Resolve conflicts.

svn path=/head/; revision=113911
2003-04-23 17:13:13 +00:00 · 2003-04-23 17:13:13 +00:00 · e73e9afa91 · 2020-12-20 02:59:44 +00:00
commit e73e9afa91
parent 486cd0043e
47 changed files with 827 additions and 622 deletions
--- a/crypto/openssh/acconfig.h
+++ b/crypto/openssh/acconfig.h
@ -1,4 +1,4 @@
-/* $Id: acconfig.h,v 1.145 2002/09/26 00:38:48 tim Exp $ */
+/* $Id: acconfig.h,v 1.149 2003/03/10 00:38:10 djm Exp $ */
 /* $FreeBSD$ */
 #ifndef _CONFIG_H
@ -368,6 +368,19 @@
 /* Define if your platform needs to skip post auth file descriptor passing */
 #undef DISABLE_FD_PASSING
 /* Silly mkstemp() */
 #undef HAVE_STRICT_MKSTEMP
 /* Setproctitle emulation */
 #undef SETPROCTITLE_STRATEGY
 #undef SETPROCTITLE_PS_PADDING
 /* Some systems put this outside of libc */
 #undef HAVE_NANOSLEEP
 /* Pushing STREAMS modules incorrectly acquires a controlling TTY */
 #undef STREAMS_PUSH_ACQUIRES_CTTY
@BOTTOM@
 /* ******************* Shouldn't need to edit below this line ************** */
--- a/crypto/openssh/auth-krb4.c
+++ b/crypto/openssh/auth-krb4.c
@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-krb4.c,v 1.28 2002/09/26 11:38:43 markus Exp $");
+RCSID("$OpenBSD: auth-krb4.c,v 1.29 2003/02/21 10:34:48 mpech Exp $");
 RCSID("$FreeBSD$");
 #include "ssh.h"
@ -272,7 +272,7 @@ auth_krb4(Authctxt *authctxt, KTEXT auth, char **client, KTEXT reply)
 		reply->length = r;
 	/* Clear session key. */
-	memset(&adat.session, 0, sizeof(&adat.session));
+	memset(&adat.session, 0, sizeof(adat.session));
 	return (1);
 }
 #endif /* KRB4 */
--- a/crypto/openssh/auth-krb5.c
+++ b/crypto/openssh/auth-krb5.c
@ -28,7 +28,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-krb5.c,v 1.9 2002/09/09 06:48:06 itojun Exp $");
+RCSID("$OpenBSD: auth-krb5.c,v 1.10 2002/11/21 23:03:51 deraadt Exp $");
 RCSID("$FreeBSD$");
 #include "ssh.h"
@ -108,7 +108,7 @@ auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *reply)
 	if (problem)
 		goto err;
-	problem = krb5_sname_to_principal(authctxt->krb5_ctx,  NULL, NULL ,
+	problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
 	    KRB5_NT_SRV_HST, &server);
 	if (problem)
 		goto err;
--- a/crypto/openssh/auth-pam.c
+++ b/crypto/openssh/auth-pam.c
@ -38,7 +38,7 @@ extern char *__progname;
 extern int use_privsep;
-RCSID("$Id: auth-pam.c,v 1.54 2002/07/28 20:24:08 stevesk Exp $");
+RCSID("$Id: auth-pam.c,v 1.55 2003/01/22 04:42:26 djm Exp $");
 RCSID("$FreeBSD$");
 #define NEW_AUTHTOK_MSG \
@ -211,14 +211,6 @@ int auth_pam_password(Authctxt *authctxt, const char *password)
 	do_pam_set_conv(&conv);
 	/* deny if no user. */
 	if (pw == NULL)
 		return 0;
 	if (pw->pw_uid == 0 && options.permit_root_login == PERMIT_NO_PASSWD)
 		return 0;
 	if (*password == '\0' && options.permit_empty_passwd == 0)
 		return 0;
 	__pampasswd = password;
 	pamstate = INITIAL_LOGIN;
--- a/crypto/openssh/auth-passwd.c
+++ b/crypto/openssh/auth-passwd.c
@ -100,33 +100,26 @@ extern char *aixloginmsg;
 int
 auth_password(Authctxt *authctxt, const char *password)
 {
 #if defined(USE_PAM)
 	if (*password == '\0' && options.permit_empty_passwd == 0)
 		return 0;
 	return auth_pam_password(authctxt, password);
 #elif defined(HAVE_OSF_SIA)
 	if (*password == '\0' && options.permit_empty_passwd == 0)
 		return 0;
 	return auth_sia_password(authctxt, password);
 #else
 	struct passwd * pw = authctxt->pw;
 #if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)
 	char *encrypted_password;
 	char *pw_password;
 	char *salt;
-#if defined(__hpux) || defined(HAVE_SECUREWARE)
+# if defined(__hpux) || defined(HAVE_SECUREWARE)
 	struct pr_passwd *spw;
-#endif /* __hpux || HAVE_SECUREWARE */
+# endif /* __hpux || HAVE_SECUREWARE */
-#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
+# if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
 	struct spwd *spw;
-#endif
+# endif
-#if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
+# if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
 	struct passwd_adjunct *spw;
-#endif
+# endif
-#ifdef WITH_AIXAUTHENTICATE
+# ifdef WITH_AIXAUTHENTICATE
 	char *authmsg;
 	int authsuccess;
 	int reenter = 1;
-#endif
+# endif
 #endif /* !defined(USE_PAM) && !defined(HAVE_OSF_SIA) */
 	/* deny if no user. */
 	if (pw == NULL)
@ -137,15 +130,21 @@ auth_password(Authctxt *authctxt, const char *password)
 #endif
 	if (*password == '\0' && options.permit_empty_passwd == 0)
 		return 0;
-#ifdef KRB5
+
 #if defined(USE_PAM)
 	return auth_pam_password(authctxt, password);
 #elif defined(HAVE_OSF_SIA)
 	return auth_sia_password(authctxt, password);
 #else
 # ifdef KRB5
 	if (options.kerberos_authentication == 1) {
 		int ret = auth_krb5_password(authctxt, password);
 		if (ret == 1 || ret == 0)
 			return ret;
 		/* Fall back to ordinary passwd authentication. */
 	}
-#endif
+# endif
-#ifdef HAVE_CYGWIN
+# ifdef HAVE_CYGWIN
 	if (is_winnt) {
 		HANDLE hToken = cygwin_logon_user(pw, password);
@ -154,8 +153,8 @@ auth_password(Authctxt *authctxt, const char *password)
 		cygwin_set_impersonation_token(hToken);
 		return 1;
 	}
-#endif
+# endif
-#ifdef WITH_AIXAUTHENTICATE
+# ifdef WITH_AIXAUTHENTICATE
 	authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
 	if (authsuccess)
@ -166,47 +165,47 @@ auth_password(Authctxt *authctxt, const char *password)
 				aixloginmsg = NULL;
 	return(authsuccess);
-#endif
+# endif
-#ifdef KRB4
+# ifdef KRB4
 	if (options.kerberos_authentication == 1) {
 		int ret = auth_krb4_password(authctxt, password);
 		if (ret == 1 || ret == 0)
 			return ret;
 		/* Fall back to ordinary passwd authentication. */
 	}
-#endif
+# endif
-#ifdef BSD_AUTH
+# ifdef BSD_AUTH
 	if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
 	    (char *)password) == 0)
 		return 0;
 	else
 		return 1;
-#endif
+# endif
 	pw_password = pw->pw_passwd;
 	/*
 	 * Various interfaces to shadow or protected password data
 	 */
-#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
+# if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
 	spw = getspnam(pw->pw_name);
 	if (spw != NULL)
 		pw_password = spw->sp_pwdp;
-#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
+# endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
-#if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
+# if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
 	if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL)
 		pw_password = spw->pwa_passwd;
-#endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */
+# endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */
-#ifdef HAVE_SECUREWARE
+# ifdef HAVE_SECUREWARE
 	if ((spw = getprpwnam(pw->pw_name)) != NULL)
 		pw_password = spw->ufld.fd_encrypt;
-#endif /* HAVE_SECUREWARE */
+# endif /* HAVE_SECUREWARE */
-#if defined(__hpux) && !defined(HAVE_SECUREWARE)
+# if defined(__hpux) && !defined(HAVE_SECUREWARE)
 	if (iscomsec() && (spw = getprpwnam(pw->pw_name)) != NULL)
 		pw_password = spw->ufld.fd_encrypt;
-#endif /* defined(__hpux) && !defined(HAVE_SECUREWARE) */
+# endif /* defined(__hpux) && !defined(HAVE_SECUREWARE) */
 	/* Check for users with no password. */
 	if ((password[0] == '\0') && (pw_password[0] == '\0'))
@ -217,25 +216,25 @@ auth_password(Authctxt *authctxt, const char *password)
 	else
 		salt = "xx";
-#ifdef HAVE_MD5_PASSWORDS
+# ifdef HAVE_MD5_PASSWORDS
 	if (is_md5_salt(salt))
 		encrypted_password = md5_crypt(password, salt);
 	else
 		encrypted_password = crypt(password, salt);
-#else /* HAVE_MD5_PASSWORDS */
+# else /* HAVE_MD5_PASSWORDS */
-# if defined(__hpux) && !defined(HAVE_SECUREWARE)
+#  if defined(__hpux) && !defined(HAVE_SECUREWARE)
 	if (iscomsec())
 		encrypted_password = bigcrypt(password, salt);
 	else
 		encrypted_password = crypt(password, salt);
 # else
 #  ifdef HAVE_SECUREWARE
 	encrypted_password = bigcrypt(password, salt);
 #  else
 #   ifdef HAVE_SECUREWARE
 	encrypted_password = bigcrypt(password, salt);
 #   else
 	encrypted_password = crypt(password, salt);
-#  endif /* HAVE_SECUREWARE */
+#   endif /* HAVE_SECUREWARE */
-# endif /* __hpux && !defined(HAVE_SECUREWARE) */
+#  endif /* __hpux && !defined(HAVE_SECUREWARE) */
-#endif /* HAVE_MD5_PASSWORDS */
+# endif /* HAVE_MD5_PASSWORDS */
 	/* Authentication is accepted if the encrypted passwords are identical. */
 	return (strcmp(encrypted_password, pw_password) == 0);
--- a/crypto/openssh/auth.c
+++ b/crypto/openssh/auth.c
@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.45 2002/09/20 18:41:29 stevesk Exp $");
+RCSID("$OpenBSD: auth.c,v 1.46 2002/11/04 10:07:53 markus Exp $");
 RCSID("$FreeBSD$");
 #ifdef HAVE_LOGIN_H
@ -80,17 +80,20 @@ allowed_user(struct passwd * pw)
 	char *loginmsg;
 #endif /* WITH_AIXAUTHENTICATE */
 #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
-	!defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
+    !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
 	struct spwd *spw;
 	time_t today;
 #endif
 	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
 	if (!pw || !pw->pw_name)
 		return 0;
 #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
    !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
 #define	DAY		(24L * 60 * 60) /* 1 day in seconds */
-	spw = getspnam(pw->pw_name);
+	if ((spw = getspnam(pw->pw_name)) != NULL) {
-	if (spw != NULL) {
+		today = time(NULL) / DAY;
 		time_t today = time(NULL) / DAY;
 		debug3("allowed_user: today %d sp_expire %d sp_lstchg %d"
 		    " sp_max %d", (int)today, (int)spw->sp_expire,
 		    (int)spw->sp_lstchg, (int)spw->sp_max);
@ -117,10 +120,6 @@ allowed_user(struct passwd * pw)
 			return 0;
 		}
 	}
 #else
 	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
 	if (!pw || !pw->pw_name)
 		return 0;
 #endif
 	/*
@ -203,7 +202,15 @@ allowed_user(struct passwd * pw)
 	}
 #ifdef WITH_AIXAUTHENTICATE
-	if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
+	/*
 	 * Don't check loginrestrictions() for root account (use
 	 * PermitRootLogin to control logins via ssh), or if running as
 	 * non-root user (since loginrestrictions will always fail).
