+echo "$as_me:7115: result: $ac_cv_have_decl_tcsendbreak" >&5
-  ac_header_preproc=yes
+echo "${ECHO_T}$ac_cv_have_decl_tcsendbreak" >&6
-else
+if test $ac_cv_have_decl_tcsendbreak = yes; then
-  echo "$as_me: failed program was:" >&5
+  cat >>confdefs.h <<\EOF
-sed 's/^/| /' conftest.$ac_ext >&5
+#define HAVE_TCSENDBREAK 1
+EOF
-  ac_header_preproc=no
-fi
-rm -f conftest.err conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc in
-  yes:no )
-    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-    (
-      cat <<\_ASBOX
-## ------------------------------------ ##
-## Report this to bug-autoconf@gnu.org. ##
-## ------------------------------------ ##
-_ASBOX
-    ) |
-      sed "s/^/$as_me: WARNING:     /" >&2
-    ;;
-  no:yes )
-    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-    (
-      cat <<\_ASBOX
-## ------------------------------------ ##
-## Report this to bug-autoconf@gnu.org. ##
-## ------------------------------------ ##
-_ASBOX
-    ) |
-      sed "s/^/$as_me: WARNING:     /" >&2
-    ;;
-esac
-echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  eval "$as_ac_Header=$ac_header_preproc"
-fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
-fi
-if test `eval echo '${'$as_ac_Header'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
-_ACEOF
-fi
-done
 else
-        echo "$as_me:$LINENO: checking for dirname in -lgen" >&5
+for ac_func in tcsendbreak
-echo $ECHO_N "checking for dirname in -lgen... $ECHO_C" >&6
+do
-if test "${ac_cv_lib_gen_dirname+set}" = set; then
+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
+echo "$as_me:7127: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$as_ac_var+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  ac_check_lib_save_LIBS=$LIBS
+  cat >conftest.$ac_ext <<_ACEOF
-LIBS="-lgen  $LIBS"
+#line 7133 "configure"
-cat >conftest.$ac_ext <<_ACEOF
+#include "confdefs.h"
-#line $LINENO "configure"
+/* System header to define __stub macros and hopefully few prototypes,
-/* confdefs.h.  */
+    which can conflict with char $ac_func (); below.  */
-_ACEOF
+#include <assert.h>
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
 extern "C"
 #endif
 /* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
-char dirname ();
+char $ac_func ();
+char (*f) ();
 int
 main ()
 {
-dirname ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:7164: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:7167: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:7170: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:7173: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-  ac_cv_lib_gen_dirname=yes
+  eval "$as_ac_var=yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+eval "$as_ac_var=no"
-ac_cv_lib_gen_dirname=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_gen_dirname" >&5
-echo "${ECHO_T}$ac_cv_lib_gen_dirname" >&6
-if test $ac_cv_lib_gen_dirname = yes; then
-                echo "$as_me:$LINENO: checking for broken dirname" >&5
-echo $ECHO_N "checking for broken dirname... $ECHO_C" >&6
-if test "${ac_cv_have_broken_dirname+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-                        save_LIBS="$LIBS"
-                        LIBS="$LIBS -lgen"
-                        if test "$cross_compiling" = yes; then
-  { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot run test program while cross compiling
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
-else
-  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <libgen.h>
-#include <string.h>
-int main(int argc, char **argv) {
-    char *s, buf[32];
-    strncpy(buf,"/etc", 32);
-    s = dirname(buf);
-    if (!s || strncmp(s, "/", 32) != 0) {
-        exit(1);
-    } else {
-        exit(0);
-    }
-}
-_ACEOF
-rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-   ac_cv_have_broken_dirname="no"
-else
-  echo "$as_me: program exited with status $ac_status" >&5
-echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-( exit $ac_status )
- ac_cv_have_broken_dirname="yes"
-fi
-rm -f core core.* *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
-fi
-                        LIBS="$save_LIBS"
-fi
-echo "$as_me:$LINENO: result: $ac_cv_have_broken_dirname" >&5
-echo "${ECHO_T}$ac_cv_have_broken_dirname" >&6
-                if test "x$ac_cv_have_broken_dirname" = "xno" ; then
-                        LIBS="$LIBS -lgen"
-                        cat >>confdefs.h <<\_ACEOF
-#define HAVE_DIRNAME 1
-_ACEOF
-for ac_header in libgen.h
-do
-as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
-  echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
-else
-  # Is the header compilable?
-echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <$ac_header>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_header_compiler=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-ac_header_compiler=no
-fi
-rm -f conftest.$ac_objext conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6
-# Is the header present?
-echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <$ac_header>
-_ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
-  ac_header_preproc=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-  ac_header_preproc=no
-fi
-rm -f conftest.err conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc in
-  yes:no )
-    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-    (
-      cat <<\_ASBOX
-## ------------------------------------ ##
-## Report this to bug-autoconf@gnu.org. ##
-## ------------------------------------ ##
-_ASBOX
-    ) |
-      sed "s/^/$as_me: WARNING:     /" >&2
-    ;;
-  no:yes )
-    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-    (
-      cat <<\_ASBOX
-## ------------------------------------ ##
-## Report this to bug-autoconf@gnu.org. ##
-## ------------------------------------ ##
-_ASBOX
-    ) |
-      sed "s/^/$as_me: WARNING:     /" >&2
-    ;;
-esac
-echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  eval "$as_ac_Header=$ac_header_preproc"
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
+echo "$as_me:7183: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+if test `eval echo '${'$as_ac_var'}'` = yes; then
-fi
+  cat >>confdefs.h <<EOF
-if test `eval echo '${'$as_ac_Header'}'` = yes; then
+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-  cat >>confdefs.h <<_ACEOF
+EOF
-#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
-_ACEOF
 fi
 done
-                fi
 fi
-fi
-done
 for ac_func in gettimeofday time
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo "$as_me:7198: checking for $ac_func" >&5
 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
 if eval "test \"\${$as_ac_var+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 7204 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
+    which can conflict with char $ac_func (); below.  */
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+#include <assert.h>
-    <limits.h> exists even on freestanding compilers.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
 /* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
+char (*f) ();
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
    to always fail with ENOSYS.  Some functions are actually named
    something starting with __ and the normal name is an alias.  */
 #if defined (__stub_$ac_func) || defined (__stub___$ac_func)
 choke me
 #else
-char (*f) () = $ac_func;
+f = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
-int
-main ()
-{
-return f != $ac_func;
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:7235: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:7238: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:7241: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:7244: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  eval "$as_ac_var=yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 eval "$as_ac_var=no"
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
+echo "$as_me:7254: result: `eval echo '${'$as_ac_var'}'`" >&5
 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
 if test `eval echo '${'$as_ac_var'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
+  cat >>confdefs.h <<EOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
+EOF
 fi
 done
 for ac_func in endutent getutent getutid getutline pututline setutent
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo "$as_me:7267: checking for $ac_func" >&5
 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
 if eval "test \"\${$as_ac_var+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 7273 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
+    which can conflict with char $ac_func (); below.  */
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+#include <assert.h>
-    <limits.h> exists even on freestanding compilers.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
 /* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
+char (*f) ();
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
    to always fail with ENOSYS.  Some functions are actually named
    something starting with __ and the normal name is an alias.  */
 #if defined (__stub_$ac_func) || defined (__stub___$ac_func)
 choke me
 #else
-char (*f) () = $ac_func;
+f = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
-int
-main ()
-{
-return f != $ac_func;
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:7304: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:7307: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:7310: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:7313: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  eval "$as_ac_var=yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 eval "$as_ac_var=no"
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
+echo "$as_me:7323: result: `eval echo '${'$as_ac_var'}'`" >&5
 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
 if test `eval echo '${'$as_ac_var'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
+  cat >>confdefs.h <<EOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
+EOF
 fi
 done
 for ac_func in utmpname
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo "$as_me:7336: checking for $ac_func" >&5
 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
 if eval "test \"\${$as_ac_var+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 7342 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
+    which can conflict with char $ac_func (); below.  */
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+#include <assert.h>
-    <limits.h> exists even on freestanding compilers.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
 /* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
+char (*f) ();
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
    to always fail with ENOSYS.  Some functions are actually named
    something starting with __ and the normal name is an alias.  */
 #if defined (__stub_$ac_func) || defined (__stub___$ac_func)
 choke me
 #else
-char (*f) () = $ac_func;
+f = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
-int
-main ()
-{
-return f != $ac_func;
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:7373: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:7376: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:7379: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:7382: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  eval "$as_ac_var=yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 eval "$as_ac_var=no"
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
+echo "$as_me:7392: result: `eval echo '${'$as_ac_var'}'`" >&5
 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
 if test `eval echo '${'$as_ac_var'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
+  cat >>confdefs.h <<EOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
+EOF
 fi
 done
 for ac_func in endutxent getutxent getutxid getutxline pututxline
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo "$as_me:7405: checking for $ac_func" >&5
 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
 if eval "test \"\${$as_ac_var+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 7411 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
+    which can conflict with char $ac_func (); below.  */
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+#include <assert.h>
-    <limits.h> exists even on freestanding compilers.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
 /* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
+char (*f) ();
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
    to always fail with ENOSYS.  Some functions are actually named
    something starting with __ and the normal name is an alias.  */
 #if defined (__stub_$ac_func) || defined (__stub___$ac_func)
 choke me
 #else
-char (*f) () = $ac_func;
+f = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
-int
-main ()
-{
-return f != $ac_func;
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:7442: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:7445: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:7448: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:7451: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  eval "$as_ac_var=yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 eval "$as_ac_var=no"
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
+echo "$as_me:7461: result: `eval echo '${'$as_ac_var'}'`" >&5
 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
 if test `eval echo '${'$as_ac_var'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
+  cat >>confdefs.h <<EOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
+EOF
 fi
 done
 for ac_func in setutxent utmpxname
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo "$as_me:7474: checking for $ac_func" >&5
 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
 if eval "test \"\${$as_ac_var+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 7480 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
+    which can conflict with char $ac_func (); below.  */
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+#include <assert.h>
-    <limits.h> exists even on freestanding compilers.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
 /* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
+char (*f) ();
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
    to always fail with ENOSYS.  Some functions are actually named
    something starting with __ and the normal name is an alias.  */
 #if defined (__stub_$ac_func) || defined (__stub___$ac_func)
 choke me
 #else
-char (*f) () = $ac_func;
+f = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
-int
-main ()
-{
-return f != $ac_func;
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:7511: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:7514: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:7517: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:7520: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  eval "$as_ac_var=yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 eval "$as_ac_var=no"
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
+echo "$as_me:7530: result: `eval echo '${'$as_ac_var'}'`" >&5
 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
 if test `eval echo '${'$as_ac_var'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
+  cat >>confdefs.h <<EOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
+EOF
 fi
 done
+echo "$as_me:7540: checking for daemon" >&5
-echo "$as_me:$LINENO: checking for daemon" >&5
 echo $ECHO_N "checking for daemon... $ECHO_C" >&6
 if test "${ac_cv_func_daemon+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 7546 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char daemon (); below.
+    which can conflict with char daemon (); below.  */
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+#include <assert.h>
-    <limits.h> exists even on freestanding compilers.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
 /* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
 char daemon ();
+char (*f) ();
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
    to always fail with ENOSYS.  Some functions are actually named
    something starting with __ and the normal name is an alias.  */
 #if defined (__stub_daemon) || defined (__stub___daemon)
 choke me
 #else
-char (*f) () = daemon;
+f = daemon;
-#endif
-#ifdef __cplusplus
-}
 #endif
-int
-main ()
-{
-return f != daemon;
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:7577: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:7580: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:7583: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:7586: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_func_daemon=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_func_daemon=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_daemon" >&5
+echo "$as_me:7596: result: $ac_cv_func_daemon" >&5
 echo "${ECHO_T}$ac_cv_func_daemon" >&6
 if test $ac_cv_func_daemon = yes; then
-  cat >>confdefs.h <<\_ACEOF
+  cat >>confdefs.h <<\EOF
 #define HAVE_DAEMON 1
-_ACEOF
+EOF
 else
-  echo "$as_me:$LINENO: checking for daemon in -lbsd" >&5
+  echo "$as_me:7604: checking for daemon in -lbsd" >&5
 echo $ECHO_N "checking for daemon in -lbsd... $ECHO_C" >&6
 if test "${ac_cv_lib_bsd_daemon+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -8626,12 +7609,8 @@ else
  ac_check_lib_save_LIBS=$LIBS
 LIBS="-lbsd  $LIBS"
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 7612 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
@@ -8649,119 +7628,102 @@ daemon ();
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:7631: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:7634: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:7637: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:7640: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_lib_bsd_daemon=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_lib_bsd_daemon=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_bsd_daemon" >&5
+echo "$as_me:7651: result: $ac_cv_lib_bsd_daemon" >&5
 echo "${ECHO_T}$ac_cv_lib_bsd_daemon" >&6
 if test $ac_cv_lib_bsd_daemon = yes; then
-  LIBS="$LIBS -lbsd"; cat >>confdefs.h <<\_ACEOF
+  LIBS="$LIBS -lbsd"; cat >>confdefs.h <<\EOF
 #define HAVE_DAEMON 1
-_ACEOF
+EOF
 fi
 fi
+echo "$as_me:7662: checking for getpagesize" >&5
-echo "$as_me:$LINENO: checking for getpagesize" >&5
 echo $ECHO_N "checking for getpagesize... $ECHO_C" >&6
 if test "${ac_cv_func_getpagesize+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 7668 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char getpagesize (); below.
+    which can conflict with char getpagesize (); below.  */
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+#include <assert.h>
-    <limits.h> exists even on freestanding compilers.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
 /* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
 char getpagesize ();
+char (*f) ();
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
    to always fail with ENOSYS.  Some functions are actually named
    something starting with __ and the normal name is an alias.  */
 #if defined (__stub_getpagesize) || defined (__stub___getpagesize)
 choke me
 #else
-char (*f) () = getpagesize;
+f = getpagesize;
-#endif
-#ifdef __cplusplus
-}
 #endif
-int
-main ()
-{
-return f != getpagesize;
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:7699: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:7702: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:7705: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:7708: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_func_getpagesize=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_func_getpagesize=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getpagesize" >&5
+echo "$as_me:7718: result: $ac_cv_func_getpagesize" >&5
 echo "${ECHO_T}$ac_cv_func_getpagesize" >&6
 if test $ac_cv_func_getpagesize = yes; then
-  cat >>confdefs.h <<\_ACEOF
+  cat >>confdefs.h <<\EOF
 #define HAVE_GETPAGESIZE 1
-_ACEOF
+EOF
 else
-  echo "$as_me:$LINENO: checking for getpagesize in -lucb" >&5
+  echo "$as_me:7726: checking for getpagesize in -lucb" >&5
 echo $ECHO_N "checking for getpagesize in -lucb... $ECHO_C" >&6
 if test "${ac_cv_lib_ucb_getpagesize+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -8769,12 +7731,8 @@ else
  ac_check_lib_save_LIBS=$LIBS
 LIBS="-lucb  $LIBS"
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 7734 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
@@ -8792,119 +7750,101 @@ getpagesize ();
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:7753: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:7756: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:7759: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:7762: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_lib_ucb_getpagesize=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_lib_ucb_getpagesize=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_ucb_getpagesize" >&5
+echo "$as_me:7773: result: $ac_cv_lib_ucb_getpagesize" >&5
 echo "${ECHO_T}$ac_cv_lib_ucb_getpagesize" >&6
 if test $ac_cv_lib_ucb_getpagesize = yes; then
-  LIBS="$LIBS -lucb"; cat >>confdefs.h <<\_ACEOF
+  LIBS="$LIBS -lucb"; cat >>confdefs.h <<\EOF
 #define HAVE_GETPAGESIZE 1
-_ACEOF
+EOF
 fi
 fi
 # Check for broken snprintf
 if test "x$ac_cv_func_snprintf" = "xyes" ; then
-        echo "$as_me:$LINENO: checking whether snprintf correctly terminates long strings" >&5
+        echo "$as_me:7786: checking whether snprintf correctly terminates long strings" >&5
 echo $ECHO_N "checking whether snprintf correctly terminates long strings... $ECHO_C" >&6
        if test "$cross_compiling" = yes; then
-  { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling
+  { { echo "$as_me:7789: error: cannot run test program while cross compiling" >&5
-See \`config.log' for more details." >&5
+echo "$as_me: error: cannot run test program while cross compiling" >&2;}
-echo "$as_me: error: cannot run test program while cross compiling
-See \`config.log' for more details." >&2;}
   { (exit 1); exit 1; }; }
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 7794 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <stdio.h>
 int main(void){char b[5];snprintf(b,5,"123456789");exit(b[4]!='\0');}
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:7802: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:7805: \$? = $ac_status" >&5
  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:7807: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:7810: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-  echo "$as_me:$LINENO: result: yes" >&5
+  echo "$as_me:7812: result: yes" >&5
 echo "${ECHO_T}yes" >&6
 else
  echo "$as_me: program exited with status $ac_status" >&5
 echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
-( exit $ac_status )
-                        echo "$as_me:$LINENO: result: no" >&5
+                        echo "$as_me:7819: result: no" >&5
 echo "${ECHO_T}no" >&6
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define BROKEN_SNPRINTF 1
-_ACEOF
+EOF
-                        { echo "$as_me:$LINENO: WARNING: ****** Your snprintf() function is broken, complain to your vendor" >&5
+                        { echo "$as_me:7825: WARNING: ****** Your snprintf() function is broken, complain to your vendor" >&5
 echo "$as_me: WARNING: ****** Your snprintf() function is broken, complain to your vendor" >&2;}
 fi
-rm -f core core.* *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 fi
 if test "x$ac_cv_func_mkdtemp" = "xyes" ; then
-echo "$as_me:$LINENO: checking for (overly) strict mkstemp" >&5
+echo "$as_me:7834: checking for (overly) strict mkstemp" >&5
 echo $ECHO_N "checking for (overly) strict mkstemp... $ECHO_C" >&6
 if test "$cross_compiling" = yes; then
-                echo "$as_me:$LINENO: result: yes" >&5
+                echo "$as_me:7838: result: yes" >&5
 echo "${ECHO_T}yes" >&6
-                cat >>confdefs.h <<\_ACEOF
+                cat >>confdefs.h <<\EOF
 #define HAVE_STRICT_MKSTEMP 1
-_ACEOF
+EOF
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 7846 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <stdlib.h>
 main() { char template[]="conftest.mkstemp-test";
@@ -8915,52 +7855,121 @@ unlink(template); exit(0);
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:7858: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:7861: \$? = $ac_status" >&5
  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:7863: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:7866: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-                echo "$as_me:$LINENO: result: no" >&5
+                echo "$as_me:7869: result: no" >&5
 echo "${ECHO_T}no" >&6
 else
  echo "$as_me: program exited with status $ac_status" >&5
 echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
-( exit $ac_status )
+                echo "$as_me:7877: result: yes" >&5
-                echo "$as_me:$LINENO: result: yes" >&5
 echo "${ECHO_T}yes" >&6
-                cat >>confdefs.h <<\_ACEOF
+                cat >>confdefs.h <<\EOF
 #define HAVE_STRICT_MKSTEMP 1
+EOF
+fi
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+fi
+fi
+if test ! -z "$check_for_openpty_ctty_bug"; then
+        echo "$as_me:7889: checking if openpty correctly handles controlling tty" >&5
+echo $ECHO_N "checking if openpty correctly handles controlling tty... $ECHO_C" >&6
+        if test "$cross_compiling" = yes; then
+  { { echo "$as_me:7892: error: cannot run test program while cross compiling" >&5
+echo "$as_me: error: cannot run test program while cross compiling" >&2;}
+   { (exit 1); exit 1; }; }
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 7897 "configure"
+#include "confdefs.h"
+#include <stdio.h>
+#include <sys/fcntl.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+int
+main()
+{
+        pid_t pid;
+        int fd, ptyfd, ttyfd, status;
+        pid = fork();
+        if (pid < 0) {          /* failed */
+                exit(1);
+        } else if (pid > 0) {   /* parent */
+                waitpid(pid, &status, 0);
+                if (WIFEXITED(status))
+                        exit(WEXITSTATUS(status));
+                else
+                        exit(2);
+        } else {                /* child */
+                close(0); close(1); close(2);
+                setsid();
+                openpty(&ptyfd, &ttyfd, NULL, NULL, NULL);
+                fd = open("/dev/tty", O_RDWR | O_NOCTTY);
+                if (fd >= 0)
+                        exit(3);        /* Acquired ctty: broken */
+                else
+                        exit(0);        /* Did not acquire ctty: OK */
+        }
+}
 _ACEOF
+rm -f conftest$ac_exeext
+if { (eval echo "$as_me:7934: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:7937: \$? = $ac_status" >&5
+  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
+  { (eval echo "$as_me:7939: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:7942: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+                        echo "$as_me:7945: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+                        echo "$as_me:7953: result: no" >&5
+echo "${ECHO_T}no" >&6
+                        cat >>confdefs.h <<\EOF
+#define SSHD_ACQUIRES_CTTY 1
+EOF
 fi
-rm -f core core.* *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 fi
-echo "$as_me:$LINENO: checking whether getpgrp requires zero arguments" >&5
+echo "$as_me:7964: checking whether getpgrp takes no argument" >&5
-echo $ECHO_N "checking whether getpgrp requires zero arguments... $ECHO_C" >&6
+echo $ECHO_N "checking whether getpgrp takes no argument... $ECHO_C" >&6
 if test "${ac_cv_func_getpgrp_void+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  # Use it with a single arg.
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 7971 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
 int
 main ()
@@ -8971,38 +7980,152 @@ getpgrp (0);
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:7983: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:7986: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:7989: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:7992: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-  ac_cv_func_getpgrp_void=no
+  ac_func_getpgrp_1=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ac_func_getpgrp_1=no
-ac_cv_func_getpgrp_void=yes
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+# Use it with no arg.
+cat >conftest.$ac_ext <<_ACEOF
+#line 8003 "configure"
+#include "confdefs.h"
+$ac_includes_default
+int
+main ()
+{
+getpgrp ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:8015: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:8018: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { ac_try='test -s conftest.$ac_objext'
+  { (eval echo "$as_me:8021: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:8024: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_func_getpgrp_0=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_func_getpgrp_0=no
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
+# If both static checks agree, we are done.
+case $ac_func_getpgrp_0:$ac_func_getpgrp_1 in
+  yes:no) ac_cv_func_getpgrp_void=yes;;
+  no:yes) ac_cv_func_getpgrp_void=false;;
+  *) if test "$cross_compiling" = yes; then
+  { { echo "$as_me:8038: error: cannot check getpgrp if cross compiling" >&5
+echo "$as_me: error: cannot check getpgrp if cross compiling" >&2;}
+   { (exit 1); exit 1; }; }
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 8043 "configure"
+#include "confdefs.h"
+$ac_includes_default
+/*
+ * If this system has a BSD-style getpgrp(),
+ * which takes a pid argument, exit unsuccessfully.
+ *
+ * Snarfed from Chet Ramey's bash pgrp.c test program
+ */
+int     pid;
+int     pg1, pg2, pg3, pg4;
+int     ng, np, s, child;
+int
+main ()
+{
+  pid = getpid ();
+  pg1 = getpgrp (0);
+  pg2 = getpgrp ();
+  pg3 = getpgrp (pid);
+  pg4 = getpgrp (1);
+  /* If all of these values are the same, it's pretty sure that we're
+     on a system that ignores getpgrp's first argument.  */
+  if (pg2 == pg4 && pg1 == pg3 && pg2 == pg3)
+    exit (0);
+  child = fork ();
+  if (child < 0)
+    exit(1);
+  else if (child == 0)
+    {
+      np = getpid ();
+      /*  If this is Sys V, this will not work; pgrp will be set to np
+         because setpgrp just changes a pgrp to be the same as the
+         pid.  */
+      setpgrp (np, pg1);
+      ng = getpgrp (0);        /* Same result for Sys V and BSD */
+      if (ng == pg1)
+        exit (1);
+      else
+        exit (0);
+    }
+  else
+    {
+      wait (&s);
+      exit (s>>8);
+    }
+}
+_ACEOF
+rm -f conftest$ac_exeext
+if { (eval echo "$as_me:8097: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:8100: \$? = $ac_status" >&5
+  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
+  { (eval echo "$as_me:8102: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:8105: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_func_getpgrp_void=yes
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_func_getpgrp_void=no
+fi
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+fi;;
+esac # $ac_func_getpgrp_0:$ac_func_getpgrp_1
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getpgrp_void" >&5
+echo "$as_me:8119: result: $ac_cv_func_getpgrp_void" >&5
 echo "${ECHO_T}$ac_cv_func_getpgrp_void" >&6
 if test $ac_cv_func_getpgrp_void = yes; then
-cat >>confdefs.h <<\_ACEOF
+cat >>confdefs.h <<\EOF
 #define GETPGRP_VOID 1
-_ACEOF
+EOF
 fi
 # Check for PAM libs
 PAM_MSG="no"
@@ -9012,13 +8135,12 @@ if test "${with_pam+set}" = set; then
                if test "x$withval" != "xno" ; then
                        if test "x$ac_cv_header_security_pam_appl_h" != "xyes" ; then
-                                { { echo "$as_me:$LINENO: error: PAM headers not found" >&5
+                                { { echo "$as_me:8138: error: PAM headers not found" >&5
 echo "$as_me: error: PAM headers not found" >&2;}
   { (exit 1); exit 1; }; }
                        fi
+echo "$as_me:8143: checking for dlopen in -ldl" >&5
-echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
 echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6
 if test "${ac_cv_lib_dl_dlopen+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -9026,12 +8148,8 @@ else
  ac_check_lib_save_LIBS=$LIBS
 LIBS="-ldl  $LIBS"
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 8151 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
@@ -9049,40 +8167,38 @@ dlopen ();
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:8170: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:8173: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:8176: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:8179: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_lib_dl_dlopen=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_lib_dl_dlopen=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
+echo "$as_me:8190: result: $ac_cv_lib_dl_dlopen" >&5
 echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6
 if test $ac_cv_lib_dl_dlopen = yes; then
-  cat >>confdefs.h <<_ACEOF
+  cat >>confdefs.h <<EOF
 #define HAVE_LIBDL 1
-_ACEOF
+EOF
  LIBS="-ldl $LIBS"
 fi
+echo "$as_me:8201: checking for pam_set_item in -lpam" >&5
-echo "$as_me:$LINENO: checking for pam_set_item in -lpam" >&5
 echo $ECHO_N "checking for pam_set_item in -lpam... $ECHO_C" >&6
 if test "${ac_cv_lib_pam_pam_set_item+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -9090,12 +8206,8 @@ else
  ac_check_lib_save_LIBS=$LIBS
 LIBS="-lpam  $LIBS"
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 8209 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
@@ -9113,133 +8225,185 @@ pam_set_item ();
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:8228: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:8231: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:8234: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:8237: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_lib_pam_pam_set_item=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_lib_pam_pam_set_item=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_pam_pam_set_item" >&5
+echo "$as_me:8248: result: $ac_cv_lib_pam_pam_set_item" >&5
 echo "${ECHO_T}$ac_cv_lib_pam_pam_set_item" >&6
 if test $ac_cv_lib_pam_pam_set_item = yes; then
-  cat >>confdefs.h <<_ACEOF
+  cat >>confdefs.h <<EOF
 #define HAVE_LIBPAM 1
-_ACEOF
+EOF
  LIBS="-lpam $LIBS"
 else
-  { { echo "$as_me:$LINENO: error: *** libpam missing" >&5
+  { { echo "$as_me:8258: error: *** libpam missing" >&5
 echo "$as_me: error: *** libpam missing" >&2;}
   { (exit 1); exit 1; }; }
 fi
 for ac_func in pam_getenvlist
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo "$as_me:8266: checking for $ac_func" >&5
 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
 if eval "test \"\${$as_ac_var+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 8272 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char $ac_func (); below.
+    which can conflict with char $ac_func (); below.  */
-    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+#include <assert.h>
-    <limits.h> exists even on freestanding compilers.  */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
 /* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
+char (*f) ();
+int
+main ()
+{
 /* The GNU C library defines this for functions which it implements
    to always fail with ENOSYS.  Some functions are actually named
    something starting with __ and the normal name is an alias.  */
 #if defined (__stub_$ac_func) || defined (__stub___$ac_func)
 choke me
 #else
-char (*f) () = $ac_func;
+f = $ac_func;
 #endif
-#ifdef __cplusplus
+  ;
+  return 0;
 }
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:8303: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:8306: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:8309: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:8312: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  eval "$as_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+eval "$as_ac_var=no"
+fi
+rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:8322: result: `eval echo '${'$as_ac_var'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+if test `eval echo '${'$as_ac_var'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
+EOF
+fi
+done
+for ac_func in pam_putenv
+do
+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
+echo "$as_me:8335: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$as_ac_var+set}\" = set"; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 8341 "configure"
+#include "confdefs.h"
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.  */
+#include <assert.h>
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
 #endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
 int
 main ()
 {
-return f != $ac_func;
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:8372: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:8375: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:8378: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:8381: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  eval "$as_ac_var=yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 eval "$as_ac_var=no"
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
+echo "$as_me:8391: result: `eval echo '${'$as_ac_var'}'`" >&5
 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
 if test `eval echo '${'$as_ac_var'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
+  cat >>confdefs.h <<EOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
+EOF
 fi
 done
                        disable_shadow=yes
                        PAM_MSG="yes"
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define USE_PAM 1
-_ACEOF
+EOF
                        if test $ac_cv_lib_dl_dlopen = yes; then
                                LIBPAM="-lpam -ldl"
@@ -9249,21 +8413,16 @@ _ACEOF
                fi
 fi;
 # Check for older PAM
 if test "x$PAM_MSG" = "xyes" ; then
        # Check PAM strerror arguments (old PAM)
-        echo "$as_me:$LINENO: checking whether pam_strerror takes only one argument" >&5
+        echo "$as_me:8421: checking whether pam_strerror takes only one argument" >&5
 echo $ECHO_N "checking whether pam_strerror takes only one argument... $ECHO_C" >&6
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 8424 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <stdlib.h>
 #include <security/pam_appl.h>
@@ -9277,33 +8436,31 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:8439: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:8442: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:8445: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:8448: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:8450: result: no" >&5
 echo "${ECHO_T}no" >&6
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+                        cat >>confdefs.h <<\EOF
-                        cat >>confdefs.h <<\_ACEOF
 #define HAVE_OLD_PAM 1
-_ACEOF
+EOF
-                        echo "$as_me:$LINENO: result: yes" >&5
+                        echo "$as_me:8460: result: yes" >&5
 echo "${ECHO_T}yes" >&6
                        PAM_MSG="yes (old library)"
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
@@ -9312,7 +8469,7 @@ fi
 # because the system crypt() is more featureful.
 if test "x$check_for_libcrypt_before" = "x1"; then
-echo "$as_me:$LINENO: checking for crypt in -lcrypt" >&5
+echo "$as_me:8472: checking for crypt in -lcrypt" >&5
 echo $ECHO_N "checking for crypt in -lcrypt... $ECHO_C" >&6
 if test "${ac_cv_lib_crypt_crypt+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -9320,12 +8477,8 @@ else
  ac_check_lib_save_LIBS=$LIBS
 LIBS="-lcrypt  $LIBS"
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 8480 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
@@ -9343,33 +8496,32 @@ crypt ();
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:8499: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:8502: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:8505: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:8508: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_lib_crypt_crypt=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_lib_crypt_crypt=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_crypt_crypt" >&5
+echo "$as_me:8519: result: $ac_cv_lib_crypt_crypt" >&5
 echo "${ECHO_T}$ac_cv_lib_crypt_crypt" >&6
 if test $ac_cv_lib_crypt_crypt = yes; then
-  cat >>confdefs.h <<_ACEOF
+  cat >>confdefs.h <<EOF
 #define HAVE_LIBCRYPT 1
-_ACEOF
+EOF
  LIBS="-lcrypt $LIBS"
@@ -9406,16 +8558,11 @@ if test "${with_ssl_dir+set}" = set; then
                        fi
                fi
 fi;
 LIBS="$LIBS -lcrypto"
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 8564 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
@@ -9433,25 +8580,24 @@ RAND_add ();
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:8583: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:8586: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:8589: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:8592: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-  cat >>confdefs.h <<\_ACEOF
+  cat >>confdefs.h <<\EOF
 #define HAVE_OPENSSL 1
-_ACEOF
+EOF
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
                                if test -n "${need_dash_r}"; then
                        LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${saved_LDFLAGS}"
@@ -9460,12 +8606,8 @@ sed 's/^/| /' conftest.$ac_ext >&5
                fi
                CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}"
                cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 8609 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
@@ -9483,55 +8625,46 @@ RAND_add ();
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:8628: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:8631: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:8634: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:8637: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-  cat >>confdefs.h <<\_ACEOF
+  cat >>confdefs.h <<\EOF
 #define HAVE_OPENSSL 1
-_ACEOF
+EOF
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+                                { { echo "$as_me:8647: error: *** Can't find recent OpenSSL libcrypto (see config.log for details) ***" >&5
-                                { { echo "$as_me:$LINENO: error: *** Can't find recent OpenSSL libcrypto (see config.log for details) ***" >&5
 echo "$as_me: error: *** Can't find recent OpenSSL libcrypto (see config.log for details) ***" >&2;}
   { (exit 1); exit 1; }; }
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 # Determine OpenSSL header version
-echo "$as_me:$LINENO: checking OpenSSL header version" >&5
+echo "$as_me:8658: checking OpenSSL header version" >&5
 echo $ECHO_N "checking OpenSSL header version... $ECHO_C" >&6
 if test "$cross_compiling" = yes; then
-  { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling
+  { { echo "$as_me:8661: error: cannot run test program while cross compiling" >&5
-See \`config.log' for more details." >&5
+echo "$as_me: error: cannot run test program while cross compiling" >&2;}
-echo "$as_me: error: cannot run test program while cross compiling
-See \`config.log' for more details." >&2;}
   { (exit 1); exit 1; }; }
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 8666 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <stdio.h>
 #include <string.h>
@@ -9553,56 +8686,47 @@ int main(void) {
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:8689: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:8692: \$? = $ac_status" >&5
  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:8694: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:8697: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
                ssl_header_ver=`cat conftest.sslincver`
-                echo "$as_me:$LINENO: result: $ssl_header_ver" >&5
+                echo "$as_me:8701: result: $ssl_header_ver" >&5
 echo "${ECHO_T}$ssl_header_ver" >&6
 else
  echo "$as_me: program exited with status $ac_status" >&5
 echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
-( exit $ac_status )
+                echo "$as_me:8709: result: not found" >&5
-                echo "$as_me:$LINENO: result: not found" >&5
 echo "${ECHO_T}not found" >&6
-                { { echo "$as_me:$LINENO: error: OpenSSL version header not found." >&5
+                { { echo "$as_me:8711: error: OpenSSL version header not found." >&5
 echo "$as_me: error: OpenSSL version header not found." >&2;}
   { (exit 1); exit 1; }; }
 fi
-rm -f core core.* *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 # Determine OpenSSL library version
-echo "$as_me:$LINENO: checking OpenSSL library version" >&5
+echo "$as_me:8720: checking OpenSSL library version" >&5
 echo $ECHO_N "checking OpenSSL library version... $ECHO_C" >&6
 if test "$cross_compiling" = yes; then
-  { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling
+  { { echo "$as_me:8723: error: cannot run test program while cross compiling" >&5
-See \`config.log' for more details." >&5
+echo "$as_me: error: cannot run test program while cross compiling" >&2;}
-echo "$as_me: error: cannot run test program while cross compiling
-See \`config.log' for more details." >&2;}
   { (exit 1); exit 1; }; }
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 8728 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <stdio.h>
 #include <string.h>
@@ -9625,56 +8749,47 @@ int main(void) {
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:8752: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:8755: \$? = $ac_status" >&5
  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:8757: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:8760: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
                ssl_library_ver=`cat conftest.ssllibver`
-                echo "$as_me:$LINENO: result: $ssl_library_ver" >&5
+                echo "$as_me:8764: result: $ssl_library_ver" >&5
 echo "${ECHO_T}$ssl_library_ver" >&6
 else
  echo "$as_me: program exited with status $ac_status" >&5
 echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
-( exit $ac_status )
-                echo "$as_me:$LINENO: result: not found" >&5
+                echo "$as_me:8772: result: not found" >&5
 echo "${ECHO_T}not found" >&6
-                { { echo "$as_me:$LINENO: error: OpenSSL library not found." >&5
+                { { echo "$as_me:8774: error: OpenSSL library not found." >&5
 echo "$as_me: error: OpenSSL library not found." >&2;}
   { (exit 1); exit 1; }; }
 fi
-rm -f core core.* *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 # Sanity check OpenSSL headers
-echo "$as_me:$LINENO: checking whether OpenSSL's headers match the library" >&5
+echo "$as_me:8783: checking whether OpenSSL's headers match the library" >&5
 echo $ECHO_N "checking whether OpenSSL's headers match the library... $ECHO_C" >&6
 if test "$cross_compiling" = yes; then
-  { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling
+  { { echo "$as_me:8786: error: cannot run test program while cross compiling" >&5
-See \`config.log' for more details." >&5
+echo "$as_me: error: cannot run test program while cross compiling" >&2;}
-echo "$as_me: error: cannot run test program while cross compiling
-See \`config.log' for more details." >&2;}
   { (exit 1); exit 1; }; }
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 8791 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <string.h>
 #include <openssl/opensslv.h>
@@ -9682,42 +8797,43 @@ int main(void) { exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); }
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:8800: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:8803: \$? = $ac_status" >&5
  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:8805: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:8808: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-                echo "$as_me:$LINENO: result: yes" >&5
+                echo "$as_me:8811: result: yes" >&5
 echo "${ECHO_T}yes" >&6
 else
  echo "$as_me: program exited with status $ac_status" >&5
 echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
-( exit $ac_status )
+                echo "$as_me:8819: result: no" >&5
-                echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6
-                { { echo "$as_me:$LINENO: error: Your OpenSSL headers do not match your library" >&5
+                { { echo "$as_me:8821: error: Your OpenSSL headers do not match your library.
-echo "$as_me: error: Your OpenSSL headers do not match your library" >&2;}
+Check config.log for details.
+Also see contrib/findssl.sh for help identifying header/library mismatches." >&5
+echo "$as_me: error: Your OpenSSL headers do not match your library.
+Check config.log for details.
+Also see contrib/findssl.sh for help identifying header/library mismatches." >&2;}
   { (exit 1); exit 1; }; }
 fi
-rm -f core core.* *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 # Some Linux systems (Slackware) need crypt() from libcrypt, *not* the
 # version in OpenSSL. Skip this for PAM
-if test "x$PAM_MSG" = "xno" -a "x$check_for_libcrypt_later" = "x1"; then
+if test "x$check_for_libcrypt_later" = "x1"; then
-        echo "$as_me:$LINENO: checking for crypt in -lcrypt" >&5
+        echo "$as_me:8836: checking for crypt in -lcrypt" >&5
 echo $ECHO_N "checking for crypt in -lcrypt... $ECHO_C" >&6
 if test "${ac_cv_lib_crypt_crypt+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -9725,12 +8841,8 @@ else
  ac_check_lib_save_LIBS=$LIBS
 LIBS="-lcrypt  $LIBS"
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 8844 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
@@ -9748,28 +8860,27 @@ crypt ();
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:8863: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:8866: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:8869: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:8872: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_lib_crypt_crypt=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_lib_crypt_crypt=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_crypt_crypt" >&5
+echo "$as_me:8883: result: $ac_cv_lib_crypt_crypt" >&5
 echo "${ECHO_T}$ac_cv_lib_crypt_crypt" >&6
 if test $ac_cv_lib_crypt_crypt = yes; then
  LIBS="$LIBS -lcrypt"
@@ -9777,26 +8888,19 @@ fi
 fi
 ### Configure cryptographic random number support
 # Check wheter OpenSSL seeds itself
-echo "$as_me:$LINENO: checking whether OpenSSL's PRNG is internally seeded" >&5
+echo "$as_me:8894: checking whether OpenSSL's PRNG is internally seeded" >&5
 echo $ECHO_N "checking whether OpenSSL's PRNG is internally seeded... $ECHO_C" >&6
 if test "$cross_compiling" = yes; then
-  { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling
+  { { echo "$as_me:8897: error: cannot run test program while cross compiling" >&5
-See \`config.log' for more details." >&5
+echo "$as_me: error: cannot run test program while cross compiling" >&2;}
-echo "$as_me: error: cannot run test program while cross compiling
-See \`config.log' for more details." >&2;}
   { (exit 1); exit 1; }; }
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 8902 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <string.h>
 #include <openssl/rand.h>
@@ -9804,40 +8908,36 @@ int main(void) { exit(RAND_status() == 1 ? 0 : 1); }
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:8911: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:8914: \$? = $ac_status" >&5
  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:8916: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:8919: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
                OPENSSL_SEEDS_ITSELF=yes
-                echo "$as_me:$LINENO: result: yes" >&5
+                echo "$as_me:8923: result: yes" >&5
 echo "${ECHO_T}yes" >&6
 else
  echo "$as_me: program exited with status $ac_status" >&5
 echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
-( exit $ac_status )
+                echo "$as_me:8931: result: no" >&5
-                echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6
                # Default to use of the rand helper if OpenSSL doesn't
                # seed itself
                USE_RAND_HELPER=yes
 fi
-rm -f core core.* *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 # Do we want to force the use of the rand helper?
 # Check whether --with-rand-helper or --without-rand-helper was given.
@@ -9848,7 +8948,7 @@ if test "${with_rand_helper+set}" = set; then
                        # Force use of OpenSSL's internal RNG, even if
                        # the previous test showed it to be unseeded.
                        if test -z "$OPENSSL_SEEDS_ITSELF" ; then
-                                { echo "$as_me:$LINENO: WARNING: *** Forcing use of OpenSSL's non-self-seeding PRNG" >&5
+                                { echo "$as_me:8951: WARNING: *** Forcing use of OpenSSL's non-self-seeding PRNG" >&5
 echo "$as_me: WARNING: *** Forcing use of OpenSSL's non-self-seeding PRNG" >&2;}
                                OPENSSL_SEEDS_ITSELF=yes
                                USE_RAND_HELPER=""
@@ -9862,9 +8962,9 @@ fi;
 # Which randomness source do we use?
 if test ! -z "$OPENSSL_SEEDS_ITSELF" -a -z "$USE_RAND_HELPER" ; then
        # OpenSSL only
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define OPENSSL_PRNG_ONLY 1
-_ACEOF
+EOF
        RAND_MSG="OpenSSL internal ONLY"
        INSTALL_SSH_RAND_HELPER=""
@@ -9874,7 +8974,6 @@ elif test ! -z "$USE_RAND_HELPER" ; then
        INSTALL_SSH_RAND_HELPER="yes"
 fi
 ### Configuration of ssh-rand-helper
 # PRNGD TCP socket
@@ -9890,20 +8989,19 @@ if test "${with_prngd_port+set}" = set; then
                [0-9]*)
                        ;;
                *)
-                        { { echo "$as_me:$LINENO: error: You must specify a numeric port number for --with-prngd-port" >&5
+                        { { echo "$as_me:8992: error: You must specify a numeric port number for --with-prngd-port" >&5
 echo "$as_me: error: You must specify a numeric port number for --with-prngd-port" >&2;}
   { (exit 1); exit 1; }; }
                        ;;
                esac
                if test ! -z "$withval" ; then
                        PRNGD_PORT="$withval"
-                        cat >>confdefs.h <<_ACEOF
+                        cat >>confdefs.h <<EOF
 #define PRNGD_PORT $PRNGD_PORT
-_ACEOF
+EOF
                fi
 fi;
 # PRNGD Unix domain socket
@@ -9922,7 +9020,7 @@ if test "${with_prngd_socket+set}" = set; then
                /*)
                        ;;
                *)
-                        { { echo "$as_me:$LINENO: error: You must specify an absolute path to the entropy socket" >&5
+                        { { echo "$as_me:9023: error: You must specify an absolute path to the entropy socket" >&5
 echo "$as_me: error: You must specify an absolute path to the entropy socket" >&2;}
   { (exit 1); exit 1; }; }
                        ;;
@@ -9930,18 +9028,18 @@ echo "$as_me: error: You must specify an absolute path to the entropy socket" >&
                if test ! -z "$withval" ; then
                        if test ! -z "$PRNGD_PORT" ; then
-                                { { echo "$as_me:$LINENO: error: You may not specify both a PRNGD/EGD port and socket" >&5
+                                { { echo "$as_me:9031: error: You may not specify both a PRNGD/EGD port and socket" >&5
 echo "$as_me: error: You may not specify both a PRNGD/EGD port and socket" >&2;}
   { (exit 1); exit 1; }; }
                        fi
                        if test ! -r "$withval" ; then
-                                { echo "$as_me:$LINENO: WARNING: Entropy socket is not readable" >&5
+                                { echo "$as_me:9036: WARNING: Entropy socket is not readable" >&5
 echo "$as_me: WARNING: Entropy socket is not readable" >&2;}
                        fi
                        PRNGD_SOCKET="$withval"
-                        cat >>confdefs.h <<_ACEOF
+                        cat >>confdefs.h <<EOF
 #define PRNGD_SOCKET "$PRNGD_SOCKET"
-_ACEOF
+EOF
                fi
@@ -9949,29 +9047,28 @@ else
                # Check for existing socket only if we don't have a random device already
                if test "$USE_RAND_HELPER" = yes ; then
-                        echo "$as_me:$LINENO: checking for PRNGD/EGD socket" >&5
+                        echo "$as_me:9050: checking for PRNGD/EGD socket" >&5
 echo $ECHO_N "checking for PRNGD/EGD socket... $ECHO_C" >&6
                        # Insert other locations here
                        for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
                                if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then
                                        PRNGD_SOCKET="$sock"
-                                        cat >>confdefs.h <<_ACEOF
+                                        cat >>confdefs.h <<EOF
 #define PRNGD_SOCKET "$PRNGD_SOCKET"
-_ACEOF
+EOF
                                        break;
                                fi
                        done
                        if test ! -z "$PRNGD_SOCKET" ; then
-                                echo "$as_me:$LINENO: result: $PRNGD_SOCKET" >&5
+                                echo "$as_me:9064: result: $PRNGD_SOCKET" >&5
 echo "${ECHO_T}$PRNGD_SOCKET" >&6
                        else
-                                echo "$as_me:$LINENO: result: not found" >&5
+                                echo "$as_me:9067: result: not found" >&5
 echo "${ECHO_T}not found" >&6
                        fi
                fi
 fi;
 # Change default command timeout for hashing entropy source
@@ -9985,12 +9082,10 @@ if test "${with_entropy_timeout+set}" = set; then
                        entropy_timeout=$withval
                fi
 fi;
-cat >>confdefs.h <<_ACEOF
+cat >>confdefs.h <<EOF
 #define ENTROPY_TIMEOUT_MSEC $entropy_timeout
-_ACEOF
+EOF
 SSH_PRIVSEP_USER=sshd
@@ -10002,13 +9097,10 @@ if test "${with_privsep_user+set}" = set; then
                        SSH_PRIVSEP_USER=$withval
                fi
 fi;
-cat >>confdefs.h <<_ACEOF
+cat >>confdefs.h <<EOF
 #define SSH_PRIVSEP_USER "$SSH_PRIVSEP_USER"
-_ACEOF
+EOF
 # We do this little dance with the search path to insure
 # that programs that we select for use by installed programs
@@ -10028,7 +9120,7 @@ PATH=$PATH:/etc:$OPATH
        # Extract the first word of "ls", so it can be a program name with args.
 set dummy ls; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:9123: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_path_PROG_LS+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -10038,18 +9130,16 @@ else
  ac_cv_path_PROG_LS="$PROG_LS" # Let the user override the test with a path.
  ;;
  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  if $as_executable_p "$ac_dir/$ac_word"; then
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+   ac_cv_path_PROG_LS="$ac_dir/$ac_word"
-    ac_cv_path_PROG_LS="$as_dir/$ac_word$ac_exec_ext"
+   echo "$as_me:9140: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+   break
-    break 2
+fi
-  fi
-done
 done
  ;;
@@ -10058,10 +9148,10 @@ fi
 PROG_LS=$ac_cv_path_PROG_LS
 if test -n "$PROG_LS"; then
-  echo "$as_me:$LINENO: result: $PROG_LS" >&5
+  echo "$as_me:9151: result: $PROG_LS" >&5
 echo "${ECHO_T}$PROG_LS" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:9154: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -10069,11 +9159,9 @@ fi
                PROG_LS="undef"
        fi
        # Extract the first word of "netstat", so it can be a program name with args.
 set dummy netstat; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:9164: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_path_PROG_NETSTAT+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -10083,18 +9171,16 @@ else
  ac_cv_path_PROG_NETSTAT="$PROG_NETSTAT" # Let the user override the test with a path.
  ;;
  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  if $as_executable_p "$ac_dir/$ac_word"; then
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+   ac_cv_path_PROG_NETSTAT="$ac_dir/$ac_word"
-    ac_cv_path_PROG_NETSTAT="$as_dir/$ac_word$ac_exec_ext"
+   echo "$as_me:9181: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+   break
-    break 2
+fi
-  fi
-done
 done
  ;;
@@ -10103,10 +9189,10 @@ fi
 PROG_NETSTAT=$ac_cv_path_PROG_NETSTAT
 if test -n "$PROG_NETSTAT"; then
-  echo "$as_me:$LINENO: result: $PROG_NETSTAT" >&5
+  echo "$as_me:9192: result: $PROG_NETSTAT" >&5
 echo "${ECHO_T}$PROG_NETSTAT" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:9195: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -10114,11 +9200,9 @@ fi
                PROG_NETSTAT="undef"
        fi
        # Extract the first word of "arp", so it can be a program name with args.
 set dummy arp; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:9205: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_path_PROG_ARP+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -10128,18 +9212,16 @@ else
  ac_cv_path_PROG_ARP="$PROG_ARP" # Let the user override the test with a path.
  ;;
  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  if $as_executable_p "$ac_dir/$ac_word"; then
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+   ac_cv_path_PROG_ARP="$ac_dir/$ac_word"
-    ac_cv_path_PROG_ARP="$as_dir/$ac_word$ac_exec_ext"
+   echo "$as_me:9222: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+   break
-    break 2
+fi
-  fi
-done
 done
  ;;
@@ -10148,10 +9230,10 @@ fi
 PROG_ARP=$ac_cv_path_PROG_ARP
 if test -n "$PROG_ARP"; then
-  echo "$as_me:$LINENO: result: $PROG_ARP" >&5
+  echo "$as_me:9233: result: $PROG_ARP" >&5
 echo "${ECHO_T}$PROG_ARP" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:9236: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -10159,11 +9241,9 @@ fi
                PROG_ARP="undef"
        fi
        # Extract the first word of "ifconfig", so it can be a program name with args.
 set dummy ifconfig; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:9246: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_path_PROG_IFCONFIG+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -10173,18 +9253,16 @@ else
  ac_cv_path_PROG_IFCONFIG="$PROG_IFCONFIG" # Let the user override the test with a path.
  ;;
  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  if $as_executable_p "$ac_dir/$ac_word"; then
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+   ac_cv_path_PROG_IFCONFIG="$ac_dir/$ac_word"
-    ac_cv_path_PROG_IFCONFIG="$as_dir/$ac_word$ac_exec_ext"
+   echo "$as_me:9263: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+   break
-    break 2
+fi
-  fi
-done
 done
  ;;
@@ -10193,10 +9271,10 @@ fi
 PROG_IFCONFIG=$ac_cv_path_PROG_IFCONFIG
 if test -n "$PROG_IFCONFIG"; then
-  echo "$as_me:$LINENO: result: $PROG_IFCONFIG" >&5
+  echo "$as_me:9274: result: $PROG_IFCONFIG" >&5
 echo "${ECHO_T}$PROG_IFCONFIG" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:9277: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -10204,11 +9282,9 @@ fi
                PROG_IFCONFIG="undef"
        fi
        # Extract the first word of "jstat", so it can be a program name with args.
 set dummy jstat; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:9287: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_path_PROG_JSTAT+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -10218,18 +9294,16 @@ else
  ac_cv_path_PROG_JSTAT="$PROG_JSTAT" # Let the user override the test with a path.
  ;;
  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  if $as_executable_p "$ac_dir/$ac_word"; then
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+   ac_cv_path_PROG_JSTAT="$ac_dir/$ac_word"
-    ac_cv_path_PROG_JSTAT="$as_dir/$ac_word$ac_exec_ext"
+   echo "$as_me:9304: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+   break
-    break 2
+fi
-  fi
-done
 done
  ;;
@@ -10238,10 +9312,10 @@ fi
 PROG_JSTAT=$ac_cv_path_PROG_JSTAT
 if test -n "$PROG_JSTAT"; then
-  echo "$as_me:$LINENO: result: $PROG_JSTAT" >&5
+  echo "$as_me:9315: result: $PROG_JSTAT" >&5
 echo "${ECHO_T}$PROG_JSTAT" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:9318: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -10249,11 +9323,9 @@ fi
                PROG_JSTAT="undef"
        fi
        # Extract the first word of "ps", so it can be a program name with args.
 set dummy ps; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:9328: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_path_PROG_PS+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -10263,18 +9335,16 @@ else
  ac_cv_path_PROG_PS="$PROG_PS" # Let the user override the test with a path.
  ;;
  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  if $as_executable_p "$ac_dir/$ac_word"; then
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+   ac_cv_path_PROG_PS="$ac_dir/$ac_word"
-    ac_cv_path_PROG_PS="$as_dir/$ac_word$ac_exec_ext"
+   echo "$as_me:9345: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+   break
-    break 2
+fi
-  fi
-done
 done
  ;;
@@ -10283,10 +9353,10 @@ fi
 PROG_PS=$ac_cv_path_PROG_PS
 if test -n "$PROG_PS"; then
-  echo "$as_me:$LINENO: result: $PROG_PS" >&5
+  echo "$as_me:9356: result: $PROG_PS" >&5
 echo "${ECHO_T}$PROG_PS" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:9359: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -10294,11 +9364,9 @@ fi
                PROG_PS="undef"
        fi
        # Extract the first word of "sar", so it can be a program name with args.
 set dummy sar; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:9369: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_path_PROG_SAR+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -10308,18 +9376,16 @@ else
  ac_cv_path_PROG_SAR="$PROG_SAR" # Let the user override the test with a path.
  ;;
  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  if $as_executable_p "$ac_dir/$ac_word"; then
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+   ac_cv_path_PROG_SAR="$ac_dir/$ac_word"
-    ac_cv_path_PROG_SAR="$as_dir/$ac_word$ac_exec_ext"
+   echo "$as_me:9386: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+   break
-    break 2
+fi
-  fi
-done
 done
  ;;
@@ -10328,10 +9394,10 @@ fi
 PROG_SAR=$ac_cv_path_PROG_SAR
 if test -n "$PROG_SAR"; then
-  echo "$as_me:$LINENO: result: $PROG_SAR" >&5
+  echo "$as_me:9397: result: $PROG_SAR" >&5
 echo "${ECHO_T}$PROG_SAR" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:9400: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -10339,11 +9405,9 @@ fi
                PROG_SAR="undef"
        fi
        # Extract the first word of "w", so it can be a program name with args.
 set dummy w; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:9410: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_path_PROG_W+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -10353,18 +9417,16 @@ else
  ac_cv_path_PROG_W="$PROG_W" # Let the user override the test with a path.
  ;;
  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  if $as_executable_p "$ac_dir/$ac_word"; then
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+   ac_cv_path_PROG_W="$ac_dir/$ac_word"
-    ac_cv_path_PROG_W="$as_dir/$ac_word$ac_exec_ext"
+   echo "$as_me:9427: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+   break
-    break 2
+fi
-  fi
-done
 done
  ;;
@@ -10373,10 +9435,10 @@ fi
 PROG_W=$ac_cv_path_PROG_W
 if test -n "$PROG_W"; then
-  echo "$as_me:$LINENO: result: $PROG_W" >&5
+  echo "$as_me:9438: result: $PROG_W" >&5
 echo "${ECHO_T}$PROG_W" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:9441: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -10384,11 +9446,9 @@ fi
                PROG_W="undef"
        fi
        # Extract the first word of "who", so it can be a program name with args.
 set dummy who; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:9451: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_path_PROG_WHO+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -10398,18 +9458,16 @@ else
  ac_cv_path_PROG_WHO="$PROG_WHO" # Let the user override the test with a path.
  ;;
  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  if $as_executable_p "$ac_dir/$ac_word"; then
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+   ac_cv_path_PROG_WHO="$ac_dir/$ac_word"
-    ac_cv_path_PROG_WHO="$as_dir/$ac_word$ac_exec_ext"
+   echo "$as_me:9468: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+   break
-    break 2
+fi
-  fi
-done
 done
  ;;
@@ -10418,10 +9476,10 @@ fi
 PROG_WHO=$ac_cv_path_PROG_WHO
 if test -n "$PROG_WHO"; then
-  echo "$as_me:$LINENO: result: $PROG_WHO" >&5
+  echo "$as_me:9479: result: $PROG_WHO" >&5
 echo "${ECHO_T}$PROG_WHO" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:9482: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -10429,11 +9487,9 @@ fi
                PROG_WHO="undef"
        fi
        # Extract the first word of "last", so it can be a program name with args.
 set dummy last; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:9492: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_path_PROG_LAST+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -10443,18 +9499,16 @@ else
  ac_cv_path_PROG_LAST="$PROG_LAST" # Let the user override the test with a path.
  ;;
  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  if $as_executable_p "$ac_dir/$ac_word"; then
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+   ac_cv_path_PROG_LAST="$ac_dir/$ac_word"
-    ac_cv_path_PROG_LAST="$as_dir/$ac_word$ac_exec_ext"
+   echo "$as_me:9509: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+   break
-    break 2
+fi
-  fi
-done
 done
  ;;
@@ -10463,10 +9517,10 @@ fi
 PROG_LAST=$ac_cv_path_PROG_LAST
 if test -n "$PROG_LAST"; then
-  echo "$as_me:$LINENO: result: $PROG_LAST" >&5
+  echo "$as_me:9520: result: $PROG_LAST" >&5
 echo "${ECHO_T}$PROG_LAST" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:9523: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -10474,11 +9528,9 @@ fi
                PROG_LAST="undef"
        fi
        # Extract the first word of "lastlog", so it can be a program name with args.
 set dummy lastlog; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:9533: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_path_PROG_LASTLOG+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -10488,18 +9540,16 @@ else
  ac_cv_path_PROG_LASTLOG="$PROG_LASTLOG" # Let the user override the test with a path.
  ;;
  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  if $as_executable_p "$ac_dir/$ac_word"; then
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+   ac_cv_path_PROG_LASTLOG="$ac_dir/$ac_word"
-    ac_cv_path_PROG_LASTLOG="$as_dir/$ac_word$ac_exec_ext"
+   echo "$as_me:9550: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+   break
-    break 2
+fi
-  fi
-done
 done
  ;;
@@ -10508,10 +9558,10 @@ fi
 PROG_LASTLOG=$ac_cv_path_PROG_LASTLOG
 if test -n "$PROG_LASTLOG"; then
-  echo "$as_me:$LINENO: result: $PROG_LASTLOG" >&5
+  echo "$as_me:9561: result: $PROG_LASTLOG" >&5
 echo "${ECHO_T}$PROG_LASTLOG" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:9564: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -10519,11 +9569,9 @@ fi
                PROG_LASTLOG="undef"
        fi
        # Extract the first word of "df", so it can be a program name with args.
 set dummy df; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:9574: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_path_PROG_DF+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -10533,18 +9581,16 @@ else
  ac_cv_path_PROG_DF="$PROG_DF" # Let the user override the test with a path.
  ;;
  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  if $as_executable_p "$ac_dir/$ac_word"; then
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+   ac_cv_path_PROG_DF="$ac_dir/$ac_word"
-    ac_cv_path_PROG_DF="$as_dir/$ac_word$ac_exec_ext"
+   echo "$as_me:9591: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+   break
-    break 2
+fi
-  fi
-done
 done
  ;;
@@ -10553,10 +9599,10 @@ fi
 PROG_DF=$ac_cv_path_PROG_DF
 if test -n "$PROG_DF"; then
-  echo "$as_me:$LINENO: result: $PROG_DF" >&5
+  echo "$as_me:9602: result: $PROG_DF" >&5
 echo "${ECHO_T}$PROG_DF" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:9605: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -10564,11 +9610,9 @@ fi
                PROG_DF="undef"
        fi
        # Extract the first word of "vmstat", so it can be a program name with args.
 set dummy vmstat; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:9615: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_path_PROG_VMSTAT+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -10578,18 +9622,16 @@ else
  ac_cv_path_PROG_VMSTAT="$PROG_VMSTAT" # Let the user override the test with a path.
  ;;
  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  if $as_executable_p "$ac_dir/$ac_word"; then
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+   ac_cv_path_PROG_VMSTAT="$ac_dir/$ac_word"
-    ac_cv_path_PROG_VMSTAT="$as_dir/$ac_word$ac_exec_ext"
+   echo "$as_me:9632: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+   break
-    break 2
+fi
-  fi
-done
 done
  ;;
@@ -10598,10 +9640,10 @@ fi
 PROG_VMSTAT=$ac_cv_path_PROG_VMSTAT
 if test -n "$PROG_VMSTAT"; then
-  echo "$as_me:$LINENO: result: $PROG_VMSTAT" >&5
+  echo "$as_me:9643: result: $PROG_VMSTAT" >&5
 echo "${ECHO_T}$PROG_VMSTAT" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:9646: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -10609,11 +9651,9 @@ fi
                PROG_VMSTAT="undef"
        fi
        # Extract the first word of "uptime", so it can be a program name with args.
 set dummy uptime; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:9656: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_path_PROG_UPTIME+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -10623,18 +9663,16 @@ else
  ac_cv_path_PROG_UPTIME="$PROG_UPTIME" # Let the user override the test with a path.
  ;;
  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  if $as_executable_p "$ac_dir/$ac_word"; then
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+   ac_cv_path_PROG_UPTIME="$ac_dir/$ac_word"
-    ac_cv_path_PROG_UPTIME="$as_dir/$ac_word$ac_exec_ext"
+   echo "$as_me:9673: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+   break
-    break 2
+fi
-  fi
-done
 done
  ;;
@@ -10643,10 +9681,10 @@ fi
 PROG_UPTIME=$ac_cv_path_PROG_UPTIME
 if test -n "$PROG_UPTIME"; then
-  echo "$as_me:$LINENO: result: $PROG_UPTIME" >&5
+  echo "$as_me:9684: result: $PROG_UPTIME" >&5
 echo "${ECHO_T}$PROG_UPTIME" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:9687: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -10654,11 +9692,9 @@ fi
                PROG_UPTIME="undef"
        fi
        # Extract the first word of "ipcs", so it can be a program name with args.
 set dummy ipcs; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:9697: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_path_PROG_IPCS+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -10668,18 +9704,16 @@ else
  ac_cv_path_PROG_IPCS="$PROG_IPCS" # Let the user override the test with a path.
  ;;
  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  if $as_executable_p "$ac_dir/$ac_word"; then
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+   ac_cv_path_PROG_IPCS="$ac_dir/$ac_word"
-    ac_cv_path_PROG_IPCS="$as_dir/$ac_word$ac_exec_ext"
+   echo "$as_me:9714: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+   break
-    break 2
+fi
-  fi
-done
 done
  ;;
@@ -10688,10 +9722,10 @@ fi
 PROG_IPCS=$ac_cv_path_PROG_IPCS
 if test -n "$PROG_IPCS"; then
-  echo "$as_me:$LINENO: result: $PROG_IPCS" >&5
+  echo "$as_me:9725: result: $PROG_IPCS" >&5
 echo "${ECHO_T}$PROG_IPCS" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:9728: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -10699,11 +9733,9 @@ fi
                PROG_IPCS="undef"
        fi
        # Extract the first word of "tail", so it can be a program name with args.
 set dummy tail; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:9738: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_path_PROG_TAIL+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -10713,18 +9745,16 @@ else
  ac_cv_path_PROG_TAIL="$PROG_TAIL" # Let the user override the test with a path.
  ;;
  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  if $as_executable_p "$ac_dir/$ac_word"; then
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+   ac_cv_path_PROG_TAIL="$ac_dir/$ac_word"
-    ac_cv_path_PROG_TAIL="$as_dir/$ac_word$ac_exec_ext"
+   echo "$as_me:9755: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+   break
-    break 2
+fi
-  fi
-done
 done
  ;;
@@ -10733,10 +9763,10 @@ fi
 PROG_TAIL=$ac_cv_path_PROG_TAIL
 if test -n "$PROG_TAIL"; then
-  echo "$as_me:$LINENO: result: $PROG_TAIL" >&5
+  echo "$as_me:9766: result: $PROG_TAIL" >&5
 echo "${ECHO_T}$PROG_TAIL" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:9769: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -10744,7 +9774,6 @@ fi
                PROG_TAIL="undef"
        fi
 # restore PATH
 PATH=$OPATH
@@ -10762,26 +9791,20 @@ if test ! -z "$INSTALL_SSH_RAND_HELPER" ; then
        fi
 fi
 # Cheap hack to ensure NEWS-OS libraries are arranged right.
 if test ! -z "$SONY" ; then
  LIBS="$LIBS -liberty";
 fi
 # Checks for data types
-echo "$as_me:$LINENO: checking for char" >&5
+echo "$as_me:9800: checking for char" >&5
 echo $ECHO_N "checking for char... $ECHO_C" >&6
 if test "${ac_cv_type_char+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 9806 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
 int
 main ()
@@ -10795,328 +9818,209 @@ if (sizeof (char))
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:9821: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:9824: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:9827: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:9830: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_type_char=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_type_char=no
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_char" >&5
+echo "$as_me:9840: result: $ac_cv_type_char" >&5
 echo "${ECHO_T}$ac_cv_type_char" >&6
-echo "$as_me:$LINENO: checking size of char" >&5
+echo "$as_me:9843: checking size of char" >&5
 echo $ECHO_N "checking size of char... $ECHO_C" >&6
 if test "${ac_cv_sizeof_char+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  if test "$ac_cv_type_char" = yes; then
-  # The cast to unsigned long works around a bug in the HP C Compiler
-  # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
-  # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
-  # This bug is HP SR number 8606223364.
  if test "$cross_compiling" = yes; then
  # Depending upon the size, compute the lo and hi bounds.
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 9852 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
 int
 main ()
 {
-static int test_array [1 - 2 * !(((long) (sizeof (char))) >= 0)];
+int _array_ [1 - 2 * !((sizeof (char)) >= 0)]
-test_array [0] = 0
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:9864: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:9867: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:9870: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:9873: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_lo=0 ac_mid=0
  while :; do
    cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 9878 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
 int
 main ()
 {
-static int test_array [1 - 2 * !(((long) (sizeof (char))) <= $ac_mid)];
+int _array_ [1 - 2 * !((sizeof (char)) <= $ac_mid)]
-test_array [0] = 0
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:9890: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:9893: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:9896: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:9899: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_hi=$ac_mid; break
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ac_lo=`expr $ac_mid + 1`; ac_mid=`expr 2 '*' $ac_mid + 1`
-ac_lo=`expr $ac_mid + 1`
-                    if test $ac_lo -le $ac_mid; then
-                      ac_lo= ac_hi=
-                      break
-                    fi
-                    ac_mid=`expr 2 '*' $ac_mid + 1`
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
  done
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ac_hi=-1 ac_mid=-1
-cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-static int test_array [1 - 2 * !(((long) (sizeof (char))) < 0)];
-test_array [0] = 0
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_hi=-1 ac_mid=-1
  while :; do
    cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 9915 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
 int
 main ()
 {
-static int test_array [1 - 2 * !(((long) (sizeof (char))) >= $ac_mid)];
+int _array_ [1 - 2 * !((sizeof (char)) >= $ac_mid)]
-test_array [0] = 0
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:9927: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:9930: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:9933: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:9936: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_lo=$ac_mid; break
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ac_hi=`expr $ac_mid - 1`; ac_mid=`expr 2 '*' $ac_mid`
-ac_hi=`expr '(' $ac_mid ')' - 1`
-                       if test $ac_mid -le $ac_hi; then
-                         ac_lo= ac_hi=
-                         break
-                       fi
-                       ac_mid=`expr 2 '*' $ac_mid`
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
  done
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-ac_lo= ac_hi=
-fi
-rm -f conftest.$ac_objext conftest.$ac_ext
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 # Binary search between lo and hi bounds.
 while test "x$ac_lo" != "x$ac_hi"; do
  ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo`
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 9952 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
 int
 main ()
 {
-static int test_array [1 - 2 * !(((long) (sizeof (char))) <= $ac_mid)];
+int _array_ [1 - 2 * !((sizeof (char)) <= $ac_mid)]
-test_array [0] = 0
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:9964: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:9967: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:9970: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:9973: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_hi=$ac_mid
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ac_lo=`expr $ac_mid + 1`
-ac_lo=`expr '(' $ac_mid ')' + 1`
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 done
-case $ac_lo in
+ac_cv_sizeof_char=$ac_lo
-?*) ac_cv_sizeof_char=$ac_lo;;
-'') { { echo "$as_me:$LINENO: error: cannot compute sizeof (char), 77
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot compute sizeof (char), 77
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; } ;;
-esac
 else
  if test "$cross_compiling" = yes; then
-  { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling
+  { { echo "$as_me:9986: error: cannot run test program while cross compiling" >&5
-See \`config.log' for more details." >&5
+echo "$as_me: error: cannot run test program while cross compiling" >&2;}
-echo "$as_me: error: cannot run test program while cross compiling
-See \`config.log' for more details." >&2;}
   { (exit 1); exit 1; }; }
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 9991 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
-long longval () { return (long) (sizeof (char)); }
-unsigned long ulongval () { return (long) (sizeof (char)); }
-#include <stdio.h>
-#include <stdlib.h>
 int
 main ()
 {
+FILE *f = fopen ("conftest.val", "w");
-  FILE *f = fopen ("conftest.val", "w");
+if (!f)
-  if (! f)
+  exit (1);
-    exit (1);
+fprintf (f, "%d", (sizeof (char)));
-  if (((long) (sizeof (char))) < 0)
+fclose (f);
-    {
-      long i = longval ();
-      if (i != ((long) (sizeof (char))))
-        exit (1);
-      fprintf (f, "%ld\n", i);
-    }
-  else
-    {
-      unsigned long i = ulongval ();
-      if (i != ((long) (sizeof (char))))
-        exit (1);
-      fprintf (f, "%lu\n", i);
-    }
-  exit (ferror (f) || fclose (f) != 0);
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:10007: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10010: \$? = $ac_status" >&5
  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:10012: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10015: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_sizeof_char=`cat conftest.val`
 else
  echo "$as_me: program exited with status $ac_status" >&5
 echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
-( exit $ac_status )
-{ { echo "$as_me:$LINENO: error: cannot compute sizeof (char), 77
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot compute sizeof (char), 77
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
 fi
-rm -f core core.* *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 fi
 rm -f conftest.val
@@ -11124,25 +10028,20 @@ else
  ac_cv_sizeof_char=0
 fi
 fi
-echo "$as_me:$LINENO: result: $ac_cv_sizeof_char" >&5
+echo "$as_me:10031: result: $ac_cv_sizeof_char" >&5
 echo "${ECHO_T}$ac_cv_sizeof_char" >&6
-cat >>confdefs.h <<_ACEOF
+cat >>confdefs.h <<EOF
 #define SIZEOF_CHAR $ac_cv_sizeof_char
-_ACEOF
+EOF
-echo "$as_me:$LINENO: checking for short int" >&5
+echo "$as_me:10037: checking for short int" >&5
 echo $ECHO_N "checking for short int... $ECHO_C" >&6
 if test "${ac_cv_type_short_int+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 10043 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
 int
 main ()
@@ -11156,328 +10055,209 @@ if (sizeof (short int))
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:10058: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10061: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:10064: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10067: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_type_short_int=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_type_short_int=no
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_short_int" >&5
+echo "$as_me:10077: result: $ac_cv_type_short_int" >&5
 echo "${ECHO_T}$ac_cv_type_short_int" >&6
-echo "$as_me:$LINENO: checking size of short int" >&5
+echo "$as_me:10080: checking size of short int" >&5
 echo $ECHO_N "checking size of short int... $ECHO_C" >&6
 if test "${ac_cv_sizeof_short_int+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  if test "$ac_cv_type_short_int" = yes; then
-  # The cast to unsigned long works around a bug in the HP C Compiler
-  # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
-  # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
-  # This bug is HP SR number 8606223364.
  if test "$cross_compiling" = yes; then
  # Depending upon the size, compute the lo and hi bounds.
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 10089 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
 int
 main ()
 {
-static int test_array [1 - 2 * !(((long) (sizeof (short int))) >= 0)];
+int _array_ [1 - 2 * !((sizeof (short int)) >= 0)]
-test_array [0] = 0
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:10101: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10104: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:10107: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10110: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_lo=0 ac_mid=0
  while :; do
    cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 10115 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
 int
 main ()
 {
-static int test_array [1 - 2 * !(((long) (sizeof (short int))) <= $ac_mid)];
+int _array_ [1 - 2 * !((sizeof (short int)) <= $ac_mid)]
-test_array [0] = 0
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:10127: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10130: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:10133: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10136: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_hi=$ac_mid; break
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ac_lo=`expr $ac_mid + 1`; ac_mid=`expr 2 '*' $ac_mid + 1`
-ac_lo=`expr $ac_mid + 1`
-                    if test $ac_lo -le $ac_mid; then
-                      ac_lo= ac_hi=
-                      break
-                    fi
-                    ac_mid=`expr 2 '*' $ac_mid + 1`
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
  done
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ac_hi=-1 ac_mid=-1
-cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-static int test_array [1 - 2 * !(((long) (sizeof (short int))) < 0)];
-test_array [0] = 0
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_hi=-1 ac_mid=-1
  while :; do
    cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 10152 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
 int
 main ()
 {
-static int test_array [1 - 2 * !(((long) (sizeof (short int))) >= $ac_mid)];
+int _array_ [1 - 2 * !((sizeof (short int)) >= $ac_mid)]
-test_array [0] = 0
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:10164: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10167: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:10170: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10173: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_lo=$ac_mid; break
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ac_hi=`expr $ac_mid - 1`; ac_mid=`expr 2 '*' $ac_mid`
-ac_hi=`expr '(' $ac_mid ')' - 1`
-                       if test $ac_mid -le $ac_hi; then
-                         ac_lo= ac_hi=
-                         break
-                       fi
-                       ac_mid=`expr 2 '*' $ac_mid`
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
  done
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-ac_lo= ac_hi=
-fi
-rm -f conftest.$ac_objext conftest.$ac_ext
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 # Binary search between lo and hi bounds.
 while test "x$ac_lo" != "x$ac_hi"; do
  ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo`
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 10189 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
 int
 main ()
 {
-static int test_array [1 - 2 * !(((long) (sizeof (short int))) <= $ac_mid)];
+int _array_ [1 - 2 * !((sizeof (short int)) <= $ac_mid)]
-test_array [0] = 0
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:10201: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10204: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:10207: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10210: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_hi=$ac_mid
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ac_lo=`expr $ac_mid + 1`
-ac_lo=`expr '(' $ac_mid ')' + 1`
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 done
-case $ac_lo in
+ac_cv_sizeof_short_int=$ac_lo
-?*) ac_cv_sizeof_short_int=$ac_lo;;
-'') { { echo "$as_me:$LINENO: error: cannot compute sizeof (short int), 77
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot compute sizeof (short int), 77
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; } ;;
-esac
 else
  if test "$cross_compiling" = yes; then
-  { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling
+  { { echo "$as_me:10223: error: cannot run test program while cross compiling" >&5
-See \`config.log' for more details." >&5
+echo "$as_me: error: cannot run test program while cross compiling" >&2;}
-echo "$as_me: error: cannot run test program while cross compiling
-See \`config.log' for more details." >&2;}
   { (exit 1); exit 1; }; }
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 10228 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
-long longval () { return (long) (sizeof (short int)); }
-unsigned long ulongval () { return (long) (sizeof (short int)); }
-#include <stdio.h>
-#include <stdlib.h>
 int
 main ()
 {
+FILE *f = fopen ("conftest.val", "w");
-  FILE *f = fopen ("conftest.val", "w");
+if (!f)
-  if (! f)
+  exit (1);
-    exit (1);
+fprintf (f, "%d", (sizeof (short int)));
-  if (((long) (sizeof (short int))) < 0)
+fclose (f);
-    {
-      long i = longval ();
-      if (i != ((long) (sizeof (short int))))
-        exit (1);
-      fprintf (f, "%ld\n", i);
-    }
-  else
-    {
-      unsigned long i = ulongval ();
-      if (i != ((long) (sizeof (short int))))
-        exit (1);
-      fprintf (f, "%lu\n", i);
-    }
-  exit (ferror (f) || fclose (f) != 0);
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:10244: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10247: \$? = $ac_status" >&5
  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:10249: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10252: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_sizeof_short_int=`cat conftest.val`
 else
  echo "$as_me: program exited with status $ac_status" >&5
 echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
-( exit $ac_status )
-{ { echo "$as_me:$LINENO: error: cannot compute sizeof (short int), 77
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot compute sizeof (short int), 77
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
 fi
-rm -f core core.* *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 fi
 rm -f conftest.val
@@ -11485,25 +10265,20 @@ else
  ac_cv_sizeof_short_int=0
 fi
 fi
-echo "$as_me:$LINENO: result: $ac_cv_sizeof_short_int" >&5
+echo "$as_me:10268: result: $ac_cv_sizeof_short_int" >&5
 echo "${ECHO_T}$ac_cv_sizeof_short_int" >&6
-cat >>confdefs.h <<_ACEOF
+cat >>confdefs.h <<EOF
 #define SIZEOF_SHORT_INT $ac_cv_sizeof_short_int
-_ACEOF
+EOF
-echo "$as_me:$LINENO: checking for int" >&5
+echo "$as_me:10274: checking for int" >&5
 echo $ECHO_N "checking for int... $ECHO_C" >&6
 if test "${ac_cv_type_int+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 10280 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
 int
 main ()
@@ -11517,328 +10292,209 @@ if (sizeof (int))
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:10295: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10298: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:10301: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10304: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_type_int=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_type_int=no
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_int" >&5
+echo "$as_me:10314: result: $ac_cv_type_int" >&5
 echo "${ECHO_T}$ac_cv_type_int" >&6
-echo "$as_me:$LINENO: checking size of int" >&5
+echo "$as_me:10317: checking size of int" >&5
 echo $ECHO_N "checking size of int... $ECHO_C" >&6
 if test "${ac_cv_sizeof_int+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  if test "$ac_cv_type_int" = yes; then
-  # The cast to unsigned long works around a bug in the HP C Compiler
-  # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
-  # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
-  # This bug is HP SR number 8606223364.
  if test "$cross_compiling" = yes; then
  # Depending upon the size, compute the lo and hi bounds.
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 10326 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
 int
 main ()
 {
-static int test_array [1 - 2 * !(((long) (sizeof (int))) >= 0)];
+int _array_ [1 - 2 * !((sizeof (int)) >= 0)]
-test_array [0] = 0
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:10338: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10341: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:10344: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10347: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_lo=0 ac_mid=0
  while :; do
    cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 10352 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
 int
 main ()
 {
-static int test_array [1 - 2 * !(((long) (sizeof (int))) <= $ac_mid)];
+int _array_ [1 - 2 * !((sizeof (int)) <= $ac_mid)]
-test_array [0] = 0
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:10364: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10367: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:10370: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10373: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_hi=$ac_mid; break
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ac_lo=`expr $ac_mid + 1`; ac_mid=`expr 2 '*' $ac_mid + 1`
-ac_lo=`expr $ac_mid + 1`
-                    if test $ac_lo -le $ac_mid; then
-                      ac_lo= ac_hi=
-                      break
-                    fi
-                    ac_mid=`expr 2 '*' $ac_mid + 1`
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
  done
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ac_hi=-1 ac_mid=-1
-cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-static int test_array [1 - 2 * !(((long) (sizeof (int))) < 0)];
-test_array [0] = 0
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_hi=-1 ac_mid=-1
  while :; do
    cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 10389 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
 int
 main ()
 {
-static int test_array [1 - 2 * !(((long) (sizeof (int))) >= $ac_mid)];
+int _array_ [1 - 2 * !((sizeof (int)) >= $ac_mid)]
-test_array [0] = 0
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:10401: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10404: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:10407: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10410: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_lo=$ac_mid; break
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ac_hi=`expr $ac_mid - 1`; ac_mid=`expr 2 '*' $ac_mid`
-ac_hi=`expr '(' $ac_mid ')' - 1`
-                       if test $ac_mid -le $ac_hi; then
-                         ac_lo= ac_hi=
-                         break
-                       fi
-                       ac_mid=`expr 2 '*' $ac_mid`
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
  done
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-ac_lo= ac_hi=
-fi
-rm -f conftest.$ac_objext conftest.$ac_ext
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 # Binary search between lo and hi bounds.
 while test "x$ac_lo" != "x$ac_hi"; do
  ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo`
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 10426 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
 int
 main ()
 {
-static int test_array [1 - 2 * !(((long) (sizeof (int))) <= $ac_mid)];
+int _array_ [1 - 2 * !((sizeof (int)) <= $ac_mid)]
-test_array [0] = 0
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:10438: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10441: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:10444: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10447: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_hi=$ac_mid
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ac_lo=`expr $ac_mid + 1`
-ac_lo=`expr '(' $ac_mid ')' + 1`
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 done
-case $ac_lo in
+ac_cv_sizeof_int=$ac_lo
-?*) ac_cv_sizeof_int=$ac_lo;;
-'') { { echo "$as_me:$LINENO: error: cannot compute sizeof (int), 77
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot compute sizeof (int), 77
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; } ;;
-esac
 else
  if test "$cross_compiling" = yes; then
-  { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling
+  { { echo "$as_me:10460: error: cannot run test program while cross compiling" >&5
-See \`config.log' for more details." >&5
+echo "$as_me: error: cannot run test program while cross compiling" >&2;}
-echo "$as_me: error: cannot run test program while cross compiling
-See \`config.log' for more details." >&2;}
   { (exit 1); exit 1; }; }
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 10465 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
-long longval () { return (long) (sizeof (int)); }
-unsigned long ulongval () { return (long) (sizeof (int)); }
-#include <stdio.h>
-#include <stdlib.h>
 int
 main ()
 {
+FILE *f = fopen ("conftest.val", "w");
-  FILE *f = fopen ("conftest.val", "w");
+if (!f)
-  if (! f)
+  exit (1);
-    exit (1);
+fprintf (f, "%d", (sizeof (int)));
-  if (((long) (sizeof (int))) < 0)
+fclose (f);
-    {
-      long i = longval ();
-      if (i != ((long) (sizeof (int))))
-        exit (1);
-      fprintf (f, "%ld\n", i);
-    }
-  else
-    {
-      unsigned long i = ulongval ();
-      if (i != ((long) (sizeof (int))))
-        exit (1);
-      fprintf (f, "%lu\n", i);
-    }
-  exit (ferror (f) || fclose (f) != 0);
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:10481: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10484: \$? = $ac_status" >&5
  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:10486: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10489: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_sizeof_int=`cat conftest.val`
 else
  echo "$as_me: program exited with status $ac_status" >&5
 echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
-( exit $ac_status )
-{ { echo "$as_me:$LINENO: error: cannot compute sizeof (int), 77
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot compute sizeof (int), 77
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
 fi
-rm -f core core.* *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 fi
 rm -f conftest.val
@@ -11846,25 +10502,20 @@ else
  ac_cv_sizeof_int=0
 fi
 fi
-echo "$as_me:$LINENO: result: $ac_cv_sizeof_int" >&5
+echo "$as_me:10505: result: $ac_cv_sizeof_int" >&5
 echo "${ECHO_T}$ac_cv_sizeof_int" >&6
-cat >>confdefs.h <<_ACEOF
+cat >>confdefs.h <<EOF
 #define SIZEOF_INT $ac_cv_sizeof_int
-_ACEOF
+EOF
-echo "$as_me:$LINENO: checking for long int" >&5
+echo "$as_me:10511: checking for long int" >&5
 echo $ECHO_N "checking for long int... $ECHO_C" >&6
 if test "${ac_cv_type_long_int+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 10517 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
 int
 main ()
@@ -11878,328 +10529,209 @@ if (sizeof (long int))
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:10532: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10535: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:10538: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10541: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_type_long_int=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_type_long_int=no
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_long_int" >&5
+echo "$as_me:10551: result: $ac_cv_type_long_int" >&5
 echo "${ECHO_T}$ac_cv_type_long_int" >&6
-echo "$as_me:$LINENO: checking size of long int" >&5
+echo "$as_me:10554: checking size of long int" >&5
 echo $ECHO_N "checking size of long int... $ECHO_C" >&6
 if test "${ac_cv_sizeof_long_int+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  if test "$ac_cv_type_long_int" = yes; then
-  # The cast to unsigned long works around a bug in the HP C Compiler
-  # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
-  # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
-  # This bug is HP SR number 8606223364.
  if test "$cross_compiling" = yes; then
  # Depending upon the size, compute the lo and hi bounds.
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 10563 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
 int
 main ()
 {
-static int test_array [1 - 2 * !(((long) (sizeof (long int))) >= 0)];
+int _array_ [1 - 2 * !((sizeof (long int)) >= 0)]
-test_array [0] = 0
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:10575: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10578: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:10581: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10584: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_lo=0 ac_mid=0
  while :; do
    cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 10589 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
 int
 main ()
 {
-static int test_array [1 - 2 * !(((long) (sizeof (long int))) <= $ac_mid)];
+int _array_ [1 - 2 * !((sizeof (long int)) <= $ac_mid)]
-test_array [0] = 0
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:10601: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10604: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:10607: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10610: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_hi=$ac_mid; break
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ac_lo=`expr $ac_mid + 1`; ac_mid=`expr 2 '*' $ac_mid + 1`
-ac_lo=`expr $ac_mid + 1`
-                    if test $ac_lo -le $ac_mid; then
-                      ac_lo= ac_hi=
-                      break
-                    fi
-                    ac_mid=`expr 2 '*' $ac_mid + 1`
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
  done
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ac_hi=-1 ac_mid=-1
-cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-static int test_array [1 - 2 * !(((long) (sizeof (long int))) < 0)];
-test_array [0] = 0
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_hi=-1 ac_mid=-1
  while :; do
    cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 10626 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
 int
 main ()
 {
-static int test_array [1 - 2 * !(((long) (sizeof (long int))) >= $ac_mid)];
+int _array_ [1 - 2 * !((sizeof (long int)) >= $ac_mid)]
-test_array [0] = 0
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:10638: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10641: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:10644: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10647: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_lo=$ac_mid; break
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ac_hi=`expr $ac_mid - 1`; ac_mid=`expr 2 '*' $ac_mid`
-ac_hi=`expr '(' $ac_mid ')' - 1`
-                       if test $ac_mid -le $ac_hi; then
-                         ac_lo= ac_hi=
-                         break
-                       fi
-                       ac_mid=`expr 2 '*' $ac_mid`
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
  done
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-ac_lo= ac_hi=
-fi
-rm -f conftest.$ac_objext conftest.$ac_ext
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 # Binary search between lo and hi bounds.
 while test "x$ac_lo" != "x$ac_hi"; do
  ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo`
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 10663 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
 int
 main ()
 {
-static int test_array [1 - 2 * !(((long) (sizeof (long int))) <= $ac_mid)];
+int _array_ [1 - 2 * !((sizeof (long int)) <= $ac_mid)]
-test_array [0] = 0
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:10675: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10678: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:10681: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10684: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_hi=$ac_mid
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ac_lo=`expr $ac_mid + 1`
-ac_lo=`expr '(' $ac_mid ')' + 1`
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 done
-case $ac_lo in
+ac_cv_sizeof_long_int=$ac_lo
-?*) ac_cv_sizeof_long_int=$ac_lo;;
-'') { { echo "$as_me:$LINENO: error: cannot compute sizeof (long int), 77
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot compute sizeof (long int), 77
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; } ;;
-esac
 else
  if test "$cross_compiling" = yes; then
-  { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling
+  { { echo "$as_me:10697: error: cannot run test program while cross compiling" >&5
-See \`config.log' for more details." >&5
+echo "$as_me: error: cannot run test program while cross compiling" >&2;}
-echo "$as_me: error: cannot run test program while cross compiling
-See \`config.log' for more details." >&2;}
   { (exit 1); exit 1; }; }
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 10702 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
-long longval () { return (long) (sizeof (long int)); }
-unsigned long ulongval () { return (long) (sizeof (long int)); }
-#include <stdio.h>
-#include <stdlib.h>
 int
 main ()
 {
+FILE *f = fopen ("conftest.val", "w");
-  FILE *f = fopen ("conftest.val", "w");
+if (!f)
-  if (! f)
+  exit (1);
-    exit (1);
+fprintf (f, "%d", (sizeof (long int)));
-  if (((long) (sizeof (long int))) < 0)
+fclose (f);
-    {
-      long i = longval ();
-      if (i != ((long) (sizeof (long int))))
-        exit (1);
-      fprintf (f, "%ld\n", i);
-    }
-  else
-    {
-      unsigned long i = ulongval ();
-      if (i != ((long) (sizeof (long int))))
-        exit (1);
-      fprintf (f, "%lu\n", i);
-    }
-  exit (ferror (f) || fclose (f) != 0);
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:10718: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10721: \$? = $ac_status" >&5
  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:10723: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10726: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_sizeof_long_int=`cat conftest.val`
 else
  echo "$as_me: program exited with status $ac_status" >&5
 echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
-( exit $ac_status )
-{ { echo "$as_me:$LINENO: error: cannot compute sizeof (long int), 77
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot compute sizeof (long int), 77
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
 fi
-rm -f core core.* *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 fi
 rm -f conftest.val
@@ -12207,25 +10739,20 @@ else
  ac_cv_sizeof_long_int=0
 fi
 fi
-echo "$as_me:$LINENO: result: $ac_cv_sizeof_long_int" >&5
+echo "$as_me:10742: result: $ac_cv_sizeof_long_int" >&5
 echo "${ECHO_T}$ac_cv_sizeof_long_int" >&6
-cat >>confdefs.h <<_ACEOF
+cat >>confdefs.h <<EOF
 #define SIZEOF_LONG_INT $ac_cv_sizeof_long_int
-_ACEOF
+EOF
-echo "$as_me:$LINENO: checking for long long int" >&5
+echo "$as_me:10748: checking for long long int" >&5
 echo $ECHO_N "checking for long long int... $ECHO_C" >&6
 if test "${ac_cv_type_long_long_int+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 10754 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
 int
 main ()
@@ -12239,328 +10766,209 @@ if (sizeof (long long int))
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:10769: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10772: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:10775: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10778: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_type_long_long_int=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_type_long_long_int=no
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_long_long_int" >&5
+echo "$as_me:10788: result: $ac_cv_type_long_long_int" >&5
 echo "${ECHO_T}$ac_cv_type_long_long_int" >&6
-echo "$as_me:$LINENO: checking size of long long int" >&5
+echo "$as_me:10791: checking size of long long int" >&5
 echo $ECHO_N "checking size of long long int... $ECHO_C" >&6
 if test "${ac_cv_sizeof_long_long_int+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  if test "$ac_cv_type_long_long_int" = yes; then
-  # The cast to unsigned long works around a bug in the HP C Compiler
-  # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
-  # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
-  # This bug is HP SR number 8606223364.
  if test "$cross_compiling" = yes; then
  # Depending upon the size, compute the lo and hi bounds.
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 10800 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
 int
 main ()
 {
-static int test_array [1 - 2 * !(((long) (sizeof (long long int))) >= 0)];
+int _array_ [1 - 2 * !((sizeof (long long int)) >= 0)]
-test_array [0] = 0
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:10812: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10815: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:10818: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10821: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_lo=0 ac_mid=0
  while :; do
    cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 10826 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
 int
 main ()
 {
-static int test_array [1 - 2 * !(((long) (sizeof (long long int))) <= $ac_mid)];
+int _array_ [1 - 2 * !((sizeof (long long int)) <= $ac_mid)]
-test_array [0] = 0
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:10838: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10841: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:10844: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10847: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_hi=$ac_mid; break
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ac_lo=`expr $ac_mid + 1`; ac_mid=`expr 2 '*' $ac_mid + 1`
-ac_lo=`expr $ac_mid + 1`
-                    if test $ac_lo -le $ac_mid; then
-                      ac_lo= ac_hi=
-                      break
-                    fi
-                    ac_mid=`expr 2 '*' $ac_mid + 1`
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
  done
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ac_hi=-1 ac_mid=-1
-cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-static int test_array [1 - 2 * !(((long) (sizeof (long long int))) < 0)];
-test_array [0] = 0
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_hi=-1 ac_mid=-1
  while :; do
    cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 10863 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
 int
 main ()
 {
-static int test_array [1 - 2 * !(((long) (sizeof (long long int))) >= $ac_mid)];
+int _array_ [1 - 2 * !((sizeof (long long int)) >= $ac_mid)]
-test_array [0] = 0
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:10875: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10878: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:10881: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10884: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_lo=$ac_mid; break
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ac_hi=`expr $ac_mid - 1`; ac_mid=`expr 2 '*' $ac_mid`
-ac_hi=`expr '(' $ac_mid ')' - 1`
-                       if test $ac_mid -le $ac_hi; then
-                         ac_lo= ac_hi=
-                         break
-                       fi
-                       ac_mid=`expr 2 '*' $ac_mid`
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
  done
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-ac_lo= ac_hi=
-fi
-rm -f conftest.$ac_objext conftest.$ac_ext
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 # Binary search between lo and hi bounds.
 while test "x$ac_lo" != "x$ac_hi"; do
  ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo`
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 10900 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
 int
 main ()
 {
-static int test_array [1 - 2 * !(((long) (sizeof (long long int))) <= $ac_mid)];
+int _array_ [1 - 2 * !((sizeof (long long int)) <= $ac_mid)]
-test_array [0] = 0
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:10912: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10915: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:10918: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10921: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_hi=$ac_mid
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ac_lo=`expr $ac_mid + 1`
-ac_lo=`expr '(' $ac_mid ')' + 1`
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 done
-case $ac_lo in
+ac_cv_sizeof_long_long_int=$ac_lo
-?*) ac_cv_sizeof_long_long_int=$ac_lo;;
-'') { { echo "$as_me:$LINENO: error: cannot compute sizeof (long long int), 77
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot compute sizeof (long long int), 77
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; } ;;
-esac
 else
  if test "$cross_compiling" = yes; then
-  { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling
+  { { echo "$as_me:10934: error: cannot run test program while cross compiling" >&5
-See \`config.log' for more details." >&5
+echo "$as_me: error: cannot run test program while cross compiling" >&2;}
-echo "$as_me: error: cannot run test program while cross compiling
-See \`config.log' for more details." >&2;}
   { (exit 1); exit 1; }; }
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 10939 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
-long longval () { return (long) (sizeof (long long int)); }
-unsigned long ulongval () { return (long) (sizeof (long long int)); }
-#include <stdio.h>
-#include <stdlib.h>
 int
 main ()
 {
+FILE *f = fopen ("conftest.val", "w");
-  FILE *f = fopen ("conftest.val", "w");
+if (!f)
-  if (! f)
+  exit (1);
-    exit (1);
+fprintf (f, "%d", (sizeof (long long int)));
-  if (((long) (sizeof (long long int))) < 0)
+fclose (f);
-    {
-      long i = longval ();
-      if (i != ((long) (sizeof (long long int))))
-        exit (1);
-      fprintf (f, "%ld\n", i);
-    }
-  else
-    {
-      unsigned long i = ulongval ();
-      if (i != ((long) (sizeof (long long int))))
-        exit (1);
-      fprintf (f, "%lu\n", i);
-    }
-  exit (ferror (f) || fclose (f) != 0);
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:10955: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10958: \$? = $ac_status" >&5
  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:10960: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:10963: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_sizeof_long_long_int=`cat conftest.val`
 else
  echo "$as_me: program exited with status $ac_status" >&5
 echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
-( exit $ac_status )
-{ { echo "$as_me:$LINENO: error: cannot compute sizeof (long long int), 77
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot compute sizeof (long long int), 77
-See \`config.log' for more details." >&2;}
-   { (exit 1); exit 1; }; }
 fi
-rm -f core core.* *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 fi
 rm -f conftest.val
@@ -12568,13 +10976,11 @@ else
  ac_cv_sizeof_long_long_int=0
 fi
 fi
-echo "$as_me:$LINENO: result: $ac_cv_sizeof_long_long_int" >&5
+echo "$as_me:10979: result: $ac_cv_sizeof_long_long_int" >&5
 echo "${ECHO_T}$ac_cv_sizeof_long_long_int" >&6
-cat >>confdefs.h <<_ACEOF
+cat >>confdefs.h <<EOF
 #define SIZEOF_LONG_LONG_INT $ac_cv_sizeof_long_long_int
-_ACEOF
+EOF
 # Sanity check long long for some platforms (AIX)
 if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then
@@ -12582,19 +10988,15 @@ if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then
 fi
 # More checks for data types
-echo "$as_me:$LINENO: checking for u_int type" >&5
+echo "$as_me:10991: checking for u_int type" >&5
 echo $ECHO_N "checking for u_int type... $ECHO_C" >&6
 if test "${ac_cv_have_u_int+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 10998 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
 int
 main ()
@@ -12605,51 +11007,46 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:11010: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11013: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:11016: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11019: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_have_u_int="yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_have_u_int="no"
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_have_u_int" >&5
+echo "$as_me:11031: result: $ac_cv_have_u_int" >&5
 echo "${ECHO_T}$ac_cv_have_u_int" >&6
 if test "x$ac_cv_have_u_int" = "xyes" ; then
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_U_INT 1
-_ACEOF
+EOF
        have_u_int=1
 fi
-echo "$as_me:$LINENO: checking for intXX_t types" >&5
+echo "$as_me:11041: checking for intXX_t types" >&5
 echo $ECHO_N "checking for intXX_t types... $ECHO_C" >&6
 if test "${ac_cv_have_intxx_t+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 11048 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
 int
 main ()
@@ -12660,34 +11057,33 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:11060: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11063: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:11066: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11069: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_have_intxx_t="yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_have_intxx_t="no"
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_have_intxx_t" >&5
+echo "$as_me:11081: result: $ac_cv_have_intxx_t" >&5
 echo "${ECHO_T}$ac_cv_have_intxx_t" >&6
 if test "x$ac_cv_have_intxx_t" = "xyes" ; then
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_INTXX_T 1
-_ACEOF
+EOF
        have_intxx_t=1
 fi
@@ -12695,15 +11091,11 @@ fi
 if (test -z "$have_intxx_t" && \
           test "x$ac_cv_header_stdint_h" = "xyes")
 then
-    echo "$as_me:$LINENO: checking for intXX_t types in stdint.h" >&5
+    echo "$as_me:11094: checking for intXX_t types in stdint.h" >&5
 echo $ECHO_N "checking for intXX_t types in stdint.h... $ECHO_C" >&6
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 11097 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <stdint.h>
 int
 main ()
@@ -12714,49 +11106,44 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:11109: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11112: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:11115: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11118: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define HAVE_INTXX_T 1
-_ACEOF
+EOF
-                        echo "$as_me:$LINENO: result: yes" >&5
+                        echo "$as_me:11125: result: yes" >&5
 echo "${ECHO_T}yes" >&6
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ echo "$as_me:11131: result: no" >&5
- echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: checking for int64_t type" >&5
+echo "$as_me:11138: checking for int64_t type" >&5
 echo $ECHO_N "checking for int64_t type... $ECHO_C" >&6
 if test "${ac_cv_have_int64_t+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 11145 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
 #ifdef HAVE_STDINT_H
@@ -12776,50 +11163,45 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:11166: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11169: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:11172: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11175: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_have_int64_t="yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_have_int64_t="no"
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_have_int64_t" >&5
+echo "$as_me:11187: result: $ac_cv_have_int64_t" >&5
 echo "${ECHO_T}$ac_cv_have_int64_t" >&6
 if test "x$ac_cv_have_int64_t" = "xyes" ; then
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_INT64_T 1
-_ACEOF
+EOF
 fi
-echo "$as_me:$LINENO: checking for u_intXX_t types" >&5
+echo "$as_me:11196: checking for u_intXX_t types" >&5
 echo $ECHO_N "checking for u_intXX_t types... $ECHO_C" >&6
 if test "${ac_cv_have_u_intxx_t+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 11203 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
 int
 main ()
@@ -12830,48 +11212,43 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:11215: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11218: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:11221: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11224: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_have_u_intxx_t="yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_have_u_intxx_t="no"
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_have_u_intxx_t" >&5
+echo "$as_me:11236: result: $ac_cv_have_u_intxx_t" >&5
 echo "${ECHO_T}$ac_cv_have_u_intxx_t" >&6
 if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_U_INTXX_T 1
-_ACEOF
+EOF
        have_u_intxx_t=1
 fi
 if test -z "$have_u_intxx_t" ; then
-    echo "$as_me:$LINENO: checking for u_intXX_t types in sys/socket.h" >&5
+    echo "$as_me:11247: checking for u_intXX_t types in sys/socket.h" >&5
 echo $ECHO_N "checking for u_intXX_t types in sys/socket.h... $ECHO_C" >&6
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 11250 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/socket.h>
 int
 main ()
@@ -12882,49 +11259,44 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:11262: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11265: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:11268: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11271: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define HAVE_U_INTXX_T 1
-_ACEOF
+EOF
-                        echo "$as_me:$LINENO: result: yes" >&5
+                        echo "$as_me:11278: result: yes" >&5
 echo "${ECHO_T}yes" >&6
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ echo "$as_me:11284: result: no" >&5
- echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: checking for u_int64_t types" >&5
+echo "$as_me:11291: checking for u_int64_t types" >&5
 echo $ECHO_N "checking for u_int64_t types... $ECHO_C" >&6
 if test "${ac_cv_have_u_int64_t+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 11298 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
 int
 main ()
@@ -12935,48 +11307,43 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:11310: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11313: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:11316: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11319: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_have_u_int64_t="yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_have_u_int64_t="no"
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_have_u_int64_t" >&5
+echo "$as_me:11331: result: $ac_cv_have_u_int64_t" >&5
 echo "${ECHO_T}$ac_cv_have_u_int64_t" >&6
 if test "x$ac_cv_have_u_int64_t" = "xyes" ; then
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_U_INT64_T 1
-_ACEOF
+EOF
        have_u_int64_t=1
 fi
 if test -z "$have_u_int64_t" ; then
-    echo "$as_me:$LINENO: checking for u_int64_t type in sys/bitypes.h" >&5
+    echo "$as_me:11342: checking for u_int64_t type in sys/bitypes.h" >&5
 echo $ECHO_N "checking for u_int64_t type in sys/bitypes.h... $ECHO_C" >&6
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 11345 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/bitypes.h>
 int
 main ()
@@ -12987,30 +11354,29 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:11357: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11360: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:11363: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11366: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define HAVE_U_INT64_T 1
-_ACEOF
+EOF
-                        echo "$as_me:$LINENO: result: yes" >&5
+                        echo "$as_me:11373: result: yes" >&5
 echo "${ECHO_T}yes" >&6
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ echo "$as_me:11379: result: no" >&5
- echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -13018,19 +11384,15 @@ rm -f conftest.$ac_objext conftest.$ac_ext
 fi
 if test -z "$have_u_intxx_t" ; then
-        echo "$as_me:$LINENO: checking for uintXX_t types" >&5
+        echo "$as_me:11387: checking for uintXX_t types" >&5
 echo $ECHO_N "checking for uintXX_t types... $ECHO_C" >&6
 if test "${ac_cv_have_uintxx_t+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
                cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 11394 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
@@ -13043,48 +11405,43 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:11408: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11411: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:11414: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11417: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_have_uintxx_t="yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_have_uintxx_t="no"
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_have_uintxx_t" >&5
+echo "$as_me:11429: result: $ac_cv_have_uintxx_t" >&5
 echo "${ECHO_T}$ac_cv_have_uintxx_t" >&6
        if test "x$ac_cv_have_uintxx_t" = "xyes" ; then
-                cat >>confdefs.h <<\_ACEOF
+                cat >>confdefs.h <<\EOF
 #define HAVE_UINTXX_T 1
-_ACEOF
+EOF
        fi
 fi
 if test -z "$have_uintxx_t" ; then
-    echo "$as_me:$LINENO: checking for uintXX_t types in stdint.h" >&5
+    echo "$as_me:11440: checking for uintXX_t types in stdint.h" >&5
 echo $ECHO_N "checking for uintXX_t types in stdint.h... $ECHO_C" >&6
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 11443 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <stdint.h>
 int
 main ()
@@ -13095,30 +11452,29 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:11455: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11458: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:11461: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11464: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define HAVE_UINTXX_T 1
-_ACEOF
+EOF
-                        echo "$as_me:$LINENO: result: yes" >&5
+                        echo "$as_me:11471: result: yes" >&5
 echo "${ECHO_T}yes" >&6
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ echo "$as_me:11477: result: no" >&5
- echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -13128,15 +11484,11 @@ fi
 if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \
           test "x$ac_cv_header_sys_bitypes_h" = "xyes")
 then
-        echo "$as_me:$LINENO: checking for intXX_t and u_intXX_t types in sys/bitypes.h" >&5
+        echo "$as_me:11487: checking for intXX_t and u_intXX_t types in sys/bitypes.h" >&5
 echo $ECHO_N "checking for intXX_t and u_intXX_t types in sys/bitypes.h... $ECHO_C" >&6
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 11490 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/bitypes.h>
@@ -13153,54 +11505,48 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:11508: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11511: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:11514: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11517: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define HAVE_U_INTXX_T 1
-_ACEOF
+EOF
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define HAVE_INTXX_T 1
-_ACEOF
+EOF
-                        echo "$as_me:$LINENO: result: yes" >&5
+                        echo "$as_me:11528: result: yes" >&5
 echo "${ECHO_T}yes" >&6
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+echo "$as_me:11534: result: no" >&5
-echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
+echo "$as_me:11541: checking for u_char" >&5
-echo "$as_me:$LINENO: checking for u_char" >&5
 echo $ECHO_N "checking for u_char... $ECHO_C" >&6
 if test "${ac_cv_have_u_char+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 11548 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
@@ -13213,50 +11559,44 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:11562: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11565: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:11568: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11571: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_have_u_char="yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_have_u_char="no"
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_have_u_char" >&5
+echo "$as_me:11583: result: $ac_cv_have_u_char" >&5
 echo "${ECHO_T}$ac_cv_have_u_char" >&6
 if test "x$ac_cv_have_u_char" = "xyes" ; then
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_U_CHAR 1
-_ACEOF
+EOF
 fi
+   echo "$as_me:11592: checking for socklen_t" >&5
-   echo "$as_me:$LINENO: checking for socklen_t" >&5
 echo $ECHO_N "checking for socklen_t... $ECHO_C" >&6
 if test "${ac_cv_type_socklen_t+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 11598 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -13272,33 +11612,32 @@ if (sizeof (socklen_t))
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:11615: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11618: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:11621: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11624: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_type_socklen_t=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_type_socklen_t=no
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_socklen_t" >&5
+echo "$as_me:11634: result: $ac_cv_type_socklen_t" >&5
 echo "${ECHO_T}$ac_cv_type_socklen_t" >&6
 if test $ac_cv_type_socklen_t = yes; then
  :
 else
-      echo "$as_me:$LINENO: checking for socklen_t equivalent" >&5
+      echo "$as_me:11640: checking for socklen_t equivalent" >&5
 echo $ECHO_N "checking for socklen_t equivalent... $ECHO_C" >&6
      if test "${curl_cv_socklen_t_equiv+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -13310,12 +11649,8 @@ else
         for arg2 in "struct sockaddr" void; do
            for t in int size_t unsigned long "unsigned long"; do
               cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 11652 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
                  #include <sys/types.h>
                  #include <sys/socket.h>
@@ -13334,16 +11669,16 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:11672: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11675: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:11678: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11681: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
                  curl_cv_socklen_t_equiv="$t"
@@ -13351,44 +11686,37 @@ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
            done
         done
         if test "x$curl_cv_socklen_t_equiv" = x; then
-            { { echo "$as_me:$LINENO: error: Cannot find a type to use in place of socklen_t" >&5
+            { { echo "$as_me:11696: error: Cannot find a type to use in place of socklen_t" >&5
 echo "$as_me: error: Cannot find a type to use in place of socklen_t" >&2;}
   { (exit 1); exit 1; }; }
         fi
 fi
-      echo "$as_me:$LINENO: result: $curl_cv_socklen_t_equiv" >&5
+      echo "$as_me:11703: result: $curl_cv_socklen_t_equiv" >&5
 echo "${ECHO_T}$curl_cv_socklen_t_equiv" >&6
-cat >>confdefs.h <<_ACEOF
+cat >>confdefs.h <<EOF
 #define socklen_t $curl_cv_socklen_t_equiv
-_ACEOF
+EOF
 fi
+echo "$as_me:11712: checking for sig_atomic_t" >&5
-echo "$as_me:$LINENO: checking for sig_atomic_t" >&5
 echo $ECHO_N "checking for sig_atomic_t... $ECHO_C" >&6
 if test "${ac_cv_type_sig_atomic_t+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 11718 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <signal.h>
 int
@@ -13403,51 +11731,44 @@ if (sizeof (sig_atomic_t))
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:11734: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11737: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:11740: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11743: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_type_sig_atomic_t=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_type_sig_atomic_t=no
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_sig_atomic_t" >&5
+echo "$as_me:11753: result: $ac_cv_type_sig_atomic_t" >&5
 echo "${ECHO_T}$ac_cv_type_sig_atomic_t" >&6
 if test $ac_cv_type_sig_atomic_t = yes; then
-cat >>confdefs.h <<_ACEOF
+cat >>confdefs.h <<EOF
 #define HAVE_SIG_ATOMIC_T 1
-_ACEOF
+EOF
 fi
+echo "$as_me:11763: checking for size_t" >&5
-echo "$as_me:$LINENO: checking for size_t" >&5
 echo $ECHO_N "checking for size_t... $ECHO_C" >&6
 if test "${ac_cv_have_size_t+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 11770 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
@@ -13460,50 +11781,45 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:11784: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11787: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:11790: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11793: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_have_size_t="yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_have_size_t="no"
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_have_size_t" >&5
+echo "$as_me:11805: result: $ac_cv_have_size_t" >&5
 echo "${ECHO_T}$ac_cv_have_size_t" >&6
 if test "x$ac_cv_have_size_t" = "xyes" ; then
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_SIZE_T 1
-_ACEOF
+EOF
 fi
-echo "$as_me:$LINENO: checking for ssize_t" >&5
+echo "$as_me:11814: checking for ssize_t" >&5
 echo $ECHO_N "checking for ssize_t... $ECHO_C" >&6
 if test "${ac_cv_have_ssize_t+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 11821 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
@@ -13516,50 +11832,45 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:11835: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11838: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:11841: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11844: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_have_ssize_t="yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_have_ssize_t="no"
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_have_ssize_t" >&5
+echo "$as_me:11856: result: $ac_cv_have_ssize_t" >&5
 echo "${ECHO_T}$ac_cv_have_ssize_t" >&6
 if test "x$ac_cv_have_ssize_t" = "xyes" ; then
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_SSIZE_T 1
-_ACEOF
+EOF
 fi
-echo "$as_me:$LINENO: checking for clock_t" >&5
+echo "$as_me:11865: checking for clock_t" >&5
 echo $ECHO_N "checking for clock_t... $ECHO_C" >&6
 if test "${ac_cv_have_clock_t+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 11872 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <time.h>
@@ -13572,50 +11883,45 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:11886: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11889: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:11892: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11895: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_have_clock_t="yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_have_clock_t="no"
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_have_clock_t" >&5
+echo "$as_me:11907: result: $ac_cv_have_clock_t" >&5
 echo "${ECHO_T}$ac_cv_have_clock_t" >&6
 if test "x$ac_cv_have_clock_t" = "xyes" ; then
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_CLOCK_T 1
-_ACEOF
+EOF
 fi
-echo "$as_me:$LINENO: checking for sa_family_t" >&5
+echo "$as_me:11916: checking for sa_family_t" >&5
 echo $ECHO_N "checking for sa_family_t... $ECHO_C" >&6
 if test "${ac_cv_have_sa_family_t+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 11923 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -13629,29 +11935,24 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:11938: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11941: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:11944: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11947: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_have_sa_family_t="yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 11954 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -13666,22 +11967,21 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:11970: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11973: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:11976: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:11979: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_have_sa_family_t="yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_have_sa_family_t="no"
 fi
@@ -13691,28 +11991,24 @@ fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_have_sa_family_t" >&5
+echo "$as_me:11994: result: $ac_cv_have_sa_family_t" >&5
 echo "${ECHO_T}$ac_cv_have_sa_family_t" >&6
 if test "x$ac_cv_have_sa_family_t" = "xyes" ; then
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_SA_FAMILY_T 1
-_ACEOF
+EOF
 fi
-echo "$as_me:$LINENO: checking for pid_t" >&5
+echo "$as_me:12003: checking for pid_t" >&5
 echo $ECHO_N "checking for pid_t... $ECHO_C" >&6
 if test "${ac_cv_have_pid_t+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 12010 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
@@ -13725,50 +12021,45 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:12024: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:12027: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:12030: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:12033: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_have_pid_t="yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_have_pid_t="no"
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_have_pid_t" >&5
+echo "$as_me:12045: result: $ac_cv_have_pid_t" >&5
 echo "${ECHO_T}$ac_cv_have_pid_t" >&6
 if test "x$ac_cv_have_pid_t" = "xyes" ; then
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_PID_T 1
-_ACEOF
+EOF
 fi
-echo "$as_me:$LINENO: checking for mode_t" >&5
+echo "$as_me:12054: checking for mode_t" >&5
 echo $ECHO_N "checking for mode_t... $ECHO_C" >&6
 if test "${ac_cv_have_mode_t+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 12061 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
@@ -13781,51 +12072,45 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:12075: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:12078: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:12081: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:12084: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_have_mode_t="yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_have_mode_t="no"
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_have_mode_t" >&5
+echo "$as_me:12096: result: $ac_cv_have_mode_t" >&5
 echo "${ECHO_T}$ac_cv_have_mode_t" >&6
 if test "x$ac_cv_have_mode_t" = "xyes" ; then
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_MODE_T 1
-_ACEOF
+EOF
 fi
+echo "$as_me:12105: checking for struct sockaddr_storage" >&5
-echo "$as_me:$LINENO: checking for struct sockaddr_storage" >&5
 echo $ECHO_N "checking for struct sockaddr_storage... $ECHO_C" >&6
 if test "${ac_cv_have_struct_sockaddr_storage+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 12112 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -13839,50 +12124,45 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:12127: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:12130: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:12133: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:12136: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_have_struct_sockaddr_storage="yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_have_struct_sockaddr_storage="no"
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_have_struct_sockaddr_storage" >&5
+echo "$as_me:12148: result: $ac_cv_have_struct_sockaddr_storage" >&5
 echo "${ECHO_T}$ac_cv_have_struct_sockaddr_storage" >&6
 if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_STRUCT_SOCKADDR_STORAGE 1
-_ACEOF
+EOF
 fi
-echo "$as_me:$LINENO: checking for struct sockaddr_in6" >&5
+echo "$as_me:12157: checking for struct sockaddr_in6" >&5
 echo $ECHO_N "checking for struct sockaddr_in6... $ECHO_C" >&6
 if test "${ac_cv_have_struct_sockaddr_in6+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 12164 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
 #include <netinet/in.h>
@@ -13896,50 +12176,45 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:12179: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:12182: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:12185: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:12188: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_have_struct_sockaddr_in6="yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_have_struct_sockaddr_in6="no"
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_have_struct_sockaddr_in6" >&5
+echo "$as_me:12200: result: $ac_cv_have_struct_sockaddr_in6" >&5
 echo "${ECHO_T}$ac_cv_have_struct_sockaddr_in6" >&6
 if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_STRUCT_SOCKADDR_IN6 1
-_ACEOF
+EOF
 fi
-echo "$as_me:$LINENO: checking for struct in6_addr" >&5
+echo "$as_me:12209: checking for struct in6_addr" >&5
 echo $ECHO_N "checking for struct in6_addr... $ECHO_C" >&6
 if test "${ac_cv_have_struct_in6_addr+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 12216 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
 #include <netinet/in.h>
@@ -13953,50 +12228,45 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:12231: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:12234: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:12237: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:12240: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_have_struct_in6_addr="yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_have_struct_in6_addr="no"
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_have_struct_in6_addr" >&5
+echo "$as_me:12252: result: $ac_cv_have_struct_in6_addr" >&5
 echo "${ECHO_T}$ac_cv_have_struct_in6_addr" >&6
 if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_STRUCT_IN6_ADDR 1
-_ACEOF
+EOF
 fi
-echo "$as_me:$LINENO: checking for struct addrinfo" >&5
+echo "$as_me:12261: checking for struct addrinfo" >&5
 echo $ECHO_N "checking for struct addrinfo... $ECHO_C" >&6
 if test "${ac_cv_have_struct_addrinfo+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 12268 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -14011,50 +12281,45 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:12284: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:12287: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:12290: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:12293: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_have_struct_addrinfo="yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_have_struct_addrinfo="no"
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_have_struct_addrinfo" >&5
+echo "$as_me:12305: result: $ac_cv_have_struct_addrinfo" >&5
 echo "${ECHO_T}$ac_cv_have_struct_addrinfo" >&6
 if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_STRUCT_ADDRINFO 1
-_ACEOF
+EOF
 fi
-echo "$as_me:$LINENO: checking for struct timeval" >&5
+echo "$as_me:12314: checking for struct timeval" >&5
 echo $ECHO_N "checking for struct timeval... $ECHO_C" >&6
 if test "${ac_cv_have_struct_timeval+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 12321 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/time.h>
 int
 main ()
@@ -14065,50 +12330,45 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:12333: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:12336: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:12339: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:12342: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_have_struct_timeval="yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_have_struct_timeval="no"
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_have_struct_timeval" >&5
+echo "$as_me:12354: result: $ac_cv_have_struct_timeval" >&5
 echo "${ECHO_T}$ac_cv_have_struct_timeval" >&6
 if test "x$ac_cv_have_struct_timeval" = "xyes" ; then
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_STRUCT_TIMEVAL 1
-_ACEOF
+EOF
        have_struct_timeval=1
 fi
-echo "$as_me:$LINENO: checking for struct timespec" >&5
+echo "$as_me:12364: checking for struct timespec" >&5
 echo $ECHO_N "checking for struct timespec... $ECHO_C" >&6
 if test "${ac_cv_type_struct_timespec+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 12370 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
 int
 main ()
@@ -14122,38 +12382,35 @@ if (sizeof (struct timespec))
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:12385: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:12388: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:12391: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:12394: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_type_struct_timespec=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_type_struct_timespec=no
