50 files changed, 4498 insertions, 1452 deletions
diff --git a/clientloop.c b/clientloop.c
index 2c030e71b..8b1976171 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -317,10 +317,14 @@ client_check_window_change(void)
 * one of the file descriptors).
 */
-static void
+static int
 client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp,
    int *maxfdp, int *nallocp, int rekeying)
 {
+        struct timeval tv, *tvp;
+        int n;
+        extern Options options;
        /* Add any selections by the channel mechanism. */
        channel_prepare_select(readsetp, writesetp, maxfdp, nallocp, rekeying);
@@ -349,7 +353,7 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp,
                        /* clear mask since we did not call select() */
                        memset(*readsetp, 0, *nallocp);
                        memset(*writesetp, 0, *nallocp);
-                        return;
+                        return 0;
                } else {
                        FD_SET(connection_in, *readsetp);
                }
@@ -368,7 +372,21 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp,
         * SSH_MSG_IGNORE packet when the timeout expires.
         */
-        if (select((*maxfdp)+1, *readsetp, *writesetp, NULL, NULL) < 0) {
+        /*
+         * We don't do the 'random' bit, but we want periodic ignored
+         * message anyway, so as to notice when the other ends TCP
+         * has given up during an outage.
+         */
+        if (options.protocolkeepalives > 0) {
+                tvp = &tv;
+                tv.tv_sec = options.protocolkeepalives;
+                tv.tv_usec = 0;
+        } else
+                tvp = 0;
+        n = select((*maxfdp)+1, *readsetp, *writesetp, NULL, tvp);
+        if (n < 0) {
                char buf[100];
                /*
@@ -380,12 +398,13 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp,
                memset(*writesetp, 0, *nallocp);
                if (errno == EINTR)
-                        return;
+                        return 0;
                /* Note: we might still have data in the buffers. */
                snprintf(buf, sizeof buf, "select: %s\r\n", strerror(errno));
                buffer_append(&stderr_buffer, buf, strlen(buf));
                quit_pending = 1;
        }
+        return n == 0;
 }
 static void
@@ -846,6 +865,7 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
 {
        fd_set *readset = NULL, *writeset = NULL;
        double start_time, total_time;
+        int timed_out;
        int max_fd = 0, max_fd2 = 0, len, rekeying = 0, nalloc = 0;
        char buf[100];
@@ -953,7 +973,7 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
                 * available on one of the descriptors).
                 */
                max_fd2 = max_fd;
-                client_wait_until_can_do_something(&readset, &writeset,
+                timed_out = client_wait_until_can_do_something(&readset, &writeset,
                    &max_fd2, &nalloc, rekeying);
                if (quit_pending)
@@ -977,6 +997,21 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
                if (quit_pending)
                        break;
+                if(timed_out) {
+                        /*
+                         * Nothing is happening, so synthesize some
+                         * bogus activity
+                         */
+                        packet_start(compat20
+                                     ? SSH2_MSG_IGNORE
+                                     : SSH_MSG_IGNORE);
+                        packet_put_cstring("");
+                        packet_send();
+                        if (FD_ISSET(connection_out, writeset))
+                                packet_write_poll();
+                        continue;
+                }
                if (!compat20) {
                        /* Buffer data from stdin */
                        client_process_input(readset);
diff --git a/contrib/gnome-ssh-askpass.c b/contrib/gnome-ssh-askpass.c
deleted file mode 100644
index 7cece5620..000000000
--- a/contrib/gnome-ssh-askpass.c
+++ /dev/null
@@ -1,168 +0,0 @@
-/*
- * Copyright (c) 2000-2002 Damien Miller.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/*
- * This is a simple GNOME SSH passphrase grabber. To use it, set the 
- * environment variable SSH_ASKPASS to point to the location of 
- * gnome-ssh-askpass before calling "ssh-add < /dev/null". 
- *
- * There is only two run-time options: if you set the environment variable
- * "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab
- * the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the 
- * pointer will be grabbed too. These may have some benefit to security if 
- * you don't trust your X server. We grab the keyboard always.
- */
-/*
- * Compile with:
- *
- * cc `gnome-config --cflags gnome gnomeui` \
- *    gnome-ssh-askpass.c -o gnome-ssh-askpass \
- *    `gnome-config --libs gnome gnomeui`
- *
- */
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <gnome.h>
-#include <X11/Xlib.h>
-#include <gdk/gdkx.h>
-void
-report_failed_grab (void)
-{
-        GtkWidget *err;
-        err = gnome_message_box_new("Could not grab keyboard or mouse.\n"
-                "A malicious client may be eavesdropping on your session.",
-                                    GNOME_MESSAGE_BOX_ERROR, "EXIT", NULL);
-        gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
-        gtk_object_set(GTK_OBJECT(err), "type", GTK_WINDOW_POPUP, NULL);
-        gnome_dialog_run_and_close(GNOME_DIALOG(err));
-}
-void
-passphrase_dialog(char *message)
-{
-        char *passphrase;
-        char **messages;
-        int result, i, grab_server, grab_pointer;
-        GtkWidget *dialog, *entry, *label;
-        grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
-        grab_pointer = (getenv("GNOME_SSH_ASKPASS_GRAB_POINTER") != NULL);
-        dialog = gnome_dialog_new("OpenSSH", GNOME_STOCK_BUTTON_OK,
-            GNOME_STOCK_BUTTON_CANCEL, NULL);
-        messages = g_strsplit(message, "\\n", 0);
-        if (messages)
-                for(i = 0; messages[i]; i++) {
-                        label = gtk_label_new(messages[i]);
-                        gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox),
-                            label, FALSE, FALSE, 0);
-                }
-        entry = gtk_entry_new();
-        gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), entry, FALSE, 
-            FALSE, 0);
-        gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
-        gtk_widget_grab_focus(entry);
-        /* Center window and prepare for grab */
-        gtk_object_set(GTK_OBJECT(dialog), "type", GTK_WINDOW_POPUP, NULL);
-        gnome_dialog_set_default(GNOME_DIALOG(dialog), 0);
-        gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
-        gtk_window_set_policy(GTK_WINDOW(dialog), FALSE, FALSE, TRUE);
-        gnome_dialog_close_hides(GNOME_DIALOG(dialog), TRUE);
-        gtk_container_set_border_width(GTK_CONTAINER(GNOME_DIALOG(dialog)->vbox),
-            GNOME_PAD);
-        gtk_widget_show_all(dialog);
-        /* Grab focus */
-        if (grab_server)
-                XGrabServer(GDK_DISPLAY());
-        if (grab_pointer && gdk_pointer_grab(dialog->window, TRUE, 0, 
-            NULL, NULL, GDK_CURRENT_TIME))
-                goto nograb;
-        if (gdk_keyboard_grab(dialog->window, FALSE, GDK_CURRENT_TIME))
-                goto nograbkb;
-        /* Make <enter> close dialog */
-        gnome_dialog_editable_enters(GNOME_DIALOG(dialog), GTK_EDITABLE(entry));
-        /* Run dialog */
-        result = gnome_dialog_run(GNOME_DIALOG(dialog));
-        /* Ungrab */
-        if (grab_server)
-                XUngrabServer(GDK_DISPLAY());
-        if (grab_pointer)
-                gdk_pointer_ungrab(GDK_CURRENT_TIME);
-        gdk_keyboard_ungrab(GDK_CURRENT_TIME);
-        gdk_flush();
-        /* Report passphrase if user selected OK */
-        passphrase = gtk_entry_get_text(GTK_ENTRY(entry));
-        if (result == 0)
-                puts(passphrase);
-                
-        /* Zero passphrase in memory */
-        memset(passphrase, '\0', strlen(passphrase));
-        gtk_entry_set_text(GTK_ENTRY(entry), passphrase);
-                        
-        gnome_dialog_close(GNOME_DIALOG(dialog));
-        return;
-        /* At least one grab failed - ungrab what we got, and report
-           the failure to the user.  Note that XGrabServer() cannot
-           fail.  */
- nograbkb:
-        gdk_pointer_ungrab(GDK_CURRENT_TIME);
- nograb:
-        if (grab_server)
-                XUngrabServer(GDK_DISPLAY());
-        gnome_dialog_close(GNOME_DIALOG(dialog));
-        
-        report_failed_grab();
-}
-int
-main(int argc, char **argv)
-{
-        char *message;
-        
-        gnome_init("GNOME ssh-askpass", "0.1", argc, argv);
-        if (argc == 2)
-                message = argv[1];
-        else
-                message = "Enter your OpenSSH passphrase:";
-        setvbuf(stdout, 0, _IONBF, 0);
-        passphrase_dialog(message);
-        return 0;
-}
diff --git a/debian/README.Debian b/debian/README.Debian
new file mode 100644
index 000000000..614dd08f6
--- /dev/null
+++ b/debian/README.Debian
@@ -0,0 +1,176 @@
+OpenSSH for Debian
+------------------
+Although this package is widely referred to as OpenSSH, it is actually
+a branch of an early version of ssh which has been tidied up by the
+OpenBSD folks.
+It has been decided that this version should have the privilege of
+carrying the ``ssh'' name in Debian, since it is the only version of
+ssh that is going to make it into Debian proper, being the only one 
+that complies with the Debian Free Software Guidelines.
+If you were expecting to get the non-free version of ssh (1.2.27 or
+whatever) when you installed this package, then you're out of luck, as
+Debian don't ship it.
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+Privilege Separation
+--------------------
+As of 3.3, openssh has employed privilege separation to reduce the
+quantity of code that runs as root, thereby reducing the impact of
+some security holes in sshd.
+Unfortunately, privilege separation interacts badly with PAM. Any PAM
+session modules that need to run as root (pam_mkhomedir, for example)
+will fail, and PAM keyboard-interactive authentication won't work.
+Privilege separation is turned on by default, so if you decide you
+want it turned off, you need to add "UsePrivilegeSeparation no" to
+/etc/ssh/sshd_config
+NB! If you are running a 2.0 series Linux kernel, then privilege
+separation will not work at all, and your sshd will fail to start
+unless you explicity turn privilege separation off.
+PermitRootLogin set to yes
+--------------------------
+This is now the default setting (in line with upstream), and people
+who asked for an automatically-generated configuration file when
+upgrading from potato (or on a new install) will have this setting in
+their /etc/ssh/sshd_config file. 
+Should you wish to change this setting, edit /etc/ssh/sshd_config, and
+change:
+PermitRootLogin yes
+to:
+PermitRootLogin no
+Having PermitRootLogin set to yes means that an attacker that knows
+the root password can ssh in directly (without having to go via a user
+account). If you set it to no, then they must compromise a normal user
+account. In the vast majority of cases, this does not give added
+security; remember that any account you su to root from is equivalent
+to root - compromising this account gives an attacker access to root
+easily. If you only ever log in as root from the physical console,
+then you probably want to set this value to no.
+As an aside, PermitRootLogin can also be set to "without-password" or
+"forced-commands-only" - see sshd(8) for more details.
+DO NOT FILE BUG REPORTS SAYING YOU THINK THIS DEFAULT IS INCORRECT!
+The argument above is somewhat condensed; I have had this discussion
+at great length with many people. If you think the default is
+incorrect, and feel strongly enough to want to argue with me about it,
+then send me email to matthew@debian.org. I will close bug reports
+claiming the default is incorrect.
+SSH now uses protocol 2 by default
+----------------------------------
+This means all your keyfiles you used for protocol version 1 need to
+be re-generated. The server keys are done automatically, but for RSA
+authentication, please read the ssh-keygen manpage.
+If you have an automatically generated configuration file, and decide
+at a later stage that you do want to support protocol version 1 (not
+recommended, but note that the ssh client shipped with Debian potato
+only supported protocol version 1), then you need to do the following:
+Change /etc/ssh/sshd_config such that:
+Protocol 2
+becomes:
+Protocol 2,1
+Also add the line:
+HostKey /etc/ssh/ssh_host_key
+(you may need to generate a host key if you do not already have one)
+/usr/bin/ssh not SUID:
+----------------------
+If you have not installed debconf, you'll have missed the chance to
+install ssh SUID, which means you won't be able to do Rhosts
+authentication.  If that upsets you, use:
+   dpkg-statoverride 
+or if that's also missing, use this:
+   chown root.root /usr/bin/ssh
+   chmod 04755 /usr/bin/ssh
+X11 Forwarding:
+---------------
+ssh's default for ForwardX11 has been changed to ``no'' because it has
+been pointed out that logging into remote systems administered by
+untrusted people is likely to open you up to X11 attacks, so you
+should have to actively decide that you trust the remote machine's
+root, before enabling X11.  I strongly recommend that you do this on a
+machine-by-machine basis, rather than just enabling it in the default
+host settings.
+In order for X11 forwarding to work, you need to install xauth on the
+server. In Debian this is in the xbase-clients package.
+Authorization Forwarding:
+-------------------------
+Similarly, root on a remote server could make use of your ssh-agent
+(while you're logged into their machine) to obtain access to machines
+which trust your keys.  This feature is therefore disabled by default.
+You should only re-enable it for those hosts (in your ~/.ssh/config or
+/etc/ssh/ssh_config) where you are confident that the remote machine
+is not a threat.
+Fallback to RSH:
+----------------
+The default for this setting has been changed from Yes to No, for
+security reasons, and to stop the delay attempting to rsh to machines
+that don't offer the service.  Simply switch it back on in either
+/etc/ssh/ssh_config or ~/.ssh/config for those machines that you need
+it for.
+Problems logging in with RSA authentication:
+--------------------------------------------
+If you have trouble logging in with RSA authentication then the
+problem is probably caused by the fact that you have your home
+directory writable by group, as well as user (this is the default on
+Debian systems).
+Depending upon other settings on your system (i.e. other users being
+in your group) this could open a security hole, so you will need to
+make your home directory writable only by yourself.  Run this command,
+as yourself:
+  chmod g-w ~/
+to remove group write permissions.  If you use ssh-copy-id to install your
+keys, it does this for you.
+-L option of ssh nonfree:
+-------------------------
+non-free ssh supported the usage of the option -L to use a non privileged
+port for scp. This option will not be supported by scp from openssh. 
+Please use instead scp -o "UsePrivilegedPort=no" as documented in the 
+manpage to scp itself. 
+Problem logging in because of TCP-Wrappers:
+-------------------------------------------
+ssh is compiled with support for tcp-wrappers. So if you can no longer
+log into your system, please check that /etc/hosts.allow and /etc/hosts.deny
+are configured so that ssh is not blocked. 
+Kerberos Authentication:
+------------------------
+ssh is compiled without support for kerberos authentication, and there are
+no current plans to support this.  Thus the KerberosAuthentication and 
+KerberosTgtPassing options will not be recognised.
+--
+Matthew Vernon
+<matthew@debian.org>
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 000000000..6a6a6eb0c
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,1020 @@
+openssh (1:3.5p1-1) unstable; urgency=low
+  * New upstream release.
+    - Fixes typo in ssh-add usage (closes: #152239).
+    - Fixes 'PermitRootLogin forced-commands-only' (closes: #166184).
+    - ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys
+      are deprecated for security reasons and will eventually go away. For
+      now they can be re-enabled by setting 'PermitUserEnvironment yes' in
+      sshd_config.
+    - ssh-agent is installed setgid to prevent ptrace() attacks. The group
+      actually doesn't matter, as it drops privileges immediately, but to
+      avoid confusion the postinst creates a new 'ssh' group for it.
+  * Obsolete patches:
+    - Solar Designer's privsep+compression patch for Linux 2.2 (see
+      1:3.3p1-0.0woody1).
+    - Hostbased auth ssh-keysign backport (see 1:3.4p1-4).
+  * Remove duplicated phrase in ssh_config(5) (closes: #152404).
+  * Source the debconf confmodule at the top of the postrm rather than at
+    the bottom, to avoid making future non-idempotency problems worse (see
+    #151035).
+  * Debconf templates:
+    - Add Polish (thanks, Grzegorz Kusnierz).
+    - Update French (thanks, Denis Barbier; closes: #132509).
+    - Update Spanish (thanks, Carlos Valdivia Yag�e; closes: #164716).
+  * Write a man page for gnome-ssh-askpass, and link it to ssh-askpass.1 if
+    this is the selected ssh-askpass alternative (closes: #67775).
+ -- Colin Watson <cjwatson@debian.org>  Sat, 26 Oct 2002 19:41:51 +0100
+openssh (1:3.4p1-4) unstable; urgency=low
+  * Allow ssh-krb5 in ssh-askpass-gnome's dependencies (closes: #129532).
+  * Restore Russia to list of countries where encryption is problematic (see
+    #148951 and http://www.average.org/freecrypto/).
+  * Drop ssh-askpass-gnome's priority to optional, per the override file.
+  * Drop the PAM special case for hurd-i386 (closes: #99157).
+  * s/dile/idle/ in ssh_config(5) (closes: #118331).
+  * Note in README.Debian that you need xauth from xbase-clients on the
+    server for X11 forwarding (closes: #140269).
+  * Use correct path to upstream README in copyright file (closes: #146037).
+  * Document the units for ProtocolKeepAlives (closes: #159479).
+  * Backport upstream patch to fix hostbased auth (closes: #117114).
+  * Add -g to CFLAGS.
+ -- Colin Watson <cjwatson@debian.org>  Sun, 13 Oct 2002 18:58:53 +0100
+openssh (1:3.4p1-3) unstable; urgency=low
+  * Add myself to Uploaders: and begin acting as temporary maintainer, at
+    Matthew's request. (Normal service will resume in some months' time.)
+  * Add sharutils to Build-Depends (closes: #138465).
+  * Stop creating the /usr/doc/ssh symlink.
+  * Fix some debconf template typos (closes: #160358).
+  * Split debconf templates into one file per language.
+  * Add debconf template translations:
+    - Brazilian Portuguese (thanks, Andre Luis Lopes; closes: #106173).
+    - Danish (thanks, Claus Hindsgaul; closes: #126607).
+    - Japanese (thanks, Tomohiro KUBOTA; closes: #137427).
+    - Russian (thanks, Ilgiz Kalmetev; closes: #136610).
+    - Spanish (thanks, Carlos Valdivia Yag�e; closes: #129041).
+  * Update debconf template translations:
+    - French (thanks, Igor Genibel; closes: #151361).
+    - German (thanks, Axel Noetzold; closes: #147069).
+  * Some of these translations are fuzzy. Please send updates.
+ -- Colin Watson <cjwatson@debian.org>  Sun, 13 Oct 2002 14:09:57 +0100
+openssh (1:3.4p1-2) unstable; urgency=high
+  * Get a security-fixed version into unstable
+  * Also tidy README.Debian up a little
+ -- Matthew Vernon <matthew@debian.org>  Fri, 28 Jun 2002 17:20:59 +0100
+        
+openssh (1:3.4p1-1) testing; urgency=high
+  * Extend my tendrils back into this package (Closes: #150915, #151098)
+  * thanks to the security team for their work
+  * no thanks to ISS/Theo de Raadt for their handling of these bugs
+  * save old sshd_configs to sshd_config.dpkg-old when auto-generating a
+    new one
+  * tell/ask the user about PriviledgeSeparation
+  * /etc/init.d/ssh run will now create the chroot empty dir if necessary 
+  * Remove our previous statoverride on /usr/bin/ssh (only for people 
+    upgrading from a version where we'd put one in ourselves!)
+  * Stop slandering Russia, since someone asked so nicely (Closes: #148951)
+  * Reduce the sleep time in /etc/init.d/ssh during a restart
+        
+ -- Matthew Vernon <matthew@debian.org>  Fri, 28 Jun 2002 15:52:10 +0100
+        
+openssh (1:3.4p1-0.0woody1) testing-security; urgency=high
+  * NMU by the security team.
+  * New upstream version
+ -- Michael Stone <mstone@debian.org>  Wed, 26 Jun 2002 15:40:38 -0400
+openssh (1:3.3p1-0.0woody4) testing-security; urgency=high
+  * NMU by the security team.
+  * fix error when /etc/ssh/sshd_config exists on new install
+  * check that user doesn't exist before running adduser
+  * use openssl internal random unconditionally
+ -- Michael Stone <mstone@debian.org>  Tue, 25 Jun 2002 19:44:39 -0400
+openssh (1:3.3p1-0.0woody3) testing-security; urgency=high
+  * NMU by the security team.
+  * use correct home directory when sshd user is created
+ -- Michael Stone <mstone@debian.org>  Tue, 25 Jun 2002 08:59:50 -0400
+openssh (1:3.3p1-0.0woody2) testing-security; urgency=high
+  * NMU by the security team.
+  * Fix rsa1 key creation (Closes: #150949)
+  * don't fail if sshd user removal fails
+  * depends: on adduser (Closes: #150907)
+ -- Michael Stone <mstone@debian.org>  Tue, 25 Jun 2002 08:59:50 -0400
+openssh (1:3.3p1-0.0woody1) testing-security; urgency=high
+  * NMU by the security team.
+  * New upstream version.
+    - Enable privilege separation by default.
+  * Include patch from Solar Designer for privilege separation and
+    compression on 2.2.x kernels.
+  * Remove --disable-suid-ssh from configure.
+  * Support setuid ssh-keysign binary instead of setuid ssh client.
+  * Check sshd configuration before restarting.
+ -- Daniel Jacobowitz <dan@debian.org>  Mon, 24 Jun 2002 13:43:44 -0400
+openssh (1:3.0.2p1-9) unstable; urgency=high
+  * Thanks to those who NMUd
+  * The only change in this version is to debian/control - I've removed
+    the bit that says you can't export it from the US - it would look 
+    pretty daft to say this about a package in main! Also, it's now OK
+    to use crypto in France, so I've edited that comment slightly
+  * Correct a path in README.Debian too (Closes: #138634)
+ -- Matthew Vernon <matthew@debian.org>  Sun,  4 Apr 2002 09:52:59 +0100
+        
+openssh (1:3.0.2p1-8.3) unstable; urgency=medium
+  * NMU
+  * Really set urgency to medium this time (oops)
+  * Fix priority to standard per override while I'm at it
+ -- Aaron M. Ucko <ucko@debian.org>  Sun, 24 Mar 2002 09:00:08 -0500
+openssh (1:3.0.2p1-8.2) unstable; urgency=low
+  * NMU with maintainer's permission
+  * Prepare for upcoming ssh-nonfree transitional packages per
+    <http://lists.debian.org/debian-ssh/2002/debian-ssh-200203/msg00008.html>
+  * Urgency medium because it would really be good to get this into woody
+    before it releases
+  * Fix sections to match override file
+  * Reissued due to clash with non-US -> main move
+ -- Aaron M. Ucko <ucko@debian.org>  Sat, 23 Mar 2002 21:21:52 -0500
+openssh (1:3.0.2p1-8.1) unstable; urgency=low
+  * NMU
+  * Move from non-US to mani
+ -- LaMont Jones <lamont@debian.org>  Thu, 21 Mar 2002 09:33:50 -0700
+openssh (1:3.0.2p1-8) unstable; urgency=critical
+  * Security fix - patch from upstream (Closes: #137209, #137210)
+  * Undo the changes in the unreleased -7, since they appear to break 
+    things here. Accordingly, the code change is minimal, and I'm 
+    happy to get it into testing ASAP
+        
+ -- Matthew Vernon <matthew@debian.org>  Thu,  7 Mar 2002 14:25:23 +0000
+openssh (1:3.0.2p1-7) unstable; urgency=high
+  * Build to support IPv6 and IPv4 by default again
+ -- Matthew Vernon <matthew@debian.org>  Sat,  2 Mar 2002 00:25:05 +0000
+        
+openssh (1:3.0.2p1-6) unstable; urgency=high
+  * Correct error in the clean target (Closes: #130868)
+ -- Matthew Vernon <matthew@debian.org>  Sat, 26 Jan 2002 00:32:00 +0000
+openssh (1:3.0.2p1-5) unstable; urgency=medium
+  * Include the Debian version in our identification, to make it easier to
+    audit networks for patched versions in future
+ -- Matthew Vernon <matthew@debian.org>  Mon, 21 Jan 2002 17:16:10 +0000
+        
+openssh (1:3.0.2p1-4) unstable; urgency=medium
+  * If we're asked to not run sshd, stop any running sshd's first 
+    (Closes: #129327)
+ -- Matthew Vernon <matthew@debian.org>  Wed, 16 Jan 2002 21:24:16 +0000
+        
+openssh (1:3.0.2p1-3) unstable; urgency=high
+  * Fix /etc/pam.d/ssh to not set $MAIL (Closes: #128913)
+  * Remove extra debconf suggestion (Closes: #128094)
+  * Mmm. speedy bug-fixing :-)
+ -- Matthew Vernon <matthew@debian.org>  Sat, 12 Jan 2002 17:23:58 +0000
+        
+openssh (1:3.0.2p1-2) unstable; urgency=high
+  * Fix postinst to not automatically overwrite sshd_config (!) 
+    (Closes: #127842, #127867)
+  * Add section in README.Debian about the PermitRootLogin setting
+        
+ -- Matthew Vernon <matthew@debian.org>  Sat,  5 Jan 2003 05:26:30 +0000
+        
+openssh (1:3.0.2p1-1) unstable; urgency=high
+  * Incorporate fix from Colin's NMU
+  * New upstream version (fixes the bug Wichert fixed) (Closes: #124035)
+  * Capitalise IETF (Closes: #125379)
+  * Refer to the correct sftp-server location (Closes: #126854, #126224)
+  * Do what we're asked re SetUID ssh (Closes: #124065, #124154, #123247)
+  * Ask people upgrading from potato if they want a new conffile 
+    (Closes: #125642)
+  * Fix a typo in postinst (Closes: #122192, #122410, #123440)
+  * Frob the default config a little (Closes: #122284, #125827, #125696,
+    #123854)
+  * Make /etc/init.d/ssh be more clear about ssh not running (Closes:
+    #123552)
+  * Fix typo in templates file (Closes: #123411)
+ -- Matthew Vernon <matthew@debian.org>  Fri,  4 Jan 2002 16:01:52 +0000
+        
+openssh (1:3.0.1p1-1.2) unstable; urgency=high
+  * Non-maintainer upload
+  * Prevent local users from passing environment variables to the login
+    process when UseLogin is enabled
+ -- Wichert Akkerman <wakkerma@debian.org>  Mon,  3 Dec 2001 19:34:45 +0100
+openssh (1:3.0.1p1-1.1) unstable; urgency=low
+  * Non-maintainer upload, at Matthew's request.
+  * Remove sa_restorer assignment to fix compilation on alpha, hppa, and
+    ia64 (closes: #122086).
+ -- Colin Watson <cjwatson@debian.org>  Sun,  2 Dec 2001 18:54:16 +0000
+openssh (1:3.0.1p1-1) unstable; urgency=high
+  * New upstream version (Closes: #113646, #113513, #114707, #118564)
+  * Building with a libc that works (!) (Closes: #115228)
+  * Patches forward-ported are -1/-2 options for scp, the improvement to
+    'waiting for forwarded connections to terminate...'
+  * Fix /etc/init.d/ssh to stop sshd properly (Closes: #115228)
+  * /etc/ssh/sshd_config is no longer a conffile but generated in the postinst
+  * Remove suidregister leftover from postrm
+  * Mention key we are making in the postinst
+  * Default to not enable SSH protocol 1 support, since protocol 2 is
+    much safer anyway.
+  * New version of the vpn-fixes patch, from Ian Jackson
+  * New handling of -q, and added new -qq option; thanks to Jon Amery
+  * Experimental smartcard support not enabled, since I have no way of
+    testing it.
+        
+ -- Matthew Vernon <matthew@debian.org>  Thu, 28 Nov 2001 17:43:01 +0000
+        
+openssh (1:2.9p2-6) unstable; urgency=low
+  * check for correct file in /etc/init.d/ssh (Closes: #110876)
+  * correct location of version 2 keys in ssh.1 (Closes: #110439)
+  * call update-alternatives --quiet (Closes: #103314)
+  * hack ssh-copy-id to chmod go-w (Closes: #95551)
+  * TEMPORARY fix to provide largefile support using a -D in the cflags
+    line. long-term, upstream will patch the autoconf stuff
+    (Closes: #106809, #111849)
+  * remove /etc/rc references in ssh-keygen.1 (Closes: #68350)
+  * scp.1 patch from Adam McKenna to document -r properly (Closes: #76054)
+  * Check for files containing a newline character (Closes: #111692)
+ -- Matthew Vernon <matthew@debian.org>  Thu, 13 Sep 2001 16:47:36 +0100
+openssh (1:2.9p2-5) unstable; urgency=high
+  * Thanks to all the bug-fixers who helped!
+  * remove sa_restorer assignment (Closes: #102837)
+  * patch from Peter Benie to DTRT wrt X forwarding if the server refuses
+    us access (Closes: #48297)
+  * patch from upstream CVS to fix port forwarding (Closes: #107132)
+  * patch from Jonathan Amery to document ssh-keygen behaviour 
+    (Closes:#106643, #107512)
+  * patch to postinst from Jonathan Amery (Closes: #106411)
+  * patch to manpage from Jonathan Amery (Closes: #107364)
+  * patch from Matthew Vernon to make -q emit fatal errors as that is the
+    documented behaviour (Closes: #64347)
+  * patch from Ian Jackson to cause us to destroy a file when we scp it
+    onto itself, rather than dumping bits of our memory into it, which was
+    a security hole (see #51955)
+  * patch from Jonathan Amery to document lack of Kerberos support 
+    (Closes: #103726)
+  * patch from Matthew Vernon to make the 'waiting for connections to
+    terminate' message more helpful (Closes: #50308)
+ -- Matthew Vernon <matthew@debian.org>  Thu, 23 Aug 2001 02:14:09 +0100
+        
+openssh (1:2.9p2-4) unstable; urgency=high
+  * Today's build of ssh is strawberry flavoured
+  * Patch from mhp to reduce length of time sshd is stopped for (Closes: #106176)
+  * Tidy up debconf template (Closes: #106152)
+  * If called non-setuid, then setgid()'s failure should not be fatal (see
+    #105854)
+ -- Matthew Vernon <matthew@debian.org>  Sun, 22 Jul 2001 14:19:43 +0100
+        
+openssh (1:2.9p2-3) unstable; urgency=low
+  * Patch from yours truly to add -1 and -2 options to scp (Closes: #106061)
+  * Improve the IdentityFile section in the man page (Closes: #106038)
+ -- Matthew Vernon <matthew@debian.org>  Sat, 21 Jul 2001 14:47:27 +0100
+        
+openssh (1:2.9p2-2) unstable; urgency=low
+  * Document the protocol version 2 and IPV6 changes (Closes: #105845, #105868)
+  * Make PrintLastLog 'no' by default (Closes: #105893)
+        
+ -- Matthew Vernon <matthew@debian.org>  Thu, 19 Jul 2001 18:36:41 +0100
+        
+openssh (1:2.9p2-1) unstable; urgency=low
+  * new (several..) upstream version (Closes: #96726, #81856, #96335)
+  * Hopefully, this will close some other bugs too
+ -- Matthew Vernon <matthew@debian.org>  Tue, 17 Jul 2001 19:41:58 +0100
+        
+openssh (1:2.5.2p2-3) unstable; urgency=low
+  * Taking Over this package
+  * Patches from Robert Bihlmeyer for the Hurd (Closes: #102991)
+  * Put PermitRootLogin back to yes (Closes: #67334, #67371, #78274)
+  * Don't fiddle with conf-files any more (Closes: #69501)
+        
+ -- Matthew Vernon <matthew@debian.org>  Tue, 03 Jul 2001 02:58:13 +0100
+        
+openssh (1:2.5.2p2-2.2) unstable; urgency=low
+  * NMU
+  * Include Hurd compatibility patches from Robert Bihlmeyer (Closes: #76033)
+  * Patch from Richard Kettlewell for protocolkeepalives (Closes: #99273)
+  * Patch from Matthew Vernon for BannerTimeOut, batchmode, and
+    documentation for protocolkeepalives. Makes ssh more generally useful
+    for scripting uses (Closes: #82877, #99275)
+  * Set a umask, so ourpidfile isn't world-writable (closes: #100012,
+    #98286, #97391)
+ -- Matthew Vernon <matthew@debian.org>  Thu, 28 Jun 2001 23:15:42 +0100
+openssh (1:2.5.2p2-2.1) unstable; urgency=low
+ 
+  * NMU
+  * Remove duplicate Build-Depends for libssl096-dev and change it to 
+    depend on libssl-dev instaed.  Also adding in virtual | real package
+    style build-deps.  (Closes: #93793, #75228)
+  * Removing add-log entry (Closes: #79266)
+  * This was a pam bug from a while back (Closes: #86908, #88457, #86843)
+  * pam build-dep already exists (Closes: #93683)
+  * libgnome-dev build-dep already exists (Closes: #93694)
+  * No longer in non-free (Closes: #85401)
+  * Adding in fr debconf translations (Closes: #83783)
+  * Already suggests xbase-clients (Closes: #79741)
+  * No need to suggest libpam-pwdb anymore (Closes: #81658)
+  * Providing rsh-client (Closes: #79437)
+  * hurd patch was already applied (Closes: #76033)
+  * default set to no (Closes: #73682)
+  * Adding in a suggests for dnsutils (Closes: #93265)
+  * postinst bugs fixed (Closes: #88057, #88066, #88196, #88405, #88612)
+    (Closes: #88774, #88196, #89556, #90123, #90228, #90833, #87814, #85465)
+  * Adding in debconf dependency
+ 
+ -- Ivan E. Moore II <rkrusty@debian.org>  Mon, 16 Apr 2001 14:11:04 +0100
+openssh (1:2.5.2p2-2) unstable; urgency=high
+  * disable the OpenSSL version check in entropy.c
+    (closes: #93581, #93588, #93590, #93614, #93619, #93635, #93648)
+ -- Philip Hands <phil@uk.alcove.com>  Wed, 11 Apr 2001 20:30:04 +0100
+openssh (1:2.5.2p2-1) unstable; urgency=low
+  * New upstream release
+  * removed make-ssh-known-hosts, since ssh-keyscan does that job (closes: #86069, #87748)
+  * fix double space indent in german templates (closes: #89493)
+  * make postinst check for ssh_host_rsa_key
+  * get rid of the last of the misguided debian/rules NMU debris  :-/
+ -- Philip Hands <phil@hands.com>  Sat, 24 Mar 2001 20:59:33 +0000
+openssh (1:2.5.1p2-2) unstable; urgency=low
+  * rebuild with new debhelper (closes: #89558, #89536, #90225)
+  * fix broken dpkg-statoverride test in postinst
+    (closes: #89612, #90474, #90460, #89605)
+  * NMU bug fixed but not closed in last upload  (closes: #88206)
+  
+ -- Philip Hands <phil@hands.com>  Fri, 23 Mar 2001 16:11:33 +0000
+openssh (1:2.5.1p2-1) unstable; urgency=high
+  * New upstream release
+  * fix typo in postinst (closes: #88110)
+  * revert to setting PAM service name in debian/rules, backing out last
+    NMU, which also (closes: #88101)
+  * restore the pam lastlog/motd lines, lost during the NMUs, and sshd_config
+  * restore printlastlog option patch
+  * revert to using debhelper, which had been partially disabled in NMUs
+ -- Philip Hands <phil@hands.com>  Tue, 13 Mar 2001 01:41:34 +0000
+openssh (1:2.5.1p1-1.8) unstable; urgency=high
+  * And now the old pam-bug s/sshd/ssh in ssh.c is also fixed
+ -- Christian Kurz <shorty@debian.org>  Thu,  1 Mar 2001 19:48:01 +0100
+openssh (1:2.5.1p1-1.7) unstable; urgency=high
+  * And now we mark the correct binary as setuid, when a user requested
+    to install it setuid.