 	 */
 	if ((pw->pw_uid != 0) && (geteuid() == 0) &&
 	    loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
 		int loginrestrict_errno = errno;
 		if (loginmsg && *loginmsg) {
 			/* Remove embedded newlines (if any) */
 			char *p;
@ -213,9 +220,13 @@ allowed_user(struct passwd * pw)
 			}
 			/* Remove trailing newline */
 			*--p = '\0';
-			log("Login restricted for %s: %.100s", pw->pw_name, loginmsg);
+			log("Login restricted for %s: %.100s", pw->pw_name, 
 			    loginmsg);
 		}
-		return 0;
+		/* Don't fail if /etc/nologin  set */
 	    	if (!(loginrestrict_errno == EPERM && 
 		    stat(_PATH_NOLOGIN, &st) == 0))
 			return 0;
 	}
 #endif /* WITH_AIXAUTHENTICATE */
@ -418,6 +429,7 @@ secure_filename(FILE *f, const char *file, struct passwd *pw,
 	uid_t uid = pw->pw_uid;
 	char buf[MAXPATHLEN], homedir[MAXPATHLEN];
 	char *cp;
 	int comparehome = 0;
 	struct stat st;
 	if (realpath(file, buf) == NULL) {
@ -425,11 +437,8 @@ secure_filename(FILE *f, const char *file, struct passwd *pw,
 		    strerror(errno));
 		return -1;
 	}
-	if (realpath(pw->pw_dir, homedir) == NULL) {
+	if (realpath(pw->pw_dir, homedir) != NULL)
-		snprintf(err, errlen, "realpath %s failed: %s", pw->pw_dir,
+		comparehome = 1;
 		    strerror(errno));
 		return -1;
 	}
 	/* check the open file to avoid races */
 	if (fstat(fileno(f), &st) < 0 ||
@ -458,7 +467,7 @@ secure_filename(FILE *f, const char *file, struct passwd *pw,
 		}
 		/* If are passed the homedir then we can stop */
-		if (strcmp(homedir, buf) == 0) {
+		if (comparehome && strcmp(homedir, buf) == 0) {
 			debug3("secure_filename: terminating check at '%s'",
 			    buf);
 			break;
@ -488,6 +497,11 @@ getpwnamallow(const char *user)
 	if (pw == NULL) {
 		log("Illegal user %.100s from %.100s",
 		    user, get_remote_ipaddr());
 #ifdef WITH_AIXAUTHENTICATE
 		loginfailed(user,
 		    get_canonical_hostname(options.verify_reverse_mapping),
 		    "ssh");
 #endif
 		return (NULL);
 	}
 	if (!allowed_user(pw))
--- a/crypto/openssh/auth1.c
+++ b/crypto/openssh/auth1.c
@ -10,7 +10,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.44 2002/09/26 11:38:43 markus Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.47 2003/02/06 21:22:42 markus Exp $");
 RCSID("$FreeBSD$");
 #include "xmalloc.h"
@ -163,7 +163,7 @@ do_authloop(Authctxt *authctxt)
 						snprintf(info, sizeof(info),
 						    " tktuser %.100s",
 						    client_user);
- 
+
 						/* Send response to client */
 						packet_start(
 						    SSH_SMSG_AUTH_KERBEROS_RESPONSE);
@ -298,7 +298,6 @@ do_authloop(Authctxt *authctxt)
 			debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE");
 			if (options.challenge_response_authentication == 1) {
 				char *response = packet_get_string(&dlen);
 				debug("got response '%s'", response);
 				packet_check_eom();
 				authenticated = verify_response(authctxt, response);
 				memset(response, 'r', dlen);
@ -342,8 +341,7 @@ do_authloop(Authctxt *authctxt)
 		}
 #else
 		/* Special handling for root */
-		if (!use_privsep &&
+		if (authenticated && authctxt->pw->pw_uid == 0 &&
 		    authenticated && authctxt->pw->pw_uid == 0 &&
 		    !auth_root_allowed(get_authname(type)))
 			authenticated = 0;
 #endif
--- a/crypto/openssh/auth2-pam.c
+++ b/crypto/openssh/auth2-pam.c
@ -1,5 +1,5 @@
 #include "includes.h"
-RCSID("$Id: auth2-pam.c,v 1.14 2002/06/28 16:48:12 mouring Exp $");
+RCSID("$Id: auth2-pam.c,v 1.15 2003/01/08 01:37:03 djm Exp $");
 RCSID("$FreeBSD$");
 #ifdef USE_PAM
@ -155,8 +155,7 @@ input_userauth_info_response_pam(int type, u_int32_t seqnr, void *ctxt)
 		resp = packet_get_string(&rlen);
 		context_pam2.responses[j].resp_retcode = PAM_SUCCESS;
-		context_pam2.responses[j].resp = xstrdup(resp);
+		context_pam2.responses[j].resp = resp;
 		xfree(resp);
 		context_pam2.num_received++;
 	}
--- a/crypto/openssh/auth2.c
+++ b/crypto/openssh/auth2.c
@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.95 2002/08/22 21:33:58 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.96 2003/02/06 21:22:43 markus Exp $");
 RCSID("$FreeBSD$");
 #include "canohost.h"
@ -235,8 +235,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 		    authctxt->user);
 	/* Special handling for root */
-	if (!use_privsep &&
+	if (authenticated && authctxt->pw->pw_uid == 0 &&
 	    authenticated && authctxt->pw->pw_uid == 0 &&
 	    !auth_root_allowed(method))
 		authenticated = 0;
--- a/crypto/openssh/authfd.c
+++ b/crypto/openssh/authfd.c
@ -35,7 +35,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: authfd.c,v 1.57 2002/09/11 18:27:26 stevesk Exp $");
+RCSID("$OpenBSD: authfd.c,v 1.58 2003/01/23 13:50:27 markus Exp $");
 RCSID("$FreeBSD$");
 #include <openssl/evp.h>
@ -500,10 +500,10 @@ ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment)
 int
 ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key,
-    const char *comment, u_int life)
+    const char *comment, u_int life, u_int confirm)
 {
 	Buffer msg;
-	int type, constrained = (life != 0);
+	int type, constrained = (life || confirm);
 	buffer_init(&msg);
@ -533,6 +533,8 @@ ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key,
 			buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME);
 			buffer_put_int(&msg, life);
 		}
 		if (confirm != 0)
 			buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_CONFIRM);
 	}
 	if (ssh_request_reply(auth, &msg, &msg) == 0) {
 		buffer_free(&msg);
@ -546,7 +548,7 @@ ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key,
 int
 ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment)
 {
-	return ssh_add_identity_constrained(auth, key, comment, 0);
+	return ssh_add_identity_constrained(auth, key, comment, 0, 0);
 }
 /*
--- a/crypto/openssh/authfile.c
+++ b/crypto/openssh/authfile.c
@ -36,7 +36,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: authfile.c,v 1.50 2002/06/24 14:55:38 markus Exp $");
+RCSID("$OpenBSD: authfile.c,v 1.52 2003/03/13 11:42:18 markus Exp $");
 RCSID("$FreeBSD$");
 #include <openssl/err.h>
@ -233,12 +233,17 @@ key_load_public_rsa1(int fd, const char *filename, char **commentp)
 {
 	Buffer buffer;
 	Key *pub;
 	struct stat st;
 	char *cp;
 	int i;
 	off_t len;
-	len = lseek(fd, (off_t) 0, SEEK_END);
+	if (fstat(fd, &st) < 0) {
-	lseek(fd, (off_t) 0, SEEK_SET);
+		error("fstat for key file %.200s failed: %.100s",
 		    filename, strerror(errno));
 		return NULL;
 	}
 	len = st.st_size;
 	buffer_init(&buffer);
 	cp = buffer_append_space(&buffer, len);
@ -319,9 +324,15 @@ key_load_private_rsa1(int fd, const char *filename, const char *passphrase,
 	CipherContext ciphercontext;
 	Cipher *cipher;
 	Key *prv = NULL;
 	struct stat st;
-	len = lseek(fd, (off_t) 0, SEEK_END);
+	if (fstat(fd, &st) < 0) {
-	lseek(fd, (off_t) 0, SEEK_SET);
+		error("fstat for key file %.200s failed: %.100s",
 		    filename, strerror(errno));
 		close(fd);
 		return NULL;
 	}
 	len = st.st_size;
 	buffer_init(&buffer);
 	cp = buffer_append_space(&buffer, len);
@ -411,6 +422,12 @@ key_load_private_rsa1(int fd, const char *filename, const char *passphrase,
 	rsa_generate_additional_parameters(prv->rsa);
 	buffer_free(&decrypted);
 	/* enable blinding */
 	if (RSA_blinding_on(prv->rsa, NULL) != 1) {
 		error("key_load_private_rsa1: RSA_blinding_on failed");
 		goto fail;
 	}
 	close(fd);
 	return prv;
@ -450,6 +467,11 @@ key_load_private_pem(int fd, int type, const char *passphrase,
 #ifdef DEBUG_PK
 		RSA_print_fp(stderr, prv->rsa, 8);
 #endif
 		if (RSA_blinding_on(prv->rsa, NULL) != 1) {
 			error("key_load_private_pem: RSA_blinding_on failed");
 			key_free(prv);
 			prv = NULL;
 		}
 	} else if (pk->type == EVP_PKEY_DSA &&
 	    (type == KEY_UNSPEC||type==KEY_DSA)) {
 		prv = key_new(KEY_UNSPEC);
--- a/crypto/openssh/bufaux.c
+++ b/crypto/openssh/bufaux.c
@ -37,7 +37,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: bufaux.c,v 1.27 2002/06/26 08:53:12 markus Exp $");
+RCSID("$OpenBSD: bufaux.c,v 1.28 2002/10/23 10:40:16 markus Exp $");
 RCSID("$FreeBSD$");
 #include <openssl/bn.h>
@ -226,7 +226,7 @@ buffer_get_string(Buffer *buffer, u_int *length_ptr)
 	/* Get the length. */
 	len = buffer_get_int(buffer);
 	if (len > 256 * 1024)
-		fatal("buffer_get_string: bad string length %d", len);
+		fatal("buffer_get_string: bad string length %u", len);
 	/* Allocate space for the string.  Add one byte for a null character. */
 	value = xmalloc(len + 1);
 	/* Get the string. */
--- a/crypto/openssh/canohost.c
+++ b/crypto/openssh/canohost.c
@ -12,7 +12,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: canohost.c,v 1.34 2002/09/23 20:46:27 stevesk Exp $");
+RCSID("$OpenBSD: canohost.c,v 1.35 2002/11/26 02:38:54 stevesk Exp $");
 RCSID("$FreeBSD$");
 #include "packet.h"
@ -39,7 +39,7 @@ get_remote_hostname(int socket, int verify_reverse_mapping)
 	/* Get IP address of client. */
 	fromlen = sizeof(from);
 	memset(&from, 0, sizeof(from));
-	if (getpeername(socket, (struct sockaddr *) &from, &fromlen) < 0) {
+	if (getpeername(socket, (struct sockaddr *)&from, &fromlen) < 0) {
 		debug("getpeername failed: %.100s", strerror(errno));
 		fatal_cleanup();
 	}
@ -60,11 +60,14 @@ get_remote_hostname(int socket, int verify_reverse_mapping)
 			memset(&from, 0, sizeof(from));
 			from4->sin_family = AF_INET;
 			fromlen = sizeof(*from4);
 			memcpy(&from4->sin_addr, &addr, sizeof(addr));
 			from4->sin_port = port;
 		}
 	}
 #endif
 	if (from.ss_family == AF_INET6)
 		fromlen = sizeof(struct sockaddr_in6);
 	if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop),
 	    NULL, 0, NI_NUMERICHOST) != 0)
@ -203,8 +206,8 @@ get_canonical_hostname(int verify_reverse_mapping)
 }
 /*
- * Returns the remote IP-address of socket as a string.  The returned
+ * Returns the local/remote IP-address/hostname of socket as a string.
- * string must be freed.
+ * The returned string must be freed.
 */
 static char *
 get_socket_address(int socket, int remote, int flags)
@ -226,10 +229,15 @@ get_socket_address(int socket, int remote, int flags)
 		    < 0)
 			return NULL;
 	}
 	/* Work around Linux IPv6 weirdness */
 	if (addr.ss_family == AF_INET6)
 		addrlen = sizeof(struct sockaddr_in6);
 	/* Get the address in ascii. */
 	if (getnameinfo((struct sockaddr *)&addr, addrlen, ntop, sizeof(ntop),
 	    NULL, 0, flags) != 0) {
-		error("get_socket_ipaddr: getnameinfo %d failed", flags);
+		error("get_socket_address: getnameinfo %d failed", flags);
 		return NULL;
 	}
 	return xstrdup(ntop);
@ -315,11 +323,16 @@ get_sock_port(int sock, int local)
 			return 0;
 		}
 	} else {
-		if (getpeername(sock, (struct sockaddr *) & from, &fromlen) < 0) {
+		if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) {
 			debug("getpeername failed: %.100s", strerror(errno));
 			fatal_cleanup();
 		}
 	}
 	/* Work around Linux IPv6 weirdness */
 	if (from.ss_family == AF_INET6)
 		fromlen = sizeof(struct sockaddr_in6);
 	/* Return port number. */
 	if (getnameinfo((struct sockaddr *)&from, fromlen, NULL, 0,
 	    strport, sizeof(strport), NI_NUMERICSERV) != 0)
--- a/crypto/openssh/channels.c
+++ b/crypto/openssh/channels.c
@ -39,7 +39,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.183 2002/09/17 07:47:02 itojun Exp $");
+RCSID("$OpenBSD: channels.c,v 1.187 2003/03/05 22:33:43 markus Exp $");
 RCSID("$FreeBSD$");
 #include "ssh.h"
@ -414,13 +414,13 @@ channel_not_very_much_buffered_data(void)
 #if 0
 			if (!compat20 &&
 			    buffer_len(&c->input) > packet_get_maxsize()) {
-				debug("channel %d: big input buffer %d",
+				debug2("channel %d: big input buffer %d",
 				    c->self, buffer_len(&c->input));
 				return 0;
 			}
 #endif
 			if (buffer_len(&c->output) > packet_get_maxsize()) {
-				debug("channel %d: big output buffer %d > %d",
+				debug2("channel %d: big output buffer %d > %d",
 				    c->self, buffer_len(&c->output),
 				    packet_get_maxsize());
 				return 0;
@ -579,7 +579,7 @@ channel_send_open(int id)
 		log("channel_send_open: %d: bad id", id);
 		return;
 	}
-	debug("send channel open %d", id);
+	debug2("channel %d: send open", id);
 	packet_start(SSH2_MSG_CHANNEL_OPEN);
 	packet_put_cstring(c->ctype);
 	packet_put_int(c->self);
@ -589,15 +589,15 @@ channel_send_open(int id)
 }
 void
-channel_request_start(int local_id, char *service, int wantconfirm)
+channel_request_start(int id, char *service, int wantconfirm)
 {
-	Channel *c = channel_lookup(local_id);
+	Channel *c = channel_lookup(id);
 	if (c == NULL) {
-		log("channel_request_start: %d: unknown channel id", local_id);
+		log("channel_request_start: %d: unknown channel id", id);
 		return;
 	}
-	debug("channel request %d: %s", local_id, service) ;
+	debug("channel %d: request %s", id, service) ;
 	packet_start(SSH2_MSG_CHANNEL_REQUEST);
 	packet_put_int(c->remote_id);
 	packet_put_cstring(service);
@ -1998,6 +1998,7 @@ channel_input_port_open(int type, u_int32_t seq, void *ctxt)
 		c->remote_id = remote_id;
 	}