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_struct_timespec" >&5
+echo "$as_me:12404: result: $ac_cv_type_struct_timespec" >&5
 echo "${ECHO_T}$ac_cv_type_struct_timespec" >&6
 if test $ac_cv_type_struct_timespec = yes; then
-cat >>confdefs.h <<_ACEOF
+cat >>confdefs.h <<EOF
 #define HAVE_STRUCT_TIMESPEC 1
-_ACEOF
+EOF
 fi
 # We need int64_t or else certian parts of the compile will fail.
 if test "x$ac_cv_have_int64_t" = "xno" -a \
        "x$ac_cv_sizeof_long_int" != "x8" -a \
@@ -14164,19 +12421,13 @@ if test "x$ac_cv_have_int64_t" = "xno" -a \
        exit 1;
 else
        if test "$cross_compiling" = yes; then
-  { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling
+  { { echo "$as_me:12424: error: cannot run test program while cross compiling" >&5
-See \`config.log' for more details." >&5
+echo "$as_me: error: cannot run test program while cross compiling" >&2;}
-echo "$as_me: error: cannot run test program while cross compiling
-See \`config.log' for more details." >&2;}
   { (exit 1); exit 1; }; }
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 12429 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <stdio.h>
 #include <string.h>
@@ -14203,55 +12454,47 @@ main() { exit(0); }
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:12457: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:12460: \$? = $ac_status" >&5
  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:12462: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:12465: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   true
 else
  echo "$as_me: program exited with status $ac_status" >&5
 echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ cat >>confdefs.h <<\EOF
-( exit $ac_status )
- cat >>confdefs.h <<\_ACEOF
 #define BROKEN_SNPRINTF 1
-_ACEOF
+EOF
 fi
-rm -f core core.* *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 fi
 # look for field 'ut_host' in header 'utmp.h'
                ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'`
                ossh_varname="ossh_cv_$ossh_safe""_has_"ut_host
-        echo "$as_me:$LINENO: checking for ut_host field in utmp.h" >&5
+        echo "$as_me:12484: checking for ut_host field in utmp.h" >&5
 echo $ECHO_N "checking for ut_host field in utmp.h... $ECHO_C" >&6
        if eval "test \"\${$ossh_varname+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
                cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 12491 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <utmp.h>
 _ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "ut_host" >/dev/null 2>&1; then
+  egrep "ut_host" >/dev/null 2>&1; then
                        eval "$ossh_varname=yes"
 else
                        eval "$ossh_varname=no"
@@ -14262,41 +12505,36 @@ fi
        ossh_result=`eval 'echo $'"$ossh_varname"`
        if test -n "`echo $ossh_varname`"; then
-                echo "$as_me:$LINENO: result: $ossh_result" >&5
+                echo "$as_me:12508: result: $ossh_result" >&5
 echo "${ECHO_T}$ossh_result" >&6
                if test "x$ossh_result" = "xyes"; then
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define HAVE_HOST_IN_UTMP 1
-_ACEOF
+EOF
                fi
        else
-                echo "$as_me:$LINENO: result: no" >&5
+                echo "$as_me:12517: result: no" >&5
 echo "${ECHO_T}no" >&6
        fi
 # look for field 'ut_host' in header 'utmpx.h'
                ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'`
                ossh_varname="ossh_cv_$ossh_safe""_has_"ut_host
-        echo "$as_me:$LINENO: checking for ut_host field in utmpx.h" >&5
+        echo "$as_me:12524: checking for ut_host field in utmpx.h" >&5
 echo $ECHO_N "checking for ut_host field in utmpx.h... $ECHO_C" >&6
        if eval "test \"\${$ossh_varname+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
                cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 12531 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <utmpx.h>
 _ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "ut_host" >/dev/null 2>&1; then
+  egrep "ut_host" >/dev/null 2>&1; then
                        eval "$ossh_varname=yes"
 else
                        eval "$ossh_varname=no"
@@ -14307,41 +12545,36 @@ fi
        ossh_result=`eval 'echo $'"$ossh_varname"`
        if test -n "`echo $ossh_varname`"; then
-                echo "$as_me:$LINENO: result: $ossh_result" >&5
+                echo "$as_me:12548: result: $ossh_result" >&5
 echo "${ECHO_T}$ossh_result" >&6
                if test "x$ossh_result" = "xyes"; then
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define HAVE_HOST_IN_UTMPX 1
-_ACEOF
+EOF
                fi
        else
-                echo "$as_me:$LINENO: result: no" >&5
+                echo "$as_me:12557: result: no" >&5
 echo "${ECHO_T}no" >&6
        fi
 # look for field 'syslen' in header 'utmpx.h'
                ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'`
                ossh_varname="ossh_cv_$ossh_safe""_has_"syslen
-        echo "$as_me:$LINENO: checking for syslen field in utmpx.h" >&5
+        echo "$as_me:12564: checking for syslen field in utmpx.h" >&5
 echo $ECHO_N "checking for syslen field in utmpx.h... $ECHO_C" >&6
        if eval "test \"\${$ossh_varname+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
                cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 12571 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <utmpx.h>
 _ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "syslen" >/dev/null 2>&1; then
+  egrep "syslen" >/dev/null 2>&1; then
                        eval "$ossh_varname=yes"
 else
                        eval "$ossh_varname=no"
@@ -14352,41 +12585,36 @@ fi
        ossh_result=`eval 'echo $'"$ossh_varname"`
        if test -n "`echo $ossh_varname`"; then
-                echo "$as_me:$LINENO: result: $ossh_result" >&5
+                echo "$as_me:12588: result: $ossh_result" >&5
 echo "${ECHO_T}$ossh_result" >&6
                if test "x$ossh_result" = "xyes"; then
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define HAVE_SYSLEN_IN_UTMPX 1
-_ACEOF
+EOF
                fi
        else
-                echo "$as_me:$LINENO: result: no" >&5
+                echo "$as_me:12597: result: no" >&5
 echo "${ECHO_T}no" >&6
        fi
 # look for field 'ut_pid' in header 'utmp.h'
                ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'`
                ossh_varname="ossh_cv_$ossh_safe""_has_"ut_pid
-        echo "$as_me:$LINENO: checking for ut_pid field in utmp.h" >&5
+        echo "$as_me:12604: checking for ut_pid field in utmp.h" >&5
 echo $ECHO_N "checking for ut_pid field in utmp.h... $ECHO_C" >&6
        if eval "test \"\${$ossh_varname+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
                cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 12611 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <utmp.h>
 _ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "ut_pid" >/dev/null 2>&1; then
+  egrep "ut_pid" >/dev/null 2>&1; then
                        eval "$ossh_varname=yes"
 else
                        eval "$ossh_varname=no"
@@ -14397,41 +12625,36 @@ fi
        ossh_result=`eval 'echo $'"$ossh_varname"`
        if test -n "`echo $ossh_varname`"; then
-                echo "$as_me:$LINENO: result: $ossh_result" >&5
+                echo "$as_me:12628: result: $ossh_result" >&5
 echo "${ECHO_T}$ossh_result" >&6
                if test "x$ossh_result" = "xyes"; then
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define HAVE_PID_IN_UTMP 1
-_ACEOF
+EOF
                fi
        else
-                echo "$as_me:$LINENO: result: no" >&5
+                echo "$as_me:12637: result: no" >&5
 echo "${ECHO_T}no" >&6
        fi
 # look for field 'ut_type' in header 'utmp.h'
                ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'`
                ossh_varname="ossh_cv_$ossh_safe""_has_"ut_type
-        echo "$as_me:$LINENO: checking for ut_type field in utmp.h" >&5
+        echo "$as_me:12644: checking for ut_type field in utmp.h" >&5
 echo $ECHO_N "checking for ut_type field in utmp.h... $ECHO_C" >&6
        if eval "test \"\${$ossh_varname+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
                cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 12651 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <utmp.h>
 _ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "ut_type" >/dev/null 2>&1; then
+  egrep "ut_type" >/dev/null 2>&1; then
                        eval "$ossh_varname=yes"
 else
                        eval "$ossh_varname=no"
@@ -14442,41 +12665,36 @@ fi
        ossh_result=`eval 'echo $'"$ossh_varname"`
        if test -n "`echo $ossh_varname`"; then
-                echo "$as_me:$LINENO: result: $ossh_result" >&5
+                echo "$as_me:12668: result: $ossh_result" >&5
 echo "${ECHO_T}$ossh_result" >&6
                if test "x$ossh_result" = "xyes"; then
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define HAVE_TYPE_IN_UTMP 1
-_ACEOF
+EOF
                fi
        else
-                echo "$as_me:$LINENO: result: no" >&5
+                echo "$as_me:12677: result: no" >&5
 echo "${ECHO_T}no" >&6
        fi
 # look for field 'ut_type' in header 'utmpx.h'
                ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'`
                ossh_varname="ossh_cv_$ossh_safe""_has_"ut_type
-        echo "$as_me:$LINENO: checking for ut_type field in utmpx.h" >&5
+        echo "$as_me:12684: checking for ut_type field in utmpx.h" >&5
 echo $ECHO_N "checking for ut_type field in utmpx.h... $ECHO_C" >&6
        if eval "test \"\${$ossh_varname+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
                cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 12691 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <utmpx.h>
 _ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "ut_type" >/dev/null 2>&1; then
+  egrep "ut_type" >/dev/null 2>&1; then
                        eval "$ossh_varname=yes"
 else
                        eval "$ossh_varname=no"
@@ -14487,41 +12705,36 @@ fi
        ossh_result=`eval 'echo $'"$ossh_varname"`
        if test -n "`echo $ossh_varname`"; then
-                echo "$as_me:$LINENO: result: $ossh_result" >&5
+                echo "$as_me:12708: result: $ossh_result" >&5
 echo "${ECHO_T}$ossh_result" >&6
                if test "x$ossh_result" = "xyes"; then
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define HAVE_TYPE_IN_UTMPX 1
-_ACEOF
+EOF
                fi
        else
-                echo "$as_me:$LINENO: result: no" >&5
+                echo "$as_me:12717: result: no" >&5
 echo "${ECHO_T}no" >&6
        fi
 # look for field 'ut_tv' in header 'utmp.h'
                ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'`
                ossh_varname="ossh_cv_$ossh_safe""_has_"ut_tv
-        echo "$as_me:$LINENO: checking for ut_tv field in utmp.h" >&5
+        echo "$as_me:12724: checking for ut_tv field in utmp.h" >&5
 echo $ECHO_N "checking for ut_tv field in utmp.h... $ECHO_C" >&6
        if eval "test \"\${$ossh_varname+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
                cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 12731 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <utmp.h>
 _ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "ut_tv" >/dev/null 2>&1; then
+  egrep "ut_tv" >/dev/null 2>&1; then
                        eval "$ossh_varname=yes"
 else
                        eval "$ossh_varname=no"
@@ -14532,41 +12745,36 @@ fi
        ossh_result=`eval 'echo $'"$ossh_varname"`
        if test -n "`echo $ossh_varname`"; then
-                echo "$as_me:$LINENO: result: $ossh_result" >&5
+                echo "$as_me:12748: result: $ossh_result" >&5
 echo "${ECHO_T}$ossh_result" >&6
                if test "x$ossh_result" = "xyes"; then
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define HAVE_TV_IN_UTMP 1
-_ACEOF
+EOF
                fi
        else
-                echo "$as_me:$LINENO: result: no" >&5
+                echo "$as_me:12757: result: no" >&5
 echo "${ECHO_T}no" >&6
        fi
 # look for field 'ut_id' in header 'utmp.h'
                ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'`
                ossh_varname="ossh_cv_$ossh_safe""_has_"ut_id
-        echo "$as_me:$LINENO: checking for ut_id field in utmp.h" >&5
+        echo "$as_me:12764: checking for ut_id field in utmp.h" >&5
 echo $ECHO_N "checking for ut_id field in utmp.h... $ECHO_C" >&6
        if eval "test \"\${$ossh_varname+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
                cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 12771 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <utmp.h>
 _ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "ut_id" >/dev/null 2>&1; then
+  egrep "ut_id" >/dev/null 2>&1; then
                        eval "$ossh_varname=yes"
 else
                        eval "$ossh_varname=no"
@@ -14577,41 +12785,36 @@ fi
        ossh_result=`eval 'echo $'"$ossh_varname"`
        if test -n "`echo $ossh_varname`"; then
-                echo "$as_me:$LINENO: result: $ossh_result" >&5
+                echo "$as_me:12788: result: $ossh_result" >&5
 echo "${ECHO_T}$ossh_result" >&6
                if test "x$ossh_result" = "xyes"; then
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define HAVE_ID_IN_UTMP 1
-_ACEOF
+EOF
                fi
        else
-                echo "$as_me:$LINENO: result: no" >&5
+                echo "$as_me:12797: result: no" >&5
 echo "${ECHO_T}no" >&6
        fi
 # look for field 'ut_id' in header 'utmpx.h'
                ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'`
                ossh_varname="ossh_cv_$ossh_safe""_has_"ut_id
-        echo "$as_me:$LINENO: checking for ut_id field in utmpx.h" >&5
+        echo "$as_me:12804: checking for ut_id field in utmpx.h" >&5
 echo $ECHO_N "checking for ut_id field in utmpx.h... $ECHO_C" >&6
        if eval "test \"\${$ossh_varname+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
                cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 12811 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <utmpx.h>
 _ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "ut_id" >/dev/null 2>&1; then
+  egrep "ut_id" >/dev/null 2>&1; then
                        eval "$ossh_varname=yes"
 else
                        eval "$ossh_varname=no"
@@ -14622,41 +12825,36 @@ fi
        ossh_result=`eval 'echo $'"$ossh_varname"`
        if test -n "`echo $ossh_varname`"; then
-                echo "$as_me:$LINENO: result: $ossh_result" >&5
+                echo "$as_me:12828: result: $ossh_result" >&5
 echo "${ECHO_T}$ossh_result" >&6
                if test "x$ossh_result" = "xyes"; then
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define HAVE_ID_IN_UTMPX 1
-_ACEOF
+EOF
                fi
        else
-                echo "$as_me:$LINENO: result: no" >&5
+                echo "$as_me:12837: result: no" >&5
 echo "${ECHO_T}no" >&6
        fi
 # look for field 'ut_addr' in header 'utmp.h'
                ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'`
                ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr
-        echo "$as_me:$LINENO: checking for ut_addr field in utmp.h" >&5
+        echo "$as_me:12844: checking for ut_addr field in utmp.h" >&5
 echo $ECHO_N "checking for ut_addr field in utmp.h... $ECHO_C" >&6
        if eval "test \"\${$ossh_varname+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
                cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 12851 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <utmp.h>
 _ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "ut_addr" >/dev/null 2>&1; then
+  egrep "ut_addr" >/dev/null 2>&1; then
                        eval "$ossh_varname=yes"
 else
                        eval "$ossh_varname=no"
@@ -14667,41 +12865,36 @@ fi
        ossh_result=`eval 'echo $'"$ossh_varname"`
        if test -n "`echo $ossh_varname`"; then
-                echo "$as_me:$LINENO: result: $ossh_result" >&5
+                echo "$as_me:12868: result: $ossh_result" >&5
 echo "${ECHO_T}$ossh_result" >&6
                if test "x$ossh_result" = "xyes"; then
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define HAVE_ADDR_IN_UTMP 1
-_ACEOF
+EOF
                fi
        else
-                echo "$as_me:$LINENO: result: no" >&5
+                echo "$as_me:12877: result: no" >&5
 echo "${ECHO_T}no" >&6
        fi
 # look for field 'ut_addr' in header 'utmpx.h'
                ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'`
                ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr
-        echo "$as_me:$LINENO: checking for ut_addr field in utmpx.h" >&5
+        echo "$as_me:12884: checking for ut_addr field in utmpx.h" >&5
 echo $ECHO_N "checking for ut_addr field in utmpx.h... $ECHO_C" >&6
        if eval "test \"\${$ossh_varname+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
                cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 12891 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <utmpx.h>
 _ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "ut_addr" >/dev/null 2>&1; then
+  egrep "ut_addr" >/dev/null 2>&1; then
                        eval "$ossh_varname=yes"
 else
                        eval "$ossh_varname=no"
@@ -14712,41 +12905,36 @@ fi
        ossh_result=`eval 'echo $'"$ossh_varname"`
        if test -n "`echo $ossh_varname`"; then
-                echo "$as_me:$LINENO: result: $ossh_result" >&5
+                echo "$as_me:12908: result: $ossh_result" >&5
 echo "${ECHO_T}$ossh_result" >&6
                if test "x$ossh_result" = "xyes"; then
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define HAVE_ADDR_IN_UTMPX 1
-_ACEOF
+EOF
                fi
        else
-                echo "$as_me:$LINENO: result: no" >&5
+                echo "$as_me:12917: result: no" >&5
 echo "${ECHO_T}no" >&6
        fi
 # look for field 'ut_addr_v6' in header 'utmp.h'
                ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'`
                ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr_v6
-        echo "$as_me:$LINENO: checking for ut_addr_v6 field in utmp.h" >&5
+        echo "$as_me:12924: checking for ut_addr_v6 field in utmp.h" >&5
 echo $ECHO_N "checking for ut_addr_v6 field in utmp.h... $ECHO_C" >&6
        if eval "test \"\${$ossh_varname+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
                cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 12931 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <utmp.h>
 _ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "ut_addr_v6" >/dev/null 2>&1; then
+  egrep "ut_addr_v6" >/dev/null 2>&1; then
                        eval "$ossh_varname=yes"
 else
                        eval "$ossh_varname=no"
@@ -14757,41 +12945,36 @@ fi
        ossh_result=`eval 'echo $'"$ossh_varname"`
        if test -n "`echo $ossh_varname`"; then
-                echo "$as_me:$LINENO: result: $ossh_result" >&5
+                echo "$as_me:12948: result: $ossh_result" >&5
 echo "${ECHO_T}$ossh_result" >&6
                if test "x$ossh_result" = "xyes"; then
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define HAVE_ADDR_V6_IN_UTMP 1
-_ACEOF
+EOF
                fi
        else
-                echo "$as_me:$LINENO: result: no" >&5
+                echo "$as_me:12957: result: no" >&5
 echo "${ECHO_T}no" >&6
        fi
 # look for field 'ut_addr_v6' in header 'utmpx.h'
                ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'`
                ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr_v6
-        echo "$as_me:$LINENO: checking for ut_addr_v6 field in utmpx.h" >&5
+        echo "$as_me:12964: checking for ut_addr_v6 field in utmpx.h" >&5
 echo $ECHO_N "checking for ut_addr_v6 field in utmpx.h... $ECHO_C" >&6
        if eval "test \"\${$ossh_varname+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
                cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 12971 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <utmpx.h>
 _ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "ut_addr_v6" >/dev/null 2>&1; then
+  egrep "ut_addr_v6" >/dev/null 2>&1; then
                        eval "$ossh_varname=yes"
 else
                        eval "$ossh_varname=no"
@@ -14802,41 +12985,36 @@ fi
        ossh_result=`eval 'echo $'"$ossh_varname"`
        if test -n "`echo $ossh_varname`"; then
-                echo "$as_me:$LINENO: result: $ossh_result" >&5
+                echo "$as_me:12988: result: $ossh_result" >&5
 echo "${ECHO_T}$ossh_result" >&6
                if test "x$ossh_result" = "xyes"; then
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define HAVE_ADDR_V6_IN_UTMPX 1
-_ACEOF
+EOF
                fi
        else
-                echo "$as_me:$LINENO: result: no" >&5
+                echo "$as_me:12997: result: no" >&5
 echo "${ECHO_T}no" >&6
        fi
 # look for field 'ut_exit' in header 'utmp.h'
                ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'`
                ossh_varname="ossh_cv_$ossh_safe""_has_"ut_exit
-        echo "$as_me:$LINENO: checking for ut_exit field in utmp.h" >&5
+        echo "$as_me:13004: checking for ut_exit field in utmp.h" >&5
 echo $ECHO_N "checking for ut_exit field in utmp.h... $ECHO_C" >&6
        if eval "test \"\${$ossh_varname+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
                cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 13011 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <utmp.h>
 _ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "ut_exit" >/dev/null 2>&1; then
+  egrep "ut_exit" >/dev/null 2>&1; then
                        eval "$ossh_varname=yes"
 else
                        eval "$ossh_varname=no"
@@ -14847,41 +13025,36 @@ fi
        ossh_result=`eval 'echo $'"$ossh_varname"`
        if test -n "`echo $ossh_varname`"; then
-                echo "$as_me:$LINENO: result: $ossh_result" >&5
+                echo "$as_me:13028: result: $ossh_result" >&5
 echo "${ECHO_T}$ossh_result" >&6
                if test "x$ossh_result" = "xyes"; then
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define HAVE_EXIT_IN_UTMP 1
-_ACEOF
+EOF
                fi
        else
-                echo "$as_me:$LINENO: result: no" >&5
+                echo "$as_me:13037: result: no" >&5
 echo "${ECHO_T}no" >&6
        fi
 # look for field 'ut_time' in header 'utmp.h'
                ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'`
                ossh_varname="ossh_cv_$ossh_safe""_has_"ut_time
-        echo "$as_me:$LINENO: checking for ut_time field in utmp.h" >&5
+        echo "$as_me:13044: checking for ut_time field in utmp.h" >&5
 echo $ECHO_N "checking for ut_time field in utmp.h... $ECHO_C" >&6
        if eval "test \"\${$ossh_varname+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
                cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 13051 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <utmp.h>
 _ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "ut_time" >/dev/null 2>&1; then
+  egrep "ut_time" >/dev/null 2>&1; then
                        eval "$ossh_varname=yes"
 else
                        eval "$ossh_varname=no"
@@ -14892,41 +13065,36 @@ fi
        ossh_result=`eval 'echo $'"$ossh_varname"`
        if test -n "`echo $ossh_varname`"; then
-                echo "$as_me:$LINENO: result: $ossh_result" >&5
+                echo "$as_me:13068: result: $ossh_result" >&5
 echo "${ECHO_T}$ossh_result" >&6
                if test "x$ossh_result" = "xyes"; then
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define HAVE_TIME_IN_UTMP 1
-_ACEOF
+EOF
                fi
        else
-                echo "$as_me:$LINENO: result: no" >&5
+                echo "$as_me:13077: result: no" >&5
 echo "${ECHO_T}no" >&6
        fi
 # look for field 'ut_time' in header 'utmpx.h'
                ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'`
                ossh_varname="ossh_cv_$ossh_safe""_has_"ut_time
-        echo "$as_me:$LINENO: checking for ut_time field in utmpx.h" >&5
+        echo "$as_me:13084: checking for ut_time field in utmpx.h" >&5
 echo $ECHO_N "checking for ut_time field in utmpx.h... $ECHO_C" >&6
        if eval "test \"\${$ossh_varname+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
                cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 13091 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <utmpx.h>
 _ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "ut_time" >/dev/null 2>&1; then
+  egrep "ut_time" >/dev/null 2>&1; then
                        eval "$ossh_varname=yes"
 else
                        eval "$ossh_varname=no"
@@ -14937,41 +13105,36 @@ fi
        ossh_result=`eval 'echo $'"$ossh_varname"`
        if test -n "`echo $ossh_varname`"; then
-                echo "$as_me:$LINENO: result: $ossh_result" >&5
+                echo "$as_me:13108: result: $ossh_result" >&5
 echo "${ECHO_T}$ossh_result" >&6
                if test "x$ossh_result" = "xyes"; then
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define HAVE_TIME_IN_UTMPX 1
-_ACEOF
+EOF
                fi
        else
-                echo "$as_me:$LINENO: result: no" >&5
+                echo "$as_me:13117: result: no" >&5
 echo "${ECHO_T}no" >&6
        fi
 # look for field 'ut_tv' in header 'utmpx.h'
                ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'`
                ossh_varname="ossh_cv_$ossh_safe""_has_"ut_tv
-        echo "$as_me:$LINENO: checking for ut_tv field in utmpx.h" >&5
+        echo "$as_me:13124: checking for ut_tv field in utmpx.h" >&5
 echo $ECHO_N "checking for ut_tv field in utmpx.h... $ECHO_C" >&6
        if eval "test \"\${$ossh_varname+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
                cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 13131 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <utmpx.h>
 _ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
-  $EGREP "ut_tv" >/dev/null 2>&1; then
+  egrep "ut_tv" >/dev/null 2>&1; then
                        eval "$ossh_varname=yes"
 else
                        eval "$ossh_varname=no"
@@ -14982,32 +13145,27 @@ fi
        ossh_result=`eval 'echo $'"$ossh_varname"`
        if test -n "`echo $ossh_varname`"; then
-                echo "$as_me:$LINENO: result: $ossh_result" >&5
+                echo "$as_me:13148: result: $ossh_result" >&5
 echo "${ECHO_T}$ossh_result" >&6
                if test "x$ossh_result" = "xyes"; then
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define HAVE_TV_IN_UTMPX 1
-_ACEOF
+EOF
                fi
        else
-                echo "$as_me:$LINENO: result: no" >&5
+                echo "$as_me:13157: result: no" >&5
 echo "${ECHO_T}no" >&6
        fi
+echo "$as_me:13161: checking for struct stat.st_blksize" >&5
-echo "$as_me:$LINENO: checking for struct stat.st_blksize" >&5
 echo $ECHO_N "checking for struct stat.st_blksize... $ECHO_C" >&6
 if test "${ac_cv_member_struct_stat_st_blksize+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 13167 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 $ac_includes_default
 int
 main ()
@@ -15020,88 +13178,44 @@ return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:13181: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_member_struct_stat_st_blksize=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-static struct stat ac_aggr;
-if (sizeof ac_aggr.st_blksize)
-return 0;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:13184: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:13187: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:13190: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_member_struct_stat_st_blksize=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_member_struct_stat_st_blksize=no
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-rm -f conftest.$ac_objext conftest.$ac_ext
+echo "$as_me:13200: result: $ac_cv_member_struct_stat_st_blksize" >&5
-fi
-echo "$as_me:$LINENO: result: $ac_cv_member_struct_stat_st_blksize" >&5
 echo "${ECHO_T}$ac_cv_member_struct_stat_st_blksize" >&6
 if test $ac_cv_member_struct_stat_st_blksize = yes; then
-cat >>confdefs.h <<_ACEOF
+cat >>confdefs.h <<EOF
 #define HAVE_STRUCT_STAT_ST_BLKSIZE 1
-_ACEOF
+EOF
 fi
+echo "$as_me:13210: checking for ss_family field in struct sockaddr_storage" >&5
-echo "$as_me:$LINENO: checking for ss_family field in struct sockaddr_storage" >&5
 echo $ECHO_N "checking for ss_family field in struct sockaddr_storage... $ECHO_C" >&6
 if test "${ac_cv_have_ss_family_in_struct_ss+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 13217 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -15115,49 +13229,44 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:13232: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:13235: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:13238: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:13241: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_have_ss_family_in_struct_ss="yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_have_ss_family_in_struct_ss="no"
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_have_ss_family_in_struct_ss" >&5
+echo "$as_me:13252: result: $ac_cv_have_ss_family_in_struct_ss" >&5
 echo "${ECHO_T}$ac_cv_have_ss_family_in_struct_ss" >&6
 if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_SS_FAMILY_IN_SS 1
-_ACEOF
+EOF
 fi
-echo "$as_me:$LINENO: checking for __ss_family field in struct sockaddr_storage" >&5
+echo "$as_me:13261: checking for __ss_family field in struct sockaddr_storage" >&5
 echo $ECHO_N "checking for __ss_family field in struct sockaddr_storage... $ECHO_C" >&6
 if test "${ac_cv_have___ss_family_in_struct_ss+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 13268 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -15171,50 +13280,45 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:13283: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:13286: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:13289: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:13292: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_have___ss_family_in_struct_ss="yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_have___ss_family_in_struct_ss="no"
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_have___ss_family_in_struct_ss" >&5
+echo "$as_me:13304: result: $ac_cv_have___ss_family_in_struct_ss" >&5
 echo "${ECHO_T}$ac_cv_have___ss_family_in_struct_ss" >&6
 if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE___SS_FAMILY_IN_SS 1
-_ACEOF
+EOF
 fi
-echo "$as_me:$LINENO: checking for pw_class field in struct passwd" >&5
+echo "$as_me:13313: checking for pw_class field in struct passwd" >&5
 echo $ECHO_N "checking for pw_class field in struct passwd... $ECHO_C" >&6
 if test "${ac_cv_have_pw_class_in_struct_passwd+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 13320 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <pwd.h>
@@ -15227,50 +13331,45 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:13334: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:13337: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:13340: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:13343: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_have_pw_class_in_struct_passwd="yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_have_pw_class_in_struct_passwd="no"
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_have_pw_class_in_struct_passwd" >&5
+echo "$as_me:13355: result: $ac_cv_have_pw_class_in_struct_passwd" >&5
 echo "${ECHO_T}$ac_cv_have_pw_class_in_struct_passwd" >&6
 if test "x$ac_cv_have_pw_class_in_struct_passwd" = "xyes" ; then
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_PW_CLASS_IN_PASSWD 1
-_ACEOF
+EOF
 fi
-echo "$as_me:$LINENO: checking for pw_expire field in struct passwd" >&5
+echo "$as_me:13364: checking for pw_expire field in struct passwd" >&5
 echo $ECHO_N "checking for pw_expire field in struct passwd... $ECHO_C" >&6
 if test "${ac_cv_have_pw_expire_in_struct_passwd+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 13371 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <pwd.h>
@@ -15283,50 +13382,45 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:13385: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:13388: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:13391: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:13394: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_have_pw_expire_in_struct_passwd="yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_have_pw_expire_in_struct_passwd="no"
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_have_pw_expire_in_struct_passwd" >&5
+echo "$as_me:13406: result: $ac_cv_have_pw_expire_in_struct_passwd" >&5
 echo "${ECHO_T}$ac_cv_have_pw_expire_in_struct_passwd" >&6
 if test "x$ac_cv_have_pw_expire_in_struct_passwd" = "xyes" ; then
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_PW_EXPIRE_IN_PASSWD 1
-_ACEOF
+EOF
 fi
-echo "$as_me:$LINENO: checking for pw_change field in struct passwd" >&5
+echo "$as_me:13415: checking for pw_change field in struct passwd" >&5
 echo $ECHO_N "checking for pw_change field in struct passwd... $ECHO_C" >&6
 if test "${ac_cv_have_pw_change_in_struct_passwd+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 13422 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <pwd.h>
@@ -15339,57 +13433,50 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:13436: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:13439: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:13442: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:13445: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_have_pw_change_in_struct_passwd="yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_have_pw_change_in_struct_passwd="no"
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_have_pw_change_in_struct_passwd" >&5
+echo "$as_me:13457: result: $ac_cv_have_pw_change_in_struct_passwd" >&5
 echo "${ECHO_T}$ac_cv_have_pw_change_in_struct_passwd" >&6
 if test "x$ac_cv_have_pw_change_in_struct_passwd" = "xyes" ; then
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_PW_CHANGE_IN_PASSWD 1
-_ACEOF
+EOF
 fi
-echo "$as_me:$LINENO: checking for msg_accrights field in struct msghdr" >&5
+echo "$as_me:13466: checking for msg_accrights field in struct msghdr" >&5
 echo $ECHO_N "checking for msg_accrights field in struct msghdr... $ECHO_C" >&6
 if test "${ac_cv_have_accrights_in_msghdr+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
        if test "$cross_compiling" = yes; then
-  { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling
+  { { echo "$as_me:13473: error: cannot run test program while cross compiling" >&5
-See \`config.log' for more details." >&5
+echo "$as_me: error: cannot run test program while cross compiling" >&2;}
-echo "$as_me: error: cannot run test program while cross compiling
-See \`config.log' for more details." >&2;}
   { (exit 1); exit 1; }; }
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 13478 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -15405,59 +13492,51 @@ exit(0);
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:13495: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:13498: \$? = $ac_status" >&5
  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:13500: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:13503: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_have_accrights_in_msghdr="yes"
 else
  echo "$as_me: program exited with status $ac_status" >&5
 echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
-( exit $ac_status )
 ac_cv_have_accrights_in_msghdr="no"
 fi
-rm -f core core.* *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 fi
-echo "$as_me:$LINENO: result: $ac_cv_have_accrights_in_msghdr" >&5
+echo "$as_me:13517: result: $ac_cv_have_accrights_in_msghdr" >&5
 echo "${ECHO_T}$ac_cv_have_accrights_in_msghdr" >&6
 if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_ACCRIGHTS_IN_MSGHDR 1
-_ACEOF
+EOF
 fi
-echo "$as_me:$LINENO: checking for msg_control field in struct msghdr" >&5
+echo "$as_me:13526: checking for msg_control field in struct msghdr" >&5
 echo $ECHO_N "checking for msg_control field in struct msghdr... $ECHO_C" >&6
 if test "${ac_cv_have_control_in_msghdr+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
        if test "$cross_compiling" = yes; then
-  { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling
+  { { echo "$as_me:13533: error: cannot run test program while cross compiling" >&5
-See \`config.log' for more details." >&5
+echo "$as_me: error: cannot run test program while cross compiling" >&2;}
-echo "$as_me: error: cannot run test program while cross compiling
-See \`config.log' for more details." >&2;}
   { (exit 1); exit 1; }; }
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 13538 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -15473,52 +13552,46 @@ exit(0);
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:13555: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:13558: \$? = $ac_status" >&5
  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:13560: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:13563: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_have_control_in_msghdr="yes"
 else
  echo "$as_me: program exited with status $ac_status" >&5
 echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
-( exit $ac_status )
 ac_cv_have_control_in_msghdr="no"
 fi
-rm -f core core.* *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 fi
-echo "$as_me:$LINENO: result: $ac_cv_have_control_in_msghdr" >&5
+echo "$as_me:13577: result: $ac_cv_have_control_in_msghdr" >&5
 echo "${ECHO_T}$ac_cv_have_control_in_msghdr" >&6
 if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_CONTROL_IN_MSGHDR 1
-_ACEOF
+EOF
 fi
-echo "$as_me:$LINENO: checking if libc defines __progname" >&5
+echo "$as_me:13586: checking if libc defines __progname" >&5
 echo $ECHO_N "checking if libc defines __progname... $ECHO_C" >&6
 if test "${ac_cv_libc_defines___progname+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 13593 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 int
 main ()
@@ -15529,50 +13602,45 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:13605: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:13608: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:13611: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:13614: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_libc_defines___progname="yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_libc_defines___progname="no"
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_libc_defines___progname" >&5
+echo "$as_me:13626: result: $ac_cv_libc_defines___progname" >&5
 echo "${ECHO_T}$ac_cv_libc_defines___progname" >&6
 if test "x$ac_cv_libc_defines___progname" = "xyes" ; then
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE___PROGNAME 1
-_ACEOF
+EOF
 fi
-echo "$as_me:$LINENO: checking whether $CC implements __FUNCTION__" >&5
+echo "$as_me:13635: checking whether $CC implements __FUNCTION__" >&5
 echo $ECHO_N "checking whether $CC implements __FUNCTION__... $ECHO_C" >&6
 if test "${ac_cv_cc_implements___FUNCTION__+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 13642 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <stdio.h>
@@ -15585,50 +13653,45 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:13656: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:13659: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:13662: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:13665: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_cc_implements___FUNCTION__="yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_cc_implements___FUNCTION__="no"
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_cc_implements___FUNCTION__" >&5
+echo "$as_me:13677: result: $ac_cv_cc_implements___FUNCTION__" >&5
 echo "${ECHO_T}$ac_cv_cc_implements___FUNCTION__" >&6
 if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE___FUNCTION__ 1
-_ACEOF
+EOF
 fi
-echo "$as_me:$LINENO: checking whether $CC implements __func__" >&5
+echo "$as_me:13686: checking whether $CC implements __func__" >&5
 echo $ECHO_N "checking whether $CC implements __func__... $ECHO_C" >&6
 if test "${ac_cv_cc_implements___func__+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 13693 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <stdio.h>
@@ -15641,50 +13704,45 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:13707: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:13710: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:13713: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:13716: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_cc_implements___func__="yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_cc_implements___func__="no"
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_cc_implements___func__" >&5
+echo "$as_me:13728: result: $ac_cv_cc_implements___func__" >&5
 echo "${ECHO_T}$ac_cv_cc_implements___func__" >&6
 if test "x$ac_cv_cc_implements___func__" = "xyes" ; then
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE___func__ 1
-_ACEOF
+EOF
 fi
-echo "$as_me:$LINENO: checking whether getopt has optreset support" >&5
+echo "$as_me:13737: checking whether getopt has optreset support" >&5
 echo $ECHO_N "checking whether getopt has optreset support... $ECHO_C" >&6
 if test "${ac_cv_have_getopt_optreset+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 13744 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <getopt.h>
@@ -15697,50 +13755,45 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:13758: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:13761: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:13764: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:13767: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_have_getopt_optreset="yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_have_getopt_optreset="no"
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_have_getopt_optreset" >&5
+echo "$as_me:13779: result: $ac_cv_have_getopt_optreset" >&5
 echo "${ECHO_T}$ac_cv_have_getopt_optreset" >&6
 if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_GETOPT_OPTRESET 1
-_ACEOF
+EOF
 fi
-echo "$as_me:$LINENO: checking if libc defines sys_errlist" >&5
+echo "$as_me:13788: checking if libc defines sys_errlist" >&5
 echo $ECHO_N "checking if libc defines sys_errlist... $ECHO_C" >&6
 if test "${ac_cv_libc_defines_sys_errlist+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 13795 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 int
 main ()
@@ -15751,51 +13804,45 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:13807: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:13810: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:13813: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:13816: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_libc_defines_sys_errlist="yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_libc_defines_sys_errlist="no"
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_libc_defines_sys_errlist" >&5
+echo "$as_me:13828: result: $ac_cv_libc_defines_sys_errlist" >&5
 echo "${ECHO_T}$ac_cv_libc_defines_sys_errlist" >&6
 if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_SYS_ERRLIST 1
-_ACEOF
+EOF
 fi
+echo "$as_me:13837: checking if libc defines sys_nerr" >&5
-echo "$as_me:$LINENO: checking if libc defines sys_nerr" >&5
 echo $ECHO_N "checking if libc defines sys_nerr... $ECHO_C" >&6
 if test "${ac_cv_libc_defines_sys_nerr+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 13844 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 int
 main ()
@@ -15806,39 +13853,37 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:13856: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:13859: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:13862: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:13865: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   ac_cv_libc_defines_sys_nerr="yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_libc_defines_sys_nerr="no"
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_libc_defines_sys_nerr" >&5
+echo "$as_me:13877: result: $ac_cv_libc_defines_sys_nerr" >&5
 echo "${ECHO_T}$ac_cv_libc_defines_sys_nerr" >&6
 if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define HAVE_SYS_NERR 1
-_ACEOF
+EOF
 fi
 SCARD_MSG="no"
 # Check whether user wants sectok support
 # Check whether --with-sectok or --without-sectok was given.
@@ -15860,70 +13905,23 @@ if test "${with_sectok+set}" = set; then
 for ac_header in sectok.h
 do
 as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+echo "$as_me:13908: checking for $ac_header" >&5
-  echo "$as_me:$LINENO: checking for $ac_header" >&5
 echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
 if eval "test \"\${$as_ac_Header+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
-fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
-else
-  # Is the header compilable?
-echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <$ac_header>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_header_compiler=yes
 else
-  echo "$as_me: failed program was:" >&5
+  cat >conftest.$ac_ext <<_ACEOF
-sed 's/^/| /' conftest.$ac_ext >&5
+#line 13914 "configure"
+#include "confdefs.h"
-ac_header_compiler=no
-fi
-rm -f conftest.$ac_objext conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6
-# Is the header present?
-echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <$ac_header>
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
+if { (eval echo "$as_me:13918: \"$ac_cpp conftest.$ac_ext\"") >&5
  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
+  egrep -v '^ *\+' conftest.er1 >conftest.err
  rm -f conftest.er1
  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:13924: \$? = $ac_status" >&5
  (exit $ac_status); } >/dev/null; then
  if test -s conftest.err; then
    ac_cpp_err=$ac_c_preproc_warn_flag
@@ -15934,77 +13932,31 @@ else
  ac_cpp_err=yes
 fi
 if test -z "$ac_cpp_err"; then
-  ac_header_preproc=yes
+  eval "$as_ac_Header=yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+  cat conftest.$ac_ext >&5
+  eval "$as_ac_Header=no"
-  ac_header_preproc=no
 fi
 rm -f conftest.err conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc in
-  yes:no )
-    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-    (
-      cat <<\_ASBOX
-## ------------------------------------ ##
-## Report this to bug-autoconf@gnu.org. ##
-## ------------------------------------ ##
-_ASBOX
-    ) |
-      sed "s/^/$as_me: WARNING:     /" >&2
-    ;;
-  no:yes )
-    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-    (
-      cat <<\_ASBOX
-## ------------------------------------ ##
-## Report this to bug-autoconf@gnu.org. ##
-## ------------------------------------ ##
-_ASBOX
-    ) |
-      sed "s/^/$as_me: WARNING:     /" >&2
-    ;;
-esac
-echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  eval "$as_ac_Header=$ac_header_preproc"
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
+echo "$as_me:13943: result: `eval echo '${'$as_ac_Header'}'`" >&5
 echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
-fi
 if test `eval echo '${'$as_ac_Header'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
+  cat >>confdefs.h <<EOF
 #define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
-_ACEOF
+EOF
 fi
 done
                        if test "$ac_cv_header_sectok_h" != yes; then
-                                { { echo "$as_me:$LINENO: error: Can't find sectok.h" >&5
+                                { { echo "$as_me:13954: error: Can't find sectok.h" >&5
 echo "$as_me: error: Can't find sectok.h" >&2;}
   { (exit 1); exit 1; }; }
                        fi
-echo "$as_me:$LINENO: checking for sectok_open in -lsectok" >&5
+echo "$as_me:13959: checking for sectok_open in -lsectok" >&5
 echo $ECHO_N "checking for sectok_open in -lsectok... $ECHO_C" >&6
 if test "${ac_cv_lib_sectok_sectok_open+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -16012,12 +13964,8 @@ else
  ac_check_lib_save_LIBS=$LIBS
 LIBS="-lsectok  $LIBS"
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 13967 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
@@ -16035,55 +13983,53 @@ sectok_open ();
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:13986: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:13989: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:13992: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:13995: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_lib_sectok_sectok_open=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 ac_cv_lib_sectok_sectok_open=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_sectok_sectok_open" >&5
+echo "$as_me:14006: result: $ac_cv_lib_sectok_sectok_open" >&5
 echo "${ECHO_T}$ac_cv_lib_sectok_sectok_open" >&6
 if test $ac_cv_lib_sectok_sectok_open = yes; then
-  cat >>confdefs.h <<_ACEOF
+  cat >>confdefs.h <<EOF
 #define HAVE_LIBSECTOK 1
-_ACEOF
+EOF
  LIBS="-lsectok $LIBS"
 fi
                        if test "$ac_cv_lib_sectok_sectok_open" != yes; then
-                                { { echo "$as_me:$LINENO: error: Can't find libsectok" >&5
+                                { { echo "$as_me:14018: error: Can't find libsectok" >&5
 echo "$as_me: error: Can't find libsectok" >&2;}
   { (exit 1); exit 1; }; }
                        fi
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define SMARTCARD 1
-_ACEOF
+EOF
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define USE_SECTOK 1
-_ACEOF
+EOF
                        SCARD_MSG="yes, using sectok"
                fi
 fi;
 # Check whether user wants OpenSC support
@@ -16099,7 +14045,7 @@ if test x$opensc_config_prefix != x ; then
  OPENSC_CONFIG=$opensc_config_prefix/bin/opensc-config
  # Extract the first word of "opensc-config", so it can be a program name with args.
 set dummy opensc-config; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:14048: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_path_OPENSC_CONFIG+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -16109,18 +14055,16 @@ else
  ac_cv_path_OPENSC_CONFIG="$OPENSC_CONFIG" # Let the user override the test with a path.
  ;;
  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $PATH
+ac_dummy="$PATH"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  if $as_executable_p "$ac_dir/$ac_word"; then
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+   ac_cv_path_OPENSC_CONFIG="$ac_dir/$ac_word"
-    ac_cv_path_OPENSC_CONFIG="$as_dir/$ac_word$ac_exec_ext"
+   echo "$as_me:14065: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+   break
-    break 2
+fi
-  fi
-done
 done
  test -z "$ac_cv_path_OPENSC_CONFIG" && ac_cv_path_OPENSC_CONFIG="no"
@@ -16130,10 +14074,10 @@ fi
 OPENSC_CONFIG=$ac_cv_path_OPENSC_CONFIG
 if test -n "$OPENSC_CONFIG"; then
-  echo "$as_me:$LINENO: result: $OPENSC_CONFIG" >&5
+  echo "$as_me:14077: result: $OPENSC_CONFIG" >&5
 echo "${ECHO_T}$OPENSC_CONFIG" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:14080: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -16142,108 +14086,81 @@ fi
    LIBOPENSC_LIBS=`$OPENSC_CONFIG --libs`
    CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS"
    LDFLAGS="$LDFLAGS $LIBOPENSC_LIBS"
-    cat >>confdefs.h <<\_ACEOF
+    cat >>confdefs.h <<\EOF
 #define SMARTCARD 1
-_ACEOF
+EOF
-    cat >>confdefs.h <<\_ACEOF
+    cat >>confdefs.h <<\EOF
 #define USE_OPENSC 1
-_ACEOF
+EOF
    SCARD_MSG="yes, using OpenSC"
  fi
 fi
-# Check whether user wants Kerberos 5 support
+# Check whether user wants DNS support
-KRB5_MSG="no"
+DNS_MSG="no"
-# Check whether --with-kerberos5 or --without-kerberos5 was given.
+# Check whether --with-dns or --without-dns was given.
-if test "${with_kerberos5+set}" = set; then
+if test "${with_dns+set}" = set; then
-  withval="$with_kerberos5"
+  withval="$with_dns"
-                if test "x$withval" != "xno" ; then
+                if test "x$withval" != "xno" ; then
-                        if test "x$withval" = "xyes" ; then
+                        DNS_MSG="yes"
-                                KRB5ROOT="/usr/local"
+                        cat >>confdefs.h <<\EOF
-                        else
+#define DNS 1
-                                KRB5ROOT=${withval}
+EOF
-                        fi
-                        CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
+                        echo "$as_me:14114: checking for library containing getrrsetbyname" >&5
-                        LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
+echo $ECHO_N "checking for library containing getrrsetbyname... $ECHO_C" >&6
-                        cat >>confdefs.h <<\_ACEOF
+if test "${ac_cv_search_getrrsetbyname+set}" = set; then
-#define KRB5 1
+  echo $ECHO_N "(cached) $ECHO_C" >&6
-_ACEOF
+else
+  ac_func_search_save_LIBS=$LIBS
+ac_cv_search_getrrsetbyname=no
+cat >conftest.$ac_ext <<_ACEOF
+#line 14122 "configure"
+#include "confdefs.h"
-                        KRB5_MSG="yes"
+/* Override any gcc2 internal prototype to avoid an error.  */
-                        echo "$as_me:$LINENO: checking whether we are using Heimdal" >&5
+#ifdef __cplusplus
-echo $ECHO_N "checking whether we are using Heimdal... $ECHO_C" >&6
+extern "C"
-                        cat >conftest.$ac_ext <<_ACEOF
+#endif
-#line $LINENO "configure"
+/* We use char because int might match the return type of a gcc2
-/* confdefs.h.  */
+   builtin and then its argument prototype would still apply.  */
-_ACEOF
+char getrrsetbyname ();
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
- #include <krb5.h>
 int
 main ()
 {
- char *tmp = heimdal_version;
+getrrsetbyname ();
  ;
  return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext
+rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:14141: \"$ac_link\"") >&5
-  (eval $ac_compile) 2>&5
+  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:14144: \$? = $ac_status" >&5
  (exit $ac_status); } &&
-         { ac_try='test -s conftest.$ac_objext'
+         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:14147: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:14150: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-   echo "$as_me:$LINENO: result: yes" >&5
+  ac_cv_search_getrrsetbyname="none required"
-echo "${ECHO_T}yes" >&6
-                                         cat >>confdefs.h <<\_ACEOF
-#define HEIMDAL 1
-_ACEOF
-                                         K5LIBS="-lkrb5 -ldes -lcom_err -lasn1 -lroken"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-                                         K5LIBS="-lkrb5 -lk5crypto -lcom_err"
 fi
-rm -f conftest.$ac_objext conftest.$ac_ext
+rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
-                        if test ! -z "$need_dash_r" ; then
+if test "$ac_cv_search_getrrsetbyname" = no; then
-                                LDFLAGS="$LDFLAGS -R${KRB5ROOT}/lib"
+  for ac_lib in resolv; do
-                        fi
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
-                        if test ! -z "$blibpath" ; then
+    cat >conftest.$ac_ext <<_ACEOF
-                                blibpath="$blibpath:${KRB5ROOT}/lib"
+#line 14162 "configure"
-                        fi
+#include "confdefs.h"
-echo "$as_me:$LINENO: checking for dn_expand in -lresolv" >&5
-echo $ECHO_N "checking for dn_expand in -lresolv... $ECHO_C" >&6
-if test "${ac_cv_lib_resolv_dn_expand+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lresolv  $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
@@ -16251,364 +14168,444 @@ extern "C"
 #endif
 /* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
-char dn_expand ();
+char getrrsetbyname ();
 int
 main ()
 {
-dn_expand ();
+getrrsetbyname ();
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:14181: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:14184: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:14187: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:14190: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-  ac_cv_lib_resolv_dn_expand=yes
+  ac_cv_search_getrrsetbyname="-l$ac_lib"
+break
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
-ac_cv_lib_resolv_dn_expand=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
+  done
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_resolv_dn_expand" >&5
+LIBS=$ac_func_search_save_LIBS
-echo "${ECHO_T}$ac_cv_lib_resolv_dn_expand" >&6
-if test $ac_cv_lib_resolv_dn_expand = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBRESOLV 1
-_ACEOF
-  LIBS="-lresolv $LIBS"
 fi
+echo "$as_me:14203: result: $ac_cv_search_getrrsetbyname" >&5
+echo "${ECHO_T}$ac_cv_search_getrrsetbyname" >&6
+if test "$ac_cv_search_getrrsetbyname" != no; then
+  test "$ac_cv_search_getrrsetbyname" = "none required" || LIBS="$ac_cv_search_getrrsetbyname $LIBS"
+  cat >>confdefs.h <<\EOF
+#define HAVE_GETRRSETBYNAME 1
+EOF
+else
-                        KRB5=yes
+                                        # Needed by our getrrsetbyname()
-                fi
+                                        echo "$as_me:14214: checking for library containing res_query" >&5
+echo $ECHO_N "checking for library containing res_query... $ECHO_C" >&6
+if test "${ac_cv_search_res_query+set}" = set; then
-fi;
-# Check whether user wants Kerberos 4 support
-KRB4_MSG="no"
-# Check whether --with-kerberos4 or --without-kerberos4 was given.
-if test "${with_kerberos4+set}" = set; then
-  withval="$with_kerberos4"
-                if test "x$withval" != "xno" ; then
-                        if test "x$withval" != "xyes" ; then
-                                CPPFLAGS="$CPPFLAGS -I${withval}/include"
-                                LDFLAGS="$LDFLAGS -L${withval}/lib"
-                                if test ! -z "$need_dash_r" ; then
-                                        LDFLAGS="$LDFLAGS -R${withval}/lib"
-                                fi
-                                if test ! -z "$blibpath" ; then
-                                        blibpath="$blibpath:${withval}/lib"
-                                fi
-                        else
-                                if test -d /usr/include/kerberosIV ; then
-                                        CPPFLAGS="$CPPFLAGS -I/usr/include/kerberosIV"
-                                fi
-                        fi
-for ac_header in krb.h
-do
-as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
-  echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
-fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
 else
-  # Is the header compilable?
+  ac_func_search_save_LIBS=$LIBS
-echo "$as_me:$LINENO: checking $ac_header usability" >&5
+ac_cv_search_res_query=no
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 14222 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
+/* Override any gcc2 internal prototype to avoid an error.  */
-cat >>conftest.$ac_ext <<_ACEOF
+#ifdef __cplusplus
-/* end confdefs.h.  */
+extern "C"
-$ac_includes_default
+#endif
-#include <$ac_header>
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char res_query ();
+int
+main ()
+{
+res_query ();
+  ;
+  return 0;
+}
 _ACEOF
-rm -f conftest.$ac_objext
+rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:14241: \"$ac_link\"") >&5
-  (eval $ac_compile) 2>&5
+  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:14244: \$? = $ac_status" >&5
  (exit $ac_status); } &&
-         { ac_try='test -s conftest.$ac_objext'
+         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:14247: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:14250: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-  ac_header_compiler=yes
+  ac_cv_search_res_query="none required"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
-ac_header_compiler=no
 fi
-rm -f conftest.$ac_objext conftest.$ac_ext
+rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+if test "$ac_cv_search_res_query" = no; then
-echo "${ECHO_T}$ac_header_compiler" >&6
+  for ac_lib in resolv; do
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
+    cat >conftest.$ac_ext <<_ACEOF
+#line 14262 "configure"
+#include "confdefs.h"
-# Is the header present?
+/* Override any gcc2 internal prototype to avoid an error.  */
-echo "$as_me:$LINENO: checking $ac_header presence" >&5
+#ifdef __cplusplus
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
+extern "C"
-cat >conftest.$ac_ext <<_ACEOF
+#endif
-#line $LINENO "configure"
+/* We use char because int might match the return type of a gcc2
-/* confdefs.h.  */
+   builtin and then its argument prototype would still apply.  */
-_ACEOF
+char res_query ();
-cat confdefs.h >>conftest.$ac_ext
+int
-cat >>conftest.$ac_ext <<_ACEOF
+main ()
-/* end confdefs.h.  */
+{
-#include <$ac_header>
+res_query ();
+  ;
+  return 0;
+}
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
+rm -f conftest.$ac_objext conftest$ac_exeext
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (eval echo "$as_me:14281: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
+  echo "$as_me:14284: \$? = $ac_status" >&5
-  rm -f conftest.er1
+  (exit $ac_status); } &&
-  cat conftest.err >&5
+         { ac_try='test -s conftest$ac_exeext'
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  { (eval echo "$as_me:14287: \"$ac_try\"") >&5
-  (exit $ac_status); } >/dev/null; then
+  (eval $ac_try) 2>&5
-  if test -s conftest.err; then
+  ac_status=$?
-    ac_cpp_err=$ac_c_preproc_warn_flag
+  echo "$as_me:14290: \$? = $ac_status" >&5
-  else
+  (exit $ac_status); }; }; then
-    ac_cpp_err=
+  ac_cv_search_res_query="-l$ac_lib"
-  fi
+break
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
-  ac_header_preproc=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
-  ac_header_preproc=no
 fi
-rm -f conftest.err conftest.$ac_ext
+rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+  done
-echo "${ECHO_T}$ac_header_preproc" >&6
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc in
-  yes:no )
-    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-    (
-      cat <<\_ASBOX
-## ------------------------------------ ##
-## Report this to bug-autoconf@gnu.org. ##
-## ------------------------------------ ##
-_ASBOX
-    ) |
-      sed "s/^/$as_me: WARNING:     /" >&2
-    ;;
-  no:yes )
-    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-    (
-      cat <<\_ASBOX
-## ------------------------------------ ##
-## Report this to bug-autoconf@gnu.org. ##
-## ------------------------------------ ##
-_ASBOX
-    ) |
-      sed "s/^/$as_me: WARNING:     /" >&2
-    ;;
-esac
-echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  eval "$as_ac_Header=$ac_header_preproc"
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
+LIBS=$ac_func_search_save_LIBS
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
 fi
-if test `eval echo '${'$as_ac_Header'}'` = yes; then
+echo "$as_me:14303: result: $ac_cv_search_res_query" >&5
-  cat >>confdefs.h <<_ACEOF
+echo "${ECHO_T}$ac_cv_search_res_query" >&6
-#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+if test "$ac_cv_search_res_query" != no; then
-_ACEOF
+  test "$ac_cv_search_res_query" = "none required" || LIBS="$ac_cv_search_res_query $LIBS"
 fi
-done
+                                        echo "$as_me:14310: checking for library containing dn_expand" >&5
+echo $ECHO_N "checking for library containing dn_expand... $ECHO_C" >&6
-                        if test "$ac_cv_header_krb_h" != yes; then
+if test "${ac_cv_search_dn_expand+set}" = set; then
-                                { echo "$as_me:$LINENO: WARNING: Cannot find krb.h, build may fail" >&5
-echo "$as_me: WARNING: Cannot find krb.h, build may fail" >&2;}
-                        fi
-echo "$as_me:$LINENO: checking for main in -lkrb" >&5
-echo $ECHO_N "checking for main in -lkrb... $ECHO_C" >&6
-if test "${ac_cv_lib_krb_main+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  ac_check_lib_save_LIBS=$LIBS
+  ac_func_search_save_LIBS=$LIBS
-LIBS="-lkrb  $LIBS"
+ac_cv_search_dn_expand=no
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 14318 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char dn_expand ();
 int
 main ()
 {
-main ();
+dn_expand ();
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:14337: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:14340: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:14343: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:14346: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-  ac_cv_lib_krb_main=yes
+  ac_cv_search_dn_expand="none required"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+fi
+rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
+if test "$ac_cv_search_dn_expand" = no; then
+  for ac_lib in resolv; do
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
+    cat >conftest.$ac_ext <<_ACEOF
+#line 14358 "configure"
+#include "confdefs.h"
-ac_cv_lib_krb_main=no
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char dn_expand ();
+int
+main ()
+{
+dn_expand ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:14377: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:14380: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:14383: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:14386: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_search_dn_expand="-l$ac_lib"
+break
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
+  done
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_krb_main" >&5
+LIBS=$ac_func_search_save_LIBS
-echo "${ECHO_T}$ac_cv_lib_krb_main" >&6
-if test $ac_cv_lib_krb_main = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBKRB 1
-_ACEOF
-  LIBS="-lkrb $LIBS"
 fi
+echo "$as_me:14399: result: $ac_cv_search_dn_expand" >&5
+echo "${ECHO_T}$ac_cv_search_dn_expand" >&6
+if test "$ac_cv_search_dn_expand" != no; then
+  test "$ac_cv_search_dn_expand" = "none required" || LIBS="$ac_cv_search_dn_expand $LIBS"
-                        if test "$ac_cv_lib_krb_main" != yes; then
+fi
-echo "$as_me:$LINENO: checking for main in -lkrb4" >&5
+for ac_func in _getshort _getlong
-echo $ECHO_N "checking for main in -lkrb4... $ECHO_C" >&6
+do
-if test "${ac_cv_lib_krb4_main+set}" = set; then
+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
+echo "$as_me:14409: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
+if eval "test \"\${$as_ac_var+set}\" = set"; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  ac_check_lib_save_LIBS=$LIBS
+  cat >conftest.$ac_ext <<_ACEOF
-LIBS="-lkrb4  $LIBS"
+#line 14415 "configure"
-cat >conftest.$ac_ext <<_ACEOF
+#include "confdefs.h"
-#line $LINENO "configure"
+/* System header to define __stub macros and hopefully few prototypes,
-/* confdefs.h.  */
+    which can conflict with char $ac_func (); below.  */
-_ACEOF
+#include <assert.h>
-cat confdefs.h >>conftest.$ac_ext
+/* Override any gcc2 internal prototype to avoid an error.  */
-cat >>conftest.$ac_ext <<_ACEOF
+#ifdef __cplusplus
-/* end confdefs.h.  */
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char $ac_func ();
+char (*f) ();
 int
 main ()
 {
-main ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+choke me
+#else
+f = $ac_func;
+#endif
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:14446: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:14449: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:14452: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:14455: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-  ac_cv_lib_krb4_main=yes
+  eval "$as_ac_var=yes"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+eval "$as_ac_var=no"
-ac_cv_lib_krb4_main=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_krb4_main" >&5
+echo "$as_me:14465: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}$ac_cv_lib_krb4_main" >&6
+echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
-if test $ac_cv_lib_krb4_main = yes; then
+if test `eval echo '${'$as_ac_var'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
+  cat >>confdefs.h <<EOF
-#define HAVE_LIBKRB4 1
+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
+EOF
+fi
+done
+                                        echo "$as_me:14475: checking for HEADER.ad" >&5
+echo $ECHO_N "checking for HEADER.ad... $ECHO_C" >&6
+if test "${ac_cv_member_HEADER_ad+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 14481 "configure"
+#include "confdefs.h"
+#include <arpa/nameser.h>
+int
+main ()
+{
+static HEADER ac_aggr;
+if (ac_aggr.ad)
+return 0;
+  ;
+  return 0;
+}
 _ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:14496: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:14499: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { ac_try='test -s conftest.$ac_objext'
+  { (eval echo "$as_me:14502: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:14505: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_member_HEADER_ad=yes
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ac_cv_member_HEADER_ad=no
+fi
+rm -f conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:14515: result: $ac_cv_member_HEADER_ad" >&5
+echo "${ECHO_T}$ac_cv_member_HEADER_ad" >&6
+if test $ac_cv_member_HEADER_ad = yes; then
+  cat >>confdefs.h <<\EOF
+#define HAVE_HEADER_AD 1
+EOF
-  LIBS="-lkrb4 $LIBS"
+fi
 fi
-                                if test "$ac_cv_lib_krb4_main" != yes; then
+                fi
-                                        { echo "$as_me:$LINENO: WARNING: Cannot find libkrb nor libkrb4, build may fail" >&5
-echo "$as_me: WARNING: Cannot find libkrb nor libkrb4, build may fail" >&2;}
+fi;
-                                else
-                                        KLIBS="-lkrb4"
+# Check whether user wants Kerberos 5 support
-                                fi
+KRB5_MSG="no"
-                        else
-                                KLIBS="-lkrb"
+# Check whether --with-kerberos5 or --without-kerberos5 was given.
-                        fi
+if test "${with_kerberos5+set}" = set; then
+  withval="$with_kerberos5"
+                if test "x$withval" != "xno" ; then
+                        if test "x$withval" = "xyes" ; then
+                                KRB5ROOT="/usr/local"
+                        else
+                                KRB5ROOT=${withval}
+                        fi
+                        CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
+                        LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
+                        cat >>confdefs.h <<\EOF
+#define KRB5 1
+EOF
+                        KRB5_MSG="yes"
+                        echo "$as_me:14550: checking whether we are using Heimdal" >&5
+echo $ECHO_N "checking whether we are using Heimdal... $ECHO_C" >&6
+                        cat >conftest.$ac_ext <<_ACEOF
+#line 14553 "configure"
+#include "confdefs.h"
+ #include <krb5.h>
+int
+main ()
+{
+ char *tmp = heimdal_version;
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:14565: \"$ac_compile\"") >&5
+  (eval $ac_compile) 2>&5
+  ac_status=$?
+  echo "$as_me:14568: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { ac_try='test -s conftest.$ac_objext'
+  { (eval echo "$as_me:14571: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:14574: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+   echo "$as_me:14576: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+                                         cat >>confdefs.h <<\EOF
+#define HEIMDAL 1
+EOF
+                                         K5LIBS="-lkrb5 -ldes -lcom_err -lasn1 -lroken"
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
+ echo "$as_me:14587: result: no" >&5
+echo "${ECHO_T}no" >&6
+                                         K5LIBS="-lkrb5 -lk5crypto -lcom_err"
-echo "$as_me:$LINENO: checking for des_cbc_encrypt in -ldes" >&5
+fi
-echo $ECHO_N "checking for des_cbc_encrypt in -ldes... $ECHO_C" >&6
+rm -f conftest.$ac_objext conftest.$ac_ext
-if test "${ac_cv_lib_des_des_cbc_encrypt+set}" = set; then
+                        if test ! -z "$need_dash_r" ; then
+                                LDFLAGS="$LDFLAGS -R${KRB5ROOT}/lib"
+                        fi
+                        if test ! -z "$blibpath" ; then
+                                blibpath="$blibpath:${KRB5ROOT}/lib"
+                        fi
+                        echo "$as_me:14599: checking for library containing dn_expand" >&5
+echo $ECHO_N "checking for library containing dn_expand... $ECHO_C" >&6
+if test "${ac_cv_search_dn_expand+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  ac_check_lib_save_LIBS=$LIBS
+  ac_func_search_save_LIBS=$LIBS
-LIBS="-ldes  $LIBS"
+ac_cv_search_dn_expand=no
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 14607 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
@@ -16616,64 +14613,95 @@ extern "C"
 #endif
 /* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
-char des_cbc_encrypt ();
+char dn_expand ();
 int
 main ()
 {
-des_cbc_encrypt ();
+dn_expand ();
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:14626: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:14629: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:14632: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:14635: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-  ac_cv_lib_des_des_cbc_encrypt=yes
+  ac_cv_search_dn_expand="none required"
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+fi
+rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
+if test "$ac_cv_search_dn_expand" = no; then
+  for ac_lib in resolv; do
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
+    cat >conftest.$ac_ext <<_ACEOF
+#line 14647 "configure"
+#include "confdefs.h"
-ac_cv_lib_des_des_cbc_encrypt=no
+/* Override any gcc2 internal prototype to avoid an error.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+   builtin and then its argument prototype would still apply.  */
+char dn_expand ();
+int
+main ()
+{
+dn_expand ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:14666: \"$ac_link\"") >&5
+  (eval $ac_link) 2>&5
+  ac_status=$?
+  echo "$as_me:14669: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { ac_try='test -s conftest$ac_exeext'
+  { (eval echo "$as_me:14672: \"$ac_try\"") >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  echo "$as_me:14675: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  ac_cv_search_dn_expand="-l$ac_lib"
+break
+else
+  echo "$as_me: failed program was:" >&5
+cat conftest.$ac_ext >&5
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
+  done
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_des_des_cbc_encrypt" >&5
+LIBS=$ac_func_search_save_LIBS
-echo "${ECHO_T}$ac_cv_lib_des_des_cbc_encrypt" >&6
-if test $ac_cv_lib_des_des_cbc_encrypt = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBDES 1
-_ACEOF
-  LIBS="-ldes $LIBS"
 fi
+echo "$as_me:14688: result: $ac_cv_search_dn_expand" >&5
+echo "${ECHO_T}$ac_cv_search_dn_expand" >&6
+if test "$ac_cv_search_dn_expand" != no; then
+  test "$ac_cv_search_dn_expand" = "none required" || LIBS="$ac_cv_search_dn_expand $LIBS"
-                        if test "$ac_cv_lib_des_des_cbc_encrypt" != yes; then
+fi
-echo "$as_me:$LINENO: checking for des_cbc_encrypt in -ldes425" >&5
+                        echo "$as_me:14695: checking for gss_init_sec_context in -lgssapi" >&5
-echo $ECHO_N "checking for des_cbc_encrypt in -ldes425... $ECHO_C" >&6
+echo $ECHO_N "checking for gss_init_sec_context in -lgssapi... $ECHO_C" >&6
-if test "${ac_cv_lib_des425_des_cbc_encrypt+set}" = set; then
+if test "${ac_cv_lib_gssapi_gss_init_sec_context+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldes425  $LIBS"
+LIBS="-lgssapi $K5LIBS $LIBS"
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 14703 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
@@ -16681,72 +14709,55 @@ extern "C"
 #endif
 /* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
-char des_cbc_encrypt ();
+char gss_init_sec_context ();
 int
 main ()
 {
-des_cbc_encrypt ();
+gss_init_sec_context ();
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:14722: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:14725: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:14728: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:14731: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-  ac_cv_lib_des425_des_cbc_encrypt=yes
+  ac_cv_lib_gssapi_gss_init_sec_context=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_gssapi_gss_init_sec_context=no
-ac_cv_lib_des425_des_cbc_encrypt=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_des425_des_cbc_encrypt" >&5
+echo "$as_me:14742: result: $ac_cv_lib_gssapi_gss_init_sec_context" >&5
-echo "${ECHO_T}$ac_cv_lib_des425_des_cbc_encrypt" >&6
+echo "${ECHO_T}$ac_cv_lib_gssapi_gss_init_sec_context" >&6
-if test $ac_cv_lib_des425_des_cbc_encrypt = yes; then
+if test $ac_cv_lib_gssapi_gss_init_sec_context = yes; then
-  cat >>confdefs.h <<_ACEOF
+   cat >>confdefs.h <<\EOF
-#define HAVE_LIBDES425 1
+#define GSSAPI 1
-_ACEOF
+EOF
-  LIBS="-ldes425 $LIBS"
-fi
-                                if test "$ac_cv_lib_des425_des_cbc_encrypt" != yes; then
-                                        { echo "$as_me:$LINENO: WARNING: Cannot find libdes nor libdes425, build may fail" >&5
-echo "$as_me: WARNING: Cannot find libdes nor libdes425, build may fail" >&2;}
-                                else
-                                        KLIBS="-ldes425"
-                                fi
-                        else
-                                KLIBS="-ldes"
-                        fi
-echo "$as_me:$LINENO: checking for dn_expand in -lresolv" >&5
+                                  K5LIBS="-lgssapi $K5LIBS"
-echo $ECHO_N "checking for dn_expand in -lresolv... $ECHO_C" >&6
+else
-if test "${ac_cv_lib_resolv_dn_expand+set}" = set; then
+   echo "$as_me:14751: checking for gss_init_sec_context in -lgssapi_krb5" >&5
+echo $ECHO_N "checking for gss_init_sec_context in -lgssapi_krb5... $ECHO_C" >&6
+if test "${ac_cv_lib_gssapi_krb5_gss_init_sec_context+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lresolv  $LIBS"
+LIBS="-lgssapi_krb5 $K5LIBS $LIBS"
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 14759 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* Override any gcc2 internal prototype to avoid an error.  */
 #ifdef __cplusplus
@@ -16754,92 +14765,198 @@ extern "C"
 #endif
 /* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
-char dn_expand ();
+char gss_init_sec_context ();
 int
 main ()
 {
-dn_expand ();
+gss_init_sec_context ();
  ;
  return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:14778: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:14781: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:14784: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:14787: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-  ac_cv_lib_resolv_dn_expand=yes
+  ac_cv_lib_gssapi_krb5_gss_init_sec_context=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ac_cv_lib_gssapi_krb5_gss_init_sec_context=no
-ac_cv_lib_resolv_dn_expand=no
 fi
 rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_resolv_dn_expand" >&5
+echo "$as_me:14798: result: $ac_cv_lib_gssapi_krb5_gss_init_sec_context" >&5
-echo "${ECHO_T}$ac_cv_lib_resolv_dn_expand" >&6
+echo "${ECHO_T}$ac_cv_lib_gssapi_krb5_gss_init_sec_context" >&6
-if test $ac_cv_lib_resolv_dn_expand = yes; then
+if test $ac_cv_lib_gssapi_krb5_gss_init_sec_context = yes; then
-  cat >>confdefs.h <<_ACEOF
+   cat >>confdefs.h <<\EOF
-#define HAVE_LIBRESOLV 1
+#define GSSAPI 1
-_ACEOF
+EOF
-  LIBS="-lresolv $LIBS"
+                                          K5LIBS="-lgssapi_krb5 $K5LIBS"
+else
+  { echo "$as_me:14807: WARNING: Cannot find any suitable gss-api library - build may fail" >&5
+echo "$as_me: WARNING: Cannot find any suitable gss-api library - build may fail" >&2;}
+fi
 fi
-                        KRB4=yes
+                        echo "$as_me:14813: checking for gssapi.h" >&5
-                        KRB4_MSG="yes"
+echo $ECHO_N "checking for gssapi.h... $ECHO_C" >&6
-                        cat >>confdefs.h <<\_ACEOF
+if test "${ac_cv_header_gssapi_h+set}" = set; then
-#define KRB4 1
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 14819 "configure"
+#include "confdefs.h"
+#include <gssapi.h>
 _ACEOF
+if { (eval echo "$as_me:14823: \"$ac_cpp conftest.$ac_ext\"") >&5
+  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+  ac_status=$?
+  egrep -v '^ *\+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:14829: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null; then
+  if test -s conftest.err; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+  ac_cv_header_gssapi_h=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_header_gssapi_h=no
+fi
+rm -f conftest.err conftest.$ac_ext
+fi
+echo "$as_me:14848: result: $ac_cv_header_gssapi_h" >&5
+echo "${ECHO_T}$ac_cv_header_gssapi_h" >&6
+if test $ac_cv_header_gssapi_h = yes; then
+  :
+else
+   unset ac_cv_header_gssapi_h
+                                  CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
-                fi
+for ac_header in gssapi.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-fi;
+echo "$as_me:14859: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-# Check whether user wants AFS support
+if eval "test \"\${$as_ac_Header+set}\" = set"; then
-AFS_MSG="no"
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
-# Check whether --with-afs or --without-afs was given.
+  cat >conftest.$ac_ext <<_ACEOF
-if test "${with_afs+set}" = set; then
+#line 14865 "configure"
-  withval="$with_afs"
+#include "confdefs.h"
+#include <$ac_header>
+_ACEOF
+if { (eval echo "$as_me:14869: \"$ac_cpp conftest.$ac_ext\"") >&5
+  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+  ac_status=$?
+  egrep -v '^ *\+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:14875: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null; then
+  if test -s conftest.err; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+  eval "$as_ac_Header=yes"
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  eval "$as_ac_Header=no"
+fi
+rm -f conftest.err conftest.$ac_ext
+fi
+echo "$as_me:14894: result: `eval echo '${'$as_ac_Header'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+  cat >>confdefs.h <<EOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+EOF
-                if test "x$withval" != "xno" ; then
+else
+  { echo "$as_me:14902: WARNING: Cannot find any suitable gss-api header - build may fail" >&5
+echo "$as_me: WARNING: Cannot find any suitable gss-api header - build may fail" >&2;}
-                        if test "x$withval" != "xyes" ; then
+fi
-                                CPPFLAGS="$CPPFLAGS -I${withval}/include"
+done
-                                LDFLAGS="$LDFLAGS -L${withval}/lib"
-                        fi
-                        if test -z "$KRB4" ; then
+fi
-                                { echo "$as_me:$LINENO: WARNING: AFS requires Kerberos IV support, build may fail" >&5
-echo "$as_me: WARNING: AFS requires Kerberos IV support, build may fail" >&2;}
-                        fi
-                        LIBS="-lkafs $LIBS"
+                        oldCPP="$CPPFLAGS"
-                        if test ! -z "$AFS_LIBS" ; then
+                        CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
-                                LIBS="$LIBS $AFS_LIBS"
+                        echo "$as_me:14912: checking for gssapi_krb5.h" >&5
-                        fi
+echo $ECHO_N "checking for gssapi_krb5.h... $ECHO_C" >&6
-                        cat >>confdefs.h <<\_ACEOF
+if test "${ac_cv_header_gssapi_krb5_h+set}" = set; then
-#define AFS 1
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+#line 14918 "configure"
+#include "confdefs.h"
+#include <gssapi_krb5.h>
 _ACEOF
+if { (eval echo "$as_me:14922: \"$ac_cpp conftest.$ac_ext\"") >&5
+  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+  ac_status=$?
+  egrep -v '^ *\+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:14928: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null; then
+  if test -s conftest.err; then
+    ac_cpp_err=$ac_c_preproc_warn_flag
+  else
+    ac_cpp_err=
+  fi
+else
+  ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+  ac_cv_header_gssapi_krb5_h=yes
+else
+  echo "$as_me: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  ac_cv_header_gssapi_krb5_h=no
+fi
+rm -f conftest.err conftest.$ac_ext
+fi
+echo "$as_me:14947: result: $ac_cv_header_gssapi_krb5_h" >&5
+echo "${ECHO_T}$ac_cv_header_gssapi_krb5_h" >&6
+if test $ac_cv_header_gssapi_krb5_h = yes; then
+  :
+else
+   CPPFLAGS="$oldCPP"
+fi
-                        AFS_MSG="yes"
+                        KRB5=yes
-                fi
+                fi
 fi;
-LIBS="$LIBS $KLIBS $K5LIBS"
+LIBS="$LIBS $K5LIBS"
 # Looking for programs, paths and files
@@ -16853,11 +14970,8 @@ if test "${with_privsep_path+set}" = set; then
                        PRIVSEP_PATH=$withval
                fi
 fi;
 # Check whether --with-xauth or --without-xauth was given.
 if test "${with_xauth+set}" = set; then
  withval="$with_xauth"
@@ -16875,7 +14989,7 @@ else
                TestPath="${TestPath}${PATH_SEPARATOR}/usr/openwin/bin"
                # Extract the first word of "xauth", so it can be a program name with args.
 set dummy xauth; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:14992: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_path_xauth_path+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -16885,18 +14999,16 @@ else
  ac_cv_path_xauth_path="$xauth_path" # Let the user override the test with a path.
  ;;
  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $TestPath
+ac_dummy="$TestPath"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  if $as_executable_p "$ac_dir/$ac_word"; then
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+   ac_cv_path_xauth_path="$ac_dir/$ac_word"
-    ac_cv_path_xauth_path="$as_dir/$ac_word$ac_exec_ext"
+   echo "$as_me:15009: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+   break
-    break 2
+fi
-  fi
-done
 done
  ;;
@@ -16905,10 +15017,10 @@ fi
 xauth_path=$ac_cv_path_xauth_path
 if test -n "$xauth_path"; then
-  echo "$as_me:$LINENO: result: $xauth_path" >&5
+  echo "$as_me:15020: result: $xauth_path" >&5
 echo "${ECHO_T}$xauth_path" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:15023: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -16916,7 +15028,6 @@ fi
                        xauth_path="/usr/openwin/bin/xauth"
                fi
 fi;
 STRIP_OPT=-s
@@ -16928,17 +15039,15 @@ if test "${enable_strip+set}" = set; then
                        STRIP_OPT=
                fi
 fi;
 if test -z "$xauth_path" ; then
        XAUTH_PATH="undefined"
 else
-        cat >>confdefs.h <<_ACEOF
+        cat >>confdefs.h <<EOF
 #define XAUTH_PATH "$xauth_path"
-_ACEOF
+EOF
        XAUTH_PATH=$xauth_path
@@ -16947,21 +15056,21 @@ fi
 # Check for mail directory (last resort if we cannot get it from headers)
 if test ! -z "$MAIL" ; then
        maildir=`dirname $MAIL`
-        cat >>confdefs.h <<_ACEOF
+        cat >>confdefs.h <<EOF
 #define MAIL_DIRECTORY "$maildir"
-_ACEOF
+EOF
 fi
 if test -z "$no_dev_ptmx" ; then
        if test "x$disable_ptmx_check" != "xyes" ; then
-                echo "$as_me:$LINENO: checking for \"/dev/ptmx\"" >&5
+                echo "$as_me:15067: checking for \"/dev/ptmx\"" >&5
 echo $ECHO_N "checking for \"/dev/ptmx\"... $ECHO_C" >&6
 if test "${ac_cv_file___dev_ptmx_+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  test "$cross_compiling" = yes &&
-  { { echo "$as_me:$LINENO: error: cannot check for file existence when cross compiling" >&5
+  { { echo "$as_me:15073: error: cannot check for file existence when cross compiling" >&5
 echo "$as_me: error: cannot check for file existence when cross compiling" >&2;}
   { (exit 1); exit 1; }; }
 if test -r ""/dev/ptmx""; then
@@ -16970,28 +15079,27 @@ else
  ac_cv_file___dev_ptmx_=no
 fi
 fi
-echo "$as_me:$LINENO: result: $ac_cv_file___dev_ptmx_" >&5
+echo "$as_me:15082: result: $ac_cv_file___dev_ptmx_" >&5
 echo "${ECHO_T}$ac_cv_file___dev_ptmx_" >&6
 if test $ac_cv_file___dev_ptmx_ = yes; then
-                                cat >>confdefs.h <<_ACEOF
+                                cat >>confdefs.h <<EOF
 #define HAVE_DEV_PTMX 1
-_ACEOF
+EOF
                                have_dev_ptmx=1
 fi
        fi
 fi
-echo "$as_me:$LINENO: checking for \"/dev/ptc\"" >&5
+echo "$as_me:15096: checking for \"/dev/ptc\"" >&5
 echo $ECHO_N "checking for \"/dev/ptc\"... $ECHO_C" >&6
 if test "${ac_cv_file___dev_ptc_+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
  test "$cross_compiling" = yes &&
-  { { echo "$as_me:$LINENO: error: cannot check for file existence when cross compiling" >&5
+  { { echo "$as_me:15102: error: cannot check for file existence when cross compiling" >&5
 echo "$as_me: error: cannot check for file existence when cross compiling" >&2;}
   { (exit 1); exit 1; }; }
 if test -r ""/dev/ptc""; then
@@ -17000,20 +15108,18 @@ else
  ac_cv_file___dev_ptc_=no
 fi
 fi
-echo "$as_me:$LINENO: result: $ac_cv_file___dev_ptc_" >&5
+echo "$as_me:15111: result: $ac_cv_file___dev_ptc_" >&5
 echo "${ECHO_T}$ac_cv_file___dev_ptc_" >&6
 if test $ac_cv_file___dev_ptc_ = yes; then
-                cat >>confdefs.h <<_ACEOF
+                cat >>confdefs.h <<EOF
 #define HAVE_DEV_PTS_AND_PTC 1
-_ACEOF
+EOF
                have_dev_ptc=1
 fi
 # Options from here on. Some of these are preset by platform above
 # Check whether --with-mantype or --without-mantype was given.
@@ -17025,13 +15131,12 @@ if test "${with_mantype+set}" = set; then
                        MANTYPE=$withval
                        ;;
                *)
-                        { { echo "$as_me:$LINENO: error: invalid man type: $withval" >&5
+                        { { echo "$as_me:15134: error: invalid man type: $withval" >&5
 echo "$as_me: error: invalid man type: $withval" >&2;}
   { (exit 1); exit 1; }; }
                        ;;
                esac
 fi;
 if test -z "$MANTYPE"; then
        TestPath="/usr/bin${PATH_SEPARATOR}/usr/ucb"
@@ -17039,7 +15144,7 @@ if test -z "$MANTYPE"; then
 do
  # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo "$as_me:15147: checking for $ac_word" >&5
 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
 if test "${ac_cv_path_NROFF+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -17049,18 +15154,16 @@ else
  ac_cv_path_NROFF="$NROFF" # Let the user override the test with a path.
  ;;
  *)
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+  ac_save_IFS=$IFS; IFS=$ac_path_separator
-for as_dir in $TestPath
+ac_dummy="$TestPath"
-do
+for ac_dir in $ac_dummy; do
-  IFS=$as_save_IFS
+  IFS=$ac_save_IFS
-  test -z "$as_dir" && as_dir=.
+  test -z "$ac_dir" && ac_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
+  if $as_executable_p "$ac_dir/$ac_word"; then
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+   ac_cv_path_NROFF="$ac_dir/$ac_word"
-    ac_cv_path_NROFF="$as_dir/$ac_word$ac_exec_ext"
+   echo "$as_me:15164: found $ac_dir/$ac_word" >&5
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+   break
-    break 2
+fi
-  fi
-done
 done
  ;;
@@ -17069,10 +15172,10 @@ fi
 NROFF=$ac_cv_path_NROFF
 if test -n "$NROFF"; then
-  echo "$as_me:$LINENO: result: $NROFF" >&5
+  echo "$as_me:15175: result: $NROFF" >&5
 echo "${ECHO_T}$NROFF" >&6
 else
-  echo "$as_me:$LINENO: result: no" >&5
+  echo "$as_me:15178: result: no" >&5
 echo "${ECHO_T}no" >&6
 fi
@@ -17095,7 +15198,6 @@ else
        mansubdir=$MANTYPE;
 fi
 # Check whether to enable MD5 passwords
 MD5_MSG="no"
@@ -17104,14 +15206,13 @@ if test "${with_md5_passwords+set}" = set; then
  withval="$with_md5_passwords"
                if test "x$withval" != "xno" ; then
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define HAVE_MD5_PASSWORDS 1
-_ACEOF
+EOF
                        MD5_MSG="yes"
                fi
 fi;
 # Whether to disable shadow password support
@@ -17121,26 +15222,21 @@ if test "${with_shadow+set}" = set; then
  withval="$with_shadow"
                if test "x$withval" = "xno" ; then
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define DISABLE_SHADOW 1
-_ACEOF
+EOF
                        disable_shadow=yes
                fi
 fi;
 if test -z "$disable_shadow" ; then
-        echo "$as_me:$LINENO: checking if the systems has expire shadow information" >&5
+        echo "$as_me:15235: checking if the systems has expire shadow information" >&5
 echo $ECHO_N "checking if the systems has expire shadow information... $ECHO_C" >&6
        cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 15238 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
 #include <shadow.h>
@@ -17155,36 +15251,34 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:15254: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:15257: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:15260: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:15263: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   sp_expire_available=yes
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
        if test "x$sp_expire_available" = "xyes" ; then
-                echo "$as_me:$LINENO: result: yes" >&5
+                echo "$as_me:15274: result: yes" >&5
 echo "${ECHO_T}yes" >&6
-                cat >>confdefs.h <<\_ACEOF
+                cat >>confdefs.h <<\EOF
 #define HAS_SHADOW_EXPIRE 1
-_ACEOF
+EOF
        else
-                echo "$as_me:$LINENO: result: no" >&5
+                echo "$as_me:15281: result: no" >&5
 echo "${ECHO_T}no" >&6
        fi
 fi
@@ -17192,9 +15286,9 @@ fi
 # Use ip address instead of hostname in $DISPLAY
 if test ! -z "$IPADDR_IN_DISPLAY" ; then
        DISPLAY_HACK_MSG="yes"
-        cat >>confdefs.h <<\_ACEOF
+        cat >>confdefs.h <<\EOF
 #define IPADDR_IN_DISPLAY 1
-_ACEOF
+EOF
 else
        DISPLAY_HACK_MSG="no"
@@ -17204,21 +15298,50 @@ if test "${with_ipaddr_display+set}" = set; then
  withval="$with_ipaddr_display"
                        if test "x$withval" != "xno" ; then
-                                cat >>confdefs.h <<\_ACEOF
+                                cat >>confdefs.h <<\EOF
 #define IPADDR_IN_DISPLAY 1
-_ACEOF
+EOF
                                DISPLAY_HACK_MSG="yes"
                        fi
 fi;
 fi
+# check for /etc/default/login and use it if present.
+echo "$as_me:15312: checking for \"/etc/default/login\"" >&5
+echo $ECHO_N "checking for \"/etc/default/login\"... $ECHO_C" >&6
+if test "${ac_cv_file___etc_default_login_+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  test "$cross_compiling" = yes &&
+  { { echo "$as_me:15318: error: cannot check for file existence when cross compiling" >&5
+echo "$as_me: error: cannot check for file existence when cross compiling" >&2;}
+   { (exit 1); exit 1; }; }
+if test -r ""/etc/default/login""; then
+  ac_cv_file___etc_default_login_=yes
+else
+  ac_cv_file___etc_default_login_=no
+fi
+fi
+echo "$as_me:15327: result: $ac_cv_file___etc_default_login_" >&5
+echo "${ECHO_T}$ac_cv_file___etc_default_login_" >&6
+if test $ac_cv_file___etc_default_login_ = yes; then
+   external_path_file=/etc/default/login
+fi
+if test "x$external_path_file" = "x/etc/default/login"; then
+        cat >>confdefs.h <<\EOF
+#define HAVE_ETC_DEFAULT_LOGIN 1
+EOF
+fi
 if test $ac_cv_func_login_getcapbool = "yes" -a \
        $ac_cv_header_login_cap_h = "yes" ; then
-        USES_LOGIN_CONF=yes
+        external_path_file=/etc/login.conf
 fi
 # Whether to mess with the default path
 SERVER_PATH_MSG="(default)"
@@ -17226,34 +15349,46 @@ SERVER_PATH_MSG="(default)"
 if test "${with_default_path+set}" = set; then
  withval="$with_default_path"
-                if test "$USES_LOGIN_CONF" = "yes" ; then
+                if test "x$external_path_file" = "x/etc/login.conf" ; then
-                        { echo "$as_me:$LINENO: WARNING:
+                        { echo "$as_me:15353: WARNING:
 --with-default-path=PATH has no effect on this system.
 Edit /etc/login.conf instead." >&5
 echo "$as_me: WARNING:
 --with-default-path=PATH has no effect on this system.
 Edit /etc/login.conf instead." >&2;}
                elif test "x$withval" != "xno" ; then
+                        if test ! -z "$external_path_file" ; then
+                                { echo "$as_me:15361: WARNING:
+--with-default-path=PATH will only be used if PATH is not defined in
+$external_path_file ." >&5
+echo "$as_me: WARNING:
+--with-default-path=PATH will only be used if PATH is not defined in
+$external_path_file ." >&2;}
+                        fi
                        user_path="$withval"
                        SERVER_PATH_MSG="$withval"
                fi
 else
-   if test "$USES_LOGIN_CONF" = "yes" ; then
+   if test "x$external_path_file" = "x/etc/login.conf" ; then
-        { echo "$as_me:$LINENO: WARNING: Make sure the path to scp is in /etc/login.conf" >&5
+                { echo "$as_me:15374: WARNING: Make sure the path to scp is in /etc/login.conf" >&5
 echo "$as_me: WARNING: Make sure the path to scp is in /etc/login.conf" >&2;}
        else
-        if test "$cross_compiling" = yes; then
+                if test ! -z "$external_path_file" ; then
+                        { echo "$as_me:15378: WARNING:
+If PATH is defined in $external_path_file, ensure the path to scp is included,
+otherwise scp will not work." >&5
+echo "$as_me: WARNING:
+If PATH is defined in $external_path_file, ensure the path to scp is included,
+otherwise scp will not work." >&2;}
+                fi
+                if test "$cross_compiling" = yes; then
   user_path="/usr/bin:/bin:/usr/sbin:/sbin"
 else
  cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 15390 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 /* find out what STDPATH is */
 #include <stdio.h>
@@ -17289,26 +15424,24 @@ main()
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+if { (eval echo "$as_me:15427: \"$ac_link\"") >&5
  (eval $ac_link) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:15430: \$? = $ac_status" >&5
  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:15432: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:15435: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
   user_path=`cat conftest.stdpath`
 else
  echo "$as_me: program exited with status $ac_status" >&5
 echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
-( exit $ac_status )
 user_path="/usr/bin:/bin:/usr/sbin:/sbin"
 fi
-rm -f core core.* *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 # make sure $bindir is in USER_PATH so scp will work
                t_bindir=`eval echo ${bindir}`
@@ -17323,18 +15456,17 @@ fi
                        echo $user_path | grep "^$t_bindir"  > /dev/null 2>&1
                        if test $? -ne 0  ; then
                                user_path=$user_path:$t_bindir
-                                echo "$as_me:$LINENO: result: Adding $t_bindir to USER_PATH so scp will work" >&5
+                                echo "$as_me:15459: result: Adding $t_bindir to USER_PATH so scp will work" >&5
 echo "${ECHO_T}Adding $t_bindir to USER_PATH so scp will work" >&6
                        fi
                fi
        fi
 fi;
-if test "$USES_LOGIN_CONF" != "yes" ; then
+if test "x$external_path_file" != "x/etc/login.conf" ; then
-        cat >>confdefs.h <<_ACEOF
+        cat >>confdefs.h <<EOF
 #define USER_PATH "$user_path"
-_ACEOF
+EOF
 fi
@@ -17345,36 +15477,16 @@ if test "${with_superuser_path+set}" = set; then
  withval="$with_superuser_path"
                if test "x$withval" != "xno" ; then
-                        cat >>confdefs.h <<_ACEOF
+                        cat >>confdefs.h <<EOF
 #define SUPERUSER_PATH "$withval"
-_ACEOF
+EOF
                        superuser_path=$withval
                fi
-fi;
-# Whether to force IPv4 by default (needed on broken glibc Linux)
-IPV4_HACK_MSG="no"
-# Check whether --with-ipv4-default or --without-ipv4-default was given.
-if test "${with_ipv4_default+set}" = set; then
-  withval="$with_ipv4_default"
-                if test "x$withval" != "xno" ; then
-                        cat >>confdefs.h <<\_ACEOF
-#define IPV4_DEFAULT 1
-_ACEOF
-                        IPV4_HACK_MSG="yes"
-                fi
 fi;
-echo "$as_me:$LINENO: checking if we need to convert IPv4 in IPv6-mapped addresses" >&5
+echo "$as_me:15489: checking if we need to convert IPv4 in IPv6-mapped addresses" >&5
 echo $ECHO_N "checking if we need to convert IPv4 in IPv6-mapped addresses... $ECHO_C" >&6
 IPV4_IN6_HACK_MSG="no"
@@ -17383,34 +15495,33 @@ if test "${with_4in6+set}" = set; then
  withval="$with_4in6"
                if test "x$withval" != "xno" ; then
-                        echo "$as_me:$LINENO: result: yes" >&5
+                        echo "$as_me:15498: result: yes" >&5
 echo "${ECHO_T}yes" >&6
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define IPV4_IN_IPV6 1
-_ACEOF
+EOF
                        IPV4_IN6_HACK_MSG="yes"
                else
-                        echo "$as_me:$LINENO: result: no" >&5
+                        echo "$as_me:15506: result: no" >&5
 echo "${ECHO_T}no" >&6
                fi
 else
                if test "x$inet6_default_4in6" = "xyes"; then
-                        echo "$as_me:$LINENO: result: yes (default)" >&5
+                        echo "$as_me:15513: result: yes (default)" >&5
 echo "${ECHO_T}yes (default)" >&6
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define IPV4_IN_IPV6 1
-_ACEOF
+EOF
                        IPV4_IN6_HACK_MSG="yes"
                else
-                        echo "$as_me:$LINENO: result: no (default)" >&5
+                        echo "$as_me:15521: result: no (default)" >&5
 echo "${ECHO_T}no (default)" >&6
                fi
 fi;
 # Whether to enable BSD auth support
@@ -17421,14 +15532,13 @@ if test "${with_bsd_auth+set}" = set; then
  withval="$with_bsd_auth"
                if test "x$withval" != "xno" ; then
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define BSD_AUTH 1
-_ACEOF
+EOF
                        BSD_AUTH_MSG=yes
                fi
 fi;
 # Where to place sshd.pid
@@ -17441,7 +15551,6 @@ if test ! -d $piddir ; then
        esac
 fi
 # Check whether --with-pid-dir or --without-pid-dir was given.
 if test "${with_pid_dir+set}" = set; then
  withval="$with_pid_dir"
@@ -17449,90 +15558,111 @@ if test "${with_pid_dir+set}" = set; then
                if test "x$withval" != "xno" ; then
                        piddir=$withval
                        if test ! -d $piddir ; then
-                        { echo "$as_me:$LINENO: WARNING: ** no $piddir directory on this system **" >&5
+                        { echo "$as_me:15561: WARNING: ** no $piddir directory on this system **" >&5
 echo "$as_me: WARNING: ** no $piddir directory on this system **" >&2;}
                        fi
                fi
 fi;
-cat >>confdefs.h <<_ACEOF
+cat >>confdefs.h <<EOF
 #define _PATH_SSH_PIDDIR "$piddir"
-_ACEOF
+EOF
 # Check whether --enable-lastlog or --disable-lastlog was given.
 if test "${enable_lastlog+set}" = set; then
  enableval="$enable_lastlog"
-   cat >>confdefs.h <<\_ACEOF
+                if test "x$enableval" = "xno" ; then
+                        cat >>confdefs.h <<\EOF
 #define DISABLE_LASTLOG 1
-_ACEOF
+EOF
+                fi
 fi;
 # Check whether --enable-utmp or --disable-utmp was given.
 if test "${enable_utmp+set}" = set; then
  enableval="$enable_utmp"
-   cat >>confdefs.h <<\_ACEOF
+                if test "x$enableval" = "xno" ; then
+                        cat >>confdefs.h <<\EOF
 #define DISABLE_UTMP 1
-_ACEOF
+EOF
+                fi
 fi;
 # Check whether --enable-utmpx or --disable-utmpx was given.
 if test "${enable_utmpx+set}" = set; then
  enableval="$enable_utmpx"
-   cat >>confdefs.h <<\_ACEOF
+                if test "x$enableval" = "xno" ; then
+                        cat >>confdefs.h <<\EOF
 #define DISABLE_UTMPX 1
-_ACEOF
+EOF
+                fi
 fi;
 # Check whether --enable-wtmp or --disable-wtmp was given.
 if test "${enable_wtmp+set}" = set; then
  enableval="$enable_wtmp"
-   cat >>confdefs.h <<\_ACEOF
+                if test "x$enableval" = "xno" ; then
+                        cat >>confdefs.h <<\EOF
 #define DISABLE_WTMP 1
-_ACEOF
+EOF
+                fi
 fi;
 # Check whether --enable-wtmpx or --disable-wtmpx was given.
 if test "${enable_wtmpx+set}" = set; then
  enableval="$enable_wtmpx"
-   cat >>confdefs.h <<\_ACEOF
+                if test "x$enableval" = "xno" ; then
+                        cat >>confdefs.h <<\EOF
 #define DISABLE_WTMPX 1
-_ACEOF
+EOF
+                fi
 fi;
 # Check whether --enable-libutil or --disable-libutil was given.
 if test "${enable_libutil+set}" = set; then
  enableval="$enable_libutil"
-   cat >>confdefs.h <<\_ACEOF
+                if test "x$enableval" = "xno" ; then
+                        cat >>confdefs.h <<\EOF
 #define DISABLE_LOGIN 1
-_ACEOF
+EOF
+                fi
 fi;
 # Check whether --enable-pututline or --disable-pututline was given.
 if test "${enable_pututline+set}" = set; then
  enableval="$enable_pututline"
-   cat >>confdefs.h <<\_ACEOF
+                if test "x$enableval" = "xno" ; then
+                        cat >>confdefs.h <<\EOF
 #define DISABLE_PUTUTLINE 1
-_ACEOF
+EOF
+                fi
 fi;
 # Check whether --enable-pututxline or --disable-pututxline was given.
 if test "${enable_pututxline+set}" = set; then
  enableval="$enable_pututxline"
-   cat >>confdefs.h <<\_ACEOF
+                if test "x$enableval" = "xno" ; then
+                        cat >>confdefs.h <<\EOF
 #define DISABLE_PUTUTXLINE 1
-_ACEOF
+EOF
+                fi
 fi;
@@ -17541,27 +15671,21 @@ if test "${with_lastlog+set}" = set; then
  withval="$with_lastlog"
                if test "x$withval" = "xno" ; then
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define DISABLE_LASTLOG 1
-_ACEOF
+EOF
                else
                        conf_lastlog_location=$withval
                fi
 fi;
+echo "$as_me:15684: checking if your system defines LASTLOG_FILE" >&5
-echo "$as_me:$LINENO: checking if your system defines LASTLOG_FILE" >&5
 echo $ECHO_N "checking if your system defines LASTLOG_FILE... $ECHO_C" >&6
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 15687 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
 #include <utmp.h>
@@ -17584,35 +15708,30 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:15711: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:15714: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:15717: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:15720: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-   echo "$as_me:$LINENO: result: yes" >&5
+   echo "$as_me:15722: result: yes" >&5
 echo "${ECHO_T}yes" >&6
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+                echo "$as_me:15728: result: no" >&5
-                echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6
-                echo "$as_me:$LINENO: checking if your system defines _PATH_LASTLOG" >&5
+                echo "$as_me:15730: checking if your system defines _PATH_LASTLOG" >&5
 echo $ECHO_N "checking if your system defines _PATH_LASTLOG... $ECHO_C" >&6
                cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 15733 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
 #include <utmp.h>
@@ -17632,32 +15751,30 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:15754: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:15757: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:15760: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:15763: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-   echo "$as_me:$LINENO: result: yes" >&5
+   echo "$as_me:15765: result: yes" >&5
 echo "${ECHO_T}yes" >&6
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+                        echo "$as_me:15771: result: no" >&5
-                        echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6
                        system_lastlog_path=no
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 fi
 rm -f conftest.$ac_objext conftest.$ac_ext
@@ -17669,28 +15786,24 @@ if test -z "$conf_lastlog_location"; then
                                fi
                done
                if test -z "$conf_lastlog_location"; then
-                        { echo "$as_me:$LINENO: WARNING: ** Cannot find lastlog **" >&5
+                        { echo "$as_me:15789: WARNING: ** Cannot find lastlog **" >&5
 echo "$as_me: WARNING: ** Cannot find lastlog **" >&2;}
                                        fi
        fi
 fi
 if test -n "$conf_lastlog_location"; then
-        cat >>confdefs.h <<_ACEOF
+        cat >>confdefs.h <<EOF
 #define CONF_LASTLOG_FILE "$conf_lastlog_location"
-_ACEOF
+EOF
 fi
-echo "$as_me:$LINENO: checking if your system defines UTMP_FILE" >&5
+echo "$as_me:15802: checking if your system defines UTMP_FILE" >&5
 echo $ECHO_N "checking if your system defines UTMP_FILE... $ECHO_C" >&6
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 15805 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
 #include <utmp.h>
@@ -17707,24 +15820,23 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:15823: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:15826: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:15829: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:15832: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-   echo "$as_me:$LINENO: result: yes" >&5
+   echo "$as_me:15834: result: yes" >&5
 echo "${ECHO_T}yes" >&6
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ echo "$as_me:15839: result: no" >&5
- echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6
          system_utmp_path=no
@@ -17738,29 +15850,25 @@ if test -z "$conf_utmp_location"; then
                        fi
                done
                if test -z "$conf_utmp_location"; then
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define DISABLE_UTMP 1
-_ACEOF
+EOF
                fi
        fi
 fi
 if test -n "$conf_utmp_location"; then
-        cat >>confdefs.h <<_ACEOF
+        cat >>confdefs.h <<EOF
 #define CONF_UTMP_FILE "$conf_utmp_location"
-_ACEOF
+EOF
 fi
-echo "$as_me:$LINENO: checking if your system defines WTMP_FILE" >&5
+echo "$as_me:15867: checking if your system defines WTMP_FILE" >&5
 echo $ECHO_N "checking if your system defines WTMP_FILE... $ECHO_C" >&6
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 15870 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
 #include <utmp.h>
@@ -17777,24 +15885,23 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:15888: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:15891: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:15894: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:15897: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-   echo "$as_me:$LINENO: result: yes" >&5
+   echo "$as_me:15899: result: yes" >&5
 echo "${ECHO_T}yes" >&6
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ echo "$as_me:15904: result: no" >&5
- echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6
          system_wtmp_path=no
@@ -17808,30 +15915,25 @@ if test -z "$conf_wtmp_location"; then
                        fi
                done
                if test -z "$conf_wtmp_location"; then
-                        cat >>confdefs.h <<\_ACEOF
+                        cat >>confdefs.h <<\EOF
 #define DISABLE_WTMP 1
-_ACEOF
+EOF
                fi
        fi
 fi
 if test -n "$conf_wtmp_location"; then
-        cat >>confdefs.h <<_ACEOF
+        cat >>confdefs.h <<EOF
 #define CONF_WTMP_FILE "$conf_wtmp_location"
-_ACEOF
+EOF
 fi
+echo "$as_me:15932: checking if your system defines UTMPX_FILE" >&5
-echo "$as_me:$LINENO: checking if your system defines UTMPX_FILE" >&5
 echo $ECHO_N "checking if your system defines UTMPX_FILE... $ECHO_C" >&6
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 15935 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
 #include <utmp.h>
@@ -17851,24 +15953,23 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:15956: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:15959: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:15962: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:15965: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-   echo "$as_me:$LINENO: result: yes" >&5
+   echo "$as_me:15967: result: yes" >&5
 echo "${ECHO_T}yes" >&6
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ echo "$as_me:15972: result: no" >&5
- echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6
          system_utmpx_path=no
@@ -17876,27 +15977,23 @@ fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 if test -z "$conf_utmpx_location"; then
        if test x"$system_utmpx_path" = x"no" ; then
-                cat >>confdefs.h <<\_ACEOF
+                cat >>confdefs.h <<\EOF
 #define DISABLE_UTMPX 1
-_ACEOF
+EOF
        fi
 else
-        cat >>confdefs.h <<_ACEOF
+        cat >>confdefs.h <<EOF
 #define CONF_UTMPX_FILE "$conf_utmpx_location"
-_ACEOF
+EOF
 fi
-echo "$as_me:$LINENO: checking if your system defines WTMPX_FILE" >&5
+echo "$as_me:15992: checking if your system defines WTMPX_FILE" >&5
 echo $ECHO_N "checking if your system defines WTMPX_FILE... $ECHO_C" >&6
 cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
+#line 15995 "configure"
-/* confdefs.h.  */
+#include "confdefs.h"
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
 #include <sys/types.h>
 #include <utmp.h>
@@ -17916,24 +16013,23 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+if { (eval echo "$as_me:16016: \"$ac_compile\"") >&5
  (eval $ac_compile) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:16019: \$? = $ac_status" >&5
  (exit $ac_status); } &&
         { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+  { (eval echo "$as_me:16022: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:16025: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
-   echo "$as_me:$LINENO: result: yes" >&5
+   echo "$as_me:16027: result: yes" >&5
 echo "${ECHO_T}yes" >&6
 else
  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
+cat conftest.$ac_ext >&5
+ echo "$as_me:16032: result: no" >&5
- echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6
          system_wtmpx_path=no
@@ -17941,22 +16037,21 @@ fi
 rm -f conftest.$ac_objext conftest.$ac_ext
 if test -z "$conf_wtmpx_location"; then
        if test x"$system_wtmpx_path" = x"no" ; then
-                cat >>confdefs.h <<\_ACEOF
+                cat >>confdefs.h <<\EOF
 #define DISABLE_WTMPX 1
-_ACEOF
+EOF
        fi
 else
-        cat >>confdefs.h <<_ACEOF
+        cat >>confdefs.h <<EOF
 #define CONF_WTMPX_FILE "$conf_wtmpx_location"
-_ACEOF
+EOF
 fi
 if test ! -z "$blibpath" ; then
        LDFLAGS="$LDFLAGS $blibflags$blibpath"
-        { echo "$as_me:$LINENO: WARNING: Please check and edit blibpath in LDFLAGS in Makefile" >&5
+        { echo "$as_me:16054: WARNING: Please check and edit blibpath in LDFLAGS in Makefile" >&5
 echo "$as_me: WARNING: Please check and edit blibpath in LDFLAGS in Makefile" >&2;}
 fi
@@ -17967,8 +16062,7 @@ if test "$ac_cv_lib_pam_pam_set_item" = yes ; then
        LIBS=`echo $LIBS | sed 's/-ldl //'`
 fi
+ac_config_files="$ac_config_files Makefile openbsd-compat/Makefile scard/Makefile ssh_prng_cmds"
-                                        ac_config_files="$ac_config_files Makefile openbsd-compat/Makefile scard/Makefile ssh_prng_cmds"
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -17980,7 +16074,7 @@ cat >confcache <<\_ACEOF
 # config.status only pays attention to the cache file if you give it
 # the --recheck option to rerun configure.
 #
-# `ac_cv_env_foo' variables (set or unset) will be overridden when
+# `ac_cv_env_foo' variables (set or unset) will be overriden when
 # loading this file, other *unset* `ac_cv_foo' will be assigned the
 # following values.
@@ -18015,7 +16109,7 @@ _ACEOF
     t end
     /^ac_cv_env/!s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/
     : end' >>confcache
-if diff $cache_file confcache >/dev/null 2>&1; then :; else
+if cmp -s $cache_file confcache; then :; else
  if test -w $cache_file; then
    test "x$cache_file" != "x/dev/null" && echo "updating cache $cache_file"
    cat confcache >$cache_file
@@ -18046,227 +16140,35 @@ fi
 DEFS=-DHAVE_CONFIG_H
-ac_libobjs=
-ac_ltlibobjs=
-for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue
-  # 1. Remove the extension, and $U if already installed.
-  ac_i=`echo "$ac_i" |
-         sed 's/\$U\././;s/\.o$//;s/\.obj$//'`
-  # 2. Add them.
-  ac_libobjs="$ac_libobjs $ac_i\$U.$ac_objext"
-  ac_ltlibobjs="$ac_ltlibobjs $ac_i"'$U.lo'
-done
-LIBOBJS=$ac_libobjs
-LTLIBOBJS=$ac_ltlibobjs
 : ${CONFIG_STATUS=./config.status}
 ac_clean_files_save=$ac_clean_files
 ac_clean_files="$ac_clean_files $CONFIG_STATUS"
-{ echo "$as_me:$LINENO: creating $CONFIG_STATUS" >&5
+{ echo "$as_me:16146: creating $CONFIG_STATUS" >&5
 echo "$as_me: creating $CONFIG_STATUS" >&6;}
 cat >$CONFIG_STATUS <<_ACEOF
 #! $SHELL
-# Generated by $as_me.
+# Generated automatically by configure.
 # Run this file to recreate the current configuration.
 # Compiler output produced by configure, useful for debugging
 # configure, is in config.log if it exists.
 debug=false
-ac_cs_recheck=false
-ac_cs_silent=false
 SHELL=\${CONFIG_SHELL-$SHELL}
+ac_cs_invocation="\$0 \$@"
 _ACEOF
 cat >>$CONFIG_STATUS <<\_ACEOF
-## --------------------- ##
-## M4sh Initialization.  ##
-## --------------------- ##
 # Be Bourne compatible
 if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
  emulate sh
  NULLCMD=:
-  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
-  # is contrary to our usage.  Disable this feature.
-  alias -g '${1+"$@"}'='"$@"'
 elif test -n "${BASH_VERSION+set}" && (set -o posix) >/dev/null 2>&1; then
  set -o posix
 fi
-# Support unset when possible.
-if (FOO=FOO; unset FOO) >/dev/null 2>&1; then
-  as_unset=unset
-else
-  as_unset=false
-fi
-# Work around bugs in pre-3.0 UWIN ksh.
-$as_unset ENV MAIL MAILPATH
-PS1='$ '
-PS2='> '
-PS4='+ '
-# NLS nuisances.
-for as_var in \
-  LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
-  LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
-  LC_TELEPHONE LC_TIME
-do
-  if (set +x; test -n "`(eval $as_var=C; export $as_var) 2>&1`"); then
-    eval $as_var=C; export $as_var
-  else
-    $as_unset $as_var
-  fi
-done
-# Required to use basename.
-if expr a : '\(a\)' >/dev/null 2>&1; then
-  as_expr=expr
-else
-  as_expr=false
-fi
-if (basename /) >/dev/null 2>&1 && test "X`basename / 2>&1`" = "X/"; then
-  as_basename=basename
-else
-  as_basename=false
-fi
 # Name of the executable.
-as_me=`$as_basename "$0" ||
+as_me=`echo "$0" |sed 's,.*[\\/],,'`
-$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
-         X"$0" : 'X\(//\)$' \| \
-         X"$0" : 'X\(/\)$' \| \
-         .     : '\(.\)' 2>/dev/null ||
-echo X/"$0" |
-    sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/; q; }
-          /^X\/\(\/\/\)$/{ s//\1/; q; }
-          /^X\/\(\/\).*/{ s//\1/; q; }
-          s/.*/./; q'`
-# PATH needs CR, and LINENO needs CR and PATH.
-# Avoid depending upon Character Ranges.
-as_cr_letters='abcdefghijklmnopqrstuvwxyz'
-as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
-as_cr_Letters=$as_cr_letters$as_cr_LETTERS
-as_cr_digits='0123456789'
-as_cr_alnum=$as_cr_Letters$as_cr_digits
-# The user is always right.
-if test "${PATH_SEPARATOR+set}" != set; then
-  echo "#! /bin/sh" >conf$$.sh
-  echo  "exit 0"   >>conf$$.sh
-  chmod +x conf$$.sh
-  if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
-    PATH_SEPARATOR=';'
-  else
-    PATH_SEPARATOR=:
-  fi
-  rm -f conf$$.sh
-fi
-  as_lineno_1=$LINENO
-  as_lineno_2=$LINENO
-  as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null`
-  test "x$as_lineno_1" != "x$as_lineno_2" &&
-  test "x$as_lineno_3"  = "x$as_lineno_2"  || {
-  # Find who we are.  Look in the path if we contain no path at all
-  # relative or not.
-  case $0 in
-    *[\\/]* ) as_myself=$0 ;;
-    *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
-done
-       ;;
-  esac
-  # We did not find ourselves, most probably we were run as `sh COMMAND'
-  # in which case we are not to be found in the path.
-  if test "x$as_myself" = x; then
-    as_myself=$0
-  fi
-  if test ! -f "$as_myself"; then
-    { { echo "$as_me:$LINENO: error: cannot find myself; rerun with an absolute path" >&5
-echo "$as_me: error: cannot find myself; rerun with an absolute path" >&2;}
-   { (exit 1); exit 1; }; }
-  fi
-  case $CONFIG_SHELL in
-  '')
-    as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for as_base in sh bash ksh sh5; do
-         case $as_dir in
-         /*)
-           if ("$as_dir/$as_base" -c '
-  as_lineno_1=$LINENO
-  as_lineno_2=$LINENO
-  as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null`
-  test "x$as_lineno_1" != "x$as_lineno_2" &&
-  test "x$as_lineno_3"  = "x$as_lineno_2" ') 2>/dev/null; then
-             $as_unset BASH_ENV || test "${BASH_ENV+set}" != set || { BASH_ENV=; export BASH_ENV; }
-             $as_unset ENV || test "${ENV+set}" != set || { ENV=; export ENV; }
-             CONFIG_SHELL=$as_dir/$as_base
-             export CONFIG_SHELL
-             exec "$CONFIG_SHELL" "$0" ${1+"$@"}
-           fi;;
-         esac
-       done
-done
-;;
-  esac
-  # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
-  # uniformly replaced by the line number.  The first 'sed' inserts a
-  # line-number line before each line; the second 'sed' does the real
-  # work.  The second script uses 'N' to pair each line-number line
-  # with the numbered line, and appends trailing '-' during
-  # substitution so that $LINENO is not a special case at line end.
-  # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
-  # second 'sed' script.  Blame Lee E. McMahon for sed's syntax.  :-)
-  sed '=' <$as_myself |
-    sed '
-      N
-      s,$,-,
-      : loop
-      s,^\(['$as_cr_digits']*\)\(.*\)[$]LINENO\([^'$as_cr_alnum'_]\),\1\2\1\3,
-      t loop
-      s,-$,,
-      s,^['$as_cr_digits']*\n,,
-    ' >$as_me.lineno &&
-  chmod +x $as_me.lineno ||
-    { { echo "$as_me:$LINENO: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&5
-echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2;}
-   { (exit 1); exit 1; }; }
-  # Don't try to exec as it changes $[0], causing all sort of problems
-  # (the dirname of $[0] is not the place where we might find the
-  # original and so on.  Autoconf is especially sensible to this).
-  . ./$as_me.lineno
-  # Exit status is that of the last command.
-  exit
-}
-case `echo "testing\c"; echo 1,2,3`,`echo -n testing; echo 1,2,3` in
-  *c*,-n*) ECHO_N= ECHO_C='
-' ECHO_T='      ' ;;
-  *c*,*  ) ECHO_N=-n ECHO_C= ECHO_T= ;;
-  *)       ECHO_N= ECHO_C='\c' ECHO_T= ;;
-esac
 if expr a : '\(a\)' >/dev/null 2>&1; then
  as_expr=expr
@@ -18292,20 +16194,24 @@ else
 fi
 rm -f conf$$ conf$$.exe conf$$.file
-if mkdir -p . 2>/dev/null; then
-  as_mkdir_p=:
-else
-  as_mkdir_p=false
-fi
 as_executable_p="test -f"
-# Sed expression to map a string onto a valid CPP name.
+# Support unset when possible.
-as_tr_cpp="sed y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g"
+if (FOO=FOO; unset FOO) >/dev/null 2>&1; then
+  as_unset=unset
-# Sed expression to map a string onto a valid variable name.
+else
-as_tr_sh="sed y%*+%pp%;s%[^_$as_cr_alnum]%_%g"
+  as_unset=false
+fi
+# NLS nuisances.
+$as_unset LANG || test "${LANG+set}" != set || { LANG=C; export LANG; }
+$as_unset LC_ALL || test "${LC_ALL+set}" != set || { LC_ALL=C; export LC_ALL; }
+$as_unset LC_TIME || test "${LC_TIME+set}" != set || { LC_TIME=C; export LC_TIME; }
+$as_unset LC_CTYPE || test "${LC_CTYPE+set}" != set || { LC_CTYPE=C; export LC_CTYPE; }
+$as_unset LANGUAGE || test "${LANGUAGE+set}" != set || { LANGUAGE=C; export LANGUAGE; }
+$as_unset LC_COLLATE || test "${LC_COLLATE+set}" != set || { LC_COLLATE=C; export LC_COLLATE; }
+$as_unset LC_NUMERIC || test "${LC_NUMERIC+set}" != set || { LC_NUMERIC=C; export LC_NUMERIC; }
+$as_unset LC_MESSAGES || test "${LC_MESSAGES+set}" != set || { LC_MESSAGES=C; export LC_MESSAGES; }
 # IFS
 # We need space, tab and new line, in precisely that order.
@@ -18314,34 +16220,10 @@ as_nl='
 IFS="   $as_nl"
 # CDPATH.
-$as_unset CDPATH
+$as_unset CDPATH || test "${CDPATH+set}" != set || { CDPATH=:; export CDPATH; }
 exec 6>&1
-# Open the log real soon, to keep \$[0] and so on meaningful, and to
-# report actual input values of CONFIG_FILES etc. instead of their
-# values after options handling.  Logging --version etc. is OK.
-exec 5>>config.log
-{
-  echo
-  sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
-## Running $as_me. ##
-_ASBOX
-} >&5
-cat >&5 <<_CSEOF
-This file was extended by $as_me, which was
-generated by GNU Autoconf 2.57.  Invocation command line was
-  CONFIG_FILES    = $CONFIG_FILES
-  CONFIG_HEADERS  = $CONFIG_HEADERS
-  CONFIG_LINKS    = $CONFIG_LINKS
-  CONFIG_COMMANDS = $CONFIG_COMMANDS
-  $ $0 $@
-_CSEOF
-echo "on `(hostname || uname -n) 2>/dev/null | sed 1q`" >&5
-echo >&5
 _ACEOF
 # Files that config.status was made for.
@@ -18361,7 +16243,7 @@ if test -n "$ac_config_commands"; then
  echo "config_commands=\"$ac_config_commands\"" >>$CONFIG_STATUS
 fi
-cat >>$CONFIG_STATUS <<\_ACEOF
+cat >>$CONFIG_STATUS <<\EOF
 ac_cs_usage="\
 \`$as_me' instantiates files from templates according to the
@@ -18371,7 +16253,6 @@ Usage: $0 [OPTIONS] [FILE]...
  -h, --help       print this help, then exit
  -V, --version    print version number, then exit
-  -q, --quiet      do not print progress messages
  -d, --debug      don't remove temporary files
      --recheck    update $as_me by reconfiguring in the same conditions
  --file=FILE[:TEMPLATE]
@@ -18386,12 +16267,12 @@ Configuration headers:
 $config_headers
 Report bugs to <bug-autoconf@gnu.org>."
-_ACEOF
+EOF
-cat >>$CONFIG_STATUS <<_ACEOF
+cat >>$CONFIG_STATUS <<EOF
 ac_cs_version="\\
 config.status
-configured by $0, generated by GNU Autoconf 2.57,
+configured by $0, generated by GNU Autoconf 2.52,
  with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\"
 Copyright 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001
@@ -18400,9 +16281,9 @@ This config.status script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it."
 srcdir=$srcdir
 INSTALL="$INSTALL"
-_ACEOF
+EOF
-cat >>$CONFIG_STATUS <<\_ACEOF
+cat >>$CONFIG_STATUS <<\EOF
 # If no file are specified by the user, then we need to provide default
 # value.  By we need to know if files were specified by the user.
 ac_need_defaults=:
@@ -18412,30 +16293,30 @@ do
  --*=*)
    ac_option=`expr "x$1" : 'x\([^=]*\)='`
    ac_optarg=`expr "x$1" : 'x[^=]*=\(.*\)'`
-    ac_shift=:
+    shift
-    ;;
+    set dummy "$ac_option" "$ac_optarg" ${1+"$@"}
-  -*)
+    shift
-    ac_option=$1
-    ac_optarg=$2
-    ac_shift=shift
    ;;
+  -*);;
  *) # This is not an option, so the user has probably given explicit
     # arguments.
-     ac_option=$1
     ac_need_defaults=false;;
  esac
-  case $ac_option in
+  case $1 in
  # Handling of the options.
-_ACEOF
+EOF
-cat >>$CONFIG_STATUS <<\_ACEOF
+cat >>$CONFIG_STATUS <<EOF
  -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
-    ac_cs_recheck=: ;;
+    echo "running $SHELL $0 " $ac_configure_args " --no-create --no-recursion"
+    exec $SHELL $0 $ac_configure_args --no-create --no-recursion ;;
+EOF
+cat >>$CONFIG_STATUS <<\EOF
  --version | --vers* | -V )
    echo "$ac_cs_version"; exit 0 ;;
  --he | --h)
    # Conflict between --help and --header
-    { { echo "$as_me:$LINENO: error: ambiguous option: $1
+    { { echo "$as_me:16319: error: ambiguous option: $1
 Try \`$0 --help' for more information." >&5
 echo "$as_me: error: ambiguous option: $1
 Try \`$0 --help' for more information." >&2;}
@@ -18445,19 +16326,16 @@ Try \`$0 --help' for more information." >&2;}
  --debug | --d* | -d )
    debug=: ;;
  --file | --fil | --fi | --f )
-    $ac_shift
+    shift
-    CONFIG_FILES="$CONFIG_FILES $ac_optarg"
+    CONFIG_FILES="$CONFIG_FILES $1"
    ac_need_defaults=false;;
  --header | --heade | --head | --hea )
-    $ac_shift
+    shift
-    CONFIG_HEADERS="$CONFIG_HEADERS $ac_optarg"
+    CONFIG_HEADERS="$CONFIG_HEADERS $1"
    ac_need_defaults=false;;
-  -q | -quiet | --quiet | --quie | --qui | --qu | --q \
-  | -silent | --silent | --silen | --sile | --sil | --si | --s)
-    ac_cs_silent=: ;;
  # This is an error.
-  -*) { { echo "$as_me:$LINENO: error: unrecognized option: $1
+  -*) { { echo "$as_me:16338: error: unrecognized option: $1
 Try \`$0 --help' for more information." >&5
 echo "$as_me: error: unrecognized option: $1
 Try \`$0 --help' for more information." >&2;}
@@ -18469,27 +16347,25 @@ Try \`$0 --help' for more information." >&2;}
  shift
 done
-ac_configure_extra_args=
+exec 5>>config.log
+cat >&5 << _ACEOF
-if $ac_cs_silent; then
+## ----------------------- ##
-  exec 6>/dev/null
+## Running config.status.  ##
-  ac_configure_extra_args="$ac_configure_extra_args --silent"
+## ----------------------- ##
-fi
-_ACEOF
+This file was extended by $as_me 2.52, executed with
-cat >>$CONFIG_STATUS <<_ACEOF
+  CONFIG_FILES    = $CONFIG_FILES
-if \$ac_cs_recheck; then
+  CONFIG_HEADERS  = $CONFIG_HEADERS
-  echo "running $SHELL $0 " $ac_configure_args \$ac_configure_extra_args " --no-create --no-recursion" >&6
+  CONFIG_LINKS    = $CONFIG_LINKS
-  exec $SHELL $0 $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
+  CONFIG_COMMANDS = $CONFIG_COMMANDS
-fi
+  > $ac_cs_invocation
+on `(hostname || uname -n) 2>/dev/null | sed 1q`
 _ACEOF
+EOF
+cat >>$CONFIG_STATUS <<\EOF
-cat >>$CONFIG_STATUS <<\_ACEOF
 for ac_config_target in $ac_config_targets
 do
  case "$ac_config_target" in
@@ -18499,7 +16375,7 @@ do
  "scard/Makefile" ) CONFIG_FILES="$CONFIG_FILES scard/Makefile" ;;
  "ssh_prng_cmds" ) CONFIG_FILES="$CONFIG_FILES ssh_prng_cmds" ;;
  "config.h" ) CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;;
-  *) { { echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5
+  *) { { echo "$as_me:16378: error: invalid argument: $ac_config_target" >&5
 echo "$as_me: error: invalid argument: $ac_config_target" >&2;}
   { (exit 1); exit 1; }; };;
  esac
@@ -18514,9 +16390,6 @@ if $ac_need_defaults; then
  test "${CONFIG_HEADERS+set}" = set || CONFIG_HEADERS=$config_headers
 fi
-# Have a temporary directory for convenience.  Make it in the build tree
-# simply because there is no reason to put it here, and in addition,
-# creating and moving files from /tmp can sometimes cause problems.
 # Create a temporary directory, and hook for its removal unless debugging.
 $debug ||
 {
@@ -18525,23 +16398,23 @@ $debug ||
 }
 # Create a (secure) tmp directory for tmp files.
+: ${TMPDIR=/tmp}
 {
-  tmp=`(umask 077 && mktemp -d -q "./confstatXXXXXX") 2>/dev/null` &&
+  tmp=`(umask 077 && mktemp -d -q "$TMPDIR/csXXXXXX") 2>/dev/null` &&
  test -n "$tmp" && test -d "$tmp"
 }  ||
 {
-  tmp=./confstat$$-$RANDOM
+  tmp=$TMPDIR/cs$$-$RANDOM
  (umask 077 && mkdir $tmp)
 } ||
 {
-   echo "$me: cannot create a temporary directory in ." >&2
+   echo "$me: cannot create a temporary directory in $TMPDIR" >&2
   { (exit 1); exit 1; }
 }
-_ACEOF
+EOF
-cat >>$CONFIG_STATUS <<_ACEOF
+cat >>$CONFIG_STATUS <<EOF
 #
 # CONFIG_FILES section.
@@ -18554,12 +16427,6 @@ if test -n "\$CONFIG_FILES"; then
  sed 's/,@/@@/; s/@,/@@/; s/,;t t\$/@;t t/; /@;t t\$/s/[\\\\&,]/\\\\&/g;
   s/@@/,@/; s/@@/@,/; s/@;t t\$/,;t t/' >\$tmp/subs.sed <<\\CEOF
 s,@SHELL@,$SHELL,;t t
-s,@PATH_SEPARATOR@,$PATH_SEPARATOR,;t t
-s,@PACKAGE_NAME@,$PACKAGE_NAME,;t t
-s,@PACKAGE_TARNAME@,$PACKAGE_TARNAME,;t t
-s,@PACKAGE_VERSION@,$PACKAGE_VERSION,;t t
-s,@PACKAGE_STRING@,$PACKAGE_STRING,;t t
-s,@PACKAGE_BUGREPORT@,$PACKAGE_BUGREPORT,;t t
 s,@exec_prefix@,$exec_prefix,;t t
 s,@prefix@,$prefix,;t t
 s,@program_transform_name@,$program_transform_name,;t t
@@ -18575,13 +16442,19 @@ s,@includedir@,$includedir,;t t
 s,@oldincludedir@,$oldincludedir,;t t
 s,@infodir@,$infodir,;t t
 s,@mandir@,$mandir,;t t
+s,@PACKAGE_NAME@,$PACKAGE_NAME,;t t
+s,@PACKAGE_TARNAME@,$PACKAGE_TARNAME,;t t
+s,@PACKAGE_VERSION@,$PACKAGE_VERSION,;t t
+s,@PACKAGE_STRING@,$PACKAGE_STRING,;t t
+s,@PACKAGE_BUGREPORT@,$PACKAGE_BUGREPORT,;t t
 s,@build_alias@,$build_alias,;t t
 s,@host_alias@,$host_alias,;t t
 s,@target_alias@,$target_alias,;t t
-s,@DEFS@,$DEFS,;t t
 s,@ECHO_C@,$ECHO_C,;t t
 s,@ECHO_N@,$ECHO_N,;t t
 s,@ECHO_T@,$ECHO_T,;t t
+s,@PATH_SEPARATOR@,$PATH_SEPARATOR,;t t
+s,@DEFS@,$DEFS,;t t
 s,@LIBS@,$LIBS,;t t
 s,@CC@,$CC,;t t
 s,@CFLAGS@,$CFLAGS,;t t
@@ -18598,6 +16471,7 @@ s,@host@,$host,;t t
 s,@host_cpu@,$host_cpu,;t t
 s,@host_vendor@,$host_vendor,;t t
 s,@host_os@,$host_os,;t t
+s,@AWK@,$AWK,;t t
 s,@CPP@,$CPP,;t t
 s,@RANLIB@,$RANLIB,;t t
 s,@ac_ct_RANLIB@,$ac_ct_RANLIB,;t t
@@ -18612,7 +16486,6 @@ s,@TEST_MINUS_S_SH@,$TEST_MINUS_S_SH,;t t
 s,@SH@,$SH,;t t
 s,@LOGIN_PROGRAM_FALLBACK@,$LOGIN_PROGRAM_FALLBACK,;t t
 s,@LD@,$LD,;t t
-s,@EGREP@,$EGREP,;t t
 s,@LIBWRAP@,$LIBWRAP,;t t
 s,@LIBPAM@,$LIBPAM,;t t
 s,@INSTALL_SSH_RAND_HELPER@,$INSTALL_SSH_RAND_HELPER,;t t
@@ -18644,13 +16517,11 @@ s,@MANTYPE@,$MANTYPE,;t t
 s,@mansubdir@,$mansubdir,;t t
 s,@user_path@,$user_path,;t t
 s,@piddir@,$piddir,;t t
-s,@LIBOBJS@,$LIBOBJS,;t t
-s,@LTLIBOBJS@,$LTLIBOBJS,;t t
 CEOF
-_ACEOF
+EOF
-  cat >>$CONFIG_STATUS <<\_ACEOF
+  cat >>$CONFIG_STATUS <<\EOF
  # Split the substitutions into bite-sized pieces for seds with
  # small command number limits, like on Digital OSF/1 and HP-UX.
  ac_max_sed_lines=48
@@ -18689,8 +16560,8 @@ _ACEOF
  fi
 fi # test -n "$CONFIG_FILES"
-_ACEOF
+EOF
-cat >>$CONFIG_STATUS <<\_ACEOF
+cat >>$CONFIG_STATUS <<\EOF
 for ac_file in : $CONFIG_FILES; do test "x$ac_file" = x: && continue
  # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in".
  case $ac_file in
@@ -18704,8 +16575,7 @@ for ac_file in : $CONFIG_FILES; do test "x$ac_file" = x: && continue
  esac
  # Compute @srcdir@, @top_srcdir@, and @INSTALL@ for subdirectories.
-  ac_dir=`(dirname "$ac_file") 2>/dev/null ||
+  ac_dir=`$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
         X"$ac_file" : 'X\(//\)[^/]' \| \
         X"$ac_file" : 'X\(//\)$' \| \
         X"$ac_file" : 'X\(/\)' \| \
@@ -18716,84 +16586,60 @@ echo X"$ac_file" |
          /^X\(\/\/\)$/{ s//\1/; q; }
          /^X\(\/\).*/{ s//\1/; q; }
          s/.*/./; q'`
-  { if $as_mkdir_p; then
+  if test "$ac_dir" != "$ac_file" && test "$ac_dir" != .; then
-    mkdir -p "$ac_dir"
+    { case "$ac_dir" in
-  else
+  [\\/]* | ?:[\\/]* ) as_incr_dir=;;
-    as_dir="$ac_dir"
+  *)                      as_incr_dir=.;;
-    as_dirs=
+esac
-    while test ! -d "$as_dir"; do
+as_dummy="$ac_dir"
-      as_dirs="$as_dir $as_dirs"
+for as_mkdir_dir in `IFS='/\\'; set X $as_dummy; shift; echo "$@"`; do
-      as_dir=`(dirname "$as_dir") 2>/dev/null ||
+  case $as_mkdir_dir in
-$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+    # Skip DOS drivespec
-         X"$as_dir" : 'X\(//\)[^/]' \| \
+    ?:) as_incr_dir=$as_mkdir_dir ;;
-         X"$as_dir" : 'X\(//\)$' \| \
+    *)
-         X"$as_dir" : 'X\(/\)' \| \
+      as_incr_dir=$as_incr_dir/$as_mkdir_dir
-         .     : '\(.\)' 2>/dev/null ||
+      test -d "$as_incr_dir" || mkdir "$as_incr_dir"
-echo X"$as_dir" |
+    ;;
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
+  esac
-          /^X\(\/\/\)[^/].*/{ s//\1/; q; }
+done; }
-          /^X\(\/\/\)$/{ s//\1/; q; }
-          /^X\(\/\).*/{ s//\1/; q; }
-          s/.*/./; q'`
-    done
-    test ! -n "$as_dirs" || mkdir $as_dirs
-  fi || { { echo "$as_me:$LINENO: error: cannot create directory \"$ac_dir\"" >&5
-echo "$as_me: error: cannot create directory \"$ac_dir\"" >&2;}
-   { (exit 1); exit 1; }; }; }
-  ac_builddir=.
-if test "$ac_dir" != .; then
+    ac_dir_suffix="/`echo $ac_dir|sed 's,^\./,,'`"
-  ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
+    # A "../" for each directory in $ac_dir_suffix.
-  # A "../" for each directory in $ac_dir_suffix.
+    ac_dots=`echo "$ac_dir_suffix" | sed 's,/[^/]*,../,g'`
-  ac_top_builddir=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,../,g'`
+  else
-else
+    ac_dir_suffix= ac_dots=
-  ac_dir_suffix= ac_top_builddir=
+  fi
-fi
-case $srcdir in
+  case $srcdir in
-  .)  # No --srcdir option.  We are building in place.
+  .)  ac_srcdir=.
-    ac_srcdir=.
+      if test -z "$ac_dots"; then
-    if test -z "$ac_top_builddir"; then
+         ac_top_srcdir=.
-       ac_top_srcdir=.
+      else
-    else
+         ac_top_srcdir=`echo $ac_dots | sed 's,/$,,'`
-       ac_top_srcdir=`echo $ac_top_builddir | sed 's,/$,,'`
+      fi ;;
-    fi ;;
+  [\\/]* | ?:[\\/]* )
-  [\\/]* | ?:[\\/]* )  # Absolute path.
+      ac_srcdir=$srcdir$ac_dir_suffix;
-    ac_srcdir=$srcdir$ac_dir_suffix;
+      ac_top_srcdir=$srcdir ;;
-    ac_top_srcdir=$srcdir ;;
  *) # Relative path.
-    ac_srcdir=$ac_top_builddir$srcdir$ac_dir_suffix
+    ac_srcdir=$ac_dots$srcdir$ac_dir_suffix
-    ac_top_srcdir=$ac_top_builddir$srcdir ;;
+    ac_top_srcdir=$ac_dots$srcdir ;;
-esac
+  esac
-# Don't blindly perform a `cd "$ac_dir"/$ac_foo && pwd` since $ac_foo can be
-# absolute.
-ac_abs_builddir=`cd "$ac_dir" && cd $ac_builddir && pwd`
-ac_abs_top_builddir=`cd "$ac_dir" && cd ${ac_top_builddir}. && pwd`
-ac_abs_srcdir=`cd "$ac_dir" && cd $ac_srcdir && pwd`
-ac_abs_top_srcdir=`cd "$ac_dir" && cd $ac_top_srcdir && pwd`
  case $INSTALL in
  [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;;
-  *) ac_INSTALL=$ac_top_builddir$INSTALL ;;
+  *) ac_INSTALL=$ac_dots$INSTALL ;;
  esac
  if test x"$ac_file" != x-; then
-    { echo "$as_me:$LINENO: creating $ac_file" >&5
+    { echo "$as_me:16634: creating $ac_file" >&5
 echo "$as_me: creating $ac_file" >&6;}
    rm -f "$ac_file"
  fi
  # Let's still pretend it is `configure' which instantiates (i.e., don't
  # use $as_me), people would be surprised to read:
-  #    /* config.h.  Generated by config.status.  */
+  #    /* config.h.  Generated automatically by config.status.  */
-  if test x"$ac_file" = x-; then
+  configure_input="Generated automatically from `echo $ac_file_in |
-    configure_input=
+                                                 sed 's,.*/,,'` by configure."
-  else
-    configure_input="$ac_file.  "
-  fi
-  configure_input=$configure_input"Generated from `echo $ac_file_in |
-                                     sed 's,.*/,,'` by configure."
