Properly flatten openssh/dist.

407 files changed, 0 insertions, 109174 deletions

diff --git a/crypto/openssh/COPYING.Ylonen b/crypto/openssh/COPYING.Ylonen
deleted file mode 100644
index 5e681ed..0000000
--- a/crypto/openssh/COPYING.Ylonen
+++ /dev/null
@@ -1,70 +0,0 @@
-This file is part of the ssh software, Copyright (c) 1995 Tatu Ylonen, Finland
-
-
-COPYING POLICY AND OTHER LEGAL ISSUES
-
-As far as I am concerned, the code I have written for this software
-can be used freely for any purpose.  Any derived versions of this
-software must be clearly marked as such, and if the derived work is
-incompatible with the protocol description in the RFC file, it must be
-called by a name other than "ssh" or "Secure Shell".
-
-However, I am not implying to give any licenses to any patents or
-copyrights held by third parties, and the software includes parts that
-are not under my direct control.  As far as I know, all included
-source code is used in accordance with the relevant license agreements
-and can be used freely for any purpose (the GNU license being the most
-restrictive); see below for details.
-
-[ RSA is no longer included. ]
-[ IDEA is no longer included. ]
-[ DES is now external. ]
-[ GMP is now external. No more GNU licence. ]
-[ Zlib is now external. ]
-[ The make-ssh-known-hosts script is no longer included. ]
-[ TSS has been removed. ]
-[ MD5 is now external. ]
-[ RC4 support has been removed. ]
-[ Blowfish is now external. ]
-
-The 32-bit CRC implementation in crc32.c is due to Gary S. Brown.
-Comments in the file indicate it may be used for any purpose without
-restrictions.
-
-The 32-bit CRC compensation attack detector in deattack.c was
-contributed by CORE SDI S.A. under a BSD-style license. See
-http://www.core-sdi.com/english/ssh/ for details.
-
-Note that any information and cryptographic algorithms used in this
-software are publicly available on the Internet and at any major
-bookstore, scientific library, and patent office worldwide.  More
-information can be found e.g. at "http://www.cs.hut.fi/crypto".
-
-The legal status of this program is some combination of all these
-permissions and restrictions.  Use only at your own responsibility.
-You will be responsible for any legal consequences yourself; I am not
-making any claims whether possessing or using this is legal or not in
-your country, and I am not taking any responsibility on your behalf.
-
-
-			    NO WARRANTY
-
-BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
-IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
diff --git a/crypto/openssh/CREDITS b/crypto/openssh/CREDITS
deleted file mode 100644
index eaf105a..0000000
--- a/crypto/openssh/CREDITS
+++ /dev/null
@@ -1,105 +0,0 @@
-Tatu Ylonen <ylo@cs.hut.fi> - Creator of SSH
-
-Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
-Theo de Raadt, and Dug Song - Creators of OpenSSH
-