 	if (c == NULL) {
 		xfree(originator_string);
 		packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
 		packet_put_int(remote_id);
 		packet_send();
@ -2282,7 +2283,10 @@ connect_to(const char *host, u_short port)
 		}
 		sock = socket(ai->ai_family, SOCK_STREAM, 0);
 		if (sock < 0) {
-			error("socket: %.100s", strerror(errno));
+			if (ai->ai_next == NULL)
 				error("socket: %.100s", strerror(errno));
 			else
 				verbose("socket: %.100s", strerror(errno));
 			continue;
 		}
 		if (fcntl(sock, F_SETFL, O_NONBLOCK) < 0)
@ -2607,6 +2611,7 @@ x11_input_open(int type, u_int32_t seq, void *ctxt)
 		/* Send refusal to the remote host. */
 		packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
 		packet_put_int(remote_id);
 		xfree(remote_host);
 	} else {
 		/* Send a confirmation to the remote host. */
 		packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
--- a/crypto/openssh/cipher.c
+++ b/crypto/openssh/cipher.c
@ -35,7 +35,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: cipher.c,v 1.61 2002/07/12 15:50:17 markus Exp $");
+RCSID("$OpenBSD: cipher.c,v 1.62 2002/11/21 22:45:31 markus Exp $");
 RCSID("$FreeBSD$");
 #include "xmalloc.h"
@ -240,7 +240,7 @@ cipher_init(CipherContext *cc, Cipher *cipher,
 		    cipher->name);
 	klen = EVP_CIPHER_CTX_key_length(&cc->evp);
 	if (klen > 0 && keylen != klen) {
-		debug("cipher_init: set keylen (%d -> %d)", klen, keylen);
+		debug2("cipher_init: set keylen (%d -> %d)", klen, keylen);
 		if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0)
 			fatal("cipher_init: set keylen failed (%d -> %d)",
 			    klen, keylen);
--- a/crypto/openssh/compat.c
+++ b/crypto/openssh/compat.c
@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: compat.c,v 1.65 2002/09/27 10:42:09 mickey Exp $");
+RCSID("$OpenBSD: compat.c,v 1.66 2003/04/01 10:31:26 markus Exp $");
 RCSID("$FreeBSD$");
 #include "buffer.h"
@ -86,10 +86,12 @@ compat_datafellows(const char *version)
 		{ "*MindTerm*",		0 },
 		{ "2.1.0*",		SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
 					SSH_OLD_SESSIONID|SSH_BUG_DEBUG|
-					SSH_BUG_RSASIGMD5|SSH_BUG_HBSERVICE },
+					SSH_BUG_RSASIGMD5|SSH_BUG_HBSERVICE|
 					SSH_BUG_FIRSTKEX },
 		{ "2.1 *",		SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
 					SSH_OLD_SESSIONID|SSH_BUG_DEBUG|
-					SSH_BUG_RSASIGMD5|SSH_BUG_HBSERVICE },
+					SSH_BUG_RSASIGMD5|SSH_BUG_HBSERVICE|
 					SSH_BUG_FIRSTKEX },
 		{ "2.0.13*,"
 		  "2.0.14*,"
 		  "2.0.15*,"
@ -101,26 +103,28 @@ compat_datafellows(const char *version)
 					SSH_BUG_PKSERVICE|SSH_BUG_X11FWD|
 					SSH_BUG_PKOK|SSH_BUG_RSASIGMD5|
 					SSH_BUG_HBSERVICE|SSH_BUG_OPENFAILURE|
-					SSH_BUG_DUMMYCHAN },
+					SSH_BUG_DUMMYCHAN|SSH_BUG_FIRSTKEX },
 		{ "2.0.11*,"
 		  "2.0.12*",		SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
 					SSH_OLD_SESSIONID|SSH_BUG_DEBUG|
 					SSH_BUG_PKSERVICE|SSH_BUG_X11FWD|
 					SSH_BUG_PKAUTH|SSH_BUG_PKOK|
 					SSH_BUG_RSASIGMD5|SSH_BUG_OPENFAILURE|
-					SSH_BUG_DUMMYCHAN },
+					SSH_BUG_DUMMYCHAN|SSH_BUG_FIRSTKEX },
 		{ "2.0.*",		SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
 					SSH_OLD_SESSIONID|SSH_BUG_DEBUG|
 					SSH_BUG_PKSERVICE|SSH_BUG_X11FWD|
 					SSH_BUG_PKAUTH|SSH_BUG_PKOK|
 					SSH_BUG_RSASIGMD5|SSH_BUG_OPENFAILURE|
-					SSH_BUG_DERIVEKEY|SSH_BUG_DUMMYCHAN },
+					SSH_BUG_DERIVEKEY|SSH_BUG_DUMMYCHAN|
 					SSH_BUG_FIRSTKEX },
 		{ "2.2.0*,"
 		  "2.3.0*",		SSH_BUG_HMAC|SSH_BUG_DEBUG|
-					SSH_BUG_RSASIGMD5 },
+					SSH_BUG_RSASIGMD5|SSH_BUG_FIRSTKEX },
-		{ "2.3.*",		SSH_BUG_DEBUG|SSH_BUG_RSASIGMD5 },
+		{ "2.3.*",		SSH_BUG_DEBUG|SSH_BUG_RSASIGMD5|
 					SSH_BUG_FIRSTKEX },
 		{ "2.4",		SSH_OLD_SESSIONID },	/* Van Dyke */
-		{ "2.*",		SSH_BUG_DEBUG },
+		{ "2.*",		SSH_BUG_DEBUG|SSH_BUG_FIRSTKEX },
 		{ "3.0.*",		SSH_BUG_DEBUG },
 		{ "3.0 SecureCRT*",	SSH_OLD_SESSIONID },
 		{ "1.7 SecureFX*",	SSH_OLD_SESSIONID },
--- a/crypto/openssh/compat.h
+++ b/crypto/openssh/compat.h
@ -1,4 +1,4 @@
-/*	$OpenBSD: compat.h,v 1.33 2002/09/27 10:42:09 mickey Exp $	*/
+/*	$OpenBSD: compat.h,v 1.34 2003/04/01 10:31:26 markus Exp $	*/
 /*	$FreeBSD$	*/
 /*
@ -56,6 +56,7 @@
 #define SSH_BUG_EXTEOF		0x00200000
 #define SSH_BUG_K5USER		0x00400000
 #define SSH_BUG_PROBE		0x00800000
 #define SSH_BUG_FIRSTKEX	0x01000000
 void     enable_compat13(void);
 void     enable_compat20(void);
--- a/crypto/openssh/configure.ac
+++ b/crypto/openssh/configure.ac
@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.89 2002/09/26 00:38:47 tim Exp $
+# $Id: configure.ac,v 1.113 2003/03/21 01:18:09 mouring Exp $
 # $FreeBSD$
 AC_INIT
@ -15,6 +15,7 @@ AC_PROG_RANLIB
 AC_PROG_INSTALL
 AC_PATH_PROG(AR, ar)
 AC_PATH_PROGS(PERL, perl5 perl)
 AC_PATH_PROG(SED, sed)
 AC_SUBST(PERL)
 AC_PATH_PROG(ENT, ent)
 AC_SUBST(ENT)
@ -82,8 +83,11 @@ case "$host" in
 	dnl AIX handles lastlog as part of its login message
 	AC_DEFINE(DISABLE_LASTLOG)
 	AC_DEFINE(LOGIN_NEEDS_UTMPX)
 	AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_CLOBBER_ARGV)
 	AC_DEFINE(SETPROCTITLE_PS_PADDING, '\0')
 	;;
 *-*-cygwin*)
 	check_for_libcrypt_later=1
 	LIBS="$LIBS /usr/lib/textmode.o"
 	AC_DEFINE(HAVE_CYGWIN)
 	AC_DEFINE(USE_PIPES)
@ -122,7 +126,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 	AC_DEFINE(LOGIN_NEEDS_UTMPX)
 	AC_DEFINE(DISABLE_SHADOW)
 	AC_DEFINE(DISABLE_UTMP)
-	AC_DEFINE(SPT_TYPE,SPT_PSTAT)
+	AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_PSTAT)
 	LIBS="$LIBS -lsec -lsecpw"
 	AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
 	disable_ptmx_check=yes
@ -138,7 +142,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 	AC_DEFINE(LOGIN_NEEDS_UTMPX)
 	AC_DEFINE(DISABLE_SHADOW)
 	AC_DEFINE(DISABLE_UTMP)
-	AC_DEFINE(SPT_TYPE,SPT_PSTAT)
+	AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_PSTAT)
 	LIBS="$LIBS -lsec"
 	AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
 	;;
@ -151,7 +155,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 	AC_DEFINE(LOGIN_NEEDS_UTMPX)
 	AC_DEFINE(DISABLE_SHADOW)
 	AC_DEFINE(DISABLE_UTMP)
-	AC_DEFINE(SPT_TYPE,SPT_PSTAT)
+	AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_PSTAT)
 	LIBS="$LIBS -lsec"
 	AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
 	;;
@ -178,6 +182,8 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 	check_for_libcrypt_later=1
 	AC_DEFINE(DONT_TRY_OTHER_AF)
 	AC_DEFINE(PAM_TTY_KLUDGE)
 	AC_DEFINE(SETPROCTITLE_STRATEGY,PS_USE_CLOBBER_ARGV)
 	AC_DEFINE(SETPROCTITLE_PS_PADDING, '\0')
 	inet6_default_4in6=yes
 	;;
 mips-sony-bsd|mips-sony-newsos4)
@ -211,6 +217,7 @@ mips-sony-bsd|mips-sony-newsos4)
 	AC_DEFINE(LOGIN_NEEDS_UTMPX)
 	AC_DEFINE(LOGIN_NEEDS_TERM)
 	AC_DEFINE(PAM_TTY_KLUDGE)
 	AC_DEFINE(STREAMS_PUSH_ACQUIRES_CTTY)
 	# hardwire lastlog location (can't detect it on some versions)
 	conf_lastlog_location="/var/adm/lastlog"
 	AC_MSG_CHECKING(for obsolete utmp and wtmp in solaris2.x)
@ -279,6 +286,9 @@ mips-sony-bsd|mips-sony-newsos4)
 	do_sco3_extra_lib_check=yes
 	;;
 *-*-sco3.2v5*)
 	if test -z "$GCC"; then
 		CFLAGS="$CFLAGS -belf"
 	fi
 	CPPFLAGS="$CPPFLAGS -I/usr/local/include"
 	LDFLAGS="$LDFLAGS -L/usr/local/lib"
 	LIBS="$LIBS -lprot -lx -ltinfo -lm"
@ -291,8 +301,6 @@ mips-sony-bsd|mips-sony-newsos4)
 	MANTYPE=man
 	;;
 *-*-unicosmk*)
 	no_libsocket=1
 	no_libnsl=1
 	AC_DEFINE(USE_PIPES)
 	AC_DEFINE(DISABLE_FD_PASSING)
 	LDFLAGS="$LDFLAGS"
@ -300,8 +308,6 @@ mips-sony-bsd|mips-sony-newsos4)
 	MANTYPE=cat
 	;;
 *-*-unicos*)
 	no_libsocket=1
 	no_libnsl=1
 	AC_DEFINE(USE_PIPES)
 	AC_DEFINE(DISABLE_FD_PASSING)
 	AC_DEFINE(NO_SSH_LASTLOG)
@ -326,11 +332,13 @@ mips-sony-bsd|mips-sony-newsos4)
 			AC_MSG_RESULT(yes)
 			AC_DEFINE(HAVE_OSF_SIA)
 			AC_DEFINE(DISABLE_LOGIN)
 			AC_DEFINE(DISABLE_FD_PASSING)
 			LIBS="$LIBS -lsecurity -ldb -lm -laud"
 		else
 			AC_MSG_RESULT(no)
 		fi
 	fi
 	AC_DEFINE(DISABLE_FD_PASSING)
 	;;
 *-*-nto-qnx)
@ -378,13 +386,13 @@ AC_ARG_WITH(libs,
 # Checks for header files.
 AC_CHECK_HEADERS(bstring.h crypt.h endian.h floatingpoint.h \
-	getopt.h glob.h ia.h lastlog.h limits.h login.h \
+	getopt.h glob.h ia.h lastlog.h libgen.h limits.h login.h \
 	login_cap.h maillock.h netdb.h netgroup.h \
 	netinet/in_systm.h paths.h pty.h readpassphrase.h \
 	rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \
 	strings.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h \
-	sys/mman.h sys/select.h sys/stat.h \
+	sys/mman.h sys/pstat.h sys/select.h sys/stat.h \
-	sys/stropts.h sys/sysmacros.h sys/time.h \
+	sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h \
 	sys/un.h time.h tmpdir.h ttyent.h usersec.h \
 	util.h utime.h utmp.h utmpx.h)
@ -630,18 +638,25 @@ AC_ARG_WITH(tcp-wrappers,
 	]
 )
-dnl    Checks for library functions.
+dnl    Checks for library functions. Please keep in alphabetical order
-AC_CHECK_FUNCS(arc4random b64_ntop bcopy bindresvport_sa \
+AC_CHECK_FUNCS(\
-	clock fchmod fchown freeaddrinfo futimes gai_strerror \
+	arc4random __b64_ntop b64_ntop __b64_pton b64_pton basename bcopy \
-	getaddrinfo getcwd getgrouplist getnameinfo getopt getpeereid\
+	bindresvport_sa clock fchmod fchown freeaddrinfo futimes \
-	getrlimit getrusage getttyent glob inet_aton inet_ntoa \
+	gai_strerror getaddrinfo getcwd getgrouplist getnameinfo getopt \
-	inet_ntop innetgr login_getcapbool md5_crypt memmove \
+	getpeereid _getpty getrlimit getrusage getttyent glob inet_aton \
-	mkdtemp mmap ngetaddrinfo openpty ogetaddrinfo readpassphrase \
+	inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove \
-	realpath recvmsg rresvport_af sendmsg setdtablesize setegid \
+	mkdtemp mmap ngetaddrinfo nsleep ogetaddrinfo openpty pstat \
-	setenv seteuid setgroups setlogin setproctitle setresgid setreuid \
+	readpassphrase realpath recvmsg rresvport_af sendmsg setdtablesize \
-	setrlimit setsid setpcred setvbuf sigaction sigvec snprintf \
+	setegid setenv seteuid setgroups setlogin setpcred setproctitle \
-	socketpair strerror strlcat strlcpy strmode strsep sysconf tcgetpgrp \
+	setresgid setreuid setrlimit setsid setvbuf sigaction sigvec \
-	truncate utimes vhangup vsnprintf waitpid __b64_ntop _getpty)
+	snprintf socketpair strerror strlcat strlcpy strmode strnvis \
 	sysconf tcgetpgrp truncate utimes vhangup vsnprintf waitpid \
 )
 AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP))
 dnl Make sure strsep prototype is defined before defining HAVE_STRSEP
 AC_CHECK_DECL(strsep, [AC_CHECK_FUNCS(strsep)])
 dnl IRIX and Solaris 2.5.1 have dirname() in libgen
 AC_CHECK_FUNCS(dirname, [AC_CHECK_HEADERS(libgen.h)] ,[
@ -716,6 +731,32 @@ int main(void){char b[5];snprintf(b,5,"123456789");exit(b[4]!='\0');}
 	)
 fi
 dnl see whether mkstemp() requires XXXXXX
 if test "x$ac_cv_func_mkdtemp" = "xyes" ; then
 AC_MSG_CHECKING([for (overly) strict mkstemp])
 AC_TRY_RUN(
 	[
 #include <stdlib.h>
 main() { char template[]="conftest.mkstemp-test";
 if (mkstemp(template) == -1)
 	exit(1);
 unlink(template); exit(0);
 }
 	],
 	[
 		AC_MSG_RESULT(no)
 	],
 	[ 
 		AC_MSG_RESULT(yes)
 		AC_DEFINE(HAVE_STRICT_MKSTEMP)
 	],
 	[
 		AC_MSG_RESULT(yes)
 		AC_DEFINE(HAVE_STRICT_MKSTEMP)
 	] 
 )
 fi
 AC_FUNC_GETPGRP
 # Check for PAM libs
@ -1479,12 +1520,16 @@ if test "x$ac_cv_have_struct_timeval" = "xyes" ; then
 	have_struct_timeval=1
 fi
-# If we don't have int64_t then we can't compile sftp-server.  So don't
+AC_CHECK_TYPES(struct timespec)
-# even attempt to do it. 
+
 # We need int64_t or else certian parts of the compile will fail.
 if test "x$ac_cv_have_int64_t" = "xno" -a \
 	"x$ac_cv_sizeof_long_int" != "x8" -a \
 	"x$ac_cv_sizeof_long_long_int" = "x0" ; then
-	NO_SFTP='#'
+	echo "OpenSSH requires int64_t support.  Contact your vendor or install"
 	echo "an alternative compiler (I.E., GCC) before continuing."
 	echo ""
 	exit 1;
 else
 dnl test snprintf (broken on SCO w/gcc)
 	AC_TRY_RUN(
@ -1514,7 +1559,6 @@ main() { exit(0); }
 		], [ true ], [ AC_DEFINE(BROKEN_SNPRINTF) ]
 	)
 fi
 AC_SUBST(NO_SFTP)
 dnl Checks for structure members
 OSSH_CHECK_HEADER_FOR_FIELD(ut_host, utmp.h, HAVE_HOST_IN_UTMP)
@ -1946,6 +1990,17 @@ AC_ARG_WITH(xauth,
 	]
 )
 STRIP_OPT=-s
 AC_ARG_ENABLE(strip,
 	[  --disable-strip         Disable calling strip(1) on install],
 	[
 		if test "x$enableval" = "xno" ; then
 			STRIP_OPT=
 		fi
 	]
 )
 AC_SUBST(STRIP_OPT)
 if test -z "$xauth_path" ; then
 	XAUTH_PATH="undefined"
 	AC_SUBST(XAUTH_PATH)
@ -2100,7 +2155,11 @@ Edit /etc/login.conf instead.])
 # include <paths.h>
 #endif
 #ifndef _PATH_STDPATH
-# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
+# ifdef _PATH_USERPATH	/* Irix */
 #  define _PATH_STDPATH _PATH_USERPATH
 # else
 #  define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
 # endif
 #endif
 #include <sys/types.h>
 #include <sys/stat.h>
@ -2539,12 +2598,6 @@ if test "x$PAM_MSG" = "xyes" ; then
 	echo ""
 fi
 if test ! -z "$NO_SFTP"; then
 	echo "sftp-server will be disabled.  Your compiler does not "
 	echo "support 64bit integers."