  # First look for the input files in the build tree, otherwise in the
  # src tree.
@@ -18803,7 +16649,7 @@ echo "$as_me: creating $ac_file" >&6;}
      -) echo $tmp/stdin ;;
      [\\/$]*)
         # Absolute (can't be DOS-style, as IFS=:)
-         test -f "$f" || { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
+         test -f "$f" || { { echo "$as_me:16652: error: cannot find input file: $f" >&5
 echo "$as_me: error: cannot find input file: $f" >&2;}
   { (exit 1); exit 1; }; }
         echo $f;;
@@ -18816,29 +16662,23 @@ echo "$as_me: error: cannot find input file: $f" >&2;}
           echo $srcdir/$f
         else
           # /dev/null tree
-           { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
+           { { echo "$as_me:16665: error: cannot find input file: $f" >&5
 echo "$as_me: error: cannot find input file: $f" >&2;}
   { (exit 1); exit 1; }; }
         fi;;
      esac
    done` || { (exit 1); exit 1; }
-_ACEOF
+EOF
-cat >>$CONFIG_STATUS <<_ACEOF
+cat >>$CONFIG_STATUS <<EOF
  sed "$ac_vpsub
 $extrasub
-_ACEOF
+EOF
-cat >>$CONFIG_STATUS <<\_ACEOF
+cat >>$CONFIG_STATUS <<\EOF
 :t
 /@[a-zA-Z_][a-zA-Z_0-9]*@/!b
 s,@configure_input@,$configure_input,;t t
 s,@srcdir@,$ac_srcdir,;t t
-s,@abs_srcdir@,$ac_abs_srcdir,;t t
 s,@top_srcdir@,$ac_top_srcdir,;t t
-s,@abs_top_srcdir@,$ac_abs_top_srcdir,;t t
-s,@builddir@,$ac_builddir,;t t
-s,@abs_builddir@,$ac_abs_builddir,;t t
-s,@top_builddir@,$ac_top_builddir,;t t
-s,@abs_top_builddir@,$ac_abs_top_builddir,;t t
 s,@INSTALL@,$ac_INSTALL,;t t
 " $ac_file_inputs | (eval "$ac_sed_cmds") >$tmp/out
  rm -f $tmp/stdin
@@ -18850,8 +16690,8 @@ s,@INSTALL@,$ac_INSTALL,;t t
  fi
 done
-_ACEOF
+EOF
-cat >>$CONFIG_STATUS <<\_ACEOF
+cat >>$CONFIG_STATUS <<\EOF
 #
 # CONFIG_HEADER section.
@@ -18883,7 +16723,7 @@ for ac_file in : $CONFIG_HEADERS; do test "x$ac_file" = x: && continue
  * )   ac_file_in=$ac_file.in ;;
  esac
-  test x"$ac_file" != x- && { echo "$as_me:$LINENO: creating $ac_file" >&5
+  test x"$ac_file" != x- && { echo "$as_me:16726: creating $ac_file" >&5
 echo "$as_me: creating $ac_file" >&6;}
  # First look for the input files in the build tree, otherwise in the
@@ -18894,7 +16734,7 @@ echo "$as_me: creating $ac_file" >&6;}
      -) echo $tmp/stdin ;;
      [\\/$]*)
         # Absolute (can't be DOS-style, as IFS=:)
-         test -f "$f" || { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
+         test -f "$f" || { { echo "$as_me:16737: error: cannot find input file: $f" >&5
 echo "$as_me: error: cannot find input file: $f" >&2;}
   { (exit 1); exit 1; }; }
         echo $f;;
@@ -18907,7 +16747,7 @@ echo "$as_me: error: cannot find input file: $f" >&2;}
           echo $srcdir/$f
         else
           # /dev/null tree
-           { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
+           { { echo "$as_me:16750: error: cannot find input file: $f" >&5
 echo "$as_me: error: cannot find input file: $f" >&2;}
   { (exit 1); exit 1; }; }
         fi;;
@@ -18916,7 +16756,7 @@ echo "$as_me: error: cannot find input file: $f" >&2;}
  # Remove the trailing spaces.
  sed 's/[      ]*$//' $ac_file_inputs >$tmp/in
-_ACEOF
+EOF
 # Transform confdefs.h into two sed scripts, `conftest.defines' and
 # `conftest.undefs', that substitutes the proper values into
@@ -18932,7 +16772,7 @@ rm -f conftest.defines conftest.undefs
 # `end' is used to avoid that the second main sed command (meant for
 # 0-ary CPP macros) applies to n-ary macro definitions.
 # See the Autoconf documentation for `clear'.
-cat >confdef2sed.sed <<\_ACEOF
+cat >confdef2sed.sed <<\EOF
 s/[\\&,]/\\&/g
 s,[\\$`],\\&,g
 t clear
@@ -18941,7 +16781,7 @@ s,^[ 	]*#[ 	]*define[ 	][ 	]*\([^ 	(][^ 	(]*\)\(([^)]*)\)[ 	]*\(.*\)$,${ac_dA}\1
 t end
 s,^[    ]*#[    ]*define[       ][      ]*\([^  ][^     ]*\)[   ]*\(.*\)$,${ac_dA}\1${ac_dB}\1${ac_dC}\2${ac_dD},gp
 : end
-_ACEOF
+EOF
 # If some macros were called several times there might be several times
 # the same #defines, which is useless.  Nevertheless, we may not want to
 # sort them, since we want the *last* AC-DEFINE to be honored.
@@ -18952,14 +16792,14 @@ rm -f confdef2sed.sed
 # This sed command replaces #undef with comments.  This is necessary, for
 # example, in the case of _POSIX_SOURCE, which is predefined and required
 # on some systems where configure will not decide to define it.
-cat >>conftest.undefs <<\_ACEOF
+cat >>conftest.undefs <<\EOF
 s,^[    ]*#[    ]*undef[        ][      ]*[a-zA-Z_][a-zA-Z_0-9]*,/* & */,
-_ACEOF
+EOF
 # Break up conftest.defines because some shells have a limit on the size
 # of here documents, and old seds have small limits too (100 cmds).
 echo '  # Handle all the #define templates only if necessary.' >>$CONFIG_STATUS
-echo '  if grep "^[     ]*#[    ]*define" $tmp/in >/dev/null; then' >>$CONFIG_STATUS
+echo '  if egrep "^[    ]*#[    ]*define" $tmp/in >/dev/null; then' >>$CONFIG_STATUS
 echo '  # If there are no defines, we may have an empty if/fi' >>$CONFIG_STATUS
 echo '  :' >>$CONFIG_STATUS
 rm -f conftest.tail
@@ -18983,7 +16823,7 @@ do
  mv conftest.tail conftest.defines
 done
 rm -f conftest.defines
-echo '  fi # grep' >>$CONFIG_STATUS
+echo '  fi # egrep' >>$CONFIG_STATUS
 echo >>$CONFIG_STATUS
 # Break up conftest.undefs because some shells have a limit on the size
@@ -19011,24 +16851,23 @@ do
 done
 rm -f conftest.undefs
-cat >>$CONFIG_STATUS <<\_ACEOF
+cat >>$CONFIG_STATUS <<\EOF
  # Let's still pretend it is `configure' which instantiates (i.e., don't
  # use $as_me), people would be surprised to read:
-  #    /* config.h.  Generated by config.status.  */
+  #    /* config.h.  Generated automatically by config.status.  */
  if test x"$ac_file" = x-; then
-    echo "/* Generated by configure.  */" >$tmp/config.h
+    echo "/* Generated automatically by configure.  */" >$tmp/config.h
  else
-    echo "/* $ac_file.  Generated by configure.  */" >$tmp/config.h
+    echo "/* $ac_file.  Generated automatically by configure.  */" >$tmp/config.h
  fi
  cat $tmp/in >>$tmp/config.h
  rm -f $tmp/in
  if test x"$ac_file" != x-; then
-    if diff $ac_file $tmp/config.h >/dev/null 2>&1; then
+    if cmp -s $ac_file $tmp/config.h 2>/dev/null; then
-      { echo "$as_me:$LINENO: $ac_file is unchanged" >&5
+      { echo "$as_me:16867: $ac_file is unchanged" >&5
 echo "$as_me: $ac_file is unchanged" >&6;}
    else
-      ac_dir=`(dirname "$ac_file") 2>/dev/null ||
+      ac_dir=`$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
         X"$ac_file" : 'X\(//\)[^/]' \| \
         X"$ac_file" : 'X\(//\)$' \| \
         X"$ac_file" : 'X\(/\)' \| \
@@ -19039,31 +16878,24 @@ echo X"$ac_file" |
          /^X\(\/\/\)$/{ s//\1/; q; }
          /^X\(\/\).*/{ s//\1/; q; }
          s/.*/./; q'`
-      { if $as_mkdir_p; then
+      if test "$ac_dir" != "$ac_file" && test "$ac_dir" != .; then
-    mkdir -p "$ac_dir"
+        { case "$ac_dir" in
-  else
+  [\\/]* | ?:[\\/]* ) as_incr_dir=;;
-    as_dir="$ac_dir"
+  *)                      as_incr_dir=.;;
-    as_dirs=
+esac
-    while test ! -d "$as_dir"; do
+as_dummy="$ac_dir"
-      as_dirs="$as_dir $as_dirs"
+for as_mkdir_dir in `IFS='/\\'; set X $as_dummy; shift; echo "$@"`; do
-      as_dir=`(dirname "$as_dir") 2>/dev/null ||
+  case $as_mkdir_dir in
-$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+    # Skip DOS drivespec
-         X"$as_dir" : 'X\(//\)[^/]' \| \
+    ?:) as_incr_dir=$as_mkdir_dir ;;
-         X"$as_dir" : 'X\(//\)$' \| \
+    *)
-         X"$as_dir" : 'X\(/\)' \| \
+      as_incr_dir=$as_incr_dir/$as_mkdir_dir
-         .     : '\(.\)' 2>/dev/null ||
+      test -d "$as_incr_dir" || mkdir "$as_incr_dir"
-echo X"$as_dir" |
+    ;;
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
+  esac
-          /^X\(\/\/\)[^/].*/{ s//\1/; q; }
+done; }
-          /^X\(\/\/\)$/{ s//\1/; q; }
-          /^X\(\/\).*/{ s//\1/; q; }
-          s/.*/./; q'`
-    done
-    test ! -n "$as_dirs" || mkdir $as_dirs
-  fi || { { echo "$as_me:$LINENO: error: cannot create directory \"$ac_dir\"" >&5
-echo "$as_me: error: cannot create directory \"$ac_dir\"" >&2;}
-   { (exit 1); exit 1; }; }; }
+      fi
      rm -f $ac_file
      mv $tmp/config.h $ac_file
    fi
@@ -19072,16 +16904,15 @@ echo "$as_me: error: cannot create directory \"$ac_dir\"" >&2;}
    rm -f $tmp/config.h
  fi
 done
-_ACEOF
+EOF
-cat >>$CONFIG_STATUS <<\_ACEOF
+cat >>$CONFIG_STATUS <<\EOF
 { (exit 0); exit 0; }
-_ACEOF
+EOF
 chmod +x $CONFIG_STATUS
 ac_clean_files=$ac_clean_files_save
 # configure is writing to config.log, and then calls config.status.
 # config.status does its own redirection, appending to config.log.
 # Unfortunately, on DOS this fails, as config.log is still kept open
@@ -19092,18 +16923,14 @@ ac_clean_files=$ac_clean_files_save
 # need to make the FD available again.
 if test "$no_create" != yes; then
  ac_cs_success=:
-  ac_config_status_args=
-  test "$silent" = yes &&
-    ac_config_status_args="$ac_config_status_args --quiet"
  exec 5>/dev/null
-  $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false
+  $SHELL $CONFIG_STATUS || ac_cs_success=false
  exec 5>>config.log
  # Use ||, not &&, to avoid exiting from the if with $? = 1, which
  # would make configure fail if this is the last instruction.
  $ac_cs_success || { (exit 1); exit 1; }
 fi
 # Print summary of options
 # Someone please show me a better way :)
@@ -19127,25 +16954,28 @@ echo "                   Askpass program: $E"
 echo "                      Manual pages: $F"
 echo "                          PID file: $G"
 echo "  Privilege separation chroot path: $H"
-if test "$USES_LOGIN_CONF" = "yes" ; then
+if test "x$external_path_file" = "x/etc/login.conf" ; then
-echo "   At runtime, sshd will use the path defined in /etc/login.conf"
+echo "   At runtime, sshd will use the path defined in $external_path_file"
+echo "   Make sure the path to scp is present, otherwise scp will not work"
 else
 echo "            sshd default user PATH: $I"
+        if test ! -z "$external_path_file"; then
+echo "   (If PATH is set in $external_path_file it will be used instead. If"
+echo "   used, ensure the path to scp is present, otherwise scp will not work.)"
+        fi
 fi
 if test ! -z "$superuser_path" ; then
 echo "          sshd superuser user PATH: $J"
 fi
 echo "                    Manpage format: $MANTYPE"
-echo "                       PAM support: ${PAM_MSG}"
+echo "                       DNS support: $DNS_MSG"
-echo "                KerberosIV support: $KRB4_MSG"
+echo "                       PAM support: $PAM_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
-echo "                       AFS support: $AFS_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
-echo "          Use IPv4 by default hack: $IPV4_HACK_MSG"
 echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
 echo "                  BSD Auth support: $BSD_AUTH_MSG"
 echo "              Random number source: $RAND_MSG"
diff --git a/configure.ac b/configure.ac
index e5a8d6f05..7ddcb777f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.113.2.1 2003/04/29 09:12:08 djm Exp $
+# $Id: configure.ac,v 1.154.2.1 2003/09/16 05:48:15 tim Exp $
 AC_INIT
 AC_CONFIG_SRCDIR([ssh.c])
@@ -9,6 +9,7 @@ AC_CANONICAL_HOST
 AC_C_BIGENDIAN
 # Checks for programs.
+AC_PROG_AWK
 AC_PROG_CPP
 AC_PROG_RANLIB
 AC_PROG_INSTALL
@@ -54,7 +55,6 @@ fi
 # Check for some target-specific stuff
 case "$host" in
 *-*-aix*)
-        AFS_LIBS="-lld"
        CPPFLAGS="$CPPFLAGS -I/usr/local/include"
        LDFLAGS="$LDFLAGS -L/usr/local/lib"
        AC_MSG_CHECKING([how to specify blibpath for linker ($LD)]) 
@@ -75,19 +75,36 @@ case "$host" in
                AC_MSG_RESULT($blibflags)
        fi
        LDFLAGS="$saved_LDFLAGS"
+        dnl Check for authenticate.  Might be in libs.a on older AIXes
        AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE)],
                [AC_CHECK_LIB(s,authenticate,
                        [ AC_DEFINE(WITH_AIXAUTHENTICATE)
                                LIBS="$LIBS -ls"
                        ])
                ])
+        dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2)
+        AC_CHECK_DECL(loginfailed,
+                 [AC_MSG_CHECKING(if loginfailed takes 4 arguments)
+                  AC_TRY_COMPILE(
+                        [#include <usersec.h>],
+                        [(void)loginfailed("user","host","tty",0);],
+                        [AC_MSG_RESULT(yes)
+                         AC_DEFINE(AIX_LOGINFAILED_4ARG)],
+                        [AC_MSG_RESULT(no)]
+                )],
+                [],
+                [#include <usersec.h>]
+        )
+        AC_CHECK_FUNCS(setauthdb)
        AC_DEFINE(BROKEN_GETADDRINFO)
        AC_DEFINE(BROKEN_REALPATH)
+        AC_DEFINE(SETEUID_BREAKS_SETUID)
+        AC_DEFINE(BROKEN_SETREUID)
+        AC_DEFINE(BROKEN_SETREGID)
        dnl AIX handles lastlog as part of its login message
        AC_DEFINE(DISABLE_LASTLOG)
        AC_DEFINE(LOGIN_NEEDS_UTMPX)
-        AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_CLOBBER_ARGV)
+        AC_DEFINE(SPT_TYPE,SPT_REUSEARGV)
-        AC_DEFINE(SETPROCTITLE_PS_PADDING, '\0')
        ;;
 *-*-cygwin*)
        check_for_libcrypt_later=1
@@ -95,7 +112,6 @@ case "$host" in
        AC_DEFINE(HAVE_CYGWIN)
        AC_DEFINE(USE_PIPES)
        AC_DEFINE(DISABLE_SHADOW)
-        AC_DEFINE(IPV4_DEFAULT)
        AC_DEFINE(IP_TOS_IS_BROKEN)
        AC_DEFINE(NO_X11_UNIX_SOCKETS)
        AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT)
@@ -129,7 +145,8 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
        AC_DEFINE(LOGIN_NEEDS_UTMPX)
        AC_DEFINE(DISABLE_SHADOW)
        AC_DEFINE(DISABLE_UTMP)
-        AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_PSTAT)
+        AC_DEFINE(LOCKED_PASSWD_STRING, "*")
+        AC_DEFINE(SPT_TYPE,SPT_PSTAT)
        LIBS="$LIBS -lsec -lsecpw"
        AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
        disable_ptmx_check=yes
@@ -145,7 +162,8 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
        AC_DEFINE(LOGIN_NEEDS_UTMPX)
        AC_DEFINE(DISABLE_SHADOW)
        AC_DEFINE(DISABLE_UTMP)
-        AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_PSTAT)
+        AC_DEFINE(LOCKED_PASSWD_STRING, "*")
+        AC_DEFINE(SPT_TYPE,SPT_PSTAT)
        LIBS="$LIBS -lsec"
        AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
        ;;
@@ -158,7 +176,8 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
        AC_DEFINE(LOGIN_NEEDS_UTMPX)
        AC_DEFINE(DISABLE_SHADOW)
        AC_DEFINE(DISABLE_UTMP)
-        AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_PSTAT)
+        AC_DEFINE(LOCKED_PASSWD_STRING, "*")
+        AC_DEFINE(SPT_TYPE,SPT_PSTAT)
        LIBS="$LIBS -lsec"
        AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
        ;;
@@ -168,6 +187,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
        PATH="$PATH:/usr/etc"
        AC_DEFINE(BROKEN_INET_NTOA)
        AC_DEFINE(WITH_ABBREV_NO_TTY)
+        AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
        ;;
 *-*-irix6*)
        CPPFLAGS="$CPPFLAGS -I/usr/local/include"
@@ -179,15 +199,22 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
        AC_CHECK_FUNC(jlimit_startjob, [AC_DEFINE(WITH_IRIX_JOBS)])
        AC_DEFINE(BROKEN_INET_NTOA)
        AC_DEFINE(WITH_ABBREV_NO_TTY)
+        AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
        ;;
 *-*-linux*)
        no_dev_ptmx=1
        check_for_libcrypt_later=1
+        check_for_openpty_ctty_bug=1
        AC_DEFINE(DONT_TRY_OTHER_AF)
        AC_DEFINE(PAM_TTY_KLUDGE)
-        AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_CLOBBER_ARGV)
+        AC_DEFINE(LOCKED_PASSWD_PREFIX, "!!")
-        AC_DEFINE(SETPROCTITLE_PS_PADDING, '\0')
+        AC_DEFINE(SPT_TYPE,SPT_REUSEARGV)
        inet6_default_4in6=yes
+        case `uname -r` in
+        1.*|2.0.*)
+                AC_DEFINE(BROKEN_CMSG_TYPE)
+                ;;
+        esac
        ;;
 mips-sony-bsd|mips-sony-newsos4)
        AC_DEFINE(HAVE_NEWS4)
@@ -220,7 +247,10 @@ mips-sony-bsd|mips-sony-newsos4)
        AC_DEFINE(LOGIN_NEEDS_UTMPX)
        AC_DEFINE(LOGIN_NEEDS_TERM)
        AC_DEFINE(PAM_TTY_KLUDGE)
-        AC_DEFINE(STREAMS_PUSH_ACQUIRES_CTTY)
+        AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
+        # Pushing STREAMS modules will cause sshd to acquire a controlling tty.
+        AC_DEFINE(SSHD_ACQUIRES_CTTY)
+        external_path_file=/etc/default/login
        # hardwire lastlog location (can't detect it on some versions)
        conf_lastlog_location="/var/adm/lastlog"
        AC_MSG_CHECKING(for obsolete utmp and wtmp in solaris2.x)
@@ -247,6 +277,7 @@ mips-sony-bsd|mips-sony-newsos4)
        LDFLAGS="$LDFLAGS -L/usr/local/lib"
        LIBS="$LIBS -lc89"
        AC_DEFINE(USE_PIPES)
+        AC_DEFINE(SSHD_ACQUIRES_CTTY)
        ;;
 *-sni-sysv*)
        CPPFLAGS="$CPPFLAGS -I/usr/local/include"
@@ -255,6 +286,8 @@ mips-sony-bsd|mips-sony-newsos4)
        IPADDR_IN_DISPLAY=yes
        AC_DEFINE(USE_PIPES)
        AC_DEFINE(IP_TOS_IS_BROKEN)
+        AC_DEFINE(SSHD_ACQUIRES_CTTY)
+        external_path_file=/etc/default/login
        # /usr/ucblib/libucb.a no longer needed on ReliantUNIX
        # Attention: always take care to bind libsocket and libnsl before libc,
        # otherwise you will find lots of "SIOCGPGRP errno 22" on syslog
@@ -263,11 +296,17 @@ mips-sony-bsd|mips-sony-newsos4)
        CPPFLAGS="$CPPFLAGS -I/usr/local/include"
        LDFLAGS="$LDFLAGS -L/usr/local/lib"
        AC_DEFINE(USE_PIPES)
+        AC_DEFINE(SETEUID_BREAKS_SETUID)
+        AC_DEFINE(BROKEN_SETREUID)
+        AC_DEFINE(BROKEN_SETREGID)
        ;;
 *-*-sysv5*)
        CPPFLAGS="$CPPFLAGS -I/usr/local/include"
        LDFLAGS="$LDFLAGS -L/usr/local/lib"
        AC_DEFINE(USE_PIPES)
+        AC_DEFINE(SETEUID_BREAKS_SETUID)
+        AC_DEFINE(BROKEN_SETREUID)
+        AC_DEFINE(BROKEN_SETREGID)
        ;;
 *-*-sysv*)
        CPPFLAGS="$CPPFLAGS -I/usr/local/include"
@@ -284,6 +323,7 @@ mips-sony-bsd|mips-sony-newsos4)
        AC_DEFINE(HAVE_SECUREWARE)
        AC_DEFINE(DISABLE_SHADOW)
        AC_DEFINE(BROKEN_SAVED_UIDS)
+        AC_DEFINE(WITH_ABBREV_NO_TTY)
        AC_CHECK_FUNCS(getluid setluid)
        MANTYPE=man
        do_sco3_extra_lib_check=yes
@@ -300,6 +340,10 @@ mips-sony-bsd|mips-sony-newsos4)
        AC_DEFINE(HAVE_SECUREWARE)
        AC_DEFINE(DISABLE_SHADOW)
        AC_DEFINE(DISABLE_FD_PASSING)
+        AC_DEFINE(SETEUID_BREAKS_SETUID)
+        AC_DEFINE(BROKEN_SETREUID)
+        AC_DEFINE(BROKEN_SETREGID)
+        AC_DEFINE(WITH_ABBREV_NO_TTY)
        AC_CHECK_FUNCS(getluid setluid)
        MANTYPE=man
        ;;
@@ -310,6 +354,14 @@ mips-sony-bsd|mips-sony-newsos4)
        LIBS="$LIBS -lgen -lrsc -lshare -luex -lacm"
        MANTYPE=cat
        ;;
+*-*-unicosmp*)
+        AC_DEFINE(WITH_ABBREV_NO_TTY)
+        AC_DEFINE(USE_PIPES)
+        AC_DEFINE(DISABLE_FD_PASSING)
+        LDFLAGS="$LDFLAGS"
+        LIBS="$LIBS -lgen -lacid"
+        MANTYPE=cat
+        ;;
 *-*-unicos*)
        AC_DEFINE(USE_PIPES)
        AC_DEFINE(DISABLE_FD_PASSING)
@@ -342,6 +394,8 @@ mips-sony-bsd|mips-sony-newsos4)
                fi
        fi
        AC_DEFINE(DISABLE_FD_PASSING)
+        AC_DEFINE(BROKEN_GETADDRINFO)
+        AC_DEFINE(LOCKED_PASSWD_SUBSTR, "Nologin")
        ;;
 *-*-nto-qnx)
@@ -387,14 +441,26 @@ AC_ARG_WITH(libs,
        ]       
 )
+AC_MSG_CHECKING(compiler and flags for sanity)
+AC_TRY_RUN([
+#include <stdio.h>
+int main(){exit(0);}
+        ],
+        [       AC_MSG_RESULT(yes) ],
+        [
+                AC_MSG_RESULT(no)
+                AC_MSG_ERROR([*** compiler cannot create working executables, check config.log ***])
+        ]
+)
 # Checks for header files.
-AC_CHECK_HEADERS(bstring.h crypt.h endian.h floatingpoint.h \
+AC_CHECK_HEADERS(bstring.h crypt.h endian.h features.h floatingpoint.h \
-        getopt.h glob.h ia.h lastlog.h libgen.h limits.h login.h \
+        getopt.h glob.h ia.h lastlog.h limits.h login.h \
        login_cap.h maillock.h netdb.h netgroup.h \
        netinet/in_systm.h paths.h pty.h readpassphrase.h \
        rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \
-        strings.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h \
+        strings.h sys/strtio.h sys/audit.h sys/bitypes.h sys/bsdtty.h \
-        sys/mman.h sys/pstat.h sys/select.h sys/stat.h \
+        sys/cdefs.h sys/mman.h sys/pstat.h sys/select.h sys/stat.h \
        sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h \
        sys/un.h time.h tmpdir.h ttyent.h usersec.h \
        util.h utime.h utmp.h utmpx.h)
@@ -410,8 +476,46 @@ if test "x$with_tcp_wrappers" != "xno" ; then
    fi
 fi
+dnl IRIX and Solaris 2.5.1 have dirname() in libgen
+AC_CHECK_FUNCS(dirname, [AC_CHECK_HEADERS(libgen.h)] ,[
+        AC_CHECK_LIB(gen, dirname,[
+                AC_CACHE_CHECK([for broken dirname],
+                        ac_cv_have_broken_dirname, [
+                        save_LIBS="$LIBS"
+                        LIBS="$LIBS -lgen"
+                        AC_TRY_RUN(
+                                [
+#include <libgen.h>
+#include <string.h>
+int main(int argc, char **argv) {
+    char *s, buf[32];
+    strncpy(buf,"/etc", 32);
+    s = dirname(buf);
+    if (!s || strncmp(s, "/", 32) != 0) {
+        exit(1);
+    } else {
+        exit(0);
+    }
+}
+                                ],
+                                [ ac_cv_have_broken_dirname="no" ],
+                                [ ac_cv_have_broken_dirname="yes" ]
+                        )
+                        LIBS="$save_LIBS"
+                ])
+                if test "x$ac_cv_have_broken_dirname" = "xno" ; then
+                        LIBS="$LIBS -lgen"
+                        AC_DEFINE(HAVE_DIRNAME)
+                        AC_CHECK_HEADERS(libgen.h)
+                fi
+        ])
+])
 AC_CHECK_FUNC(getspnam, ,
        AC_CHECK_LIB(gen, getspnam, LIBS="$LIBS -lgen"))
+AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME))
 AC_ARG_WITH(rpath,
        [  --without-rpath         Disable auto-added -R linker paths],
@@ -608,61 +712,32 @@ AC_ARG_WITH(tcp-wrappers,
 dnl    Checks for library functions. Please keep in alphabetical order
 AC_CHECK_FUNCS(\
-        arc4random __b64_ntop b64_ntop __b64_pton b64_pton basename bcopy \
+        arc4random __b64_ntop b64_ntop __b64_pton b64_pton basename \
-        bindresvport_sa clock fchmod fchown freeaddrinfo futimes \
+        bcopy bindresvport_sa clock fchmod fchown freeaddrinfo futimes \
        gai_strerror getaddrinfo getcwd getgrouplist getnameinfo getopt \
-        getpeereid _getpty getrlimit getrusage getttyent glob inet_aton \
+        getpeereid _getpty getrlimit getttyent glob inet_aton \
        inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove \
-        mkdtemp mmap ngetaddrinfo nsleep ogetaddrinfo openpty pstat \
+        mkdtemp mmap ngetaddrinfo nsleep ogetaddrinfo openlog_r openpty \
-        readpassphrase realpath recvmsg rresvport_af sendmsg setdtablesize \
+        pstat readpassphrase realpath recvmsg rresvport_af sendmsg \
-        setegid setenv seteuid setgroups setlogin setpcred setproctitle \
+        setdtablesize setegid setenv seteuid setgroups setlogin setpcred \
-        setresgid setreuid setrlimit setsid setvbuf sigaction sigvec \
+        setproctitle setregid setresgid setresuid setreuid setrlimit \
-        snprintf socketpair strerror strlcat strlcpy strmode strnvis \
+        setsid setvbuf sigaction sigvec snprintf socketpair strerror \
-        sysconf tcgetpgrp truncate utimes vhangup vsnprintf waitpid \
+        strlcat strlcpy strmode strnvis sysconf tcgetpgrp \
+        truncate utimes vhangup vsnprintf waitpid \
 )
 AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP))
-AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME))
-dnl Make sure strsep prototype is defined before defining HAVE_STRSEP
+dnl Make sure prototypes are defined for these before using them.
 AC_CHECK_DECL(strsep, [AC_CHECK_FUNCS(strsep)])
+AC_CHECK_DECL(getrusage, [AC_CHECK_FUNCS(getrusage)])
-dnl IRIX and Solaris 2.5.1 have dirname() in libgen
+dnl tcsendbreak might be a macro
-AC_CHECK_FUNCS(dirname, [AC_CHECK_HEADERS(libgen.h)] ,[
+AC_CHECK_DECL(tcsendbreak,
-        AC_CHECK_LIB(gen, dirname,[
+        [AC_DEFINE(HAVE_TCSENDBREAK)],
-                AC_CACHE_CHECK([for broken dirname],
+        [AC_CHECK_FUNCS(tcsendbreak)], 
-                        ac_cv_have_broken_dirname, [
+        [#include <termios.h>]
-                        save_LIBS="$LIBS"
+)
-                        LIBS="$LIBS -lgen"
-                        AC_TRY_RUN(
-                                [
-#include <libgen.h>
-#include <string.h>
-int main(int argc, char **argv) {
-    char *s, buf[32];
-    strncpy(buf,"/etc", 32);
-    s = dirname(buf);
-    if (!s || strncmp(s, "/", 32) != 0) {
-        exit(1);
-    } else {
-        exit(0);
-    }
-}
-                                ],
-                                [ ac_cv_have_broken_dirname="no" ],
-                                [ ac_cv_have_broken_dirname="yes" ]
-                        )
-                        LIBS="$save_LIBS"
-                ])
-                if test "x$ac_cv_have_broken_dirname" = "xno" ; then
-                        LIBS="$LIBS -lgen"
-                        AC_DEFINE(HAVE_DIRNAME)
-                        AC_CHECK_HEADERS(libgen.h)
-                fi
-        ])
-])
 dnl    Checks for time functions
 AC_CHECK_FUNCS(gettimeofday time)
@@ -726,6 +801,53 @@ unlink(template); exit(0);
 )
 fi
+dnl make sure that openpty does not reacquire controlling terminal
+if test ! -z "$check_for_openpty_ctty_bug"; then
+        AC_MSG_CHECKING(if openpty correctly handles controlling tty)
+        AC_TRY_RUN(
+                [
+#include <stdio.h>
+#include <sys/fcntl.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+int
+main()
+{
+        pid_t pid;
+        int fd, ptyfd, ttyfd, status;
+        pid = fork();
+        if (pid < 0) {          /* failed */
+                exit(1);
+        } else if (pid > 0) {   /* parent */
+                waitpid(pid, &status, 0);
+                if (WIFEXITED(status)) 
+                        exit(WEXITSTATUS(status));
+                else
+                        exit(2);
+        } else {                /* child */
+                close(0); close(1); close(2);
+                setsid();
+                openpty(&ptyfd, &ttyfd, NULL, NULL, NULL);
+                fd = open("/dev/tty", O_RDWR | O_NOCTTY);
+                if (fd >= 0)
+                        exit(3);        /* Acquired ctty: broken */
+                else
+                        exit(0);        /* Did not acquire ctty: OK */
+        }
+}
+                ],
+                [
+                        AC_MSG_RESULT(yes)
+                ],
+                [
+                        AC_MSG_RESULT(no)
+                        AC_DEFINE(SSHD_ACQUIRES_CTTY)
+                ]
+        )
+fi
 AC_FUNC_GETPGRP
 # Check for PAM libs
@@ -741,6 +863,7 @@ AC_ARG_WITH(pam,
                        AC_CHECK_LIB(dl, dlopen, , )
                        AC_CHECK_LIB(pam, pam_set_item, , AC_MSG_ERROR([*** libpam missing]))
                        AC_CHECK_FUNCS(pam_getenvlist)
+                        AC_CHECK_FUNCS(pam_putenv)
                        disable_shadow=yes
                        PAM_MSG="yes"
@@ -905,13 +1028,15 @@ int main(void) { exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); }
        ],
        [
                AC_MSG_RESULT(no)
-                AC_MSG_ERROR(Your OpenSSL headers do not match your library)
+                AC_MSG_ERROR([Your OpenSSL headers do not match your library.
+Check config.log for details.
+Also see contrib/findssl.sh for help identifying header/library mismatches.])
        ]
 )
 # Some Linux systems (Slackware) need crypt() from libcrypt, *not* the 
 # version in OpenSSL. Skip this for PAM
-if test "x$PAM_MSG" = "xno" -a "x$check_for_libcrypt_later" = "x1"; then
+if test "x$check_for_libcrypt_later" = "x1"; then
        AC_CHECK_LIB(crypt, crypt, LIBS="$LIBS -lcrypt")
 fi
@@ -1752,7 +1877,6 @@ if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then
 fi
 SCARD_MSG="no" 
 # Check whether user wants sectok support
 AC_ARG_WITH(sectok,
        [  --with-sectok           Enable smartcard support using libsectok],
@@ -1802,6 +1926,29 @@ if test x$opensc_config_prefix != x ; then
  fi
 fi
+# Check whether user wants DNS support
+DNS_MSG="no" 
+AC_ARG_WITH(dns,
+        [  --with-dns              Support for fetching keys from DNS (experimental)],
+        [
+                if test "x$withval" != "xno" ; then
+                        DNS_MSG="yes"
+                        AC_DEFINE(DNS)
+                        AC_SEARCH_LIBS(getrrsetbyname, resolv, 
+                                [AC_DEFINE(HAVE_GETRRSETBYNAME)],
+                                [
+                                        # Needed by our getrrsetbyname()
+                                        AC_SEARCH_LIBS(res_query, resolv)
+                                        AC_SEARCH_LIBS(dn_expand, resolv)
+                                        AC_CHECK_FUNCS(_getshort _getlong)
+                                        AC_CHECK_MEMBER(HEADER.ad,
+                                                [AC_DEFINE(HAVE_HEADER_AD)],,
+                                                [#include <arpa/nameser.h>])
+                                ])
+                fi
+        ]
+)
 # Check whether user wants Kerberos 5 support
 KRB5_MSG="no" 
 AC_ARG_WITH(kerberos5,
@@ -1834,93 +1981,38 @@ AC_ARG_WITH(kerberos5,
                        if test ! -z "$blibpath" ; then
                                blibpath="$blibpath:${KRB5ROOT}/lib"
                        fi
-                        AC_CHECK_LIB(resolv, dn_expand, , )
+                        AC_SEARCH_LIBS(dn_expand, resolv)
+                        AC_CHECK_LIB(gssapi,gss_init_sec_context,
+                                [ AC_DEFINE(GSSAPI)
+                                  K5LIBS="-lgssapi $K5LIBS" ],
+                                [ AC_CHECK_LIB(gssapi_krb5,gss_init_sec_context,
+                                        [ AC_DEFINE(GSSAPI)
+                                          K5LIBS="-lgssapi_krb5 $K5LIBS" ],
+                                        AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]),
+                                        $K5LIBS)
+                                ],
+                                $K5LIBS)
+                        
+                        AC_CHECK_HEADER(gssapi.h, ,
+                                [ unset ac_cv_header_gssapi_h
+                                  CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi" 
+                                  AC_CHECK_HEADERS(gssapi.h, ,
+                                        AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])
+                                  ) 
+                                ]
+                        )
+                        oldCPP="$CPPFLAGS"
+                        CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
+                        AC_CHECK_HEADER(gssapi_krb5.h, ,
+                                        [ CPPFLAGS="$oldCPP" ])
                        KRB5=yes
                fi
        ]
 )
-# Check whether user wants Kerberos 4 support
+LIBS="$LIBS $K5LIBS"
-KRB4_MSG="no" 
-AC_ARG_WITH(kerberos4,
-        [  --with-kerberos4=PATH   Enable Kerberos 4 support],
-        [
-                if test "x$withval" != "xno" ; then
-                        if test "x$withval" != "xyes" ; then
-                                CPPFLAGS="$CPPFLAGS -I${withval}/include"
-                                LDFLAGS="$LDFLAGS -L${withval}/lib"
-                                if test ! -z "$need_dash_r" ; then
-                                        LDFLAGS="$LDFLAGS -R${withval}/lib"
-                                fi
-                                if test ! -z "$blibpath" ; then
-                                        blibpath="$blibpath:${withval}/lib"
-                                fi
-                        else
-                                if test -d /usr/include/kerberosIV ; then
-                                        CPPFLAGS="$CPPFLAGS -I/usr/include/kerberosIV"
-                                fi
-                        fi
-                        AC_CHECK_HEADERS(krb.h)
-                        if test "$ac_cv_header_krb_h" != yes; then
-                                AC_MSG_WARN([Cannot find krb.h, build may fail])
-                        fi
-                        AC_CHECK_LIB(krb, main)
-                        if test "$ac_cv_lib_krb_main" != yes; then
-                                AC_CHECK_LIB(krb4, main)
-                                if test "$ac_cv_lib_krb4_main" != yes; then
-                                        AC_MSG_WARN([Cannot find libkrb nor libkrb4, build may fail])
-                                else
-                                        KLIBS="-lkrb4"
-                                fi
-                        else
-                                KLIBS="-lkrb"
-                        fi
-                        AC_CHECK_LIB(des, des_cbc_encrypt)
-                        if test "$ac_cv_lib_des_des_cbc_encrypt" != yes; then
-                                AC_CHECK_LIB(des425, des_cbc_encrypt)
-                                if test "$ac_cv_lib_des425_des_cbc_encrypt" != yes; then
-                                        AC_MSG_WARN([Cannot find libdes nor libdes425, build may fail])
-                                else
-                                        KLIBS="-ldes425"
-                                fi
-                        else
-                                KLIBS="-ldes"
-                        fi
-                        AC_CHECK_LIB(resolv, dn_expand, , )
-                        KRB4=yes
-                        KRB4_MSG="yes" 
-                        AC_DEFINE(KRB4)
-                fi
-        ]
-)
-# Check whether user wants AFS support
-AFS_MSG="no" 
-AC_ARG_WITH(afs,
-        [  --with-afs=PATH         Enable AFS support],
-        [
-                if test "x$withval" != "xno" ; then
-                        if test "x$withval" != "xyes" ; then
-                                CPPFLAGS="$CPPFLAGS -I${withval}/include"
-                                LDFLAGS="$LDFLAGS -L${withval}/lib"
-                        fi
-                        if test -z "$KRB4" ; then
-                                AC_MSG_WARN([AFS requires Kerberos IV support, build may fail])
-                        fi
-                        LIBS="-lkafs $LIBS"
-                        if test ! -z "$AFS_LIBS" ; then
-                                LIBS="$LIBS $AFS_LIBS"
-                        fi
-                        AC_DEFINE(AFS)
-                        AFS_MSG="yes" 
-                fi
-        ]
-)
-LIBS="$LIBS $KLIBS $K5LIBS"
 # Looking for programs, paths and files
@@ -2090,30 +2182,48 @@ else
        )
 fi
+# check for /etc/default/login and use it if present.
+AC_CHECK_FILE("/etc/default/login", [ external_path_file=/etc/default/login ])
+if test "x$external_path_file" = "x/etc/default/login"; then
+        AC_DEFINE(HAVE_ETC_DEFAULT_LOGIN)
+fi
 dnl BSD systems use /etc/login.conf so --with-default-path= has no effect
 if test $ac_cv_func_login_getcapbool = "yes" -a \
        $ac_cv_header_login_cap_h = "yes" ; then
-        USES_LOGIN_CONF=yes
+        external_path_file=/etc/login.conf
 fi
 # Whether to mess with the default path
 SERVER_PATH_MSG="(default)" 
 AC_ARG_WITH(default-path,
        [  --with-default-path=    Specify default \$PATH environment for server],
        [
-                if test "$USES_LOGIN_CONF" = "yes" ; then
+                if test "x$external_path_file" = "x/etc/login.conf" ; then
                        AC_MSG_WARN([
 --with-default-path=PATH has no effect on this system.
 Edit /etc/login.conf instead.])
                elif test "x$withval" != "xno" ; then   
+                        if test ! -z "$external_path_file" ; then
+                                AC_MSG_WARN([
+--with-default-path=PATH will only be used if PATH is not defined in
+$external_path_file .])
+                        fi
                        user_path="$withval"
                        SERVER_PATH_MSG="$withval" 
                fi
        ],
-        [ if test "$USES_LOGIN_CONF" = "yes" ; then
+        [ if test "x$external_path_file" = "x/etc/login.conf" ; then
-        AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf])
+                AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf])
        else
-        AC_TRY_RUN(
+                if test ! -z "$external_path_file" ; then
-                [
+                        AC_MSG_WARN([
+If PATH is defined in $external_path_file, ensure the path to scp is included,
+otherwise scp will not work.])
+                fi
+                AC_TRY_RUN(
+                        [
 /* find out what STDPATH is */
 #include <stdio.h>
 #ifdef HAVE_PATHS_H
@@ -2167,7 +2277,7 @@ main()
                fi
        fi ]
 )
-if test "$USES_LOGIN_CONF" != "yes" ; then
+if test "x$external_path_file" != "x/etc/login.conf" ; then
        AC_DEFINE_UNQUOTED(USER_PATH, "$user_path")
        AC_SUBST(user_path)
 fi
@@ -2184,18 +2294,6 @@ AC_ARG_WITH(superuser-path,
 )
-# Whether to force IPv4 by default (needed on broken glibc Linux)
-IPV4_HACK_MSG="no" 
-AC_ARG_WITH(ipv4-default,
-        [  --with-ipv4-default     Use IPv4 by connections unless '-6' specified],
-        [
-                if test "x$withval" != "xno" ; then     
-                        AC_DEFINE(IPV4_DEFAULT)
-                        IPV4_HACK_MSG="yes" 
-                fi
-        ]
-)
 AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses])
 IPV4_IN6_HACK_MSG="no" 
 AC_ARG_WITH(4in6,
@@ -2259,35 +2357,67 @@ AC_SUBST(piddir)
 dnl allow user to disable some login recording features
 AC_ARG_ENABLE(lastlog,
        [  --disable-lastlog       disable use of lastlog even if detected [no]],
-        [ AC_DEFINE(DISABLE_LASTLOG) ]
+        [
+                if test "x$enableval" = "xno" ; then
+                        AC_DEFINE(DISABLE_LASTLOG)
+                fi
+        ]
 )
 AC_ARG_ENABLE(utmp,
        [  --disable-utmp          disable use of utmp even if detected [no]],
-        [ AC_DEFINE(DISABLE_UTMP) ]
+        [
+                if test "x$enableval" = "xno" ; then
+                        AC_DEFINE(DISABLE_UTMP)
+                fi
+        ]
 )
 AC_ARG_ENABLE(utmpx,
        [  --disable-utmpx         disable use of utmpx even if detected [no]],
-        [ AC_DEFINE(DISABLE_UTMPX) ]
+        [
+                if test "x$enableval" = "xno" ; then
+                        AC_DEFINE(DISABLE_UTMPX)
+                fi
+        ]
 )
 AC_ARG_ENABLE(wtmp,
        [  --disable-wtmp          disable use of wtmp even if detected [no]],
-        [ AC_DEFINE(DISABLE_WTMP) ]
+        [
+                if test "x$enableval" = "xno" ; then
+                        AC_DEFINE(DISABLE_WTMP)
+                fi
+        ]
 )
 AC_ARG_ENABLE(wtmpx,
        [  --disable-wtmpx         disable use of wtmpx even if detected [no]],
-        [ AC_DEFINE(DISABLE_WTMPX) ]
+        [
+                if test "x$enableval" = "xno" ; then
+                        AC_DEFINE(DISABLE_WTMPX)
+                fi
+        ]
 )
 AC_ARG_ENABLE(libutil,
        [  --disable-libutil       disable use of libutil (login() etc.) [no]],
-        [ AC_DEFINE(DISABLE_LOGIN) ]
+        [
+                if test "x$enableval" = "xno" ; then
+                        AC_DEFINE(DISABLE_LOGIN)
+                fi
+        ]
 )
 AC_ARG_ENABLE(pututline,
        [  --disable-pututline     disable use of pututline() etc. ([uw]tmp) [no]],
-        [ AC_DEFINE(DISABLE_PUTUTLINE) ]
+        [
+                if test "x$enableval" = "xno" ; then
+                        AC_DEFINE(DISABLE_PUTUTLINE) 
+                fi
+        ]
 )
 AC_ARG_ENABLE(pututxline,
        [  --disable-pututxline    disable use of pututxline() etc. ([uw]tmpx) [no]],
-        [ AC_DEFINE(DISABLE_PUTUTXLINE) ]
+        [
+                if test "x$enableval" = "xno" ; then
+                        AC_DEFINE(DISABLE_PUTUTXLINE)
+                fi
+        ]
 )
 AC_ARG_WITH(lastlog,
  [  --with-lastlog=FILE|DIR specify lastlog location [common locations]],
@@ -2517,25 +2647,28 @@ echo "                   Askpass program: $E"
 echo "                      Manual pages: $F"
 echo "                          PID file: $G"
 echo "  Privilege separation chroot path: $H"
-if test "$USES_LOGIN_CONF" = "yes" ; then
+if test "x$external_path_file" = "x/etc/login.conf" ; then
-echo "   At runtime, sshd will use the path defined in /etc/login.conf"
+echo "   At runtime, sshd will use the path defined in $external_path_file"
+echo "   Make sure the path to scp is present, otherwise scp will not work"
 else
 echo "            sshd default user PATH: $I"
+        if test ! -z "$external_path_file"; then
+echo "   (If PATH is set in $external_path_file it will be used instead. If"
+echo "   used, ensure the path to scp is present, otherwise scp will not work.)"
+        fi
 fi
 if test ! -z "$superuser_path" ; then
 echo "          sshd superuser user PATH: $J"
 fi
 echo "                    Manpage format: $MANTYPE"
-echo "                       PAM support: ${PAM_MSG}"
+echo "                       DNS support: $DNS_MSG"
-echo "                KerberosIV support: $KRB4_MSG"
+echo "                       PAM support: $PAM_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
-echo "                       AFS support: $AFS_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
-echo "          Use IPv4 by default hack: $IPV4_HACK_MSG"
 echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
 echo "                  BSD Auth support: $BSD_AUTH_MSG"
 echo "              Random number source: $RAND_MSG"
diff --git a/contrib/aix/README b/contrib/aix/README
index 82fd8be1b..2a299350a 100644
--- a/contrib/aix/README
+++ b/contrib/aix/README
@@ -26,6 +26,7 @@ and for comparison with the output from this script, however no code
 from lppbuild is included and it is not required for operation.
 SRC support based on examples provided by Sandor Sklar and Maarten Kreuger.
+PrivSep account handling fixes contributed by W. Earl Allen.
 Other notes:
@@ -45,3 +46,5 @@ you get to keep both pieces.
        - Darren Tucker (dtucker at zip dot com dot au)
          2002/03/01
+$Id: README,v 1.4 2003/08/25 05:01:04 dtucker Exp $
diff --git a/contrib/aix/buildbff.sh b/contrib/aix/buildbff.sh
index 3b3699660..727ac446d 100755
--- a/contrib/aix/buildbff.sh
+++ b/contrib/aix/buildbff.sh
@@ -1,6 +1,7 @@
 #!/bin/sh
 #
 # buildbff.sh: Create AIX SMIT-installable OpenSSH packages
+# $Id: buildbff.sh,v 1.6 2003/08/25 05:01:04 dtucker Exp $
 #
 # Author: Darren Tucker (dtucker at zip dot com dot au)
 # This file is placed in the public domain and comes with absolutely
@@ -14,9 +15,9 @@
 #       create a "config.local" in your build directory or set
 #       environment variables to override these.
 #
-[ -z "$PERMIT_ROOT_LOGIN" ] || PERMIT_ROOT_LOGIN=no
+[ -z "$PERMIT_ROOT_LOGIN" ] && PERMIT_ROOT_LOGIN=no
-[ -z "$X11_FORWARDING" ] || X11_FORWARDING=no
+[ -z "$X11_FORWARDING" ] && X11_FORWARDING=no
-[ -z "$AIX_SRC" ] || AIX_SRC=no
+[ -z "$AIX_SRC" ] && AIX_SRC=no
 umask 022
@@ -31,7 +32,7 @@ else
 fi
 #
-# We still support running from contrib/aix, but this is depreciated
+# We still support running from contrib/aix, but this is deprecated
 #
 if pwd | egrep 'contrib/aix$'
 then
@@ -121,7 +122,7 @@ cp $srcdir/README* $objdir/$PKGDIR/
 # Extract common info requires for the 'info' part of the package.
 #       AIX requires 4-part version numbers
 #
-VERSION=`./ssh -V 2>&1 | sed -e 's/,.*//' | cut -f 2 -d _`
+VERSION=`./ssh -V 2>&1 | cut -f 1 -d , | cut -f 2 -d _`
 MAJOR=`echo $VERSION | cut -f 1 -d p | cut -f 1 -d .`
 MINOR=`echo $VERSION | cut -f 1 -d p | cut -f 2 -d .`
 PATCH=`echo $VERSION | cut -f 1 -d p | cut -f 3 -d .`
@@ -218,7 +219,7 @@ else
        fi
        # Create user if required
-        if cut -f1 -d: /etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
+        if lsuser ALL | cut -f1 -d: | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
        then
                echo "PrivSep user $SSH_PRIVSEP_USER already exists."
        else
diff --git a/contrib/aix/inventory.sh b/contrib/aix/inventory.sh
index 619493ae2..4f408e678 100755
--- a/contrib/aix/inventory.sh
+++ b/contrib/aix/inventory.sh
@@ -1,8 +1,10 @@
 #!/bin/sh
 #
 # inventory.sh
+# $Id: inventory.sh,v 1.5 2003/08/26 03:43:13 dtucker Exp $
 #
 # Originally written by Ben Lindstrom, modified by Darren Tucker to use perl
+# This file is placed into the public domain.
 #
 # This will produce an AIX package inventory file, which looks like:
 #
diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec
index f7fbe15e5..97d6adf51 100644
--- a/contrib/caldera/openssh.spec
+++ b/contrib/caldera/openssh.spec
@@ -17,9 +17,9 @@
 #old cvs stuff.  please update before use.  may be deprecated.
 %define use_stable      1
 %if %{use_stable}
-  %define version       3.6.1p2
+  %define version       3.7p1
  %define cvs           %{nil}
-  %define release       2
+  %define release       1
 %else
  %define version       2.9.9p2
  %define cvs           cvs20011009
@@ -364,4 +364,4 @@ fi
 * Mon Jan 01 1998 ...
 Template Version: 1.31
-$Id: openssh.spec,v 1.42.2.1 2003/04/29 09:12:08 djm Exp $
+$Id: openssh.spec,v 1.43.2.2 2003/09/16 06:02:40 djm Exp $
diff --git a/contrib/cygwin/ssh-user-config b/contrib/cygwin/ssh-user-config
index 5a76adbaf..4da113181 100644
--- a/contrib/cygwin/ssh-user-config
+++ b/contrib/cygwin/ssh-user-config
@@ -171,8 +171,8 @@ then
    fi
    if request "Do you want to use this identity to login to this machine?"
    then
-      echo "Adding to ${pwdhome}/.ssh/authorized_keys2"
+      echo "Adding to ${pwdhome}/.ssh/authorized_keys"
-      cat "${pwdhome}/.ssh/id_rsa.pub" >> "${pwdhome}/.ssh/authorized_keys2"
+      cat "${pwdhome}/.ssh/id_rsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
    fi
  fi
 fi
@@ -190,8 +190,8 @@ then
    fi
    if request "Do you want to use this identity to login to this machine?"
    then
-      echo "Adding to ${pwdhome}/.ssh/authorized_keys2"
+      echo "Adding to ${pwdhome}/.ssh/authorized_keys"
-      cat "${pwdhome}/.ssh/id_dsa.pub" >> "${pwdhome}/.ssh/authorized_keys2"
+      cat "${pwdhome}/.ssh/id_dsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
    fi
  fi
 fi
diff --git a/contrib/findssl.sh b/contrib/findssl.sh
new file mode 100644
index 000000000..87a4abce2
--- /dev/null
+++ b/contrib/findssl.sh
@@ -0,0 +1,159 @@
+#!/bin/sh
+#
+# findssl.sh
+#       Search for all instances of OpenSSL headers and libraries
+#       and print their versions.
+#       Intended to help diagnose OpenSSH's "OpenSSL headers do not
+#       match your library" errors.
+#
+#       Written by Darren Tucker (dtucker at zip dot com dot au)
+#       This file is placed in the public domain.
+#
+# $Id: findssl.sh,v 1.1 2003/06/24 10:22:10 dtucker Exp $
+#       2002-07-27: Initial release.
+#       2002-08-04: Added public domain notice.
+#       2003-06-24: Incorporated readme, set library paths. First cvs version.
+#
+# "OpenSSL headers do not match your library" are usually caused by 
+# OpenSSH's configure picking up an older version of OpenSSL headers
+# or libraries.  You can use the following # procedure to help identify
+# the cause.
+# 
+# The  output  of  configure  will  tell you the versions of the OpenSSL
+# headers and libraries that were picked up, for example:
+# 
+# checking OpenSSL header version... 90604f (OpenSSL 0.9.6d 9 May 2002)
+# checking OpenSSL library version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001)
+# checking whether OpenSSL's headers match the library... no
+# configure: error: Your OpenSSL headers do not match your library
+# 
+# Now run findssl.sh. This should identify the headers and libraries
+# present  and  their  versions.  You  should  be  able  to identify the
+# libraries  and headers used and adjust your CFLAGS or remove incorrect
+# versions.  The  output will show OpenSSL's internal version identifier
+# and should look something like:
+# $ ./findssl.sh
+# Searching for OpenSSL header files.
+# 0x0090604fL /usr/include/openssl/opensslv.h
+# 0x0090604fL /usr/local/ssl/include/openssl/opensslv.h
+# 
+# Searching for OpenSSL shared library files.
+# 0x0090602fL /lib/libcrypto.so.0.9.6b
+# 0x0090602fL /lib/libcrypto.so.2
+# 0x0090581fL /usr/lib/libcrypto.so.0
+# 0x0090602fL /usr/lib/libcrypto.so
+# 0x0090581fL /usr/lib/libcrypto.so.0.9.5a
+# 0x0090600fL /usr/lib/libcrypto.so.0.9.6
+# 0x0090600fL /usr/lib/libcrypto.so.1
+# 
+# Searching for OpenSSL static library files.
+# 0x0090602fL /usr/lib/libcrypto.a
+# 0x0090604fL /usr/local/ssl/lib/libcrypto.a
+# 
+# In  this  example, I gave configure no extra flags, so it's picking up
+# the  OpenSSL header from /usr/include/openssl (90604f) and the library
+# from /usr/lib/ (90602f).
+#
+# Adjust these to suit your compiler.
+# You may also need to set the *LIB*PATH environment variables if
+# DEFAULT_LIBPATH is not correct for your system.
+#
+CC=gcc
+STATIC=-static
+#
+# Set up conftest C source
+#
+rm -f findssl.log
+cat >conftest.c <<EOD
+#include <stdio.h>
+int main(){printf("0x%08xL\n", SSLeay());}
+EOD
+#
+# Set default library paths if not already set
+#
+DEFAULT_LIBPATH=/usr/lib:/usr/local/lib
+LIBPATH=${LIBPATH:=$DEFAULT_LIBPATH}
+LD_LIBRARY_PATH=${LD_LIBRARY_PATH:=$DEFAULT_LIBPATH}
+LIBRARY_PATH=${LIBRARY_PATH:=$DEFAULT_LIBPATH}
+export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH
+#
+# Search for OpenSSL headers and print versions
+#
+echo Searching for OpenSSL header files.
+if [ -x "`which locate`" ]
+then
+        headers=`locate opensslv.h`
+else
+        headers=`find / -name opensslv.h -print 2>/dev/null`
+fi
+for header in $headers
+do
+        ver=`awk '/OPENSSL_VERSION_NUMBER/{printf \$3}' $header`
+        echo "$ver $header"
+done
+echo
+#
+# Search for shared libraries.
+# Relies on shared libraries looking like "libcrypto.s*"
+#
+echo Searching for OpenSSL shared library files.
+if [ -x "`which locate`" ]
+then
+        libraries=`locate libcrypto.s`
+else
+        libraries=`find / -name 'libcrypto.s*' -print 2>/dev/null`
+fi
+for lib in $libraries
+do
+        (echo "Trying libcrypto $lib" >>findssl.log
+        dir=`dirname $lib`
+        LIBPATH="$dir:$LIBPATH"
+        LD_LIBRARY_PATH="$dir:$LIBPATH"
+        LIBRARY_PATH="$dir:$LIBPATH"
+        export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH
+        ${CC} -o conftest conftest.c $lib 2>>findssl.log
+        if [ -x ./conftest ]
+        then
+                ver=`./conftest 2>/dev/null`
+                rm -f ./conftest
+                echo "$ver $lib"
+        fi)
+done
+echo
+#
+# Search for static OpenSSL libraries and print versions
+#
+echo Searching for OpenSSL static library files.
+if [ -x "`which locate`" ]
+then
+        libraries=`locate libcrypto.a`
+else
+        libraries=`find / -name libcrypto.a -print 2>/dev/null`
+fi
+for lib in $libraries
+do
+        libdir=`dirname $lib`
+        echo "Trying libcrypto $lib" >>findssl.log
+        ${CC} ${STATIC} -o conftest conftest.c -L${libdir} -lcrypto 2>>findssl.log
+        if [ -x ./conftest ]
+        then
+                ver=`./conftest 2>/dev/null`
+                rm -f ./conftest
+                echo "$ver $lib"
+        fi
+done
+#
+# Clean up
+#
+rm -f conftest.c
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec
index e7c3bb121..ce7c564c3 100644
--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
-%define ver 3.6.1p2
+%define ver 3.7p1
 %define rel 1
 # OpenSSH privilege separation requires a user & group ID
@@ -26,9 +26,6 @@
 # Is this build for RHL 6.x?
 %define build6x 0
-# Disable IPv6 (avoids DNS hangs on some glibc versions)
-%define noip6 0
 # Do we want kerberos5 support (1=yes 0=no)
 %define kerberos5 1
@@ -43,7 +40,6 @@
 # If this is RHL 6.x, the default configuration has sysconfdir in /usr/etc.
 %if %{build6x}
 %define _sysconfdir /etc
-%define noip6 1
 %endif
 # Options for static OpenSSL link:
@@ -54,10 +50,6 @@
 # rpm -ba|--rebuild --define "smartcard 1"
 %{?smartcard:%define scard 1}
-# Option to disable ipv6
-# rpm -ba|--rebuild --define "noipv6 1"
-%{?noipv6:%define noip6 1}
 # Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
 %define rescue 0
 %{?build_rescue:%define rescue 1}
@@ -87,12 +79,12 @@ PreReq: initscripts >= 5.00
 %else
 PreReq: initscripts >= 5.20
 %endif
-BuildPreReq: perl, openssl-devel, sharutils, tcp_wrappers
+BuildPreReq: perl, openssl-devel, tcp_wrappers
 BuildPreReq: /bin/login
 %if ! %{build6x}
 BuildPreReq: glibc-devel, pam
 %else
-BuildPreReq: db1-devel, /usr/include/security/pam_appl.h
+BuildPreReq: /usr/include/security/pam_appl.h
 %endif
 %if ! %{no_x11_askpass}
 BuildPreReq: XFree86-devel
@@ -196,9 +188,6 @@ CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS
 %if %{scard}
        --with-smartcard \
 %endif
-%if %{noip6}
-        --with-ipv4-default \
-%endif
 %if %{rescue}
        --without-pam --with-md5-passwords \
 %else
@@ -274,9 +263,11 @@ install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome
         rm -f $RPM_BUILD_ROOT/usr/share/openssh/Ssh.bin
 %endif
+%if ! %{no_gnome_askpass}
 install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
 install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
 install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
+%endif
 perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
@@ -400,6 +391,14 @@ fi
 %endif
 %changelog
+* Mon Jun 2 2003 Damien Miller <djm@mindrot.org>
+- Remove noip6 option. This may be controlled at run-time in client config 
+  file using new AddressFamily directive
+* Mon May 12 2003 Damien Miller <djm@mindrot.org>
+- Don't install profile.d scripts when not building with GNOME/GTK askpass
+  (patch from bet@rahul.net)
 * Wed Oct 01 2002 Damien Miller <djm@mindrot.org>
 - Install ssh-agent setgid nobody to prevent ptrace() key theft attacks
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec
index 707c3a221..ca7437bd6 100644
--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -1,6 +1,6 @@
 Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name: openssh
-Version: 3.6.1p2
+Version: 3.7p1
 URL: http://www.openssh.com/
 Release: 1
 Source0: openssh-%{version}.tar.gz
diff --git a/defines.h b/defines.h
index 73fbe077b..e662966fb 100644
--- a/defines.h
+++ b/defines.h
@@ -1,7 +1,31 @@
+/*
+ * Copyright (c) 1999-2003 Damien Miller.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
 #ifndef _DEFINES_H
 #define _DEFINES_H
-/* $Id: defines.h,v 1.97 2003/01/24 00:50:32 djm Exp $ */
+/* $Id: defines.h,v 1.103 2003/09/16 01:52:19 dtucker Exp $ */
 /* Constants */
@@ -188,28 +212,21 @@ typedef unsigned long  u_int32_t;
 #ifndef HAVE_INT64_T
 # if (SIZEOF_LONG_INT == 8)
 typedef long int int64_t;
-#   define HAVE_INT64_T 1
 # else
 #  if (SIZEOF_LONG_LONG_INT == 8)
 typedef long long int int64_t;
-#   define HAVE_INT64_T 1
 #  endif
 # endif
 #endif
 #ifndef HAVE_U_INT64_T
 # if (SIZEOF_LONG_INT == 8)
 typedef unsigned long int u_int64_t;
-#   define HAVE_U_INT64_T 1
 # else
 #  if (SIZEOF_LONG_LONG_INT == 8)
 typedef unsigned long long int u_int64_t;
-#   define HAVE_U_INT64_T 1
 #  endif
 # endif
 #endif
-#if !defined(HAVE_LONG_LONG_INT) && (SIZEOF_LONG_LONG_INT == 8)
-# define HAVE_LONG_LONG_INT 1
-#endif
 #ifndef HAVE_U_CHAR
 typedef unsigned char u_char;
@@ -304,6 +321,10 @@ struct winsize {
 # define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
 #endif
+#ifndef SUPERUSER_PATH
+# define SUPERUSER_PATH _PATH_STDPATH
+#endif
 #ifndef _PATH_DEVNULL
 # define _PATH_DEVNULL "/dev/null"
 #endif
@@ -420,6 +441,23 @@ struct winsize {
 #define CMSG_SPACE(len) (__CMSG_ALIGN(sizeof(struct cmsghdr)) + __CMSG_ALIGN(len))
 #endif
+/* given pointer to struct cmsghdr, return pointer to data */
+#ifndef CMSG_DATA
+#define CMSG_DATA(cmsg) ((u_char *)(cmsg) + __CMSG_ALIGN(sizeof(struct cmsghdr)))
+#endif /* CMSG_DATA */
+/*
+ * RFC 2292 requires to check msg_controllen, in case that the kernel returns
+ * an empty list for some reasons.
+ */
+#ifndef CMSG_FIRSTHDR
+#define CMSG_FIRSTHDR(mhdr) \
+        ((mhdr)->msg_controllen >= sizeof(struct cmsghdr) ? \
+         (struct cmsghdr *)(mhdr)->msg_control : \
+         (struct cmsghdr *)NULL)
+#endif /* CMSG_FIRSTHDR */
 /* Function replacement / compatibility hacks */
 #if !defined(HAVE_GETADDRINFO) && (defined(HAVE_OGETADDRINFO) || defined(HAVE_NGETADDRINFO))
@@ -487,6 +525,10 @@ struct winsize {
 #  define __func__ ""
 #endif
+#if defined(KRB5) && !defined(HEIMDAL)
+#  define krb5_get_err_text(context,code) error_message(code)
+#endif
 /*
 * Define this to use pipes instead of socketpairs for communicating with the
 * client program.  Socketpairs do not seem to work on all systems.
diff --git a/dh.c b/dh.c
index 1be51953c..996428b7f 100644
--- a/dh.c
+++ b/dh.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: dh.c,v 1.23 2002/11/21 22:22:50 markus Exp $");
+RCSID("$OpenBSD: dh.c,v 1.24 2003/04/08 20:21:28 itojun Exp $");
 #include "xmalloc.h"
@@ -112,7 +112,7 @@ choose_dh(int min, int wantbits, int max)
        if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL &&
            (f = fopen(_PATH_DH_PRIMES, "r")) == NULL) {
-                log("WARNING: %s does not exist, using old modulus", _PATH_DH_MODULI);
+                logit("WARNING: %s does not exist, using old modulus", _PATH_DH_MODULI);
                return (dh_new_group1());
        }
@@ -140,7 +140,7 @@ choose_dh(int min, int wantbits, int max)
        if (bestcount == 0) {
                fclose(f);
-                log("WARNING: no suitable primes in %s", _PATH_DH_PRIMES);
+                logit("WARNING: no suitable primes in %s", _PATH_DH_PRIMES);
                return (NULL);
        }
@@ -176,7 +176,7 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
        int bits_set = 0;
        if (dh_pub->neg) {
-                log("invalid public DH value: negativ");
+                logit("invalid public DH value: negativ");
                return 0;
        }
        for (i = 0; i <= n; i++)
@@ -187,7 +187,7 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
        /* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */
        if (bits_set > 1 && (BN_cmp(dh_pub, dh->p) == -1))
                return 1;
-        log("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
+        logit("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
        return 0;
 }
diff --git a/dispatch.c b/dispatch.c
index ce32bc22f..c5ff65031 100644
--- a/dispatch.c
+++ b/dispatch.c
@@ -22,7 +22,7 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "includes.h"
-RCSID("$OpenBSD: dispatch.c,v 1.15 2002/01/11 13:39:36 markus Exp $");
+RCSID("$OpenBSD: dispatch.c,v 1.16 2003/04/08 20:21:28 itojun Exp $");
 #include "ssh1.h"
 #include "ssh2.h"
@@ -39,7 +39,7 @@ dispatch_fn *dispatch[DISPATCH_MAX];
 void
 dispatch_protocol_error(int type, u_int32_t seq, void *ctxt)
 {
-        log("dispatch_protocol_error: type %d seq %u", type, seq);
+        logit("dispatch_protocol_error: type %d seq %u", type, seq);
        if (!compat20)
                fatal("protocol error");
        packet_start(SSH2_MSG_UNIMPLEMENTED);
@@ -50,7 +50,7 @@ dispatch_protocol_error(int type, u_int32_t seq, void *ctxt)
 void
 dispatch_protocol_ignore(int type, u_int32_t seq, void *ctxt)
 {
-        log("dispatch_protocol_ignore: type %d seq %u", type, seq);
+        logit("dispatch_protocol_ignore: type %d seq %u", type, seq);
 }
 void
 dispatch_init(dispatch_fn *dflt)
diff --git a/dns.c b/dns.c
new file mode 100644
index 000000000..90ab5601a
--- /dev/null
+++ b/dns.c
@@ -0,0 +1,290 @@
+/*      $OpenBSD: dns.c,v 1.6 2003/06/11 10:18:47 jakob Exp $   */
+/*
+ * Copyright (c) 2003 Wesley Griffin. All rights reserved.
+ * Copyright (c) 2003 Jakob Schlyter. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "includes.h"
+#ifdef DNS
+#include <openssl/bn.h>
+#ifdef LWRES
+#include <lwres/netdb.h>
+#include <dns/result.h>
+#else /* LWRES */
+#include <netdb.h>
+#endif /* LWRES */
+#include "xmalloc.h"
+#include "key.h"
+#include "dns.h"
+#include "log.h"
+#include "uuencode.h"
+extern char *__progname;
+RCSID("$OpenBSD: dns.c,v 1.6 2003/06/11 10:18:47 jakob Exp $");
+#ifndef LWRES
+static const char *errset_text[] = {
+        "success",              /* 0 ERRSET_SUCCESS */
+        "out of memory",        /* 1 ERRSET_NOMEMORY */
+        "general failure",      /* 2 ERRSET_FAIL */
+        "invalid parameter",    /* 3 ERRSET_INVAL */
+        "name does not exist",  /* 4 ERRSET_NONAME */
+        "data does not exist",  /* 5 ERRSET_NODATA */
+};
+static const char *
+dns_result_totext(unsigned int error)
+{
+        switch (error) {
+        case ERRSET_SUCCESS:
+                return errset_text[ERRSET_SUCCESS];
+        case ERRSET_NOMEMORY:
+                return errset_text[ERRSET_NOMEMORY];
+        case ERRSET_FAIL:
+                return errset_text[ERRSET_FAIL];
+        case ERRSET_INVAL:
+                return errset_text[ERRSET_INVAL];
+        case ERRSET_NONAME:
+                return errset_text[ERRSET_NONAME];
+        case ERRSET_NODATA:
+                return errset_text[ERRSET_NODATA];
+        default:
+                return "unknown error";
+        }
+}
+#endif /* LWRES */
+/*
+ * Read SSHFP parameters from key buffer.
+ */
+static int
+dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type,
+    u_char **digest, u_int *digest_len, Key *key)
+{
+        int success = 0;
+        switch (key->type) {
+        case KEY_RSA:
+                *algorithm = SSHFP_KEY_RSA;
+                break;
+        case KEY_DSA:
+                *algorithm = SSHFP_KEY_DSA;
+                break;
+        default:
+                *algorithm = SSHFP_KEY_RESERVED;
+        }
+        if (*algorithm) {
+                *digest_type = SSHFP_HASH_SHA1;
+                *digest = key_fingerprint_raw(key, SSH_FP_SHA1, digest_len);
+                success = 1;
+        } else {
+                *digest_type = SSHFP_HASH_RESERVED;
+                *digest = NULL;
+                *digest_len = 0;
+                success = 0;
+        }
+        return success;
+}
+/*
+ * Read SSHFP parameters from rdata buffer.
+ */
+static int
+dns_read_rdata(u_int8_t *algorithm, u_int8_t *digest_type,
+    u_char **digest, u_int *digest_len, u_char *rdata, int rdata_len)
+{
+        int success = 0;
+        *algorithm = SSHFP_KEY_RESERVED;
+        *digest_type = SSHFP_HASH_RESERVED;
+        if (rdata_len >= 2) {
+                *algorithm = rdata[0];
+                *digest_type = rdata[1];
+                *digest_len = rdata_len - 2;
+                if (*digest_len > 0) {
+                        *digest = (u_char *) xmalloc(*digest_len);
+                        memcpy(*digest, rdata + 2, *digest_len);
+                } else {
+                        *digest = NULL;
+                }
+                success = 1;
+        }
+        return success;
+}
+/*
+ * Verify the given hostname, address and host key using DNS.
+ * Returns 0 if key verifies or -1 if key does NOT verify
+ */
+int
+verify_host_key_dns(const char *hostname, struct sockaddr *address,
+    Key *hostkey)
+{
+        int counter;
+        int result;
+        struct rrsetinfo *fingerprints = NULL;
+        int failures = 0;
+        u_int8_t hostkey_algorithm;
+        u_int8_t hostkey_digest_type;
+        u_char *hostkey_digest;
+        u_int hostkey_digest_len;
+        u_int8_t dnskey_algorithm;
+        u_int8_t dnskey_digest_type;
+        u_char *dnskey_digest;
+        u_int dnskey_digest_len;
+        debug3("verify_hostkey_dns");
+        if (hostkey == NULL)
+                fatal("No key to look up!");
+        result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
+            DNS_RDATATYPE_SSHFP, 0, &fingerprints);
+        if (result) {
+                verbose("DNS lookup error: %s", dns_result_totext(result));
+                return DNS_VERIFY_ERROR;
+        }
+#ifdef DNSSEC
+        /* Only accept validated answers */
+        if (!fingerprints->rri_flags & RRSET_VALIDATED) {
+                error("Ignored unvalidated fingerprint from DNS.");
+                freerrset(fingerprints);
+                return DNS_VERIFY_ERROR;
+        }
+#endif
+        debug("found %d fingerprints in DNS", fingerprints->rri_nrdatas);
+        /* Initialize host key parameters */
+        if (!dns_read_key(&hostkey_algorithm, &hostkey_digest_type,
+            &hostkey_digest, &hostkey_digest_len, hostkey)) {
+                error("Error calculating host key fingerprint.");
+                freerrset(fingerprints);
+                return DNS_VERIFY_ERROR;
+        }
+        for (counter = 0 ; counter < fingerprints->rri_nrdatas ; counter++)  {
+                /*
+                 * Extract the key from the answer. Ignore any badly
+                 * formatted fingerprints.
+                 */
+                if (!dns_read_rdata(&dnskey_algorithm, &dnskey_digest_type,
+                    &dnskey_digest, &dnskey_digest_len,
+                    fingerprints->rri_rdatas[counter].rdi_data,
+                    fingerprints->rri_rdatas[counter].rdi_length)) {
+                        verbose("Error parsing fingerprint from DNS.");
+                        continue;
+                }
+                /* Check if the current key is the same as the given key */
+                if (hostkey_algorithm == dnskey_algorithm &&
+                    hostkey_digest_type == dnskey_digest_type) {
+                        if (hostkey_digest_len == dnskey_digest_len &&
+                            memcmp(hostkey_digest, dnskey_digest,
+                            hostkey_digest_len) == 0) {
+                                /* Matching algoritm and digest. */
+                                freerrset(fingerprints);
+                                debug("matching host key fingerprint found in DNS");
+                                return DNS_VERIFY_OK;
+                        } else {
+                                /* Correct algorithm but bad digest */
+                                debug("verify_hostkey_dns: failed");
+                                failures++;
+                        }
+                }
+        }
+        freerrset(fingerprints);
+        if (failures) {
+                error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+                error("@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @");
+                error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+                error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
+                error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
+                error("It is also possible that the %s host key has just been changed.",
+                    key_type(hostkey));
+                error("Please contact your system administrator.");
+                return DNS_VERIFY_FAILED;
+        }
+        debug("fingerprints found in DNS, but none of them matched");
+        return DNS_VERIFY_ERROR;
+}
+/*
+ * Export the fingerprint of a key as a DNS resource record
+ */
+int
+export_dns_rr(const char *hostname, Key *key, FILE *f, int generic)
+{
+        u_int8_t rdata_pubkey_algorithm = 0;
+        u_int8_t rdata_digest_type = SSHFP_HASH_SHA1;
+        u_char *rdata_digest;
+        u_int rdata_digest_len;
+        int i;
+        int success = 0;
+        if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type,
+                         &rdata_digest, &rdata_digest_len, key)) {
+                if (generic)
+                        fprintf(f, "%s IN TYPE%d \\# %d %02x %02x ", hostname,
+                            DNS_RDATATYPE_SSHFP, 2 + rdata_digest_len,
+                            rdata_pubkey_algorithm, rdata_digest_type);
+                else
+                        fprintf(f, "%s IN SSHFP %d %d ", hostname,
+                            rdata_pubkey_algorithm, rdata_digest_type);
+                for (i = 0; i < rdata_digest_len; i++)
+                        fprintf(f, "%02x", rdata_digest[i]);
+                fprintf(f, "\n");
+                success = 1;
+        } else {
+                error("dns_export_rr: unsupported algorithm");
+        }
+        return success;
+}
+#endif /* DNS */
diff --git a/dns.h b/dns.h
new file mode 100644
index 000000000..ba0ea9fb4
--- /dev/null
+++ b/dns.h
@@ -0,0 +1,57 @@
+/*      $OpenBSD: dns.h,v 1.3 2003/05/14 22:56:51 jakob Exp $   */
+/*
+ * Copyright (c) 2003 Wesley Griffin. All rights reserved.
+ * Copyright (c) 2003 Jakob Schlyter. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "includes.h"
+#ifdef DNS
+#ifndef DNS_H
+#define DNS_H
+enum sshfp_types {
+        SSHFP_KEY_RESERVED,
+        SSHFP_KEY_RSA,
+        SSHFP_KEY_DSA
+};
+enum sshfp_hashes {
+        SSHFP_HASH_RESERVED,
+        SSHFP_HASH_SHA1
+};
+#define DNS_RDATACLASS_IN       1
+#define DNS_RDATATYPE_SSHFP     44
+#define DNS_VERIFY_FAILED       -1
+#define DNS_VERIFY_OK           0
+#define DNS_VERIFY_ERROR        1
+int     verify_host_key_dns(const char *, struct sockaddr *, Key *);
+int     export_dns_rr(const char *, Key *, FILE *, int);
+#endif /* DNS_H */
+#endif /* DNS */
diff --git a/entropy.c b/entropy.c
index dcc8689c9..216879786 100644
--- a/entropy.c
+++ b/entropy.c
@@ -45,7 +45,7 @@
 * XXX: we should tell the child how many bytes we need.
 */
-RCSID("$Id: entropy.c,v 1.44 2002/06/09 19:41:48 mouring Exp $");
+RCSID("$Id: entropy.c,v 1.46 2003/08/25 01:16:21 mouring Exp $");
 #ifndef OPENSSL_PRNG_ONLY
 #define RANDOM_SEED_SIZE 48
@@ -75,7 +75,7 @@ seed_rng(void)
        if (pipe(p) == -1)
                fatal("pipe: %s", strerror(errno));
-        old_sigchld = mysignal(SIGCHLD, SIG_DFL);
+        old_sigchld = signal(SIGCHLD, SIG_DFL);
        if ((pid = fork()) == -1)
                fatal("Couldn't fork: %s", strerror(errno));
        if (pid == 0) {
@@ -89,8 +89,8 @@ seed_rng(void)
                if (original_uid != original_euid && 
                    ( seteuid(getuid()) == -1 || 
                      setuid(original_uid) == -1) ) {
-                        fprintf(stderr, "(rand child) setuid(%d): %s\n", 
+                        fprintf(stderr, "(rand child) setuid(%li): %s\n", 
-                            original_uid, strerror(errno));
+                            (long int)original_uid, strerror(errno));
                        _exit(1);
                }
                
@@ -116,7 +116,7 @@ seed_rng(void)
        if (waitpid(pid, &ret, 0) == -1)
               fatal("Couldn't wait for ssh-rand-helper completion: %s", 
                   strerror(errno));
-        mysignal(SIGCHLD, old_sigchld);
+        signal(SIGCHLD, old_sigchld);
        /* We don't mind if the child exits upon a SIGPIPE */
        if (!WIFEXITED(ret) && 
diff --git a/groupaccess.c b/groupaccess.c
index 66dfa68fe..fbf794fc8 100644
--- a/groupaccess.c
+++ b/groupaccess.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: groupaccess.c,v 1.5 2002/03/04 17:27:39 stevesk Exp $");
+RCSID("$OpenBSD: groupaccess.c,v 1.6 2003/04/08 20:21:28 itojun Exp $");
 #include "groupaccess.h"
 #include "xmalloc.h"
@@ -49,7 +49,7 @@ ga_init(const char *user, gid_t base)
        ngroups = sizeof(groups_bygid) / sizeof(gid_t);
        if (getgrouplist(user, base, groups_bygid, &ngroups) == -1)
-                log("getgrouplist: groups list too small");
+                logit("getgrouplist: groups list too small");
        for (i = 0, j = 0; i < ngroups; i++)
                if ((gr = getgrgid(groups_bygid[i])) != NULL)
                        groups_byname[j++] = xstrdup(gr->gr_name);
diff --git a/gss-genr.c b/gss-genr.c
new file mode 100644
index 000000000..bda12d6f1
--- /dev/null
+++ b/gss-genr.c
@@ -0,0 +1,256 @@
+/*      $OpenBSD: gss-genr.c,v 1.1 2003/08/22 10:56:09 markus Exp $     */
+/*
+ * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "includes.h"
+#ifdef GSSAPI
+#include "xmalloc.h"
+#include "bufaux.h"
+#include "compat.h"
+#include "log.h"
+#include "monitor_wrap.h"
+#include "ssh-gss.h"
+/* Check that the OID in a data stream matches that in the context */
+int
+ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
+{
+        return (ctx != NULL && ctx->oid != GSS_C_NO_OID &&
+            ctx->oid->length == len &&
+            memcmp(ctx->oid->elements, data, len) == 0);
+}
+/* Set the contexts OID from a data stream */
+void
+ssh_gssapi_set_oid_data(Gssctxt *ctx, void *data, size_t len)
+{
+        if (ctx->oid != GSS_C_NO_OID) {
+                xfree(ctx->oid->elements);
+                xfree(ctx->oid);
+        }
+        ctx->oid = xmalloc(sizeof(gss_OID_desc));
+        ctx->oid->length = len;
+        ctx->oid->elements = xmalloc(len);
+        memcpy(ctx->oid->elements, data, len);
+}
+/* Set the contexts OID */
+void
+ssh_gssapi_set_oid(Gssctxt *ctx, gss_OID oid)
+{
+        ssh_gssapi_set_oid_data(ctx, oid->elements, oid->length);
+}
+/* All this effort to report an error ... */
+void
+ssh_gssapi_error(Gssctxt *ctxt)
+{
+        debug("%s", ssh_gssapi_last_error(ctxt, NULL, NULL));
+}
+char *
+ssh_gssapi_last_error(Gssctxt *ctxt,
+                      OM_uint32 *major_status, OM_uint32 *minor_status)
+{
+        OM_uint32 lmin;
+        gss_buffer_desc msg = GSS_C_EMPTY_BUFFER;
+        OM_uint32 ctx;
+        Buffer b;
+        char *ret;
+        buffer_init(&b);
+        if (major_status != NULL)
+                *major_status = ctxt->major;
+        if (minor_status != NULL)
+                *minor_status = ctxt->minor;
+        ctx = 0;
+        /* The GSSAPI error */
+        do {
+                gss_display_status(&lmin, ctxt->major,
+                    GSS_C_GSS_CODE, GSS_C_NULL_OID, &ctx, &msg);
+                buffer_append(&b, msg.value, msg.length);
+                buffer_put_char(&b, '\n');
+                gss_release_buffer(&lmin, &msg);
+        } while (ctx != 0);
+        /* The mechanism specific error */
+        do {
+                gss_display_status(&lmin, ctxt->minor,
+                    GSS_C_MECH_CODE, GSS_C_NULL_OID, &ctx, &msg);
+                buffer_append(&b, msg.value, msg.length);
+                buffer_put_char(&b, '\n');
+                gss_release_buffer(&lmin, &msg);
+        } while (ctx != 0);
+        buffer_put_char(&b, '\0');
+        ret = xmalloc(buffer_len(&b));
+        buffer_get(&b, ret, buffer_len(&b));
+        buffer_free(&b);
+        return (ret);
+}
+/*
+ * Initialise our GSSAPI context. We use this opaque structure to contain all
+ * of the data which both the client and server need to persist across
+ * {accept,init}_sec_context calls, so that when we do it from the userauth
+ * stuff life is a little easier
+ */
+void
+ssh_gssapi_build_ctx(Gssctxt **ctx)
+{
+        *ctx = xmalloc(sizeof (Gssctxt));
+        (*ctx)->major = 0;
+        (*ctx)->minor = 0;
+        (*ctx)->context = GSS_C_NO_CONTEXT;
+        (*ctx)->name = GSS_C_NO_NAME;
+        (*ctx)->oid = GSS_C_NO_OID;
+        (*ctx)->creds = GSS_C_NO_CREDENTIAL;
+        (*ctx)->client = GSS_C_NO_NAME;
+        (*ctx)->client_creds = GSS_C_NO_CREDENTIAL;
+}
+/* Delete our context, providing it has been built correctly */
+void
+ssh_gssapi_delete_ctx(Gssctxt **ctx)
+{
+        OM_uint32 ms;
+        if ((*ctx) == NULL)
+                return;
+        if ((*ctx)->context != GSS_C_NO_CONTEXT)
+                gss_delete_sec_context(&ms, &(*ctx)->context, GSS_C_NO_BUFFER);
+        if ((*ctx)->name != GSS_C_NO_NAME)
+                gss_release_name(&ms, &(*ctx)->name);
+        if ((*ctx)->oid != GSS_C_NO_OID) {
+                xfree((*ctx)->oid->elements);
+                xfree((*ctx)->oid);
+                (*ctx)->oid = GSS_C_NO_OID;
+        }
+        if ((*ctx)->creds != GSS_C_NO_CREDENTIAL)
+                gss_release_cred(&ms, &(*ctx)->creds);
+        if ((*ctx)->client != GSS_C_NO_NAME)
+                gss_release_name(&ms, &(*ctx)->client);
+        if ((*ctx)->client_creds != GSS_C_NO_CREDENTIAL)
+                gss_release_cred(&ms, &(*ctx)->client_creds);
+        xfree(*ctx);
+        *ctx = NULL;
+}
+/*
+ * Wrapper to init_sec_context
+ * Requires that the context contains:
+ *      oid
+ *      server name (from ssh_gssapi_import_name)
+ */
+OM_uint32
+ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok,
+    gss_buffer_desc* send_tok, OM_uint32 *flags)
+{
+        int deleg_flag = 0;
+        if (deleg_creds) {
+                deleg_flag = GSS_C_DELEG_FLAG;
+                debug("Delegating credentials");
+        }
+        ctx->major = gss_init_sec_context(&ctx->minor,
+            GSS_C_NO_CREDENTIAL, &ctx->context, ctx->name, ctx->oid,
+            GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
+            0, NULL, recv_tok, NULL, send_tok, flags, NULL);
+        if (GSS_ERROR(ctx->major))
+                ssh_gssapi_error(ctx);
+        return (ctx->major);
+}
+/* Create a service name for the given host */
+OM_uint32
+ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
+{
+        gss_buffer_desc gssbuf;
+        gssbuf.length = sizeof("host@") + strlen(host);
+        gssbuf.value = xmalloc(gssbuf.length);
+        snprintf(gssbuf.value, gssbuf.length, "host@%s", host);
+        if ((ctx->major = gss_import_name(&ctx->minor,
+            &gssbuf, GSS_C_NT_HOSTBASED_SERVICE, &ctx->name)))
+                ssh_gssapi_error(ctx);
+        xfree(gssbuf.value);
+        return (ctx->major);
+}
+/* Acquire credentials for a server running on the current host.
+ * Requires that the context structure contains a valid OID
+ */
+/* Returns a GSSAPI error code */
+OM_uint32
+ssh_gssapi_acquire_cred(Gssctxt *ctx)
+{
+        OM_uint32 status;
+        char lname[MAXHOSTNAMELEN];
+        gss_OID_set oidset;
+        gss_create_empty_oid_set(&status, &oidset);
+        gss_add_oid_set_member(&status, ctx->oid, &oidset);
+        if (gethostname(lname, MAXHOSTNAMELEN))
+                return (-1);
+        if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname)))
+                return (ctx->major);
+        if ((ctx->major = gss_acquire_cred(&ctx->minor,
+            ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
+                ssh_gssapi_error(ctx);
+        gss_release_oid_set(&status, &oidset);
+        return (ctx->major);
+}
+OM_uint32
+ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) {
+        if (*ctx)
+                ssh_gssapi_delete_ctx(ctx);
+        ssh_gssapi_build_ctx(ctx);
+        ssh_gssapi_set_oid(*ctx, oid);
+        return (ssh_gssapi_acquire_cred(*ctx));
+}
+#endif /* GSSAPI */
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
new file mode 100644
index 000000000..f48e09911
--- /dev/null
+++ b/gss-serv-krb5.c
@@ -0,0 +1,205 @@
+/*      $OpenBSD: gss-serv-krb5.c,v 1.1 2003/08/22 10:56:09 markus Exp $        */
+/*
+ * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "includes.h"
+#ifdef GSSAPI
+#ifdef KRB5
+#include "auth.h"
+#include "xmalloc.h"
+#include "log.h"
+#include "servconf.h"
+#include "ssh-gss.h"
+extern ServerOptions options;
+#ifdef HEIMDAL
+#include <krb5.h>
+#else
+#include <gssapi_krb5.h>
+#endif
+static krb5_context krb_context = NULL;
+/* Initialise the krb5 library, for the stuff that GSSAPI won't do */
+static int 
+ssh_gssapi_krb5_init()
+{
+        krb5_error_code problem;
+        if (krb_context != NULL)
+                return 1;
+        problem = krb5_init_context(&krb_context);
+        if (problem) {
+                logit("Cannot initialize krb5 context");
+                return 0;
+        }
+        krb5_init_ets(krb_context);
+        return 1;
+}
+/* Check if this user is OK to login. This only works with krb5 - other
+ * GSSAPI mechanisms will need their own.
+ * Returns true if the user is OK to log in, otherwise returns 0
+ */
+static int
+ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
+{
+        krb5_principal princ;
+        int retval;
+        if (ssh_gssapi_krb5_init() == 0)
+                return 0;
+        if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
+            &princ))) {
+                logit("krb5_parse_name(): %.100s",
+                    krb5_get_err_text(krb_context, retval));
+                return 0;
+        }
+        if (krb5_kuserok(krb_context, princ, name)) {
+                retval = 1;
+                logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
+                    name, (char *)client->displayname.value);
+        } else
+                retval = 0;
+        krb5_free_principal(krb_context, princ);
+        return retval;
+}
+/* This writes out any forwarded credentials from the structure populated
+ * during userauth. Called after we have setuid to the user */
+static void
+ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+{
+        krb5_ccache ccache;
+        krb5_error_code problem;
+        krb5_principal princ;
+        OM_uint32 maj_status, min_status;
+        if (client->creds == NULL) {
+                debug("No credentials stored");
+                return;
+        }
+        if (ssh_gssapi_krb5_init() == 0)
+                return;
+#ifdef HEIMDAL
+        if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
+                logit("krb5_cc_gen_new(): %.100s",
+                    krb5_get_err_text(krb_context, problem));
+                return;
+        }
+#else
+        {
+                int tmpfd;
+                char ccname[40];
+    
+                snprintf(ccname, sizeof(ccname), 
+                    "FILE:/tmp/krb5cc_%d_XXXXXX", geteuid());
+    
+                if ((tmpfd = mkstemp(ccname + strlen("FILE:"))) == -1) {
+                        logit("mkstemp(): %.100s", strerror(errno));
+                        problem = errno;
+                        return;
+                }
+                if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) {
+                        logit("fchmod(): %.100s", strerror(errno));
+                        close(tmpfd);
+                        problem = errno;
+                        return;
+                }
+                close(tmpfd);
+                if ((problem = krb5_cc_resolve(krb_context, ccname, &ccache))) {
+                        logit("krb5_cc_resolve(): %.100s",
+                            krb5_get_err_text(krb_context, problem));
+                        return;
+                }
+        }
+#endif  /* #ifdef HEIMDAL */
+        if ((problem = krb5_parse_name(krb_context, 
+            client->exportedname.value, &princ))) {
+                logit("krb5_parse_name(): %.100s",
+                    krb5_get_err_text(krb_context, problem));
+                krb5_cc_destroy(krb_context, ccache);
+                return;
+        }
+        if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
+                logit("krb5_cc_initialize(): %.100s",
+                    krb5_get_err_text(krb_context, problem));
+                krb5_free_principal(krb_context, princ);
+                krb5_cc_destroy(krb_context, ccache);
+                return;
+        }
+        krb5_free_principal(krb_context, princ);
+        if ((maj_status = gss_krb5_copy_ccache(&min_status, 
+            client->creds, ccache))) {
+                logit("gss_krb5_copy_ccache() failed");
+                krb5_cc_destroy(krb_context, ccache);
+                return;
+        }
+        client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
+        client->store.envvar = "KRB5CCNAME";
+        client->store.envval = xstrdup(client->store.filename);
+#ifdef USE_PAM
+        if (options.use_pam)
+                do_pam_putenv(client->store.envvar,client->store.envval);
+#endif
+        krb5_cc_close(krb_context, ccache);
+        return;
+}
+ssh_gssapi_mech gssapi_kerberos_mech = {
+        "toWM5Slw5Ew8Mqkay+al2g==",
+        "Kerberos",
+        {9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
+        NULL,
+        &ssh_gssapi_krb5_userok,
+        NULL,
+        &ssh_gssapi_krb5_storecreds
+};
+#endif /* KRB5 */
+#endif /* GSSAPI */
diff --git a/gss-serv.c b/gss-serv.c
new file mode 100644
index 000000000..8fd1d63f0
--- /dev/null
+++ b/gss-serv.c
@@ -0,0 +1,292 @@
+/*      $OpenBSD: gss-serv.c,v 1.3 2003/08/31 13:31:57 markus Exp $     */
+/*
+ * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "includes.h"
+#ifdef GSSAPI
+#include "bufaux.h"
+#include "compat.h"
+#include "auth.h"
+#include "log.h"
+#include "channels.h"
+#include "session.h"
+#include "servconf.h"
+#include "monitor_wrap.h"
+#include "xmalloc.h"
+#include "getput.h"
+#include "ssh-gss.h"
+extern ServerOptions options;
+static ssh_gssapi_client gssapi_client =
+    { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
+    GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
+ssh_gssapi_mech gssapi_null_mech =
+    { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL};
+#ifdef KRB5
+extern ssh_gssapi_mech gssapi_kerberos_mech;
+#endif
+ssh_gssapi_mech* supported_mechs[]= {
+#ifdef KRB5
+        &gssapi_kerberos_mech,
+#endif
+        &gssapi_null_mech,
+};
+/* Unpriviledged */
+void
+ssh_gssapi_supported_oids(gss_OID_set *oidset)
+{
+        int i = 0;
+        OM_uint32 min_status;
+        int present;
+        gss_OID_set supported;
+        gss_create_empty_oid_set(&min_status, oidset);
+        gss_indicate_mechs(&min_status, &supported);
+        while (supported_mechs[i]->name != NULL) {
+                if (GSS_ERROR(gss_test_oid_set_member(&min_status,
+                    &supported_mechs[i]->oid, supported, &present)))
+                        present = 0;
+                if (present)
+                        gss_add_oid_set_member(&min_status,
+                            &supported_mechs[i]->oid, oidset);
+                i++;
+        }
+}
+/* Wrapper around accept_sec_context
+ * Requires that the context contains:
+ *    oid
+ *    credentials       (from ssh_gssapi_acquire_cred)
+ */
+/* Priviledged */
+OM_uint32
+ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok,
+    gss_buffer_desc *send_tok, OM_uint32 *flags)
+{
+        OM_uint32 status;
+        gss_OID mech;
+        ctx->major = gss_accept_sec_context(&ctx->minor,
+            &ctx->context, ctx->creds, recv_tok,
+            GSS_C_NO_CHANNEL_BINDINGS, &ctx->client, &mech,
+            send_tok, flags, NULL, &ctx->client_creds);
+        if (GSS_ERROR(ctx->major))
+                ssh_gssapi_error(ctx);
+        if (ctx->client_creds)
+                debug("Received some client credentials");
+        else
+                debug("Got no client credentials");
+        status = ctx->major;
+        /* Now, if we're complete and we have the right flags, then
+         * we flag the user as also having been authenticated
+         */
+        if (((flags == NULL) || ((*flags & GSS_C_MUTUAL_FLAG) &&
+            (*flags & GSS_C_INTEG_FLAG))) && (ctx->major == GSS_S_COMPLETE)) {
+                if (ssh_gssapi_getclient(ctx, &gssapi_client))
+                        fatal("Couldn't convert client name");
+        }
+        return (status);
+}
+/*
+ * This parses an exported name, extracting the mechanism specific portion
+ * to use for ACL checking. It verifies that the name belongs the mechanism
+ * originally selected.
+ */
+static OM_uint32
+ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
+{
+        char *tok;
+        OM_uint32 offset;
+        OM_uint32 oidl;
+        tok=ename->value;
+        /*
+         * Check that ename is long enough for all of the fixed length
+         * header, and that the initial ID bytes are correct
+         */
+        if (ename->length<6 || memcmp(tok,"\x04\x01", 2)!=0)
+                return GSS_S_FAILURE;
+        /*
+         * Extract the OID, and check it. Here GSSAPI breaks with tradition
+         * and does use the OID type and length bytes. To confuse things
+         * there are two lengths - the first including these, and the
+         * second without.
+         */
+        oidl = GET_16BIT(tok+2); /* length including next two bytes */
+        oidl = oidl-2; /* turn it into the _real_ length of the variable OID */
+        /*
+         * Check the BER encoding for correct type and length, that the
+         * string is long enough and that the OID matches that in our context
+         */
+        if (tok[4] != 0x06 || tok[5] != oidl ||
+            ename->length < oidl+6 ||
+           !ssh_gssapi_check_oid(ctx,tok+6,oidl))
+                return GSS_S_FAILURE;
+        offset = oidl+6;
+        if (ename->length < offset+4)
+                return GSS_S_FAILURE;
+        name->length = GET_32BIT(tok+offset);
+        offset += 4;
+        if (ename->length < offset+name->length)
+                return GSS_S_FAILURE;
+        name->value = xmalloc(name->length+1);
+        memcpy(name->value,tok+offset,name->length);
+        ((char *)name->value)[name->length] = 0;
+        return GSS_S_COMPLETE;
+}
+/* Extract the client details from a given context. This can only reliably
+ * be called once for a context */
+/* Priviledged (called from accept_secure_ctx) */
+OM_uint32
+ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
+{
+        int i = 0;
+        gss_buffer_desc ename;
+        client->mech = NULL;
+        while (supported_mechs[i]->name != NULL) {
+                if (supported_mechs[i]->oid.length == ctx->oid->length &&
+                    (memcmp(supported_mechs[i]->oid.elements,
+                    ctx->oid->elements, ctx->oid->length) == 0))
+                        client->mech = supported_mechs[i];
+                i++;
+        }
+        if (client->mech == NULL)
+                return GSS_S_FAILURE;
+        if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
+            &client->displayname, NULL))) {
+                ssh_gssapi_error(ctx);
+                return (ctx->major);
+        }
+        if ((ctx->major = gss_export_name(&ctx->minor, ctx->client,
+            &ename))) {
+                ssh_gssapi_error(ctx);
+                return (ctx->major);
+        }
+        if ((ctx->major = ssh_gssapi_parse_ename(ctx,&ename,
+            &client->exportedname))) {
+                return (ctx->major);
+        }
+        /* We can't copy this structure, so we just move the pointer to it */
+        client->creds = ctx->client_creds;
+        ctx->client_creds = GSS_C_NO_CREDENTIAL;
+        return (ctx->major);
+}
+/* As user - called through fatal cleanup hook */
+void
+ssh_gssapi_cleanup_creds(void *ignored)
+{
+        if (gssapi_client.store.filename != NULL) {
+                /* Unlink probably isn't sufficient */
+                debug("removing gssapi cred file\"%s\"", gssapi_client.store.filename);
+                unlink(gssapi_client.store.filename);
+        }
+}
+/* As user */
+void
+ssh_gssapi_storecreds(void)
+{
+        if (gssapi_client.mech && gssapi_client.mech->storecreds) {
+                (*gssapi_client.mech->storecreds)(&gssapi_client);
+                if (options.gss_cleanup_creds)
+                        fatal_add_cleanup(ssh_gssapi_cleanup_creds, NULL);
+        } else
+                debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
+}
+/* This allows GSSAPI methods to do things to the childs environment based
+ * on the passed authentication process and credentials.
+ */
+/* As user */
+void
+ssh_gssapi_do_child(char ***envp, u_int *envsizep)
+{
+        if (gssapi_client.store.envvar != NULL &&
+            gssapi_client.store.envval != NULL) {
+                debug("Setting %s to %s", gssapi_client.store.envvar,
+                gssapi_client.store.envval);
+                child_set_env(envp, envsizep, gssapi_client.store.envvar,
+                     gssapi_client.store.envval);
+        }
+}
+/* Priviledged */
+int
+ssh_gssapi_userok(char *user)
+{
+        if (gssapi_client.exportedname.length == 0 ||
+            gssapi_client.exportedname.value == NULL) {
+                debug("No suitable client data");
+                return 0;
+        }
+        if (gssapi_client.mech && gssapi_client.mech->userok)
+                return ((*gssapi_client.mech->userok)(&gssapi_client, user));
+        else
+                debug("ssh_gssapi_userok: Unknown GSSAPI mechanism");
+        return (0);
+}
+#endif
diff --git a/hostfile.c b/hostfile.c
index dcee03448..42a8aa71d 100644
--- a/hostfile.c
+++ b/hostfile.c
@@ -36,7 +36,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: hostfile.c,v 1.30 2002/07/24 16:11:18 markus Exp $");
+RCSID("$OpenBSD: hostfile.c,v 1.31 2003/04/08 20:21:28 itojun Exp $");
 #include "packet.h"
 #include "match.h"
@@ -77,10 +77,10 @@ hostfile_check_key(int bits, Key *key, const char *host, const char *filename, i
        if (key == NULL || key->type != KEY_RSA1 || key->rsa == NULL)
                return 1;
        if (bits != BN_num_bits(key->rsa->n)) {
-                log("Warning: %s, line %d: keysize mismatch for host %s: "
+                logit("Warning: %s, line %d: keysize mismatch for host %s: "
                    "actual %d vs. announced %d.",
                    filename, linenum, host, BN_num_bits(key->rsa->n), bits);
-                log("Warning: replace %d with %d in %s, line %d.",
+                logit("Warning: replace %d with %d in %s, line %d.",
                    bits, BN_num_bits(key->rsa->n), filename, linenum);
        }
        return 1;
diff --git a/includes.h b/includes.h
index 37d402ef4..033cd91fa 100644
--- a/includes.h
+++ b/includes.h
@@ -50,9 +50,6 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
 #ifdef HAVE_NETGROUP_H
 # include <netgroup.h>
 #endif
-#if defined(HAVE_NETDB_H)
-# include <netdb.h>
-#endif
 #ifdef HAVE_ENDIAN_H
 # include <endian.h>
 #endif
@@ -68,6 +65,7 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
 #ifdef HAVE_NEXT
 #  include <libc.h>
 #endif
+#define __USE_GNU /* before unistd.h, activate extra prototypes for glibc */
 #include <unistd.h> /* For STDIN_FILENO, etc */
 #include <termios.h> /* Struct winsize */
@@ -133,12 +131,18 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
 #ifdef HAVE_SYS_MMAN_H
 #include <sys/mman.h> /* for MAP_ANONYMOUS */
 #endif
+#ifdef HAVE_SYS_STRTIO_H
+#include <sys/strtio.h> /* for TIOCCBRK on HP-UX */
+#endif
 #include <netinet/in_systm.h> /* For typedefs */
 #include <netinet/in.h> /* For IPv6 macros */
 #include <netinet/ip.h> /* For IPTOS macros */
 #include <netinet/tcp.h>
 #include <arpa/inet.h>
+#if defined(HAVE_NETDB_H)
+# include <netdb.h>
+#endif
 #ifdef HAVE_RPC_TYPES_H
 # include <rpc/types.h> /* For INADDR_LOOPBACK */
 #endif
@@ -167,7 +171,6 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
 #include "version.h"
 #include "openbsd-compat/openbsd-compat.h"
-#include "openbsd-compat/bsd-cygwin_util.h"
 #include "openbsd-compat/bsd-nextstep.h"
 #include "entropy.h"
diff --git a/key.c b/key.c
index 060b63745..54318cbbf 100644
--- a/key.c
+++ b/key.c
@@ -32,7 +32,7 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "includes.h"
-RCSID("$OpenBSD: key.c,v 1.51 2003/02/12 09:33:04 markus Exp $");
+RCSID("$OpenBSD: key.c,v 1.54 2003/07/09 13:58:19 avsm Exp $");
 #include <openssl/evp.h>
@@ -169,7 +169,7 @@ key_equal(Key *a, Key *b)
        return 0;
 }
-static u_char *
+u_char*
 key_fingerprint_raw(Key *k, enum fp_type dgst_type, u_int *dgst_raw_length)
 {
        const EVP_MD *md = NULL;
@@ -236,8 +236,10 @@ key_fingerprint_hex(u_char *dgst_raw, u_int dgst_raw_len)
        for (i = 0; i < dgst_raw_len; i++) {
                char hex[4];
                snprintf(hex, sizeof(hex), "%02x:", dgst_raw[i]);
-                strlcat(retval, hex, dgst_raw_len * 3);
+                strlcat(retval, hex, dgst_raw_len * 3 + 1);
        }
+        /* Remove the trailing ':' character */
        retval[(dgst_raw_len * 3) - 1] = '\0';
        return retval;
 }
@@ -438,7 +440,7 @@ key_read(Key *ret, char **cpp)
                        xfree(blob);
                        return -1;
                }
-                k = key_from_blob(blob, n);
+                k = key_from_blob(blob, (u_int)n);
                xfree(blob);
                if (k == NULL) {
                        error("key_read: key_from_blob %s failed", cp);
@@ -674,7 +676,7 @@ key_names_valid2(const char *names)
 }
 Key *
-key_from_blob(u_char *blob, int blen)
+key_from_blob(u_char *blob, u_int blen)
 {
        Buffer b;
        char *ktype;
diff --git a/key.h b/key.h
index 725c7a04a..28753fdfa 100644
--- a/key.h
+++ b/key.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: key.h,v 1.20 2003/02/12 09:33:04 markus Exp $ */
+/*      $OpenBSD: key.h,v 1.22 2003/06/24 08:23:46 markus Exp $ */
 /*
 * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -61,6 +61,7 @@ void	 key_free(Key *);
 Key     *key_demote(Key *);
 int      key_equal(Key *, Key *);
 char    *key_fingerprint(Key *, enum fp_type, enum fp_rep);
+u_char  *key_fingerprint_raw(Key *, enum fp_type, u_int *);
 char    *key_type(Key *);
 int      key_write(Key *, FILE *);
 int      key_read(Key *, char **);
@@ -70,7 +71,7 @@ Key	*key_generate(int, u_int);
 Key     *key_from_private(Key *);
 int      key_type_from_name(char *);
-Key     *key_from_blob(u_char *, int);
+Key     *key_from_blob(u_char *, u_int);
 int      key_to_blob(Key *, u_char **, u_int *);
 char    *key_ssh_name(Key *);
 int      key_names_valid2(const char *);
diff --git a/log.c b/log.c
index 84e4ce0ac..58ce8e5dd 100644
--- a/log.c
+++ b/log.c
@@ -34,7 +34,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: log.c,v 1.25 2003/01/11 18:29:43 markus Exp $");
+RCSID("$OpenBSD: log.c,v 1.28 2003/05/24 09:02:22 djm Exp $");
 #include "log.h"
 #include "xmalloc.h"
@@ -127,7 +127,7 @@ error(const char *fmt,...)
 /* Log this message (information that usually should go to the log). */
 void
-log(const char *fmt,...)
+logit(const char *fmt,...)
 {
        va_list args;
@@ -339,6 +339,9 @@ log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
 void
 do_log(LogLevel level, const char *fmt, va_list args)
 {
+#ifdef OPENLOG_R
+        struct syslog_data sdata = SYSLOG_DATA_INIT;
+#endif
        char msgbuf[MSGBUFSIZ];
        char fmtbuf[MSGBUFSIZ];
        char *txt = NULL;
@@ -387,14 +390,19 @@ do_log(LogLevel level, const char *fmt, va_list args)
        } else {
                vsnprintf(msgbuf, sizeof(msgbuf), fmt, args);
        }
-        /* Escape magic chars in output. */
+        strnvis(fmtbuf, msgbuf, sizeof(fmtbuf), VIS_SAFE|VIS_OCTAL);
-        strnvis(fmtbuf, msgbuf, sizeof(fmtbuf), VIS_OCTAL);
-        
        if (log_on_stderr) {
-                fprintf(stderr, "%s\r\n", fmtbuf);
+                snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf);
+                write(STDERR_FILENO, msgbuf, strlen(msgbuf));
        } else {
+#ifdef OPENLOG_R
+                openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
+                syslog_r(pri, &sdata, "%.500s", fmtbuf);
+                closelog_r(&sdata);
+#else
                openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility);
                syslog(pri, "%.500s", fmtbuf);
                closelog();
+#endif
        }
 }
diff --git a/log.h b/log.h
index 917fafa69..c3666818f 100644
--- a/log.h
+++ b/log.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: log.h,v 1.8 2002/07/19 15:43:33 markus Exp $  */
+/*      $OpenBSD: log.h,v 1.9 2003/04/08 20:21:28 itojun Exp $  */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -55,7 +55,7 @@ LogLevel log_level_number(char *);
 void     fatal(const char *, ...) __attribute__((format(printf, 1, 2)));
 void     error(const char *, ...) __attribute__((format(printf, 1, 2)));
-void     log(const char *, ...) __attribute__((format(printf, 1, 2)));
+void     logit(const char *, ...) __attribute__((format(printf, 1, 2)));
 void     verbose(const char *, ...) __attribute__((format(printf, 1, 2)));
 void     debug(const char *, ...) __attribute__((format(printf, 1, 2)));
 void     debug2(const char *, ...) __attribute__((format(printf, 1, 2)));
diff --git a/loginrec.c b/loginrec.c
index 6697ca7b0..bdac3e959 100644
--- a/loginrec.c
+++ b/loginrec.c
@@ -12,11 +12,6 @@
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *      This product includes software developed by Markus Friedl.
- * 4. The name of the author may not be used to endorse or promote products
- *    derived from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
@@ -163,7 +158,7 @@
 #include "log.h"
 #include "atomicio.h"
-RCSID("$Id: loginrec.c,v 1.47 2003/03/10 00:23:07 djm Exp $");
+RCSID("$Id: loginrec.c,v 1.52 2003/07/06 05:20:46 dtucker Exp $");
 #ifdef HAVE_UTIL_H
 #  include <util.h>
@@ -413,7 +408,7 @@ login_write (struct logininfo *li)
 {
 #ifndef HAVE_CYGWIN
        if ((int)geteuid() != 0) {
-          log("Attempt to write login records by non-root user (aborting)");
+          logit("Attempt to write login records by non-root user (aborting)");
          return 1;
        }
 #endif
@@ -818,7 +813,7 @@ utmp_write_direct(struct logininfo *li, struct utmp *ut)
        endttyent();
        if((struct ttyent *)0 == ty) {
-                log("utmp_write_entry: tty not found");
+                logit("utmp_write_entry: tty not found");
                return(1);
        }
 #else /* FIXME */
@@ -842,8 +837,8 @@ utmp_write_direct(struct logininfo *li, struct utmp *ut)
                }
                (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET);
-                if (atomicio(write, fd, ut, sizeof(*ut)) != sizeof(*ut))
+                if (atomicio(vwrite, fd, ut, sizeof(*ut)) != sizeof(*ut))
-                        log("utmp_write_direct: error writing %s: %s",
+                        logit("utmp_write_direct: error writing %s: %s",
                            UTMP_FILE, strerror(errno));
                (void)close(fd);
@@ -862,12 +857,12 @@ utmp_perform_login(struct logininfo *li)
        construct_utmp(li, &ut);
 # ifdef UTMP_USE_LIBRARY
        if (!utmp_write_library(li, &ut)) {
-                log("utmp_perform_login: utmp_write_library() failed");
+                logit("utmp_perform_login: utmp_write_library() failed");
                return 0;
        }
 # else
        if (!utmp_write_direct(li, &ut)) {
-                log("utmp_perform_login: utmp_write_direct() failed");
+                logit("utmp_perform_login: utmp_write_direct() failed");
                return 0;
        }
 # endif
@@ -883,12 +878,12 @@ utmp_perform_logout(struct logininfo *li)
        construct_utmp(li, &ut);
 # ifdef UTMP_USE_LIBRARY
        if (!utmp_write_library(li, &ut)) {
-                log("utmp_perform_logout: utmp_write_library() failed");
+                logit("utmp_perform_logout: utmp_write_library() failed");
                return 0;
        }
 # else
        if (!utmp_write_direct(li, &ut)) {
-                log("utmp_perform_logout: utmp_write_direct() failed");
+                logit("utmp_perform_logout: utmp_write_direct() failed");
                return 0;
        }
 # endif
@@ -907,7 +902,7 @@ utmp_write_entry(struct logininfo *li)
                return utmp_perform_logout(li);
        default:
-                log("utmp_write_entry: invalid type field");
+                logit("utmp_write_entry: invalid type field");
                return 0;
        }
 }
@@ -948,7 +943,7 @@ utmpx_write_library(struct logininfo *li, struct utmpx *utx)
 static int
 utmpx_write_direct(struct logininfo *li, struct utmpx *utx)
 {
-        log("utmpx_write_direct: not implemented!");
+        logit("utmpx_write_direct: not implemented!");
        return 0;
 }
 # endif /* UTMPX_USE_LIBRARY */
@@ -961,12 +956,12 @@ utmpx_perform_login(struct logininfo *li)
        construct_utmpx(li, &utx);
 # ifdef UTMPX_USE_LIBRARY
        if (!utmpx_write_library(li, &utx)) {
-                log("utmpx_perform_login: utmp_write_library() failed");
+                logit("utmpx_perform_login: utmp_write_library() failed");
                return 0;
        }
 # else
        if (!utmpx_write_direct(li, &ut)) {
-                log("utmpx_perform_login: utmp_write_direct() failed");
+                logit("utmpx_perform_login: utmp_write_direct() failed");
                return 0;
        }
 # endif
@@ -1004,7 +999,7 @@ utmpx_write_entry(struct logininfo *li)
        case LTYPE_LOGOUT:
                return utmpx_perform_logout(li);
        default:
-                log("utmpx_write_entry: invalid type field");
+                logit("utmpx_write_entry: invalid type field");
                return 0;
        }
 }
@@ -1026,14 +1021,14 @@ wtmp_write(struct logininfo *li, struct utmp *ut)
        int fd, ret = 1;
        if ((fd = open(WTMP_FILE, O_WRONLY|O_APPEND, 0)) < 0) {
-                log("wtmp_write: problem writing %s: %s",
+                logit("wtmp_write: problem writing %s: %s",
                    WTMP_FILE, strerror(errno));
                return 0;
        }
        if (fstat(fd, &buf) == 0)
-                if (atomicio(write, fd, ut, sizeof(*ut)) != sizeof(*ut)) {
+                if (atomicio(vwrite, fd, ut, sizeof(*ut)) != sizeof(*ut)) {
                        ftruncate(fd, buf.st_size);
-                        log("wtmp_write: problem writing %s: %s",
+                        logit("wtmp_write: problem writing %s: %s",
                            WTMP_FILE, strerror(errno));
                        ret = 0;
                }
@@ -1070,7 +1065,7 @@ wtmp_write_entry(struct logininfo *li)
        case LTYPE_LOGOUT:
                return wtmp_perform_logout(li);
        default:
-                log("wtmp_write_entry: invalid type field");
+                logit("wtmp_write_entry: invalid type field");
                return 0;
        }
 }
@@ -1119,12 +1114,12 @@ wtmp_get_entry(struct logininfo *li)
        li->tv_sec = li->tv_usec = 0;
        if ((fd = open(WTMP_FILE, O_RDONLY)) < 0) {
-                log("wtmp_get_entry: problem opening %s: %s",
+                logit("wtmp_get_entry: problem opening %s: %s",
                    WTMP_FILE, strerror(errno));
                return 0;
        }
        if (fstat(fd, &st) != 0) {
-                log("wtmp_get_entry: couldn't stat %s: %s",
+                logit("wtmp_get_entry: couldn't stat %s: %s",
                    WTMP_FILE, strerror(errno));
                close(fd);
                return 0;
@@ -1139,7 +1134,7 @@ wtmp_get_entry(struct logininfo *li)
        while (!found) {
                if (atomicio(read, fd, &ut, sizeof(ut)) != sizeof(ut)) {
-                        log("wtmp_get_entry: read of %s failed: %s",
+                        logit("wtmp_get_entry: read of %s failed: %s",
                            WTMP_FILE, strerror(errno));
                        close (fd);
                        return 0;
@@ -1192,15 +1187,15 @@ wtmpx_write(struct logininfo *li, struct utmpx *utx)
        int fd, ret = 1;
        if ((fd = open(WTMPX_FILE, O_WRONLY|O_APPEND, 0)) < 0) {
-                log("wtmpx_write: problem opening %s: %s",
+                logit("wtmpx_write: problem opening %s: %s",
                    WTMPX_FILE, strerror(errno));
                return 0;
        }
        if (fstat(fd, &buf) == 0)
-                if (atomicio(write, fd, utx, sizeof(*utx)) != sizeof(*utx)) {
+                if (atomicio(vwrite, fd, utx, sizeof(*utx)) != sizeof(*utx)) {
                        ftruncate(fd, buf.st_size);
-                        log("wtmpx_write: problem writing %s: %s",
+                        logit("wtmpx_write: problem writing %s: %s",
                            WTMPX_FILE, strerror(errno));
                        ret = 0;
                }
@@ -1239,7 +1234,7 @@ wtmpx_write_entry(struct logininfo *li)
        case LTYPE_LOGOUT:
                return wtmpx_perform_logout(li);
        default:
-                log("wtmpx_write_entry: invalid type field");
+                logit("wtmpx_write_entry: invalid type field");
                return 0;
        }
 }
@@ -1275,12 +1270,12 @@ wtmpx_get_entry(struct logininfo *li)
        li->tv_sec = li->tv_usec = 0;
        if ((fd = open(WTMPX_FILE, O_RDONLY)) < 0) {
-                log("wtmpx_get_entry: problem opening %s: %s",
+                logit("wtmpx_get_entry: problem opening %s: %s",
                    WTMPX_FILE, strerror(errno));
                return 0;
        }
        if (fstat(fd, &st) != 0) {
-                log("wtmpx_get_entry: couldn't stat %s: %s",
+                logit("wtmpx_get_entry: couldn't stat %s: %s",
                    WTMPX_FILE, strerror(errno));
                close(fd);
                return 0;
@@ -1295,7 +1290,7 @@ wtmpx_get_entry(struct logininfo *li)
        while (!found) {
                if (atomicio(read, fd, &utx, sizeof(utx)) != sizeof(utx)) {
-                        log("wtmpx_get_entry: read of %s failed: %s",
+                        logit("wtmpx_get_entry: read of %s failed: %s",
                            WTMPX_FILE, strerror(errno));
                        close (fd);
                        return 0;
@@ -1340,7 +1335,7 @@ syslogin_perform_login(struct logininfo *li)
        struct utmp *ut;
        if (! (ut = (struct utmp *)malloc(sizeof(*ut)))) {
-                log("syslogin_perform_login: couldn't malloc()");
+                logit("syslogin_perform_login: couldn't malloc()");
                return 0;
        }
        construct_utmp(li, ut);
@@ -1359,7 +1354,7 @@ syslogin_perform_logout(struct logininfo *li)
        (void)line_stripname(line, li->line, sizeof(line));
        if (!logout(line)) {
-                log("syslogin_perform_logout: logout() returned an error");
+                logit("syslogin_perform_logout: logout() returned an error");
 #  ifdef HAVE_LOGWTMP
        } else {
                logwtmp(line, "", "");
@@ -1382,7 +1377,7 @@ syslogin_write_entry(struct logininfo *li)
        case LTYPE_LOGOUT:
                return syslogin_perform_logout(li);
        default:
-                log("syslogin_write_entry: Invalid type field");
+                logit("syslogin_write_entry: Invalid type field");
                return 0;
        }
 }
@@ -1417,7 +1412,7 @@ lastlog_filetype(char *filename)
        struct stat st;
        if (stat(LASTLOG_FILE, &st) != 0) {
-                log("lastlog_perform_login: Couldn't stat %s: %s", LASTLOG_FILE,
+                logit("lastlog_perform_login: Couldn't stat %s: %s", LASTLOG_FILE,
                        strerror(errno));
                return 0;
        }
@@ -1448,12 +1443,12 @@ lastlog_openseek(struct logininfo *li, int *fd, int filemode)
                                 LASTLOG_FILE, li->username);
                        break;
                default:
-                        log("lastlog_openseek: %.100s is not a file or directory!",
+                        logit("lastlog_openseek: %.100s is not a file or directory!",
                            LASTLOG_FILE);
                        return 0;
        }
-        *fd = open(lastlog_file, filemode);
+        *fd = open(lastlog_file, filemode, 0600);
        if ( *fd < 0) {
                debug("lastlog_openseek: Couldn't open %s: %s",
                    lastlog_file, strerror(errno));
@@ -1465,7 +1460,7 @@ lastlog_openseek(struct logininfo *li, int *fd, int filemode)
                offset = (off_t) ((long)li->uid * sizeof(struct lastlog));
                if ( lseek(*fd, offset, SEEK_SET) != offset ) {
-                        log("lastlog_openseek: %s->lseek(): %s",
+                        logit("lastlog_openseek: %s->lseek(): %s",
                         lastlog_file, strerror(errno));
                        return 0;
                }
@@ -1487,9 +1482,9 @@ lastlog_perform_login(struct logininfo *li)
                return(0);
        /* write the entry */
-        if (atomicio(write, fd, &last, sizeof(last)) != sizeof(last)) {
+        if (atomicio(vwrite, fd, &last, sizeof(last)) != sizeof(last)) {
                close(fd);
-                log("lastlog_write_filemode: Error writing to %s: %s",
+                logit("lastlog_write_filemode: Error writing to %s: %s",
                    LASTLOG_FILE, strerror(errno));
                return 0;
        }
@@ -1505,7 +1500,7 @@ lastlog_write_entry(struct logininfo *li)
        case LTYPE_LOGIN:
                return lastlog_perform_login(li);
        default:
-                log("lastlog_write_entry: Invalid type field");
+                logit("lastlog_write_entry: Invalid type field");
                return 0;
        }
 }
diff --git a/loginrec.h b/loginrec.h
index 732e21e11..7f932c296 100644
--- a/loginrec.h
+++ b/loginrec.h
@@ -12,11 +12,6 @@
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *      This product includes software developed by Markus Friedl.
- * 4. The name of the author may not be used to endorse or promote products
- *    derived from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
@@ -40,7 +35,7 @@
 #include <netinet/in.h>
 #include <sys/socket.h>
-/* RCSID("$Id: loginrec.h,v 1.6 2001/05/08 20:33:06 mouring Exp $"); */
+/* RCSID("$Id: loginrec.h,v 1.7 2003/06/03 02:18:50 djm Exp $"); */
 /**
 ** you should use the login_* calls to work around platform dependencies
diff --git a/logintest.c b/logintest.c
index da9ea50ec..3f3997d10 100644
--- a/logintest.c
+++ b/logintest.c
@@ -9,11 +9,6 @@
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *      This product includes software developed by Markus Friedl.
- * 4. The name of the author may not be used to endorse or promote products
- *    derived from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
@@ -48,7 +43,7 @@
 #include "loginrec.h"
-RCSID("$Id: logintest.c,v 1.8 2001/04/05 23:05:22 stevesk Exp $");
+RCSID("$Id: logintest.c,v 1.10 2003/08/21 23:34:41 djm Exp $");
 #ifdef HAVE___PROGNAME
 extern char *__progname;
@@ -292,7 +287,7 @@ main(int argc, char *argv[])
 {
        printf("Platform-independent login recording test driver\n");
-        __progname = get_progname(argv[0]);
+        __progname = ssh_get_progname(argv[0]);
        if (argc == 2) {
                if (strncmp(argv[1], "-i", 3) == 0)
                        compile_opts_only = 1;
diff --git a/md5crypt.c b/md5crypt.c
index ba98ccccc..e14d53ac1 100644
--- a/md5crypt.c
+++ b/md5crypt.c
@@ -1,159 +1,165 @@
 /*
 * ----------------------------------------------------------------------------
 * "THE BEER-WARE LICENSE" (Revision 42):
- * <phk@login.dknet.dk> wrote this file.  As long as you retain this notice you
+ * <phk@login.dknet.dk> wrote this file.  As long as you retain this 
- * can do whatever you want with this stuff. If we meet some day, and you think
+ * notice you can do whatever you want with this stuff. If we meet some 
- * this stuff is worth it, you can buy me a beer in return.   Poul-Henning Kamp
+ * day, and you think this stuff is worth it, you can buy me a beer in 
+ * return.   Poul-Henning Kamp
 * ----------------------------------------------------------------------------
 */
-/*
- * Ported from FreeBSD to Linux, only minimal changes.  --marekm
- */
-/*
- * Adapted from shadow-19990607 by Tudor Bosman, tudorb@jm.nu
- */
 #include "includes.h"
-RCSID("$Id: md5crypt.c,v 1.5 2001/02/09 01:55:36 djm Exp $");
 #if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
 #include <openssl/md5.h>
-static unsigned char itoa64[] =         /* 0 ... 63 => ascii - 64 */
+RCSID("$Id: md5crypt.c,v 1.7 2003/05/30 06:58:23 dtucker Exp $");
-        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+/* 0 ... 63 => ascii - 64 */
+static unsigned char itoa64[] =
+    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
-static char     *magic = "$1$"; /*
+static char *magic = "$1$";
-                                 * This string is magic for
-                                 * this algorithm.  Having
-                                 * it this way, we can get
-                                 * get better later on
-                                 */
-static void
+static char *
-to64(char *s, unsigned long v, int n)
+to64(unsigned long v, int n)
 {
+        static char buf[5];
+        char *s = buf;
+        if (n > 4)
+                return (NULL);
+        memset(buf, '\0', sizeof(buf));
        while (--n >= 0) {
                *s++ = itoa64[v&0x3f];
                v >>= 6;
        }
+        
+        return (buf);
 }
 int
 is_md5_salt(const char *salt)
 {
-        return (!strncmp(salt, magic, strlen(magic)));
+        return (strncmp(salt, magic, strlen(magic)) == 0);
 }
-/*
- * UNIX password
- *
- * Use MD5 for what it is best at...
- */
 char *
 md5_crypt(const char *pw, const char *salt)
 {
-        static char     passwd[120], *p;
+        static char passwd[120], salt_copy[9], *p;
-        static const char *sp,*ep;
+        static const char *sp, *ep;
-        unsigned char   final[16];
+        unsigned char final[16];
-        int sl,pl,i,j;
+        int sl, pl, i, j;
-        MD5_CTX ctx,ctx1;
+        MD5_CTX ctx, ctx1;
        unsigned long l;
        /* Refine the Salt first */
        sp = salt;
        /* If it starts with the magic string, then skip that */
-        if(!strncmp(sp,magic,strlen(magic)))
+        if(strncmp(sp, magic, strlen(magic)) == 0)
                sp += strlen(magic);
        /* It stops at the first '$', max 8 chars */
-        for(ep=sp;*ep && *ep != '$' && ep < (sp+8);ep++)
+        for (ep = sp; *ep != '$'; ep++) {
-                continue;
+                if (*ep == '\0' || ep >= (sp + 8))
+                        return (NULL);
+        }
        /* get the length of the true salt */
        sl = ep - sp;
+        /* Stash the salt */
+        memcpy(salt_copy, sp, sl);
+        salt_copy[sl] = '\0';
        MD5_Init(&ctx);
        /* The password first, since that is what is most unknown */
-        MD5_Update(&ctx,pw,strlen(pw));
+        MD5_Update(&ctx, pw, strlen(pw));
        /* Then our magic string */
-        MD5_Update(&ctx,magic,strlen(magic));
+        MD5_Update(&ctx, magic, strlen(magic));
        /* Then the raw salt */
-        MD5_Update(&ctx,sp,sl);
+        MD5_Update(&ctx, sp, sl);
-        /* Then just as many characters of the MD5(pw,salt,pw) */
+        /* Then just as many characters of the MD5(pw, salt, pw) */
        MD5_Init(&ctx1);
-        MD5_Update(&ctx1,pw,strlen(pw));
+        MD5_Update(&ctx1, pw, strlen(pw));
-        MD5_Update(&ctx1,sp,sl);
+        MD5_Update(&ctx1, sp, sl);
-        MD5_Update(&ctx1,pw,strlen(pw));
+        MD5_Update(&ctx1, pw, strlen(pw));
-        MD5_Final(final,&ctx1);
+        MD5_Final(final, &ctx1);
        for(pl = strlen(pw); pl > 0; pl -= 16)
-                MD5_Update(&ctx,final,pl>16 ? 16 : pl);
+                MD5_Update(&ctx, final, pl > 16 ? 16 : pl);
        /* Don't leave anything around in vm they could use. */
-        memset(final,0,sizeof final);
+        memset(final, '\0', sizeof final);
        /* Then something really weird... */
-        for (j=0,i = strlen(pw); i ; i >>= 1)
+        for (j = 0, i = strlen(pw); i != 0; i >>= 1)
-                if(i&1)
+                if (i & 1)
-                    MD5_Update(&ctx, final+j, 1);
+                        MD5_Update(&ctx, final + j, 1);
                else
-                    MD5_Update(&ctx, pw+j, 1);
+                        MD5_Update(&ctx, pw + j, 1);
        /* Now make the output string */
-        strcpy(passwd,magic);
+        snprintf(passwd, sizeof(passwd), "%s%s$", magic, salt_copy);
-        strncat(passwd,sp,sl);
-        strcat(passwd,"$");
-        MD5_Final(final,&ctx);
+        MD5_Final(final, &ctx);
        /*
         * and now, just to make sure things don't run too fast
         * On a 60 Mhz Pentium this takes 34 msec, so you would
         * need 30 seconds to build a 1000 entry dictionary...