-Ahsan Rashid <arms@sco.com> - UnixWare long passwords
-Alain St-Denis <Alain.St-Denis@ec.gc.ca> - Irix fix
-Alexandre Oliva <oliva@lsd.ic.unicamp.br> - AIX fixes
-Andre Lucas <andre@ae-35.com> - new login code, many fixes
-Andreas Steinmetz <ast@domdv.de> - Shadow password expiry support
-Andrew McGill <andrewm@datrix.co.za> - SCO fixes
-Andrew Morgan <morgan@transmeta.com> - PAM bugfixes
-Andrew Stribblehill <a.d.stribblehill@durham.ac.uk> - Bugfixes
-Andy Sloane <andy@guildsoftware.com> - bugfixes
-Aran Cox <acox@cv.telegroup.com> - SCO bugfixes
-Arkadiusz Miskiewicz <misiek@pld.org.pl> - IPv6 compat fixes
-Ben Lindstrom <mouring@eviladmin.org> - NeXT support
-Ben Taylor <bent@clark.net> - Solaris debugging and fixes
-Bratislav ILICH <bilic@zepter.ru> - Configure fix
-Charles Levert <charles@comm.polymtl.ca> - SunOS 4 & bug fixes
-Chip Salzenberg <chip@valinux.com> - Assorted patches
-Chris Adams <cmadams@hiwaay.net> - OSF SIA support
-Chris Saia <csaia@wtower.com> - SuSE packaging
-Chris, the Young One <cky@pobox.com> - Password auth fixes
-Christos Zoulas <christos@zoulas.com> - Autoconf fixes
-Chun-Chung Chen <cjj@u.washington.edu> - RPM fixes
-Corinna Vinschen <vinschen@redhat.com> - Cygwin support
-Chad Mynhier <mynhier@interstel.net> - Solaris Process Contract support
-Dan Brosemer <odin@linuxfreak.com> - Autoconf support, build fixes
-Darren Hall <dhall@virage.org> - AIX patches
-Darren Tucker <dtucker@zip.com.au> - AIX BFF package scripts
-David Agraz <dagraz@jahoopa.com> - Build fixes
-David Del Piero <David.DelPiero@qed.qld.gov.au> - bug fixes
-David Hesprich <darkgrue@gue-tech.org> - Configure fixes
-David Rankin <drankin@bohemians.lexington.ky.us> - libwrap, AIX, NetBSD fixes
-Dag-Erling Smørgrav <des at freebsd.org> - Challenge-Response PAM code.
-Dhiraj Gulati <dgulati@sco.com> - UnixWare long passwords
-Ed Eden <ede370@stl.rural.usda.gov> - configure fixes
-Garrick James <garrick@james.net> - configure fixes
-Gary E. Miller <gem@rellim.com> - SCO support
-Ged Lodder <lodder@yacc.com.au> - HPUX fixes and enhancements
-Gert Doering <gd@hilb1.medat.de> - bug and portability fixes
-HARUYAMA Seigo <haruyama@unixuser.org> - Translations & doc fixes
-Hideaki YOSHIFUJI <yoshfuji@ecei.tohoku.ac.jp> - IPv6 and bug fixes
-Hiroshi Takekawa <takekawa@sr3.t.u-tokyo.ac.jp> - Configure fixes
-Holger Trapp <Holger.Trapp@Informatik.TU-Chemnitz.DE> - KRB4/AFS config patch
-IWAMURO Motonori <iwa@mmp.fujitsu.co.jp> - bugfixes
-Jani Hakala <jahakala@cc.jyu.fi> - Patches
-Jarno Huuskonen <jhuuskon@hytti.uku.fi> - Bugfixes
-Jim Knoble <jmknoble@pobox.com> - Many patches
-Jonchen (email unknown) - the original author of PAM support of SSH
-Juergen Keil <jk@tools.de> - scp bugfixing
-KAMAHARA Junzo <kamahara@cc.kshosen.ac.jp> - Configure fixes
-Kees Cook <cook@cpoint.net> - scp fixes
-Kenji Miyake <kenji@miyake.org> - Configure fixes
-Kevin Cawlfield <cawlfiel@us.ibm.com> - AIX fixes.