 	echo ""
 fi
 if test ! -z "$RAND_HELPER_CMDHASH" ; then
 	echo "WARNING: you are using the builtin random number collection "
 	echo "service. Please read WARNING.RNG and request that your OS "
--- a/crypto/openssh/includes.h
+++ b/crypto/openssh/includes.h
@ -158,6 +158,10 @@ __RCSID(msg)
 # include <tmpdir.h>
 #endif
 #ifdef HAVE_LIBUTIL_H
 # include <libutil.h> /* Openpty on FreeBSD at least */
 #endif
 #include <openssl/opensslv.h> /* For OPENSSL_VERSION_NUMBER */
 #include "defines.h"
--- a/crypto/openssh/key.c
+++ b/crypto/openssh/key.c
@ -32,7 +32,7 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "includes.h"
-RCSID("$OpenBSD: key.c,v 1.49 2002/09/09 14:54:14 markus Exp $");
+RCSID("$OpenBSD: key.c,v 1.51 2003/02/12 09:33:04 markus Exp $");
 RCSID("$FreeBSD$");
 #include <openssl/evp.h>
@ -40,8 +40,6 @@ RCSID("$FreeBSD$");
 #include "xmalloc.h"
 #include "key.h"
 #include "rsa.h"
 #include "ssh-dss.h"
 #include "ssh-rsa.h"
 #include "uuencode.h"
 #include "buffer.h"
 #include "bufaux.h"
@ -411,14 +409,14 @@ key_read(Key *ret, char **cpp)
 	case KEY_DSA:
 		space = strchr(cp, ' ');
 		if (space == NULL) {
-			debug3("key_read: no space");
+			debug3("key_read: missing whitespace");
 			return -1;
 		}
 		*space = '\0';
 		type = key_type_from_name(cp);
 		*space = ' ';
 		if (type == KEY_UNSPEC) {
-			debug3("key_read: no key found");
+			debug3("key_read: missing keytype");
 			return -1;
 		}
 		cp = space+1;
--- a/crypto/openssh/loginrec.c
+++ b/crypto/openssh/loginrec.c
@ -163,7 +163,7 @@
 #include "log.h"
 #include "atomicio.h"
-RCSID("$Id: loginrec.c,v 1.44 2002/09/26 00:38:49 tim Exp $");
+RCSID("$Id: loginrec.c,v 1.47 2003/03/10 00:23:07 djm Exp $");
 RCSID("$FreeBSD$");
 #ifdef HAVE_UTIL_H
@ -610,6 +610,9 @@ void
 construct_utmp(struct logininfo *li,
 		    struct utmp *ut)
 {
 # ifdef HAVE_ADDR_V6_IN_UTMP
 	struct sockaddr_in6 *sa6;
 #  endif
 	memset(ut, '\0', sizeof(*ut));
 	/* First fill out fields used for both logins and logouts */
@ -663,6 +666,19 @@ construct_utmp(struct logininfo *li,
 	if (li->hostaddr.sa.sa_family == AF_INET)
 		ut->ut_addr = li->hostaddr.sa_in.sin_addr.s_addr;
 # endif
 # ifdef HAVE_ADDR_V6_IN_UTMP
 	/* this is just a 128-bit IPv6 address */
 	if (li->hostaddr.sa.sa_family == AF_INET6) {
 		sa6 = ((struct sockaddr_in6 *)&li->hostaddr.sa);
 		memcpy(ut->ut_addr_v6, sa6->sin6_addr.s6_addr, 16);
 		if (IN6_IS_ADDR_V4MAPPED(&sa6->sin6_addr)) {
 			ut->ut_addr_v6[0] = ut->ut_addr_v6[3];
 			ut->ut_addr_v6[1] = 0;
 			ut->ut_addr_v6[2] = 0;
 			ut->ut_addr_v6[3] = 0;
 		}
 	}
 # endif
 }
 #endif /* USE_UTMP || USE_WTMP || USE_LOGIN */
@ -691,6 +707,9 @@ set_utmpx_time(struct logininfo *li, struct utmpx *utx)
 void
 construct_utmpx(struct logininfo *li, struct utmpx *utx)
 {
 # ifdef HAVE_ADDR_V6_IN_UTMP
 	struct sockaddr_in6 *sa6;
 #  endif
 	memset(utx, '\0', sizeof(*utx));
 # ifdef HAVE_ID_IN_UTMPX
 	line_abbrevname(utx->ut_id, li->line, sizeof(utx->ut_id));
@ -727,6 +746,19 @@ construct_utmpx(struct logininfo *li, struct utmpx *utx)
 	if (li->hostaddr.sa.sa_family == AF_INET)
 		utx->ut_addr = li->hostaddr.sa_in.sin_addr.s_addr;
 # endif
 # ifdef HAVE_ADDR_V6_IN_UTMP
 	/* this is just a 128-bit IPv6 address */
 	if (li->hostaddr.sa.sa_family == AF_INET6) {
 		sa6 = ((struct sockaddr_in6 *)&li->hostaddr.sa);
 		memcpy(ut->ut_addr_v6, sa6->sin6_addr.s6_addr, 16);
 		if (IN6_IS_ADDR_V4MAPPED(&sa6->sin6_addr)) {
 			ut->ut_addr_v6[0] = ut->ut_addr_v6[3];
 			ut->ut_addr_v6[1] = 0;
 			ut->ut_addr_v6[2] = 0;
 			ut->ut_addr_v6[3] = 0;
 		}
 	}
 # endif
 # ifdef HAVE_SYSLEN_IN_UTMPX
 	/* ut_syslen is the length of the utx_host string */
 	utx->ut_syslen = MIN(strlen(li->hostname), sizeof(utx->ut_host));
@ -1315,6 +1347,7 @@ syslogin_perform_login(struct logininfo *li)
 	}
 	construct_utmp(li, ut);
 	login(ut);
 	free(ut);
 	return 1;
 }
@ -1492,22 +1525,32 @@ int
 lastlog_get_entry(struct logininfo *li)
 {
 	struct lastlog last;
-	int fd;
+	int fd, ret;
 	if (!lastlog_openseek(li, &fd, O_RDONLY))
-		return 0;
+		return (0);
 	if (atomicio(read, fd, &last, sizeof(last)) != sizeof(last)) {
 		close(fd);
 		log("lastlog_get_entry: Error reading from %s: %s",
 		    LASTLOG_FILE, strerror(errno));
 		return 0;
 	}
 	ret = atomicio(read, fd, &last, sizeof(last));
 	close(fd);
-	lastlog_populate_entry(li, &last);
+	switch (ret) {
 	case 0:
 		memset(&last, '\0', sizeof(last));
 		/* FALLTHRU */
 	case sizeof(last):
 		lastlog_populate_entry(li, &last);
 		return (1);
 	case -1:
 		error("%s: Error reading from %s: %s", __func__, 
 		    LASTLOG_FILE, strerror(errno));
 		return (0);
 	default:
 		error("%s: Error reading from %s: Expecting %d, got %d",
 		    __func__, LASTLOG_FILE, sizeof(last), ret);
 		return (0);
 	}
-	return 1;
+	/* NOTREACHED */
 	return (0);
 }
 #endif /* USE_LASTLOG */
--- a/crypto/openssh/monitor.c
+++ b/crypto/openssh/monitor.c
@ -25,7 +25,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.29 2002/09/26 11:38:43 markus Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.36 2003/04/01 10:22:21 markus Exp $");
 RCSID("$FreeBSD$");
 #include <openssl/dh.h>
@ -651,20 +651,20 @@ mm_answer_bsdauthquery(int socket, Buffer *m)
 	u_int numprompts;
 	u_int *echo_on;
 	char **prompts;
-	int res;
+	u_int success;
-	res = bsdauth_query(authctxt, &name, &infotxt, &numprompts,
+	success = bsdauth_query(authctxt, &name, &infotxt, &numprompts,
-	    &prompts, &echo_on);
+	    &prompts, &echo_on) < 0 ? 0 : 1;
 	buffer_clear(m);
-	buffer_put_int(m, res);
+	buffer_put_int(m, success);
-	if (res != -1)
+	if (success)
 		buffer_put_cstring(m, prompts[0]);
-	debug3("%s: sending challenge res: %d", __func__, res);
+	debug3("%s: sending challenge success: %u", __func__, success);
 	mm_request_send(socket, MONITOR_ANS_BSDAUTHQUERY, m);
-	if (res != -1) {
+	if (success) {
 		xfree(name);
 		xfree(infotxt);
 		xfree(prompts);
@ -708,16 +708,16 @@ mm_answer_skeyquery(int socket, Buffer *m)
 {
 	struct skey skey;
 	char challenge[1024];
-	int res;
+	u_int success;
-	res = skeychallenge(&skey, authctxt->user, challenge);
+	success = skeychallenge(&skey, authctxt->user, challenge) < 0 ? 0 : 1;
 	buffer_clear(m);
-	buffer_put_int(m, res);
+	buffer_put_int(m, success);
-	if (res != -1)
+	if (success)
 		buffer_put_cstring(m, challenge);
-	debug3("%s: sending challenge res: %d", __func__, res);
+	debug3("%s: sending challenge success: %u", __func__, success);
 	mm_request_send(socket, MONITOR_ANS_SKEYQUERY, m);
 	return (0);
@ -920,8 +920,9 @@ mm_answer_keyallowed(int socket, Buffer *m)
 			fatal("%s: unknown key type %d", __func__, type);
 			break;
 		}
 		key_free(key);
 	}
 	if (key != NULL)
 		key_free(key);
 	/* clear temporarily storage (used by verify) */
 	monitor_reset_key_state();
@ -940,6 +941,7 @@ mm_answer_keyallowed(int socket, Buffer *m)
 	buffer_clear(m);
 	buffer_put_int(m, allowed);
 	buffer_put_int(m, forced_command != NULL);
 	mm_append_debug(m);
@ -1302,6 +1304,7 @@ mm_answer_rsa_keyallowed(int socket, Buffer *m)
 	}
 	buffer_clear(m);
 	buffer_put_int(m, allowed);
 	buffer_put_int(m, forced_command != NULL);
 	/* clear temporarily storage (used by generate challenge) */
 	monitor_reset_key_state();
@ -1316,8 +1319,9 @@ mm_answer_rsa_keyallowed(int socket, Buffer *m)
 		key_blob = blob;
 		key_bloblen = blen;
 		key_blobtype = MM_RSAUSERKEY;
 		key_free(key);
 	}
 	if (key != NULL)
 		key_free(key);
 	mm_append_debug(m);
@ -1358,6 +1362,9 @@ mm_answer_rsa_challenge(int socket, Buffer *m)
 	mm_request_send(socket, MONITOR_ANS_RSACHALLENGE, m);
 	monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 1);
 	xfree(blob);
 	key_free(key);
 	return (0);
 }
@ -1388,6 +1395,7 @@ mm_answer_rsa_response(int socket, Buffer *m)
 		fatal("%s: received bad response to challenge", __func__);
 	success = auth_rsa_verify_response(key, ssh1_challenge, response);
 	xfree(blob);
 	key_free(key);
 	xfree(response);
@ -1572,6 +1580,8 @@ mm_get_kex(Buffer *m)
 	    (memcmp(kex->session_id, session_id2, session_id2_len) != 0))
 		fatal("mm_get_get: internal error: bad session id");
 	kex->we_need = buffer_get_int(m);
 	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
 	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
 	kex->server = 1;
 	kex->hostkey_type = buffer_get_int(m);
 	kex->kex_type = buffer_get_int(m);
@ -1665,7 +1675,7 @@ mm_get_keystate(struct monitor *pmonitor)
 void *
 mm_zalloc(struct mm_master *mm, u_int ncount, u_int size)
 {
-	size_t len = size * ncount;
+	size_t len = (size_t) size * ncount;
 	void *address;
 	if (len == 0 || ncount > SIZE_T_MAX / size)
--- a/crypto/openssh/monitor_wrap.c
+++ b/crypto/openssh/monitor_wrap.c
@ -25,7 +25,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: monitor_wrap.c,v 1.19 2002/09/26 11:38:43 markus Exp $");
+RCSID("$OpenBSD: monitor_wrap.c,v 1.24 2003/04/01 10:22:21 markus Exp $");
 RCSID("$FreeBSD$");
 #include <openssl/bn.h>
@ -35,6 +35,7 @@ RCSID("$FreeBSD$");
 #include "dh.h"
 #include "kex.h"
 #include "auth.h"
 #include "auth-options.h"
 #include "buffer.h"
 #include "bufaux.h"
 #include "packet.h"
@ -313,7 +314,7 @@ mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key)
 	Buffer m;
 	u_char *blob;
 	u_int len;
-	int allowed = 0;
+	int allowed = 0, have_forced = 0;
 	debug3("%s entering", __func__);
@ -335,6 +336,11 @@ mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key)
 	allowed = buffer_get_int(&m);
 	/* fake forced command */
 	auth_clear_options();
 	have_forced = buffer_get_int(&m);
 	forced_command = have_forced ? xstrdup("true") : NULL;
 	/* Send potential debug messages */
 	mm_send_debug(&m);
@ -797,7 +803,7 @@ mm_bsdauth_query(void *ctx, char **name, char **infotxt,
   u_int *numprompts, char ***prompts, u_int **echo_on)
 {
 	Buffer m;
-	int res;
+	u_int success;
 	char *challenge;
 	debug3("%s: entering", __func__);
@ -807,8 +813,8 @@ mm_bsdauth_query(void *ctx, char **name, char **infotxt,
 	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_BSDAUTHQUERY,
 	    &m);
-	res = buffer_get_int(&m);
+	success = buffer_get_int(&m);
-	if (res == -1) {
+	if (success == 0) {
 		debug3("%s: no challenge", __func__);
 		buffer_free(&m);
 		return (-1);
@ -855,7 +861,8 @@ mm_skey_query(void *ctx, char **name, char **infotxt,
   u_int *numprompts, char ***prompts, u_int **echo_on)
 {
 	Buffer m;
-	int len, res;
+	int len;
 	u_int success;
 	char *p, *challenge;
 	debug3("%s: entering", __func__);
@ -865,8 +872,8 @@ mm_skey_query(void *ctx, char **name, char **infotxt,
 	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SKEYQUERY,
 	    &m);
-	res = buffer_get_int(&m);
+	success = buffer_get_int(&m);
-	if (res == -1) {
+	if (success == 0) {
 		debug3("%s: no challenge", __func__);
 		buffer_free(&m);
 		return (-1);
@ -937,7 +944,7 @@ mm_auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
 	Key *key;
 	u_char *blob;
 	u_int blen;
-	int allowed = 0;
+	int allowed = 0, have_forced = 0;
 	debug3("%s entering", __func__);
@ -949,6 +956,11 @@ mm_auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
 	allowed = buffer_get_int(&m);
 	/* fake forced command */
 	auth_clear_options();
 	have_forced = buffer_get_int(&m);
 	forced_command = have_forced ? xstrdup("true") : NULL;
 	if (allowed && rkey != NULL) {
 		blob = buffer_get_string(&m, &blen);
 		if ((key = key_from_blob(blob, blen)) == NULL)
@ -1054,7 +1066,7 @@ mm_auth_krb4(Authctxt *authctxt, void *_auth, char **client, void *_reply)
 		xfree(p);
 	}
 	buffer_free(&m);
-	return (success); 
+	return (success);
 }
 #endif
--- a/crypto/openssh/packet.h
+++ b/crypto/openssh/packet.h
@ -1,4 +1,4 @@
-/*	$OpenBSD: packet.h,v 1.35 2002/06/19 18:01:00 markus Exp $	*/
+/*	$OpenBSD: packet.h,v 1.37 2003/04/01 10:22:21 markus Exp $	*/
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
--- a/crypto/openssh/readconf.c
+++ b/crypto/openssh/readconf.c
@ -12,7 +12,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.100 2002/06/19 00:27:55 deraadt Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.104 2003/04/01 10:22:21 markus Exp $");
 RCSID("$FreeBSD$");
 #include "ssh.h"
@ -115,6 +115,7 @@ typedef enum {
 	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
 	oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 	oEnableSSHKeysign,
 	oVersionAddendum,
 	oDeprecated
 } OpCodes;
@ -187,6 +188,7 @@ static struct {
 	{ "bindaddress", oBindAddress },
 	{ "smartcarddevice", oSmartcardDevice },
 	{ "clearallforwardings", oClearAllForwardings },
 	{ "enablesshkeysign", oEnableSSHKeysign },
 	{ "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
 	{ "versionaddendum", oVersionAddendum },
 	{ NULL, oBadOption }
@ -269,14 +271,16 @@ parse_token(const char *cp, const char *filename, int linenum)
 * Processes a single option line as used in the configuration files. This
 * only sets those values that have not already been set.