         */
-        for(i=0;i<1000;i++) {
+        for(i = 0; i < 1000; i++) {
                MD5_Init(&ctx1);
-                if(i & 1)
+                if (i & 1)
-                        MD5_Update(&ctx1,pw,strlen(pw));
+                        MD5_Update(&ctx1, pw, strlen(pw));
                else
-                        MD5_Update(&ctx1,final,16);
+                        MD5_Update(&ctx1, final, 16);
-                if(i % 3)
+                if (i % 3)
-                        MD5_Update(&ctx1,sp,sl);
+                        MD5_Update(&ctx1, sp, sl);
-                if(i % 7)
+                if (i % 7)
-                        MD5_Update(&ctx1,pw,strlen(pw));
+                        MD5_Update(&ctx1, pw, strlen(pw));
-                if(i & 1)
+                if (i & 1)
-                        MD5_Update(&ctx1,final,16);
+                        MD5_Update(&ctx1, final, 16);
                else
-                        MD5_Update(&ctx1,pw,strlen(pw));
+                        MD5_Update(&ctx1, pw, strlen(pw));
-                MD5_Final(final,&ctx1);
+                MD5_Final(final, &ctx1);
        }
        p = passwd + strlen(passwd);
-        l = (final[ 0]<<16) | (final[ 6]<<8) | final[12]; to64(p,l,4); p += 4;
+        l = (final[ 0]<<16) | (final[ 6]<<8) | final[12];
-        l = (final[ 1]<<16) | (final[ 7]<<8) | final[13]; to64(p,l,4); p += 4;
+        strlcat(passwd, to64(l, 4), sizeof(passwd));
-        l = (final[ 2]<<16) | (final[ 8]<<8) | final[14]; to64(p,l,4); p += 4;
+        l = (final[ 1]<<16) | (final[ 7]<<8) | final[13];
-        l = (final[ 3]<<16) | (final[ 9]<<8) | final[15]; to64(p,l,4); p += 4;
+        strlcat(passwd, to64(l, 4), sizeof(passwd));
-        l = (final[ 4]<<16) | (final[10]<<8) | final[ 5]; to64(p,l,4); p += 4;
+        l = (final[ 2]<<16) | (final[ 8]<<8) | final[14];
-        l =                    final[11]                ; to64(p,l,2); p += 2;
+        strlcat(passwd, to64(l, 4), sizeof(passwd));
-        *p = '\0';
+        l = (final[ 3]<<16) | (final[ 9]<<8) | final[15];
+        strlcat(passwd, to64(l, 4), sizeof(passwd));
+        l = (final[ 4]<<16) | (final[10]<<8) | final[ 5];
+        strlcat(passwd, to64(l, 4), sizeof(passwd));
+        l =                    final[11]                ;
+        strlcat(passwd, to64(l, 2), sizeof(passwd));
        /* Don't leave anything around in vm they could use. */
-        memset(final,0,sizeof final);
+        memset(final, 0, sizeof(final));
+        memset(salt_copy, 0, sizeof(salt_copy));
+        memset(&ctx, 0, sizeof(ctx));
+        memset(&ctx1, 0, sizeof(ctx1));
+        (void)to64(0, 4);
-        return passwd;
+        return (passwd);
 }
 #endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */
diff --git a/md5crypt.h b/md5crypt.h
index 21356fbe7..2341e2c12 100644
--- a/md5crypt.h
+++ b/md5crypt.h
@@ -7,15 +7,7 @@
 * ----------------------------------------------------------------------------
 */
-/*
+/* $Id: md5crypt.h,v 1.4 2003/05/18 14:46:46 djm Exp $ */
- * Ported from FreeBSD to Linux, only minimal changes.  --marekm
- */
-/*
- * Adapted from shadow-19990607 by Tudor Bosman, tudorb@jm.nu
- */
-/* $Id: md5crypt.h,v 1.3 2001/02/09 01:55:36 djm Exp $ */
 #ifndef _MD5CRYPT_H
 #define _MD5CRYPT_H
@@ -24,8 +16,8 @@
 #if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
-int is_md5_salt(const char *salt);
+int is_md5_salt(const char *);
-char *md5_crypt(const char *pw, const char *salt);
+char *md5_crypt(const char *, const char *);
 #endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */
diff --git a/mdoc2man.awk b/mdoc2man.awk
new file mode 100644
index 000000000..856e2d7c5
--- /dev/null
+++ b/mdoc2man.awk
@@ -0,0 +1,340 @@
+#!/usr/bin/awk
+#
+# Version history:
+#  v3, I put the program under a proper license
+#      Dan Nelson <dnelson@allantgroup.com> added .An, .Aq and fixed a typo
+#  v2, fixed to work on GNU awk --posix and MacOS X
+#  v1, first attempt, didn't work on MacOS X
+#
+# Copyright (c) 2003 Peter Stuge <stuge-mdoc2man@cdy.org>
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+BEGIN {
+  optlist=0
+  oldoptlist=0
+  nospace=0
+  synopsis=0
+  reference=0
+  block=0
+  ext=0
+  extopt=0
+  literal=0
+  prenl=0
+  line=""
+}
+function wtail() {
+  retval=""
+  while(w<nwords) {
+    if(length(retval))
+      retval=retval OFS
+    retval=retval words[++w]
+  }
+  return retval
+}
+function add(str) {
+  for(;prenl;prenl--)
+    line=line "\n"
+  line=line str
+}
+! /^\./ {
+  for(;prenl;prenl--)
+    print ""
+  print
+  if(literal)
+    print ".br"
+  next
+}
+/^\.\\"/ { next }
+{
+  option=0
+  parens=0
+  angles=0
+  sub("^\\.","")
+  nwords=split($0,words)
+  for(w=1;w<=nwords;w++) {
+    skip=0
+    if(match(words[w],"^Li|Pf$")) {
+      skip=1
+    } else if(match(words[w],"^Xo$")) {
+      skip=1
+      ext=1
+      if(length(line)&&!(match(line," $")||prenl))
+        add(OFS)
+    } else if(match(words[w],"^Xc$")) {
+      skip=1
+      ext=0
+      if(!extopt)
+        prenl++
+      w=nwords
+    } else if(match(words[w],"^Bd$")) {
+      skip=1
+      if(match(words[w+1],"-literal")) {
+        literal=1
+        prenl++
+        w=nwords
+      }
+    } else if(match(words[w],"^Ed$")) {
+      skip=1
+      literal=0
+    } else if(match(words[w],"^Ns$")) {
+      skip=1
+      if(!nospace)
+        nospace=1
+      sub(" $","",line)
+    } else if(match(words[w],"^No$")) {
+      skip=1
+      sub(" $","",line)
+      add(words[++w])
+    } else if(match(words[w],"^Dq$")) {
+      skip=1
+      add("``")
+      add(words[++w])
+      while(w<nwords&&!match(words[w+1],"^[\\.,]"))
+        add(OFS words[++w])
+      add("''")
+      if(!nospace&&match(words[w+1],"^[\\.,]"))
+        nospace=1
+    } else if(match(words[w],"^Sq|Ql$")) {
+      skip=1
+      add("`" words[++w] "'")
+      if(!nospace&&match(words[w+1],"^[\\.,]"))
+        nospace=1
+    } else if(match(words[w],"^Oo$")) {
+      skip=1
+      extopt=1
+      if(!nospace)
+        nospace=1
+      add("[")
+    } else if(match(words[w],"^Oc$")) {
+      skip=1
+      extopt=0
+      add("]")
+    }
+    if(!skip) {
+      if(!nospace&&length(line)&&!(match(line," $")||prenl))
+        add(OFS)
+      if(nospace==1)
+        nospace=0
+    }
+    if(match(words[w],"^Dd$")) {
+      date=wtail()
+      next
+    } else if(match(words[w],"^Dt$")) {
+      id=wtail()
+      next
+    } else if(match(words[w],"^Os$")) {
+      add(".TH " id " \"" date "\" \"" wtail() "\"")
+    } else if(match(words[w],"^Sh$")) {
+      add(".SH")
+      synopsis=match(words[w+1],"SYNOPSIS")
+    } else if(match(words[w],"^Xr$")) {
+      add("\\fB" words[++w] "\\fP(" words[++w] ")" words[++w])
+    } else if(match(words[w],"^Rs$")) {
+      split("",refauthors)
+      nrefauthors=0
+      reftitle=""
+      refissue=""
+      refdate=""
+      refopt=""
+      reference=1
+      next
+    } else if(match(words[w],"^Re$")) {
+      prenl++
+      for(i=nrefauthors-1;i>0;i--) {
+        add(refauthors[i])
+        if(i>1)
+          add(", ")
+      }
+      if(nrefauthors>1)
+        add(" and ")
+      add(refauthors[0] ", \\fI" reftitle "\\fP")
+      if(length(refissue))
+        add(", " refissue)
+      if(length(refdate))
+        add(", " refdate)
+      if(length(refopt))
+        add(", " refopt)
+      add(".")
+      reference=0
+    } else if(reference) {
+      if(match(words[w],"^%A$")) { refauthors[nrefauthors++]=wtail() }
+      if(match(words[w],"^%T$")) {
+        reftitle=wtail()
+        sub("^\"","",reftitle)
+        sub("\"$","",reftitle)
+      }
+      if(match(words[w],"^%N$")) { refissue=wtail() }
+      if(match(words[w],"^%D$")) { refdate=wtail() }
+      if(match(words[w],"^%O$")) { refopt=wtail() }
+    } else if(match(words[w],"^Nm$")) {
+      if(synopsis) {
+        add(".br")
+        prenl++
+      }
+      n=words[++w]
+      if(!length(name))
+        name=n
+      if(!length(n))
+        n=name
+      add("\\fB" n "\\fP")
+      if(!nospace&&match(words[w+1],"^[\\.,]"))
+        nospace=1
+    } else if(match(words[w],"^Nd$")) {
+      add("\\- " wtail())
+    } else if(match(words[w],"^Fl$")) {
+      add("\\fB\\-" words[++w] "\\fP")
+      if(!nospace&&match(words[w+1],"^[\\.,]"))
+        nospace=1
+    } else if(match(words[w],"^Ar$")) {
+      add("\\fI")
+      if(w==nwords)
+        add("file ...\\fP")
+      else {
+        add(words[++w] "\\fP")
+        while(match(words[w+1],"^\\|$"))
+          add(OFS words[++w] " \\fI" words[++w] "\\fP")
+      }
+      if(!nospace&&match(words[w+1],"^[\\.,]"))
+        nospace=1
+    } else if(match(words[w],"^Cm$")) {
+      add("\\fB" words[++w] "\\fP")
+      while(w<nwords&&match(words[w+1],"^[\\.,:;)]"))
+        add(words[++w])
+    } else if(match(words[w],"^Op$")) {
+      option=1
+      if(!nospace)
+        nospace=1
+      add("[")
+    } else if(match(words[w],"^Pp$")) {
+      prenl++
+    } else if(match(words[w],"^An$")) {
+      prenl++
+    } else if(match(words[w],"^Ss$")) {
+      add(".SS")
+    } else if(match(words[w],"^Pa$")&&!option) {
+      add("\\fI")
+      w++
+      if(match(words[w],"^\\."))
+        add("\\&")
+      add(words[w] "\\fP")
+      while(w<nwords&&match(words[w+1],"^[\\.,:;)]"))
+        add(words[++w])
+    } else if(match(words[w],"^Dv$")) {
+      add(".BR")
+    } else if(match(words[w],"^Em|Ev$")) {
+      add(".IR")
+    } else if(match(words[w],"^Pq$")) {
+      add("(")
+      nospace=1
+      parens=1
+    } else if(match(words[w],"^Aq$")) {
+      add("<")
+      nospace=1
+      angles=1
+    } else if(match(words[w],"^S[xy]$")) {
+      add(".B " wtail())
+    } else if(match(words[w],"^Ic$")) {
+      plain=1
+      add("\\fB")
+      while(w<nwords) {
+        w++
+        if(match(words[w],"^Op$")) {
+          w++
+          add("[")
+          words[nwords]=words[nwords] "]"
+        }
+        if(match(words[w],"^Ar$")) {
+          add("\\fI" words[++w] "\\fP")
+        } else if(match(words[w],"^[\\.,]")) {
+          sub(" $","",line)
+          if(plain) {
+            add("\\fP")
+            plain=0
+          }
+          add(words[w])
+        } else {
+          if(!plain) {
+            add("\\fB")
+            plain=1
+          }
+          add(words[w])
+        }
+        if(!nospace)
+          add(OFS)
+      }
+      sub(" $","",line)
+      if(plain)
+        add("\\fP")
+    } else if(match(words[w],"^Bl$")) {
+      oldoptlist=optlist
+      if(match(words[w+1],"-bullet"))
+        optlist=1
+      else if(match(words[w+1],"-enum")) {
+        optlist=2
+        enum=0
+      } else if(match(words[w+1],"-tag"))
+        optlist=3
+      else if(match(words[w+1],"-item"))
+        optlist=4
+      else if(match(words[w+1],"-bullet"))
+        optlist=1
+      w=nwords
+    } else if(match(words[w],"^El$")) {
+      optlist=oldoptlist
+    } else if(match(words[w],"^It$")&&optlist) {
+      if(optlist==1)
+        add(".IP \\(bu")
+      else if(optlist==2)
+        add(".IP " ++enum ".")
+      else if(optlist==3) {
+        add(".TP")
+        prenl++
+        if(match(words[w+1],"^Pa|Ev$")) {
+          add(".B")
+          w++
+        }
+      } else if(optlist==4)
+        add(".IP")
+    } else if(match(words[w],"^Sm$")) {
+      if(match(words[w+1],"off"))
+        nospace=2
+      else if(match(words[w+1],"on"))
+        nospace=0
+      w++
+    } else if(!skip) {
+      add(words[w])
+    }
+  }
+  if(match(line,"^\\.[^a-zA-Z]"))
+    sub("^\\.","",line)
+  if(parens)
+    add(")")
+  if(angles)
+    add(">")
+  if(option)
+    add("]")
+  if(ext&&!extopt&&!match(line," $"))
+    add(OFS)
+  if(!ext&&!extopt&&length(line)) {
+    print line
+    prenl=0
+    line=""
+  }
+}
diff --git a/misc.c b/misc.c
index 512fb22fb..c457a952c 100644
--- a/misc.c
+++ b/misc.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: misc.c,v 1.20 2002/12/13 10:03:15 markus Exp $");
+RCSID("$OpenBSD: misc.c,v 1.21 2003/04/12 10:15:36 markus Exp $");
 #include "misc.h"
 #include "log.h"
@@ -60,7 +60,7 @@ set_nonblock(int fd)
                debug2("fd %d is O_NONBLOCK", fd);
                return;
        }
-        debug("fd %d setting O_NONBLOCK", fd);
+        debug2("fd %d setting O_NONBLOCK", fd);
        val |= O_NONBLOCK;
        if (fcntl(fd, F_SETFL, val) == -1)
                debug("fcntl(%d, F_SETFL, O_NONBLOCK): %s",
@@ -323,29 +323,3 @@ addargs(arglist *args, char *fmt, ...)
        args->list[args->num++] = xstrdup(buf);
        args->list[args->num] = NULL;
 }
-mysig_t
-mysignal(int sig, mysig_t act)
-{
-#ifdef HAVE_SIGACTION
-        struct sigaction sa, osa;
-        if (sigaction(sig, NULL, &osa) == -1)
-                return (mysig_t) -1;
-        if (osa.sa_handler != act) {
-                memset(&sa, 0, sizeof(sa));
-                sigemptyset(&sa.sa_mask);
-                sa.sa_flags = 0;
-#if defined(SA_INTERRUPT)
-                if (sig == SIGALRM)
-                        sa.sa_flags |= SA_INTERRUPT;
-#endif
-                sa.sa_handler = act;
-                if (sigaction(sig, &sa, NULL) == -1)
-                        return (mysig_t) -1;
-        }
-        return (osa.sa_handler);
-#else
-        return (signal(sig, act));
-#endif
-}
diff --git a/misc.h b/misc.h
index 3b4b87967..6d2869b36 100644
--- a/misc.h
+++ b/misc.h
@@ -31,7 +31,3 @@ struct arglist {
        int     nalloc;
 };
 void     addargs(arglist *, char *, ...) __attribute__((format(printf, 2, 3)));
-/* wrapper for signal interface */
-typedef void (*mysig_t)(int);
-mysig_t mysignal(int sig, mysig_t act);
diff --git a/moduli.c b/moduli.c
new file mode 100644
index 000000000..eb2c0fd18
--- /dev/null
+++ b/moduli.c
@@ -0,0 +1,617 @@
+/* $OpenBSD: moduli.c,v 1.1 2003/07/28 09:49:56 djm Exp $ */
+/*
+ * Copyright 1994 Phil Karn <karn@qualcomm.com>
+ * Copyright 1996-1998, 2003 William Allen Simpson <wsimpson@greendragon.com>
+ * Copyright 2000 Niels Provos <provos@citi.umich.edu>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/*
+ * Two-step process to generate safe primes for DHGEX
+ *
+ *  Sieve candidates for "safe" primes,
+ *  suitable for use as Diffie-Hellman moduli;
+ *  that is, where q = (p-1)/2 is also prime.
+ *
+ * First step: generate candidate primes (memory intensive)
+ * Second step: test primes' safety (processor intensive)
+ */
+#include "includes.h"
+#include "moduli.h"
+#include "xmalloc.h"
+#include "log.h"
+#include <openssl/bn.h>
+/*
+ * Debugging defines 
+ */
+/* define DEBUG_LARGE 1 */
+/* define DEBUG_SMALL 1 */
+/* define DEBUG_TEST  1 */
+/*
+ * File output defines
+ */
+/* need line long enough for largest moduli plus headers */
+#define QLINESIZE               (100+8192)
+/* Type: decimal.
+ * Specifies the internal structure of the prime modulus.
+ */
+#define QTYPE_UNKNOWN           (0)
+#define QTYPE_UNSTRUCTURED      (1)
+#define QTYPE_SAFE              (2)
+#define QTYPE_SCHNOOR           (3)
+#define QTYPE_SOPHIE_GERMAINE   (4)
+#define QTYPE_STRONG            (5)
+/* Tests: decimal (bit field).
+ * Specifies the methods used in checking for primality.
+ * Usually, more than one test is used.
+ */
+#define QTEST_UNTESTED          (0x00)
+#define QTEST_COMPOSITE         (0x01)
+#define QTEST_SIEVE             (0x02)
+#define QTEST_MILLER_RABIN      (0x04)
+#define QTEST_JACOBI            (0x08)
+#define QTEST_ELLIPTIC          (0x10)
+/* Size: decimal.
+ * Specifies the number of the most significant bit (0 to M).
+ ** WARNING: internally, usually 1 to N.
+ */
+#define QSIZE_MINIMUM           (511)
+/*
+ * Prime sieving defines
+ */
+/* Constant: assuming 8 bit bytes and 32 bit words */
+#define SHIFT_BIT       (3)
+#define SHIFT_BYTE      (2)
+#define SHIFT_WORD      (SHIFT_BIT+SHIFT_BYTE)
+#define SHIFT_MEGABYTE  (20)
+#define SHIFT_MEGAWORD  (SHIFT_MEGABYTE-SHIFT_BYTE)
+/*
+ * Constant: when used with 32-bit integers, the largest sieve prime
+ * has to be less than 2**32.
+ */
+#define SMALL_MAXIMUM   (0xffffffffUL)
+/* Constant: can sieve all primes less than 2**32, as 65537**2 > 2**32-1. */
+#define TINY_NUMBER     (1UL<<16)
+/* Ensure enough bit space for testing 2*q. */
+#define TEST_MAXIMUM    (1UL<<16)
+#define TEST_MINIMUM    (QSIZE_MINIMUM + 1)
+/* real TEST_MINIMUM    (1UL << (SHIFT_WORD - TEST_POWER)) */
+#define TEST_POWER      (3)     /* 2**n, n < SHIFT_WORD */
+/* bit operations on 32-bit words */
+#define BIT_CLEAR(a,n)  ((a)[(n)>>SHIFT_WORD] &= ~(1L << ((n) & 31)))
+#define BIT_SET(a,n)    ((a)[(n)>>SHIFT_WORD] |= (1L << ((n) & 31)))
+#define BIT_TEST(a,n)   ((a)[(n)>>SHIFT_WORD] & (1L << ((n) & 31)))
+/*
+ * Prime testing defines
+ */
+/*
+ * Sieving data (XXX - move to struct)
+ */
+/* sieve 2**16 */
+static u_int32_t *TinySieve, tinybits;
+/* sieve 2**30 in 2**16 parts */
+static u_int32_t *SmallSieve, smallbits, smallbase;
+/* sieve relative to the initial value */
+static u_int32_t *LargeSieve, largewords, largetries, largenumbers;
+static u_int32_t largebits, largememory;        /* megabytes */
+static BIGNUM *largebase;
+/*
+ * print moduli out in consistent form,
+ */
+static int
+qfileout(FILE * ofile, u_int32_t otype, u_int32_t otests, u_int32_t otries,
+    u_int32_t osize, u_int32_t ogenerator, BIGNUM * omodulus)
+{
+        struct tm *gtm;
+        time_t time_now;
+        int res;
+        time(&time_now);
+        gtm = gmtime(&time_now);
+        
+        res = fprintf(ofile, "%04d%02d%02d%02d%02d%02d %u %u %u %u %x ",
+            gtm->tm_year + 1900, gtm->tm_mon + 1, gtm->tm_mday,
+            gtm->tm_hour, gtm->tm_min, gtm->tm_sec,
+            otype, otests, otries, osize, ogenerator);
+        if (res < 0)
+                return (-1);
+        if (BN_print_fp(ofile, omodulus) < 1)
+                return (-1);
+        res = fprintf(ofile, "\n");
+        fflush(ofile);
+        return (res > 0 ? 0 : -1);
+}
+/*
+ ** Sieve p's and q's with small factors
+ */
+static void
+sieve_large(u_int32_t s)
+{
+        u_int32_t r, u;
+        debug2("sieve_large %u", s);
+        largetries++;
+        /* r = largebase mod s */
+        r = BN_mod_word(largebase, s);
+        if (r == 0)
+                u = 0; /* s divides into largebase exactly */
+        else
+                u = s - r; /* largebase+u is first entry divisible by s */
+        if (u < largebits * 2) {
+                /*
+                 * The sieve omits p's and q's divisible by 2, so ensure that
+                 * largebase+u is odd. Then, step through the sieve in
+                 * increments of 2*s
+                 */
+                if (u & 0x1)
+                        u += s; /* Make largebase+u odd, and u even */
+                /* Mark all multiples of 2*s */
+                for (u /= 2; u < largebits; u += s)
+                        BIT_SET(LargeSieve, u);
+        }
+        /* r = p mod s */
+        r = (2 * r + 1) % s;
+        if (r == 0)
+                u = 0; /* s divides p exactly */
+        else
+                u = s - r; /* p+u is first entry divisible by s */
+        if (u < largebits * 4) {
+                /*
+                 * The sieve omits p's divisible by 4, so ensure that
+                 * largebase+u is not. Then, step through the sieve in
+                 * increments of 4*s
+                 */
+                while (u & 0x3) {
+                        if (SMALL_MAXIMUM - u < s)
+                                return;
+                        u += s;
+                }
+                /* Mark all multiples of 4*s */
+                for (u /= 4; u < largebits; u += s)
+                        BIT_SET(LargeSieve, u);
+        }
+}
+/*
+ * list candidates for Sophie-Germaine primes (where q = (p-1)/2)
+ * to standard output.
+ * The list is checked against small known primes (less than 2**30).
+ */
+int
+gen_candidates(FILE *out, int memory, int power, BIGNUM *start)
+{
+        BIGNUM *q;
+        u_int32_t j, r, s, t;
+        u_int32_t smallwords = TINY_NUMBER >> 6;
+        u_int32_t tinywords = TINY_NUMBER >> 6;
+        time_t time_start, time_stop;
+        int i, ret = 0;
+        largememory = memory;
+        /*
+         * Set power to the length in bits of the prime to be generated.
+         * This is changed to 1 less than the desired safe prime moduli p.
+         */
+        if (power > TEST_MAXIMUM) {
+                error("Too many bits: %u > %lu", power, TEST_MAXIMUM);
+                return (-1);
+        } else if (power < TEST_MINIMUM) {
+                error("Too few bits: %u < %u", power, TEST_MINIMUM);
+                return (-1);
+        }
+        power--; /* decrement before squaring */
+        /*
+         * The density of ordinary primes is on the order of 1/bits, so the
+         * density of safe primes should be about (1/bits)**2. Set test range
+         * to something well above bits**2 to be reasonably sure (but not
+         * guaranteed) of catching at least one safe prime.
+         */
+        largewords = ((power * power) >> (SHIFT_WORD - TEST_POWER));
+        /*
+         * Need idea of how much memory is available. We don't have to use all
+         * of it.
+         */
+        if (largememory > LARGE_MAXIMUM) {
+                logit("Limited memory: %u MB; limit %lu MB",
+                    largememory, LARGE_MAXIMUM);
+                largememory = LARGE_MAXIMUM;
+        }
+        if (largewords <= (largememory << SHIFT_MEGAWORD)) {
+                logit("Increased memory: %u MB; need %u bytes",
+                    largememory, (largewords << SHIFT_BYTE));
+                largewords = (largememory << SHIFT_MEGAWORD);
+        } else if (largememory > 0) {
+                logit("Decreased memory: %u MB; want %u bytes",
+                    largememory, (largewords << SHIFT_BYTE));
+                largewords = (largememory << SHIFT_MEGAWORD);
+        }
+        TinySieve = calloc(tinywords, sizeof(u_int32_t));
+        if (TinySieve == NULL) {
+                error("Insufficient memory for tiny sieve: need %u bytes",
+                    tinywords << SHIFT_BYTE);
+                exit(1);
+        }
+        tinybits = tinywords << SHIFT_WORD;
+        SmallSieve = calloc(smallwords, sizeof(u_int32_t));
+        if (SmallSieve == NULL) {
+                error("Insufficient memory for small sieve: need %u bytes",
+                    smallwords << SHIFT_BYTE);
+                xfree(TinySieve);
+                exit(1);
+        }
+        smallbits = smallwords << SHIFT_WORD;
+        /*
+         * dynamically determine available memory
+         */
+        while ((LargeSieve = calloc(largewords, sizeof(u_int32_t))) == NULL)
+                largewords -= (1L << (SHIFT_MEGAWORD - 2)); /* 1/4 MB chunks */
+        largebits = largewords << SHIFT_WORD;
+        largenumbers = largebits * 2;   /* even numbers excluded */
+        /* validation check: count the number of primes tried */
+        largetries = 0;
+        q = BN_new();
+        /*
+         * Generate random starting point for subprime search, or use
+         * specified parameter.
+         */
+        largebase = BN_new();
+        if (start == NULL)
+                BN_rand(largebase, power, 1, 1);
+        else
+                BN_copy(largebase, start);
+        /* ensure odd */
+        BN_set_bit(largebase, 0);
+        time(&time_start);
+        logit("%.24s Sieve next %u plus %u-bit", ctime(&time_start), 
+            largenumbers, power);
+        debug2("start point: 0x%s", BN_bn2hex(largebase));
+        /*
+         * TinySieve
+         */
+        for (i = 0; i < tinybits; i++) {
+                if (BIT_TEST(TinySieve, i))
+                        continue; /* 2*i+3 is composite */
+                /* The next tiny prime */
+                t = 2 * i + 3;
+                /* Mark all multiples of t */
+                for (j = i + t; j < tinybits; j += t)
+                        BIT_SET(TinySieve, j);
+                sieve_large(t);
+        }
+        /*
+         * Start the small block search at the next possible prime. To avoid
+         * fencepost errors, the last pass is skipped.
+         */
+        for (smallbase = TINY_NUMBER + 3;
+             smallbase < (SMALL_MAXIMUM - TINY_NUMBER);
+             smallbase += TINY_NUMBER) {
+                for (i = 0; i < tinybits; i++) {
+                        if (BIT_TEST(TinySieve, i))
+                                continue; /* 2*i+3 is composite */
+                        /* The next tiny prime */
+                        t = 2 * i + 3;
+                        r = smallbase % t;
+                        if (r == 0) {
+                                s = 0; /* t divides into smallbase exactly */
+                        } else {
+                                /* smallbase+s is first entry divisible by t */
+                                s = t - r;
+                        }
+                        /*
+                         * The sieve omits even numbers, so ensure that
+                         * smallbase+s is odd. Then, step through the sieve
+                         * in increments of 2*t
+                         */
+                        if (s & 1)
+                                s += t; /* Make smallbase+s odd, and s even */
+                        /* Mark all multiples of 2*t */
+                        for (s /= 2; s < smallbits; s += t)
+                                BIT_SET(SmallSieve, s);
+                }
+                /*
+                 * SmallSieve
+                 */
+                for (i = 0; i < smallbits; i++) {
+                        if (BIT_TEST(SmallSieve, i))
+                                continue; /* 2*i+smallbase is composite */
+                        /* The next small prime */
+                        sieve_large((2 * i) + smallbase);
+                }
+                memset(SmallSieve, 0, smallwords << SHIFT_BYTE);
+        }
+        time(&time_stop);
+        logit("%.24s Sieved with %u small primes in %ld seconds",
+            ctime(&time_stop), largetries, (long) (time_stop - time_start));
+        for (j = r = 0; j < largebits; j++) {
+                if (BIT_TEST(LargeSieve, j))
+                        continue; /* Definitely composite, skip */
+                debug2("test q = largebase+%u", 2 * j);
+                BN_set_word(q, 2 * j);
+                BN_add(q, q, largebase);
+                if (qfileout(out, QTYPE_SOPHIE_GERMAINE, QTEST_SIEVE,
+                    largetries, (power - 1) /* MSB */, (0), q) == -1) {
+                        ret = -1;
+                        break;
+                }
+                r++; /* count q */
+        }
+        time(&time_stop);
+        xfree(LargeSieve);
+        xfree(SmallSieve);
+        xfree(TinySieve);
+        logit("%.24s Found %u candidates", ctime(&time_stop), r);
+        return (ret);
+}
+/*
+ * perform a Miller-Rabin primality test
+ * on the list of candidates
+ * (checking both q and p)
+ * The result is a list of so-call "safe" primes
+ */
+int
+prime_test(FILE *in, FILE *out, u_int32_t trials, 
+    u_int32_t generator_wanted)
+{
+        BIGNUM *q, *p, *a;
+        BN_CTX *ctx;
+        char *cp, *lp;
+        u_int32_t count_in = 0, count_out = 0, count_possible = 0;
+        u_int32_t generator_known, in_tests, in_tries, in_type, in_size;
+        time_t time_start, time_stop;
+        int res;
+        time(&time_start);
+        p = BN_new();
+        q = BN_new();
+        ctx = BN_CTX_new();
+        debug2("%.24s Final %u Miller-Rabin trials (%x generator)",
+            ctime(&time_start), trials, generator_wanted);
+        res = 0;
+        lp = xmalloc(QLINESIZE + 1);
+        while (fgets(lp, QLINESIZE, in) != NULL) {
+                int ll = strlen(lp);
+                count_in++;
+                if (ll < 14 || *lp == '!' || *lp == '#') {
+                        debug2("%10u: comment or short line", count_in);
+                        continue;
+                }
+                /* XXX - fragile parser */
+                /* time */
+                cp = &lp[14];   /* (skip) */
+                /* type */
+                in_type = strtoul(cp, &cp, 10);
+                /* tests */
+                in_tests = strtoul(cp, &cp, 10);
+                if (in_tests & QTEST_COMPOSITE) {
+                        debug2("%10u: known composite", count_in);
+                        continue;
+                }
+                /* tries */
+                in_tries = strtoul(cp, &cp, 10);
+                /* size (most significant bit) */
+                in_size = strtoul(cp, &cp, 10);
+                /* generator (hex) */
+                generator_known = strtoul(cp, &cp, 16);
+                /* Skip white space */
+                cp += strspn(cp, " ");
+                /* modulus (hex) */
+                switch (in_type) {
+                case QTYPE_SOPHIE_GERMAINE:
+                        debug2("%10u: (%u) Sophie-Germaine", count_in, in_type);
+                        a = q;
+                        BN_hex2bn(&a, cp);
+                        /* p = 2*q + 1 */
+                        BN_lshift(p, q, 1);
+                        BN_add_word(p, 1);
+                        in_size += 1;
+                        generator_known = 0;
+                        break;
+                default:
+                        debug2("%10u: (%u)", count_in, in_type);
+                        a = p;
+                        BN_hex2bn(&a, cp);
+                        /* q = (p-1) / 2 */
+                        BN_rshift(q, p, 1);
+                        break;
+                }
+                /*
+                 * due to earlier inconsistencies in interpretation, check
+                 * the proposed bit size.
+                 */
+                if (BN_num_bits(p) != (in_size + 1)) {
+                        debug2("%10u: bit size %u mismatch", count_in, in_size);
+                        continue;
+                }
+                if (in_size < QSIZE_MINIMUM) {
+                        debug2("%10u: bit size %u too short", count_in, in_size);
+                        continue;
+                }
+                if (in_tests & QTEST_MILLER_RABIN)
+                        in_tries += trials;
+                else
+                        in_tries = trials;
+                /*
+                 * guess unknown generator
+                 */
+                if (generator_known == 0) {
+                        if (BN_mod_word(p, 24) == 11)
+                                generator_known = 2;
+                        else if (BN_mod_word(p, 12) == 5)
+                                generator_known = 3;
+                        else {
+                                u_int32_t r = BN_mod_word(p, 10);
+                                if (r == 3 || r == 7) {
+                                        generator_known = 5;
+                                }
+                        }
+                }
+                /*
+                 * skip tests when desired generator doesn't match
+                 */
+                if (generator_wanted > 0 &&
+                    generator_wanted != generator_known) {
+                        debug2("%10u: generator %d != %d",
+                            count_in, generator_known, generator_wanted);
+                        continue;
+                }
+                count_possible++;
+                /*
+                 * The (1/4)^N performance bound on Miller-Rabin is 
+                 * extremely pessimistic, so don't spend a lot of time 
+                 * really verifying that q is prime until after we know 
+                 * that p is also prime. A single pass will weed out the 
+                 * vast majority of composite q's.
+                 */
+                if (BN_is_prime(q, 1, NULL, ctx, NULL) <= 0) {
+                        debug2("%10u: q failed first possible prime test",
+                            count_in);
+                        continue;
+                }
+        
+                /*
+                 * q is possibly prime, so go ahead and really make sure 
+                 * that p is prime. If it is, then we can go back and do 
+                 * the same for q. If p is composite, chances are that 
+                 * will show up on the first Rabin-Miller iteration so it
+                 * doesn't hurt to specify a high iteration count.
+                 */
+                if (!BN_is_prime(p, trials, NULL, ctx, NULL)) {
+                        debug2("%10u: p is not prime", count_in);
+                        continue;
+                }
+                debug("%10u: p is almost certainly prime", count_in);
+                /* recheck q more rigorously */
+                if (!BN_is_prime(q, trials - 1, NULL, ctx, NULL)) {
+                        debug("%10u: q is not prime", count_in);
+                        continue;
+                }
+                debug("%10u: q is almost certainly prime", count_in);
+                if (qfileout(out, QTYPE_SAFE, (in_tests | QTEST_MILLER_RABIN), 
+                    in_tries, in_size, generator_known, p)) {
+                        res = -1;
+                        break;
+                }
+                count_out++;
+        }
+        time(&time_stop);
+        xfree(lp);
+        BN_free(p);
+        BN_free(q);
+        BN_CTX_free(ctx);
+        logit("%.24s Found %u safe primes of %u candidates in %ld seconds",
+            ctime(&time_stop), count_out, count_possible, 
+            (long) (time_stop - time_start));
+        return (res);
+}
diff --git a/moduli.h b/moduli.h
new file mode 100644
index 000000000..9cd1cd3f8
--- /dev/null
+++ b/moduli.h
@@ -0,0 +1,23 @@
+/* $OpenBSD: moduli.h,v 1.1 2003/07/28 09:49:56 djm Exp $ */
+#include <sys/types.h>
+#include <openssl/bn.h>
+/*
+ * Using virtual memory can cause thrashing.  This should be the largest
+ * number that is supported without a large amount of disk activity --
+ * that would increase the run time from hours to days or weeks!
+ */
+#define LARGE_MINIMUM   (8UL)   /* megabytes */
+/*
+ * Do not increase this number beyond the unsigned integer bit size.
+ * Due to a multiple of 4, it must be LESS than 128 (yielding 2**30 bits).
+ */
+#define LARGE_MAXIMUM   (127UL) /* megabytes */
+/* Minimum number of primality tests to perform */
+#define TRIAL_MINIMUM           (4)
+int gen_candidates(FILE *, int, int, BIGNUM *);
+int prime_test(FILE *, FILE *, u_int32_t, u_int32_t);
diff --git a/monitor.c b/monitor.c
index bce9e684c..e5656470d 100644
--- a/monitor.c
+++ b/monitor.c
@@ -25,7 +25,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.36 2003/04/01 10:22:21 markus Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.49 2003/08/28 12:54:34 markus Exp $");
 #include <openssl/dh.h>
@@ -59,6 +59,11 @@ RCSID("$OpenBSD: monitor.c,v 1.36 2003/04/01 10:22:21 markus Exp $");
 #include "ssh2.h"
 #include "mpaux.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+static Gssctxt *gsscontext = NULL;
+#endif
 /* Imports */
 extern ServerOptions options;
 extern u_int utmp_len;
@@ -93,7 +98,7 @@ struct {
        u_int olen;
 } child_state;
-/* Functions on the montior that answer unprivileged requests */
+/* Functions on the monitor that answer unprivileged requests */
 int mm_answer_moduli(int, Buffer *);
 int mm_answer_sign(int, Buffer *);
@@ -118,13 +123,17 @@ int mm_answer_sessid(int, Buffer *);
 #ifdef USE_PAM
 int mm_answer_pam_start(int, Buffer *);
+int mm_answer_pam_account(int, Buffer *);
+int mm_answer_pam_init_ctx(int, Buffer *);
+int mm_answer_pam_query(int, Buffer *);
+int mm_answer_pam_respond(int, Buffer *);
+int mm_answer_pam_free_ctx(int, Buffer *);
 #endif
-#ifdef KRB4
+#ifdef GSSAPI
-int mm_answer_krb4(int, Buffer *);
+int mm_answer_gss_setup_ctx(int, Buffer *);
-#endif
+int mm_answer_gss_accept_ctx(int, Buffer *);
-#ifdef KRB5
+int mm_answer_gss_userok(int, Buffer *);
-int mm_answer_krb5(int, Buffer *);
 #endif
 static Authctxt *authctxt;
@@ -137,8 +146,9 @@ static int key_blobtype = MM_NOKEY;
 static char *hostbased_cuser = NULL;
 static char *hostbased_chost = NULL;
 static char *auth_method = "unknown";
-static int session_id2_len = 0;
+static u_int session_id2_len = 0;
 static u_char *session_id2 = NULL;
+static pid_t monitor_child_pid;
 struct mon_table {
        enum monitor_reqtype type;
@@ -163,6 +173,11 @@ struct mon_table mon_dispatch_proto20[] = {
    {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
    {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
+    {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
+    {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
+    {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
+    {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
+    {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
 #endif
 #ifdef BSD_AUTH
    {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
@@ -174,6 +189,11 @@ struct mon_table mon_dispatch_proto20[] = {
 #endif
    {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
    {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
+#ifdef GSSAPI
+    {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},
+    {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
+    {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
+#endif
    {0, 0, NULL}
 };
@@ -205,12 +225,11 @@ struct mon_table mon_dispatch_proto15[] = {
 #endif
 #ifdef USE_PAM
    {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
-#endif
+    {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
-#ifdef KRB4
+    {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
-    {MONITOR_REQ_KRB4, MON_ONCE|MON_AUTH, mm_answer_krb4},
+    {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
-#endif
+    {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
-#ifdef KRB5
+    {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
-    {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
 #endif
    {0, 0, NULL}
 };
@@ -286,8 +305,16 @@ monitor_child_preauth(struct monitor *pmonitor)
                            !auth_root_allowed(auth_method))
                                authenticated = 0;
 #ifdef USE_PAM
-                        if (!do_pam_account(authctxt->pw->pw_name, NULL))
+                        /* PAM needs to perform account checks after auth */
-                                authenticated = 0;
+                        if (options.use_pam) {
+                                Buffer m;
+                                buffer_init(&m);
+                                mm_request_receive_expect(pmonitor->m_sendfd, 
+                                    MONITOR_REQ_PAM_ACCOUNT, &m);
+                                authenticated = mm_answer_pam_account(pmonitor->m_sendfd, &m);
+                                buffer_free(&m);
+                        }
 #endif
                }
@@ -310,9 +337,25 @@ monitor_child_preauth(struct monitor *pmonitor)
        return (authctxt);
 }
+static void
+monitor_set_child_handler(pid_t pid)
+{
+        monitor_child_pid = pid;
+}
+static void
+monitor_child_handler(int signal)
+{
+        kill(monitor_child_pid, signal);
+}
 void
 monitor_child_postauth(struct monitor *pmonitor)
 {
+        monitor_set_child_handler(pmonitor->m_pid);
+        signal(SIGHUP, &monitor_child_handler);
+        signal(SIGTERM, &monitor_child_handler);
        if (compat20) {
                mon_dispatch = mon_dispatch_postauth20;
@@ -320,7 +363,6 @@ monitor_child_postauth(struct monitor *pmonitor)
                monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
        } else {
                mon_dispatch = mon_dispatch_postauth15;
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -556,7 +598,8 @@ mm_answer_pwnamallow(int socket, Buffer *m)
        }
 #ifdef USE_PAM
-        monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
+        if (options.use_pam)
+                monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
 #endif
        return (0);
@@ -606,7 +649,7 @@ mm_answer_authpassword(int socket, Buffer *m)
        passwd = buffer_get_string(m, &plen);
        /* Only authenticate if the context is valid */
        authenticated = options.password_authentication &&
-            auth_password(authctxt, passwd) && authctxt->valid;
+            auth_password(authctxt, passwd);
        memset(passwd, 0, strlen(passwd));
        xfree(passwd);
@@ -739,14 +782,133 @@ mm_answer_pam_start(int socket, Buffer *m)
 {
        char *user;
        
+        if (!options.use_pam)
+                fatal("UsePAM not set, but ended up in %s anyway", __func__);
        user = buffer_get_string(m, NULL);
        start_pam(user);
        xfree(user);
+        monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1);
        return (0);
 }
+int
+mm_answer_pam_account(int socket, Buffer *m)
+{
+        u_int ret;
+        
+        if (!options.use_pam)
+                fatal("UsePAM not set, but ended up in %s anyway", __func__);
+        ret = do_pam_account();
+        buffer_put_int(m, ret);
+        mm_request_send(socket, MONITOR_ANS_PAM_ACCOUNT, m);
+        return (ret);
+}
+static void *sshpam_ctxt, *sshpam_authok;
+extern KbdintDevice sshpam_device;
+int
+mm_answer_pam_init_ctx(int socket, Buffer *m)
+{
+        debug3("%s", __func__);
+        authctxt->user = buffer_get_string(m, NULL);
+        sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
+        sshpam_authok = NULL;
+        buffer_clear(m);
+        if (sshpam_ctxt != NULL) {
+                monitor_permit(mon_dispatch, MONITOR_REQ_PAM_FREE_CTX, 1);
+                buffer_put_int(m, 1);
+        } else {
+                buffer_put_int(m, 0);
+        }
+        mm_request_send(socket, MONITOR_ANS_PAM_INIT_CTX, m);
+        return (0);
+}
+int
+mm_answer_pam_query(int socket, Buffer *m)
+{
+        char *name, *info, **prompts;
+        u_int num, *echo_on;
+        int i, ret;
+        debug3("%s", __func__);
+        sshpam_authok = NULL;
+        ret = (sshpam_device.query)(sshpam_ctxt, &name, &info, &num, &prompts, &echo_on);
+        if (ret == 0 && num == 0)
+                sshpam_authok = sshpam_ctxt;
+        if (num > 1 || name == NULL || info == NULL)
+                ret = -1;
+        buffer_clear(m);
+        buffer_put_int(m, ret);
+        buffer_put_cstring(m, name);
+        xfree(name);
+        buffer_put_cstring(m, info);
+        xfree(info);
+        buffer_put_int(m, num);
+        for (i = 0; i < num; ++i) {
+                buffer_put_cstring(m, prompts[i]);
+                xfree(prompts[i]);
+                buffer_put_int(m, echo_on[i]);
+        }
+        if (prompts != NULL)
+                xfree(prompts);
+        if (echo_on != NULL)
+                xfree(echo_on);
+        mm_request_send(socket, MONITOR_ANS_PAM_QUERY, m);
+        return (0);
+}
+int
+mm_answer_pam_respond(int socket, Buffer *m)
+{
+        char **resp;
+        u_int num;
+        int i, ret;
+        debug3("%s", __func__);
+        sshpam_authok = NULL;
+        num = buffer_get_int(m);
+        if (num > 0) {
+                resp = xmalloc(num * sizeof(char *));
+                for (i = 0; i < num; ++i)
+                        resp[i] = buffer_get_string(m, NULL);
+                ret = (sshpam_device.respond)(sshpam_ctxt, num, resp);
+                for (i = 0; i < num; ++i)
+                        xfree(resp[i]);
+                xfree(resp);
+        } else {
+                ret = (sshpam_device.respond)(sshpam_ctxt, num, NULL);
+        }
+        buffer_clear(m);
+        buffer_put_int(m, ret);
+        mm_request_send(socket, MONITOR_ANS_PAM_RESPOND, m);
+        auth_method = "keyboard-interactive/pam";
+        if (ret == 0)
+                sshpam_authok = sshpam_ctxt;
+        return (0);
+}
+int
+mm_answer_pam_free_ctx(int socket, Buffer *m)
+{
+        debug3("%s", __func__);
+        (sshpam_device.free_ctx)(sshpam_ctxt);
+        buffer_clear(m);
+        mm_request_send(socket, MONITOR_ANS_PAM_FREE_CTX, m);
+        return (sshpam_authok == sshpam_ctxt);
+}
 #endif
 static void
@@ -870,7 +1032,7 @@ monitor_valid_userblob(u_char *data, u_int datalen)
                fail++;
        p = buffer_get_string(&b, NULL);
        if (strcmp(authctxt->user, p) != 0) {
-                log("wrong user name passed to monitor: expected %s != %.100s",
+                logit("wrong user name passed to monitor: expected %s != %.100s",
                    authctxt->user, p);
                fail++;
        }
@@ -918,7 +1080,7 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
                fail++;
        p = buffer_get_string(&b, NULL);
        if (strcmp(authctxt->user, p) != 0) {
-                log("wrong user name passed to monitor: expected %s != %.100s",
+                logit("wrong user name passed to monitor: expected %s != %.100s",
                    authctxt->user, p);
                fail++;
        }
@@ -1028,14 +1190,14 @@ mm_record_login(Session *s, struct passwd *pw)
        }
        /* Record that there was a login on that tty from the remote host. */
        record_login(s->pid, s->tty, pw->pw_name, pw->pw_uid,
-            get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping),
+            get_remote_name_or_ip(utmp_len, options.use_dns),
            (struct sockaddr *)&from, fromlen);
 }
 static void
 mm_session_close(Session *s)
 {
-        debug3("%s: session %d pid %d", __func__, s->self, s->pid);
+        debug3("%s: session %d pid %ld", __func__, s->self, (long)s->pid);
        if (s->ttyfd != -1) {
                debug3("%s: tty %s ptyfd %d",  __func__, s->tty, s->ptyfd);
                fatal_remove_cleanup(session_pty_cleanup2, (void *)s);
@@ -1299,89 +1461,6 @@ mm_answer_rsa_response(int socket, Buffer *m)
        return (success);
 }
-#ifdef KRB4
-int
-mm_answer_krb4(int socket, Buffer *m)
-{
-        KTEXT_ST auth, reply;
-        char  *client, *p;
-        int success;
-        u_int alen;
-        reply.length = auth.length = 0;
- 
-        p = buffer_get_string(m, &alen);
-        if (alen >=  MAX_KTXT_LEN)
-                 fatal("%s: auth too large", __func__);
-        memcpy(auth.dat, p, alen);
-        auth.length = alen;
-        memset(p, 0, alen);
-        xfree(p);
-        success = options.kerberos_authentication &&
-            authctxt->valid &&
-            auth_krb4(authctxt, &auth, &client, &reply);
-        memset(auth.dat, 0, alen);
-        buffer_clear(m);
-        buffer_put_int(m, success);
-        if (success) {
-                buffer_put_cstring(m, client);
-                buffer_put_string(m, reply.dat, reply.length);
-                if (client)
-                        xfree(client);
-                if (reply.length)
-                        memset(reply.dat, 0, reply.length);
-        }
-        debug3("%s: sending result %d", __func__, success);
-        mm_request_send(socket, MONITOR_ANS_KRB4, m);
-        auth_method = "kerberos";
-        /* Causes monitor loop to terminate if authenticated */
-        return (success);
-}
-#endif
-#ifdef KRB5
-int
-mm_answer_krb5(int socket, Buffer *m)
-{
-        krb5_data tkt, reply;
-        char *client_user;
-        u_int len;
-        int success;
-        /* use temporary var to avoid size issues on 64bit arch */
-        tkt.data = buffer_get_string(m, &len);
-        tkt.length = len;
-        success = options.kerberos_authentication &&
-            authctxt->valid &&
-            auth_krb5(authctxt, &tkt, &client_user, &reply);
-        if (tkt.length)
-                xfree(tkt.data);
-        buffer_clear(m);
-        buffer_put_int(m, success);
-        if (success) {
-                buffer_put_cstring(m, client_user);
-                buffer_put_string(m, reply.data, reply.length);
-                if (client_user)
-                        xfree(client_user);
-                if (reply.length)
-                        xfree(reply.data);
-        }
-        mm_request_send(socket, MONITOR_ANS_KRB5, m);
-        return success;
-}
-#endif
 int
 mm_answer_term(int socket, Buffer *req)
 {
@@ -1497,6 +1576,8 @@ mm_get_keystate(struct monitor *pmonitor)
        Buffer m;
        u_char *blob, *p;
        u_int bloblen, plen;
+        u_int32_t seqnr, packets;
+        u_int64_t blocks;
        debug3("%s: Waiting for new keys", __func__);
@@ -1526,8 +1607,14 @@ mm_get_keystate(struct monitor *pmonitor)
        xfree(blob);
        /* Now get sequence numbers for the packets */
-        packet_set_seqnr(MODE_OUT, buffer_get_int(&m));
+        seqnr = buffer_get_int(&m);
-        packet_set_seqnr(MODE_IN, buffer_get_int(&m));
+        blocks = buffer_get_int64(&m);
+        packets = buffer_get_int(&m);
+        packet_set_state(MODE_OUT, seqnr, blocks, packets);
+        seqnr = buffer_get_int(&m);
+        blocks = buffer_get_int64(&m);
+        packets = buffer_get_int(&m);
+        packet_set_state(MODE_IN, seqnr, blocks, packets);
 skip:
        /* Get the key context */
@@ -1648,3 +1735,79 @@ monitor_reinit(struct monitor *mon)
        mon->m_recvfd = pair[0];
        mon->m_sendfd = pair[1];
 }
+#ifdef GSSAPI
+int
+mm_answer_gss_setup_ctx(int socket, Buffer *m)
+{
+        gss_OID_desc oid;
+        OM_uint32 major;
+        u_int len;
+        oid.elements = buffer_get_string(m, &len);
+        oid.length = len;
+        major = ssh_gssapi_server_ctx(&gsscontext, &oid);
+        xfree(oid.elements);
+        buffer_clear(m);
+        buffer_put_int(m, major);
+        mm_request_send(socket,MONITOR_ANS_GSSSETUP, m);
+        /* Now we have a context, enable the step */
+        monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 1);
+        return (0);
+}
+int
+mm_answer_gss_accept_ctx(int socket, Buffer *m)
+{
+        gss_buffer_desc in;
+        gss_buffer_desc out = GSS_C_EMPTY_BUFFER;
+        OM_uint32 major,minor;
+        OM_uint32 flags = 0; /* GSI needs this */
+        u_int len;
+        in.value = buffer_get_string(m, &len);
+        in.length = len;
+        major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
+        xfree(in.value);
+        buffer_clear(m);
+        buffer_put_int(m, major);
+        buffer_put_string(m, out.value, out.length);
+        buffer_put_int(m, flags);
+        mm_request_send(socket, MONITOR_ANS_GSSSTEP, m);
+        gss_release_buffer(&minor, &out);
+        /* Complete - now we can do signing */
+        if (major==GSS_S_COMPLETE) {
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
+                monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
+        }
+        return (0);
+}
+int
+mm_answer_gss_userok(int socket, Buffer *m)
+{
+        int authenticated;
+        authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
+        buffer_clear(m);
+        buffer_put_int(m, authenticated);
+        debug3("%s: sending result %d", __func__, authenticated);
+        mm_request_send(socket, MONITOR_ANS_GSSUSEROK, m);
+        auth_method="gssapi";
+        /* Monitor loop will terminate if authenticated */
+        return (authenticated);
+}
+#endif /* GSSAPI */
diff --git a/monitor.h b/monitor.h
index 668ac9897..2461156c7 100644
--- a/monitor.h
+++ b/monitor.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: monitor.h,v 1.8 2002/09/26 11:38:43 markus Exp $      */
+/*      $OpenBSD: monitor.h,v 1.11 2003/08/28 12:54:34 markus Exp $     */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -49,9 +49,15 @@ enum monitor_reqtype {
        MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED,
        MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
        MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
-        MONITOR_REQ_KRB4, MONITOR_ANS_KRB4,
+        MONITOR_REQ_GSSSETUP, MONITOR_ANS_GSSSETUP,
-        MONITOR_REQ_KRB5, MONITOR_ANS_KRB5,
+        MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
+        MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,
        MONITOR_REQ_PAM_START,
+        MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT,
+        MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
+        MONITOR_REQ_PAM_QUERY, MONITOR_ANS_PAM_QUERY,
+        MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND,
+        MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,
        MONITOR_REQ_TERM
 };
diff --git a/monitor_fdpass.c b/monitor_fdpass.c
index 641ce721e..22b7882bd 100644
--- a/monitor_fdpass.c
+++ b/monitor_fdpass.c
@@ -113,9 +113,11 @@ mm_receive_fd(int socket)
                fatal("%s: no fd", __func__);
 #else
        cmsg = CMSG_FIRSTHDR(&msg);
+#ifndef BROKEN_CMSG_TYPE
        if (cmsg->cmsg_type != SCM_RIGHTS)
                fatal("%s: expected type %d got %d", __func__,
                    SCM_RIGHTS, cmsg->cmsg_type);
+#endif
        fd = (*(int *)CMSG_DATA(cmsg));
 #endif
        return fd;
diff --git a/monitor_mm.c b/monitor_mm.c
index b4a6e40c9..e57c87cc2 100644
--- a/monitor_mm.c
+++ b/monitor_mm.c
@@ -30,7 +30,6 @@ RCSID("$OpenBSD: monitor_mm.c,v 1.8 2002/08/02 14:43:15 millert Exp $");
 #include <sys/mman.h>
 #endif
-#include "openbsd-compat/xmmap.h"
 #include "ssh.h"
 #include "xmalloc.h"
 #include "log.h"
diff --git a/monitor_wrap.c b/monitor_wrap.c
index c9714138a..4034d569c 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -25,7 +25,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: monitor_wrap.c,v 1.24 2003/04/01 10:22:21 markus Exp $");
+RCSID("$OpenBSD: monitor_wrap.c,v 1.31 2003/08/28 12:54:34 markus Exp $");
 #include <openssl/bn.h>
 #include <openssl/dh.h>
@@ -47,11 +47,16 @@ RCSID("$OpenBSD: monitor_wrap.c,v 1.24 2003/04/01 10:22:21 markus Exp $");
 #include "atomicio.h"
 #include "monitor_fdpass.h"
 #include "getput.h"
+#include "servconf.h"
 #include "auth.h"
 #include "channels.h"
 #include "session.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
 /* Imports */
 extern int compat20;
 extern Newkeys *newkeys[];
@@ -59,6 +64,7 @@ extern z_stream incoming_stream;
 extern z_stream outgoing_stream;
 extern struct monitor *pmonitor;
 extern Buffer input, output;
+extern ServerOptions options;
 void
 mm_request_send(int socket, enum monitor_reqtype type, Buffer *m)
@@ -70,9 +76,9 @@ mm_request_send(int socket, enum monitor_reqtype type, Buffer *m)
        PUT_32BIT(buf, mlen + 1);
        buf[4] = (u_char) type;         /* 1st byte of payload is mesg-type */
-        if (atomicio(write, socket, buf, sizeof(buf)) != sizeof(buf))
+        if (atomicio(vwrite, socket, buf, sizeof(buf)) != sizeof(buf))
                fatal("%s: write", __func__);
-        if (atomicio(write, socket, buffer_ptr(m), mlen) != mlen)
+        if (atomicio(vwrite, socket, buffer_ptr(m), mlen) != mlen)
                fatal("%s: write", __func__);
 }
@@ -520,6 +526,8 @@ mm_send_keystate(struct monitor *pmonitor)
        Buffer m;
        u_char *blob, *p;
        u_int bloblen, plen;
+        u_int32_t seqnr, packets;
+        u_int64_t blocks;
        buffer_init(&m);
@@ -568,8 +576,14 @@ mm_send_keystate(struct monitor *pmonitor)
        buffer_put_string(&m, blob, bloblen);
        xfree(blob);
-        buffer_put_int(&m, packet_get_seqnr(MODE_OUT));
+        packet_get_state(MODE_OUT, &seqnr, &blocks, &packets);
-        buffer_put_int(&m, packet_get_seqnr(MODE_IN));
+        buffer_put_int(&m, seqnr);
+        buffer_put_int64(&m, blocks);
+        buffer_put_int(&m, packets);
+        packet_get_state(MODE_IN, &seqnr, &blocks, &packets);
+        buffer_put_int(&m, seqnr);
+        buffer_put_int64(&m, blocks);
+        buffer_put_int(&m, packets);
        debug3("%s: New keys have been sent", __func__);
 skip:
@@ -661,6 +675,8 @@ mm_start_pam(char *user)
        Buffer m;
        debug3("%s entering", __func__);
+        if (!options.use_pam)
+                fatal("UsePAM=no, but ended up in %s anyway", __func__);
        buffer_init(&m);
        buffer_put_cstring(&m, user);
@@ -669,6 +685,112 @@ mm_start_pam(char *user)
        buffer_free(&m);
 }
+u_int
+mm_do_pam_account(void)
+{
+        Buffer m;
+        u_int ret;
+        debug3("%s entering", __func__);
+        if (!options.use_pam)
+                fatal("UsePAM=no, but ended up in %s anyway", __func__);
+        buffer_init(&m);
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_ACCOUNT, &m);
+        mm_request_receive_expect(pmonitor->m_recvfd, 
+            MONITOR_ANS_PAM_ACCOUNT, &m);
+        ret = buffer_get_int(&m);
+        buffer_free(&m);
+        
+        debug3("%s returning %d", __func__, ret);
+        return (ret);
+}
+void *
+mm_sshpam_init_ctx(Authctxt *authctxt)
+{
+        Buffer m;
+        int success;
+        debug3("%s", __func__);
+        buffer_init(&m);
+        buffer_put_cstring(&m, authctxt->user);
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
+        debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
+        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
+        success = buffer_get_int(&m);
+        if (success == 0) {
+                debug3("%s: pam_init_ctx failed", __func__);
+                buffer_free(&m);
+                return (NULL);
+        }
+        buffer_free(&m);
+        return (authctxt);
+}
+int
+mm_sshpam_query(void *ctx, char **name, char **info,
+    u_int *num, char ***prompts, u_int **echo_on)
+{
+        Buffer m;
+        int i, ret;
+        debug3("%s", __func__);
+        buffer_init(&m);
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_QUERY, &m);
+        debug3("%s: waiting for MONITOR_ANS_PAM_QUERY", __func__);
+        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_QUERY, &m);
+        ret = buffer_get_int(&m);
+        debug3("%s: pam_query returned %d", __func__, ret);
+        *name = buffer_get_string(&m, NULL);
+        *info = buffer_get_string(&m, NULL);
+        *num = buffer_get_int(&m);
+        *prompts = xmalloc((*num + 1) * sizeof(char *));
+        *echo_on = xmalloc((*num + 1) * sizeof(u_int));
+        for (i = 0; i < *num; ++i) {
+                (*prompts)[i] = buffer_get_string(&m, NULL);
+                (*echo_on)[i] = buffer_get_int(&m);
+        }
+        buffer_free(&m);
+        return (ret);
+}
+int
+mm_sshpam_respond(void *ctx, u_int num, char **resp)
+{
+        Buffer m;
+        int i, ret;
+        debug3("%s", __func__);
+        buffer_init(&m);
+        buffer_put_int(&m, num);
+        for (i = 0; i < num; ++i)
+                buffer_put_cstring(&m, resp[i]);
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_RESPOND, &m);
+        debug3("%s: waiting for MONITOR_ANS_PAM_RESPOND", __func__);
+        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_RESPOND, &m);
+        ret = buffer_get_int(&m);
+        debug3("%s: pam_respond returned %d", __func__, ret);
+        buffer_free(&m);
+        return (ret);
+}
+void
+mm_sshpam_free_ctx(void *ctxtp)
+{
+        Buffer m;
+        debug3("%s", __func__);
+        buffer_init(&m);
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_FREE_CTX, &m);
+        debug3("%s: waiting for MONITOR_ANS_PAM_FREE_CTX", __func__);
+        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_FREE_CTX, &m);
+        buffer_free(&m);
+}
 #endif /* USE_PAM */
 /* Request process termination */
@@ -949,73 +1071,69 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16])
        return (success);
 }
-#ifdef KRB4
+#ifdef GSSAPI
-int
+OM_uint32
-mm_auth_krb4(Authctxt *authctxt, void *_auth, char **client, void *_reply)
+mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
 {
-        KTEXT auth, reply;
+        Buffer m;
-        Buffer m;
+        OM_uint32 major;
-        u_int rlen;
-        int success = 0;
-        char *p;
-        debug3("%s entering", __func__);
+        /* Client doesn't get to see the context */
-        auth = _auth;
+        *ctx = NULL;
-        reply = _reply;
        buffer_init(&m);
-        buffer_put_string(&m, auth->dat, auth->length);
+        buffer_put_string(&m, oid->elements, oid->length);
-        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB4, &m);
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSETUP, &m);
-        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB4, &m);
+        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSETUP, &m);
+        major = buffer_get_int(&m);
-        success = buffer_get_int(&m);
-        if (success) {
-                *client = buffer_get_string(&m, NULL);
-                p = buffer_get_string(&m, &rlen);
-                if (rlen >= MAX_KTXT_LEN)
-                        fatal("%s: reply from monitor too large", __func__);
-                reply->length = rlen;
-                memcpy(reply->dat, p, rlen);
-                memset(p, 0, rlen);
-                xfree(p);
-        }
        buffer_free(&m);
-        return (success);
+        return (major);
 }
-#endif
-#ifdef KRB5
+OM_uint32
-int
+mm_ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *in,
-mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp)
+    gss_buffer_desc *out, OM_uint32 *flags)
 {
-        krb5_data *tkt, *reply;
        Buffer m;
-        int success;
+        OM_uint32 major;
+        u_int len;
-        debug3("%s entering", __func__);
-        tkt = (krb5_data *) argp;
-        reply = (krb5_data *) resp;
        buffer_init(&m);
-        buffer_put_string(&m, tkt->data, tkt->length);
+        buffer_put_string(&m, in->value, in->length);
-        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB5, &m);
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSTEP, &m);
-        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB5, &m);
+        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSTEP, &m);
-        success = buffer_get_int(&m);
+        major = buffer_get_int(&m);
-        if (success) {
+        out->value = buffer_get_string(&m, &len);
-                u_int len;
+        out->length = len;
+        if (flags)
+                *flags = buffer_get_int(&m);
-                *userp = buffer_get_string(&m, NULL);
+        buffer_free(&m);
-                reply->data = buffer_get_string(&m, &len);
-                reply->length = len;
+        return (major);
-        } else {
+}
-                memset(reply, 0, sizeof(*reply));
-                *userp = NULL;
+int
-        }
+mm_ssh_gssapi_userok(char *user)
+{
+        Buffer m;
+        int authenticated = 0;
+        buffer_init(&m);
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, &m);
+        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUSEROK,
+                                  &m);
+        authenticated = buffer_get_int(&m);
        buffer_free(&m);
-        return (success);
+        debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
+        return (authenticated);
 }
-#endif
+#endif /* GSSAPI */
diff --git a/monitor_wrap.h b/monitor_wrap.h
index d960a3d0b..5e0334588 100644
--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: monitor_wrap.h,v 1.8 2002/09/26 11:38:43 markus Exp $ */
+/*      $OpenBSD: monitor_wrap.h,v 1.11 2003/08/28 12:54:34 markus Exp $        */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -55,8 +55,21 @@ int mm_auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
 int mm_auth_rsa_verify_response(Key *, BIGNUM *, u_char *);
 BIGNUM *mm_auth_rsa_generate_challenge(Key *);
+#ifdef GSSAPI
+#include "ssh-gss.h"
+OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **ctxt, gss_OID oid);
+OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *ctxt,
+   gss_buffer_desc *recv, gss_buffer_desc *send, OM_uint32 *flags);
+int mm_ssh_gssapi_userok(char *user);
+#endif
 #ifdef USE_PAM
 void mm_start_pam(char *);
+u_int mm_do_pam_account(void);
+void *mm_sshpam_init_ctx(struct Authctxt *);
+int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **);
+int mm_sshpam_respond(void *, u_int, char **);
+void mm_sshpam_free_ctx(void *);
 #endif
 void mm_terminate(void);
@@ -83,16 +96,6 @@ int mm_bsdauth_respond(void *, u_int, char **);
 int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
 int mm_skey_respond(void *, u_int, char **);
-/* auth_krb */
-#ifdef KRB4
-int mm_auth_krb4(struct Authctxt *, void *, char **, void *);
-#endif
-#ifdef KRB5
-/* auth and reply are really krb5_data objects, but we don't want to
- * include all of the krb5 headers here */
-int mm_auth_krb5(void *authctxt, void *auth, char **client, void *reply);
-#endif
 /* zlib allocation hooks */
 void *mm_zalloc(struct mm_master *, u_int, u_int);
diff --git a/msg.c b/msg.c
index 5d266c207..6a806c3f5 100644
--- a/msg.c
+++ b/msg.c
@@ -22,7 +22,7 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "includes.h"
-RCSID("$OpenBSD: msg.c,v 1.5 2002/12/19 00:07:02 djm Exp $");
+RCSID("$OpenBSD: msg.c,v 1.6 2003/06/28 16:23:06 deraadt Exp $");
 #include "buffer.h"
 #include "getput.h"
@@ -40,9 +40,9 @@ ssh_msg_send(int fd, u_char type, Buffer *m)
        PUT_32BIT(buf, mlen + 1);
        buf[4] = type;          /* 1st byte of payload is mesg-type */
-        if (atomicio(write, fd, buf, sizeof(buf)) != sizeof(buf))
+        if (atomicio(vwrite, fd, buf, sizeof(buf)) != sizeof(buf))
                fatal("ssh_msg_send: write");
-        if (atomicio(write, fd, buffer_ptr(m), mlen) != mlen)
+        if (atomicio(vwrite, fd, buffer_ptr(m), mlen) != mlen)
                fatal("ssh_msg_send: write");
 }
diff --git a/myproposal.h b/myproposal.h
index 62f5cfb65..8b431d9d2 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: myproposal.h,v 1.14 2002/04/03 09:26:11 markus Exp $  */
+/*      $OpenBSD: myproposal.h,v 1.15 2003/05/17 04:27:52 markus Exp $  */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -27,7 +27,8 @@
 #define KEX_DEFAULT_PK_ALG      "ssh-rsa,ssh-dss"
 #define KEX_DEFAULT_ENCRYPT \
        "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour," \
-        "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se"
+        "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \
+        "aes128-ctr,aes192-ctr,aes256-ctr"
 #define KEX_DEFAULT_MAC \
        "hmac-md5,hmac-sha1,hmac-ripemd160," \
        "hmac-ripemd160@openssh.com," \
diff --git a/nchan.c b/nchan.c
index bce7325b3..3138cdd19 100644
--- a/nchan.c
+++ b/nchan.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: nchan.c,v 1.47 2002/06/19 00:27:55 deraadt Exp $");
+RCSID("$OpenBSD: nchan.c,v 1.49 2003/08/29 10:04:36 markus Exp $");
 #include "ssh1.h"
 #include "ssh2.h"
@@ -83,7 +83,7 @@ chan_set_istate(Channel *c, u_int next)
 {
        if (c->istate > CHAN_INPUT_CLOSED || next > CHAN_INPUT_CLOSED)
                fatal("chan_set_istate: bad state %d -> %d", c->istate, next);
-        debug("channel %d: input %s -> %s", c->self, istates[c->istate],
+        debug2("channel %d: input %s -> %s", c->self, istates[c->istate],
            istates[next]);
        c->istate = next;
 }
@@ -92,7 +92,7 @@ chan_set_ostate(Channel *c, u_int next)
 {
        if (c->ostate > CHAN_OUTPUT_CLOSED || next > CHAN_OUTPUT_CLOSED)
                fatal("chan_set_ostate: bad state %d -> %d", c->ostate, next);
-        debug("channel %d: output %s -> %s", c->self, ostates[c->ostate],
+        debug2("channel %d: output %s -> %s", c->self, ostates[c->ostate],
            ostates[next]);
        c->ostate = next;
 }
@@ -104,7 +104,7 @@ chan_set_ostate(Channel *c, u_int next)
 static void
 chan_rcvd_oclose1(Channel *c)
 {
-        debug("channel %d: rcvd oclose", c->self);
+        debug2("channel %d: rcvd oclose", c->self);
        switch (c->istate) {
        case CHAN_INPUT_WAIT_OCLOSE:
                chan_set_istate(c, CHAN_INPUT_CLOSED);
@@ -128,7 +128,7 @@ chan_rcvd_oclose1(Channel *c)
 void
 chan_read_failed(Channel *c)
 {
-        debug("channel %d: read failed", c->self);
+        debug2("channel %d: read failed", c->self);
        switch (c->istate) {
        case CHAN_INPUT_OPEN:
                chan_shutdown_read(c);
@@ -143,7 +143,7 @@ chan_read_failed(Channel *c)
 void
 chan_ibuf_empty(Channel *c)
 {
-        debug("channel %d: ibuf empty", c->self);
+        debug2("channel %d: ibuf empty", c->self);
        if (buffer_len(&c->input)) {
                error("channel %d: chan_ibuf_empty for non empty buffer",
                    c->self);
@@ -169,7 +169,7 @@ chan_ibuf_empty(Channel *c)
 static void
 chan_rcvd_ieof1(Channel *c)
 {
-        debug("channel %d: rcvd ieof", c->self);
+        debug2("channel %d: rcvd ieof", c->self);
        switch (c->ostate) {
        case CHAN_OUTPUT_OPEN:
                chan_set_ostate(c, CHAN_OUTPUT_WAIT_DRAIN);
@@ -186,7 +186,7 @@ chan_rcvd_ieof1(Channel *c)
 static void
 chan_write_failed1(Channel *c)
 {
-        debug("channel %d: write failed", c->self);
+        debug2("channel %d: write failed", c->self);
        switch (c->ostate) {
        case CHAN_OUTPUT_OPEN:
                chan_shutdown_write(c);
@@ -207,7 +207,7 @@ chan_write_failed1(Channel *c)
 void
 chan_obuf_empty(Channel *c)
 {
-        debug("channel %d: obuf empty", c->self);
+        debug2("channel %d: obuf empty", c->self);
        if (buffer_len(&c->output)) {
                error("channel %d: chan_obuf_empty for non empty buffer",
                    c->self);
@@ -229,7 +229,7 @@ chan_obuf_empty(Channel *c)
 static void
 chan_send_ieof1(Channel *c)
 {
-        debug("channel %d: send ieof", c->self);
+        debug2("channel %d: send ieof", c->self);
        switch (c->istate) {
        case CHAN_INPUT_OPEN:
        case CHAN_INPUT_WAIT_DRAIN:
@@ -246,7 +246,7 @@ chan_send_ieof1(Channel *c)
 static void
 chan_send_oclose1(Channel *c)
 {
-        debug("channel %d: send oclose", c->self);
+        debug2("channel %d: send oclose", c->self);
        switch (c->ostate) {
        case CHAN_OUTPUT_OPEN:
        case CHAN_OUTPUT_WAIT_DRAIN:
@@ -268,7 +268,7 @@ chan_send_oclose1(Channel *c)
 static void
 chan_rcvd_close2(Channel *c)
 {
-        debug("channel %d: rcvd close", c->self);
+        debug2("channel %d: rcvd close", c->self);
        if (c->flags & CHAN_CLOSE_RCVD)
                error("channel %d: protocol error: close rcvd twice", c->self);
        c->flags |= CHAN_CLOSE_RCVD;
@@ -301,7 +301,7 @@ chan_rcvd_close2(Channel *c)
 static void
 chan_rcvd_eof2(Channel *c)
 {
-        debug("channel %d: rcvd eof", c->self);
+        debug2("channel %d: rcvd eof", c->self);
        c->flags |= CHAN_EOF_RCVD;
        if (c->ostate == CHAN_OUTPUT_OPEN)
                chan_set_ostate(c, CHAN_OUTPUT_WAIT_DRAIN);
@@ -309,7 +309,7 @@ chan_rcvd_eof2(Channel *c)
 static void
 chan_write_failed2(Channel *c)
 {
-        debug("channel %d: write failed", c->self);
+        debug2("channel %d: write failed", c->self);
        switch (c->ostate) {
        case CHAN_OUTPUT_OPEN:
        case CHAN_OUTPUT_WAIT_DRAIN:
@@ -325,7 +325,7 @@ chan_write_failed2(Channel *c)
 static void
 chan_send_eof2(Channel *c)
 {
-        debug("channel %d: send eof", c->self);
+        debug2("channel %d: send eof", c->self);
        switch (c->istate) {
        case CHAN_INPUT_WAIT_DRAIN:
                packet_start(SSH2_MSG_CHANNEL_EOF);
@@ -342,7 +342,7 @@ chan_send_eof2(Channel *c)
 static void
 chan_send_close2(Channel *c)
 {
-        debug("channel %d: send close", c->self);
+        debug2("channel %d: send close", c->self);
        if (c->ostate != CHAN_OUTPUT_CLOSED ||
            c->istate != CHAN_INPUT_CLOSED) {
                error("channel %d: cannot send close for istate/ostate %d/%d",
@@ -398,13 +398,13 @@ int
 chan_is_dead(Channel *c, int send)
 {
        if (c->type == SSH_CHANNEL_ZOMBIE) {
-                debug("channel %d: zombie", c->self);
+                debug2("channel %d: zombie", c->self);
                return 1;
        }
        if (c->istate != CHAN_INPUT_CLOSED || c->ostate != CHAN_OUTPUT_CLOSED)
                return 0;
        if (!compat20) {
-                debug("channel %d: is dead", c->self);
+                debug2("channel %d: is dead", c->self);
                return 1;
        }
        if ((datafellows & SSH_BUG_EXTEOF) &&
@@ -421,7 +421,7 @@ chan_is_dead(Channel *c, int send)
                } else {
                        /* channel would be dead if we sent a close */
                        if (c->flags & CHAN_CLOSE_RCVD) {
-                                debug("channel %d: almost dead",
+                                debug2("channel %d: almost dead",
                                    c->self);
                                return 1;
                        }
@@ -429,7 +429,7 @@ chan_is_dead(Channel *c, int send)
        }
        if ((c->flags & CHAN_CLOSE_SENT) &&
            (c->flags & CHAN_CLOSE_RCVD)) {
-                debug("channel %d: is dead", c->self);
+                debug2("channel %d: is dead", c->self);
                return 1;
        }
        return 0;
@@ -443,15 +443,15 @@ chan_shutdown_write(Channel *c)
        if (compat20 && c->type == SSH_CHANNEL_LARVAL)
                return;
        /* shutdown failure is allowed if write failed already */
-        debug("channel %d: close_write", c->self);
+        debug2("channel %d: close_write", c->self);
        if (c->sock != -1) {
                if (shutdown(c->sock, SHUT_WR) < 0)
-                        debug("channel %d: chan_shutdown_write: "
+                        debug2("channel %d: chan_shutdown_write: "
                            "shutdown() failed for fd%d: %.100s",
                            c->self, c->sock, strerror(errno));
        } else {
                if (channel_close_fd(&c->wfd) < 0)
-                        log("channel %d: chan_shutdown_write: "
+                        logit("channel %d: chan_shutdown_write: "
                            "close() failed for fd%d: %.100s",
                            c->self, c->wfd, strerror(errno));
        }
@@ -461,7 +461,7 @@ chan_shutdown_read(Channel *c)
 {
        if (compat20 && c->type == SSH_CHANNEL_LARVAL)
                return;
-        debug("channel %d: close_read", c->self);
+        debug2("channel %d: close_read", c->self);
        if (c->sock != -1) {
                /*
                 * shutdown(sock, SHUT_READ) may return ENOTCONN if the
@@ -476,7 +476,7 @@ chan_shutdown_read(Channel *c)
                            strerror(errno));
        } else {
                if (channel_close_fd(&c->rfd) < 0)
-                        log("channel %d: chan_shutdown_read: "
+                        logit("channel %d: chan_shutdown_read: "
                            "close() failed for fd%d: %.100s",
                            c->self, c->rfd, strerror(errno));
        }
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
index 8615e3633..c48593f7b 100644
--- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.25 2003/02/24 01:55:56 djm Exp $
+# $Id: Makefile.in,v 1.28 2003/07/24 06:52:14 mouring Exp $
 sysconfdir=@sysconfdir@
 piddir=@piddir@
@@ -16,9 +16,9 @@ RANLIB=@RANLIB@
 INSTALL=@INSTALL@
 LDFLAGS=-L. @LDFLAGS@
-OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o vis.o
+OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o vis.o
-COMPAT=bsd-arc4random.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-snprintf.o bsd-waitpid.o fake-getaddrinfo.o fake-getnameinfo.o xmmap.o
+COMPAT=bsd-arc4random.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o xmmap.o xcrypt.o
 PORTS=port-irix.o port-aix.o
diff --git a/openbsd-compat/base64.h b/openbsd-compat/base64.h
index 72db3ffc7..732c6b3f8 100644
--- a/openbsd-compat/base64.h
+++ b/openbsd-compat/base64.h
@@ -1,23 +1,65 @@
-/* $Id: base64.h,v 1.4 2003/02/24 04:45:43 djm Exp $ */
+/* $Id: base64.h,v 1.6 2003/08/29 16:59:52 mouring Exp $ */
+/*
+ * Copyright (c) 1996 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+/*
+ * Portions Copyright (c) 1995 by International Business Machines, Inc.
+ *
+ * International Business Machines, Inc. (hereinafter called IBM) grants
+ * permission under its copyrights to use, copy, modify, and distribute this
+ * Software with or without fee, provided that the above copyright notice and
+ * all paragraphs of this notice appear in all copies, and that the name of IBM
+ * not be used in connection with the marketing of any product incorporating
+ * the Software or modifications thereof, without specific, written prior
+ * permission.
+ *
+ * To the extent it has a right to do so, IBM grants an immunity from suit
+ * under its patents, if any, for the use, sale or manufacture of products to
+ * the extent that such products are used for performing Domain Name System
+ * dynamic updates in TCP/IP networks by means of the Software.  No immunity is
+ * granted for any product per se or for any other function of any product.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES,
+ * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE.  IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL,
+ * DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN
+ * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
+ */
 #ifndef _BSD_BASE64_H
 #define _BSD_BASE64_H
-#include "config.h"
+#include "includes.h"
 #ifndef HAVE___B64_NTOP
 # ifndef HAVE_B64_NTOP
 int b64_ntop(u_char const *src, size_t srclength, char *target, 
    size_t targsize);
 # endif /* !HAVE_B64_NTOP */
-# define __b64_ntop b64_ntop
+# define __b64_ntop(a,b,c,d) b64_ntop(a,b,c,d)
 #endif /* HAVE___B64_NTOP */
 #ifndef HAVE___B64_PTON
 # ifndef HAVE_B64_PTON
 int b64_pton(char const *src, u_char *target, size_t targsize);
 # endif /* !HAVE_B64_PTON */
-# define __b64_pton b64_pton
+# define __b64_pton(a,b,c) b64_pton(a,b,c)
 #endif /* HAVE___B64_PTON */
 #endif /* _BSD_BASE64_H */
diff --git a/openbsd-compat/basename.c b/openbsd-compat/basename.c
index 5a3823bc5..2054c8068 100644
--- a/openbsd-compat/basename.c
+++ b/openbsd-compat/basename.c
@@ -1,37 +1,26 @@
-/*      $OpenBSD: basename.c,v 1.8 2002/06/09 05:03:59 deraadt Exp $    */
+/*      $OpenBSD: basename.c,v 1.11 2003/06/17 21:56:23 millert Exp $   */
 /*
 * Copyright (c) 1997 Todd C. Miller <Todd.Miller@courtesan.com>
- * All rights reserved.
 *
- * Redistribution and use in source and binary forms, with or without
+ * Permission to use, copy, modify, and distribute this software for any
- * modification, are permitted provided that the following conditions
+ * purpose with or without fee is hereby granted, provided that the above
- * are met:
+ * copyright notice and this permission notice appear in all copies.
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote products
- *    derived from this software without specific prior written permission.
 *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
- * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
- * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
-#include "includes.h"
-#if !defined(HAVE_BASENAME)
+#include "includes.h"
+#ifndef HAVE_BASENAME
 #ifndef lint
-static char rcsid[] = "$OpenBSD: basename.c,v 1.8 2002/06/09 05:03:59 deraadt Exp $";
+static char rcsid[] = "$OpenBSD: basename.c,v 1.11 2003/06/17 21:56:23 millert Exp $";
 #endif /* not lint */
 char *
diff --git a/openbsd-compat/bindresvport.c b/openbsd-compat/bindresvport.c
index 620f980ed..8a273f9b5 100644
--- a/openbsd-compat/bindresvport.c
+++ b/openbsd-compat/bindresvport.c
@@ -1,48 +1,37 @@
-/* This file has be modified from the original OpenBSD source */
+/* This file has be substantially modified from the original OpenBSD source */
+/*      $OpenBSD: bindresvport.c,v 1.15 2003/05/20 22:42:35 deraadt Exp $       */
 /*
- * Sun RPC is a product of Sun Microsystems, Inc. and is provided for
+ * Copyright 1996, Jason Downs.  All rights reserved.
- * unrestricted use provided that this legend is included on all tape
+ * Copyright 1998, Theo de Raadt.  All rights reserved.
- * media and as a part of the software program in whole or part.  Users
+ * Copyright 2000, Damien Miller.  All rights reserved.
- * may copy or modify Sun RPC without charge, but are not authorized
+ *
- * to license or distribute it to anyone else except as part of a product or
+ * Redistribution and use in source and binary forms, with or without
- * program developed by the user.
+ * modification, are permitted provided that the following conditions
- * 
+ * are met:
- * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE
+ * 1. Redistributions of source code must retain the above copyright
- * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR
+ *    notice, this list of conditions and the following disclaimer.
- * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.
+ * 2. Redistributions in binary form must reproduce the above copyright
- * 
+ *    notice, this list of conditions and the following disclaimer in the
- * Sun RPC is provided with no support and without any obligation on the
+ *    documentation and/or other materials provided with the distribution.
- * part of Sun Microsystems, Inc. to assist in its use, correction,
+ *
- * modification or enhancement.
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * 
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * OR ANY PART THEREOF.
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * 
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * In no event will Sun Microsystems, Inc. be liable for any lost revenue
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * or profits or other special, indirect and consequential damages, even if
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * Sun has been advised of the possibility of such damages.
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * 
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- * Sun Microsystems, Inc.
- * 2550 Garcia Avenue
- * Mountain View, California  94043
 */
 #include "includes.h"
 #ifndef HAVE_BINDRESVPORT_SA
-#if defined(LIBC_SCCS) && !defined(lint)
-static char *rcsid = "$OpenBSD: bindresvport.c,v 1.13 2000/01/26 03:43:21 deraadt Exp $";
-#endif /* LIBC_SCCS and not lint */
-/*
- * Copyright (c) 1987 by Sun Microsystems, Inc.
- *
- * Portions Copyright(C) 1996, Jason Downs.  All rights reserved.
- */
 #include "includes.h"
 #define STARTPORT 600
diff --git a/openbsd-compat/bsd-arc4random.c b/openbsd-compat/bsd-arc4random.c
index dd08130d5..5f890968e 100644
--- a/openbsd-compat/bsd-arc4random.c
+++ b/openbsd-compat/bsd-arc4random.c
@@ -25,7 +25,7 @@
 #include "includes.h"
 #include "log.h"
-RCSID("$Id: bsd-arc4random.c,v 1.6 2003/03/17 05:13:53 djm Exp $");
+RCSID("$Id: bsd-arc4random.c,v 1.7 2003/05/18 14:13:38 djm Exp $");
 #ifndef HAVE_ARC4RANDOM
@@ -70,6 +70,7 @@ void arc4random_stir(void)
                fatal("Couldn't obtain random bytes (error %ld)",
                    ERR_get_error());
        RC4_set_key(&rc4, sizeof(rand_buf), rand_buf);
+        RC4(&rc4, sizeof(rand_buf), rand_buf, rand_buf);
        memset(rand_buf, 0, sizeof(rand_buf));
        rc4_ready = REKEY_BYTES;
diff --git a/openbsd-compat/bsd-cray.c b/openbsd-compat/bsd-cray.c
index edb3112b3..f2ac428cc 100644
--- a/openbsd-compat/bsd-cray.c
+++ b/openbsd-compat/bsd-cray.c
@@ -1,5 +1,5 @@
 /* 
- * $Id: bsd-cray.c,v 1.8 2002/09/26 00:38:51 tim Exp $
+ * $Id: bsd-cray.c,v 1.12 2003/06/03 02:45:27 dtucker Exp $
 *
 * bsd-cray.c
 *
@@ -67,10 +67,10 @@
 extern ServerOptions options;
-char cray_tmpdir[TPATHSIZ+1];               /* job TMPDIR path */
+char cray_tmpdir[TPATHSIZ + 1];             /* job TMPDIR path */
-struct          sysv sysv;      /* system security structure */
+struct sysv sysv;       /* system security structure */
-struct          usrv usrv;      /* user   security structure */
+struct usrv usrv;       /* user security structure */
 /*
 * Functions.
@@ -86,39 +86,40 @@ int cray_access_denied(char *);
 void
 cray_login_failure(char *username, int errcode)
 {
-        struct udb      *ueptr;         /* UDB pointer for username */
+        struct udb *ueptr;              /* UDB pointer for username */
-        ia_failure_t    fsent;          /* ia_failure structure */
+        ia_failure_t fsent;             /* ia_failure structure */
        ia_failure_ret_t fret;          /* ia_failure return stuff */
-        struct jtab     jtab;           /* job table structure */
+        struct jtab jtab;               /* job table structure */
-        int             jid = 0;        /* job id */
+        int jid = 0;                    /* job id */
-        if ((jid = getjtab(&jtab)) < 0) {
+        if ((jid = getjtab(&jtab)) < 0)
                debug("cray_login_failure(): getjtab error");
-        }
        getsysudb();
-        if ((ueptr = getudbnam(username)) == UDB_NULL) {
+        if ((ueptr = getudbnam(username)) == UDB_NULL)
                debug("cray_login_failure(): getudbname() returned NULL");
-        }
        endudb();
-        fsent.revision  = 0;
-        fsent.uname     = username;
+        memset(&fsent, '\0', sizeof(fsent));
-        fsent.host      = (char *)get_canonical_hostname(options.verify_reverse_mapping);
+        fsent.revision = 0;
-        fsent.ttyn      = "sshd";
+        fsent.uname = username;
-        fsent.caller    = IA_SSHD;
+        fsent.host = (char *)get_canonical_hostname(options.use_dns);
-        fsent.flags     = IA_INTERACTIVE;
+        fsent.ttyn = "sshd";
-        fsent.ueptr     = ueptr;
+        fsent.caller = IA_SSHD;
-        fsent.jid       = jid;
+        fsent.flags = IA_INTERACTIVE;
-        fsent.errcode   = errcode;
+        fsent.ueptr = ueptr;
-        fsent.pwdp      = NULL;
+        fsent.jid = jid;
-        fsent.exitcode  = 0;    /* dont exit in ia_failure() */
+        fsent.errcode = errcode;
+        fsent.pwdp = NULL;
-        fret.revision   = 0;
+        fsent.exitcode = 0;     /* dont exit in ia_failure() */
-        fret.normal     = 0;
+        fret.revision = 0;
+        fret.normal = 0;
        /*
         * Call ia_failure because of an login failure.
         */
-        ia_failure(&fsent,&fret);
+        ia_failure(&fsent, &fret);
 }
 /*
@@ -127,338 +128,316 @@ cray_login_failure(char *username, int errcode)
 int
 cray_access_denied(char *username)
 {
-        struct udb      *ueptr;         /* UDB pointer for username */
+        struct udb *ueptr;              /* UDB pointer for username */
-        int             errcode;        /* IA errorcode */
+        int errcode;                    /* IA errorcode */
        errcode = 0;
        getsysudb();
-        if ((ueptr = getudbnam(username)) == UDB_NULL) {
+        if ((ueptr = getudbnam(username)) == UDB_NULL)
                debug("cray_login_failure(): getudbname() returned NULL");
-        }
        endudb();
-        if (ueptr && ueptr->ue_disabled)
+        if (ueptr != NULL && ueptr->ue_disabled)
                errcode = IA_DISABLED;
        if (errcode)
                cray_login_failure(username, errcode);
        return (errcode);
 }
+/*
+ * record_failed_login: generic "login failed" interface function
+ */
+void
+record_failed_login(const char *user, const char *ttyname)
+{
+        cray_login_failure((char *)user, IA_UDBERR);
+}
 int
 cray_setup (uid_t uid, char *username, const char *command)
 {
        extern struct udb *getudb();
        extern char *setlimits();
-        int err;                      /* error return */
+        int err;                        /* error return */
-        time_t          system_time;    /* current system clock */
+        time_t system_time;             /* current system clock */
-        time_t          expiration_time; /* password expiration time */
+        time_t expiration_time;         /* password expiration time */
-        int             maxattempts;    /* maximum no. of failed login attempts */
+        int maxattempts;                /* maximum no. of failed login attempts */
-        int             SecureSys;      /* unicos security flag */
+        int SecureSys;                  /* unicos security flag */
-        int             minslevel = 0;  /* system minimum security level */
+        int minslevel = 0;              /* system minimum security level */
-        int             i, j;
+        int i, j;
-        int             valid_acct = -1; /* flag for reading valid acct */
+        int valid_acct = -1;            /* flag for reading valid acct */
-        char acct_name[MAXACID]  = { "" }; /* used to read acct name */
+        char acct_name[MAXACID] = { "" }; /* used to read acct name */
-        struct          jtab jtab;      /* Job table struct */
+        struct jtab jtab;               /* Job table struct */
-        struct          udb ue;         /* udb entry for logging-in user */
+        struct udb ue;                  /* udb entry for logging-in user */
-        struct          udb *up;        /* pointer to UDB entry */
+        struct udb *up;                 /* pointer to UDB entry */
-        struct          secstat secinfo; /* file  security attributes */
+        struct secstat secinfo;         /* file  security attributes */
-        struct          servprov init_info; /* used for sesscntl() call */
+        struct servprov init_info;      /* used for sesscntl() call */
-        int             jid;            /* job ID */
+        int jid;                        /* job ID */
-        int             pid;            /* process ID */
+        int pid;                        /* process ID */
-        char            *sr;            /* status return from setlimits() */
+        char *sr;                       /* status return from setlimits() */
-        char            *ttyn = NULL;   /* ttyname or command name*/
+        char *ttyn = NULL;              /* ttyname or command name*/
-        char            hostname[MAXHOSTNAMELEN];
+        char hostname[MAXHOSTNAMELEN];
-        passwd_t        pwdacm,
+        /* passwd stuff for ia_user */
-                        pwddialup,
+        passwd_t pwdacm, pwddialup, pwdudb, pwdwal, pwddce;
-                        pwdudb,
+        ia_user_ret_t uret;             /* stuff returned from ia_user */
-                        pwdwal,
+        ia_user_t usent                 /* ia_user main structure */
-                        pwddce;         /* passwd stuff for ia_user */
+        int ia_rcode;                   /* ia_user return code */
-        ia_user_ret_t   uret;           /* stuff returned from ia_user */
+        ia_failure_t fsent;             /* ia_failure structure */
-        ia_user_t       usent;          /* ia_user main structure */
-        int             ia_rcode;       /* ia_user return code */
-        ia_failure_t    fsent;          /* ia_failure structure */
        ia_failure_ret_t fret;          /* ia_failure return stuff */
-        ia_success_t    ssent;          /* ia_success structure */
+        ia_success_t ssent;             /* ia_success structure */
        ia_success_ret_t sret;          /* ia_success return stuff */
-        int             ia_mlsrcode;    /* ia_mlsuser return code */
+        int ia_mlsrcode;                /* ia_mlsuser return code */
-        int             secstatrc;      /* [f]secstat return code */
+        int secstatrc;                  /* [f]secstat return code */
        if (SecureSys = (int)sysconf(_SC_CRAY_SECURE_SYS)) {
                getsysv(&sysv, sizeof(struct sysv));
                minslevel = sysv.sy_minlvl;
-                if (getusrv(&usrv) < 0) {
+                if (getusrv(&usrv) < 0)
-                        debug("getusrv() failed, errno = %d",errno);
+                        fatal("getusrv() failed, errno = %d", errno);
-                        exit(1);
-                }
        }
        hostname[0] = '\0';
-        strncpy(hostname,
+        strlcpy(hostname,
-           (char *)get_canonical_hostname(options.verify_reverse_mapping),
+           (char *)get_canonical_hostname(options.use_dns),
           MAXHOSTNAMELEN);
-        /*
+        /*
-         *  Fetch user's UDB entry.
+         *  Fetch user's UDB entry.
-         */
+         */
-        getsysudb();
+        getsysudb();
-        if ((up = getudbnam(username)) == UDB_NULL) {
+        if ((up = getudbnam(username)) == UDB_NULL)
-                debug("cannot fetch user's UDB entry");
+                fatal("cannot fetch user's UDB entry");
-                exit(1);
-        }
+        /*
+         *  Prevent any possible fudging so perform a data
-        /*
+         *  safety check and compare the supplied uid against
-         *  Prevent any possible fudging so perform a data
+         *  the udb's uid.
-         *  safety check and compare the supplied uid against
+         */
-         *  the udb's uid.
+        if (up->ue_uid != uid)
-         */
+                fatal("IA uid missmatch");
-        if (up->ue_uid != uid) {
-                debug("IA uid missmatch");
-                exit(1);
-        }
        endudb();
-        if ((jid = getjtab (&jtab)) < 0) {
+        if ((jid = getjtab(&jtab)) < 0) {
                debug("getjtab");
-                return -1;
+                return(-1);
        }
        pid = getpid();
        ttyn = ttyname(0);
        if (SecureSys) {
-                if (ttyn) {
+                if (ttyn != NULL)
                        secstatrc = secstat(ttyn, &secinfo);
-                } else {
+                else
                        secstatrc = fsecstat(1, &secinfo);
-                }
-                if (secstatrc == 0) {
+                if (secstatrc == 0)
                        debug("[f]secstat() successful");
-                } else {
+                else
-                        debug("[f]secstat() error, rc = %d", secstatrc);
+                        fatal("[f]secstat() error, rc = %d", secstatrc);
-                        exit(1);
-                }
        }
        if ((ttyn == NULL) && ((char *)command != NULL))
                ttyn = (char *)command;
-        /*
+        /*
-         *  Initialize all structures to call ia_user
+         *  Initialize all structures to call ia_user
-         */
+         */
-        usent.revision = 0;
+        usent.revision = 0;
-        usent.uname    = username;
+        usent.uname = username;
-        usent.host     = hostname;
+        usent.host = hostname;
-        usent.ttyn     = ttyn;
+        usent.ttyn = ttyn;
-        usent.caller   = IA_SSHD; 
+        usent.caller = IA_SSHD; 
-        usent.pswdlist = &pwdacm;
+        usent.pswdlist = &pwdacm;
-        usent.ueptr    = &ue;
+        usent.ueptr = &ue;
-        usent.flags    = IA_INTERACTIVE | IA_FFLAG;
+        usent.flags = IA_INTERACTIVE | IA_FFLAG;
-        pwdacm.atype   = IA_SECURID;
+        pwdacm.atype = IA_SECURID;
-        pwdacm.pwdp    = NULL;
+        pwdacm.pwdp = NULL;
-        pwdacm.next    = &pwdudb;
+        pwdacm.next = &pwdudb;
-        pwdudb.atype   = IA_UDB;
+        pwdudb.atype = IA_UDB;
-        pwdudb.pwdp    = NULL;
+        pwdudb.pwdp = NULL;
-        pwdudb.next    = &pwddce;
+        pwdudb.next = &pwddce;
-        pwddce.atype   = IA_DCE;
+        pwddce.atype = IA_DCE;
-        pwddce.pwdp    = NULL;
+        pwddce.pwdp = NULL;
-        pwddce.next    = &pwddialup;
+        pwddce.next = &pwddialup;
-        pwddialup.atype = IA_DIALUP;
+        pwddialup.atype = IA_DIALUP;
-        pwddialup.pwdp  = NULL;
+        pwddialup.pwdp = NULL;
-        /* pwddialup.next  = &pwdwal; */
+        /* pwddialup.next = &pwdwal; */
-        pwddialup.next  = NULL;
+        pwddialup.next = NULL;
-        pwdwal.atype = IA_WAL;
+        pwdwal.atype = IA_WAL;
-        pwdwal.pwdp  = NULL;
+        pwdwal.pwdp = NULL;
-        pwdwal.next  = NULL;
+        pwdwal.next = NULL;
-        uret.revision = 0;
+        uret.revision = 0;
-        uret.pswd     = NULL;
+        uret.pswd = NULL;
-        uret.normal   = 0;
+        uret.normal = 0;
-        ia_rcode = ia_user(&usent, &uret);
+        ia_rcode = ia_user(&usent, &uret);
+        switch (ia_rcode) {
-        switch (ia_rcode) {
+        /*
-                /*
+         *  These are acceptable return codes from ia_user()
-                 *  These are acceptable return codes from ia_user()
+         */
-                 */
+        case IA_UDBWEEK:        /* Password Expires in 1 week */
-                case IA_UDBWEEK:        /* Password Expires in 1 week */
+                expiration_time = ue.ue_pwage.time + ue.ue_pwage.maxage;
-                     expiration_time = ue.ue_pwage.time + ue.ue_pwage.maxage;
+                printf ("WARNING - your current password will expire %s\n",
-                     printf ("WARNING - your current password will expire %s\n",
+                ctime((const time_t *)&expiration_time));
-                     ctime((const time_t *)&expiration_time));
+                break;
-                     break;
+        case IA_UDBEXPIRED:
-                case IA_UDBEXPIRED:
+                if (ttyname(0) != NULL) {
-                     if (ttyname(0) != NULL) {
+                        /* Force a password change */
-                     /* Force a password change */
+                        printf("Your password has expired; Choose a new one.\n");
-                         printf("Your password has expired; Choose a new one.\n");
+                        execl("/bin/passwd", "passwd", username, 0);
-                         execl("/bin/passwd", "passwd", username, 0);
+                        exit(9);
-                         exit(9);
+                        }
-                     }
+                break;
+        case IA_NORMAL:         /* Normal Return Code */
-                     break;
+                break;
-                case IA_NORMAL:         /* Normal Return Code */
+        case IA_BACKDOOR:
-                     break;
+                /* XXX: can we memset it to zero here so save some of this */
-                case IA_BACKDOOR:
+                strlcpy(ue.ue_name, "root", sizeof(ue.ue_name));
-                     strcpy(ue.ue_name, "root");
+                strlcpy(ue.ue_dir, "/", sizeof(ue.ue_dir));
-                     strcpy(ue.ue_passwd, "");
+                strlcpy(ue.ue_shell, "/bin/sh", sizeof(ue.ue_shell));
-                     strcpy(ue.ue_dir, "/");
-                     strcpy(ue.ue_shell, "/bin/sh");
+                ue.ue_passwd[0] = '\0';
-                     strcpy(ue.ue_age, "");
+                ue.ue_age[0] = '\0';
-                     strcpy(ue.ue_comment, "");
+                ue.ue_comment[0] = '\0';
-                     strcpy(ue.ue_loghost, "");
+                ue.ue_loghost[0] = '\0';
-                     strcpy(ue.ue_logline, "");
+                ue.ue_logline[0] = '\0';
-                     ue.ue_uid=-1;
-                     ue.ue_nice[UDBRC_INTER]=0;
+                ue.ue_uid = -1;
-                     for (i=0;i<MAXVIDS;i++)
+                ue.ue_nice[UDBRC_INTER] = 0;
-                         ue.ue_gids[i]=0;
-                     ue.ue_logfails=0;
+                for (i = 0; i < MAXVIDS; i++)
-                     ue.ue_minlvl=minslevel; 
+                        ue.ue_gids[i] = 0;
-                     ue.ue_maxlvl=minslevel;
-                     ue.ue_deflvl=minslevel;
+                ue.ue_logfails = 0;
-                     ue.ue_defcomps=0;
+                ue.ue_minlvl = ue.ue_maxlvl = ue.ue_deflvl = minslevel;
-                     ue.ue_comparts=0;
+                ue.ue_defcomps = 0;
-                     ue.ue_permits=0;
+                ue.ue_comparts = 0;
-                     ue.ue_trap=0;
+                ue.ue_permits = 0;
-                     ue.ue_disabled=0;
+                ue.ue_trap = 0;
-                     ue.ue_logtime=0;
+                ue.ue_disabled = 0;
-                     break;
+                ue.ue_logtime = 0;
-                case IA_CONSOLE:        /* Superuser not from Console */
+                break;
-                case IA_TRUSTED:        /* Trusted user */
+        case IA_CONSOLE:        /* Superuser not from Console */
-                     if (options.permit_root_login > PERMIT_NO)
+        case IA_TRUSTED:        /* Trusted user */
-                        break;          /* Accept root login */
+                if (options.permit_root_login > PERMIT_NO)
-                default:
+                        break;  /* Accept root login */
-                /*
+        default:
-                 *  These are failed return codes from ia_user()
+        /*
-                 */
+         *  These are failed return codes from ia_user()
-                     switch (ia_rcode) 
+         */
-                       {
+                switch (ia_rcode) 
-                       case IA_BADAUTH:
+                {
-                         printf ("Bad authorization, access denied.\n");
+                case IA_BADAUTH:
-                         break;
+                        printf("Bad authorization, access denied.\n");
-                       case IA_DIALUPERR:
+                        break;
-                         break;
+                case IA_DISABLED:
-                       case IA_DISABLED:
+                        printf("Your login has been disabled. Contact the system ");
-                         printf ("Your login has been disabled. Contact the system ");
+                        printf("administrator for assistance.\n");
-                         printf ("administrator for assistance.\n");
+                        break;
-                         break;
+                case IA_GETSYSV:
-                       case IA_GETSYSV:
+                        printf("getsysv() failed - errno = %d\n", errno);
-                         printf ("getsysv() failed - errno = %d\n", errno);
+                        break;
-                         break;
+                case IA_MAXLOGS:
-                       case IA_LOCALHOST:
+                        printf("Maximum number of failed login attempts exceeded.\n");
-                         break;
+                        printf("Access denied.\n");
-                       case IA_MAXLOGS:
+                        break;
-                         printf ("Maximum number of failed login attempts exceeded.\n");
+                case IA_UDBPWDNULL:
-                         printf ("Access denied.\n");
+                        if (SecureSys)
-                         break;
+                                printf("NULL Password not allowed on MLS systems.\n");
-                       case IA_NOPASS:
+                        break;
-                         break;
+                default:
-                       case IA_PUBLIC:
+                        break;
-                         break;
+                }
-                       case IA_SECURIDERR:
-                         break;
+                /*
-                       case IA_CONSOLE:
+                 *  Authentication failed.
-                         break;
+                 */
-                       case IA_TRUSTED:
+                printf("sshd: Login incorrect, (0%o)\n",
-                         break;
+                    ia_rcode-IA_ERRORCODE);
-                       case IA_UDBERR:
-                         break;
+                /*
-                       case IA_UDBPWDNULL:
+                 *  Initialize structure for ia_failure
-                         /* 
+                 *  which will exit.
-                          * NULL password not allowed on MLS systems
+                 */
-                          */
+                fsent.revision = 0;
-                         if (SecureSys) {
+                fsent.uname = username;
-                           printf("NULL Password not allowed on MLS systems.\n");
+                fsent.host = hostname;
-                         }
+                fsent.ttyn = ttyn;
-                         break;
+                fsent.caller = IA_SSHD;
-                       case IA_UNKNOWN:
+                fsent.flags = IA_INTERACTIVE;
-                         break;
+                fsent.ueptr = &ue;
-                       case IA_UNKNOWNYP:
+                fsent.jid = jid;
-                         break;
+                fsent.errcode = ia_rcode;
-                       case IA_WALERR:
+                fsent.pwdp = uret.pswd;
-                         break;
+                fsent.exitcode = 1;
-                       default:
-                         /* nothing special */
+                fret.revision = 0;
-                         ;
+                fret.normal = 0;
-                       }   /* 2. switch  (ia_rcode) */
-                     /*
+                /*
-                      *  Authentication failed.
+                *  Call ia_failure because of an IA failure.
-                      */
+                *  There is no return because ia_failure exits.
-                     printf("sshd: Login incorrect, (0%o)\n",
+                */
-                            ia_rcode-IA_ERRORCODE);
+                ia_failure(&fsent, &fret);
-                     
-                     /*
+                exit(1); 
-                      *  Initialize structure for ia_failure
+        }
-                      *  which will exit.
-                      */
-                     fsent.revision = 0;
-                     fsent.uname    = username;
-                     fsent.host     = hostname;
-                     fsent.ttyn     = ttyn;
-                     fsent.caller   = IA_SSHD;
-                     fsent.flags    = IA_INTERACTIVE;
-                     fsent.ueptr    = &ue;
-                     fsent.jid      = jid;
-                     fsent.errcode  = ia_rcode;
-                     fsent.pwdp     = uret.pswd;
-                     fsent.exitcode = 1;
-                     
-                     fret.revision  = 0;
-                     fret.normal    = 0;
-                     
-                     /*
-                      *  Call ia_failure because of an IA failure.
-                      *  There is no return because ia_failure exits.
-                      */
-        
-                     ia_failure(&fsent,&fret);
-                     exit(1); 
-        }   /* 1. switch  (ia_rcode) */
        ia_mlsrcode = IA_NORMAL;
        if (SecureSys) {
                debug("calling ia_mlsuser()");
-                ia_mlsrcode = ia_mlsuser (&ue, &secinfo, &usrv, NULL, 0);
+                ia_mlsrcode = ia_mlsuser(&ue, &secinfo, &usrv, NULL, 0);
        }
        if (ia_mlsrcode != IA_NORMAL) {
                printf("sshd: Login incorrect, (0%o)\n",
-                ia_mlsrcode-IA_ERRORCODE);
+                    ia_mlsrcode-IA_ERRORCODE);
                /*
-                 *  Initialize structure for ia_failure
+                 *  Initialize structure for ia_failure
-                 *  which will exit.
+                 *  which will exit.
-                */
+                 */
                fsent.revision = 0;
-                fsent.uname    = username;
+                fsent.uname = username;
-                fsent.host     = hostname;
+                fsent.host = hostname;
-                fsent.ttyn     = ttyn;
+                fsent.ttyn = ttyn;
-                fsent.caller   = IA_SSHD;
+                fsent.caller = IA_SSHD;
-                fsent.flags    = IA_INTERACTIVE;
+                fsent.flags = IA_INTERACTIVE;
-                fsent.ueptr    = &ue;
+                fsent.ueptr = &ue;
-                fsent.jid      = jid;
+                fsent.jid  = jid;
-                fsent.errcode  = ia_mlsrcode;
+                fsent.errcode = ia_mlsrcode;
-                fsent.pwdp     = uret.pswd;
+                fsent.pwdp = uret.pswd;
                fsent.exitcode = 1;
-                fret.revision  = 0;
+                fret.revision = 0;
-                fret.normal    = 0;
+                fret.normal = 0;
                /*
-                *  Call ia_failure because of an IA failure.
+                 *  Call ia_failure because of an IA failure.
-                *  There is no return because ia_failure exits.
+                 *  There is no return because ia_failure exits.
-                */
+                 */
                ia_failure(&fsent,&fret);
                exit(1); 
        }
-        /* Provide login status information */
+        /* Provide login status information */
-        if (options.print_lastlog && ue.ue_logtime != 0) {
+        if (options.print_lastlog && ue.ue_logtime != 0) {
-            printf("Last successful login was : %.*s ",
+                printf("Last successful login was : %.*s ", 19,
-                    19, (char *)ctime(&ue.ue_logtime));
+                    (char *)ctime(&ue.ue_logtime));
-  
-           if (*ue.ue_loghost != '\0')
+                if (*ue.ue_loghost != '\0') {
-                printf("from %.*s\n", sizeof(ue.ue_loghost), ue.ue_loghost);
+                        printf("from %.*s\n", sizeof(ue.ue_loghost),
- 
+                            ue.ue_loghost);
-            else printf("on %.*s\n", sizeof(ue.ue_logline), ue.ue_logline);
+                } else {
- 
+                        printf("on %.*s\n", sizeof(ue.ue_logline),
-            if ( SecureSys && (ue.ue_logfails != 0)) 
+                            ue.ue_logline);
-                printf("  followed by %d failed attempts\n", ue.ue_logfails);
+                }
-        }
+                if (SecureSys && (ue.ue_logfails != 0)) {
-        
+                        printf("  followed by %d failed attempts\n",
+                            ue.ue_logfails);
+                }
+        }
        /*
         * Call ia_success to process successful I/A.
         */
@@ -472,109 +451,116 @@ cray_setup (uid_t uid, char *username, const char *command)
        ssent.jid = jid;
        ssent.errcode = ia_rcode;
        ssent.us = NULL;
-        ssent.time = 1;                  /* Set ue_logtime */
+        ssent.time = 1; /* Set ue_logtime */
        sret.revision = 0;
        sret.normal = 0;
-        ia_success(&ssent,&sret);
+        ia_success(&ssent, &sret);
-        /*
+        /*
-         * Query for account, iff > 1 valid acid & askacid permbit
+         * Query for account, iff > 1 valid acid & askacid permbit
-         */
+         */
-        if (((ue.ue_permbits & PERMBITS_ACCTID) ||
+        if (((ue.ue_permbits & PERMBITS_ACCTID) ||
-             (ue.ue_acids[0] >= 0) && (ue.ue_acids[1] >= 0)) &&
+            (ue.ue_acids[0] >= 0) && (ue.ue_acids[1] >= 0)) &&
-            ue.ue_permbits & PERMBITS_ASKACID) {
+            ue.ue_permbits & PERMBITS_ASKACID) {
                if (ttyname(0) != NULL) {
-                  debug("cray_setup: ttyname true case, %.100s", ttyname);
+                        debug("cray_setup: ttyname true case, %.100s", ttyname);
-                  while (valid_acct == -1) {
+                        while (valid_acct == -1) {
-                        printf("Account (? for available accounts)"
+                                printf("Account (? for available accounts)"
-                               " [%s]: ", acid2nam(ue.ue_acids[0]));
+                                    " [%s]: ", acid2nam(ue.ue_acids[0]));
-                        gets(acct_name);
+                                fgets(acct_name, MAXACID, stdin);
-                        switch (acct_name[0]) {
+                                switch (acct_name[0]) {
-                        case EOF:
+                                case EOF:
-                                exit(0);
+                                        exit(0);
-                                break;
+                                        break;
-                        case '\0':
+                                case '\0':
-                                valid_acct = ue.ue_acids[0];
+                                        valid_acct = ue.ue_acids[0];
-                                strcpy(acct_name, acid2nam(valid_acct));
+                                        strlcpy(acct_name, acid2nam(valid_acct), MAXACID);
-                                break;
+                                        break;
-                        case '?':
+                                case '?':
-                                /* Print the list 3 wide */
+                                        /* Print the list 3 wide */
-                                for (i = 0, j = 0; i < MAXVIDS; i++) {
+                                        for (i = 0, j = 0; i < MAXVIDS; i++) {
-                                        if (ue.ue_acids[i] == -1) {
+                                                if (ue.ue_acids[i] == -1) {
-                                                printf("\n");
+                                                        printf("\n");
-                                                break;
+                                                        break;
-                                        }
+                                                }
-                                        if (++j == 4) {
+                                                if (++j == 4) {
-                                                j = 1;
+                                                        j = 1;
-                                                printf("\n");
+                                                        printf("\n");
-                                        }
+                                                }
-                                        printf(" %s",
+                                                printf(" %s",
-                                               acid2nam(ue.ue_acids[i]));
+                                                    acid2nam(ue.ue_acids[i]));
-                                }
+                                        }
-                                if (ue.ue_permbits & PERMBITS_ACCTID)
+                                        if (ue.ue_permbits & PERMBITS_ACCTID) {
-                                        printf("\"acctid\" permbit also allows"
+                                                printf("\"acctid\" permbit also allows"
-                                               " you to select any valid "
+                                                    " you to select any valid "
-                                               "account name.\n");
+                                                    "account name.\n");
-                                printf("\n");
+                                        }
-                                break;
+                                        printf("\n");
-                        default:
+                                        break;
-                                if ((valid_acct = nam2acid(acct_name)) == -1)                                        printf("Account id not found for"
+                                default:
-                                               " account name \"%s\"\n\n",
+                                        valid_acct = nam2acid(acct_name);
-                                               acct_name);
+                                        if (valid_acct == -1) {
-                                break;
+                                                printf(
-                        }
+                                                    "Account id not found for"
-                        /*
+                                                    " account name \"%s\"\n\n",
-                         * If an account was given, search the user's
+                                                    acct_name);
-                         * acids array to verify they can use this account.
+                                        break;
-                         */
+                                        }
-                        if ((valid_acct != -1) &&
+                                        /*
-                            !(ue.ue_permbits & PERMBITS_ACCTID)) {
+                                         * If an account was given, search the user's
-                                for (i = 0; i < MAXVIDS; i++) {
+                                         * acids array to verify they can use this account.
-                                        if (ue.ue_acids[i] == -1)
+                                         */
-                                                break;
+                                        if ((valid_acct != -1) &&
-                                        if (valid_acct == ue.ue_acids[i])
+                                            !(ue.ue_permbits & PERMBITS_ACCTID)) {
-                                                break;
+                                                for (i = 0; i < MAXVIDS; i++) {
-                                }
+                                                        if (ue.ue_acids[i] == -1)
-                                if (i == MAXVIDS ||
+                                                                break;
-                                    ue.ue_acids[i] == -1) {
+                                                        if (valid_acct == ue.ue_acids[i])
-                                        fprintf(stderr, "Cannot set"
+                                                                break;
-                                                " account name to "
+                                                }
-                                                "\"%s\", permission "
+                                                if (i == MAXVIDS ||
-                                                "denied\n\n", acct_name);
+                                                    ue.ue_acids[i] == -1) {
-                                        valid_acct = -1;
+                                                        fprintf(stderr, "Cannot set"
-                                }
+                                                            " account name to "
-                        }
+                                                            "\"%s\", permission "
-                  }
+                                                            "denied\n\n", acct_name);
+                                                        valid_acct = -1;
+                                                }
+                                        }
+                                }
+                        } else {
+                                /*
+                                 * The client isn't connected to a terminal and can't
+                                 * respond to an acid prompt.  Use default acid.
+                                 */
+                                debug("cray_setup: ttyname false case, %.100s",
+                                    ttyname);
+                                valid_acct = ue.ue_acids[0];
+                        }
                } else {
                        /*
-                         * The client isn't connected to a terminal and can't
+                         * The user doesn't have the askacid permbit set or
-                         * respond to an acid prompt.  Use default acid.
+                         * only has one valid account to use.
                         */
-                        debug("cray_setup: ttyname false case, %.100s", ttyname);
                        valid_acct = ue.ue_acids[0];
                }
-        } else {
+                if (acctid(0, valid_acct) < 0) {
-                /*
+                        printf ("Bad account id: %d\n", valid_acct);
-                 * The user doesn't have the askacid permbit set or
+                        exit(1);
-                 * only has one valid account to use.
+        }
-                 */
-                valid_acct = ue.ue_acids[0];
+        /* 
-        }
+         * Now set shares, quotas, limits, including CPU time for the 
-        if (acctid(0, valid_acct) < 0) {
+         * (interactive) job and process, and set up permissions 
-                printf ("Bad account id: %d\n", valid_acct);
+         * (for chown etc), etc.
-                exit(1);
+         */
-        }
-/* set up shares and quotas */
-/* Now set shares, quotas, limits, including CPU time for the (interactive) 
- * job and process, and set up permissions (for chown etc), etc.
- */
        if (setshares(ue.ue_uid, valid_acct, printf, 0, 0)) {
-                printf("Unable to give %d shares to <%s>(%d/%d)\n", ue.ue_shares, ue.ue_name, ue.ue_uid, valid_acct);
+                printf("Unable to give %d shares to <%s>(%d/%d)\n",
+                    ue.ue_shares, ue.ue_name, ue.ue_uid, valid_acct);
                exit(1);
-        }
+        }
        sr = setlimits(username, C_PROC, pid, UDBRC_INTER);
        if (sr != NULL) {
@@ -587,17 +573,15 @@ cray_setup (uid_t uid, char *username, const char *command)
                exit(1);
        }
        /*
-         * Place the service provider information into
+         * Place the service provider information into
         * the session table (Unicos) or job table (Unicos/mk).
         * There exist double defines for the job/session table in
         * unicos/mk (jtab.h) so no need for a compile time switch.
         */
-        bzero((char *)&init_info, sizeof(struct servprov));
+        memset(&init_info, '\0', sizeof(init_info));
-        init_info.s_sessinit.si_id  = URM_SPT_LOGIN;
+        init_info.s_sessinit.si_id = URM_SPT_LOGIN;
        init_info.s_sessinit.si_pid = getpid();
        init_info.s_sessinit.si_sid = jid;
-        init_info.s_routing.seqno = 0;
-        init_info.s_routing.iadrs = 0;
        sesscntl(0, S_SETSERVPO, (int)&init_info);
        /*
@@ -610,7 +594,7 @@ cray_setup (uid_t uid, char *username, const char *command)
                }
        }
-        return(0);
+        return (0);
 }
 /*
@@ -623,10 +607,10 @@ void
 drop_cray_privs()
 {
 #if defined(_SC_CRAY_PRIV_SU)
-        priv_proc_t*              privstate;
+        priv_proc_t *privstate;
-        int                       result;
+        int result;
-        extern      int           priv_set_proc();
+        extern int priv_set_proc();
-        extern      priv_proc_t*  priv_init_proc();
+        extern priv_proc_t *priv_init_proc();
        /*
         * If ether of theses two flags are not set
@@ -654,15 +638,17 @@ drop_cray_privs()
        usrv.sv_intcat = TFM_SYSTEM;
        usrv.sv_valcat |= (TFM_SYSTEM | TFM_SYSFILE);
-        if (setusrv(&usrv) < 0)
+        if (setusrv(&usrv) < 0) {
                fatal("%s(%d): setusrv(): %s", __FILE__, __LINE__,
                    strerror(errno));
+        }
        if ((privstate = priv_init_proc()) != NULL) {
                result = priv_set_proc(privstate);
-                if (result != 0 )
+                if (result != 0 ) {
                        fatal("%s(%d): priv_set_proc(): %s",
                            __FILE__, __LINE__, strerror(errno));
+                }
                priv_free_proc(privstate);
        }
        debug ("Privileges should be cleared...");
@@ -683,6 +669,7 @@ cray_retain_utmp(struct utmp *ut, int pid)
        struct utmp utmp;
        if ((fd = open(UTMP_FILE, O_RDONLY)) != -1) {
+                /* XXX use atomicio */
                while (read(fd, (char *)&utmp, sizeof(utmp)) == sizeof(utmp)) {
                        if (pid == utmp.ut_pid) {
                                ut->ut_jid = utmp.ut_jid;
@@ -693,9 +680,8 @@ cray_retain_utmp(struct utmp *ut, int pid)
                        }
                }
                close(fd);
-        }
+        } else
-        else
+                fatal("Unable to open utmp file");
-        fatal("Unable to open utmp file");
 }
 /*
@@ -708,11 +694,9 @@ cray_retain_utmp(struct utmp *ut, int pid)
 void
 cray_delete_tmpdir(char *login, int jid, uid_t uid)
 {
-        int child;
        static char jtmp[TPATHSIZ];
        struct stat statbuf;
-        int c;
+        int child, c, wstat;
-        int wstat;
        for (c = 'a'; c <= 'z'; c++) {
                snprintf(jtmp, TPATHSIZ, "%s/jtmp.%06d%c", JTMPDIR, jid, c);
diff --git a/openbsd-compat/bsd-cray.h b/openbsd-compat/bsd-cray.h
index a09954f2f..a121ea152 100644
--- a/openbsd-compat/bsd-cray.h
+++ b/openbsd-compat/bsd-cray.h
@@ -1,8 +1,6 @@
-/* 
+/* $Id: bsd-cray.h,v 1.10 2003/08/29 16:59:52 mouring Exp $ */
- * $Id: bsd-cray.h,v 1.7 2003/03/21 01:05:38 mouring Exp $
- *
+/*
- * bsd-cray.h
- *
 * Copyright (c) 2002, Cray Inc.  (Wendy Palm <wendyp@cray.com>)
 * Significant portions provided by 
 *          Wayne Schroeder, SDSC <schroeder@sdsc.edu>
@@ -34,25 +32,31 @@
 * on UNICOS systems.
 *
 */
 #ifndef _BSD_CRAY_H
 #define _BSD_CRAY_H
 #ifdef _UNICOS
-void cray_init_job(struct passwd *);            /* init cray job */
-void cray_job_termination_handler(int);         /* process end of job signal */
+void cray_init_job(struct passwd *);
-void cray_login_failure(char *username, int errcode);
+void cray_job_termination_handler(int);
-int cray_access_denied(char *username);
+void cray_login_failure(char *, int );
-extern  char   cray_tmpdir[];                   /* cray tmpdir */
+int cray_access_denied(char *);
+#define CUSTOM_FAILED_LOGIN 1
+void record_failed_login(const char *, const char *);
+extern char cray_tmpdir[];
 #ifndef IA_SSHD
-#define IA_SSHD IA_LOGIN
+# define IA_SSHD IA_LOGIN
 #endif
 #ifndef MAXHOSTNAMELEN
-#define MAXHOSTNAMELEN  64
+# define MAXHOSTNAMELEN  64
 #endif
 #ifndef _CRAYT3E
-#include <sys/ttold.h>
+# include <sys/ttold.h>
-#define TIOCGPGRP (tIOC|20)
+# define TIOCGPGRP (tIOC|20)
-#endif
 #endif
+#endif /* UNICOS */
 #endif /* _BSD_CRAY_H */
diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c
index 0fa5964bc..a87cf3c97 100644
--- a/openbsd-compat/bsd-cygwin_util.c
+++ b/openbsd-compat/bsd-cygwin_util.c
@@ -1,6 +1,4 @@
 /*
- * cygwin_util.c
- *
 * Copyright (c) 2000, 2001, Corinna Vinschen <vinschen@cygnus.com>
 *
 * Redistribution and use in source and binary forms, with or without
@@ -31,7 +29,7 @@
 #include "includes.h"
-RCSID("$Id: bsd-cygwin_util.c,v 1.9 2002/11/09 15:59:29 mouring Exp $");
+RCSID("$Id: bsd-cygwin_util.c,v 1.11 2003/08/07 06:23:43 dtucker Exp $");
 #ifdef HAVE_CYGWIN
@@ -53,7 +51,8 @@ RCSID("$Id: bsd-cygwin_util.c,v 1.9 2002/11/09 15:59:29 mouring Exp $");
 # undef pipe
 #endif
-int binary_open(const char *filename, int flags, ...)
+int 
+binary_open(const char *filename, int flags, ...)
 {
        va_list ap;
        mode_t mode;
@@ -61,55 +60,56 @@ int binary_open(const char *filename, int flags, ...)
        va_start(ap, flags);
        mode = va_arg(ap, mode_t);
        va_end(ap);
-        return open(filename, flags | O_BINARY, mode);
+        return (open(filename, flags | O_BINARY, mode));
 }
-int binary_pipe(int fd[2])
+int 
+binary_pipe(int fd[2])
 {
        int ret = pipe(fd);
        if (!ret) {
-                setmode (fd[0], O_BINARY);
+                setmode(fd[0], O_BINARY);
-                setmode (fd[1], O_BINARY);
+                setmode(fd[1], O_BINARY);
        }
-        return ret;
+        return (ret);
 }
 #define HAS_CREATE_TOKEN 1
 #define HAS_NTSEC_BY_DEFAULT 2
-static int has_capability(int what)
+static int 
+has_capability(int what)
 {
-        /* has_capability() basically calls uname() and checks if
-           specific capabilities of Cygwin can be evaluated from that.
-           This simplifies the calling functions which only have to ask
-           for a capability using has_capability() instead of having
-           to figure that out by themselves. */
        static int inited;
        static int has_create_token;
        static int has_ntsec_by_default;
+        /* 
+         * has_capability() basically calls uname() and checks if
+         * specific capabilities of Cygwin can be evaluated from that.
+         * This simplifies the calling functions which only have to ask
+         * for a capability using has_capability() instead of having
+         * to figure that out by themselves.
+         */
        if (!inited) {
                struct utsname uts;
                char *c;
                
                if (!uname(&uts)) {
-                        int major_high = 0;
+                        int major_high = 0, major_low = 0, minor = 0;
-                        int major_low = 0;
+                        int api_major_version = 0, api_minor_version = 0;
-                        int minor = 0;
-                        int api_major_version = 0;
-                        int api_minor_version = 0;
                        char *c;
                        sscanf(uts.release, "%d.%d.%d", &major_high,
-                               &major_low, &minor);
+                            &major_low, &minor);
-                        c = strchr(uts.release, '(');
+                        if ((c = strchr(uts.release, '(')) != NULL) {
-                        if (c)
                                sscanf(c + 1, "%d.%d", &api_major_version,
-                                       &api_minor_version);
+                                    &api_minor_version);
+                        }
                        if (major_high > 1 ||
                            (major_high == 1 && (major_low > 3 ||
-                             (major_low == 3 && minor >= 2))))
+                            (major_low == 3 && minor >= 2))))
                                has_create_token = 1;
                        if (api_major_version > 0 || api_minor_version >= 56)
                                has_ntsec_by_default = 1;
@@ -118,14 +118,15 @@ static int has_capability(int what)
        }
        switch (what) {
        case HAS_CREATE_TOKEN:
-                return has_create_token;
+                return (has_create_token);
        case HAS_NTSEC_BY_DEFAULT:
-                return has_ntsec_by_default;
+                return (has_ntsec_by_default);
        }
-        return 0;
+        return (0);
 }
-int check_nt_auth(int pwd_authenticated, struct passwd *pw)
+int
+check_nt_auth(int pwd_authenticated, struct passwd *pw)
 {
        /*
        * The only authentication which is able to change the user
@@ -149,34 +150,33 @@ int check_nt_auth(int pwd_authenticated, struct passwd *pw)
                        has_create_token = 0;
                        if (has_capability(HAS_CREATE_TOKEN) &&
                            (ntsec_on(cygwin) ||
-                             (has_capability(HAS_NTSEC_BY_DEFAULT) &&
+                            (has_capability(HAS_NTSEC_BY_DEFAULT) &&
-                              !ntsec_off(cygwin))))
+                            !ntsec_off(cygwin))))
                                has_create_token = 1;
                }
                if (has_create_token < 1 &&
                    !pwd_authenticated && geteuid() != pw->pw_uid)
-                        return 0;
+                        return (0);
        }
-        return 1;
+        return (1);
 }
-int check_ntsec(const char *filename)
+int
+check_ntsec(const char *filename)
 {
        char *cygwin;
-        int allow_ntea = 0;
+        int allow_ntea = 0, allow_ntsec = 0;
-        int allow_ntsec = 0;
        struct statfs fsstat;
        /* Windows 95/98/ME don't support file system security at all. */
        if (!is_winnt)
-                return 0;
+                return (0);
        /* Evaluate current CYGWIN settings. */
        cygwin = getenv("CYGWIN");
        allow_ntea = ntea_on(cygwin);
        allow_ntsec = ntsec_on(cygwin) ||
-                      (has_capability(HAS_NTSEC_BY_DEFAULT) &&
+            (has_capability(HAS_NTSEC_BY_DEFAULT) && !ntsec_off(cygwin));
-                       !ntsec_off(cygwin));
        /*
         * `ntea' is an emulation of POSIX attributes. It doesn't support
@@ -185,14 +185,14 @@ int check_ntsec(const char *filename)
         * for security checks.
         */
        if (allow_ntea)
-                return 1;
+                return (1);
        /*
         * Retrieve file system flags. In Cygwin, file system flags are
         * copied to f_type which has no meaning in Win32 itself.
         */
        if (statfs(filename, &fsstat))
-                return 1;
+                return (1);
        /*
         * Only file systems supporting ACLs are able to set permissions.
@@ -200,12 +200,13 @@ int check_ntsec(const char *filename)
         * ACLs to support POSIX permissions on files.