+ -- Christian Kurz <shorty@debian.org>  Thu,  1 Mar 2001 07:19:56 +0100
+openssh (1:2.5.1p1-1.6) unstable; urgency=high
+  * Fixes postinst to handle overrides that are already there. Damn, I 
+    should have noticed the bug earlier.
+ -- Christian Kurz <shorty@debian.org>  Wed, 28 Feb 2001 22:35:00 +0100
+openssh (1:2.5.1p1-1.5) unstable; urgency=high
+  * Rebuild ssh with pam-support.
+ -- Christian Kurz <shorty@debian.org>  Mon, 26 Feb 2001 21:55:51 +0100
+openssh (1:2.5.1p1-1.4) unstable; urgency=low
+  * Added Build-Depends on libssl096-dev.
+  * Fixed sshd_config file to disallow root logins again.
+ -- Christian Kurz <shorty@debian.org>  Sun, 25 Feb 2001 20:03:55 +0100
+openssh (1:2.5.1p1-1.3) unstable; urgency=low
+  * Fixed missing manpages for sftp.1 and ssh-keyscan.1
+  * Made package policy 3.5.2 compliant.
+ -- Christian Kurz <shorty@debian.org>  Sun, 25 Feb 2001 15:46:26 +0100
+openssh (1:2.5.1p1-1.2) unstable; urgency=low
+  * Added Conflict with sftp, since we now provide our own sftp-client.
+  * Added a fix for our broken dpkg-statoverride call in the 
+    2.3.0p1-13.
+  * Fixed some config pathes in the comments of sshd_config.
+  * Removed ssh-key-exchange-vulnerability-patch since it's not needed
+    anymore because upstream included the fix.
+ -- Christian Kurz <shorty@debian.org>  Sun, 25 Feb 2001 13:46:58 +0100
+openssh (1:2.5.1p1-1.1) unstable; urgency=high
+  * Another NMU to get the new upstream version 2.5.1p1 into
+    unstable. (Closes: #87123)
+  * Corrected postinst to mark ssh as setuid. (Closes: #86391, #85766)
+  * Key Exchange patch is already included by upstream. (Closes: #86015)
+  * Upgrading should be possible now. (Closes: #85525, #85523)
+  * Added --disable-suid-ssh as compile option, so ssh won't get installed
+    suid per default.
+  * Fixed postinst to run dpkg-statoverride only, when dpkg-statoverride
+    is available and the mode of the binary should be 4755. And also added
+    suggestion for a newer dpkg.
+    (Closes: #85734, #85741, #86876)
+  * sftp and ssh-keyscan will also be included from now on. (Closes: #79994)
+  * scp now understands spaces in filenames (Closes: #53783, #58958,
+    #66723)
+  * ssh-keygen now supports showing DSA fingerprints. (Closes: #68623)
+  * ssh doesn' t show motd anymore when switch -t is used. (Closes #69035)
+  * ssh supports the usage of other dsa keys via the ssh command line
+    options. (Closes: #81250)
+  * Documentation in sshd_config fixed. (Closes: #81088)
+  * primes file included by upstream and included now. (Closes: #82101)
+  * scp now allows dots in the username. (Closes: #82477)
+  * Spelling error in ssh-copy-id.1 corrected by upstream. (Closes: #78124)
+ -- Christian Kurz <shorty@debian.org>  Sun, 25 Feb 2001 10:06:08 +0100
+openssh (1:2.3.0p1-1.13) unstable; urgency=low
+  * Config should now also be fixed with this hopefully last NMU.
+ -- Christian Kurz <shorty@debian.org>  Sat, 10 Feb 2001 22:56:36 +0100
+openssh (1:2.3.0p1-1.12) unstable; urgency=high
+  * Added suggest for xbase-clients to control-file. (Closes #85227)
+  * Applied patch from Markus Friedl to fix a vulnerability in 
+    the rsa keyexchange.
+  * Fixed position of horizontal line. (Closes: #83613)
+  * Fixed hopefully the grep problem in the config-file. (Closes: #78802)
+  * Converted package from suidregister to dpkg-statoverride.
+ -- Christian Kurz <shorty@debian.org>  Fri,  9 Feb 2001 19:43:55 +0100
+openssh (1:2.3.0p1-1.11) unstable; urgency=medium
+  * Fixed some typos in the german translation of the debconf
+    template.
+ -- Christian Kurz <shorty@debian.org>  Wed, 24 Jan 2001 18:22:38 +0100
+openssh (1:2.3.0p1-1.10) unstable; urgency=medium
+  * Fixed double printing of motd. (Closes: #82618)
+ -- Christian Kurz <shorty@debian.org>  Tue, 23 Jan 2001 21:03:43 +0100
+openssh (1:2.3.0p1-1.9) unstable; urgency=high
+  * And the next NMU which includes the patch from Andrew Bartlett
+    and Markus Friedl to fix the root privileges handling of openssh.
+    (Closes: #82657)
+ -- Christian Kurz <shorty@debian.org>  Wed, 17 Jan 2001 22:20:54 +0100
+openssh (1:2.3.0p1-1.8) unstable; urgency=high
+  * Applied fix from Ryan Murray to allow building on other architectures
+    since the hurd patch was wrong. (Closes: #82471)
+ -- Christian Kurz <shorty@debian.org>  Tue, 16 Jan 2001 22:45:51 +0100
+openssh (1:2.3.0p1-1.7) unstable; urgency=medium
+  * Fixed another typo on sshd_config
+ -- Christian Kurz <shorty@debian.org>  Sun, 14 Jan 2001 19:01:31 +0100
+openssh (1:2.3.0p1-1.6) unstable; urgency=high
+  * Added Build-Dependency on groff (Closes: #81886)
+  * Added Build-Depencency on debhelper (Closes: #82072)
+  * Fixed entry for known_hosts in sshd_config (Closes: #82096)
+ -- Christian Kurz <shorty@debian.org>  Thu, 11 Jan 2001 23:08:16 +0100
+openssh (1:2.3.0p1-1.5) unstable; urgency=high
+  * Fixed now also the problem with sshd used as default ipv4 and
+    didn't use IPv6. This should be now fixed.
+ -- Christian Kurz <shorty@debian.org>  Thu, 11 Jan 2001 21:25:55 +0100
+openssh (1:2.3.0p1-1.4) unstable; urgency=high
+  * Fixed buggy entry in postinst.
+ -- Christian Kurz <shorty@debian.org>  Wed, 10 Jan 2001 23:12:16 +0100
+openssh (1:2.3.0p1-1.3) unstable; urgency=high
+  * After finishing the rewrite of the rules-file I had to notice that
+    the manpage installation was broken. This should now work again.
+ -- Christian Kurz <shorty@debian.org>  Wed, 10 Jan 2001 22:11:59 +0100
+openssh (1:2.3.0p1-1.2) unstable; urgency=high
+  * Fixed the screwed up build-dependency.
+  * Removed --with-ipv4-default to support ipv6.
+  * Changed makefile to use /etc/pam.d/ssh instead of /etc/pam.d/sshd.
+  * Fixed location to sftp-server in config.
+  * Since debian still relies on /etc/pam.d/ssh instead of moving to
+    /etc/pam.d/sshd, I had to hack ssh.h to get ssh to use this name.
+  * Fixed path to host key in sshd_config.
+ -- Christian Kurz <shorty@debian.org>  Wed, 10 Jan 2001 08:23:47 +0100
+openssh (1:2.3.0p1-1.1) unstable; urgency=medium
+  * NMU with permission of Phil Hands.
+  * New upstream release
+  * Update Build-Depends to point to new libssl096.
+  * This upstream release doesn't leak any information depending
+    on the setting of PermitRootLogin (Closes: #59933)
+  * New upstream release contains fix against forcing a client to 
+    do X/agent forwarding (Closes: #76788)
+  * Changed template to contain correct path to the documentation 
+    (Closes: #67245)
+  * Added --with-4in6 switch as compile option into debian/rules.       
+  * Added --with-ipv4-default as compile option into debian/rules. 
+    (Closes: #75037)
+  * Changed default path to also contain /usr/local/bin and 
+    /usr/X11R6/bin (Closes: #62472,#54567,#62810)
+  * Changed path to sftp-server in sshd_config to match the
+    our package (Closes: #68347)
+  * Replaced OpenBSDh with OpenBSD in the init-script.  
+  * Changed location to original source in copyright.head
+  * Changed behaviour of init-script when invoked with the option
+    restart (Closes: #68706,#72560)
+  * Added a note about -L option of scp to README.Debian        
+  * ssh won't print now the motd if invoked with -t option
+    (Closes: #59933)
+  * RFC.nroff.gz get's now converted into RFC.gz. (Closes: #63867)      
+  * Added a note about tcp-wrapper support to README.Debian 
+    (Closes: #72807,#22190)
+  * Removed two unneeded options from building process. 
+  * Added sshd.pam into debian dir and install it.
+  * Commented out unnecessary call to dh_installinfo.
+  * Added a line to sshd.pam so that limits will be paid attention
+    to (Closes: #66904)
+  * Restart Option has a Timeout of 10 seconds (Closes: 51264)
+  * scp won't override files anymore (Closes: 51955)
+  * Removed pam_lastlog module, so that the lastlog is now printed
+    only once (Closes: #71742, #68335, #69592, #71495, #77781)
+  * If password is expired, openssh now forces the user to change it.
+    (Closes: #51747)
+  * scp should now have no more problems with shell-init-files that
+    produces ouput (Closes: #56280,#59873)
+  * ssh now prints the motd correctly (Closes: #66926)  
+  * ssh upgrade should disable ssh daemon only if users has choosen
+    to do so (Closes: #67478)
+  * ssh can now be installed suid (Closes: #70879)      
+  * Modified debian/rules to support hurd.
+ -- Christian Kurz <shorty@debian.org>  Wed, 27 Dec 2000 20:06:57 +0100
+openssh (1:2.2.0p1-1.1) unstable; urgency=medium
+  * Non-Maintainer Upload
+  * Check for new returns in the new libc
+    (closes: #72803, #74393, #72797, #71307, #71702)
+  * Link against libssl095a (closes: #66304)
+  * Correct check for PermitRootLogin (closes: #69448)
+ -- Ryan Murray <rmurray@debian.org>  Wed, 18 Oct 2000 00:48:18 -0700
+openssh (1:2.2.0p1-1) unstable; urgency=low
+  * New upstream release
+ -- Philip Hands <phil@hands.com>  Mon, 11 Sep 2000 14:49:43 +0100
+openssh (1:2.1.1p4-3) unstable; urgency=low
+  * add rsh alternatives
+  * add -S option to scp (using Tommi Virtanen's patch) (closes: #63097)
+  * do the IPV4_DEFAULT thing properly this time
+ -- Philip Hands <phil@hands.com>  Fri, 11 Aug 2000 18:14:37 +0100
+openssh (1:2.1.1p4-2) unstable; urgency=low
+  * reinstate manpage .out patch from 1:1.2.3
+  * fix typo in postinst
+  * only compile ssh with IPV4_DEFAULT
+  * apply James Troup's patch to add a -o option to scp and updated manpage
+ -- Philip Hands <phil@hands.com>  Sun, 30 Jul 2000 00:12:49 +0100
+openssh (1:2.1.1p4-1) unstable; urgency=low
+  * New upstream release
+ -- Philip Hands <phil@hands.com>  Sat, 29 Jul 2000 14:46:16 +0100
+openssh (1:1.2.3-10) unstable; urgency=low
+  * add version to libpam-modules dependency, because old versions of
+    pam_motd make it impossible to log in.
+ -- Philip Hands <phil@hands.com>  Sat, 29 Jul 2000 13:28:22 +0100
+openssh (1:1.2.3-9) frozen unstable; urgency=low
+  * force location of /usr/bin/X11/xauth
+    (closes: #64424, #66437, #66859)  *RC*
+  * typos in config (closes: #66779, #66780)
+  * sshd_not_to_be_run could be assumed to be true, in error, if the config
+    script died in an unusual way --- I've reversed this (closes: #66335)  
+  * Apply Zack Weinberg <zack@wolery.cumb.org>'s patch to ssh-askpass-ptk
+    (closes: #65981)
+  * change default for PermitRootLogin to "no" (closes: #66406)
+ -- Philip Hands <phil@hands.com>  Tue, 11 Jul 2000 20:51:18 +0100
+openssh (1:1.2.3-8) frozen unstable; urgency=low
+  * get rid of Provides: rsh-server (this will mean that rstartd
+    will need to change it's depends to deal with #63948, which I'm
+    reopening)  (closes: #66257)
+    Given that this is also a trivial change, and is a reversal of a
+    change that was mistakenly made after the freeze, I think this should
+    also go into frozen.
+ -- Philip Hands <phil@hands.com>  Wed, 28 Jun 2000 03:26:30 +0100
+openssh (1:1.2.3-7) frozen unstable; urgency=low
+  * check if debconf is installed before calling db_stop in postinst.
+    This is required to allow ssh to be installed when debconf is not
+    wanted, which probably makes it an RC upload (hopefully the last of
+    too many).
+ -- Philip Hands <phil@hands.com>  Wed, 28 Jun 2000 03:19:47 +0100
+openssh (1:1.2.3-6) frozen unstable; urgency=low
+  * fixed depressing little bug involving a line wrap looking like
+    a blank line in the templates file   *RC*
+    (closes: #66090, #66078, #66083, #66182)
+ -- Philip Hands <phil@hands.com>  Mon, 26 Jun 2000 00:45:05 +0100
+openssh (1:1.2.3-5) frozen unstable; urgency=low
+  * add code to prevent UseLogin exploit, although I think our PAM
+    conditional code breaks UseLogin in a way that protects us from this
+    exploit anyway. ;-)  (closes: #65495)  *RC*
+  * Apply Zack Weinberg <zack@wolery.cumb.org>'s patch to fix keyboard
+    grab vulnerability in ssh-askpass-gnome (closes: #64795) *RC*
+  * stop redirection of sshd's file descriptors (introduced in 1:1.2.3-3)
+    and use db_stop in the postinst to solve that problem instead
+    (closes: #65104)
+  * add Provides: rsh-server to ssh (closes: #63948)
+  * provide config option not to run sshd
+ -- Philip Hands <phil@hands.com>  Mon, 12 Jun 2000 23:05:11 +0100
+openssh (1:1.2.3-4) frozen unstable; urgency=low
+  * fixes #63436 which is *RC*
+  * add 10 second pause in init.d restart (closes: #63844)
+  * get rid of noenv in PAM mail line (closes: #63856)
+  * fix host key path in make-ssh-known-hosts (closes: #63713)
+  * change wording of SUID template (closes: #62788, #63436)
+ -- Philip Hands <phil@hands.com>  Sat, 27 May 2000 11:18:06 +0100
+openssh (1:1.2.3-3) frozen unstable; urgency=low
+  * redirect sshd's file descriptors to /dev/null in init to
+    prevent debconf from locking up during installation 
+    ** grave bug just submited by me **
+ -- Philip Hands <phil@hands.com>  Thu, 20 Apr 2000 17:10:59 +0100
+openssh (1:1.2.3-2) frozen  unstable; urgency=low
+  * allow user to select SUID status of /usr/bin/ssh (closes: 62462) ** RC **
+  * suggest debconf
+  * conflict with debconf{,-tiny} (<<0.2.17) so I can clean up the preinst
+ -- Philip Hands <phil@hands.com>  Wed, 19 Apr 2000 17:49:15 +0100
+openssh (1:1.2.3-1) frozen unstable; urgency=low
+  * New upstream release
+  * patch sshd to create extra xauth key required for localhost
+    (closes: #49944)  *** RC ***
+  * FallbacktoRsh now defaults to ``no'' to match impression
+    given in sshd_config
+  * stop setting suid bit on ssh (closes: #58711, #58558)
+    This breaks Rhosts authentication (which nobody uses) and allows
+    the LD_PRELOAD trick to get socks working, so seems like a net benefit.
+ -- Philip Hands <phil@hands.com>  Thu, 13 Apr 2000 20:01:54 +0100
+openssh (1:1.2.2-1.4) frozen unstable; urgency=low
+  * Recompile for frozen, contains fix for RC bug.
+ -- Tommi Virtanen <tv@debian.org>  Tue, 29 Feb 2000 22:14:58 +0200
+openssh (1:1.2.2-1.3) unstable; urgency=low
+  * Integrated man page addition for PrintLastLog.
+    This bug was filed on "openssh", and I ended up
+    creating my own patch for this (closes: #59054)
+  * Improved error message when ssh_exchange_identification
+    gets EOF (closes: #58904)
+  * Fixed typo (your -> you're) in debian/preinst.
+  * Added else-clauses to config to make this upgradepath possible:
+    oldssh -> openssh preinst fails due to upgrade_to_openssh=false
+    -> ssh-nonfree -> openssh. Without these, debconf remembered
+    the old answer, config didn't force asking it, and preinst always
+    aborted (closes: #56596, #57782)
+  * Moved setting upgrade_to_openssh isdefault flag to the place
+    where preinst would abort. This means no double question to most
+    users, people who currently suffer from "can't upgrade" may need
+    to run apt-get install ssh twice. Did not do the same for 
+    use_old_init_script, as the situation is a bit different, and
+    less common (closes: #54010, #56224)
+  * Check for existance of ssh-keygen before attempting to use it in
+    preinst, added warning for non-existant ssh-keygen in config. This
+    happens when the old ssh is removed (say, due to ssh-nonfree getting
+    installed).
+ -- Tommi Virtanen <tv@debian.org>  Sun, 27 Feb 2000 21:36:43 +0200
+openssh (1:1.2.2-1.2) frozen unstable; urgency=low
+  * Non-maintainer upload.
+  * Added configuration option PrintLastLog, default off due to PAM
+    (closes: #54007, #55042)
+  * ssh-askpass-{gnome,ptk} now provide ssh-askpass, making ssh's
+    Suggests: line more accurate. Also closing related bugs fixed
+    earlier, when default ssh-askpass moved to /usr/bin.
+    (closes: #52403, #54741, #50607, #52298, #50967, #51661)
+  * Patched to call vhangup, with autoconf detection and all
+    (closes: #55379)
+  * Added --with-ipv4-default workaround to a glibc bug causing
+    slow DNS lookups, as per UPGRADING. Use -6 to really use
+    IPv6 addresses. (closes: #57891, #58744, #58713, #57970)
+  * Added noenv to PAM pam_mail line. Thanks to Ben Collins.
+    (closes: #58429)
+  * Added the UPGRADING file to the package.
+  * Added frozen to the changelog line and recompiled before
+    package was installed into the archive.
+ -- Tommi Virtanen <tv@debian.org>  Fri, 25 Feb 2000 22:08:57 +0200
+openssh (1:1.2.2-1.1) frozen unstable; urgency=low
+  * Non-maintainer upload.
+  * Integrated scp pipe buffer patch from Ben Collins
+    <benc@debian.org>, should now work even if reading
+    a pipe gives less than fstat st_blksize bytes. 
+    Should now work on Alpha and Sparc Linux (closes: #53697, #52071)
+  * Made ssh depend on libssl09 (>= 0.9.4-3) (closes: #51393)
+  * Integrated patch from Ben Collins <benc@debian.org>
+    to do full shadow account locking and expiration
+    checking (closes: #58165, #51747)
+ -- Tommi Virtanen <tv@debian.org>  Tue, 22 Feb 2000 20:46:12 +0200
+openssh (1:1.2.2-1) frozen unstable; urgency=medium
+  * New upstream release (closes: #56870, #56346)
+  * built against new libesd (closes: #56805)
+  * add  Colin Watson <cjw44@cam.ac.uk> =NULL patch
+    (closes: #49902, #54894)
+  * use socketpairs as suggested by Andrew Tridgell to eliminate rsync
+    (and other) lockups
+  * patch SSHD_PAM_SERVICE back into auth-pam.c, again :-/
+    (closes: #49902, #55872, #56959)
+  * uncoment the * line in ssh_config (closes: #56444)
+  
+  * #54894 & #49902 are release critical, so this should go in frozen
+ -- Philip Hands <phil@hands.com>  Wed,  9 Feb 2000 04:52:04 +0000
+openssh (1:1.2.1pre24-1) unstable; urgency=low
+  * New upstream release
+ -- Philip Hands <phil@hands.com>  Fri, 31 Dec 1999 02:47:24 +0000
+openssh (1:1.2.1pre23-1) unstable; urgency=low
+  * New upstream release
+  * excape ? in /etc/init.d/ssh (closes: #53269)
+ -- Philip Hands <phil@hands.com>  Wed, 29 Dec 1999 16:50:46 +0000
+openssh (1:1.2pre17-1) unstable; urgency=low
+  * New upstream release
+ -- Philip Hands <phil@hands.com>  Thu,  9 Dec 1999 16:50:40 +0000
+openssh (1:1.2pre16-1) unstable; urgency=low
+  * New upstream release
+  * upstream release (1.2pre14) (closes: #50299)
+  * make ssh depend on libwrap0 (>= 7.6-1.1) (closes: #50973, #50776)
+  * dispose of grep -q broken pipe message in config script (closes: #50855)
+  * add make-ssh-known-hosts (closes: #50660)
+  * add -i option to ssh-copy-id (closes: #50657)
+  * add check for *LK* in password, indicating a locked account
+ -- Philip Hands <phil@hands.com>  Wed,  8 Dec 1999 22:59:38 +0000
+openssh (1:1.2pre13-1) unstable; urgency=low
+  * New upstream release
+  * make sshd.c use SSHD_PAM_SERVICE and define it as "ssh" in debian/rules
+  * remove duplicate line in /etc/pam.d/ssh (closes: #50310)
+  * mention ssh -A option in ssh.1 & ssh_config
+  * enable forwarding to localhost in default ssh_config (closes: #50373)
+  * tweak preinst to deal with debconf being `unpacked'
+  * use --with-tcp-wrappers (closes: #49545)
+ -- Philip Hands <phil@hands.com>  Sat, 20 Nov 1999 14:20:04 +0000
+openssh (1:1.2pre11-2) unstable; urgency=low
+  * oops, just realised that I forgot to strip out the unpleasant
+    fiddling mentioned below (which turned not to be a fix anyway)
+ -- Philip Hands <phil@hands.com>  Mon, 15 Nov 1999 01:35:23 +0000
+openssh (1:1.2pre11-1) unstable; urgency=low
+  * New upstream release (closes: #49722)
+  * add 2>/dev/null to dispose of spurious message casused by grep -q
+    (closes: #49876, #49604)
+  * fix typo in debian/control (closes: #49841)
+  * Do some unpleasant fiddling with upgraded keys in the preinst, which
+    should make the keylength problem go away.   (closes: #49676)
+  * make pam_start in sshd use ``ssh'' as the service name (closes: #49956)
+  * If /etc/ssh/NOSERVER exist, stop sshd from starting (closes: #47107)
+  * apply Ben Collins <bcollins@debian.org>'s shadow patch
+  * disable lastlogin and motd printing if using pam (closes: #49957)
+  * add ssh-copy-id script and manpage
+ -- Philip Hands <phil@hands.com>  Fri, 12 Nov 1999 01:03:38 +0000
+openssh (1:1.2pre9-1) unstable; urgency=low
+  * New upstream release
+  * apply Chip Salzenberg <chip@valinux.com>'s SO_REUSEADDR patch
+    to channels.c, to make forwarded ports instantly reusable
+  * replace Pre-Depend: debconf with some check code in preinst
+  * make the ssh-add ssh-askpass failure message more helpful
+  * fix the ssh-agent getopts bug (closes: #49426)
+  * fixed typo on Suggests: line (closes: #49704, #49571)
+  * tidy up ssh package description (closes: #49642)
+  * make ssh suid (closes: #49635)
+  * in preinst upgrade code, ensure ssh_host_keys is mode 600 (closes: #49606)
+  * disable agent forwarding by default, for the similar reasons as
+    X forwarding (closes: #49586)
+ -- Philip Hands <phil@hands.com>  Tue,  9 Nov 1999 09:57:47 +0000
+openssh (1:1.2pre7-4) unstable; urgency=low
+  * predepend on debconf (>= 0.2.17) should now allow preinst questions
+ -- Philip Hands <phil@hands.com>  Sat,  6 Nov 1999 10:31:06 +0000
+openssh (1:1.2pre7-3) unstable; urgency=low
+  * add ssh-askpass package using Tommi Virtanen's perl-tk script
+  * add ssh-preconfig package cludge
+  * add usage hints to ssh-agent.1
+ -- Philip Hands <phil@hands.com>  Fri,  5 Nov 1999 00:38:33 +0000
+openssh (1:1.2pre7-2) unstable; urgency=low
+  * use pam patch from Ben Collins <bcollins@debian.org>
+  * add slogin symlink to Makefile.in
+  * change /usr/bin/login to LOGIN_PROGRAM define of /bin/login 
+  * sort out debconf usage
+  * patch from Tommi Virtanen <tv@debian.org>'s makes ssh-add use ssh-askpass
+ -- Philip Hands <phil@hands.com>  Thu,  4 Nov 1999 11:08:54 +0000
+openssh (1:1.2pre7-1) unstable; urgency=low
+  * New upstream release
+ -- Philip Hands <phil@hands.com>  Tue,  2 Nov 1999 21:02:37 +0000
+openssh (1:1.2.0.pre6db1-2) unstable; urgency=low
+  * change the binary package name to ssh (the non-free branch of ssh has
+    been renamed to ssh-nonfree)
+  * make pam file comply with Debian standards
+  * use an epoch to make sure openssh supercedes ssh-nonfree
+ -- Philip Hands <phil@hands.com>  Sat, 30 Oct 1999 16:26:05 +0100
+openssh (1.2pre6db1-1) unstable; urgency=low
+  * New upstream source
+  * sshd accepts logins now!
+ -- Dan Brosemer <odin@linuxfreak.com>  Fri, 29 Oct 1999 11:13:38 -0500
+openssh (1.2.0.19991028-1) unstable; urgency=low
+  * New upstream source
+  * Added test for -lnsl to configure script
+ -- Dan Brosemer <odin@linuxfreak.com>  Thu, 28 Oct 1999 18:52:09 -0500
+openssh (1.2.0.19991027-3) unstable; urgency=low
+  * Initial release
+ -- Dan Brosemer <odin@linuxfreak.com>  Wed, 27 Oct 1999 19:39:46 -0500
+  
+Local variables:
+mode: debian-changelog
+End:
diff --git a/debian/conffiles b/debian/conffiles
new file mode 100644
index 000000000..fbc2e8444
--- /dev/null
+++ b/debian/conffiles
@@ -0,0 +1,4 @@
+/etc/ssh/ssh_config
+/etc/ssh/moduli
+/etc/init.d/ssh
+/etc/pam.d/ssh
diff --git a/debian/config b/debian/config
new file mode 100644
index 000000000..0a5f42b2e
--- /dev/null
+++ b/debian/config
@@ -0,0 +1,86 @@
+#!/bin/sh 
+action=$1
+version=$2
+if [ -d /etc/ssh-nonfree -a ! -d /etc/ssh ]; then
+  version=1.2.27
+  cp -a /etc/ssh-nonfree /etc/ssh
+fi
+# Source debconf library.
+. /usr/share/debconf/confmodule
+db_version 2.0
+if [ -n "$version" ] && dpkg --compare-versions "$version" lt 1:3.0p1-1
+then
+  db_text medium ssh/ssh2_keys_merged
+fi
+if [ -e /etc/init.d/ssh ] && ! grep -q pidfile /etc/init.d/ssh
+then
+  db_fset ssh/use_old_init_script isdefault true
+  db_input medium ssh/use_old_init_script || true
+  db_go
+  db_get ssh/use_old_init_script
+  [ "$RET" = "false" ] && exit 0
+else
+  db_set ssh/use_old_init_script true
+  db_fset ssh/use_old_init_script isdefault false
+fi
+if [ -z "$version" -a ! -e /etc/ssh/sshd_config ]
+then
+  db_input medium ssh/protocol2_only || true
+fi
+if [ -e /etc/ssh/sshd_config ]
+then
+    if dpkg --compare-versions "$version" lt-nl 1:1.3 ; 
+    then db_input medium ssh/new_config || true
+        db_get ssh/new_config
+        if [ "$RET" = "true" ];
+        then db_input medium ssh/protocol2_only ||true
+             db_input high ssh/privsep_ask ||true
+        else db_text high ssh/privsep_tell ||true
+        fi
+    else db_text high ssh/privsep_tell ||true
+    fi
+else db_text high ssh/privsep_tell ||true
+fi 
+db_input medium ssh/SUID_client || true
+db_input medium ssh/run_sshd || true
+if [ -x /usr/sbin/in.telnetd ] && grep -q "^telnet\b" /etc/inetd.conf
+then
+  if ! /usr/sbin/in.telnetd -? 2>&1 | grep -q ssl 2>/dev/null
+  then 
+    db_input low ssh/insecure_telnetd || true
+  fi
+fi
+key=/etc/ssh/ssh_host_key
+export key
+if [ -n "$version" ] && [ -f $key ] && [ ! -x /usr/bin/ssh-keygen ] &&
+     dpkg --compare-versions "$version" lt 1.2.28
+then
+  # make sure that keys get updated to get rid of IDEA; preinst
+  # actually does the work, but if the old ssh-keygen is not found,
+  # it can't do that -- thus, we tell the user that he must create
+  # a new host key.
+  echo -en '\0\0' | 3<&0 sh -c \
+      'dd if=$key bs=1 skip=32 count=2 2>/dev/null | cmp -s - /dev/fd/3' || {
+    # this means that bytes 32&33 of the key were not both zero, in which
+    # case the key is encrypted, which we need to fix
+    db_input high ssh/encrypted_host_key_but_no_keygen || true
+  }
+fi
+db_text low ssh/forward_warning || true
+db_go
+exit 0
diff --git a/debian/control b/debian/control
new file mode 100644
index 000000000..2fe062623
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,45 @@
+Source: openssh
+Section: net
+Priority: standard
+Maintainer: Matthew Vernon <matthew@debian.org>
+Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev | libz-dev, libssl-dev, libpam0g-dev | libpam-dev, libgnome-dev, groff, debhelper (>=1.1.17), sharutils
+Standards-Version: 3.5.2
+Uploaders: Colin Watson <cjwatson@debian.org>
+Package: ssh
+Architecture: any
+Depends: ${shlibs:Depends}, libpam-modules (>= 0.72-9), debconf, adduser
+Conflicts: ssh-nonfree (<<2), ssh-socks, ssh2, debconf (<<0.2.17), debconf-tiny (<<0.2.17), sftp, rsh-client (<<0.16.1-1)
+Suggests: ssh-askpass, xbase-clients, dpkg (>=1.8.3.1), dnsutils
+Provides: rsh-client
+Description: Secure rlogin/rsh/rcp replacement (OpenSSH)
+ This is the portable version of OpenSSH, a free implementation of
+ the Secure Shell protocol as specified by the IETF secsh working
+ group.
+ .
+ Ssh (Secure Shell) is a program for logging into a remote machine
+ and for executing commands on a remote machine.
+ It provides secure encrypted communications between two untrusted
+ hosts over an insecure network.  X11 connections and arbitrary TCP/IP
+ ports can also be forwarded over the secure channel.
+ It is intended as a replacement for rlogin, rsh and rcp, and can be
+ used to provide applications with a secure communication channel.
+ .
+ --------------------------------------------------------------------
+ .
+ In some countries, particularly Russia, Iraq, and Pakistan, it may
+ be illegal to use any encryption at all without a special permit.
+Package: ssh-askpass-gnome
+Section: x11
+Priority: optional
+Architecture: any
+Depends: ${shlibs:Depends}, ssh (>=1:1.2pre7-4) | ssh-krb5
+Provides: ssh-askpass
+Description: under X, asks user for a passphrase for ssh-add
+ This has been split out of the main ssh package, so that the ssh will
+ not need to depend upon the Gnome libraries.
+ .
+ You probably want the ssh-askpass package instead, but this is
+ provided to add to your choice and/or confusion.
diff --git a/debian/copyright.head b/debian/copyright.head
new file mode 100644
index 000000000..1e1282f98
--- /dev/null
+++ b/debian/copyright.head
@@ -0,0 +1,36 @@
+This package was debianized by Philip Hands <phil@hands.com> on 31 Oct 1999
+(with help from  Dan Brosemer <odin@linuxfreak.com>)
+It was downloaded from here:
+  ftp://ftp.fu-berlin.de/unix/security/openssh/openssh-2.3.0p1.tar.gz
+worldwide mirrors are listed here:
+  http://www.openssh.com/ftp.html
+The Debian specific parts of the package are mostly taken from the
+original ssh package, which has since been renamed as ssh-nonfree.
+The Debian patch is distributed under the terms of the GPL.
+The upstream source for this package is a combination of the ssh
+branch that is being maintained by the OpenBSD team (starting from
+the last version of SSH that was distributed under a free license),
+and porting work by Damien Miller <damien@ibs.com.au> to get it
+working on Linux.  Other people also contributed to this, and are
+credited in /usr/share/doc/ssh/README.