 */
 #define WHITESPACE " \t\r\n"
 int
 process_config_line(Options *options, const char *host,
 		    char *line, const char *filename, int linenum,
 		    int *activep)
 {
-	char buf[256], *s, *string, **charptr, *endofnumber, *keyword, *arg;
+	char buf[256], *s, **charptr, *endofnumber, *keyword, *arg;
 	int opcode, *intptr, value;
 	size_t len;
 	u_short fwd_port, fwd_host_port;
 	char sfwd_host_port[6];
@ -489,16 +493,9 @@ process_config_line(Options *options, const char *host,
 	case oProxyCommand:
 		charptr = &options->proxy_command;
-		string = xstrdup("");
+		len = strspn(s, WHITESPACE "=");
 		while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
 			string = xrealloc(string, strlen(string) + strlen(arg) + 2);
 			strcat(string, " ");
 			strcat(string, arg);
 		}
 		if (*activep && *charptr == NULL)
-			*charptr = string;
+			*charptr = xstrdup(s + len);
 		else
 			xfree(string);
 		return 0;
 	case oPort:
@ -672,6 +669,10 @@ process_config_line(Options *options, const char *host,
 			*intptr = value;
 		break;
 	case oEnableSSHKeysign:
 		intptr = &options->enable_ssh_keysign;
 		goto parse_flag;
 	case oVersionAddendum:
 		ssh_version_set_addendum(strtok(s, "\n"));
 		do {
@ -802,6 +803,7 @@ initialize_options(Options * options)
 	options->preferred_authentications = NULL;
 	options->bind_address = NULL;
 	options->smartcard_device = NULL;
 	options->enable_ssh_keysign = - 1;
 	options->no_host_authentication_for_localhost = - 1;
 }
@ -917,6 +919,8 @@ fill_default_options(Options * options)
 		clear_forwardings(options);
 	if (options->no_host_authentication_for_localhost == - 1)
 		options->no_host_authentication_for_localhost = 0;
 	if (options->enable_ssh_keysign == -1)
 		options->enable_ssh_keysign = 0;
 	/* options->proxy_command should not be set by default */
 	/* options->user will be set in the main program if appropriate */
 	/* options->hostname will be set in the main program if appropriate */
--- a/crypto/openssh/readconf.h
+++ b/crypto/openssh/readconf.h
@ -1,4 +1,4 @@
-/*	$OpenBSD: readconf.h,v 1.43 2002/06/08 05:17:01 markus Exp $	*/
+/*	$OpenBSD: readconf.h,v 1.46 2003/04/01 10:22:21 markus Exp $	*/
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -99,6 +99,8 @@ typedef struct {
 	int     num_remote_forwards;
 	Forward remote_forwards[SSH_MAX_FORWARDS_PER_DIRECTION];
 	int	clear_forwardings;
 	int	enable_ssh_keysign;
 	int	no_host_authentication_for_localhost;
 }       Options;
--- a/crypto/openssh/scp.c
+++ b/crypto/openssh/scp.c
@ -75,7 +75,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: scp.c,v 1.91 2002/06/19 00:27:55 deraadt Exp $");
+RCSID("$OpenBSD: scp.c,v 1.102 2003/03/05 22:33:43 markus Exp $");
 RCSID("$FreeBSD$");
 #include "xmalloc.h"
@ -83,6 +83,7 @@ RCSID("$FreeBSD$");
 #include "pathnames.h"
 #include "log.h"
 #include "misc.h"
 #include "progressmeter.h"
 #ifdef HAVE___PROGNAME
 extern char *__progname;
@ -90,29 +91,13 @@ extern char *__progname;
 char *__progname;
 #endif
-/* For progressmeter() -- number of seconds before xfer considered "stalled" */
+void bwlimit(int);
 #define STALLTIME	5
 /* alarm() interval for updating progress meter */
 #define PROGRESSTIME	1
 /* Visual statistics about files as they are transferred. */
 void progressmeter(int);
 /* Returns width of the terminal (for progress meter calculations). */
 int getttywidth(void);
 int do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc);
 /* Struct for addargs */
 arglist args;
-/* Time a transfer started. */
+/* Bandwidth limit */
-static struct timeval start;
+off_t limitbw = 0;
 /* Number of bytes of current file transferred so far. */
 volatile off_t statbytes;
 /* Total size of current file. */
 off_t totalbytes = 0;
 /* Name of current file being transferred. */
 char *curfile;
@ -126,6 +111,9 @@ int showprogress = 1;
 /* This is the program to execute for the secured connection. ("ssh" or -S) */
 char *ssh_program = _PATH_SSH_PROGRAM;
 /* This is used to store the pid of ssh_program */
 pid_t do_cmd_pid;
 /*
 * This function executes the given command as the specified user on the
 * given host.  This returns < 0 if execution fails, and >= 0 otherwise. This
@ -160,7 +148,8 @@ do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc)
 	close(reserved[1]);
 	/* For a child to execute the command on the remote host using ssh. */
-	if (fork() == 0)  {
+	do_cmd_pid = fork();
 	if (do_cmd_pid == 0) {
 		/* Child. */
 		close(pin[1]);
 		close(pout[0]);
@ -178,6 +167,8 @@ do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc)
 		execvp(ssh_program, args.list);
 		perror(ssh_program);
 		exit(1);
 	} else if (do_cmd_pid == -1) {
 		fatal("fork: %s", strerror(errno));
 	}
 	/* Parent.  Close the other side, and return the local side. */
 	close(pin[0]);
@ -220,8 +211,9 @@ main(argc, argv)
 	int argc;
 	char *argv[];
 {
-	int ch, fflag, tflag;
+	int ch, fflag, tflag, status;
-	char *targ;
+	double speed;
 	char *targ, *endp;
 	extern char *optarg;
 	extern int optind;
@ -234,9 +226,11 @@ main(argc, argv)
 	addargs(&args, "-oClearAllForwardings yes");
 	fflag = tflag = 0;
-	while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46S:o:F:")) != -1)
+	while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q1246S:o:F:")) != -1)
 		switch (ch) {
 		/* User-visible flags. */
 		case '1':
 		case '2':
 		case '4':
 		case '6':
 		case 'C':
@ -254,6 +248,12 @@ main(argc, argv)
 		case 'B':
 			addargs(&args, "-oBatchmode yes");
 			break;
 		case 'l':
 			speed = strtod(optarg, &endp);
 			if (speed <= 0 || *endp != '\0')
 				usage();
 			limitbw = speed * 1024;
 			break;
 		case 'p':
 			pflag = 1;
 			break;
@ -318,6 +318,7 @@ main(argc, argv)
 		targetshouldbedirectory = 1;
 	remin = remout = -1;
 	do_cmd_pid = -1;
 	/* Command to be executed on remote system using "ssh". */
 	(void) snprintf(cmd, sizeof cmd, "scp%s%s%s%s",
 	    verbose_mode ? " -v" : "",
@ -333,6 +334,22 @@ main(argc, argv)
 		if (targetshouldbedirectory)
 			verifydir(argv[argc - 1]);
 	}
 	/*
 	 * Finally check the exit status of the ssh process, if one was forked
 	 * and no error has occured yet
 	 */
 	if (do_cmd_pid != -1 && errs == 0) {
 		if (remin != -1)
 		    (void) close(remin);
 		if (remout != -1)
 		    (void) close(remout);
 		if (waitpid(do_cmd_pid, &status, 0) == -1)
 			errs = 1;
 		else {
 			if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
 				errs = 1;
 		}
 	}
 	exit(errs != 0);
 }
@ -348,14 +365,12 @@ toremote(targ, argc, argv)
 	if (*targ == 0)
 		targ = ".";
-	if ((thost = strchr(argv[argc - 1], '@'))) {
+	if ((thost = strrchr(argv[argc - 1], '@'))) {
 		/* user@host */
 		*thost++ = 0;
 		tuser = argv[argc - 1];
 		if (*tuser == '\0')
 			tuser = NULL;
 		else if (!okname(tuser))
 			exit(1);
 	} else {
 		thost = argv[argc - 1];
 		tuser = NULL;
@ -369,7 +384,7 @@ toremote(targ, argc, argv)
 			*src++ = 0;
 			if (*src == 0)
 				src = ".";
-			host = strchr(argv[i], '@');
+			host = strrchr(argv[i], '@');
 			len = strlen(ssh_program) + strlen(argv[i]) +
 			    strlen(src) + (tuser ? strlen(tuser) : 0) +
 			    strlen(thost) + strlen(targ) +
@ -381,8 +396,14 @@ toremote(targ, argc, argv)
 				suser = argv[i];
 				if (*suser == '\0')
 					suser = pwd->pw_name;
-				else if (!okname(suser))
+				else if (!okname(suser)) {
 					xfree(bp);
 					continue;
 				}
 				if (tuser && !okname(tuser)) {
 					xfree(bp);
 					continue;
 				}
 				snprintf(bp, len,
 				    "%s%s %s -n "
 				    "-l %s %s %s %s '%s%s%s:%s'",
@ -448,7 +469,7 @@ tolocal(argc, argv)
 		*src++ = 0;
 		if (*src == 0)
 			src = ".";
-		if ((host = strchr(argv[i], '@')) == NULL) {
+		if ((host = strrchr(argv[i], '@')) == NULL) {
 			host = argv[i];
 			suser = NULL;
 		} else {
@ -456,8 +477,6 @@ tolocal(argc, argv)
 			suser = argv[i];
 			if (*suser == '\0')
 				suser = pwd->pw_name;
 			else if (!okname(suser))
 				continue;
 		}
 		host = cleanhostname(host);
 		len = strlen(src) + CMDNEEDS + 20;
@ -483,7 +502,7 @@ source(argc, argv)
 	struct stat stb;
 	static BUF buffer;
 	BUF *bp;
-	off_t i, amt, result;
+	off_t i, amt, result, statbytes;
 	int fd, haderr, indx;
 	char *last, *name, buf[2048];
 	int len;
@ -548,7 +567,6 @@ syserr:			run_err("%s: %s", name, strerror(errno));
 #endif
 		if (verbose_mode) {
 			fprintf(stderr, "Sending file modes: %s", buf);
 			fflush(stderr);
 		}
 		(void) atomicio(write, remout, buf, strlen(buf));
 		if (response() < 0)
@ -557,10 +575,8 @@ syserr:			run_err("%s: %s", name, strerror(errno));
 next:			(void) close(fd);
 			continue;
 		}
-		if (showprogress) {
+		if (showprogress)
-			totalbytes = stb.st_size;
+			start_progress_meter(curfile, stb.st_size, &statbytes);
 			progressmeter(-1);
 		}
 		/* Keep writing after an error so that we stay sync'd up. */
 		for (haderr = i = 0; i < stb.st_size; i += bp->cnt) {
 			amt = bp->cnt;
@ -579,9 +595,11 @@ next:			(void) close(fd);
 					haderr = result >= 0 ? EIO : errno;
 				statbytes += result;
 			}
 			if (limitbw)
 				bwlimit(amt);
 		}
 		if (showprogress)
-			progressmeter(1);
+			stop_progress_meter();
 		if (close(fd) < 0 && !haderr)
 			haderr = errno;
@ -648,6 +666,60 @@ rsource(name, statp)
 	(void) response();
 }
 void
 bwlimit(int amount)
 {
 	static struct timeval bwstart, bwend;
 	static int lamt, thresh = 16384;
 	u_int64_t wait;
 	struct timespec ts, rm;
 	if (!timerisset(&bwstart)) {
 		gettimeofday(&bwstart, NULL);
 		return;
 	}
 	lamt += amount;
 	if (lamt < thresh)
 		return;
 	gettimeofday(&bwend, NULL);
 	timersub(&bwend, &bwstart, &bwend);
 	if (!timerisset(&bwend))
 		return;
 	lamt *= 8;
 	wait = (double)1000000L * lamt / limitbw;
 	bwstart.tv_sec = wait / 1000000L;
 	bwstart.tv_usec = wait % 1000000L;
 	if (timercmp(&bwstart, &bwend, >)) {
 		timersub(&bwstart, &bwend, &bwend);
 		/* Adjust the wait time */
 		if (bwend.tv_sec) {
 			thresh /= 2;
 			if (thresh < 2048)
 				thresh = 2048;
 		} else if (bwend.tv_usec < 100) {
 			thresh *= 2;
 			if (thresh > 32768)
 				thresh = 32768;
 		}
 		TIMEVAL_TO_TIMESPEC(&bwend, &ts);
 		while (nanosleep(&ts, &rm) == -1) {
 			if (errno != EINTR)
 				break;
 			ts = rm;
 		}
 	}
 	lamt = 0;
 	gettimeofday(&bwstart, NULL);
 }
 void
 sink(argc, argv)
 	int argc;
@ -661,7 +733,7 @@ sink(argc, argv)
 	BUF *bp;
 	off_t i, j;
 	int amt, count, exists, first, mask, mode, ofd, omode;
-	off_t size;
+	off_t size, statbytes;
 	int setimes, targisdir, wrerrno = 0;
 	char ch, *cp, *np, *targ, *why, *vect[1], buf[2048];
 	struct timeval tv[2];
@ -823,11 +895,9 @@ bad:			run_err("%s: %s", np, strerror(errno));
 		cp = bp->buf;
 		wrerr = NO;
 		if (showprogress) {
 			totalbytes = size;
 			progressmeter(-1);
 		}
 		statbytes = 0;
 		if (showprogress)
 			start_progress_meter(curfile, size, &statbytes);
 		for (count = i = 0; i < size; i += 4096) {
 			amt = 4096;
 			if (i + amt > size)
@ -847,6 +917,10 @@ bad:			run_err("%s: %s", np, strerror(errno));
 				cp += j;
 				statbytes += j;
 			} while (amt > 0);
 			if (limitbw)
 				bwlimit(4096);
 			if (count == bp->cnt) {
 				/* Keep reading so we stay sync'd up. */
 				if (wrerr == NO) {
@ -861,13 +935,13 @@ bad:			run_err("%s: %s", np, strerror(errno));
 			}
 		}
 		if (showprogress)
-			progressmeter(1);
+			stop_progress_meter();
 		if (count != 0 && wrerr == NO &&
 		    (j = atomicio(write, ofd, bp->buf, count)) != count) {
 			wrerr = YES;
 			wrerrno = j >= 0 ? EIO : errno;
 		}
-		if (ftruncate(ofd, size)) {
+		if (wrerr == NO && ftruncate(ofd, size) != 0) {
 			run_err("%s: truncate: %s", np, strerror(errno));
 			wrerr = DISPLAYED;
 		}
@ -956,8 +1030,8 @@ void
 usage(void)
 {
 	(void) fprintf(stderr,
-	    "usage: scp [-pqrvBC46] [-F config] [-S program] [-P port]\n"
+	    "usage: scp [-pqrvBC1246] [-F config] [-S program] [-P port]\n"
-	    "           [-c cipher] [-i identity] [-o option]\n"
+	    "           [-c cipher] [-i identity] [-l limit] [-o option]\n"
 	    "           [[user@]host1:]file1 [...] [[user@]host2:]file2\n");
 	exit(1);
 }
@ -1014,9 +1088,18 @@ okname(cp0)
 		c = (int)*cp;
 		if (c & 0200)
 			goto bad;
-		if (!isalpha(c) && !isdigit(c) &&
+		if (!isalpha(c) && !isdigit(c)) {
-		    c != '_' && c != '-' && c != '.' && c != '+')
+			switch (c) {
-			goto bad;
+			case '\'':
 			case '"':
 			case '`':
 			case ' ':
 			case '#':
 				goto bad;
 			default:
 				break;
 			}
 		}
 	} while (*++cp);
 	return (1);
@ -1037,10 +1120,9 @@ allocbuf(bp, fd, blksize)
 		run_err("fstat: %s", strerror(errno));
 		return (0);
 	}
-	if (stb.st_blksize == 0)
+	size = roundup(stb.st_blksize, blksize);
 	if (size == 0)
 		size = blksize;
 	else
 		size = roundup(stb.st_blksize, blksize);
 #else /* HAVE_STRUCT_STAT_ST_BLKSIZE */
 	size = blksize;
 #endif /* HAVE_STRUCT_STAT_ST_BLKSIZE */
@ -1066,149 +1148,3 @@ lostconn(signo)
 	else
 		exit(1);
 }
 static void
 updateprogressmeter(int ignore)
 {
 	int save_errno = errno;
 	progressmeter(0);
 	signal(SIGALRM, updateprogressmeter);
 	alarm(PROGRESSTIME);
 	errno = save_errno;
 }
 static int
 foregroundproc(void)
 {
 	static pid_t pgrp = -1;
 	int ctty_pgrp;
 	if (pgrp == -1)
 		pgrp = getpgrp();
 #ifdef HAVE_TCGETPGRP
 	return ((ctty_pgrp = tcgetpgrp(STDOUT_FILENO)) != -1 &&
 		ctty_pgrp == pgrp);
 #else
 	return ((ioctl(STDOUT_FILENO, TIOCGPGRP, &ctty_pgrp) != -1 &&
 		 ctty_pgrp == pgrp));
 #endif
 }
 void
 progressmeter(int flag)
 {
 	static const char prefixes[] = " KMGTP";
 	static struct timeval lastupdate;
 	static off_t lastsize;
 	struct timeval now, td, wait;
 	off_t cursize, abbrevsize;
 	double elapsed;
 	int ratio, barlength, i, remaining;
 	char buf[512];
 	if (flag == -1) {
 		(void) gettimeofday(&start, (struct timezone *) 0);
 		lastupdate = start;
 		lastsize = 0;
 	}
 	if (foregroundproc() == 0)
 		return;
 	(void) gettimeofday(&now, (struct timezone *) 0);
 	cursize = statbytes;
 	if (totalbytes != 0) {
 		ratio = 100.0 * cursize / totalbytes;
 		ratio = MAX(ratio, 0);
 		ratio = MIN(ratio, 100);
 	} else
 		ratio = 100;
 	snprintf(buf, sizeof(buf), "\r%-20.20s %3d%% ", curfile, ratio);
 	barlength = getttywidth() - 51;
 	if (barlength > 0) {
 		i = barlength * ratio / 100;
 		snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),
 		    "|%.*s%*s|", i,
 		    "*******************************************************"
 		    "*******************************************************"
 		    "*******************************************************"
 		    "*******************************************************"
 		    "*******************************************************"
 		    "*******************************************************"
 		    "*******************************************************",
 		    barlength - i, "");
 	}
 	i = 0;
 	abbrevsize = cursize;
 	while (abbrevsize >= 100000 && i < sizeof(prefixes)) {
 		i++;
 		abbrevsize >>= 10;
 	}
 	snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), " %5lu %c%c ",
 	    (unsigned long) abbrevsize, prefixes[i],
 	    prefixes[i] == ' ' ? ' ' : 'B');
 	timersub(&now, &lastupdate, &wait);
 	if (cursize > lastsize) {
 		lastupdate = now;
 		lastsize = cursize;
 		if (wait.tv_sec >= STALLTIME) {
 			start.tv_sec += wait.tv_sec;
 			start.tv_usec += wait.tv_usec;
 		}
 		wait.tv_sec = 0;
 	}
 	timersub(&now, &start, &td);
 	elapsed = td.tv_sec + (td.tv_usec / 1000000.0);
 	if (flag != 1 &&
 	    (statbytes <= 0 || elapsed <= 0.0 || cursize > totalbytes)) {
 		snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),
 		    "   --:-- ETA");
 	} else if (wait.tv_sec >= STALLTIME) {
 		snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),
 		    " - stalled -");
 	} else {
 		if (flag != 1)
 			remaining = (int)(totalbytes / (statbytes / elapsed) -
 			    elapsed);
 		else
 			remaining = elapsed;
 		i = remaining / 3600;
 		if (i)
 			snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),
 			    "%2d:", i);
 		else
 			snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),
 			    "   ");
 		i = remaining % 3600;
 		snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),
 		    "%02d:%02d%s", i / 60, i % 60,
 		    (flag != 1) ? " ETA" : "    ");
 	}
 	atomicio(write, fileno(stdout), buf, strlen(buf));
 	if (flag == -1) {
 		mysignal(SIGALRM, updateprogressmeter);
 		alarm(PROGRESSTIME);
 	} else if (flag == 1) {
 		alarm(0);
 		atomicio(write, fileno(stdout), "\n", 1);
 		statbytes = 0;
 	}
 }
 int
 getttywidth(void)
 {
 	struct winsize winsize;
 	if (ioctl(fileno(stdout), TIOCGWINSZ, &winsize) != -1)
 		return (winsize.ws_col ? winsize.ws_col : 80);
 	else
 		return (80);
 }
--- a/crypto/openssh/servconf.c
+++ b/crypto/openssh/servconf.c
@ -10,7 +10,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.115 2002/09/04 18:52:42 stevesk Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.116 2003/02/21 09:05:53 markus Exp $");
 RCSID("$FreeBSD$");
 #if defined(KRB4)
@ -957,6 +957,7 @@ read_server_config(ServerOptions *options, const char *filename)
 	char line[1024];
 	FILE *f;
 	debug2("read_server_config: filename %s", filename);
 	f = fopen(filename, "r");
 	if (!f) {
 		perror(filename);
--- a/crypto/openssh/serverloop.c
+++ b/crypto/openssh/serverloop.c
@ -35,7 +35,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: serverloop.c,v 1.104 2002/09/19 16:03:15 stevesk Exp $");
+RCSID("$OpenBSD: serverloop.c,v 1.106 2003/04/01 10:22:21 markus Exp $");
 RCSID("$FreeBSD$");
 #include "xmalloc.h"
--- a/crypto/openssh/session.c
+++ b/crypto/openssh/session.c
@ -33,7 +33,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.150 2002/09/16 19:55:33 stevesk Exp $");
+RCSID("$OpenBSD: session.c,v 1.154 2003/03/05 22:33:43 markus Exp $");
 RCSID("$FreeBSD$");
 #include "ssh.h"
@ -202,6 +202,8 @@ auth_input_request_forwarding(struct passwd * pw)
 void
 do_authenticated(Authctxt *authctxt)
 {
 	setproctitle("%s", authctxt->pw->pw_name);
 	/*
 	 * Cancel the alarm we set to limit the time taken for
 	 * authentication.