-Kevin O'Connor <kevin_oconnor@standardandpoors.com> - RSAless operation
-Kevin Steves <stevesk@pobox.com> - HP support, bugfixes, improvements
-Kiyokazu SUTO <suto@ks-and-ks.ne.jp> - Bugfixes
-Larry Jones <larry.jones@sdrc.com> - Bugfixes
-Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> - Bugfixes
-Marc G. Fournier <marc.fournier@acadiau.ca> - Solaris patches
-Mark D. Baushke <mdb@juniper.net> - bug fixes
-Martin Johansson <fatbob@acc.umu.se> - Linux fixes
-Mark D. Roth <roth+openssh@feep.net> - Features, bug fixes
-Mark Miller <markm@swoon.net> - Bugfixes
-Matt Richards <v2matt@btv.ibm.com> - AIX patches
-Michael Steffens <michael_steffens at hp.com> - HP-UX fixes
-Michael Stone <mstone@cs.loyola.edu> - Irix enhancements
-Nakaji Hiroyuki <nakaji@tutrp.tut.ac.jp> - Sony News-OS patch
-Nalin Dahyabhai <nalin.dahyabhai@pobox.com> - PAM environment patch
-Nate Itkin <nitkin@europa.com> - SunOS 4.1.x fixes
-Niels Kristian Bech Jensen <nkbj@image.dk> - Assorted patches
-Pavel Kankovsky <peak@argo.troja.mff.cuni.cz> - Security fixes
-Pavel Troller <patrol@omni.sinus.cz> - Bugfixes
-Pekka Savola <pekkas@netcore.fi> - Bugfixes
-Peter Kocks <peter.kocks@baygate.com> - Makefile fixes
-Peter Stuge <stuge@cdy.org> - mdoc2man.awk script
-Phil Hands <phil@hands.com> - Debian scripts, assorted patches
-Phil Karn <karn@ka9q.ampr.org> - Autoconf fixes
-Philippe WILLEM <Philippe.WILLEM@urssaf.fr> - Bugfixes
-Phill Camp <P.S.S.Camp@ukc.ac.uk> - login code fix
-Rip Loomis <loomisg@cist.saic.com> - Solaris package support, fixes
-Robert Dahlem <Robert.Dahlem at siemens.com> - Reliant Unix fixes
-Roumen Petrov <openssh@roumenpetrov.info> - Compile & configure fixes
-SAKAI Kiyotaka <ksakai@kso.netwk.ntt-at.co.jp> - Multiple bugfixes
-Simon Wilkinson <sxw@dcs.ed.ac.uk> - PAM fixes, Compat with MIT KrbV
-Solar Designer <solar@openwall.com> - many patches and technical assistance
-Svante Signell <svante.signell@telia.com> - Bugfixes
-Thomas Neumann <tom@smart.ruhr.de> - Shadow passwords
-Tim Rice <tim@multitalents.net> - Portability & SCO fixes
-Tobias Oetiker <oetiker@ee.ethz.ch> - Bugfixes
-Tom Bertelson's <tbert@abac.com> - AIX auth fixes
-Tor-Ake Fransson <torake@hotmail.com> - AIX support
-Tudor Bosman <tudorb@jm.nu> - MD5 password support
-Udo Schweigert <ust@cert.siemens.de> - ReliantUNIX support
-Wendy Palm <wendyp at cray.com> - Cray support.
-Zack Weinberg <zack@wolery.cumb.org> - GNOME askpass enhancement
-
-Apologies to anyone I have missed.
-
-Damien Miller <djm@mindrot.org>
-
-$Id: CREDITS,v 1.81 2006/08/30 17:24:41 djm Exp $
-
diff --git a/crypto/openssh/ChangeLog b/crypto/openssh/ChangeLog
deleted file mode 100644
index 2755591..0000000
--- a/crypto/openssh/ChangeLog
+++ /dev/null
@@ -1,2609 +0,0 @@
-20061107
- - (dtucker) [sshd.c] Use privsep_pw if we have it, but only require it
-   if we absolutely need it.  Pointed out by Corinna, ok djm@
- - (dtucker) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2006/11/06 21:25:28
-     [auth-rsa.c kexgexc.c kexdhs.c key.c ssh-dss.c sshd.c kexgexs.c
-     ssh-keygen.c bufbn.c moduli.c scard.c kexdhc.c sshconnect1.c dh.c rsa.c]
-     add missing checks for openssl return codes; with & ok djm@
-   - markus@cvs.openbsd.org 2006/11/07 10:31:31
-     [monitor.c version.h]
-     correctly check for bad signatures in the monitor, otherwise the monitor
-     and the unpriv process can get out of sync. with dtucker@, ok djm@,
-     dtucker@
- - (dtucker) [README contrib/{caldera,redhat,contrib}/openssh.spec] Bump
-   versions.
- - (dtucker) [dh.c] Type fix for BN_hex2bn; ok markus@
- - (dtucker) Release 4.5p1.