+Copyright:
+Code in helper.[ch] is Copyright Internet Business Solutions and is
+released under a X11-style license (see source file for details).
+(A)RC4 code in rc4.[ch] is Copyright Damien Miller. It too is under a
+X11-style license (see source file for details).
+make-ssh-known-hosts is Copyright Tero Kivinen <Tero.Kivinen@hut.fi>,
+and is distributed under the GPL (see source file for details).
+The copyright for the orignal SSH version follows.  It has been
+modified with [comments] to reflect the changes that the OpenBSD folks
+have made:
diff --git a/debian/dirs b/debian/dirs
new file mode 100644
index 000000000..00a019411
--- /dev/null
+++ b/debian/dirs
@@ -0,0 +1,7 @@
+usr/bin
+usr/sbin
+usr/lib
+etc/ssh
+etc/init.d
+usr/share/man/man1
+usr/share/man/man8
diff --git a/debian/gnome-ssh-askpass.1 b/debian/gnome-ssh-askpass.1
new file mode 100644
index 000000000..b74c410a8
--- /dev/null
+++ b/debian/gnome-ssh-askpass.1
@@ -0,0 +1,51 @@
+.TH GNOME-SSH-ASKPASS 1
+.SH NAME
+gnome\-ssh\-askpass \- prompts a user for a passphrase using GNOME
+.SH SYNOPSIS
+.B gnome\-ssh\-askpass
+.SH DESCRIPTION
+.B gnome\-ssh\-askpass
+is a GNOME-based passphrase dialog for use with OpenSSH.
+It is intended to be called by the
+.BR ssh\-add (1)
+program and not invoked directly.
+It allows
+.BR ssh\-add (1)
+to obtain a passphrase from a user, even if not connected to a terminal
+(assuming that an X display is available).
+This happens automatically in the case where
+.B ssh\-add
+is invoked from one's
+.B ~/.xsession
+or as one of the GNOME startup programs, for example.
+.PP
+In order to be called automatically by
+.BR ssh\-add ,
+.B gnome\-ssh\-askpass
+should be installed as
+.IR /usr/bin/ssh\-askpass .
+.SH "ENVIRONMENT VARIABLES"
+The following environment variables are recognized:
+.TP
+.I GNOME_SSH_ASKPASS_GRAB_SERVER
+Causes
+.B gnome\-ssh\-askpass
+to grab the X server before asking for a passphrase.
+.TP
+.I GNOME_SSH_ASKPASS_GRAB_POINTER
+Causes
+.B gnome\-ssh\-askpass
+to grab the mouse pointer using
+.IR gdk_pointer_grab ()
+before asking for a passphrase.
+.PP
+Regardless of whether either of these environment variables is set,
+.B gnome\-ssh\-askpass
+will grab the keyboard using
+.IR gdk_keyboard_grab ().
+.SH AUTHOR
+This manual page was written by Colin Watson <cjwatson@debian.org>
+for the Debian system (but may be used by others).
+It was based on that for
+.B x11\-ssh\-askpass
+by Philip Hands.
diff --git a/debian/init b/debian/init
new file mode 100644
index 000000000..fe59584e6
--- /dev/null
+++ b/debian/init
@@ -0,0 +1,60 @@
+#! /bin/sh
+# /etc/init.d/ssh: start and stop the OpenBSD "secure shell(tm)" daemon
+test -x /usr/sbin/sshd || exit 0
+( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0
+# forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists
+if [ -e /etc/ssh/sshd_not_to_be_run ]; then 
+    echo "OpenBSD Secure Shell server not in use (/etc/ssh/sshd_not_to_be_run)"
+    exit 0
+fi
+check_config() {
+        /usr/sbin/sshd -t || exit 1
+}
+# Configurable options:
+case "$1" in
+  start)
+        test -f /etc/ssh/sshd_not_to_be_run && exit 0
+#Create the PrivSep empty dir if necessary
+        if [ ! -d /var/run/sshd ]; then
+            mkdir /var/run/sshd; chmod 0755 /var/run/sshd
+        fi
+        echo -n "Starting OpenBSD Secure Shell server: sshd"
+        start-stop-daemon --start --quiet --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd
+        echo "."
+        ;;
+  stop)
+        echo -n "Stopping OpenBSD Secure Shell server: sshd"
+        start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid
+        echo "."
+        ;;
+  reload|force-reload)
+        test -f /etc/ssh/sshd_not_to_be_run && exit 0
+        check_config
+        echo -n "Reloading OpenBSD Secure Shell server's configuration"
+        start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd
+        echo "."
+        ;;
+  restart)
+        test -f /etc/ssh/sshd_not_to_be_run && exit 0
+        check_config
+        echo -n "Restarting OpenBSD Secure Shell server: sshd"
+        start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid
+        sleep 2
+        start-stop-daemon --start --quiet --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd
+        echo "."
+        ;;
+  *)
+        echo "Usage: /etc/init.d/ssh {start|stop|reload|force-reload|restart}"
+        exit 1
+esac
+exit 0
diff --git a/debian/postinst b/debian/postinst
new file mode 100644
index 000000000..1b741c203
--- /dev/null
+++ b/debian/postinst
@@ -0,0 +1,334 @@
+#!/bin/sh -e
+action="$1"
+oldversion="$2"
+test -e /usr/share/debconf/confmodule && {
+  . /usr/share/debconf/confmodule
+    db_version 2.0
+}
+umask 022
+if [ "$action" != configure ]
+  then
+  exit 0
+fi
+check_idea_key() {
+    #check for old host_key files using IDEA, which openssh does not support
+        if [ -f /etc/ssh/ssh_host_key ] ; then
+                if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key 2>&1 | \
+                                grep -q 'unknown cipher' 2>/dev/null ; then
+      mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old
+      mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old
+  fi
+        fi
+}
+create_key() {
+        local msg="$1"
+        shift
+        local file="$1"
+        shift
+        if [ ! -f "$file" ] ; then
+                echo -n $msg
+                ssh-keygen -f "$file" -N '' "$@" > /dev/null
+                echo
+        fi
+}
+create_keys() {
+        RET=true
+        test -e /usr/share/debconf/confmodule && {
+                db_get ssh/protocol2_only
+        }
+        if [ "$RET" = "false" ] ; then
+                create_key "Creating SSH1 key" /etc/ssh/ssh_host_key -t rsa1
+        fi
+        create_key "Creating SSH2 RSA key" /etc/ssh/ssh_host_rsa_key -t rsa
+        create_key "Creating SSH2 DSA key" /etc/ssh/ssh_host_dsa_key -t dsa
+}
+create_sshdconfig() {
+        if [ -e /etc/ssh/sshd_config ] ; then
+            if dpkg --compare-versions "$oldversion" lt-nl 1:1.3 ; then
+                RET=true
+                test -e /usr/share/debconf/confmodule && {
+                    db_get ssh/new_config
+                }
+                if [ "$RET" = "false" ] ; then return 0; fi
+            else return 0
+            fi
+        fi
+        RET=true
+        test -e /usr/share/debconf/confmodule && {
+                db_get ssh/protocol2_only
+        }
+        #Preserve old sshd_config before generating a new on
+        if [ -e /etc/ssh/sshd_config ] ; then 
+            mv /etc/ssh/sshd_config /etc/ssh/sshd_config.dpkg-old
+        fi
+        cat <<EOF > /etc/ssh/sshd_config
+# Package generated configuration file
+# See the sshd(8) manpage for defails
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+EOF
+if [ "$RET" = "false" ]; then
+                cat <<EOF >> /etc/ssh/sshd_config
+Protocol 2,1
+# HostKeys for protocol version 1
+HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+EOF
+else
+        cat <<EOF >> /etc/ssh/sshd_config
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+EOF
+fi
+test -e /usr/share/debconf/confmodule && {
+    db_get ssh/privsep_ask
+}
+if [ "$RET" = "false" ]; then
+    cat <<EOF >> /etc/ssh/sshd_config
+#Explicitly set PrivSep off, as requested
+UsePrivilegeSeparation no
+# Use PAM authentication via keyboard-interactive so PAM modules can
+# properly interface with the user
+PAMAuthenticationViaKbdInt yes
+EOF
+else
+        cat <<EOF >> /etc/ssh/sshd_config
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+# ...but breaks Pam auth via kbdint, so we have to turn it off
+# Use PAM authentication via keyboard-interactive so PAM modules can
+# properly interface with the user (off due to PrivSep)
+PAMAuthenticationViaKbdInt no
+EOF
+fi
+        cat <<EOF >> /etc/ssh/sshd_config
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+# Authentication:
+LoginGraceTime 600
+PermitRootLogin yes
+StrictModes yes
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile     %h/.ssh/authorized_keys
+# rhosts authentication should not be used
+RhostsAuthentication no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+# Uncomment to disable s/key passwords 
+#ChallengeResponseAuthentication no
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication yes
+# To change Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#AFSTokenPassing no
+#KerberosTicketCleanup no
+# Kerberos TGT Passing does only work with the AFS kaserver
+#KerberosTgtPassing yes
+X11Forwarding no
+X11DisplayOffset 10
+PrintMotd no
+#PrintLastLog no
+KeepAlive yes
+#UseLogin no
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+#ReverseMappingCheck yes
+Subsystem       sftp    /usr/lib/sftp-server
+EOF
+}
+fix_rsh_diversion() {
+# get rid of mistaken rsh diversion (circa 1.2.27-1)
+        if [ -L /usr/bin/rsh ] &&
+                dpkg-divert --list '/usr/bin/rsh.real/rsh' | grep -q ' ssh$' ; then
+                for cmd in rlogin  rsh rcp ; do
+                        [ -L /usr/bin/$cmd ] && rm /usr/bin/$cmd
+                        dpkg-divert --package ssh --remove --rename \
+                                --divert /usr/bin/rsh.real/$cmd /usr/bin/$cmd
+                        [ -L /usr/man/man1/$cmd.1.gz ] && rm /usr/man/man1/$$cmd.1.gz
+                        dpkg-divert --package ssh --remove --rename \
+                                --divert /usr/man/man1/$cmd.real.1.gz /usr/man/man1/$cmd.1.gz
+                done
+                rmdir /usr/bin/rsh.real
+        fi
+}
+fix_statoverride() {
+# Remove an erronous override for sshd (we should have overridden ssh)
+        if [ -x /usr/sbin/dpkg-statoverride ]; then
+                if dpkg-statoverride --list /usr/sbin/sshd 2>/dev/null ; then
+                        dpkg-statoverride --remove /usr/sbin/sshd
+                fi
+        fi
+}
+create_alternatives() {
+# Create alternatives for the various r* tools
+# Make sure we don't change existing alternatives that a user might have
+# changed
+        for cmd in rsh rlogin rcp ; do
+                if ! update-alternatives --display $cmd | \
+                                grep -q ssh ; then
+                        update-alternatives --quiet --install /usr/bin/$cmd $cmd /usr/bin/ssh 20 \
+                                --slave /usr/share/man/man1/$cmd.1.gz $cmd.1.gz /usr/share/man/man1/ssh.1.gz
+                fi
+        done
+        
+}
+setup_sshd_user() {
+        if ! id sshd > /dev/null 2>&1 ; then
+                adduser --quiet --system --no-create-home --home /var/run/sshd sshd
+        fi
+}
+set_sshd_permissions() {
+        suid=false
+        if dpkg --compare-versions "$oldversion" lt-nl 1:3.4p1-1 ; then
+            if [ -x /usr/sbin/dpkg-statoverride ] ; then
+                if dpkg-statoverride --list /usr/bin/ssh >/dev/null; then
+                    dpkg-statoverride --remove /usr/bin/ssh >/dev/null
+                fi 
+            fi
+        fi
+        [ -e /usr/share/debconf/confmodule ] && {
+                db_get ssh/SUID_client
+                suid="$RET"
+        }
+       if [ -x /usr/sbin/dpkg-statoverride ] ; then
+               if ! dpkg-statoverride --list /usr/lib/ssh-keysign >/dev/null ; then
+                       if [ "$suid" = "false" ] ; then
+                               chmod 0755 /usr/lib/ssh-keysign
+                       elif [ "$suid" = "true" ] ; then
+                               chmod 4755 /usr/lib/ssh-keysign
+                       fi
+               fi
+       else
+               if [ "$suid" = "false" ] ; then
+                       chmod 0755 /usr/lib/ssh-keysign
+               elif [ "$suid" = "true" ] ; then
+                       chmod 4755 /usr/lib/ssh-keysign
+               fi
+        fi
+}
+set_ssh_agent_permissions() {
+        if ! getent group | grep -q '^ssh:'; then
+                addgroup --quiet ssh
+        fi
+        if ! [ -x /usr/sbin/dpkg-statoverride ] || \
+            ! dpkg-statoverride --list /usr/bin/ssh-agent >/dev/null ; then
+                chgrp ssh /usr/bin/ssh-agent
+                chmod 2755 /usr/bin/ssh-agent
+        fi
+}
+setup_startup() {
+        start=yes
+        [ -e /usr/share/debconf/confmodule ] && {
+                db_get ssh/run_sshd
+                start="$RET"
+        }
+        if [ "$start" != "true" ] ; then
+                /etc/init.d/ssh stop 2>&1 >/dev/null
+                touch /etc/ssh/sshd_not_to_be_run
+        else
+                rm -f /etc/ssh/sshd_not_to_be_run 2>/dev/null
+        fi
+}
+setup_init() {
+        if [ -e /etc/init.d/ssh ]; then
+                update-rc.d ssh defaults >/dev/null
+                /etc/init.d/ssh restart
+        fi
+}
+check_idea_key
+create_keys
+create_sshdconfig
+fix_rsh_diversion
+fix_statoverride
+create_alternatives
+setup_sshd_user
+set_sshd_permissions
+set_ssh_agent_permissions
+setup_startup
+setup_init
+[ -e /usr/share/debconf/confmodule ] && db_stop
+exit 0
diff --git a/debian/postinst.old b/debian/postinst.old
new file mode 100644
index 000000000..586da1cc6
--- /dev/null
+++ b/debian/postinst.old
@@ -0,0 +1,269 @@
+#!/bin/sh -e
+action="$1"
+oldversion="$2"
+test -e /usr/share/debconf/confmodule && {
+  . /usr/share/debconf/confmodule
+    db_version 2.0
+}
+if [ "$action" != configure ]
+  then
+  exit 0
+fi
+check_idea_key() {
+    #check for old host_key files using IDEA, which openssh does not support
+        if [ -f /etc/ssh/ssh_host_key ] ; then
+                if ssh-keygen -p -N '' -f /etc/ssh/ssh_host_key 2>&1 | \
+                                grep -q 'unknown cipher' 2>/dev/null ; then
+      mv /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.old
+      mv /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub.old
+  fi
+        fi
+}
+create_key() {
+        local file="$1"
+        shift
+        if [ ! -f "$file" ] ; then
+                ( umask 022 ; \
+                  ssh-keygen -f "$file" -N '' "$@" > /dev/null )
+  fi
+}
+create_keys() {
+        RET=true
+test -e /usr/share/debconf/confmodule && {
+                db_get ssh/protocol2_only
+}
+        if [ "$RET" = "false" ] ; then
+                echo "Creating SSH1 key"
+                create_key /etc/ssh/ssh_host_key
+fi
+        echo "Creating SSH2 RSA key"
+        create_key /etc/ssh/ssh_host_rsa_key -t rsa
+        echo "Creating SSH2 DSA key"
+        create_key /etc/ssh/ssh_host_dsa_key -t dsa
+}
+create_sshdconfig() {
+        [ -e /etc/ssh/sshd_config ] && return
+RET=true
+test -e /usr/share/debconf/confmodule && {
+                db_get ssh/protocol2_only
+}
+        cat <<EOF > /etc/ssh/sshd_config
+# Package generated configuration file
+# See the sshd(8) manpage for defails
+# What ports, IPs and protocols we listen for
+Port 22
+# Uncomment the next entry to accept IPv6 traffic.
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+EOF
+if [ "$RET" = "false" ]; then
+                cat <<EOF >> /etc/ssh/sshd_config
+Protocol 2,1
+# HostKeys for protocol version 1
+HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+EOF
+else
+        cat <<EOF >> /etc/ssh/sshd_config
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+EOF
+fi
+        cat <<EOF >> /etc/ssh/sshd_config
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+# Authentication:
+LoginGraceTime 600
+PermitRootLogin no
+StrictModes yes
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile     %h/.ssh/authorized_keys
+# rhosts authentication should not be used
+RhostsAuthentication no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+# To disable tunneled clear text passwords, change to no here!
+PermitEmptyPasswords no
+# Uncomment to disable s/key passwords 
+#ChallengeResponseAuthentication no
+# Use PAM authentication via keyboard-interactive so PAM modules can
+# properly interface with the user
+PasswordAuthentication no
+PAMAuthenticationViaKbdInt yes
+# To change Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#AFSTokenPassing no
+#KerberosTicketCleanup no
+# Kerberos TGT Passing does only work with the AFS kaserver
+#KerberosTgtPassing yes
+X11Forwarding no
+X11DisplayOffset 10
+PrintMotd no
+#PrintLastLog no
+KeepAlive yes
+#UseLogin no
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+#ReverseMappingCheck yes
+Subsystem       sftp    /usr/libexec/sftp-server
+EOF
+}
+fix_rsh_diversion() {
+# get rid of mistaken rsh diversion (circa 1.2.27-1)
+        if [ -L /usr/bin/rsh ] &&
+                dpkg-divert --list '/usr/bin/rsh.real/rsh' | grep -q ' ssh$' ; then
+                for cmd in rlogin  rsh rcp ; do
+                        [ -L /usr/bin/$cmd ] && rm /usr/bin/$cmd
+                        dpkg-divert --package ssh --remove --rename \
+                                --divert /usr/bin/rsh.real/$cmd /usr/bin/$cmd
+                        [ -L /usr/man/man1/$cmd.1.gz ] && rm /usr/man/man1/$$cmd.1.gz
+                        dpkg-divert --package ssh --remove --rename \
+                                --divert /usr/man/man1/$cmd.real.1.gz /usr/man/man1/$cmd.1.gz
+                done
+                rmdir /usr/bin/rsh.real
+        fi
+}
+fix_statoverride() {
+# Remove an erronous override for sshd (we should have overridden ssh)
+if [ -x /usr/sbin/dpkg-statoverride ]; then
+                if dpkg-statoverride --list /usr/sbin/sshd 2>/dev/null ; then
+                        dpkg-statoverride --remote /usr/sbin/sshd
+                fi
+                fi
+}
+create_alternatives() {
+# Create alternatives for the various r* tools
+# Make sure we don't change existing alternatives that a user might have
+# changed
+        for cmd in rsh rlogin rcp ; do
+                if ! update-alternatives --display $cmd | \
+                                grep -q ssh ; then
+                        update-alternatives --quiet --install /usr/bin/$cmd $cmd /usr/bin/ssh 20 \
+                                --slave /usr/share/man/man1/$cmd.1.gz $cmd.1.gz /usr/share/man/man1/ssh.1.gz
+        fi
+        done
+        
+}
+set_sshd_permissions() {
+        suid=no
+        [ -e /usr/share/debconf/confmodule ] && {
+                db_get ssh/SUID_client
+                suid="$RET"
+        }
+        if [ "$suid" = "yes" ] ; then
+                if [ -x /usr/sbin/dpkg-statoverride ] && \
+                        ! dpkg-statoverride /usr/bin/ssh ; then
+                        dpkg-statoverride --add root root 04755 /usr/bin/ssh
+fi
+        fi
+}
+setup_startup() {
+        start=yes
+        [ -e /usr/share/debconf/confmodule ] && {
+                db_get ssh/run_sshd
+                start="$RET"
+        }
+        if [ "$start" != "true" ] ; then
+                touch /etc/ssh/sshd_not_to_be_run
+        else
+                rm -f /etc/ssh/sshd_not_to_be_run 2>/dev/null
+        fi
+}
+setup_init() {
+if [ -e /etc/init.d/ssh ]; then
+    update-rc.d ssh defaults >/dev/null
+    /etc/init.d/ssh restart
+fi
+}
+check_idea_key
+create_keys
+create_sshdconfig
+fix_rsh_diversion
+fix_statoverride
+create_alternatives
+set_sshd_permissions
+setup_startup
+setup_init
+# Automatically added by dh_installdocs
+if [ "$1" = "configure" ]; then
+        if [ -d /usr/doc -a ! -e /usr/doc/ssh -a -d /usr/share/doc/ssh ]; then
+                ln -sf ../share/doc/ssh /usr/doc/ssh
+        fi
+fi
+# End automatically added section
+[ -e /usr/share/debconf/confmodule ] && db_stop
+exit 0
diff --git a/debian/postrm b/debian/postrm
new file mode 100644
index 000000000..c76f662df
--- /dev/null
+++ b/debian/postrm
@@ -0,0 +1,19 @@
+#!/bin/sh -e
+#DEBHELPER#
+if [ "$1" = "purge" ]
+then
+  rm -rf /etc/ssh
+fi
+if [ "$1" = "purge" ] ; then
+    update-rc.d ssh remove >/dev/null
+fi
+if [ "$1" = "purge" ] ; then
+        deluser --quiet sshd > /dev/null || true
+        delgroup --quiet ssh > /dev/null || true
+fi
+exit 0
diff --git a/debian/preinst b/debian/preinst
new file mode 100644
index 000000000..320d4df2a
--- /dev/null
+++ b/debian/preinst
@@ -0,0 +1,79 @@
+#!/bin/sh -e
+action=$1
+version=$2
+if [ -d /etc/ssh-nonfree -a ! -d /etc/ssh ]; then
+  version=1.2.27
+fi
+if [ "$action" = upgrade -o "$action" = install ]
+then
+  # check if debconf is missing
+  if ! test -f /usr/share/debconf/confmodule
+  then
+    cat <<EOF
+WARNING: ssh's pre-configuration script relies on debconf to tell you
+about some problems that might prevent you from logging in if you are
+upgrading from the old, Non-free version of ssh.
+If this is a new installation, you don't need to worry about this.
+Just go ahead and install ssh (make sure to read .../ssh/README.Debian).
+If you are upgrading, but you have alternative ways of logging into
+the machine (i.e. you're sitting in front of it, or you have telnetd
+running), then you also don't need to worry too much, because you can
+fix it up afterwards if there's a problem.
+If you're upgrading from an older (non-free) version of ssh, and ssh
+is the only way you have to access this machine, then you should
+probably abort the installation of ssh, install debconf, and then
+retry the installation of ssh.
+EOF
+    echo -n "Do you want to install SSH anyway [yN]: "
+    read input
+    expr "$input" : '[Yy]' >/dev/null || exit 1
+    # work around for missing debconf
+    db_get() { : ; }
+    RET=true
+    if [ -d /etc/ssh-nonfree -a ! -d /etc/ssh ]; then
+      cp -a /etc/ssh-nonfree /etc/ssh
+    fi
+  else
+    # Source debconf library.
+    . /usr/share/debconf/confmodule
+    db_version 2.0
+  fi
+  db_get ssh/use_old_init_script
+  if [ "$RET" = "false" ]; then
+    echo "ssh config: Aborting because ssh/use_old_init_script = false" >&2
+    exit 1
+  fi
+  # deal with upgrading from pre-OpenSSH versions
+  key=/etc/ssh/ssh_host_key
+  export key
+  if [ -n "$version" ] && [ -x /usr/bin/ssh-keygen ] && [ -f $key ] &&
+     dpkg --compare-versions "$version" lt 1.2.28
+  then
+    # make sure that keys get updated to get rid of IDEA
+    #
+    # N.B. this only works because we've still got the old
+    # nonfree ssh-keygen at this point
+    #
+    # First, check if we need to bother
+    echo -en '\0\0' | 3<&0 sh -c \
+        'dd if=$key bs=1 skip=32 count=2 2>/dev/null | cmp -s - /dev/fd/3' || {
+      # this means that bytes 32&33 of the key were not both zero, in which
+      # case the key is encrypted, which we need to fix
+      chmod 600 $key
+      ssh-keygen -u -f $key >/dev/null
+    }
+  fi
+fi
+#DEBHELPER#
diff --git a/debian/prerm b/debian/prerm
new file mode 100644
index 000000000..17aa45e1f
--- /dev/null
+++ b/debian/prerm
@@ -0,0 +1,44 @@
+#! /bin/sh
+# prerm script for ssh
+#
+# see: dh_installdeb(1)
+set -e
+# summary of how this script can be called:
+#        * <prerm> `remove'
+#        * <old-prerm> `upgrade' <new-version>
+#        * <new-prerm> `failed-upgrade' <old-version>
+#        * <conflictor's-prerm> `remove' `in-favour' <package> <new-version>
+#        * <deconfigured's-prerm> `deconfigure' `in-favour'
+#          <package-being-installed> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+case "$1" in
+    remove|deconfigure)
+        update-alternatives --quiet --remove ssh /usr/bin/ssh
+        update-alternatives --quiet --remove ssh /usr/bin/slogin
+        update-alternatives --quiet --remove ssh /usr/bin/scp
+    if [ -e /etc/init.d/ssh ]; then
+        /etc/init.d/ssh stop
+    fi
+#       install-info --quiet --remove /usr/info/ssh-askpass.info.gz
+        ;;
+    upgrade)
+#       install-info --quiet --remove /usr/info/ssh-askpass.info.gz
+        ;;
+    failed-upgrade)
+        ;;
+    *)
+        echo "prerm called with unknown argument \`$1'" >&2
+        exit 0
+    ;;
+esac
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+#DEBHELPER#
+exit 0
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 000000000..fb60b2270
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,99 @@
+#!/usr/bin/make -f
+# Uncomment this to turn on verbose mode.
+# export DH_VERBOSE=1
+# This is the debhelper compatability version to use.
+export DH_COMPAT=1
+# This has to be exported to make some magic below work.
+export DH_OPTIONS
+#PKG_VER = $(shell perl -e 'print <> =~ /\((.*)\)/' debian/changelog)
+build: build-stamp
+build-stamp:
+        dh_testdir
+#Change the version string to include the Debian Version
+        if <version.h sed -e "/define/s/\"\(.*\)\"/\"\1 Debian `dpkg-parsechangelog | sed -n -e '/^Version:/s/Version: //p'`\"/" >version.h.new; \
+        then mv version.h version.h.upstream; mv version.h.new version.h; \
+        else echo "Version number change failed"; exit 1; \
+        fi
+        ./configure --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/lib --mandir=/usr/share/man --with-tcp-wrappers --with-xauth=/usr/bin/X11/xauth --with-default-path=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin --with-pam --with-4in6 --with-ipv4-default \
+                --with-privsep-path=/var/run/sshd  --without-rand-helper
+        $(MAKE) -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' CFLAGS='-O2 -g -Wall -DLOGIN_PROGRAM=\"/bin/login\" -DSSHD_PAM_SERVICE=\"ssh\" -D__FILE_OFFSET_BITS=64 -DHAVE_MMAP_ANON_SHARED' \
+                SSH_KEYSIGN='/usr/lib/ssh-keysign'
+        $(MAKE) -C contrib gnome-ssh-askpass1 CC='gcc -O2'
+        touch build-stamp
+clean:
+        dh_testdir
+        rm -f build-stamp
+        -$(MAKE) -i distclean
+        -$(MAKE) -C contrib clean
+        rm -f config.log
+        if [ -f version.h.upstream ]; then mv version.h.upstream version.h; \
+        fi
+        dh_clean
+install: DH_OPTIONS=
+install: build
+        dh_testdir
+        dh_testroot
+        dh_clean -k
+        dh_installdirs
+        # Add here commands to install the package into debian/tmp.
+        $(MAKE) DESTDIR=`pwd`/debian/tmp install
+        rm -f debian/tmp/etc/ssh/ssh_host_*key*
+        rm -f debian/tmp/etc/ssh/sshd_config
+        #Temporary hack: remove /usr/share/Ssh.bin, since we have no smartcard support anyway.
+        rm -f debian/tmp/usr/share/Ssh.bin
+        install -m 755 contrib/ssh-copy-id debian/tmp/usr/bin/ssh-copy-id
+        install -m 644 -c contrib/ssh-copy-id.1 debian/tmp/usr/share/man/man1/ssh-copy-id.1
+        install -m 644 debian/gnome-ssh-askpass.1 debian/tmp/usr/share/man/man1/gnome-ssh-askpass.1
+        install -s -o root -g root -m 755 contrib/gnome-ssh-askpass1 debian/ssh-askpass-gnome/usr/lib/ssh/gnome-ssh-askpass
+        install -o root -g root debian/init debian/tmp/etc/init.d/ssh
+        install -o root -g root -m 755 -d debian/tmp/var/run/sshd
+        dh_movefiles
+# Build architecture-independent files here.
+binary-indep: build install
+        # nothing to do
+# Build architecture-dependent files here.
+binary-arch: build install
+        dh_testdir
+        dh_testroot
+        dh_installdebconf
+        dh_installdocs OVERVIEW README
+        cat debian/copyright.head LICENCE > debian/tmp/usr/share/doc/ssh/copyright
+        dh_installexamples
+        dh_installmenu
+        nroff RFC.nroff > debian/tmp/usr/share/doc/ssh/RFC
+        gzip -9 debian/tmp/usr/share/doc/ssh/RFC
+        rm -rf debian/tmp/usr/share/doc/ssh/RFC.nroff.gz
+        dh_installpam
+        dh_installcron
+        dh_installchangelogs ChangeLog
+        dh_strip
+        dh_link
+        dh_compress
+        dh_fixperms
+        dh_installdeb
+        test ! -e debian/tmp/etc/ssh/ssh_prng_cmds \
+          || echo "/etc/ssh/ssh_prng_cmds" >> debian/tmp/DEBIAN/conffiles
+        dh_shlibdeps
+        dh_gencontrol
+        dh_md5sums
+        dh_builddeb
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install
diff --git a/debian/ssh-askpass-gnome.copyright b/debian/ssh-askpass-gnome.copyright
new file mode 100644
index 000000000..4a71dda00
--- /dev/null
+++ b/debian/ssh-askpass-gnome.copyright
@@ -0,0 +1,44 @@
+This package contains a Gnome based implementation of ssh-askpass
+written by Damien Miller.
+It is split out from the main package to isolate the dependency on the
+Gnome and X11 libraries.
+It was packaged for Debian by Philip Hands <phil@hands.com>.
+Copyright:
+/*
+**
+** GNOME ssh passphrase requestor
+**
+** Damien Miller <djm@ibs.com.au>
+** 
+** Copyright 1999 Internet Business Solutions
+**
+** Permission is hereby granted, free of charge, to any person
+** obtaining a copy of this software and associated documentation
+** files (the "Software"), to deal in the Software without
+** restriction, including without limitation the rights to use, copy,
+** modify, merge, publish, distribute, sublicense, and/or sell copies
+** of the Software, and to permit persons to whom the Software is
+** furnished to do so, subject to the following conditions:
+**
+** The above copyright notice and this permission notice shall be
+** included in all copies or substantial portions of the Software.
+**
+** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
+** KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
+** WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
+** AND NONINFRINGEMENT.  IN NO EVENT SHALL DAMIEN MILLER OR INTERNET
+** BUSINESS SOLUTIONS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+** ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
+** OR OTHER DEALINGS IN THE SOFTWARE.
+**
+** Except as contained in this notice, the name of Internet Business
+** Solutions shall not be used in advertising or otherwise to promote
+** the sale, use or other dealings in this Software without prior
+** written authorization from Internet Business Solutions.
+**
+*/
diff --git a/debian/ssh-askpass-gnome.dirs b/debian/ssh-askpass-gnome.dirs
new file mode 100644
index 000000000..6c255ea63
--- /dev/null
+++ b/debian/ssh-askpass-gnome.dirs
@@ -0,0 +1 @@
+usr/lib/ssh/
diff --git a/debian/ssh-askpass-gnome.postinst b/debian/ssh-askpass-gnome.postinst
new file mode 100644
index 000000000..7441cca29
--- /dev/null
+++ b/debian/ssh-askpass-gnome.postinst
@@ -0,0 +1,53 @@
+#! /bin/sh
+# postinst script for ssh-askpass-gnome
+#
+# see: dh_installdeb(1)
+set -e
+# summary of how this script can be called:
+#        * <postinst> `configure' <most-recently-configured-version>
+#        * <old-postinst> `abort-upgrade' <new version>
+#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+#          <new-version>
+#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+#          <failed-install-package> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+#
+# quoting from the policy:
+#     Any necessary prompting should almost always be confined to the
+#     post-installation script, and should be protected with a conditional
+#     so that unnecessary prompting doesn't happen if a package's
+#     installation fails and the `postinst' is called with `abort-upgrade',
+#     `abort-remove' or `abort-deconfigure'.
+case "$1" in
+    configure)
+        update-alternatives --quiet \
+            --install /usr/bin/ssh-askpass ssh-askpass \
+                      /usr/lib/ssh/gnome-ssh-askpass 30 \
+            --slave /usr/share/man/man1/ssh-askpass.1.gz \
+                    ssh-askpass.1.gz /usr/share/man/man1/gnome-ssh-askpass.1.gz
+    ;;
+    abort-upgrade|abort-remove|abort-deconfigure)
+    ;;
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 0
+    ;;
+esac
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+#DEBHELPER#
+exit 0
diff --git a/debian/ssh-askpass-gnome.prerm b/debian/ssh-askpass-gnome.prerm
new file mode 100644
index 000000000..6f3f5756d
--- /dev/null
+++ b/debian/ssh-askpass-gnome.prerm
@@ -0,0 +1,41 @@
+#! /bin/sh
+# prerm script for ssh-askpass-gnome
+#
+# see: dh_installdeb(1)
+set -e
+# summary of how this script can be called:
+#        * <prerm> `remove'
+#        * <old-prerm> `upgrade' <new-version>
+#        * <new-prerm> `failed-upgrade' <old-version>
+#        * <conflictor's-prerm> `remove' `in-favour' <package> <new-version>
+#        * <deconfigured's-prerm> `deconfigure' `in-favour'
+#          <package-being-installed> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+case "$1" in
+    remove|deconfigure)
+        update-alternatives --quiet --remove ssh-askpass /usr/lib/ssh/gnome-ssh-askpass
+#       install-info --quiet --remove /usr/info/ssh-askpass.info.gz
+        ;;
+    upgrade)
+#       install-info --quiet --remove /usr/info/ssh-askpass.info.gz
+        ;;
+    failed-upgrade)
+        ;;
+    *)
+        echo "prerm called with unknown argument \`$1'" >&2
+        exit 0
+    ;;
+esac
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+#DEBHELPER#
+exit 0
diff --git a/debian/ssh.pam b/debian/ssh.pam
new file mode 100644
index 000000000..a4478cf4a
--- /dev/null
+++ b/debian/ssh.pam
@@ -0,0 +1,22 @@
+#%PAM-1.0
+auth       required     pam_nologin.so
+auth       required     pam_unix.so
+auth       required     pam_env.so # [1]
+account    required     pam_unix.so
+session    required     pam_unix.so
+session    optional     pam_lastlog.so # [1]
+session    optional     pam_motd.so # [1]
+session    optional     pam_mail.so standard noenv # [1]
+session    required     pam_limits.so
+password   required     pam_unix.so
+# Alternate strength checking for password. Note that this
+# requires the libpam-cracklib package to be installed.
