44 files changed, 392 insertions, 329 deletions

diff --git a/regress/Makefile b/regress/Makefile
index 6ef5d9cce..ab2a6ae7b 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.62 2013/01/18 00:45:29 djm Exp $
+#       $OpenBSD: Makefile,v 1.65 2013/04/18 02:46:12 djm Exp $
 
 REGRESS_TARGETS=        t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec
 tests:          $(REGRESS_TARGETS)
@@ -8,6 +8,7 @@ interop interop-tests: t-exec-interop
 
 clean:
         for F in $(CLEANFILES); do rm -f $(OBJ)$$F; done
+        test -z "${SUDO}" || ${SUDO} rm -f ${SUDO_CLEAN}
         rm -rf $(OBJ).putty
 
 distclean:      clean
@@ -38,6 +39,7 @@ LTESTS= 	connect \
                 key-options \
                 scp \
                 sftp \
+                sftp-chroot \
                 sftp-cmds \
                 sftp-badcmds \
                 sftp-batch \
@@ -82,8 +84,11 @@ CLEANFILES=	t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
                 putty.rsa2 sshd_proxy_orig ssh_proxy_bak \
                 key.rsa-* key.dsa-* key.ecdsa-* \
                 authorized_principals_${USER} expect actual ready \
-                sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-*
+                sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-* \
+                ssh.log failed-ssh.log sshd.log failed-sshd.log \
+                regress.log failed-regress.log ssh-log-wrapper.sh
 
+SUDO_CLEAN+=    /var/run/testdata_${USER} /var/run/keycommand_${USER}
 
 # Enable all malloc(3) randomisations and checks
 TEST_ENV=      "MALLOC_OPTIONS=AFGJPRX"
@@ -150,14 +155,14 @@ t-exec:	${LTESTS:=.sh}
         @if [ "x$?" = "x" ]; then exit 0; fi; \
         for TEST in ""$?; do \
                 echo "run test $${TEST}" ... 1>&2; \
-                (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \
+                (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} ${TEST_SHELL} ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \
         done
 
 t-exec-interop: ${INTEROP_TESTS:=.sh}
         @if [ "x$?" = "x" ]; then exit 0; fi; \
         for TEST in ""$?; do \
                 echo "run test $${TEST}" ... 1>&2; \
-                (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \
+                (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} ${TEST_SHELL} ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \
         done
 
 # Not run by default
diff --git a/regress/agent-getpeereid.sh b/regress/agent-getpeereid.sh
index faf654c04..d5ae2d6e2 100644
--- a/regress/agent-getpeereid.sh
+++ b/regress/agent-getpeereid.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: agent-getpeereid.sh,v 1.4 2007/11/25 15:35:09 jmc Exp $
+#       $OpenBSD: agent-getpeereid.sh,v 1.5 2013/05/17 10:33:09 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="disallow agent attach from other uid"
@@ -18,7 +18,6 @@ if [ -z "$SUDO" ]; then
         exit 0
 fi
 
-
 trace "start agent"
 eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null
 r=$?
diff --git a/regress/agent-timeout.sh b/regress/agent-timeout.sh
index 3a40e7af8..68826594e 100644
--- a/regress/agent-timeout.sh
+++ b/regress/agent-timeout.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: agent-timeout.sh,v 1.1 2002/06/06 00:38:40 markus Exp $
+#       $OpenBSD: agent-timeout.sh,v 1.2 2013/05/17 01:16:09 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="agent timeout test"
diff --git a/regress/agent.sh b/regress/agent.sh
index 094cf694b..be7d91334 100644
--- a/regress/agent.sh
+++ b/regress/agent.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: agent.sh,v 1.7 2007/11/25 15:35:09 jmc Exp $
+#       $OpenBSD: agent.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="simple agent test"
@@ -19,7 +19,7 @@ else
                 fail "ssh-add -l did not fail with exit code 1"
         fi
         trace "overwrite authorized keys"
-        echon > $OBJ/authorized_keys_$USER
+        printf '' > $OBJ/authorized_keys_$USER
         for t in rsa rsa1; do
                 # generate user key for agent
                 rm -f $OBJ/$t-agent
diff --git a/regress/bsd.regress.mk b/regress/bsd.regress.mk
deleted file mode 100644
index 9b8011a01..000000000
--- a/regress/bsd.regress.mk
+++ /dev/null
@@ -1,79 +0,0 @@
-#       $OpenBSD: bsd.regress.mk,v 1.9 2002/02/17 01:10:15 marc Exp $
-# No man pages for regression tests.
-NOMAN=
-
-# No installation.
-install:
-
-# If REGRESSTARGETS is defined and PROG is not defined, set NOPROG
-.if defined(REGRESSTARGETS) && !defined(PROG)
-NOPROG=
-.endif
-
-.include <bsd.prog.mk>
-
-.MAIN: all
-all: regress
-
-# XXX - Need full path to REGRESSLOG, otherwise there will be much pain.
-
-REGRESSLOG?=/dev/null
-REGRESSNAME=${.CURDIR:S/${BSDSRCDIR}\/regress\///}
-
-.if defined(PROG) && !empty(PROG)
-run-regress-${PROG}: ${PROG}
-        ./${PROG}
-.endif
-
-.if !defined(REGRESSTARGETS)
-REGRESSTARGETS=run-regress-${PROG}
-.  if defined(REGRESSSKIP)
-REGRESSSKIPTARGETS=run-regress-${PROG}
-.  endif
-.endif
-
-REGRESSSKIPSLOW?=no
-
-#.if (${REGRESSSKIPSLOW:L} == "yes") && defined(REGRESSSLOWTARGETS)
-
-.if (${REGRESSSKIPSLOW} == "yes") && defined(REGRESSSLOWTARGETS)
-REGRESSSKIPTARGETS+=${REGRESSSLOWTARGETS}
-.endif
-
-.if defined(REGRESSROOTTARGETS)
-ROOTUSER!=id -g
-SUDO?=
-. if (${ROOTUSER} != 0) && empty(SUDO)
-REGRESSSKIPTARGETS+=${REGRESSROOTTARGETS}
-. endif
-.endif
-
-REGRESSSKIPTARGETS?=
-
-regress:
-.for RT in ${REGRESSTARGETS} 
-.  if ${REGRESSSKIPTARGETS:M${RT}}
-        @echo -n "SKIP " >> ${REGRESSLOG}
-.  else
-# XXX - we need a better method to see if a test fails due to timeout or just
-#       normal failure.
-.   if !defined(REGRESSMAXTIME)
-        @if cd ${.CURDIR} && ${MAKE} ${RT}; then \
-            echo -n "SUCCESS " >> ${REGRESSLOG} ; \
-        else \
-            echo -n "FAIL " >> ${REGRESSLOG} ; \
-            echo FAILED ; \
-        fi
-.   else
-        @if cd ${.CURDIR} && (ulimit -t ${REGRESSMAXTIME} ; ${MAKE} ${RT}); then \
-            echo -n "SUCCESS " >> ${REGRESSLOG} ; \
-        else \
-            echo -n "FAIL (possible timeout) " >> ${REGRESSLOG} ; \
-            echo FAILED ; \
-        fi
-.   endif
-.  endif
-        @echo ${REGRESSNAME}/${RT:S/^run-regress-//} >> ${REGRESSLOG}
-.endfor
-
-.PHONY: regress
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 6216abd87..35cd39293 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: cert-hostkey.sh,v 1.6 2011/05/20 02:43:36 djm Exp $
+#       $OpenBSD: cert-hostkey.sh,v 1.7 2013/05/17 00:37:40 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="certified host keys"
@@ -18,8 +18,8 @@ HOSTS='localhost-with-alias,127.0.0.1,::1'
 ${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/host_ca_key ||\
         fail "ssh-keygen of host_ca_key failed"
 (
-        echon '@cert-authority '
-        echon "$HOSTS "
+        printf '@cert-authority '
+        printf "$HOSTS "
         cat $OBJ/host_ca_key.pub
 ) > $OBJ/known_hosts-cert
 