         */
        if (fsstat.f_type & FS_PERSISTENT_ACLS)
-                return allow_ntsec;
+                return (allow_ntsec);
-        return 0;
+        return (0);
 }
-void register_9x_service(void)
+void
+register_9x_service(void)
 {
        HINSTANCE kerneldll;
        DWORD (*RegisterServiceProcess)(DWORD, DWORD);
@@ -219,10 +220,10 @@ void register_9x_service(void)
         */
        if (is_winnt)
                return;
-        if (! (kerneldll = LoadLibrary("KERNEL32.DLL")))
+        if (!(kerneldll = LoadLibrary("KERNEL32.DLL")))
                return;
-        if (! (RegisterServiceProcess = (DWORD (*)(DWORD, DWORD))
+        if (!(RegisterServiceProcess = (DWORD (*)(DWORD, DWORD))
-                          GetProcAddress(kerneldll, "RegisterServiceProcess")))
+                GetProcAddress(kerneldll, "RegisterServiceProcess")))
                return;
        RegisterServiceProcess(0, 1);
 }
diff --git a/openbsd-compat/bsd-cygwin_util.h b/openbsd-compat/bsd-cygwin_util.h
index af470bdd8..5ccb0fba2 100644
--- a/openbsd-compat/bsd-cygwin_util.h
+++ b/openbsd-compat/bsd-cygwin_util.h
@@ -1,8 +1,6 @@
-/* $Id: bsd-cygwin_util.h,v 1.7 2002/04/15 22:00:52 stevesk Exp $ */
+/* $Id: bsd-cygwin_util.h,v 1.10 2003/08/07 06:28:16 dtucker Exp $ */
 /*
- * cygwin_util.c
- *
 * Copyright (c) 2000, 2001, Corinna Vinschen <vinschen@cygnus.com>
 *
 * Redistribution and use in source and binary forms, with or without
@@ -36,12 +34,17 @@
 #ifdef HAVE_CYGWIN
+#undef ERROR
+#define is_winnt       (GetVersion() < 0x80000000)
+#include <windows.h>
+#include <sys/cygwin.h>
 #include <io.h>
-int binary_open(const char *filename, int flags, ...);
+int binary_open(const char *, int , ...);
 int binary_pipe(int fd[2]);
-int check_nt_auth(int pwd_authenticated, struct passwd *pw);
+int check_nt_auth(int, struct passwd *);
-int check_ntsec(const char *filename);
+int check_ntsec(const char *);
 void register_9x_service(void);
 #define open binary_open
diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c
index b8e9996d5..08b089bdc 100644
--- a/openbsd-compat/bsd-misc.c
+++ b/openbsd-compat/bsd-misc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999-2000 Damien Miller.  All rights reserved.
+ * Copyright (c) 1999-2003 Damien Miller.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -25,13 +25,13 @@
 #include "includes.h"
 #include "xmalloc.h"
-RCSID("$Id: bsd-misc.c,v 1.12 2003/03/18 18:21:41 tim Exp $");
+RCSID("$Id: bsd-misc.c,v 1.19 2003/08/25 01:16:21 mouring Exp $");
 /*
 * NB. duplicate __progname in case it is an alias for argv[0]
 * Otherwise it may get clobbered by setproctitle()
 */
-char *get_progname(char *argv0)
+char *ssh_get_progname(char *argv0)
 {
 #ifdef HAVE___PROGNAME
        extern char *__progname;
@@ -41,21 +41,21 @@ char *get_progname(char *argv0)
        char *p;
        if (argv0 == NULL)
-                return "unknown";       /* XXX */
+                return ("unknown");     /* XXX */
        p = strrchr(argv0, '/');
        if (p == NULL)
                p = argv0;
        else
                p++;
-        return xstrdup(p);
+        return (xstrdup(p));
 #endif
 }
 #ifndef HAVE_SETLOGIN
 int setlogin(const char *name)
 {
-        return(0);
+        return (0);
 }
 #endif /* !HAVE_SETLOGIN */
@@ -63,21 +63,21 @@ int setlogin(const char *name)
 int innetgr(const char *netgroup, const char *host, 
            const char *user, const char *domain)
 {
-        return(0);
+        return (0);
 }
 #endif /* HAVE_INNETGR */
 #if !defined(HAVE_SETEUID) && defined(HAVE_SETREUID)
 int seteuid(uid_t euid)
 {
-        return(setreuid(-1,euid));
+        return (setreuid(-1, euid));
 }
 #endif /* !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) */
 #if !defined(HAVE_SETEGID) && defined(HAVE_SETRESGID)
 int setegid(uid_t egid)
 {
-        return(setresgid(-1,egid,-1));
+        return(setresgid(-1, egid, -1));
 }
 #endif /* !defined(HAVE_SETEGID) && defined(HAVE_SETRESGID) */
@@ -88,9 +88,9 @@ const char *strerror(int e)
        extern char *sys_errlist[];
        
        if ((e >= 0) && (e < sys_nerr))
-                return(sys_errlist[e]);
+                return (sys_errlist[e]);
-        else
-                return("unlisted error");
+        return ("unlisted error");
 }
 #endif
@@ -102,24 +102,25 @@ int utimes(char *filename, struct timeval *tvp)
        ub.actime = tvp[0].tv_sec;
        ub.modtime = tvp[1].tv_sec;
        
-        return(utime(filename, &ub));
+        return (utime(filename, &ub));
 }
 #endif 
 #ifndef HAVE_TRUNCATE
-int truncate (const char *path, off_t length)
+int truncate(const char *path, off_t length)
 {
        int fd, ret, saverrno;
        fd = open(path, O_WRONLY);
        if (fd < 0)
-                return -1;
+                return (-1);
        ret = ftruncate(fd, length);
        saverrno = errno;
-        (void) close (fd);
+        close(fd);
        if (ret == -1)
                errno = saverrno;
        return(ret);
 }
 #endif /* HAVE_TRUNCATE */
@@ -131,7 +132,7 @@ int truncate (const char *path, off_t length)
 int
 setgroups(size_t size, const gid_t *list)
 {
-        return 0;
+        return (0);
 }
 #endif 
@@ -166,3 +167,62 @@ int nanosleep(const struct timespec *req, struct timespec *rem)
 #endif
+#ifndef HAVE_TCGETPGRP
+pid_t
+tcgetpgrp(int fd)
+{
+        int ctty_pgrp;
+        if (ioctl(fd, TIOCGPGRP, &ctty_pgrp) == -1)
+                return(-1);
+        else
+                return(ctty_pgrp);
+}
+#endif /* HAVE_TCGETPGRP */
+#ifndef HAVE_TCSENDBREAK
+int
+tcsendbreak(int fd, int duration)
+{
+# if defined(TIOCSBRK) && defined(TIOCCBRK)
+        struct timeval sleepytime;
+        sleepytime.tv_sec = 0;
+        sleepytime.tv_usec = 400000;
+        if (ioctl(fd, TIOCSBRK, 0) == -1)
+                return (-1);
+        (void)select(0, 0, 0, 0, &sleepytime);
+        if (ioctl(fd, TIOCCBRK, 0) == -1)
+                return (-1);
+        return (0);
+# else
+        return -1;
+# endif
+}
+#endif /* HAVE_TCSENDBREAK */
+mysig_t
+mysignal(int sig, mysig_t act)
+{
+#ifdef HAVE_SIGACTION
+        struct sigaction sa, osa;
+        if (sigaction(sig, NULL, &osa) == -1)
+                return (mysig_t) -1;
+        if (osa.sa_handler != act) {
+                memset(&sa, 0, sizeof(sa));
+                sigemptyset(&sa.sa_mask);
+                sa.sa_flags = 0;
+#ifdef SA_INTERRUPT
+                if (sig == SIGALRM)
+                        sa.sa_flags |= SA_INTERRUPT;
+#endif
+                sa.sa_handler = act;
+                if (sigaction(sig, &sa, NULL) == -1)
+                        return (mysig_t) -1;
+        }
+        return (osa.sa_handler);
+#else
+        return (signal(sig, act));
+#endif
+}
diff --git a/openbsd-compat/bsd-misc.h b/openbsd-compat/bsd-misc.h
index 78d9ccdd4..6b70473f3 100644
--- a/openbsd-compat/bsd-misc.h
+++ b/openbsd-compat/bsd-misc.h
@@ -1,5 +1,7 @@
+/* $Id: bsd-misc.h,v 1.13 2003/08/29 16:59:52 mouring Exp $ */
 /*
- * Copyright (c) 1999-2000 Damien Miller.  All rights reserved.
+ * Copyright (c) 1999-2003 Damien Miller.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -22,42 +24,39 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
-/* $Id: bsd-misc.h,v 1.7 2003/03/18 18:21:41 tim Exp $ */
 #ifndef _BSD_MISC_H
 #define _BSD_MISC_H
-#include "config.h"
+#include "includes.h"
-char *get_progname(char *argv0);
+char *ssh_get_progname(char *);
 #ifndef HAVE_SETSID
 #define setsid() setpgrp(0, getpid())
 #endif /* !HAVE_SETSID */
 #ifndef HAVE_SETENV
-int setenv(const char *name, const char *value, int overwrite);
+int setenv(const char *, const char *, int);
 #endif /* !HAVE_SETENV */
 #ifndef HAVE_SETLOGIN
-int setlogin(const char *name);
+int setlogin(const char *);
 #endif /* !HAVE_SETLOGIN */
 #ifndef HAVE_INNETGR
-int innetgr(const char *netgroup, const char *host, 
+int innetgr(const char *, const char *, const char *, const char *);
-            const char *user, const char *domain);
 #endif /* HAVE_INNETGR */
 #if !defined(HAVE_SETEUID) && defined(HAVE_SETREUID)
-int seteuid(uid_t euid);
+int seteuid(uid_t);
 #endif /* !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) */
 #if !defined(HAVE_SETEGID) && defined(HAVE_SETRESGID)
-int setegid(uid_t egid);
+int setegid(uid_t);
 #endif /* !defined(HAVE_SETEGID) && defined(HAVE_SETRESGID) */
 #if !defined(HAVE_STRERROR) && defined(HAVE_SYS_ERRLIST) && defined(HAVE_SYS_NERR)
-const char *strerror(int e);
+const char *strerror(int);
 #endif 
@@ -69,15 +68,15 @@ struct timeval {
 }
 #endif /* HAVE_STRUCT_TIMEVAL */
-int utimes(char *filename, struct timeval *tvp);
+int utimes(char *, struct timeval *);
 #endif /* HAVE_UTIMES */
 #ifndef HAVE_TRUNCATE
-int truncate (const char *path, off_t length);
+int truncate (const char *, off_t);
 #endif /* HAVE_TRUNCATE */
 #if !defined(HAVE_SETGROUPS) && defined(SETGROUPS_NOOP)
-int setgroups(size_t size, const gid_t *list);
+int setgroups(size_t, const gid_t *);
 #endif
 #if !defined(HAVE_NANOSLEEP) && !defined(HAVE_NSLEEP)
@@ -87,7 +86,21 @@ struct timespec {
        long    tv_nsec;
 };
 #endif
-int nanosleep(const struct timespec *req, struct timespec *rem);
+int nanosleep(const struct timespec *, struct timespec *);
+#endif
+#ifndef HAVE_TCGETPGRP
+pid_t tcgetpgrp(int);
+#endif
+#ifndef HAVE_TCSENDBREAK
+int tcsendbreak(int, int);
 #endif
+/* wrapper for signal interface */
+typedef void (*mysig_t)(int);
+mysig_t mysignal(int sig, mysig_t act);
+#define signal(a,b) mysignal(a,b)
 #endif /* _BSD_MISC_H */
diff --git a/openbsd-compat/bsd-nextstep.c b/openbsd-compat/bsd-nextstep.c
index 85b298a48..bd35a3afc 100644
--- a/openbsd-compat/bsd-nextstep.c
+++ b/openbsd-compat/bsd-nextstep.c
@@ -1,4 +1,6 @@
 /*
+ * Copyright (c) 2000,2001 Ben Lindstrom.  All rights reserved.
+ *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@@ -22,7 +24,7 @@
 #include "includes.h"
-RCSID("$Id: bsd-nextstep.c,v 1.4 2001/03/26 05:35:34 mouring Exp $");
+RCSID("$Id: bsd-nextstep.c,v 1.6 2003/06/01 03:23:57 mouring Exp $");
 #ifdef HAVE_NEXT
 #include <errno.h>
@@ -40,7 +42,7 @@ posix_wait(int *status)
        if (status)
                *status = (int) statusp.w_status;
-        return wait_pid;
+        return (wait_pid);
 }
 int
diff --git a/openbsd-compat/bsd-nextstep.h b/openbsd-compat/bsd-nextstep.h
index c6a7019c6..ca5b4b54a 100644
--- a/openbsd-compat/bsd-nextstep.h
+++ b/openbsd-compat/bsd-nextstep.h
@@ -1,4 +1,8 @@
+/* $Id: bsd-nextstep.h,v 1.9 2003/08/29 16:59:52 mouring Exp $ */
 /*
+ * Copyright (c) 2000,2001 Ben Lindstrom.  All rights reserved.
+ *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@@ -21,8 +25,6 @@
 *
 */
-/* $Id: bsd-nextstep.h,v 1.6 2001/03/19 13:42:22 mouring Exp $ */
 #ifndef _NEXT_POSIX_H
 #define _NEXT_POSIX_H
@@ -37,22 +39,21 @@
 #define dirent direct
 /* Swap out NeXT's BSD wait() for a more POSIX complient one */
-pid_t posix_wait(int *status);
+pid_t posix_wait(int *);
 #define wait(a) posix_wait(a)
 /* #ifdef wrapped functions that need defining for clean compiling */
 pid_t getppid(void);
 void vhangup(void);
-int innetgr(const char *netgroup, const char *host, const char *user, 
+int innetgr(const char *, const char *, const char *, const char *);
-            const char *domain);
 /* TERMCAP */
-int tcgetattr(int fd, struct termios *t);
+int tcgetattr(int, struct termios *);
-int tcsetattr(int fd, int opt, const struct termios *t);
+int tcsetattr(int, int, const struct termios *);
-int tcsetpgrp(int fd, pid_t pgrp);
+int tcsetpgrp(int, pid_t);
-speed_t cfgetospeed(const struct termios *t);
+speed_t cfgetospeed(const struct termios *);
-speed_t cfgetispeed(const struct termios *t);
+speed_t cfgetispeed(const struct termios *);
-int cfsetospeed(struct termios *t, int speed);
+int cfsetospeed(struct termios *, int);
-int cfsetispeed(struct termios *t, int speed);
+int cfsetispeed(struct termios *, int);
 #endif /* HAVE_NEXT */
 #endif /* _NEXT_POSIX_H */
diff --git a/openbsd-compat/bsd-snprintf.c b/openbsd-compat/bsd-snprintf.c
index 2f82180d1..e4d8a439a 100644
--- a/openbsd-compat/bsd-snprintf.c
+++ b/openbsd-compat/bsd-snprintf.c
@@ -58,7 +58,7 @@
 #include "includes.h"
-RCSID("$Id: bsd-snprintf.c,v 1.6 2003/04/01 11:31:56 djm Exp $");
+RCSID("$Id: bsd-snprintf.c,v 1.7 2003/05/18 14:13:39 djm Exp $");
 #if defined(BROKEN_SNPRINTF)            /* For those with broken snprintf() */
 # undef HAVE_SNPRINTF
@@ -72,15 +72,15 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args);
 static void 
 fmtstr(char *buffer, size_t *currlen, size_t maxlen, char *value, int flags, 
-       int min, int max);
+    int min, int max);
 static void 
 fmtint(char *buffer, size_t *currlen, size_t maxlen, long value, int base, 
-       int min, int max, int flags);
+    int min, int max, int flags);
 static void 
 fmtfp(char *buffer, size_t *currlen, size_t maxlen, long double fvalue, 
-      int min, int max, int flags);
+    int min, int max, int flags);
 static void
 dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c);
@@ -121,15 +121,10 @@ dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c);
 static void 
 dopr(char *buffer, size_t maxlen, const char *format, va_list args)
 {
-        char *strvalue;
+        char *strvalue, ch;
-        char ch;
        long value;
        long double fvalue;
-        int min = 0;
+        int min = 0, max = -1, state = DP_S_DEFAULT, flags = 0, cflags = 0;
-        int max = -1;
-        int state = DP_S_DEFAULT;
-        int flags = 0;
-        int cflags = 0;
        size_t currlen = 0;
  
        ch = *format++;
@@ -139,224 +134,224 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args)
                        state = DP_S_DONE;
                switch(state) {
-                        case DP_S_DEFAULT:
+                case DP_S_DEFAULT:
-                                if (ch == '%') 
+                        if (ch == '%') 
-                                        state = DP_S_FLAGS;
+                                state = DP_S_FLAGS;
-                                else 
+                        else 
-                                        dopr_outch(buffer, &currlen, maxlen, ch);
+                                dopr_outch(buffer, &currlen, maxlen, ch);
+                        ch = *format++;
+                        break;
+                case DP_S_FLAGS:
+                        switch (ch) {
+                        case '-':
+                                flags |= DP_F_MINUS;
                                ch = *format++;
                                break;
-                        case DP_S_FLAGS:
+                        case '+':
-                                switch (ch) {
+                                flags |= DP_F_PLUS;
-                                        case '-':
+                                ch = *format++;
-                                                flags |= DP_F_MINUS;
-                                                ch = *format++;
-                                                break;
-                                        case '+':
-                                                flags |= DP_F_PLUS;
-                                                ch = *format++;
-                                                break;
-                                        case ' ':
-                                                flags |= DP_F_SPACE;
-                                                ch = *format++;
-                                                break;
-                                        case '#':
-                                                flags |= DP_F_NUM;
-                                                ch = *format++;
-                                                break;
-                                        case '0':
-                                                flags |= DP_F_ZERO;
-                                                ch = *format++;
-                                                break;
-                                        default:
-                                                state = DP_S_MIN;
-                                                break;
-                                }
                                break;
-                        case DP_S_MIN:
+                        case ' ':
-                                if (isdigit((unsigned char)ch)) {
+                                flags |= DP_F_SPACE;
-                                        min = 10*min + char_to_int (ch);
+                                ch = *format++;
-                                        ch = *format++;
-                                } else if (ch == '*') {
-                                        min = va_arg (args, int);
-                                        ch = *format++;
-                                        state = DP_S_DOT;
-                                } else 
-                                        state = DP_S_DOT;
                                break;
-                        case DP_S_DOT:
+                        case '#':
-                                if (ch == '.') {
+                                flags |= DP_F_NUM;
-                                        state = DP_S_MAX;
+                                ch = *format++;
-                                        ch = *format++;
-                                } else 
-                                        state = DP_S_MOD;
                                break;
-                        case DP_S_MAX:
+                        case '0':
-                                if (isdigit((unsigned char)ch)) {
+                                flags |= DP_F_ZERO;
-                                        if (max < 0)
+                                ch = *format++;
-                                                max = 0;
-                                        max = 10*max + char_to_int(ch);
-                                        ch = *format++;
-                                } else if (ch == '*') {
-                                        max = va_arg (args, int);
-                                        ch = *format++;
-                                        state = DP_S_MOD;
-                                } else 
-                                        state = DP_S_MOD;
                                break;
-                        case DP_S_MOD:
+                        default:
-                                switch (ch) {
+                                state = DP_S_MIN;
-                                        case 'h':
-                                                cflags = DP_C_SHORT;
-                                                ch = *format++;
-                                                break;
-                                        case 'l':
-                                                cflags = DP_C_LONG;
-                                                ch = *format++;
-                                                if (ch == 'l') {
-                                                        cflags = DP_C_LONG_LONG;
-                                                        ch = *format++;
-                                                }
-                                                break;
-                                        case 'q':
-                                                cflags = DP_C_LONG_LONG;
-                                                ch = *format++;
-                                                break;
-                                        case 'L':
-                                                cflags = DP_C_LDOUBLE;
-                                                ch = *format++;
-                                                break;
-                                        default:
-                                                break;
-                                }
-                                state = DP_S_CONV;
                                break;
-                        case DP_S_CONV:
+                        }
-                                switch (ch) {
+                        break;
-                                        case 'd':
+                case DP_S_MIN:
-                                        case 'i':
+                        if (isdigit((unsigned char)ch)) {
-                                                if (cflags == DP_C_SHORT) 
+                                min = 10 * min + char_to_int (ch);
-                                                        value = va_arg(args, int);
+                                ch = *format++;
-                                                else if (cflags == DP_C_LONG)
+                        } else if (ch == '*') {
-                                                        value = va_arg(args, long int);
+                                min = va_arg (args, int);
-                                                else if (cflags == DP_C_LONG_LONG)
+                                ch = *format++;
-                                                        value = va_arg (args, long long);
+                                state = DP_S_DOT;
-                                                else
+                        } else 
-                                                        value = va_arg (args, int);
+                                state = DP_S_DOT;
-                                                fmtint(buffer, &currlen, maxlen, value, 10, min, max, flags);
+                        break;
-                                                break;
+                case DP_S_DOT:
-                                        case 'o':
+                        if (ch == '.') {
-                                                flags |= DP_F_UNSIGNED;
+                                state = DP_S_MAX;
-                                                if (cflags == DP_C_SHORT)
+                                ch = *format++;
-                                                        value = va_arg(args, unsigned int);
+                        } else 
-                                                else if (cflags == DP_C_LONG)
+                                state = DP_S_MOD;
-                                                        value = va_arg(args, unsigned long int);
+                        break;
-                                                else if (cflags == DP_C_LONG_LONG)
+                case DP_S_MAX:
-                                                        value = va_arg(args, unsigned long long);
+                        if (isdigit((unsigned char)ch)) {
-                                                else
+                                if (max < 0)
-                                                        value = va_arg(args, unsigned int);
+                                        max = 0;
-                                                fmtint(buffer, &currlen, maxlen, value, 8, min, max, flags);
+                                max = 10 * max + char_to_int(ch);
-                                                break;
+                                ch = *format++;
-                                        case 'u':
+                        } else if (ch == '*') {
-                                                flags |= DP_F_UNSIGNED;
+                                max = va_arg (args, int);
-                                                if (cflags == DP_C_SHORT)
+                                ch = *format++;
-                                                        value = va_arg(args, unsigned int);
+                                state = DP_S_MOD;
-                                                else if (cflags == DP_C_LONG)
+                        } else 
-                                                        value = va_arg(args, unsigned long int);
+                                state = DP_S_MOD;
-                                                else if (cflags == DP_C_LONG_LONG)
+                        break;
-                                                        value = va_arg(args, unsigned long long);
+                case DP_S_MOD:
-                                                else
+                        switch (ch) {
-                                                        value = va_arg(args, unsigned int);
+                        case 'h':
-                                                fmtint (buffer, &currlen, maxlen, value, 10, min, max, flags);
+                                cflags = DP_C_SHORT;
-                                                break;
+                                ch = *format++;
-                                        case 'X':
+                                break;
-                                                flags |= DP_F_UP;
+                        case 'l':
-                                        case 'x':
+                                cflags = DP_C_LONG;
-                                                flags |= DP_F_UNSIGNED;
+                                ch = *format++;
-                                                if (cflags == DP_C_SHORT)
+                                if (ch == 'l') {
-                                                        value = va_arg(args, unsigned int);
+                                        cflags = DP_C_LONG_LONG;
-                                                else if (cflags == DP_C_LONG)
+                                        ch = *format++;
-                                                        value = va_arg(args, unsigned long int);
-                                                else if (cflags == DP_C_LONG_LONG)
-                                                        value = va_arg(args, unsigned long long);
-                                                else
-                                                        value = va_arg(args, unsigned int);
-                                                fmtint(buffer, &currlen, maxlen, value, 16, min, max, flags);
-                                                break;
-                                        case 'f':
-                                                if (cflags == DP_C_LDOUBLE)
-                                                        fvalue = va_arg(args, long double);
-                                                else
-                                                        fvalue = va_arg(args, double);
-                                                /* um, floating point? */
-                                                fmtfp(buffer, &currlen, maxlen, fvalue, min, max, flags);
-                                                break;
-                                        case 'E':
-                                                flags |= DP_F_UP;
-                                        case 'e':
-                                                if (cflags == DP_C_LDOUBLE)
-                                                        fvalue = va_arg(args, long double);
-                                                else
-                                                        fvalue = va_arg(args, double);
-                                                break;
-                                        case 'G':
-                                                flags |= DP_F_UP;
-                                        case 'g':
-                                                if (cflags == DP_C_LDOUBLE)
-                                                        fvalue = va_arg(args, long double);
-                                                else
-                                                        fvalue = va_arg(args, double);
-                                                break;
-                                        case 'c':
-                                                dopr_outch(buffer, &currlen, maxlen, va_arg(args, int));
-                                                break;
-                                        case 's':
-                                                strvalue = va_arg(args, char *);
-                                                if (max < 0) 
-                                                        max = maxlen; /* ie, no max */
-                                                fmtstr(buffer, &currlen, maxlen, strvalue, flags, min, max);
-                                                break;
-                                        case 'p':
-                                                strvalue = va_arg(args, void *);
-                                                fmtint(buffer, &currlen, maxlen, (long) strvalue, 16, min, max, flags);
-                                                break;
-                                        case 'n':
-                                                if (cflags == DP_C_SHORT) {
-                                                        short int *num;
-                                                        num = va_arg(args, short int *);
-                                                        *num = currlen;
-                                                } else if (cflags == DP_C_LONG) {
-                                                        long int *num;
-                                                        num = va_arg(args, long int *);
-                                                        *num = currlen;
-                                                } else if (cflags == DP_C_LONG_LONG) {
-                                                        long long *num;
-                                                        num = va_arg(args, long long *);
-                                                        *num = currlen;
-                                                } else {
-                                                        int *num;
-                                                        num = va_arg(args, int *);
-                                                        *num = currlen;
-                                                }
-                                                break;
-                                        case '%':
-                                                dopr_outch(buffer, &currlen, maxlen, ch);
-                                                break;
-                                        case 'w': /* not supported yet, treat as next char */
-                                                ch = *format++;
-                                                break;
-                                        default: /* Unknown, skip */
-                                        break;
                                }
+                                break;
+                        case 'q':
+                                cflags = DP_C_LONG_LONG;
+                                ch = *format++;
+                                break;
+                        case 'L':
+                                cflags = DP_C_LDOUBLE;
                                ch = *format++;
-                                state = DP_S_DEFAULT;
-                                flags = cflags = min = 0;
-                                max = -1;
                                break;
-                        case DP_S_DONE:
+                        default:
+                                break;
+                        }
+                        state = DP_S_CONV;
+                        break;
+                case DP_S_CONV:
+                        switch (ch) {
+                        case 'd':
+                        case 'i':
+                                if (cflags == DP_C_SHORT) 
+                                        value = va_arg(args, int);
+                                else if (cflags == DP_C_LONG)
+                                        value = va_arg(args, long int);
+                                else if (cflags == DP_C_LONG_LONG)
+                                        value = va_arg (args, long long);
+                                else
+                                        value = va_arg (args, int);
+                                fmtint(buffer, &currlen, maxlen, value, 10, min, max, flags);
+                                break;
+                        case 'o':
+                                flags |= DP_F_UNSIGNED;
+                                if (cflags == DP_C_SHORT)
+                                        value = va_arg(args, unsigned int);
+                                else if (cflags == DP_C_LONG)
+                                        value = va_arg(args, unsigned long int);
+                                else if (cflags == DP_C_LONG_LONG)
+                                        value = va_arg(args, unsigned long long);
+                                else
+                                        value = va_arg(args, unsigned int);
+                                fmtint(buffer, &currlen, maxlen, value, 8, min, max, flags);
                                break;
-                        default: /* hmm? */
+                        case 'u':
-                                break; /* some picky compilers need this */
+                                flags |= DP_F_UNSIGNED;
+                                if (cflags == DP_C_SHORT)
+                                        value = va_arg(args, unsigned int);
+                                else if (cflags == DP_C_LONG)
+                                        value = va_arg(args, unsigned long int);
+                                else if (cflags == DP_C_LONG_LONG)
+                                        value = va_arg(args, unsigned long long);
+                                else
+                                        value = va_arg(args, unsigned int);
+                                fmtint (buffer, &currlen, maxlen, value, 10, min, max, flags);
+                                break;
+                        case 'X':
+                                flags |= DP_F_UP;
+                        case 'x':
+                                flags |= DP_F_UNSIGNED;
+                                if (cflags == DP_C_SHORT)
+                                        value = va_arg(args, unsigned int);
+                                else if (cflags == DP_C_LONG)
+                                        value = va_arg(args, unsigned long int);
+                                else if (cflags == DP_C_LONG_LONG)
+                                        value = va_arg(args, unsigned long long);
+                                else
+                                        value = va_arg(args, unsigned int);
+                                fmtint(buffer, &currlen, maxlen, value, 16, min, max, flags);
+                                break;
+                        case 'f':
+                                if (cflags == DP_C_LDOUBLE)
+                                        fvalue = va_arg(args, long double);
+                                else
+                                        fvalue = va_arg(args, double);
+                                /* um, floating point? */
+                                fmtfp(buffer, &currlen, maxlen, fvalue, min, max, flags);
+                                break;
+                        case 'E':
+                                flags |= DP_F_UP;
+                        case 'e':
+                                if (cflags == DP_C_LDOUBLE)
+                                        fvalue = va_arg(args, long double);
+                                else
+                                        fvalue = va_arg(args, double);
+                                break;
+                        case 'G':
+                                flags |= DP_F_UP;
+                        case 'g':
+                                if (cflags == DP_C_LDOUBLE)
+                                        fvalue = va_arg(args, long double);
+                                else
+                                        fvalue = va_arg(args, double);
+                                break;
+                        case 'c':
+                                dopr_outch(buffer, &currlen, maxlen, va_arg(args, int));
+                                break;
+                        case 's':
+                                strvalue = va_arg(args, char *);
+                                if (max < 0) 
+                                        max = maxlen; /* ie, no max */
+                                fmtstr(buffer, &currlen, maxlen, strvalue, flags, min, max);
+                                break;
+                        case 'p':
+                                strvalue = va_arg(args, void *);
+                                fmtint(buffer, &currlen, maxlen, (long) strvalue, 16, min, max, flags);
+                                break;
+                        case 'n':
+                                if (cflags == DP_C_SHORT) {
+                                        short int *num;
+                                        num = va_arg(args, short int *);
+                                        *num = currlen;
+                                } else if (cflags == DP_C_LONG) {
+                                        long int *num;
+                                        num = va_arg(args, long int *);
+                                        *num = currlen;
+                                } else if (cflags == DP_C_LONG_LONG) {
+                                        long long *num;
+                                        num = va_arg(args, long long *);
+                                        *num = currlen;
+                                } else {
+                                        int *num;
+                                        num = va_arg(args, int *);
+                                        *num = currlen;
+                                }
+                                break;
+                        case '%':
+                                dopr_outch(buffer, &currlen, maxlen, ch);
+                                break;
+                        case 'w': /* not supported yet, treat as next char */
+                                ch = *format++;
+                                break;
+                        default: /* Unknown, skip */
+                        break;
+                        }
+                        ch = *format++;
+                        state = DP_S_DEFAULT;
+                        flags = cflags = min = 0;
+                        max = -1;
+                        break;
+                case DP_S_DONE:
+                        break;
+                default: /* hmm? */
+                        break; /* some picky compilers need this */
                }
        }
        if (currlen < maxlen - 1) 
@@ -367,10 +362,9 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args)
 static void
 fmtstr(char *buffer, size_t *currlen, size_t maxlen,
-       char *value, int flags, int min, int max)
+    char *value, int flags, int min, int max)
 {
-        int padlen, strln;     /* amount to pad */
+        int cnt = 0, padlen, strln;     /* amount to pad */
-        int cnt = 0;
  
        if (value == 0) 
                value = "<NULL>";
@@ -402,15 +396,13 @@ fmtstr(char *buffer, size_t *currlen, size_t maxlen,
 static void 
 fmtint(char *buffer, size_t *currlen, size_t maxlen,
-       long value, int base, int min, int max, int flags)
+    long value, int base, int min, int max, int flags)
 {
        unsigned long uvalue;
        char convert[20];
-        int signvalue = 0;
+        int signvalue = 0, place = 0, caps = 0;
-        int place = 0;
        int spadlen = 0; /* amount to space pad */
        int zpadlen = 0; /* amount to zero pad */
-        int caps = 0;
  
        if (max < 0)
                max = 0;
@@ -429,11 +421,10 @@ fmtint(char *buffer, size_t *currlen, size_t maxlen,
  
        if (flags & DP_F_UP) 
                caps = 1; /* Should characters be upper case? */
        do {
                convert[place++] =
-                        (caps? "0123456789ABCDEF":"0123456789abcdef")
+                    (caps ? "0123456789ABCDEF" : "0123456789abcdef")
-                        [uvalue % (unsigned)base];
+                    [uvalue % (unsigned)base];
                uvalue = (uvalue / (unsigned)base );
        } while (uvalue && (place < 20));
        if (place == 20) 
@@ -453,7 +444,6 @@ fmtint(char *buffer, size_t *currlen, size_t maxlen,
        if (flags & DP_F_MINUS) 
                spadlen = -spadlen; /* Left Justifty */
        /* Spaces */
        while (spadlen > 0) {
                dopr_outch(buffer, currlen, maxlen, ' ');
@@ -512,16 +502,11 @@ static void
 fmtfp(char *buffer, size_t *currlen, size_t maxlen, long double fvalue, 
      int min, int max, int flags)
 {
-        char iconvert[20];
+        char iconvert[20], fconvert[20];
-        char fconvert[20];
+        int signvalue = 0, iplace = 0, fplace = 0;
-        int signvalue = 0;
-        int iplace = 0;
-        int fplace = 0;
        int padlen = 0; /* amount to pad */
-        int zpadlen = 0; 
+        int zpadlen = 0, caps = 0;
-        int caps = 0;
+        long intpart, fracpart;
-        long intpart;
-        long fracpart;
        long double ufvalue;
  
        /* 
@@ -562,7 +547,8 @@ fmtfp(char *buffer, size_t *currlen, size_t maxlen, long double fvalue,
        /* Convert integer part */
        do {
                iconvert[iplace++] =
-                  (caps? "0123456789ABCDEF":"0123456789abcdef")[intpart % 10];
+                    (caps ? "0123456789ABCDEF" : "0123456789abcdef")
+                    [intpart % 10];
                intpart = (intpart / 10);
        } while(intpart && (iplace < 20));
        if (iplace == 20) 
@@ -572,7 +558,8 @@ fmtfp(char *buffer, size_t *currlen, size_t maxlen, long double fvalue,
        /* Convert fractional part */
        do {
                fconvert[fplace++] =
-                  (caps? "0123456789ABCDEF":"0123456789abcdef")[fracpart % 10];
+                    (caps ? "0123456789ABCDEF" : "0123456789abcdef")
+                    [fracpart % 10];
                fracpart = (fracpart / 10);
        } while(fracpart && (fplace < 20));
        if (fplace == 20) 
@@ -611,8 +598,8 @@ fmtfp(char *buffer, size_t *currlen, size_t maxlen, long double fvalue,
                dopr_outch(buffer, currlen, maxlen, iconvert[--iplace]);
        /*
-         * Decimal point.  This should probably use locale to find the correct
+         * Decimal point.  This should probably use locale to find the 
-         * char to print out.
+         * correct char to print out.
         */
        dopr_outch(buffer, currlen, maxlen, '.');
@@ -662,90 +649,4 @@ snprintf(char *str,size_t count,const char *fmt,...)
        return(strlen(str));
 }
-#ifdef TEST_SNPRINTF
-int 
-main(void)
-{
-#define LONG_STRING 1024
-        char buf1[LONG_STRING];
-        char buf2[LONG_STRING];
-        char *fp_fmt[] = {
-                "%-1.5f",
-                "%1.5f",
-                "%123.9f",
-                "%10.5f",
-                "% 10.5f",
-                "%+22.9f",
-                "%+4.9f",
-                "%01.3f",
-                "%4f",
-                "%3.1f",
-                "%3.2f",
-                NULL
-        };
-        double fp_nums[] = { 
-                -1.5, 
-                134.21, 
-                91340.2, 
-                341.1234, 
-                0203.9, 
-                0.96, 
-                0.996, 
-                0.9996, 
-                1.996, 
-                4.136, 
-                0
-        };
-        char *int_fmt[] = {
-                "%-1.5d",
-                "%1.5d",
-                "%123.9d",
-                "%5.5d",
-                "%10.5d",
-                "% 10.5d",
-                "%+22.33d",
-                "%01.3d",
-                "%4d",
-                "%lld",
-                "%qd",
-                NULL
-        };
-        long long int_nums[] = { -1, 134, 91340, 341, 0203, 0, 9999999 };
-        int x, y;
-        int fail = 0;
-        int num = 0;
-        printf("Testing snprintf format codes against system sprintf...\n");
-        for (x = 0; fp_fmt[x] != NULL ; x++) {
-                for (y = 0; fp_nums[y] != 0 ; y++) {
-                        snprintf(buf1, sizeof (buf1), fp_fmt[x], fp_nums[y]);
-                        sprintf (buf2, fp_fmt[x], fp_nums[y]);
-                        if (strcmp (buf1, buf2)) {
-                                printf("snprintf doesn't match Format: %s\n\t"
-                                       "snprintf = %s\n\tsprintf  = %s\n", 
-                                        fp_fmt[x], buf1, buf2);
-                                fail++;
-                        }
-                        num++;
-                }
-        }
-        for (x = 0; int_fmt[x] != NULL ; x++) {
-                for (y = 0; int_nums[y] != 0 ; y++) {
-                        snprintf(buf1, sizeof (buf1), int_fmt[x], int_nums[y]);
-                        sprintf(buf2, int_fmt[x], int_nums[y]);
-                        if (strcmp (buf1, buf2)) {
-                                printf("snprintf doesn't match Format: %s\n\t"
-                                       "snprintf = %s\n\tsprintf  = %s\n", 
-                                        int_fmt[x], buf1, buf2);
-                                fail++;
-                        }
-                        num++;
-                }
-        }
-        printf("%d tests failed out of %d.\n", fail, num);
-        return(0);
-}
-#endif /* SNPRINTF_TEST */
 #endif /* !HAVE_SNPRINTF */
diff --git a/openbsd-compat/bsd-waitpid.c b/openbsd-compat/bsd-waitpid.c
index 47b4446dc..93c9ec35e 100644
--- a/openbsd-compat/bsd-waitpid.c
+++ b/openbsd-compat/bsd-waitpid.c
@@ -1,4 +1,6 @@
 /*
+ * Copyright (c) 2000 Ben Lindstrom.  All rights reserved.
+ *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@@ -22,7 +24,7 @@
 #include "includes.h"
-RCSID("$Id: bsd-waitpid.c,v 1.3 2001/03/26 05:35:34 mouring Exp $");
+RCSID("$Id: bsd-waitpid.c,v 1.5 2003/06/01 03:23:57 mouring Exp $");
 #ifndef HAVE_WAITPID 
 #include <errno.h>
@@ -38,15 +40,16 @@ waitpid(int pid, int *stat_loc, int options)
        if (pid <= 0) {
                if (pid != -1) {
                        errno = EINVAL;
-                        return -1;
+                        return (-1);
                }
-                pid = 0;   /* wait4() wants pid=0 for indiscriminate wait. */
+                /* wait4() wants pid=0 for indiscriminate wait. */
+                pid = 0;
        }
        wait_pid = wait4(pid, &statusp, options, NULL);
        if (stat_loc)
                *stat_loc = (int) statusp.w_status;            
-        return wait_pid;                               
+        return (wait_pid);                               
 }
 #endif /* !HAVE_WAITPID */
diff --git a/openbsd-compat/bsd-waitpid.h b/openbsd-compat/bsd-waitpid.h
index e24edd791..2d853db61 100644
--- a/openbsd-compat/bsd-waitpid.h
+++ b/openbsd-compat/bsd-waitpid.h
@@ -1,4 +1,8 @@
+/* $Id: bsd-waitpid.h,v 1.5 2003/08/29 16:59:52 mouring Exp $ */
 /*
+ * Copyright (c) 2000 Ben Lindstrom.  All rights reserved.
+ *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@@ -21,8 +25,6 @@
 *
 */
-/* $Id: bsd-waitpid.h,v 1.2 2001/02/09 01:55:36 djm Exp $ */
 #ifndef _BSD_WAITPID_H
 #define _BSD_WAITPID_H
@@ -43,7 +45,7 @@
 #define WCOREDUMP(w)    ((_W_INT(w)) & WCOREFLAG)
 /* Prototype */
-pid_t waitpid(int pid, int *stat_loc, int options);
+pid_t waitpid(int, int *, int);
 #endif /* !HAVE_WAITPID */
 #endif /* _BSD_WAITPID_H */
diff --git a/openbsd-compat/daemon.c b/openbsd-compat/daemon.c
index 7d23b2467..6dd45f6a7 100644
--- a/openbsd-compat/daemon.c
+++ b/openbsd-compat/daemon.c
@@ -10,11 +10,7 @@
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
+ * 3. Neither the name of the University nor the names of its contributors
- *    must display the following acknowledgement:
- *      This product includes software developed by the University of
- *      California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
@@ -36,12 +32,11 @@
 #ifndef HAVE_DAEMON
 #if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$OpenBSD: daemon.c,v 1.2 1996/08/19 08:22:13 tholo Exp $";
+static char rcsid[] = "$OpenBSD: daemon.c,v 1.5 2003/07/15 17:32:41 deraadt Exp $";
 #endif /* LIBC_SCCS and not lint */
 int
-daemon(nochdir, noclose)
+daemon(int nochdir, int noclose)
-        int nochdir, noclose;
 {
        int fd;
diff --git a/openbsd-compat/dirname.c b/openbsd-compat/dirname.c
index 35c7d8ec7..1ab7516d8 100644
--- a/openbsd-compat/dirname.c
+++ b/openbsd-compat/dirname.c
@@ -1,46 +1,34 @@
-/*      $OpenBSD: dirname.c,v 1.7 2002/05/24 21:22:37 deraadt Exp $     */
+/*      $OpenBSD: dirname.c,v 1.10 2003/06/17 21:56:23 millert Exp $    */
 /*
 * Copyright (c) 1997 Todd C. Miller <Todd.Miller@courtesan.com>
- * All rights reserved.
 *
- * Redistribution and use in source and binary forms, with or without
+ * Permission to use, copy, modify, and distribute this software for any
- * modification, are permitted provided that the following conditions
+ * purpose with or without fee is hereby granted, provided that the above
- * are met:
+ * copyright notice and this permission notice appear in all copies.
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote products
- *    derived from this software without specific prior written permission.
 *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
- * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
- * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "includes.h"
 #ifndef HAVE_DIRNAME
-#if defined(LIBC_SCCS) && !defined(lint)
+#ifndef lint
-static char rcsid[] = "$OpenBSD: dirname.c,v 1.7 2002/05/24 21:22:37 deraadt Exp $";
+static char rcsid[] = "$OpenBSD: dirname.c,v 1.10 2003/06/17 21:56:23 millert Exp $";
-#endif /* LIBC_SCCS and not lint */
+#endif /* not lint */
 #include <errno.h>
 #include <string.h>
 #include <sys/param.h>
 char *
-dirname(path)
+dirname(const char *path)
-        const char *path;
 {
        static char bname[MAXPATHLEN];
        register const char *endp;
diff --git a/openbsd-compat/fake-rfc2553.c b/openbsd-compat/fake-rfc2553.c
new file mode 100644
index 000000000..f44924836
--- /dev/null
+++ b/openbsd-compat/fake-rfc2553.c
@@ -0,0 +1,220 @@
+/*
+ * Copyright (C) 2000-2003 Damien Miller.  All rights reserved.
+ * Copyright (C) 1999 WIDE Project.  All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+/*
+ * Pseudo-implementation of RFC2553 name / address resolution functions
+ *
+ * But these functions are not implemented correctly. The minimum subset
+ * is implemented for ssh use only. For example, this routine assumes
+ * that ai_family is AF_INET. Don't use it for another purpose.
+ */
+#include "includes.h"
+RCSID("$Id: fake-rfc2553.c,v 1.4 2003/06/13 22:43:23 djm Exp $");
+#ifndef HAVE_GETNAMEINFO
+int getnameinfo(const struct sockaddr *sa, size_t salen, char *host, 
+                size_t hostlen, char *serv, size_t servlen, int flags)
+{
+        struct sockaddr_in *sin = (struct sockaddr_in *)sa;
+        struct hostent *hp;
+        char tmpserv[16];
+        if (serv != NULL) {
+                snprintf(tmpserv, sizeof(tmpserv), "%d", ntohs(sin->sin_port));
+                if (strlcpy(serv, tmpserv, servlen) >= servlen)
+                        return (EAI_MEMORY);
+        }
+        if (host != NULL) {
+                if (flags & NI_NUMERICHOST) {
+                        if (strlcpy(host, inet_ntoa(sin->sin_addr),
+                            hostlen) >= hostlen)
+                                return (EAI_MEMORY);
+                        else
+                                return (0);
+                } else {
+                        hp = gethostbyaddr((char *)&sin->sin_addr, 
+                            sizeof(struct in_addr), AF_INET);
+                        if (hp == NULL)
+                                return (EAI_NODATA);
+                        
+                        if (strlcpy(host, hp->h_name, hostlen) >= hostlen)
+                                return (EAI_MEMORY);
+                        else
+                                return (0);
+                }
+        }
+        return (0);
+}
+#endif /* !HAVE_GETNAMEINFO */
+#ifndef HAVE_GAI_STRERROR
+char *
+gai_strerror(int err)
+{
+        switch (err) {
+        case EAI_NODATA:
+                return ("no address associated with name");
+        case EAI_MEMORY:
+                return ("memory allocation failure.");
+        case EAI_NONAME:
+                return ("nodename nor servname provided, or not known");
+        default:
+                return ("unknown/invalid error.");
+        }
+}    
+#endif /* !HAVE_GAI_STRERROR */
+#ifndef HAVE_FREEADDRINFO
+void
+freeaddrinfo(struct addrinfo *ai)
+{
+        struct addrinfo *next;
+        for(; ai != NULL;) {
+                next = ai->ai_next;
+                free(ai);
+                ai = next;
+        }
+}
+#endif /* !HAVE_FREEADDRINFO */
+#ifndef HAVE_GETADDRINFO
+static struct
+addrinfo *malloc_ai(int port, u_long addr, const struct addrinfo *hints)
+{
+        struct addrinfo *ai;
+        ai = malloc(sizeof(*ai) + sizeof(struct sockaddr_in));
+        if (ai == NULL)
+                return (NULL);
+        
+        memset(ai, '\0', sizeof(*ai) + sizeof(struct sockaddr_in));
+        
+        ai->ai_addr = (struct sockaddr *)(ai + 1);
+        /* XXX -- ssh doesn't use sa_len */
+        ai->ai_addrlen = sizeof(struct sockaddr_in);
+        ai->ai_addr->sa_family = ai->ai_family = AF_INET;
+        ((struct sockaddr_in *)(ai)->ai_addr)->sin_port = port;
+        ((struct sockaddr_in *)(ai)->ai_addr)->sin_addr.s_addr = addr;
+        
+        /* XXX: the following is not generally correct, but does what we want */
+        if (hints->ai_socktype)
+                ai->ai_socktype = hints->ai_socktype;
+        else
+                ai->ai_socktype = SOCK_STREAM;
+        if (hints->ai_protocol)
+                ai->ai_protocol = hints->ai_protocol;
+        return (ai);
+}
+int
+getaddrinfo(const char *hostname, const char *servname, 
+    const struct addrinfo *hints, struct addrinfo **res)
+{
+        struct hostent *hp;
+        struct servent *sp;
+        struct in_addr in;
+        int i;
+        long int port;
+        u_long addr;
+        port = 0;
+        if (servname != NULL) {
+                char *cp;
+                port = strtol(servname, &cp, 10);
+                if (port > 0 && port <= 65535 && *cp == '\0')
+                        port = htons(port);
+                else if ((sp = getservbyname(servname, NULL)) != NULL)
+                        port = sp->s_port;
+                else
+                        port = 0;
+        }
+        if (hints && hints->ai_flags & AI_PASSIVE) {
+                addr = htonl(0x00000000);
+                if (hostname && inet_aton(hostname, &in) != 0)
+                        addr = in.s_addr;
+                *res = malloc_ai(port, addr, hints);
+                if (*res == NULL) 
+                        return (EAI_MEMORY);
+                return (0);
+        }
+                
+        if (!hostname) {
+                *res = malloc_ai(port, htonl(0x7f000001), hints);
+                if (*res == NULL) 
+                        return (EAI_MEMORY);
+                return (0);
+        }
+        
+        if (inet_aton(hostname, &in)) {
+                *res = malloc_ai(port, in.s_addr, hints);
+                if (*res == NULL) 
+                        return (EAI_MEMORY);
+                return (0);
+        }
+        
+        /* Don't try DNS if AI_NUMERICHOST is set */
+        if (hints && hints->ai_flags & AI_NUMERICHOST)
+                return (EAI_NONAME);
+        
+        hp = gethostbyname(hostname);
+        if (hp && hp->h_name && hp->h_name[0] && hp->h_addr_list[0]) {
+                struct addrinfo *cur, *prev;
+                cur = prev = *res = NULL;
+                for (i = 0; hp->h_addr_list[i]; i++) {
+                        struct in_addr *in = (struct in_addr *)hp->h_addr_list[i];
+                        cur = malloc_ai(port, in->s_addr, hints);
+                        if (cur == NULL) {
+                                if (*res != NULL)
+                                        freeaddrinfo(*res);
+                                return (EAI_MEMORY);
+                        }
+                        if (prev)
+                                prev->ai_next = cur;
+                        else
+                                *res = cur;
+                        prev = cur;
+                }
+                return (0);
+        }
+        
+        return (EAI_NODATA);
+}
+#endif /* !HAVE_GETADDRINFO */
diff --git a/openbsd-compat/fake-rfc2553.h b/openbsd-compat/fake-rfc2553.h
new file mode 100644
index 000000000..b70b928f8
--- /dev/null
+++ b/openbsd-compat/fake-rfc2553.h
@@ -0,0 +1,154 @@
+/* $Id: fake-rfc2553.h,v 1.6 2003/08/29 16:59:52 mouring Exp $ */
+/*
+ * Copyright (C) 2000-2003 Damien Miller.  All rights reserved.
+ * Copyright (C) 1999 WIDE Project.  All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+/*
+ * Pseudo-implementation of RFC2553 name / address resolution functions
+ *
+ * But these functions are not implemented correctly. The minimum subset
+ * is implemented for ssh use only. For example, this routine assumes
+ * that ai_family is AF_INET. Don't use it for another purpose.
+ */
+#ifndef _FAKE_RFC2553_H
+#define _FAKE_RFC2553_H
+#include "includes.h"
+#include "sys/types.h"
+/*
+ * First, socket and INET6 related definitions 
+ */
+#ifndef HAVE_STRUCT_SOCKADDR_STORAGE
+# define        _SS_MAXSIZE     128     /* Implementation specific max size */
+# define       _SS_PADSIZE     (_SS_MAXSIZE - sizeof (struct sockaddr))
+struct sockaddr_storage {
+        struct sockaddr ss_sa;
+        char            __ss_pad2[_SS_PADSIZE];
+};
+# define ss_family ss_sa.sa_family
+#endif /* !HAVE_STRUCT_SOCKADDR_STORAGE */
+#ifndef IN6_IS_ADDR_LOOPBACK
+# define IN6_IS_ADDR_LOOPBACK(a) \
+        (((u_int32_t *)(a))[0] == 0 && ((u_int32_t *)(a))[1] == 0 && \
+         ((u_int32_t *)(a))[2] == 0 && ((u_int32_t *)(a))[3] == htonl(1))
+#endif /* !IN6_IS_ADDR_LOOPBACK */
+#ifndef HAVE_STRUCT_IN6_ADDR
+struct in6_addr {
+        u_int8_t        s6_addr[16];
+};
+#endif /* !HAVE_STRUCT_IN6_ADDR */
+#ifndef HAVE_STRUCT_SOCKADDR_IN6
+struct sockaddr_in6 {
+        unsigned short  sin6_family;
+        u_int16_t       sin6_port;
+        u_int32_t       sin6_flowinfo;
+        struct in6_addr sin6_addr;
+};
+#endif /* !HAVE_STRUCT_SOCKADDR_IN6 */
+#ifndef AF_INET6
+/* Define it to something that should never appear */
+#define AF_INET6 AF_MAX
+#endif
+/*
+ * Next, RFC2553 name / address resolution API
+ */
+#ifndef NI_NUMERICHOST
+# define NI_NUMERICHOST    (1)
+#endif
+#ifndef NI_NAMEREQD
+# define NI_NAMEREQD       (1<<1)
+#endif
+#ifndef NI_NUMERICSERV
+# define NI_NUMERICSERV    (1<<2)
+#endif
+#ifndef AI_PASSIVE
+# define AI_PASSIVE             (1)
+#endif
+#ifndef AI_CANONNAME
+# define AI_CANONNAME           (1<<1)
+#endif
+#ifndef AI_NUMERICHOST
+# define AI_NUMERICHOST         (1<<2)
+#endif
+#ifndef NI_MAXSERV
+# define NI_MAXSERV 32
+#endif /* !NI_MAXSERV */
+#ifndef NI_MAXHOST
+# define NI_MAXHOST 1025
+#endif /* !NI_MAXHOST */
+#ifndef EAI_NODATA
+# define EAI_NODATA     1
+# define EAI_MEMORY     2
+# define EAI_NONAME     3
+#endif
+#ifndef HAVE_STRUCT_ADDRINFO
+struct addrinfo {
+        int     ai_flags;       /* AI_PASSIVE, AI_CANONNAME */
+        int     ai_family;      /* PF_xxx */
+        int     ai_socktype;    /* SOCK_xxx */
+        int     ai_protocol;    /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
+        size_t  ai_addrlen;     /* length of ai_addr */
+        char    *ai_canonname;  /* canonical name for hostname */
+        struct sockaddr *ai_addr;       /* binary address */
+        struct addrinfo *ai_next;       /* next structure in linked list */
+};
+#endif /* !HAVE_STRUCT_ADDRINFO */
+#ifndef HAVE_GETADDRINFO
+int getaddrinfo(const char *, const char *, 
+    const struct addrinfo *, struct addrinfo **);
+#endif /* !HAVE_GETADDRINFO */
+#ifndef HAVE_GAI_STRERROR
+char *gai_strerror(int);
+#endif /* !HAVE_GAI_STRERROR */
+#ifndef HAVE_FREEADDRINFO
+void freeaddrinfo(struct addrinfo *);
+#endif /* !HAVE_FREEADDRINFO */
+#ifndef HAVE_GETNAMEINFO
+int getnameinfo(const struct sockaddr *, size_t, char *, size_t, 
+    char *, size_t, int);
+#endif /* !HAVE_GETNAMEINFO */
+#endif /* !_FAKE_RFC2553_H */
diff --git a/openbsd-compat/getcwd.c b/openbsd-compat/getcwd.c
index f4b98e824..31d1cfe93 100644
--- a/openbsd-compat/getcwd.c
+++ b/openbsd-compat/getcwd.c
@@ -10,6 +10,9 @@
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -29,7 +32,7 @@
 #if !defined(HAVE_GETCWD)
 #if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$OpenBSD: getcwd.c,v 1.7 2002/11/24 01:52:27 cloder Exp $";
+static char rcsid[] = "$OpenBSD: getcwd.c,v 1.9 2003/06/11 21:03:10 deraadt Exp $";
 #endif /* LIBC_SCCS and not lint */
 #include <sys/param.h>
@@ -47,7 +50,7 @@ static char rcsid[] = "$OpenBSD: getcwd.c,v 1.7 2002/11/24 01:52:27 cloder Exp $
            (dp->d_name[1] == '.' && dp->d_name[2] == '\0')))
 char *
-getcwd(char *pt,size_t size)
+getcwd(char *pt, size_t size)
 {
        register struct dirent *dp;
        register DIR *dir = NULL;
diff --git a/openbsd-compat/getgrouplist.c b/openbsd-compat/getgrouplist.c
index f7a27c339..085cda8c3 100644
--- a/openbsd-compat/getgrouplist.c
+++ b/openbsd-compat/getgrouplist.c
@@ -10,11 +10,7 @@
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
+ * 3. Neither the name of the University nor the names of its contributors
- *    must display the following acknowledgement:
- *      This product includes software developed by the University of
- *      California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
@@ -36,7 +32,7 @@
 #ifndef HAVE_GETGROUPLIST
 #if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$OpenBSD: getgrouplist.c,v 1.7 1997/08/19 19:13:27 deraadt Exp $";
+static char rcsid[] = "$OpenBSD: getgrouplist.c,v 1.9 2003/06/25 21:16:47 deraadt Exp $";
 #endif /* LIBC_SCCS and not lint */
 /*
@@ -44,6 +40,7 @@ static char rcsid[] = "$OpenBSD: getgrouplist.c,v 1.7 1997/08/19 19:13:27 deraad
 */
 #include <sys/types.h>
 #include <string.h>
+#include <unistd.h>
 #include <grp.h>
 int
diff --git a/openbsd-compat/getopt.c b/openbsd-compat/getopt.c
index a3fe807ee..2136fbfcc 100644
--- a/openbsd-compat/getopt.c
+++ b/openbsd-compat/getopt.c
@@ -10,11 +10,7 @@
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
+ * 3. Neither the name of the University nor the names of its contributors
- *    must display the following acknowledgement:
- *      This product includes software developed by the University of
- *      California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
@@ -35,7 +31,7 @@
 #if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET)
 #if defined(LIBC_SCCS) && !defined(lint)
-static char *rcsid = "$OpenBSD: getopt.c,v 1.4 2002/12/08 22:57:14 millert Exp $";
+static char *rcsid = "$OpenBSD: getopt.c,v 1.5 2003/06/02 20:18:37 millert Exp $";
 #endif /* LIBC_SCCS and not lint */
 #include <stdio.h>
diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
new file mode 100644
index 000000000..44fa2755b
--- /dev/null
+++ b/openbsd-compat/getrrsetbyname.c
@@ -0,0 +1,578 @@
+/* $OpenBSD: getrrsetbyname.c,v 1.7 2003/03/07 07:34:14 itojun Exp $ */
+/*
+ * Copyright (c) 2001 Jakob Schlyter. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/*
+ * Portions Copyright (c) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+ * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+ * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include "includes.h"
+#if defined(DNS) && !defined(HAVE_GETRRSETBYNAME)
+#include "getrrsetbyname.h"
+/* #include "thread_private.h" */
+#define ANSWER_BUFFER_SIZE 1024*64
+struct dns_query {
+        char                    *name;
+        u_int16_t               type;
+        u_int16_t               class;
+        struct dns_query        *next;
+};
+struct dns_rr {
+        char                    *name;
+        u_int16_t               type;
+        u_int16_t               class;
+        u_int16_t               ttl;
+        u_int16_t               size;
+        void                    *rdata;
+        struct dns_rr           *next;
+};
+struct dns_response {
+        HEADER                  header;
+        struct dns_query        *query;
+        struct dns_rr           *answer;
+        struct dns_rr           *authority;
+        struct dns_rr           *additional;
+};
+static struct dns_response *parse_dns_response(const u_char *, int);
+static struct dns_query *parse_dns_qsection(const u_char *, int,
+    const u_char **, int);
+static struct dns_rr *parse_dns_rrsection(const u_char *, int, const u_char **,
+    int);
+static void free_dns_query(struct dns_query *);
+static void free_dns_rr(struct dns_rr *);
+static void free_dns_response(struct dns_response *);
+static int count_dns_rr(struct dns_rr *, u_int16_t, u_int16_t);
+/*
+ * Inline versions of get/put short/long.  Pointer is advanced.
+ *
+ * These macros demonstrate the property of C whereby it can be
+ * portable or it can be elegant but rarely both.
+ */
+#ifndef INT32SZ
+# define INT32SZ        4
+#endif
+#ifndef INT16SZ
+# define INT16SZ        2
+#endif
+#ifndef GETSHORT
+#define GETSHORT(s, cp) { \
+        register u_char *t_cp = (u_char *)(cp); \
+        (s) = ((u_int16_t)t_cp[0] << 8) \
+            | ((u_int16_t)t_cp[1]) \
+            ; \
+        (cp) += INT16SZ; \
+}
+#endif
+#ifndef GETLONG
+#define GETLONG(l, cp) { \
+        register u_char *t_cp = (u_char *)(cp); \
+        (l) = ((u_int32_t)t_cp[0] << 24) \
+            | ((u_int32_t)t_cp[1] << 16) \
+            | ((u_int32_t)t_cp[2] << 8) \
+            | ((u_int32_t)t_cp[3]) \
+            ; \
+        (cp) += INT32SZ; \
+}
+#endif
+/*
+ * Routines to insert/extract short/long's.
+ */
+#ifndef HAVE__GETSHORT
+static u_int16_t
+_getshort(msgp)
+        register const u_char *msgp;
+{
+        register u_int16_t u;
+        GETSHORT(u, msgp);
+        return (u);
+}
+#endif
+#ifndef HAVE__GETLONG
+static u_int32_t
+_getlong(msgp)
+        register const u_char *msgp;
+{
+        register u_int32_t u;
+        GETLONG(u, msgp);
+        return (u);
+}
+#endif
+int
+getrrsetbyname(const char *hostname, unsigned int rdclass,
+    unsigned int rdtype, unsigned int flags,
+    struct rrsetinfo **res)
+{
+        struct __res_state *_resp = &_res;
+        int result;
+        struct rrsetinfo *rrset = NULL;
+        struct dns_response *response;
+        struct dns_rr *rr;
+        struct rdatainfo *rdata;
+        int length;
+        unsigned int index_ans, index_sig;
+        u_char answer[ANSWER_BUFFER_SIZE];
+        /* check for invalid class and type */
+        if (rdclass > 0xffff || rdtype > 0xffff) {
+                result = ERRSET_INVAL;
+                goto fail;
+        }
+        /* don't allow queries of class or type ANY */
+        if (rdclass == 0xff || rdtype == 0xff) {
+                result = ERRSET_INVAL;
+                goto fail;
+        }
+        /* don't allow flags yet, unimplemented */
+        if (flags) {
+                result = ERRSET_INVAL;
+                goto fail;
+        }
+        /* initialize resolver */
+        if ((_resp->options & RES_INIT) == 0 && res_init() == -1) {
+                result = ERRSET_FAIL;
+                goto fail;
+        }
+#ifdef DEBUG
+        _resp->options |= RES_DEBUG;
+#endif /* DEBUG */
+#ifdef RES_USE_DNSSEC
+        /* turn on DNSSEC if EDNS0 is configured */
+        if (_resp->options & RES_USE_EDNS0)
+                _resp->options |= RES_USE_DNSSEC;
+#endif /* RES_USE_DNSEC */
+        /* make query */
+        length = res_query(hostname, (signed int) rdclass, (signed int) rdtype,
+            answer, sizeof(answer));
+        if (length < 0) {
+                switch(h_errno) {
+                case HOST_NOT_FOUND:
+                        result = ERRSET_NONAME;
+                        goto fail;
+                case NO_DATA:
+                        result = ERRSET_NODATA;
+                        goto fail;
+                default:
+                        result = ERRSET_FAIL;
+                        goto fail;
+                }
+        }
+        /* parse result */
+        response = parse_dns_response(answer, length);
+        if (response == NULL) {
+                result = ERRSET_FAIL;
+                goto fail;
+        }
+        if (response->header.qdcount != 1) {
+                result = ERRSET_FAIL;
+                goto fail;
+        }
+        /* initialize rrset */
+        rrset = calloc(1, sizeof(struct rrsetinfo));
+        if (rrset == NULL) {
+                result = ERRSET_NOMEMORY;
+                goto fail;
+        }
+        rrset->rri_rdclass = response->query->class;
+        rrset->rri_rdtype = response->query->type;
+        rrset->rri_ttl = response->answer->ttl;
+        rrset->rri_nrdatas = response->header.ancount;
+#ifdef HAVE_HEADER_AD
+        /* check for authenticated data */
+        if (response->header.ad == 1)
+                rrset->rri_flags |= RRSET_VALIDATED;
+#endif
+        /* copy name from answer section */
+        length = strlen(response->answer->name);
+        rrset->rri_name = malloc(length + 1);
+        if (rrset->rri_name == NULL) {
+                result = ERRSET_NOMEMORY;
+                goto fail;
+        }
+        strlcpy(rrset->rri_name, response->answer->name, length + 1);
+        /* count answers */
+        rrset->rri_nrdatas = count_dns_rr(response->answer, rrset->rri_rdclass,
+            rrset->rri_rdtype);
+        rrset->rri_nsigs = count_dns_rr(response->answer, rrset->rri_rdclass,
+            T_SIG);
+        /* allocate memory for answers */
+        rrset->rri_rdatas = calloc(rrset->rri_nrdatas,
+            sizeof(struct rdatainfo));
+        if (rrset->rri_rdatas == NULL) {
+                result = ERRSET_NOMEMORY;
+                goto fail;
+        }
+        /* allocate memory for signatures */
+        rrset->rri_sigs = calloc(rrset->rri_nsigs, sizeof(struct rdatainfo));
+        if (rrset->rri_sigs == NULL) {
+                result = ERRSET_NOMEMORY;
+                goto fail;
+        }
+        /* copy answers & signatures */
+        for (rr = response->answer, index_ans = 0, index_sig = 0;
+            rr; rr = rr->next) {
+                rdata = NULL;
+                if (rr->class == rrset->rri_rdclass &&
+                    rr->type  == rrset->rri_rdtype)
+                        rdata = &rrset->rri_rdatas[index_ans++];
+                if (rr->class == rrset->rri_rdclass &&
+                    rr->type  == T_SIG)
+                        rdata = &rrset->rri_sigs[index_sig++];
+                if (rdata) {
+                        rdata->rdi_length = rr->size;
+                        rdata->rdi_data   = malloc(rr->size);
+                        if (rdata->rdi_data == NULL) {
+                                result = ERRSET_NOMEMORY;
+                                goto fail;
+                        }
+                        memcpy(rdata->rdi_data, rr->rdata, rr->size);
+                }
+        }
+        *res = rrset;
+        return (ERRSET_SUCCESS);
+fail:
+        if (rrset != NULL)
+                freerrset(rrset);
+        return (result);
+}
+void
+freerrset(struct rrsetinfo *rrset)
+{
+        u_int16_t i;
+        if (rrset == NULL)
+                return;
+        if (rrset->rri_rdatas) {
+                for (i = 0; i < rrset->rri_nrdatas; i++) {
+                        if (rrset->rri_rdatas[i].rdi_data == NULL)
+                                break;
+                        free(rrset->rri_rdatas[i].rdi_data);
+                }
+                free(rrset->rri_rdatas);
+        }
+        if (rrset->rri_sigs) {
+                for (i = 0; i < rrset->rri_nsigs; i++) {
+                        if (rrset->rri_sigs[i].rdi_data == NULL)
+                                break;
+                        free(rrset->rri_sigs[i].rdi_data);
+                }
+                free(rrset->rri_sigs);
+        }
+        if (rrset->rri_name)
+                free(rrset->rri_name);
+        free(rrset);
+}
+/*
+ * DNS response parsing routines
+ */
+static struct dns_response *
+parse_dns_response(const u_char *answer, int size)
+{
+        struct dns_response *resp;
+        const u_char *cp;
+        /* allocate memory for the response */
+        resp = calloc(1, sizeof(*resp));
+        if (resp == NULL)
+                return (NULL);
+        /* initialize current pointer */
+        cp = answer;
+        /* copy header */
+        memcpy(&resp->header, cp, HFIXEDSZ);
+        cp += HFIXEDSZ;
+        /* fix header byte order */
+        resp->header.qdcount = ntohs(resp->header.qdcount);
+        resp->header.ancount = ntohs(resp->header.ancount);
+        resp->header.nscount = ntohs(resp->header.nscount);
+        resp->header.arcount = ntohs(resp->header.arcount);
+        /* there must be at least one query */
+        if (resp->header.qdcount < 1) {
+                free_dns_response(resp);
+                return (NULL);
+        }
+        /* parse query section */
+        resp->query = parse_dns_qsection(answer, size, &cp,
+            resp->header.qdcount);
+        if (resp->header.qdcount && resp->query == NULL) {
+                free_dns_response(resp);
+                return (NULL);
+        }
+        /* parse answer section */
+        resp->answer = parse_dns_rrsection(answer, size, &cp,
+            resp->header.ancount);
+        if (resp->header.ancount && resp->answer == NULL) {
+                free_dns_response(resp);
+                return (NULL);
+        }
+        /* parse authority section */
+        resp->authority = parse_dns_rrsection(answer, size, &cp,
+            resp->header.nscount);
+        if (resp->header.nscount && resp->authority == NULL) {
+                free_dns_response(resp);
+                return (NULL);
+        }
+        /* parse additional section */
+        resp->additional = parse_dns_rrsection(answer, size, &cp,
+            resp->header.arcount);
+        if (resp->header.arcount && resp->additional == NULL) {
+                free_dns_response(resp);
+                return (NULL);
+        }
+        return (resp);
+}
+static struct dns_query *
+parse_dns_qsection(const u_char *answer, int size, const u_char **cp, int count)
+{
+        struct dns_query *head, *curr, *prev;
+        int i, length;
+        char name[MAXDNAME];
+        for (i = 1, head = NULL, prev = NULL; i <= count; i++, prev = curr) {
+                /* allocate and initialize struct */
+                curr = calloc(1, sizeof(struct dns_query));
+                if (curr == NULL) {
+                        free_dns_query(head);
+                        return (NULL);
+                }
+                if (head == NULL)
+                        head = curr;
+                if (prev != NULL)
+                        prev->next = curr;
+                /* name */
+                length = dn_expand(answer, answer + size, *cp, name,
+                    sizeof(name));
+                if (length < 0) {
+                        free_dns_query(head);
+                        return (NULL);
+                }
+                curr->name = strdup(name);
+                if (curr->name == NULL) {
+                        free_dns_query(head);
+                        return (NULL);
+                }
+                *cp += length;
+                /* type */
+                curr->type = _getshort(*cp);
+                *cp += INT16SZ;
+                /* class */
+                curr->class = _getshort(*cp);
+                *cp += INT16SZ;
+        }
+        return (head);
+}
+static struct dns_rr *
+parse_dns_rrsection(const u_char *answer, int size, const u_char **cp, int count)
+{
+        struct dns_rr *head, *curr, *prev;
+        int i, length;
+        char name[MAXDNAME];
+        for (i = 1, head = NULL, prev = NULL; i <= count; i++, prev = curr) {
+                /* allocate and initialize struct */
+                curr = calloc(1, sizeof(struct dns_rr));
+                if (curr == NULL) {
+                        free_dns_rr(head);
+                        return (NULL);
+                }
+                if (head == NULL)
+                        head = curr;
+                if (prev != NULL)
+                        prev->next = curr;
+                /* name */
+                length = dn_expand(answer, answer + size, *cp, name,
+                    sizeof(name));
+                if (length < 0) {
+                        free_dns_rr(head);
+                        return (NULL);
+                }
+                curr->name = strdup(name);
+                if (curr->name == NULL) {
+                        free_dns_rr(head);
+                        return (NULL);
+                }
+                *cp += length;
+                /* type */
+                curr->type = _getshort(*cp);
+                *cp += INT16SZ;
+                /* class */
+                curr->class = _getshort(*cp);
+                *cp += INT16SZ;
+                /* ttl */
+                curr->ttl = _getlong(*cp);
+                *cp += INT32SZ;
+                /* rdata size */
+                curr->size = _getshort(*cp);
+                *cp += INT16SZ;
+                /* rdata itself */
+                curr->rdata = malloc(curr->size);
+                if (curr->rdata == NULL) {
+                        free_dns_rr(head);
+                        return (NULL);
+                }
+                memcpy(curr->rdata, *cp, curr->size);
+                *cp += curr->size;
+        }
+        return (head);
+}
+static void
+free_dns_query(struct dns_query *p)
+{
+        if (p == NULL)
+                return;
+        if (p->name)
+                free(p->name);
+        free_dns_query(p->next);
+        free(p);
+}
+static void
+free_dns_rr(struct dns_rr *p)
+{
+        if (p == NULL)
+                return;
+        if (p->name)
+                free(p->name);
+        if (p->rdata)
+                free(p->rdata);
+        free_dns_rr(p->next);
+        free(p);
+}
+static void
+free_dns_response(struct dns_response *p)
+{
+        if (p == NULL)
+                return;
+        free_dns_query(p->query);
+        free_dns_rr(p->answer);
+        free_dns_rr(p->authority);
+        free_dns_rr(p->additional);
+        free(p);
+}
+static int
+count_dns_rr(struct dns_rr *p, u_int16_t class, u_int16_t type)
+{
+        int n = 0;
+        while(p) {
+                if (p->class == class && p->type == type)
+                        n++;
+                p = p->next;
+        }
+        return (n);
+}
+#endif /* defined(DNS) && !defined(HAVE_GETRRSETBYNAME) */
diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h
new file mode 100644
index 000000000..6466a54d6
--- /dev/null
+++ b/openbsd-compat/getrrsetbyname.h
@@ -0,0 +1,100 @@
+/* $OpenBSD: getrrsetbyname.c,v 1.4 2001/08/16 18:16:43 ho Exp $ */
+/*
+ * Copyright (c) 2001 Jakob Schlyter. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+/*
+ * Portions Copyright (c) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+ * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+ * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#ifndef _GETRRSETBYNAME_H
+#define _GETRRSETBYNAME_H
+#include "includes.h"
+#if defined(DNS) && !defined(HAVE_GETRRSETBYNAME)
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <netdb.h>
+#include <resolv.h>
+/*
+ * Flags for getrrsetbyname()
+ */
+#ifndef RRSET_VALIDATED
+# define RRSET_VALIDATED        1
+#endif
+/*
+ * Return codes for getrrsetbyname()
+ */
+#ifndef ERRSET_SUCCESS
+# define ERRSET_SUCCESS         0
+# define ERRSET_NOMEMORY        1
+# define ERRSET_FAIL            2
+# define ERRSET_INVAL           3
+# define ERRSET_NONAME          4
+# define ERRSET_NODATA          5
+#endif
+struct rdatainfo {
+        unsigned int            rdi_length;     /* length of data */
+        unsigned char           *rdi_data;      /* record data */
+};
+struct rrsetinfo {
+        unsigned int            rri_flags;      /* RRSET_VALIDATED ... */
+        unsigned int            rri_rdclass;    /* class number */
+        unsigned int            rri_rdtype;     /* RR type number */
+        unsigned int            rri_ttl;        /* time to live */
+        unsigned int            rri_nrdatas;    /* size of rdatas array */
+        unsigned int            rri_nsigs;      /* size of sigs array */
+        char                    *rri_name;      /* canonical name */
+        struct rdatainfo        *rri_rdatas;    /* individual records */
+        struct rdatainfo        *rri_sigs;      /* individual signatures */
+};
+int             getrrsetbyname(const char *, unsigned int, unsigned int, unsigned int, struct rrsetinfo **);
+void            freerrset(struct rrsetinfo *);
+#endif /* defined(DNS) && !defined(HAVE_GETRRSETBYNAME) */
+#endif /* _GETRRSETBYNAME_H */
diff --git a/openbsd-compat/glob.c b/openbsd-compat/glob.c
index e928a2272..50f35c304 100644
--- a/openbsd-compat/glob.c
+++ b/openbsd-compat/glob.c
@@ -13,11 +13,7 @@
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
+ * 3. Neither the name of the University nor the names of its contributors
- *    must display the following acknowledgement:
- *      This product includes software developed by the University of
- *      California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
@@ -56,7 +52,7 @@ get_arg_max(void)
 #if 0
 static char sccsid[] = "@(#)glob.c      8.3 (Berkeley) 10/13/93";
 #else
-static char rcsid[] = "$OpenBSD: glob.c,v 1.20 2002/06/14 21:34:58 todd Exp $";
+static char rcsid[] = "$OpenBSD: glob.c,v 1.22 2003/06/25 21:16:47 deraadt Exp $";
 #endif
 #endif /* LIBC_SCCS and not lint */
@@ -615,7 +611,7 @@ glob3(pathbuf, pathbuf_last, pathend, pathend_last, pattern, pattern_last,
         * and dirent.h as taking pointers to differently typed opaque
         * structures.
         */
-        struct dirent *(*readdirfunc)();
+        struct dirent *(*readdirfunc)(void *);
        if (pathend > pathend_last)
                return (1);
@@ -640,7 +636,7 @@ glob3(pathbuf, pathbuf_last, pathend, pathend_last, pattern, pattern_last,
        if (pglob->gl_flags & GLOB_ALTDIRFUNC)
                readdirfunc = pglob->gl_readdir;
        else
-                readdirfunc = readdir;
+                readdirfunc = (struct dirent *(*)(void *))readdir;
        while ((dp = (*readdirfunc)(dirp))) {
                register u_char *sc;
                register Char *dc;
diff --git a/openbsd-compat/glob.h b/openbsd-compat/glob.h
index 6421f7049..aceddbc48 100644
--- a/openbsd-compat/glob.h
+++ b/openbsd-compat/glob.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: glob.h,v 1.7 2002/02/17 19:42:21 millert Exp $        */
+/*      $OpenBSD: glob.h,v 1.8 2003/06/02 19:34:12 millert Exp $        */
 /*      $NetBSD: glob.h,v 1.5 1994/10/26 00:55:56 cgd Exp $     */
 /*
@@ -16,11 +16,7 @@
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
+ * 3. Neither the name of the University nor the names of its contributors
- *    must display the following acknowledgement:
- *      This product includes software developed by the University of
- *      California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
diff --git a/openbsd-compat/inet_aton.c b/openbsd-compat/inet_aton.c
index 1fc001da6..5de49868d 100644
--- a/openbsd-compat/inet_aton.c
+++ b/openbsd-compat/inet_aton.c
@@ -1,8 +1,6 @@
-/*      $OpenBSD: inet_addr.c,v 1.6 1999/05/03 22:31:14 yanick Exp $    */
+/*      $OpenBSD: inet_addr.c,v 1.7 2003/06/02 20:18:35 millert Exp $   */
 /*
- * ++Copyright++ 1983, 1990, 1993
- * -
 * Copyright (c) 1983, 1990, 1993
 *    The Regents of the University of California.  All rights reserved.
 * 
@@ -14,11 +12,7 @@
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
+ * 3. Neither the name of the University nor the names of its contributors
- *    must display the following acknowledgement:
- *      This product includes software developed by the University of
- *      California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 * 
@@ -64,7 +58,7 @@
 static char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93";
 static char rcsid[] = "$From: inet_addr.c,v 8.5 1996/08/05 08:31:35 vixie Exp $";
 #else
-static char rcsid[] = "$OpenBSD: inet_addr.c,v 1.6 1999/05/03 22:31:14 yanick Exp $";
+static char rcsid[] = "$OpenBSD: inet_addr.c,v 1.7 2003/06/02 20:18:35 millert Exp $";
 #endif
 #endif /* LIBC_SCCS and not lint */
diff --git a/openbsd-compat/inet_ntoa.c b/openbsd-compat/inet_ntoa.c
index ac5f56708..e0384491d 100644
--- a/openbsd-compat/inet_ntoa.c
+++ b/openbsd-compat/inet_ntoa.c
@@ -10,11 +10,7 @@
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
+ * 3. Neither the name of the University nor the names of its contributors
- *    must display the following acknowledgement:
- *      This product includes software developed by the University of
- *      California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
@@ -36,7 +32,7 @@
 #if defined(BROKEN_INET_NTOA) || !defined(HAVE_INET_NTOA)
 #if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$OpenBSD: inet_ntoa.c,v 1.3 2002/06/27 10:14:01 itojun Exp $";
+static char rcsid[] = "$OpenBSD: inet_ntoa.c,v 1.4 2003/06/02 20:18:35 millert Exp $";
 #endif /* LIBC_SCCS and not lint */
 /*
diff --git a/openbsd-compat/inet_ntop.c b/openbsd-compat/inet_ntop.c
index 3bea519af..075eac44f 100644
--- a/openbsd-compat/inet_ntop.c
+++ b/openbsd-compat/inet_ntop.c
@@ -31,7 +31,6 @@ static char rcsid[] = "$OpenBSD: inet_ntop.c,v 1.5 2002/08/23 16:27:31 itojun Ex
 #include <sys/param.h>
 #include <sys/types.h>
 #include <sys/socket.h>
-#include "openbsd-compat/fake-socket.h"
 #include <netinet/in.h>
 #include <arpa/inet.h>
 #ifndef HAVE_CYGWIN
diff --git a/openbsd-compat/mktemp.c b/openbsd-compat/mktemp.c
index c951050c0..2cd747835 100644
--- a/openbsd-compat/mktemp.c
+++ b/openbsd-compat/mktemp.c
@@ -13,11 +13,7 @@
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
+ * 3. Neither the name of the University nor the names of its contributors
- *    must display the following acknowledgement:
- *      This product includes software developed by the University of
- *      California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
@@ -39,7 +35,7 @@
 #if !defined(HAVE_MKDTEMP) || defined(HAVE_STRICT_MKSTEMP)
 #if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$OpenBSD: mktemp.c,v 1.16 2002/05/27 18:20:45 millert Exp $";
+static char rcsid[] = "$OpenBSD: mktemp.c,v 1.17 2003/06/02 20:18:37 millert Exp $";
 #endif /* LIBC_SCCS and not lint */
 #ifdef HAVE_CYGWIN
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
index c3e19b9cb..852948c54 100644
--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -1,49 +1,168 @@
-/* $Id: openbsd-compat.h,v 1.19 2003/02/24 01:55:56 djm Exp $ */
+/* $Id: openbsd-compat.h,v 1.24 2003/08/29 16:59:52 mouring Exp $ */
-#ifndef _OPENBSD_H
+/*
-#define _OPENBSD_H
+ * Copyright (c) 1999-2003 Damien Miller.  All rights reserved.
+ * Copyright (c) 2003 Ben Lindstrom. All rights reserved.
+ * Copyright (c) 2002 Tim Rice.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
-#include "config.h"
+#ifndef _OPENBSD_COMPAT_H
+#define _OPENBSD_COMPAT_H
+#include "includes.h"
 /* OpenBSD function replacements */
-#include "basename.h"
-#include "bindresvport.h"
-#include "getcwd.h"
-#include "realpath.h"
-#include "rresvport.h"
-#include "strlcpy.h"
-#include "strlcat.h"
-#include "strmode.h"
-#include "mktemp.h"
-#include "daemon.h"
-#include "dirname.h"
 #include "base64.h"
 #include "sigact.h"
-#include "inet_ntoa.h"
-#include "inet_ntop.h"
-#include "strsep.h"
-#include "setproctitle.h"
-#include "getgrouplist.h"
 #include "glob.h"
 #include "readpassphrase.h"
-#include "getopt.h"
 #include "vis.h"
+#include "getrrsetbyname.h"
+#ifndef HAVE_BASENAME
+char *basename(const char *path);
+#endif
+#ifndef HAVE_BINDRESVPORT_SA
+int bindresvport_sa(int sd, struct sockaddr *sa);
+#endif
+#ifndef HAVE_GETCWD
+char *getcwd(char *pt, size_t size);
+#endif 
+#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
+char *realpath(const char *path, char *resolved);
+#endif 
+#ifndef HAVE_RRESVPORT_AF
+int rresvport_af(int *alport, sa_family_t af);
+#endif
+#ifndef HAVE_STRLCPY
+/* #include <sys/types.h> XXX Still needed? */
+size_t strlcpy(char *dst, const char *src, size_t siz);
+#endif
+#ifndef HAVE_STRLCAT
+/* #include <sys/types.h> XXX Still needed? */
+size_t strlcat(char *dst, const char *src, size_t siz);
+#endif 
+#ifndef HAVE_SETENV
+int setenv(register const char *name, register const char *value, int rewrite);
+#endif
+#ifndef HAVE_STRMODE
+void strmode(int mode, char *p);
+#endif
+#if !defined(HAVE_MKDTEMP) || defined(HAVE_STRICT_MKSTEMP)
+int mkstemps(char *path, int slen);
+int mkstemp(char *path);
+char *mkdtemp(char *path);
+#endif 
+#ifndef HAVE_DAEMON
+int daemon(int nochdir, int noclose);
+#endif 
+#ifndef HAVE_DIRNAME
+char *dirname(const char *path);
+#endif
+#if defined(BROKEN_INET_NTOA) || !defined(HAVE_INET_NTOA)
+char *inet_ntoa(struct in_addr in);
+#endif
+#ifndef HAVE_INET_NTOP
+const char *inet_ntop(int af, const void *src, char *dst, size_t size);
+#endif
+#ifndef HAVE_INET_ATON
+int inet_aton(const char *cp, struct in_addr *addr);
+#endif 
+#ifndef HAVE_STRSEP
+char *strsep(char **stringp, const char *delim);
+#endif
+#ifndef HAVE_SETPROCTITLE
+void setproctitle(const char *fmt, ...);
+void compat_init_setproctitle(int argc, char *argv[]);
+#endif
+#ifndef HAVE_GETGROUPLIST
+/* #include <grp.h> XXXX Still needed ? */
+int getgrouplist(const char *, gid_t, gid_t *, int *);
+#endif
+#if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET)
+int BSDgetopt(int argc, char * const *argv, const char *opts);
+#endif
 /* Home grown routines */
-#include "bsd-arc4random.h"
-#include "bsd-getpeereid.h"
 #include "bsd-misc.h"
-#include "bsd-snprintf.h"
 #include "bsd-waitpid.h"
+/*#include <sys/types.h> XXX Still needed? * For uid_t, gid_t * */
+#ifndef HAVE_GETPEEREID
+int getpeereid(int , uid_t *, gid_t *);
+#endif 
+#ifndef HAVE_ARC4RANDOM
+unsigned int arc4random(void);
+void arc4random_stir(void);
+#endif /* !HAVE_ARC4RANDOM */
+/* #include <sys/types.h> XXX needed? For size_t */
+#ifndef HAVE_SNPRINTF
+int snprintf(char *, size_t, const char *, ...);
+#endif 
+#ifndef HAVE_VSNPRINTF
+int vsnprintf(char *, size_t, const char *, va_list);
+#endif
+void *xmmap(size_t size);
+char *xcrypt(const char *password, const char *salt);
+char *shadow_pw(struct passwd *pw);
 /* rfc2553 socket API replacements */
-#include "fake-getaddrinfo.h"
+#include "fake-rfc2553.h"
-#include "fake-getnameinfo.h"
-#include "fake-socket.h"
 /* Routines for a single OS platform */
 #include "bsd-cray.h"
+#include "bsd-cygwin_util.h"
 #include "port-irix.h"
 #include "port-aix.h"
-#endif /* _OPENBSD_H */
+#endif /* _OPENBSD_COMPAT_H */
diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c
index 4c96a3171..7a981634b 100644
--- a/openbsd-compat/port-aix.c
+++ b/openbsd-compat/port-aix.c
@@ -24,11 +24,17 @@
 *
 */
 #include "includes.h"
+#include "ssh.h"
+#include "log.h"
+#include "servconf.h"
 #ifdef _AIX
 #include <uinfo.h>
 #include <../xmalloc.h>
+#include "port-aix.h"
+extern ServerOptions options;
 /*
 * AIX has a "usrinfo" area where logname and other stuff is stored - 
@@ -41,16 +47,95 @@ void
 aix_usrinfo(struct passwd *pw)
 {
        u_int i;
+        size_t len;
        char *cp;
-        cp = xmalloc(16 + 2 * strlen(pw->pw_name));
+        len = sizeof("LOGNAME= NAME= ") + (2 * strlen(pw->pw_name));
-        i = sprintf(cp, "LOGNAME=%s%cNAME=%s%c", pw->pw_name, 0, 
+        cp = xmalloc(len);
-            pw->pw_name, 0);
+        i = snprintf(cp, len, "LOGNAME=%s%cNAME=%s%c", pw->pw_name, '\0', 
+            pw->pw_name, '\0');
        if (usrinfo(SETUINFO, cp, i) == -1)
                fatal("Couldn't set usrinfo: %s", strerror(errno));
        debug3("AIX/UsrInfo: set len %d", i);
        xfree(cp);
 }
+#ifdef WITH_AIXAUTHENTICATE
+/*
+ * Remove embedded newlines in string (if any).
+ * Used before logging messages returned by AIX authentication functions
+ * so the message is logged on one line.
+ */
+void
+aix_remove_embedded_newlines(char *p)
+{
+        if (p == NULL)
+                return;
+        for (; *p; p++) {
+                if (*p == '\n')
+                        *p = ' ';
+        }
+        /* Remove trailing whitespace */
+        if (*--p == ' ')
+                *p = '\0';
+}
+#endif /* WITH_AIXAUTHENTICATE */
+  
+# ifdef CUSTOM_FAILED_LOGIN
+/*
+ * record_failed_login: generic "login failed" interface function
+ */
+void
+record_failed_login(const char *user, const char *ttyname)
+{
+        char *hostname = get_canonical_hostname(options.use_dns);
+        if (geteuid() != 0)
+                return;
+        aix_setauthdb(user);
+#  ifdef AIX_LOGINFAILED_4ARG
+        loginfailed((char *)user, hostname, (char *)ttyname, AUDIT_FAIL_AUTH);
+#  else
+        loginfailed((char *)user, hostname, (char *)ttyname);
+#  endif
+}
+/*
+ * If we have setauthdb, retrieve the password registry for the user's
+ * account then feed it to setauthdb.  This may load registry-specific method
+ * code.  If we don't have setauthdb or have already called it this is a no-op.
+ */
+void
+aix_setauthdb(const char *user)
+{
+#  ifdef HAVE_SETAUTHDB
+        static char *registry = NULL;
+        if (registry != NULL)   /* have already done setauthdb */
+                return;
+        if (setuserdb(S_READ) == -1) {
+                debug3("%s: Could not open userdb to read", __func__);
+                return;
+        }
+        
+        if (getuserattr((char *)user, S_REGISTRY, &registry, SEC_CHAR) == 0) {
+                if (setauthdb(registry, NULL) == 0)
+                        debug3("%s: AIX/setauthdb set registry %s", __func__,
+                            registry);
+                else 
+                        debug3("%s: AIX/setauthdb set registry %s failed: %s",
+                            __func__, registry, strerror(errno));
+        } else
+                debug3("%s: Could not read S_REGISTRY for user: %s", __func__,
+                    strerror(errno));
+        enduserdb();
+#  endif
+}
+# endif /* CUSTOM_FAILED_LOGIN */
 #endif /* _AIX */
diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h
index 4abe00316..09e7f9e97 100644
--- a/openbsd-compat/port-aix.h
+++ b/openbsd-compat/port-aix.h
@@ -1,3 +1,5 @@
+/* $Id: port-aix.h,v 1.14 2003/08/29 16:59:52 mouring Exp $ */
 /*
 *
 * Copyright (c) 2001 Gert Doering.  All rights reserved.
@@ -21,11 +23,24 @@
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
 */
 #ifdef _AIX
+#ifdef WITH_AIXAUTHENTICATE
+# include <login.h>
+# include <userpw.h>
+# include <usersec.h>
+# ifdef HAVE_SYS_AUDIT_H
+#  include <sys/audit.h>
+# endif
+#endif
+/* Some versions define r_type in the above headers, which causes a conflict */
+#ifdef r_type
+# undef r_type
+#endif
 /* AIX 4.2.x doesn't have nanosleep but does have nsleep which is equivalent */
 #if !defined(HAVE_NANOSLEEP) && defined(HAVE_NSLEEP)
 # define nanosleep(a,b) nsleep(a,b)
@@ -36,5 +51,12 @@
 # include <sys/timers.h>
 #endif
-void aix_usrinfo(struct passwd *pw);
+#ifdef WITH_AIXAUTHENTICATE
+# define CUSTOM_FAILED_LOGIN 1
+void record_failed_login(const char *, const char *);
+void aix_setauthdb(const char *);
+#endif
+void aix_usrinfo(struct passwd *);
+void aix_remove_embedded_newlines(char *);
 #endif /* _AIX */
diff --git a/openbsd-compat/port-irix.c b/openbsd-compat/port-irix.c
index a63ec429a..aa6db1cf8 100644
--- a/openbsd-compat/port-irix.c
+++ b/openbsd-compat/port-irix.c
@@ -1,15 +1,42 @@
+/*
+ * Copyright (c) 2000 Denis Parker.  All rights reserved.
+ * Copyright (c) 2000 Michael Stone.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
 #include "includes.h"
-#if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY)
+#if defined(WITH_IRIX_PROJECT) || \
+    defined(WITH_IRIX_JOBS) || \
+    defined(WITH_IRIX_ARRAY)
 #ifdef WITH_IRIX_PROJECT
-#include <proj.h>
+# include <proj.h>
 #endif /* WITH_IRIX_PROJECT */
 #ifdef WITH_IRIX_JOBS
-#include <sys/resource.h>
+# include <sys/resource.h>
 #endif
 #ifdef WITH_IRIX_AUDIT
-#include <sat.h>
+# include <sat.h>
 #endif /* WITH_IRIX_AUDIT */
 void
@@ -17,14 +44,12 @@ irix_setusercontext(struct passwd *pw)
 {
 #ifdef WITH_IRIX_PROJECT
        prid_t projid;
-#endif /* WITH_IRIX_PROJECT */
+#endif
 #ifdef WITH_IRIX_JOBS
        jid_t jid = 0;
-#else
+#elif defined(WITH_IRIX_ARRAY)
-# ifdef WITH_IRIX_ARRAY
        int jid = 0;
-# endif /* WITH_IRIX_ARRAY */
+#endif
-#endif /* WITH_IRIX_JOBS */
 #ifdef WITH_IRIX_JOBS
        jid = jlimit_startjob(pw->pw_name, pw->pw_uid, "interactive");
diff --git a/openbsd-compat/port-irix.h b/openbsd-compat/port-irix.h
index 2dd3c2e25..67c486307 100644
--- a/openbsd-compat/port-irix.h
+++ b/openbsd-compat/port-irix.h
@@ -1,5 +1,39 @@
-#if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY)
+/* $Id: port-irix.h,v 1.4 2003/08/29 16:59:52 mouring Exp $ */
+/*
+ * Copyright (c) 2000 Denis Parker.  All rights reserved.
+ * Copyright (c) 2000 Michael Stone.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef _PORT_IRIX_H
+#define _PORT_IRIX_H
+#if defined(WITH_IRIX_PROJECT) || \
+    defined(WITH_IRIX_JOBS) || \
+    defined(WITH_IRIX_ARRAY)
 void irix_setusercontext(struct passwd *pw);
 #endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */
+#endif /* ! _PORT_IRIX_H */
diff --git a/openbsd-compat/readpassphrase.c b/openbsd-compat/readpassphrase.c
index 4e549b62b..0d0baf569 100644
--- a/openbsd-compat/readpassphrase.c
+++ b/openbsd-compat/readpassphrase.c
@@ -1,34 +1,27 @@
-/*      $OpenBSD: readpassphrase.c,v 1.14 2002/06/28 01:43:58 millert Exp $     */
+/*      $OpenBSD: readpassphrase.c,v 1.16 2003/06/17 21:56:23 millert Exp $     */
 /*
 * Copyright (c) 2000-2002 Todd C. Miller <Todd.Miller@courtesan.com>
- * All rights reserved.
 *
- * Redistribution and use in source and binary forms, with or without
+ * Permission to use, copy, modify, and distribute this software for any
- * modification, are permitted provided that the following conditions
+ * purpose with or without fee is hereby granted, provided that the above
- * are met:
+ * copyright notice and this permission notice appear in all copies.
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote products
- *    derived from this software without specific prior written permission.
 *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ *
- * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * Sponsored in part by the Defense Advanced Research Projects
- * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * Agency (DARPA) and Air Force Research Laboratory, Air Force
+ * Materiel Command, USAF, under agreement number F39502-99-1-0512.
 */
 #if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$OpenBSD: readpassphrase.c,v 1.14 2002/06/28 01:43:58 millert Exp $";
+static const char rcsid[] = "$OpenBSD: readpassphrase.c,v 1.16 2003/06/17 21:56:23 millert Exp $";
 #endif /* LIBC_SCCS and not lint */
 #include "includes.h"
@@ -185,6 +178,7 @@ getpass(const char *prompt)
 static void handler(int s)
 {
        signo = s;
 }
 #endif /* HAVE_READPASSPHRASE */
diff --git a/openbsd-compat/realpath.c b/openbsd-compat/realpath.c
index b9035ca22..77da14e7c 100644
--- a/openbsd-compat/realpath.c
+++ b/openbsd-compat/realpath.c
@@ -13,6 +13,9 @@
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -32,7 +35,7 @@
 #if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
 #if defined(LIBC_SCCS) && !defined(lint)
-static char *rcsid = "$OpenBSD: realpath.c,v 1.7 2002/05/24 21:22:37 deraadt Exp $";
+static char *rcsid = "$OpenBSD: realpath.c,v 1.10 2003/08/01 21:04:59 millert Exp $";
 #endif /* LIBC_SCCS and not lint */
 #include <sys/param.h>
@@ -62,7 +65,7 @@ char *
 realpath(const char *path, char *resolved)
 {
        struct stat sb;
-        int fd, n, rootd, serrno = 0;
+        int fd, n, needslash, serrno = 0;
        char *p, *q, wbuf[MAXPATHLEN], start[MAXPATHLEN];
        int symlinks = 0;
@@ -138,18 +141,18 @@ loop:
         * happens if the last component is empty, or the dirname is root.
         */
        if (resolved[0] == '/' && resolved[1] == '\0')
-                rootd = 1;
+                needslash = 0;
        else
-                rootd = 0;
+                needslash = 1;
        if (*wbuf) {
-                if (strlen(resolved) + strlen(wbuf) + rootd + 1 > MAXPATHLEN) {
+                if (strlen(resolved) + strlen(wbuf) + needslash >= MAXPATHLEN) {
                        serrno = ENAMETOOLONG;
                        goto err1;
                }
-                if (rootd == 0)
+                if (needslash == 0)
-                        (void)strcat(resolved, "/");
+                        strlcat(resolved, "/", MAXPATHLEN);
-                (void)strcat(resolved, wbuf);
+                strlcat(resolved, wbuf, MAXPATHLEN);
        }
        /* Go back to where we came from. */
diff --git a/openbsd-compat/rresvport.c b/openbsd-compat/rresvport.c
index 9f058961d..608a3b184 100644
--- a/openbsd-compat/rresvport.c
+++ b/openbsd-compat/rresvport.c
@@ -11,12 +11,7 @@
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
+ * 3. Neither the name of the University nor the names of its contributors
- *    must display the following acknowledgement:
- *      This product includes software developed by the University of
- *      California, Berkeley and its contributors.
- *      This product includes software developed by Theo de Raadt.
- * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
@@ -38,7 +33,7 @@
 #ifndef HAVE_RRESVPORT_AF
 #if defined(LIBC_SCCS) && !defined(lint)
-static char *rcsid = "$OpenBSD: rresvport.c,v 1.5 2000/01/26 03:43:20 deraadt Exp $";
+static char *rcsid = "$OpenBSD: rresvport.c,v 1.6 2003/06/03 02:11:35 deraadt Exp $";
 #endif /* LIBC_SCCS and not lint */
 #include "includes.h"
diff --git a/openbsd-compat/setenv.c b/openbsd-compat/setenv.c
index e5c5de62e..c9941c195 100644
--- a/openbsd-compat/setenv.c
+++ b/openbsd-compat/setenv.c
@@ -10,11 +10,7 @@
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
+ * 3. Neither the name of the University nor the names of its contributors
- *    must display the following acknowledgement:
- *      This product includes software developed by the University of
- *      California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
@@ -35,7 +31,7 @@
 #ifndef HAVE_SETENV
 #if defined(LIBC_SCCS) && !defined(lint)
-static char *rcsid = "$OpenBSD: setenv.c,v 1.5 2002/12/10 22:44:13 mickey Exp $";
+static char *rcsid = "$OpenBSD: setenv.c,v 1.6 2003/06/02 20:18:38 millert Exp $";
 #endif /* LIBC_SCCS and not lint */
 #include <stdlib.h>
diff --git a/openbsd-compat/setproctitle.c b/openbsd-compat/setproctitle.c
index 07af7e9c0..b41100fc6 100644
--- a/openbsd-compat/setproctitle.c
+++ b/openbsd-compat/setproctitle.c
@@ -1,41 +1,34 @@
-/*
+/* Based on conf.c from UCB sendmail 8.8.8 */
- * Based on src/backend/utils/misc/pg_status.c from 
- * PostgreSQL Database Management System
- * 
- * Portions Copyright (c) 1996-2001, The PostgreSQL Global Development Group
- * 
- * Portions Copyright (c) 1994, The Regents of the University of California
- * 
- * Permission to use, copy, modify, and distribute this software and its
- * documentation for any purpose, without fee, and without a written agreement
- * is hereby granted, provided that the above copyright notice and this
- * paragraph and the following two paragraphs appear in all copies.
- * 
- * IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY PARTY FOR
- * DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING
- * LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS
- * DOCUMENTATION, EVEN IF THE UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- * 
- * THE UNIVERSITY OF CALIFORNIA SPECIFICALLY DISCLAIMS ANY WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE.  THE SOFTWARE PROVIDED HEREUNDER IS
- * ON AN "AS IS" BASIS, AND THE UNIVERSITY OF CALIFORNIA HAS NO OBLIGATIONS TO
- * PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
- */
-/*--------------------------------------------------------------------
+/*
- * ps_status.c
+ * Copyright 2003 Damien Miller
- *
+ * Copyright (c) 1983, 1995-1997 Eric P. Allman
- * Routines to support changing the ps display of PostgreSQL backends
+ * Copyright (c) 1988, 1993
- * to contain some useful information. Mechanism differs wildly across
+ *      The Regents of the University of California.  All rights reserved.
- * platforms.
 *
- * $Header: /var/cvs/openssh/openbsd-compat/setproctitle.c,v 1.5 2003/01/20 02:15:11 djm Exp $
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
 *
- * Copyright 2000 by PostgreSQL Global Development Group
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * various details abducted from various places
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- *--------------------------------------------------------------------
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
 */
 #include "includes.h"
@@ -44,200 +37,121 @@
 #include <unistd.h>
 #ifdef HAVE_SYS_PSTAT_H
-#include <sys/pstat.h>          /* for HP-UX */
+#include <sys/pstat.h>
-#endif
-#ifdef HAVE_PS_STRINGS
-#include <machine/vmparam.h>    /* for old BSD */
-#include <sys/exec.h>
 #endif
-/*------
+#define SPT_NONE        0       /* don't use it at all */
- * Alternative ways of updating ps display:
+#define SPT_PSTAT       1       /* cover argv with title information */
- *
+#define SPT_REUSEARGV   2       /* use pstat(PSTAT_SETCMD, ...) */
- * SETPROCTITLE_STRATEGY == PS_USE_PSTAT
- *         use the pstat(PSTAT_SETCMD, )
- *         (HPUX)
- * SETPROCTITLE_STRATEGY == PS_USE_PS_STRINGS
- *         assign PS_STRINGS->ps_argvstr = "string"
- *         (some BSD systems)
- * SETPROCTITLE_STRATEGY == PS_USE_CHANGE_ARGV
- *         assign argv[0] = "string"
- *         (some other BSD systems)
- * SETPROCTITLE_STRATEGY == PS_USE_CLOBBER_ARGV
- *         write over the argv and environment area
- *         (most SysV-like systems)
- * SETPROCTITLE_STRATEGY == PS_USE_NONE
- *         don't update ps display
- *         (This is the default, as it is safest.)
- */
-#define PS_USE_NONE                     0
+#ifndef SPT_TYPE
-#define PS_USE_PSTAT                    1
+# define SPT_TYPE       SPT_NONE
-#define PS_USE_PS_STRINGS               2
-#define PS_USE_CHANGE_ARGV              3
-#define PS_USE_CLOBBER_ARGV             4
-#ifndef SETPROCTITLE_STRATEGY
-# define SETPROCTITLE_STRATEGY  PS_USE_NONE 
 #endif
-#ifndef SETPROCTITLE_PS_PADDING
+#ifndef SPT_PADCHAR
-# define SETPROCTITLE_PS_PADDING        ' '
+# define SPT_PADCHAR    '\0'
 #endif
-#endif /* HAVE_SETPROCTITLE */
-extern char **environ;
+#if SPT_TYPE == SPT_REUSEARGV
+static char *argv_start = NULL;
-/*
+static size_t argv_env_len = 0;
- * argv clobbering uses existing argv space, all other methods need a buffer
- */
-#if SETPROCTITLE_STRATEGY != PS_USE_CLOBBER_ARGV
-static char ps_buffer[256];
-static const size_t ps_buffer_size = sizeof(ps_buffer);
-#else
-static char *ps_buffer;                 /* will point to argv area */
-static size_t ps_buffer_size;           /* space determined at run time */
 #endif
-/* save the original argv[] location here */
+#endif /* HAVE_SETPROCTITLE */
-static int      save_argc;
-static char **save_argv;
-extern char *__progname;
-#ifndef HAVE_SETPROCTITLE
-/*
- * Call this to update the ps status display to a fixed prefix plus an
- * indication of what you're currently doing passed in the argument.
- */
 void
-setproctitle(const char *fmt, ...)
+compat_init_setproctitle(int argc, char *argv[])
 {
-#if SETPROCTITLE_STRATEGY == PS_USE_PSTAT
+#if defined(SPT_TYPE) && SPT_TYPE == SPT_REUSEARGV
-        union pstun pst;
+        extern char **environ;
-#endif
+        char *lastargv = NULL;
-#if SETPROCTITLE_STRATEGY != PS_USE_NONE
+        char **envp = environ;
-        ssize_t used;
+        int i;
-        va_list ap;
-        /* no ps display if you didn't call save_ps_display_args() */
-        if (save_argv == NULL)
-                return;
-#if SETPROCTITLE_STRATEGY == PS_USE_CLOBBER_ARGV
-        /* If ps_buffer is a pointer, it might still be null */
-        if (ps_buffer == NULL)
-                return;
-#endif /* PS_USE_CLOBBER_ARGV */
        /*
-         * Overwrite argv[] to point at appropriate space, if needed
+         * NB: This assumes that argv has already been copied out of the
+         * way. This is true for sshd, but may not be true for other 
+         * programs. Beware.
         */
-#if SETPROCTITLE_STRATEGY == PS_USE_CHANGE_ARGV
-        save_argv[0] = ps_buffer;
-        save_argv[1] = NULL;
-#endif /* PS_USE_CHANGE_ARGV */
-#if SETPROCTITLE_STRATEGY == PS_USE_CLOBBER_ARGV
+        if (argc == 0 || argv[0] == NULL)
-        save_argv[1] = NULL;
+                return;
-#endif /* PS_USE_CLOBBER_ARGV */
+        /* Fail if we can't allocate room for the new environment */
+        for (i = 0; envp[i] != NULL; i++)
+                ;
+        if ((environ = malloc(sizeof(*environ) * (i + 1))) == NULL) {
+                environ = envp; /* put it back */
+                return;
+        }
        /*
-         * Make fixed prefix of ps display.
+         * Find the last argv string or environment variable within 
+         * our process memory area.
         */
+        for (i = 0; i < argc; i++) {
-        va_start(ap, fmt);
+                if (lastargv == NULL || lastargv + 1 == argv[i])
-        if (fmt == NULL)
+                        lastargv = argv[i] + strlen(argv[i]);
-                snprintf(ps_buffer, ps_buffer_size, "%s", __progname);
+        }
-        else {
+        for (i = 0; envp[i] != NULL; i++) {
-                used = snprintf(ps_buffer, ps_buffer_size, "%s: ", __progname);
+                if (lastargv + 1 == envp[i])
-                if (used == -1 || used >= ps_buffer_size)
+                        lastargv = envp[i] + strlen(envp[i]);
-                        used = ps_buffer_size;
-                vsnprintf(ps_buffer + used, ps_buffer_size - used, fmt, ap);
        }
-        va_end(ap);
-#if SETPROCTITLE_STRATEGY == PS_USE_PSTAT
-        pst.pst_command = ps_buffer;
-        pstat(PSTAT_SETCMD, pst, strlen(ps_buffer), 0, 0);
-#endif   /* PS_USE_PSTAT */
-#if SETPROCTITLE_STRATEGY == PS_USE_PS_STRINGS
-        PS_STRINGS->ps_nargvstr = 1;
-        PS_STRINGS->ps_argvstr = ps_buffer;
-#endif   /* PS_USE_PS_STRINGS */
-#if SETPROCTITLE_STRATEGY == PS_USE_CLOBBER_ARGV
+        argv[1] = NULL;
-        /* pad unused memory */
+        argv_start = argv[0];
-        used = strlen(ps_buffer);
+        argv_env_len = lastargv - argv[0] - 1;
-        memset(ps_buffer + used, SETPROCTITLE_PS_PADDING, 
-            ps_buffer_size - used);
-#endif   /* PS_USE_CLOBBER_ARGV */
-#endif /* PS_USE_NONE */
+        /* 
+         * Copy environment 
+         * XXX - will truncate env on strdup fail
+         */
+        for (i = 0; envp[i] != NULL; i++)
+                environ[i] = strdup(envp[i]);
+        environ[i] = NULL;
+#endif /* SPT_REUSEARGV */
 }
-#endif /* HAVE_SETPROCTITLE */
+#ifndef HAVE_SETPROCTITLE
-/*
- * Call this early in startup to save the original argc/argv values.
- *
- * argv[] will not be overwritten by this routine, but may be overwritten
- * during setproctitle. Also, the physical location of the environment
- * strings may be moved, so this should be called before any code that
- * might try to hang onto a getenv() result.
- */
 void
-compat_init_setproctitle(int argc, char *argv[])
+setproctitle(const char *fmt, ...)
 {
-#if SETPROCTITLE_STRATEGY == PS_USE_CLOBBER_ARGV
+#if SPT_TYPE != SPT_NONE
-        char *end_of_area = NULL;
+        va_list ap;
-        char **new_environ;
+        char buf[1024];
-        int i;
+        size_t len;
+        extern char *__progname;
+#if SPT_TYPE == SPT_PSTAT
+        union pstun pst;
 #endif
-        save_argc = argc;
+#if SPT_TYPE == SPT_REUSEARGV
-        save_argv = argv;
+        if (argv_env_len <= 0)
-#if SETPROCTITLE_STRATEGY == PS_USE_CLOBBER_ARGV
-        /*
-         * If we're going to overwrite the argv area, count the available
-         * space.  Also move the environment to make additional room.
-         */
-        /*
-         * check for contiguous argv strings
-         */
-        for (i = 0; i < argc; i++) {
-                if (i == 0 || end_of_area + 1 == argv[i])
-                        end_of_area = argv[i] + strlen(argv[i]);
-        }
-        /* probably can't happen? */
-        if (end_of_area == NULL) {
-                ps_buffer = NULL;
-                ps_buffer_size = 0;
                return;
-        }
+#endif
-        /*
+        strlcpy(buf, __progname, sizeof(buf));
-         * check for contiguous environ strings following argv
-         */
+        va_start(ap, fmt);
-        for (i = 0; environ[i] != NULL; i++) {
+        if (fmt != NULL) {
-                if (end_of_area + 1 == environ[i])
+                len = strlcat(buf, ": ", sizeof(buf));
-                        end_of_area = environ[i] + strlen(environ[i]);
+                if (len < sizeof(buf))
+                        vsnprintf(buf + len, sizeof(buf) - len , fmt, ap);
        }
+        va_end(ap);
-        ps_buffer = argv[0];
+#if SPT_TYPE == SPT_PSTAT
-        ps_buffer_size = end_of_area - argv[0] - 1;
+        pst.pst_command = buf;
+        pstat(PSTAT_SETCMD, pst, strlen(buf), 0, 0);
+#elif SPT_TYPE == SPT_REUSEARGV
+/*      debug("setproctitle: copy \"%s\" into len %d", 
+            buf, argv_env_len); */
+        len = strlcpy(argv_start, buf, argv_env_len);
+        for(; len < argv_env_len; len++)
+                argv_start[len] = SPT_PADCHAR;
+#endif
-        /*
+#endif /* SPT_NONE */
-         * Duplicate and move the environment out of the way
-         */
-        new_environ = malloc(sizeof(char *) * (i + 1));
-        for (i = 0; environ[i] != NULL; i++)
-                new_environ[i] = strdup(environ[i]);
-        new_environ[i] = NULL;
-        environ = new_environ;
-#endif /* PS_USE_CLOBBER_ARGV */
 }
+#endif /* HAVE_SETPROCTITLE */
diff --git a/openbsd-compat/strlcat.c b/openbsd-compat/strlcat.c
index 3a9b5d1a7..cae16657c 100644
--- a/openbsd-compat/strlcat.c
+++ b/openbsd-compat/strlcat.c
@@ -1,42 +1,30 @@
-/*      $OpenBSD: strlcat.c,v 1.8 2001/05/13 15:40:15 deraadt Exp $     */
+/*      $OpenBSD: strlcat.c,v 1.11 2003/06/17 21:56:24 millert Exp $    */
 /*
 * Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com>
- * All rights reserved.
 *
- * Redistribution and use in source and binary forms, with or without
+ * Permission to use, copy, modify, and distribute this software for any
- * modification, are permitted provided that the following conditions
+ * purpose with or without fee is hereby granted, provided that the above
- * are met:
+ * copyright notice and this permission notice appear in all copies.
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote products
- *    derived from this software without specific prior written permission.
 *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
- * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
- * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "includes.h"
 #ifndef HAVE_STRLCAT
 #if defined(LIBC_SCCS) && !defined(lint)
-static char *rcsid = "$OpenBSD: strlcat.c,v 1.8 2001/05/13 15:40:15 deraadt Exp $";
+static char *rcsid = "$OpenBSD: strlcat.c,v 1.11 2003/06/17 21:56:24 millert Exp $";
 #endif /* LIBC_SCCS and not lint */
 #include <sys/types.h>
 #include <string.h>
-#include "strlcat.h"
 /*
 * Appends src to string dst of size siz (unlike strncat, siz is the
@@ -46,10 +34,7 @@ static char *rcsid = "$OpenBSD: strlcat.c,v 1.8 2001/05/13 15:40:15 deraadt Exp
 * If retval >= siz, truncation occurred.
 */
 size_t
-strlcat(dst, src, siz)
+strlcat(char *dst, const char *src, size_t siz)
-        char *dst;
-        const char *src;
-        size_t siz;
 {
        register char *d = dst;
        register const char *s = src;
diff --git a/openbsd-compat/strlcpy.c b/openbsd-compat/strlcpy.c
index 2f87eca44..c8fe29987 100644
--- a/openbsd-compat/strlcpy.c
+++ b/openbsd-compat/strlcpy.c
@@ -1,42 +1,30 @@
-/*      $OpenBSD: strlcpy.c,v 1.5 2001/05/13 15:40:16 deraadt Exp $     */
+/*      $OpenBSD: strlcpy.c,v 1.8 2003/06/17 21:56:24 millert Exp $     */
 /*
 * Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com>
- * All rights reserved.
 *
- * Redistribution and use in source and binary forms, with or without
+ * Permission to use, copy, modify, and distribute this software for any
- * modification, are permitted provided that the following conditions
+ * purpose with or without fee is hereby granted, provided that the above
- * are met:
+ * copyright notice and this permission notice appear in all copies.
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote products
- *    derived from this software without specific prior written permission.
 *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
- * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
- * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "includes.h"
 #ifndef HAVE_STRLCPY
 #if defined(LIBC_SCCS) && !defined(lint)
-static char *rcsid = "$OpenBSD: strlcpy.c,v 1.5 2001/05/13 15:40:16 deraadt Exp $";
+static char *rcsid = "$OpenBSD: strlcpy.c,v 1.8 2003/06/17 21:56:24 millert Exp $";
 #endif /* LIBC_SCCS and not lint */
 #include <sys/types.h>
 #include <string.h>
-#include "strlcpy.h"
 /*
 * Copy src to string dst of size siz.  At most siz-1 characters
@@ -44,10 +32,7 @@ static char *rcsid = "$OpenBSD: strlcpy.c,v 1.5 2001/05/13 15:40:16 deraadt Exp
 * Returns strlen(src); if retval >= siz, truncation occurred.
 */
 size_t
-strlcpy(dst, src, siz)
+strlcpy(char *dst, const char *src, size_t siz)
-        char *dst;
-        const char *src;
-        size_t siz;
 {
        register char *d = dst;
        register const char *s = src;
diff --git a/openbsd-compat/strmode.c b/openbsd-compat/strmode.c
index e64d19869..adf5e273e 100644
--- a/openbsd-compat/strmode.c
+++ b/openbsd-compat/strmode.c
@@ -10,11 +10,7 @@
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
+ * 3. Neither the name of the University nor the names of its contributors
- *    must display the following acknowledgement:
- *      This product includes software developed by the University of
- *      California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
@@ -35,15 +31,17 @@
 #ifndef HAVE_STRMODE
 #if defined(LIBC_SCCS) && !defined(lint)
-static char *rcsid = "$OpenBSD: strmode.c,v 1.3 1997/06/13 13:57:20 deraadt Exp $";
+static char *rcsid = "$OpenBSD: strmode.c,v 1.5 2003/06/11 21:08:16 deraadt Exp $";
 #endif /* LIBC_SCCS and not lint */
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <string.h>
+/* XXX mode should be mode_t */
 void
-strmode(register mode_t mode, register char *p)
+strmode(int mode, char *p)
 {
         /* print type */
        switch (mode & S_IFMT) {
diff --git a/openbsd-compat/strsep.c b/openbsd-compat/strsep.c
index d0afc44ae..b13671343 100644
--- a/openbsd-compat/strsep.c
+++ b/openbsd-compat/strsep.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: strsep.c,v 1.3 1997/08/20 04:28:14 millert Exp $      */
+/*      $OpenBSD: strsep.c,v 1.5 2003/06/11 21:08:16 deraadt Exp $      */
 /*-
 * Copyright (c) 1990, 1993
@@ -12,11 +12,7 @@
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
+ * 3. Neither the name of the University nor the names of its contributors
- *    must display the following acknowledgement:
- *      This product includes software developed by the University of
- *      California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
@@ -44,7 +40,7 @@
 #if 0
 static char sccsid[] = "@(#)strsep.c    8.1 (Berkeley) 6/4/93";
 #else
-static char *rcsid = "$OpenBSD: strsep.c,v 1.3 1997/08/20 04:28:14 millert Exp $";
+static char *rcsid = "$OpenBSD: strsep.c,v 1.5 2003/06/11 21:08:16 deraadt Exp $";
 #endif
 #endif /* LIBC_SCCS and not lint */
@@ -62,9 +58,9 @@ static char *rcsid = "$OpenBSD: strsep.c,v 1.3 1997/08/20 04:28:14 millert Exp $
 char *
 strsep(char **stringp, const char *delim)
 {
-        register char *s;
+        char *s;
-        register const char *spanp;
+        const char *spanp;
-        register int c, sc;
+        int c, sc;
        char *tok;
        if ((s = *stringp) == NULL)
diff --git a/openbsd-compat/sys-queue.h b/openbsd-compat/sys-queue.h
index 176fe3174..dd5c47525 100644
--- a/openbsd-compat/sys-queue.h
+++ b/openbsd-compat/sys-queue.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: queue.h,v 1.22 2001/06/23 04:39:35 angelos Exp $      */
+/*      $OpenBSD: queue.h,v 1.23 2003/06/02 23:28:21 millert Exp $      */
 /*      $NetBSD: queue.h,v 1.11 1996/05/16 05:17:14 mycroft Exp $       */
 /*
@@ -13,11 +13,7 @@
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
+ * 3. Neither the name of the University nor the names of its contributors
- *    must display the following acknowledgement:
- *      This product includes software developed by the University of
- *      California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
diff --git a/openbsd-compat/vis.c b/openbsd-compat/vis.c
index fc5741390..e6a2ce98d 100644
--- a/openbsd-compat/vis.c
+++ b/openbsd-compat/vis.c
@@ -10,11 +10,7 @@
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
+ * 3. Neither the name of the University nor the names of its contributors
- *    must display the following acknowledgement:
- *      This product includes software developed by the University of
- *      California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
@@ -30,14 +26,15 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
-#include "config.h"
+#include "includes.h"
 #if !defined(HAVE_STRNVIS)
 #if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$OpenBSD: vis.c,v 1.8 2002/02/19 19:39:36 millert Exp $";
+static char rcsid[] = "$OpenBSD: vis.c,v 1.12 2003/06/02 20:18:35 millert Exp $";
 #endif /* LIBC_SCCS and not lint */
 #include <ctype.h>
+#include <string.h>
 #include "vis.h"
@@ -47,8 +44,9 @@ static char rcsid[] = "$OpenBSD: vis.c,v 1.8 2002/02/19 19:39:36 millert Exp $";
                                ((flag & VIS_SP) == 0 && (c) == ' ') ||      \
                                ((flag & VIS_TAB) == 0 && (c) == '\t') ||    \
                                ((flag & VIS_NL) == 0 && (c) == '\n') ||     \
-                                ((flag & VIS_SAFE) &&                        \
+                                ((flag & VIS_SAFE) && ((c) == '\b' ||        \
-                                ((c) == '\b' || (c) == '\007' || (c) == '\r')))
+                                (c) == '\007' || (c) == '\r' ||              \
+                                isgraph((u_char)(c)))))
 /*
 * vis - visually encode characters
@@ -169,16 +167,20 @@ strvis(dst, src, flag)
 int
 strnvis(dst, src, siz, flag)
-        register char *dst;
+        char *dst;
-        register const char *src;
+        const char *src;
        size_t siz;
        int flag;
 {
-        register char c;
+        char c;
        char *start, *end;
+        char tbuf[5];
+        int  i;
+        i = 0;
        for (start = dst, end = start + siz - 1; (c = *src) && dst < end; ) {
                if (isvisible(c)) {
+                        i = 1;
                        *dst++ = c;
                        if (c == '\\' && (flag & VIS_NOSLASH) == 0) {
                                /* need space for the extra '\\' */
@@ -186,22 +188,25 @@ strnvis(dst, src, siz, flag)
                                        *dst++ = '\\';
                                else {
                                        dst--;
+                                        i = 2;
                                        break;
                                }
                        }
                        src++;
                } else {
-                        /* vis(3) requires up to 4 chars */
+                        i = vis(tbuf, c, flag, *++src) - tbuf;
-                        if (dst + 3 < end)
+                        if (dst + i <= end) {
-                                dst = vis(dst, c, flag, *++src);
+                                memcpy(dst, tbuf, i);
-                        else
+                                dst += i;
+                        } else {
+                                src--;
                                break;
+                        }
                }
        }
-        *dst = '\0';
+        if (siz > 0)
-        if (dst >= end) {
+                *dst = '\0';
-                char tbuf[5];
+        if (dst + i > end) {
                /* adjust return value for truncation */
                while ((c = *src))
                        dst += vis(tbuf, c, flag, *++src) - tbuf;
diff --git a/openbsd-compat/vis.h b/openbsd-compat/vis.h
index 5df6f3694..1c131cc85 100644
--- a/openbsd-compat/vis.h
+++ b/openbsd-compat/vis.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: vis.h,v 1.5 2002/02/16 21:27:17 millert Exp $ */
+/*      $OpenBSD: vis.h,v 1.6 2003/06/02 19:34:12 millert Exp $ */
 /*      $NetBSD: vis.h,v 1.4 1994/10/26 00:56:41 cgd Exp $      */
 /*-
@@ -13,11 +13,7 @@
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
+ * 3. Neither the name of the University nor the names of its contributors
- *    must display the following acknowledgement:
- *      This product includes software developed by the University of
- *      California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
@@ -35,7 +31,8 @@
 *
 *      @(#)vis.h       5.9 (Berkeley) 4/3/91
 */
-#include "config.h"
+#include "includes.h"
 #if !defined(HAVE_STRNVIS)
 #ifndef _VIS_H_
diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c
new file mode 100644
index 000000000..5b5d69c72
--- /dev/null
+++ b/openbsd-compat/xcrypt.c
@@ -0,0 +1,116 @@
+/*
+ * Copyright (c) 2003 Ben Lindstrom.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "includes.h"
+#if !defined(HAVE_OSF_SIA)
+# ifdef HAVE_CRYPT_H
+#  include <crypt.h>
+# endif
+# ifdef __hpux
+#  include <hpsecurity.h>
+#  include <prot.h>
+# endif
+# ifdef HAVE_SECUREWARE
+#  include <sys/security.h>
+#  include <sys/audit.h>
+#  include <prot.h>
+# endif 
+# if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
+#  include <shadow.h>
+# endif
+# if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
+#  include <sys/label.h>
+#  include <sys/audit.h>
+#  include <pwdadj.h>
+# endif
+# if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
+#  include "md5crypt.h"
+# endif 
+char *
+xcrypt(const char *password, const char *salt)
+{
+        char *crypted;
+# ifdef HAVE_MD5_PASSWORDS
+        if (is_md5_salt(salt))
+                crypted = md5_crypt(password, salt);
+        else
+                crypted = crypt(password, salt);
+# elif defined(__hpux) && !defined(HAVE_SECUREWARE)
+        if (iscomsec())
+                crypted = bigcrypt(password, salt);
+        else
+                crypted = crypt(password, salt);
+# elif defined(HAVE_SECUREWARE)
+        crypted = bigcrypt(password, salt);
+# else
+        crypted = crypt(password, salt);
+# endif 
+        return crypted;
+}
+/*
+ * Handle shadowed password systems in a cleaner way for portable
+ * version.
+ */
+char *
+shadow_pw(struct passwd *pw)
+{
+        char *pw_password = pw->pw_passwd;
+# if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
+        struct spwd *spw = getspnam(pw->pw_name);
+        if (spw != NULL)
+                pw_password = spw->sp_pwdp;
+# endif
+# if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
+        struct passwd_adjunct *spw;
+        if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL)
+                pw_password = spw->pwa_passwd;
+# elif defined(HAVE_SECUREWARE)
+        struct pr_passwd *spw = getprpwnam(pw->pw_name);
+        if (spw != NULL)
+                pw_password = spw->ufld.fd_encrypt;
+# elif defined(__hpux) && !defined(HAVE_SECUREWARE)
+        struct pr_passwd *spw;
+        if (iscomsec() && (spw = getprpwnam(pw->pw_name)) != NULL)
+                pw_password = spw->ufld.fd_encrypt;
+# endif
+        return pw_password;
+}
+#endif /* !defined(HAVE_OSF_SIA) */
diff --git a/openbsd-compat/xmmap.c b/openbsd-compat/xmmap.c
index 8f1d2022c..9dc4340a7 100644
--- a/openbsd-compat/xmmap.c
+++ b/openbsd-compat/xmmap.c
@@ -1,4 +1,7 @@
 /*
+ * Copyright (c) 2002 Tim Rice.  All rights reserved.
+ * MAP_FAILED code by Solar Designer.
+ * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@@ -20,6 +23,8 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
+/* $Id: xmmap.c,v 1.3 2003/06/02 02:25:27 tim Exp $ */
 #include "includes.h"
 #ifdef HAVE_SYS_MMAN_H
diff --git a/packet.c b/packet.c
index 3e21df722..4ef639fd6 100644
--- a/packet.c
+++ b/packet.c
@@ -37,7 +37,9 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: packet.c,v 1.104 2003/04/01 10:22:21 markus Exp $");
+RCSID("$OpenBSD: packet.c,v 1.109 2003/07/10 14:42:28 markus Exp $");
+#include "openbsd-compat/sys-queue.h"
 #include "xmalloc.h"
 #include "buffer.h"
@@ -106,7 +108,7 @@ static int compression_buffer_ready = 0;
 static int packet_compression = 0;
 /* default maximum packet size */
-int max_packet_size = 32768;
+u_int max_packet_size = 32768;
 /* Flag indicating whether this module has been initialized. */
 static int initialized = 0;
@@ -116,8 +118,14 @@ static int interactive_mode = 0;
 /* Session key information for Encryption and MAC */
 Newkeys *newkeys[MODE_MAX];
-static u_int32_t read_seqnr = 0;
+static struct packet_state {
-static u_int32_t send_seqnr = 0;
+        u_int32_t seqnr;
+        u_int32_t packets;
+        u_int64_t blocks;
+} p_read, p_send;
+static u_int64_t max_blocks_in, max_blocks_out;
+static u_int32_t rekey_limit;
 /* Session key for protocol v1 */
 static u_char ssh1_key[SSH_SESSION_KEY_LENGTH];
@@ -126,6 +134,13 @@ static u_int ssh1_keylen;
 /* roundup current message to extra_pad bytes */
 static u_char extra_pad = 0;
+struct packet {
+        TAILQ_ENTRY(packet) next;
+        u_char type;
+        Buffer payload;
+};
+TAILQ_HEAD(, packet) outgoing;
 /*
 * Sets the descriptors used for communication.  Disables encryption until
 * packet_set_encryption_key is called.