+# You will need to comment out the password line above and
+# uncomment the next two in order to use this.
+#
+# password required       pam_cracklib.so retry=3 minlen=6 difok=3
+# password required       pam_unix.so use_authtok nullok md5
diff --git a/debian/templates b/debian/templates
new file mode 100644
index 000000000..b56f8a5ec
--- /dev/null
+++ b/debian/templates
@@ -0,0 +1,151 @@
+Template: ssh/privsep_tell
+Type: note
+Description: Privilege separation
+ This version of OpenSSH contains the new privilege separation
+ option. This significantly reduces the quantity of code that runs as
+ root, and therefore reduces the impact of security holes in sshd.
+ .
+ Unfortunately, privilege separation interacts badly with PAM. Any
+ PAM session modules that need to run as root (pam_mkhomedir, for
+ example) will fail, and PAM keyboard-interactive authentication 
+ won't work.
+ .
+ Privilege separation is turned on by default, so if you decide you
+ want it turned off, you need to add "UsePrivilegeSeparation no" to
+ /etc/ssh/sshd_config.
+ .
+ NB! If you are running a 2.0 series Linux kernel, then privilege
+ separation will not work at all, and your sshd will fail to start
+ unless you explicitly turn privilege separation off.
+Template: ssh/privsep_ask
+Type: boolean
+Default: true
+Description: Enable Privilege separation
+ This version of OpenSSH contains the new privilege separation
+ option. This significantly reduces the quantity of code that runs as
+ root, and therefore reduces the impact of security holes in sshd.
+ .
+ Unfortunately, privilege separation interacts badly with PAM. Any
+ PAM session modules that need to run as root (pam_mkhomedir, for
+ example) will fail, and PAM keyboard-interactive authentication 
+ won't work.
+ .
+ Since you've opted to have me generate an sshd_config file for you,
+ you can choose whether or not to have Privilege Separation turned on
+ or not. Unless you are running 2.0 (in which case you *must* say no
+ here or your sshd won't start at all) or know you need to use PAM
+ features that won't work with this option, you should say yes here.
+Template: ssh/new_config
+Type: boolean
+Default: true
+Description: Generate new configuration file
+ This version of OpenSSH has a considerably changed configuration file from 
+ the version shipped in Debian 'Potato', which you appear to be upgrading from.
+ I can now generate you a new configuration file (/etc/ssh/sshd.config), which
+ will work with the new server version, but will not contain any customisations
+ you made with the old version. 
+ .
+ Please note that this new configuration file will set the value of 
+ 'PermitRootLogin' to yes (meaning that anyone knowing the root password can
+ ssh directly in as root). It is the opinion of the maintainer that this is
+ the correct default (see README.Debian for more details), but you can always
+ edit sshd_config and set it to no if you wish.
+ .
+ It is strongly recommended that you let me generate a new configuration file 
+ for you.
+Template: ssh/protocol2_only
+Type: boolean
+Default: true
+Description: Allow SSH protocol 2 only
+ This version of OpenSSH supports version 2 of the ssh protocol, which
+ is much more secure.  Disabling ssh 1 is encouraged, however this
+ will slow things down on low end machines and might prevent older
+ clients from connecting (the ssh client shipped with "potato" is affected).
+ .
+ Also please note that keys used for protocol 1 are different so you will
+ not be able to use them if you only allow protocol 2 connections.
+ .
+ If you later change your mind about this setting, README.Debian has 
+ instructions on what to do to your sshd_config file.
+Template: ssh/ssh2_keys_merged
+Type: note
+Description: ssh2 keys merged in configuration files
+ As of version 3 OpenSSH no longer uses separate files for ssh1 and
+ ssh2 keys. This means the authorized_keys2 and known_hosts2 files
+ are no longer needed. They will still be read in order to maintain
+ backwards compatibility
+Template: ssh/use_old_init_script
+Type: boolean
+Default: false
+Description: Do you want to continue (and risk killing active ssh sessions) ?
+ The version of /etc/init.d/ssh that you have installed, is likely to kill
+ all running sshd instances.  If you are doing this upgrade via an ssh
+ session, that would be a Bad Thing(tm).
+ .
+ You can fix this by adding "--pidfile /var/run/sshd.pid" to the
+ start-stop-daemon line in the stop section of the file.
+Template: ssh/forward_warning
+Type: note
+Description: NOTE: Forwarding of X11 and Authorization disabled by default.
+ For security reasons, the Debian version of ssh has ForwardX11 and
+ ForwardAgent set to ``off'' by default.
+ .
+ You can enable it for servers you trust, either
+ in one of the configuration files, or with the -X command line option.
+ .
+ More details can be found in /usr/share/doc/ssh/README.Debian
+Template: ssh/insecure_rshd
+Type: note
+Description: Warning: rsh-server is installed --- probably not a good idea
+ having rsh-server installed undermines the security that you were probably
+ wanting to obtain by installing ssh.  I'd advise you to remove that package.
+Template: ssh/insecure_telnetd
+Type: note
+Description: Warning: telnetd is installed --- probably not a good idea
+ I'd advise you to either remove the telnetd package (if you don't actually
+ need to offer telnet access) or install telnetd-ssl so that there is at
+ least some chance that telnet sessions will not be sending unencrypted
+ login/password and session information over the network.
+Template: ssh/encrypted_host_key_but_no_keygen
+Type: note
+Description: Warning: you must create a new host key
+ There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted.
+ OpenSSH can not handle this host key file, and I can't find the
+ ssh-keygen utility from the old (non-free) SSH installation.
+ .
+ You will need to generate a new host key.
+Template: ssh/SUID_client
+Type: boolean
+Default: true
+Description: Do you want /usr/lib/ssh-keysign to be installed SUID root?
+ You have the option of installing the ssh-keysign helper with the SUID
+ bit set.
+ .
+ If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2
+ host-based authentication.
+ .
+ If in doubt, I suggest you install it with SUID.  If it causes
+ problems you can change your mind later by running:   dpkg-reconfigure ssh 
+Template: ssh/run_sshd
+Type: boolean
+Default: true
+Description: Do you want to run the sshd server ?
+ This package contains both the ssh client, and the sshd server.
+ .
+ Normally the sshd Secure Shell Server will be run to allow remote
+ logins via ssh.
+ .
+ If you are only interested in using the ssh client for outbound
+ connections on this machine, and don't want to log into it at all
+ using ssh, then you can disable sshd here.
diff --git a/debian/templates.da b/debian/templates.da
new file mode 100644
index 000000000..c17c60039
--- /dev/null
+++ b/debian/templates.da
@@ -0,0 +1,157 @@
+Template: ssh/protocol2_only
+Type: boolean
+Default: true
+Description: Allow SSH protocol 2 only
+ This version of OpenSSH supports version 2 of the ssh protocol, which is
+ much more secure.  Disabling ssh 1 is encouraged, however this will slow
+ things down on low end machines and might prevent older clients from
+ connecting.
+ .
+ Also please note that keys used for protocol 1 are different so you will
+ not be able to use them if you only allow protocol 2 connections.
+Description-da: Tillad kun SSH protokol 2
+ Denne udgave af OpenSSH underst�tter version 2 af ssh-protokollen, som er
+ betydeligt mere sikker. Det anbefales af deaktivere version 1. Dog kan det
+ sl�ve langsomme maskiner, og forhindre �ldre klienter i at opn� forbindelse.
+Template: ssh/ssh2_keys_merged
+Type: note
+Description: ssh2 keys merged in configuration files
+ As of version 3 OpenSSH no longer uses seperate files for ssh1 and ssh2
+ keys. This means the authorized_keys2 and known_hosts2 files are no longer
+ needed. They will still be read in order to maintain backwards
+ compatibility
+Description-da: ssh2-n�gler flettet i ops�tningsfilerne
+ Siden version 3 har OpenSSH ikke l�ngere separate filer for ssh1- og
+ ssh2-n�gler. Det betyder, at filerne authorized_keys2 og known_hosts2 ikke
+ l�ngere er n�dvendige. De vil stadig dog stadig blive l�st for
+ bagudkompatilitetens skyld.
+Template: ssh/use_old_init_script
+Type: boolean
+Default: false
+Description: Do you want to continue (and risk killing active ssh sessions) ?
+ The version of /etc/init.d/ssh that you have installed, is likely to kill
+ all running sshd instances.  If you are doing this upgrade via an ssh
+ session, that would be a Bad Thing(tm).
+ .
+ You can fix this by adding "--pidfile /var/run/sshd.pid" to the
+ start-stop-daemon line in the stop section of the file.
+Description-da: Vil du forts�tte (og risikere at afbryde aktive ssh-forbindelser)?
+ Den udgave af /etc/init.d/ssh, du har installeret, vil sandsynligvis afbryde
+ alle sshd-d�moner. Det vil v�re en rigtigt d�rlig id�, hvis du er ved at
+ opgradering via en ssh-forbindelse.
+ .
+ Du kan afhj�lpe dette ved at tilf�je "--pidfile /var/run/sshd.pid" til
+ 'start-stop-daemon'-linjen i stop-afsnittet af filen.
+Template: ssh/forward_warning
+Type: note
+Description: NOTE: Forwarding of X11 and Authorization disabled by default.
+ For security reasons, the Debian version of ssh has ForwardX11 and
+ ForwardAgent set to ``off'' by default.
+ .
+ You can enable it for servers you trust, either in one of the
+ configuration files, or with the -X command line option.
+ .
+ More details can be found in /usr/share/doc/ssh/README.Debian
+Description-da: BEM�RK: Videregivelse af X11 og adgangkontrol er som standard deaktiveret.
+ Af sikkerhedsgrunde har Debianudgaven af ssh sat ForwardX11 og ForwardAgent
+ til 'off' som standard.
+ .
+ Du kan aktivere dem for servere, du stoler p� i en af ops�tningsfilerne
+ eller med kommandolinjetilvalget '-X'.
+Template: ssh/insecure_rshd
+Type: note
+Description: Warning: rsh-server is installed --- probably not a good idea
+ having rsh-server installed undermines the security that you were probably
+ wanting to obtain by installing ssh.  I'd advise you to remove that
+ package.
+Description-da: Advarsel: rsh-serveren er installeret --- sikkert ikke en god id�
+ Den sikkerhed, du nok �nskede at opn� ved at installere ssh undermineres
+ ved, at du har rsh-server installeret. Jeg vil r�de dig til at fjerne
+ pakken rsh-server.
+Template: ssh/insecure_telnetd
+Type: note
+Description: Warning: telnetd is installed --- probably not a good idea
+ I'd advise you to either remove the telnetd package (if you don't actually
+ need to offer telnet access) or install telnetd-ssl so that there is at
+ least some chance that telnet sessions will not be sending unencrypted
+ login/password and session information over the network.
+Description-da: Advarsel: telnetd er installeret --- sikkert ikke en god id�
+ Jeg vil r�de dig til enten at fjerne pakken telnetd (hvis du i virkeligheden
+ ikke har brug for at tilbyde telnet-adgang) eller installere telnetd-ssl, s�
+ der i det mindste er en mulighed for, at telnet-sessioner ikke sender
+ adgangskoder og sessions-oplysninger ukrypteret over netv�rket.
+Template: ssh/encrypted_host_key_but_no_keygen
+Type: note
+Description: Warning: you must create a new host key
+ There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted. OpenSSH
+ can not handle this host key file, and I can't find the ssh-keygen utility
+ from the old (non-free) SSH installation.
+ .
+ You will need to generate a new host key.
+Description-da: Advarsel: du skal oprette en ny v�rtsn�gle
+ Der ligger en gammel, IDEA-krypteret /etc/ssh/ssh_host_key. OpenSSH kan
+ ikke h�ndtere s�dan en v�rtsn�glefil, og jeg kan ikke finde v�rkt�jet
+ ssh-keygen fra den gamle (ikke-frie, 'non-free') SSH-installation.
+Template: ssh/SUID_client
+Type: boolean
+Default: false
+Description: Do you want /usr/bin/ssh to be installed SUID root?
+ You have the option of installing the ssh client with the SUID bit set.
+ .
+ If you make ssh SUID, you will be able to use Rhosts/RhostsRSA
+ authentication, but will not be able to use socks via the LD_PRELOAD
+ trick.  This is the traditional approach.
+ .
+ If you do not make ssh SUID, you will be able to use socks, but
+ Rhosts/RhostsRSA authentication will stop working, which may stop you
+ logging in to remote systems.  It will also mean that the source port will
+ be above 1024, which may confound firewall rules you've set up.
+ .
+ If in doubt, I suggest you install it with SUID.  If it causes problems
+ you can change your mind later by running:   dpkg-reconfigure ssh 
+Description-da: Vil du have, at /usr/bin/ssh bliver installeret 'SUID root'?
+ Du har mulighed for at installere ssh-klienten med SUID-flaget sat.
+ .
+ Hvis du g�r ssh SUID, vil du kunne bruge adgangskontrollen
+ Rhosts/RhostsRSA, men vil ikke kunne bruge socks med LD_PRELOAD-tricket.
+ Det vil v�re den almindelige fremgangsm�de.
+ .
+ Hvis du ikke g�r ssh SUID, vil du kunne bruge socks, men adgangskontrol
+ med Rhosts/RhostRSA vil holde op med at virke, hvilket kan forhindre dig
+ i at logge ind p� fjerne systemer. Det vil ogs� betyde, at kildeporten
+ vil ligge over 1024, hvilket kan kollidere med eventuelle brandmure, du
+ har sat op.
+ .
+ Hvis du er i tvivl, foresl�r jeg, at du installerer den med SUID. Hvis det
+ giver problemer, kan du senere ombestemme dig ved at k�re:
+ 'dpkg-reconfigure ssh'.
+Template: ssh/run_sshd
+Type: boolean
+Default: true
+Description: Do you want to run the sshd server ?
+ This package contains both the ssh client, and the sshd server.
+ .
+ Normally the sshd Secure Shell Server will be run to allow remote logins
+ via ssh.
+ .
+ If you are only interested in using the ssh client for outbound
+ connections on this machine, and don't want to log into it at all using
+ ssh, then you can disable sshd here.
+Description-da: Vil du k�re sshd-serveren?
+ Denne pakke indeholder b�de ssh-klienten og sshd-serveren.
+ .
+ Normalt vil sshd sikker skalserver ('Secure Shell Server') blive aktiveret
+ og tillade fjerne brugere i at logge p� via ssh.
+ .
+ Hvis du udelukkende er interesseret i at bruge ssh-klienten til udg�ende
+ forbindelser fra denne maskine, og ikke �nsker at tilg� denne maskine
+ udefra via ssh, kan du nu deaktivere sshd.
diff --git a/debian/templates.de b/debian/templates.de
new file mode 100644
index 000000000..5feb24cd9
--- /dev/null
+++ b/debian/templates.de
@@ -0,0 +1,95 @@
+Template: ssh/use_old_init_script
+Type: boolean
+Default: false
+Description: Do you want to continue (and risk killing active ssh sessions) ?
+ The version of /etc/init.d/ssh that you have installed, is likely to kill
+ all running sshd instances.  If you are doing this upgrade via an ssh
+ session, that would be a Bad Thing(tm).
+ .
+ You can fix this by adding "--pidfile /var/run/sshd.pid" to the
+ start-stop-daemon line in the stop section of the file.
+Description-de: Wollen Sie weitermachen (und das Killen der Session riskieren)?
+ Die Version von /etc/init.d/ssh, die Sie installiert haben, wird 
+ vermutlich Ihre aktiven ssh-Instanzen killen. Wenn Sie das Upgrade
+ via ssh erledigen, dann ist das ein Problem.
+ .
+ Sie k�nnen das Problem beheben, indem sie "--pidfile /var/run/sshd.pid"
+ an die start-stop-daemon Zeile in dem Bereich stop der Datei 
+ /etc/init.d/ssh erg�nzen.
+Template: ssh/forward_warning
+Type: note
+Description: NOTE: Forwarding of X11 and Authorization disabled by default.
+ For security reasons, the Debian version of ssh has ForwardX11 and
+ ForwardAgent set to ``off'' by default.
+ .
+ You can enable it for servers you trust, either
+ in one of the configuration files, or with the -X command line option.
+ .
+ More details can be found in /usr/share/doc/ssh/README.Debian
+Description-de: HINWEIS: Forwarden von X11 und Authorisierung ist abgeschaltet.
+ Aus Sicherheitsgr�nden sind die Debian Pakete von ssh ForwardX11 und
+ ForwardAgent auf "off" gesetzt.
+ .
+ Sie k�nnen dies f�r Server, denen Sie trauen, entweder per Eintrag in
+ die Konfigurations Dateien oder per Kommando-Zeilen Option -X �ndern.
+ .
+ Weitere Details koennen Sie in /usr/share/doc/ssh/README.Debian finden.
+Template: ssh/insecure_rshd
+Type: note
+Description: Warning: rsh-server is installed --- probably not a good idea
+ having rsh-server installed undermines the security that you were probably
+ wanting to obtain by installing ssh.  I'd advise you to remove that package.
+Description-de: Warnung: rsh-server ist installiert --- m�glicherweise
+ ist es eine schlechte Idee, den rsh-server installiert zu haben, da er 
+ die Sicherheit untergr�bt. Wir empfehlen, das Paket zu entfernen.
+Template: ssh/insecure_telnetd
+Type: note
+Description: Warning: telnetd is installed --- probably not a good idea
+ I'd advise you to either remove the telnetd package (if you don't actually
+ need to offer telnet access) or install telnetd-ssl so that there is at
+ least some chance that telnet sessions will not be sending unencrypted
+ login/password and session information over the network.
+Description-de: Warnung: telnetd ist installiert --- schlechte Idee
+ Wir empfehlen das telnetd Paket zu entfernen (falls Sie keinen telnet Zugang
+ anbieten) oder telnetd-ssl zu installieren, so da� Sie verhindern k�nnen,
+ da� Login und Password unverschl�sselt durch das Netz gesendet
+ werden.
+Template: ssh/encrypted_host_key_but_no_keygen
+Type: note
+Description: Warning: you must create a new host key
+ There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted.
+ OpenSSH can not handle this host key file, and I can't find the
+ ssh-keygen utility from the old (non-free) SSH installation.
+ .
+ You will need to generate a new host key.
+Description-de: Warnung: Sie m�ssen einen neuen Host Key erzeugen
+ Es existiert eine alte Variante von /etc/ssh/ssh_host_key welche
+ per IDEA verschl�sselt ist. OpenSSH kann eine solche Host Key Datei
+ nicht lesen und ssh-keygen von der alten (nicht-freien) ssh Installation
+ kann nicht gefunden werden.
+Template: ssh/run_sshd
+Type: boolean
+Default: true
+Description: Do you want to run the sshd server ?
+ This package contains both the ssh client, and the sshd server.
+ .
+ Normally the sshd Secure Shell Server will be run to allow remote
+ logins via ssh.
+ .
+ If you are only interested in using the ssh client for outbound
+ connections on this machine, and don't want to log into it at all
+ using ssh, then you can disable sshd here.
+Description-de: M�chten Sie den sshd Server starten?
+ Das Paket enth�lt sowohl den Client als auch den sshd Server.
+ .
+ Normal wird der sshd Secure Shell Server f�r Remote Logins per ssh
+ gestartet.
+ .
+ Wenn Sie nur den ssh client nutzen wollen, um sich mit anderen Rechnern
+ zu verbinden und sich nicht per ssh in diesen Computer einloggen wollen, 
+ dann k�nnen Sie hier den sshd abschalten.
diff --git a/debian/templates.es b/debian/templates.es
new file mode 100644
index 000000000..8d7b25a34
--- /dev/null
+++ b/debian/templates.es
@@ -0,0 +1,266 @@
+Template: ssh/run_sshd
+Type: boolean
+Default: true
+Description: Do you want to run the sshd server ?
+ This package contains both the ssh client, and the sshd server.
+ .
+ Normally the sshd Secure Shell Server will be run to allow remote logins
+ via ssh.
+ .
+ If you are only interested in using the ssh client for outbound
+ connections on this machine, and don't want to log into it at all using
+ ssh, then you can disable sshd here.
+Description-es: �Quiere ejecutar el servidor sshd?
+ Este paquete contiene el cliente ssh y el servidor sshd.
+ .
+ Generalmente, el servidor de ssh (Secure Shell Server) se ejecuta para
+ permitir el acceso remoto mediante ssh.
+ .
+ Si s�lo est� interesado en usar el cliente ssh en conexiones salientes del
+ sistema y no quiere acceder a �l mediante ssh, entonces puede desactivar
+ sshd.
+Template: ssh/use_old_init_script
+Type: boolean
+Default: false
+Description: Do you want to continue (and risk killing active ssh sessions) ?
+ The version of /etc/init.d/ssh that you have installed, is likely to kill
+ all running sshd instances.  If you are doing this upgrade via an ssh
+ session, that would be a Bad Thing(tm).
+ .
+ You can fix this by adding "--pidfile /var/run/sshd.pid" to the
+ start-stop-daemon line in the stop section of the file.
+Description-es: �Desea continuar, a�n a riesgo de matar las sesiones ssh activas?
+ La versi�n de /etc/init.d/ssh que tiene instalada es muy probable que
+ mate el demonio ssh. Si est� actualizando a trav�s de una sesi�n ssh,
+ puede que no sea muy buena idea.
+ .
+ Puede arreglarlo a�adiendo "--pidfile /var/run/sshd.pid" a la l�nea
+ 'start-stop-daemon', en la secci�n 'stop' del fichero.
+Template: ssh/SUID_client
+Type: boolean
+Default: true
+Description: Do you want /usr/lib/ssh-keysign to be installed SUID root?
+ You have the option of installing the ssh-keysign helper with the SUID bit
+ set.
+ .
+ If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2
+ host-based authentication.
+ .
+ If in doubt, I suggest you install it with SUID.  If it causes problems
+ you can change your mind later by running:   dpkg-reconfigure ssh
+Description-es: �Quiere instalar /usr/lib/ssh-keysign SUID root?
+ Puede instalar ssh-keysign con el bit SUID (se ejecutar� con privilegios
+ de root).
+ .
+ Si hace ssh-keysign SUID, podr� usar la autentificiaci�n basada en
+ servidor de la versi�n 2 del protocolo SSH.
+ .
+ Si duda, se recomienda que lo instale SUID. Si surgen problemas puede
+ cambiar de opini�n posteriormente ejecutando �dpkg-reconfigure ssh�.
+Template: ssh/encrypted_host_key_but_no_keygen
+Type: note
+Description: Warning: you must create a new host key
+ There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted. OpenSSH
+ can not handle this host key file, and I can't find the ssh-keygen utility
+ from the old (non-free) SSH installation.
+ .
+ You will need to generate a new host key.
+Description-es: Aviso: debe crear una nueva clave para su servidor
+ Su sistema tiene un /etc/ssh/ssh_host_key antiguo, que usa cifrado IDEA.
+ OpenSSH no puede manejar este fichero de claves y tampoco se encuentra la
+ utilidad ssh-keygen incluida en el paquete ssh no libre.
+ .
+ Necesitar� generar una nueva clave para su servidor.
+Template: ssh/insecure_telnetd
+Type: note
+Description: Warning: telnetd is installed --- probably not a good idea
+ I'd advise you to either remove the telnetd package (if you don't actually
+ need to offer telnet access) or install telnetd-ssl so that there is at
+ least some chance that telnet sessions will not be sending unencrypted
+ login/password and session information over the network.
+Description-es: Aviso: tiene telnetd instalado
+ Es muy aconsejable que borre el paquete telnetd si no necesita realmente
+ ofrecer acceso mediante telnet o instalar telnetd-ssl para que las
+ contrase�as, nombres de usuario y dem�s informaci�n de las sesiones telnet
+ no viajen sin cifrar por la red.
+Template: ssh/forward_warning
+Type: note
+Description: NOTE: Forwarding of X11 and Authorization disabled by default.
+ For security reasons, the Debian version of ssh has ForwardX11 and
+ ForwardAgent set to ``off'' by default.
+ .
+ You can enable it for servers you trust, either in one of the
+ configuration files, or with the -X command line option.
+ .
+ More details can be found in /usr/share/doc/ssh/README.Debian
+Description-es: NOTA: Reenv�o de X11 y Autorizaci�n desactivadas por defecto.
+ Por razones de seguridad, la versi�n de ssh de Debian tiene por defecto
+ ForwardX11 y ForwardAgent desactivadas.
+ .
+ Puede activar estas opciones para los servidores en los que conf�e, en los
+ ficheros de configuraci�n o con la opci�n -X en l�nea de comandos.
+ .
+ Puede encontrar m�s detalles en /usr/share/doc/ssh/README.Debian.
+Template: ssh/privsep_tell
+Type: note
+Description: Privilege separation
+ This version of OpenSSH contains the new privilege separation option. This
+ significantly reduces the quantity of code that runs as root, and
+ therefore reduces the impact of security holes in sshd.
+ .
+ Unfortunately, privilege separation interacts badly with PAM. Any PAM
+ session modules that need to run as root (pam_mkhomedir, for example) will
+ fail, and PAM keyboard-interactive authentication won't work.
+ .
+ Privilege separation is turned on by default, so if you decide you want it
+ turned off, you need to add "UsePrivilegeSeparation no" to
+ /etc/ssh/sshd_config.
+ .
+ NB! If you are running a 2.0 series Linux kernel, then privilege
+ separation will not work at all, and your sshd will fail to start unless
+ you explicitly turn privilege separation off.
+Description-es: Separaci�n de privilegios
+ Esta versi�n de OpenSSH incluye una nueva opci�n de separaci�n de
+ privilegios que reduce significativamente la cantidad de c�digo que se
+ ejecuta como root, por lo que reduce el impacto de posibles agujeros de
+ seguridad en sshd.
+ .
+ Desafortunadamente, la separaci�n de privilegios no interact�a
+ correctamente con PAM. Cualquier m�dulo PAM que necesite ejecutarse como
+ root (como, por ejemplo, pam_mkhomedir) y la autentificaci�n interactiva
+ PAM con teclado no funcionar�n.
+ .
+ La separaci�n de privilegios est� activa por defecto, por lo que si decide
+ desactivarla, tiene que a�adir "UsePrivilegeSeparation no" al fichero
+ /etc/ssh/sshd_config.
+ .
+ Nota: Si utiliza un n�cleo Linux de la serie 2.0, la separaci�n de
+ privilegios fallar� estrepitosamente y sshd no funcionar� a no ser que la
+ desactive.
+Template: ssh/ssh2_keys_merged
+Type: note
+Description: ssh2 keys merged in configuration files
+ As of version 3 OpenSSH no longer uses separate files for ssh1 and ssh2
+ keys. This means the authorized_keys2 and known_hosts2 files are no longer
+ needed. They will still be read in order to maintain backwards
+ compatibility
+Description-es: Las claves ssh2 ya se incluyen en los ficheros de configuraci�n
+ A partir de la versi�n 3, OpenSSH ya no utiliza ficheros diferentes para
+ las claves ssh1 y ssh2. Esto quiere decir que ya no son necesarios los
+ ficheros authorized_keys2 y known_hosts2, aunque a�n se seguir�n leyendo
+ para mantener compatibilidad hacia atr�s.
+Template: ssh/protocol2_only
+Type: boolean
+Default: true
+Description: Allow SSH protocol 2 only
+ This version of OpenSSH supports version 2 of the ssh protocol, which is
+ much more secure.  Disabling ssh 1 is encouraged, however this will slow
+ things down on low end machines and might prevent older clients from
+ connecting (the ssh client shipped with "potato" is affected).
+ .
+ Also please note that keys used for protocol 1 are different so you will
+ not be able to use them if you only allow protocol 2 connections.
+ .
+ If you later change your mind about this setting, README.Debian has
+ instructions on what to do to your sshd_config file.
+Description-es: Permitir s�lo la versi�n 2 del protocolo SSH
+ Esta versi�n de OpenSSH soporta la versi�n 2 del protocolo ssh, que es
+ mucho m�s segura que la anterior. Se recomienda desactivar la versi�n 1,
+ aunque funcionar� m�s lento en m�quinas modestas y puede impedir que se
+ conecten clientes antiguos, como, por ejemplo, el incluido en "potato".
+ .
+ Tambi�n tenga en cuenta que las claves utilizadas para el protocolo 1 son
+ diferentes, por lo que no podr� usarlas si �nicamente permite conexiones
+ mediante la versi�n 2 del protocolo.
+ .
+ Si m�s tarde cambia de opini�n, el fichero README.Debian contiene
+ instrucciones sobre c�mo modificar en el fichero sshd_config.
+Template: ssh/insecure_rshd
+Type: note
+Description: Warning: rsh-server is installed --- probably not a good idea
+ having rsh-server installed undermines the security that you were probably
+ wanting to obtain by installing ssh.  I'd advise you to remove that
+ package.
+Description-es: Aviso: tiene rsh-server instalado
+ Tener rsh-server instalado representa un menoscabo de la seguridad que
+ probablemente desea obtener instalando ssh. Es muy aconsejable que borre
+ ese paquete.
+Template: ssh/privsep_ask
+Type: boolean
+Default: true
+Description: Enable Privilege separation
+ This version of OpenSSH contains the new privilege separation option. This
+ significantly reduces the quantity of code that runs as root, and
+ therefore reduces the impact of security holes in sshd.
+ .
+ Unfortunately, privilege separation interacts badly with PAM. Any PAM
+ session modules that need to run as root (pam_mkhomedir, for example) will
+ fail, and PAM keyboard-interactive authentication won't work.
+ .
+ Since you've opted to have me generate an sshd_config file for you, you
+ can choose whether or not to have Privilege Separation turned on or not.
+ Unless you are running 2.0 (in which case you *must* say no here or your
+ sshd won't start at all) or know you need to use PAM features that won't
+ work with this option, you should say yes here.
+Description-es: Activar separaci�n de privilegios
+ Esta versi�n de OpenSSH incluye una nueva opci�n de separaci�n de
+ privilegios que reduce significativamente la cantidad de c�digo que se
+ ejecuta como root, por lo que reduce el impacto de posibles agujeros de
+ seguridad en sshd.
+ .
+ Desafortunadamente, la separaci�n de privilegios no interact�a
+ correctamente con PAM. Cualquier m�dulo PAM que necesite ejecutarse como
+ root (como, por ejemplo, pam_mkhomedir) y la autentificaci�n PAM mediante
+ teclado no funcionar�n.
+ .
+ Puesto que ha elegido crear autom�ticamente el fichero sshd_config, puede
+ decidir ahora si quiere activar la opci�n de separaci�n de privilegios. A
+ menos que utilice la versi�n 2.0 (en cuyo caso debe responer no aqu� o
+ sshd no arrancar�) o sepa que necesita usar ciertas caracter�sticas de PAM
+ que funcionan con esta opci�n, deber�a responder s� a esta pregunta.
+Template: ssh/new_config
+Type: boolean
+Default: true
+Description: Generate new configuration file
+ This version of OpenSSH has a considerably changed configuration file from
+ the version shipped in Debian 'Potato', which you appear to be upgrading
+ from. I can now generate you a new configuration file
+ (/etc/ssh/sshd.config), which will work with the new server version, but
+ will not contain any customisations you made with the old version.
+ .
+ Please note that this new configuration file will set the value of
+ 'PermitRootLogin' to yes (meaning that anyone knowing the root password
+ can ssh directly in as root). It is the opinion of the maintainer that
+ this is the correct default (see README.Debian for more details), but you
+ can always edit sshd_config and set it to no if you wish.
+ .
+ It is strongly recommended that you let me generate a new configuration
+ file for you.
+Description-es: Generar un nuevo fichero de configuraci�n
+ Esta versi�n de OpenSSH tiene un fichero de configuraci�n
+ considerablemente diferente del incluido en Debian Potato, que es la
+ versi�n desde la que parece estar actualizando. Puede crear
+ autom�ticamente un nuevo fichero de configuraci�n (/etc/ssh/sshd_config),
+ que funcionar� con la nueva versi�n del servidor, pero no incuir� las
+ modificaciones que hiciera en la versi�n antigua.
+ .
+ Adem�s, recuerde que este nuevo fichero de configuraci�n dir� s� en la
+ opci�n 'PermitRootLogin', por lo que cualquiera que conozca la contrase�a
+ de root podr� entrar mediante ssh directamente como root. En opini�n del
+ mantenedor �sta es la opci�n predeterminada m�s adecuada (puede leer
+ README.Debian si quiere conocer m�s detalles), pero siempre puede editar
+ sshd_config y poner no si lo desea.
+ .
+ Es muy recomendable que permita que se genere un nuevo fichero de
+ configuraci�n ahora.
diff --git a/debian/templates.fr b/debian/templates.fr
new file mode 100644
index 000000000..5eee0f92a
--- /dev/null
+++ b/debian/templates.fr
@@ -0,0 +1,278 @@
+Template: ssh/privsep_tell
+Type: note
+Description: Privilege separation
+ This version of OpenSSH contains the new privilege separation
+ option. This significantly reduces the quantity of code that runs as
+ root, and therefore reduces the impact of security holes in sshd.
+ .
+ Unfortunately, privilege separation interacts badly with PAM. Any
+ PAM session modules that need to run as root (pam_mkhomedir, for
+ example) will fail, and PAM keyboard-interactive authentication 
+ won't work.
+ .
+ Privilege separation is turned on by default, so if you decide you
+ want it turned off, you need to add "UsePrivilegeSeparation no" to
+ /etc/ssh/sshd_config.
+ .