@ -968,7 +970,7 @@ do_setup_env(Session *s, const char *shell)
 {
 	char buf[256];
 	u_int i, envsize;
-	char **env;
+	char **env, *laddr;
 #ifdef HAVE_LOGIN_CAP
 	extern char **environ;
 	char **senv, **var;
@ -994,6 +996,9 @@ do_setup_env(Session *s, const char *shell)
 		/* Set basic environment. */
 		child_set_env(&env, &envsize, "USER", pw->pw_name);
 		child_set_env(&env, &envsize, "LOGNAME", pw->pw_name);
 #ifdef _AIX
 		child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
 #endif
 		child_set_env(&env, &envsize, "HOME", pw->pw_dir);
 		snprintf(buf, sizeof buf, "%.200s/%.50s",
 			 _PATH_MAILDIR, pw->pw_name);
@ -1055,9 +1060,10 @@ do_setup_env(Session *s, const char *shell)
 	    get_remote_ipaddr(), get_remote_port(), get_local_port());
 	child_set_env(&env, &envsize, "SSH_CLIENT", buf);
 	laddr = get_local_ipaddr(packet_get_connection_in());
 	snprintf(buf, sizeof buf, "%.50s %d %.50s %d",
-	    get_remote_ipaddr(), get_remote_port(),
+	    get_remote_ipaddr(), get_remote_port(), laddr, get_local_port());
-	    get_local_ipaddr(packet_get_connection_in()), get_local_port());
+	xfree(laddr);
 	child_set_env(&env, &envsize, "SSH_CONNECTION", buf);
 	if (s->ttyfd != -1)
@ -1176,8 +1182,10 @@ do_rc_files(Session *s, const char *shell)
 		/* Add authority data to .Xauthority if appropriate. */
 		if (debug_flag) {
 			fprintf(stderr,
-			    "Running %.500s add "
+			    "Running %.500s remove %.100s\n",
-			    "%.100s %.100s %.100s\n",
+  			    options.xauth_location, s->auth_display);
 			fprintf(stderr,
 			    "%.500s add %.100s %.100s %.100s\n",
 			    options.xauth_location, s->auth_display,
 			    s->auth_proto, s->auth_data);
 		}
@ -1185,6 +1193,8 @@ do_rc_files(Session *s, const char *shell)
 		    options.xauth_location);
 		f = popen(cmd, "w");
 		if (f) {
 			fprintf(f, "remove %s\n",
 			    s->auth_display);
 			fprintf(f, "add %s %s %s\n",
 			    s->auth_display, s->auth_proto,
 			    s->auth_data);
@ -1217,6 +1227,7 @@ do_nologin(struct passwd *pw)
 		while (fgets(buf, sizeof(buf), f))
 			fputs(buf, stderr);
 		fclose(f);
 		fflush(NULL);
 		exit(254);
 	}
 }
@ -1225,11 +1236,11 @@ do_nologin(struct passwd *pw)
 void
 do_setusercontext(struct passwd *pw)
 {
-#ifdef HAVE_CYGWIN
+#ifndef HAVE_CYGWIN
-	if (is_winnt) {
+	if (getuid() == 0 || geteuid() == 0)
 #else /* HAVE_CYGWIN */
 	if (getuid() == 0 || geteuid() == 0) {
 #endif /* HAVE_CYGWIN */
 	{
 #ifdef HAVE_SETPCRED
 		setpcred(pw->pw_name);
 #endif /* HAVE_SETPCRED */
@ -1279,6 +1290,10 @@ do_setusercontext(struct passwd *pw)
 		permanently_set_uid(pw);
 #endif
 	}
 #ifdef HAVE_CYGWIN
 	if (is_winnt)
 #endif
 	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
 		fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
 }
@ -1339,7 +1354,7 @@ do_child(Session *s, const char *command)
 	 */
 	if (!options.use_login) {
 #ifdef HAVE_OSF_SIA
-		session_setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty);
+		session_setup_sia(pw, s->ttyfd == -1 ? NULL : s->tty);
 		if (!check_quietlogin(s, command))
 			do_motd();
 #else /* HAVE_OSF_SIA */
@ -1353,12 +1368,17 @@ do_child(Session *s, const char *command)
 	 * legal, and means /bin/sh.
 	 */
 	shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
 	/*
 	 * Make sure $SHELL points to the shell from the password file,
 	 * even if shell is overridden from login.conf
 	 */
 	env = do_setup_env(s, shell);
 #ifdef HAVE_LOGIN_CAP
 	shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
 #endif
 	env = do_setup_env(s, shell);
 	/* we have to stash the hostname before we close our socket. */
 	if (options.use_login)
 		hostname = get_remote_name_or_ip(utmp_len,
@ -2026,13 +2046,22 @@ session_tty_list(void)
 {
 	static char buf[1024];
 	int i;
 	char *cp;
 	buf[0] = '\0';
 	for (i = 0; i < MAX_SESSIONS; i++) {
 		Session *s = &sessions[i];
 		if (s->used && s->ttyfd != -1) {
 			if (strncmp(s->tty, "/dev/", 5) != 0) {
 				cp = strrchr(s->tty, '/');
 				cp = (cp == NULL) ? s->tty : cp + 1;
 			} else
 				cp = s->tty + 5;
 			if (buf[0] != '\0')
 				strlcat(buf, ",", sizeof buf);
-			strlcat(buf, strrchr(s->tty, '/') + 1, sizeof buf);
+			strlcat(buf, cp, sizeof buf);
 		}
 	}
 	if (buf[0] == '\0')
--- a/crypto/openssh/ssh-add.c
+++ b/crypto/openssh/ssh-add.c
@ -35,7 +35,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-add.c,v 1.63 2002/09/19 15:51:23 markus Exp $");
+RCSID("$OpenBSD: ssh-add.c,v 1.66 2003/03/05 22:33:43 markus Exp $");
 RCSID("$FreeBSD$");
 #include <openssl/evp.h>
@ -71,6 +71,9 @@ static char *default_files[] = {
 /* Default lifetime (0 == forever) */
 static int lifetime = 0;
 /* User has to confirm key use */
 static int confirm = 0;
 /* we keep a cache of one passphrases */
 static char *pass = NULL;
 static void
@ -166,12 +169,16 @@ add_file(AuthenticationConnection *ac, const char *filename)
 		}
 	}
-	if (ssh_add_identity_constrained(ac, private, comment, lifetime)) {
+ 	if (ssh_add_identity_constrained(ac, private, comment, lifetime,
 	    confirm)) {
 		fprintf(stderr, "Identity added: %s (%s)\n", filename, comment);
 		ret = 0;
 		if (lifetime != 0)
-                        fprintf(stderr,
+			fprintf(stderr,
 			    "Lifetime set to %d seconds\n", lifetime);
 		if (confirm != 0)
 			fprintf(stderr,
 			    "The user has to confirm each use of the key\n");
 	} else if (ssh_add_identity(ac, private, comment)) {
 		fprintf(stderr, "Identity added: %s (%s)\n", filename, comment);
 		ret = 0;
@ -189,6 +196,7 @@ static int
 update_card(AuthenticationConnection *ac, int add, const char *id)
 {
 	char *pin;
 	int ret = -1;
 	pin = read_passphrase("Enter passphrase for smartcard: ", RP_ALLOW_STDIN);
 	if (pin == NULL)
@ -197,12 +205,14 @@ update_card(AuthenticationConnection *ac, int add, const char *id)
 	if (ssh_update_card(ac, add, id, pin)) {
 		fprintf(stderr, "Card %s: %s\n",
 		    add ? "added" : "removed", id);
-		return 0;
+		ret = 0;
 	} else {
 		fprintf(stderr, "Could not %s card: %s\n",
 		    add ? "add" : "remove", id);
-		return -1;
+		ret = -1;
 	}
 	xfree(pin);
 	return ret;
 }
 static int
@ -293,6 +303,7 @@ usage(void)
 	fprintf(stderr, "  -x          Lock agent.\n");
 	fprintf(stderr, "  -X          Unlock agent.\n");
 	fprintf(stderr, "  -t life     Set lifetime (in seconds) when adding identities.\n");
 	fprintf(stderr, "  -c          Require confirmation to sign using identities\n");
 #ifdef SMARTCARD
 	fprintf(stderr, "  -s reader   Add key in smartcard reader.\n");
 	fprintf(stderr, "  -e reader   Remove key in smartcard reader.\n");
@ -320,7 +331,7 @@ main(int argc, char **argv)
 		fprintf(stderr, "Could not open a connection to your authentication agent.\n");
 		exit(2);
 	}
-	while ((ch = getopt(argc, argv, "lLdDxXe:s:t:")) != -1) {
+	while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:")) != -1) {
 		switch (ch) {
 		case 'l':
 		case 'L':
@ -334,6 +345,9 @@ main(int argc, char **argv)
 				ret = 1;
 			goto done;
 			break;
 		case 'c':
 			confirm = 1;
 			break;
 		case 'd':
 			deleting = 1;
 			break;
--- a/crypto/openssh/ssh-agent.c
+++ b/crypto/openssh/ssh-agent.c
@ -35,7 +35,7 @@
 #include "includes.h"
 #include "openbsd-compat/sys-queue.h"
-RCSID("$OpenBSD: ssh-agent.c,v 1.105 2002/10/01 20:34:12 markus Exp $");
+RCSID("$OpenBSD: ssh-agent.c,v 1.108 2003/03/13 11:44:50 markus Exp $");
 RCSID("$FreeBSD$");
 #include <openssl/evp.h>
@ -51,6 +51,8 @@ RCSID("$FreeBSD$");
 #include "authfd.h"
 #include "compat.h"
 #include "log.h"
 #include "readpass.h"
 #include "misc.h"
 #ifdef SMARTCARD
 #include "scard.h"
@ -78,6 +80,7 @@ typedef struct identity {
 	Key *key;
 	char *comment;
 	u_int death;
 	u_int confirm;
 } Identity;
 typedef struct {
@ -107,6 +110,9 @@ extern char *__progname;
 char *__progname;
 #endif
 /* Default lifetime (0 == forever) */
 static int lifetime = 0;
 static void
 close_socket(SocketEntry *e)
 {
@ -160,6 +166,30 @@ lookup_identity(Key *key, int version)
 	return (NULL);
 }
 /* Check confirmation of keysign request */
 static int
 confirm_key(Identity *id)
 {
 	char *p, prompt[1024];
 	int ret = -1;
 	p = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
 	snprintf(prompt, sizeof(prompt), "Allow use of key %s?\n"
 	    "Key fingerprint %s.", id->comment, p);
 	xfree(p);
 	p = read_passphrase(prompt, RP_ALLOW_EOF);
 	if (p != NULL) {
 		/*
 		 * Accept empty responses and responses consisting 
 		 * of the word "yes" as affirmative.
 		 */
 		if (*p == '\0' || *p == '\n' || strcasecmp(p, "yes") == 0)
 			ret = 0;
 		xfree(p);
 	}
 	return (ret);
 }
 /* send list of supported public keys to 'client' */
 static void
 process_request_identities(SocketEntry *e, int version)
@ -223,7 +253,7 @@ process_authentication_challenge1(SocketEntry *e)
 		goto failure;
 	id = lookup_identity(key, 1);
-	if (id != NULL) {
+	if (id != NULL && (!id->confirm || confirm_key(id) == 0)) {
 		Key *private = id->key;
 		/* Decrypt the challenge using the private key. */
 		if (rsa_private_decrypt(challenge, challenge, private->rsa) <= 0)
@ -283,7 +313,7 @@ process_sign_request2(SocketEntry *e)
 	key = key_from_blob(blob, blen);
 	if (key != NULL) {
 		Identity *id = lookup_identity(key, 2);
-		if (id != NULL)
+		if (id != NULL && (!id->confirm || confirm_key(id) == 0))
 			ok = key_sign(id->key, &signature, &slen, data, dlen);
 	}
 	key_free(key);
@ -403,7 +433,7 @@ static void
 process_add_identity(SocketEntry *e, int version)
 {
 	Idtab *tab = idtab_lookup(version);
-	int type, success = 0, death = 0;
+	int type, success = 0, death = 0, confirm = 0;
 	char *type_name, *comment;
 	Key *k = NULL;
@ -454,6 +484,17 @@ process_add_identity(SocketEntry *e, int version)
 		}
 		break;
 	}
 	/* enable blinding */
 	switch (k->type) {
 	case KEY_RSA:
 	case KEY_RSA1:
 		if (RSA_blinding_on(k->rsa, NULL) != 1) {
 			error("process_add_identity: RSA_blinding_on failed");
 			key_free(k);
 			goto send;
 		}
 		break;
 	}
 	comment = buffer_get_string(&e->request, NULL);
 	if (k == NULL) {
 		xfree(comment);
@ -465,15 +506,21 @@ process_add_identity(SocketEntry *e, int version)
 		case SSH_AGENT_CONSTRAIN_LIFETIME:
 			death = time(NULL) + buffer_get_int(&e->request);
 			break;
 		case SSH_AGENT_CONSTRAIN_CONFIRM:
 			confirm = 1;
 			break;
 		default:
 			break;
 		}
 	}
 	if (lifetime && !death)
 		death = time(NULL) + lifetime;
 	if (lookup_identity(k, version) == NULL) {
 		Identity *id = xmalloc(sizeof(Identity));
 		id->key = k;
 		id->comment = comment;
 		id->death = death;
 		id->confirm = confirm;
 		TAILQ_INSERT_TAIL(&tab->idlist, id, next);
 		/* Increment the number of identities. */
 		tab->nentries++;
@ -558,6 +605,7 @@ process_add_smartcard_key (SocketEntry *e)
 			id->key = k;
 			id->comment = xstrdup("smartcard key");
 			id->death = 0;
 			id->confirm = 0;
 			TAILQ_INSERT_TAIL(&tab->idlist, id, next);
 			tab->nentries++;
 			success = 1;
@ -931,13 +979,15 @@ usage(void)
 	fprintf(stderr, "  -k          Kill the current agent.\n");
 	fprintf(stderr, "  -d          Debug mode.\n");
 	fprintf(stderr, "  -a socket   Bind agent socket to given name.\n");
 	fprintf(stderr, "  -t life     Default identity lifetime (seconds).\n");
 	exit(1);
 }
 int
 main(int ac, char **av)
 {
-	int sock, c_flag = 0, d_flag = 0, k_flag = 0, s_flag = 0, ch, nalloc;
+	int c_flag = 0, d_flag = 0, k_flag = 0, s_flag = 0;
 	int sock, fd,  ch, nalloc;
 	char *shell, *format, *pidstr, *agentsocket = NULL;
 	fd_set *readsetp = NULL, *writesetp = NULL;
 	struct sockaddr_un sunaddr;
@ -963,7 +1013,7 @@ main(int ac, char **av)
 	init_rng();
 	seed_rng();
-	while ((ch = getopt(ac, av, "cdksa:")) != -1) {
+	while ((ch = getopt(ac, av, "cdksa:t:")) != -1) {
 		switch (ch) {
 		case 'c':
 			if (s_flag)
@ -986,6 +1036,12 @@ main(int ac, char **av)
 		case 'a':
 			agentsocket = optarg;
 			break;
 		case 't':
 			if ((lifetime = convtime(optarg)) == -1) {
 				fprintf(stderr, "Invalid lifetime\n");
 				usage();
 			}
 			break;
 		default:
 			usage();
 		}
@ -1118,9 +1174,14 @@ main(int ac, char **av)
 	}
 	(void)chdir("/");
-	close(0);
+	if ((fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) {
-	close(1);
+		/* XXX might close listen socket */
-	close(2);
+		(void)dup2(fd, STDIN_FILENO);
 		(void)dup2(fd, STDOUT_FILENO);
 		(void)dup2(fd, STDERR_FILENO);
 		if (fd > 2)
 			close(fd);
 	}
 #ifdef HAVE_SETRLIMIT
 	/* deny core dumps, since memory contains unencrypted private keys */
--- a/crypto/openssh/ssh-dss.h
+++ b/crypto/openssh/ssh-dss.h
@ -1,32 +0,0 @@
 /*	$OpenBSD: ssh-dss.h,v 1.6 2002/02/24 19:14:59 markus Exp $	*/
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #ifndef DSA_H
 #define DSA_H
 int	 ssh_dss_sign(Key *, u_char **, u_int *, u_char *, u_int);
 int	 ssh_dss_verify(Key *, u_char *, u_int, u_char *, u_int);
 #endif
--- a/crypto/openssh/ssh-keyscan.c
+++ b/crypto/openssh/ssh-keyscan.c
@ -7,7 +7,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keyscan.c,v 1.40 2002/07/06 17:47:58 stevesk Exp $");
+RCSID("$OpenBSD: ssh-keyscan.c,v 1.41 2003/02/16 17:09:57 markus Exp $");
 RCSID("$FreeBSD$");
 #include "openbsd-compat/sys-queue.h"
@ -355,6 +355,8 @@ keygrab_ssh2(con *c)
 	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = c->c_keytype == KT_DSA?