@@ -66,25 +66,25 @@ done
 
 # Revoked certificates with key present
 (
-        echon '@cert-authority '
-        echon "$HOSTS "
+        printf '@cert-authority '
+        printf "$HOSTS "
         cat $OBJ/host_ca_key.pub
-        echon '@revoked '
-        echon "* "
+        printf '@revoked '
+        printf "* "
         cat $OBJ/cert_host_key_rsa.pub
         if test "x$TEST_SSH_ECC" = "xyes"; then
-                echon '@revoked '
-                echon "* "
+                printf '@revoked '
+                printf "* "
                 cat $OBJ/cert_host_key_ecdsa.pub
         fi
-        echon '@revoked '
-        echon "* "
+        printf '@revoked '
+        printf "* "
         cat $OBJ/cert_host_key_dsa.pub
-        echon '@revoked '
-        echon "* "
+        printf '@revoked '
+        printf "* "
         cat $OBJ/cert_host_key_rsa_v00.pub
-        echon '@revoked '
-        echon "* "
+        printf '@revoked '
+        printf "* "
         cat $OBJ/cert_host_key_dsa_v00.pub
 ) > $OBJ/known_hosts-cert
 for privsep in yes no ; do
@@ -108,11 +108,11 @@ done
 
 # Revoked CA
 (
-        echon '@cert-authority '
-        echon "$HOSTS "
+        printf '@cert-authority '
+        printf "$HOSTS "
         cat $OBJ/host_ca_key.pub
-        echon '@revoked '
-        echon "* "
+        printf '@revoked '
+        printf "* "
         cat $OBJ/host_ca_key.pub
 ) > $OBJ/known_hosts-cert
 for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do 
@@ -132,8 +132,8 @@ done
 
 # Create a CA key and add it to known hosts
 (
-        echon '@cert-authority '
-        echon "$HOSTS "
+        printf '@cert-authority '
+        printf "$HOSTS "
         cat $OBJ/host_ca_key.pub
 ) > $OBJ/known_hosts-cert
 
@@ -200,7 +200,7 @@ for v in v01 v00 ;  do
                     -n $HOSTS $OBJ/cert_host_key_${ktype} ||
                         fail "couldn't sign cert_host_key_${ktype}"
                 (
-                        echon "$HOSTS "
+                        printf "$HOSTS "
                         cat $OBJ/cert_host_key_${ktype}.pub
                 ) > $OBJ/known_hosts-cert
                 (
@@ -220,8 +220,8 @@ done
 
 # Wrong certificate
 (
-        echon '@cert-authority '
-        echon "$HOSTS "
+        printf '@cert-authority '
+        printf "$HOSTS "
         cat $OBJ/host_ca_key.pub
 ) > $OBJ/known_hosts-cert
 for v in v01 v00 ;  do 
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 3bba9f8f2..6018b38f4 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: cert-userkey.sh,v 1.10 2013/01/18 00:45:29 djm Exp $
+#       $OpenBSD: cert-userkey.sh,v 1.11 2013/05/17 00:37:40 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="certified user keys"
@@ -126,7 +126,7 @@ for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
                 # Wrong principals list
                 verbose "$tid: ${_prefix} wrong principals key option"
                 (
-                        echon 'cert-authority,principals="gregorsamsa" '
+                        printf 'cert-authority,principals="gregorsamsa" '
                         cat $OBJ/user_ca_key.pub
                 ) > $OBJ/authorized_keys_$USER
                 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
@@ -138,7 +138,7 @@ for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
                 # Correct principals list
                 verbose "$tid: ${_prefix} correct principals key option"
                 (
-                        echon 'cert-authority,principals="mekmitasdigoat" '
+                        printf 'cert-authority,principals="mekmitasdigoat" '
                         cat $OBJ/user_ca_key.pub
                 ) > $OBJ/authorized_keys_$USER
                 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
@@ -154,7 +154,7 @@ basic_tests() {
         if test "x$auth" = "xauthorized_keys" ; then
                 # Add CA to authorized_keys
                 (
-                        echon 'cert-authority '
+                        printf 'cert-authority '
                         cat $OBJ/user_ca_key.pub
                 ) > $OBJ/authorized_keys_$USER
         else
@@ -264,7 +264,7 @@ test_one() {
                         if test "x$auth" = "xauthorized_keys" ; then
                                 # Add CA to authorized_keys
                                 (
-                                        echon "cert-authority${auth_opt} "
+                                        printf "cert-authority${auth_opt} "
                                         cat $OBJ/user_ca_key.pub
                                 ) > $OBJ/authorized_keys_$USER
                         else
diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh
index 0603fab64..80cf22930 100644
--- a/regress/cfgmatch.sh
+++ b/regress/cfgmatch.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: cfgmatch.sh,v 1.6 2011/06/03 05:35:10 dtucker Exp $
+#       $OpenBSD: cfgmatch.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="sshd_config match"
@@ -15,7 +15,7 @@ start_client()
         rm -f $pidfile
         ${SSH} -q -$p $fwd "$@" somehost \
             exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
-            >>$TEST_SSH_LOGFILE 2>&1 &
+            >>$TEST_REGRESS_LOGFILE 2>&1 &
         client_pid=$!
         # Wait for remote end
         n=0
@@ -34,21 +34,20 @@ stop_client()
         pid=`cat $pidfile`
         if [ ! -z "$pid" ]; then
                 kill $pid
-                sleep 1
         fi
         wait
 }
 
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
-grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
-echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy
 echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config
-echo "Match user $USER" >>$OBJ/sshd_proxy
-echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy
 echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
 echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config
 
+grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
+echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy
 echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy
+echo "Match user $USER" >>$OBJ/sshd_proxy
+echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy
 echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
 echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
 
@@ -75,9 +74,9 @@ for p in 1 2; do
 done
 
 # Retry previous with key option, should also be denied.
-echon 'permitopen="127.0.0.1:'$PORT'" ' >$OBJ/authorized_keys_$USER
+printf 'permitopen="127.0.0.1:'$PORT'" ' >$OBJ/authorized_keys_$USER
 cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
-echon 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER
+printf 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER
 cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
 for p in 1 2; do
         trace "match permitopen proxy w/key opts proto $p"
diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh
index 65e5f35ec..489d9f5fa 100644
--- a/regress/cipher-speed.sh
+++ b/regress/cipher-speed.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: cipher-speed.sh,v 1.7 2013/01/12 11:23:53 djm Exp $
+#       $OpenBSD: cipher-speed.sh,v 1.9 2013/05/17 04:29:14 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="cipher speed"
diff --git a/regress/conch-ciphers.sh b/regress/conch-ciphers.sh
index 5b65cd993..199d863a0 100644
--- a/regress/conch-ciphers.sh
+++ b/regress/conch-ciphers.sh
@@ -1,11 +1,8 @@
-#       $OpenBSD: conch-ciphers.sh,v 1.2 2008/06/30 10:43:03 djm Exp $
+#       $OpenBSD: conch-ciphers.sh,v 1.3 2013/05/17 04:29:14 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="conch ciphers"
 
-DATA=/bin/ls
-COPY=${OBJ}/copy
-
 if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then
         echo "conch interop tests not enabled"
         exit 0
diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh
index d1ab8059b..42fa8acdc 100644
--- a/regress/dynamic-forward.sh
+++ b/regress/dynamic-forward.sh
@@ -1,12 +1,10 @@
-#       $OpenBSD: dynamic-forward.sh,v 1.9 2011/06/03 00:29:52 dtucker Exp $
+#       $OpenBSD: dynamic-forward.sh,v 1.10 2013/05/17 04:29:14 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="dynamic forwarding"
 