+ NB! If you are running a 2.0 series Linux kernel, then privilege
+ separation will not work at all, and your sshd will fail to start
+ unless you explicitly turn privilege separation off.
+Description-fr: S�paration des privil�ges
+ Cette version d'OpenSSH est livr�e avec la nouvelle option de
+ s�paration des privil�ges. Cela r�duit de mani�re significative la
+ quantit� de code s'ex�cutant en tant que super-utilisateur, et donc
+ r�duit l'impact des trous de s�curit� dans sshd.
+ .
+ Malheureusement, la s�paration des privil�ges interagit mal avec PAM.
+ Tous les modules de session PAM qui doivent �tre ex�cut�s en tant
+ que super-utilisateur (pam_mkhomedir, par exemple) ne s'ex�cuteront
+ pas, et l'authentification interactive au clavier ne fonctionnera pas.
+ .
+ La s�paration des privil�ges est activ�e par d�faut ; si vous
+ souhaitez la d�sactiver, vous devez ajouter ��UsePrivilegeSeparation
+ no�� dans /etc/ssh/sshd_config.
+ .
+ NB�! Si vous avez un noyau Linux de la s�rie des 2.0, la s�paration
+ des privil�ges ne fonctionne pas, et votre d�mon sshd ne se lancera
+ que si vous avez explicitement d�sactiv� la s�paration des privil�ges.
+Template: ssh/privsep_ask
+Type: boolean
+Default: true
+Description: Enable Privilege separation
+ This version of OpenSSH contains the new privilege separation
+ option. This significantly reduces the quantity of code that runs as
+ root, and therefore reduces the impact of security holes in sshd.
+ .
+ Unfortunately, privilege separation interacts badly with PAM. Any
+ PAM session modules that need to run as root (pam_mkhomedir, for
+ example) will fail, and PAM keyboard-interactive authentication 
+ won't work.
+ .
+ Since you've opted to have me generate an sshd_config file for you,
+ you can choose whether or not to have Privilege Separation turned on
+ or not. Unless you are running 2.0 (in which case you *must* say no
+ here or your sshd won't start at all) or know you need to use PAM
+ features that won't work with this option, you should say yes here.
+Description-fr: Activer la s�paration des privil�ges
+ Cette version d'OpenSSH est livr�e avec la nouvelle option de
+ s�paration des privil�ges. Cela r�duit de mani�re significative la
+ quantit� de code s'ex�cutant en tant que super-utilisateur, et donc
+ r�duit l'impact des trous de s�curit� dans sshd.
+ .
+ Malheureusement, la s�paration des privil�ges interagit mal avec PAM.
+ Tous les modules de session PAM qui doivent �tre ex�cut�s en tant
+ que super-utilisateur (pam_mkhomedir, par exemple) ne s'ex�cuteront
+ pas, et l'authentification interactive au clavier ne fonctionnera pas.
+ .
+ Comme vous souhaitez que je g�n�re le fichier de configuration
+ sshd_config � votre place, vous pouvez choisir d'activer ou non
+ l'option de s�paration des privil�ges. Si vous utilisez un noyau 2.0
+ (dans ce cas vous *devez* d�sactiver cette option ou alors sshd ne se
+ lancera pas) ou bien si vous avez besoin de fonctionnalit�s PAM, cela
+ ne fonctionnera pas si cette option est activ�e, dans le cas contraire
+ vous devriez l'activer.
+Template: ssh/new_config
+Type: boolean
+Default: true
+Description: Generate new configuration file
+ This version of OpenSSH has a considerably changed configuration file from 
+ the version shipped in Debian 'Potato', which you appear to be upgrading from.
+ I can now generate you a new configuration file (/etc/ssh/sshd.config), which
+ will work with the new server version, but will not contain any customisations
+ you made with the old version. 
+ .
+ Please note that this new configuration file will set the value of 
+ 'PermitRootLogin' to yes (meaning that anyone knowing the root password can
+ ssh directly in as root). It is the opinion of the maintainer that this is
+ the correct default (see README.Debian for more details), but you can always
+ edit sshd_config and set it to no if you wish.
+ .
+ It is strongly recommended that you let me generate a new configuration file 
+ for you.
+Description-fr: Cr�er un nouveau fichier de configuration
+ Cette version d'OpenSSH utilise un fichier de configuration qui a
+ �norm�ment chang� depuis la version contenue dans la distribution
+ Debian ��Potato��, depuis laquelle vous semblez faire une mise � jour.
+ Je peux g�n�rer maintenant pour vous un nouveau fichier de
+ configuration (/etc/ssh/sshd.config) qui marchera avec la nouvelle
+ version du serveur, mais ne contiendra aucun des r�glages que vous avez
+ faits sur l'ancienne version.
+ .
+ Veuillez noter que ce nouveau fichier de configuration positionnera la
+ valeur de ��PermitRootLogin�� � ��yes�� (ce qui signifie que quiconque
+ connaissant le mot de passe du super-utilisateur peut se connecter
+ en tant que tel sur la machine). Le responsable du paquet
+ pense que c'est l� un comportement par d�faut normal (lisez
+ README.Debian pour plus d'informations), mais vous pouvez toujours
+ �diter le fichier sshd_config et changer cela.
+ .
+ Il est fortement recommand� que vous me laissiez g�n�rer le nouveau
+ fichier de configuration.
+Template: ssh/protocol2_only
+Type: boolean
+Default: true
+Description: Allow SSH protocol 2 only
+ This version of OpenSSH supports version 2 of the ssh protocol, which
+ is much more secure.  Disabling ssh 1 is encouraged, however this
+ will slow things down on low end machines and might prevent older
+ clients from connecting (the ssh client shipped with "potato" is affected).
+ .
+ Also please note that keys used for protocol 1 are different so you will
+ not be able to use them if you only allow protocol 2 connections.
+ .
+ If you later change your mind about this setting, README.Debian has 
+ instructions on what to do to your sshd_config file.
+Description-fr: Permettre seulement la version 2 du protocole SSH
+ Cette version d'OpenSSH conna�t la version 2 du protocole ssh, qui est
+ bien plus s�re. D�sactiver ssh 1 est une bonne chose, cependant cela
+ peut ralentir les machines peu puissantes et pourrait emp�cher ceux qui
+ utilisent des vieilles versions de la partie cliente de se connecter
+ (le client ssh de la distribution Debian ��Potato�� en fait partie).
+ .
+ De plus, les cl�s utilis�es par la version 1 du protocole sont
+ diff�rentes et vous ne pourrez pas les utiliser si vous
+ n'autorisez que les connexions utilisant la version 2 du protocole.
+ .
+ Si vous changez d'avis ult�rieurement et d�cidez de modifier ce
+ r�glage, les instructions fournies dans le fichier README.Debian vous
+ indiquent comment modifier le fichier sshd_config.
+Template: ssh/ssh2_keys_merged
+Type: note
+Description: ssh2 keys merged in configuration files
+ As of version 3 OpenSSH no longer uses separate files for ssh1 and
+ ssh2 keys. This means the authorized_keys2 and known_hosts2 files
+ are no longer needed. They will still be read in order to maintain
+ backwards compatibility
+Description-fr: Cl�s pour ssh2 fusionn�es dans les fichiers de configuration
+ OpenSSH, depuis sa version 3, n'utilise plus de fichiers distincts pour
+ les cl�s ssh1 et ssh2. Cela signifie que les fichiers authorized_keys2
+ et known_hosts2 ne sont plus utiles. Ils seront n�anmoins lus afin de
+ pr�server la compatibilit� descendante.
+Template: ssh/use_old_init_script
+Type: boolean
+Default: false
+Description: Do you want to continue (and risk killing active ssh sessions) ?
+ The version of /etc/init.d/ssh that you have installed, is likely to kill
+ all running sshd instances.  If you are doing this upgrade via an ssh
+ session, that would be a Bad Thing(tm).
+ .
+ You can fix this by adding "--pidfile /var/run/sshd.pid" to the
+ start-stop-daemon line in the stop section of the file.
+Description-fr: Voulez-vous continuer (et risquer de rompre les sessions ssh actives)�?
+ Il est probable que la version de /etc/init.d/ssh install�e en ce moment
+ tue toutes les instances de sshd en cours. En cas de mise � jour par ssh,
+ �a serait une mauvaise id�e.
+ .
+ Vous pouvez corriger cela en ajoutant dans /etc/init.d/ssh ��--pidfile
+ /var/run/sshd.pid�� � la ligne ��start-stop-daemon�� dans la section
+ ��stop�� du fichier.
+Template: ssh/forward_warning
+Type: note
+Description: NOTE: Forwarding of X11 and Authorization disabled by default.
+ For security reasons, the Debian version of ssh has ForwardX11 and
+ ForwardAgent set to ``off'' by default.
+ .
+ You can enable it for servers you trust, either
+ in one of the configuration files, or with the -X command line option.
+ .
+ More details can be found in /usr/share/doc/ssh/README.Debian
+Description-fr: NOTE�: suivi de session X11 et d'agent d'autorisation d�sactiv�s par d�faut.
+ Pour des raisons de s�curit�, la version Debian de ssh positionne les
+ options ForwardX11 et ForwardAgent � ��Off�� par d�faut.
+ .
+ Vous pouvez activer ces options pour les serveurs en qui vous avez
+ confiance, soit dans un des fichiers de configuration, soit avec l'option
+ -X de la ligne de commande.
+ .
+ Plus d'informations sont disponibles dans /usr/share/doc/ssh/README.Debian.
+Template: ssh/insecure_rshd
+Type: note
+Description: Warning: rsh-server is installed --- probably not a good idea
+ having rsh-server installed undermines the security that you were probably
+ wanting to obtain by installing ssh.  I'd advise you to remove that package.
+Description-fr: Attention�: rsh-server est install� -- ce n'est probablement pas une bonne id�e
+ Avoir un serveur rsh install� affaiblit la s�curit� que vous vouliez
+ probablement obtenir en installant ssh. Je vous conseille de
+ supprimer ce paquet.
+Template: ssh/insecure_telnetd
+Type: note
+Description: Warning: telnetd is installed --- probably not a good idea
+ I'd advise you to either remove the telnetd package (if you don't actually
+ need to offer telnet access) or install telnetd-ssl so that there is at
+ least some chance that telnet sessions will not be sending unencrypted
+ login/password and session information over the network.
+Description-fr: Attention�: telnetd est install� -- ce n'est probablement pas une bonne id�e
+ Je vous conseille soit d'enlever le paquet telnetd (si ce service
+ n'est pas n�cessaire), soit de le remplacer par le paquet telnetd-ssl pour
+ qu'il y ait au moins une chance que les sessions telnet soient chiffr�es
+ et que les mots de passe et noms d'utilisateurs ne passent pas en clair
+ sur le r�seau.
+Template: ssh/encrypted_host_key_but_no_keygen
+Type: note
+Description: Warning: you must create a new host key
+ There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted.
+ OpenSSH can not handle this host key file, and I can't find the
+ ssh-keygen utility from the old (non-free) SSH installation.
+ .
+ You will need to generate a new host key.
+Description-fr: Attention�: vous devez cr�er une nouvelle cl� d'h�te
+ Il existe un vieux /etc/ssh/ssh_host_key qui est chiffr� avec IDEA.
+ OpenSSH ne peut utiliser ce fichier de cl�, et je ne peux trouver
+ l'utilitaire ssh-keygen de l'installation pr�c�dente (non libre) de SSH.
+ .
+ Vous aurez besoin de g�n�rer une nouvelle cl� d'h�te.
+Template: ssh/SUID_client
+Type: boolean
+Default: true
+Description: Do you want /usr/lib/ssh-keysign to be installed SUID root?
+ You have the option of installing the ssh-keysign helper with the SUID
+ bit set.
+ .
+ If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2
+ host-based authentication.
+ .
+ If in doubt, I suggest you install it with SUID.  If it causes
+ problems you can change your mind later by running:   dpkg-reconfigure ssh 
+Description-fr: Voulez-vous que /usr/lib/ssh-keysign soit install� avec le bit SETUID activ�?
+ Vous avez la possibilit� d'installer ssh-keysign avec le bit SETUID
+ activ�.
+ .
+ Si vous mettez ssh-keysign avec le bit SETUID, vous permettrez
+ l'authentification bas�e sur les h�tes, disponible dans la version 2 du
+ protocole SSH.
+ .
+ Dans le doute, je vous sugg�re de l'installer avec le bit SETUID
+ activ�. Si cela vous cause des probl�mes, vous pourrez revenir sur
+ votre d�cision avec ��dpkg-reconfigure ssh��.
+Template: ssh/run_sshd
+Type: boolean
+Default: true
+Description: Do you want to run the sshd server ?
+ This package contains both the ssh client, and the sshd server.
+ .
+ Normally the sshd Secure Shell Server will be run to allow remote
+ logins via ssh.
+ .
+ If you are only interested in using the ssh client for outbound
+ connections on this machine, and don't want to log into it at all
+ using ssh, then you can disable sshd here.
+Description-fr: Voulez-vous utiliser le serveur sshd�?
+ Ce paquet contient � la fois le client ssh et le serveur sshd.
+ .
+ Normalement le serveur sshd est lanc� pour permettre les connexions
+ distantes via ssh.
+ .
+ Si vous d�sirez seulement utiliser le client ssh pour des connexions vers
+ l'ext�rieur, ou si vous ne voulez pas vous connecter sur cette machine 
+ via ssh, vous pouvez d�sactiver sshd maintenant.
diff --git a/debian/templates.ja b/debian/templates.ja
new file mode 100644
index 000000000..cdcc829cc
--- /dev/null
+++ b/debian/templates.ja
@@ -0,0 +1,205 @@
+Template: ssh/new_config
+Type: boolean
+Default: true
+Description: Generate new configuration file
+ This version of OpenSSH has a considerably changed configuration file from 
+ the version shipped in Debian 'Potato', which you appear to be upgrading from.
+ I can now generate you a new configuration file (/etc/ssh/sshd.config), which
+ will work with the new server version, but will not contain any customisations
+ you made with the old version. 
+ .
+ Please note that this new configuration file will set the value of 
+ 'PermitRootLogin' to yes (meaning that anyone knowing the root password can
+ ssh directly in as root). It is the opinion of the maintainer that this is
+ the correct default (see README.Debian for more details), but you can always
+ edit sshd_config and set it to no if you wish.
+ .
+ It is strongly recommended that you let me generate a new configuration file 
+ for you 
+Description-ja: ����������ե��������ޤ�
+ OpenSSH �Τ��ΥС������ϡ�Debian 'Potato' �˴ޤޤ�Ƥ���С������
+ (���ޡ����ΥС�����󤫤�ΥС�����󥢥åפ��ߤƤ���Ȥ���) ���顢
+ ����ե����뤬�������Ѳ����Ƥ��ޤ������ޡ��������С������Υ����Ф�
+ �Ȥ����Ȥ��Ǥ��뿷��������ե����� (/etc/ssh/sshd/config) ��ư����
+ ���뤳�Ȥ��Ǥ��ޤ��������Υե�����ϡ��Ť��С�����������ե������
+ �ޤޤ�뤢�ʤ������꤬�����ޤޤ�ޤ���
+ .
+ ���ο���������ե�����ϡ���PermitRootLogin�פ��yes�פ����ꤷ�ޤ���
+ (�Ĥޤꡢroot �Υѥ���ɤ��ΤäƤ���ͤʤ�ï�Ǥ�ľ�ܥ�������Ǥ���
+ ��)������Ǥ褤���Ȥ����Τ����Υѥå������Υ��ƥʤΰո��Ǥ��� (�ܤ�
+ ���� README.Debian ���ɤ�ǲ�����)��sshd_config ���Խ����ơ�no�פ���
+ �ꤹ�뤳�Ȥ�Ǥ��ޤ���
+ .
+ ����������ե������ư�������뤳�Ȥ򶯤������ᤷ�ޤ���
+Template: ssh/protocol2_only
+Type: boolean
+Default: true
+Description: Allow SSH protocol 2 only
+ This version of OpenSSH supports version 2 of the ssh protocol, which
+ is much more secure.  Disabling ssh 1 is encouraged, however this
+ will slow things down on low end machines and might prevent older
+ clients from connecting (the ssh client shipped with "potato" is affected).
+ .
+ Also please note that keys used for protocol 1 are different so you will
+ not be able to use them if you only allow protocol 2 connections.
+ .
+ If you later change your mind about this setting, README.Debian has 
+ instructions on what to do to your sshd_config file.
+Description-ja: SSH �ץ��ȥ��� 2 �Τߤ���Ĥ��ޤ�
+ OpenSSH �Τ��ΥС������ϡ����äȰ����ʡ�ssh �ץ��ȥ���ΥС������
+ 2 �򥵥ݡ��Ȥ��Ƥ��ޤ���ssh 1 ��ػߤ��뤳�Ȥ򤪴��ᤷ�ޤ������٤���
+ ����Ǥ�ư��٤��ʤä��ꡢ�Ť����饤����Ȥ�����³�Ǥ��ʤ��ʤä���
+ ���ޤ� ("potato" �� ssh ���饤����Ȥ���³�Ǥ��ʤ��ʤ�ޤ�)��
+ .
+ �ޤ����ץ��ȥ��� 1 �ǻȤ������ϰۤʤ뤿�ᡢ�ץ��ȥ��� 2 ��ͭ���ˤ���
+ �����ǤϤ��Υ�����Ȥ����Ȥ��Ǥ��ޤ���
+ .
+ �⤷���夢�ʤ����ͤ����Ѥ����顢README.Debian ���ɤ�� sshd_config ��
+ �ɤΤ褦���ѹ�������褤����ʬ����ޤ���
+Template: ssh/ssh2_keys_merged
+Type: note
+Description: ssh2 keys merged in configuration files
+ As of version 3 OpenSSH no longer uses separate files for ssh1 and
+ ssh2 keys. This means the authorized_keys2 and known_hosts2 files
+ are no longer needed. They will still be read in order to maintain
+ backwards compatibility
+Description-ja: ssh2 ����������ե���������礵��ޤ�
+ OpenSSH �ΥС������ 3 �ϡ�ssh1 �� ssh2 �Υ����˸��̤Υե������Ȥ�
+ �ޤ��󡣤Ĥޤꡢauthorized_keys2 �ե������ known_hosts2 �ե�����Ϥ�
+ �Ϥ����פȤʤ�ޤ����������ߴ������ݤĤ���ˤϤ����Υե����뤬ɬ��
+ �Ǥ���
+Template: ssh/use_old_init_script
+Type: boolean
+Default: false
+Description: Do you want to continue (and risk killing active ssh sessions) ?
+ The version of /etc/init.d/ssh that you have installed, is likely to kill
+ all running sshd instances.  If you are doing this upgrade via an ssh
+ session, that would be a Bad Thing(tm).
+ .
+ You can fix this by adding "--pidfile /var/run/sshd.pid" to the
+ start-stop-daemon line in the stop section of the file.
+Description-ja: ³���Ƥ����Ǥ��� (��³��� ssh ���å�����ڤ�뤫�⤷��ޤ���)
+ ���ޥ��󥹥ȡ��뤷�� /etc/init.d/ssh �ϡ������餯�¹���� sshd ������
+ ��ߤ����ޤ������ΥС�����󥢥åפ� ssh ���å������Ѥ��ƹԤ��Τϴ�
+ ��ä���꤫���Ǥ���
+ .
+ ���ξ�����������ˤϡ�/etc/init.d/ssh �� stop ����������
+ start-stop-daemon �ιԤˡ�--pidfile /var/run/sshd.pid�פ��ɲä��ޤ���
+Template: ssh/forward_warning
+Type: note
+Description: NOTE: Forwarding of X11 and Authorization disabled by default.
+ For security reasons, the Debian version of ssh has ForwardX11 and
+ ForwardAgent set to ``off'' by default.
+ .
+ You can enable it for servers you trust, either
+ in one of the configuration files, or with the -X command line option.
+ .
+ More details can be found in /usr/share/doc/ssh/README.Debian
+Description-ja: ����: X11 ��ǧ�ڤΥե���ǥ��󥰤ϥǥե���ȤǤ϶ػߤ���ޤ�
+ �������ƥ������ͳ���顢Debian �� ssh �Ǥ� ForwardX11 ��
+ ForwardAgent �ϥǥե���ȤǤϡ�off�פ����ꤵ��ޤ���
+ .
+ ����ե������Ȥä��ꡢ-X ���ޥ�ɥ饤�󥪥ץ�����Ȥä��ꤹ��
+ ���Ȥǡ����ѤǤ��륵���Ф��Ф��Ƶ��Ĥ��뤳�Ȥ��Ǥ��ޤ���
+ .
+ �ܺ٤� /usr/share/doc/ssh/README.Debian ���ɤ�ǲ�������
+Template: ssh/insecure_rshd
+Type: note
+Description: Warning: rsh-server is installed --- probably not a good idea
+ having rsh-server installed undermines the security that you were probably
+ wanting to obtain by installing ssh.  I'd advise you to remove that package.
+Description-ja: �ٹ�: rsh-server �����󥹥ȡ��뤵��Ƥ��ޤ������֤��ɤ��ͤ��ǤϤ���ޤ���
+ rsh-server �����󥹥ȡ��뤵��Ƥ���ȡ����ʤ��� ssh �ˤ�ä���������
+ �פäƤ���Ǥ������������ƥ���»�ʤ��ޤ������Υѥå������򥢥�
+ �󥹥ȡ��뤹�뤳�Ȥ򤪴��ᤷ�ޤ���
+Template: ssh/insecure_telnetd
+Type: note
+Description: Warning: telnetd is installed --- probably not a good idea
+ I'd advise you to either remove the telnetd package (if you don't actually
+ need to offer telnet access) or install telnetd-ssl so that there is at
+ least some chance that telnet sessions will not be sending unencrypted
+ login/password and session information over the network.
+Description-ja: �ٹ�: telnetd �����󥹥ȡ��뤵��Ƥ��ޤ������֤��ɤ��ͤ��ǤϤ���ޤ���
+ (�⤷ telnet �����������󶡤������ȻפäƤ��ʤ��ΤǤ�����) telnetd
+ �ѥå������򥢥󥤥󥹥ȡ��뤹�뤫���ޤ��ϡ�telnetd-ssh �ѥå�������
+ ���󥹥ȡ��뤷�ƾ��ʤ��Ȥ�ͥåȥ�����Ź沽����Ƥ��ʤ��桼��̾
+ ��ѥ���ɤ䥻�å�������ή��ʤ��褦�ˤ��뤳�Ȥ򤪴��ᤷ�ޤ���
+Template: ssh/encrypted_host_key_but_no_keygen
+Type: note
+Description: Warning: you must create a new host key
+ There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted.
+ OpenSSH can not handle this host key file, and I can't find the
+ ssh-keygen utility from the old (non-free) SSH installation.
+ .
+ You will need to generate a new host key.
+Description-ja: �ٹ�: �������ۥ��ȥ�������ʤ��Ȥ����ޤ���
+ IDEA �ǰŹ沽���줿�Ť������� /etc/ssh/ssh_host_key �ˤ���ޤ���
+ OpenSSH �Ϥ��Υۥ��ȥ����ե�����򰷤��ޤ��󡣤ޤ��������󥹥ȡ���
+ ����Ƥ���Ť� (�ե꡼�ǤϤʤ�) SSH �ˤ� ssh-keygen �桼�ƥ���ƥ�
+ ���ޤޤ�Ƥ��ޤ���
+ .
+ �������ۥ��ȥ�������ɬ�פ�����ޤ���
+Template: ssh/SUID_client
+Type: boolean
+Default: true
+Description: Do you want /usr/bin/ssh to be installed SUID root?
+ You have the option of installing the ssh client with the SUID bit set.
+ .
+ If you make ssh SUID, you will be able to use Rhosts/RhostsRSA
+ authentication, but will not be able to use socks via the LD_PRELOAD
+ trick.  This is the traditional approach.
+ .
+ If you do not make ssh SUID, you will be able to use socks, but
+ Rhosts/RhostsRSA authentication will stop working, which may stop you
+ logging in to remote systems.  It will also mean that the source
+ port will be above 1024, which may confound firewall rules you've set up.
+ .
+ If in doubt, I suggest you install it with SUID.  If it causes
+ problems you can change your mind later by running:   dpkg-reconfigure ssh 
+Description-ja: /usr/bin/ssh �� SUID root �ǥ��󥹥ȡ��뤷�ޤ���?
+ ssh ���饤����Ȥ򥤥󥹥ȡ��뤹��ݡ�SUID �ӥåȤ����ꤹ�뤫���ʤ���
+ �����֤��Ȥ��Ǥ��ޤ���
+ .
+ SUID �����ꤹ��С�Rhosts/RhostsRSA ǧ�ڤ�Ȥ����Ȥ��Ǥ��ޤ�����
+ LD_PRELOAD �ȥ�å����Ѥ��� socks ��Ȥ����Ȥ��Ǥ��ʤ��ʤ�ޤ�������
+ ������Ū�ʤ�꤫���Ǥ���
+ .
+ SUID �����ꤷ�ʤ���С�socks ��Ȥ����Ȥ��Ǥ��ޤ�����Rhosts/RhostRSA
+ ǧ�ڤ�Ư���ʤ��ʤꡢ��⡼�ȥ����ƥ�ؤΥ������󤬤Ǥ��ʤ��ʤ뤫�⤷
+ ��ޤ��󡣤ޤ����������ݡ��Ȥ� 1024 �ʾ�Ȥʤꡢ���ʤ������ꤷ���ե�
+ ������������Υ롼����𤵤��뤫�⤷��ޤ���
+ .
+ �⤷ʬ����ʤ���С�SUID �����ꤷ�����֤ǥ��󥹥ȡ��뤹�뤳�Ȥ򤪴���
+ ���ޤ�������Ǥ⤷�������꤬����С�dpkg-reconfigure ssh ��¹Ԥ��뤳
+ �Ȥ�������ѹ����뤳�Ȥ��Ǥ��ޤ���
+Template: ssh/run_sshd
+Type: boolean
+Default: true
+Description: Do you want to run the sshd server ?
+ This package contains both the ssh client, and the sshd server.
+ .
+ Normally the sshd Secure Shell Server will be run to allow remote
+ logins via ssh.
+ .
+ If you are only interested in using the ssh client for outbound
+ connections on this machine, and don't want to log into it at all
+ using ssh, then you can disable sshd here.
+Description-ja: sshd �����Ф�¹Ԥ��ޤ���?
+ ���Υѥå������ϡ�ssh ���饤����Ȥ� sshd �����Ф�ξ����ޤ�Ǥ��ޤ���
+ .
+ �̾sshd �����奢�����륵���Фϡ�ssh ���Ѥ�����⡼�Ȥ���Υ�������
+ ���ǽ�ˤ��뤿��˼¹Ԥ��ޤ���
+ .
+ �⤷ ssh ���饤����Ȥ�ȤäƤ��Υޥ��󤫤�¾�ޥ���ؤ���³���������
+ �ǡ����Υޥ���ؤ� ssh ��Ȥäƥ������󤷤ʤ��ΤǤ����顢������ sshd
+ ��¹Ԥ��ʤ��Ǥ����ޤ���
diff --git a/debian/templates.pl b/debian/templates.pl
new file mode 100644
index 000000000..d4b8fda6d
--- /dev/null
+++ b/debian/templates.pl
@@ -0,0 +1,264 @@
+Template: ssh/privsep_tell
+Type: note
+Description: Privilege separation
+ This version of OpenSSH contains the new privilege separation
+ option. This significantly reduces the quantity of code that runs as
+ root, and therefore reduces the impact of security holes in sshd.
+ .
+ Unfortunately, privilege separation interacts badly with PAM. Any
+ PAM session modules that need to run as root (pam_mkhomedir, for
+ example) will fail, and PAM keyboard-interactive authentication 
+ won't work.
+ .
+ Privilege separation is turned on by default, so if you decide you
+ want it turned off, you need to add "UsePrivilegeSeparation no" to
+ /etc/ssh/sshd_config.
+ .
+ NB! If you are running a 2.0 series Linux kernel, then privilege
+ separation will not work at all, and your sshd will fail to start
+ unless you explicitly turn privilege separation off.
+Description-pl: Separacja uprawnie�
+ Ta wersja OpenSSH zawiera now� opcj� separacji uprawnie�. Znacz�co
+ zmniejsza ona ilo�� kodu, kt�ry jest uruchamiany jako root i co
+ za tym idzie redukuje efekty luk bezpiecze�stwa w sshd.
+ .
+ Niestety separacja uprawnie� �le reaguje z PAMem. Jakikolwiek modu�
+ sesji PAM, kt�ry musi by� uruchamiany jako root (pam_mkhomedir, na
+ przyk�ad) zawiedzie. Nie b�dzie dzia�a� r�wnie� interaktywna 
+ autentykacja z klawiatury (keyboard-interactive authentication).
+ .
+ Separacja uprawnie� jest domy�lnie w��czona, wi�c je�li zdecydujesz
+ si� j� wy��czy�, musisz doda� "UsePrivilegeSeparation no" do pliku
+ /etc/ssh/sshd_config.
+ .
+ UWAGA! Je�eli u�ywasz j�dra Linux'a z serii 2.0, to separacja uprawnie�
+ w og�le nie b�dzie dzia�a� i sshd nie wystartuje dop�ki w�asnor�cznie
+ nie wy��czysz separacji uprawnie� w /etc/ssh/sshd_config.
+Template: ssh/privsep_ask
+Type: boolean
+Default: true
+Description: Enable Privilege separation
+ This version of OpenSSH contains the new privilege separation
+ option. This significantly reduces the quantity of code that runs as
+ root, and therefore reduces the impact of security holes in sshd.
+ .
+ Unfortunately, privilege separation interacts badly with PAM. Any
+ PAM session modules that need to run as root (pam_mkhomedir, for
+ example) will fail, and PAM keyboard-interactive authentication 
+ won't work.
+ .
+ Since you've opted to have me generate an sshd_config file for you,
+ you can choose whether or not to have Privilege Separation turned on
+ or not. Unless you are running 2.0 (in which case you *must* say no
+ here or your sshd won't start at all) or know you need to use PAM
+ features that won't work with this option, you should say yes here.
+Description-pl: W��czenie separacji uprawnie�
+ Ta wersja OpenSSH zawiera now� opcj� separacji uprawnie�. Znacz�co
+ zmniejsza ona ilo�� kodu, kt�ry jest uruchamiany jako root i co
+ za tym idzie redukuje efekty luk bezpiecze�stwa w sshd.
+ .
+ Niestety separacja uprawnie� �le reaguje z PAMem. Jakikolwiek modu�
+ sesji PAM, kt�ry musi by� uruchamiany jako root (pam_mkhomedir, na
+ przyk�ad) zawiedzie. Nie b�dzie dzia�a� r�wnie� interaktywna 
+ autentykacja z klawiatury (keyboard-interactive authentication).
+ .
+ Zdecydowa�e� si� na to abym wygenerowa� dla ciebie plik sshd_config,
+ i mo�esz wybra� czy chcesz w��czy� Separacj� Uprawnie�, czy te� nie.
+ Je�li nie u�ywasz j�dra z serii 2.0 (w kt�rym to przypadku *musisz*
+ odpowiedzie� tutaj 'nie' albo sshd w og�le nie ruszy) i je�li nie 
+ musisz korzysta� z mo�liwo�ci PAMa, kt�re nie b�d� dzia�a�y z t� opcj�,
+ powiniene� odpowiedzie� tutaj 'tak'.
+Template: ssh/new_config
+Type: boolean
+Default: true
+Description: Generate new configuration file
+ This version of OpenSSH has a considerably changed configuration file from 
+ the version shipped in Debian 'Potato', which you appear to be upgrading from.
+ I can now generate you a new configuration file (/etc/ssh/sshd.config), which
+ will work with the new server version, but will not contain any customisations
+ you made with the old version. 
+ .
+ Please note that this new configuration file will set the value of 
+ 'PermitRootLogin' to yes (meaning that anyone knowing the root password can
+ ssh directly in as root). It is the opinion of the maintainer that this is
+ the correct default (see README.Debian for more details), but you can always
+ edit sshd_config and set it to no if you wish.
+ .
+ It is strongly recommended that you let me generate a new configuration file 
+ for you.
+Description-pl: Wygeneruj nowy plik konfiguracyjny
+ W tej wersji OpenSSH zmieni� si� plik konfiguracyjny w stosunku do wersji 
+ dostarczanej z Debianem 'Potato', kt�r� zdajesz si� aktualizowa�. Mog� teraz 
+ wygenerowa� nowy plik konfiguracyjny (/etc/ssh/sshd.config), kt�ry b�dzie
+ dzia�a� z now� wersj� serwera, ale nie b�dzie zawiera� �adnych dokonanych
+ przez ciebie w starej wersji zmian.
+ .
+ Zauwa� prosz�, �e nowy plik konfiguracyjny b�dzie ustawia� warto�� opcji
+ 'PermitRootLogin' na 'tak' (co oznacza, �e ka�dy kto zna has�o root'a mo�e
+ zdalnie zalogowa� si� przez ssh jako root). W opinii opiekuna pakietu to
+ jest poprawna warto�� domy�lna (szczeg�y w README.Debian), ale mo�esz sobie
+ wyedytowa� sshd_config i ustawi� t� opcj� na 'nie' je�li si� z t� opini� nie
+ zgadzasz.
+ .
+ Jest bardzo wskazane aby� pozwoli� mi wygenerowa� nowy plik konfiguracyjny.
+Template: ssh/protocol2_only
+Type: boolean
+Default: true
+Description: Allow SSH protocol 2 only
+ This version of OpenSSH supports version 2 of the ssh protocol, which
+ is much more secure.  Disabling ssh 1 is encouraged, however this
+ will slow things down on low end machines and might prevent older
+ clients from connecting (the ssh client shipped with "potato" is affected).
+ .
+ Also please note that keys used for protocol 1 are different so you will
+ not be able to use them if you only allow protocol 2 connections.
+ .
+ If you later change your mind about this setting, README.Debian has 
+ instructions on what to do to your sshd_config file.
+Description-pl: Zezwalaj wy��cznie na wersj� 2 protoko�u SSH
+ Ta wersja OpenSSH wspiera drug� wersj� protoko�u ssh, kt�ra jest znacznie
+ bardziej bezpieczna. Wy��czenie ssh 1 jest zalecane, cho� spowalnia to
+ dzia�anie na starych maszynach i mo�e uniemo�liwi� po��czenie starszym
+ wersjom klient�w (dotyczy to np. klienta ssh do��czanego do "potato").