 	    "ssh-dss": "ssh-rsa";
 	c->c_kex = kex_setup(myproposal);
 	c->c_kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
 	c->c_kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
 	c->c_kex->verify_host_key = hostjump;
 	if (!(j = setjmp(kexjmp))) {
--- a/crypto/openssh/ssh-rsa.h
+++ b/crypto/openssh/ssh-rsa.h
@ -1,32 +0,0 @@
 /*	$OpenBSD: ssh-rsa.h,v 1.6 2002/02/24 19:14:59 markus Exp $	*/
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #ifndef SSH_RSA_H
 #define SSH_RSA_H
 int	 ssh_rsa_sign(Key *, u_char **, u_int *, u_char *, u_int);
 int	 ssh_rsa_verify(Key *, u_char *, u_int, u_char *, u_int);
 #endif
--- a/crypto/openssh/ssh.1
+++ b/crypto/openssh/ssh.1
@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.167 2002/09/27 15:46:21 stevesk Exp $
+.\" $OpenBSD: ssh.1,v 1.168 2003/03/28 10:11:43 jmc Exp $
 .\" $FreeBSD$
 .Dd September 25, 1999
 .Dt SSH 1
@ -49,6 +49,7 @@
 .Op Ar command
 .Pp
 .Nm ssh
 .Bk -words
 .Op Fl afgknqstvxACNTX1246
 .Op Fl b Ar bind_address
 .Op Fl c Ar cipher_spec
@ -67,6 +68,8 @@
 .Sm on
 .Xc
 .Oc
 .Ek
 .Bk -words
 .Oo Fl R Xo
 .Sm off
 .Ar port :
@ -78,6 +81,7 @@
 .Op Fl D Ar port
 .Ar hostname | user@hostname
 .Op Ar command
 .Ek
 .Sh DESCRIPTION
 .Nm
 (SSH client) is a program for logging into a remote machine and for
@ -363,7 +367,7 @@ variable is set to
 .Fl A
 and
 .Fl a
-options described later) and 
+options described later) and
 the user is using an authentication agent, the connection to the agent
 is automatically forwarded to the remote side.
 .Pp
@ -405,10 +409,11 @@ Disables forwarding of the authentication agent connection.
 Enables forwarding of the authentication agent connection.
 This can also be specified on a per-host basis in a configuration file.
 .Pp
-Agent forwarding should be enabled with caution.  Users with the
+Agent forwarding should be enabled with caution.
-ability to bypass file permissions on the remote host (for the agent's
+Users with the ability to bypass file permissions on the remote host
-Unix-domain socket) can access the local agent through the forwarded
+(for the agent's Unix-domain socket)
-connection.  An attacker cannot obtain key material from the agent,
+can access the local agent through the forwarded connection.
 An attacker cannot obtain key material from the agent,
 however they can perform operations on the keys that enable them to
 authenticate using the identities loaded into the agent.
 .It Fl b Ar bind_address
@ -430,8 +435,8 @@ is only supported in the
 client for interoperability with legacy protocol 1 implementations
 that do not support the
 .Ar 3des
-cipher.  Its use is strongly discouraged due to cryptographic
+cipher.
-weaknesses.
+Its use is strongly discouraged due to cryptographic weaknesses.
 .It Fl c Ar cipher_spec
 Additionally, for protocol version 2 a comma-separated list of ciphers can
 be specified in order of preference.
@ -568,11 +573,11 @@ Disables X11 forwarding.
 Enables X11 forwarding.
 This can also be specified on a per-host basis in a configuration file.
 .Pp
-X11 forwarding should be enabled with caution.  Users with the ability
+X11 forwarding should be enabled with caution.
-to bypass file permissions on the remote host (for the user's X
+Users with the ability to bypass file permissions on the remote host
-authorization database) can access the local X11 display through the
+(for the user's X authorization database)
-forwarded connection.  An attacker may then be able to perform
+can access the local X11 display through the forwarded connection.
-activities such as keystroke monitoring.
+An attacker may then be able to perform activities such as keystroke monitoring.
 .It Fl C
 Requests compression of all data (including stdin, stdout, stderr, and
 data for forwarded X11 and TCP/IP connections).
@ -639,7 +644,8 @@ This works by allocating a socket to listen to
 on the local side, and whenever a connection is made to this port, the
 connection is forwarded over the secure channel, and the application
 protocol is then used to determine where to connect to from the
-remote machine.  Currently the SOCKS4 protocol is supported, and
+remote machine.
 Currently the SOCKS4 protocol is supported, and
 .Nm
 will act as a SOCKS4 server.
 Only root can forward privileged ports.
--- a/crypto/openssh/ssh.c
+++ b/crypto/openssh/ssh.c
@ -40,7 +40,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.186 2002/09/19 01:58:18 djm Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.190 2003/02/06 09:27:29 markus Exp $");
 RCSID("$FreeBSD$");
 #include <openssl/evp.h>
@ -496,9 +496,9 @@ main(int ac, char **av)
 	av += optind;
 	if (ac > 0 && !host && **av != '-') {
-		if (strchr(*av, '@')) {
+		if (strrchr(*av, '@')) {
 			p = xstrdup(*av);
-			cp = strchr(p, '@');
+			cp = strrchr(p, '@');
 			if (cp == NULL || cp == p)
 				usage();
 			options.user = p;
@ -506,12 +506,11 @@ main(int ac, char **av)
 			host = ++cp;
 		} else
 			host = *av;
-		ac--, av++;
+		if (ac > 1) {
-		if (ac > 0) {
+			optind = optreset = 1;
 			optind = 0;
 			optreset = 1;
 			goto again;
 		}
 		ac--, av++;
 	}
 	/* Check that we got a host name. */
@ -620,6 +619,10 @@ main(int ac, char **av)
 		}
 	}
 	if (options.proxy_command != NULL &&
 	    strcmp(options.proxy_command, "none") == 0)
 		options.proxy_command = NULL;
 	/* Disable rhosts authentication if not running as root. */
 #ifdef HAVE_CYGWIN
 	/* Ignore uid if running under Windows */
@ -1044,7 +1047,7 @@ ssh_session2_setup(int id, void *arg)
 	int interactive = 0;
 	struct termios tio;
-	debug("ssh_session2_setup: id %d", id);
+	debug2("ssh_session2_setup: id %d", id);
 	if (tty_flag) {
 		struct winsize ws;
--- a/crypto/openssh/ssh_config
+++ b/crypto/openssh/ssh_config
@ -35,4 +35,4 @@
 #   Cipher 3des
 #   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
 #   EscapeChar ~
-#   VersionAddendum FreeBSD-20030201
+#   VersionAddendum FreeBSD-20030423
--- a/crypto/openssh/ssh_config.5
+++ b/crypto/openssh/ssh_config.5
@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.5 2002/08/29 22:54:10 stevesk Exp $
+.\" $OpenBSD: ssh_config.5,v 1.7 2003/03/28 10:11:43 jmc Exp $
 .\" $FreeBSD$
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
@ -177,8 +177,8 @@ is only supported in the
 client for interoperability with legacy protocol 1 implementations
 that do not support the
 .Ar 3des
-cipher.  Its use is strongly discouraged due to cryptographic
+cipher.
-weaknesses.
+Its use is strongly discouraged due to cryptographic weaknesses.
 The default is
 .Dq 3des .
 .It Cm Ciphers
@ -194,7 +194,8 @@ The default is
 .It Cm ClearAllForwardings
 Specifies that all local, remote and dynamic port forwardings
 specified in the configuration files or on the command line be
-cleared.  This option is primarily useful when used from the
+cleared.
 This option is primarily useful when used from the
 .Nm ssh
 command line to clear port forwardings set in
 configuration files, and is automatically set by
@ -231,13 +232,14 @@ The default is 1.
 Specifies that a TCP/IP port on the local machine be forwarded
 over the secure channel, and the application
 protocol is then used to determine where to connect to from the
-remote machine.  The argument must be a port number.
+remote machine.
 The argument must be a port number.
 Currently the SOCKS4 protocol is supported, and
 .Nm ssh
 will act as a SOCKS4 server.
 Multiple forwardings may be specified, and
-additional forwardings can be given on the command line.  Only
+additional forwardings can be given on the command line.
-the superuser can forward privileged ports.
+Only the superuser can forward privileged ports.
 .It Cm EscapeChar
 Sets the escape character (default:
 .Ql ~ ) .
@ -260,10 +262,11 @@ or
 The default is
 .Dq no .
 .Pp
-Agent forwarding should be enabled with caution.  Users with the
+Agent forwarding should be enabled with caution.
-ability to bypass file permissions on the remote host (for the agent's
+Users with the ability to bypass file permissions on the remote host
-Unix-domain socket) can access the local agent through the forwarded
+(for the agent's Unix-domain socket)
-connection.  An attacker cannot obtain key material from the agent,
+can access the local agent through the forwarded connection.
 An attacker cannot obtain key material from the agent,
 however they can perform operations on the keys that enable them to
 authenticate using the identities loaded into the agent.
 .It Cm ForwardX11
@ -278,18 +281,18 @@ or
 The default is
 .Dq no .
 .Pp
-X11 forwarding should be enabled with caution.  Users with the ability
+X11 forwarding should be enabled with caution.
-to bypass file permissions on the remote host (for the user's X
+Users with the ability to bypass file permissions on the remote host
-authorization database) can access the local X11 display through the
+(for the user's X authorization database)
-forwarded connection.  An attacker may then be able to perform
+can access the local X11 display through the forwarded connection.
-activities such as keystroke monitoring.
+An attacker may then be able to perform activities such as keystroke monitoring.
 .It Cm GatewayPorts
 Specifies whether remote hosts are allowed to connect to local
 forwarded ports.
 By default,
 .Nm ssh
-binds local port forwardings to the loopback address.  This
+binds local port forwardings to the loopback address.
-prevents other remote hosts from connecting to forwarded ports.
+This prevents other remote hosts from connecting to forwarded ports.
 .Cm GatewayPorts
 can be used to specify that
 .Nm ssh
@ -396,8 +399,9 @@ Gives the verbosity level that is used when logging messages from
 .Nm ssh .
 The possible values are:
 QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.
-The default is INFO.  DEBUG and DEBUG1 are equivalent.  DEBUG2
+The default is INFO.
-and DEBUG3 each specify higher levels of verbose output.
+DEBUG and DEBUG1 are equivalent.
 DEBUG2 and DEBUG3 each specify higher levels of verbose output.
 .It Cm MACs
 Specifies the MAC (message authentication code) algorithms
 in order of preference.
@ -475,6 +479,9 @@ somewhere.
 Host key management will be done using the
 HostName of the host being connected (defaulting to the name typed by
 the user).
 Setting the command to
 .Dq none
 disables this option entirely.
 Note that
 .Cm CheckHostIP
 is not available for connects with a proxy command.
@ -616,7 +623,7 @@ host key database instead of
 Specifies a string to append to the regular version string to identify
 OS- or site-specific modifications.
 The default is
-.Dq FreeBSD-20030201 .
+.Dq FreeBSD-20030423 .