 FWDPORT=`expr $PORT + 1`
 
-DATA=/bin/ls${EXEEXT}
-
 if have_prog nc && nc -h 2>&1 | grep "proxy address" >/dev/null; then
         proxycmd="nc -x 127.0.0.1:$FWDPORT -X"
 elif have_prog connect; then
diff --git a/regress/forcecommand.sh b/regress/forcecommand.sh
index 99e51a60f..44d2b7ffd 100644
--- a/regress/forcecommand.sh
+++ b/regress/forcecommand.sh
@@ -1,13 +1,13 @@
-#       $OpenBSD: forcecommand.sh,v 1.1 2006/07/19 13:09:28 dtucker Exp $
+#       $OpenBSD: forcecommand.sh,v 1.2 2013/05/17 00:37:40 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="forced command"
 
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 
-echon 'command="true" ' >$OBJ/authorized_keys_$USER
+printf 'command="true" ' >$OBJ/authorized_keys_$USER
 cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
-echon 'command="true" ' >>$OBJ/authorized_keys_$USER
+printf 'command="true" ' >>$OBJ/authorized_keys_$USER
 cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
 
 for p in 1 2; do
@@ -16,9 +16,9 @@ for p in 1 2; do
             fail "forced command in key proto $p"
 done
 
-echon 'command="false" ' >$OBJ/authorized_keys_$USER
+printf 'command="false" ' >$OBJ/authorized_keys_$USER
 cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
-echon 'command="false" ' >>$OBJ/authorized_keys_$USER
+printf 'command="false" ' >>$OBJ/authorized_keys_$USER
 cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
 
 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
diff --git a/regress/forwarding.sh b/regress/forwarding.sh
index f9c367beb..94873f22c 100644
--- a/regress/forwarding.sh
+++ b/regress/forwarding.sh
@@ -1,7 +1,8 @@
-#       $OpenBSD: forwarding.sh,v 1.8 2012/06/01 00:47:35 djm Exp $
+#       $OpenBSD: forwarding.sh,v 1.11 2013/06/10 21:56:43 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="local and remote forwarding"
+
 DATA=/bin/ls${EXEEXT}
 
 start_sshd
@@ -26,9 +27,9 @@ for p in 1 2; do
 
         trace "transfer over forwarded channels and check result"
         ${SSH} -$q -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \
-                somehost cat $DATA > $OBJ/ls.copy
-        test -f $OBJ/ls.copy                    || fail "failed copy $DATA"
-        cmp $DATA $OBJ/ls.copy                  || fail "corrupted copy of $DATA"
+                somehost cat ${DATA} > ${COPY}
+        test -f ${COPY}         || fail "failed copy of ${DATA}"
+        cmp ${DATA} ${COPY}     || fail "corrupted copy of ${DATA}"
 
         sleep 10
 done
@@ -75,7 +76,7 @@ for p in 1 2; do
         else
                 # this one should fail
                 ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \
-                     2>>$TEST_SSH_LOGFILE && \
+                     >>$TEST_REGRESS_LOGFILE 2>&1 && \
                         fail "local forwarding not cleared"
         fi
         sleep 10
@@ -88,7 +89,7 @@ for p in 1 2; do
         else
                 # this one should fail
                 ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \
-                     2>>$TEST_SSH_LOGFILE && \
+                     >>$TEST_REGRESS_LOGFILE 2>&1 && \
                         fail "remote forwarding not cleared"
         fi
         sleep 10
@@ -103,3 +104,18 @@ for p in 2; do
                 fail "stdio forwarding proto $p"
         fi
 done
+
+echo "LocalForward ${base}01 127.0.0.1:$PORT" >> $OBJ/ssh_config
+echo "RemoteForward ${base}02 127.0.0.1:${base}01" >> $OBJ/ssh_config
+for p in 1 2; do
+        trace "config file: start forwarding, fork to background"
+        ${SSH} -$p -F $OBJ/ssh_config -f somehost sleep 10
+
+        trace "config file: transfer over forwarded channels and check result"
+        ${SSH} -F $OBJ/ssh_config -p${base}02 -o 'ConnectionAttempts=4' \
+                somehost cat ${DATA} > ${COPY}
+        test -f ${COPY}         || fail "failed copy of ${DATA}"
+        cmp ${DATA} ${COPY}     || fail "corrupted copy of ${DATA}"
+
+        wait
+done
diff --git a/regress/integrity.sh b/regress/integrity.sh
index 4d46926d5..1d17fe10a 100644
--- a/regress/integrity.sh
+++ b/regress/integrity.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: integrity.sh,v 1.7 2013/02/20 08:27:50 djm Exp $
+#       $OpenBSD: integrity.sh,v 1.10 2013/05/17 01:32:11 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="integrity"
@@ -21,12 +21,13 @@ config_defined HAVE_EVP_SHA256 &&
 config_defined OPENSSL_HAVE_EVPGCM && \
         macs="$macs aes128-gcm@openssh.com aes256-gcm@openssh.com"
 
-# sshd-command for proxy (see test-exec.sh)
-cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy"
+# avoid DH group exchange as the extra traffic makes it harder to get the
+# offset into the stream right.
+echo "KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group1-sha1" \
+        >> $OBJ/ssh_proxy
 
-jot() {
-        awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }"
-}
+# sshd-command for proxy (see test-exec.sh)
+cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSHD_LOGFILE} -i -f $OBJ/sshd_proxy"
 
 for m in $macs; do
         trace "test $tid: mac $m"
@@ -47,14 +48,15 @@ for m in $macs; do
                         aes*gcm*)       macopt="-c $m";;
                         *)              macopt="-m $m";;
                 esac
-                output=`${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \
-                    999.999.999.999 'printf "%4096s" " "' 2>&1`
+                verbose "test $tid: $m @$off"
+                ${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \
+                    999.999.999.999 'printf "%4096s" " "' >/dev/null
                 if [ $? -eq 0 ]; then
                         fail "ssh -m $m succeeds with bit-flip at $off"
                 fi
                 ecnt=`expr $ecnt + 1`
-                output=`echo $output | tr -s '\r\n' '.'`
-                verbose "test $tid: $m @$off $output"
+                output=$(tail -2 $TEST_SSH_LOGFILE | egrep -v "^debug" | \
+                     tr -s '\r\n' '.')
                 case "$output" in
                 Bad?packet*)    elen=`expr $elen + 1`; skip=3;;
                 Corrupted?MAC* | Decryption?integrity?check?failed*)
diff --git a/regress/keytype.sh b/regress/keytype.sh
index cb40c6864..59586bf0d 100644
--- a/regress/keytype.sh
+++ b/regress/keytype.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: keytype.sh,v 1.1 2010/09/02 16:12:55 markus Exp $
+#       $OpenBSD: keytype.sh,v 1.2 2013/05/17 00:37:40 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="login with different key types"
@@ -40,7 +40,7 @@ for ut in $ktypes; do
                         echo IdentityFile $OBJ/key.$ut 
                 ) > $OBJ/ssh_proxy
                 (
-                        echon 'localhost-with-alias,127.0.0.1,::1 '
+                        printf 'localhost-with-alias,127.0.0.1,::1 '
                         cat $OBJ/key.$ht.pub
                 ) > $OBJ/known_hosts
                 cat $OBJ/key.$ut.pub > $OBJ/authorized_keys_$USER
diff --git a/regress/krl.sh b/regress/krl.sh
index 62a239c38..de9cc8764 100644
--- a/regress/krl.sh
+++ b/regress/krl.sh
@@ -39,10 +39,6 @@ serial: 799
 serial: 599-701
 EOF
 