@@ -148,6 +163,7 @@ packet_set_connection(int fd_in, int fd_out)
                buffer_init(&output);
                buffer_init(&outgoing_packet);
                buffer_init(&incoming_packet);
+                TAILQ_INIT(&outgoing);
        }
        /* Kludge: arrange the close function to be called from fatal(). */
        fatal_add_cleanup((void (*) (void *)) packet_close, NULL);
@@ -249,27 +265,31 @@ packet_set_iv(int mode, u_char *dat)
        cipher_set_keyiv(cc, dat);
 }
 int
-packet_get_ssh1_cipher()
+packet_get_ssh1_cipher(void)
 {
        return (cipher_get_number(receive_context.cipher));
 }
+void
-u_int32_t
+packet_get_state(int mode, u_int32_t *seqnr, u_int64_t *blocks, u_int32_t *packets)
-packet_get_seqnr(int mode)
 {
-        return (mode == MODE_IN ? read_seqnr : send_seqnr);
+        struct packet_state *state;
+        state = (mode == MODE_IN) ? &p_read : &p_send;
+        *seqnr = state->seqnr;
+        *blocks = state->blocks;
+        *packets = state->packets;
 }
 void
-packet_set_seqnr(int mode, u_int32_t seqnr)
+packet_set_state(int mode, u_int32_t seqnr, u_int64_t blocks, u_int32_t packets)
 {
-        if (mode == MODE_IN)
+        struct packet_state *state;
-                read_seqnr = seqnr;
-        else if (mode == MODE_OUT)
+        state = (mode == MODE_IN) ? &p_read : &p_send;
-                send_seqnr = seqnr;
+        state->seqnr = seqnr;
-        else
+        state->blocks = blocks;
-                fatal("packet_set_seqnr: bad mode %d", mode);
+        state->packets = packets;
 }
 /* returns 1 if connection is via ipv4 */
@@ -562,6 +582,7 @@ set_newkeys(int mode)
        Mac *mac;
        Comp *comp;
        CipherContext *cc;
+        u_int64_t *max_blocks;
        int encrypt;
        debug2("set_newkeys: mode %d", mode);
@@ -569,9 +590,13 @@ set_newkeys(int mode)
        if (mode == MODE_OUT) {
                cc = &send_context;
                encrypt = CIPHER_ENCRYPT;
+                p_send.packets = p_send.blocks = 0;
+                max_blocks = &max_blocks_out;
        } else {
                cc = &receive_context;
                encrypt = CIPHER_DECRYPT;
+                p_read.packets = p_read.blocks = 0;
+                max_blocks = &max_blocks_in;
        }
        if (newkeys[mode] != NULL) {
                debug("set_newkeys: rekeying");
@@ -610,13 +635,23 @@ set_newkeys(int mode)
                        buffer_compress_init_recv();
                comp->enabled = 1;
        }
+        /*
+         * The 2^(blocksize*2) limit is too expensive for 3DES,
+         * blowfish, etc, so enforce a 1GB limit for small blocksizes.
+         */
+        if (enc->block_size >= 16)
+                *max_blocks = (u_int64_t)1 << (enc->block_size*2);
+        else
+                *max_blocks = ((u_int64_t)1 << 30) / enc->block_size;
+        if (rekey_limit)
+                *max_blocks = MIN(*max_blocks, rekey_limit / enc->block_size);
 }
 /*
 * Finalize packet in SSH2 format (compress, mac, encrypt, enqueue)
 */
 static void
-packet_send2(void)
+packet_send2_wrapped(void)
 {
        u_char type, *cp, *macbuf = NULL;
        u_char padlen, pad;
@@ -698,10 +733,10 @@ packet_send2(void)
        /* compute MAC over seqnr and packet(length fields, payload, padding) */
        if (mac && mac->enabled) {
-                macbuf = mac_compute(mac, send_seqnr,
+                macbuf = mac_compute(mac, p_send.seqnr,
                    buffer_ptr(&outgoing_packet),
                    buffer_len(&outgoing_packet));
-                DBG(debug("done calc MAC out #%d", send_seqnr));
+                DBG(debug("done calc MAC out #%d", p_send.seqnr));
        }
        /* encrypt packet and append to output buffer. */
        cp = buffer_append_space(&output, buffer_len(&outgoing_packet));
@@ -715,14 +750,64 @@ packet_send2(void)
        buffer_dump(&output);
 #endif
        /* increment sequence number for outgoing packets */
-        if (++send_seqnr == 0)
+        if (++p_send.seqnr == 0)
-                log("outgoing seqnr wraps around");
+                logit("outgoing seqnr wraps around");
+        if (++p_send.packets == 0)
+                if (!(datafellows & SSH_BUG_NOREKEY))
+                        fatal("XXX too many packets with same key");
+        p_send.blocks += (packet_length + 4) / block_size;
        buffer_clear(&outgoing_packet);
        if (type == SSH2_MSG_NEWKEYS)
                set_newkeys(MODE_OUT);
 }
+static void
+packet_send2(void)
+{
+        static int rekeying = 0;
+        struct packet *p;
+        u_char type, *cp;
+        cp = buffer_ptr(&outgoing_packet);
+        type = cp[5];
+        /* during rekeying we can only send key exchange messages */
+        if (rekeying) {
+                if (!((type >= SSH2_MSG_TRANSPORT_MIN) &&
+                    (type <= SSH2_MSG_TRANSPORT_MAX))) {
+                        debug("enqueue packet: %u", type);
+                        p = xmalloc(sizeof(*p));
+                        p->type = type;
+                        memcpy(&p->payload, &outgoing_packet, sizeof(Buffer));
+                        buffer_init(&outgoing_packet);
+                        TAILQ_INSERT_TAIL(&outgoing, p, next);
+                        return;
+                }
+        }
+        /* rekeying starts with sending KEXINIT */
+        if (type == SSH2_MSG_KEXINIT)
+                rekeying = 1;
+        packet_send2_wrapped();
+        /* after a NEWKEYS message we can send the complete queue */
+        if (type == SSH2_MSG_NEWKEYS) {
+                rekeying = 0;
+                while ((p = TAILQ_FIRST(&outgoing))) {
+                        type = p->type;
+                        debug("dequeue packet: %u", type);
+                        buffer_free(&outgoing_packet);
+                        memcpy(&outgoing_packet, &p->payload,
+                            sizeof(Buffer));
+                        TAILQ_REMOVE(&outgoing, p, next);
+                        xfree(p);
+                        packet_send2_wrapped();
+                }
+        }
+}
 void
 packet_send(void)
 {
@@ -784,7 +869,7 @@ packet_read_seqnr(u_int32_t *seqnr_p)
                /* Read data from the socket. */
                len = read(connection_in, buf, sizeof(buf));
                if (len == 0) {
-                        log("Connection closed by %.200s", get_remote_ipaddr());
+                        logit("Connection closed by %.200s", get_remote_ipaddr());
                        fatal_cleanup();
                }
                if (len < 0)
@@ -966,18 +1051,22 @@ packet_read_poll2(u_int32_t *seqnr_p)
         * increment sequence number for incoming packet
         */
        if (mac && mac->enabled) {
-                macbuf = mac_compute(mac, read_seqnr,
+                macbuf = mac_compute(mac, p_read.seqnr,
                    buffer_ptr(&incoming_packet),
                    buffer_len(&incoming_packet));
                if (memcmp(macbuf, buffer_ptr(&input), mac->mac_len) != 0)
                        packet_disconnect("Corrupted MAC on input.");
-                DBG(debug("MAC #%d ok", read_seqnr));
+                DBG(debug("MAC #%d ok", p_read.seqnr));
                buffer_consume(&input, mac->mac_len);
        }
        if (seqnr_p != NULL)
-                *seqnr_p = read_seqnr;
+                *seqnr_p = p_read.seqnr;
-        if (++read_seqnr == 0)
+        if (++p_read.seqnr == 0)
-                log("incoming seqnr wraps around");
+                logit("incoming seqnr wraps around");
+        if (++p_read.packets == 0)
+                if (!(datafellows & SSH_BUG_NOREKEY))
+                        fatal("XXX too many packets with same key");
+        p_read.blocks += (packet_length + 4) / block_size;
        /* get padlen */
        cp = buffer_ptr(&incoming_packet);
@@ -1042,7 +1131,7 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p)
                        case SSH2_MSG_DISCONNECT:
                                reason = packet_get_int();
                                msg = packet_get_string(NULL);
-                                log("Received disconnect from %s: %u: %.400s",
+                                logit("Received disconnect from %s: %u: %.400s",
                                    get_remote_ipaddr(), reason, msg);
                                xfree(msg);
                                fatal_cleanup();
@@ -1068,7 +1157,7 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p)
                                break;
                        case SSH_MSG_DISCONNECT:
                                msg = packet_get_string(NULL);
-                                log("Received disconnect from %s: %.400s",
+                                logit("Received disconnect from %s: %.400s",
                                    get_remote_ipaddr(), msg);
                                fatal_cleanup();
                                xfree(msg);
@@ -1227,7 +1316,7 @@ packet_disconnect(const char *fmt,...)
        va_end(args);
        /* Display the error locally */
-        log("Disconnecting: %.100s", buf);
+        logit("Disconnecting: %.100s", buf);
        /* Send the disconnect message to the other side, and wait for it to get sent. */
        if (compat20) {
@@ -1314,6 +1403,8 @@ packet_not_very_much_data_to_write(void)
                return buffer_len(&output) < 128 * 1024;
 }
+#if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN)
 static void
 packet_set_tos(int interactive)
 {
@@ -1327,6 +1418,7 @@ packet_set_tos(int interactive)
                error("setsockopt IP_TOS %d: %.100s:",
                    tos, strerror(errno));
 }
+#endif
 /* Informs that the current session is interactive.  Sets IP flags for that. */
@@ -1344,6 +1436,7 @@ packet_set_interactive(int interactive)
        /* Only set socket options if using a socket.  */
        if (!packet_connection_is_on_socket())
+                return;
        if (interactive)
                set_nodelay(connection_in);
 #if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN)
@@ -1360,18 +1453,18 @@ packet_is_interactive(void)
        return interactive_mode;
 }
-int
+u_int
-packet_set_maxsize(int s)
+packet_set_maxsize(u_int s)
 {
        static int called = 0;
        if (called) {
-                log("packet_set_maxsize: called twice: old %d new %d",
+                logit("packet_set_maxsize: called twice: old %d new %d",
                    max_packet_size, s);
                return -1;
        }
        if (s < 4 * 1024 || s > 1024 * 1024) {
-                log("packet_set_maxsize: bad size %d", s);
+                logit("packet_set_maxsize: bad size %d", s);
                return -1;
        }
        called = 1;
@@ -1413,3 +1506,22 @@ packet_send_ignore(int nbytes)
                rand >>= 8;
        }
 }
+#define MAX_PACKETS     (1<<31)
+int
+packet_need_rekeying(void)
+{
+        if (datafellows & SSH_BUG_NOREKEY)
+                return 0;
+        return
+            (p_send.packets > MAX_PACKETS) ||
+            (p_read.packets > MAX_PACKETS) ||
+            (max_blocks_out && (p_send.blocks > max_blocks_out)) ||
+            (max_blocks_in  && (p_read.blocks > max_blocks_in));
+}
+void
+packet_set_rekey_limit(u_int32_t bytes)
+{
+        rekey_limit = bytes;
+}
diff --git a/packet.h b/packet.h
index 46830c3df..7732fafb7 100644
--- a/packet.h
+++ b/packet.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: packet.h,v 1.37 2003/04/01 10:22:21 markus Exp $      */
+/*      $OpenBSD: packet.h,v 1.40 2003/06/24 08:23:46 markus Exp $      */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -62,8 +62,8 @@ int	 packet_get_keyiv_len(int);
 void     packet_get_keyiv(int, u_char *, u_int);
 int      packet_get_keycontext(int, u_char *);
 void     packet_set_keycontext(int, u_char *);
-u_int32_t packet_get_seqnr(int);
+void     packet_get_state(int, u_int32_t *, u_int64_t *, u_int32_t *);
-void     packet_set_seqnr(int, u_int32_t);
+void     packet_set_state(int, u_int32_t, u_int64_t, u_int32_t);
 int      packet_get_ssh1_cipher(void);
 void     packet_set_iv(int, u_char *);
@@ -81,8 +81,8 @@ void	 packet_add_padding(u_char);
 void     tty_make_modes(int, struct termios *);
 void     tty_parse_modes(int, int *);
-extern int max_packet_size;
+extern u_int max_packet_size;
-int      packet_set_maxsize(int);
+u_int    packet_set_maxsize(u_int);
 #define  packet_get_maxsize() max_packet_size
 /* don't allow remaining bytes after the end of the message */
@@ -90,10 +90,13 @@ int      packet_set_maxsize(int);
 do { \
        int _len = packet_remaining(); \
        if (_len > 0) { \
-                log("Packet integrity error (%d bytes remaining) at %s:%d", \
+                logit("Packet integrity error (%d bytes remaining) at %s:%d", \
                    _len ,__FILE__, __LINE__); \
                packet_disconnect("Packet integrity error."); \
        } \
 } while (0)
+int      packet_need_rekeying(void);
+void     packet_set_rekey_limit(u_int32_t);
 #endif                          /* PACKET_H */
diff --git a/progressmeter.c b/progressmeter.c
index 90eb97f37..c315464ee 100644
--- a/progressmeter.c
+++ b/progressmeter.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (c) 1999 Theo de Raadt.  All rights reserved.
+ * Copyright (c) 2003 Nils Nordman.  All rights reserved.
- * Copyright (c) 1999 Aaron Campbell.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -23,260 +22,244 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
-/*
- * Parts from:
- *
- * Copyright (c) 1983, 1990, 1992, 1993, 1995
- *      The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *      This product includes software developed by the University of
- *      California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- */
 #include "includes.h"
-RCSID("$OpenBSD: progressmeter.c,v 1.3 2003/03/17 10:38:38 markus Exp $");
+RCSID("$OpenBSD: progressmeter.c,v 1.15 2003/08/31 12:14:22 markus Exp $");
-#ifdef HAVE_LIBGEN_H
-#include <libgen.h>
-#endif
-#include "atomicio.h"
 #include "progressmeter.h"
+#include "atomicio.h"
+#include "misc.h"
-/* Number of seconds before xfer considered "stalled". */
+#define DEFAULT_WINSIZE 80
-#define STALLTIME       5
+#define MAX_WINSIZE 512
-/* alarm() interval for updating progress meter. */
+#define PADDING 1               /* padding between the progress indicators */
-#define PROGRESSTIME    1
+#define UPDATE_INTERVAL 1       /* update the progress meter every second */
+#define STALL_TIME 5            /* we're stalled after this many seconds */
-/* Signal handler used for updating the progress meter. */
-static void update_progress_meter(int);
-/* Returns non-zero if we are the foreground process. */
+/* determines whether we can output to the terminal */
-static int foregroundproc(void);
+static int can_output(void);
-/* Returns width of the terminal (for progress meter calculations). */
+/* formats and inserts the specified size into the given buffer */
-static int get_tty_width(void);
+static void format_size(char *, int, off_t);
+static void format_rate(char *, int, off_t);
-/* Visual statistics about files as they are transferred. */
+/* updates the progressmeter to reflect the current state of the transfer */
-static void draw_progress_meter(void);
+void refresh_progress_meter(void);
-/* Time a transfer started. */
+/* signal handler for updating the progress meter */
-static struct timeval start;
+static void update_progress_meter(int);
-/* Number of bytes of current file transferred so far. */
+static time_t start;            /* start progress */
-static volatile off_t *statbytes;
+static time_t last_update;      /* last progress update */
+static char *file;              /* name of the file being transferred */
+static off_t end_pos;           /* ending position of transfer */
+static off_t cur_pos;           /* transfer position as of last refresh */
+static volatile off_t *counter; /* progress counter */
+static long stalled;            /* how long we have been stalled */
+static int bytes_per_second;    /* current speed in bytes per second */
+static int win_size;            /* terminal window size */
-/* Total size of current file. */
+/* units for format_size */
-static off_t totalbytes;
+static const char unit[] = " KMGT";
-/* Name of current file being transferred. */
+static int
-static char *curfile;
+can_output(void)
+{
+        return (getpgrp() == tcgetpgrp(STDOUT_FILENO));
+}
-/* Time of last update. */
+static void
-static struct timeval lastupdate;
+format_rate(char *buf, int size, off_t bytes)
+{
+        int i;
+        bytes *= 100;
+        for (i = 0; bytes >= 100*1000 && unit[i] != 'T'; i++)
+                bytes = (bytes + 512) / 1024;
+        if (i == 0) {
+                i++;
+                bytes = (bytes + 512) / 1024;
+        }
+        snprintf(buf, size, "%3lld.%1lld%c%s",
+            (int64_t) bytes / 100,
+            (int64_t) (bytes + 5) / 10 % 10,
+            unit[i],
+            i ? "B" : " ");
+}
-/* Size at the time of the last update. */
+static void
-static off_t lastsize;
+format_size(char *buf, int size, off_t bytes)
+{
+        int i;
+        for (i = 0; bytes >= 10000 && unit[i] != 'T'; i++)
+                bytes = (bytes + 512) / 1024;
+        snprintf(buf, size, "%4lld%c%s",
+            (int64_t) bytes,
+            unit[i],
+            i ? "B" : " ");
+}
 void
-start_progress_meter(char *file, off_t filesize, off_t *counter)
+refresh_progress_meter(void)
 {
-        if ((curfile = basename(file)) == NULL)
+        char buf[MAX_WINSIZE + 1];
-                curfile = file;
+        time_t now;
+        off_t transferred;
+        double elapsed;
+        int percent;
+        int bytes_left;
+        int cur_speed;
+        int hours, minutes, seconds;
+        int i, len;
+        int file_len;
+        transferred = *counter - cur_pos;
+        cur_pos = *counter;
+        now = time(NULL);
+        bytes_left = end_pos - cur_pos;
+        if (bytes_left > 0)
+                elapsed = now - last_update;
+        else
+                elapsed = now - start;
-        totalbytes = filesize;
+        /* calculate speed */
-        statbytes = counter;
+        if (elapsed != 0)
-        (void) gettimeofday(&start, (struct timezone *) 0);
+                cur_speed = (transferred / elapsed);
-        lastupdate = start;
+        else
-        lastsize = 0;
+                cur_speed = 0;
-        draw_progress_meter();
+#define AGE_FACTOR 0.9
-        signal(SIGALRM, update_progress_meter);
+        if (bytes_per_second != 0) {
-        alarm(PROGRESSTIME);
+                bytes_per_second = (bytes_per_second * AGE_FACTOR) +
-}
+                    (cur_speed * (1.0 - AGE_FACTOR));
+        } else
+                bytes_per_second = cur_speed;
+        /* filename */
+        buf[0] = '\0';
+        file_len = win_size - 35;
+        if (file_len > 0) {
+                len = snprintf(buf, file_len + 1, "\r%s", file);
+                if (len < 0)
+                        len = 0;
+                for (i = len;  i < file_len; i++ )
+                        buf[i] = ' ';
+                buf[file_len] = '\0';
+        }
-void
+        /* percent of transfer done */
-stop_progress_meter()
+        if (end_pos != 0)
-{
+                percent = ((float)cur_pos / end_pos) * 100;
-        alarm(0);
+        else
-        draw_progress_meter();
+                percent = 100;
-        if (foregroundproc() != 0)
+        snprintf(buf + strlen(buf), win_size - strlen(buf),
-                atomicio(write, fileno(stdout), "\n", 1);
+            " %3d%% ", percent);
+        /* amount transferred */
+        format_size(buf + strlen(buf), win_size - strlen(buf),
+            cur_pos);
+        strlcat(buf, " ", win_size);
+        /* bandwidth usage */
+        format_rate(buf + strlen(buf), win_size - strlen(buf),
+            bytes_per_second);
+        strlcat(buf, "/s ", win_size);
+        /* ETA */
+        if (!transferred)
+                stalled += elapsed;
+        else
+                stalled = 0;
+        if (stalled >= STALL_TIME)
+                strlcat(buf, "- stalled -", win_size);
+        else if (bytes_per_second == 0 && bytes_left)
+                strlcat(buf, "  --:-- ETA", win_size);
+        else {
+                if (bytes_left > 0)
+                        seconds = bytes_left / bytes_per_second;
+                else
+                        seconds = elapsed;
+                hours = seconds / 3600;
+                seconds -= hours * 3600;
+                minutes = seconds / 60;
+                seconds -= minutes * 60;
+                if (hours != 0)
+                        snprintf(buf + strlen(buf), win_size - strlen(buf),
+                            "%d:%02d:%02d", hours, minutes, seconds);
+                else
+                        snprintf(buf + strlen(buf), win_size - strlen(buf),
+                            "  %02d:%02d", minutes, seconds);
+                if (bytes_left > 0)
+                        strlcat(buf, " ETA", win_size);
+                else
+                        strlcat(buf, "    ", win_size);
+        }
+        atomicio(vwrite, STDOUT_FILENO, buf, win_size);
+        last_update = now;
 }
 static void
 update_progress_meter(int ignore)
 {
-        int save_errno = errno;
+        int save_errno;
+        save_errno = errno;
+        if (can_output())
+                refresh_progress_meter();
-        draw_progress_meter();
        signal(SIGALRM, update_progress_meter);
-        alarm(PROGRESSTIME);
+        alarm(UPDATE_INTERVAL);
        errno = save_errno;
 }
-static int
+void
-foregroundproc(void)
+start_progress_meter(char *f, off_t filesize, off_t *stat)
-{
-        static pid_t pgrp = -1;
-        int ctty_pgrp;
-        if (pgrp == -1)
-                pgrp = getpgrp();
-#ifdef HAVE_TCGETPGRP
-        return ((ctty_pgrp = tcgetpgrp(STDOUT_FILENO)) != -1 &&
-                        ctty_pgrp == pgrp);
-#else
-        return ((ioctl(STDOUT_FILENO, TIOCGPGRP, &ctty_pgrp) != -1 &&
-                 ctty_pgrp == pgrp));
-#endif
-}
-static void
-draw_progress_meter()
 {
-        static const char spaces[] = "                          "
+        struct winsize winsize;
-            "                                                   "
-            "                                                   "
-            "                                                   "
-            "                                                   "
-            "                                                   ";
-        static const char prefixes[] = " KMGTP";
-        struct timeval now, td, wait;
-        off_t cursize, abbrevsize, bytespersec;
-        double elapsed;
-        int ratio, remaining, i, ai, bi, nspaces;
-        char buf[512];
-        if (foregroundproc() == 0)
-                return;
-        (void) gettimeofday(&now, (struct timezone *) 0);
+        start = last_update = time(NULL);
-        cursize = *statbytes;
+        file = f;
-        if (totalbytes != 0) {
+        end_pos = filesize;
-                ratio = 100.0 * cursize / totalbytes;
+        cur_pos = 0;
-                ratio = MAX(ratio, 0);
+        counter = stat;
-                ratio = MIN(ratio, 100);
+        stalled = 0;
+        bytes_per_second = 0;
+        if (ioctl(STDOUT_FILENO, TIOCGWINSZ, &winsize) != -1 &&
+            winsize.ws_col != 0) {
+                if (winsize.ws_col > MAX_WINSIZE)
+                        win_size = MAX_WINSIZE;
+                else
+                        win_size = winsize.ws_col;
        } else
-                ratio = 100;
+                win_size = DEFAULT_WINSIZE;
+        win_size += 1;                                  /* trailing \0 */
-        abbrevsize = cursize;
-        for (ai = 0; abbrevsize >= 10000 && ai < sizeof(prefixes); ai++)
-                abbrevsize >>= 10;
-        timersub(&now, &lastupdate, &wait);
+        if (can_output())
-        if (cursize > lastsize) {
+                refresh_progress_meter();
-                lastupdate = now;
-                lastsize = cursize;
-                wait.tv_sec = 0;
-        }
-        timersub(&now, &start, &td);
-        elapsed = td.tv_sec + (td.tv_usec / 1000000.0);
-        bytespersec = 0;
-        if (cursize > 0) {
-                bytespersec = cursize;
-                if (elapsed > 0.0)
-                        bytespersec /= elapsed;
-        }
-        for (bi = 1; bytespersec >= 1024000 && bi < sizeof(prefixes); bi++)
-                bytespersec >>= 10;
-        nspaces = MIN(get_tty_width() - 79, sizeof(spaces) - 1);
-#ifdef HAVE_LONG_LONG_INT
-        snprintf(buf, sizeof(buf),
-            "\r%-45.45s%.*s%3d%% %4lld%c%c %3lld.%01d%cB/s",
-            curfile,
-            nspaces,
-            spaces,
-            ratio,
-            (long long)abbrevsize,
-            prefixes[ai],
-            ai == 0 ? ' ' : 'B',
-            (long long)(bytespersec / 1024),
-            (int)((bytespersec % 1024) * 10 / 1024),
-            prefixes[bi]
-        );
-#else
-                /* XXX: Handle integer overflow? */
-        snprintf(buf, sizeof(buf),
-            "\r%-45.45s%.*s%3d%% %4lu%c%c %3lu.%01d%cB/s",
-            curfile,
-            nspaces,
-            spaces,
-            ratio,
-            (u_long)abbrevsize,
-            prefixes[ai],
-            ai == 0 ? ' ' : 'B',
-            (u_long)(bytespersec / 1024),
-            (int)((bytespersec % 1024) * 10 / 1024),
-            prefixes[bi]
-        );
-#endif
-        if (cursize <= 0 || elapsed <= 0.0 || cursize > totalbytes) {
-                snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),
-                    "   --:-- ETA");
-        } else if (wait.tv_sec >= STALLTIME) {
-                snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),
-                    " - stalled -");
-        } else {
-                if (cursize != totalbytes)
-                        remaining = (int)(totalbytes / (cursize / elapsed) -
-                            elapsed);
-                else
-                        remaining = elapsed;
-                i = remaining / 3600;
+        signal(SIGALRM, update_progress_meter);
-                if (i)
+        alarm(UPDATE_INTERVAL);
-                        snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),
-                            "%2d:", i);
-                else
-                        snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),
-                            "   ");
-                i = remaining % 3600;
-                snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),
-                    "%02d:%02d%s", i / 60, i % 60,
-                    (cursize != totalbytes) ? " ETA" : "    ");
-        }
-        atomicio(write, fileno(stdout), buf, strlen(buf));
 }
-static int
+void
-get_tty_width(void)
+stop_progress_meter(void)
 {
-        struct winsize winsize;
+        alarm(0);
-        if (ioctl(fileno(stdout), TIOCGWINSZ, &winsize) != -1)
+        if (!can_output())
-                return (winsize.ws_col ? winsize.ws_col : 80);
+                return;
-        else
-                return (80);
+        /* Ensure we complete the progress */
+        if (cur_pos != end_pos)
+                refresh_progress_meter();
+        atomicio(vwrite, STDOUT_FILENO, "\n", 1);
 }
diff --git a/readconf.c b/readconf.c
index 1df5ce2d9..13987ffa7 100644
--- a/readconf.c
+++ b/readconf.c
@@ -12,7 +12,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.104 2003/04/01 10:22:21 markus Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.121 2003/09/01 18:15:50 markus Exp $");
 #include "ssh.h"
 #include "xmalloc.h"
@@ -57,7 +57,6 @@ RCSID("$OpenBSD: readconf.c,v 1.104 2003/04/01 10:22:21 markus Exp $");
   Host fascist.blob.com
     Port 23123
     User tylonen
-     RhostsAuthentication no
     PasswordAuthentication no
   Host puukko.hut.fi
@@ -75,7 +74,6 @@ RCSID("$OpenBSD: readconf.c,v 1.104 2003/04/01 10:22:21 markus Exp $");
   Host *
     ForwardAgent no
     ForwardX11 no
-     RhostsAuthentication yes
     PasswordAuthentication yes
     RSAAuthentication yes
     RhostsRSAAuthentication yes
@@ -91,18 +89,9 @@ RCSID("$OpenBSD: readconf.c,v 1.104 2003/04/01 10:22:21 markus Exp $");
 typedef enum {
        oBadOption,
-        oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
+        oForwardAgent, oForwardX11, oGatewayPorts,
        oPasswordAuthentication, oRSAAuthentication,
        oChallengeResponseAuthentication, oXAuthLocation,
-#if defined(KRB4) || defined(KRB5)
-        oKerberosAuthentication,
-#endif
-#if defined(AFS) || defined(KRB5)
-        oKerberosTgtPassing,
-#endif
-#ifdef AFS
-        oAFSTokenPassing,
-#endif
        oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
        oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
        oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
@@ -114,8 +103,9 @@ typedef enum {
        oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
        oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
        oClearAllForwardings, oNoHostAuthenticationForLocalhost,
-        oEnableSSHKeysign,
+        oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
-        oDeprecated
+        oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+        oDeprecated, oUnsupported
 } OpCodes;
 /* Textual representations of the tokens. */
@@ -129,7 +119,7 @@ static struct {
        { "xauthlocation", oXAuthLocation },
        { "gatewayports", oGatewayPorts },
        { "useprivilegedport", oUsePrivilegedPort },
-        { "rhostsauthentication", oRhostsAuthentication },
+        { "rhostsauthentication", oDeprecated },
        { "passwordauthentication", oPasswordAuthentication },
        { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
        { "kbdinteractivedevices", oKbdInteractiveDevices },
@@ -141,14 +131,15 @@ static struct {
        { "challengeresponseauthentication", oChallengeResponseAuthentication },
        { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
        { "tisauthentication", oChallengeResponseAuthentication },  /* alias */
-#if defined(KRB4) || defined(KRB5)
+        { "kerberosauthentication", oUnsupported },
-        { "kerberosauthentication", oKerberosAuthentication },
+        { "kerberostgtpassing", oUnsupported },
-#endif
+        { "afstokenpassing", oUnsupported },
-#if defined(AFS) || defined(KRB5)
+#if defined(GSSAPI)
-        { "kerberostgtpassing", oKerberosTgtPassing },
+        { "gssapiauthentication", oGssAuthentication },
-#endif
+        { "gssapidelegatecredentials", oGssDelegateCreds },
-#ifdef AFS
+#else
-        { "afstokenpassing", oAFSTokenPassing },
+        { "gssapiauthentication", oUnsupported },
+        { "gssapidelegatecredentials", oUnsupported },
 #endif
        { "fallbacktorsh", oDeprecated },
        { "usersh", oDeprecated },
@@ -184,10 +175,22 @@ static struct {
        { "preferredauthentications", oPreferredAuthentications },
        { "hostkeyalgorithms", oHostKeyAlgorithms },
        { "bindaddress", oBindAddress },
+#ifdef SMARTCARD
        { "smartcarddevice", oSmartcardDevice },
+#else
+        { "smartcarddevice", oUnsupported },
+#endif
        { "clearallforwardings", oClearAllForwardings },
        { "enablesshkeysign", oEnableSSHKeysign },
+#ifdef DNS
+        { "verifyhostkeydns", oVerifyHostKeyDNS },
+#else
+        { "verifyhostkeydns", oUnsupported },
+#endif
        { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
+        { "rekeylimit", oRekeyLimit },
+        { "connecttimeout", oConnectTimeout },
+        { "addressfamily", oAddressFamily },
        { NULL, oBadOption }
 };
@@ -281,6 +284,13 @@ process_config_line(Options *options, const char *host,
        u_short fwd_port, fwd_host_port;
        char sfwd_host_port[6];
+        /* Strip trailing whitespace */
+        for(len = strlen(line) - 1; len > 0; len--) {
+                if (strchr(WHITESPACE, line[len]) == NULL)
+                        break;
+                line[len] = '\0';
+        }
        s = line;
        /* Get the keyword. (Each line is supposed to begin with a keyword). */
        keyword = strdelim(&s);
@@ -297,6 +307,20 @@ process_config_line(Options *options, const char *host,
                /* don't panic, but count bad options */
                return -1;
                /* NOTREACHED */
+        case oConnectTimeout:
+                intptr = &options->connection_timeout;
+/* parse_time: */
+                arg = strdelim(&s);
+                if (!arg || *arg == '\0')
+                        fatal("%s line %d: missing time value.",
+                            filename, linenum);
+                if ((value = convtime(arg)) == -1)
+                        fatal("%s line %d: invalid time value.",
+                            filename, linenum);
+                if (*intptr == -1)
+                        *intptr = value;
+                break;
        case oForwardAgent:
                intptr = &options->forward_agent;
 parse_flag:
@@ -326,10 +350,6 @@ parse_flag:
                intptr = &options->use_privileged_port;
                goto parse_flag;
-        case oRhostsAuthentication:
-                intptr = &options->rhosts_authentication;
-                goto parse_flag;
        case oPasswordAuthentication:
                intptr = &options->password_authentication;
                goto parse_flag;
@@ -361,21 +381,15 @@ parse_flag:
        case oChallengeResponseAuthentication:
                intptr = &options->challenge_response_authentication;
                goto parse_flag;
-#if defined(KRB4) || defined(KRB5)
-        case oKerberosAuthentication:
+        case oGssAuthentication:
-                intptr = &options->kerberos_authentication;
+                intptr = &options->gss_authentication;
-                goto parse_flag;
-#endif
-#if defined(AFS) || defined(KRB5)
-        case oKerberosTgtPassing:
-                intptr = &options->kerberos_tgt_passing;
                goto parse_flag;
-#endif
-#ifdef AFS
+        case oGssDelegateCreds:
-        case oAFSTokenPassing:
+                intptr = &options->gss_deleg_creds;
-                intptr = &options->afs_token_passing;
                goto parse_flag;
-#endif
        case oBatchMode:
                intptr = &options->batch_mode;
                goto parse_flag;
@@ -384,6 +398,10 @@ parse_flag:
                intptr = &options->check_host_ip;
                goto parse_flag;
+        case oVerifyHostKeyDNS:
+                intptr = &options->verify_host_key_dns;
+                goto parse_flag;
        case oStrictHostKeyChecking:
                intptr = &options->strict_host_key_checking;
                arg = strdelim(&s);
@@ -423,6 +441,31 @@ parse_flag:
                intptr = &options->compression_level;
                goto parse_int;
+        case oRekeyLimit:
+                intptr = &options->rekey_limit;
+                arg = strdelim(&s);
+                if (!arg || *arg == '\0')
+                        fatal("%.200s line %d: Missing argument.", filename, linenum);
+                if (arg[0] < '0' || arg[0] > '9')
+                        fatal("%.200s line %d: Bad number.", filename, linenum);
+                value = strtol(arg, &endofnumber, 10);
+                if (arg == endofnumber)
+                        fatal("%.200s line %d: Bad number.", filename, linenum);
+                switch (toupper(*endofnumber)) {
+                case 'K':
+                        value *= 1<<10;
+                        break;
+                case 'M':
+                        value *= 1<<20;
+                        break;
+                case 'G':
+                        value *= 1<<30;
+                        break;
+                }
+                if (*activep && *intptr == -1)
+                        *intptr = value;
+                break;
        case oIdentityFile:
                arg = strdelim(&s);
                if (!arg || *arg == '\0')
@@ -489,6 +532,8 @@ parse_string:
                goto parse_string;
        case oProxyCommand:
+                if (s == NULL)
+                        fatal("%.200s line %d: Missing argument.", filename, linenum);
                charptr = &options->proxy_command;
                len = strspn(s, WHITESPACE "=");
                if (*activep && *charptr == NULL)
@@ -626,7 +671,7 @@ parse_int:
                        fatal("%.200s line %d: Badly formatted port number.",
                            filename, linenum);
                if (*activep)
-                        add_local_forward(options, fwd_port, "socks4", 0);
+                        add_local_forward(options, fwd_port, "socks", 0);
                break;
        case oClearAllForwardings:
@@ -666,6 +711,21 @@ parse_int:
                        *intptr = value;
                break;
+        case oAddressFamily:
+                arg = strdelim(&s);
+                intptr = &options->address_family;
+                if (strcasecmp(arg, "inet") == 0)
+                        value = AF_INET;
+                else if (strcasecmp(arg, "inet6") == 0)
+                        value = AF_INET6;
+                else if (strcasecmp(arg, "any") == 0)
+                        value = AF_UNSPEC;
+                else
+                        fatal("Unsupported AddressFamily \"%s\"", arg);
+                if (*activep && *intptr == -1)
+                        *intptr = value;
+                break;
        case oEnableSSHKeysign:
                intptr = &options->enable_ssh_keysign;
                goto parse_flag;
@@ -675,6 +735,11 @@ parse_int:
                    filename, linenum, keyword);
                return 0;
+        case oUnsupported:
+                error("%s line %d: Unsupported option \"%s\"",
+                    filename, linenum, keyword);
+                return 0;
        default:
                fatal("process_config_line: Unimplemented opcode %d", opcode);
        }
@@ -744,19 +809,11 @@ initialize_options(Options * options)
        options->xauth_location = NULL;
        options->gateway_ports = -1;
        options->use_privileged_port = -1;
-        options->rhosts_authentication = -1;
        options->rsa_authentication = -1;
        options->pubkey_authentication = -1;
        options->challenge_response_authentication = -1;
-#if defined(KRB4) || defined(KRB5)
+        options->gss_authentication = -1;
-        options->kerberos_authentication = -1;
+        options->gss_deleg_creds = -1;
-#endif
-#if defined(AFS) || defined(KRB5)
-        options->kerberos_tgt_passing = -1;
-#endif
-#ifdef AFS
-        options->afs_token_passing = -1;
-#endif
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->kbd_interactive_devices = NULL;
@@ -769,7 +826,9 @@ initialize_options(Options * options)
        options->keepalives = -1;
        options->compression_level = -1;
        options->port = -1;
+        options->address_family = -1;
        options->connection_attempts = -1;
+        options->connection_timeout = -1;
        options->number_of_password_prompts = -1;
        options->cipher = -1;
        options->ciphers = NULL;
@@ -795,6 +854,8 @@ initialize_options(Options * options)
        options->smartcard_device = NULL;
        options->enable_ssh_keysign = - 1;
        options->no_host_authentication_for_localhost = - 1;
+        options->rekey_limit = - 1;
+        options->verify_host_key_dns = -1;
 }
 /*
@@ -817,26 +878,16 @@ fill_default_options(Options * options)
                options->gateway_ports = 0;
        if (options->use_privileged_port == -1)
                options->use_privileged_port = 0;
-        if (options->rhosts_authentication == -1)
-                options->rhosts_authentication = 0;
        if (options->rsa_authentication == -1)
                options->rsa_authentication = 1;
        if (options->pubkey_authentication == -1)
                options->pubkey_authentication = 1;
        if (options->challenge_response_authentication == -1)
                options->challenge_response_authentication = 1;
-#if defined(KRB4) || defined(KRB5)
+        if (options->gss_authentication == -1)
-        if (options->kerberos_authentication == -1)
+                options->gss_authentication = 1;
-                options->kerberos_authentication = 1;
+        if (options->gss_deleg_creds == -1)
-#endif
+                options->gss_deleg_creds = 0;
-#if defined(AFS) || defined(KRB5)
-        if (options->kerberos_tgt_passing == -1)
-                options->kerberos_tgt_passing = 1;
-#endif
-#ifdef AFS
-        if (options->afs_token_passing == -1)
-                options->afs_token_passing = 1;
-#endif
        if (options->password_authentication == -1)
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
@@ -859,6 +910,8 @@ fill_default_options(Options * options)
                options->compression_level = 6;
        if (options->port == -1)
                options->port = 0;      /* Filled in ssh_connect. */
+        if (options->address_family == -1)
+                options->address_family = AF_UNSPEC;
        if (options->connection_attempts == -1)
                options->connection_attempts = 1;
        if (options->number_of_password_prompts == -1)
@@ -911,6 +964,10 @@ fill_default_options(Options * options)
                options->no_host_authentication_for_localhost = 0;
        if (options->enable_ssh_keysign == -1)
                options->enable_ssh_keysign = 0;
+        if (options->rekey_limit == -1)
+                options->rekey_limit = 0;
+        if (options->verify_host_key_dns == -1)
+                options->verify_host_key_dns = 0;
        /* options->proxy_command should not be set by default */
        /* options->user will be set in the main program if appropriate */
        /* options->hostname will be set in the main program if appropriate */
diff --git a/readconf.h b/readconf.h
index 78e04fedf..60287f710 100644
--- a/readconf.h
+++ b/readconf.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: readconf.h,v 1.46 2003/04/01 10:22:21 markus Exp $    */
+/*      $OpenBSD: readconf.h,v 1.55 2003/09/01 18:15:50 markus Exp $    */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -33,7 +33,6 @@ typedef struct {
        char   *xauth_location; /* Location for xauth program */
        int     gateway_ports;  /* Allow remote connects to forwarded ports. */
        int     use_privileged_port;    /* Don't use privileged port if false. */
-        int     rhosts_authentication;  /* Try rhosts authentication. */
        int     rhosts_rsa_authentication;      /* Try rhosts with RSA
                                                 * authentication. */
        int     rsa_authentication;     /* Try RSA authentication. */
@@ -41,15 +40,8 @@ typedef struct {
        int     hostbased_authentication;       /* ssh2's rhosts_rsa */
        int     challenge_response_authentication;
                                        /* Try S/Key or TIS, authentication. */
-#if defined(KRB4) || defined(KRB5)
+        int     gss_authentication;     /* Try GSS authentication */
-        int     kerberos_authentication;        /* Try Kerberos authentication. */
+        int     gss_deleg_creds;        /* Delegate GSS credentials */
-#endif
-#if defined(AFS) || defined(KRB5)
-        int     kerberos_tgt_passing;   /* Try Kerberos TGT passing. */
-#endif
-#ifdef AFS
-        int     afs_token_passing;      /* Try AFS token passing. */
-#endif
        int     password_authentication;        /* Try password
                                                 * authentication. */
        int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
@@ -64,8 +56,11 @@ typedef struct {
        LogLevel log_level;     /* Level for logging. */
        int     port;           /* Port to connect. */
+        int     address_family;
        int     connection_attempts;    /* Max attempts (seconds) before
                                         * giving up */
+        int     connection_timeout;     /* Max time (seconds) before
+                                         * aborting connection attempt */
        int     number_of_password_prompts;     /* Max number of password
                                                 * prompts. */
        int     cipher;         /* Cipher to use. */
@@ -86,6 +81,7 @@ typedef struct {
        char   *preferred_authentications;
        char   *bind_address;   /* local socket address for connection to sshd */
        char   *smartcard_device; /* Smartcard reader device */
+        int     verify_host_key_dns;    /* Verify host key using DNS */
        int     num_identity_files;     /* Number of files for RSA/DSA identities. */
        char   *identity_files[SSH_MAX_IDENTITY_FILES];
@@ -101,6 +97,7 @@ typedef struct {
        int     clear_forwardings;
        int     enable_ssh_keysign;
+        int     rekey_limit;
        int     no_host_authentication_for_localhost;
 }       Options;
diff --git a/regress/Makefile b/regress/Makefile
index 6e2029348..623be8d82 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,8 +1,11 @@
-#       $OpenBSD: Makefile,v 1.20 2003/01/08 23:54:22 djm Exp $
+#       $OpenBSD: Makefile,v 1.24 2003/07/03 08:24:13 markus Exp $
-REGRESS_TARGETS=        t1 t2 t3 t4 t5 t6 t7
+REGRESS_TARGETS=        t1 t2 t3 t4 t5 t6 t7 t-exec
+tests:          $(REGRESS_TARGETS)
-CLEANFILES+=    t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2
+clean:
+        for F in $(CLEANFILES); do rm -f $(OBJ)$$F; done
+distclean:      clean
 LTESTS=         connect \
                proxy-connect \
@@ -11,6 +14,7 @@ LTESTS= 	connect \
                proto-mismatch \
                exit-status \
                transfer \
+                rekey \
                stderr-data \
                stderr-after-eof \
                broken-pipe \
@@ -24,30 +28,34 @@ LTESTS= 	connect \
                keygen-change \
                sftp \
                sftp-cmds \
+                sftp-badcmds \
                sftp-batch \
+                reconfigure \
+                dynamic-forward \
                forwarding
 USER!=          id -un
-CLEANFILES+=    authorized_keys_${USER} known_hosts pidfile \
+CLEANFILES=     t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
+                authorized_keys_${USER} known_hosts pidfile \
                ssh_config ssh_proxy sshd_config sshd_proxy \
                rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \
                rsa-agent rsa-agent.pub rsa1-agent rsa1-agent.pub \
-                ls.copy
+                ls.copy remote_pid
-#LTESTS+=       ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
+#LTESTS +=      ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
 t1:
        ssh-keygen -if ${.CURDIR}/rsa_ssh2.prv | diff - ${.CURDIR}/rsa_openssh.prv
 t2:
-        cat ${.CURDIR}/rsa_openssh.prv > t2.out
+        cat ${.CURDIR}/rsa_openssh.prv > $(OBJ)/t2.out
-        chmod 600 t2.out
+        chmod 600 $(OBJ)/t2.out
-        ssh-keygen -yf t2.out | diff - ${.CURDIR}/rsa_openssh.pub
+        ssh-keygen -yf $(OBJ)/t2.out | diff - ${.CURDIR}/rsa_openssh.pub
 t3:
-        ssh-keygen -ef ${.CURDIR}/rsa_openssh.pub |\
+        ssh-keygen -ef ${.CURDIR}/rsa_openssh.pub >$(OBJ)/rsa_secsh.pub
-                ssh-keygen -if /dev/stdin |\
+        ssh-keygen -if $(OBJ)/rsa_secsh.pub | diff - ${.CURDIR}/rsa_openssh.pub
-                diff - ${.CURDIR}/rsa_openssh.pub
+        rm -f ${.CURDIR}/rsa_secsh.pub
 t4:
        ssh-keygen -lf ${.CURDIR}/rsa_openssh.pub |\
@@ -58,22 +66,21 @@ t5:
                awk '{print $$2}' | diff - ${.CURDIR}/t5.ok
 t6:
-        ssh-keygen -if ${.CURDIR}/dsa_ssh2.prv > t6.out1
+        ssh-keygen -if ${.CURDIR}/dsa_ssh2.prv > $(OBJ)/t6.out1
-        ssh-keygen -if ${.CURDIR}/dsa_ssh2.pub > t6.out2
+        ssh-keygen -if ${.CURDIR}/dsa_ssh2.pub > $(OBJ)/t6.out2
-        chmod 600 t6.out1
+        chmod 600 $(OBJ)/t6.out1
-        ssh-keygen -yf t6.out1 | diff - t6.out2
+        ssh-keygen -yf $(OBJ)/t6.out1 | diff - $(OBJ)/t6.out2
-t7.out:
+$(OBJ)/t7.out:
        ssh-keygen -q -t rsa -N '' -f $@
-t7: t7.out
+t7: $(OBJ)/t7.out
-        ssh-keygen -lf t7.out > /dev/null
+        ssh-keygen -lf $(OBJ)/t7.out > /dev/null
-        ssh-keygen -Bf t7.out > /dev/null
+        ssh-keygen -Bf $(OBJ)/t7.out > /dev/null
-.for t in ${LTESTS}
+t-exec: ${LTESTS:=.sh}
-REGRESS_TARGETS+=t-${t}
+        @if [ "x$?" = "x" ]; then exit 0; fi; \
-t-${t}:
+        for TEST in ""$?; do \
-        sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/${t}.sh
+                echo "run test $${TEST}" ... 1>&2; \
-.endfor
+                (sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \
+        done
-.include "bsd.regress.mk"
diff --git a/regress/README.regress b/regress/README.regress
new file mode 100644
index 000000000..916894a88
--- /dev/null
+++ b/regress/README.regress
@@ -0,0 +1,86 @@
+Overview.
+$ ./configure && make tests
+You'll see some progress info. A failure will cause either the make to
+abort or the driver script to report a "FATAL" failure.
+The test consists of 2 parts. The first is the file-based tests which is
+driven by the Makefile, and the second is a set of network or proxycommand
+based tests, which are driven by a driver script (test-exec.sh) which is
+called multiple times by the Makefile.
+Failures in the first part will cause the Makefile to return an error.
+Failures in the second part will print a "FATAL" message for the failed
+test and continue.
+OpenBSD has a system-wide regression test suite. OpenSSH Portable's test
+suite is based on OpenBSD's with modifications.
+Environment variables.
+SUDO: path to sudo command, if desired. Note that some systems (notably
+        systems using PAM) require sudo to execute some tests.
+TEST_SSH_TRACE: set yo "yes" for verbose output from tests 
+TEST_SSH_QUIET: set to "yes" to suppress non-fatal output.
+TEST_SSH_x: path to "ssh" command under test, where x=SSH,SSHD,SSHAGENT,SSHADD
+        SSHKEYGEN,SSHKEYSCAN,SFTP,SFTPSERVER
+OBJ: used by test scripts to access build dir.
+Individual tests.
+You can invoke test-exec.sh directly if you set up the path to find the
+binaries under test and the test scripts themselves, for example:
+$ cd regress
+$ PATH=`pwd`/..:$PATH:. sh test-exec.sh `pwd` agent-timeout.sh
+ok agent timeout test
+Files.
+test-exec.sh: the main test driver. Sets environment, creates config files
+and keys and runs the specified test.
+At the time of writing, the individual tests are:
+agent-timeout.sh:       agent timeout test
+agent.sh:               simple agent test
+broken-pipe.sh:         broken pipe test
+connect-privsep.sh:     proxy connect with privsep
+connect.sh:             simple connect
+exit-status.sh:         remote exit status
+forwarding.sh:          local and remote forwarding
+keygen-change.sh:       change passphrase for key
+keyscan.sh:             keyscan
+proto-mismatch.sh:      protocol version mismatch
+proto-version.sh:       sshd version with different protocol combinations
+proxy-connect.sh:       proxy connect
+sftp.sh:                basic sftp put/get
+ssh-com-client.sh:      connect with ssh.com client
+ssh-com-keygen.sh:      ssh.com key import
+ssh-com-sftp.sh:        basic sftp put/get with ssh.com server
+ssh-com.sh:             connect to ssh.com server
+stderr-after-eof.sh:    stderr data after eof
+stderr-data.sh:         stderr data transfer
+transfer.sh:            transfer data
+try-ciphers.sh:         try ciphers
+yes-head.sh:            yes pipe head
+Problems?
+Run the failing test with shell tracing (-x) turned on:
+$ PATH=`pwd`/..:$PATH:. sh -x test-exec.sh `pwd` agent-timeout.sh
+Failed tests can be difficult to diagnose. Suggestions:
+- run the individual test via ./test-exec.sh `pwd` [testname]
+- set LogLevel to VERBOSE in test-exec.sh and enable syslogging of
+  auth.debug (eg to /var/log/authlog).
+Known Issues.
+$Id: README.regress,v 1.1 2003/09/04 05:39:54 dtucker Exp $
diff --git a/regress/agent-getpeereid.sh b/regress/agent-getpeereid.sh
index 0889fe80e..46d20dc2b 100644
--- a/regress/agent-getpeereid.sh
+++ b/regress/agent-getpeereid.sh
@@ -7,6 +7,12 @@ UNPRIV=nobody
 ASOCK=${OBJ}/agent
 SSH_AUTH_SOCK=/nonexistant
+if grep "#undef.*HAVE_GETPEEREID" ${BUILDDIR}/config.h >/dev/null 2>&1
+then
+        echo "skipped (not supported on this platform)"
+        exit 0
+fi
 trace "start agent"
 eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null
 r=$?
diff --git a/regress/agent-ptrace.sh b/regress/agent-ptrace.sh
index 9f9c99960..cd9c0023d 100644
--- a/regress/agent-ptrace.sh
+++ b/regress/agent-ptrace.sh
@@ -3,6 +3,22 @@
 tid="disallow agent ptrace attach"
+if have_prog uname ; then
+        case `uname` in
+        Linux|HP-UX|SunOS|NetBSD|AIX|CYGWIN*)
+                echo "skipped (not supported on this platform)"
+                exit 0
+                ;;
+        esac
+fi
+if have_prog gdb ; then
+        : ok
+else
+        echo "skipped (gdb not found)"
+        exit 0
+fi
 trace "start agent"
 eval `${SSHAGENT} -s` > /dev/null
 r=$?
@@ -16,7 +32,7 @@ EOF
        if [ $? -ne 0 ]; then
                fail "gdb failed: exit code $?"
        fi
-        grep -q 'ptrace: Operation not permitted.' ${OBJ}/gdb.out
+        grep 'ptrace: Operation not permitted.' >/dev/null ${OBJ}/gdb.out
        r=$?
        rm -f ${OBJ}/gdb.out
        if [ $r -ne 0 ]; then
diff --git a/regress/agent-timeout.sh b/regress/agent-timeout.sh
index 28b1be028..3a40e7af8 100644
--- a/regress/agent-timeout.sh
+++ b/regress/agent-timeout.sh
@@ -3,7 +3,7 @@
 tid="agent timeout test"
-TIMEOUT=5
+SSHAGENT_TIMEOUT=10
 trace "start agent"
 eval `${SSHAGENT} -s` > /dev/null
@@ -13,7 +13,7 @@ if [ $r -ne 0 ]; then
 else
        trace "add keys with timeout"
        for t in rsa rsa1; do
-                ${SSHADD} -t ${TIMEOUT} $OBJ/$t > /dev/null 2>&1
+                ${SSHADD} -t ${SSHAGENT_TIMEOUT} $OBJ/$t > /dev/null 2>&1
                if [ $? -ne 0 ]; then
                        fail "ssh-add did succeed exit code 0"
                fi
@@ -23,10 +23,10 @@ else
        if [ $n -ne 2 ]; then
                fail "ssh-add -l did not return 2 keys: $n"
        fi
-        trace "sleeping 2*${TIMEOUT} seconds"
+        trace "sleeping 2*${SSHAGENT_TIMEOUT} seconds"
-        sleep ${TIMEOUT}
+        sleep ${SSHAGENT_TIMEOUT}
-        sleep ${TIMEOUT}
+        sleep ${SSHAGENT_TIMEOUT}
-        ${SSHADD} -l 2> /dev/null | grep -q 'The agent has no identities.'
+        ${SSHADD} -l 2> /dev/null | grep 'The agent has no identities.' >/dev/null
        if [ $? -ne 0 ]; then
                fail "ssh-add -l still returns keys after timeout"
        fi
diff --git a/regress/agent.sh b/regress/agent.sh
index 7e9b4cb18..b34487767 100644
--- a/regress/agent.sh
+++ b/regress/agent.sh
@@ -19,7 +19,7 @@ else
                fail "ssh-add -l did not fail with exit code 1"
        fi
        trace "overwrite authorized keys"
-        echo -n > $OBJ/authorized_keys_$USER
+        echon > $OBJ/authorized_keys_$USER
        for t in rsa rsa1; do
                # generate user key for agent
                rm -f $OBJ/$t-agent
diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh
new file mode 100644
index 000000000..2b0b825d0
--- /dev/null
+++ b/regress/dynamic-forward.sh
@@ -0,0 +1,47 @@
+#       $OpenBSD: dynamic-forward.sh,v 1.2 2003/07/03 08:21:46 markus Exp $
+#       Placed in the Public Domain.
+tid="dynamic forwarding"
+PORT=4242
+FWDPORT=4243
+DATA=/bin/ls${EXEEXT}
+if have_prog nc && nc -h 2>&1 | grep "x proxy address" >/dev/null; then
+        proxycmd="nc -x 127.0.0.1:$FWDPORT -X"
+elif have_prog connect; then
+        proxycmd="connect -S 127.0.0.1:$FWDPORT -"
+else
+        echo "skipped (no suitable ProxyCommand found)"
+        exit 0
+fi
+trace "will use ProxyCommand $proxycmd"
+start_sshd
+for p in 1 2; do
+        trace "start dynamic forwarding, fork to background"
+        ${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q somehost \
+                exec sh -c \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\'
+        for s in 4 5; do
+            for h in 127.0.0.1 localhost; do
+                trace "testing ssh protocol $p socks version $s host $h"
+                ${SSH} -F $OBJ/ssh_config \
+                        -o "ProxyCommand ${proxycmd}${s} $h $PORT" \
+                        somehost cat $DATA > $OBJ/ls.copy
+                test -f $OBJ/ls.copy     || fail "failed copy $DATA"
+                cmp $DATA $OBJ/ls.copy || fail "corrupted copy of $DATA"
+            done
+        done
+        if [ -f $OBJ/remote_pid ]; then
+                remote=`cat $OBJ/remote_pid`
+                trace "terminate remote shell, pid $remote"
+                if [ $remote -gt 1 ]; then
+                        kill -HUP $remote
+                fi
+        else
+                fail "no pid file: $OBJ/remote_pid"
+        fi
+done
diff --git a/regress/forwarding.sh b/regress/forwarding.sh
index 7b281c013..dfe065dd6 100644
--- a/regress/forwarding.sh
+++ b/regress/forwarding.sh
@@ -2,6 +2,7 @@
 #       Placed in the Public Domain.
 tid="local and remote forwarding"
+DATA=/bin/ls${EXEEXT}
 start_sshd
@@ -25,9 +26,9 @@ for p in 1 2; do
        trace "transfer over forwarded channels and check result"
        ${SSH} -$q -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \
-                somehost cat /bin/ls > $OBJ/ls.copy
+                somehost cat $DATA > $OBJ/ls.copy
-        test -f $OBJ/ls.copy                    || fail "failed copy /bin/ls"
+        test -f $OBJ/ls.copy                    || fail "failed copy $DATA"
-        cmp /bin/ls $OBJ/ls.copy                || fail "corrupted copy of /bin/ls"
+        cmp $DATA $OBJ/ls.copy                  || fail "corrupted copy of $DATA"
        sleep 10
 done
diff --git a/regress/proto-version.sh b/regress/proto-version.sh
index 7dc616f5f..1651a69e1 100644
--- a/regress/proto-version.sh
+++ b/regress/proto-version.sh
@@ -8,7 +8,7 @@ check_version ()
 {
        version=$1
        expect=$2
-        banner=`echo -n | ${SSHD} -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy`
+        banner=`echon | ${SSHD} -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy`
        case ${banner} in
        SSH-1.99-*)
                proto=199
diff --git a/regress/reconfigure.sh b/regress/reconfigure.sh
new file mode 100644
index 000000000..ba6dbc6f5
--- /dev/null
+++ b/regress/reconfigure.sh
@@ -0,0 +1,35 @@
+#       $OpenBSD: reconfigure.sh,v 1.2 2003/06/21 09:14:05 markus Exp $
+#       Placed in the Public Domain.
+tid="simple connect after reconfigure"
+# we need the full path to sshd for -HUP
+case $SSHD in
+/*)
+        # full path is OK 
+        ;;
+*)
+        # otherwise make fully qualified
+        SSHD=$OBJ/$SSHD
+esac
+start_sshd
+$SUDO kill -HUP `cat $PIDFILE`
+sleep 1
+trace "wait for sshd to restart"
+i=0;
+while [ ! -f $PIDFILE -a $i -lt 10 ]; do
+        i=`expr $i + 1`
+        sleep $i
+done
+test -f $PIDFILE || fatal "sshd did not restart"
+for p in 1 2; do
+        ${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true
+        if [ $? -ne 0 ]; then
+                fail "ssh connect with protocol $p failed after reconfigure"
+        fi
+done
diff --git a/regress/rekey.sh b/regress/rekey.sh
new file mode 100644
index 000000000..6b7e845ec
--- /dev/null
+++ b/regress/rekey.sh
@@ -0,0 +1,31 @@
+#       $OpenBSD: rekey.sh,v 1.1 2003/03/28 13:58:28 markus Exp $
+#       Placed in the Public Domain.
+tid="rekey during transfer data"
+DATA=${OBJ}/data
+COPY=${OBJ}/copy
+LOG=${OBJ}/log
+rm -f ${COPY} ${LOG} ${DATA}
+dd if=/bin/ls${EXEEXT} of=${DATA} bs=1k seek=511 count=1 > /dev/null 2>&1
+for s in 16 1k 128k 256k; do
+        trace "rekeylimit ${s}"
+        rm -f ${COPY}
+        cat $DATA | \
+                ${SSH} -oCompression=no -oRekeyLimit=$s \
+                        -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}" \
+                2> ${LOG}
+        if [ $? -ne 0 ]; then
+                fail "ssh failed"
+        fi
+        cmp $DATA ${COPY}               || fail "corrupted copy"
+        n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
+        n=`expr $n - 1`
+        trace "$n rekeying(s)"
+        if [ $n -lt 1 ]; then
+                fail "no rekeying occured"
+        fi
+done
+rm -f ${COPY} ${LOG} ${DATA}
diff --git a/regress/sftp-badcmds.sh b/regress/sftp-badcmds.sh
new file mode 100644
index 000000000..a6a19409d
--- /dev/null
+++ b/regress/sftp-badcmds.sh
@@ -0,0 +1,78 @@
+#       $OpenBSD: sftp-badcmds.sh,v 1.2 2003/05/15 04:07:12 mouring Exp $
+#       Placed in the Public Domain.
+tid="sftp invalid commands"
+DATA=/bin/ls${EXEEXT}
+DATA2=/bin/cat${EXEEXT}
+NONEXIST=/NONEXIST.$$
+COPY=${OBJ}/copy
+GLOBFILES=`(cd /bin;echo l*)`
+rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd
+rm -f ${COPY}
+verbose "$tid: get nonexistent"
+echo "get $NONEXIST $COPY" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+        || fail "get nonexistent failed"
+test -f ${COPY} && fail "existing copy after get nonexistent"
+rm -f ${COPY}.dd/*
+verbose "$tid: glob get to nonexistent directory"
+echo "get /bin/l* $NONEXIST" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+        || fail "get nonexistent failed"
+for x in $GLOBFILES; do
+        test -f ${COPY}.dd/$x && fail "existing copy after get nonexistent"
+done
+rm -f ${COPY}
+verbose "$tid: put nonexistent"
+echo "put $NONEXIST $COPY" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+        || fail "put nonexistent failed"
+test -f ${COPY} && fail "existing copy after put nonexistent"
+rm -f ${COPY}.dd/*
+verbose "$tid: glob put to nonexistent directory"
+echo "put /bin/l* ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+        || fail "put nonexistent failed"
+for x in $GLOBFILES; do
+        test -f ${COPY}.dd/$x && fail "existing copy after nonexistent"
+done
+rm -f ${COPY}
+verbose "$tid: rename nonexistent"
+echo "rename $NONEXIST ${COPY}.1" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+        || fail "rename nonexist failed"
+test -f ${COPY}.1 && fail "file exists after rename nonexistent"
+rm -f ${COPY} ${COPY}.1
+cp $DATA $COPY
+cp $DATA2 ${COPY}.1
+verbose "$tid: rename target exists"
+echo "rename $COPY ${COPY}.1" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+        || fail "rename target exists failed"
+test -f ${COPY} || fail "oldname missing after rename target exists"
+test -f ${COPY}.1 || fail "newname missing after rename target exists"
+cmp $DATA ${COPY} >/dev/null 2>&1 || fail "corrupted oldname after rename target exists"
+cmp $DATA2 ${COPY}.1 >/dev/null 2>&1 || fail "corrupted newname after rename target exists"
+rm -rf ${COPY} ${COPY}.dd
+cp $DATA $COPY
+mkdir ${COPY}.dd
+verbose "$tid: rename target exists (directory)"
+echo "rename $COPY ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+        || fail "rename target exists (directory) failed"
+test -f ${COPY} || fail "oldname missing after rename target exists (directory)"
+test -d ${COPY}.dd || fail "newname missing after rename target exists (directory)"
+cmp $DATA ${COPY} >/dev/null 2>&1 || fail "corrupted oldname after rename target exists (directory)"
+rm -f ${COPY}.dd/*
+rm -rf ${COPY}
+cp ${DATA2} ${COPY}
+verbose "$tid: glob put files to local file"
+echo "put /bin/l* $COPY" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 
+cmp ${DATA2} ${COPY} || fail "put successed when it should have failed"
+rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd
diff --git a/regress/sftp-batch.sh b/regress/sftp-batch.sh
index cffacb6df..f648eae80 100644
--- a/regress/sftp-batch.sh
+++ b/regress/sftp-batch.sh
@@ -3,9 +3,9 @@
 tid="sftp batchfile"
-DATA=/bin/ls
+DATA=/bin/ls${EXEEXT}
 COPY=${OBJ}/copy
-BATCH=${OBJ}/sftp-batch
+BATCH=${OBJ}/sftp-batch.tmp
 rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${BATCH}.*
diff --git a/regress/sftp-cmds.sh b/regress/sftp-cmds.sh
index 462c6802f..1256aeb2d 100644
--- a/regress/sftp-cmds.sh
+++ b/regress/sftp-cmds.sh
@@ -1,17 +1,42 @@
-#       $OpenBSD: sftp-cmds.sh,v 1.2 2003/01/10 07:52:41 djm Exp $
+#       $OpenBSD: sftp-cmds.sh,v 1.5 2003/07/19 00:46:31 djm Exp $
 #       Placed in the Public Domain.
 # XXX - TODO: 
-# - globbed operations
 # - chmod / chown / chgrp
 # - -p flag for get & put
 tid="sftp commands"
-DATA=/bin/ls
+DATA=/bin/ls${EXEEXT}
 COPY=${OBJ}/copy
+# test that these files are readable!
-rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${BATCH}.*
+for i in `(cd /bin;echo l*)`
+do
+        if [ -r $i ]; then
+                GLOBFILES="$GLOBFILES $i"
+        fi
+done
+if have_prog uname
+then
+        case `uname` in
+        CYGWIN*)
+                os=cygwin
+                ;;
+        *)
+                os=`uname`
+                ;;
+        esac
+else
+        os="unknown"
+fi
+# Path with embedded quote
+QUOTECOPY=${COPY}".\"blah\""
+QUOTECOPY_ARG=${COPY}'.\"blah\"'
+rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${COPY}.dd2
+mkdir ${COPY}.dd
 verbose "$tid: lls"
 echo "lls ${OBJ}" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
@@ -54,21 +79,91 @@ echo "get $DATA $COPY" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
        || fail "get failed"
 cmp $DATA ${COPY} || fail "corrupted copy after get"
+rm -f ${COPY}.dd/*
+verbose "$tid: get to directory"
+echo "get $DATA ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+        || fail "get failed"
+cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after get"
+rm -f ${COPY}.dd/*
+verbose "$tid: glob get to directory"
+echo "get /bin/l* ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+        || fail "get failed"
+for x in $GLOBFILES; do
+        cmp /bin/$x ${COPY}.dd/$x || fail "corrupted copy after get"
+done
+rm -f ${COPY}.dd/*
+verbose "$tid: get to local dir"
+(echo "lcd ${COPY}.dd"; echo "get $DATA" ) | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+        || fail "get failed"
+cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after get"
+rm -f ${COPY}.dd/*
+verbose "$tid: glob get to local dir"
+(echo "lcd ${COPY}.dd"; echo "get /bin/l*") | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+        || fail "get failed"
+for x in $GLOBFILES; do
+        cmp /bin/$x ${COPY}.dd/$x || fail "corrupted copy after get"
+done
 rm -f ${COPY}
 verbose "$tid: put"
 echo "put $DATA $COPY" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
        || fail "put failed"
 cmp $DATA ${COPY} || fail "corrupted copy after put"
+if [ "$os" != "cygwin" ]; then
+rm -f ${QUOTECOPY}
+verbose "$tid: put filename with quotes"
+echo "put $DATA \"$QUOTECOPY_ARG\"" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+        || fail "put failed"
+cmp $DATA ${QUOTECOPY} || fail "corrupted copy after put with quotes"
+fi
+rm -f ${COPY}.dd/*
+verbose "$tid: put to directory"
+echo "put $DATA ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+        || fail "put failed"
+cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after put"
+rm -f ${COPY}.dd/*
+verbose "$tid: glob put to directory"
+echo "put /bin/l* ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+        || fail "put failed"
+for x in $GLOBFILES; do
+        cmp /bin/$x ${COPY}.dd/$x || fail "corrupted copy after put"
+done
+rm -f ${COPY}.dd/*
+verbose "$tid: put to local dir"
+(echo "cd ${COPY}.dd"; echo "put $DATA") | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+        || fail "put failed"
+cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after put"
+rm -f ${COPY}.dd/*
+verbose "$tid: glob put to local dir"
+(echo "cd ${COPY}.dd"; echo "put /bin/l*") | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+        || fail "put failed"
+for x in $GLOBFILES; do
+        cmp /bin/$x ${COPY}.dd/$x || fail "corrupted copy after put"
+done
 verbose "$tid: rename"
 echo "rename $COPY ${COPY}.1" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
        || fail "rename failed"
 test -f ${COPY}.1 || fail "missing file after rename"
 cmp $DATA ${COPY}.1 >/dev/null 2>&1 || fail "corrupted copy after rename"
+verbose "$tid: rename directory"
+echo "rename ${COPY}.dd ${COPY}.dd2" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+        || fail "rename directory failed"
+test -d ${COPY}.dd && fail "oldname exists after rename directory"
+test -d ${COPY}.dd2 || fail "missing newname after rename directory"
 verbose "$tid: ln"
 echo "ln ${COPY}.1 ${COPY}.2" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 || fail "ln failed"
-test -L ${COPY}.2 || fail "missing file after ln"
+test -h ${COPY}.2 || fail "missing file after ln"
 verbose "$tid: mkdir"
 echo "mkdir ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
@@ -95,6 +190,6 @@ verbose "$tid: lchdir"
 echo "lchdir ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
        || fail "lchdir failed"
-rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${BATCH}.*
+rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${COPY}.dd2
diff --git a/regress/sftp.sh b/regress/sftp.sh
index e8d473123..0e22f8f6b 100644
--- a/regress/sftp.sh
+++ b/regress/sftp.sh
@@ -3,27 +3,33 @@
 tid="basic sftp put/get"
-DATA=/bin/ls
+DATA=/bin/ls${EXEEXT}
 COPY=${OBJ}/copy
+SFTPCMDFILE=${OBJ}/batch
+cat >$SFTPCMDFILE <<EOF
+version
+get $DATA ${COPY}.1
+put $DATA ${COPY}.2
+EOF
 BUFFERSIZE="5 1000 32000 64000"
 REQUESTS="1 2 10"
 for B in ${BUFFERSIZE}; do
        for R in ${REQUESTS}; do
                verbose "test $tid: buffer_size $B num_requests $R"
-                rm -f ${COPY}.1 ${COPY}.2
+                rm -f ${COPY}.1 ${COPY}.2                
-                ${SFTP} -P ${SFTPSERVER} -B $B -R $R -b /dev/stdin \
+                ${SFTP} -P ${SFTPSERVER} -B $B -R $R -b $SFTPCMDFILE \
-                > /dev/null 2>&1 << EOF
+                > /dev/null 2>&1
-                version
-                get $DATA ${COPY}.1
-                put $DATA ${COPY}.2
-EOF
                r=$?
                if [ $r -ne 0 ]; then
                        fail "sftp failed with $r"
+                else 
+                        cmp $DATA ${COPY}.1 || fail "corrupted copy after get"
+                        cmp $DATA ${COPY}.2 || fail "corrupted copy after put"
                fi
-                cmp $DATA ${COPY}.1 || fail "corrupted copy after get"
-                cmp $DATA ${COPY}.2 || fail "corrupted copy after put"
        done
 done
+rm -f ${COPY}.1 ${COPY}.2                
+rm -f $SFTPCMDFILE
diff --git a/regress/ssh-com-client.sh b/regress/ssh-com-client.sh
index 015ebbb8c..fc953228e 100644
--- a/regress/ssh-com-client.sh
+++ b/regress/ssh-com-client.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: ssh-com-client.sh,v 1.4 2002/07/16 08:58:16 markus Exp $
+#       $OpenBSD: ssh-com-client.sh,v 1.5 2003/05/14 22:08:27 markus Exp $
 #       Placed in the Public Domain.
 tid="connect with ssh.com client"
@@ -17,6 +17,8 @@ VERSIONS="
        3.0.0
        3.1.0
        3.2.0
+        3.2.2
+        3.2.3
        3.3.0"
 # 2.0.10 2.0.12 2.0.13 don't like the test setup
@@ -62,7 +64,7 @@ EOF
 # we need a real server (no ProxyConnect option)
 start_sshd
-DATA=/bin/ls
+DATA=/bin/ls${EXEEXT}
 COPY=${OBJ}/copy
 rm -f ${COPY}
diff --git a/regress/ssh-com-keygen.sh b/regress/ssh-com-keygen.sh
index e93dc78c9..dbe9b0a6b 100644
--- a/regress/ssh-com-keygen.sh
+++ b/regress/ssh-com-keygen.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: ssh-com-keygen.sh,v 1.2 2002/07/16 08:58:16 markus Exp $
+#       $OpenBSD: ssh-com-keygen.sh,v 1.3 2003/05/14 22:08:27 markus Exp $
 #       Placed in the Public Domain.
 tid="ssh.com key import"
@@ -20,6 +20,8 @@ VERSIONS="
        3.0.0
        3.1.0
        3.2.0
+        3.2.2
+        3.2.3
        3.3.0"
 COMPRV=${OBJ}/comkey
diff --git a/regress/ssh-com-sftp.sh b/regress/ssh-com-sftp.sh
index f08018b84..6ca7dad51 100644
--- a/regress/ssh-com-sftp.sh
+++ b/regress/ssh-com-sftp.sh
@@ -1,10 +1,17 @@
-#       $OpenBSD: ssh-com-sftp.sh,v 1.3 2002/07/16 08:58:16 markus Exp $
+#       $OpenBSD: ssh-com-sftp.sh,v 1.4 2003/05/14 22:08:27 markus Exp $
 #       Placed in the Public Domain.
 tid="basic sftp put/get with ssh.com server"
-DATA=/bin/ls
+DATA=/bin/ls${EXEEXT}
 COPY=${OBJ}/copy
+SFTPCMDFILE=${OBJ}/batch
+cat >$SFTPCMDFILE <<EOF
+version
+get $DATA ${COPY}.1
+put $DATA ${COPY}.2
+EOF
 BUFFERSIZE="5 1000 32000 64000"
 REQUESTS="1 2 10"
@@ -26,6 +33,8 @@ VERSIONS="
        3.0.0
        3.1.0
        3.2.0
+        3.2.2
+        3.2.3
        3.3.0"
 # go for it
@@ -39,18 +48,17 @@ for v in ${VERSIONS}; do
                for R in ${REQUESTS}; do
                        verbose "test $tid: buffer_size $B num_requests $R"
                        rm -f ${COPY}.1 ${COPY}.2
-                        ${SFTP} -P ${server} -B $B -R $R -b /dev/stdin \
+                        ${SFTP} -P ${server} -B $B -R $R -b $SFTPCMDFILE \
-                        > /dev/null 2>&1 << EOF
+                        > /dev/null 2>&1
-                        version
-                        get $DATA ${COPY}.1
-                        put $DATA ${COPY}.2
-EOF
                        r=$?
                        if [ $r -ne 0 ]; then
                                fail "sftp failed with $r"
+                        else                                
+                                cmp $DATA ${COPY}.1 || fail "corrupted copy after get"
+                                cmp $DATA ${COPY}.2 || fail "corrupted copy after put"
                        fi
-                        cmp $DATA ${COPY}.1 || fail "corrupted copy after get"
-                        cmp $DATA ${COPY}.2 || fail "corrupted copy after put"
                done
        done
 done
+rm -f ${COPY}.1 ${COPY}.2                
+rm -f $SFTPCMDFILE
diff --git a/regress/ssh-com.sh b/regress/ssh-com.sh
index c2bd15380..78ae6e9e1 100644
--- a/regress/ssh-com.sh
+++ b/regress/ssh-com.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: ssh-com.sh,v 1.4 2002/07/16 08:58:16 markus Exp $
+#       $OpenBSD: ssh-com.sh,v 1.5 2003/05/14 22:08:27 markus Exp $
 #       Placed in the Public Domain.
 tid="connect to ssh.com server"
@@ -18,6 +18,8 @@ VERSIONS="
        3.0.0
        3.1.0
        3.2.0
+        3.2.2
+        3.2.3
        3.3.0"
 # 2.0.10 does not support UserConfigDirectory
 # 2.3.1 requires a config in $HOME/.ssh2
@@ -65,7 +67,7 @@ done
 # convert and append DSA hostkey
 (
-        echo -n 'ssh2-localhost-with-alias,127.0.0.1,::1 '
+        echon 'ssh2-localhost-with-alias,127.0.0.1,::1 '
        ${SSHKEYGEN} -if ${SRC}/dsa_ssh2.pub
 ) >> $OBJ/known_hosts
diff --git a/regress/stderr-after-eof.sh b/regress/stderr-after-eof.sh
index bebd700bf..05a5ea56d 100644
--- a/regress/stderr-after-eof.sh
+++ b/regress/stderr-after-eof.sh
@@ -7,13 +7,23 @@ DATA=/etc/motd
 DATA=${OBJ}/data
 COPY=${OBJ}/copy
-MD5=md5sum
+if have_prog md5sum; then
+        CHECKSUM=md5sum
+elif have_prog openssl; then
+        CHECKSUM="openssl md5"
+elif have_prog cksum; then
+        CHECKSUM=cksum
+elif have_prog sum; then
+        CHECKSUM=sum
+else
+        fatal "No checksum program available, aborting $tid test"
+fi
 # setup data
 rm -f ${DATA} ${COPY}
 cp /dev/null ${DATA}
 for i in 1 2 3 4 5 6; do
-        (date;echo $i) | $MD5 >> ${DATA}
+        (date;echo $i) | $CHECKSUM >> ${DATA}
 done
 ${SSH} -2 -F $OBJ/ssh_proxy otherhost \
diff --git a/regress/stderr-data.sh b/regress/stderr-data.sh
index 0157690b0..1daf79bb5 100644
--- a/regress/stderr-data.sh
+++ b/regress/stderr-data.sh
@@ -3,7 +3,7 @@
 tid="stderr data transfer"
-DATA=/bin/ls
+DATA=/bin/ls${EXEEXT}
 COPY=${OBJ}/copy
 rm -f ${COPY}
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index a7a8ddbe6..cc7ea67fe 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -2,10 +2,16 @@
 #       Placed in the Public Domain.
 PORT=4242
-USER=`id -un`
-SUDO=
 #SUDO=sudo
+if [ -x /usr/ucb/whoami ]; then
+        USER=`/usr/ucb/whoami`
+elif whoami >/dev/null 2>&1; then
+        USER=`whoami`
+else
+        USER=`id -un`
+fi
 OBJ=$1
 if [ "x$OBJ" = "x" ]; then
        echo '$OBJ not defined'
@@ -72,6 +78,32 @@ export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER
 #echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER
 # helper
+echon()
+{
+       if [ "x`echo -n`" = "x" ]; then
+               echo -n "$@"
+       elif [ "x`echo '\c'`" = "x" ]; then
+               echo "$@\c"
+       else
+               fatal "Don't know how to echo without newline."
+       fi
+}
+have_prog()
+{
+        saved_IFS="$IFS"
+        IFS=":"
+        for i in $PATH
+        do
+                if [ -x $i/$1 ]; then
+                        IFS="$saved_IFS"
+                        return 0
+                fi
+        done
+        IFS="$saved_IFS"
+        return 1
+}
 cleanup ()
 {
        if [ -f $PIDFILE ]; then
@@ -111,7 +143,7 @@ fail ()
 fatal ()
 {
-        echo -n "FATAL: "
+        echon "FATAL: "
        fail "$@"
        cleanup
        exit $RESULT
@@ -130,6 +162,7 @@ cat << EOF > $OBJ/sshd_config
        PidFile                 $PIDFILE
        AuthorizedKeysFile      $OBJ/authorized_keys_%u
        LogLevel                QUIET
+        StrictModes             no
 EOF
 # server config for proxy connects
@@ -169,7 +202,7 @@ for t in rsa rsa1; do
        # known hosts file for client
        (
-                echo -n 'localhost-with-alias,127.0.0.1,::1 '
+                echon 'localhost-with-alias,127.0.0.1,::1 '
                cat $OBJ/$t.pub
        ) >> $OBJ/known_hosts
@@ -189,7 +222,7 @@ chmod 644 $OBJ/authorized_keys_$USER
 # create a proxy version of the client config
 (
        cat $OBJ/ssh_config
-        echo proxycommand ${SSHD} -i -f $OBJ/sshd_proxy
+        echo proxycommand ${SUDO} ${SSHD} -i -f $OBJ/sshd_proxy
 ) > $OBJ/ssh_proxy
 # check proxy config
@@ -203,7 +236,7 @@ start_sshd ()
        trace "wait for sshd"
        i=0;
-        while [ ! -f $PIDFILE -a $i -lt 5 ]; do
+        while [ ! -f $PIDFILE -a $i -lt 10 ]; do
                i=`expr $i + 1`
                sleep $i
        done
diff --git a/regress/transfer.sh b/regress/transfer.sh
index 31cdc0ce3..13ea367d5 100644
--- a/regress/transfer.sh
+++ b/regress/transfer.sh
@@ -3,7 +3,7 @@
 tid="transfer data"
-DATA=/bin/ls
+DATA=/bin/ls${EXEEXT}
 COPY=${OBJ}/copy
 for p in 1 2; do
diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh
index 161f039c0..2c727f66c 100644
--- a/regress/try-ciphers.sh
+++ b/regress/try-ciphers.sh
@@ -1,10 +1,11 @@
-#       $OpenBSD: try-ciphers.sh,v 1.7 2002/04/03 09:30:01 markus Exp $
+#       $OpenBSD: try-ciphers.sh,v 1.8 2003/06/12 15:40:01 markus Exp $
 #       Placed in the Public Domain.
 tid="try ciphers"
 ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc arcfour 
-        aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se"
+        aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
+        aes128-ctr aes192-ctr aes256-ctr"
 macs="hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96"
 for c in $ciphers; do
diff --git a/regress/yes-head.sh b/regress/yes-head.sh
index f213f6863..17a4d0dd4 100644
--- a/regress/yes-head.sh
+++ b/regress/yes-head.sh
@@ -4,7 +4,7 @@
 tid="yes pipe head"
 for p in 1 2; do
-        lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'yes | head -2000' | (sleep 3 ; wc -l)`
+        lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | head -2000"' | (sleep 3 ; wc -l)`
        if [ $? -ne 0 ]; then
                fail "yes|head test failed"
                lines = 0;
diff --git a/scard-opensc.c b/scard-opensc.c
index dd21de39a..2489fec45 100644
--- a/scard-opensc.c
+++ b/scard-opensc.c
@@ -89,6 +89,12 @@ sc_init(void)
        r = sc_establish_context(&ctx, "openssh");
        if (r)
                goto err;
+        if (sc_reader_id >= ctx->reader_count) {
+                r = SC_ERROR_NO_READERS_FOUND;
+                error("Illegal reader number %d (max %d)", sc_reader_id, 
+                    ctx->reader_count -1);
+                goto err;
+        }
        r = sc_connect_card(ctx->reader[sc_reader_id], 0, &card);
        if (r)
                goto err;
@@ -104,7 +110,8 @@ err:
 /* private key operations */
 static int
-sc_prkey_op_init(RSA *rsa, struct sc_pkcs15_object **key_obj_out)
+sc_prkey_op_init(RSA *rsa, struct sc_pkcs15_object **key_obj_out,
+        unsigned int usage)
 {
        int r;
        struct sc_priv_data *priv;
@@ -124,7 +131,8 @@ sc_prkey_op_init(RSA *rsa, struct sc_pkcs15_object **key_obj_out)
                        goto err;
                }
        }
-        r = sc_pkcs15_find_prkey_by_id(p15card, &priv->cert_id, &key_obj);
+        r = sc_pkcs15_find_prkey_by_id_usage(p15card, &priv->cert_id, 
+                usage, &key_obj);
        if (r) {
                error("Unable to find private key from SmartCard: %s",
                      sc_strerror(r));
@@ -133,7 +141,16 @@ sc_prkey_op_init(RSA *rsa, struct sc_pkcs15_object **key_obj_out)
        key = key_obj->data;
        r = sc_pkcs15_find_pin_by_auth_id(p15card, &key_obj->auth_id,
                                          &pin_obj);
-        if (r) {
+        if (r == SC_ERROR_OBJECT_NOT_FOUND) {
+                /* no pin required */
+                r = sc_lock(card);
+                if (r) {
+                        error("Unable to lock smartcard: %s", sc_strerror(r));
+                        goto err;
+                }
+                *key_obj_out = key_obj;
+                return 0;
+        } else if (r) {
                error("Unable to find PIN object from SmartCard: %s",
                      sc_strerror(r));
                goto err;
@@ -161,6 +178,9 @@ err:
        return -1;
 }
+#define SC_USAGE_DECRYPT        SC_PKCS15_PRKEY_USAGE_DECRYPT | \
+                                SC_PKCS15_PRKEY_USAGE_UNWRAP
 static int
 sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa,
    int padding)
@@ -170,10 +190,11 @@ sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa,
        if (padding != RSA_PKCS1_PADDING)
                return -1;      
-        r = sc_prkey_op_init(rsa, &key_obj);
+        r = sc_prkey_op_init(rsa, &key_obj, SC_USAGE_DECRYPT);
        if (r)
                return -1;
-        r = sc_pkcs15_decipher(p15card, key_obj, 0, from, flen, to, flen);
+        r = sc_pkcs15_decipher(p15card, key_obj, SC_ALGORITHM_RSA_PAD_PKCS1, 
+            from, flen, to, flen);
        sc_unlock(card);
        if (r < 0) {
                error("sc_pkcs15_decipher() failed: %s", sc_strerror(r));
@@ -185,6 +206,9 @@ err:
        return -1;
 }
+#define SC_USAGE_SIGN           SC_PKCS15_PRKEY_USAGE_SIGN | \
+                                SC_PKCS15_PRKEY_USAGE_SIGNRECOVER
 static int
 sc_sign(int type, u_char *m, unsigned int m_len,
        unsigned char *sigret, unsigned int *siglen, RSA *rsa)
@@ -193,7 +217,15 @@ sc_sign(int type, u_char *m, unsigned int m_len,
        int r;
        unsigned long flags = 0;
-        r = sc_prkey_op_init(rsa, &key_obj);
+        /* XXX: sc_prkey_op_init will search for a pkcs15 private
+         * key object with the sign or signrecover usage flag set.
+         * If the signing key has only the non-repudiation flag set
+         * the key will be rejected as using a non-repudiation key
+         * for authentication is not recommended. Note: This does not
+         * prevent the use of a non-repudiation key for authentication
+         * if the sign or signrecover flag is set as well. 
+         */
+        r = sc_prkey_op_init(rsa, &key_obj, SC_USAGE_SIGN);
        if (r)
                return -1;
        /* FIXME: length of sigret correct? */
@@ -321,7 +353,7 @@ sc_read_pubkey(Key * k, const struct sc_pkcs15_object *cert_obj)
        debug("sc_read_pubkey() with cert id %02X", cinfo->id.value[0]);
        r = sc_pkcs15_read_certificate(p15card, cinfo, &cert);
        if (r) {
-                log("Certificate read failed: %s", sc_strerror(r));
+                logit("Certificate read failed: %s", sc_strerror(r));
                goto err;
        }
        x509 = X509_new();
@@ -331,7 +363,7 @@ sc_read_pubkey(Key * k, const struct sc_pkcs15_object *cert_obj)
        }
        p = cert->data;
        if (!d2i_X509(&x509, &p, cert->data_len)) {
-                log("Unable to parse X.509 certificate");
+                logit("Unable to parse X.509 certificate");
                r = -1;
                goto err;
        }
@@ -341,7 +373,7 @@ sc_read_pubkey(Key * k, const struct sc_pkcs15_object *cert_obj)
        X509_free(x509);
        x509 = NULL;
        if (pubkey->type != EVP_PKEY_RSA) {
-                log("Public key is of unknown type");
+                logit("Public key is of unknown type");
                r = -1;
                goto err;
        }
@@ -413,7 +445,7 @@ sc_get_keys(const char *id, const char *pin)
                r = sc_pkcs15_get_objects(p15card, SC_PKCS15_TYPE_CERT_X509,
                                          certs, 32);
                if (r == 0) {
-                        log("No certificates found on smartcard");
+                        logit("No certificates found on smartcard");
                        r = -1;
                        goto err;
                } else if (r < 0) {
@@ -423,9 +455,14 @@ sc_get_keys(const char *id, const char *pin)
                }
                key_count = r;
        }
-        /* FIXME: only keep entries with a corresponding private key */
        keys = xmalloc(sizeof(Key *) * (key_count*2+1));
        for (i = 0; i < key_count; i++) {
+                sc_pkcs15_object_t *tmp_obj = NULL;
+                cert_id = ((sc_pkcs15_cert_info_t *)(certs[i]->data))->id;
+                if (sc_pkcs15_find_prkey_by_id(p15card, &cert_id, &tmp_obj))
+                        /* skip the public key (certificate) if no
+                         * corresponding private key is present */
+                        continue;
                k = key_new(KEY_RSA);
                if (k == NULL)
                        break;
@@ -459,4 +496,30 @@ sc_put_key(Key *prv, const char *id)
        return -1;
 }
+char *
+sc_get_key_label(Key *key)
+{
+        int r;
+        const struct sc_priv_data *priv;
+        struct sc_pkcs15_object *key_obj;
+        priv = (const struct sc_priv_data *) RSA_get_app_data(key->rsa);
+        if (priv == NULL || p15card == NULL) {
+                logit("SmartCard key not loaded");
+                /* internal error => return default label */
+                return xstrdup("smartcard key");
+        }
+        r = sc_pkcs15_find_prkey_by_id(p15card, &priv->cert_id, &key_obj);
+        if (r) {
+                logit("Unable to find private key from SmartCard: %s",
+                      sc_strerror(r));
+                return xstrdup("smartcard key");
+        }
+        if (key_obj == NULL || key_obj->label == NULL)
+                /* the optional PKCS#15 label does not exists
+                 * => return the default label */
+                return xstrdup("smartcard key");
+        return xstrdup(key_obj->label);
+}
 #endif /* SMARTCARD */
diff --git a/scard.c b/scard.c
index 9791938c0..906287ba2 100644
--- a/scard.c
+++ b/scard.c
@@ -24,7 +24,7 @@
 #include "includes.h"
 #if defined(SMARTCARD) && defined(USE_SECTOK)
-RCSID("$OpenBSD: scard.c,v 1.26 2002/06/23 03:30:17 deraadt Exp $");
+RCSID("$OpenBSD: scard.c,v 1.28 2003/06/12 19:12:02 markus Exp $");
 #include <openssl/evp.h>
 #include <sectok.h>
@@ -526,7 +526,7 @@ sc_put_key(Key *prv, const char *id)
        }
        if (!sectok_swOK(sw))
                goto done;
-        log("cyberflex_load_rsa_priv done");
+        logit("cyberflex_load_rsa_priv done");
        key_fid[0] = 0x73;
        key_fid[1] = 0x68;
        if (cyberflex_load_rsa_pub(fd, cla, key_fid, len, elements[5],
@@ -536,7 +536,7 @@ sc_put_key(Key *prv, const char *id)
        }
        if (!sectok_swOK(sw))
                goto done;
-        log("cyberflex_load_rsa_pub done");
+        logit("cyberflex_load_rsa_pub done");
        status = 0;
 done:
@@ -554,4 +554,11 @@ done:
                sectok_close(fd);
        return (status);
 }
+char *
+sc_get_key_label(Key *key)
+{
+        return xstrdup("smartcard key");
+}
 #endif /* SMARTCARD && USE_SECTOK */
diff --git a/scard.h b/scard.h
index 00999cb09..9ba20a361 100644
--- a/scard.h
+++ b/scard.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: scard.h,v 1.11 2002/06/30 21:59:45 deraadt Exp $      */
+/*      $OpenBSD: scard.h,v 1.12 2003/06/12 19:12:03 markus Exp $       */
 /*
 * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@@ -36,5 +36,6 @@
 Key     **sc_get_keys(const char *, const char *);
 void     sc_close(void);
 int      sc_put_key(Key *, const char *);
+char    *sc_get_key_label(Key *);
 #endif
diff --git a/scp.0 b/scp.0
index 7a653c687..2ebff48d0 100644
--- a/scp.0
+++ b/scp.0
@@ -79,15 +79,16 @@ DESCRIPTION
 DIAGNOSTICS
     scp exits with 0 on success or >0 if an error occurred.
-AUTHORS
+SEE ALSO
-     Timo Rinne <tri@iki.fi> and Tatu Ylonen <ylo@cs.hut.fi>
+     rcp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1),
+     ssh_config(5), sshd(8)
 HISTORY
     scp is based on the rcp(1) program in BSD source code from the Regents of
     the University of California.
-SEE ALSO
+AUTHORS
-     rcp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1),
+     Timo Rinne M-bM-^LM-)tri@iki.fiM-bM-^LM-* and
-     ssh_config(5), sshd(8)
+     Tatu Ylonen M-bM-^LM-)ylo@cs.hut.fiM-bM-^LM-*
 BSD                           September 25, 1999                           BSD
diff --git a/scp.1 b/scp.1
index a3ec2e0c6..a971500ee 100644
--- a/scp.1
+++ b/scp.1
@@ -9,7 +9,7 @@
 .\"
 .\" Created: Sun May  7 00:14:37 1995 ylo
 .\"
-.\" $OpenBSD: scp.1,v 1.27 2003/03/28 10:11:43 jmc Exp $
+.\" $OpenBSD: scp.1,v 1.28 2003/06/10 09:12:11 jmc Exp $
 .\"
 .Dd September 25, 1999
 .Dt SCP 1
@@ -148,14 +148,6 @@ to use IPv6 addresses only.
 .Sh DIAGNOSTICS
 .Nm
 exits with 0 on success or >0 if an error occurred.
-.Sh AUTHORS
-Timo Rinne <tri@iki.fi> and Tatu Ylonen <ylo@cs.hut.fi>
-.Sh HISTORY
-.Nm
-is based on the
-.Xr rcp 1
-program in BSD source code from the Regents of the University of
-California.
 .Sh SEE ALSO
 .Xr rcp 1 ,
 .Xr sftp 1 ,
@@ -165,3 +157,13 @@ California.
 .Xr ssh-keygen 1 ,
 .Xr ssh_config 5 ,
 .Xr sshd 8
+.Sh HISTORY
+.Nm
+is based on the
+.Xr rcp 1
+program in BSD source code from the Regents of the University of
+California.
+.Sh AUTHORS
+.An Timo Rinne Aq tri@iki.fi
+and
+.An Tatu Ylonen Aq ylo@cs.hut.fi
diff --git a/scp.c b/scp.c
index 35d4c5f71..4f9247c2d 100644
--- a/scp.c
+++ b/scp.c
@@ -52,11 +52,7 @@
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
+ * 3. Neither the name of the University nor the names of its contributors
- *    must display the following acknowledgement:
- *      This product includes software developed by the University of
- *      California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
@@ -75,7 +71,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: scp.c,v 1.102 2003/03/05 22:33:43 markus Exp $");
+RCSID("$OpenBSD: scp.c,v 1.108 2003/07/18 01:54:25 deraadt Exp $");
 #include "xmalloc.h"
 #include "atomicio.h"
@@ -111,7 +107,16 @@ int showprogress = 1;
 char *ssh_program = _PATH_SSH_PROGRAM;
 /* This is used to store the pid of ssh_program */
-pid_t do_cmd_pid;
+pid_t do_cmd_pid = -1;
+static void
+killchild(int signo)
+{
+        if (do_cmd_pid > 1)
+                kill(do_cmd_pid, signo);
+        _exit(1);
+}
 /*
 * This function executes the given command as the specified user on the
@@ -146,7 +151,7 @@ do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc)
        close(reserved[0]);
        close(reserved[1]);
-        /* For a child to execute the command on the remote host using ssh. */
+        /* Fork a child to execute the command on the remote host using ssh. */
        do_cmd_pid = fork();
        if (do_cmd_pid == 0) {
                /* Child. */
@@ -174,6 +179,9 @@ do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc)
        *fdout = pin[1];
        close(pout[1]);
        *fdin = pout[0];
+        signal(SIGTERM, killchild);
+        signal(SIGINT, killchild);
+        signal(SIGHUP, killchild);
        return 0;
 }
@@ -206,9 +214,7 @@ void toremote(char *, int, char *[]);
 void usage(void);
 int
-main(argc, argv)
+main(int argc, char **argv)
-        int argc;
-        char *argv[];
 {
        int ch, fflag, tflag, status;
        double speed;
@@ -216,7 +222,7 @@ main(argc, argv)
        extern char *optarg;
        extern int optind;
-        __progname = get_progname(argv[0]);
+        __progname = ssh_get_progname(argv[0]);
        args.list = NULL;
        addargs(&args, "ssh");          /* overwritten with ssh_program */
@@ -292,7 +298,7 @@ main(argc, argv)
        argv += optind;
        if ((pwd = getpwuid(userid = getuid())) == NULL)
-                fatal("unknown user %d", (int) userid);
+                fatal("unknown user %u", (u_int) userid);
        if (!isatty(STDERR_FILENO))
                showprogress = 0;
@@ -353,9 +359,7 @@ main(argc, argv)
 }
 void
-toremote(targ, argc, argv)
+toremote(char *targ, int argc, char **argv)
-        char *targ, *argv[];
-        int argc;
 {
        int i, len;
        char *bp, *host, *src, *suser, *thost, *tuser;
@@ -443,9 +447,7 @@ toremote(targ, argc, argv)
 }
 void
-tolocal(argc, argv)
+tolocal(int argc, char **argv)
-        int argc;
-        char *argv[];
 {
        int i, len;
        char *bp, *host, *src, *suser;
@@ -494,9 +496,7 @@ tolocal(argc, argv)
 }
 void
-source(argc, argv)
+source(int argc, char **argv)
-        int argc;
-        char *argv[];
 {
        struct stat stb;
        static BUF buffer;
@@ -549,25 +549,18 @@ syserr:			run_err("%s: %s", name, strerror(errno));
                        (void) snprintf(buf, sizeof buf, "T%lu 0 %lu 0\n",
                            (u_long) stb.st_mtime,
                            (u_long) stb.st_atime);
-                        (void) atomicio(write, remout, buf, strlen(buf));
+                        (void) atomicio(vwrite, remout, buf, strlen(buf));
                        if (response() < 0)
                                goto next;
                }
 #define FILEMODEMASK    (S_ISUID|S_ISGID|S_IRWXU|S_IRWXG|S_IRWXO)
-#ifdef HAVE_LONG_LONG_INT
                snprintf(buf, sizeof buf, "C%04o %lld %s\n",
                    (u_int) (stb.st_mode & FILEMODEMASK),
-                    (long long)stb.st_size, last);
+                    (int64_t)stb.st_size, last);
-#else
-                /* XXX: Handle integer overflow? */
-                snprintf(buf, sizeof buf, "C%04o %lu %s\n",
-                    (u_int) (stb.st_mode & FILEMODEMASK),
-                    (u_long) stb.st_size, last);
-#endif
                if (verbose_mode) {
                        fprintf(stderr, "Sending file modes: %s", buf);
                }
-                (void) atomicio(write, remout, buf, strlen(buf));
+                (void) atomicio(vwrite, remout, buf, strlen(buf));
                if (response() < 0)
                        goto next;
                if ((bp = allocbuf(&buffer, fd, 2048)) == NULL) {
@@ -587,9 +580,9 @@ next:			(void) close(fd);
                                        haderr = result >= 0 ? EIO : errno;
                        }
                        if (haderr)
-                                (void) atomicio(write, remout, bp->buf, amt);
+                                (void) atomicio(vwrite, remout, bp->buf, amt);
                        else {
-                                result = atomicio(write, remout, bp->buf, amt);
+                                result = atomicio(vwrite, remout, bp->buf, amt);
                                if (result != amt)
                                        haderr = result >= 0 ? EIO : errno;
                                statbytes += result;
@@ -603,7 +596,7 @@ next:			(void) close(fd);
                if (close(fd) < 0 && !haderr)
                        haderr = errno;
                if (!haderr)
-                        (void) atomicio(write, remout, "", 1);
+                        (void) atomicio(vwrite, remout, "", 1);
                else
                        run_err("%s: %s", name, strerror(haderr));
                (void) response();
@@ -611,9 +604,7 @@ next:			(void) close(fd);
 }
 void
-rsource(name, statp)
+rsource(char *name, struct stat *statp)
-        char *name;
-        struct stat *statp;
 {
        DIR *dirp;
        struct dirent *dp;
@@ -632,7 +623,7 @@ rsource(name, statp)
                (void) snprintf(path, sizeof(path), "T%lu 0 %lu 0\n",
                    (u_long) statp->st_mtime,
                    (u_long) statp->st_atime);
-                (void) atomicio(write, remout, path, strlen(path));
+                (void) atomicio(vwrite, remout, path, strlen(path));
                if (response() < 0) {
                        closedir(dirp);
                        return;
@@ -642,7 +633,7 @@ rsource(name, statp)
            (u_int) (statp->st_mode & FILEMODEMASK), 0, last);
        if (verbose_mode)
                fprintf(stderr, "Entering directory: %s", path);
-        (void) atomicio(write, remout, path, strlen(path));
+        (void) atomicio(vwrite, remout, path, strlen(path));
        if (response() < 0) {
                closedir(dirp);
                return;
@@ -661,7 +652,7 @@ rsource(name, statp)
                source(1, vect);
        }
        (void) closedir(dirp);
-        (void) atomicio(write, remout, "E\n", 2);
+        (void) atomicio(vwrite, remout, "E\n", 2);
        (void) response();
 }
@@ -720,9 +711,7 @@ bwlimit(int amount)
 }
 void
-sink(argc, argv)
+sink(int argc, char **argv)
-        int argc;
-        char *argv[];
 {
        static BUF buffer;
        struct stat stb;
@@ -753,7 +742,7 @@ sink(argc, argv)
        if (targetshouldbedirectory)
                verifydir(targ);
-        (void) atomicio(write, remout, "", 1);
+        (void) atomicio(vwrite, remout, "", 1);
        if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode))
                targisdir = 1;
        for (first = 1;; first = 0) {
@@ -771,7 +760,7 @@ sink(argc, argv)
                if (buf[0] == '\01' || buf[0] == '\02') {
                        if (iamremote == 0)
-                                (void) atomicio(write, STDERR_FILENO,
+                                (void) atomicio(vwrite, STDERR_FILENO,
                                    buf + 1, strlen(buf + 1));
                        if (buf[0] == '\02')
                                exit(1);
@@ -779,7 +768,7 @@ sink(argc, argv)
                        continue;
                }
                if (buf[0] == 'E') {
-                        (void) atomicio(write, remout, "", 1);
+                        (void) atomicio(vwrite, remout, "", 1);
                        return;
                }
                if (ch == '\n')
@@ -801,7 +790,7 @@ sink(argc, argv)
                        atime.tv_usec = strtol(cp, &cp, 10);
                        if (!cp || *cp++ != '\0')
                                SCREWUP("atime.usec not delimited");
-                        (void) atomicio(write, remout, "", 1);
+                        (void) atomicio(vwrite, remout, "", 1);
                        continue;
                }
                if (*cp != 'C' && *cp != 'D') {
@@ -886,7 +875,7 @@ sink(argc, argv)
 bad:                    run_err("%s: %s", np, strerror(errno));
                        continue;
                }
-                (void) atomicio(write, remout, "", 1);
+                (void) atomicio(vwrite, remout, "", 1);
                if ((bp = allocbuf(&buffer, ofd, 4096)) == NULL) {
                        (void) close(ofd);
                        continue;
@@ -923,7 +912,7 @@ bad:			run_err("%s: %s", np, strerror(errno));
                        if (count == bp->cnt) {
                                /* Keep reading so we stay sync'd up. */
                                if (wrerr == NO) {
-                                        j = atomicio(write, ofd, bp->buf, count);
+                                        j = atomicio(vwrite, ofd, bp->buf, count);
                                        if (j != count) {
                                                wrerr = YES;
                                                wrerrno = j >= 0 ? EIO : errno;
@@ -936,7 +925,7 @@ bad:			run_err("%s: %s", np, strerror(errno));
                if (showprogress)
                        stop_progress_meter();
                if (count != 0 && wrerr == NO &&
-                    (j = atomicio(write, ofd, bp->buf, count)) != count) {
+                    (j = atomicio(vwrite, ofd, bp->buf, count)) != count) {
                        wrerr = YES;
                        wrerrno = j >= 0 ? EIO : errno;
                }
@@ -981,7 +970,7 @@ bad:			run_err("%s: %s", np, strerror(errno));
                        run_err("%s: %s", np, strerror(wrerrno));
                        break;
                case NO:
-                        (void) atomicio(write, remout, "", 1);
+                        (void) atomicio(vwrite, remout, "", 1);
                        break;
                case DISPLAYED:
                        break;
@@ -1016,7 +1005,7 @@ response(void)
                } while (cp < &rbuf[sizeof(rbuf) - 1] && ch != '\n');
                if (!iamremote)
-                        (void) atomicio(write, STDERR_FILENO, rbuf, cp - rbuf);
+                        (void) atomicio(vwrite, STDERR_FILENO, rbuf, cp - rbuf);
                ++errs;
                if (resp == 1)
                        return (-1);
@@ -1061,8 +1050,7 @@ run_err(const char *fmt,...)
 }
 void
-verifydir(cp)
+verifydir(char *cp)
-        char *cp;
 {
        struct stat stb;
@@ -1076,8 +1064,7 @@ verifydir(cp)
 }
 int
-okname(cp0)
+okname(char *cp0)
-        char *cp0;
 {
        int c;
        char *cp;
@@ -1107,9 +1094,7 @@ bad:	fprintf(stderr, "%s: invalid user name\n", cp0);
 }
 BUF *
-allocbuf(bp, fd, blksize)
+allocbuf(BUF *bp, int fd, int blksize)
-        BUF *bp;
-        int fd, blksize;
 {
        size_t size;
 #ifdef HAVE_STRUCT_STAT_ST_BLKSIZE
@@ -1137,8 +1122,7 @@ allocbuf(bp, fd, blksize)
 }
 void
-lostconn(signo)
+lostconn(int signo)
-        int signo;
 {
        if (!iamremote)
                write(STDERR_FILENO, "lost connection\n", 16);
diff --git a/servconf.c b/servconf.c
index 2510659ee..71e28b3cb 100644
--- a/servconf.c
+++ b/servconf.c
@@ -10,23 +10,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.116 2003/02/21 09:05:53 markus Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.127 2003/09/01 18:15:50 markus Exp $");
-#if defined(KRB4)
-#include <krb.h>
-#endif
-#if defined(KRB5)
-#ifdef HEIMDAL
-#include <krb.h>
-#else
-/* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
- * keytab */
-#define KEYFILE "/etc/krb5.keytab"
-#endif
-#endif
-#ifdef AFS
-#include <kafs.h>
-#endif
 #include "ssh.h"
 #include "log.h"
@@ -56,7 +40,7 @@ initialize_server_options(ServerOptions *options)
        memset(options, 0, sizeof(*options));
        /* Portable-specific options */
-        options->pam_authentication_via_kbd_int = -1;
+        options->use_pam = -1;
        /* Standard Options */
        options->num_ports = 0;
@@ -80,23 +64,16 @@ initialize_server_options(ServerOptions *options)
        options->keepalives = -1;
        options->log_facility = SYSLOG_FACILITY_NOT_SET;
        options->log_level = SYSLOG_LEVEL_NOT_SET;
-        options->rhosts_authentication = -1;
        options->rhosts_rsa_authentication = -1;
        options->hostbased_authentication = -1;
        options->hostbased_uses_name_from_packet_only = -1;
        options->rsa_authentication = -1;
        options->pubkey_authentication = -1;
-#if defined(KRB4) || defined(KRB5)
        options->kerberos_authentication = -1;
        options->kerberos_or_local_passwd = -1;
        options->kerberos_ticket_cleanup = -1;
-#endif
+        options->gss_authentication=-1;
-#if defined(AFS) || defined(KRB5)
+        options->gss_cleanup_creds = -1;
-        options->kerberos_tgt_passing = -1;
-#endif
-#ifdef AFS
-        options->afs_token_passing = -1;
-#endif
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->challenge_response_authentication = -1;
@@ -118,7 +95,7 @@ initialize_server_options(ServerOptions *options)
        options->max_startups_rate = -1;
        options->max_startups = -1;
        options->banner = NULL;
-        options->verify_reverse_mapping = -1;
+        options->use_dns = -1;
        options->client_alive_interval = -1;
        options->client_alive_count_max = -1;
        options->authorized_keys_file = NULL;
@@ -132,8 +109,8 @@ void
 fill_default_server_options(ServerOptions *options)
 {
        /* Portable-specific options */
-        if (options->pam_authentication_via_kbd_int == -1)
+        if (options->use_pam == -1)
-                options->pam_authentication_via_kbd_int = 0;
+                options->use_pam = 1;
        /* Standard Options */
        if (options->protocol == SSH_PROTO_UNKNOWN)
@@ -188,8 +165,6 @@ fill_default_server_options(ServerOptions *options)
                options->log_facility = SYSLOG_FACILITY_AUTH;
        if (options->log_level == SYSLOG_LEVEL_NOT_SET)
                options->log_level = SYSLOG_LEVEL_INFO;
-        if (options->rhosts_authentication == -1)
-                options->rhosts_authentication = 0;
        if (options->rhosts_rsa_authentication == -1)
                options->rhosts_rsa_authentication = 0;
        if (options->hostbased_authentication == -1)
@@ -200,22 +175,16 @@ fill_default_server_options(ServerOptions *options)
                options->rsa_authentication = 1;
        if (options->pubkey_authentication == -1)
                options->pubkey_authentication = 1;
-#if defined(KRB4) || defined(KRB5)
        if (options->kerberos_authentication == -1)
                options->kerberos_authentication = 0;
        if (options->kerberos_or_local_passwd == -1)
                options->kerberos_or_local_passwd = 1;
        if (options->kerberos_ticket_cleanup == -1)
                options->kerberos_ticket_cleanup = 1;
-#endif
+        if (options->gss_authentication == -1)
-#if defined(AFS) || defined(KRB5)
+                options->gss_authentication = 0;
-        if (options->kerberos_tgt_passing == -1)
+        if (options->gss_cleanup_creds == -1)
-                options->kerberos_tgt_passing = 0;
+                options->gss_cleanup_creds = 1;
-#endif
-#ifdef AFS
-        if (options->afs_token_passing == -1)
-                options->afs_token_passing = 0;
-#endif
        if (options->password_authentication == -1)
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
@@ -240,8 +209,8 @@ fill_default_server_options(ServerOptions *options)
                options->max_startups_rate = 100;               /* 100% */
        if (options->max_startups_begin == -1)
                options->max_startups_begin = options->max_startups;
-        if (options->verify_reverse_mapping == -1)
+        if (options->use_dns == -1)
-                options->verify_reverse_mapping = 0;
+                options->use_dns = 1;
        if (options->client_alive_interval == -1)
                options->client_alive_interval = 0;
        if (options->client_alive_count_max == -1)
@@ -275,21 +244,13 @@ fill_default_server_options(ServerOptions *options)
 typedef enum {
        sBadOption,             /* == unknown option */
        /* Portable-specific options */
-        sPAMAuthenticationViaKbdInt,
+        sUsePAM,
        /* Standard Options */
        sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
        sPermitRootLogin, sLogFacility, sLogLevel,
-        sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
+        sRhostsRSAAuthentication, sRSAAuthentication,
-#if defined(KRB4) || defined(KRB5)
        sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
-#endif
+        sKerberosTgtPassing, sChallengeResponseAuthentication,
-#if defined(AFS) || defined(KRB5)
-        sKerberosTgtPassing,
-#endif
-#ifdef AFS
-        sAFSTokenPassing,
-#endif
-        sChallengeResponseAuthentication,
        sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
        sPrintMotd, sPrintLastLog, sIgnoreRhosts,
        sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@@ -298,11 +259,12 @@ typedef enum {
        sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
        sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
        sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
-        sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
+        sBanner, sUseDNS, sHostbasedAuthentication,
        sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
        sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
+        sGssAuthentication, sGssCleanupCreds,
        sUsePrivilegeSeparation,
-        sDeprecated
+        sDeprecated, sUnsupported
 } ServerOpCodes;
 /* Textual representation of the tokens. */
@@ -311,7 +273,12 @@ static struct {
        ServerOpCodes opcode;
 } keywords[] = {
        /* Portable-specific options */
-        { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
+#ifdef USE_PAM
+        { "usepam", sUsePAM },
+#else
+        { "usepam", sUnsupported },
+#endif
+        { "pamauthenticationviakbdint", sDeprecated },
        /* Standard Options */
        { "port", sPort },
        { "hostkey", sHostKeyFile },
@@ -323,23 +290,30 @@ static struct {
        { "permitrootlogin", sPermitRootLogin },
        { "syslogfacility", sLogFacility },
        { "loglevel", sLogLevel },
-        { "rhostsauthentication", sRhostsAuthentication },
+        { "rhostsauthentication", sDeprecated },
        { "rhostsrsaauthentication", sRhostsRSAAuthentication },
        { "hostbasedauthentication", sHostbasedAuthentication },
        { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
        { "rsaauthentication", sRSAAuthentication },
        { "pubkeyauthentication", sPubkeyAuthentication },
        { "dsaauthentication", sPubkeyAuthentication },                 /* alias */
-#if defined(KRB4) || defined(KRB5)
+#ifdef KRB5
        { "kerberosauthentication", sKerberosAuthentication },
        { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
        { "kerberosticketcleanup", sKerberosTicketCleanup },
+#else
+        { "kerberosauthentication", sUnsupported },
+        { "kerberosorlocalpasswd", sUnsupported },
+        { "kerberosticketcleanup", sUnsupported },
 #endif
-#if defined(AFS) || defined(KRB5)
+        { "kerberostgtpassing", sUnsupported },
-        { "kerberostgtpassing", sKerberosTgtPassing },
+        { "afstokenpassing", sUnsupported },
-#endif
+#ifdef GSSAPI
-#ifdef AFS
+        { "gssapiauthentication", sGssAuthentication },
-        { "afstokenpassing", sAFSTokenPassing },
+        { "gssapicleanupcreds", sGssCleanupCreds },
+#else
+        { "gssapiauthentication", sUnsupported },
+        { "gssapicleanupcreds", sUnsupported },
 #endif
        { "passwordauthentication", sPasswordAuthentication },
        { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
@@ -373,8 +347,9 @@ static struct {
        { "subsystem", sSubsystem },
        { "maxstartups", sMaxStartups },
        { "banner", sBanner },
-        { "verifyreversemapping", sVerifyReverseMapping },
+        { "usedns", sUseDNS },
-        { "reversemappingcheck", sVerifyReverseMapping },
+        { "verifyreversemapping", sDeprecated },
+        { "reversemappingcheck", sDeprecated },
        { "clientaliveinterval", sClientAliveInterval },
        { "clientalivecountmax", sClientAliveCountMax },
        { "authorizedkeysfile", sAuthorizedKeysFile },
@@ -458,8 +433,8 @@ process_server_config_line(ServerOptions *options, char *line,
        opcode = parse_token(arg, filename, linenum);
        switch (opcode) {
        /* Portable-specific options */
-        case sPAMAuthenticationViaKbdInt:
+        case sUsePAM:
-                intptr = &options->pam_authentication_via_kbd_int;
+                intptr = &options->use_pam;
                goto parse_flag;
        /* Standard Options */
@@ -622,10 +597,6 @@ parse_flag:
                intptr = &options->ignore_user_known_hosts;
                goto parse_flag;
-        case sRhostsAuthentication:
-                intptr = &options->rhosts_authentication;
-                goto parse_flag;
        case sRhostsRSAAuthentication:
                intptr = &options->rhosts_rsa_authentication;
                goto parse_flag;
@@ -645,7 +616,7 @@ parse_flag:
        case sPubkeyAuthentication:
                intptr = &options->pubkey_authentication;
                goto parse_flag;
-#if defined(KRB4) || defined(KRB5)
        case sKerberosAuthentication:
                intptr = &options->kerberos_authentication;
                goto parse_flag;
@@ -657,17 +628,14 @@ parse_flag:
        case sKerberosTicketCleanup:
                intptr = &options->kerberos_ticket_cleanup;
                goto parse_flag;
-#endif
-#if defined(AFS) || defined(KRB5)
+        case sGssAuthentication:
-        case sKerberosTgtPassing:
+                intptr = &options->gss_authentication;
-                intptr = &options->kerberos_tgt_passing;
                goto parse_flag;
-#endif
-#ifdef AFS
+        case sGssCleanupCreds:
-        case sAFSTokenPassing:
+                intptr = &options->gss_cleanup_creds;
-                intptr = &options->afs_token_passing;
                goto parse_flag;
-#endif
        case sPasswordAuthentication:
                intptr = &options->password_authentication;
@@ -733,8 +701,8 @@ parse_flag:
                intptr = &options->gateway_ports;
                goto parse_flag;
-        case sVerifyReverseMapping:
+        case sUseDNS:
-                intptr = &options->verify_reverse_mapping;
+                intptr = &options->use_dns;
                goto parse_flag;
        case sLogFacility:
@@ -910,7 +878,14 @@ parse_flag:
                goto parse_int;
        case sDeprecated:
-                log("%s line %d: Deprecated option %s",
+                logit("%s line %d: Deprecated option %s",
+                    filename, linenum, arg);
+                while (arg)
+                    arg = strdelim(&cp);
+                break;
+        case sUnsupported:
+                logit("%s line %d: Unsupported option %s",
                    filename, linenum, arg);
                while (arg)
                    arg = strdelim(&cp);
diff --git a/servconf.h b/servconf.h
index 024987dd6..828e94c5c 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: servconf.h,v 1.59 2002/07/30 17:03:55 markus Exp $    */
+/*      $OpenBSD: servconf.h,v 1.65 2003/09/01 18:15:50 markus Exp $    */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -65,15 +65,12 @@ typedef struct {
        int     gateway_ports;  /* If true, allow remote connects to forwarded ports. */
        SyslogFacility log_facility;    /* Facility for system logging. */
        LogLevel log_level;     /* Level for system logging. */
-        int     rhosts_authentication;  /* If true, permit rhosts
-                                         * authentication. */
        int     rhosts_rsa_authentication;      /* If true, permit rhosts RSA
                                                 * authentication. */
        int     hostbased_authentication;       /* If true, permit ssh2 hostbased auth */
        int     hostbased_uses_name_from_packet_only; /* experimental */
        int     rsa_authentication;     /* If true, permit RSA authentication. */
        int     pubkey_authentication;  /* If true, permit ssh2 pubkey authentication. */
-#if defined(KRB4) || defined(KRB5)
        int     kerberos_authentication;        /* If true, permit Kerberos
                                                 * authentication. */
        int     kerberos_or_local_passwd;       /* If true, permit kerberos
@@ -83,14 +80,8 @@ typedef struct {
                                                 * /etc/passwd */
        int     kerberos_ticket_cleanup;        /* If true, destroy ticket
                                                 * file on logout. */
-#endif
+        int     gss_authentication;     /* If true, permit GSSAPI authentication */
-#if defined(AFS) || defined(KRB5)
+        int     gss_cleanup_creds;      /* If true, destroy cred cache on logout */
-        int     kerberos_tgt_passing;   /* If true, permit Kerberos TGT
-                                         * passing. */
-#endif
-#ifdef AFS
-        int     afs_token_passing;      /* If true, permit AFS token passing. */
-#endif
        int     password_authentication;        /* If true, permit password
                                                 * authentication. */
        int     kbd_interactive_authentication; /* If true, permit */
@@ -118,7 +109,7 @@ typedef struct {
        int     max_startups_rate;
        int     max_startups;
        char   *banner;                 /* SSH-2 banner message */
-        int     verify_reverse_mapping; /* cross-check ip and dns */
+        int     use_dns;
        int     client_alive_interval;  /*
                                         * poke the client this often to
                                         * see if it's still there
@@ -131,7 +122,7 @@ typedef struct {
        char   *authorized_keys_file;   /* File containing public keys */
        char   *authorized_keys_file2;
-        int     pam_authentication_via_kbd_int;
+        int     use_pam;                /* Enable auth via PAM */
 }       ServerOptions;
 void     initialize_server_options(ServerOptions *);
diff --git a/serverloop.c b/serverloop.c
index f4df9cccb..a95390273 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -35,7 +35,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: serverloop.c,v 1.106 2003/04/01 10:22:21 markus Exp $");
+RCSID("$OpenBSD: serverloop.c,v 1.110 2003/06/24 08:23:46 markus Exp $");
 #include "xmalloc.h"
 #include "packet.h"
@@ -158,7 +158,7 @@ sigchld_handler(int sig)
 static void
 make_packets_from_stderr_data(void)
 {
-        int len;
+        u_int len;
        /* Send buffered stderr data to the client. */
        while (buffer_len(&stderr_buffer) > 0 &&
@@ -187,7 +187,7 @@ make_packets_from_stderr_data(void)
 static void
 make_packets_from_stdout_data(void)
 {
-        int len;
+        u_int len;
        /* Send buffered stdout data to the client. */
        while (buffer_len(&stdout_buffer) > 0 &&
@@ -771,8 +771,14 @@ server_loop2(Authctxt *authctxt)
                    &nalloc, 0);
                collect_children();
-                if (!rekeying)
+                if (!rekeying) {
                        channel_after_select(readset, writeset);
+                        if (packet_need_rekeying()) {
+                                debug("need rekeying");
+                                xxx_kex->done = 0;
+                                kex_send_kexinit(xxx_kex);
+                        }
+                }
                process_input(readset);
                if (connection_closed)
                        break;
@@ -874,7 +880,7 @@ server_request_direct_tcpip(char *ctype)
                return NULL;
        c = channel_new(ctype, SSH_CHANNEL_CONNECTING,
            sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT,
-            CHAN_TCP_PACKET_DEFAULT, 0, xstrdup("direct-tcpip"), 1);
+            CHAN_TCP_PACKET_DEFAULT, 0, "direct-tcpip", 1);
        return c;
 }
@@ -893,7 +899,7 @@ server_request_session(char *ctype)
         */
        c = channel_new(ctype, SSH_CHANNEL_LARVAL,
            -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
-            0, xstrdup("server-session"), 1);
+            0, "server-session", 1);
        if (session_open(xxx_authctxt, c->self) != 1) {
                debug("session open failed, free channel %d", c->self);
                channel_free(c);
@@ -971,7 +977,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
                pw = auth_get_user();
                if (pw == NULL)
                        fatal("server_input_global_request: no user");
-                listen_address = packet_get_string(NULL); /* XXX currently ignored */
+                listen_address = packet_get_string(NULL);
                listen_port = (u_short)packet_get_int();
                debug("server_input_global_request: tcpip-forward listen %s port %d",
                    listen_address, listen_port);
diff --git a/session.c b/session.c
index c75fea966..4497f5c0b 100644
--- a/session.c
+++ b/session.c
@@ -33,7 +33,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.154 2003/03/05 22:33:43 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.163 2003/08/31 13:29:05 markus Exp $");
 #include "ssh.h"
 #include "ssh1.h"
@@ -58,10 +58,8 @@ RCSID("$OpenBSD: session.c,v 1.154 2003/03/05 22:33:43 markus Exp $");
 #include "session.h"
 #include "monitor_wrap.h"
-#ifdef HAVE_CYGWIN
+#ifdef GSSAPI
-#include <windows.h>
+#include "ssh-gss.h"
-#include <sys/cygwin.h>
-#define is_winnt       (GetVersion() < 0x80000000)
 #endif
 /* func */
@@ -95,6 +93,7 @@ extern int debug_flag;
 extern u_int utmp_len;
 extern int startup_pipe;
 extern void destroy_sensitive_data(void);
+extern Buffer loginmsg;
 /* original command from peer. */
 const char *original_command = NULL;
@@ -103,10 +102,6 @@ const char *original_command = NULL;
 #define MAX_SESSIONS 10
 Session sessions[MAX_SESSIONS];
-#ifdef WITH_AIXAUTHENTICATE
-char *aixloginmsg;
-#endif /* WITH_AIXAUTHENTICATE */
 #ifdef HAVE_LOGIN_CAP
 login_cap_t *lc;
 #endif
@@ -192,7 +187,7 @@ auth_input_request_forwarding(struct passwd * pw)
        nc = channel_new("auth socket",
            SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1,
            CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
-            0, xstrdup("auth socket"), 1);
+            0, "auth socket", 1);
        strlcpy(nc->path, auth_sock_name, sizeof(nc->path));
        return 1;
 }
@@ -225,10 +220,6 @@ do_authenticated(Authctxt *authctxt)
        /* remove agent socket */
        if (auth_sock_name != NULL)
                auth_sock_cleanup_proc(authctxt->pw);
-#ifdef KRB4
-        if (options.kerberos_ticket_cleanup)
-                krb4_cleanup_proc(authctxt);
-#endif
 #ifdef KRB5
        if (options.kerberos_ticket_cleanup)
                krb5_cleanup_proc(authctxt);
@@ -341,58 +332,6 @@ do_authenticated1(Authctxt *authctxt)
                                success = 1;
                        break;
-#if defined(AFS) || defined(KRB5)
-                case SSH_CMSG_HAVE_KERBEROS_TGT:
-                        if (!options.kerberos_tgt_passing) {
-                                verbose("Kerberos TGT passing disabled.");
-                        } else {
-                                char *kdata = packet_get_string(&dlen);
-                                packet_check_eom();
-                                /* XXX - 0x41, see creds_to_radix version */
-                                if (kdata[0] != 0x41) {
-#ifdef KRB5
-                                        krb5_data tgt;
-                                        tgt.data = kdata;
-                                        tgt.length = dlen;
-                                        if (auth_krb5_tgt(s->authctxt, &tgt))
-                                                success = 1;
-                                        else
-                                                verbose("Kerberos v5 TGT refused for %.100s", s->authctxt->user);
-#endif /* KRB5 */
-                                } else {
-#ifdef AFS
-                                        if (auth_krb4_tgt(s->authctxt, kdata))
-                                                success = 1;
-                                        else
-                                                verbose("Kerberos v4 TGT refused for %.100s", s->authctxt->user);
-#endif /* AFS */
-                                }
-                                xfree(kdata);
-                        }
-                        break;
-#endif /* AFS || KRB5 */
-#ifdef AFS
-                case SSH_CMSG_HAVE_AFS_TOKEN:
-                        if (!options.afs_token_passing || !k_hasafs()) {
-                                verbose("AFS token passing disabled.");
-                        } else {
-                                /* Accept AFS token. */
-                                char *token = packet_get_string(&dlen);
-                                packet_check_eom();
-                                if (auth_afs_token(s->authctxt, token))
-                                        success = 1;
-                                else
-                                        verbose("AFS token refused for %.100s",
-                                            s->authctxt->user);
-                                xfree(token);
-                        }
-                        break;
-#endif /* AFS */
                case SSH_CMSG_EXEC_SHELL:
                case SSH_CMSG_EXEC_CMD:
                        if (type == SSH_CMSG_EXEC_CMD) {
@@ -412,7 +351,7 @@ do_authenticated1(Authctxt *authctxt)
                         * Any unknown messages in this phase are ignored,
                         * and a failure message is returned.
                         */
-                        log("Unknown packet type received after authentication: %d", type);
+                        logit("Unknown packet type received after authentication: %d", type);
                }
                packet_start(success ? SSH_SMSG_SUCCESS : SSH_SMSG_FAILURE);
                packet_send();
@@ -456,11 +395,12 @@ do_exec_no_pty(Session *s, const char *command)
        session_proctitle(s);
 #if defined(USE_PAM)
-        do_pam_session(s->pw->pw_name, NULL);
+        if (options.use_pam) {
-        do_pam_setcred(1);
+                do_pam_setcred(1);
-        if (is_pam_password_change_required())
+                if (is_pam_password_change_required())
-                packet_disconnect("Password change required but no "
+                        packet_disconnect("Password change required but no "
-                    "TTY available");
+                            "TTY available");
+        }
 #endif /* USE_PAM */
        /* Fork the child. */
@@ -583,8 +523,10 @@ do_exec_pty(Session *s, const char *command)
        ttyfd = s->ttyfd;
 #if defined(USE_PAM)
-        do_pam_session(s->pw->pw_name, s->tty);
+        if (options.use_pam) {
-        do_pam_setcred(1);
+                do_pam_set_tty(s->tty);
+                do_pam_setcred(1);
+        }
 #endif
        /* Fork the child. */
@@ -690,7 +632,7 @@ do_pre_login(Session *s)
        }
        record_utmp_only(pid, s->tty, s->pw->pw_name,
-            get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping),
+            get_remote_name_or_ip(utmp_len, options.use_dns),
            (struct sockaddr *)&from, fromlen);
 }
 #endif
@@ -708,6 +650,14 @@ do_exec(Session *s, const char *command)
                debug("Forced command '%.900s'", command);
        }
+#ifdef GSSAPI
+        if (options.gss_authentication) {
+                temporarily_use_uid(s->pw);
+                ssh_gssapi_storecreds();
+                restore_uid();
+        }
+#endif
        if (s->ttyfd != -1)
                do_exec_pty(s, command);
        else
@@ -745,7 +695,7 @@ do_login(Session *s, const char *command)
        if (!use_privsep)
                record_login(pid, s->tty, pw->pw_name, pw->pw_uid,
                    get_remote_name_or_ip(utmp_len,
-                    options.verify_reverse_mapping),
+                    options.use_dns),
                    (struct sockaddr *)&from, fromlen);
 #ifdef USE_PAM
@@ -753,9 +703,10 @@ do_login(Session *s, const char *command)
         * If password change is needed, do it now.