 .It Cm XAuthLocation
 Specifies the full pathname of the
 .Xr xauth 1
--- a/crypto/openssh/sshconnect.c
+++ b/crypto/openssh/sshconnect.c
@ -13,7 +13,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect.c,v 1.135 2002/09/19 01:58:18 djm Exp $");
+RCSID("$OpenBSD: sshconnect.c,v 1.137 2002/11/21 23:03:51 deraadt Exp $");
 RCSID("$FreeBSD$");
 #include <openssl/bn.h>
@ -248,7 +248,7 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
 	 */
 	int full_failure = 1;
-	debug("ssh_connect: needpriv %d", needpriv);
+	debug2("ssh_connect: needpriv %d", needpriv);
 	/* Get default port if port has not been set. */
 	if (port == 0) {
@ -650,10 +650,10 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key,
 			    "%s key fingerprint is %s.\n"
 			    "Are you sure you want to continue connecting "
 			    "(yes/no)? ",
-			     host, ip,
+			    host, ip,
-			     has_keys ? ",\nbut keys of different type are already "
+			    has_keys ? ",\nbut keys of different type are already "
-			     "known for this host." : ".",
+			    "known for this host." : ".",
-			     type, fp);
+			    type, fp);
 			xfree(fp);
 			if (!confirm(msg))
 				goto fail;
--- a/crypto/openssh/sshconnect2.c
+++ b/crypto/openssh/sshconnect2.c
@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.107 2002/07/01 19:48:46 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.114 2003/04/01 10:22:21 markus Exp $");
 RCSID("$FreeBSD$");
 #include "ssh.h"
@ -111,6 +111,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 	/* start key exchange */
 	kex = kex_setup(myproposal);
 	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
 	kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
 	kex->client_version_string=client_version_string;
 	kex->server_version_string=server_version_string;
 	kex->verify_host_key=&verify_host_key_callback;
@ -129,7 +131,6 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 	packet_send();
 	packet_write_wait();
 #endif
 	debug("done: ssh_kex2.");
 }
 /*
@ -225,24 +226,23 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
 	if (options.challenge_response_authentication)
 		options.kbd_interactive_authentication = 1;
 	debug("send SSH2_MSG_SERVICE_REQUEST");
 	packet_start(SSH2_MSG_SERVICE_REQUEST);
 	packet_put_cstring("ssh-userauth");
 	packet_send();
 	debug("SSH2_MSG_SERVICE_REQUEST sent");
 	packet_write_wait();
 	type = packet_read();
-	if (type != SSH2_MSG_SERVICE_ACCEPT) {
+	if (type != SSH2_MSG_SERVICE_ACCEPT)
-		fatal("denied SSH2_MSG_SERVICE_ACCEPT: %d", type);
+		fatal("Server denied authentication request: %d", type);
 	}
 	if (packet_remaining() > 0) {
 		char *reply = packet_get_string(NULL);
-		debug("service_accept: %s", reply);
+		debug2("service_accept: %s", reply);
 		xfree(reply);
 	} else {
-		debug("buggy server: service_accept w/o service");
+		debug2("buggy server: service_accept w/o service");
 	}
 	packet_check_eom();
-	debug("got SSH2_MSG_SERVICE_ACCEPT");
+	debug("SSH2_MSG_SERVICE_ACCEPT received");
 	if (options.preferred_authentications == NULL)
 		options.preferred_authentications = authmethods_get();
@ -274,7 +274,7 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
 	if (authctxt.agent != NULL)
 		ssh_close_authentication_connection(authctxt.agent);
-	debug("ssh-userauth2 successful: method %s", authctxt.method->name);
+	debug("Authentication succeeded (%s).", authctxt.method->name);
 }
 void
 userauth(Authctxt *authctxt, char *authlist)
@ -348,7 +348,7 @@ input_userauth_failure(int type, u_int32_t seq, void *ctxt)
 	if (partial != 0)
 		log("Authenticated with partial success.");
-	debug("authentications that can continue: %s", authlist);
+	debug("Authentications that can continue: %s", authlist);
 	clear_auth_state(authctxt);
 	userauth(authctxt, authlist);
@ -380,7 +380,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
 	}
 	packet_check_eom();
-	debug("input_userauth_pk_ok: pkalg %s blen %u lastkey %p hint %d",
+	debug("Server accepts key: pkalg %s blen %u lastkey %p hint %d",
 	    pkalg, blen, authctxt->last_key, authctxt->last_key_hint);
 	do {
@ -765,7 +765,7 @@ userauth_pubkey_agent(Authctxt *authctxt)
 	if (k == NULL) {
 		debug2("userauth_pubkey_agent: no more keys");
 	} else {
-		debug("userauth_pubkey_agent: testing agent key %s", comment);
+		debug("Offering agent key: %s", comment);
 		xfree(comment);
 		ret = send_pubkey_test(authctxt, k, agent_sign_cb, -1);
 		if (ret == 0)
@ -793,7 +793,7 @@ userauth_pubkey(Authctxt *authctxt)
 		key = options.identity_keys[idx];
 		filename = options.identity_files[idx];
 		if (key == NULL) {
-			debug("try privkey: %s", filename);
+			debug("Trying private key: %s", filename);
 			key = load_identity_file(filename);
 			if (key != NULL) {
 				sent = sign_and_send_pubkey(authctxt, key,
@ -801,7 +801,7 @@ userauth_pubkey(Authctxt *authctxt)
 				key_free(key);
 			}
 		} else if (key->type != KEY_RSA1) {
-			debug("try pubkey: %s", filename);
+			debug("Offering public key: %s", filename);
 			sent = send_pubkey_test(authctxt, key,
 			    identity_sign_cb, idx);
 		}
@ -907,7 +907,7 @@ ssh_keysign(Key *key, u_char **sigp, u_int *lenp,
 	pid_t pid;
 	int to[2], from[2], status, version = 2;
-	debug("ssh_keysign called");
+	debug2("ssh_keysign called");
 	if (stat(_PATH_SSH_KEY_SIGN, &st) < 0) {
 		error("ssh_keysign: no installed: %s", strerror(errno));
@ -996,7 +996,7 @@ userauth_hostbased(Authctxt *authctxt)
 		}
 	}
 	if (!found) {
-		debug("userauth_hostbased: no more client hostkeys");
+		debug("No more client hostkeys for hostbased authentication.");
 		return 0;
 	}
 	if (key_to_blob(private, &blob, &blen) == 0) {
@ -1015,6 +1015,7 @@ userauth_hostbased(Authctxt *authctxt)
 	strlcpy(chost, p, len);
 	strlcat(chost, ".", len);
 	debug2("userauth_hostbased: chost %s", chost);
 	xfree(p);
 	service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
 	    authctxt->service;
@ -1110,7 +1111,6 @@ static char *preferred = NULL;
 static Authmethod *
 authmethod_get(char *authlist)
 {
 	char *name = NULL;
 	u_int next;
@ -1131,7 +1131,7 @@ authmethod_get(char *authlist)
 	for (;;) {
 		if ((name = match_list(preferred, supported, &next)) == NULL) {
-			debug("no more auth methods to try");
+			debug("No more authentication methods to try.");
 			current = NULL;
 			return NULL;
 		}
@ -1141,7 +1141,7 @@ authmethod_get(char *authlist)
 		if ((current = authmethod_lookup(name)) != NULL &&
 		    authmethod_is_enabled(current)) {
 			debug3("authmethod_is_enabled %s", name);
-			debug("next auth method to try is %s", name);
+			debug("Next authentication method: %s", name);
 			return current;
 		}
 	}
--- a/crypto/openssh/sshd.8
+++ b/crypto/openssh/sshd.8
@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.193 2002/09/24 20:59:44 todd Exp $
+.\" $OpenBSD: sshd.8,v 1.194 2003/01/31 21:54:40 jmc Exp $
 .\" $FreeBSD$
 .Dd September 25, 1999
 .Dt SSHD 8
@ -44,6 +44,7 @@
 .Nd OpenSSH SSH daemon
 .Sh SYNOPSIS
 .Nm sshd
 .Bk -words
 .Op Fl deiqtD46
 .Op Fl b Ar bits
 .Op Fl f Ar config_file
@ -53,6 +54,7 @@
 .Op Fl o Ar option
 .Op Fl p Ar port
 .Op Fl u Ar len
 .Ek
 .Sh DESCRIPTION
 .Nm
 (SSH Daemon) is the daemon program for
@ -76,7 +78,7 @@ This implementation of
 .Nm
 supports both SSH protocol version 1 and 2 simultaneously.
 .Nm
-works as follows.
+works as follows:
 .Pp
 .Ss SSH protocol version 1
 .Pp
@ -87,7 +89,7 @@ the daemon starts, it generates a server RSA key (normally 768 bits).
 This key is normally regenerated every hour if it has been used, and
 is never stored on disk.
 .Pp
-Whenever a client connects the daemon responds with its public
+Whenever a client connects, the daemon responds with its public
 host and server keys.
 The client compares the
 RSA host key against its own database to verify that it has not changed.
@ -120,7 +122,7 @@ System security is not improved unless
 .Nm rshd ,
 .Nm rlogind ,
 and
-.Xr rexecd
+.Nm rexecd
 are disabled (thus completely disabling
 .Xr rlogin
 and
@ -190,7 +192,9 @@ The server sends verbose debug output to the system
 log, and does not put itself in the background.
 The server also will not fork and will only process one connection.
 This option is only intended for debugging for the server.
-Multiple -d options increase the debugging level.
+Multiple
 .Fl d
 options increase the debugging level.
 Maximum is 3.
 .It Fl e
 When this option is specified,
@ -224,7 +228,8 @@ the different protocol versions and host key algorithms.
 .It Fl i
 Specifies that
 .Nm
-is being run from inetd.
+is being run from
 .Xr inetd 8 .
 .Nm
 is normally not run
 from inetd because it needs to generate the server key before it can
@ -281,7 +286,7 @@ should be put into the
 .Pa utmp
 file.
 .Fl u0
-is also be used to prevent
+may also be used to prevent
 .Nm
 from making DNS requests unless the authentication
 mechanism or configuration requires it.
@ -447,7 +452,7 @@ authentication.
 The command supplied by the user (if any) is ignored.
 The command is run on a pty if the client requests a pty;
 otherwise it is run without a tty.
-If a 8-bit clean channel is required,
+If an 8-bit clean channel is required,
 one must not request a pty or should specify
 .Cm no-pty .
 A quote may be included in the command by quoting it with a backslash.
@ -628,7 +633,7 @@ These files should be writable only by root/the owner.
 .Pa /etc/ssh/ssh_known_hosts
 should be world-readable, and
 .Pa $HOME/.ssh/known_hosts
-can but need not be world-readable.
+can, but need not be, world-readable.
 .It Pa /etc/nologin
 If this file exists,
 .Nm
@ -645,7 +650,7 @@ Further details are described in
 This file contains host-username pairs, separated by a space, one per
 line.
 The given user on the corresponding host is permitted to log in
-without password.
+without a password.
 The same file is used by rlogind and rshd.
 The file must
 be writable only by the user; it is recommended that it not be
--- a/crypto/openssh/sshd.c
+++ b/crypto/openssh/sshd.c
@ -42,7 +42,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.260 2002/09/27 10:42:09 mickey Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.263 2003/02/16 17:09:57 markus Exp $");
 RCSID("$FreeBSD$");
 #include <openssl/dh.h>
@ -207,8 +207,8 @@ int *startup_pipes = NULL;
 int startup_pipe;		/* in child */
 /* variables used for privilege separation */
-extern struct monitor *pmonitor;
+int use_privsep;
-extern int use_privsep;
+struct monitor *pmonitor;
 /* Prototypes for various functions defined later in this file. */
 void destroy_sensitive_data(void);
@ -832,9 +832,17 @@ main(int ac, char **av)
 	__progname = get_progname(av[0]);
 	init_rng();
-	/* Save argv. */
+	/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
 	saved_argc = ac;
 	saved_argv = av;
 	saved_argv = xmalloc(sizeof(*saved_argv) * ac);
 	for (i = 0; i < ac; i++)
 		saved_argv[i] = xstrdup(av[i]);
 #ifndef HAVE_SETPROCTITLE
 	/* Prepare for later setproctitle emulation */
 	compat_init_setproctitle(ac, av);
 #endif
 	/* Initialize configuration options to their default values. */
 	initialize_server_options(&options);
@ -949,7 +957,7 @@ main(int ac, char **av)
 	    SYSLOG_LEVEL_INFO : options.log_level,
 	    options.log_facility == SYSLOG_FACILITY_NOT_SET ?
 	    SYSLOG_FACILITY_AUTH : options.log_facility,
-	    !inetd_flag);
+	    log_stderr || !inetd_flag);
 #ifdef _UNICOS
 	/* Cray can define user privs drop all prives now!
@ -1063,8 +1071,8 @@ main(int ac, char **av)
 #else
 		if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
 #endif
-			fatal("Bad owner or mode for %s",
+			fatal("%s must be owned by root and not group or "
-			    _PATH_PRIVSEP_CHROOT_DIR);
+			    "world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
 	}
 	/* Configuration looks good, so exit if in test mode. */
@ -1397,8 +1405,12 @@ main(int ac, char **av)
 	 * setlogin() affects the entire process group.  We don't
 	 * want the child to be able to affect the parent.
 	 */
-#if 0
+#if !defined(STREAMS_PUSH_ACQUIRES_CTTY)
-	/* XXX: this breaks Solaris */
+	/*
 	 * If setsid is called on Solaris, sshd will acquire the controlling
 	 * terminal while pushing STREAMS modules. This will prevent the
 	 * shell from acquiring it later.
 	 */
 	if (!debug_flag && !inetd_flag && setsid() < 0)
 		error("setsid: %.100s", strerror(errno));
 #endif
@ -1822,6 +1834,8 @@ do_ssh2_kex(void)
 	/* start key exchange */
 	kex = kex_setup(myproposal);
 	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
 	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
 	kex->server = 1;
 	kex->client_version_string=client_version_string;
 	kex->server_version_string=server_version_string;
--- a/crypto/openssh/sshd_config
+++ b/crypto/openssh/sshd_config
@ -14,7 +14,7 @@
 # Note that some of FreeBSD's defaults differ from OpenBSD's, and
 # FreeBSD has a few additional options.
-#VersionAddendum FreeBSD-20030201
+#VersionAddendum FreeBSD-20030423
 #Port 22
 #Protocol 2,1
--- a/crypto/openssh/sshd_config.5
+++ b/crypto/openssh/sshd_config.5
@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.13 2002/09/16 20:12:11 stevesk Exp $
+.\" $OpenBSD: sshd_config.5,v 1.15 2003/03/28 10:11:43 jmc Exp $
 .\" $FreeBSD$
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
@ -90,7 +90,7 @@ own forwarders.
 .It Cm AllowUsers
 This keyword can be followed by a list of user name patterns, separated
 by spaces.
-If specified, login is allowed only for users names that
+If specified, login is allowed only for user names that
 match one of the patterns.
 .Ql \&*
 and
@ -219,8 +219,8 @@ Specifies whether remote hosts are allowed to connect to ports
 forwarded for the client.
 By default,
 .Nm sshd
-binds remote port forwardings to the loopback address.  This
+binds remote port forwardings to the loopback address.
-prevents other remote hosts from connecting to forwarded ports.
+This prevents other remote hosts from connecting to forwarded ports.
 .Cm GatewayPorts
 can be used to specify that
 .Nm sshd
@ -376,7 +376,8 @@ is not specified,
 will listen on the address and all prior
 .Cm Port
 options specified. The default is to listen on all local
-addresses.  Multiple
+addresses.
 Multiple
 .Cm ListenAddress
 options are permitted. Additionally, any
 .Cm Port
@ -391,10 +392,10 @@ Gives the verbosity level that is used when logging messages from
 .Nm sshd .
 The possible values are:
 QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.
-The default is INFO.  DEBUG and DEBUG1 are equivalent.  DEBUG2
+The default is INFO.
-and DEBUG3 each specify higher levels of debugging output.
+DEBUG and DEBUG1 are equivalent.
-Logging with a DEBUG level violates the privacy of users
+DEBUG2 and DEBUG3 each specify higher levels of debugging output.
-and is not recommended.
+Logging with a DEBUG level violates the privacy of users and is not recommended.
 .It Cm MACs
 Specifies the available MAC (message authentication code) algorithms.
 The MAC algorithm is used in protocol version 2
@ -622,16 +623,18 @@ will be disabled because
 .Xr login 1
 does not know how to handle
 .Xr xauth 1
-cookies.  If
+cookies.
 If
 .Cm UsePrivilegeSeparation
 is specified, it will be disabled after authentication.
 .It Cm UsePrivilegeSeparation
 Specifies whether
 .Nm sshd
 separates privileges by creating an unprivileged child process
-to deal with incoming network traffic.  After successful authentication,
+to deal with incoming network traffic.
-another process will be created that has the privilege of the authenticated
+After successful authentication, another process will be created that has
-user.  The goal of privilege separation is to prevent privilege
+the privilege of the authenticated user.
 The goal of privilege separation is to prevent privilege
 escalation by containing any corruption within the unprivileged processes.
 The default is
 .Dq yes .
@ -647,7 +650,7 @@ The default is
 Specifies a string to append to the regular version string to identify
 OS- or site-specific modifications.
 The default is
-.Dq FreeBSD-20030201 .
+.Dq FreeBSD-20030423 .
 .It Cm X11DisplayOffset
 Specifies the first display number available for
 .Nm sshd Ns 's
@ -694,7 +697,8 @@ is enabled.
 Specifies whether
 .Nm sshd
 should bind the X11 forwarding server to the loopback address or to
-the wildcard address.  By default,
+the wildcard address.
 By default,
 .Nm sshd
 binds the forwarding server to the loopback address and sets the
 hostname part of the
--- a/crypto/openssh/sshpty.c
+++ b/crypto/openssh/sshpty.c
@ -12,7 +12,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: sshpty.c,v 1.7 2002/06/24 17:57:20 deraadt Exp $");
+RCSID("$OpenBSD: sshpty.c,v 1.8 2003/02/03 08:56:16 markus Exp $");
 RCSID("$FreeBSD$");
 #ifdef HAVE_UTIL_H
@ -395,7 +395,7 @@ pty_setowner(struct passwd *pw, const char *ttyname)
 		if (chown(ttyname, pw->pw_uid, gid) < 0) {
 			if (errno == EROFS &&
 			    (st.st_uid == pw->pw_uid || st.st_uid == 0))
-				error("chown(%.100s, %u, %u) failed: %.100s",
+				debug("chown(%.100s, %u, %u) failed: %.100s",
 				    ttyname, (u_int)pw->pw_uid, (u_int)gid,
 				    strerror(errno));
 			else
@ -409,7 +409,7 @@ pty_setowner(struct passwd *pw, const char *ttyname)
 		if (chmod(ttyname, mode) < 0) {
 			if (errno == EROFS &&
 			    (st.st_mode & (S_IRGRP | S_IROTH)) == 0)
-				error("chmod(%.100s, 0%o) failed: %.100s",
+				debug("chmod(%.100s, 0%o) failed: %.100s",
 				    ttyname, mode, strerror(errno));
 			else
 				fatal("chmod(%.100s, 0%o) failed: %.100s",
--- a/crypto/openssh/version.h
+++ b/crypto/openssh/version.h
@ -1,11 +1,11 @@
-/* $OpenBSD: version.h,v 1.35 2002/10/01 13:24:50 markus Exp $ */
+/* $OpenBSD: version.h,v 1.37 2003/04/01 10:56:46 markus Exp $ */
 /* $FreeBSD$ */
 #ifndef SSH_VERSION
 #define SSH_VERSION             (ssh_version_get())
-#define SSH_VERSION_BASE        "OpenSSH_3.5p1"
+#define SSH_VERSION_BASE        "OpenSSH_3.6.1p1"
-#define SSH_VERSION_ADDENDUM    "FreeBSD-20030201"
+#define SSH_VERSION_ADDENDUM    "FreeBSD-20030423"
 const char *ssh_version_get(void);
 void ssh_version_set_addendum(const char *add);