-
-20061105
- - (djm) OpenBSD CVS Sync
-   - otto@cvs.openbsd.org 2006/10/28 18:08:10
-     [ssh.1]
-     correct/expand example of usage of -w; ok jmc@ stevesk@
-   - markus@cvs.openbsd.org 2006/10/31 16:33:12
-     [kexdhc.c kexdhs.c kexgexc.c kexgexs.c]
-     check DH_compute_key() for -1 even if it should not happen because of
-     earlier calls to dh_pub_is_valid(); report krahmer at suse.de; ok djm
-
-20061101
- - (dtucker) [openbsd-compat/port-solaris.c] Bug #1255: Make only hwerr
-   events fatal in Solaris process contract support and tell it to signal
-   only processes in the same process group when something happens.
-   Based on information from andrew.benham at thus.net and similar to
-   a patch from Chad Mynhier.  ok djm@
-
-20061027
-- (djm) [auth.c] gc some dead code
-
-20061023
- - (djm) OpenBSD CVS Sync
-   - ray@cvs.openbsd.org 2006/09/30 17:48:22
-     [sftp.c]
-     Clear errno before calling the strtol functions.
-     From Paul Stoeber <x0001 at x dot de1 dot cc>.
-     OK deraadt@.
-   - djm@cvs.openbsd.org 2006/10/06 02:29:19
-     [ssh-agent.c ssh-keyscan.c ssh.c]
-     sys/resource.h needs sys/time.h; prompted by brad@
-     (NB. Id sync only for portable)
-   - djm@cvs.openbsd.org 2006/10/09 23:36:11
-     [session.c]
-     xmalloc -> xcalloc that was missed previously, from portable
-     (NB. Id sync only for portable, obviously)
-   - markus@cvs.openbsd.org 2006/10/10 10:12:45
-     [sshconnect.c]
-     sleep before retrying (not after) since sleep changes errno; fixes
-     pr 5250; rad@twig.com; ok dtucker djm
-   - markus@cvs.openbsd.org 2006/10/11 12:38:03
-     [clientloop.c serverloop.c]
-     exit instead of doing a blocking tcp send if we detect a client/server
-     timeout, since the tcp sendqueue might be already full (of alive
-     requests); ok dtucker, report mpf
-   - djm@cvs.openbsd.org 2006/10/22 02:25:50
-     [sftp-client.c]
-     cancel progress meter when upload write fails; ok deraadt@
- - (tim) [Makefile.in scard/Makefile.in] Add datarootdir= lines to keep
-   autoconf 2.60 from complaining.
-
-20061018
- - (dtucker) OpenBSD CVS Sync
-   - ray@cvs.openbsd.org 2006/09/25 04:55:38
-     [ssh-keyscan.1 ssh.1]
-     Change "a SSH" to "an SSH".  Hurray, I'm not the only one who
-     pronounces "SSH" as "ess-ess-aich".
-     OK jmc@ and stevesk@.
- - (dtucker) [sshd.c] Reshuffle storing of pw struct; prevents warnings
-   on older versions of OS X.  ok djm@
-
-20061016
- - (dtucker) [monitor_fdpass.c] Include sys/in.h, required for cmsg macros
-   on older (2.0) Linuxes.  Based on patch from thmo-13 at gmx de.
-
-20061006
- - (tim) [buildpkg.sh.in] Use uname -r instead of -v in OS_VER for Solaris.
-   Differentiate between OpenServer 5 and OpenServer 6
- - (dtucker) [configure.ac] Set put -lselinux into $LIBS while testing for
-   SELinux functions so they're detected correctly.  Patch from pebenito at
-   gentoo.org.
- - (tim) [buildpkg.sh.in] Some systems have really limited nawk (OpenServer).
-   Allow setting alternate awk in openssh-config.local.
-
-20061003
- - (tim) [configure.ac] Move CHECK_HEADERS test before platform specific
-   section so additional platform specific CHECK_HEADER tests will work
-   correctly. Fixes "<net/if_tap.h> on FreeBSD" problem report by des AT des.no
-   Feedback and "seems like a good idea" dtucker@
-
-20061001
- - (dtucker) [audit-bsm.c] Include errno.h.  Pointed out by des at des.no.