-jot() {
-        awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }"
-}
-
 # A specification that revokes some certificated by key ID.
 touch $OBJ/revoked-keyid
 for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
diff --git a/regress/localcommand.sh b/regress/localcommand.sh
index feade7a9d..8a9b56971 100644
--- a/regress/localcommand.sh
+++ b/regress/localcommand.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: localcommand.sh,v 1.1 2007/10/29 06:57:13 dtucker Exp $
+#       $OpenBSD: localcommand.sh,v 1.2 2013/05/17 10:24:48 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="localcommand"
diff --git a/regress/login-timeout.sh b/regress/login-timeout.sh
index 55fbb324d..d73923b9c 100644
--- a/regress/login-timeout.sh
+++ b/regress/login-timeout.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: login-timeout.sh,v 1.4 2005/02/27 23:13:36 djm Exp $
+#       $OpenBSD: login-timeout.sh,v 1.5 2013/05/17 10:23:52 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="connect after login grace timeout"
diff --git a/regress/modpipe.c b/regress/modpipe.c
index 9629aa80b..85747cf7d 100755
--- a/regress/modpipe.c
+++ b/regress/modpipe.c
@@ -14,7 +14,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $OpenBSD: modpipe.c,v 1.4 2013/02/20 08:29:27 djm Exp $ */
+/* $OpenBSD: modpipe.c,v 1.5 2013/05/10 03:46:14 djm Exp $ */
 
 #include "includes.h"
 
@@ -25,7 +25,7 @@
 #include <stdarg.h>
 #include <stdlib.h>
 #include <errno.h>
-#include "openbsd-compat/getopt.c"
+#include "openbsd-compat/getopt_long.c"
 
 static void err(int, const char *, ...) __attribute__((format(printf, 2, 3)));
 static void errx(int, const char *, ...) __attribute__((format(printf, 2, 3)));
diff --git a/regress/multiplex.sh b/regress/multiplex.sh
index 1e6cc7606..3e697e691 100644
--- a/regress/multiplex.sh
+++ b/regress/multiplex.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: multiplex.sh,v 1.17 2012/10/05 02:05:30 dtucker Exp $
+#       $OpenBSD: multiplex.sh,v 1.21 2013/05/17 04:29:14 dtucker Exp $
 #       Placed in the Public Domain.
 
 CTL=/tmp/openssh.regress.ctl-sock.$$
@@ -10,8 +10,7 @@ if config_defined DISABLE_FD_PASSING ; then
         exit 0
 fi
 
-DATA=/bin/ls${EXEEXT}
-COPY=$OBJ/ls.copy
+P=3301  # test port
 
 wait_for_mux_master_ready()
 {
@@ -25,10 +24,16 @@ wait_for_mux_master_ready()
 
 start_sshd
 
-trace "start master, fork to background"
-${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost &
-MASTER_PID=$!
-wait_for_mux_master_ready
+start_mux_master()
+{
+        trace "start master, fork to background"
+        ${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost \
+            -E $TEST_REGRESS_LOGFILE 2>&1 &
+        MASTER_PID=$!
+        wait_for_mux_master_ready
+}
+
+start_mux_master
 
 verbose "test $tid: envpass"
 trace "env passing over multiplexed connection"
@@ -55,13 +60,13 @@ cmp ${DATA} ${COPY}		|| fail "ssh -S ctl: corrupted copy of ${DATA}"
 rm -f ${COPY}
 trace "sftp transfer over multiplexed connection and check result"
 echo "get ${DATA} ${COPY}" | \
-        ${SFTP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost >>$TEST_SSH_LOGFILE 2>&1
+        ${SFTP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost >>$TEST_REGRESS_LOGFILE 2>&1
 test -f ${COPY}                 || fail "sftp: failed copy ${DATA}" 
 cmp ${DATA} ${COPY}             || fail "sftp: corrupted copy of ${DATA}"
 
 rm -f ${COPY}
 trace "scp transfer over multiplexed connection and check result"
-${SCP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost:${DATA} ${COPY} >>$TEST_SSH_LOGFILE 2>&1
+${SCP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost:${DATA} ${COPY} >>$TEST_REGRESS_LOGFILE 2>&1
 test -f ${COPY}                 || fail "scp: failed copy ${DATA}" 
 cmp ${DATA} ${COPY}             || fail "scp: corrupted copy of ${DATA}"
 
@@ -87,11 +92,31 @@ for s in 0 1 4 5 44; do
 done
 
 verbose "test $tid: cmd check"
-${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost >>$TEST_SSH_LOGFILE 2>&1 \
+${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \
     || fail "check command failed" 
 
+verbose "test $tid: cmd forward local"
+${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -L $P:localhost:$PORT otherhost \
+     || fail "request local forward failed"
+${SSH} -F $OBJ/ssh_config -p$P otherhost true \
+     || fail "connect to local forward port failed"
+${SSH} -F $OBJ/ssh_config -S $CTL -Ocancel -L $P:localhost:$PORT otherhost \
+     || fail "cancel local forward failed"
+${SSH} -F $OBJ/ssh_config -p$P otherhost true \
+     && fail "local forward port still listening"
+
+verbose "test $tid: cmd forward remote"
+${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -R $P:localhost:$PORT otherhost \
+     || fail "request remote forward failed"
+${SSH} -F $OBJ/ssh_config -p$P otherhost true \
+     || fail "connect to remote forwarded port failed"
+${SSH} -F $OBJ/ssh_config -S $CTL -Ocancel -R $P:localhost:$PORT otherhost \
+     || fail "cancel remote forward failed"
+${SSH} -F $OBJ/ssh_config -p$P otherhost true \
+     && fail "remote forward port still listening"
+
 verbose "test $tid: cmd exit"
-${SSH} -F $OBJ/ssh_config -S $CTL -Oexit otherhost >>$TEST_SSH_LOGFILE 2>&1 \
+${SSH} -F $OBJ/ssh_config -S $CTL -Oexit otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \
     || fail "send exit command failed" 
 
 # Wait for master to exit
@@ -101,15 +126,13 @@ kill -0 $MASTER_PID >/dev/null 2>&1 && fail "exit command failed"
 # Restart master and test -O stop command with master using -N
 verbose "test $tid: cmd stop"
 trace "restart master, fork to background"
-${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost &
-MASTER_PID=$!
-wait_for_mux_master_ready
+start_mux_master
 
 # start a long-running command then immediately request a stop
 ${SSH} -F $OBJ/ssh_config -S $CTL otherhost "sleep 10; exit 0" \
-     >>$TEST_SSH_LOGFILE 2>&1 &
+     >>$TEST_REGRESS_LOGFILE 2>&1 &
 SLEEP_PID=$!
-${SSH} -F $OBJ/ssh_config -S $CTL -Ostop otherhost >>$TEST_SSH_LOGFILE 2>&1 \
+${SSH} -F $OBJ/ssh_config -S $CTL -Ostop otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \
     || fail "send stop command failed"
 
 # wait until both long-running command and master have exited.
diff --git a/regress/portnum.sh b/regress/portnum.sh
index 1de0680fe..c56b869a3 100644
--- a/regress/portnum.sh
+++ b/regress/portnum.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: portnum.sh,v 1.1 2009/08/13 00:57:17 djm Exp $
+#       $OpenBSD: portnum.sh,v 1.2 2013/05/17 10:34:30 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="port number parsing"
diff --git a/regress/proto-version.sh b/regress/proto-version.sh
index 1651a69e1..b876dd7ec 100644
--- a/regress/proto-version.sh
+++ b/regress/proto-version.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: proto-version.sh,v 1.3 2002/03/15 13:08:56 markus Exp $
+#       $OpenBSD: proto-version.sh,v 1.4 2013/05/17 00:37:40 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="sshd version with different protocol combinations"
@@ -8,7 +8,7 @@ check_version ()
 {
         version=$1
         expect=$2
-        banner=`echon | ${SSHD} -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy`
+        banner=`printf '' | ${SSHD} -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy`
         case ${banner} in
         SSH-1.99-*)
                 proto=199
diff --git a/regress/proxy-connect.sh b/regress/proxy-connect.sh
index 6a36b2513..76e602dd6 100644
--- a/regress/proxy-connect.sh
+++ b/regress/proxy-connect.sh
@@ -1,8 +1,9 @@
-#       $OpenBSD: proxy-connect.sh,v 1.5 2002/12/09 15:28:46 markus Exp $
+#       $OpenBSD: proxy-connect.sh,v 1.6 2013/03/07 00:20:34 djm Exp $
 #       Placed in the Public Domain.
 