         * This needs to occur before the ~/.hushlogin check.
         */
-        if (is_pam_password_change_required()) {
+        if (options.use_pam && is_pam_password_change_required()) {
                print_pam_messages();
                do_pam_chauthtok();
+                /* XXX - signal [net] parent to enable forwardings */
        }
 #endif
@@ -763,13 +714,16 @@ do_login(Session *s, const char *command)
                return;
 #ifdef USE_PAM
-        if (!is_pam_password_change_required())
+        if (options.use_pam && !is_pam_password_change_required())
                print_pam_messages();
 #endif /* USE_PAM */
-#ifdef WITH_AIXAUTHENTICATE
-        if (aixloginmsg && *aixloginmsg)
+        /* display post-login message */
-                printf("%s\n", aixloginmsg);
+        if (buffer_len(&loginmsg) > 0) {
-#endif /* WITH_AIXAUTHENTICATE */
+                buffer_append(&loginmsg, "\0", 1);
+                printf("%s\n", (char *)buffer_ptr(&loginmsg));
+        }
+        buffer_free(&loginmsg);
 #ifndef NO_SSH_LASTLOG
        if (options.print_lastlog && s->last_login_time != 0) {
@@ -840,7 +794,7 @@ check_quietlogin(Session *s, const char *command)
 * Sets the value of the given variable in the environment.  If the variable
 * already exists, its value is overriden.
 */
-static void
+void
 child_set_env(char ***envp, u_int *envsizep, const char *name,
        const char *value)
 {
@@ -848,6 +802,16 @@ child_set_env(char ***envp, u_int *envsizep, const char *name,
        char **env;
        /*
+         * If we're passed an uninitialized list, allocate a single null
+         * entry before continuing.
+         */
+        if (*envp == NULL && *envsizep == 0) {
+                *envp = xmalloc(sizeof(char *));
+                *envp[0] = NULL;
+                *envsizep = 1;
+        }
+        /*
         * Find the slot where the value should be stored.  If the variable
         * already exists, we reuse the slot; otherwise we append a new slot
         * at the end of the array, expanding if necessary.
@@ -923,6 +887,59 @@ read_environment_file(char ***env, u_int *envsize,
        fclose(f);
 }
+#ifdef HAVE_ETC_DEFAULT_LOGIN
+/*
+ * Return named variable from specified environment, or NULL if not present.
+ */
+static char *
+child_get_env(char **env, const char *name)
+{
+        int i;
+        size_t len;
+        len = strlen(name);
+        for (i=0; env[i] != NULL; i++)
+                if (strncmp(name, env[i], len) == 0 && env[i][len] == '=')
+                        return(env[i] + len + 1);
+        return NULL;
+}
+/*
+ * Read /etc/default/login.
+ * We pick up the PATH (or SUPATH for root) and UMASK.
+ */
+static void
+read_etc_default_login(char ***env, u_int *envsize, uid_t uid)
+{
+        char **tmpenv = NULL, *var;
+        u_int i;
+        size_t tmpenvsize = 0;
+        mode_t mask;
+        /*
+         * We don't want to copy the whole file to the child's environment,
+         * so we use a temporary environment and copy the variables we're
+         * interested in.
+         */
+        read_environment_file(&tmpenv, &tmpenvsize, "/etc/default/login");
+        if (uid == 0)
+                var = child_get_env(tmpenv, "SUPATH");
+        else
+                var = child_get_env(tmpenv, "PATH");
+        if (var != NULL)
+                child_set_env(env, envsize, "PATH", var);
+        
+        if ((var = child_get_env(tmpenv, "UMASK")) != NULL)
+                if (sscanf(var, "%5lo", &mask) == 1)
+                        umask(mask);
+        
+        for (i = 0; tmpenv[i] != NULL; i++)
+                xfree(tmpenv[i]);
+        xfree(tmpenv);
+}
+#endif /* HAVE_ETC_DEFAULT_LOGIN */
 void copy_environment(char **source, char ***env, u_int *envsize)
 {
        char *var_name, *var_val;
@@ -951,7 +968,7 @@ do_setup_env(Session *s, const char *shell)
 {
        char buf[256];
        u_int i, envsize;
-        char **env, *laddr;
+        char **env, *laddr, *path = NULL;
        struct passwd *pw = s->pw;
        /* Initialize the environment. */
@@ -967,6 +984,13 @@ do_setup_env(Session *s, const char *shell)
        copy_environment(environ, &env, &envsize);
 #endif
+#ifdef GSSAPI
+        /* Allow any GSSAPI methods that we've used to alter 
+         * the childs environment as they see fit
+         */
+        ssh_gssapi_do_child(&env, &envsize);
+#endif
        if (!options.use_login) {
                /* Set basic environment. */
                child_set_env(&env, &envsize, "USER", pw->pw_name);
@@ -988,12 +1012,15 @@ do_setup_env(Session *s, const char *shell)
                 * needed for loading shared libraries. So the path better
                 * remains intact here.
                 */
-#  ifdef SUPERUSER_PATH
+#  ifdef HAVE_ETC_DEFAULT_LOGIN
-                child_set_env(&env, &envsize, "PATH", 
+                read_etc_default_login(&env, &envsize, pw->pw_uid);
-                    s->pw->pw_uid == 0 ? SUPERUSER_PATH : _PATH_STDPATH);
+                path = child_get_env(env, "PATH");
-#  else 
+#  endif /* HAVE_ETC_DEFAULT_LOGIN */
-                child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
+                if (path == NULL || *path == '\0') {
-#  endif /* SUPERUSER_PATH */
+                        child_set_env(&env, &envsize, "PATH", 
+                            s->pw->pw_uid == 0 ?
+                                SUPERUSER_PATH : _PATH_STDPATH);
+                }
 # endif /* HAVE_CYGWIN */
 #endif /* HAVE_LOGIN_CAP */
@@ -1062,11 +1089,6 @@ do_setup_env(Session *s, const char *shell)
                read_environment_file(&env, &envsize, "/etc/environment");
        }
 #endif
-#ifdef KRB4
-        if (s->authctxt->krb4_ticket_file)
-                child_set_env(&env, &envsize, "KRBTKFILE",
-                    s->authctxt->krb4_ticket_file);
-#endif
 #ifdef KRB5
        if (s->authctxt->krb5_ticket_file)
                child_set_env(&env, &envsize, "KRB5CCNAME",
@@ -1077,10 +1099,9 @@ do_setup_env(Session *s, const char *shell)
         * Pull in any environment variables that may have
         * been set by PAM.
         */
-        {
+        if (options.use_pam) {
-                char **p;
+                char **p = fetch_pam_environment();
-                p = fetch_pam_environment();
                copy_environment(p, &env, &envsize);
                free_pam_environment(p);
        }
@@ -1192,7 +1213,7 @@ do_nologin(struct passwd *pw)
 #endif
        if (f) {
                /* /etc/nologin exists.  Print its contents and exit. */
-                log("User %.100s not allowed because %s exists",
+                logit("User %.100s not allowed because %s exists",
                    pw->pw_name, _PATH_NOLOGIN);
                while (fgets(buf, sizeof(buf), f))
                        fputs(buf, stderr);
@@ -1212,7 +1233,8 @@ do_setusercontext(struct passwd *pw)
        {
 #ifdef HAVE_SETPCRED
-                setpcred(pw->pw_name);
+                if (setpcred(pw->pw_name, (char **)NULL) == -1)
+                        fatal("Failed to set process credentials");
 #endif /* HAVE_SETPCRED */
 #ifdef HAVE_LOGIN_CAP
 # ifdef __bsdi__
@@ -1248,7 +1270,10 @@ do_setusercontext(struct passwd *pw)
                 * These will have been wiped by the above initgroups() call.
                 * Reestablish them here.
                 */
-                do_pam_setcred(0);
+                if (options.use_pam) {
+                        do_pam_session();
+                        do_pam_setcred(0);
+                }
 # endif /* USE_PAM */
 # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY)
                irix_setusercontext(pw);
@@ -1349,7 +1374,7 @@ do_child(Session *s, const char *command)
        /* we have to stash the hostname before we close our socket. */
        if (options.use_login)
                hostname = get_remote_name_or_ip(utmp_len,
-                    options.verify_reverse_mapping);
+                    options.use_dns);
        /*
         * Close the connection descriptors; note that this is the child, and
         * the server will still have the socket open, and it is important
@@ -1391,18 +1416,6 @@ do_child(Session *s, const char *command)
         */
        environ = env;
-#ifdef AFS
-        /* Try to get AFS tokens for the local cell. */
-        if (k_hasafs()) {
-                char cell[64];
-                if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0)
-                        krb_afslog(cell, 0);
-                krb_afslog(0, 0);
-        }
-#endif /* AFS */
        /* Change current directory to the user\'s home directory. */
        if (chdir(pw->pw_dir) < 0) {
                fprintf(stderr, "Could not chdir to home directory %s: %s\n",
@@ -1672,7 +1685,7 @@ session_subsystem_req(Session *s)
        int i;
        packet_check_eom();
-        log("subsystem request for %.100s", subsys);
+        logit("subsystem request for %.100s", subsys);
        for (i = 0; i < options.num_subsystems; i++) {
                if (strcmp(subsys, options.subsystem_name[i]) == 0) {
@@ -1691,7 +1704,7 @@ session_subsystem_req(Session *s)
        }
        if (!success)
-                log("subsystem request for %.100s failed, subsystem not found",
+                logit("subsystem request for %.100s failed, subsystem not found",
                    subsys);
        xfree(subsys);
@@ -1739,6 +1752,20 @@ session_exec_req(Session *s)
 }
 static int
+session_break_req(Session *s)
+{
+        u_int break_length;
+        break_length = packet_get_int();        /* ignored */
+        packet_check_eom();
+        if (s->ttyfd == -1 ||
+            tcsendbreak(s->ttyfd, 0) < 0)
+                return 0;
+        return 1;
+}
+static int
 session_auth_agent_req(Session *s)
 {
        static int called = 0;
@@ -1762,7 +1789,7 @@ session_input_channel_req(Channel *c, const char *rtype)
        Session *s;
        if ((s = session_by_channel(c->self)) == NULL) {
-                log("session_input_channel_req: no session %d req %.100s",
+                logit("session_input_channel_req: no session %d req %.100s",
                    c->self, rtype);
                return 0;
        }
@@ -1785,6 +1812,8 @@ session_input_channel_req(Channel *c, const char *rtype)
                        success = session_auth_agent_req(s);
                } else if (strcmp(rtype, "subsystem") == 0) {
                        success = session_subsystem_req(s);
+                } else if (strcmp(rtype, "break") == 0) {
+                        success = session_break_req(s);
                }
        }
        if (strcmp(rtype, "window-change") == 0) {
@@ -2121,4 +2150,8 @@ static void
 do_authenticated2(Authctxt *authctxt)
 {
        server_loop2(authctxt);
+#if defined(GSSAPI)
+        if (options.gss_cleanup_creds)
+                ssh_gssapi_cleanup_creds(NULL);
+#endif
 }
diff --git a/session.h b/session.h
index d3ddfab75..525e47f64 100644
--- a/session.h
+++ b/session.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: session.h,v 1.19 2002/06/30 21:59:45 deraadt Exp $    */
+/*      $OpenBSD: session.h,v 1.20 2003/08/22 10:56:09 markus Exp $     */
 /*
 * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -68,4 +68,7 @@ Session	*session_new(void);
 Session *session_by_tty(char *);
 void     session_close(Session *);
 void     do_setusercontext(struct passwd *);
+void     child_set_env(char ***envp, u_int *envsizep, const char *name,
+                       const char *value);
 #endif
diff --git a/sftp-client.c b/sftp-client.c
index 3b3279e65..ffff0fe5a 100644
--- a/sftp-client.c
+++ b/sftp-client.c
@@ -28,7 +28,7 @@
 /* XXX: copy between two remote sites */
 #include "includes.h"
-RCSID("$OpenBSD: sftp-client.c,v 1.42 2003/03/05 22:33:43 markus Exp $");
+RCSID("$OpenBSD: sftp-client.c,v 1.44 2003/06/28 16:23:06 deraadt Exp $");
 #include "openbsd-compat/sys-queue.h"
@@ -71,10 +71,10 @@ send_msg(int fd, Buffer *m)
        /* Send length first */
        PUT_32BIT(mlen, buffer_len(m));
-        if (atomicio(write, fd, mlen, sizeof(mlen)) <= 0)
+        if (atomicio(vwrite, fd, mlen, sizeof(mlen)) <= 0)
                fatal("Couldn't send packet: %s", strerror(errno));
-        if (atomicio(write, fd, buffer_ptr(m), buffer_len(m)) <= 0)
+        if (atomicio(vwrite, fd, buffer_ptr(m), buffer_len(m)) <= 0)
                fatal("Couldn't send packet: %s", strerror(errno));
        buffer_clear(m);
@@ -507,7 +507,7 @@ do_lstat(struct sftp_conn *conn, char *path, int quiet)
                if (quiet)
                        debug("Server version does not support lstat operation");
                else
-                        log("Server version does not support lstat operation");
+                        logit("Server version does not support lstat operation");
                return(do_stat(conn, path, quiet));
        }
@@ -875,7 +875,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
                                fatal("Received more data than asked for "
                                    "%u > %u", len, req->len);
                        if ((lseek(local_fd, req->offset, SEEK_SET) == -1 ||
-                            atomicio(write, local_fd, data, len) != len) &&
+                            atomicio(vwrite, local_fd, data, len) != len) &&
                            !write_error) {
                                write_errno = errno;
                                write_error = 1;
diff --git a/sftp-common.c b/sftp-common.c
index 31d41385b..5313b134d 100644
--- a/sftp-common.c
+++ b/sftp-common.c
@@ -24,7 +24,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sftp-common.c,v 1.8 2002/10/16 14:31:48 itojun Exp $");
+RCSID("$OpenBSD: sftp-common.c,v 1.9 2003/05/24 09:30:40 djm Exp $");
 #include "buffer.h"
 #include "bufaux.h"
@@ -206,8 +206,8 @@ ls_file(char *name, struct stat *st, int remote)
                tbuf[0] = '\0';
        ulen = MAX(strlen(user), 8);
        glen = MAX(strlen(group), 8);
-        snprintf(buf, sizeof buf, "%s %3d %-*s %-*s %8llu %s %s", mode,
+        snprintf(buf, sizeof buf, "%s %3u %-*s %-*s %8llu %s %s", mode,
-            st->st_nlink, ulen, user, glen, group,
+            (u_int)st->st_nlink, ulen, user, glen, group,
            (unsigned long long)st->st_size, tbuf, name);
        return xstrdup(buf);
 }
diff --git a/sftp-int.c b/sftp-int.c
index 6987de9a3..94299aa43 100644
--- a/sftp-int.c
+++ b/sftp-int.c
@@ -25,7 +25,7 @@
 /* XXX: recursive operations */
 #include "includes.h"
-RCSID("$OpenBSD: sftp-int.c,v 1.57 2003/03/05 22:33:43 markus Exp $");
+RCSID("$OpenBSD: sftp-int.c,v 1.62 2003/08/25 08:13:09 fgsch Exp $");
 #include "buffer.h"
 #include "xmalloc.h"
@@ -53,6 +53,10 @@ int showprogress = 1;
 /* Seperators for interactive commands */
 #define WHITESPACE " \t\r\n"
+/* Define what type of ls view (0 - multi-column) */
+#define LONG_VIEW 1             /* Full view ala ls -l */
+#define SHORT_VIEW 2            /* Single row view ala ls -1 */
 /* Commands for interactive mode */
 #define I_CHDIR         1
 #define I_CHGRP         2
@@ -307,7 +311,10 @@ parse_ls_flags(const char **cpp, int *lflag)
                for(; strchr(WHITESPACE, *cp) == NULL; cp++) {
                        switch (*cp) {
                        case 'l':
-                                *lflag = 1;
+                                *lflag = LONG_VIEW;
+                                break;
+                        case '1':
+                                *lflag = SHORT_VIEW;
                                break;
                        default:
                                error("Invalid flag -%c", *cp);
@@ -325,7 +332,7 @@ get_pathname(const char **cpp, char **path)
 {
        const char *cp = *cpp, *end;
        char quot;
-        int i;
+        int i, j;
        cp += strspn(cp, WHITESPACE);
        if (!*cp) {
@@ -334,37 +341,54 @@ get_pathname(const char **cpp, char **path)
                return (0);
        }
+        *path = xmalloc(strlen(cp) + 1);
        /* Check for quoted filenames */
        if (*cp == '\"' || *cp == '\'') {
                quot = *cp++;
-                end = strchr(cp, quot);
+                /* Search for terminating quote, unescape some chars */
-                if (end == NULL) {
+                for (i = j = 0; i <= strlen(cp); i++) {
-                        error("Unterminated quote");
+                        if (cp[i] == quot) {    /* Found quote */
-                        goto fail;
+                                (*path)[j] = '\0';
+                                break;
+                        }
+                        if (cp[i] == '\0') {    /* End of string */
+                                error("Unterminated quote");
+                                goto fail;
+                        }
+                        if (cp[i] == '\\') {    /* Escaped characters */
+                                i++;
+                                if (cp[i] != '\'' && cp[i] != '\"' && 
+                                    cp[i] != '\\') {
+                                        error("Bad escaped character '\%c'",
+                                            cp[i]);
+                                        goto fail;
+                                }
+                        }
+                        (*path)[j++] = cp[i];
                }
-                if (cp == end) {
+                if (j == 0) {
                        error("Empty quotes");
                        goto fail;
                }
-                *cpp = end + 1 + strspn(end + 1, WHITESPACE);
+                *cpp = cp + i + strspn(cp + i, WHITESPACE);
        } else {
                /* Read to end of filename */
                end = strpbrk(cp, WHITESPACE);
                if (end == NULL)
                        end = strchr(cp, '\0');
                *cpp = end + strspn(end, WHITESPACE);
-        }
-        i = end - cp;
+                memcpy(*path, cp, end - cp);
+                (*path)[end - cp] = '\0';
-        *path = xmalloc(i + 1);
+        }
-        memcpy(*path, cp, i);
+        return (0);
-        (*path)[i] = '\0';
-        return(0);
 fail:
-        *path = NULL;
+        xfree(*path);
+        *path = NULL;   
        return (-1);
 }
@@ -425,29 +449,8 @@ process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, int pflag)
                goto out;
        }
-        /* Only one match, dst may be file, directory or unspecified */
+        /* If multiple matches, dst must be a directory or unspecified */
-        if (g.gl_pathv[0] && g.gl_matchc == 1) {
+        if (g.gl_matchc > 1 && dst && !is_dir(dst)) {
-                if (dst) {
-                        /* If directory specified, append filename */
-                        if (is_dir(dst)) {
-                                if (infer_path(g.gl_pathv[0], &tmp)) {
-                                        err = 1;
-                                        goto out;
-                                }
-                                abs_dst = path_append(dst, tmp);
-                                xfree(tmp);
-                        } else
-                                abs_dst = xstrdup(dst);
-                } else if (infer_path(g.gl_pathv[0], &abs_dst)) {
-                        err = -1;
-                        goto out;
-                }
-                err = do_download(conn, g.gl_pathv[0], abs_dst, pflag);
-                goto out;
-        }
-        /* Multiple matches, dst may be directory or unspecified */
-        if (dst && !is_dir(dst)) {
                error("Multiple files match, but \"%s\" is not a directory",
                    dst);
                err = -1;
@@ -459,7 +462,19 @@ process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, int pflag)
                        err = -1;
                        goto out;
                }
-                if (dst) {
+                if (g.gl_matchc == 1 && dst) {
+                        /* If directory specified, append filename */
+                        if (is_dir(dst)) {
+                                if (infer_path(g.gl_pathv[0], &tmp)) {
+                                        err = 1;
+                                        goto out;
+                                }
+                                abs_dst = path_append(dst, tmp);
+                                xfree(tmp);
+                        } else
+                                abs_dst = xstrdup(dst);
+                } else if (dst) {
                        abs_dst = path_append(dst, tmp);
                        xfree(tmp);
                } else
@@ -503,38 +518,8 @@ process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd, int pflag)
                goto out;
        }
-        /* Only one match, dst may be file, directory or unspecified */
+        /* If multiple matches, dst may be directory or unspecified */
-        if (g.gl_pathv[0] && g.gl_matchc == 1) {
+        if (g.gl_matchc > 1 && tmp_dst && !remote_is_dir(conn, tmp_dst)) {
-                if (!is_reg(g.gl_pathv[0])) {
-                        error("Can't upload %s: not a regular file",
-                            g.gl_pathv[0]);
-                        err = 1;
-                        goto out;
-                }
-                if (tmp_dst) {
-                        /* If directory specified, append filename */
-                        if (remote_is_dir(conn, tmp_dst)) {
-                                if (infer_path(g.gl_pathv[0], &tmp)) {
-                                        err = 1;
-                                        goto out;
-                                }
-                                abs_dst = path_append(tmp_dst, tmp);
-                                xfree(tmp);
-                        } else
-                                abs_dst = xstrdup(tmp_dst);
-                } else {
-                        if (infer_path(g.gl_pathv[0], &abs_dst)) {
-                                err = -1;
-                                goto out;
-                        }
-                        abs_dst = make_absolute(abs_dst, pwd);
-                }
-                err = do_upload(conn, g.gl_pathv[0], abs_dst, pflag);
-                goto out;
-        }
-        /* Multiple matches, dst may be directory or unspecified */
-        if (tmp_dst && !remote_is_dir(conn, tmp_dst)) {
                error("Multiple files match, but \"%s\" is not a directory",
                    tmp_dst);
                err = -1;
@@ -551,7 +536,20 @@ process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd, int pflag)
                        err = -1;
                        goto out;
                }
-                if (tmp_dst) {
+                if (g.gl_matchc == 1 && tmp_dst) {
+                        /* If directory specified, append filename */
+                        if (remote_is_dir(conn, tmp_dst)) {
+                                if (infer_path(g.gl_pathv[0], &tmp)) {
+                                        err = 1;
+                                        goto out;
+                                }
+                                abs_dst = path_append(tmp_dst, tmp);
+                                xfree(tmp);
+                        } else
+                                abs_dst = xstrdup(tmp_dst);
+                } else if (tmp_dst) {
                        abs_dst = path_append(tmp_dst, tmp);
                        xfree(tmp);
                } else
@@ -567,6 +565,7 @@ out:
                xfree(abs_dst);
        if (tmp_dst)
                xfree(tmp_dst);
+        globfree(&g);
        return(err);
 }
@@ -583,15 +582,27 @@ sdirent_comp(const void *aa, const void *bb)
 static int
 do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
 {
-        int n;
+        int n, c = 1, colspace = 0, columns = 1;
        SFTP_DIRENT **d;
        if ((n = do_readdir(conn, path, &d)) != 0)
                return (n);
-        /* Count entries for sort */
+        if (!(lflag & SHORT_VIEW)) {
-        for (n = 0; d[n] != NULL; n++)
+                int m = 0, width = 80;
-                ;
+                struct winsize ws;
+                /* Count entries for sort and find longest filename */
+                for (n = 0; d[n] != NULL; n++)
+                        m = MAX(m, strlen(d[n]->filename));
+                if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) != -1) 
+                        width = ws.ws_col;
+                columns = width / (m + 2);
+                columns = MAX(columns, 1);
+                colspace = width / columns;
+        }
        qsort(d, n, sizeof(*d), sdirent_comp);
@@ -602,7 +613,7 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
                fname = path_strip(tmp, strip_path);
                xfree(tmp);
-                if (lflag) {
+                if (lflag & LONG_VIEW) {
                        char *lname;
                        struct stat sb;
@@ -612,13 +623,20 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
                        printf("%s\n", lname);
                        xfree(lname);
                } else {
-                        /* XXX - multicolumn display would be nice here */
+                        printf("%-*s", colspace, fname);
-                        printf("%s\n", fname);
+                        if (c >= columns) {
+                                printf("\n");
+                                c = 1;
+                        } else
+                                c++;
                }
                xfree(fname);
        }
+        if (!(lflag & LONG_VIEW) && (c != 1))
+                printf("\n");
        free_sftp_dirents(d);
        return (0);
 }
@@ -629,9 +647,8 @@ do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
    int lflag)
 {
        glob_t g;
-        int i;
+        int i, c = 1, colspace = 0, columns = 1;
        Attrib *a;
-        struct stat sb;
        memset(&g, 0, sizeof(g));
@@ -658,12 +675,31 @@ do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
                }
        }
+        if (!(lflag & SHORT_VIEW)) {
+                int m = 0, width = 80;
+                struct winsize ws;      
+                /* Count entries for sort and find longest filename */
+                for (i = 0; g.gl_pathv[i]; i++)
+                        m = MAX(m, strlen(g.gl_pathv[i]));
+                if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) != -1)
+                        width = ws.ws_col;
+                columns = width / (m + 2);
+                columns = MAX(columns, 1);
+                colspace = width / columns;
+        }
        for (i = 0; g.gl_pathv[i]; i++) {
-                char *fname, *lname;
+                char *fname;
                fname = path_strip(g.gl_pathv[i], strip_path);
-                if (lflag) {
+                if (lflag & LONG_VIEW) {
+                        char *lname;
+                        struct stat sb;
                        /*
                         * XXX: this is slow - 1 roundtrip per path
                         * A solution to this is to fork glob() and
@@ -679,12 +715,19 @@ do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
                        printf("%s\n", lname);
                        xfree(lname);
                } else {
-                        /* XXX - multicolumn display would be nice here */
+                        printf("%-*s", colspace, fname);
-                        printf("%s\n", fname);
+                        if (c >= columns) {
+                                printf("\n");
+                                c = 1;
+                        } else
+                                c++;
                }
                xfree(fname);
        }
+        if (!(lflag & LONG_VIEW) && (c != 1))
+                printf("\n");
        if (g.gl_pathc)
                globfree(&g);
diff --git a/sftp-server.0 b/sftp-server.0
index 37dcb5beb..fc57814f5 100644
--- a/sftp-server.0
+++ b/sftp-server.0
@@ -19,7 +19,7 @@ SEE ALSO
     filexfer-00.txt, January 2001, work in progress material.
 AUTHORS
-     Markus Friedl <markus@openbsd.org>
+     Markus Friedl M-bM-^LM-)markus@openbsd.orgM-bM-^LM-*
 HISTORY
     sftp-server first appeared in OpenBSD 2.8 .
diff --git a/sftp-server.8 b/sftp-server.8
index 0a0210a34..871f83796 100644
--- a/sftp-server.8
+++ b/sftp-server.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sftp-server.8,v 1.8 2001/06/23 05:57:08 deraadt Exp $
+.\" $OpenBSD: sftp-server.8,v 1.9 2003/06/10 09:12:11 jmc Exp $
 .\"
 .\" Copyright (c) 2000 Markus Friedl.  All rights reserved.
 .\"
@@ -56,7 +56,7 @@ for more information.
 .%O work in progress material
 .Re
 .Sh AUTHORS
-Markus Friedl <markus@openbsd.org>
+.An Markus Friedl Aq markus@openbsd.org
 .Sh HISTORY
 .Nm
 first appeared in OpenBSD 2.8 .
diff --git a/sftp-server.c b/sftp-server.c
index 9a66b4de7..9166853ed 100644
--- a/sftp-server.c
+++ b/sftp-server.c
@@ -22,7 +22,7 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "includes.h"
-RCSID("$OpenBSD: sftp-server.c,v 1.41 2003/03/26 04:02:51 deraadt Exp $");
+RCSID("$OpenBSD: sftp-server.c,v 1.43 2003/06/25 22:39:36 miod Exp $");
 #include "buffer.h"
 #include "bufaux.h"
@@ -52,7 +52,7 @@ Buffer oqueue;
 /* Version of client */
 int version;
-/* portable attibutes, etc. */
+/* portable attributes, etc. */
 typedef struct Stat Stat;
@@ -442,7 +442,7 @@ process_read(void)
            (u_int64_t)off, len);
        if (len > sizeof buf) {
                len = sizeof buf;
-                log("read change len %d", len);
+                logit("read change len %d", len);
        }
        fd = handle_to_fd(handle);
        if (fd >= 0) {
@@ -495,7 +495,7 @@ process_write(void)
                        } else if (ret == len) {
                                status = SSH2_FX_OK;
                        } else {
-                                log("nothing at all written");
+                                logit("nothing at all written");
                        }
                }
        }
@@ -1030,7 +1030,7 @@ main(int ac, char **av)
        /* XXX should use getopt */
-        __progname = get_progname(av[0]);
+        __progname = ssh_get_progname(av[0]);
        handle_init();
 #ifdef DEBUG_SFTP_SERVER
diff --git a/sftp.0 b/sftp.0
index 479751215..b72ea4700 100644
--- a/sftp.0
+++ b/sftp.0
@@ -1,7 +1,7 @@
 SFTP(1)                   BSD General Commands Manual                  SFTP(1)
 NAME
-     sftp - Secure file transfer program
+     sftp - secure file transfer program
 SYNOPSIS
     sftp [-vC1] [-b batchfile] [-o ssh_option] [-s subsystem | sftp_server]
@@ -9,6 +9,7 @@ SYNOPSIS
          [-R num_requests] [-S program] host
     sftp [[user@]host[:file [file]]]
     sftp [[user@]host[:dir[/]]]
+     sftp -b batchfile [user@]host
 DESCRIPTION
     sftp is an interactive file transfer program, similar to ftp(1), which
@@ -21,10 +22,13 @@ DESCRIPTION
     active authentication method is used; otherwise it will do so after suc-
     cessful interactive authentication.
-     The last usage format allows the sftp client to start in a remote direc-
+     The third usage format allows the sftp client to start in a remote direc-
     tory.
-     The options are as follows:
+     The final usage format allows for automated sessions using the -b option.
+     In such cases, it is usually necessary to configure public key authenti-
+     cation to obviate the need to enter a password at connection time (see
+     sshd(8) and ssh-keygen(1) for details).  The options are as follows:
     -b batchfile
             Batch mode reads a series of commands from an input batchfile
@@ -33,42 +37,42 @@ DESCRIPTION
             will abort if any of the following commands fail: get, put,
             rename, ln, rm, mkdir, chdir, ls, lchdir, chmod, chown, chgrp,
             lpwd and lmkdir.  Termination on error can be suppressed on a
-             command by command basis by prefixing the command with a M-bM-^@M-^M-bM-^@M-^Y-M-bM-^@M-^M-bM-^@M-^Y
+             command by command basis by prefixing the command with a M-bM-^@M-^X-M-bM-^@M-^Y
-             character (For example, -rm /tmp/blah* ).
+             character (for example, -rm /tmp/blah*).
     -o ssh_option
             Can be used to pass options to ssh in the format used in
             ssh_config(5).  This is useful for specifying options for which
-             there is no separate sftp command-line flag. For example, to
+             there is no separate sftp command-line flag.  For example, to
             specify an alternate port use: sftp -oPort=24.
     -s subsystem | sftp_server
             Specifies the SSH2 subsystem or the path for an sftp server on
-             the remote host. A path is useful for using sftp over protocol
+             the remote host.  A path is useful for using sftp over protocol
-             version 1, or when the remote sshd does not have an sftp subsys-
+             version 1, or when the remote sshd(8) does not have an sftp sub-
-             tem configured.
+             system configured.
-     -v      Raise logging level. This option is also passed to ssh.
+     -v      Raise logging level.  This option is also passed to ssh.
     -B buffer_size
             Specify the size of the buffer that sftp uses when transferring
-             files. Larger buffers require fewer round trips at the cost of
+             files.  Larger buffers require fewer round trips at the cost of
-             higher memory consumption. The default is 32768 bytes.
+             higher memory consumption.  The default is 32768 bytes.
     -C      Enables compression (via sshM-bM-^@M-^Ys -C flag).
     -F ssh_config
-             Specifies an alternative per-user configuration file for ssh.
+             Specifies an alternative per-user configuration file for ssh(1).
             This option is directly passed to ssh(1).
     -P sftp_server path
-             Connect directly to a local sftp-server (rather than via ssh)
+             Connect directly to a local sftp server (rather than via ssh(1))
             This option may be useful in debugging the client and server.
     -R num_requests
             Specify how many requests may be outstanding at any one time.
             Increasing this may slightly improve file transfer speed but will
-             increase memory usage. The default is 16 outstanding requests.
+             increase memory usage.  The default is 16 outstanding requests.
     -S program
             Name of the program to use for the encrypted connection.  The
@@ -103,7 +107,7 @@ INTERACTIVE COMMANDS
     get [flags] remote-path [local-path]
             Retrieve the remote-path and store it on the local machine.  If
             the local path name is not specified, it is given the same name
-             it has on the remote machine. If the -P flag is specified, then
+             it has on the remote machine.  If the -P flag is specified, then
             the fileM-bM-^@M-^Ys full permission and access time are copied too.
     help    Display help text.
@@ -122,7 +126,7 @@ INTERACTIVE COMMANDS
     ls [flags] [path]
             Display remote directory listing of either path or current direc-
-             tory if path is not specified. If the -l flag is specified, then
+             tory if path is not specified.  If the -l flag is specified, then
             display additional details including permissions and ownership
             information.
@@ -136,9 +140,9 @@ INTERACTIVE COMMANDS
             Toggle display of progress meter.
     put [flags] local-path [remote-path]
-             Upload local-path and store it on the remote machine. If the
+             Upload local-path and store it on the remote machine.  If the
             remote path name is not specified, it is given the same name it
-             has on the local machine. If the -P flag is specified, then the
+             has on the local machine.  If the -P flag is specified, then the
             fileM-bM-^@M-^Ys full permission and access time are copied too.
     pwd     Display remote working directory.
@@ -167,9 +171,6 @@ INTERACTIVE COMMANDS
     ?       Synonym for help.
-AUTHORS
-     Damien Miller <djm@mindrot.org>
 SEE ALSO
     scp(1), ssh(1), ssh-add(1), ssh-keygen(1), ssh_config(5), sftp-server(8),
     sshd(8)
diff --git a/sftp.1 b/sftp.1
index 02d2c274b..753a4f2b9 100644
--- a/sftp.1
+++ b/sftp.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sftp.1,v 1.41 2003/03/28 10:11:43 jmc Exp $
+.\" $OpenBSD: sftp.1,v 1.45 2003/09/02 18:50:06 jmc Exp $
 .\"
 .\" Copyright (c) 2001 Damien Miller.  All rights reserved.
 .\"
@@ -27,7 +27,7 @@
 .Os
 .Sh NAME
 .Nm sftp
-.Nd Secure file transfer program
+.Nd secure file transfer program
 .Sh SYNOPSIS
 .Nm sftp
 .Bk -words
@@ -43,13 +43,16 @@
 .Ar host
 .Ek
 .Nm sftp
-.Oo Oo Ar user Ns No @ Oc Ns
+.Oo Oo Ar user Ns @ Oc Ns
 .Ar host Ns Oo : Ns Ar file Oo
 .Ar file Oc Oc Oc
 .Nm sftp
-.Oo Oo Ar user Ns No @ Oc Ns
+.Oo Oo Ar user Ns @ Oc Ns
 .Ar host Ns Oo : Ns Ar dir Ns
 .Oo Ar / Oc Oc Oc
+.Nm sftp
+.Fl b Ar batchfile
+.Oo Ar user Ns @ Oc Ns Ar host
 .Sh DESCRIPTION
 .Nm
 is an interactive file transfer program, similar to
@@ -68,8 +71,17 @@ The second usage format will retrieve files automatically if a non-interactive
 authentication method is used; otherwise it will do so after
 successful interactive authentication.
 .Pp
-The last usage format allows the sftp client to start in a remote directory.
+The third usage format allows the sftp client to start in a remote directory.
 .Pp
+The final usage format allows for automated sessions using the
+.Fl b
+option.
+In such cases, it is usually necessary to configure public key authentication
+to obviate the need to enter a password at connection time (see
+.Xr sshd 8
+and
+.Xr ssh-keygen 1
+for details).
 The options are as follows:
 .Bl -tag -width Ds
 .It Fl b Ar batchfile
@@ -89,10 +101,9 @@ and
 .Ic lmkdir .
 Termination on error can be suppressed on a command by command basis by
 prefixing the command with a
-.Ic '-'
+.Sq Ic \-
-character (For example,
+character (for example,
-.Ic -rm /tmp/blah*
+.Ic -rm /tmp/blah* ) .
-).
 .It Fl o Ar ssh_option
 Can be used to pass options to
 .Nm ssh
@@ -101,22 +112,27 @@ in the format used in
 This is useful for specifying options
 for which there is no separate
 .Nm sftp
-command-line flag. For example, to specify an alternate
+command-line flag.
-port use:
+For example, to specify an alternate port use:
 .Ic sftp -oPort=24 .
 .It Fl s Ar subsystem | sftp_server
 Specifies the SSH2 subsystem or the path for an sftp server
-on the remote host. A path is useful for using sftp over
+on the remote host.
-protocol version 1, or when the remote
+A path is useful for using
-.Nm sshd
+.Nm
+over protocol version 1, or when the remote
+.Xr sshd 8
 does not have an sftp subsystem configured.
 .It Fl v
-Raise logging level. This option is also passed to ssh.
+Raise logging level.
+This option is also passed to ssh.
 .It Fl B Ar buffer_size
 Specify the size of the buffer that
 .Nm
-uses when transferring files. Larger buffers require fewer round trips at
+uses when transferring files.
-the cost of higher memory consumption. The default is 32768 bytes.
+Larger buffers require fewer round trips at the cost of higher
+memory consumption.
+The default is 32768 bytes.
 .It Fl C
 Enables compression (via ssh's
 .Fl C
@@ -124,19 +140,19 @@ flag).
 .It Fl F Ar ssh_config
 Specifies an alternative
 per-user configuration file for
-.Nm ssh .
+.Xr ssh 1 .
 This option is directly passed to
 .Xr ssh 1 .
 .It Fl P Ar sftp_server path
-Connect directly to a local
+Connect directly to a local sftp server
-.Nm sftp-server
 (rather than via
-.Nm ssh )
+.Xr ssh 1 )
 This option may be useful in debugging the client and server.
 .It Fl R Ar num_requests
-Specify how many requests may be outstanding at any one time. Increasing
+Specify how many requests may be outstanding at any one time.
-this may slightly improve file transfer speed but will increase memory
+Increasing this may slightly improve file transfer speed
-usage. The default is 16 outstanding requests.
+but will increase memory usage.
+The default is 16 outstanding requests.
 .It Fl S Ar program
 Name of the
 .Ar program
@@ -156,7 +172,8 @@ Commands are case insensitive and pathnames may be enclosed in quotes if they
 contain spaces.
 .Bl -tag -width Ds
 .It Ic bye
-Quit sftp.
+Quit
+.Nm sftp .
 .It Ic cd Ar path
 Change remote directory to
 .Ar path .
@@ -183,7 +200,8 @@ to
 .Ar own
 must be a numeric UID.
 .It Ic exit
-Quit sftp.
+Quit
+.Nm sftp .
 .It Xo Ic get
 .Op Ar flags
 .Ar remote-path
@@ -194,7 +212,8 @@ Retrieve the
 and store it on the local machine.
 If the local
 path name is not specified, it is given the same name it has on the
-remote machine. If the
+remote machine.
+If the
 .Fl P
 flag is specified, then the file's full permission and access time are
 copied too.
@@ -224,7 +243,8 @@ Display remote directory listing of either
 .Ar path
 or current directory if
 .Ar path
-is not specified. If the
+is not specified.
+If the
 .Fl l
 flag is specified, then display additional details including permissions
 and ownership information.
@@ -243,15 +263,18 @@ Toggle display of progress meter.
 .Xc
 Upload
 .Ar local-path
-and store it on the remote machine. If the remote path name is not
+and store it on the remote machine.
-specified, it is given the same name it has on the local machine. If the
+If the remote path name is not specified, it is given the same name it has
+on the local machine.
+If the
 .Fl P
 flag is specified, then the file's full permission and access time are
 copied too.
 .It Ic pwd
 Display remote working directory.
 .It Ic quit
-Quit sftp.
+Quit
+.Nm sftp .
 .It Ic rename Ar oldpath Ar newpath
 Rename remote file from
 .Ar oldpath
@@ -272,17 +295,15 @@ to
 Display the
 .Nm
 protocol version.
-.It Ic ! Ar command
+.It Ic \&! Ar command
 Execute
 .Ar command
 in local shell.
-.It Ic !
+.It Ic \&!
 Escape to local shell.
-.It Ic ?
+.It Ic \&?
 Synonym for help.
 .El
-.Sh AUTHORS
-Damien Miller <djm@mindrot.org>
 .Sh SEE ALSO
 .Xr scp 1 ,
 .Xr ssh 1 ,
diff --git a/sftp.c b/sftp.c
index e8adcba18..c2a6593b8 100644
--- a/sftp.c
+++ b/sftp.c
@@ -24,9 +24,7 @@
 #include "includes.h"
-RCSID("$OpenBSD: sftp.c,v 1.34 2003/01/10 08:19:07 fgsch Exp $");
+RCSID("$OpenBSD: sftp.c,v 1.37 2003/07/10 20:05:55 markus Exp $");
-/* XXX: short-form remote directory listings (like 'ls -C') */
 #include "buffer.h"
 #include "xmalloc.h"
@@ -48,11 +46,21 @@ char *__progname;
 FILE* infile;
 size_t copy_buffer_len = 32768;
 size_t num_requests = 16;
+static pid_t sshpid = -1;
 extern int showprogress;
 static void
-connect_to_server(char *path, char **args, int *in, int *out, pid_t *sshpid)
+killchild(int signo)
+{
+        if (sshpid > 1)
+                kill(sshpid, signo);
+        _exit(1);
+}
+static void
+connect_to_server(char *path, char **args, int *in, int *out)
 {
        int c_in, c_out;
@@ -74,9 +82,9 @@ connect_to_server(char *path, char **args, int *in, int *out, pid_t *sshpid)
        c_in = c_out = inout[1];
 #endif /* USE_PIPES */
-        if ((*sshpid = fork()) == -1)
+        if ((sshpid = fork()) == -1)
                fatal("fork: %s", strerror(errno));
-        else if (*sshpid == 0) {
+        else if (sshpid == 0) {
                if ((dup2(c_in, STDIN_FILENO) == -1) ||
                    (dup2(c_out, STDOUT_FILENO) == -1)) {
                        fprintf(stderr, "dup2: %s\n", strerror(errno));
@@ -91,6 +99,9 @@ connect_to_server(char *path, char **args, int *in, int *out, pid_t *sshpid)
                exit(1);
        }
+        signal(SIGTERM, killchild);
+        signal(SIGINT, killchild);
+        signal(SIGHUP, killchild);
        close(c_in);
        close(c_out);
 }
@@ -101,8 +112,9 @@ usage(void)
        extern char *__progname;
        fprintf(stderr,
-            "usage: %s [-vC1] [-b batchfile] [-o option] [-s subsystem|path] [-B buffer_size]\n"
+            "usage: %s [-vC1] [-b batchfile] [-o ssh_option] [-s subsystem | sftp_server]\n"
-            "            [-F config] [-P direct server path] [-S program]\n"
+            "            [-B buffer_size] [-F ssh_config] [-P sftp_server path]\n"
+            "            [-R num_requests] [-S program]\n"
            "            [user@]host[:file [file]]\n", __progname);
        exit(1);
 }
@@ -111,7 +123,6 @@ int
 main(int argc, char **argv)
 {
        int in, out, ch, err;
-        pid_t sshpid;
        char *host, *userhost, *cp, *file2;
        int debug_level = 0, sshver = 2;
        char *file1 = NULL, *sftp_server = NULL;
@@ -121,7 +132,7 @@ main(int argc, char **argv)
        extern int optind;
        extern char *optarg;
-        __progname = get_progname(argv[0]);
+        __progname = ssh_get_progname(argv[0]);
        args.list = NULL;
        addargs(&args, "ssh");          /* overwritten with ssh_program */
        addargs(&args, "-oForwardX11 no");
@@ -229,15 +240,13 @@ main(int argc, char **argv)
                args.list[0] = ssh_program;
                fprintf(stderr, "Connecting to %s...\n", host);
-                connect_to_server(ssh_program, args.list, &in, &out,
+                connect_to_server(ssh_program, args.list, &in, &out);
-                    &sshpid);
        } else {
                args.list = NULL;
                addargs(&args, "sftp-server");
                fprintf(stderr, "Attaching to %s...\n", sftp_direct);
-                connect_to_server(sftp_direct, args.list, &in, &out,
+                connect_to_server(sftp_direct, args.list, &in, &out);
-                    &sshpid);
        }
        err = interactive_loop(in, out, file1, file2);
diff --git a/ssh-add.0 b/ssh-add.0
index b0096423d..95929d4d3 100644
--- a/ssh-add.0
+++ b/ssh-add.0
@@ -54,6 +54,21 @@ DESCRIPTION
     -e reader
             Remove key in smartcard reader.
+ENVIRONMENT
+     DISPLAY and SSH_ASKPASS
+             If ssh-add needs a passphrase, it will read the passphrase from
+             the current terminal if it was run from a terminal.  If ssh-add
+             does not have a terminal associated with it but DISPLAY and
+             SSH_ASKPASS are set, it will execute the program specified by
+             SSH_ASKPASS and open an X11 window to read the passphrase.  This
+             is particularly useful when calling ssh-add from a .Xsession or
+             related script.  (Note that on some machines it may be necessary
+             to redirect the input from /dev/null to make this work.)
+     SSH_AUTH_SOCK
+             Identifies the path of a unix-domain socket used to communicate
+             with the agent.
 FILES
     $HOME/.ssh/identity
             Contains the protocol version 1 RSA authentication identity of
@@ -70,25 +85,13 @@ FILES
     Identity files should not be readable by anyone but the user.  Note that
     ssh-add ignores identity files if they are accessible by others.
-ENVIRONMENT
-     DISPLAY and SSH_ASKPASS
-             If ssh-add needs a passphrase, it will read the passphrase from
-             the current terminal if it was run from a terminal.  If ssh-add
-             does not have a terminal associated with it but DISPLAY and
-             SSH_ASKPASS are set, it will execute the program specified by
-             SSH_ASKPASS and open an X11 window to read the passphrase.  This
-             is particularly useful when calling ssh-add from a .Xsession or
-             related script.  (Note that on some machines it may be necessary
-             to redirect the input from /dev/null to make this work.)
-     SSH_AUTH_SOCK
-             Identifies the path of a unix-domain socket used to communicate
-             with the agent.
 DIAGNOSTICS
     Exit status is 0 on success, 1 if the specified command fails, and 2 if
     ssh-add is unable to contact the authentication agent.
+SEE ALSO
+     ssh(1), ssh-agent(1), ssh-keygen(1), sshd(8)
 AUTHORS
     OpenSSH is a derivative of the original and free ssh 1.2.12 release by
     Tatu Ylonen.  Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
@@ -96,7 +99,4 @@ AUTHORS
     ated OpenSSH.  Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.
-SEE ALSO
-     ssh(1), ssh-agent(1), ssh-keygen(1), sshd(8)
 BSD                           September 25, 1999                           BSD
diff --git a/ssh-add.1 b/ssh-add.1
index bcdb8e7f6..fe0190859 100644
--- a/ssh-add.1
+++ b/ssh-add.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-add.1,v 1.38 2003/03/28 10:11:43 jmc Exp $
+.\"     $OpenBSD: ssh-add.1,v 1.39 2003/06/10 09:12:11 jmc Exp $
 .\"
 .\"  -*- nroff -*-
 .\"
@@ -109,20 +109,6 @@ Add key in smartcard
 Remove key in smartcard
 .Ar reader .
 .El
-.Sh FILES
-.Bl -tag -width Ds
-.It Pa $HOME/.ssh/identity
-Contains the protocol version 1 RSA authentication identity of the user.
-.It Pa $HOME/.ssh/id_dsa
-Contains the protocol version 2 DSA authentication identity of the user.
-.It Pa $HOME/.ssh/id_rsa
-Contains the protocol version 2 RSA authentication identity of the user.
-.El
-.Pp
-Identity files should not be readable by anyone but the user.
-Note that
-.Nm
-ignores identity files if they are accessible by others.
 .Sh ENVIRONMENT
 .Bl -tag -width Ds
 .It Ev "DISPLAY" and "SSH_ASKPASS"
@@ -152,11 +138,30 @@ to make this work.)
 Identifies the path of a unix-domain socket used to communicate with the
 agent.
 .El
+.Sh FILES
+.Bl -tag -width Ds
+.It Pa $HOME/.ssh/identity
+Contains the protocol version 1 RSA authentication identity of the user.
+.It Pa $HOME/.ssh/id_dsa
+Contains the protocol version 2 DSA authentication identity of the user.
+.It Pa $HOME/.ssh/id_rsa
+Contains the protocol version 2 RSA authentication identity of the user.
+.El
+.Pp
+Identity files should not be readable by anyone but the user.
+Note that
+.Nm
+ignores identity files if they are accessible by others.
 .Sh DIAGNOSTICS
 Exit status is 0 on success, 1 if the specified command fails,
 and 2 if
 .Nm
 is unable to contact the authentication agent.
+.Sh SEE ALSO
+.Xr ssh 1 ,
+.Xr ssh-agent 1 ,
+.Xr ssh-keygen 1 ,
+.Xr sshd 8
 .Sh AUTHORS
 OpenSSH is a derivative of the original and free
 ssh 1.2.12 release by Tatu Ylonen.
@@ -166,8 +171,3 @@ removed many bugs, re-added newer features and
 created OpenSSH.
 Markus Friedl contributed the support for SSH
 protocol versions 1.5 and 2.0.
-.Sh SEE ALSO
-.Xr ssh 1 ,
-.Xr ssh-agent 1 ,
-.Xr ssh-keygen 1 ,
-.Xr sshd 8
diff --git a/ssh-add.c b/ssh-add.c
index 9adec3094..2e394e5c1 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -35,7 +35,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-add.c,v 1.66 2003/03/05 22:33:43 markus Exp $");
+RCSID("$OpenBSD: ssh-add.c,v 1.68 2003/06/16 10:22:45 markus Exp $");
 #include <openssl/evp.h>
@@ -164,7 +164,8 @@ add_file(AuthenticationConnection *ac, const char *filename)
                        if (private != NULL)
                                break;
                        clear_pass();
-                        strlcpy(msg, "Bad passphrase, try again: ", sizeof msg);
+                        snprintf(msg, sizeof msg,
+                            "Bad passphrase, try again for %.200s: ", comment);
                }
        }
@@ -201,7 +202,7 @@ update_card(AuthenticationConnection *ac, int add, const char *id)
        if (pin == NULL)
                return -1;
-        if (ssh_update_card(ac, add, id, pin)) {
+        if (ssh_update_card(ac, add, id, pin, lifetime, confirm)) {
                fprintf(stderr, "Card %s: %s\n",
                    add ? "added" : "removed", id);
                ret = 0;
@@ -318,7 +319,7 @@ main(int argc, char **argv)
        char *sc_reader_id = NULL;
        int i, ch, deleting = 0, ret = 0;
-        __progname = get_progname(argv[0]);
+        __progname = ssh_get_progname(argv[0]);
        init_rng();
        seed_rng();
diff --git a/ssh-agent.0 b/ssh-agent.0
index 48cc9b36e..990cbc29b 100644
--- a/ssh-agent.0
+++ b/ssh-agent.0
@@ -60,7 +60,7 @@ DESCRIPTION
     can thus use the privileges given by the identities anywhere in the net-
     work in a secure way.
-     There are two main ways to get an agent setup: Either the agent starts a
+     There are two main ways to get an agent set up: Either the agent starts a
     new subcommand into which some environment variables are exported, or the
     agent prints the needed shell commands (either sh(1) or csh(1) syntax can
     be generated) which can be evalled in the calling shell.  Later ssh(1)
@@ -101,6 +101,9 @@ FILES
             owner.  The sockets should get automatically removed when the
             agent exits.
+SEE ALSO
+     ssh(1), ssh-add(1), ssh-keygen(1), sshd(8)
 AUTHORS
     OpenSSH is a derivative of the original and free ssh 1.2.12 release by
     Tatu Ylonen.  Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
@@ -108,7 +111,4 @@ AUTHORS
     ated OpenSSH.  Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.
-SEE ALSO
-     ssh(1), ssh-add(1), ssh-keygen(1), sshd(8)
 BSD                           September 25, 1999                           BSD
diff --git a/ssh-agent.1 b/ssh-agent.1
index fde4608bb..aab15cc7f 100644
--- a/ssh-agent.1
+++ b/ssh-agent.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.37 2003/03/28 10:11:43 jmc Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.39 2003/06/10 09:12:11 jmc Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -133,7 +133,7 @@ However, the connection to the agent is forwarded over SSH
 remote logins, and the user can thus use the privileges given by the
 identities anywhere in the network in a secure way.
 .Pp
-There are two main ways to get an agent setup:
+There are two main ways to get an agent set up:
 Either the agent starts a new subcommand into which some environment
 variables are exported, or the agent prints the needed shell commands
 (either
@@ -179,6 +179,11 @@ authentication agent.
 These sockets should only be readable by the owner.
 The sockets should get automatically removed when the agent exits.
 .El
+.Sh SEE ALSO
+.Xr ssh 1 ,
+.Xr ssh-add 1 ,
+.Xr ssh-keygen 1 ,
+.Xr sshd 8
 .Sh AUTHORS
 OpenSSH is a derivative of the original and free
 ssh 1.2.12 release by Tatu Ylonen.
@@ -188,8 +193,3 @@ removed many bugs, re-added newer features and
 created OpenSSH.
 Markus Friedl contributed the support for SSH
 protocol versions 1.5 and 2.0.
-.Sh SEE ALSO
-.Xr ssh 1 ,
-.Xr ssh-add 1 ,
-.Xr ssh-keygen 1 ,
-.Xr sshd 8
diff --git a/ssh-agent.c b/ssh-agent.c
index eb593de73..c05c61468 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -35,7 +35,7 @@
 #include "includes.h"
 #include "openbsd-compat/sys-queue.h"
-RCSID("$OpenBSD: ssh-agent.c,v 1.108 2003/03/13 11:44:50 markus Exp $");
+RCSID("$OpenBSD: ssh-agent.c,v 1.111 2003/06/12 19:12:03 markus Exp $");
 #include <openssl/evp.h>
 #include <openssl/md5.h>
@@ -261,7 +261,7 @@ process_authentication_challenge1(SocketEntry *e)
                /* The response is MD5 of decrypted challenge plus session id. */
                len = BN_num_bytes(challenge);
                if (len <= 0 || len > 32) {
-                        log("process_authentication_challenge: bad challenge length %d", len);
+                        logit("process_authentication_challenge: bad challenge length %d", len);
                        goto failure;
                }
                memset(buf, 0, 32);
@@ -350,7 +350,7 @@ process_remove_identity(SocketEntry *e, int version)
                buffer_get_bignum(&e->request, key->rsa->n);
                if (bits != key_size(key))
-                        log("Warning: identity keysize mismatch: actual %u, announced %u",
+                        logit("Warning: identity keysize mismatch: actual %u, announced %u",
                            key_size(key), bits);
                break;
        case 2:
@@ -580,13 +580,29 @@ static void
 process_add_smartcard_key (SocketEntry *e)
 {
        char *sc_reader_id = NULL, *pin;
-        int i, version, success = 0;
+        int i, version, success = 0, death = 0, confirm = 0;
        Key **keys, *k;
        Identity *id;
        Idtab *tab;
        sc_reader_id = buffer_get_string(&e->request, NULL);
        pin = buffer_get_string(&e->request, NULL);
+        while (buffer_len(&e->request)) {
+                switch (buffer_get_char(&e->request)) {
+                case SSH_AGENT_CONSTRAIN_LIFETIME:
+                        death = time(NULL) + buffer_get_int(&e->request);
+                        break;
+                case SSH_AGENT_CONSTRAIN_CONFIRM:
+                        confirm = 1;
+                        break;
+                default:
+                        break;
+                }
+        }
+        if (lifetime && !death)
+                death = time(NULL) + lifetime;
        keys = sc_get_keys(sc_reader_id, pin);
        xfree(sc_reader_id);
        xfree(pin);
@@ -602,9 +618,9 @@ process_add_smartcard_key (SocketEntry *e)
                if (lookup_identity(k, version) == NULL) {
                        id = xmalloc(sizeof(Identity));
                        id->key = k;
-                        id->comment = xstrdup("smartcard key");
+                        id->comment = sc_get_key_label(k);
-                        id->death = 0;
+                        id->death = death;
-                        id->confirm = 0;
+                        id->confirm = confirm;
                        TAILQ_INSERT_TAIL(&tab->idlist, id, next);
                        tab->nentries++;
                        success = 1;
@@ -748,6 +764,7 @@ process_message(SocketEntry *e)
                break;
 #ifdef SMARTCARD
        case SSH_AGENTC_ADD_SMARTCARD_KEY:
+        case SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED:
                process_add_smartcard_key(e);
                break;
        case SSH_AGENTC_REMOVE_SMARTCARD_KEY:
@@ -962,7 +979,7 @@ check_parent_exists(int sig)
                /* printf("Parent has died - Authentication agent exiting.\n"); */
                cleanup_handler(sig); /* safe */
        }
-        signal(SIGALRM, check_parent_exists);
+        mysignal(SIGALRM, check_parent_exists);
        alarm(10);
        errno = save_errno;
 }
@@ -1007,7 +1024,7 @@ main(int ac, char **av)
        SSLeay_add_all_algorithms();
-        __progname = get_progname(av[0]);
+        __progname = ssh_get_progname(av[0]);
        init_rng();
        seed_rng();
@@ -1194,7 +1211,7 @@ skip:
        fatal_add_cleanup(cleanup_socket, NULL);
        new_socket(AUTH_SOCKET, sock);
        if (ac > 0) {
-                signal(SIGALRM, check_parent_exists);
+                mysignal(SIGALRM, check_parent_exists);
                alarm(10);
        }
        idtab_init();
diff --git a/ssh-gss.h b/ssh-gss.h
new file mode 100644
index 000000000..6b58adb3a
--- /dev/null
+++ b/ssh-gss.h
@@ -0,0 +1,121 @@
+/*
+ * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef _SSH_GSS_H
+#define _SSH_GSS_H
+#ifdef GSSAPI
+#include "buffer.h"
+#include <gssapi.h>
+#ifdef KRB5
+#ifndef HEIMDAL
+#include <gssapi_generic.h>
+/* MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */
+#ifndef GSS_C_NT_HOSTBASED_SERVICE
+#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
+#endif /* GSS_C_NT_... */
+#endif /* !HEIMDAL */
+#endif /* KRB5 */
+/* draft-ietf-secsh-gsskeyex-06 */
+#define SSH2_MSG_USERAUTH_GSSAPI_RESPONSE               60
+#define SSH2_MSG_USERAUTH_GSSAPI_TOKEN                  61
+#define SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE      63
+#define SSH2_MSG_USERAUTH_GSSAPI_ERROR                  64
+#define SSH2_MSG_USERAUTH_GSSAPI_ERRTOK                 65
+#define SSH_GSS_OIDTYPE 0x06
+typedef struct {
+        char *filename;
+        char *envvar;
+        char *envval;
+        void *data;
+} ssh_gssapi_ccache;
+typedef struct {
+        gss_buffer_desc displayname;
+        gss_buffer_desc exportedname;
+        gss_cred_id_t creds;
+        struct ssh_gssapi_mech_struct *mech;
+        ssh_gssapi_ccache store;
+} ssh_gssapi_client;
+typedef struct ssh_gssapi_mech_struct {
+        char *enc_name;
+        char *name;
+        gss_OID_desc oid;
+        int (*dochild) (ssh_gssapi_client *);
+        int (*userok) (ssh_gssapi_client *, char *);
+        int (*localname) (ssh_gssapi_client *, char **);
+        void (*storecreds) (ssh_gssapi_client *);
+} ssh_gssapi_mech;
+typedef struct {
+        OM_uint32       major; /* both */
+        OM_uint32       minor; /* both */
+        gss_ctx_id_t    context; /* both */
+        gss_name_t      name; /* both */
+        gss_OID         oid; /* client */
+        gss_cred_id_t   creds; /* server */
+        gss_name_t      client; /* server */
+        gss_cred_id_t   client_creds; /* server */
+} Gssctxt;
+extern ssh_gssapi_mech *supported_mechs[];
+int  ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len);
+void ssh_gssapi_set_oid_data(Gssctxt *ctx, void *data, size_t len);
+void ssh_gssapi_set_oid(Gssctxt *ctx, gss_OID oid);
+void ssh_gssapi_supported_oids(gss_OID_set *oidset);
+ssh_gssapi_mech *ssh_gssapi_get_ctype(Gssctxt *ctxt);
+OM_uint32 ssh_gssapi_import_name(Gssctxt *ctx, const char *host);
+OM_uint32 ssh_gssapi_acquire_cred(Gssctxt *ctx);
+OM_uint32 ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds,
+    gss_buffer_desc *recv_tok, gss_buffer_desc *send_tok, OM_uint32 *flags);
+OM_uint32 ssh_gssapi_accept_ctx(Gssctxt *ctx,
+    gss_buffer_desc *recv_tok, gss_buffer_desc *send_tok, OM_uint32 *flags);
+OM_uint32 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *);
+void ssh_gssapi_error(Gssctxt *ctx);
+char *ssh_gssapi_last_error(Gssctxt *ctxt, OM_uint32 *maj, OM_uint32 *min);
+void ssh_gssapi_build_ctx(Gssctxt **ctx);
+void ssh_gssapi_delete_ctx(Gssctxt **ctx);
+OM_uint32 ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid);
+/* In the server */
+int ssh_gssapi_userok(char *name);
+void ssh_gssapi_do_child(char ***envp, u_int *envsizep);
+void ssh_gssapi_cleanup_creds(void *ignored);
+void ssh_gssapi_storecreds(void);
+#endif /* GSSAPI */
+#endif /* _SSH_GSS_H */
diff --git a/ssh-keygen.0 b/ssh-keygen.0
index 515d9f94c..2db957554 100644
--- a/ssh-keygen.0
+++ b/ssh-keygen.0
@@ -15,12 +15,18 @@ SYNOPSIS
     ssh-keygen -B [-f input_keyfile]
     ssh-keygen -D reader
     ssh-keygen -U reader [-f input_keyfile]
+     ssh-keygen -r hostname [-f input_keyfile] [-g]
+     ssh-keygen -G output_file [-b bits] [-M memory] [-S start_point]
+     ssh-keygen -T output_file -f input_file [-a num_trials] [-W generator]
 DESCRIPTION
     ssh-keygen generates, manages and converts authentication keys for
     ssh(1).  ssh-keygen can create RSA keys for use by SSH protocol version 1
-     and RSA or DSA keys for use by SSH protocol version 2. The type of key to
+     and RSA or DSA keys for use by SSH protocol version 2.  The type of key
-     be generated is specified with the -t option.
+     to be generated is specified with the -t option.
+     ssh-keygen is also used to generate groups for use in Diffie-Hellman
+     group exchange (DH-GEX).  See the MODULI GENERATION section for details.
     Normally each user wishing to use SSH with RSA or DSA authentication runs
     this once to create the authentication key in $HOME/.ssh/identity,
@@ -56,6 +62,10 @@ DESCRIPTION
     The options are as follows:
+     -a trials
+             Specifies the number of primality tests to perform when screening
+             DH-GEX candidates using the -T command.
     -b bits
             Specifies the number of bits in the key to create.  Minimum is
             512 bits.  Generally, 1024 bits is considered sufficient.  The
@@ -71,6 +81,8 @@ DESCRIPTION
             This option allows exporting keys for use by several commercial
             SSH implementations.
+     -g      Use generic DNS resource record format.
     -f filename
             Specifies the filename of the key file.
@@ -108,15 +120,71 @@ DESCRIPTION
     -D reader
             Download the RSA public key stored in the smartcard in reader.
+     -G output_file
+             Generate candidate primes for DH-GEX.  These primes must be
+             screened for safety (using the -T option) before use.
+     -M memory
+             Specify the amount of memory to use (in megabytes) when generat-
+             ing candidate moduli for DH-GEX.
     -N new_passphrase
             Provides the new passphrase.
     -P passphrase
             Provides the (old) passphrase.
+     -S start
+             Specify start point (in hex) when generating candidate moduli for
+             DH-GEX.
+     -T output_file
+             Test DH group exchange candidate primes (generated using the -G
+             option) for safety.
+     -W generator
+             Specify desired generator when testing candidate moduli for DH-
+             GEX.
     -U reader
             Upload an existing RSA private key into the smartcard in reader.
+     -r hostname
+             Print DNS resource record with the specified hostname.
+MODULI GENERATION
+     ssh-keygen may be used to generate groups for the Diffie-Hellman Group
+     Exchange (DH-GEX) protocol.  Generating these groups is a two-step pro-
+     cess: first, candidate primes are generated using a fast, but memory
+     intensive process.  These candidate primes are then tested for suitabil-
+     ity (a CPU-intensive process).
+     Generation of primes is performed using the -G option.  The desired
+     length of the primes may be specified by the -b option.  For example:
+           ssh-keygen -G moduli-2048.candidates -b 2048
+     By default, the search for primes begins at a random point in the desired
+     length range.  This may be overridden using the -S option, which speci-
+     fies a different start point (in hex).
+     Once a set of candidates have been generated, they must be tested for
+     suitability.  This may be performed using the -T option.  In this mode
+     ssh-keygen will read candidates from standard input (or a file specified
+     using the -f option).  For example:
+           ssh-keygen -T moduli-2048 -f moduli-2048.candidates
+     By default, each candidate will be subjected to 100 primality tests.
+     This may be overridden using the -a option.  The DH generator value will
+     be chosen automatically for the prime under consideration.  If a specific
+     generator is desired, it may be requested using the -W option.  Valid
+     generator values are 2, 3 and 5.
+     Screened DH groups may be installed in /etc/moduli.  It is important that
+     this file contains moduli of a range of bit lengths and that both ends of
+     a connection share common moduli.
 FILES
     $HOME/.ssh/identity
             Contains the protocol version 1 RSA authentication identity of
@@ -166,6 +234,16 @@ FILES
             to log in using public key authentication.  There is no need to
             keep the contents of this file secret.
+     /etc/moduli
+             Contains Diffie-Hellman groups used for DH-GEX.  The file format
+             is described in moduli(5).
+SEE ALSO
+     ssh(1), ssh-add(1), ssh-agent(1), moduli(5), sshd(8)
+     J. Galbraith and R. Thayer, SECSH Public Key File Format, draft-ietf-
+     secsh-publickeyfile-01.txt, March 2001, work in progress material.
 AUTHORS
     OpenSSH is a derivative of the original and free ssh 1.2.12 release by
     Tatu Ylonen.  Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
@@ -173,10 +251,4 @@ AUTHORS
     ated OpenSSH.  Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.
-SEE ALSO
-     ssh(1), ssh-add(1), ssh-agent(1), sshd(8)
-     J. Galbraith and R. Thayer, SECSH Public Key File Format, draft-ietf-
-     secsh-publickeyfile-01.txt, March 2001, work in progress material.
 BSD                           September 25, 1999                           BSD
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 000e8ff2a..dc4bcacd0 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.56 2003/03/28 10:11:43 jmc Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.60 2003/07/28 09:49:56 djm Exp $
 .\"
 .\"  -*- nroff -*-
 .\"
@@ -83,17 +83,38 @@
 .Nm ssh-keygen
 .Fl U Ar reader
 .Op Fl f Ar input_keyfile
+.Nm ssh-keygen
+.Fl r Ar hostname
+.Op Fl f Ar input_keyfile
+.Op Fl g
+.Nm ssh-keygen
+.Fl G Ar output_file
+.Op Fl b Ar bits
+.Op Fl M Ar memory
+.Op Fl S Ar start_point
+.Nm ssh-keygen
+.Fl T Ar output_file
+.Fl f Ar input_file
+.Op Fl a Ar num_trials
+.Op Fl W Ar generator
 .Sh DESCRIPTION
 .Nm
 generates, manages and converts authentication keys for
 .Xr ssh 1 .
 .Nm
 can create RSA keys for use by SSH protocol version 1 and RSA or DSA
-keys for use by SSH protocol version 2. The type of key to be generated
+keys for use by SSH protocol version 2.
-is specified with the
+The type of key to be generated is specified with the
 .Fl t
 option.
 .Pp
+.Nm
+is also used to generate groups for use in Diffie-Hellman group
+exchange (DH-GEX).
+See the
+.Sx MODULI GENERATION
+section for details.
+.Pp
 Normally each user wishing to use SSH
 with RSA or DSA authentication runs this once to create the authentication
 key in
@@ -146,6 +167,11 @@ should be placed to be activated.
 .Pp
 The options are as follows:
 .Bl -tag -width Ds
+.It Fl a Ar trials
+Specifies the number of primality tests to perform when screening DH-GEX
+candidates using the
+.Fl T
+command.
 .It Fl b Ar bits
 Specifies the number of bits in the key to create.
 Minimum is 512 bits.
@@ -163,6 +189,8 @@ print the key in a
 to stdout.
 This option allows exporting keys for use by several commercial
 SSH implementations.
+.It Fl g
+Use generic DNS resource record format.
 .It Fl f Ar filename
 Specifies the filename of the key file.
 .It Fl i
@@ -211,14 +239,88 @@ Provides the new comment.
 .It Fl D Ar reader
 Download the RSA public key stored in the smartcard in
 .Ar reader .
+.It Fl G Ar output_file
+Generate candidate primes for DH-GEX.
+These primes must be screened for
+safety (using the
+.Fl T
+option) before use.
+.It Fl M Ar memory
+Specify the amount of memory to use (in megabytes) when generating
+candidate moduli for DH-GEX.
 .It Fl N Ar new_passphrase
 Provides the new passphrase.
 .It Fl P Ar passphrase
 Provides the (old) passphrase.
+.It Fl S Ar start
+Specify start point (in hex) when generating candidate moduli for DH-GEX.
+.It Fl T Ar output_file
+Test DH group exchange candidate primes (generated using the
+.Fl G
+option) for safety.
+.It Fl W Ar generator
+Specify desired generator when testing candidate moduli for DH-GEX.
 .It Fl U Ar reader
 Upload an existing RSA private key into the smartcard in
 .Ar reader .
+.It Fl r Ar hostname
+Print DNS resource record with the specified
+.Ar hostname .
 .El
+.Sh MODULI GENERATION
+.Nm
+may be used to generate groups for the Diffie-Hellman Group Exchange
+(DH-GEX) protocol.
+Generating these groups is a two-step process: first, candidate
+primes are generated using a fast, but memory intensive process.
+These candidate primes are then tested for suitability (a CPU-intensive
+process).
+.Pp
+Generation of primes is performed using the
+.Fl G
+option.
+The desired length of the primes may be specified by the
+.Fl b
+option.
+For example:
+.Pp
+.Dl ssh-keygen -G moduli-2048.candidates -b 2048
+.Pp
+By default, the search for primes begins at a random point in the
+desired length range.
+This may be overridden using the
+.Fl S
+option, which specifies a different start point (in hex).
+.Pp
+Once a set of candidates have been generated, they must be tested for
+suitability.
+This may be performed using the
+.Fl T
+option.
+In this mode
+.Nm
+will read candidates from standard input (or a file specified using the
+.Fl f
+option).
+For example:
+.Pp
+.Dl ssh-keygen -T moduli-2048 -f moduli-2048.candidates
+.Pp
+By default, each candidate will be subjected to 100 primality tests.
+This may be overridden using the
+.Fl a
+option.
+The DH generator value will be chosen automatically for the
+prime under consideration.
+If a specific generator is desired, it may be requested using the
+.Fl W
+option.
+Valid generator values are 2, 3 and 5.
+.Pp
+Screened DH groups may be installed in
+.Pa /etc/moduli .
+It is important that this file contains moduli of a range of bit lengths and
+that both ends of a connection share common moduli.
 .Sh FILES
 .Bl -tag -width Ds
 .It Pa $HOME/.ssh/identity
@@ -275,20 +377,16 @@ The contents of this file should be added to
 on all machines
 where the user wishes to log in using public key authentication.
 There is no need to keep the contents of this file secret.
+.It Pa /etc/moduli
+Contains Diffie-Hellman groups used for DH-GEX.
+The file format is described in
+.Xr moduli 5 .
 .El
-.Sh AUTHORS
-OpenSSH is a derivative of the original and free
-ssh 1.2.12 release by Tatu Ylonen.
-Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
-Theo de Raadt and Dug Song
-removed many bugs, re-added newer features and
-created OpenSSH.
-Markus Friedl contributed the support for SSH
-protocol versions 1.5 and 2.0.
 .Sh SEE ALSO
 .Xr ssh 1 ,
 .Xr ssh-add 1 ,
 .Xr ssh-agent 1 ,
+.Xr moduli 5 ,
 .Xr sshd 8
 .Rs
 .%A J. Galbraith
@@ -298,3 +396,12 @@ protocol versions 1.5 and 2.0.
 .%D March 2001
 .%O work in progress material
 .Re
+.Sh AUTHORS
+OpenSSH is a derivative of the original and free
+ssh 1.2.12 release by Tatu Ylonen.
+Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
+Theo de Raadt and Dug Song
+removed many bugs, re-added newer features and
+created OpenSSH.
+Markus Friedl contributed the support for SSH
+protocol versions 1.5 and 2.0.
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 6a872bcfd..e74d3cd37 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -12,7 +12,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keygen.c,v 1.102 2002/11/26 00:45:03 wcobb Exp $");
+RCSID("$OpenBSD: ssh-keygen.c,v 1.108 2003/08/14 16:08:58 markus Exp $");
 #include <openssl/evp.h>
 #include <openssl/pem.h>
@@ -27,10 +27,14 @@ RCSID("$OpenBSD: ssh-keygen.c,v 1.102 2002/11/26 00:45:03 wcobb Exp $");
 #include "pathnames.h"
 #include "log.h"
 #include "readpass.h"
+#include "moduli.h"
 #ifdef SMARTCARD
 #include "scard.h"
 #endif
+#ifdef DNS
+#include "dns.h"
+#endif
 /* Number of bits in the RSA/DSA key.  This value can be changed on the command line. */
 int bits = 1024;
@@ -70,6 +74,7 @@ char *identity_comment = NULL;
 int convert_to_ssh2 = 0;
 int convert_from_ssh2 = 0;
 int print_public = 0;
+int print_generic = 0;
 char *key_type_name = NULL;
@@ -163,6 +168,10 @@ do_convert_to_ssh2(struct passwd *pw)
                        exit(1);
                }
        }
+        if (k->type == KEY_RSA1) {
+                fprintf(stderr, "version 1 keys are not supported\n");
+                exit(1);
+        }
        if (key_to_blob(k, &blob, &len) <= 0) {
                fprintf(stderr, "key_to_blob failed\n");
                exit(1);
@@ -415,7 +424,7 @@ do_upload(struct passwd *pw, const char *sc_reader_id)
        key_free(prv);
        if (ret < 0)
                exit(1);
-        log("loading key done");
+        logit("loading key done");
        exit(0);
 }
@@ -616,6 +625,38 @@ do_change_passphrase(struct passwd *pw)
        exit(0);
 }
+#ifdef DNS
+/*
+ * Print the SSHFP RR.
+ */
+static void
+do_print_resource_record(struct passwd *pw, char *hostname)
+{
+        Key *public;
+        char *comment = NULL;
+        struct stat st;
+        if (!have_identity)
+                ask_filename(pw, "Enter file in which the key is");
+        if (stat(identity_file, &st) < 0) {
+                perror(identity_file);
+                exit(1);
+        }
+        public = key_load_public(identity_file, &comment);
+        if (public != NULL) {
+                export_dns_rr(hostname, public, stdout, print_generic);
+                key_free(public);
+                xfree(comment);
+                exit(0);
+        }
+        if (comment)
+                xfree(comment);
+        printf("failed to read v2 public key from %s.\n", identity_file);
+        exit(1);
+}
+#endif /* DNS */
 /*
 * Change the comment of a private key file.
 */
@@ -722,6 +763,7 @@ usage(void)
        fprintf(stderr, "  -c          Change comment in private and public key files.\n");
        fprintf(stderr, "  -e          Convert OpenSSH to IETF SECSH key file.\n");
        fprintf(stderr, "  -f filename Filename of the key file.\n");
+        fprintf(stderr, "  -g          Use generic DNS resource record format.\n");
        fprintf(stderr, "  -i          Convert IETF SECSH to OpenSSH key file.\n");
        fprintf(stderr, "  -l          Show fingerprint of key file.\n");
        fprintf(stderr, "  -p          Change passphrase of private key file.\n");
@@ -732,11 +774,17 @@ usage(void)
        fprintf(stderr, "  -C comment  Provide new comment.\n");
        fprintf(stderr, "  -N phrase   Provide new passphrase.\n");
        fprintf(stderr, "  -P phrase   Provide old passphrase.\n");
+#ifdef DNS
+        fprintf(stderr, "  -r hostname Print DNS resource record.\n");
+#endif /* DNS */
 #ifdef SMARTCARD
        fprintf(stderr, "  -D reader   Download public key from smartcard.\n");
        fprintf(stderr, "  -U reader   Upload private key to smartcard.\n");
 #endif /* SMARTCARD */
+        fprintf(stderr, "  -G file     Generate candidates for DH-GEX moduli\n");
+        fprintf(stderr, "  -T file     Screen candidates for DH-GEX moduli\n");
        exit(1);
 }
@@ -747,19 +795,25 @@ int
 main(int ac, char **av)
 {
        char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2;
-        char *reader_id = NULL;
+        char out_file[MAXPATHLEN], *reader_id = NULL;
+        char *resource_record_hostname = NULL;
        Key *private, *public;
        struct passwd *pw;
        struct stat st;
-        int opt, type, fd, download = 0;
+        int opt, type, fd, download = 0, memory = 0;
+        int generator_wanted = 0, trials = 100;
+        int do_gen_candidates = 0, do_screen_candidates = 0;
+        BIGNUM *start = NULL;
        FILE *f;
        extern int optind;
        extern char *optarg;
-        __progname = get_progname(av[0]);
+        __progname = ssh_get_progname(av[0]);
        SSLeay_add_all_algorithms();
+        log_init(av[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
        init_rng();
        seed_rng();
@@ -774,7 +828,8 @@ main(int ac, char **av)
                exit(1);
        }
-        while ((opt = getopt(ac, av, "deiqpclBRxXyb:f:t:U:D:P:N:C:")) != -1) {
+        while ((opt = getopt(ac, av,
+            "degiqpclBRxXyb:f:t:U:D:P:N:C:r:g:T:G:M:S:a:W:")) != -1) {
                switch (opt) {
                case 'b':
                        bits = atoi(optarg);
@@ -799,6 +854,9 @@ main(int ac, char **av)
                        strlcpy(identity_file, optarg, sizeof(identity_file));
                        have_identity = 1;
                        break;
+                case 'g':
+                        print_generic = 1;
+                        break;
                case 'P':
                        identity_passphrase = optarg;
                        break;
@@ -839,6 +897,42 @@ main(int ac, char **av)
                case 'U':
                        reader_id = optarg;
                        break;
+                case 'r':
+                        resource_record_hostname = optarg;
+                        break;
+                case 'W':
+                        generator_wanted = atoi(optarg);
+                        if (generator_wanted < 1)
+                                fatal("Desired generator has bad value.");
+                        break;
+                case 'a':
+                        trials = atoi(optarg);
+                        if (trials < TRIAL_MINIMUM) {
+                                fatal("Minimum primality trials is %d", 
+                                    TRIAL_MINIMUM);
+                        }
+                        break;
+                case 'M':
+                        memory = atoi(optarg);
+                        if (memory != 0 && 
+                           (memory < LARGE_MINIMUM || memory > LARGE_MAXIMUM)) {
+                                fatal("Invalid memory amount (min %ld, max %ld)",
+                                    LARGE_MINIMUM, LARGE_MAXIMUM);
+                        }
+                        break;
+                case 'G':
+                        do_gen_candidates = 1;
+                        strlcpy(out_file, optarg, sizeof(out_file));
+                        break;
+                case 'T':
+                        do_screen_candidates = 1;
+                        strlcpy(out_file, optarg, sizeof(out_file));
+                        break;
+                case 'S':
+                        /* XXX - also compare length against bits */
+                        if (BN_hex2bn(&start, optarg) == 0)
+                                fatal("Invalid start point.");
+                        break;
                case '?':
                default:
                        usage();
@@ -864,6 +958,13 @@ main(int ac, char **av)
                do_convert_from_ssh2(pw);
        if (print_public)
                do_print_public(pw);
+        if (resource_record_hostname != NULL) {
+#ifdef DNS
+                do_print_resource_record(pw, resource_record_hostname);
+#else /* DNS */
+                fatal("no DNS support.");
+#endif /* DNS */
+        }
        if (reader_id != NULL) {
 #ifdef SMARTCARD
                if (download)
@@ -875,6 +976,42 @@ main(int ac, char **av)
 #endif /* SMARTCARD */
        }
+        if (do_gen_candidates) {
+                FILE *out = fopen(out_file, "w");
+                
+                if (out == NULL) {
+                        error("Couldn't open modulus candidate file \"%s\": %s",
+                            out_file, strerror(errno));
+                        return (1);
+                }
+                if (gen_candidates(out, memory, bits, start) != 0)
+                        fatal("modulus candidate generation failed\n");
+                return (0);
+        }
+        if (do_screen_candidates) {
+                FILE *in;
+                FILE *out = fopen(out_file, "w");
+                if (have_identity && strcmp(identity_file, "-") != 0) {
+                        if ((in = fopen(identity_file, "r")) == NULL) {
+                                fatal("Couldn't open modulus candidate "
+                                    "file \"%s\": %s", identity_file, 
+                                    strerror(errno));
+                        }
+                } else
+                        in = stdin;
+                if (out == NULL) {
+                        fatal("Couldn't open moduli file \"%s\": %s",
+                            out_file, strerror(errno));
+                }
+                if (prime_test(in, out, trials, generator_wanted) != 0)
+                        fatal("modulus screening failed\n");
+                return (0);
+        }
        arc4random_stir();
        if (key_type_name == NULL) {
diff --git a/ssh-keyscan.0 b/ssh-keyscan.0
index 19031a27f..23d9f943c 100644
--- a/ssh-keyscan.0
+++ b/ssh-keyscan.0
@@ -57,17 +57,6 @@ SECURITY
     detection of tampered keyfiles or man in the middle attacks which have
     begun after the ssh_known_hosts file was created.
-EXAMPLES
-     Print the rsa1 host key for machine hostname:
-     $ ssh-keyscan hostname
-     Find all hosts from the file ssh_hosts which have new or different keys
-     from those in the sorted file ssh_known_hosts:
-     $ ssh-keyscan -t rsa,dsa -f ssh_hosts | \
-             sort -u - ssh_known_hosts | diff ssh_known_hosts -
 FILES
     Input format:
@@ -81,22 +70,33 @@ FILES
     host-or-namelist keytype base64-encoded-key
-     Where keytype is either M-bM-^@M-^\ssh-rsaM-bM-^@M-^] or M-bM-^@M-^\ssh-dsaM-bM-^@M-^].
+     Where keytype is either M-bM-^@M-^\ssh-rsaM-bM-^@M-^] or M-bM-^@M-^\ssh-dssM-bM-^@M-^].
     /etc/ssh/ssh_known_hosts
-BUGS
+EXAMPLES
-     It generates "Connection closed by remote host" messages on the consoles
+     Print the rsa1 host key for machine hostname:
-     of all the machines it scans if the server is older than version 2.9.
-     This is because it opens a connection to the ssh port, reads the public
+     $ ssh-keyscan hostname
-     key, and drops the connection as soon as it gets the key.
+     Find all hosts from the file ssh_hosts which have new or different keys
+     from those in the sorted file ssh_known_hosts:
+     $ ssh-keyscan -t rsa,dsa -f ssh_hosts | \
+             sort -u - ssh_known_hosts | diff ssh_known_hosts -
 SEE ALSO
     ssh(1), sshd(8)
 AUTHORS
-     David Mazieres <dm@lcs.mit.edu> wrote the initial version, and Wayne
+     David Mazieres M-bM-^LM-)dm@lcs.mit.eduM-bM-^LM-* wrote the initial version, and
-     Davison <wayned@users.sourceforge.net> added support for protocol version
+     Wayne Davison M-bM-^LM-)wayned@users.sourceforge.netM-bM-^LM-* added support for protocol
-     2.
+     version 2.
+BUGS
+     It generates "Connection closed by remote host" messages on the consoles
+     of all the machines it scans if the server is older than version 2.9.
+     This is because it opens a connection to the ssh port, reads the public
+     key, and drops the connection as soon as it gets the key.
 BSD                             January 1, 1996                            BSD
diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
index f6596c481..572751f66 100644
--- a/ssh-keyscan.1
+++ b/ssh-keyscan.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keyscan.1,v 1.15 2003/03/28 10:11:43 jmc Exp $
+.\"     $OpenBSD: ssh-keyscan.1,v 1.17 2003/06/10 09:12:11 jmc Exp $
 .\"
 .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
 .\"
@@ -103,24 +103,6 @@ On the other hand, if the security model allows such a risk,
 .Nm
 can help in the detection of tampered keyfiles or man in the middle
 attacks which have begun after the ssh_known_hosts file was created.
-.Sh EXAMPLES
-.Pp
-Print the
-.Pa rsa1
-host key for machine
-.Pa hostname :
-.Bd -literal
-$ ssh-keyscan hostname
-.Ed
-.Pp
-Find all hosts from the file
-.Pa ssh_hosts
-which have new or different keys from those in the sorted file
-.Pa ssh_known_hosts :
-.Bd -literal
-$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e\ 
-        sort -u - ssh_known_hosts | diff ssh_known_hosts -
-.Ed
 .Sh FILES
 .Pa Input format:
 .Bd -literal
@@ -142,19 +124,36 @@ Where
 is either
 .Dq ssh-rsa
 or
-.Dq ssh-dsa .
+.Dq ssh-dss .
 .Pp
 .Pa /etc/ssh/ssh_known_hosts
-.Sh BUGS
+.Sh EXAMPLES
-It generates "Connection closed by remote host" messages on the consoles
+Print the
-of all the machines it scans if the server is older than version 2.9.
+.Pa rsa1
-This is because it opens a connection to the ssh port, reads the public
+host key for machine
-key, and drops the connection as soon as it gets the key.
+.Pa hostname :
+.Bd -literal
+$ ssh-keyscan hostname
+.Ed
+.Pp
+Find all hosts from the file
+.Pa ssh_hosts
+which have new or different keys from those in the sorted file
+.Pa ssh_known_hosts :
+.Bd -literal
+$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e
+        sort -u - ssh_known_hosts | diff ssh_known_hosts -
+.Ed
 .Sh SEE ALSO
 .Xr ssh 1 ,
 .Xr sshd 8
 .Sh AUTHORS
-David Mazieres <dm@lcs.mit.edu>
+.An David Mazieres Aq dm@lcs.mit.edu
 wrote the initial version, and
-Wayne Davison <wayned@users.sourceforge.net>
+.An Wayne Davison Aq wayned@users.sourceforge.net
 added support for protocol version 2.
+.Sh BUGS
+It generates "Connection closed by remote host" messages on the consoles
+of all the machines it scans if the server is older than version 2.9.
+This is because it opens a connection to the ssh port, reads the public
+key, and drops the connection as soon as it gets the key.
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index 5b4eb82d1..9fa8aaebc 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -7,7 +7,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keyscan.c,v 1.41 2003/02/16 17:09:57 markus Exp $");
+RCSID("$OpenBSD: ssh-keyscan.c,v 1.44 2003/06/28 16:23:06 deraadt Exp $");
 #include "openbsd-compat/sys-queue.h"
@@ -31,11 +31,7 @@ RCSID("$OpenBSD: ssh-keyscan.c,v 1.41 2003/02/16 17:09:57 markus Exp $");
 /* Flag indicating whether IPv4 or IPv6.  This can be set on the command line.
   Default value is AF_UNSPEC means both IPv4 and IPv6. */
-#ifdef IPV4_DEFAULT
-int IPv4or6 = AF_INET;
-#else
 int IPv4or6 = AF_UNSPEC;
-#endif
 int ssh_port = SSH_DEFAULT_PORT;
@@ -397,7 +393,7 @@ tcpconnect(char *host)
        if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
                fatal("getaddrinfo %s: %s", host, gai_strerror(gaierr));
        for (ai = aitop; ai; ai = ai->ai_next) {
-                s = socket(ai->ai_family, SOCK_STREAM, 0);
+                s = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
                if (s < 0) {
                        error("socket: %s", strerror(errno));
                        continue;
@@ -545,7 +541,7 @@ congreet(int s)
        n = snprintf(buf, sizeof buf, "SSH-%d.%d-OpenSSH-keyscan\r\n",
            c->c_keytype == KT_RSA1? PROTOCOL_MAJOR_1 : PROTOCOL_MAJOR_2,
            c->c_keytype == KT_RSA1? PROTOCOL_MINOR_1 : PROTOCOL_MINOR_2);
-        if (atomicio(write, s, buf, n) != n) {
+        if (atomicio(vwrite, s, buf, n) != n) {
                error("write (%s): %s", c->c_name, strerror(errno));
                confree(s);
                return;
@@ -685,7 +681,7 @@ fatal(const char *fmt,...)
 static void
 usage(void)
 {
-        fprintf(stderr, "usage: %s [-v46] [-p port] [-T timeout] [-f file]\n"
+        fprintf(stderr, "usage: %s [-v46] [-p port] [-T timeout] [-t type] [-f file]\n"
            "\t\t   [host | addrlist namelist] [...]\n",
            __progname);
        exit(1);
@@ -701,7 +697,7 @@ main(int argc, char **argv)
        extern int optind;
        extern char *optarg;
-        __progname = get_progname(argv[0]);
+        __progname = ssh_get_progname(argv[0]);
        init_rng();
        seed_rng();
        TAILQ_INIT(&tq);
diff --git a/ssh-keysign.0 b/ssh-keysign.0
index 6fb9ca59b..5e9c6f9c7 100644
--- a/ssh-keysign.0
+++ b/ssh-keysign.0
@@ -33,10 +33,10 @@ FILES
 SEE ALSO
     ssh(1), ssh-keygen(1), ssh_config(5), sshd(8)
-AUTHORS
-     Markus Friedl <markus@openbsd.org>
 HISTORY
     ssh-keysign first appeared in OpenBSD 3.2.
+AUTHORS
+     Markus Friedl M-bM-^LM-)markus@openbsd.orgM-bM-^LM-*
 BSD                              May 24, 2002                              BSD
diff --git a/ssh-keysign.8 b/ssh-keysign.8
index 2e3f8ff3e..a17e8d5cf 100644
--- a/ssh-keysign.8
+++ b/ssh-keysign.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keysign.8,v 1.6 2003/03/28 10:11:43 jmc Exp $
+.\" $OpenBSD: ssh-keysign.8,v 1.7 2003/06/10 09:12:11 jmc Exp $
 .\"
 .\" Copyright (c) 2002 Markus Friedl.  All rights reserved.
 .\"
@@ -74,9 +74,9 @@ must be set-uid root if hostbased authentication is used.
 .Xr ssh-keygen 1 ,
 .Xr ssh_config 5 ,
 .Xr sshd 8
-.Sh AUTHORS
-Markus Friedl <markus@openbsd.org>
 .Sh HISTORY
 .Nm
 first appeared in
 .Ox 3.2 .
+.Sh AUTHORS
+.An Markus Friedl Aq markus@openbsd.org
diff --git a/ssh-keysign.c b/ssh-keysign.c
index 26c8faad2..c7ca5c4e4 100644
--- a/ssh-keysign.c
+++ b/ssh-keysign.c
@@ -22,7 +22,7 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keysign.c,v 1.10 2003/03/13 11:42:19 markus Exp $");
+RCSID("$OpenBSD: ssh-keysign.c,v 1.13 2003/07/03 08:09:06 djm Exp $");
 #include <openssl/evp.h>
 #include <openssl/rand.h>
@@ -42,7 +42,8 @@ RCSID("$OpenBSD: ssh-keysign.c,v 1.10 2003/03/13 11:42:19 markus Exp $");
 #include "pathnames.h"
 #include "readconf.h"
-uid_t original_real_uid;        /* XXX readconf.c needs this */
+/* XXX readconf.c needs these */
+uid_t original_real_uid;
 #ifdef HAVE___PROGNAME
 extern char *__progname;
@@ -55,7 +56,7 @@ valid_request(struct passwd *pw, char *host, Key **ret, u_char *data,
    u_int datalen)
 {
        Buffer b;
-        Key *key;
+        Key *key = NULL;
        u_char *pkblob;
        u_int blen, len;
        char *pkalg, *p;
diff --git a/ssh-rand-helper.c b/ssh-rand-helper.c
index 68b77b208..7e65e4569 100644
--- a/ssh-rand-helper.c
+++ b/ssh-rand-helper.c
@@ -39,7 +39,7 @@
 #include "pathnames.h"
 #include "log.h"
-RCSID("$Id: ssh-rand-helper.c,v 1.10 2003/03/17 05:13:53 djm Exp $");
+RCSID("$Id: ssh-rand-helper.c,v 1.13 2003/08/21 23:34:41 djm Exp $");
 /* Number of bytes we write out */
 #define OUTPUT_SEED_SIZE        48
@@ -187,7 +187,7 @@ reopen:
        msg[0] = 0x02;
        msg[1] = len;
-        if (atomicio(write, fd, msg, sizeof(msg)) != sizeof(msg)) {
+        if (atomicio(vwrite, fd, msg, sizeof(msg)) != sizeof(msg)) {
                if (errno == EPIPE && errors < 10) {
                        close(fd);
                        errors++;
@@ -532,7 +532,7 @@ prng_check_seedfile(char *filename)
        /* mode 0600, owned by root or the current user? */
        if (((st.st_mode & 0177) != 0) || !(st.st_uid == getuid())) {
                debug("WARNING: PRNG seedfile %.100s must be mode 0600, "
-                    "owned by uid %d", filename, getuid());
+                    "owned by uid %li", filename, (long int)getuid());
                return 0;
        }
@@ -550,7 +550,7 @@ prng_write_seedfile(void)
        pw = getpwuid(getuid());
        if (pw == NULL)
                fatal("Couldn't get password entry for current user "
-                    "(%i): %s", getuid(), strerror(errno));
+                    "(%li): %s", (long int)getuid(), strerror(errno));
        /* Try to ensure that the parent directory is there */
        snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir,
@@ -572,7 +572,7 @@ prng_write_seedfile(void)
                debug("WARNING: couldn't access PRNG seedfile %.100s "
                    "(%.100s)", filename, strerror(errno));
        } else {
-                if (atomicio(write, fd, &seed, sizeof(seed)) < sizeof(seed))
+                if (atomicio(vwrite, fd, &seed, sizeof(seed)) < sizeof(seed))
                        fatal("problem writing PRNG seedfile %.100s "
                            "(%.100s)", filename, strerror(errno));
                close(fd);
@@ -589,7 +589,7 @@ prng_read_seedfile(void)
        pw = getpwuid(getuid());
        if (pw == NULL)
                fatal("Couldn't get password entry for current user "
-                    "(%i): %s", getuid(), strerror(errno));
+                    "(%li): %s", (long int)getuid(), strerror(errno));
        snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir,
                SSH_PRNG_SEED_FILE);
@@ -769,7 +769,7 @@ main(int argc, char **argv)
        extern char *optarg;
        LogLevel ll;
-        __progname = get_progname(argv[0]);
+        __progname = ssh_get_progname(argv[0]);
        log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
        ll = SYSLOG_LEVEL_INFO;
@@ -858,7 +858,7 @@ main(int argc, char **argv)
                        printf("%02x", (unsigned char)(buf[ret]));
                printf("\n");
        } else
-                ret = atomicio(write, STDOUT_FILENO, buf, bytes);
+                ret = atomicio(vwrite, STDOUT_FILENO, buf, bytes);
                
        memset(buf, '\0', bytes);
        xfree(buf);
diff --git a/ssh-rsa.c b/ssh-rsa.c
index efbc9e664..53e5023f7 100644
--- a/ssh-rsa.c
+++ b/ssh-rsa.c
@@ -1,29 +1,20 @@
 /*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ * Copyright (c) 2000, 2003 Markus Friedl <markus@openbsd.org>
 *
- * Redistribution and use in source and binary forms, with or without
+ * Permission to use, copy, modify, and distribute this software for any
- * modification, are permitted provided that the following conditions
+ * purpose with or without fee is hereby granted, provided that the above
- * are met:
+ * copyright notice and this permission notice appear in all copies.
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
 *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-rsa.c,v 1.28 2003/02/12 09:33:04 markus Exp $");
+RCSID("$OpenBSD: ssh-rsa.c,v 1.30 2003/06/18 11:28:11 markus Exp $");
 #include <openssl/evp.h>
 #include <openssl/err.h>
diff --git a/ssh.0 b/ssh.0
index 0baca2288..972ac45c7 100644
--- a/ssh.0
+++ b/ssh.0
@@ -6,7 +6,7 @@ NAME
 SYNOPSIS
     ssh [-l login_name] hostname | user@hostname [command]
-     ssh [-afgknqstvxACNTX1246] [-b bind_address] [-c cipher_spec]
+     ssh [-afgknqstvxACNTVX1246] [-b bind_address] [-c cipher_spec]
         [-e escape_char] [-i identity_file] [-l login_name] [-m mac_spec]
         [-o option] [-p port] [-F configfile] [-L port:host:hostport]
         [-R port:host:hostport] [-D port] hostname | user@hostname [command]
@@ -149,6 +149,9 @@ DESCRIPTION
     ~?      Display a list of escape characters
+     ~B      Send a BREAK to the remote system (only useful for SSH protocol
+             version 2 and if the peer supports it)
     ~C      Open command line (only useful for adding port forwardings using
             the -L and -R options)
@@ -263,12 +266,12 @@ DESCRIPTION
             ties specified in configuration files).
     -I smartcard_device
-             Specifies which smartcard device to use. The argument is the
+             Specifies which smartcard device to use.  The argument is the
             device ssh should use to communicate with a smartcard used for
             storing the userM-bM-^@M-^Ys private RSA key.
-     -k      Disables forwarding of Kerberos tickets and AFS tokens.  This may
+     -k      Disables forwarding of Kerberos tickets.  This may also be speci-
-             also be specified on a per-host basis in the configuration file.
+             fied on a per-host basis in the configuration file.
     -l login_name
             Specifies the user to log in as on the remote machine.  This also
@@ -305,10 +308,10 @@ DESCRIPTION
             suppressed.
     -s      May be used to request invocation of a subsystem on the remote
-             system. Subsystems are a feature of the SSH2 protocol which
+             system.  Subsystems are a feature of the SSH2 protocol which
             facilitate the use of SSH as a secure transport for other appli-
-             cations (eg. sftp). The subsystem is specified as the remote com-
+             cations (eg. sftp).  The subsystem is specified as the remote
-             mand.
+             command.
     -t      Force pseudo-tty allocation.  This can be used to execute arbi-
             trary screen-based programs on a remote machine, which can be
@@ -319,8 +322,10 @@ DESCRIPTION
     -v      Verbose mode.  Causes ssh to print debugging messages about its
             progress.  This is helpful in debugging connection, authentica-
-             tion, and configuration problems.  Multiple -v options increases
+             tion, and configuration problems.  Multiple -v options increase
-             the verbosity.  Maximum is 3.
+             the verbosity.  The maximum is 3.
+     -V      Display the version number and exit.
     -x      Disables X11 forwarding.
@@ -377,10 +382,10 @@ DESCRIPTION
             side, and whenever a connection is made to this port, the connec-
             tion is forwarded over the secure channel, and the application
             protocol is then used to determine where to connect to from the
-             remote machine.  Currently the SOCKS4 protocol is supported, and
+             remote machine.  Currently the SOCKS4 and SOCKS5 protocols are
-             ssh will act as a SOCKS4 server.  Only root can forward privi-
+             supported, and ssh will act as a SOCKS server.  Only root can
-             leged ports.  Dynamic port forwardings can also be specified in
+             forward privileged ports.  Dynamic port forwardings can also be
-             the configuration file.
+             specified in the configuration file.
     -1      Forces ssh to try protocol version 1 only.
@@ -559,7 +564,7 @@ FILES
             with ssh without permitting login with rlogin or rsh(1).
     /etc/hosts.equiv
-             This file is used during .rhosts authentication. It contains
+             This file is used during .rhosts authentication.  It contains
             canonical hosts names, one per line (the full format is described
             on the sshd(8) manual page).  If the client host is found in this
             file, login is automatically permitted provided client and server
@@ -590,13 +595,6 @@ DIAGNOSTICS
     ssh exits with the exit status of the remote command or with 255 if an
     error occurred.
-AUTHORS
-     OpenSSH is a derivative of the original and free ssh 1.2.12 release by
-     Tatu Ylonen.  Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
-     de Raadt and Dug Song removed many bugs, re-added newer features and cre-
-     ated OpenSSH.  Markus Friedl contributed the support for SSH protocol
-     versions 1.5 and 2.0.
 SEE ALSO
     rsh(1), scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1),
     telnet(1), ssh_config(5), ssh-keysign(8), sshd(8)
@@ -605,4 +603,11 @@ SEE ALSO
     Protocol Architecture, draft-ietf-secsh-architecture-12.txt, January
     2002, work in progress material.
+AUTHORS
+     OpenSSH is a derivative of the original and free ssh 1.2.12 release by
+     Tatu Ylonen.  Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
+     de Raadt and Dug Song removed many bugs, re-added newer features and cre-
+     ated OpenSSH.  Markus Friedl contributed the support for SSH protocol
+     versions 1.5 and 2.0.
 BSD                           September 25, 1999                           BSD
diff --git a/ssh.1 b/ssh.1
index fd822bb3d..c81cb42c6 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.168 2003/03/28 10:11:43 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.175 2003/07/22 13:35:22 markus Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -49,7 +49,7 @@
 .Pp
 .Nm ssh
 .Bk -words
-.Op Fl afgknqstvxACNTX1246
+.Op Fl afgknqstvxACNTVX1246
 .Op Fl b Ar bind_address
 .Op Fl c Ar cipher_spec
 .Op Fl e Ar escape_char
@@ -301,6 +301,9 @@ Background ssh at logout when waiting for forwarded connection / X11 sessions
 to terminate
 .It Cm ~?
 Display a list of escape characters
+.It Cm ~B
+Send a BREAK to the remote system (only useful for SSH protocol version 2
+and if the peer supports it)
 .It Cm ~C
 Open command line (only useful for adding port forwardings using the
 .Fl L
@@ -485,13 +488,13 @@ It is possible to have multiple
 options (and multiple identities specified in
 configuration files).
 .It Fl I Ar smartcard_device
-Specifies which smartcard device to use. The argument is
+Specifies which smartcard device to use.
-the device
+The argument is the device
 .Nm
 should use to communicate with a smartcard used for storing the user's
 private RSA key.
 .It Fl k
-Disables forwarding of Kerberos tickets and AFS tokens.
+Disables forwarding of Kerberos tickets.
 This may also be specified on a per-host basis in the configuration file.
 .It Fl l Ar login_name
 Specifies the user to log in as on the remote machine.
@@ -539,9 +542,10 @@ per-host basis in the configuration file.
 Quiet mode.
 Causes all warning and diagnostic messages to be suppressed.
 .It Fl s
-May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use
+May be used to request invocation of a subsystem on the remote system.
-of SSH as a secure transport for other applications (eg. sftp). The
+Subsystems are a feature of the SSH2 protocol which facilitate the use
-subsystem is specified as the remote command.
+of SSH as a secure transport for other applications (eg. sftp).
+The subsystem is specified as the remote command.
 .It Fl t
 Force pseudo-tty allocation.
 This can be used to execute arbitrary
@@ -563,8 +567,10 @@ This is helpful in
 debugging connection, authentication, and configuration problems.
 Multiple
 .Fl v
-options increases the verbosity.
+options increase the verbosity.
-Maximum is 3.
+The maximum is 3.
+.It Fl V
+Display the version number and exit.
 .It Fl x
 Disables X11 forwarding.
 .It Fl X
@@ -643,9 +649,9 @@ on the local side, and whenever a connection is made to this port, the
 connection is forwarded over the secure channel, and the application
 protocol is then used to determine where to connect to from the
 remote machine.
-Currently the SOCKS4 protocol is supported, and
+Currently the SOCKS4 and SOCKS5 protocols are supported, and
 .Nm
-will act as a SOCKS4 server.
+will act as a SOCKS server.
 Only root can forward privileged ports.
 Dynamic port forwardings can also be specified in the configuration file.
 .It Fl 1
@@ -916,7 +922,8 @@ or
 .Xr rsh 1 .
 .It Pa /etc/hosts.equiv
 This file is used during
-.Pa \&.rhosts authentication.
+.Pa \&.rhosts
+authentication.
 It contains
 canonical hosts names, one per line (the full format is described on
 the
@@ -958,15 +965,6 @@ above.
 .Nm
 exits with the exit status of the remote command or with 255
 if an error occurred.
-.Sh AUTHORS
-OpenSSH is a derivative of the original and free
-ssh 1.2.12 release by Tatu Ylonen.
-Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
-Theo de Raadt and Dug Song
-removed many bugs, re-added newer features and
-created OpenSSH.
-Markus Friedl contributed the support for SSH
-protocol versions 1.5 and 2.0.
 .Sh SEE ALSO
 .Xr rsh 1 ,
 .Xr scp 1 ,
@@ -989,3 +987,12 @@ protocol versions 1.5 and 2.0.
 .%D January 2002
 .%O work in progress material
 .Re
+.Sh AUTHORS
+OpenSSH is a derivative of the original and free
+ssh 1.2.12 release by Tatu Ylonen.
+Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
+Theo de Raadt and Dug Song
+removed many bugs, re-added newer features and
+created OpenSSH.
+Markus Friedl contributed the support for SSH
+protocol versions 1.5 and 2.0.
diff --git a/ssh.c b/ssh.c
index 720604394..35418f693 100644
--- a/ssh.c
+++ b/ssh.c
@@ -40,7 +40,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.190 2003/02/06 09:27:29 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.201 2003/09/01 18:15:50 markus Exp $");
 #include <openssl/evp.h>
 #include <openssl/err.h>
@@ -79,14 +79,6 @@ extern char *__progname;
 char *__progname;
 #endif
-/* Flag indicating whether IPv4 or IPv6.  This can be set on the command line.
-   Default value is AF_UNSPEC means both IPv4 and IPv6. */
-#ifdef IPV4_DEFAULT
-int IPv4or6 = AF_INET;
-#else
-int IPv4or6 = AF_UNSPEC;
-#endif
 /* Flag indicating whether debug mode is on.  This can be set on the command line. */
 int debug_flag = 0;
@@ -162,9 +154,6 @@ usage(void)
             _PATH_SSH_USER_CONFFILE);
        fprintf(stderr, "  -A          Enable authentication agent forwarding.\n");
        fprintf(stderr, "  -a          Disable authentication agent forwarding (default).\n");
-#ifdef AFS
-        fprintf(stderr, "  -k          Disable Kerberos ticket and AFS token forwarding.\n");
-#endif                          /* AFS */
        fprintf(stderr, "  -X          Enable X11 connection forwarding.\n");
        fprintf(stderr, "  -x          Disable X11 connection forwarding (default).\n");
        fprintf(stderr, "  -i file     Identity for public key authentication "
@@ -222,7 +211,7 @@ main(int ac, char **av)
        extern int optind, optreset;
        extern char *optarg;
-        __progname = get_progname(av[0]);
+        __progname = ssh_get_progname(av[0]);
        init_rng();
        /*
@@ -253,7 +242,7 @@ main(int ac, char **av)
        /* Get user data. */
        pw = getpwuid(original_real_uid);
        if (!pw) {
-                log("You don't exist, go away!");
+                logit("You don't exist, go away!");
                exit(1);
        }
        /* Take a copy of the returned structure. */
@@ -284,10 +273,10 @@ again:
                        options.protocol = SSH_PROTO_2;
                        break;
                case '4':
-                        IPv4or6 = AF_INET;
+                        options.address_family = AF_INET;
                        break;
                case '6':
-                        IPv4or6 = AF_INET6;
+                        options.address_family = AF_INET6;
                        break;
                case 'n':
                        stdin_null_flag = 1;
@@ -314,12 +303,9 @@ again:
                case 'A':
                        options.forward_agent = 1;
                        break;
-#ifdef AFS
                case 'k':
-                        options.kerberos_tgt_passing = 0;
+                        /* ignored for backward compatibility */
-                        options.afs_token_passing = 0;
                        break;
-#endif
                case 'i':
                        if (stat(optarg, &st) < 0) {
                                fprintf(stderr, "Warning: Identity file %s "
@@ -346,22 +332,22 @@ again:
                        tty_flag = 1;
                        break;
                case 'v':
-                        if (0 == debug_flag) {
+                        if (debug_flag == 0) {
                                debug_flag = 1;
                                options.log_level = SYSLOG_LEVEL_DEBUG1;
-                        } else if (options.log_level < SYSLOG_LEVEL_DEBUG3) {
+                        } else {
-                                options.log_level++;
+                                if (options.log_level < SYSLOG_LEVEL_DEBUG3)
+                                        options.log_level++;
                                break;
-                        } else
+                        }
-                                fatal("Too high debugging level.");
                        /* fallthrough */
                case 'V':
                        fprintf(stderr,
-                            "%s, SSH protocols %d.%d/%d.%d, OpenSSL 0x%8.8lx\n",
+                            "%s, SSH protocols %d.%d/%d.%d, %s\n",
                            SSH_VERSION,
                            PROTOCOL_MAJOR_1, PROTOCOL_MINOR_1,
                            PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
-                            SSLeay());
+                            SSLeay_version(SSLEAY_VERSION));
                        if (opt == 'V')
                                exit(0);
                        break;
@@ -427,9 +413,9 @@ again:
                case 'L':
                case 'R':
-                        if (sscanf(optarg, "%5[0-9]:%255[^:]:%5[0-9]",
+                        if (sscanf(optarg, "%5[0123456789]:%255[^:]:%5[0123456789]",
                            sfwd_port, buf, sfwd_host_port) != 3 &&
-                            sscanf(optarg, "%5[0-9]/%255[^/]/%5[0-9]",
+                            sscanf(optarg, "%5[0123456789]/%255[^/]/%5[0123456789]",
                            sfwd_port, buf, sfwd_host_port) != 3) {
                                fprintf(stderr,
                                    "Bad forwarding specification '%s'\n",
@@ -458,7 +444,7 @@ again:
                                    optarg);
                                exit(1);
                        }
-                        add_local_forward(&options, fwd_port, "socks4", 0);
+                        add_local_forward(&options, fwd_port, "socks", 0);
                        break;
                case 'C':
@@ -518,7 +504,6 @@ again:
        SSLeay_add_all_algorithms();
        ERR_load_crypto_strings();
-        channel_set_af(IPv4or6);
        /* Initialize the command to execute on remote host. */
        buffer_init(&command);
@@ -559,7 +544,7 @@ again:
        /* Do not allocate a tty if stdin is not a tty. */
        if (!isatty(fileno(stdin)) && !force_tty_flag) {
                if (tty_flag)
-                        log("Pseudo-terminal will not be allocated because stdin is not a terminal.");
+                        logit("Pseudo-terminal will not be allocated because stdin is not a terminal.");
                tty_flag = 0;
        }
@@ -590,6 +575,8 @@ again:
        /* Fill configuration defaults. */
        fill_default_options(&options);
+        channel_set_af(options.address_family);
        /* reinit */
        log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 1);
@@ -601,25 +588,20 @@ again:
        if (options.hostname != NULL)
                host = options.hostname;
+        /* force lowercase for hostkey matching */
+        if (options.host_key_alias != NULL) {
+                for (p = options.host_key_alias; *p; p++)
+                        if (isupper(*p))
+                                *p = tolower(*p);
+        }
        if (options.proxy_command != NULL &&
            strcmp(options.proxy_command, "none") == 0)
                options.proxy_command = NULL;
-        /* Disable rhosts authentication if not running as root. */
-#ifdef HAVE_CYGWIN
-        /* Ignore uid if running under Windows */
-        if (!options.use_privileged_port) {
-#else
-        if (original_effective_uid != 0 || !options.use_privileged_port) {
-#endif
-                debug("Rhosts Authentication disabled, "
-                    "originating port will not be trusted.");
-                options.rhosts_authentication = 0;
-        }
        /* Open a connection to the remote host. */
+        if (ssh_connect(host, &hostaddr, options.port,
-        if (ssh_connect(host, &hostaddr, options.port, IPv4or6,
+            options.address_family, options.connection_attempts,
-            options.connection_attempts,
 #ifdef HAVE_CYGWIN
            options.use_privileged_port,
 #else
@@ -793,7 +775,7 @@ x11_get_proto(char **_proto, char **_data)
        if (!got_data) {
                u_int32_t rand = 0;
-                log("Warning: No xauth data; using fake authentication data for X11 forwarding.");
+                logit("Warning: No xauth data; using fake authentication data for X11 forwarding.");
                strlcpy(proto, "MIT-MAGIC-COOKIE-1", sizeof proto);
                for (i = 0; i < 16; i++) {
                        if (i % 4 == 0)
@@ -873,7 +855,7 @@ ssh_session(void)
                if (type == SSH_SMSG_SUCCESS)
                        packet_start_compression(options.compression_level);
                else if (type == SSH_SMSG_FAILURE)
-                        log("Warning: Remote host refused compression.");
+                        logit("Warning: Remote host refused compression.");
                else
                        packet_disconnect("Protocol error waiting for compression response.");
        }
@@ -912,7 +894,7 @@ ssh_session(void)
                        interactive = 1;
                        have_tty = 1;
                } else if (type == SSH_SMSG_FAILURE)
-                        log("Warning: Remote host failed or refused to allocate a pseudo tty.");
+                        logit("Warning: Remote host failed or refused to allocate a pseudo tty.");
                else
                        packet_disconnect("Protocol error waiting for pty request response.");
        }
@@ -930,7 +912,7 @@ ssh_session(void)
                if (type == SSH_SMSG_SUCCESS) {
                        interactive = 1;
                } else if (type == SSH_SMSG_FAILURE) {
-                        log("Warning: Remote host denied X11 forwarding.");
+                        logit("Warning: Remote host denied X11 forwarding.");
                } else {
                        packet_disconnect("Protocol error waiting for X11 forwarding");
                }
@@ -949,7 +931,7 @@ ssh_session(void)
                type = packet_read();
                packet_check_eom();
                if (type != SSH_SMSG_SUCCESS)
-                        log("Warning: Remote host denied authentication agent forwarding.");
+                        logit("Warning: Remote host denied authentication agent forwarding.");
        }
        /* Initiate port forwardings. */
@@ -1017,7 +999,7 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt)
            options.remote_forwards[i].host,
            options.remote_forwards[i].host_port);
        if (type == SSH2_MSG_REQUEST_FAILURE)
-                log("Warning: remote port forwarding failed for listen port %d",
+                logit("Warning: remote port forwarding failed for listen port %d",
                    options.remote_forwards[i].port);
 }
@@ -1132,7 +1114,7 @@ ssh_session2_open(void)
        c = channel_new(
            "session", SSH_CHANNEL_OPENING, in, out, err,
            window, packetmax, CHAN_EXTENDED_WRITE,
-            xstrdup("client-session"), /*nonblock*/0);
+            "client-session", /*nonblock*/0);
        debug3("ssh_session2_open: channel_new: %d", c->self);
@@ -1184,7 +1166,7 @@ load_public_identity_files(void)
                            sizeof(Key *) * (SSH_MAX_IDENTITY_FILES - 1));
                        options.num_identity_files++;
                        options.identity_keys[0] = keys[i];
-                        options.identity_files[0] = xstrdup("smartcard key");;
+                        options.identity_files[0] = sc_get_key_label(keys[i]);
                }
                if (options.num_identity_files > SSH_MAX_IDENTITY_FILES)
                        options.num_identity_files = SSH_MAX_IDENTITY_FILES;
diff --git a/ssh.h b/ssh.h
index 0a6ad1317..e88b9b83e 100644
--- a/ssh.h
+++ b/ssh.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssh.h,v 1.71 2002/06/22 02:00:29 stevesk Exp $        */
+/*      $OpenBSD: ssh.h,v 1.74 2003/09/01 13:52:18 markus Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -20,7 +20,6 @@
 #include <stdarg.h> /* For va_list */
 #include <syslog.h> /* For LOG_AUTH and friends */
 #include <sys/socket.h> /* For struct sockaddr_storage */
-#include "openbsd-compat/fake-socket.h" /* For struct sockaddr_storage */
 #ifdef HAVE_SYS_SELECT_H
 # include <sys/select.h>
 #endif
@@ -89,9 +88,6 @@
 */
 #define SSH_SESSION_KEY_LENGTH          32
-/* Name of Kerberos service for SSH to use. */
-#define KRB4_SERVICE_NAME               "rcmd"
 /* Used to identify ``EscapeChar none'' */
 #define SSH_ESCAPECHAR_NONE             -2
diff --git a/ssh2.h b/ssh2.h
index 091e52b13..fb491c918 100644
--- a/ssh2.h
+++ b/ssh2.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssh2.h,v 1.8 2002/03/04 17:27:39 stevesk Exp $        */
+/*      $OpenBSD: ssh2.h,v 1.9 2003/05/14 00:52:59 markus Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -61,6 +61,8 @@
 #define SSH2_MSG_TRANSPORT_MAX                          49
 #define SSH2_MSG_USERAUTH_MIN                           50
 #define SSH2_MSG_USERAUTH_MAX                           79
+#define SSH2_MSG_USERAUTH_PER_METHOD_MIN                60
+#define SSH2_MSG_USERAUTH_PER_METHOD_MAX                SSH2_MSG_USERAUTH_MAX
 #define SSH2_MSG_CONNECTION_MIN                         80
 #define SSH2_MSG_CONNECTION_MAX                         127
 #define SSH2_MSG_RESERVED_MIN                           128
diff --git a/ssh_config b/ssh_config
index 94cffbf39..2692e8913 100644
--- a/ssh_config
+++ b/ssh_config
@@ -1,4 +1,4 @@
-#       $OpenBSD: ssh_config,v 1.16 2002/07/03 14:21:05 markus Exp $
+#       $OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $
 # This is the ssh client system-wide configuration file.  See
 # ssh_config(5) for more information.  This file provides defaults for
@@ -18,13 +18,14 @@
 # Host *
 #   ForwardAgent no
 #   ForwardX11 no
-#   RhostsAuthentication no
 #   RhostsRSAAuthentication no
 #   RSAAuthentication yes
 #   PasswordAuthentication yes
 #   HostbasedAuthentication no
 #   BatchMode no
 #   CheckHostIP yes
+#   AddressFamily any
+#   ConnectTimeout 0
 #   StrictHostKeyChecking ask
 #   IdentityFile ~/.ssh/identity
 #   IdentityFile ~/.ssh/id_rsa
diff --git a/ssh_config.0 b/ssh_config.0
index 74e516594..a8687ffc2 100644
--- a/ssh_config.0
+++ b/ssh_config.0
@@ -39,16 +39,16 @@ DESCRIPTION
     Host    Restricts the following declarations (up to the next Host key-
             word) to be only for those hosts that match one of the patterns
-             given after the keyword.  M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y?  can be used as wildcards
+             given after the keyword.  M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y can be used as wildcards in
-             in the patterns.  A single M-bM-^@M-^X*M-bM-^@M-^Y as a pattern can be used to pro-
+             the patterns.  A single M-bM-^@M-^X*M-bM-^@M-^Y as a pattern can be used to provide
-             vide global defaults for all hosts.  The host is the hostname
+             global defaults for all hosts.  The host is the hostname argument
-             argument given on the command line (i.e., the name is not con-
+             given on the command line (i.e., the name is not converted to a
-             verted to a canonicalized host name before matching).
+             canonicalized host name before matching).
-     AFSTokenPassing
+     AddressFamily
-             Specifies whether to pass AFS tokens to remote host.  The argu-
+             Specifies which address family to use when connecting.  Valid
-             ment to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].  This option applies
+             arguments are M-bM-^@M-^\anyM-bM-^@M-^], M-bM-^@M-^\inetM-bM-^@M-^] (Use IPv4 only) or M-bM-^@M-^\inet6M-bM-^@M-^] (Use IPv6
-             to protocol version 1 only.
+             only.)
     BatchMode
             If set to M-bM-^@M-^\yesM-bM-^@M-^], passphrase/password querying will be disabled.
@@ -112,15 +112,28 @@ DESCRIPTION
             exiting.  The argument must be an integer.  This may be useful in
             scripts if the connection sometimes fails.  The default is 1.
+     ConnectTimeout
+             Specifies the timeout (in seconds) used when connecting to the
+             ssh server, instead of using the default system TCP timeout.
+             This value is used only when the target is down or really
+             unreachable, not when it refuses the connection.
     DynamicForward
             Specifies that a TCP/IP port on the local machine be forwarded
             over the secure channel, and the application protocol is then
             used to determine where to connect to from the remote machine.
-             The argument must be a port number.  Currently the SOCKS4 proto-
+             The argument must be a port number.  Currently the SOCKS4 and
-             col is supported, and ssh will act as a SOCKS4 server.  Multiple
+             SOCKS5 protocols are supported, and ssh will act as a SOCKS
-             forwardings may be specified, and additional forwardings can be
+             server.  Multiple forwardings may be specified, and additional
-             given on the command line.  Only the superuser can forward privi-
+             forwardings can be given on the command line.  Only the superuser
-             leged ports.
+             can forward privileged ports.
+     EnableSSHKeysign
+             Setting this option to M-bM-^@M-^\yesM-bM-^@M-^] in the global client configuration
+             file /etc/ssh/ssh_config enables the use of the helper program
+             ssh-keysign(8) during HostbasedAuthentication.  The argument must
+             be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].  The default is M-bM-^@M-^\noM-bM-^@M-^].  See ssh-keysign(8) for
+             more information.
     EscapeChar
             Sets the escape character (default: M-bM-^@M-^X~M-bM-^@M-^Y).  The escape character
@@ -166,6 +179,16 @@ DESCRIPTION
             Specifies a file to use for the global host key database instead
             of /etc/ssh/ssh_known_hosts.
+     GSSAPIAuthentication
+             Specifies whether authentication based on GSSAPI may be used,
+             either using the result of a successful key exchange, or using
+             GSSAPI user authentication.  The default is M-bM-^@M-^\yesM-bM-^@M-^].  Note that
+             this option applies to protocol version 2 only.
+     GSSAPIDelegateCredentials
+             Forward (delegate) credentials to the server.  The default is
+             M-bM-^@M-^\noM-bM-^@M-^].  Note that this option applies to protocol version 2 only.
     HostbasedAuthentication
             Specifies whether to try rhosts based authentication with public
             key authentication.  The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].  The
@@ -192,14 +215,14 @@ DESCRIPTION
     IdentityFile
             Specifies a file from which the userM-bM-^@M-^Ys RSA or DSA authentication
-             identity is read. The default is $HOME/.ssh/identity for protocol
+             identity is read.  The default is $HOME/.ssh/identity for proto-
-             version 1, and $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa for proto-
+             col version 1, and $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa for
-             col version 2.  Additionally, any identities represented by the
+             protocol version 2.  Additionally, any identities represented by
-             authentication agent will be used for authentication.  The file
+             the authentication agent will be used for authentication.  The
-             name may use the tilde syntax to refer to a userM-bM-^@M-^Ys home direc-
+             file name may use the tilde syntax to refer to a userM-bM-^@M-^Ys home
-             tory.  It is possible to have multiple identity files specified
+             directory.  It is possible to have multiple identity files speci-
-             in configuration files; all these identities will be tried in
+             fied in configuration files; all these identities will be tried
-             sequence.
+             in sequence.
     KeepAlive
             Specifies whether the system should send TCP keepalive messages
@@ -214,15 +237,6 @@ DESCRIPTION
             To disable keepalives, the value should be set to M-bM-^@M-^\noM-bM-^@M-^].
-     KerberosAuthentication
-             Specifies whether Kerberos authentication will be used.  The
-             argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].
-     KerberosTgtPassing
-             Specifies whether a Kerberos TGT will be forwarded to the server.
-             This will only work if the Kerberos server is actually an AFS
-             kaserver.  The argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].
     LocalForward
             Specifies that a TCP/IP port on the local machine be forwarded
             over the secure channel to the specified host and port from the
@@ -267,9 +281,9 @@ DESCRIPTION
     PreferredAuthentications
             Specifies the order in which the client should try protocol 2
-             authentication methods. This allows a client to prefer one method
+             authentication methods.  This allows a client to prefer one
-             (e.g.  keyboard-interactive) over another method (e.g.  password)
+             method (e.g.  keyboard-interactive) over another method (e.g.
-             The default for this option is:
+             password) The default for this option is:
             M-bM-^@M-^\hostbased,publickey,keyboard-interactive,passwordM-bM-^@M-^].
     Protocol
@@ -307,16 +321,6 @@ DESCRIPTION
             specified, and additional forwardings can be given on the command
             line.  Only the superuser can forward privileged ports.
-     RhostsAuthentication
-             Specifies whether to try rhosts based authentication.  Note that
-             this declaration only affects the client side and has no effect
-             whatsoever on security.  Most servers do not permit RhostsAuthen-
-             tication because it is not secure (see RhostsRSAAuthentication).
-             The argument to this keyword must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].  The default
-             is M-bM-^@M-^\noM-bM-^@M-^].  This option applies to protocol version 1 only and
-             requires ssh to be setuid root and UsePrivilegedPort to be set to
-             M-bM-^@M-^\yesM-bM-^@M-^].
     RhostsRSAAuthentication
             Specifies whether to try rhosts based authentication with RSA
             host authentication.  The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].  The
@@ -331,9 +335,9 @@ DESCRIPTION
             applies to protocol version 1 only.
     SmartcardDevice
-             Specifies which smartcard device to use. The argument to this
+             Specifies which smartcard device to use.  The argument to this
             keyword is the device ssh should use to communicate with a smart-
-             card used for storing the userM-bM-^@M-^Ys private RSA key. By default, no
+             card used for storing the userM-bM-^@M-^Ys private RSA key.  By default, no
             device is specified and smartcard support is not activated.
     StrictHostKeyChecking
@@ -356,8 +360,7 @@ DESCRIPTION
             Specifies whether to use a privileged port for outgoing connec-
             tions.  The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].  The default is M-bM-^@M-^\noM-bM-^@M-^].
             If set to M-bM-^@M-^\yesM-bM-^@M-^] ssh must be setuid root.  Note that this option
-             must be set to M-bM-^@M-^\yesM-bM-^@M-^] if RhostsAuthentication and
+             must be set to M-bM-^@M-^\yesM-bM-^@M-^] for RhostsRSAAuthentication with older
-             RhostsRSAAuthentication authentications are needed with older
             servers.
     User    Specifies the user to log in as.  This can be useful when a dif-
@@ -369,6 +372,11 @@ DESCRIPTION
             Specifies a file to use for the user host key database instead of
             $HOME/.ssh/known_hosts.
+     VerifyHostKeyDNS
+             Specifies whether to verify the remote key using DNS and SSHFP
+             resource records.  The default is M-bM-^@M-^\noM-bM-^@M-^].  Note that this option
+             applies to protocol version 2 only.
     XAuthLocation
             Specifies the full pathname of the xauth(1) program.  The default
             is /usr/X11R6/bin/xauth.
@@ -387,6 +395,9 @@ FILES
             file, and for those users who do not have a configuration file.
             This file must be world-readable.
+SEE ALSO
+     ssh(1)
 AUTHORS
     OpenSSH is a derivative of the original and free ssh 1.2.12 release by
     Tatu Ylonen.  Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
@@ -394,7 +405,4 @@ AUTHORS
     ated OpenSSH.  Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.
-SEE ALSO
-     ssh(1)
 BSD                           September 25, 1999                           BSD
diff --git a/ssh_config.5 b/ssh_config.5
index 44208b431..7a435a90e 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.7 2003/03/28 10:11:43 jmc Exp $
+.\" $OpenBSD: ssh_config.5,v 1.20 2003/09/02 18:50:06 jmc Exp $
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
@@ -104,7 +104,7 @@ keyword) to be only for those hosts that match one of the patterns
 given after the keyword.
 .Ql \&*
 and
-.Ql ?
+.Ql \&?
 can be used as wildcards in the
 patterns.
 A single
@@ -115,13 +115,14 @@ The host is the
 .Ar hostname
 argument given on the command line (i.e., the name is not converted to
 a canonicalized host name before matching).
-.It Cm AFSTokenPassing
+.It Cm AddressFamily
-Specifies whether to pass AFS tokens to remote host.
+Specifies which address family to use when connecting.
-The argument to this keyword must be
+Valid arguments are
-.Dq yes
+.Dq any ,
-or
+.Dq inet
-.Dq no .
+(Use IPv4 only) or
-This option applies to protocol version 1 only.
+.Dq inet6
+(Use IPv6 only.)