+ .
+ Ponadto, zauwa� prosz�, �e klucze u�ywane przez protok� 1 s� inne, wi�c
+ nie b�dziesz m�g� ich u�ywa� je�li zezwolisz na korzystanie wy��cznie z
+ wersji 2 protoko�u.
+ .
+ Je�li p�niej zmienisz zdanie co do tego ustawienia, to instrukcje co 
+ zmieni� w sshd_config znajduj� si� w README.Debian.
+Template: ssh/ssh2_keys_merged
+Type: note
+Description: ssh2 keys merged in configuration files
+ As of version 3 OpenSSH no longer uses separate files for ssh1 and
+ ssh2 keys. This means the authorized_keys2 and known_hosts2 files
+ are no longer needed. They will still be read in order to maintain
+ backwards compatibility
+Description-pl: klucze ssh2 w��czone do plik�w konfiguracyjnych
+ Pocz�wszy od wersji 3 OpenSSH nie u�ywa ju� osobnych plik�w dla kluczy
+ ssh1 i ssh2. Oznacza to, �e pliki authorized_keys2 i known_hosts2 nie
+ s� ju� potrzebne. B�d� one jednak odczytywane aby zachowa� wsteczn�
+ kompatybilno��.
+Template: ssh/use_old_init_script
+Type: boolean
+Default: false
+Description: Do you want to continue (and risk killing active ssh sessions) ?
+ The version of /etc/init.d/ssh that you have installed, is likely to kill
+ all running sshd instances.  If you are doing this upgrade via an ssh
+ session, that would be a Bad Thing(tm).
+ .
+ You can fix this by adding "--pidfile /var/run/sshd.pid" to the
+ start-stop-daemon line in the stop section of the file.
+Description-pl: Czy chcesz kontynuowa� (i ryzykowa� zabicie aktywnych sesji ssh) ?
+ Zainstalowana w�a�nie wersja /etc/init.d/ssh mo�e zabi� wszystkie dzia�aj�ce
+ obecnie kopie sshd. Je�li robisz ten upgrade via ssh, to by�aby Z�a Rzecz(tm).
+ .
+ Mo�esz to naprawi� dodaj�c "--pidfile /var/run/sshd.pid" do linijki
+ start-stop-daemon w sekcji stop tego pliku.
+Template: ssh/forward_warning
+Type: note
+Description: NOTE: Forwarding of X11 and Authorization disabled by default.
+ For security reasons, the Debian version of ssh has ForwardX11 and
+ ForwardAgent set to ``off'' by default.
+ .
+ You can enable it for servers you trust, either
+ in one of the configuration files, or with the -X command line option.
+ .
+ More details can be found in /usr/share/doc/ssh/README.Debian
+Description-pl: UWAGA: Przekazywanie (forwarding) X11 i Autoryzacji jest domy�lnie wy��czone.
+ Ze wzgl�d�w bezpiecze�stwa Debianowa wersja ssh ma ForwardX11 i ForwardAgent
+ ustawione  domy�lnie na 'off'.
+ .
+ Dla zaufanych serwer�w mo�esz w��czy� te opcje w pliku konfiguracyjnym lub
+ przy pomocy opcji -X z linii komend.
+ .
+ Wi�cej szczeg��w znajdziesz w /usr/share/doc/ssh/README.Debian.
+Template: ssh/insecure_rshd
+Type: note
+Description: Warning: rsh-server is installed --- probably not a good idea
+ having rsh-server installed undermines the security that you were probably
+ wanting to obtain by installing ssh.  I'd advise you to remove that package.
+Description-pl: Uwaga: serwer rsh jest zainstalowany --- prawdopodobnie nienajlepszy pomys�
+ Posiadanie zainstalowanego serwera rsh podminowuje zabezpieczenia, kt�re 
+ prawdopodobnie starasz si� uzyska� instaluj�c ssh. Radzi�bym usun�� ten 
+ pakiet.
+Template: ssh/insecure_telnetd
+Type: note
+Description: Warning: telnetd is installed --- probably not a good idea
+ I'd advise you to either remove the telnetd package (if you don't actually
+ need to offer telnet access) or install telnetd-ssl so that there is at
+ least some chance that telnet sessions will not be sending unencrypted
+ login/password and session information over the network.
+Description-pl: Uwaga: telnetd jest zainstalowany --- prawdopodobnie nienajlepszy pomys�
+ Radzi�bym albo usun�� pakiet telnetd (je�li nie potrzebujesz koniecznie
+ udost�pnia� telnet'a) albo zainstalowa� telnetd-ssl aby by�a cho� szansza,
+ �e sesje telnet nie b�d� przesy�a� niezaszyfrowanego loginu/has�a oraz 
+ danych sesji przez sie�.
+Template: ssh/encrypted_host_key_but_no_keygen
+Type: note
+Description: Warning: you must create a new host key
+ There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted.
+ OpenSSH can not handle this host key file, and I can't find the
+ ssh-keygen utility from the old (non-free) SSH installation.
+ .
+ You will need to generate a new host key.
+Description-pl: Uwaga: musisz utworzy� nowy klucz hosta 
+ Istnieje stary /etc/ssh/ssh_host_key, kt�ry jest zaszyfrowany przez
+ IDEA. OpenSSH nie umie korzysta� z tak zaszyfrowanego klucza, a nie
+ mo�e znale�� polecenia ssh-keygen ze starego SSH (non-free).
+ .
+ B�dziesz musia� wygenerowa� nowy klucz hosta.
+Template: ssh/SUID_client
+Type: boolean
+Default: true
+Description: Do you want /usr/lib/ssh-keysign to be installed SUID root?
+ You have the option of installing the ssh-keysign helper with the SUID
+ bit set.
+ .
+ If you make ssh-keysign SUID, you will be able to use SSH's Protocol 2
+ host-based authentication.
+ .
+ If in doubt, I suggest you install it with SUID.  If it causes
+ problems you can change your mind later by running:   dpkg-reconfigure ssh 
+Description-pl: Czy chcesz aby /usr/lib/ssh-keysign by� zainstalowany jako SUID root? 
+ Masz mo�liwo�� zainstalowania pomocniczego programu ssh-keysign z w��czonym
+ bitem SETUID.
+ .
+ Je�li uczynisz ssh-keysign SUIDowym, b�dziesz m�g� u�ywa� opartej na hostach
+ autentykacji drugiej wersji protoko�u SSH.
+ .
+ Je�li masz w�tpliwo�ci, radz� zainstalowa� go z SUIDem. Je�li to sprawia
+ problemy, mo�esz zmieni� swoje zdanie uruchamiaj�c p�niej polecenie:
+ dpkg-reconfigure ssh
+Template: ssh/run_sshd
+Type: boolean
+Default: true
+Description: Do you want to run the sshd server ?
+ This package contains both the ssh client, and the sshd server.
+ .
+ Normally the sshd Secure Shell Server will be run to allow remote
+ logins via ssh.
+ .
+ If you are only interested in using the ssh client for outbound
+ connections on this machine, and don't want to log into it at all
+ using ssh, then you can disable sshd here.
+Description-pl: Czy chcesz uruchamia� serwer sshd ?
+ Ten pakiet zawiera zar�wno klienta ssh, jak i serwer sshd.
+ .
+ Normalnie serwer sshd (Secure Shell Server) b�dzie uruchomiony aby
+ umo�liwi� zdalny dost�p przez ssh.
+ .
+ Je�li jeste� zainteresowny u�ywaniem wy��cznie klienta ssh dla po��cze�
+ wychodz�cych z tej maszyny, i nie chcesz si� na ni� logowa� przy pomocy
+ ssh, to mo�esz teraz wy��czy� serwer sshd.
diff --git a/debian/templates.pt_BR b/debian/templates.pt_BR
new file mode 100644
index 000000000..2d0b3e1e7
--- /dev/null
+++ b/debian/templates.pt_BR
@@ -0,0 +1,181 @@
+Template: ssh/upgrade_to_openssh
+Type: boolean
+Description: Are you sure you want to upgrade to OpenSSH?
+ This version of ssh (a.k.a. OpenSSH) is supposed to be a 100% compatible
+ drop in replacement for the original (non-free) implemetation.
+ .
+ If you find that it is not, please report the problem as a bug.
+ .
+ You can still find the old version of ssh in the ssh-nonfree package
+ (although the only reason you are likely to want that is if you also
+ want to install the ssh2 package).
+ .
+ NOTE: If you're upgrading a machine remotely, via ssh, make sure you have at
+ least one other ssh session running as root, and once this is installed,
+ check that you can still log in (with a third session), before logging out.
+Description-pt_BR: Voc� tem certeza que quer atualizar para o OpenSSH ?
+ Esta vers�o do ssh (tamb�m conhecida como OpenSSH) � supostamente um
+ substituto 100% compat�vel para a implementa��o original (non-free).
+ .
+ Caso voc� ache que n�o �, por favor reporte o problema como um bug.
+ .
+ Voc� continuar� a encontrar a vers�o antiga do ssh no pacote ssh-nonfree
+ (embora a �nica raz�o pela qual voc� queira isso � se voc� tamb�m quer
+ instalar o pacote ssh2).
+ .
+ NOTA: Se voc� est� atualizando uma m�quina remotamente, via ssh,
+ certifique-se que voc� possui pelo menos outra sess�o ssh executando como
+ root e, uma vez que o pacote esteja instalado, verifique se voc� continua
+ podendo se logar (com uma terceira sess�o) antes de se desconectar
+ (logging out).
+Template: ssh/ancient_version
+Type: note
+Description: You are trying to upgrade from an ancient version of non-free ssh
+ This is bound to be using IDEA encryption for your identity files.
+ You should upgrade to a vaguely contemporary (1.2.15 or later) version of
+ non-free ssh, and then upgrade all your key files using ssh-keygen -u
+ before attempting to migrate to OpenSSH.
+ .
+ Alternatively, you could just forget about that, and generate new keys.
+Description-pt_BR: Voc� est� tentando atualizar a partir de uma vers�o antiga do ssh non-free
+ Isto est� ligado a estar usando encripta��o IDEA para seus arquivos de
+ identidade. Voc� dever� atualizar para uma vers�o vagamente contempor�nea
+ (1.2.15 ou superior) do ssh non-free, e ent�o atualizar todos seus
+ arquivos de chaves usando ssh-keygen -u antes de tentar migrar para
+ OpenSSH.
+ .
+ Alternativamente, voc� poderia somente esquecer tudo isso e gerar
+ novas chaves.
+Template: ssh/use_old_init_script
+Type: boolean
+Description: Do you want to continue (and risk killing active ssh sessions) ?
+ The version of /etc/init.d/ssh that you have installed, is likely to kill
+ all running sshd instances.  If you are doing this upgrade via an ssh
+ session, that would be a Bad Thing(tm).
+ .
+ You can fix this by adding "--pidfile /var/run/sshd.pid" to the
+ start-stop-daemon line in the stop section of the file.
+Description-pt_BR: Voc� quer continuar (e arriscar matar sess�es ssh ativas) ?
+ A vers�o de /etc/init.d/ssh que voc� possui instalada est� prestes a
+ matar todas as inst�ncias sshd sendo executadas. Se voc� est� fazendo
+ esta atualiza��o atrav�s de uma sess�o ssh, isto seria uma Coisa
+ Ruim(tm).
+ .
+ Voc� pode corrigir isto adicionando "--pidfile /var/run/sshd.pid" na
+ linha start-stop-daemon na se��o stop deste arquivo.
+Template: ssh/forward_warning
+Type: note
+Description: NOTE: Forwarding of X11 and Authorization disabled by default.
+ For security reasons, the Debian version of ssh has ForwardX11 and
+ ForwardAgent set to ``off'' by default.
+ .
+ You can enable it for servers you trust, either
+ in one of the configuration files, or with the -X command line option.
+ .
+ More details can be found in /usr/share/doc/ssh/README.Debian
+Description-pt_BR: NOTA: Forwarding de X11 e Authorization desabilitados por padr�o.
+ Por raz�es de seguran�a, a vers�o Debian do ssh tem as op��es ForwardX11
+ e ForwardAgent definidas como ``off'' por padr�o.
+ .
+ Voc� pode habilitar isso para servidores que voc� confia, ou em um dos
+ arquivos de configura��o, ou com a op��o de linha de comando -X.
+ .
+ Maiores detalhes podem ser encontrados em
+ /usr/share/doc/ssh/README.Debian.
+Template: ssh/insecure_rshd
+Type: note
+Description: Warning: rsh-server is installed --- probably not a good idea
+ having rsh-server installed undermines the security that you were probably
+ wanting to obtain by installing ssh.  I'd advise you to remove that package.
+Description-pt_BR: Aviso: rsh-server est� instalado --- provavelmente n�o � uma boa id�ia
+ Possuir o rsh-server instalado minar� a seguran�a que voc� estava
+ provavelmente querendo obter instalando o ssh. Eu recomendaria a voc�
+ remover este pacote.
+Template: ssh/insecure_telnetd
+Type: note
+Description: Warning: telnetd is installed --- probably not a good idea
+ I'd advise you to either remove the telnetd package (if you don't actually
+ need to offer telnet access) or install telnetd-ssl so that there is at
+ least some chance that telnet sessions will not be sending unencrypted
+ login/password and session information over the network.
+Description-pt_BR: Aviso: telnetd est� instalado --- provavelmente n�o � uma boa id�ia
+ Eu recomendaria a voc� ou remover o pacote telnetd (se voc� atualmente
+ n�o precisa oferecer acesso telnet) ou instalar telnetd-ssl. Assim existe
+ pelo menos uma chance das sess�es telnet n�o enviarem login/senha n�o
+ encriptados e informa��es de sess�o atrav�s da rede.
+Template: ssh/encrypted_host_key_but_no_keygen
+Type: note
+Description: Warning: you must create a new host key
+ There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted.
+ OpenSSH can not handle this host key file, and I can't find the
+ ssh-keygen utility from the old (non-free) SSH installation.
+ .
+ You will need to generate a new host key.
+Description-pt_BR: Aviso: voc� deve criar uma nova host key
+ Existe uma antiga /etc/ssh/ssh_host_key, a qual � encriptada usando IDEA.
+ O OpenSSH n�o pode gerenciar este arquivo host key e eu n�o consigo
+ encontrar o utilit�rio ssh-keygen da antiga (non-free) instala��o SSH.
+ .
+ Voc� precisar� gerar uma nova host key.
+Template: ssh/SUID_client
+Type: boolean
+Default: false
+Description: Do you want /usr/bin/ssh to be installed SUID root?
+ You have the option of installing the ssh client with the SUID bit set.
+ .
+ If you make ssh SUID, you will be able to use Rhosts/RhostsRSA
+ authentication, but will not be able to use socks via the LD_PRELOAD
+ trick.  This is the traditional approach.
+ .
+ If you do not make ssh SUID, you will be able to use socks, but
+ Rhosts/RhostsRSA authentication will stop working, which may stop you
+ logging in to remote systems.  It will also mean that the source
+ port will be above 1024, which may confound firewall rules you've set up.
+ .
+ If in doubt, I suggest you install it without SUID.  If it causes
+ problems you can change your mind later by running:   dpkg-reconfigure ssh
+Description-pt_BR: Voc� quer que /usr/bin/ssh seja instalado SUID root ?
+ Voc� tem a op��o de instalar o cliente ssh com o bit SUID setado.
+ .
+ Se voc� fizer o ssh SUID, voc� conseguir� usar autentica��o
+ Rhosts/RhostsRSA, mas n�o ser� capaz de usar socks atrav�s do truque
+ LD_PRELOAD. Isto � o tradicional.
+ .
+ Se voc� n�o fizer o ssh SUID, voc� poder� usar socks, mas a autentica��o
+ Rhosts/RhostsRSA ir� parar de funcionar, o que poder� lhe impedir de
+ logar em sistemas remotos. Isto significar� tamb�m que a porta fonte
+ estar� acima de 1024, o que poder� confundir regras de firewall que voc�
+ tenha definido.
+ .
+ Caso esteja em d�vida, eu sugiro a voc� instalar sem SUID. Se isso causar
+ problemas voc� pode mudar sua escolha posteriormente executando:
+ dpkg-reconfigure ssh.
+Template: ssh/run_sshd
+Type: boolean
+Default: true
+Description: Do you want to run the sshd server ?
+ This package contains both the ssh client, and the sshd server.
+ .
+ Normally the sshd Secure Shell Server will be run to allow remote
+ logins via ssh.
+ .
+ If you are only interested in using the ssh client for outbound
+ connections on this machine, and don't want to log into it at all
+ using ssh, then you can disable sshd here.
+Description-pt_BR: Voc� quer executar o servidor sshd ?
+ Este pacote cont�m ambos o cliente ssh e o servidor sshd.
+ .
+ Normalmente o sshd Secure Shell Server ser� executado para permitir
+ logins remotos via ssh.
+ .
+ Se voc� est� interessado somente em usar o cliente ssh para conex�es
+ para fora desta m�quina, e n�o quer logar na mesma usando ssh, ent�o voc�
+ pode desabilitar o sshd aqui.
diff --git a/debian/templates.ru b/debian/templates.ru
new file mode 100644
index 000000000..39038ff22
--- /dev/null
+++ b/debian/templates.ru
@@ -0,0 +1,207 @@
+Template: ssh/upgrade_to_openssh
+Type: boolean
+Description: Are you sure you want to upgrade to OpenSSH?
+ This version of ssh (a.k.a. OpenSSH) is supposed to be a 100% compatible
+ drop in replacement for the original (non-free) implemetation.
+ .
+ If you find that it is not, please report the problem as a bug.
+ .
+ You can still find the old version of ssh in the ssh-nonfree package
+ (although the only reason you are likely to want that is if you also
+ want to install the ssh2 package).
+ .
+ NOTE: If you're upgrading a machine remotely, via ssh, make sure you have at
+ least one other ssh session running as root, and once this is installed,
+ check that you can still log in (with a third session), before logging out.
+Description-ru: �� �������, ��� ������ �������� OpenSSH?
+ ��� ������ ssh(�� �� OpenSSH) �������� 100%-����������� � ������������
+ (�����������) �����������.
+ .
+ ���� �� ���������� ��������, ��, ����������, �������� �� ���� ������.
+ .
+ ��  ������  ��  ��������  ����� ������ ������ ssh � ������ ssh-nonfree
+ (���� ������������� ���������� ��� ������������ ������, ���� �� ������
+ ���������� ��� � ����� ssh2).
+ .
+ ����������: ���� �� �������� ���������� ������ ����� ssh, �� ���������
+ ���  ���  �������  ���  ���� ������ ssh �������� �� root, � ��� ������
+ �������  ����������  ����������,  ���������,  ���  ��  ������� ����� �
+ ������� (��������� ������ ������), ����� ��� ��� �������������.
+Template: ssh/protocol2_default
+Type: note
+Description: SSH uses protocol 2 by default.
+ This version of SSH (unlike previous ones) uses ssh
+ protocol version 2 by default. The key file formats have changed
+ between the protocol versions, so your old key files will not be
+ useful. You may either pass the '-1' option to ssh to force it to use
+ the older protocol (and your old keys), or generate new keys. Protocol
+ version 2 is thought to be more secure, so this is the preferred
+ course of action. See README.Debian for a little more information
+ .
+ Also, due to problems with IPv4 and IPv6 interoperation, IPv4 is now
+ the default (this is a change from previous versions). Passing ssh the
+ -6 flag will cause IPv6 addresses to be used. Once the current issues
+ with using IPv6 on machines with IPv4 addresses have been solved, the
+ previous default will be restored
+Description-ru: SSH ���������� �� ��������� �������� ������ 2.
+ ���  ������  SSH  (�  �������  ��  ����������) ���������� �� ���������
+ ��������  ������  2.  �  ����  ������  ��������� ������� ������ ������
+ ������,  ��� ��� ���� ������ ����� ������ ������������. �� ������ ����
+ ���������  �����  '-1' ��� ssh, ����� ������������� ������������ �����
+ ������  ������  ���������,  ����  ������������ �����  �����.  ��������
+ ������  2  ����� ����������, � ������� ������������� �� ���������. ��.
+ ����������� � ����� README.Debian.
+ .
+ �����   ��-��  �������  ������������������  IPv4  �  IPv6,  ������  ��
+ ���������  ��  ���������  ������������  IPv4  (� ������� �� ����������
+ ������).  ����� ������������ IPv6, ���� ������ ���� -6. ��� ������ ���
+ ���������  �  ��������������  IPv6  ��  �������  � �������� IPv4 �����
+ ������, �� ������� ��������� �� ��������� ����� �������������.
+Template: ssh/ancient_version
+Type: note
+Description: You are trying to upgrade from an ancient version of non-free ssh
+ This is bound to be using IDEA encryption for your identity files.
+ You should upgrade to a vaguely contemporary (1.2.15 or later) version of
+ non-free ssh, and then upgrade all your key files using ssh-keygen -u
+ before attempting to migrate to OpenSSH.
+ .
+ Alternatively, you could just forget about that, and generate new keys.
+Description-ru: �� ��������� �������� ������� ������ ������������� ssh
+ ���  ����������  ��������������   ����������  IDEA  ���  �����  ������
+ �������������. ������������� �������� ����� ����������� ������ (1.2.15
+ ���  �����  �������) ������������� ssh, � ����� �������� ���� ��������
+ ����� �������� `ssh-keygen -u` ����� �������� ������� �� OpenSSH.
+ .
+ ��� �������, ������ ������ ��� ���� ���� � ������������� ����� �����.
+Template: ssh/use_old_init_script
+Type: boolean
+Description: Do you want to continue (and risk killing active ssh sessions) ?
+ The version of /etc/init.d/ssh that you have installed, is likely to kill
+ all running sshd instances.  If you are doing this upgrade via an ssh
+ session, that would be a Bad Thing(tm).
+ .
+ You can fix this by adding "--pidfile /var/run/sshd.pid" to the
+ start-stop-daemon line in the stop section of the file.
+Description-ru: �� ������ ���������� (������ �������� �������� ssh-����������)?
+ ������  /etc/init.d/ssh,  �������  ��  ��������������, ����� ����� ���
+ ����������  ��������  ssh.  ���� �� ������������� ��� ���������� �����
+ ssh ������, �� ��� ������ ���� (tm).
+ .
+ ��� ����� ��������� ����������� "--pidfile /var/run/sshd.pid" � ������
+ start-stop-daemon � ������� stop ����� �����.
+Template: ssh/forward_warning
+Type: note
+Description: NOTE: Forwarding of X11 and Authorization disabled by default.
+ For security reasons, the Debian version of ssh has ForwardX11 and
+ ForwardAgent set to ``off'' by default.
+ .
+ You can enable it for servers you trust, either
+ in one of the configuration files, or with the -X command line option.
+ .
+ More details can be found in /usr/share/doc/ssh/README.Debian
+Description-ru: ����������: ���������� X11 � Authorization �������� �� ���������.
+ �� �������� ������������, � ������ ��� Debian ssh ����� ForwardX11 �
+ ForwardAgent �������������� � ``off'' �� ���������.
+ .
+ �� ������ ��������� �� ��� ��������, ������� ��������� ���� � ����� ��
+ ����������� ������, ��� ���������� ��������� ������ -X.
+ .
+ ������������� ���������� ����� ����� � /usr/share/doc/ssh/README.Debian
+Template: ssh/insecure_rshd
+Type: note
+Description: Warning: rsh-server is installed --- probably not a good idea
+ having rsh-server installed undermines the security that you were probably
+ wanting to obtain by installing ssh.  I'd advise you to remove that package.
+Description-ru: ��������������: ���������� rsh-server --- ������, �� ����� ������
+ �������������  rsh-server  �������  ������������,  ������� �� ��������
+ ������ �������� ������������ ssh. ������������� ������� ���� �����.
+Template: ssh/insecure_telnetd
+Type: note
+Description: Warning: telnetd is installed --- probably not a good idea
+ I'd advise you to either remove the telnetd package (if you don't actually
+ need to offer telnet access) or install telnetd-ssl so that there is at
+ least some chance that telnet sessions will not be sending unencrypted
+ login/password and session information over the network.
+Description-ru: ��������������: ���������� telnetd --- ������, �� ����� ������
+ � ������������ �� ��� ������� ����� telnetd (���� ��� ������������� ��
+ ����� ������ telnet) ��� ����������  telnet-ssl,  �����  ����� ���� ��
+ �����������  ��  ����������  ��  ����  ���������������  ����� � ������
+ ������������� � ������ ���������� � telnet-�������.
+Template: ssh/encrypted_host_key_but_no_keygen
+Type: note
+Description: Warning: you must create a new host key
+ There is an old /etc/ssh/ssh_host_key, which is IDEA encrypted.
+ OpenSSH can not handle this host key file, and I can't find the
+ ssh-keygen utility from the old (non-free) SSH installation.
+ .
+ You will need to generate a new host key.
+Description-ru: ��������������: �� ������ ������� ����� ���� ������.
+ ���� ������ /etc/ssh/ssh_host_key, ������� ���������� IDEA. OpenSSH ��
+ �����  ��������  �  ����  ������  ������,  �  �  �� ���� ����� ������� 
+ ssh-keygen �� ������ (�����������) ����������� SSH.
+ .
+ ��� ���� ����� ������������� ����� ���� �����.
+Template: ssh/SUID_client
+Type: boolean
+Default: true
+Description: Do you want /usr/bin/ssh to be installed SUID root?
+ You have the option of installing the ssh client with the SUID bit set.
+ .
+ If you make ssh SUID, you will be able to use Rhosts/RhostsRSA
+ authentication, but will not be able to use socks via the LD_PRELOAD
+ trick.  This is the traditional approach.
+ .
+ If you do not make ssh SUID, you will be able to use socks, but
+ Rhosts/RhostsRSA authentication will stop working, which may stop you
+ logging in to remote systems.  It will also mean that the source
+ port will be above 1024, which may confound firewall rules you've set up.
+ .
+ If in doubt, I suggest you install it with SUID.  If it causes
+ problems you can change your mind later by running:   dpkg-reconfigure ssh 
+Description-ru: ������ ���������� /usr/bin/ssh ��� SUID root?
+ ��  ������  �����������  ���������� /usr/bin/ssh � ������������� �����
+ SUID.
+ .
+ ����  ��  �������  ssh SUID, �� �� ������� ������������ ��������������
+ Rhosts/RhostsRSA,  ��  �� ������� ������������ socks ����� LD_PRELOAD.
+ ��� ������������ ���������.
+ .
+ ����  ��  �������� ssh SUID, �� �� ������� ������������ socks, �� ����
+ ��������������  Rhosts/RhostsRSA  �� ����� ��������, ��� ����� �������
+ ����������� ���� ����������� �� ��������� ��������. ����� ��� ��������
+ ��� ����� ������������� ����� ����� ������ 1024, ��� ����� �� ��������
+ ������ ������������� ���� ������ ��������.
+ .
+ ���� �� �� ������, ��� ������, �� ������������� ���������� ��� � �����
+ SUID. ���� �� ����� �����������, �� ��� ��������� ����� ����� ��������
+ ��������: "dpkg-reconfigure ssh".
+Template: ssh/run_sshd
+Type: boolean
+Default: true
+Description: Do you want to run the sshd server ?
+ This package contains both the ssh client, and the sshd server.
+ .
+ Normally the sshd Secure Shell Server will be run to allow remote
+ logins via ssh.
+ .
+ If you are only interested in using the ssh client for outbound
+ connections on this machine, and don't want to log into it at all
+ using ssh, then you can disable sshd here.
+Description-ru: ������ ��������� ������ sshd?
+ ���� ����� �������� � ssh-������, � ssh-������.
+ .
+ ������  sshd  Secure Shell Server  �����������  ��� ���������� ����� �
+ ����������� � ������� ����� ssh.
+ .
+ ����  ���  ����������  ������  ������������� ssh-������� ��� ���������
+ ���������� �  ����  ������, � ��  �� ������ ������� � �� ������� �����
+ ssh, �� �� ������ ������ ��������� sshd.
diff --git a/entropy.c b/entropy.c
index dcc8689c9..a95519e90 100644
--- a/entropy.c
+++ b/entropy.c
@@ -136,6 +136,8 @@ seed_rng(void)
 void
 init_rng(void) 
 {
+#if defined (DISABLED_BY_DEBIAN)
+  /* drow: Is this check still too strict for Debian?  */
        /*
         * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
         * We match major, minor, fix and status (not patch)
@@ -143,6 +145,7 @@ init_rng(void)
        if ((SSLeay() ^ OPENSSL_VERSION_NUMBER) & ~0xff0L)
                fatal("OpenSSL version mismatch. Built against %lx, you "
                    "have %lx", OPENSSL_VERSION_NUMBER, SSLeay());
+#endif
 #ifndef OPENSSL_PRNG_ONLY
        if ((original_uid = getuid()) == -1)
diff --git a/log.c b/log.c
index 96626d7d4..12ac11df7 100644
--- a/log.c
+++ b/log.c
@@ -76,8 +76,9 @@ static struct {
        LogLevel val;
 } log_levels[] =
 {
-        { "QUIET",      SYSLOG_LEVEL_QUIET },
+        { "SILENT",     SYSLOG_LEVEL_SILENT },
        { "FATAL",      SYSLOG_LEVEL_FATAL },
+        { "QUIET",      SYSLOG_LEVEL_QUIET },
        { "ERROR",      SYSLOG_LEVEL_ERROR },
        { "INFO",       SYSLOG_LEVEL_INFO },
        { "VERBOSE",    SYSLOG_LEVEL_VERBOSE },
@@ -266,8 +267,9 @@ log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
        argv0 = av0;
        switch (level) {
-        case SYSLOG_LEVEL_QUIET:
+        case SYSLOG_LEVEL_SILENT:
        case SYSLOG_LEVEL_FATAL:
+        case SYSLOG_LEVEL_QUIET:
        case SYSLOG_LEVEL_ERROR:
        case SYSLOG_LEVEL_INFO:
        case SYSLOG_LEVEL_VERBOSE:
diff --git a/log.h b/log.h
index 917fafa69..9819eceaa 100644
--- a/log.h
+++ b/log.h
@@ -37,8 +37,9 @@ typedef enum {
 }       SyslogFacility;
 typedef enum {
-        SYSLOG_LEVEL_QUIET,
+        SYSLOG_LEVEL_SILENT,
        SYSLOG_LEVEL_FATAL,
+        SYSLOG_LEVEL_QUIET,
        SYSLOG_LEVEL_ERROR,
        SYSLOG_LEVEL_INFO,
        SYSLOG_LEVEL_VERBOSE,
diff --git a/openbsd-compat/fake-queue.h b/openbsd-compat/fake-queue.h
deleted file mode 100644
index 176fe3174..000000000
--- a/openbsd-compat/fake-queue.h
+++ /dev/null
@@ -1,584 +0,0 @@
-/*      $OpenBSD: queue.h,v 1.22 2001/06/23 04:39:35 angelos Exp $      */
-/*      $NetBSD: queue.h,v 1.11 1996/05/16 05:17:14 mycroft Exp $       */
-/*
- * Copyright (c) 1991, 1993
- *      The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *      This product includes software developed by the University of
- *      California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- *      @(#)queue.h     8.5 (Berkeley) 8/20/94
- */
-#ifndef _FAKE_QUEUE_H_
-#define _FAKE_QUEUE_H_
-/*
- * Ignore all <sys/queue.h> since older platforms have broken/incomplete
- * <sys/queue.h> that are too hard to work around.
- */
-#undef SLIST_HEAD
-#undef SLIST_HEAD_INITIALIZER
-#undef SLIST_ENTRY
-#undef SLIST_FIRST
-#undef SLIST_END
-#undef SLIST_EMPTY
-#undef SLIST_NEXT
-#undef SLIST_FOREACH
-#undef SLIST_INIT
-#undef SLIST_INSERT_AFTER
-#undef SLIST_INSERT_HEAD
-#undef SLIST_REMOVE_HEAD
-#undef SLIST_REMOVE
-#undef LIST_HEAD
-#undef LIST_HEAD_INITIALIZER
-#undef LIST_ENTRY
-#undef LIST_FIRST
-#undef LIST_END
-#undef LIST_EMPTY
-#undef LIST_NEXT
-#undef LIST_FOREACH
-#undef LIST_INIT
-#undef LIST_INSERT_AFTER
-#undef LIST_INSERT_BEFORE
-#undef LIST_INSERT_HEAD
-#undef LIST_REMOVE
-#undef LIST_REPLACE
-#undef SIMPLEQ_HEAD
-#undef SIMPLEQ_HEAD_INITIALIZER
-#undef SIMPLEQ_ENTRY
-#undef SIMPLEQ_FIRST
-#undef SIMPLEQ_END
-#undef SIMPLEQ_EMPTY
-#undef SIMPLEQ_NEXT
-#undef SIMPLEQ_FOREACH
-#undef SIMPLEQ_INIT
-#undef SIMPLEQ_INSERT_HEAD
-#undef SIMPLEQ_INSERT_TAIL
-#undef SIMPLEQ_INSERT_AFTER
-#undef SIMPLEQ_REMOVE_HEAD
-#undef TAILQ_HEAD
-#undef TAILQ_HEAD_INITIALIZER
-#undef TAILQ_ENTRY
-#undef TAILQ_FIRST
-#undef TAILQ_END
-#undef TAILQ_NEXT
-#undef TAILQ_LAST
-#undef TAILQ_PREV
-#undef TAILQ_EMPTY
-#undef TAILQ_FOREACH
-#undef TAILQ_FOREACH_REVERSE
-#undef TAILQ_INIT
-#undef TAILQ_INSERT_HEAD
-#undef TAILQ_INSERT_TAIL
-#undef TAILQ_INSERT_AFTER
-#undef TAILQ_INSERT_BEFORE
-#undef TAILQ_REMOVE
-#undef TAILQ_REPLACE
-#undef CIRCLEQ_HEAD
-#undef CIRCLEQ_HEAD_INITIALIZER
-#undef CIRCLEQ_ENTRY
-#undef CIRCLEQ_FIRST
-#undef CIRCLEQ_LAST
-#undef CIRCLEQ_END
-#undef CIRCLEQ_NEXT
-#undef CIRCLEQ_PREV
-#undef CIRCLEQ_EMPTY
-#undef CIRCLEQ_FOREACH
-#undef CIRCLEQ_FOREACH_REVERSE
-#undef CIRCLEQ_INIT
-#undef CIRCLEQ_INSERT_AFTER
-#undef CIRCLEQ_INSERT_BEFORE
-#undef CIRCLEQ_INSERT_HEAD
-#undef CIRCLEQ_INSERT_TAIL
-#undef CIRCLEQ_REMOVE
-#undef CIRCLEQ_REPLACE
-/*
- * This file defines five types of data structures: singly-linked lists, 
- * lists, simple queues, tail queues, and circular queues.