 tid="proxy connect"
 
+verbose "plain username"
 for p in 1 2; do
         ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
         if [ $? -ne 0 ]; then
@@ -16,3 +17,10 @@ for p in 1 2; do
                 fail "bad SSH_CONNECTION"
         fi
 done
+
+verbose "username with style"
+for p in 1 2; do
+        ${SSH} -$p -F $OBJ/ssh_proxy ${USER}:style@999.999.999.999 true || \
+                fail "ssh proxyconnect protocol $p failed"
+done
+
diff --git a/regress/putty-ciphers.sh b/regress/putty-ciphers.sh
index 928ea60d2..724a98cc1 100644
--- a/regress/putty-ciphers.sh
+++ b/regress/putty-ciphers.sh
@@ -1,11 +1,8 @@
-#       $OpenBSD: putty-ciphers.sh,v 1.3 2008/11/10 02:06:35 djm Exp $
+#       $OpenBSD: putty-ciphers.sh,v 1.4 2013/05/17 04:29:14 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="putty ciphers"
 
-DATA=/bin/ls
-COPY=${OBJ}/copy
-
 if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
         echo "putty interop tests not enabled"
         exit 0
diff --git a/regress/putty-kex.sh b/regress/putty-kex.sh
index 293885a8a..1844d6599 100644
--- a/regress/putty-kex.sh
+++ b/regress/putty-kex.sh
@@ -1,11 +1,8 @@
-#       $OpenBSD: putty-kex.sh,v 1.2 2008/06/30 10:31:11 djm Exp $
+#       $OpenBSD: putty-kex.sh,v 1.3 2013/05/17 04:29:14 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="putty KEX"
 
-DATA=/bin/ls
-COPY=${OBJ}/copy
-
 if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
         echo "putty interop tests not enabled"
         exit 0
diff --git a/regress/putty-transfer.sh b/regress/putty-transfer.sh
index 9e1e1550a..aec0e04ee 100644
--- a/regress/putty-transfer.sh
+++ b/regress/putty-transfer.sh
@@ -1,11 +1,8 @@
-#       $OpenBSD: putty-transfer.sh,v 1.2 2008/06/30 10:31:11 djm Exp $
+#       $OpenBSD: putty-transfer.sh,v 1.3 2013/05/17 04:29:14 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="putty transfer data"
 
-DATA=/bin/ls
-COPY=${OBJ}/copy
-
 if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
         echo "putty interop tests not enabled"
         exit 0
diff --git a/regress/reexec.sh b/regress/reexec.sh
index 9464eb699..433573f06 100644
--- a/regress/reexec.sh
+++ b/regress/reexec.sh
@@ -1,12 +1,10 @@
-#       $OpenBSD: reexec.sh,v 1.5 2004/10/08 02:01:50 djm Exp $
+#       $OpenBSD: reexec.sh,v 1.7 2013/05/17 10:23:52 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="reexec tests"
 
-DATA=/bin/ls${EXEEXT}
-COPY=${OBJ}/copy
-SSHD_ORIG=$SSHD${EXEEXT}
-SSHD_COPY=$OBJ/sshd${EXEEXT}
+SSHD_ORIG=$SSHD
+SSHD_COPY=$OBJ/sshd
 
 # Start a sshd and then delete it
 start_sshd_copy ()
diff --git a/regress/rekey.sh b/regress/rekey.sh
index 3c5f266fc..8eb7efaf9 100644
--- a/regress/rekey.sh
+++ b/regress/rekey.sh
@@ -1,23 +1,18 @@
-#       $OpenBSD: rekey.sh,v 1.1 2003/03/28 13:58:28 markus Exp $
+#       $OpenBSD: rekey.sh,v 1.8 2013/05/17 04:29:14 dtucker Exp $
 #       Placed in the Public Domain.
 
-tid="rekey during transfer data"
+tid="rekey"
 
-DATA=${OBJ}/data
-COPY=${OBJ}/copy
-LOG=${OBJ}/log
+LOG=${TEST_SSH_LOGFILE}
 
-rm -f ${COPY} ${LOG} ${DATA}
-touch ${DATA}
-dd if=/bin/ls${EXEEXT} of=${DATA} bs=1k seek=511 count=1 > /dev/null 2>&1
+rm -f ${LOG}
 
 for s in 16 1k 128k 256k; do
-        trace "rekeylimit ${s}"
-        rm -f ${COPY}
+        verbose "client rekeylimit ${s}"
+        rm -f ${COPY} ${LOG}
         cat $DATA | \
                 ${SSH} -oCompression=no -oRekeyLimit=$s \
-                        -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}" \
-                2> ${LOG}
+                        -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
         if [ $? -ne 0 ]; then
                 fail "ssh failed"
         fi
@@ -29,4 +24,86 @@ for s in 16 1k 128k 256k; do
                 fail "no rekeying occured"
         fi
 done
-rm -f ${COPY} ${LOG} ${DATA}
+
+for s in 5 10; do
+        verbose "client rekeylimit default ${s}"
+        rm -f ${COPY} ${LOG}
+        cat $DATA | \
+                ${SSH} -oCompression=no -oRekeyLimit="default $s" -F \
+                        $OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 3"
+        if [ $? -ne 0 ]; then
+                fail "ssh failed"
+        fi
+        cmp $DATA ${COPY}               || fail "corrupted copy"
+        n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
+        n=`expr $n - 1`
+        trace "$n rekeying(s)"
+        if [ $n -lt 1 ]; then
+                fail "no rekeying occured"
+        fi
+done
+
+for s in 5 10; do
+        verbose "client rekeylimit default ${s} no data"
+        rm -f ${COPY} ${LOG}
+        ${SSH} -oCompression=no -oRekeyLimit="default $s" -F \
+                $OBJ/ssh_proxy somehost "sleep $s;sleep 3"
+        if [ $? -ne 0 ]; then
+                fail "ssh failed"
+        fi
+        n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
+        n=`expr $n - 1`
+        trace "$n rekeying(s)"
+        if [ $n -lt 1 ]; then
+                fail "no rekeying occured"
+        fi
+done
+
+echo "rekeylimit default 5" >>$OBJ/sshd_proxy
+for s in 5 10; do
+        verbose "server rekeylimit default ${s} no data"
+        rm -f ${COPY} ${LOG}
+        ${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "sleep $s;sleep 3"
+        if [ $? -ne 0 ]; then
+                fail "ssh failed"
+        fi
+        n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
+        n=`expr $n - 1`
+        trace "$n rekeying(s)"
+        if [ $n -lt 1 ]; then
+                fail "no rekeying occured"
+        fi
+done
+
+verbose "rekeylimit parsing"
+for size in 16 1k 1K 1m 1M 1g 1G; do
+    for time in 1 1m 1M 1h 1H 1d 1D 1w 1W; do
+        case $size in
+                16)     bytes=16 ;;
+                1k|1K)  bytes=1024 ;;
+                1m|1M)  bytes=1048576 ;;
+                1g|1G)  bytes=1073741824 ;;
+        esac
+        case $time in
+                1)      seconds=1 ;;
+                1m|1M)  seconds=60 ;;
+                1h|1H)  seconds=3600 ;;
+                1d|1D)  seconds=86400 ;;
+                1w|1W)  seconds=604800 ;;
+        esac
+
+        b=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \
+            awk '/rekeylimit/{print $2}'`
+        s=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \
+            awk '/rekeylimit/{print $3}'`
+
+        if [ "$bytes" != "$b" ]; then
+                fatal "rekeylimit size: expected $bytes got $b"
+        fi
+        if [ "$seconds" != "$s" ]; then
+                fatal "rekeylimit time: expected $time got $s"
+        fi
+    done
+done
+
+rm -f ${COPY} ${DATA}
diff --git a/regress/runtests.sh b/regress/runtests.sh
deleted file mode 100755
index 9808eb8a7..000000000
--- a/regress/runtests.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/sh
-
-TEST_SSH_SSH=../ssh
-TEST_SSH_SSHD=../sshd
-TEST_SSH_SSHAGENT=../ssh-agent
-TEST_SSH_SSHADD=../ssh-add
-TEST_SSH_SSHKEYGEN=../ssh-keygen
-TEST_SSH_SSHKEYSCAN=../ssh-keyscan
-TEST_SSH_SFTP=../sftp
-TEST_SSH_SFTPSERVER=../sftp-server
-
-pmake
-
diff --git a/regress/scp.sh b/regress/scp.sh
index c5d412dd9..29c5b35d4 100644
--- a/regress/scp.sh
+++ b/regress/scp.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: scp.sh,v 1.7 2006/01/31 10:36:33 djm Exp $
+#       $OpenBSD: scp.sh,v 1.9 2013/05/17 10:35:43 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="scp"
@@ -12,8 +12,6 @@ else
         DIFFOPT="-r"
 fi
 
