From 9cfa8b3fee2f79940b0b9e5a4ffbc5f095861529 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dag-Erling=20Sm=C3=B8rgrav?= Date: Tue, 10 Sep 2013 22:26:11 +0000 Subject: [PATCH] Clean up the OpenSSH build. It is now possible to build most components as static binaries, if desired. The one exception is sshd, which runs into trouble due to libpam.a's includion of pam_ssh. Make OpenSSH use LDNS if available. This allows it to verify signed SSHFP records. Approved by: re (blanket) --- Makefile.inc1 | 11 ++++++++-- secure/lib/libssh/Makefile | 19 ++++++++++------- secure/libexec/sftp-server/Makefile | 20 +++++++++++++++--- secure/libexec/ssh-keysign/Makefile | 18 +++++++++++++--- secure/libexec/ssh-pkcs11-helper/Makefile | 22 +++++++++++++++++--- secure/usr.bin/scp/Makefile | 18 ++++++++++++++-- secure/usr.bin/sftp/Makefile | 20 +++++++++++++++--- secure/usr.bin/ssh-add/Makefile | 20 +++++++++++++++--- secure/usr.bin/ssh-agent/Makefile | 20 +++++++++++++++--- secure/usr.bin/ssh-keygen/Makefile | 22 ++++++++++++++++---- secure/usr.bin/ssh-keyscan/Makefile | 16 +++++++++++++-- secure/usr.bin/ssh/Makefile | 16 ++++++++++----- secure/usr.sbin/sshd/Makefile | 25 +++++++++++++++-------- 13 files changed, 199 insertions(+), 48 deletions(-) diff --git a/Makefile.inc1 b/Makefile.inc1 index bbb9d89b746b..63c24ca0b828 100644 --- a/Makefile.inc1 +++ b/Makefile.inc1 @@ -1470,8 +1470,8 @@ _prebuild_libs= ${_kerberos5_lib_libasn1} \ ${_cddl_lib_libumem} ${_cddl_lib_libnvpair} \ ${_cddl_lib_libzfs_core} \ lib/libutil ${_lib_libypclnt} lib/libz lib/msun \ - ${_secure_lib_libcrypto} ${_secure_lib_libssh} \ - ${_secure_lib_libssl} + ${_secure_lib_libcrypto} ${_lib_libldns} \ + ${_secure_lib_libssh} ${_secure_lib_libssl} .if ${MK_ATF} != "no" _lib_atf_libatf_c= lib/atf/libatf-c 
@@ -1507,9 +1507,16 @@ cddl/lib/libzfs_core__L: cddl/lib/libnvpair__L _secure_lib_libcrypto= secure/lib/libcrypto _secure_lib_libssl= secure/lib/libssl lib/libradius__L secure/lib/libssl__L: secure/lib/libcrypto__L +.if ${MK_LDNS} != "no" +_lib_libldns= lib/libldns +lib/libldns__L: secure/lib/libcrypto__L +.endif .if ${MK_OPENSSH} != "no" _secure_lib_libssh= secure/lib/libssh secure/lib/libssh__L: lib/libz__L secure/lib/libcrypto__L lib/libcrypt__L +.if ${MK_LDNS} != "no" +secure/lib/libssh__L: lib/libldns__L +.endif .if ${MK_KERBEROS_SUPPORT} != "no" secure/lib/libssh__L: lib/libgssapi__L kerberos5/lib/libkrb5__L \ kerberos5/lib/libhx509__L kerberos5/lib/libasn1__L lib/libcom_err__L \ diff --git a/secure/lib/libssh/Makefile b/secure/lib/libssh/Makefile index 3d30a18de80f..387272b35627 100644 --- a/secure/lib/libssh/Makefile +++ b/secure/lib/libssh/Makefile @@ -21,17 +21,22 @@ SRCS= authfd.c authfile.c bufaux.c bufbn.c buffer.c \ # compiled directly into sshd instead. # Portability layer -SRCS+= bsd-misc.c fmt_scaled.c getrrsetbyname.c glob.c \ +SRCS+= bsd-misc.c fmt_scaled.c glob.c \ openssl-compat.c port-tun.c strtonum.c timingsafe_bcmp.c \ vis.c xcrypt.c xmmap.c -.if defined(COMPAT_GETADDRINFO) -SRCS+= getaddrinfo.c getnameinfo.c name6.c rcmd.c bindresvport.c +.if ${MK_LDNS} == "no" +SRCS+= getrrsetbyname.c +.else +LDNSDIR= ${.CURDIR}/../../../contrib/ldns +CFLAGS+= -DHAVE_LDNS=1 -I${LDNSDIR} +SRCS+= getrrsetbyname-ldns.c +DPADD+= ${LIBLDNS} +LDADD+= -lldns +USEPRIVATELIB+= ldns .endif CFLAGS+= -I${SSHDIR} -include ssh_namespace.h -DPADD= ${LIBZ} -LDADD= -lz .if ${MK_KERBEROS_SUPPORT} != "no" CFLAGS+= -DGSSAPI -DHAVE_GSSAPI_GSSAPI_H=1 -DKRB5 -DHEIMDAL @@ -45,8 +50,8 @@ CFLAGS+= -DNONE_CIPHER_ENABLED NO_LINT= -DPADD+= ${LIBCRYPTO} ${LIBCRYPT} -LDADD+= -lcrypto -lcrypt +DPADD+= ${LIBCRYPTO} ${LIBCRYPT} ${LIBZ} +LDADD+= -lcrypto -lcrypt -lz .include 
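Review bot: The new `.else` branch in secure/lib/libssh/Makefile that swaps `getrrsetbyname.c` for `getrrsetbyname-ldns.c` carries no comment, so the security reason for the switch (verifying signed SSHFP records) lives only in the commit message. I would add a line above `.if ${MK_LDNS} == "no"` such as `# With LDNS, SSHFP lookups go through getrrsetbyname-ldns.c so that signed records can be verified`. The same gap applies to the `.if ${MK_LDNS} != "no"` block in secure/usr.bin/ssh/Makefile, where `-lldns` is actually linked into the client. One more comment should say that `-lldns` has to stay ahead of `-lcrypto -lcrypt -lz`, which the next hunk moves to the end of this file. Makefile.inc1 declares libldns as depending on libcrypto, and that order presumably matters for the static builds this commit enables.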
diff --git a/secure/libexec/sftp-server/Makefile b/secure/libexec/sftp-server/Makefile index 3755c986df57..ef56013ff3bc 100644 --- a/secure/libexec/sftp-server/Makefile +++ b/secure/libexec/sftp-server/Makefile @@ -1,17 +1,31 @@ # $FreeBSD$ +.include + PROG= sftp-server SRCS= sftp-server.c sftp-common.c sftp-server-main.c MAN= sftp-server.8 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h -# required when linking with a dynamic libssh +.if !defined(NO_SHARED) +# required when linking with a dynamic libssh SRCS+= roaming_dummy.c +.endif -DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} -LDADD= -lssh -lcrypt -lcrypto -lz +DPADD= ${LIBSSH} +LDADD= -lssh USEPRIVATELIB= ssh +.if ${MK_LDNS} != "no" +CFLAGS+= -DHAVE_LDNS=1 +#DPADD+= ${LIBLDNS} +#LDADD+= -lldns +#USEPRIVATELIB+= ldns +.endif + +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz + .include .PATH: ${SSHDIR} diff --git a/secure/libexec/ssh-keysign/Makefile b/secure/libexec/ssh-keysign/Makefile index 66528e3ff1a2..7deda1976ba3 100644 --- a/secure/libexec/ssh-keysign/Makefile +++ b/secure/libexec/ssh-keysign/Makefile @@ -1,15 +1,27 @@ # $FreeBSD$ +.include + PROG= ssh-keysign -SRCS= ssh-keysign.c readconf.c roaming_dummy.c +SRCS= ssh-keysign.c roaming_dummy.c readconf.c MAN= ssh-keysign.8 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h BINMODE=4555 -DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} -LDADD= -lssh -lcrypt -lcrypto -lz +DPADD= ${LIBSSH} +LDADD= -lssh USEPRIVATELIB= ssh +.if ${MK_LDNS} != "no" +CFLAGS+= -DHAVE_LDNS=1 +#DPADD+= ${LIBLDNS} +#LDADD+= -lldns +#USEPRIVATELIB+= ldns +.endif + +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz + .include .PATH: ${SSHDIR} diff --git a/secure/libexec/ssh-pkcs11-helper/Makefile b/secure/libexec/ssh-pkcs11-helper/Makefile index ec57a613b0b4..4682929e2d93 100644 --- a/secure/libexec/ssh-pkcs11-helper/Makefile +++ b/secure/libexec/ssh-pkcs11-helper/Makefile 
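Review bot: The three commented-out lines `#DPADD+= ${LIBLDNS}`, `#LDADD+= -lldns` and `#USEPRIVATELIB+= ldns` in the new `.if ${MK_LDNS} != "no"` block of secure/libexec/sftp-server/Makefile are dead text with no explanation, while `-DHAVE_LDNS=1` is still passed to the compiler. The same block is repeated in the ssh-keysign, ssh-pkcs11-helper, scp, sftp, ssh-add, ssh-agent, ssh-keyscan and sshd Makefiles; only ssh and ssh-keygen actually link ldns. Either delete the commented lines or replace them with one stated reason, for example `# ldns is only reached through libssh; this program does not need -lldns itself` (to be confirmed for a NO_SHARED build). A maintainer then knows whether uncommenting them is ever expected. It would also help to say why `-DHAVE_LDNS=1` is needed in programs that do not link the library, since nothing visible in these hunks uses it.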
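Review bot: `roaming_dummy.c` stays unconditional in `SRCS` in secure/libexec/ssh-keysign/Makefile (and in ssh-keyscan), while the sibling Makefiles in this commit now compile it only under `.if !defined(NO_SHARED)`; nothing says whether that difference is deliberate. ssh-keysign is installed with `BINMODE=4555`, so the exact set of objects linked into it deserves to be explicit. If the stub is needed in both link modes, record that with `# roaming_dummy.c is needed for static and dynamic links alike`; otherwise gate it like the others. The reordering of `SRCS` on the new line has no functional effect that I can see from the hunk.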
@@ -1,15 +1,31 @@ # $FreeBSD$ +.include + PROG= ssh-pkcs11-helper SRCS= ssh-pkcs11.c ssh-pkcs11-helper.c -SRCS+= roaming_dummy.c MAN= ssh-pkcs11-helper.8 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h -DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} -LDADD= -lssh -lcrypt -lcrypto -lz +.if !defined(NO_SHARED) +# required when linking with a dynamic libssh +SRCS+= roaming_dummy.c +.endif + +DPADD= ${LIBSSH} +LDADD= -lssh USEPRIVATELIB= ssh +.if ${MK_LDNS} != "no" +CFLAGS+= -DHAVE_LDNS=1 +#DPADD+= ${LIBLDNS} +#LDADD+= -lldns +#USEPRIVATELIB+= ldns +.endif + +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz + .include .PATH: ${SSHDIR} diff --git a/secure/usr.bin/scp/Makefile b/secure/usr.bin/scp/Makefile index fe248ab76368..c33470ca9ef3 100644 --- a/secure/usr.bin/scp/Makefile +++ b/secure/usr.bin/scp/Makefile @@ -1,16 +1,30 @@ # $FreeBSD$ +.include + PROG= scp SRCS= scp.c CFLAGS+=-I${SSHDIR} -include ssh_namespace.h +.if !defined(NO_SHARED) # required when linking with a dynamic libssh SRCS+= roaming_dummy.c +.endif -DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} -LDADD= -lssh -lcrypt -lcrypto -lz +DPADD= ${LIBSSH} +LDADD= -lssh USEPRIVATELIB= ssh +.if ${MK_LDNS} != "no" +CFLAGS+= -DHAVE_LDNS=1 +#DPADD+= ${LIBLDNS} +#LDADD+= -lldns +#USEPRIVATELIB+= ldns +.endif + +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz + .include .PATH: ${SSHDIR} diff --git a/secure/usr.bin/sftp/Makefile b/secure/usr.bin/sftp/Makefile index 8164dac7b6e2..924e1a702163 100644 --- a/secure/usr.bin/sftp/Makefile +++ b/secure/usr.bin/sftp/Makefile 
@@ -1,16 +1,30 @@ # $FreeBSD$ +.include + PROG= sftp SRCS= sftp.c sftp-client.c sftp-common.c sftp-glob.c progressmeter.c CFLAGS+=-I${SSHDIR} -include ssh_namespace.h -# required when linking with a dynamic libssh +.if !defined(NO_SHARED) +# required when linking with a dynamic libssh SRCS+= roaming_dummy.c +.endif -DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} ${LIBEDIT} ${LIBNCURSES} -LDADD= -lssh -lcrypt -lcrypto -lz -ledit -lncurses +DPADD= ${LIBSSH} ${LIBEDIT} ${LIBNCURSES} +LDADD= -lssh -ledit -lncurses USEPRIVATELIB= ssh +.if ${MK_LDNS} != "no" +CFLAGS+= -DHAVE_LDNS=1 +#DPADD+= ${LIBLDNS} +#LDADD+= -lldns +#USEPRIVATELIB+= ldns +.endif + +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz + .include .PATH: ${SSHDIR} diff --git a/secure/usr.bin/ssh-add/Makefile b/secure/usr.bin/ssh-add/Makefile index cb14ce6c81fc..316a6071280b 100644 --- a/secure/usr.bin/ssh-add/Makefile +++ b/secure/usr.bin/ssh-add/Makefile @@ -1,16 +1,30 @@ # $FreeBSD$ +.include + PROG= ssh-add SRCS+= ssh-add.c CFLAGS+=-I${SSHDIR} -include ssh_namespace.h -# required when linking with a dynamic libssh +.if !defined(NO_SHARED) +# required when linking with a dynamic libssh SRCS+= roaming_dummy.c +.endif -DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} -LDADD= -lssh -lcrypt -lcrypto -lz +DPADD= ${LIBSSH} +LDADD= -lssh USEPRIVATELIB= ssh +.if ${MK_LDNS} != "no" +CFLAGS+= -DHAVE_LDNS=1 +#DPADD+= ${LIBLDNS} +#LDADD+= -lldns +#USEPRIVATELIB+= ldns +.endif + +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz + .include .PATH: ${SSHDIR} diff --git a/secure/usr.bin/ssh-agent/Makefile b/secure/usr.bin/ssh-agent/Makefile index 29620d18613f..353abaced410 100644 --- a/secure/usr.bin/ssh-agent/Makefile +++ b/secure/usr.bin/ssh-agent/Makefile 
@@ -1,16 +1,30 @@ # $FreeBSD$ +.include + PROG= ssh-agent SRCS= ssh-agent.c CFLAGS+=-I${SSHDIR} -include ssh_namespace.h -# required when linking with a dynamic libssh +.if !defined(NO_SHARED) +# required when linking with a dynamic libssh SRCS+= roaming_dummy.c +.endif -DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} -LDADD= -lssh -lcrypt -lcrypto -lz +DPADD= ${LIBSSH} +LDADD= -lssh USEPRIVATELIB= ssh +.if ${MK_LDNS} != "no" +CFLAGS+= -DHAVE_LDNS=1 +#DPADD+= ${LIBLDNS} +#LDADD+= -lldns +#USEPRIVATELIB+= ldns +.endif + +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz + .include .PATH: ${SSHDIR} diff --git a/secure/usr.bin/ssh-keygen/Makefile b/secure/usr.bin/ssh-keygen/Makefile index 48e486e573e0..75934d9bff91 100644 --- a/secure/usr.bin/ssh-keygen/Makefile +++ b/secure/usr.bin/ssh-keygen/Makefile @@ -1,16 +1,30 @@ # $FreeBSD$ +.include + PROG= ssh-keygen SRCS= ssh-keygen.c CFLAGS+=-I${SSHDIR} -include ssh_namespace.h -# required when linking with a dynamic libssh -SRCS+= roaming_dummy.c +.if !defined(NO_SHARED) +# required when linking with a dynamic libssh +SRCS+= roaming_dummy.c +.endif -DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} -LDADD= -lssh -lcrypt -lcrypto -lz +DPADD= ${LIBSSH} +LDADD= -lssh USEPRIVATELIB= ssh +.if ${MK_LDNS} != "no" +CFLAGS+= -DHAVE_LDNS=1 +DPADD+= ${LIBLDNS} +LDADD+= -lldns +USEPRIVATELIB+= ldns +.endif + +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz + .include .PATH: ${SSHDIR} diff --git a/secure/usr.bin/ssh-keyscan/Makefile b/secure/usr.bin/ssh-keyscan/Makefile index cc82d07e1b08..7dcb4d10826e 100644 --- a/secure/usr.bin/ssh-keyscan/Makefile +++ b/secure/usr.bin/ssh-keyscan/Makefile 
@@ -1,13 +1,25 @@ # $FreeBSD$ +.include + PROG= ssh-keyscan SRCS= ssh-keyscan.c roaming_dummy.c CFLAGS+=-I${SSHDIR} -include ssh_namespace.h -DPADD= ${LIBSSH} ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} -LDADD= -lssh -lcrypt -lcrypto -lz +DPADD= ${LIBSSH} +LDADD= -lssh USEPRIVATELIB= ssh +.if ${MK_LDNS} != "no" +CFLAGS+= -DHAVE_LDNS=1 +#DPADD+= ${LIBLDNS} +#LDADD+= -lldns +#USEPRIVATELIB+= ldns +.endif + +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz + .include .PATH: ${SSHDIR} diff --git a/secure/usr.bin/ssh/Makefile b/secure/usr.bin/ssh/Makefile index a5e580879d6b..459d21f386a0 100644 --- a/secure/usr.bin/ssh/Makefile +++ b/secure/usr.bin/ssh/Makefile @@ -1,5 +1,4 @@ # $FreeBSD$ -# .include @@ -16,10 +15,17 @@ SRCS= ssh.c readconf.c clientloop.c sshtty.c \ # gss-genr.c really belongs in libssh; see src/secure/lib/libssh/Makefile SRCS+= gss-genr.c -DPADD= ${LIBSSH} ${LIBUTIL} ${LIBZ} -LDADD= -lssh -lutil -lz +DPADD= ${LIBSSH} ${LIBUTIL} +LDADD= -lssh -lutil USEPRIVATELIB= ssh +.if ${MK_LDNS} != "no" +CFLAGS+= -DHAVE_LDNS=1 +DPADD+= ${LIBLDNS} +LDADD+= -lldns +USEPRIVATELIB+= ldns +.endif + .if ${MK_KERBEROS_SUPPORT} != "no" CFLAGS+= -DGSSAPI -DHAVE_GSSAPI_GSSAPI_H=1 -DKRB5 -DHEIMDAL DPADD+= ${LIBGSSAPI} @@ -30,8 +36,8 @@ LDADD+= -lgssapi CFLAGS+= -DNONE_CIPHER_ENABLED .endif -DPADD+= ${LIBCRYPT} ${LIBCRYPTO} -LDADD+= -lcrypt -lcrypto +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz .if defined(LOCALBASE) CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\" diff --git a/secure/usr.sbin/sshd/Makefile b/secure/usr.sbin/sshd/Makefile index bb37ae4775f0..daba994df52c 100644 --- a/secure/usr.sbin/sshd/Makefile +++ b/secure/usr.sbin/sshd/Makefile @@ -1,5 +1,4 @@ # $FreeBSD$ -# .include 
@@ -25,10 +24,17 @@ SRCS+= gss-genr.c MAN= sshd.8 sshd_config.5 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h -DPADD= ${LIBSSH} ${LIBUTIL} ${LIBZ} ${LIBWRAP} ${LIBPAM} -LDADD= -lssh -lutil -lz -lwrap ${MINUSLPAM} +DPADD= ${LIBSSH} ${LIBUTIL} ${LIBWRAP} ${LIBPAM} +LDADD= -lssh -lutil -lwrap ${MINUSLPAM} USEPRIVATELIB= ssh +.if ${MK_LDNS} != "no" +CFLAGS+= -DHAVE_LDNS=1 +#DPADD+= ${LIBLDNS} +#LDADD+= -lldns +#USEPRIVATELIB+= ldns +.endif + .if ${MK_AUDIT} != "no" CFLAGS+= -DUSE_BSM_AUDIT -DHAVE_GETAUDIT_ADDR DPADD+= ${LIBBSM} @@ -36,17 +42,20 @@ LDADD+= -lbsm .endif .if ${MK_KERBEROS_SUPPORT} != "no" -CFLAGS+= -DGSSAPI -DHAVE_GSSAPI_GSSAPI_H=1 -DHAVE_GSSAPI_GSSAPI_KRB5_H=1 -DKRB5 -DHEIMDAL -DPADD+= ${LIBGSSAPI_KRB5} ${LIBGSSAPI} ${LIBKRB5} ${LIBASN1} -LDADD+= -lgssapi_krb5 -lgssapi -lkrb5 -lasn1 +CFLAGS+= -DGSSAPI -DKRB5 -DHEIMDAL \ + -DHAVE_GSSAPI_GSSAPI_H=1 -DHAVE_GSSAPI_GSSAPI_KRB5_H=1 +DPADD+= ${LIBGSSAPI_KRB5} ${LIBGSSAPI} ${LIBKRB5} ${LIBHX509} ${LIBASN1} \ + ${LIBCOM_ERR} ${LIBROKEN} ${LIBWIND} ${LIBHEIMBASE} ${LIBHEIMIPCC} +LDADD+= -lgssapi_krb5 -lgssapi -lkrb5 -lhx509 -lasn1 \ + -lcom_err -lroken -lwind -lheimbase -lheimipcc .endif .if ${MK_OPENSSH_NONE_CIPHER} != "no" CFLAGS+= -DNONE_CIPHER_ENABLED .endif -DPADD+= ${LIBCRYPTO} ${LIBCRYPT} -LDADD+= -lcrypto -lcrypt +DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} +LDADD+= -lcrypt -lcrypto -lz .if defined(LOCALBASE) CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\"
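Review bot: The Kerberos block in secure/usr.sbin/sshd/Makefile now lists Heimdal's transitive dependencies (`-lhx509 -lcom_err -lroken -lwind -lheimbase -lheimipcc`) unconditionally, with no comment that they are there for static linking. The previous four-library list was enough for the shared build, and the commit message says sshd cannot be linked statically yet because of libpam.a. Unless the linker drops unused libraries, the shared sshd presumably gains direct dependencies on libraries it does not call itself, which is worth avoiding in a privileged daemon. I would keep the old `DPADD`/`LDADD` lists for the shared case and put the extended lists, in their current order, under `.if defined(NO_SHARED)` with a comment such as `# a static link must name Heimdal's transitive dependencies explicitly`. At minimum that comment should be added, so the list is not mistaken for sshd's own direct dependencies.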