- *
- *
- * A singly-linked list is headed by a single forward pointer. The elements
- * are singly linked for minimum space and pointer manipulation overhead at
- * the expense of O(n) removal for arbitrary elements. New elements can be
- * added to the list after an existing element or at the head of the list.
- * Elements being removed from the head of the list should use the explicit
- * macro for this purpose for optimum efficiency. A singly-linked list may
- * only be traversed in the forward direction.  Singly-linked lists are ideal
- * for applications with large datasets and few or no removals or for
- * implementing a LIFO queue.
- *
- * A list is headed by a single forward pointer (or an array of forward
- * pointers for a hash table header). The elements are doubly linked
- * so that an arbitrary element can be removed without a need to
- * traverse the list. New elements can be added to the list before
- * or after an existing element or at the head of the list. A list
- * may only be traversed in the forward direction.
- *
- * A simple queue is headed by a pair of pointers, one the head of the
- * list and the other to the tail of the list. The elements are singly
- * linked to save space, so elements can only be removed from the
- * head of the list. New elements can be added to the list before or after
- * an existing element, at the head of the list, or at the end of the
- * list. A simple queue may only be traversed in the forward direction.
- *
- * A tail queue is headed by a pair of pointers, one to the head of the
- * list and the other to the tail of the list. The elements are doubly
- * linked so that an arbitrary element can be removed without a need to
- * traverse the list. New elements can be added to the list before or
- * after an existing element, at the head of the list, or at the end of
- * the list. A tail queue may be traversed in either direction.
- *
- * A circle queue is headed by a pair of pointers, one to the head of the
- * list and the other to the tail of the list. The elements are doubly
- * linked so that an arbitrary element can be removed without a need to
- * traverse the list. New elements can be added to the list before or after
- * an existing element, at the head of the list, or at the end of the list.
- * A circle queue may be traversed in either direction, but has a more
- * complex end of list detection.
- *
- * For details on the use of these macros, see the queue(3) manual page.
- */
-/*
- * Singly-linked List definitions.
- */
-#define SLIST_HEAD(name, type)                                          \
-struct name {                                                           \
-        struct type *slh_first; /* first element */                     \
-}
- 
-#define SLIST_HEAD_INITIALIZER(head)                                    \
-        { NULL }
- 
-#define SLIST_ENTRY(type)                                               \
-struct {                                                                \
-        struct type *sle_next;  /* next element */                      \
-}
- 
-/*
- * Singly-linked List access methods.
- */
-#define SLIST_FIRST(head)       ((head)->slh_first)
-#define SLIST_END(head)         NULL
-#define SLIST_EMPTY(head)       (SLIST_FIRST(head) == SLIST_END(head))
-#define SLIST_NEXT(elm, field)  ((elm)->field.sle_next)
-#define SLIST_FOREACH(var, head, field)                                 \
-        for((var) = SLIST_FIRST(head);                                  \
-            (var) != SLIST_END(head);                                   \
-            (var) = SLIST_NEXT(var, field))
-/*
- * Singly-linked List functions.
- */
-#define SLIST_INIT(head) {                                              \
-        SLIST_FIRST(head) = SLIST_END(head);                            \
-}
-#define SLIST_INSERT_AFTER(slistelm, elm, field) do {                   \
-        (elm)->field.sle_next = (slistelm)->field.sle_next;             \
-        (slistelm)->field.sle_next = (elm);                             \
-} while (0)
-#define SLIST_INSERT_HEAD(head, elm, field) do {                        \
-        (elm)->field.sle_next = (head)->slh_first;                      \
-        (head)->slh_first = (elm);                                      \
-} while (0)
-#define SLIST_REMOVE_HEAD(head, field) do {                             \
-        (head)->slh_first = (head)->slh_first->field.sle_next;          \
-} while (0)
-#define SLIST_REMOVE(head, elm, type, field) do {                       \
-        if ((head)->slh_first == (elm)) {                               \
-                SLIST_REMOVE_HEAD((head), field);                       \
-        }                                                               \
-        else {                                                          \
-                struct type *curelm = (head)->slh_first;                \
-                while( curelm->field.sle_next != (elm) )                \
-                        curelm = curelm->field.sle_next;                \
-                curelm->field.sle_next =                                \
-                    curelm->field.sle_next->field.sle_next;             \
-        }                                                               \
-} while (0)
-/*
- * List definitions.
- */
-#define LIST_HEAD(name, type)                                           \
-struct name {                                                           \
-        struct type *lh_first;  /* first element */                     \
-}
-#define LIST_HEAD_INITIALIZER(head)                                     \
-        { NULL }
-#define LIST_ENTRY(type)                                                \
-struct {                                                                \
-        struct type *le_next;   /* next element */                      \
-        struct type **le_prev;  /* address of previous next element */  \
-}
-/*
- * List access methods
- */
-#define LIST_FIRST(head)                ((head)->lh_first)
-#define LIST_END(head)                  NULL
-#define LIST_EMPTY(head)                (LIST_FIRST(head) == LIST_END(head))
-#define LIST_NEXT(elm, field)           ((elm)->field.le_next)
-#define LIST_FOREACH(var, head, field)                                  \
-        for((var) = LIST_FIRST(head);                                   \
-            (var)!= LIST_END(head);                                     \
-            (var) = LIST_NEXT(var, field))
-/*
- * List functions.
- */
-#define LIST_INIT(head) do {                                            \
-        LIST_FIRST(head) = LIST_END(head);                              \
-} while (0)
-#define LIST_INSERT_AFTER(listelm, elm, field) do {                     \
-        if (((elm)->field.le_next = (listelm)->field.le_next) != NULL)  \
-                (listelm)->field.le_next->field.le_prev =               \
-                    &(elm)->field.le_next;                              \
-        (listelm)->field.le_next = (elm);                               \
-        (elm)->field.le_prev = &(listelm)->field.le_next;               \
-} while (0)
-#define LIST_INSERT_BEFORE(listelm, elm, field) do {                    \
-        (elm)->field.le_prev = (listelm)->field.le_prev;                \
-        (elm)->field.le_next = (listelm);                               \
-        *(listelm)->field.le_prev = (elm);                              \
-        (listelm)->field.le_prev = &(elm)->field.le_next;               \
-} while (0)
-#define LIST_INSERT_HEAD(head, elm, field) do {                         \
-        if (((elm)->field.le_next = (head)->lh_first) != NULL)          \
-                (head)->lh_first->field.le_prev = &(elm)->field.le_next;\
-        (head)->lh_first = (elm);                                       \
-        (elm)->field.le_prev = &(head)->lh_first;                       \
-} while (0)
-#define LIST_REMOVE(elm, field) do {                                    \
-        if ((elm)->field.le_next != NULL)                               \
-                (elm)->field.le_next->field.le_prev =                   \
-                    (elm)->field.le_prev;                               \
-        *(elm)->field.le_prev = (elm)->field.le_next;                   \
-} while (0)
-#define LIST_REPLACE(elm, elm2, field) do {                             \
-        if (((elm2)->field.le_next = (elm)->field.le_next) != NULL)     \
-                (elm2)->field.le_next->field.le_prev =                  \
-                    &(elm2)->field.le_next;                             \
-        (elm2)->field.le_prev = (elm)->field.le_prev;                   \
-        *(elm2)->field.le_prev = (elm2);                                \
-} while (0)
-/*
- * Simple queue definitions.
- */
-#define SIMPLEQ_HEAD(name, type)                                        \
-struct name {                                                           \
-        struct type *sqh_first; /* first element */                     \
-        struct type **sqh_last; /* addr of last next element */         \
-}
-#define SIMPLEQ_HEAD_INITIALIZER(head)                                  \
-        { NULL, &(head).sqh_first }
-#define SIMPLEQ_ENTRY(type)                                             \
-struct {                                                                \
-        struct type *sqe_next;  /* next element */                      \
-}
-/*
- * Simple queue access methods.
- */
-#define SIMPLEQ_FIRST(head)         ((head)->sqh_first)
-#define SIMPLEQ_END(head)           NULL
-#define SIMPLEQ_EMPTY(head)         (SIMPLEQ_FIRST(head) == SIMPLEQ_END(head))
-#define SIMPLEQ_NEXT(elm, field)    ((elm)->field.sqe_next)
-#define SIMPLEQ_FOREACH(var, head, field)                               \
-        for((var) = SIMPLEQ_FIRST(head);                                \
-            (var) != SIMPLEQ_END(head);                                 \
-            (var) = SIMPLEQ_NEXT(var, field))
-/*
- * Simple queue functions.
- */
-#define SIMPLEQ_INIT(head) do {                                         \
-        (head)->sqh_first = NULL;                                       \
-        (head)->sqh_last = &(head)->sqh_first;                          \
-} while (0)
-#define SIMPLEQ_INSERT_HEAD(head, elm, field) do {                      \
-        if (((elm)->field.sqe_next = (head)->sqh_first) == NULL)        \
-                (head)->sqh_last = &(elm)->field.sqe_next;              \
-        (head)->sqh_first = (elm);                                      \
-} while (0)
-#define SIMPLEQ_INSERT_TAIL(head, elm, field) do {                      \
-        (elm)->field.sqe_next = NULL;                                   \
-        *(head)->sqh_last = (elm);                                      \
-        (head)->sqh_last = &(elm)->field.sqe_next;                      \
-} while (0)
-#define SIMPLEQ_INSERT_AFTER(head, listelm, elm, field) do {            \
-        if (((elm)->field.sqe_next = (listelm)->field.sqe_next) == NULL)\
-                (head)->sqh_last = &(elm)->field.sqe_next;              \
-        (listelm)->field.sqe_next = (elm);                              \
-} while (0)
-#define SIMPLEQ_REMOVE_HEAD(head, elm, field) do {                      \
-        if (((head)->sqh_first = (elm)->field.sqe_next) == NULL)        \
-                (head)->sqh_last = &(head)->sqh_first;                  \
-} while (0)
-/*
- * Tail queue definitions.
- */
-#define TAILQ_HEAD(name, type)                                          \
-struct name {                                                           \
-        struct type *tqh_first; /* first element */                     \
-        struct type **tqh_last; /* addr of last next element */         \
-}
-#define TAILQ_HEAD_INITIALIZER(head)                                    \
-        { NULL, &(head).tqh_first }
-#define TAILQ_ENTRY(type)                                               \
-struct {                                                                \
-        struct type *tqe_next;  /* next element */                      \
-        struct type **tqe_prev; /* address of previous next element */  \
-}
-/* 
- * tail queue access methods 
- */
-#define TAILQ_FIRST(head)               ((head)->tqh_first)
-#define TAILQ_END(head)                 NULL
-#define TAILQ_NEXT(elm, field)          ((elm)->field.tqe_next)
-#define TAILQ_LAST(head, headname)                                      \
-        (*(((struct headname *)((head)->tqh_last))->tqh_last))
-/* XXX */
-#define TAILQ_PREV(elm, headname, field)                                \
-        (*(((struct headname *)((elm)->field.tqe_prev))->tqh_last))
-#define TAILQ_EMPTY(head)                                               \
-        (TAILQ_FIRST(head) == TAILQ_END(head))
-#define TAILQ_FOREACH(var, head, field)                                 \
-        for((var) = TAILQ_FIRST(head);                                  \
-            (var) != TAILQ_END(head);                                   \
-            (var) = TAILQ_NEXT(var, field))
-#define TAILQ_FOREACH_REVERSE(var, head, field, headname)               \
-        for((var) = TAILQ_LAST(head, headname);                         \
-            (var) != TAILQ_END(head);                                   \
-            (var) = TAILQ_PREV(var, headname, field))
-/*
- * Tail queue functions.
- */
-#define TAILQ_INIT(head) do {                                           \
-        (head)->tqh_first = NULL;                                       \
-        (head)->tqh_last = &(head)->tqh_first;                          \
-} while (0)
-#define TAILQ_INSERT_HEAD(head, elm, field) do {                        \
-        if (((elm)->field.tqe_next = (head)->tqh_first) != NULL)        \
-                (head)->tqh_first->field.tqe_prev =                     \
-                    &(elm)->field.tqe_next;                             \
-        else                                                            \
-                (head)->tqh_last = &(elm)->field.tqe_next;              \
-        (head)->tqh_first = (elm);                                      \
-        (elm)->field.tqe_prev = &(head)->tqh_first;                     \
-} while (0)
-#define TAILQ_INSERT_TAIL(head, elm, field) do {                        \
-        (elm)->field.tqe_next = NULL;                                   \
-        (elm)->field.tqe_prev = (head)->tqh_last;                       \
-        *(head)->tqh_last = (elm);                                      \
-        (head)->tqh_last = &(elm)->field.tqe_next;                      \
-} while (0)
-#define TAILQ_INSERT_AFTER(head, listelm, elm, field) do {              \
-        if (((elm)->field.tqe_next = (listelm)->field.tqe_next) != NULL)\
-                (elm)->field.tqe_next->field.tqe_prev =                 \
-                    &(elm)->field.tqe_next;                             \
-        else                                                            \
-                (head)->tqh_last = &(elm)->field.tqe_next;              \
-        (listelm)->field.tqe_next = (elm);                              \
-        (elm)->field.tqe_prev = &(listelm)->field.tqe_next;             \
-} while (0)
-#define TAILQ_INSERT_BEFORE(listelm, elm, field) do {                   \
-        (elm)->field.tqe_prev = (listelm)->field.tqe_prev;              \
-        (elm)->field.tqe_next = (listelm);                              \
-        *(listelm)->field.tqe_prev = (elm);                             \
-        (listelm)->field.tqe_prev = &(elm)->field.tqe_next;             \
-} while (0)
-#define TAILQ_REMOVE(head, elm, field) do {                             \
-        if (((elm)->field.tqe_next) != NULL)                            \
-                (elm)->field.tqe_next->field.tqe_prev =                 \
-                    (elm)->field.tqe_prev;                              \
-        else                                                            \
-                (head)->tqh_last = (elm)->field.tqe_prev;               \
-        *(elm)->field.tqe_prev = (elm)->field.tqe_next;                 \
-} while (0)
-#define TAILQ_REPLACE(head, elm, elm2, field) do {                      \
-        if (((elm2)->field.tqe_next = (elm)->field.tqe_next) != NULL)   \
-                (elm2)->field.tqe_next->field.tqe_prev =                \
-                    &(elm2)->field.tqe_next;                            \
-        else                                                            \
-                (head)->tqh_last = &(elm2)->field.tqe_next;             \
-        (elm2)->field.tqe_prev = (elm)->field.tqe_prev;                 \
-        *(elm2)->field.tqe_prev = (elm2);                               \
-} while (0)
-/*
- * Circular queue definitions.
- */
-#define CIRCLEQ_HEAD(name, type)                                        \
-struct name {                                                           \
-        struct type *cqh_first;         /* first element */             \
-        struct type *cqh_last;          /* last element */              \
-}
-#define CIRCLEQ_HEAD_INITIALIZER(head)                                  \
-        { CIRCLEQ_END(&head), CIRCLEQ_END(&head) }
-#define CIRCLEQ_ENTRY(type)                                             \
-struct {                                                                \
-        struct type *cqe_next;          /* next element */              \
-        struct type *cqe_prev;          /* previous element */          \
-}
-/*
- * Circular queue access methods 
- */
-#define CIRCLEQ_FIRST(head)             ((head)->cqh_first)
-#define CIRCLEQ_LAST(head)              ((head)->cqh_last)
-#define CIRCLEQ_END(head)               ((void *)(head))
-#define CIRCLEQ_NEXT(elm, field)        ((elm)->field.cqe_next)
-#define CIRCLEQ_PREV(elm, field)        ((elm)->field.cqe_prev)
-#define CIRCLEQ_EMPTY(head)                                             \
-        (CIRCLEQ_FIRST(head) == CIRCLEQ_END(head))
-#define CIRCLEQ_FOREACH(var, head, field)                               \
-        for((var) = CIRCLEQ_FIRST(head);                                \
-            (var) != CIRCLEQ_END(head);                                 \
-            (var) = CIRCLEQ_NEXT(var, field))
-#define CIRCLEQ_FOREACH_REVERSE(var, head, field)                       \
-        for((var) = CIRCLEQ_LAST(head);                                 \
-            (var) != CIRCLEQ_END(head);                                 \
-            (var) = CIRCLEQ_PREV(var, field))
-/*
- * Circular queue functions.
- */
-#define CIRCLEQ_INIT(head) do {                                         \
-        (head)->cqh_first = CIRCLEQ_END(head);                          \
-        (head)->cqh_last = CIRCLEQ_END(head);                           \
-} while (0)
-#define CIRCLEQ_INSERT_AFTER(head, listelm, elm, field) do {            \
-        (elm)->field.cqe_next = (listelm)->field.cqe_next;              \
-        (elm)->field.cqe_prev = (listelm);                              \
-        if ((listelm)->field.cqe_next == CIRCLEQ_END(head))             \
-                (head)->cqh_last = (elm);                               \
-        else                                                            \
-                (listelm)->field.cqe_next->field.cqe_prev = (elm);      \
-        (listelm)->field.cqe_next = (elm);                              \
-} while (0)
-#define CIRCLEQ_INSERT_BEFORE(head, listelm, elm, field) do {           \
-        (elm)->field.cqe_next = (listelm);                              \
-        (elm)->field.cqe_prev = (listelm)->field.cqe_prev;              \
-        if ((listelm)->field.cqe_prev == CIRCLEQ_END(head))             \
-                (head)->cqh_first = (elm);                              \
-        else                                                            \
-                (listelm)->field.cqe_prev->field.cqe_next = (elm);      \
-        (listelm)->field.cqe_prev = (elm);                              \
-} while (0)
-#define CIRCLEQ_INSERT_HEAD(head, elm, field) do {                      \
-        (elm)->field.cqe_next = (head)->cqh_first;                      \
-        (elm)->field.cqe_prev = CIRCLEQ_END(head);                      \
-        if ((head)->cqh_last == CIRCLEQ_END(head))                      \
-                (head)->cqh_last = (elm);                               \
-        else                                                            \
-                (head)->cqh_first->field.cqe_prev = (elm);              \
-        (head)->cqh_first = (elm);                                      \
-} while (0)
-#define CIRCLEQ_INSERT_TAIL(head, elm, field) do {                      \
-        (elm)->field.cqe_next = CIRCLEQ_END(head);                      \
-        (elm)->field.cqe_prev = (head)->cqh_last;                       \
-        if ((head)->cqh_first == CIRCLEQ_END(head))                     \
-                (head)->cqh_first = (elm);                              \
-        else                                                            \
-                (head)->cqh_last->field.cqe_next = (elm);               \
-        (head)->cqh_last = (elm);                                       \
-} while (0)
-#define CIRCLEQ_REMOVE(head, elm, field) do {                           \
-        if ((elm)->field.cqe_next == CIRCLEQ_END(head))                 \
-                (head)->cqh_last = (elm)->field.cqe_prev;               \
-        else                                                            \
-                (elm)->field.cqe_next->field.cqe_prev =                 \
-                    (elm)->field.cqe_prev;                              \
-        if ((elm)->field.cqe_prev == CIRCLEQ_END(head))                 \
-                (head)->cqh_first = (elm)->field.cqe_next;              \
-        else                                                            \
-                (elm)->field.cqe_prev->field.cqe_next =                 \
-                    (elm)->field.cqe_next;                              \
-} while (0)
-#define CIRCLEQ_REPLACE(head, elm, elm2, field) do {                    \
-        if (((elm2)->field.cqe_next = (elm)->field.cqe_next) ==         \
-            CIRCLEQ_END(head))                                          \
-                (head).cqh_last = (elm2);                               \
-        else                                                            \
-                (elm2)->field.cqe_next->field.cqe_prev = (elm2);        \
-        if (((elm2)->field.cqe_prev = (elm)->field.cqe_prev) ==         \
-            CIRCLEQ_END(head))                                          \
-                (head).cqh_first = (elm2);                              \
-        else                                                            \
-                (elm2)->field.cqe_prev->field.cqe_next = (elm2);        \
-} while (0)
-#endif  /* !_FAKE_QUEUE_H_ */
diff --git a/openbsd-compat/tree.h b/openbsd-compat/tree.h
deleted file mode 100644
index 30b4a8561..000000000
--- a/openbsd-compat/tree.h
+++ /dev/null
@@ -1,667 +0,0 @@
-/*
- * Copyright 2002 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-#ifndef _SYS_TREE_H_
-#define _SYS_TREE_H_
-/*
- * This file defines data structures for different types of trees:
- * splay trees and red-black trees.
- *
- * A splay tree is a self-organizing data structure.  Every operation
- * on the tree causes a splay to happen.  The splay moves the requested
- * node to the root of the tree and partly rebalances it.
- *
- * This has the benefit that request locality causes faster lookups as
- * the requested nodes move to the top of the tree.  On the other hand,
- * every lookup causes memory writes.
- *
- * The Balance Theorem bounds the total access time for m operations
- * and n inserts on an initially empty tree as O((m + n)lg n).  The
- * amortized cost for a sequence of m accesses to a splay tree is O(lg n);
- *
- * A red-black tree is a binary search tree with the node color as an
- * extra attribute.  It fulfills a set of conditions:
- *      - every search path from the root to a leaf consists of the
- *        same number of black nodes,
- *      - each red node (except for the root) has a black parent,
- *      - each leaf node is black.
- *
- * Every operation on a red-black tree is bounded as O(lg n).
- * The maximum height of a red-black tree is 2lg (n+1).
- */
-#define SPLAY_HEAD(name, type)                                          \
-struct name {                                                           \
-        struct type *sph_root; /* root of the tree */                   \
-}
-#define SPLAY_INITIALIZER(root)                                         \
-        { NULL }
-#define SPLAY_INIT(root) do {                                           \
-        (root)->sph_root = NULL;                                        \
-} while (0)
-#define SPLAY_ENTRY(type)                                               \
-struct {                                                                \
-        struct type *spe_left; /* left element */                       \
-        struct type *spe_right; /* right element */                     \
-}
-#define SPLAY_LEFT(elm, field)          (elm)->field.spe_left
-#define SPLAY_RIGHT(elm, field)         (elm)->field.spe_right
-#define SPLAY_ROOT(head)                (head)->sph_root
-#define SPLAY_EMPTY(head)               (SPLAY_ROOT(head) == NULL)
-/* SPLAY_ROTATE_{LEFT,RIGHT} expect that tmp hold SPLAY_{RIGHT,LEFT} */
-#define SPLAY_ROTATE_RIGHT(head, tmp, field) do {                       \
-        SPLAY_LEFT((head)->sph_root, field) = SPLAY_RIGHT(tmp, field);  \
-        SPLAY_RIGHT(tmp, field) = (head)->sph_root;                     \
-        (head)->sph_root = tmp;                                         \
-} while (0)
-        
-#define SPLAY_ROTATE_LEFT(head, tmp, field) do {                        \
-        SPLAY_RIGHT((head)->sph_root, field) = SPLAY_LEFT(tmp, field);  \
-        SPLAY_LEFT(tmp, field) = (head)->sph_root;                      \
-        (head)->sph_root = tmp;                                         \
-} while (0)
-#define SPLAY_LINKLEFT(head, tmp, field) do {                           \
-        SPLAY_LEFT(tmp, field) = (head)->sph_root;                      \
-        tmp = (head)->sph_root;                                         \
-        (head)->sph_root = SPLAY_LEFT((head)->sph_root, field);         \
-} while (0)
-#define SPLAY_LINKRIGHT(head, tmp, field) do {                          \
-        SPLAY_RIGHT(tmp, field) = (head)->sph_root;                     \
-        tmp = (head)->sph_root;                                         \
-        (head)->sph_root = SPLAY_RIGHT((head)->sph_root, field);        \
-} while (0)
-#define SPLAY_ASSEMBLE(head, node, left, right, field) do {             \
-        SPLAY_RIGHT(left, field) = SPLAY_LEFT((head)->sph_root, field); \
-        SPLAY_LEFT(right, field) = SPLAY_RIGHT((head)->sph_root, field);\
-        SPLAY_LEFT((head)->sph_root, field) = SPLAY_RIGHT(node, field); \
-        SPLAY_RIGHT((head)->sph_root, field) = SPLAY_LEFT(node, field); \
-} while (0)
-/* Generates prototypes and inline functions */
-#define SPLAY_PROTOTYPE(name, type, field, cmp)                         \
-void name##_SPLAY(struct name *, struct type *);                        \
-void name##_SPLAY_MINMAX(struct name *, int);                           \
-                                                                        \
-static __inline void                                                    \
-name##_SPLAY_INSERT(struct name *head, struct type *elm)                \
-{                                                                       \
-    if (SPLAY_EMPTY(head)) {                                            \
-            SPLAY_LEFT(elm, field) = SPLAY_RIGHT(elm, field) = NULL;    \
-    } else {                                                            \
-            int __comp;                                                 \
-            name##_SPLAY(head, elm);                                    \
-            __comp = (cmp)(elm, (head)->sph_root);                      \
-            if(__comp < 0) {                                            \
-                    SPLAY_LEFT(elm, field) = SPLAY_LEFT((head)->sph_root, field);\
-                    SPLAY_RIGHT(elm, field) = (head)->sph_root;         \
-                    SPLAY_LEFT((head)->sph_root, field) = NULL;         \
-            } else if (__comp > 0) {                                    \
-                    SPLAY_RIGHT(elm, field) = SPLAY_RIGHT((head)->sph_root, field);\
-                    SPLAY_LEFT(elm, field) = (head)->sph_root;          \
-                    SPLAY_RIGHT((head)->sph_root, field) = NULL;        \
-            } else                                                      \
-                    return;                                             \
-    }                                                                   \
-    (head)->sph_root = (elm);                                           \
-}                                                                       \
-                                                                        \
-static __inline void                                                    \
-name##_SPLAY_REMOVE(struct name *head, struct type *elm)                \
-{                                                                       \
-        struct type *__tmp;                                             \
-        if (SPLAY_EMPTY(head))                                          \
-                return;                                                 \
-        name##_SPLAY(head, elm);                                        \
-        if ((cmp)(elm, (head)->sph_root) == 0) {                        \
-                if (SPLAY_LEFT((head)->sph_root, field) == NULL) {      \
-                        (head)->sph_root = SPLAY_RIGHT((head)->sph_root, field);\
-                } else {                                                \
-                        __tmp = SPLAY_RIGHT((head)->sph_root, field);   \
-                        (head)->sph_root = SPLAY_LEFT((head)->sph_root, field);\
-                        name##_SPLAY(head, elm);                        \
-                        SPLAY_RIGHT((head)->sph_root, field) = __tmp;   \
-                }                                                       \
-        }                                                               \
-}                                                                       \
-                                                                        \
-/* Finds the node with the same key as elm */                           \
-static __inline struct type *                                           \
-name##_SPLAY_FIND(struct name *head, struct type *elm)                  \
-{                                                                       \
-        if (SPLAY_EMPTY(head))                                          \
-                return(NULL);                                           \
-        name##_SPLAY(head, elm);                                        \
-        if ((cmp)(elm, (head)->sph_root) == 0)                          \
-                return (head->sph_root);                                \
-        return (NULL);                                                  \
-}                                                                       \
-                                                                        \
-static __inline struct type *                                           \
-name##_SPLAY_NEXT(struct name *head, struct type *elm)                  \
-{                                                                       \
-        name##_SPLAY(head, elm);                                        \
-        if (SPLAY_RIGHT(elm, field) != NULL) {                          \
-                elm = SPLAY_RIGHT(elm, field);                          \
-                while (SPLAY_LEFT(elm, field) != NULL) {                \
-                        elm = SPLAY_LEFT(elm, field);                   \
-                }                                                       \
-        } else                                                          \
-                elm = NULL;                                             \
-        return (elm);                                                   \
-}                                                                       \
-                                                                        \
-static __inline struct type *                                           \
-name##_SPLAY_MIN_MAX(struct name *head, int val)                        \
-{                                                                       \
-        name##_SPLAY_MINMAX(head, val);                                 \
-        return (SPLAY_ROOT(head));                                      \
-}
-/* Main splay operation.
- * Moves node close to the key of elm to top
- */
-#define SPLAY_GENERATE(name, type, field, cmp)                          \
-void name##_SPLAY(struct name *head, struct type *elm)                  \
-{                                                                       \
-        struct type __node, *__left, *__right, *__tmp;                  \
-        int __comp;                                                     \
-\
-        SPLAY_LEFT(&__node, field) = SPLAY_RIGHT(&__node, field) = NULL;\
-        __left = __right = &__node;                                     \
-\
-        while ((__comp = (cmp)(elm, (head)->sph_root))) {               \
-                if (__comp < 0) {                                       \
-                        __tmp = SPLAY_LEFT((head)->sph_root, field);    \
-                        if (__tmp == NULL)                              \
-                                break;                                  \
-                        if ((cmp)(elm, __tmp) < 0){                     \
-                                SPLAY_ROTATE_RIGHT(head, __tmp, field); \
-                                if (SPLAY_LEFT((head)->sph_root, field) == NULL)\
-                                        break;                          \
-                        }                                               \
-                        SPLAY_LINKLEFT(head, __right, field);           \
-                } else if (__comp > 0) {                                \
-                        __tmp = SPLAY_RIGHT((head)->sph_root, field);   \
-                        if (__tmp == NULL)                              \
-                                break;                                  \
-                        if ((cmp)(elm, __tmp) > 0){                     \
-                                SPLAY_ROTATE_LEFT(head, __tmp, field);  \
-                                if (SPLAY_RIGHT((head)->sph_root, field) == NULL)\
-                                        break;                          \
-                        }                                               \
-                        SPLAY_LINKRIGHT(head, __left, field);           \
-                }                                                       \
-        }                                                               \
-        SPLAY_ASSEMBLE(head, &__node, __left, __right, field);          \
-}                                                                       \
-                                                                        \
-/* Splay with either the minimum or the maximum element                 \
- * Used to find minimum or maximum element in tree.                     \
- */                                                                     \
-void name##_SPLAY_MINMAX(struct name *head, int __comp) \
-{                                                                       \
-        struct type __node, *__left, *__right, *__tmp;                  \
-\
-        SPLAY_LEFT(&__node, field) = SPLAY_RIGHT(&__node, field) = NULL;\
-        __left = __right = &__node;                                     \
-\
-        while (1) {                                                     \
-                if (__comp < 0) {                                       \
-                        __tmp = SPLAY_LEFT((head)->sph_root, field);    \
-                        if (__tmp == NULL)                              \
-                                break;                                  \
-                        if (__comp < 0){                                \
-                                SPLAY_ROTATE_RIGHT(head, __tmp, field); \
-                                if (SPLAY_LEFT((head)->sph_root, field) == NULL)\
-                                        break;                          \
-                        }                                               \
-                        SPLAY_LINKLEFT(head, __right, field);           \
-                } else if (__comp > 0) {                                \
-                        __tmp = SPLAY_RIGHT((head)->sph_root, field);   \
-                        if (__tmp == NULL)                              \
-                                break;                                  \
-                        if (__comp > 0) {                               \
-                                SPLAY_ROTATE_LEFT(head, __tmp, field);  \
-                                if (SPLAY_RIGHT((head)->sph_root, field) == NULL)\
-                                        break;                          \
-                        }                                               \
-                        SPLAY_LINKRIGHT(head, __left, field);           \
-                }                                                       \
-        }                                                               \
-        SPLAY_ASSEMBLE(head, &__node, __left, __right, field);          \
-}
-#define SPLAY_NEGINF    -1
-#define SPLAY_INF       1
-#define SPLAY_INSERT(name, x, y)        name##_SPLAY_INSERT(x, y)
-#define SPLAY_REMOVE(name, x, y)        name##_SPLAY_REMOVE(x, y)
-#define SPLAY_FIND(name, x, y)          name##_SPLAY_FIND(x, y)
-#define SPLAY_NEXT(name, x, y)          name##_SPLAY_NEXT(x, y)
-#define SPLAY_MIN(name, x)              (SPLAY_EMPTY(x) ? NULL  \
-                                        : name##_SPLAY_MIN_MAX(x, SPLAY_NEGINF))
-#define SPLAY_MAX(name, x)              (SPLAY_EMPTY(x) ? NULL  \
-                                        : name##_SPLAY_MIN_MAX(x, SPLAY_INF))
-#define SPLAY_FOREACH(x, name, head)                                    \
-        for ((x) = SPLAY_MIN(name, head);                               \
-             (x) != NULL;                                               \
-             (x) = SPLAY_NEXT(name, head, x))
-/* Macros that define a red-back tree */
-#define RB_HEAD(name, type)                                             \
-struct name {                                                           \
-        struct type *rbh_root; /* root of the tree */                   \
-}
-#define RB_INITIALIZER(root)                                            \
-        { NULL }
-#define RB_INIT(root) do {                                              \
-        (root)->rbh_root = NULL;                                        \
-} while (0)
-#define RB_BLACK        0
-#define RB_RED          1
-#define RB_ENTRY(type)                                                  \
-struct {                                                                \
-        struct type *rbe_left;          /* left element */              \
-        struct type *rbe_right;         /* right element */             \
-        struct type *rbe_parent;        /* parent element */            \
-        int rbe_color;                  /* node color */                \
-}
-#define RB_LEFT(elm, field)             (elm)->field.rbe_left
-#define RB_RIGHT(elm, field)            (elm)->field.rbe_right
-#define RB_PARENT(elm, field)           (elm)->field.rbe_parent
-#define RB_COLOR(elm, field)            (elm)->field.rbe_color
-#define RB_ROOT(head)                   (head)->rbh_root
-#define RB_EMPTY(head)                  (RB_ROOT(head) == NULL)
-#define RB_SET(elm, parent, field) do {                                 \
-        RB_PARENT(elm, field) = parent;                                 \
-        RB_LEFT(elm, field) = RB_RIGHT(elm, field) = NULL;              \
-        RB_COLOR(elm, field) = RB_RED;                                  \
-} while (0)
-#define RB_SET_BLACKRED(black, red, field) do {                         \
-        RB_COLOR(black, field) = RB_BLACK;                              \
-        RB_COLOR(red, field) = RB_RED;                                  \
-} while (0)
-#ifndef RB_AUGMENT
-#define RB_AUGMENT(x)
-#endif
-#define RB_ROTATE_LEFT(head, elm, tmp, field) do {                      \
-        (tmp) = RB_RIGHT(elm, field);                                   \
-        if ((RB_RIGHT(elm, field) = RB_LEFT(tmp, field))) {             \
-                RB_PARENT(RB_LEFT(tmp, field), field) = (elm);          \
-        }                                                               \
-        RB_AUGMENT(elm);                                                \
-        if ((RB_PARENT(tmp, field) = RB_PARENT(elm, field))) {          \
-                if ((elm) == RB_LEFT(RB_PARENT(elm, field), field))     \
-                        RB_LEFT(RB_PARENT(elm, field), field) = (tmp);  \
-                else                                                    \
-                        RB_RIGHT(RB_PARENT(elm, field), field) = (tmp); \
-                RB_AUGMENT(RB_PARENT(elm, field));                      \
-        } else                                                          \
-                (head)->rbh_root = (tmp);                               \
-        RB_LEFT(tmp, field) = (elm);                                    \
-        RB_PARENT(elm, field) = (tmp);                                  \
-        RB_AUGMENT(tmp);                                                \
-} while (0)
-#define RB_ROTATE_RIGHT(head, elm, tmp, field) do {                     \
-        (tmp) = RB_LEFT(elm, field);                                    \
-        if ((RB_LEFT(elm, field) = RB_RIGHT(tmp, field))) {             \
-                RB_PARENT(RB_RIGHT(tmp, field), field) = (elm);         \
-        }                                                               \
-        RB_AUGMENT(elm);                                                \
-        if ((RB_PARENT(tmp, field) = RB_PARENT(elm, field))) {          \
-                if ((elm) == RB_LEFT(RB_PARENT(elm, field), field))     \
-                        RB_LEFT(RB_PARENT(elm, field), field) = (tmp);  \
-                else                                                    \
-                        RB_RIGHT(RB_PARENT(elm, field), field) = (tmp); \
-                RB_AUGMENT(RB_PARENT(elm, field));                      \
-        } else                                                          \
-                (head)->rbh_root = (tmp);                               \
-        RB_RIGHT(tmp, field) = (elm);                                   \
-        RB_PARENT(elm, field) = (tmp);                                  \
-        RB_AUGMENT(tmp);                                                \
-} while (0)
-/* Generates prototypes and inline functions */
-#define RB_PROTOTYPE(name, type, field, cmp)                            \
-void name##_RB_INSERT_COLOR(struct name *, struct type *);      \
-void name##_RB_REMOVE_COLOR(struct name *, struct type *, struct type *);\
-void name##_RB_REMOVE(struct name *, struct type *);                    \
-struct type *name##_RB_INSERT(struct name *, struct type *);            \
-struct type *name##_RB_FIND(struct name *, struct type *);              \
-struct type *name##_RB_NEXT(struct name *, struct type *);              \
-struct type *name##_RB_MINMAX(struct name *, int);                      \
-                                                                        \
-/* Main rb operation.