-DATA=/bin/ls${EXEEXT}
-COPY=${OBJ}/copy
 COPY2=${OBJ}/copy2
 DIR=${COPY}.dd
 DIR2=${COPY}.dd2
diff --git a/regress/sftp-badcmds.sh b/regress/sftp-badcmds.sh
index 08009f26b..7f85c4f22 100644
--- a/regress/sftp-badcmds.sh
+++ b/regress/sftp-badcmds.sh
@@ -1,12 +1,10 @@
-#       $OpenBSD: sftp-badcmds.sh,v 1.4 2009/08/13 01:11:55 djm Exp $
+#       $OpenBSD: sftp-badcmds.sh,v 1.6 2013/05/17 10:26:26 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="sftp invalid commands"
 
-DATA=/bin/ls${EXEEXT}
 DATA2=/bin/sh${EXEEXT}
 NONEXIST=/NONEXIST.$$
-COPY=${OBJ}/copy
 GLOBFILES=`(cd /bin;echo l*)`
 
 rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd
diff --git a/regress/sftp-batch.sh b/regress/sftp-batch.sh
index a51ef0782..41011549b 100644
--- a/regress/sftp-batch.sh
+++ b/regress/sftp-batch.sh
@@ -1,10 +1,8 @@
-#       $OpenBSD: sftp-batch.sh,v 1.4 2009/08/13 01:11:55 djm Exp $
+#       $OpenBSD: sftp-batch.sh,v 1.5 2013/05/17 04:29:14 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="sftp batchfile"
 
-DATA=/bin/ls${EXEEXT}
-COPY=${OBJ}/copy
 BATCH=${OBJ}/sftp.bb
 
 rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${BATCH}.*
diff --git a/regress/sftp-chroot.sh b/regress/sftp-chroot.sh
new file mode 100644
index 000000000..03b9bc6d7
--- /dev/null
+++ b/regress/sftp-chroot.sh
@@ -0,0 +1,25 @@
+#       $OpenBSD: sftp-chroot.sh,v 1.2 2013/05/17 04:29:14 dtucker Exp $
+#       Placed in the Public Domain.
+
+tid="sftp in chroot"
+
+CHROOT=/var/run
+FILENAME=testdata_${USER}
+PRIVDATA=${CHROOT}/${FILENAME}
+
+if [ -z "$SUDO" ]; then
+  echo "skipped: need SUDO to create file in /var/run, test won't work without"
+  exit 0
+fi
+
+$SUDO sh -c "echo mekmitastdigoat > $PRIVDATA" || \
+        fatal "create $PRIVDATA failed"
+
+start_sshd -oChrootDirectory=$CHROOT -oForceCommand="internal-sftp -d /"
+
+verbose "test $tid: get"
+${SFTP} -qS "$SSH" -F $OBJ/ssh_config host:/${FILENAME} $COPY || \
+        fatal "Fetch ${FILENAME} failed"
+cmp $PRIVDATA $COPY || fail "$PRIVDATA $COPY differ"
+
+$SUDO rm $PRIVDATA
diff --git a/regress/sftp-cmds.sh b/regress/sftp-cmds.sh
index 2e0300e16..aad7fcac2 100644
--- a/regress/sftp-cmds.sh
+++ b/regress/sftp-cmds.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: sftp-cmds.sh,v 1.12 2012/06/01 00:52:52 djm Exp $
+#       $OpenBSD: sftp-cmds.sh,v 1.14 2013/06/21 02:26:26 djm Exp $
 #       Placed in the Public Domain.
 
 # XXX - TODO: 
@@ -7,8 +7,6 @@
 
 tid="sftp commands"
 
-DATA=/bin/ls${EXEEXT}
-COPY=${OBJ}/copy
 # test that these files are readable!
 for i in `(cd /bin;echo l*)`
 do
@@ -108,7 +106,7 @@ rm -f ${COPY}.dd/*
 verbose "$tid: get to directory"
 echo "get $DATA ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
         || fail "get failed"
-cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after get"
+cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after get"
 
 rm -f ${COPY}.dd/*
 verbose "$tid: glob get to directory"
@@ -122,7 +120,7 @@ rm -f ${COPY}.dd/*
 verbose "$tid: get to local dir"
 (echo "lcd ${COPY}.dd"; echo "get $DATA" ) | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
         || fail "get failed"
-cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after get"
+cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after get"
 
 rm -f ${COPY}.dd/*
 verbose "$tid: glob get to local dir"
@@ -156,7 +154,7 @@ rm -f ${COPY}.dd/*
 verbose "$tid: put to directory"
 echo "put $DATA ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
         || fail "put failed"
-cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after put"
+cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after put"
 
 rm -f ${COPY}.dd/*
 verbose "$tid: glob put to directory"
@@ -170,7 +168,7 @@ rm -f ${COPY}.dd/*
 verbose "$tid: put to local dir"
 (echo "cd ${COPY}.dd"; echo "put $DATA") | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
         || fail "put failed"
-cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after put"
+cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after put"
 
 rm -f ${COPY}.dd/*
 verbose "$tid: glob put to local dir"
diff --git a/regress/sftp.sh b/regress/sftp.sh
index f84fa6f4e..b8e9f7527 100644
--- a/regress/sftp.sh
+++ b/regress/sftp.sh
@@ -1,11 +1,8 @@
-#       $OpenBSD: sftp.sh,v 1.3 2009/08/13 01:11:55 djm Exp $
+#       $OpenBSD: sftp.sh,v 1.5 2013/05/17 10:28:11 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="basic sftp put/get"
 
-DATA=/bin/ls${EXEEXT}
-COPY=${OBJ}/copy
-
 SFTPCMDFILE=${OBJ}/batch
 cat >$SFTPCMDFILE <<EOF
 version
diff --git a/regress/ssh-com-client.sh b/regress/ssh-com-client.sh
index 324a0a723..e4f80cf0a 100644
--- a/regress/ssh-com-client.sh
+++ b/regress/ssh-com-client.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: ssh-com-client.sh,v 1.6 2004/02/24 17:06:52 markus Exp $
+#       $OpenBSD: ssh-com-client.sh,v 1.7 2013/05/17 04:29:14 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="connect with ssh.com client"
@@ -67,10 +67,6 @@ EOF
 # we need a real server (no ProxyConnect option)
 start_sshd
 