 .It Cm BatchMode
 If set to
 .Dq yes ,
@@ -227,18 +228,41 @@ Specifies the number of tries (one per second) to make before exiting.
 The argument must be an integer.
 This may be useful in scripts if the connection sometimes fails.
 The default is 1.
+.It Cm ConnectTimeout
+Specifies the timeout (in seconds) used when connecting to the ssh
+server, instead of using the default system TCP timeout.
+This value is used only when the target is down or really unreachable,
+not when it refuses the connection.
 .It Cm DynamicForward
 Specifies that a TCP/IP port on the local machine be forwarded
 over the secure channel, and the application
 protocol is then used to determine where to connect to from the
 remote machine.
 The argument must be a port number.
-Currently the SOCKS4 protocol is supported, and
+Currently the SOCKS4 and SOCKS5 protocols are supported, and
 .Nm ssh
-will act as a SOCKS4 server.
+will act as a SOCKS server.
 Multiple forwardings may be specified, and
 additional forwardings can be given on the command line.
 Only the superuser can forward privileged ports.
+.It Cm EnableSSHKeysign
+Setting this option to
+.Dq yes
+in the global client configuration file
+.Pa /etc/ssh/ssh_config
+enables the use of the helper program
+.Xr ssh-keysign 8
+during
+.Cm HostbasedAuthentication .
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
+See
+.Xr ssh-keysign 8
+for more information.
 .It Cm EscapeChar
 Sets the escape character (default:
 .Ql ~ ) .
@@ -307,6 +331,18 @@ The default is
 Specifies a file to use for the global
 host key database instead of
 .Pa /etc/ssh/ssh_known_hosts .
+.It Cm GSSAPIAuthentication
+Specifies whether authentication based on GSSAPI may be used, either using
+the result of a successful key exchange, or using GSSAPI user
+authentication.
+The default is
+.Dq yes .
+Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIDelegateCredentials
+Forward (delegate) credentials to the server.
+The default is
+.Dq no .
+Note that this option applies to protocol version 2 only.
 .It Cm HostbasedAuthentication
 Specifies whether to try rhosts based authentication with public key
 authentication.
@@ -339,7 +375,8 @@ Numeric IP addresses are also permitted (both on the command line and in
 specifications).
 .It Cm IdentityFile
 Specifies a file from which the user's RSA or DSA authentication identity
-is read. The default is
+is read.
+The default is
 .Pa $HOME/.ssh/identity
 for protocol version 1, and
 .Pa $HOME/.ssh/id_rsa
@@ -370,19 +407,6 @@ This is important in scripts, and many users want it too.
 .Pp
 To disable keepalives, the value should be set to
 .Dq no .
-.It Cm KerberosAuthentication
-Specifies whether Kerberos authentication will be used.
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
-.It Cm KerberosTgtPassing
-Specifies whether a Kerberos TGT will be forwarded to the server.
-This will only work if the Kerberos server is actually an AFS kaserver.
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
 .It Cm LocalForward
 Specifies that a TCP/IP port on the local machine be forwarded over
 the secure channel to the specified host and port from the remote machine.
@@ -436,7 +460,8 @@ Specifies the port number to connect on the remote host.
 Default is 22.
 .It Cm PreferredAuthentications
 Specifies the order in which the client should try protocol 2
-authentication methods. This allows a client to prefer one method (e.g.
+authentication methods.
+This allows a client to prefer one method (e.g.
 .Cm keyboard-interactive )
 over another method (e.g.
 .Cm password )
@@ -504,26 +529,6 @@ IPv6 addresses can be specified with an alternative syntax:
 Multiple forwardings may be specified, and additional
 forwardings can be given on the command line.
 Only the superuser can forward privileged ports.
-.It Cm RhostsAuthentication
-Specifies whether to try rhosts based authentication.
-Note that this
-declaration only affects the client side and has no effect whatsoever
-on security.
-Most servers do not permit RhostsAuthentication because it
-is not secure (see
-.Cm RhostsRSAAuthentication ) .
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq no .
-This option applies to protocol version 1 only and requires
-.Nm ssh
-to be setuid root and
-.Cm UsePrivilegedPort
-to be set to
-.Dq yes .
 .It Cm RhostsRSAAuthentication
 Specifies whether to try rhosts based authentication with RSA host
 authentication.
@@ -549,12 +554,12 @@ The default is
 .Dq yes .
 Note that this option applies to protocol version 1 only.
 .It Cm SmartcardDevice
-Specifies which smartcard device to use. The argument to this keyword is
+Specifies which smartcard device to use.
-the device
+The argument to this keyword is the device
 .Nm ssh
 should use to communicate with a smartcard used for storing the user's
-private RSA key. By default, no device is specified and smartcard support
+private RSA key.
-is not activated.
+By default, no device is specified and smartcard support is not activated.
 .It Cm StrictHostKeyChecking
 If this flag is set to
 .Dq yes ,
@@ -604,11 +609,9 @@ If set to
 must be setuid root.
 Note that this option must be set to
 .Dq yes
-if
+for
-.Cm RhostsAuthentication
-and
 .Cm RhostsRSAAuthentication
-authentications are needed with older servers.
+with older servers.
 .It Cm User
 Specifies the user to log in as.
 This can be useful when a different user name is used on different machines.
@@ -618,6 +621,12 @@ having to remember to give the user name on the command line.
 Specifies a file to use for the user
 host key database instead of
 .Pa $HOME/.ssh/known_hosts .
+.It Cm VerifyHostKeyDNS
+Specifies whether to verify the remote key using DNS and SSHFP resource
+records.
+The default is
+.Dq no .
+Note that this option applies to protocol version 2 only.
 .It Cm XAuthLocation
 Specifies the full pathname of the
 .Xr xauth 1
@@ -643,6 +652,8 @@ values that are not specified in the user's configuration file, and
 for those users who do not have a configuration file.
 This file must be world-readable.
 .El
+.Sh SEE ALSO
+.Xr ssh 1
 .Sh AUTHORS
 OpenSSH is a derivative of the original and free
 ssh 1.2.12 release by Tatu Ylonen.
@@ -652,5 +663,3 @@ removed many bugs, re-added newer features and
 created OpenSSH.
 Markus Friedl contributed the support for SSH
 protocol versions 1.5 and 2.0.
-.Sh SEE ALSO
-.Xr ssh 1
diff --git a/sshconnect.c b/sshconnect.c
index dae25969a..40d22800f 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -13,7 +13,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.137 2002/11/21 23:03:51 deraadt Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.147 2003/06/29 12:44:38 markus Exp $");
 #include <openssl/bn.h>
@@ -33,9 +33,17 @@ RCSID("$OpenBSD: sshconnect.c,v 1.137 2002/11/21 23:03:51 deraadt Exp $");
 #include "misc.h"
 #include "readpass.h"
+#ifdef DNS
+#include "dns.h"
+#endif
 char *client_version_string = NULL;
 char *server_version_string = NULL;
+#ifdef DNS
+int verified_host_key_dns = 0;
+#endif
 /* import */
 extern Options options;
 extern char *__progname;
@@ -163,7 +171,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
 * Creates a (possibly privileged) socket for use as the ssh connection.
 */
 static int
-ssh_create_socket(int privileged, int family)
+ssh_create_socket(int privileged, struct addrinfo *ai)
 {
        int sock, gaierr;
        struct addrinfo hints, *res;
@@ -175,15 +183,16 @@ ssh_create_socket(int privileged, int family)
        if (privileged) {
                int p = IPPORT_RESERVED - 1;
                PRIV_START;
-                sock = rresvport_af(&p, family);
+                sock = rresvport_af(&p, ai->ai_family);
                PRIV_END;
                if (sock < 0)
-                        error("rresvport: af=%d %.100s", family, strerror(errno));
+                        error("rresvport: af=%d %.100s", ai->ai_family,
+                            strerror(errno));
                else
                        debug("Allocated local port %d.", p);
                return sock;
        }
-        sock = socket(family, SOCK_STREAM, 0);
+        sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (sock < 0)
                error("socket: %.100s", strerror(errno));
@@ -192,8 +201,9 @@ ssh_create_socket(int privileged, int family)
                return sock;
        memset(&hints, 0, sizeof(hints));
-        hints.ai_family = family;
+        hints.ai_family = ai->ai_family;
-        hints.ai_socktype = SOCK_STREAM;
+        hints.ai_socktype = ai->ai_socktype;
+        hints.ai_protocol = ai->ai_protocol;
        hints.ai_flags = AI_PASSIVE;
        gaierr = getaddrinfo(options.bind_address, "0", &hints, &res);
        if (gaierr) {
@@ -212,6 +222,73 @@ ssh_create_socket(int privileged, int family)
        return sock;
 }
+static int
+timeout_connect(int sockfd, const struct sockaddr *serv_addr,
+    socklen_t addrlen, int timeout)
+{
+        fd_set *fdset;
+        struct timeval tv;
+        socklen_t optlen;
+        int fdsetsz, optval, rc, result = -1;
+        if (timeout <= 0)
+                return (connect(sockfd, serv_addr, addrlen));
+        if (fcntl(sockfd, F_SETFL, O_NONBLOCK) < 0)
+                return (-1);
+        rc = connect(sockfd, serv_addr, addrlen);
+        if (rc == 0)
+                return (0);
+        if (errno != EINPROGRESS)
+                return (-1);
+        fdsetsz = howmany(sockfd + 1, NFDBITS) * sizeof(fd_mask);
+        fdset = (fd_set *)xmalloc(fdsetsz);
+        memset(fdset, 0, fdsetsz);
+        FD_SET(sockfd, fdset);
+        tv.tv_sec = timeout;
+        tv.tv_usec = 0;
+        for(;;) {
+                rc = select(sockfd + 1, NULL, fdset, NULL, &tv);
+                if (rc != -1 || errno != EINTR)
+                        break;
+        }
+        switch(rc) {
+        case 0:
+                /* Timed out */
+                errno = ETIMEDOUT;
+                break;
+        case -1:
+                /* Select error */
+                debug("select: %s", strerror(errno));
+                break;
+        case 1:
+                /* Completed or failed */
+                optval = 0;
+                optlen = sizeof(optval);
+                if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval, 
+                    &optlen) == -1)
+                        debug("getsockopt: %s", strerror(errno));
+                        break;
+                if (optval != 0) {
+                        errno = optval;
+                        break;
+                }
+                result = 0;
+                break;
+        default:
+                /* Should not occur */
+                fatal("Bogus return (%d) from select()", rc);
+        }
+        xfree(fdset);
+        return (result);
+}
 /*
 * Opens a TCP/IP connection to the remote server on the given host.
 * The address of the remote host will be returned in hostaddr.
@@ -295,12 +372,13 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
                                host, ntop, strport);
                        /* Create a socket for connecting. */
-                        sock = ssh_create_socket(needpriv, ai->ai_family);
+                        sock = ssh_create_socket(needpriv, ai);
                        if (sock < 0)
                                /* Any error is already output */
                                continue;
-                        if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) {
+                        if (timeout_connect(sock, ai->ai_addr, ai->ai_addrlen,
+                            options.connection_timeout) >= 0) {
                                /* Successful connection. */
                                memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen);
                                break;
@@ -332,7 +410,7 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
        /* Return failure if we didn't get a successful connection. */
        if (attempt >= connection_attempts) {
-                log("ssh: connect to host %s port %s: %s",
+                logit("ssh: connect to host %s port %s: %s",
                    host, strport, strerror(errno));
                return full_failure ? ECONNABORTED : ECONNREFUSED;
        }
@@ -421,7 +499,7 @@ ssh_exchange_identification(void)
                        enable_compat13();
                        minor1 = 3;
                        if (options.forward_agent) {
-                                log("Agent forwarding disabled for protocol 1.3");
+                                logit("Agent forwarding disabled for protocol 1.3");
                                options.forward_agent = 0;
                        }
                }
@@ -445,7 +523,7 @@ ssh_exchange_identification(void)
            compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
            compat20 ? PROTOCOL_MINOR_2 : minor1,
            SSH_VERSION);
-        if (atomicio(write, connection_out, buf, strlen(buf)) != strlen(buf))
+        if (atomicio(vwrite, connection_out, buf, strlen(buf)) != strlen(buf))
                fatal("write: %.100s", strerror(errno));
        client_version_string = xstrdup(buf);
        chop(client_version_string);
@@ -496,7 +574,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
        int salen;
        char ntop[NI_MAXHOST];
        char msg[1024];
-        int len, host_line, ip_line, has_keys;
+        int len, host_line, ip_line;
        const char *host_file = NULL, *ip_file = NULL;
        /*
@@ -612,16 +690,16 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
                debug("Found key in %s:%d", host_file, host_line);
                if (options.check_host_ip && ip_status == HOST_NEW) {
                        if (readonly)
-                                log("%s host key for IP address "
+                                logit("%s host key for IP address "
                                    "'%.128s' not in list of known hosts.",
                                    type, ip);
                        else if (!add_host_to_hostfile(user_hostfile, ip,
                            host_key))
-                                log("Failed to add the %s host key for IP "
+                                logit("Failed to add the %s host key for IP "
                                    "address '%.128s' to the list of known "
                                    "hosts (%.30s).", type, ip, user_hostfile);
                        else
-                                log("Warning: Permanently added the %s host "
+                                logit("Warning: Permanently added the %s host "
                                    "key for IP address '%.128s' to the list "
                                    "of known hosts.", type, ip);
                }
@@ -640,19 +718,36 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
                            "have requested strict checking.", type, host);
                        goto fail;
                } else if (options.strict_host_key_checking == 2) {
-                        has_keys = show_other_keys(host, host_key);
+                        char msg1[1024], msg2[1024];
+                        if (show_other_keys(host, host_key))
+                                snprintf(msg1, sizeof(msg1),
+                                   "\nbut keys of different type are already"
+                                   " known for this host.");
+                        else
+                                snprintf(msg1, sizeof(msg1), ".");
                        /* The default */
                        fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+                        msg2[0] = '\0';
+#ifdef DNS
+                        if (options.verify_host_key_dns) {
+                                if (verified_host_key_dns)
+                                        snprintf(msg2, sizeof(msg2),
+                                            "Matching host key fingerprint"
+                                            " found in DNS.\n");
+                                else
+                                        snprintf(msg2, sizeof(msg2),
+                                            "No matching host key fingerprint"
+                                            " found in DNS.\n");
+                        }
+#endif
                        snprintf(msg, sizeof(msg),
                            "The authenticity of host '%.200s (%s)' can't be "
                            "established%s\n"
-                            "%s key fingerprint is %s.\n"
+                            "%s key fingerprint is %s.\n%s"
                            "Are you sure you want to continue connecting "
                            "(yes/no)? ",
-                            host, ip,
+                            host, ip, msg1, type, fp, msg2);
-                            has_keys ? ",\nbut keys of different type are already "
-                            "known for this host." : ".",
-                            type, fp);
                        xfree(fp);
                        if (!confirm(msg))
                                goto fail;
@@ -668,10 +763,10 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
                 * local known_hosts file.
                 */
                if (!add_host_to_hostfile(user_hostfile, hostp, host_key))
-                        log("Failed to add the host to the list of known "
+                        logit("Failed to add the host to the list of known "
                            "hosts (%.500s).", user_hostfile);
                else
-                        log("Warning: Permanently added '%.200s' (%s) to the "
+                        logit("Warning: Permanently added '%.200s' (%s) to the "
                            "list of known hosts.", hostp, type);
                break;
        case HOST_CHANGED:
@@ -722,7 +817,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
                /*
                 * If strict host key checking has not been requested, allow
-                 * the connection but without password authentication or
+                 * the connection but without MITM-able authentication or
                 * agent forwarding.
                 */
                if (options.password_authentication) {
@@ -730,6 +825,17 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
                            "man-in-the-middle attacks.");
                        options.password_authentication = 0;
                }
+                if (options.kbd_interactive_authentication) {
+                        error("Keyboard-interactive authentication is disabled"
+                            " to avoid man-in-the-middle attacks.");
+                        options.kbd_interactive_authentication = 0;
+                        options.challenge_response_authentication = 0;
+                }
+                if (options.challenge_response_authentication) {
+                        error("Challenge/response authentication is disabled"
+                            " to avoid man-in-the-middle attacks.");
+                        options.challenge_response_authentication = 0;
+                }
                if (options.forward_agent) {
                        error("Agent forwarding is disabled to avoid "
                            "man-in-the-middle attacks.");
@@ -774,7 +880,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
                            host_file, host_line);
                }
                if (options.strict_host_key_checking == 1) {
-                        log(msg);
+                        logit("%s", msg);
                        error("Exiting, you have requested strict checking.");
                        goto fail;
                } else if (options.strict_host_key_checking == 2) {
@@ -783,7 +889,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
                        if (!confirm(msg))
                                goto fail;
                } else {
-                        log(msg);
+                        logit("%s", msg);
                }
        }
@@ -795,11 +901,33 @@ fail:
        return -1;
 }
+/* returns 0 if key verifies or -1 if key does NOT verify */
 int
 verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 {
        struct stat st;
+#ifdef DNS
+        if (options.verify_host_key_dns) {
+                switch(verify_host_key_dns(host, hostaddr, host_key)) {
+                case DNS_VERIFY_OK:
+#ifdef DNSSEC
+                        return 0;
+#else
+                        verified_host_key_dns = 1;
+                        break;
+#endif
+                case DNS_VERIFY_FAILED:
+                        return -1;
+                case DNS_VERIFY_ERROR:
+                        break;
+                default:
+                        debug3("bad return value from verify_host_key_dns");
+                        break;
+                }
+        }
+#endif /* DNS */
        /* return ok if the key can be found in an old keyfile */
        if (stat(options.system_hostfile2, &st) == 0 ||
            stat(options.user_hostfile2, &st) == 0) {
@@ -881,7 +1009,7 @@ show_key_from_file(const char *file, const char *host, int keytype)
        if ((ret = lookup_key_in_hostfile_by_type(file, host,
            keytype, found, &line))) {
                fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
-                log("WARNING: %s key found for host %s\n"
+                logit("WARNING: %s key found for host %s\n"
                    "in %s:%d\n"
                    "%s key fingerprint %s.",
                    key_type(found), host, file, line,
diff --git a/sshconnect1.c b/sshconnect1.c
index 2fc9a981a..2f89964ec 100644
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -13,25 +13,11 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.52 2002/08/08 13:50:23 aaron Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.56 2003/08/28 12:54:34 markus Exp $");
 #include <openssl/bn.h>
 #include <openssl/md5.h>
-#ifdef KRB4
-#include <krb.h>
-#endif
-#ifdef KRB5
-#include <krb5.h>
-#ifndef HEIMDAL
-#define krb5_get_err_text(context,code) error_message(code)
-#endif /* !HEIMDAL */
-#endif
-#ifdef AFS
-#include <kafs.h>
-#include "radix.h"
-#endif
 #include "ssh.h"
 #include "ssh1.h"
 #include "xmalloc.h"
@@ -122,7 +108,7 @@ try_agent_authentication(void)
                         * although it advertised it supports this.  Just
                         * return a wrong value.
                         */
-                        log("Authentication agent failed to decrypt challenge.");
+                        logit("Authentication agent failed to decrypt challenge.");
                        memset(response, 0, sizeof(response));
                }
                key_free(key);
@@ -380,478 +366,6 @@ try_rhosts_rsa_authentication(const char *local_user, Key * host_key)
        return 0;
 }
-#ifdef KRB4
-static int
-try_krb4_authentication(void)
-{
-        KTEXT_ST auth;          /* Kerberos data */
-        char *reply;
-        char inst[INST_SZ];
-        char *realm;
-        CREDENTIALS cred;
-        int r, type;
-        socklen_t slen;
-        Key_schedule schedule;
-        u_long checksum, cksum;
-        MSG_DAT msg_data;
-        struct sockaddr_in local, foreign;
-        struct stat st;
-        /* Don't do anything if we don't have any tickets. */
-        if (stat(tkt_string(), &st) < 0)
-                return 0;
-        strlcpy(inst, (char *)krb_get_phost(get_canonical_hostname(1)),
-            INST_SZ);
-        realm = (char *)krb_realmofhost(get_canonical_hostname(1));
-        if (!realm) {
-                debug("Kerberos v4: no realm for %s", get_canonical_hostname(1));
-                return 0;
-        }
-        /* This can really be anything. */
-        checksum = (u_long)getpid();
-        r = krb_mk_req(&auth, KRB4_SERVICE_NAME, inst, realm, checksum);
-        if (r != KSUCCESS) {
-                debug("Kerberos v4 krb_mk_req failed: %s", krb_err_txt[r]);
-                return 0;
-        }
-        /* Get session key to decrypt the server's reply with. */
-        r = krb_get_cred(KRB4_SERVICE_NAME, inst, realm, &cred);
-        if (r != KSUCCESS) {
-                debug("get_cred failed: %s", krb_err_txt[r]);
-                return 0;
-        }
-        des_key_sched((des_cblock *) cred.session, schedule);
-        /* Send authentication info to server. */
-        packet_start(SSH_CMSG_AUTH_KERBEROS);
-        packet_put_string((char *) auth.dat, auth.length);
-        packet_send();
-        packet_write_wait();
-        /* Zero the buffer. */
-        (void) memset(auth.dat, 0, MAX_KTXT_LEN);
-        slen = sizeof(local);
-        memset(&local, 0, sizeof(local));
-        if (getsockname(packet_get_connection_in(),
-            (struct sockaddr *)&local, &slen) < 0)
-                debug("getsockname failed: %s", strerror(errno));
-        slen = sizeof(foreign);
-        memset(&foreign, 0, sizeof(foreign));
-        if (getpeername(packet_get_connection_in(),
-            (struct sockaddr *)&foreign, &slen) < 0) {
-                debug("getpeername failed: %s", strerror(errno));
-                fatal_cleanup();
-        }
-        /* Get server reply. */
-        type = packet_read();
-        switch (type) {
-        case SSH_SMSG_FAILURE:
-                /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
-                debug("Kerberos v4 authentication failed.");
-                return 0;
-                break;
-        case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
-                /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
-                debug("Kerberos v4 authentication accepted.");
-                /* Get server's response. */
-                reply = packet_get_string((u_int *) &auth.length);
-                if (auth.length >= MAX_KTXT_LEN)
-                        fatal("Kerberos v4: Malformed response from server");
-                memcpy(auth.dat, reply, auth.length);
-                xfree(reply);
-                packet_check_eom();
-                /*
-                 * If his response isn't properly encrypted with the session
-                 * key, and the decrypted checksum fails to match, he's
-                 * bogus. Bail out.
-                 */
-                r = krb_rd_priv(auth.dat, auth.length, schedule, &cred.session,
-                    &foreign, &local, &msg_data);
-                if (r != KSUCCESS) {
-                        debug("Kerberos v4 krb_rd_priv failed: %s",
-                            krb_err_txt[r]);
-                        packet_disconnect("Kerberos v4 challenge failed!");
-                }
-                /* Fetch the (incremented) checksum that we supplied in the request. */
-                memcpy((char *)&cksum, (char *)msg_data.app_data,
-                    sizeof(cksum));
-                cksum = ntohl(cksum);
-                /* If it matches, we're golden. */
-                if (cksum == checksum + 1) {
-                        debug("Kerberos v4 challenge successful.");
-                        return 1;
-                } else
-                        packet_disconnect("Kerberos v4 challenge failed!");
-                break;
-        default:
-                packet_disconnect("Protocol error on Kerberos v4 response: %d", type);
-        }
-        return 0;
-}
-#endif /* KRB4 */
-#ifdef KRB5
-static int
-try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
-{
-        krb5_error_code problem;
-        const char *tkfile;
-        struct stat buf;
-        krb5_ccache ccache = NULL;
-        const char *remotehost;
-        krb5_data ap;
-        int type;
-        krb5_ap_rep_enc_part *reply = NULL;
-        int ret;
-        memset(&ap, 0, sizeof(ap));
-        problem = krb5_init_context(context);
-        if (problem) {
-                debug("Kerberos v5: krb5_init_context failed");
-                ret = 0;
-                goto out;
-        }
-        
-        problem = krb5_auth_con_init(*context, auth_context);
-        if (problem) {
-                debug("Kerberos v5: krb5_auth_con_init failed");
-                ret = 0;
-                goto out;
-        }
-#ifndef HEIMDAL
-        problem = krb5_auth_con_setflags(*context, *auth_context,
-                                         KRB5_AUTH_CONTEXT_RET_TIME);
-        if (problem) {
-                debug("Keberos v5: krb5_auth_con_setflags failed");
-                ret = 0;
-                goto out;
-        }
-#endif
-        tkfile = krb5_cc_default_name(*context);
-        if (strncmp(tkfile, "FILE:", 5) == 0)
-                tkfile += 5;
-        if (stat(tkfile, &buf) == 0 && getuid() != buf.st_uid) {
-                debug("Kerberos v5: could not get default ccache (permission denied).");
-                ret = 0;
-                goto out;
-        }
-        problem = krb5_cc_default(*context, &ccache);
-        if (problem) {
-                debug("Kerberos v5: krb5_cc_default failed: %s",
-                    krb5_get_err_text(*context, problem));
-                ret = 0;
-                goto out;
-        }
-        remotehost = get_canonical_hostname(1);
-        problem = krb5_mk_req(*context, auth_context, AP_OPTS_MUTUAL_REQUIRED,
-            "host", remotehost, NULL, ccache, &ap);
-        if (problem) {
-                debug("Kerberos v5: krb5_mk_req failed: %s",
-                    krb5_get_err_text(*context, problem));
-                ret = 0;
-                goto out;
-        }
-        packet_start(SSH_CMSG_AUTH_KERBEROS);
-        packet_put_string((char *) ap.data, ap.length);
-        packet_send();
-        packet_write_wait();
-        xfree(ap.data);
-        ap.length = 0;
-        type = packet_read();
-        switch (type) {
-        case SSH_SMSG_FAILURE:
-                /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
-                debug("Kerberos v5 authentication failed.");
-                ret = 0;
-                break;
-        case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
-                /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
-                debug("Kerberos v5 authentication accepted.");
-                /* Get server's response. */
-                ap.data = packet_get_string((unsigned int *) &ap.length);
-                packet_check_eom();
-                /* XXX je to dobre? */
-                problem = krb5_rd_rep(*context, *auth_context, &ap, &reply);
-                if (problem) {
-                        ret = 0;
-                }
-                ret = 1;
-                break;
-        default:
-                packet_disconnect("Protocol error on Kerberos v5 response: %d",
-                    type);
-                ret = 0;
-                break;
-        }
- out:
-        if (ccache != NULL)
-                krb5_cc_close(*context, ccache);
-        if (reply != NULL)
-                krb5_free_ap_rep_enc_part(*context, reply);
-        if (ap.length > 0)
-#ifdef HEIMDAL
-                krb5_data_free(&ap);
-#else
-                krb5_free_data_contents(*context, &ap);
-#endif
-        return (ret);
-}
-static void
-send_krb5_tgt(krb5_context context, krb5_auth_context auth_context)
-{
-        int fd, type;
-        krb5_error_code problem;
-        krb5_data outbuf;
-        krb5_ccache ccache = NULL;
-        krb5_creds creds;
-#ifdef HEIMDAL
-        krb5_kdc_flags flags;
-#else
-        int forwardable;
-#endif
-        const char *remotehost;
-        memset(&creds, 0, sizeof(creds));
-        memset(&outbuf, 0, sizeof(outbuf));
-        fd = packet_get_connection_in();
-#ifdef HEIMDAL
-        problem = krb5_auth_con_setaddrs_from_fd(context, auth_context, &fd);
-#else
-        problem = krb5_auth_con_genaddrs(context, auth_context, fd,
-                        KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
-                        KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
-#endif
-        if (problem)
-                goto out;
-        problem = krb5_cc_default(context, &ccache);
-        if (problem)
-                goto out;
-        problem = krb5_cc_get_principal(context, ccache, &creds.client);
-        if (problem)
-                goto out;
-        remotehost = get_canonical_hostname(1);
-        
-#ifdef HEIMDAL
-        problem = krb5_build_principal(context, &creds.server,
-            strlen(creds.client->realm), creds.client->realm,
-            "krbtgt", creds.client->realm, NULL);
-#else
-        problem = krb5_build_principal(context, &creds.server,
-            creds.client->realm.length, creds.client->realm.data,
-            "host", remotehost, NULL);
-#endif
-        if (problem)
-                goto out;
-        creds.times.endtime = 0;
-#ifdef HEIMDAL
-        flags.i = 0;
-        flags.b.forwarded = 1;
-        flags.b.forwardable = krb5_config_get_bool(context,  NULL,
-            "libdefaults", "forwardable", NULL);
-        problem = krb5_get_forwarded_creds(context, auth_context,
-            ccache, flags.i, remotehost, &creds, &outbuf);
-#else
-        forwardable = 1;
-        problem = krb5_fwd_tgt_creds(context, auth_context, remotehost,
-            creds.client, creds.server, ccache, forwardable, &outbuf);
-#endif
-        if (problem)
-                goto out;
-        packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
-        packet_put_string((char *)outbuf.data, outbuf.length);
-        packet_send();
-        packet_write_wait();
-        type = packet_read();
-        if (type == SSH_SMSG_SUCCESS) {
-                char *pname;
-                krb5_unparse_name(context, creds.client, &pname);
-                debug("Kerberos v5 TGT forwarded (%s).", pname);
-                xfree(pname);
-        } else
-                debug("Kerberos v5 TGT forwarding failed.");
-        return;
- out:
-        if (problem)
-                debug("Kerberos v5 TGT forwarding failed: %s",
-                    krb5_get_err_text(context, problem));
-        if (creds.client)
-                krb5_free_principal(context, creds.client);
-        if (creds.server)
-                krb5_free_principal(context, creds.server);
-        if (ccache)
-                krb5_cc_close(context, ccache);
-        if (outbuf.data)
-                xfree(outbuf.data);
-}
-#endif /* KRB5 */
-#ifdef AFS
-static void
-send_krb4_tgt(void)
-{
-        CREDENTIALS *creds;
-        struct stat st;
-        char buffer[4096], pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
-        int problem, type;
-        /* Don't do anything if we don't have any tickets. */
-        if (stat(tkt_string(), &st) < 0)
-                return;
-        creds = xmalloc(sizeof(*creds));
-        problem = krb_get_tf_fullname(TKT_FILE, pname, pinst, prealm);
-        if (problem)
-                goto out;
-        problem = krb_get_cred("krbtgt", prealm, prealm, creds);
-        if (problem)
-                goto out;
-        if (time(0) > krb_life_to_time(creds->issue_date, creds->lifetime)) {
-                problem = RD_AP_EXP;
-                goto out;
-        }
-        creds_to_radix(creds, (u_char *)buffer, sizeof(buffer));
-        packet_start(SSH_CMSG_HAVE_KERBEROS_TGT);
-        packet_put_cstring(buffer);
-        packet_send();
-        packet_write_wait();
-        type = packet_read();
-        if (type == SSH_SMSG_SUCCESS)
-                debug("Kerberos v4 TGT forwarded (%s%s%s@%s).",
-                    creds->pname, creds->pinst[0] ? "." : "",
-                    creds->pinst, creds->realm);
-        else
-                debug("Kerberos v4 TGT rejected.");
-        xfree(creds);
-        return;
- out:
-        debug("Kerberos v4 TGT passing failed: %s", krb_err_txt[problem]);
-        xfree(creds);
-}
-static void
-send_afs_tokens(void)
-{
-        CREDENTIALS creds;
-        struct ViceIoctl parms;
-        struct ClearToken ct;
-        int i, type, len;
-        char buf[2048], *p, *server_cell;
-        char buffer[8192];
-        /* Move over ktc_GetToken, here's something leaner. */
-        for (i = 0; i < 100; i++) {     /* just in case */
-                parms.in = (char *) &i;
-                parms.in_size = sizeof(i);
-                parms.out = buf;
-                parms.out_size = sizeof(buf);
-                if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0)
-                        break;
-                p = buf;
-                /* Get secret token. */
-                memcpy(&creds.ticket_st.length, p, sizeof(u_int));
-                if (creds.ticket_st.length > MAX_KTXT_LEN)
-                        break;
-                p += sizeof(u_int);
-                memcpy(creds.ticket_st.dat, p, creds.ticket_st.length);
-                p += creds.ticket_st.length;
-                /* Get clear token. */
-                memcpy(&len, p, sizeof(len));
-                if (len != sizeof(struct ClearToken))
-                        break;
-                p += sizeof(len);
-                memcpy(&ct, p, len);
-                p += len;
-                p += sizeof(len);       /* primary flag */
-                server_cell = p;
-                /* Flesh out our credentials. */
-                strlcpy(creds.service, "afs", sizeof(creds.service));
-                creds.instance[0] = '\0';
-                strlcpy(creds.realm, server_cell, REALM_SZ);
-                memcpy(creds.session, ct.HandShakeKey, DES_KEY_SZ);
-                creds.issue_date = ct.BeginTimestamp;
-                creds.lifetime = krb_time_to_life(creds.issue_date,
-                    ct.EndTimestamp);
-                creds.kvno = ct.AuthHandle;
-                snprintf(creds.pname, sizeof(creds.pname), "AFS ID %d", ct.ViceId);
-                creds.pinst[0] = '\0';
-                /* Encode token, ship it off. */
-                if (creds_to_radix(&creds, (u_char *)buffer,
-                    sizeof(buffer)) <= 0)
-                        break;
-                packet_start(SSH_CMSG_HAVE_AFS_TOKEN);
-                packet_put_cstring(buffer);
-                packet_send();
-                packet_write_wait();
-                /* Roger, Roger. Clearance, Clarence. What's your vector,
-                   Victor? */
-                type = packet_read();
-                if (type == SSH_SMSG_FAILURE)
-                        debug("AFS token for cell %s rejected.", server_cell);
-                else if (type != SSH_SMSG_SUCCESS)
-                        packet_disconnect("Protocol error on AFS token response: %d", type);
-        }
-}
-#endif /* AFS */
 /*
 * Tries to authenticate with any string-based challenge/response system.
 * Note that the client code is not tied to s/key or TIS.
@@ -890,7 +404,7 @@ try_challenge_response_authentication(void)
                if (i != 0)
                        error("Permission denied, please try again.");
                if (options.cipher == SSH_CIPHER_NONE)
-                        log("WARNING: Encryption is disabled! "
+                        logit("WARNING: Encryption is disabled! "
                            "Response will be transmitted in clear text.");
                response = read_passphrase(prompt, 0);
                if (strcmp(response, "") == 0) {
@@ -925,7 +439,7 @@ try_password_authentication(char *prompt)
        debug("Doing password authentication.");
        if (options.cipher == SSH_CIPHER_NONE)
-                log("WARNING: Encryption is disabled! Password will be transmitted in clear text.");
+                logit("WARNING: Encryption is disabled! Password will be transmitted in clear text.");
        for (i = 0; i < options.number_of_password_prompts; i++) {
                if (i != 0)
                        error("Permission denied, please try again.");
@@ -981,9 +495,9 @@ ssh_kex(char *host, struct sockaddr *hostaddr)
        rbits = BN_num_bits(server_key->rsa->n);
        if (bits != rbits) {
-                log("Warning: Server lies about size of server public key: "
+                logit("Warning: Server lies about size of server public key: "
                    "actual size is %d bits vs. announced %d.", rbits, bits);
-                log("Warning: This may be due to an old implementation of ssh.");
+                logit("Warning: This may be due to an old implementation of ssh.");
        }
        /* Get the host key. */
        host_key = key_new(KEY_RSA1);
@@ -993,9 +507,9 @@ ssh_kex(char *host, struct sockaddr *hostaddr)
        rbits = BN_num_bits(host_key->rsa->n);
        if (bits != rbits) {
-                log("Warning: Server lies about size of server host key: "
+                logit("Warning: Server lies about size of server host key: "
                    "actual size is %d bits vs. announced %d.", rbits, bits);
-                log("Warning: This may be due to an old implementation of ssh.");
+                logit("Warning: This may be due to an old implementation of ssh.");
        }
        /* Get protocol flags. */
@@ -1086,7 +600,7 @@ ssh_kex(char *host, struct sockaddr *hostaddr)
                        options.cipher = ssh_cipher_default;
        } else if (options.cipher == SSH_CIPHER_ILLEGAL ||
            !(cipher_mask_ssh1(1) & (1 << options.cipher))) {
-                log("No valid SSH1 cipher, using %.100s instead.",
+                logit("No valid SSH1 cipher, using %.100s instead.",
                    cipher_name(ssh_cipher_default));
                options.cipher = ssh_cipher_default;
        }
@@ -1140,10 +654,6 @@ void
 ssh_userauth1(const char *local_user, const char *server_user, char *host,
    Sensitive *sensitive)
 {
-#ifdef KRB5
-        krb5_context context = NULL;
-        krb5_auth_context auth_context = NULL;
-#endif
        int i, type;
        if (supported_authentications == 0)
@@ -1168,56 +678,6 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
        if (type != SSH_SMSG_FAILURE)
                packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", type);
-#ifdef KRB5
-        if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
-            options.kerberos_authentication) {
-                debug("Trying Kerberos v5 authentication.");
-                if (try_krb5_authentication(&context, &auth_context)) {
-                        type = packet_read();
-                        if (type == SSH_SMSG_SUCCESS)
-                                goto success;
-                        if (type != SSH_SMSG_FAILURE)
-                                packet_disconnect("Protocol error: got %d in response to Kerberos v5 auth", type);
-                }
-        }
-#endif /* KRB5 */
-#ifdef KRB4
-        if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) &&
-            options.kerberos_authentication) {
-                debug("Trying Kerberos v4 authentication.");
-                if (try_krb4_authentication()) {
-                        type = packet_read();
-                        if (type == SSH_SMSG_SUCCESS)
-                                goto success;
-                        if (type != SSH_SMSG_FAILURE)
-                                packet_disconnect("Protocol error: got %d in response to Kerberos v4 auth", type);
-                }
-        }
-#endif /* KRB4 */
-        /*
-         * Use rhosts authentication if running in privileged socket and we
-         * do not wish to remain anonymous.
-         */
-        if ((supported_authentications & (1 << SSH_AUTH_RHOSTS)) &&
-            options.rhosts_authentication) {
-                debug("Trying rhosts authentication.");
-                packet_start(SSH_CMSG_AUTH_RHOSTS);
-                packet_put_cstring(local_user);
-                packet_send();
-                packet_write_wait();
-                /* The server should respond with success or failure. */
-                type = packet_read();
-                if (type == SSH_SMSG_SUCCESS)
-                        goto success;
-                if (type != SSH_SMSG_FAILURE)
-                        packet_disconnect("Protocol error: got %d in response to rhosts auth",
-                                          type);
-        }
        /*
         * Try .rhosts or /etc/hosts.equiv authentication with RSA host
         * authentication.
@@ -1271,36 +731,5 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
        /* NOTREACHED */
 success:
-#ifdef KRB5
-        /* Try Kerberos v5 TGT passing. */
-        if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
-            options.kerberos_tgt_passing && context && auth_context) {
-                if (options.cipher == SSH_CIPHER_NONE)
-                        log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
-                send_krb5_tgt(context, auth_context);
-        }
-        if (auth_context)
-                krb5_auth_con_free(context, auth_context);
-        if (context)
-                krb5_free_context(context);
-#endif
-#ifdef AFS
-        /* Try Kerberos v4 TGT passing if the server supports it. */
-        if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) &&
-            options.kerberos_tgt_passing) {
-                if (options.cipher == SSH_CIPHER_NONE)
-                        log("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!");
-                send_krb4_tgt();
-        }
-        /* Try AFS token passing if the server supports it. */
-        if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) &&
-            options.afs_token_passing && k_hasafs()) {
-                if (options.cipher == SSH_CIPHER_NONE)
-                        log("WARNING: Encryption is disabled! Token will be transmitted in the clear!");
-                send_afs_tokens();
-        }
-#endif /* AFS */
        return; /* need statement after label */
 }
diff --git a/sshconnect2.c b/sshconnect2.c
index 642b34b9e..933c223ec 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -23,7 +23,9 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.114 2003/04/01 10:22:21 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.124 2003/08/25 10:33:33 djm Exp $");
+#include "openbsd-compat/sys-queue.h"
 #include "ssh.h"
 #include "ssh2.h"
@@ -48,6 +50,10 @@ RCSID("$OpenBSD: sshconnect2.c,v 1.114 2003/04/01 10:22:21 markus Exp $");
 #include "msg.h"
 #include "pathnames.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
 /* import */
 extern char *client_version_string;
 extern char *server_version_string;
@@ -58,7 +64,7 @@ extern Options options;
 */
 u_char *session_id2 = NULL;
-int session_id2_len = 0;
+u_int session_id2_len = 0;
 char *xxx_host;
 struct sockaddr *xxx_hostaddr;
@@ -82,7 +88,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
        xxx_hostaddr = hostaddr;
        if (options.ciphers == (char *)-1) {
-                log("No valid ciphers for protocol version 2 given, using defaults.");
+                logit("No valid ciphers for protocol version 2 given, using defaults.");
                options.ciphers = NULL;
        }
        if (options.ciphers != NULL) {
@@ -108,6 +114,9 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
                myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
                    options.hostkeyalgorithms;
+        if (options.rekey_limit)
+                packet_set_rekey_limit(options.rekey_limit);
        /* start key exchange */
        kex = kex_setup(myproposal);
        kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
@@ -138,10 +147,18 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 typedef struct Authctxt Authctxt;
 typedef struct Authmethod Authmethod;
+typedef struct identity Identity;
-typedef int sign_cb_fn(
+typedef struct idlist Idlist;
-    Authctxt *authctxt, Key *key,
-    u_char **sigp, u_int *lenp, u_char *data, u_int datalen);
+struct identity {
+        TAILQ_ENTRY(identity) next;
+        AuthenticationConnection *ac;   /* set if agent supports key */
+        Key     *key;                   /* public/private key */
+        char    *filename;              /* comment for agent-only keys */
+        int     tried;
+        int     isprivate;              /* key points to the private key */
+};
+TAILQ_HEAD(idlist, identity);
 struct Authctxt {
        const char *server_user;
@@ -152,14 +169,14 @@ struct Authctxt {
        int success;
        char *authlist;
        /* pubkey */
-        Key *last_key;
+        Idlist keys;
-        sign_cb_fn *last_key_sign;
-        int last_key_hint;
        AuthenticationConnection *agent;
        /* hostbased */
        Sensitive *sensitive;
        /* kbd-interactive */
        int info_req_seen;
+        /* generic */
+        void *methoddata;
 };
 struct Authmethod {
        char    *name;          /* string to compare against server's list */
@@ -181,17 +198,35 @@ int	userauth_pubkey(Authctxt *);
 int     userauth_passwd(Authctxt *);
 int     userauth_kbdint(Authctxt *);
 int     userauth_hostbased(Authctxt *);
+int     userauth_kerberos(Authctxt *);
+#ifdef GSSAPI
+int     userauth_gssapi(Authctxt *authctxt);
+void    input_gssapi_response(int type, u_int32_t, void *);
+void    input_gssapi_token(int type, u_int32_t, void *);
+void    input_gssapi_hash(int type, u_int32_t, void *);
+void    input_gssapi_error(int, u_int32_t, void *);
+void    input_gssapi_errtok(int, u_int32_t, void *);
+#endif
 void    userauth(Authctxt *, char *);
-static int sign_and_send_pubkey(Authctxt *, Key *, sign_cb_fn *);
+static int sign_and_send_pubkey(Authctxt *, Identity *);
-static void clear_auth_state(Authctxt *);
+static void pubkey_prepare(Authctxt *);
+static void pubkey_cleanup(Authctxt *);
+static Key *load_identity_file(char *);
 static Authmethod *authmethod_get(char *authlist);
 static Authmethod *authmethod_lookup(const char *name);
 static char *authmethods_get(void);
 Authmethod authmethods[] = {
+#ifdef GSSAPI
+        {"gssapi",
+                userauth_gssapi,
+                &options.gss_authentication,
+                NULL},
+#endif
        {"hostbased",
                userauth_hostbased,
                &options.hostbased_authentication,
@@ -248,7 +283,7 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
        /* setup authentication context */
        memset(&authctxt, 0, sizeof(authctxt));
-        authctxt.agent = ssh_get_authentication_connection();
+        pubkey_prepare(&authctxt);
        authctxt.server_user = server_user;
        authctxt.local_user = local_user;
        authctxt.host = host;
@@ -256,6 +291,7 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
        authctxt.success = 0;
        authctxt.method = authmethod_lookup("none");
        authctxt.authlist = NULL;
+        authctxt.methoddata = NULL;
        authctxt.sensitive = sensitive;
        authctxt.info_req_seen = 0;
        if (authctxt.method == NULL)
@@ -270,14 +306,19 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
        dispatch_set(SSH2_MSG_USERAUTH_BANNER, &input_userauth_banner);
        dispatch_run(DISPATCH_BLOCK, &authctxt.success, &authctxt);     /* loop until success */
-        if (authctxt.agent != NULL)
+        pubkey_cleanup(&authctxt);
-                ssh_close_authentication_connection(authctxt.agent);
+        dispatch_range(SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
        debug("Authentication succeeded (%s).", authctxt.method->name);
 }
 void
 userauth(Authctxt *authctxt, char *authlist)
 {
+        if (authctxt->methoddata) {
+                xfree(authctxt->methoddata);
+                authctxt->methoddata = NULL;
+        }
        if (authlist == NULL) {
                authlist = authctxt->authlist;
        } else {
@@ -290,6 +331,12 @@ userauth(Authctxt *authctxt, char *authlist)
                if (method == NULL)
                        fatal("Permission denied (%s).", authlist);
                authctxt->method = method;
+                /* reset the per method handler */
+                dispatch_range(SSH2_MSG_USERAUTH_PER_METHOD_MIN,
+                    SSH2_MSG_USERAUTH_PER_METHOD_MAX, NULL);
+                /* and try new method */
                if (method->userauth(authctxt) != 0) {
                        debug2("we sent a %s packet, wait for reply", method->name);
                        break;
@@ -314,7 +361,7 @@ input_userauth_banner(int type, u_int32_t seq, void *ctxt)
        debug3("input_userauth_banner");
        msg = packet_get_string(NULL);
        lang = packet_get_string(NULL);
-        fprintf(stderr, "%s", msg);
+        logit("%s", msg);
        xfree(msg);
        xfree(lang);
 }
@@ -327,7 +374,8 @@ input_userauth_success(int type, u_int32_t seq, void *ctxt)
                fatal("input_userauth_success: no authentication context");
        if (authctxt->authlist)
                xfree(authctxt->authlist);
-        clear_auth_state(authctxt);
+        if (authctxt->methoddata)
+                xfree(authctxt->methoddata);
        authctxt->success = 1;                  /* break out */
 }
@@ -346,10 +394,9 @@ input_userauth_failure(int type, u_int32_t seq, void *ctxt)
        packet_check_eom();
        if (partial != 0)
-                log("Authenticated with partial success.");
+                logit("Authenticated with partial success.");
        debug("Authentications that can continue: %s", authlist);
-        clear_auth_state(authctxt);
        userauth(authctxt, authlist);
 }
 void
@@ -357,6 +404,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
 {
        Authctxt *authctxt = ctxt;
        Key *key = NULL;
+        Identity *id = NULL;
        Buffer b;
        int pktype, sent = 0;
        u_int alen, blen;
@@ -379,55 +427,267 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
        }
        packet_check_eom();
-        debug("Server accepts key: pkalg %s blen %u lastkey %p hint %d",
+        debug("Server accepts key: pkalg %s blen %u", pkalg, blen);
-            pkalg, blen, authctxt->last_key, authctxt->last_key_hint);
-        do {
+        if ((pktype = key_type_from_name(pkalg)) == KEY_UNSPEC) {
-                if (authctxt->last_key == NULL ||
+                debug("unknown pkalg %s", pkalg);
-                    authctxt->last_key_sign == NULL) {
+                goto done;
-                        debug("no last key or no sign cb");
+        }
-                        break;
+        if ((key = key_from_blob(pkblob, blen)) == NULL) {
-                }
+                debug("no key from blob. pkalg %s", pkalg);
-                if ((pktype = key_type_from_name(pkalg)) == KEY_UNSPEC) {
+                goto done;
-                        debug("unknown pkalg %s", pkalg);
+        }
-                        break;
+        if (key->type != pktype) {
-                }
+                error("input_userauth_pk_ok: type mismatch "
-                if ((key = key_from_blob(pkblob, blen)) == NULL) {
+                    "for decoded key (received %d, expected %d)",
-                        debug("no key from blob. pkalg %s", pkalg);
+                    key->type, pktype);
-                        break;
+                goto done;
-                }
+        }
-                if (key->type != pktype) {
+        fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-                        error("input_userauth_pk_ok: type mismatch "
+        debug2("input_userauth_pk_ok: fp %s", fp);
-                            "for decoded key (received %d, expected %d)",
+        xfree(fp);
-                            key->type, pktype);
-                        break;
+        TAILQ_FOREACH(id, &authctxt->keys, next) {
-                }
+                if (key_equal(key, id->key)) {
-                fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+                        sent = sign_and_send_pubkey(authctxt, id);
-                debug2("input_userauth_pk_ok: fp %s", fp);
-                xfree(fp);
-                if (!key_equal(key, authctxt->last_key)) {
-                        debug("key != last_key");
                        break;
                }
-                sent = sign_and_send_pubkey(authctxt, key,
+        }
-                   authctxt->last_key_sign);
+done:
-        } while (0);
        if (key != NULL)
                key_free(key);
        xfree(pkalg);
        xfree(pkblob);
-        /* unregister */
-        clear_auth_state(authctxt);
-        dispatch_set(SSH2_MSG_USERAUTH_PK_OK, NULL);
        /* try another method if we did not send a packet */
        if (sent == 0)
                userauth(authctxt, NULL);
+}
+#ifdef GSSAPI
+int 
+userauth_gssapi(Authctxt *authctxt)
+{
+        Gssctxt *gssctxt = NULL;
+        static gss_OID_set supported = NULL;
+        static int mech = 0;
+        OM_uint32 min;
+        int ok = 0;
+        /* Try one GSSAPI method at a time, rather than sending them all at
+         * once. */
+        if (supported == NULL)
+                gss_indicate_mechs(&min, &supported);
+        /* Check to see if the mechanism is usable before we offer it */
+        while (mech<supported->count && !ok) {
+                if (gssctxt)
+                        ssh_gssapi_delete_ctx(&gssctxt);
+                ssh_gssapi_build_ctx(&gssctxt);
+                ssh_gssapi_set_oid(gssctxt, &supported->elements[mech]);
+                /* My DER encoding requires length<128 */
+                if (supported->elements[mech].length < 128 &&
+                    !GSS_ERROR(ssh_gssapi_import_name(gssctxt,
+                    authctxt->host))) {
+                        ok = 1; /* Mechanism works */
+                } else {
+                        mech++;
+                }
+        }
+        if (!ok) return 0;
+        authctxt->methoddata=(void *)gssctxt;
+        packet_start(SSH2_MSG_USERAUTH_REQUEST);
+        packet_put_cstring(authctxt->server_user);
+        packet_put_cstring(authctxt->service);
+        packet_put_cstring(authctxt->method->name);
+        packet_put_int(1);
+        /* Some servers encode the OID incorrectly (as we used to) */
+        if (datafellows & SSH_BUG_GSSAPI_BER) {
+                packet_put_string(supported->elements[mech].elements,
+                    supported->elements[mech].length);
+        } else {
+                packet_put_int((supported->elements[mech].length)+2);
+                packet_put_char(SSH_GSS_OIDTYPE);
+                packet_put_char(supported->elements[mech].length);
+                packet_put_raw(supported->elements[mech].elements,
+                    supported->elements[mech].length);
+        }
+        packet_send();
+        dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE, &input_gssapi_response);
+        dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token);
+        dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERROR, &input_gssapi_error);
+        dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok);
+        mech++; /* Move along to next candidate */
+        return 1;
+}
+void
+input_gssapi_response(int type, u_int32_t plen, void *ctxt)
+{
+        Authctxt *authctxt = ctxt;
+        Gssctxt *gssctxt;
+        OM_uint32 status, ms;
+        int oidlen;
+        char *oidv;
+        gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
+        if (authctxt == NULL)
+                fatal("input_gssapi_response: no authentication context");
+        gssctxt = authctxt->methoddata;
+        /* Setup our OID */
+        oidv = packet_get_string(&oidlen);
+        if (datafellows & SSH_BUG_GSSAPI_BER) {
+                if (!ssh_gssapi_check_oid(gssctxt, oidv, oidlen))
+                        fatal("Server returned different OID than expected");
+        } else {
+                if(oidv[0] != SSH_GSS_OIDTYPE || oidv[1] != oidlen-2) {
+                        debug("Badly encoded mechanism OID received");
+                        userauth(authctxt, NULL);
+                        xfree(oidv);
+                        return;
+                }
+                if (!ssh_gssapi_check_oid(gssctxt, oidv+2, oidlen-2))
+                        fatal("Server returned different OID than expected");
+        }
+        packet_check_eom();
+        xfree(oidv);
+        status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
+            GSS_C_NO_BUFFER, &send_tok, NULL);
+        if (GSS_ERROR(status)) {
+                if (send_tok.length > 0) {
+                        packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK);
+                        packet_put_string(send_tok.value, send_tok.length);
+                        packet_send();
+                        gss_release_buffer(&ms, &send_tok);
+                }
+                /* Start again with next method on list */
+                debug("Trying to start again");
+                userauth(authctxt, NULL);
+                return;
+        }
+        /* We must have data to send */
+        packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
+        packet_put_string(send_tok.value, send_tok.length);
+        packet_send();
+        gss_release_buffer(&ms, &send_tok);
 }
+void
+input_gssapi_token(int type, u_int32_t plen, void *ctxt)
+{
+        Authctxt *authctxt = ctxt;
+        Gssctxt *gssctxt;
+        gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
+        gss_buffer_desc recv_tok;
+        OM_uint32 status, ms;
+        u_int slen;
+        if (authctxt == NULL)
+                fatal("input_gssapi_response: no authentication context");
+        gssctxt = authctxt->methoddata;
+        recv_tok.value = packet_get_string(&slen);
+        recv_tok.length = slen; /* safe typecast */
+        packet_check_eom();
+        status=ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
+            &recv_tok, &send_tok, NULL);
+        xfree(recv_tok.value);
+        if (GSS_ERROR(status)) {
+                if (send_tok.length > 0) {
+                        packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK);
+                        packet_put_string(send_tok.value, send_tok.length);
+                        packet_send();
+                        gss_release_buffer(&ms, &send_tok);
+                }
+                /* Start again with the next method in the list */
+                userauth(authctxt, NULL);
+                return;
+        }
+        if (send_tok.length > 0) {
+                packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
+                packet_put_string(send_tok.value, send_tok.length);
+                packet_send();
+                gss_release_buffer(&ms, &send_tok);
+        }
+        if (status == GSS_S_COMPLETE) {
+                /* If that succeeded, send a exchange complete message */
+                packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
+                packet_send();
+        }
+}
+void
+input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
+{
+        Authctxt *authctxt = ctxt;
+        Gssctxt *gssctxt;
+        gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
+        gss_buffer_desc recv_tok;
+        OM_uint32 status, ms;
+        u_int len;
+        if (authctxt == NULL)
+                fatal("input_gssapi_response: no authentication context");
+        gssctxt = authctxt->methoddata;
+        recv_tok.value = packet_get_string(&len);
+        recv_tok.length = len;
+        packet_check_eom();
+        /* Stick it into GSSAPI and see what it says */
+        status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
+                                     &recv_tok, &send_tok, NULL);
+        xfree(recv_tok.value);
+        gss_release_buffer(&ms, &send_tok);
+        /* Server will be returning a failed packet after this one */
+}
+void
+input_gssapi_error(int type, u_int32_t plen, void *ctxt)
+{
+        OM_uint32 maj, min;
+        char *msg;
+        char *lang;
+        maj=packet_get_int();
+        min=packet_get_int();
+        msg=packet_get_string(NULL);
+        lang=packet_get_string(NULL);
+        packet_check_eom();
+        debug("Server GSSAPI Error:\n%s\n", msg);
+        xfree(msg);
+        xfree(lang);
+}
+#endif /* GSSAPI */
 int
 userauth_none(Authctxt *authctxt)
 {
@@ -491,7 +751,7 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
        info = packet_get_string(NULL);
        lang = packet_get_string(NULL);
        if (strlen(info) > 0)
-                log("%s", info);
+                logit("%s", info);
        xfree(info);
        xfree(lang);
        packet_start(SSH2_MSG_USERAUTH_REQUEST);
@@ -523,7 +783,7 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
                if (strcmp(password, retype) != 0) {
                        memset(password, 0, strlen(password));
                        xfree(password);
-                        log("Mismatch; try again, EOF to quit.");
+                        logit("Mismatch; try again, EOF to quit.");
                        password = NULL;
                }
                memset(retype, 0, strlen(retype));
@@ -539,34 +799,44 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
            &input_userauth_passwd_changereq);
 }
-static void
+static int
-clear_auth_state(Authctxt *authctxt)
+identity_sign(Identity *id, u_char **sigp, u_int *lenp,
+    u_char *data, u_int datalen)
 {
-        /* XXX clear authentication state */
+        Key *prv;
-        dispatch_set(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ, NULL);
+        int ret;
-        if (authctxt->last_key != NULL && authctxt->last_key_hint == -1) {
+        /* the agent supports this key */
-                debug3("clear_auth_state: key_free %p", authctxt->last_key);
+        if (id->ac)
-                key_free(authctxt->last_key);
+                return (ssh_agent_sign(id->ac, id->key, sigp, lenp,
-        }
+                    data, datalen));
-        authctxt->last_key = NULL;
+        /*
-        authctxt->last_key_hint = -2;
+         * we have already loaded the private key or
-        authctxt->last_key_sign = NULL;
+         * the private key is stored in external hardware
+         */
+        if (id->isprivate || (id->key->flags & KEY_FLAG_EXT))
+                return (key_sign(id->key, sigp, lenp, data, datalen));
+        /* load the private key from the file */
+        if ((prv = load_identity_file(id->filename)) == NULL)
+                return (-1);
+        ret = key_sign(prv, sigp, lenp, data, datalen);
+        key_free(prv);
+        return (ret);
 }
 static int
-sign_and_send_pubkey(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback)
+sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
 {
        Buffer b;
        u_char *blob, *signature;
        u_int bloblen, slen;
-        int skip = 0;
+        u_int skip = 0;
        int ret = -1;
        int have_sig = 1;
        debug3("sign_and_send_pubkey");
-        if (key_to_blob(k, &blob, &bloblen) == 0) {
+        if (key_to_blob(id->key, &blob, &bloblen) == 0) {
                /* we cannot handle this key */
                debug3("sign_and_send_pubkey: cannot handle key");
                return 0;
@@ -591,12 +861,12 @@ sign_and_send_pubkey(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback)
        } else {
                buffer_put_cstring(&b, authctxt->method->name);
                buffer_put_char(&b, have_sig);
-                buffer_put_cstring(&b, key_ssh_name(k));
+                buffer_put_cstring(&b, key_ssh_name(id->key));
        }
        buffer_put_string(&b, blob, bloblen);
        /* generate signature */
-        ret = (*sign_callback)(authctxt, k, &signature, &slen,
+        ret = identity_sign(id, &signature, &slen,
            buffer_ptr(&b), buffer_len(&b));
        if (ret == -1) {
                xfree(blob);
@@ -616,7 +886,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback)
                buffer_put_cstring(&b, authctxt->method->name);
                buffer_put_char(&b, have_sig);
                if (!(datafellows & SSH_BUG_PKAUTH))
-                        buffer_put_cstring(&b, key_ssh_name(k));
+                        buffer_put_cstring(&b, key_ssh_name(id->key));
                buffer_put_string(&b, blob, bloblen);
        }
        xfree(blob);
@@ -640,23 +910,19 @@ sign_and_send_pubkey(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback)
 }
 static int
-send_pubkey_test(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback,
+send_pubkey_test(Authctxt *authctxt, Identity *id)
-    int hint)
 {
        u_char *blob;
        u_int bloblen, have_sig = 0;
        debug3("send_pubkey_test");
-        if (key_to_blob(k, &blob, &bloblen) == 0) {
+        if (key_to_blob(id->key, &blob, &bloblen) == 0) {
                /* we cannot handle this key */
                debug3("send_pubkey_test: cannot handle key");
                return 0;
        }
        /* register callback for USERAUTH_PK_OK message */
-        authctxt->last_key_sign = sign_callback;
-        authctxt->last_key_hint = hint;
-        authctxt->last_key = k;
        dispatch_set(SSH2_MSG_USERAUTH_PK_OK, &input_userauth_pk_ok);
        packet_start(SSH2_MSG_USERAUTH_REQUEST);
@@ -665,7 +931,7 @@ send_pubkey_test(Authctxt *authctxt, Key *k, sign_cb_fn *sign_callback,
        packet_put_cstring(authctxt->method->name);
        packet_put_char(have_sig);
        if (!(datafellows & SSH_BUG_PKAUTH))
-                packet_put_cstring(key_ssh_name(k));
+                packet_put_cstring(key_ssh_name(id->key));
        packet_put_string(blob, bloblen);
        xfree(blob);
        packet_send();
@@ -710,103 +976,134 @@ load_identity_file(char *filename)
        return private;
 }
-static int
+/*
-identity_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, u_int *lenp,
+ * try keys in the following order:
-    u_char *data, u_int datalen)
+ *      1. agent keys that are found in the config file
-{
+ *      2. other agent keys
-        Key *private;
+ *      3. keys that are only listed in the config file
-        int idx, ret;
+ */
+static void
-        idx = authctxt->last_key_hint;
+pubkey_prepare(Authctxt *authctxt)
-        if (idx < 0)
-                return -1;
-        /* private key is stored in external hardware */
-        if (options.identity_keys[idx]->flags & KEY_FLAG_EXT)
-                return key_sign(options.identity_keys[idx], sigp, lenp, data, datalen);
-        private = load_identity_file(options.identity_files[idx]);
-        if (private == NULL)
-                return -1;
-        ret = key_sign(private, sigp, lenp, data, datalen);
-        key_free(private);
-        return ret;
-}
-static int
-agent_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, u_int *lenp,
-    u_char *data, u_int datalen)
-{
-        return ssh_agent_sign(authctxt->agent, key, sigp, lenp, data, datalen);
-}
-static int
-key_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, u_int *lenp,
-    u_char *data, u_int datalen)
 {
-        return key_sign(key, sigp, lenp, data, datalen);
+        Identity *id;
+        Idlist agent, files, *preferred;
+        Key *key;
+        AuthenticationConnection *ac;
+        char *comment;
+        int i, found;
+        TAILQ_INIT(&agent);     /* keys from the agent */
+        TAILQ_INIT(&files);     /* keys from the config file */
+        preferred = &authctxt->keys;
+        TAILQ_INIT(preferred);  /* preferred order of keys */
+        /* list of keys stored in the filesystem */
+        for (i = 0; i < options.num_identity_files; i++) {
+                key = options.identity_keys[i];
+                if (key && key->type == KEY_RSA1)
+                        continue;
+                options.identity_keys[i] = NULL;
+                id = xmalloc(sizeof(*id));
+                memset(id, 0, sizeof(*id));
+                id->key = key;
+                id->filename = xstrdup(options.identity_files[i]);
+                TAILQ_INSERT_TAIL(&files, id, next);
+        }
+        /* list of keys supported by the agent */
+        if ((ac = ssh_get_authentication_connection())) {
+                for (key = ssh_get_first_identity(ac, &comment, 2);
+                    key != NULL;
+                    key = ssh_get_next_identity(ac, &comment, 2)) {
+                        found = 0;
+                        TAILQ_FOREACH(id, &files, next) {
+                                /* agent keys from the config file are preferred */ 
+                                if (key_equal(key, id->key)) {
+                                        key_free(key);
+                                        xfree(comment);
+                                        TAILQ_REMOVE(&files, id, next);
+                                        TAILQ_INSERT_TAIL(preferred, id, next);
+                                        id->ac = ac;
+                                        found = 1;
+                                        break;
+                                }
+                        }
+                        if (!found) {
+                                id = xmalloc(sizeof(*id));
+                                memset(id, 0, sizeof(*id));
+                                id->key = key;
+                                id->filename = comment;
+                                id->ac = ac;
+                                TAILQ_INSERT_TAIL(&agent, id, next);
+                        }
+                }
+                /* append remaining agent keys */
+                for (id = TAILQ_FIRST(&agent); id; id = TAILQ_FIRST(&agent)) {
+                        TAILQ_REMOVE(&agent, id, next);
+                        TAILQ_INSERT_TAIL(preferred, id, next);
+                }
+                authctxt->agent = ac;
+        }
+        /* append remaining keys from the config file */
+        for (id = TAILQ_FIRST(&files); id; id = TAILQ_FIRST(&files)) {
+                TAILQ_REMOVE(&files, id, next);
+                TAILQ_INSERT_TAIL(preferred, id, next);
+        }
+        TAILQ_FOREACH(id, preferred, next) {
+                debug2("key: %s (%p)", id->filename, id->key);
+        }
 }
-static int
+static void
-userauth_pubkey_agent(Authctxt *authctxt)
+pubkey_cleanup(Authctxt *authctxt)
 {
-        static int called = 0;
+        Identity *id;
-        int ret = 0;
-        char *comment;
+        if (authctxt->agent != NULL)
-        Key *k;
+                ssh_close_authentication_connection(authctxt->agent);
+        for (id = TAILQ_FIRST(&authctxt->keys); id;
-        if (called == 0) {
+            id = TAILQ_FIRST(&authctxt->keys)) {
-                if (ssh_get_num_identities(authctxt->agent, 2) == 0)
+                TAILQ_REMOVE(&authctxt->keys, id, next);
-                        debug2("userauth_pubkey_agent: no keys at all");
+                if (id->key)
-                called = 1;
+                        key_free(id->key);
-        }
+                if (id->filename)
-        k = ssh_get_next_identity(authctxt->agent, &comment, 2);
+                        xfree(id->filename);
-        if (k == NULL) {
+                xfree(id);
-                debug2("userauth_pubkey_agent: no more keys");
-        } else {
-                debug("Offering agent key: %s", comment);
-                xfree(comment);
-                ret = send_pubkey_test(authctxt, k, agent_sign_cb, -1);
-                if (ret == 0)
-                        key_free(k);
        }
-        if (ret == 0)
-                debug2("userauth_pubkey_agent: no message sent");
-        return ret;
 }
 int
 userauth_pubkey(Authctxt *authctxt)
 {
-        static int idx = 0;
+        Identity *id;
        int sent = 0;
-        Key *key;
-        char *filename;
-        if (authctxt->agent != NULL) {
+        while ((id = TAILQ_FIRST(&authctxt->keys))) {
-                do {
+                if (id->tried++)
-                        sent = userauth_pubkey_agent(authctxt);
+                        return (0);
-                } while (!sent && authctxt->agent->howmany > 0);
+                TAILQ_REMOVE(&authctxt->keys, id, next);
-        }
+                TAILQ_INSERT_TAIL(&authctxt->keys, id, next);
-        while (!sent && idx < options.num_identity_files) {
+                /*
-                key = options.identity_keys[idx];
+                 * send a test message if we have the public key. for
-                filename = options.identity_files[idx];
+                 * encrypted keys we cannot do this and have to load the
-                if (key == NULL) {
+                 * private key instead
-                        debug("Trying private key: %s", filename);
+                 */
-                        key = load_identity_file(filename);
+                if (id->key && id->key->type != KEY_RSA1) {
-                        if (key != NULL) {
+                        debug("Offering public key: %s", id->filename);
-                                sent = sign_and_send_pubkey(authctxt, key,
+                        sent = send_pubkey_test(authctxt, id);
-                                    key_sign_cb);
+                } else if (id->key == NULL) {
-                                key_free(key);
+                        debug("Trying private key: %s", id->filename);
+                        id->key = load_identity_file(id->filename);
+                        if (id->key != NULL) {
+                                id->isprivate = 1;
+                                sent = sign_and_send_pubkey(authctxt, id);
+                                key_free(id->key);
+                                id->key = NULL;
                        }
-                } else if (key->type != KEY_RSA1) {
-                        debug("Offering public key: %s", filename);
-                        sent = send_pubkey_test(authctxt, key,
-                            identity_sign_cb, idx);
                }
-                idx++;
+                if (sent)
+                        return (sent);
        }
-        return sent;
+        return (0);
 }
 /*
@@ -862,9 +1159,9 @@ input_userauth_info_req(int type, u_int32_t seq, void *ctxt)
        inst = packet_get_string(NULL);
        lang = packet_get_string(NULL);
        if (strlen(name) > 0)
-                log("%s", name);
+                logit("%s", name);
        if (strlen(inst) > 0)
-                log("%s", inst);
+                logit("%s", inst);
        xfree(name);
        xfree(inst);
        xfree(lang);
diff --git a/sshd.0 b/sshd.0
index 7bed03416..937e35906 100644
--- a/sshd.0
+++ b/sshd.0
@@ -42,6 +42,17 @@ DESCRIPTION
     authentication combined with RSA host authentication, RSA challenge-
     response authentication, or password based authentication.
+     Regardless of the authentication type, the account is checked to ensure
+     that it is accessible.  An account is not accessible if it is locked,
+     listed in DenyUsers or its group is listed in DenyGroups .  The defini-
+     tion of a locked account is system dependant. Some platforms have their
+     own account database (eg AIX) and some modify the passwd field ( M-bM-^@M-^X*LK*M-bM-^@M-^Y
+     on Solaris, M-bM-^@M-^X*M-bM-^@M-^Y on HP-UX, containing M-bM-^@M-^XNologinM-bM-^@M-^Y on Tru64 and a leading
+     M-bM-^@M-^X!!M-bM-^@M-^Y on Linux).  If there is a requirement to disable password authenti-
+     cation for the account while allowing still public-key, then the passwd
+     field should be set to something other than these values (eg M-bM-^@M-^XNPM-bM-^@M-^Y or
+     M-bM-^@M-^X*NP*M-bM-^@M-^Y ).
     Rhosts authentication is normally disabled because it is fundamentally
     insecure, but can be enabled in the server configuration file if desired.
     System security is not improved unless rshd, rlogind, and rexecd are dis-
@@ -169,10 +180,10 @@ DESCRIPTION
             the utmp file.  -u0 may also be used to prevent sshd from making
             DNS requests unless the authentication mechanism or configuration
             requires it.  Authentication mechanisms that may require DNS
-             include RhostsAuthentication, RhostsRSAAuthentication,
+             include RhostsRSAAuthentication, HostbasedAuthentication and
-             HostbasedAuthentication and using a from="pattern-list" option in
+             using a from="pattern-list" option in a key file.  Configuration
-             a key file.  Configuration options that require DNS include using
+             options that require DNS include using a USER@HOST pattern in
-             a USER@HOST pattern in AllowUsers or DenyUsers.
+             AllowUsers or DenyUsers.
     -D      When this option is specified sshd will not detach and does not
             become a daemon.  This allows easy monitoring of sshd.
@@ -250,9 +261,9 @@ AUTHORIZED_KEYS FILE FORMAT
     from="pattern-list"
             Specifies that in addition to public key authentication, the
             canonical name of the remote host must be present in the comma-
-             separated list of patterns (M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y?  serve as wildcards).
+             separated list of patterns (M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y serve as wildcards).  The
-             The list may also contain patterns negated by prefixing them with
+             list may also contain patterns negated by prefixing them with
-             M-bM-^@M-^XM-bM-^@M-^Y!; if the canonical host name matches a negated pattern, the
+             M-bM-^@M-^X!M-bM-^@M-^Y; if the canonical host name matches a negated pattern, the
             key is not accepted.  The purpose of this option is to optionally
             increase security: public key authentication by itself does not
             trust the network or name servers or anything (but the key); how-
@@ -304,7 +315,7 @@ AUTHORIZED_KEYS FILE FORMAT
             Limit local M-bM-^@M-^XM-bM-^@M-^Xssh -LM-bM-^@M-^YM-bM-^@M-^Y port forwarding such that it may only con-
             nect to the specified host and port.  IPv6 addresses can be spec-
             ified with an alternative syntax: host/port.  Multiple permitopen
-             options may be applied separated by commas. No pattern matching
+             options may be applied separated by commas.  No pattern matching
             is performed on the specified hostnames, they must be literal
             domains or addresses.
@@ -328,11 +339,11 @@ SSH_KNOWN_HOSTS FILE FORMAT
     Each line in these files contains the following fields: hostnames, bits,
     exponent, modulus, comment.  The fields are separated by spaces.
-     Hostnames is a comma-separated list of patterns (M-bM-^@M-^Y*M-bM-^@M-^Y and M-bM-^@M-^Y?M-bM-^@M-^Y act as wild-
+     Hostnames is a comma-separated list of patterns (M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y act as wild-
     cards); each pattern in turn is matched against the canonical host name
     (when authenticating a client) or against the user-supplied name (when
-     authenticating a server).  A pattern may also be preceded by M-bM-^@M-^XM-bM-^@M-^Y!  to
+     authenticating a server).  A pattern may also be preceded by M-bM-^@M-^X!M-bM-^@M-^Y to indi-
-     indicate negation: if the host name matches a negated pattern, it is not
+     cate negation: if the host name matches a negated pattern, it is not
     accepted (by that line) even if it matched another pattern on the line.
     Bits, exponent, and modulus are taken directly from the RSA host key;
@@ -520,14 +531,6 @@ FILES
             login-time initializations globally.  This file should be
             writable only by root, and should be world-readable.
-AUTHORS
-     OpenSSH is a derivative of the original and free ssh 1.2.12 release by
-     Tatu Ylonen.  Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
-     de Raadt and Dug Song removed many bugs, re-added newer features and cre-
-     ated OpenSSH.  Markus Friedl contributed the support for SSH protocol
-     versions 1.5 and 2.0.  Niels Provos and Markus Friedl contributed support
-     for privilege separation.
 SEE ALSO
     scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1),
     login.conf(5), moduli(5), sshd_config(5), sftp-server(8)
@@ -540,4 +543,12 @@ SEE ALSO
     for the SSH Transport Layer Protocol, draft-ietf-secsh-dh-group-
     exchange-02.txt, January 2002, work in progress material.
+AUTHORS
+     OpenSSH is a derivative of the original and free ssh 1.2.12 release by
+     Tatu Ylonen.  Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
+     de Raadt and Dug Song removed many bugs, re-added newer features and cre-
+     ated OpenSSH.  Markus Friedl contributed the support for SSH protocol
+     versions 1.5 and 2.0.  Niels Provos and Markus Friedl contributed support
+     for privilege separation.
 BSD                           September 25, 1999                           BSD
diff --git a/sshd.8 b/sshd.8
index a99c4f162..0eeea6666 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.194 2003/01/31 21:54:40 jmc Exp $
+.\" $OpenBSD: sshd.8,v 1.199 2003/08/13 08:46:31 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -114,6 +114,29 @@ authentication combined with RSA host
 authentication, RSA challenge-response authentication, or password
 based authentication.
 .Pp
+Regardless of the authentication type, the account is checked to
+ensure that it is accessible.  An account is not accessible if it is
+locked, listed in
+.Cm DenyUsers
+or its group is listed in
+.Cm DenyGroups
+\&.  The definition of a locked account is system dependant. Some platforms
+have their own account database (eg AIX) and some modify the passwd field (
+.Ql \&*LK\&*
+on Solaris,
+.Ql \&*
+on HP-UX, containing
+.Ql Nologin
+on Tru64 and a leading
+.Ql \&!!
+on Linux).  If there is a requirement to disable password authentication
+for the account while allowing still public-key, then the passwd field
+should be set to something other than these values (eg
+.Ql NP
+or
+.Ql \&*NP\&*
+).
+.Pp
 Rhosts authentication is normally disabled
 because it is fundamentally insecure, but can be enabled in the server
 configuration file if desired.
@@ -292,7 +315,6 @@ may also be used to prevent
 from making DNS requests unless the authentication
 mechanism or configuration requires it.
 Authentication mechanisms that may require DNS include
-.Cm RhostsAuthentication ,
 .Cm RhostsRSAAuthentication ,
 .Cm HostbasedAuthentication
 and using a
@@ -429,13 +451,13 @@ that option keywords are case-insensitive):
 Specifies that in addition to public key authentication, the canonical name
 of the remote host must be present in the comma-separated list of
 patterns
-.Pf ( Ql *
+.Pf ( Ql \&*
 and
-.Ql ?
+.Ql \&?
 serve as wildcards).
 The list may also contain
 patterns negated by prefixing them with
-.Ql ! ;
+.Ql \&! ;
 if the canonical host name matches a negated pattern, the key is not accepted.
 The purpose
 of this option is to optionally increase security: public key authentication
@@ -497,9 +519,9 @@ IPv6 addresses can be specified with an alternative syntax:
 .Ar host/port .
 Multiple
 .Cm permitopen
-options may be applied separated by commas. No pattern matching is
+options may be applied separated by commas.
-performed on the specified hostnames, they must be literal domains or
+No pattern matching is performed on the specified hostnames,
-addresses.
+they must be literal domains or addresses.
 .El
 .Ss Examples
 1024 33 12121.\|.\|.\|312314325 ylo@foo.bar
@@ -524,12 +546,16 @@ Each line in these files contains the following fields: hostnames,
 bits, exponent, modulus, comment.
 The fields are separated by spaces.
 .Pp
-Hostnames is a comma-separated list of patterns ('*' and '?' act as
+Hostnames is a comma-separated list of patterns
+.Pf ( Ql \&*
+and
+.Ql \&?
+act as
 wildcards); each pattern in turn is matched against the canonical host
 name (when authenticating a client) or against the user-supplied
 name (when authenticating a server).
 A pattern may also be preceded by
-.Ql !
+.Ql \&!
 to indicate negation: if the host name matches a negated
 pattern, it is not accepted (by that line) even if it matched another
 pattern on the line.
@@ -767,17 +793,6 @@ This can be used to specify
 machine-specific login-time initializations globally.
 This file should be writable only by root, and should be world-readable.
 .El
-.Sh AUTHORS
-OpenSSH is a derivative of the original and free
-ssh 1.2.12 release by Tatu Ylonen.
-Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
-Theo de Raadt and Dug Song
-removed many bugs, re-added newer features and
-created OpenSSH.
-Markus Friedl contributed the support for SSH
-protocol versions 1.5 and 2.0.
-Niels Provos and Markus Friedl contributed support
-for privilege separation.
 .Sh SEE ALSO
 .Xr scp 1 ,
 .Xr sftp 1 ,
@@ -809,3 +824,14 @@ for privilege separation.
 .%D January 2002
 .%O work in progress material
 .Re
+.Sh AUTHORS
+OpenSSH is a derivative of the original and free
+ssh 1.2.12 release by Tatu Ylonen.
+Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
+Theo de Raadt and Dug Song
+removed many bugs, re-added newer features and
+created OpenSSH.
+Markus Friedl contributed the support for SSH
+protocol versions 1.5 and 2.0.
+Niels Provos and Markus Friedl contributed support
+for privilege separation.
diff --git a/sshd.c b/sshd.c
index 0f2b2a3ce..47df9caf1 100644
--- a/sshd.c
+++ b/sshd.c
@@ -42,7 +42,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.263 2003/02/16 17:09:57 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.276 2003/08/28 12:54:34 markus Exp $");
 #include <openssl/dh.h>
 #include <openssl/bn.h>
@@ -112,11 +112,7 @@ char *config_file_name = _PATH_SERVER_CONFIG_FILE;
 * Flag indicating whether IPv4 or IPv6.  This can be set on the command line.
 * Default value is AF_UNSPEC means both IPv4 and IPv6.
 */
-#ifdef IPV4_DEFAULT
-int IPv4or6 = AF_INET;
-#else
 int IPv4or6 = AF_UNSPEC;
-#endif
 /*
 * Debug mode flag.  This can be set on the command line.  If debug
@@ -192,7 +188,7 @@ u_char session_id[16];
 /* same for ssh2 */
 u_char *session_id2 = NULL;
-int session_id2_len = 0;
+u_int session_id2_len = 0;
 /* record remote hostname or ip */
 u_int utmp_len = MAXHOSTNAMELEN;
@@ -205,6 +201,9 @@ int startup_pipe;		/* in child */
 int use_privsep;
 struct monitor *pmonitor;
+/* message to be displayed after login */
+Buffer loginmsg;
 /* Prototypes for various functions defined later in this file. */
 void destroy_sensitive_data(void);
 void demote_sensitive_data(void);
@@ -258,11 +257,11 @@ sighup_handler(int sig)
 static void
 sighup_restart(void)
 {
-        log("Received SIGHUP; restarting.");
+        logit("Received SIGHUP; restarting.");
        close_listen_socks();
        close_startup_pipes();
        execv(saved_argv[0], saved_argv);
-        log("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0],
+        logit("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0],
            strerror(errno));
        exit(1);
 }
@@ -371,39 +370,37 @@ sshd_exchange_identification(int sock_in, int sock_out)
        snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION);
        server_version_string = xstrdup(buf);
-        if (client_version_string == NULL) {
+        /* Send our protocol version identification. */
-                /* Send our protocol version identification. */
+        if (atomicio(vwrite, sock_out, server_version_string,
-                if (atomicio(write, sock_out, server_version_string,
+            strlen(server_version_string))
-                    strlen(server_version_string))
+            != strlen(server_version_string)) {
-                    != strlen(server_version_string)) {
+                logit("Could not write ident string to %s", get_remote_ipaddr());
-                        log("Could not write ident string to %s", get_remote_ipaddr());
+                fatal_cleanup();
+        }
+        /* Read other sides version identification. */
+        memset(buf, 0, sizeof(buf));
+        for (i = 0; i < sizeof(buf) - 1; i++) {
+                if (atomicio(read, sock_in, &buf[i], 1) != 1) {
+                        logit("Did not receive identification string from %s",
+                            get_remote_ipaddr());
                        fatal_cleanup();
                }
+                if (buf[i] == '\r') {
-                /* Read other sides version identification. */
+                        buf[i] = 0;
-                memset(buf, 0, sizeof(buf));
+                        /* Kludge for F-Secure Macintosh < 1.0.2 */
-                for (i = 0; i < sizeof(buf) - 1; i++) {
+                        if (i == 12 &&
-                        if (atomicio(read, sock_in, &buf[i], 1) != 1) {
+                            strncmp(buf, "SSH-1.5-W1.0", 12) == 0)
-                                log("Did not receive identification string from %s",
-                                    get_remote_ipaddr());
-                                fatal_cleanup();
-                        }
-                        if (buf[i] == '\r') {
-                                buf[i] = 0;
-                                /* Kludge for F-Secure Macintosh < 1.0.2 */
-                                if (i == 12 &&
-                                    strncmp(buf, "SSH-1.5-W1.0", 12) == 0)
-                                        break;
-                                continue;
-                        }
-                        if (buf[i] == '\n') {
-                                buf[i] = 0;
                                break;
-                        }
+                        continue;
+                }
+                if (buf[i] == '\n') {
+                        buf[i] = 0;
+                        break;
                }
-                buf[sizeof(buf) - 1] = 0;
-                client_version_string = xstrdup(buf);
        }
+        buf[sizeof(buf) - 1] = 0;
+        client_version_string = xstrdup(buf);
        /*
         * Check that the versions match.  In future this might accept
@@ -412,10 +409,10 @@ sshd_exchange_identification(int sock_in, int sock_out)
        if (sscanf(client_version_string, "SSH-%d.%d-%[^\n]\n",
            &remote_major, &remote_minor, remote_version) != 3) {
                s = "Protocol mismatch.\n";
-                (void) atomicio(write, sock_out, s, strlen(s));
+                (void) atomicio(vwrite, sock_out, s, strlen(s));
                close(sock_in);
                close(sock_out);
-                log("Bad protocol version identification '%.100s' from %s",
+                logit("Bad protocol version identification '%.100s' from %s",
                    client_version_string, get_remote_ipaddr());
                fatal_cleanup();
        }
@@ -425,13 +422,13 @@ sshd_exchange_identification(int sock_in, int sock_out)
        compat_datafellows(remote_version);
        if (datafellows & SSH_BUG_PROBE) {
-                log("probed from %s with %s.  Don't panic.",
+                logit("probed from %s with %s.  Don't panic.",
                    get_remote_ipaddr(), client_version_string);
                fatal_cleanup();
        }
        if (datafellows & SSH_BUG_SCANNER) {
-                log("scanned from %s with %s.  Don't panic.",
+                logit("scanned from %s with %s.  Don't panic.",
                    get_remote_ipaddr(), client_version_string);
                fatal_cleanup();
        }
@@ -473,10 +470,10 @@ sshd_exchange_identification(int sock_in, int sock_out)
        if (mismatch) {
                s = "Protocol major versions differ.\n";
-                (void) atomicio(write, sock_out, s, strlen(s));
+                (void) atomicio(vwrite, sock_out, s, strlen(s));
                close(sock_in);
                close(sock_out);
-                log("Protocol major versions differ for %s: %.200s vs. %.200s",
+                logit("Protocol major versions differ for %s: %.200s vs. %.200s",
                    get_remote_ipaddr(),
                    server_version_string, client_version_string);
                fatal_cleanup();
@@ -568,8 +565,6 @@ privsep_preauth_child(void)
        do_setusercontext(pw);
 #else
        gidset[0] = pw->pw_gid;
-        if (setgid(pw->pw_gid) < 0)
-                fatal("setgid failed for %u", pw->pw_gid );
        if (setgroups(1, gidset) < 0)
                fatal("setgroups: %.100s", strerror(errno));
        permanently_set_uid(pw);
@@ -824,26 +819,27 @@ main(int ac, char **av)
 #ifdef HAVE_SECUREWARE
        (void)set_auth_parameters(ac, av);
 #endif
-        __progname = get_progname(av[0]);
+        __progname = ssh_get_progname(av[0]);
        init_rng();
        /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
        saved_argc = ac;
-        saved_argv = av;
+        saved_argv = xmalloc(sizeof(*saved_argv) * (ac + 1));
-        saved_argv = xmalloc(sizeof(*saved_argv) * ac);
        for (i = 0; i < ac; i++)
                saved_argv[i] = xstrdup(av[i]);
+        saved_argv[i] = NULL;
 #ifndef HAVE_SETPROCTITLE
        /* Prepare for later setproctitle emulation */
        compat_init_setproctitle(ac, av);
+        av = saved_argv;
 #endif
        /* Initialize configuration options to their default values. */
        initialize_server_options(&options);
        /* Parse command-line arguments. */
-        while ((opt = getopt(ac, av, "f:p:b:k:h:g:V:u:o:dDeiqtQ46")) != -1) {
+        while ((opt = getopt(ac, av, "f:p:b:k:h:g:u:o:dDeiqtQ46")) != -1) {
                switch (opt) {
                case '4':
                        IPv4or6 = AF_INET;
@@ -855,15 +851,11 @@ main(int ac, char **av)
                        config_file_name = optarg;
                        break;
                case 'd':
-                        if (0 == debug_flag) {
+                        if (debug_flag == 0) {
                                debug_flag = 1;
                                options.log_level = SYSLOG_LEVEL_DEBUG1;
-                        } else if (options.log_level < SYSLOG_LEVEL_DEBUG3) {
+                        } else if (options.log_level < SYSLOG_LEVEL_DEBUG3)
                                options.log_level++;
-                        } else {
-                                fprintf(stderr, "Too high debugging level.\n");
-                                exit(1);
-                        }
                        break;
                case 'D':
                        no_daemon_flag = 1;
@@ -914,11 +906,6 @@ main(int ac, char **av)
                        }
                        options.host_key_files[options.num_host_key_files++] = optarg;
                        break;
-                case 'V':
-                        client_version_string = optarg;
-                        /* only makes sense with inetd_flag, i.e. no listen() */
-                        inetd_flag = 1;
-                        break;
                case 't':
                        test_flag = 1;
                        break;
@@ -1010,15 +997,15 @@ main(int ac, char **av)
                    key_type(key));
        }
        if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
-                log("Disabling protocol version 1. Could not load host key");
+                logit("Disabling protocol version 1. Could not load host key");
                options.protocol &= ~SSH_PROTO_1;
        }
        if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) {
-                log("Disabling protocol version 2. Could not load host key");
+                logit("Disabling protocol version 2. Could not load host key");
                options.protocol &= ~SSH_PROTO_2;
        }
        if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
-                log("sshd: no hostkeys available -- exiting.");
+                logit("sshd: no hostkeys available -- exiting.");
                exit(1);
        }
@@ -1153,7 +1140,8 @@ main(int ac, char **av)
                                continue;
                        }
                        /* Create socket for listening. */
-                        listen_sock = socket(ai->ai_family, SOCK_STREAM, 0);
+                        listen_sock = socket(ai->ai_family, ai->ai_socktype,
+                            ai->ai_protocol);
                        if (listen_sock < 0) {
                                /* kernel may not support ipv6 */
                                verbose("socket: %.100s", strerror(errno));
@@ -1186,7 +1174,7 @@ main(int ac, char **av)
                        num_listen_socks++;
                        /* Start listening on the port. */
-                        log("Server listening on %s port %s.", ntop, strport);
+                        logit("Server listening on %s port %s.", ntop, strport);
                        if (listen(listen_sock, 5) < 0)
                                fatal("listen: %.100s", strerror(errno));
@@ -1221,7 +1209,10 @@ main(int ac, char **av)
                         * overwrite any old pid in the file.
                         */
                        f = fopen(options.pid_file, "wb");
-                        if (f) {
+                        if (f == NULL) {
+                                error("Couldn't create pid file \"%s\": %s",
+                                    options.pid_file, strerror(errno));
+                        } else {
                                fprintf(f, "%ld\n", (long) getpid());
                                fclose(f);
                        }
@@ -1262,7 +1253,7 @@ main(int ac, char **av)
                        if (ret < 0 && errno != EINTR)
                                error("select: %.100s", strerror(errno));
                        if (received_sigterm) {
-                                log("Received signal %d; terminating.",
+                                logit("Received signal %d; terminating.",
                                    (int) received_sigterm);
                                close_listen_socks();
                                unlink(options.pid_file);
@@ -1400,11 +1391,11 @@ main(int ac, char **av)
         * setlogin() affects the entire process group.  We don't
         * want the child to be able to affect the parent.
         */
-#if !defined(STREAMS_PUSH_ACQUIRES_CTTY)
+#if !defined(SSHD_ACQUIRES_CTTY)
        /*
-         * If setsid is called on Solaris, sshd will acquire the controlling
+         * If setsid is called, on some platforms sshd will later acquire a
-         * terminal while pushing STREAMS modules. This will prevent the
+         * controlling terminal which will result in "could not set
-         * shell from acquiring it later.
+         * controlling tty" errors.
         */
        if (!debug_flag && !inetd_flag && setsid() < 0)
                error("setsid: %.100s", strerror(errno));
@@ -1471,37 +1462,12 @@ main(int ac, char **av)
                alarm(options.login_grace_time);
        sshd_exchange_identification(sock_in, sock_out);
-        /*
-         * Check that the connection comes from a privileged port.
-         * Rhosts-Authentication only makes sense from privileged
-         * programs.  Of course, if the intruder has root access on his local
-         * machine, he can connect from any port.  So do not use these
-         * authentication methods from machines that you do not trust.
-         */
-        if (options.rhosts_authentication &&
-            (remote_port >= IPPORT_RESERVED ||
-            remote_port < IPPORT_RESERVED / 2)) {
-                debug("Rhosts Authentication disabled, "
-                    "originating port %d not trusted.", remote_port);
-                options.rhosts_authentication = 0;
-        }
-#if defined(KRB4) && !defined(KRB5)
-        if (!packet_connection_is_ipv4() &&
-            options.kerberos_authentication) {
-                debug("Kerberos Authentication disabled, only available for IPv4.");
-                options.kerberos_authentication = 0;
-        }
-#endif /* KRB4 && !KRB5 */
-#ifdef AFS
-        /* If machine has AFS, set process authentication group. */
-        if (k_hasafs()) {
-                k_setpag();
-                k_unlog();
-        }
-#endif /* AFS */
        packet_set_nonblocking();
+        /* prepare buffers to collect authentication messages */
+        buffer_init(&loginmsg);
        if (use_privsep)
                if ((authctxt = privsep_preauth()) != NULL)
                        goto authenticated;
@@ -1543,7 +1509,8 @@ main(int ac, char **av)
        verbose("Closing connection to %.100s", remote_ip);
 #ifdef USE_PAM
-        finish_pam();
+        if (options.use_pam)
+                finish_pam();
 #endif /* USE_PAM */
        packet_close();
@@ -1655,24 +1622,10 @@ do_ssh1_kex(void)
        /* Declare supported authentication types. */
        auth_mask = 0;
-        if (options.rhosts_authentication)
-                auth_mask |= 1 << SSH_AUTH_RHOSTS;
        if (options.rhosts_rsa_authentication)
                auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
        if (options.rsa_authentication)
                auth_mask |= 1 << SSH_AUTH_RSA;
-#if defined(KRB4) || defined(KRB5)
-        if (options.kerberos_authentication)
-                auth_mask |= 1 << SSH_AUTH_KERBEROS;
-#endif
-#if defined(AFS) || defined(KRB5)
-        if (options.kerberos_tgt_passing)
-                auth_mask |= 1 << SSH_PASS_KERBEROS_TGT;
-#endif
-#ifdef AFS
-        if (options.afs_token_passing)
-                auth_mask |= 1 << SSH_PASS_AFS_TOKEN;
-#endif
        if (options.challenge_response_authentication == 1)
                auth_mask |= 1 << SSH_AUTH_TIS;
        if (options.password_authentication)
@@ -1750,7 +1703,7 @@ do_ssh1_kex(void)
                u_char *buf = xmalloc(bytes);
                MD5_CTX md;
-                log("do_connection: generating a fake encryption key");
+                logit("do_connection: generating a fake encryption key");
                BN_bn2bin(session_key_int, buf);
                MD5_Init(&md);
                MD5_Update(&md, buf, bytes);
diff --git a/sshd_config b/sshd_config
index 36429c9d0..dd53f1057 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-#       $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
+#       $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -22,7 +22,7 @@
 #HostKey /etc/ssh/ssh_host_dsa_key
 # Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 3600
+#KeyRegenerationInterval 1h
 #ServerKeyBits 768
 # Logging
@@ -32,7 +32,7 @@
 # Authentication:
-#LoginGraceTime 120
+#LoginGraceTime 2m
 #PermitRootLogin yes
 #StrictModes yes
@@ -40,10 +40,6 @@
 #PubkeyAuthentication yes
 #AuthorizedKeysFile     .ssh/authorized_keys
-# rhosts authentication should not be used
-#RhostsAuthentication no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #RhostsRSAAuthentication no
 # similar for protocol version 2
@@ -51,6 +47,8 @@
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # RhostsRSAAuthentication and HostbasedAuthentication
 #IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
 # To disable tunneled clear text passwords, change to no here!
 #PasswordAuthentication yes
@@ -64,15 +62,17 @@
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
-#AFSTokenPassing no
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCreds yes
-# Kerberos TGT Passing only works with the AFS kaserver
+# Set this to 'yes' to enable PAM authentication (via challenge-response)
-#KerberosTgtPassing no
+# and session processing. Depending on your PAM configuration, this may
+# bypass the setting of 'PasswordAuthentication'
-# Set this to 'yes' to enable PAM keyboard-interactive authentication 
+#UsePAM yes
-# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
-#PAMAuthenticationViaKbdInt no
+#AllowTcpForwarding yes
+#GatewayPorts no
 #X11Forwarding no
 #X11DisplayOffset 10
 #X11UseLocalhost yes
@@ -83,11 +83,14 @@
 #UsePrivilegeSeparation yes
 #PermitUserEnvironment no
 #Compression yes
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS yes
+#PidFile /var/run/sshd.pid
 #MaxStartups 10
 # no default banner path
 #Banner /some/path
-#VerifyReverseMapping no
 # override default of no subsystems
 Subsystem       sftp    /usr/libexec/sftp-server
diff --git a/sshd_config.0 b/sshd_config.0
index 7800de312..bc266317f 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -15,15 +15,11 @@ DESCRIPTION
     The possible keywords and their meanings are as follows (note that key-
     words are case-insensitive and arguments are case-sensitive):
-     AFSTokenPassing
-             Specifies whether an AFS token may be forwarded to the server.
-             Default is M-bM-^@M-^\noM-bM-^@M-^].
     AllowGroups
             This keyword can be followed by a list of group name patterns,
             separated by spaces.  If specified, login is allowed only for
             users whose primary group or supplementary group list matches one
-             of the patterns.  M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y?  can be used as wildcards in the
+             of the patterns.  M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y can be used as wildcards in the
             patterns.  Only group names are valid; a numerical group ID is
             not recognized.  By default, login is allowed for all groups.
@@ -36,7 +32,7 @@ DESCRIPTION
     AllowUsers
             This keyword can be followed by a list of user name patterns,
             separated by spaces.  If specified, login is allowed only for
-             user names that match one of the patterns.  M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y?  can be
+             user names that match one of the patterns.  M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y can be
             used as wildcards in the patterns.  Only user names are valid; a
             numerical user ID is not recognized.  By default, login is
             allowed for all users.  If the pattern takes the form USER@HOST
@@ -70,7 +66,7 @@ DESCRIPTION
             ciphers must be comma-separated.  The default is
               M-bM-^@M-^XM-bM-^@M-^Xaes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
-                 aes192-cbc,aes256-cbcM-bM-^@M-^YM-bM-^@M-^Y
+                 aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctrM-bM-^@M-^YM-bM-^@M-^Y
     ClientAliveInterval
             Sets a timeout interval in seconds after which if no data has
@@ -81,18 +77,18 @@ DESCRIPTION
     ClientAliveCountMax
             Sets the number of client alive messages (see above) which may be
-             sent without sshd receiving any messages back from the client. If
+             sent without sshd receiving any messages back from the client.
-             this threshold is reached while client alive messages are being
+             If this threshold is reached while client alive messages are
-             sent, sshd will disconnect the client, terminating the session.
+             being sent, sshd will disconnect the client, terminating the ses-
-             It is important to note that the use of client alive messages is
+             sion.  It is important to note that the use of client alive mes-
-             very different from KeepAlive (below). The client alive messages
+             sages is very different from KeepAlive (below).  The client alive
-             are sent through the encrypted channel and therefore will not be
+             messages are sent through the encrypted channel and therefore
-             spoofable. The TCP keepalive option enabled by KeepAlive is
+             will not be spoofable.  The TCP keepalive option enabled by
-             spoofable. The client alive mechanism is valuable when the client
+             KeepAlive is spoofable.  The client alive mechanism is valuable
-             or server depend on knowing when a connection has become inac-
+             when the client or server depend on knowing when a connection has
-             tive.
+             become inactive.
-             The default value is 3. If ClientAliveInterval (above) is set to
+             The default value is 3.  If ClientAliveInterval (above) is set to
             15, and ClientAliveCountMax is left at the default, unresponsive
             ssh clients will be disconnected after approximately 45 seconds.
@@ -104,14 +100,14 @@ DESCRIPTION
             This keyword can be followed by a list of group name patterns,
             separated by spaces.  Login is disallowed for users whose primary
             group or supplementary group list matches one of the patterns.
-             M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y?  can be used as wildcards in the patterns.  Only
+             M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y can be used as wildcards in the patterns.  Only group
-             group names are valid; a numerical group ID is not recognized.
+             names are valid; a numerical group ID is not recognized.  By
-             By default, login is allowed for all groups.
+             default, login is allowed for all groups.
     DenyUsers
             This keyword can be followed by a list of user name patterns,
             separated by spaces.  Login is disallowed for user names that
-             match one of the patterns.  M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^XM-bM-^@M-^Y?  can be used as wildcards
+             match one of the patterns.  M-bM-^@M-^X*M-bM-^@M-^Y and M-bM-^@M-^X?M-bM-^@M-^Y can be used as wildcards
             in the patterns.  Only user names are valid; a numerical user ID
             is not recognized.  By default, login is allowed for all users.
             If the pattern takes the form USER@HOST then USER and HOST are
@@ -128,6 +124,16 @@ DESCRIPTION
             forwarded ports.  The argument must be M-bM-^@M-^\yesM-bM-^@M-^] or M-bM-^@M-^\noM-bM-^@M-^].  The
             default is M-bM-^@M-^\noM-bM-^@M-^].
+     GSSAPIAuthentication
+             Specifies whether user authentication based on GSSAPI is allowed.
+             The default is M-bM-^@M-^\noM-bM-^@M-^].  Note that this option applies to protocol
+             version 2 only.
+     GSSAPICleanupCredentials
+             Specifies whether to automatically destroy the userM-bM-^@M-^Ys credentials
+             cache on logout.  The default is M-bM-^@M-^\yesM-bM-^@M-^].  Note that this option
+             applies to protocol version 2 only.
     HostbasedAuthentication
             Specifies whether rhosts or /etc/hosts.equiv authentication
             together with successful public key client host authentication is
@@ -146,8 +152,7 @@ DESCRIPTION
     IgnoreRhosts
             Specifies that .rhosts and .shosts files will not be used in
-             RhostsAuthentication, RhostsRSAAuthentication or
+             RhostsRSAAuthentication or HostbasedAuthentication.
-             HostbasedAuthentication.
             /etc/hosts.equiv and /etc/shosts.equiv are still used.  The
             default is M-bM-^@M-^\yesM-bM-^@M-^].
@@ -173,23 +178,17 @@ DESCRIPTION
             To disable keepalives, the value should be set to M-bM-^@M-^\noM-bM-^@M-^].
     KerberosAuthentication
-             Specifies whether Kerberos authentication is allowed.  This can
+             Specifies whether the password provided by the user for
-             be in the form of a Kerberos ticket, or if PasswordAuthentication
+             PasswordAuthentication will be validated through the Kerberos
-             is yes, the password provided by the user will be validated
+             KDC.  To use this option, the server needs a Kerberos servtab
-             through the Kerberos KDC.  To use this option, the server needs a
+             which allows the verification of the KDCM-bM-^@M-^Ys identity.  Default is
-             Kerberos servtab which allows the verification of the KDCM-bM-^@M-^Ys iden-
+             M-bM-^@M-^\noM-bM-^@M-^].
-             tity.  Default is M-bM-^@M-^\noM-bM-^@M-^].
     KerberosOrLocalPasswd
             If set then if password authentication through Kerberos fails
             then the password will be validated via any additional local
             mechanism such as /etc/passwd.  Default is M-bM-^@M-^\yesM-bM-^@M-^].
-     KerberosTgtPassing
-             Specifies whether a Kerberos TGT may be forwarded to the server.
-             Default is M-bM-^@M-^\noM-bM-^@M-^], as this only works when the Kerberos KDC is
-             actually an AFS kaserver.
     KerberosTicketCleanup
             Specifies whether to automatically destroy the userM-bM-^@M-^Ys ticket
             cache file on logout.  Default is M-bM-^@M-^\yesM-bM-^@M-^].
@@ -211,7 +210,7 @@ DESCRIPTION
                   ListenAddress [host|IPv6_addr]:port
             If port is not specified, sshd will listen on the address and all
-             prior Port options specified. The default is to listen on all
+             prior Port options specified.  The default is to listen on all
             local addresses.  Multiple ListenAddress options are permitted.
             Additionally, any Port options must precede this option for non
             port qualified addresses.
@@ -249,12 +248,6 @@ DESCRIPTION
             and all connection attempts are refused if the number of unau-
             thenticated connections reaches M-bM-^@M-^\fullM-bM-^@M-^] (60).
-     PAMAuthenticationViaKbdInt
-             Specifies whether PAM challenge response authentication is
-             allowed. This allows the use of most PAM challenge response
-             authentication modules, but it will allow password authentication
-             regardless of whether PasswordAuthentication is enabled.
     PasswordAuthentication
             Specifies whether password authentication is allowed.  The
             default is M-bM-^@M-^\yesM-bM-^@M-^].
@@ -275,7 +268,7 @@ DESCRIPTION
             If this option is set to M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^] root login with
             public key authentication will be allowed, but only if the
             command option has been specified (which may be useful for taking
-             remote backups even if root login is normally not allowed). All
+             remote backups even if root login is normally not allowed).  All
             other authentication methods are disabled for root.
             If this option is set to M-bM-^@M-^\noM-bM-^@M-^] root is not allowed to login.
@@ -315,16 +308,10 @@ DESCRIPTION
     PubkeyAuthentication
             Specifies whether public key authentication is allowed.  The
             default is M-bM-^@M-^\yesM-bM-^@M-^].  Note that this option applies to protocol ver-
-             sion 2 only.
+             sion 2 only.  RhostsRSAAuthentication should be used instead,
+             because it performs RSA-based host authentication in addition to
-     RhostsAuthentication
+             normal rhosts or /etc/hosts.equiv authentication.  The default is
-             Specifies whether authentication using rhosts or /etc/hosts.equiv
+             M-bM-^@M-^\noM-bM-^@M-^].  This option applies to protocol version 1 only.
-             files is sufficient.  Normally, this method should not be permit-
-             ted because it is insecure.  RhostsRSAAuthentication should be
-             used instead, because it performs RSA-based host authentication
-             in addition to normal rhosts or /etc/hosts.equiv authentication.
-             The default is M-bM-^@M-^\noM-bM-^@M-^].  This option applies to protocol version 1
-             only.
     RhostsRSAAuthentication
             Specifies whether rhosts or /etc/hosts.equiv authentication
@@ -361,6 +348,10 @@ DESCRIPTION
             LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  The
             default is AUTH.
+     UseDNS  Specifies whether sshd should lookup the remote host name and
+             check that the resolved host name for the remote IP address maps
+             back to the very same IP address.  The default is M-bM-^@M-^\yesM-bM-^@M-^].
     UseLogin
             Specifies whether login(1) is used for interactive login ses-
             sions.  The default is M-bM-^@M-^\noM-bM-^@M-^].  Note that login(1) is never used
@@ -369,6 +360,11 @@ DESCRIPTION
             know how to handle xauth(1) cookies.  If UsePrivilegeSeparation
             is specified, it will be disabled after authentication.
+     UsePAM  Enables PAM authentication (via challenge-response) and session
+             set up.  If you enable this, you should probably disable
+             PasswordAuthentication.  If you enable then you will not be able
+             to run sshd as a non-root user.
     UsePrivilegeSeparation
             Specifies whether sshd separates privileges by creating an
             unprivileged child process to deal with incoming network traffic.
@@ -378,11 +374,6 @@ DESCRIPTION
             taining any corruption within the unprivileged processes.  The
             default is M-bM-^@M-^\yesM-bM-^@M-^].
-     VerifyReverseMapping
-             Specifies whether sshd should try to verify the remote host name
-             and check that the resolved host name for the remote IP address
-             maps back to the very same IP address.  The default is M-bM-^@M-^\noM-bM-^@M-^].
     X11DisplayOffset
             Specifies the first display number available for sshdM-bM-^@M-^Ys X11 for-
             warding.  This prevents sshd from interfering with real X11
@@ -400,7 +391,7 @@ DESCRIPTION
             substitution occur on the client side.  The security risk of
             using X11 forwarding is that the clientM-bM-^@M-^Ys X11 display server may
             be exposed to attack when the ssh client requests forwarding (see
-             the warnings for ForwardX11 in ssh_config(5) ). A system adminis-
+             the warnings for ForwardX11 in ssh_config(5)).  A system adminis-
             trator may have a stance in which they want to protect clients
             that may expose themselves to attack by unwittingly requesting
             X11 forwarding, which can warrant a M-bM-^@M-^\noM-bM-^@M-^] setting.
@@ -454,6 +445,9 @@ FILES
             writable by root only, but it is recommended (though not neces-
             sary) that it be world-readable.
+SEE ALSO
+     sshd(8)
 AUTHORS
     OpenSSH is a derivative of the original and free ssh 1.2.12 release by
     Tatu Ylonen.  Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
@@ -462,7 +456,4 @@ AUTHORS
     versions 1.5 and 2.0.  Niels Provos and Markus Friedl contributed support
     for privilege separation.
-SEE ALSO
-     sshd(8)
 BSD                           September 25, 1999                           BSD
diff --git a/sshd_config.5 b/sshd_config.5
index 6f38a260a..727fdb12a 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.15 2003/03/28 10:11:43 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.25 2003/09/01 09:50:04 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -61,10 +61,6 @@ The possible
 keywords and their meanings are as follows (note that
 keywords are case-insensitive and arguments are case-sensitive):
 .Bl -tag -width Ds
-.It Cm AFSTokenPassing
-Specifies whether an AFS token may be forwarded to the server.
-Default is
-.Dq no .
 .It Cm AllowGroups
 This keyword can be followed by a list of group name patterns, separated
 by spaces.
@@ -72,7 +68,7 @@ If specified, login is allowed only for users whose primary
 group or supplementary group list matches one of the patterns.
 .Ql \&*
 and
-.Ql ?
+.Ql \&?
 can be used as
 wildcards in the patterns.
 Only group names are valid; a numerical group ID is not recognized.
@@ -93,7 +89,7 @@ If specified, login is allowed only for user names that
 match one of the patterns.
 .Ql \&*
 and
-.Ql ?
+.Ql \&?
 can be used as
 wildcards in the patterns.
 Only user names are valid; a numerical user ID is not recognized.
@@ -107,7 +103,8 @@ Specifies the file that contains the public keys that can be used
 for user authentication.
 .Cm AuthorizedKeysFile
 may contain tokens of the form %T which are substituted during connection
-set-up. The following tokens are defined: %% is replaced by a literal '%',
+set-up.
+The following tokens are defined: %% is replaced by a literal '%',
 %h is replaced by the home directory of the user being authenticated and
 %u is replaced by the username of that user.
 After expansion,
@@ -138,7 +135,7 @@ The default is
 .Pp
 .Bd -literal
  ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
-    aes192-cbc,aes256-cbc''
+    aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr''
 .Ed
 .It Cm ClientAliveInterval
 Sets a timeout interval in seconds after which if no data has been received
@@ -153,20 +150,24 @@ This option applies to protocol version 2 only.
 Sets the number of client alive messages (see above) which may be
 sent without
 .Nm sshd
-receiving any messages back from the client. If this threshold is
+receiving any messages back from the client.
-reached while client alive messages are being sent,
+If this threshold is reached while client alive messages are being sent,
 .Nm sshd
-will disconnect the client, terminating the session. It is important
+will disconnect the client, terminating the session.
-to note that the use of client alive messages is very different from
+It is important to note that the use of client alive messages is very
+different from
 .Cm KeepAlive
-(below). The client alive messages are sent through the
+(below).
-encrypted channel and therefore will not be spoofable. The TCP keepalive
+The client alive messages are sent through the encrypted channel
-option enabled by
+and therefore will not be spoofable.
+The TCP keepalive option enabled by
 .Cm KeepAlive
-is spoofable. The client alive mechanism is valuable when the client or
+is spoofable.
+The client alive mechanism is valuable when the client or
 server depend on knowing when a connection has become inactive.
 .Pp
-The default value is 3. If
+The default value is 3.
+If
 .Cm ClientAliveInterval
 (above) is set to 15, and
 .Cm ClientAliveCountMax
@@ -187,7 +188,7 @@ Login is disallowed for users whose primary group or supplementary
 group list matches one of the patterns.
 .Ql \&*
 and
-.Ql ?
+.Ql \&?
 can be used as
 wildcards in the patterns.
 Only group names are valid; a numerical group ID is not recognized.
@@ -199,7 +200,7 @@ by spaces.
 Login is disallowed for user names that match one of the patterns.
 .Ql \&*
 and
-.Ql ?
+.Ql \&?
 can be used as wildcards in the patterns.
 Only user names are valid; a numerical user ID is not recognized.
 By default, login is allowed for all users.
@@ -224,6 +225,17 @@ or
 .Dq no .
 The default is
 .Dq no .
+.It Cm GSSAPIAuthentication
+Specifies whether user authentication based on GSSAPI is allowed.
+The default is 
+.Dq no .
+Note that this option applies to protocol version 2 only.
+.It Cm GSSAPICleanupCredentials
+Specifies whether to automatically destroy the user's credentials cache
+on logout.
+The default is
+.Dq yes .
+Note that this option applies to protocol version 2 only.
 .It Cm HostbasedAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful public key client host authentication is allowed
@@ -259,7 +271,6 @@ Specifies that
 and
 .Pa .shosts
 files will not be used in
-.Cm RhostsAuthentication ,
 .Cm RhostsRSAAuthentication
 or
 .Cm HostbasedAuthentication .
@@ -303,11 +314,9 @@ This avoids infinitely hanging sessions.
 To disable keepalives, the value should be set to
 .Dq no .
 .It Cm KerberosAuthentication
-Specifies whether Kerberos authentication is allowed.
+Specifies whether the password provided by the user for
-This can be in the form of a Kerberos ticket, or if
 .Cm PasswordAuthentication
-is yes, the password provided by the user will be validated through
+will be validated through the Kerberos KDC.
-the Kerberos KDC.
 To use this option, the server needs a
 Kerberos servtab which allows the verification of the KDC's identity.
 Default is
@@ -319,11 +328,6 @@ such as
 .Pa /etc/passwd .
 Default is
 .Dq yes .
-.It Cm KerberosTgtPassing
-Specifies whether a Kerberos TGT may be forwarded to the server.
-Default is
-.Dq no ,
-as this only works when the Kerberos KDC is actually an AFS kaserver.
 .It Cm KerberosTicketCleanup
 Specifies whether to automatically destroy the user's ticket cache
 file on logout.
@@ -369,11 +373,12 @@ is not specified,
 .Nm sshd
 will listen on the address and all prior
 .Cm Port
-options specified. The default is to listen on all local
+options specified.
-addresses.
+The default is to listen on all local addresses.
 Multiple
 .Cm ListenAddress
-options are permitted. Additionally, any
+options are permitted.
+Additionally, any
 .Cm Port
 options must precede this option for non port qualified addresses.
 .It Cm LoginGraceTime
@@ -422,12 +427,6 @@ The probability increases linearly and all connection attempts
 are refused if the number of unauthenticated connections reaches
 .Dq full
 (60).
-.It Cm PAMAuthenticationViaKbdInt
-Specifies whether PAM challenge response authentication is allowed. This
-allows the use of most PAM challenge response authentication modules, but
-it will allow password authentication regardless of whether
-.Cm PasswordAuthentication
-is enabled.
 .It Cm PasswordAuthentication
 Specifies whether password authentication is allowed.
 The default is
@@ -460,8 +459,8 @@ but only if the
 .Ar command
 option has been specified
 (which may be useful for taking remote backups even if root login is
-normally not allowed). All other authentication methods are disabled
+normally not allowed).
-for root.
+All other authentication methods are disabled for root.
 .Pp
 If this option is set to
 .Dq no
@@ -534,10 +533,6 @@ Specifies whether public key authentication is allowed.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
-.It Cm RhostsAuthentication
-Specifies whether authentication using rhosts or /etc/hosts.equiv
-files is sufficient.
-Normally, this method should not be permitted because it is insecure.
 .Cm RhostsRSAAuthentication
 should be used
 instead, because it performs RSA-based host authentication in addition
@@ -585,6 +580,14 @@ Gives the facility code that is used when logging messages from
 The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 The default is AUTH.
+.It Cm UseDNS
+Specifies whether
+.Nm sshd
+should lookup the remote host name and check that
+the resolved host name for the remote IP address maps back to the
+very same IP address.
+The default is
+.Dq yes .
 .It Cm UseLogin
 Specifies whether
 .Xr login 1
@@ -604,6 +607,13 @@ cookies.
 If
 .Cm UsePrivilegeSeparation
 is specified, it will be disabled after authentication.
+.It Cm UsePAM
+Enables PAM authentication (via challenge-response) and session set up. 
+If you enable this, you should probably disable 
+.Cm PasswordAuthentication .
+If you enable 
+.CM UsePAM
+then you will not be able to run sshd as a non-root user.
 .It Cm UsePrivilegeSeparation
 Specifies whether
 .Nm sshd
@@ -615,14 +625,6 @@ The goal of privilege separation is to prevent privilege
 escalation by containing any corruption within the unprivileged processes.
 The default is
 .Dq yes .
-.It Cm VerifyReverseMapping
-Specifies whether
-.Nm sshd
-should try to verify the remote host name and check that
-the resolved host name for the remote IP address maps back to the
-very same IP address.
-The default is
-.Dq no .
 .It Cm X11DisplayOffset
 Specifies the first display number available for
 .Nm sshd Ns 's
@@ -653,7 +655,7 @@ display server may be exposed to attack when the ssh client requests
 forwarding (see the warnings for
 .Cm ForwardX11
 in
-.Xr ssh_config 5 ).
+.Xr ssh_config 5 ) .
 A system administrator may have a stance in which they want to
 protect clients that may expose themselves to attack by unwittingly
 requesting X11 forwarding, which can warrant a
@@ -699,7 +701,6 @@ The default is
 .Pa /usr/X11R6/bin/xauth .
 .El
 .Ss Time Formats
-.Pp
 .Nm sshd
 command-line arguments and configuration file options that specify time
 may be expressed using a sequence of the form:
@@ -748,6 +749,8 @@ Contains configuration data for
 This file should be writable by root only, but it is recommended
 (though not necessary) that it be world-readable.
 .El
+.Sh SEE ALSO
+.Xr sshd 8
 .Sh AUTHORS
 OpenSSH is a derivative of the original and free
 ssh 1.2.12 release by Tatu Ylonen.
@@ -759,5 +762,3 @@ Markus Friedl contributed the support for SSH
 protocol versions 1.5 and 2.0.
 Niels Provos and Markus Friedl contributed support
 for privilege separation.
-.Sh SEE ALSO
-.Xr sshd 8
diff --git a/sshlogin.c b/sshlogin.c
index 12555d635..36b648934 100644
--- a/sshlogin.c
+++ b/sshlogin.c
@@ -39,7 +39,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshlogin.c,v 1.5 2002/08/29 15:57:25 stevesk Exp $");
+RCSID("$OpenBSD: sshlogin.c,v 1.7 2003/06/12 07:57:38 markus Exp $");
 #include "loginrec.h"
@@ -60,8 +60,8 @@ get_last_login_time(uid_t uid, const char *logname,
 }
 /*
- * Records that the user has logged in.  I these parts of operating systems
+ * Records that the user has logged in.  I wish these parts of operating
- * were more standardized.
+ * systems were more standardized.
 */
 void
 record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid,
diff --git a/sshpty.c b/sshpty.c
index d28947f62..4747ceaf4 100644
--- a/sshpty.c
+++ b/sshpty.c
@@ -12,7 +12,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshpty.c,v 1.8 2003/02/03 08:56:16 markus Exp $");
+RCSID("$OpenBSD: sshpty.c,v 1.10 2003/06/12 07:57:38 markus Exp $");
 #ifdef HAVE_UTIL_H
 # include <util.h>
@@ -101,12 +101,12 @@ pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen)
                error("/dev/ptmx: %.100s", strerror(errno));
                return 0;
        }
-        old_signal = mysignal(SIGCHLD, SIG_DFL);
+        old_signal = signal(SIGCHLD, SIG_DFL);
        if (grantpt(ptm) < 0) {
                error("grantpt: %.100s", strerror(errno));
                return 0;
        }
-        mysignal(SIGCHLD, old_signal);
+        signal(SIGCHLD, old_signal);
        if (unlockpt(ptm) < 0) {
                error("unlockpt: %.100s", strerror(errno));
                return 0;
@@ -226,7 +226,7 @@ pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen)
                }
                /* set tty modes to a sane state for broken clients */
                if (tcgetattr(*ptyfd, &tio) < 0)
-                        log("Getting tty modes for pty failed: %.100s", strerror(errno));
+                        logit("Getting tty modes for pty failed: %.100s", strerror(errno));
                else {
                        tio.c_lflag |= (ECHO | ISIG | ICANON);
                        tio.c_oflag |= (OPOST | ONLCR);
@@ -234,7 +234,7 @@ pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen)
                        /* Set the new modes for the terminal. */
                        if (tcsetattr(*ptyfd, TCSANOW, &tio) < 0)
-                                log("Setting tty modes for pty failed: %.100s", strerror(errno));
+                                logit("Setting tty modes for pty failed: %.100s", strerror(errno));
                }
                return 1;
@@ -258,7 +258,7 @@ pty_release(const char *ttyname)
                error("chmod %.100s 0666 failed: %.100s", ttyname, strerror(errno));
 }
-/* Makes the tty the processes controlling tty and sets it to sane modes. */
+/* Makes the tty the process's controlling tty and sets it to sane modes. */
 void
 pty_make_controlling_tty(int *ttyfd, const char *ttyname)
@@ -274,9 +274,9 @@ pty_make_controlling_tty(int *ttyfd, const char *ttyname)
        fd = open(ttyname, O_RDWR|O_NOCTTY);
        if (fd != -1) {
-                mysignal(SIGHUP, SIG_IGN);
+                signal(SIGHUP, SIG_IGN);
                ioctl(fd, TCVHUP, (char *)NULL);
-                mysignal(SIGHUP, SIG_DFL);
+                signal(SIGHUP, SIG_DFL);
                setpgid(0, 0);
                close(fd);
        } else {
@@ -323,9 +323,9 @@ pty_make_controlling_tty(int *ttyfd, const char *ttyname)
                error("SETPGRP %s",strerror(errno));
 #endif /* HAVE_NEWS4 */
 #ifdef USE_VHANGUP
-        old = mysignal(SIGHUP, SIG_IGN);
+        old = signal(SIGHUP, SIG_IGN);
        vhangup();
-        mysignal(SIGHUP, old);
+        signal(SIGHUP, old);
 #endif /* USE_VHANGUP */
        fd = open(ttyname, O_RDWR);
        if (fd < 0) {
@@ -409,10 +409,10 @@ pty_setowner(struct passwd *pw, const char *ttyname)
                        if (errno == EROFS &&
                            (st.st_mode & (S_IRGRP | S_IROTH)) == 0)
                                debug("chmod(%.100s, 0%o) failed: %.100s",
-                                    ttyname, mode, strerror(errno));
+                                    ttyname, (u_int)mode, strerror(errno));
                        else
                                fatal("chmod(%.100s, 0%o) failed: %.100s",
-                                    ttyname, mode, strerror(errno));
+                                    ttyname, (u_int)mode, strerror(errno));
                }
        }
 }
diff --git a/sshtty.c b/sshtty.c
index 5c016f80a..2f47b06d1 100644
--- a/sshtty.c
+++ b/sshtty.c
@@ -35,7 +35,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshtty.c,v 1.3 2002/03/04 17:27:39 stevesk Exp $");
+RCSID("$OpenBSD: sshtty.c,v 1.4 2003/07/16 10:36:28 markus Exp $");
 #include "sshtty.h"
 #include "log.h"
@@ -80,6 +80,9 @@ enter_raw_mode(void)
        _saved_tio = tio;
        tio.c_iflag |= IGNPAR;
        tio.c_iflag &= ~(ISTRIP | INLCR | IGNCR | ICRNL | IXON | IXANY | IXOFF);
+#ifdef IUCLC
+        tio.c_iflag &= ~IUCLC;
+#endif
        tio.c_lflag &= ~(ISIG | ICANON | ECHO | ECHOE | ECHOK | ECHONL);
 #ifdef IEXTEN
        tio.c_lflag &= ~IEXTEN;
diff --git a/ttymodes.c b/ttymodes.c
index 5cc13dcd5..c32e213a4 100644
--- a/ttymodes.c
+++ b/ttymodes.c
@@ -43,7 +43,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ttymodes.c,v 1.18 2002/06/19 00:27:55 deraadt Exp $");
+RCSID("$OpenBSD: ttymodes.c,v 1.19 2003/04/08 20:21:29 itojun Exp $");
 #include "packet.h"
 #include "log.h"
@@ -267,7 +267,7 @@ tty_make_modes(int fd, struct termios *tiop)
        if (tiop == NULL) {
                if (tcgetattr(fd, &tio) == -1) {
-                        log("tcgetattr: %.100s", strerror(errno));
+                        logit("tcgetattr: %.100s", strerror(errno));
                        goto end;
                }
        } else
@@ -341,7 +341,7 @@ tty_parse_modes(int fd, int *n_bytes_ptr)
         * modes, they will initially have reasonable values.
         */
        if (tcgetattr(fd, &tio) == -1) {
-                log("tcgetattr: %.100s", strerror(errno));
+                logit("tcgetattr: %.100s", strerror(errno));
                failure = -1;
        }
@@ -420,7 +420,7 @@ tty_parse_modes(int fd, int *n_bytes_ptr)
                                         * left in the packet; hopefully there is nothing
                                         * more coming after the mode data.
                                         */
-                                        log("parse_tty_modes: unknown opcode %d", opcode);
+                                        logit("parse_tty_modes: unknown opcode %d", opcode);
                                        goto set;
                                }
                        } else {
@@ -436,7 +436,7 @@ tty_parse_modes(int fd, int *n_bytes_ptr)
                                        (void) packet_get_int();
                                        break;
                                } else {
-                                        log("parse_tty_modes: unknown opcode %d", opcode);
+                                        logit("parse_tty_modes: unknown opcode %d", opcode);
                                        goto set;
                                }
                        }
@@ -446,7 +446,7 @@ tty_parse_modes(int fd, int *n_bytes_ptr)
 set:
        if (*n_bytes_ptr != n_bytes) {
                *n_bytes_ptr = n_bytes;
-                log("parse_tty_modes: n_bytes_ptr != n_bytes: %d %d",
+                logit("parse_tty_modes: n_bytes_ptr != n_bytes: %d %d",
                    *n_bytes_ptr, n_bytes);
                return;         /* Don't process bytes passed */
        }
@@ -455,5 +455,5 @@ set:
        /* Set the new modes for the terminal. */
        if (tcsetattr(fd, TCSANOW, &tio) == -1)
-                log("Setting tty modes failed: %.100s", strerror(errno));
+                logit("Setting tty modes failed: %.100s", strerror(errno));
 }
diff --git a/uidswap.c b/uidswap.c
index 86c61a4b0..3f13f9bf4 100644
--- a/uidswap.c
+++ b/uidswap.c
@@ -12,7 +12,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: uidswap.c,v 1.23 2002/07/15 17:15:31 stevesk Exp $");
+RCSID("$OpenBSD: uidswap.c,v 1.24 2003/05/29 16:58:45 deraadt Exp $");
 #include "log.h"
 #include "uidswap.h"
@@ -143,12 +143,63 @@ restore_uid(void)
 void
 permanently_set_uid(struct passwd *pw)
 {
+        uid_t old_uid = getuid();
+        gid_t old_gid = getgid();
        if (temporarily_use_uid_effective)
                fatal("permanently_set_uid: temporarily_use_uid effective");
        debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid,
            (u_int)pw->pw_gid);
+#if defined(HAVE_SETRESGID)
+        if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0)
+                fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
+#elif defined(HAVE_SETREGID) && !defined(BROKEN_SETREGID)
+        if (setregid(pw->pw_gid, pw->pw_gid) < 0)
+                fatal("setregid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
+#else
+        if (setegid(pw->pw_gid) < 0)
+                fatal("setegid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
        if (setgid(pw->pw_gid) < 0)
                fatal("setgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
+#endif
+#if defined(HAVE_SETRESUID)
+        if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) < 0)
+                fatal("setresuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
+#elif defined(HAVE_SETREUID) && !defined(BROKEN_SETREUID)
+        if (setreuid(pw->pw_uid, pw->pw_uid) < 0)
+                fatal("setreuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
+#else
+# ifndef SETEUID_BREAKS_SETUID
+        if (seteuid(pw->pw_uid) < 0)
+                fatal("seteuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
+# endif
        if (setuid(pw->pw_uid) < 0)
                fatal("setuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
+#endif
+        /* Try restoration of GID if changed (test clearing of saved gid) */
+        if (old_gid != pw->pw_gid && 
+            (setgid(old_gid) != -1 || setegid(old_gid) != -1))
+                fatal("%s: was able to restore old [e]gid", __func__);
+        /* Verify GID drop was successful */
+        if (getgid() != pw->pw_gid || getegid() != pw->pw_gid) {
+                fatal("%s: egid incorrect gid:%u egid:%u (should be %u)", 
+                    __func__, (u_int)getgid(), (u_int)getegid(), 
+                    (u_int)pw->pw_gid);
+        }
+        /* Try restoration of UID if changed (test clearing of saved uid) */
+        if (old_uid != pw->pw_uid && 
+            (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
+                fatal("%s: was able to restore old [e]uid", __func__);
+        /* Verify UID drop was successful */
+        if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) {
+                fatal("%s: euid incorrect uid:%u euid:%u (should be %u)", 
+                    __func__, (u_int)getuid(), (u_int)geteuid(), 
+                    (u_int)pw->pw_uid);
+        }
 }
diff --git a/version.h b/version.h
index 3b2a35d91..37e0c22ab 100644
--- a/version.h
+++ b/version.h
@@ -1,3 +1,3 @@
 /* $OpenBSD: version.h,v 1.37 2003/04/01 10:56:46 markus Exp $ */
-#define SSH_VERSION    "OpenSSH_3.6.1p2"
+#define SSH_VERSION    "OpenSSH_3.7p1"