- * Moves node close to the key of elm to top
- */
-#define RB_GENERATE(name, type, field, cmp)                             \
-void                                                                    \
-name##_RB_INSERT_COLOR(struct name *head, struct type *elm)             \
-{                                                                       \
-        struct type *parent, *gparent, *tmp;                            \
-        while ((parent = RB_PARENT(elm, field)) &&                      \
-            RB_COLOR(parent, field) == RB_RED) {                        \
-                gparent = RB_PARENT(parent, field);                     \
-                if (parent == RB_LEFT(gparent, field)) {                \
-                        tmp = RB_RIGHT(gparent, field);                 \
-                        if (tmp && RB_COLOR(tmp, field) == RB_RED) {    \
-                                RB_COLOR(tmp, field) = RB_BLACK;        \
-                                RB_SET_BLACKRED(parent, gparent, field);\
-                                elm = gparent;                          \
-                                continue;                               \
-                        }                                               \
-                        if (RB_RIGHT(parent, field) == elm) {           \
-                                RB_ROTATE_LEFT(head, parent, tmp, field);\
-                                tmp = parent;                           \
-                                parent = elm;                           \
-                                elm = tmp;                              \
-                        }                                               \
-                        RB_SET_BLACKRED(parent, gparent, field);        \
-                        RB_ROTATE_RIGHT(head, gparent, tmp, field);     \
-                } else {                                                \
-                        tmp = RB_LEFT(gparent, field);                  \
-                        if (tmp && RB_COLOR(tmp, field) == RB_RED) {    \
-                                RB_COLOR(tmp, field) = RB_BLACK;        \
-                                RB_SET_BLACKRED(parent, gparent, field);\
-                                elm = gparent;                          \
-                                continue;                               \
-                        }                                               \
-                        if (RB_LEFT(parent, field) == elm) {            \
-                                RB_ROTATE_RIGHT(head, parent, tmp, field);\
-                                tmp = parent;                           \
-                                parent = elm;                           \
-                                elm = tmp;                              \
-                        }                                               \
-                        RB_SET_BLACKRED(parent, gparent, field);        \
-                        RB_ROTATE_LEFT(head, gparent, tmp, field);      \
-                }                                                       \
-        }                                                               \
-        RB_COLOR(head->rbh_root, field) = RB_BLACK;                     \
-}                                                                       \
-                                                                        \
-void                                                                    \
-name##_RB_REMOVE_COLOR(struct name *head, struct type *parent, struct type *elm) \
-{                                                                       \
-        struct type *tmp;                                               \
-        while ((elm == NULL || RB_COLOR(elm, field) == RB_BLACK) &&     \
-            elm != RB_ROOT(head)) {                                     \
-                if (RB_LEFT(parent, field) == elm) {                    \
-                        tmp = RB_RIGHT(parent, field);                  \
-                        if (RB_COLOR(tmp, field) == RB_RED) {           \
-                                RB_SET_BLACKRED(tmp, parent, field);    \
-                                RB_ROTATE_LEFT(head, parent, tmp, field);\
-                                tmp = RB_RIGHT(parent, field);          \
-                        }                                               \
-                        if ((RB_LEFT(tmp, field) == NULL ||             \
-                            RB_COLOR(RB_LEFT(tmp, field), field) == RB_BLACK) &&\
-                            (RB_RIGHT(tmp, field) == NULL ||            \
-                            RB_COLOR(RB_RIGHT(tmp, field), field) == RB_BLACK)) {\
-                                RB_COLOR(tmp, field) = RB_RED;          \
-                                elm = parent;                           \
-                                parent = RB_PARENT(elm, field);         \
-                        } else {                                        \
-                                if (RB_RIGHT(tmp, field) == NULL ||     \
-                                    RB_COLOR(RB_RIGHT(tmp, field), field) == RB_BLACK) {\
-                                        struct type *oleft;             \
-                                        if ((oleft = RB_LEFT(tmp, field)))\
-                                                RB_COLOR(oleft, field) = RB_BLACK;\
-                                        RB_COLOR(tmp, field) = RB_RED;  \
-                                        RB_ROTATE_RIGHT(head, tmp, oleft, field);\
-                                        tmp = RB_RIGHT(parent, field);  \
-                                }                                       \
-                                RB_COLOR(tmp, field) = RB_COLOR(parent, field);\
-                                RB_COLOR(parent, field) = RB_BLACK;     \
-                                if (RB_RIGHT(tmp, field))               \
-                                        RB_COLOR(RB_RIGHT(tmp, field), field) = RB_BLACK;\
-                                RB_ROTATE_LEFT(head, parent, tmp, field);\
-                                elm = RB_ROOT(head);                    \
-                                break;                                  \
-                        }                                               \
-                } else {                                                \
-                        tmp = RB_LEFT(parent, field);                   \
-                        if (RB_COLOR(tmp, field) == RB_RED) {           \
-                                RB_SET_BLACKRED(tmp, parent, field);    \
-                                RB_ROTATE_RIGHT(head, parent, tmp, field);\
-                                tmp = RB_LEFT(parent, field);           \
-                        }                                               \
-                        if ((RB_LEFT(tmp, field) == NULL ||             \
-                            RB_COLOR(RB_LEFT(tmp, field), field) == RB_BLACK) &&\
-                            (RB_RIGHT(tmp, field) == NULL ||            \
-                            RB_COLOR(RB_RIGHT(tmp, field), field) == RB_BLACK)) {\
-                                RB_COLOR(tmp, field) = RB_RED;          \
-                                elm = parent;                           \
-                                parent = RB_PARENT(elm, field);         \
-                        } else {                                        \
-                                if (RB_LEFT(tmp, field) == NULL ||      \
-                                    RB_COLOR(RB_LEFT(tmp, field), field) == RB_BLACK) {\
-                                        struct type *oright;            \
-                                        if ((oright = RB_RIGHT(tmp, field)))\
-                                                RB_COLOR(oright, field) = RB_BLACK;\
-                                        RB_COLOR(tmp, field) = RB_RED;  \
-                                        RB_ROTATE_LEFT(head, tmp, oright, field);\
-                                        tmp = RB_LEFT(parent, field);   \
-                                }                                       \
-                                RB_COLOR(tmp, field) = RB_COLOR(parent, field);\
-                                RB_COLOR(parent, field) = RB_BLACK;     \
-                                if (RB_LEFT(tmp, field))                \
-                                        RB_COLOR(RB_LEFT(tmp, field), field) = RB_BLACK;\
-                                RB_ROTATE_RIGHT(head, parent, tmp, field);\
-                                elm = RB_ROOT(head);                    \
-                                break;                                  \
-                        }                                               \
-                }                                                       \
-        }                                                               \
-        if (elm)                                                        \
-                RB_COLOR(elm, field) = RB_BLACK;                        \
-}                                                                       \
-                                                                        \
-void                                                                    \
-name##_RB_REMOVE(struct name *head, struct type *elm)                   \
-{                                                                       \
-        struct type *child, *parent;                                    \
-        int color;                                                      \
-        if (RB_LEFT(elm, field) == NULL)                                \
-                child = RB_RIGHT(elm, field);                           \
-        else if (RB_RIGHT(elm, field) == NULL)                          \
-                child = RB_LEFT(elm, field);                            \
-        else {                                                          \
-                struct type *old = elm, *left;                          \
-                elm = RB_RIGHT(elm, field);                             \
-                while ((left = RB_LEFT(elm, field)))                    \
-                        elm = left;                                     \
-                child = RB_RIGHT(elm, field);                           \
-                parent = RB_PARENT(elm, field);                         \
-                color = RB_COLOR(elm, field);                           \
-                if (child)                                              \
-                        RB_PARENT(child, field) = parent;               \
-                if (parent) {                                           \
-                        if (RB_LEFT(parent, field) == elm)              \
-                                RB_LEFT(parent, field) = child;         \
-                        else                                            \
-                                RB_RIGHT(parent, field) = child;        \
-                        RB_AUGMENT(parent);                             \
-                } else                                                  \
-                        RB_ROOT(head) = child;                          \
-                if (RB_PARENT(elm, field) == old)                       \
-                        parent = elm;                                   \
-                (elm)->field = (old)->field;                            \
-                if (RB_PARENT(old, field)) {                            \
-                        if (RB_LEFT(RB_PARENT(old, field), field) == old)\
-                                RB_LEFT(RB_PARENT(old, field), field) = elm;\
-                        else                                            \
-                                RB_RIGHT(RB_PARENT(old, field), field) = elm;\
-                        RB_AUGMENT(RB_PARENT(old, field));              \
-                } else                                                  \
-                        RB_ROOT(head) = elm;                            \
-                RB_PARENT(RB_LEFT(old, field), field) = elm;            \
-                if (RB_RIGHT(old, field))                               \
-                        RB_PARENT(RB_RIGHT(old, field), field) = elm;   \
-                if (parent) {                                           \
-                        left = parent;                                  \
-                        do {                                            \
-                                RB_AUGMENT(left);                       \
-                        } while ((left = RB_PARENT(left, field)));      \
-                }                                                       \
-                goto color;                                             \
-        }                                                               \
-        parent = RB_PARENT(elm, field);                                 \
-        color = RB_COLOR(elm, field);                                   \
-        if (child)                                                      \
-                RB_PARENT(child, field) = parent;                       \
-        if (parent) {                                                   \
-                if (RB_LEFT(parent, field) == elm)                      \
-                        RB_LEFT(parent, field) = child;                 \
-                else                                                    \
-                        RB_RIGHT(parent, field) = child;                \
-                RB_AUGMENT(parent);                                     \
-        } else                                                          \
-                RB_ROOT(head) = child;                                  \
-color:                                                                  \
-        if (color == RB_BLACK)                                          \
-                name##_RB_REMOVE_COLOR(head, parent, child);            \
-}                                                                       \
-                                                                        \
-/* Inserts a node into the RB tree */                                   \
-struct type *                                                           \
-name##_RB_INSERT(struct name *head, struct type *elm)                   \
-{                                                                       \
-        struct type *tmp;                                               \
-        struct type *parent = NULL;                                     \
-        int comp = 0;                                                   \
-        tmp = RB_ROOT(head);                                            \
-        while (tmp) {                                                   \
-                parent = tmp;                                           \
-                comp = (cmp)(elm, parent);                              \
-                if (comp < 0)                                           \
-                        tmp = RB_LEFT(tmp, field);                      \
-                else if (comp > 0)                                      \
-                        tmp = RB_RIGHT(tmp, field);                     \
-                else                                                    \
-                        return (tmp);                                   \
-        }                                                               \
-        RB_SET(elm, parent, field);                                     \
-        if (parent != NULL) {                                           \
-                if (comp < 0)                                           \
-                        RB_LEFT(parent, field) = elm;                   \
-                else                                                    \
-                        RB_RIGHT(parent, field) = elm;                  \
-                RB_AUGMENT(parent);                                     \
-        } else                                                          \
-                RB_ROOT(head) = elm;                                    \
-        name##_RB_INSERT_COLOR(head, elm);                              \
-        return (NULL);                                                  \
-}                                                                       \
-                                                                        \
-/* Finds the node with the same key as elm */                           \
-struct type *                                                           \
-name##_RB_FIND(struct name *head, struct type *elm)                     \
-{                                                                       \
-        struct type *tmp = RB_ROOT(head);                               \
-        int comp;                                                       \
-        while (tmp) {                                                   \
-                comp = cmp(elm, tmp);                                   \
-                if (comp < 0)                                           \
-                        tmp = RB_LEFT(tmp, field);                      \
-                else if (comp > 0)                                      \
-                        tmp = RB_RIGHT(tmp, field);                     \
-                else                                                    \
-                        return (tmp);                                   \
-        }                                                               \
-        return (NULL);                                                  \
-}                                                                       \
-                                                                        \
-struct type *                                                           \
-name##_RB_NEXT(struct name *head, struct type *elm)                     \
-{                                                                       \
-        if (RB_RIGHT(elm, field)) {                                     \
-                elm = RB_RIGHT(elm, field);                             \
-                while (RB_LEFT(elm, field))                             \
-                        elm = RB_LEFT(elm, field);                      \
-        } else {                                                        \
-                if (RB_PARENT(elm, field) &&                            \
-                    (elm == RB_LEFT(RB_PARENT(elm, field), field)))     \
-                        elm = RB_PARENT(elm, field);                    \
-                else {                                                  \
-                        while (RB_PARENT(elm, field) &&                 \
-                            (elm == RB_RIGHT(RB_PARENT(elm, field), field)))\
-                                elm = RB_PARENT(elm, field);            \
-                        elm = RB_PARENT(elm, field);                    \
-                }                                                       \
-        }                                                               \
-        return (elm);                                                   \
-}                                                                       \
-                                                                        \
-struct type *                                                           \
-name##_RB_MINMAX(struct name *head, int val)                            \
-{                                                                       \
-        struct type *tmp = RB_ROOT(head);                               \
-        struct type *parent = NULL;                                     \
-        while (tmp) {                                                   \
-                parent = tmp;                                           \
-                if (val < 0)                                            \
-                        tmp = RB_LEFT(tmp, field);                      \
-                else                                                    \
-                        tmp = RB_RIGHT(tmp, field);                     \
-        }                                                               \
-        return (parent);                                                \
-}
-#define RB_NEGINF       -1
-#define RB_INF  1
-#define RB_INSERT(name, x, y)   name##_RB_INSERT(x, y)
-#define RB_REMOVE(name, x, y)   name##_RB_REMOVE(x, y)
-#define RB_FIND(name, x, y)     name##_RB_FIND(x, y)
-#define RB_NEXT(name, x, y)     name##_RB_NEXT(x, y)
-#define RB_MIN(name, x)         name##_RB_MINMAX(x, RB_NEGINF)
-#define RB_MAX(name, x)         name##_RB_MINMAX(x, RB_INF)
-#define RB_FOREACH(x, name, head)                                       \
-        for ((x) = RB_MIN(name, head);                                  \
-             (x) != NULL;                                               \
-             (x) = name##_RB_NEXT(head, x))
-#endif  /* _SYS_TREE_H_ */
diff --git a/packet.c b/packet.c
index bd347ef0f..dbd3791d2 100644
--- a/packet.c
+++ b/packet.c
@@ -77,6 +77,8 @@ RCSID("$OpenBSD: packet.c,v 1.97 2002/07/04 08:12:15 deraadt Exp $");
 static int connection_in = -1;
 static int connection_out = -1;
+static int setup_timeout = -1;
 /* Protocol flags for the remote side. */
 static u_int remote_protocol_flags = 0;
@@ -131,7 +133,7 @@ static u_char extra_pad = 0;
 * packet_set_encryption_key is called.
 */
 void
-packet_set_connection(int fd_in, int fd_out)
+packet_set_connection(int fd_in, int fd_out, int new_setup_timeout)
 {
        Cipher *none = cipher_by_name("none");
@@ -139,6 +141,7 @@ packet_set_connection(int fd_in, int fd_out)
                fatal("packet_set_connection: cannot load cipher 'none'");
        connection_in = fd_in;
        connection_out = fd_out;
+        setup_timeout = new_setup_timeout;
        cipher_init(&send_context, none, "", 0, NULL, 0, CIPHER_ENCRYPT);
        cipher_init(&receive_context, none, "", 0, NULL, 0, CIPHER_DECRYPT);
        newkeys[MODE_IN] = newkeys[MODE_OUT] = NULL;
@@ -745,6 +748,7 @@ packet_read_seqnr(u_int32_t *seqnr_p)
        int type, len;
        fd_set *setp;
        char buf[8192];
+        struct timeval tv, *tvp;
        DBG(debug("packet_read()"));
        setp = (fd_set *)xmalloc(howmany(connection_in+1, NFDBITS) *
@@ -776,11 +780,21 @@ packet_read_seqnr(u_int32_t *seqnr_p)
                    sizeof(fd_mask));
                FD_SET(connection_in, setp);
+                if (setup_timeout > 0) {
+                  tvp = &tv;
+                  tv.tv_sec = setup_timeout;
+                  tv.tv_usec = 0;
+                } else
+                  tvp = 0;
                /* Wait for some data to arrive. */
-                while (select(connection_in + 1, setp, NULL, NULL, NULL) == -1 &&
+                while (select(connection_in + 1, setp, NULL, NULL, tvp) == -1 &&
                    (errno == EAGAIN || errno == EINTR))
                        ;
+                if (!FD_ISSET(connection_in, setp))
+                  fatal("packet_read: Setup timeout expired, giving up");
                /* Read data from the socket. */
                len = read(connection_in, buf, sizeof(buf));
                if (len == 0) {
diff --git a/packet.h b/packet.h
index 3ff75593a..483472d50 100644
--- a/packet.h
+++ b/packet.h
@@ -18,7 +18,7 @@
 #include <openssl/bn.h>
-void     packet_set_connection(int, int);
+void     packet_set_connection(int, int, int);
 void     packet_set_nonblocking(void);
 int      packet_get_connection_in(void);
 int      packet_get_connection_out(void);
diff --git a/readconf.c b/readconf.c
index bae06be12..097d4082d 100644
--- a/readconf.c
+++ b/readconf.c
@@ -81,6 +81,8 @@ RCSID("$OpenBSD: readconf.c,v 1.100 2002/06/19 00:27:55 deraadt Exp $");
     RhostsRSAAuthentication yes
     StrictHostKeyChecking yes
     KeepAlives no
+     ProtocolKeepAlives 0
+     SetupTimeOut 0
     IdentityFile ~/.ssh/identity
     Port 22
     EscapeChar ~
@@ -114,6 +116,7 @@ typedef enum {
        oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
        oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
        oClearAllForwardings, oNoHostAuthenticationForLocalhost,
+        oProtocolKeepAlives, oSetupTimeOut,
        oDeprecated
 } OpCodes;
@@ -186,6 +189,8 @@ static struct {
        { "smartcarddevice", oSmartcardDevice },
        { "clearallforwardings", oClearAllForwardings },
        { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
+        { "protocolkeepalives", oProtocolKeepAlives },
+        { "setuptimeout", oSetupTimeOut },
        { NULL, oBadOption }
 };
@@ -411,6 +416,14 @@ parse_flag:
                intptr = &options->no_host_authentication_for_localhost;
                goto parse_flag;
+        case oProtocolKeepAlives:
+                intptr = &options->protocolkeepalives;
+                goto parse_int;
+        case oSetupTimeOut:
+                intptr = &options->setuptimeout;
+                goto parse_int;
        case oNumberOfPasswordPrompts:
                intptr = &options->number_of_password_prompts;
                goto parse_int;
@@ -766,6 +779,8 @@ initialize_options(Options * options)
        options->strict_host_key_checking = -1;
        options->compression = -1;
        options->keepalives = -1;
+        options->protocolkeepalives = -1;
+        options->setuptimeout = -1;
        options->compression_level = -1;
        options->port = -1;
        options->connection_attempts = -1;
@@ -853,6 +868,14 @@ fill_default_options(Options * options)
                options->compression = 0;
        if (options->keepalives == -1)
                options->keepalives = 1;
+        if (options->protocolkeepalives == -1){
+          if (options->batch_mode == 1) /*in batch mode, default is 5mins */
+                options->protocolkeepalives = 300;
+          else  options->protocolkeepalives = 0;}
+        if (options->setuptimeout == -1){
+          if (options->batch_mode == 1) /*in batch mode, default is 5mins */
+                options->setuptimeout = 300;
+          else  options->setuptimeout = 0;}
        if (options->compression_level == -1)
                options->compression_level = 6;
        if (options->port == -1)
diff --git a/readconf.h b/readconf.h
index 92af535d0..9457dfe86 100644
--- a/readconf.h
+++ b/readconf.h
@@ -61,6 +61,8 @@ typedef struct {
        int     compression_level;      /* Compression level 1 (fast) to 9
                                         * (best). */
        int     keepalives;     /* Set SO_KEEPALIVE. */
+        int     protocolkeepalives; /* ssh-level keepalives */
+        int     setuptimeout; /* timeout in the protocol banner exchange */
        LogLevel log_level;     /* Level for logging. */
        int     port;           /* Port to connect. */
diff --git a/scp.1 b/scp.1
index 396ab64be..cf2f421e6 100644
--- a/scp.1
+++ b/scp.1
@@ -19,7 +19,7 @@
 .Nd secure copy (remote file copy program)
 .Sh SYNOPSIS
 .Nm scp
-.Op Fl pqrvBC46
+.Op Fl pqrvBC1246
 .Op Fl F Ar ssh_config
 .Op Fl S Ar program
 .Op Fl P Ar port
@@ -125,6 +125,14 @@ for which there is no separate
 command-line flag.  For example, forcing the use of protocol
 version 1 is specified using
 .Ic scp -oProtocol=1 .
+.It Fl 1
+Forces
+.Nm
+to try protocol version 1 only.
+.It Fl 2
+Forces
+.Nm
+to try protocol version 2 only.
 .It Fl 4
 Forces
 .Nm
diff --git a/scp.c b/scp.c
index 921ffeedc..10235b1be 100644
--- a/scp.c
+++ b/scp.c
@@ -233,9 +233,11 @@ main(argc, argv)
        addargs(&args, "-oClearAllForwardings yes");
        fflag = tflag = 0;
-        while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46S:o:F:")) != -1)
+        while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q1246S:o:F:")) != -1)
                switch (ch) {
                /* User-visible flags. */
+                case '1':
+                case '2':
                case '4':
                case '6':
                case 'C':
diff --git a/serverloop.c b/serverloop.c
index 58e20dfb9..e66d529e9 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -610,7 +610,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
                        if (!channel_still_open())
                                break;
                        if (!waiting_termination) {
-                                const char *s = "Waiting for forwarded connections to terminate...\r\n";
+                                const char *s = "Waiting for forwarded connections to terminate... (press ~& to background)\r\n";
                                char *cp;
                                waiting_termination = 1;
                                buffer_append(&stderr_buffer, s, strlen(s));
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index 8c14d6d26..788953705 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -349,7 +349,7 @@ keygrab_ssh2(con *c)
 {
        int j;
-        packet_set_connection(c->c_fd, c->c_fd);
+        packet_set_connection(c->c_fd, c->c_fd, timeout);
        enable_compat20();
        myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = c->c_keytype == KT_DSA?
            "ssh-dss": "ssh-rsa";
diff --git a/ssh.1 b/ssh.1
index 27808b1f3..d8999da48 100644
--- a/ssh.1
+++ b/ssh.1
@@ -533,6 +533,10 @@ per-host basis in the configuration file.
 .It Fl q
 Quiet mode.
 Causes all warning and diagnostic messages to be suppressed.
+Only fatal errors are displayed.
+If a second
+.Fl q
+is given then even fatal errors are suppressed.
 .It Fl s
 May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use
 of SSH as a secure transport for other applications (eg. sftp). The
diff --git a/ssh.c b/ssh.c
index 2c589de82..24e541bc6 100644
--- a/ssh.c
+++ b/ssh.c
@@ -366,7 +366,12 @@ again:
                                exit(0);
                        break;
                case 'q':
-                        options.log_level = SYSLOG_LEVEL_QUIET;
+                        if (options.log_level == SYSLOG_LEVEL_QUIET) {
+                                options.log_level = SYSLOG_LEVEL_SILENT;
+                        }
+                        else if (options.log_level != SYSLOG_LEVEL_SILENT) {
+                                options.log_level = SYSLOG_LEVEL_QUIET;
+                        }
                        break;
                case 'e':
                        if (optarg[0] == '^' && optarg[2] == 0 &&
diff --git a/ssh_config.5 b/ssh_config.5
index ac05a0cea..67fa0845c 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -126,8 +126,15 @@ This option applies to protocol version 1 only.
 If set to
 .Dq yes ,
 passphrase/password querying will be disabled.
+In addition, the 
+.Cm ProtocolKeepAlives 
+and
+.Cm SetupTimeOut
+options will both be set to 300 seconds by default.
 This option is useful in scripts and other batch jobs where no user
-is present to supply the password.
+is present to supply the password,
+and where it is desirable to detect a
+broken network swiftly.
 The argument must be
 .Dq yes
 or
@@ -354,7 +361,12 @@ identities will be tried in sequence.
 Specifies whether the system should send TCP keepalive messages to the
 other side.
 If they are sent, death of the connection or crash of one
-of the machines will be properly noticed.
+of the machines will be properly noticed.  This option only uses TCP
+keepalives (as opposed to using ssh level keepalives), so takes a long
+time to notice when the connection dies.  As such, you probably want
+the
+.Cm ProtocolKeepAlives
+option as well.
 However, this means that
 connections will die if the route is down temporarily, and some people
 find it annoying.
@@ -453,6 +465,13 @@ This means that
 .Nm ssh
 tries version 2 and falls back to version 1
 if version 2 is not available.
+.It Cm ProtocolKeepAlives
+Specifies the interval in seconds at which IGNORE packets will be sent to
+the server during idle periods. Use this option in scripts to detect
+when the network fails. The argument must be an integer. The default
+is 0 (disabled), or 300 if the 
+.Cm BatchMode
+option is set.
 .It Cm ProxyCommand
 Specifies the command to use to connect to the server.
 The command
@@ -541,6 +560,19 @@ running.
 The default is
 .Dq yes .
 Note that this option applies to protocol version 1 only.
+.It Cm SetupTimeOut
+Normally,
+.Nm ssh
+blocks indefinitely whilst waiting to receive the ssh banner and other
+setup protocol from the server, during the session setup.  This can cause
+.Nm ssh
+to hang under certain circumstances.  If this option is set,
+.Nm ssh
+will give up if no data from the server is received for the specified
+number of seconds. The argument must be an integer. The default is 0
+(disabled), or 300 if
+.Cm BatchMode
+is set.
 .It Cm SmartcardDevice
 Specifies which smartcard device to use. The argument to this keyword is
 the device
diff --git a/sshconnect.c b/sshconnect.c
index 776d72065..95e0f6d77 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -47,6 +47,13 @@ extern pid_t proxy_command_pid;
 #define INET6_ADDRSTRLEN 46
 #endif
+static sig_atomic_t banner_timedout;
+static void banner_alarm_catch (int signum)
+{
+        banner_timedout = 1;
+}
 static int show_other_keys(const char *, Key *);
 /*
@@ -153,7 +160,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
        buffer_free(&command);
        /* Set the connection file descriptors. */
-        packet_set_connection(pout[0], pin[1]);
+        packet_set_connection(pout[0], pin[1], options.setuptimeout);
        /* Indicate OK return */
        return 0;
@@ -346,7 +353,7 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
                error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
        /* Set the connection. */
-        packet_set_connection(sock, sock);
+        packet_set_connection(sock, sock, options.setuptimeout);
        return 0;
 }
@@ -363,24 +370,41 @@ ssh_exchange_identification(void)
        int connection_in = packet_get_connection_in();
        int connection_out = packet_get_connection_out();
        int minor1 = PROTOCOL_MINOR_1;
+        struct sigaction sa, osa;
-        /* Read other side\'s version identification. */
+        /* Read other side's version identification.
+         * If SetupTimeOut has been set, give up after
+         * the specified amount of time
+         */
+        if(options.setuptimeout > 0){
+                memset(&sa, 0, sizeof(sa));
+                sa.sa_handler = banner_alarm_catch;
+                /*throw away any pending alarms, since we'd block otherwise*/
+                alarm(0);
+                sigaction(SIGALRM, &sa, &osa);
+                alarm(options.setuptimeout);
+        }
        for (;;) {
-                for (i = 0; i < sizeof(buf) - 1; i++) {
+                for (i = 0; i < sizeof(buf) - 1; ) {
-                        int len = atomicio(read, connection_in, &buf[i], 1);
+                        int len = read(connection_in, &buf[i], 1);
-                        if (len < 0)
+                        if (banner_timedout)
+                                fatal("ssh_exchange_identification: Timeout waiting for version information.");
+                        if (len < 0) {
+                                if (errno == EINTR)
+                                        continue;
                                fatal("ssh_exchange_identification: read: %.100s", strerror(errno));
+                        }
                        if (len != 1)
                                fatal("ssh_exchange_identification: Connection closed by remote host");
-                        if (buf[i] == '\r') {
-                                buf[i] = '\n';
-                                buf[i + 1] = 0;
-                                continue;               /**XXX wait for \n */
-                        }
                        if (buf[i] == '\n') {
                                buf[i + 1] = 0;
                                break;
                        }
+                        if (buf[i] == '\r') {
+                                buf[i] = '\n';
+                                buf[i + 1] = 0;         /**XXX wait for \n */
+                        }
+                        i++;
                }
                buf[sizeof(buf) - 1] = 0;
                if (strncmp(buf, "SSH-", 4) == 0)
@@ -389,6 +413,14 @@ ssh_exchange_identification(void)
        }
        server_version_string = xstrdup(buf);
+        /* If SetupTimeOut has been set, unset the alarm now, and
+         * put the correct handler for SIGALRM back.
+         */
+        if (options.setuptimeout > 0) {
+                alarm(0);
+                sigaction(SIGALRM,&osa,NULL);
+        }
        /*
         * Check that the versions match.  In future this might accept
         * several versions and set appropriate flags to handle them.
diff --git a/sshd.8 b/sshd.8
index 22ab70e00..1605922fb 100644
--- a/sshd.8
+++ b/sshd.8
@@ -256,9 +256,12 @@ Ports specified in the configuration file are ignored when a
 command-line port is specified.
 .It Fl q
 Quiet mode.
-Nothing is sent to the system log.
+Only fatal errors are sent to the system log.
 Normally the beginning,
 authentication, and termination of each connection is logged.
+If a second 
+.Fl q
+is given then nothing is sent to the system log.
 .It Fl t
 Test mode.
 Only check the validity of the configuration file and sanity of the keys.
diff --git a/sshd.c b/sshd.c
index f8bd7ce54..35685643f 100644
--- a/sshd.c
+++ b/sshd.c
@@ -870,7 +870,12 @@ main(int ac, char **av)
                        /* ignored */
                        break;
                case 'q':
-                        options.log_level = SYSLOG_LEVEL_QUIET;
+                        if (options.log_level == SYSLOG_LEVEL_QUIET) { 
+                                options.log_level = SYSLOG_LEVEL_SILENT; 
+                        } 
+                        else if (options.log_level != SYSLOG_LEVEL_SILENT) { 
+                                options.log_level = SYSLOG_LEVEL_QUIET; 
+                        } 
                        break;
                case 'b':
                        options.server_key_bits = atoi(optarg);
@@ -1168,7 +1173,7 @@ main(int ac, char **av)
                        /* Bind the socket to the desired port. */
                        if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
-                                if (!ai->ai_next)
+                                if (!num_listen_socks && !ai->ai_next)
                                    error("Bind to port %s on %s failed: %.200s.",
                                            strport, ntop, strerror(errno));
                                close(listen_sock);
@@ -1421,7 +1426,7 @@ main(int ac, char **av)
         * Register our connection.  This turns encryption off because we do
         * not have a key.
         */
-        packet_set_connection(sock_in, sock_out);
+        packet_set_connection(sock_in, sock_out, -1);
        remote_port = get_remote_port();
        remote_ip = get_remote_ipaddr();