-DATA=/bin/ls${EXEEXT}
-COPY=${OBJ}/copy
-rm -f ${COPY}
-
 # go for it
 for v in ${VERSIONS}; do
         ssh2=${TEST_COMBASE}/${v}/ssh2
diff --git a/regress/ssh-com-sftp.sh b/regress/ssh-com-sftp.sh
index be6f4e0dc..fabfa4983 100644
--- a/regress/ssh-com-sftp.sh
+++ b/regress/ssh-com-sftp.sh
@@ -1,10 +1,8 @@
-#       $OpenBSD: ssh-com-sftp.sh,v 1.6 2009/08/20 18:43:07 djm Exp $
+#       $OpenBSD: ssh-com-sftp.sh,v 1.7 2013/05/17 04:29:14 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="basic sftp put/get with ssh.com server"
 
-DATA=/bin/ls${EXEEXT}
-COPY=${OBJ}/copy
 SFTPCMDFILE=${OBJ}/batch
 
 cat >$SFTPCMDFILE <<EOF
diff --git a/regress/ssh-com.sh b/regress/ssh-com.sh
index 7bcd85b65..6c5cfe888 100644
--- a/regress/ssh-com.sh
+++ b/regress/ssh-com.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: ssh-com.sh,v 1.7 2004/02/24 17:06:52 markus Exp $
+#       $OpenBSD: ssh-com.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="connect to ssh.com server"
@@ -70,7 +70,7 @@ done
 
 # convert and append DSA hostkey
 (
-        echon 'ssh2-localhost-with-alias,127.0.0.1,::1 '
+        printf 'ssh2-localhost-with-alias,127.0.0.1,::1 '
         ${SSHKEYGEN} -if ${SRC}/dsa_ssh2.pub
 ) >> $OBJ/known_hosts
 
diff --git a/regress/sshd-log-wrapper.sh b/regress/sshd-log-wrapper.sh
index c7a5ef3a6..a9386be4d 100644
--- a/regress/sshd-log-wrapper.sh
+++ b/regress/sshd-log-wrapper.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-#       $OpenBSD: sshd-log-wrapper.sh,v 1.2 2005/02/27 11:40:30 dtucker Exp $
+#       $OpenBSD: sshd-log-wrapper.sh,v 1.3 2013/04/07 02:16:03 dtucker Exp $
 #       Placed in the Public Domain.
 #
 # simple wrapper for sshd proxy mode to catch stderr output
@@ -10,4 +10,4 @@ log=$2
 shift
 shift
 
-exec $sshd $@ -e 2>>$log
+exec $sshd -E$log $@
diff --git a/regress/stderr-after-eof.sh b/regress/stderr-after-eof.sh
index 05a5ea56d..218ac6b68 100644
--- a/regress/stderr-after-eof.sh
+++ b/regress/stderr-after-eof.sh
@@ -1,29 +1,13 @@
-#       $OpenBSD: stderr-after-eof.sh,v 1.1 2002/03/23 16:38:09 markus Exp $
+#       $OpenBSD: stderr-after-eof.sh,v 1.2 2013/05/17 04:29:14 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="stderr data after eof"
 
-DATA=/etc/motd
-DATA=${OBJ}/data
-COPY=${OBJ}/copy
-
-if have_prog md5sum; then
-        CHECKSUM=md5sum
-elif have_prog openssl; then
-        CHECKSUM="openssl md5"
-elif have_prog cksum; then
-        CHECKSUM=cksum
-elif have_prog sum; then
-        CHECKSUM=sum
-else
-        fatal "No checksum program available, aborting $tid test"
-fi
-
 # setup data
 rm -f ${DATA} ${COPY}
 cp /dev/null ${DATA}
 for i in 1 2 3 4 5 6; do
-        (date;echo $i) | $CHECKSUM >> ${DATA}
+        (date;echo $i) | md5 >> ${DATA}
 done
 
 ${SSH} -2 -F $OBJ/ssh_proxy otherhost \
diff --git a/regress/stderr-data.sh b/regress/stderr-data.sh
index 1daf79bb5..b0bd2355c 100644
--- a/regress/stderr-data.sh
+++ b/regress/stderr-data.sh
@@ -1,12 +1,8 @@
-#       $OpenBSD: stderr-data.sh,v 1.2 2002/03/27 22:39:52 markus Exp $
+#       $OpenBSD: stderr-data.sh,v 1.3 2013/05/17 04:29:14 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="stderr data transfer"
 
-DATA=/bin/ls${EXEEXT}
-COPY=${OBJ}/copy
-rm -f ${COPY}
-
 for n in '' -n; do
 for p in 1 2; do
         verbose "test $tid: proto $p ($n)"
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index aa4e6e5c0..eee446264 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: test-exec.sh,v 1.37 2010/02/24 06:21:56 djm Exp $
+#       $OpenBSD: test-exec.sh,v 1.46 2013/06/21 02:26:26 djm Exp $
 #       Placed in the Public Domain.
 
 #SUDO=sudo
@@ -136,30 +136,49 @@ case "$SSHD" in
 *) SSHD=`which sshd` ;;
 esac
 
+# Logfiles.
+# SSH_LOGFILE should be the debug output of ssh(1) only
+# SSHD_LOGFILE should be the debug output of sshd(8) only
+# REGRESS_LOGFILE is the output of the test itself stdout and stderr
 if [ "x$TEST_SSH_LOGFILE" = "x" ]; then
-        TEST_SSH_LOGFILE=/dev/null
+        TEST_SSH_LOGFILE=$OBJ/ssh.log
+fi
+if [ "x$TEST_SSHD_LOGFILE" = "x" ]; then
+        TEST_SSHD_LOGFILE=$OBJ/sshd.log
+fi
+if [ "x$TEST_REGRESS_LOGFILE" = "x" ]; then
+        TEST_REGRESS_LOGFILE=$OBJ/regress.log
 fi
 
-# Some data for test copies
-DATA=$OBJ/testdata
-cat $SSHD${EXEEXT} $SSHD${EXEEXT} $SSHD${EXEEXT} $SSHD${EXEEXT} >$DATA
+# truncate logfiles
+>$TEST_SSH_LOGFILE
+>$TEST_SSHD_LOGFILE
+>$TEST_REGRESS_LOGFILE
+
+# Create wrapper ssh with logging.  We can't just specify "SSH=ssh -E..."
+# because sftp and scp don't handle spaces in arguments.
+SSHLOGWRAP=$OBJ/ssh-log-wrapper.sh
+echo "#!/bin/sh" > $SSHLOGWRAP
+echo "exec ${SSH} -E${TEST_SSH_LOGFILE} "'"$@"' >>$SSHLOGWRAP
+
+chmod a+rx $OBJ/ssh-log-wrapper.sh
+SSH="$SSHLOGWRAP"
+
+# Some test data.  We make a copy because some tests will overwrite it.
+# The tests may assume that $DATA exists and is writable and $COPY does
+# not exist.
+DATANAME=data
+DATA=$OBJ/${DATANAME}
+cat $SSHD $SSHD $SSHD $SSHD >${DATA}
+chmod u+w ${DATA}
+COPY=$OBJ/copy
+rm -f ${COPY}
 
 # these should be used in tests
 export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP
 #echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP
 
-# helper
-echon()
-{
-       if [ "x`echo -n`" = "x" ]; then
-               echo -n "$@"
-       elif [ "x`echo '\c'`" = "x" ]; then
-               echo "$@\c"
-       else
-               fatal "Don't know how to echo without newline."
-       fi
-}
-
+# Portable specific functions
 have_prog()
 {
         saved_IFS="$IFS"
@@ -175,6 +194,37 @@ have_prog()
         return 1
 }
 
+jot() {
+        awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }"
+}
+
+# Check whether preprocessor symbols are defined in config.h.
+config_defined ()
+{
+        str=$1
+        while test "x$2" != "x" ; do
+                str="$str|$2"
+                shift
+        done
+        egrep "^#define.*($str)" ${BUILDDIR}/config.h >/dev/null 2>&1
+}
+
+md5 () {
+        if have_prog md5sum; then
+                md5sum
+        elif have_prog openssl; then
+                openssl md5
+        elif have_prog cksum; then
+                cksum
+        elif have_prog sum; then
+                sum
+        else
+                wc -c
+        fi
+}
+# End of portable specific functions
+
+# helper
 cleanup ()
 {
         if [ -f $PIDFILE ]; then
@@ -199,9 +249,26 @@ cleanup ()
         fi
 }
 
+start_debug_log ()
+{
+        echo "trace: $@" >$TEST_REGRESS_LOGFILE
+        echo "trace: $@" >$TEST_SSH_LOGFILE
+        echo "trace: $@" >$TEST_SSHD_LOGFILE
+}
+
+save_debug_log ()
+{
+        echo $@ >>$TEST_REGRESS_LOGFILE
+        echo $@ >>$TEST_SSH_LOGFILE
+        echo $@ >>$TEST_SSHD_LOGFILE
+        (cat $TEST_REGRESS_LOGFILE; echo) >>$OBJ/failed-regress.log
+        (cat $TEST_SSH_LOGFILE; echo) >>$OBJ/failed-ssh.log
+        (cat $TEST_SSHD_LOGFILE; echo) >>$OBJ/failed-sshd.log
+}
+
 trace ()
 {
-        echo "trace: $@" >>$TEST_SSH_LOGFILE
+        start_debug_log $@
         if [ "X$TEST_SSH_TRACE" = "Xyes" ]; then
                 echo "$@"
         fi
@@ -209,7 +276,7 @@ trace ()
 
 verbose ()
 {
-        echo "verbose: $@" >>$TEST_SSH_LOGFILE
+        start_debug_log $@
         if [ "X$TEST_SSH_QUIET" != "Xyes" ]; then
                 echo "$@"
         fi
@@ -223,31 +290,21 @@ warn ()
 
 fail ()
 {
-        echo "FAIL: $@" >>$TEST_SSH_LOGFILE
+        save_debug_log "FAIL: $@"
         RESULT=1
         echo "$@"
+
 }
 
 fatal ()
 {
-        echo "FATAL: $@" >>$TEST_SSH_LOGFILE
-        echon "FATAL: "
+        save_debug_log "FATAL: $@"
+        printf "FATAL: "
         fail "$@"
         cleanup
         exit $RESULT
 }
 
-# Check whether preprocessor symbols are defined in config.h.
-config_defined ()
-{
-        str=$1
-        while test "x$2" != "x" ; do
-                str="$str|$2"
-                shift
-        done
-        egrep "^#define.*($str)" ${BUILDDIR}/config.h >/dev/null 2>&1
-}
-
 RESULT=0
 PIDFILE=$OBJ/pidfile
 
@@ -263,7 +320,7 @@ cat << EOF > $OBJ/sshd_config
         #ListenAddress          ::1
         PidFile                 $PIDFILE
         AuthorizedKeysFile      $OBJ/authorized_keys_%u
-        LogLevel                VERBOSE
+        LogLevel                DEBUG3
         AcceptEnv               _XXX_TEST_*
         AcceptEnv               _XXX_TEST
         Subsystem       sftp    $SFTPSERVER
@@ -295,8 +352,10 @@ Host *
         ChallengeResponseAuthentication no
         HostbasedAuthentication no
         PasswordAuthentication  no
+        RhostsRSAAuthentication no
         BatchMode               yes
         StrictHostKeyChecking   yes
+        LogLevel                DEBUG3
 EOF
 
 if [ ! -z "$TEST_SSH_SSH_CONFOPTS" ]; then
@@ -309,13 +368,15 @@ rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER
 trace "generate keys"
 for t in rsa rsa1; do
         # generate user key
-        rm -f $OBJ/$t
-        ${SSHKEYGEN} -b 1024 -q -N '' -t $t  -f $OBJ/$t ||\
-                fail "ssh-keygen for $t failed"
+        if [ ! -f $OBJ/$t ] || [ ${SSHKEYGEN} -nt $OBJ/$t ]; then
+                rm -f $OBJ/$t
+                ${SSHKEYGEN} -q -N '' -t $t  -f $OBJ/$t ||\
+                        fail "ssh-keygen for $t failed"
+        fi
 
         # known hosts file for client
         (
-                echon 'localhost-with-alias,127.0.0.1,::1 '
+                printf 'localhost-with-alias,127.0.0.1,::1 '
                 cat $OBJ/$t.pub
         ) >> $OBJ/known_hosts
 
@@ -370,7 +431,7 @@ if test "$REGRESS_INTEROP_PUTTY" = "yes" ; then
         echo "Hostname=127.0.0.1" >> ${OBJ}/.putty/sessions/localhost_proxy
         echo "PortNumber=$PORT" >> ${OBJ}/.putty/sessions/localhost_proxy
         echo "ProxyMethod=5" >> ${OBJ}/.putty/sessions/localhost_proxy
-        echo "ProxyTelnetCommand=sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy" >> ${OBJ}/.putty/sessions/localhost_proxy 
+        echo "ProxyTelnetCommand=sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSHD_LOGFILE} -i -f $OBJ/sshd_proxy" >> ${OBJ}/.putty/sessions/localhost_proxy
 
         REGRESS_INTEROP_PUTTY=yes
 fi
@@ -378,7 +439,7 @@ fi
 # create a proxy version of the client config
 (
         cat $OBJ/ssh_config
-        echo proxycommand ${SUDO} sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy
+        echo proxycommand ${SUDO} sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSHD_LOGFILE} -i -f $OBJ/sshd_proxy
 ) > $OBJ/ssh_proxy
 
 # check proxy config
@@ -388,7 +449,7 @@ start_sshd ()
 {
         # start sshd
         $SUDO ${SSHD} -f $OBJ/sshd_config "$@" -t || fatal "sshd_config broken"
-        $SUDO ${SSHD} -f $OBJ/sshd_config -e "$@" >>$TEST_SSH_LOGFILE 2>&1
+        $SUDO ${SSHD} -f $OBJ/sshd_config "$@" -E$TEST_SSHD_LOGFILE
 
         trace "wait for sshd"
         i=0;
diff --git a/regress/transfer.sh b/regress/transfer.sh
index 13ea367d5..1ae3ef5bf 100644
--- a/regress/transfer.sh
+++ b/regress/transfer.sh
@@ -1,11 +1,8 @@
-#       $OpenBSD: transfer.sh,v 1.1 2002/03/27 00:03:37 markus Exp $
+#       $OpenBSD: transfer.sh,v 1.2 2013/05/17 04:29:14 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="transfer data"
 
-DATA=/bin/ls${EXEEXT}
-COPY=${OBJ}/copy
-
 for p in 1 2; do
         verbose "$tid: proto $p"
         rm -f ${COPY}
diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh
index 084a1457a..e17c9f5e9 100644
--- a/regress/try-ciphers.sh
+++ b/regress/try-ciphers.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: try-ciphers.sh,v 1.19 2013/02/11 23:58:51 djm Exp $
+#       $OpenBSD: try-ciphers.sh,v 1.20 2013/05/17 10:16:26 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="try ciphers"