-
-20060929
- - (dtucker) [configure.ac] Bug #1239: Fix configure test for OpenSSH engine
-   support.  Patch from andrew.benham at thus net.
-
-20060928
- - (dtucker) [entropy.c] Bug #1238: include signal.h to fix compilation error
-   on Solaris 8 w/out /dev/random or prngd.  Patch from rl at
-   math.technion.ac.il.
-
-20060926
- - (dtucker) [bufaux.h] nuke bufaux.h; it's already gone from OpenBSD and not
-   referenced any more.  ok djm@
- - (dtucker) [sftp-server.8] Resync; spotted by djm@
- - (dtucker) Release 4.4p1.
-
-20060924
- - (tim) [configure.ac] Remove CFLAGS hack for UnixWare 1.x/2.x (added
-   to rev 1.308) to work around broken gcc 2.x header file.
-
-20060923
- - (dtucker) [configure.ac] Bug #1234: Put opensc libs into $LIBS rather than
-   $LDFLAGS.  Patch from vapier at gentoo org.
-
-20060922
- - (dtucker) [packet.c canohost.c] Include arpa/inet.h for htonl macros on
-   some platforms (eg HP-UX 11.00).  From santhi.amirta at gmail com.
-
-20060921
- - (dtucker) OpenBSD CVS Sync
-   - otto@cvs.openbsd.org 2006/09/19 05:52:23
-     [sftp.c]
-     Use S_IS* macros insted of masking with S_IF* flags. The latter may
-     have multiple bits set, which lead to surprising results. Spotted by
-     Paul Stoeber, more to come. ok millert@ pedro@ jaredy@ djm@
-   - markus@cvs.openbsd.org 2006/09/19 21:14:08
-     [packet.c]
-     client NULL deref on protocol error; Tavis Ormandy, Google Security Team
- - (dtucker) [defines.h] Include unistd.h before defining getpgrp; fixes
-   build error on Ultrix.  From Bernhard Simon.
-
-20060918
- - (dtucker) [configure.ac] On AIX, check to see if the compiler will allow
-   macro redefinitions, and if not, remove "-qlanglvl=ansi" from the flags.
-   Allows build out of the box with older VAC and XLC compilers.  Found by
-   David Bronder and Bernhard Simon.
- - (dtucker) [openbsd-compat/port-aix.{c,h}] Reduce scope of includes.
-   Prevents macro redefinition warnings of "RDONLY".
-
-20060916
- - OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2006/09/16 19:53:37
-     [deattack.c deattack.h packet.c]
-     limit maximum work performed by the CRC compensation attack detector,
-     problem reported by Tavis Ormandy, Google Security Team;
-     ok markus@ deraadt@
- - (djm) Add openssh.xml to .cvsignore and sort it
- - (dtucker) [auth-pam.c] Propogate TZ environment variable to PAM auth
-   process so that any logging it does is with the right timezone.  From
-   Scott Strickler, ok djm@.
- - (dtucker) [monitor.c] Correctly handle auditing of single commands when
-   using Protocol 1.  From jhb at freebsd.
- - (djm) [sshd.c] Fix warning/API abuse; ok dtucker@
- - (dtucker) [INSTALL] Add info about audit support.
-
-20060912
- - (djm) [Makefile.in buildpkg.sh.in configure.ac openssh.xml.in]
-   Support SMF in Solaris Packages if enabled by configure. Patch from
-   Chad Mynhier, tested by dtucker@
-
-20060911
- - (dtucker) [cipher-aes.c] Include string.h for memcpy and friends.  Noted
-   by Pekka Savola.
-
-20060910
- - (dtucker) [contrib/aix/buildbff.sh] Ensure that perl is available.
- - (dtucker) [configure.ac] Add -lcrypt to let DragonFly build OOTB.
-
-20060909
- - (dtucker) [openbsd-compat/bsd-snprintf.c] Add stdarg.h.
- - (dtucker) [contrib/aix/buildbff.sh] Always create privsep user.
- - (dtucker) [buildpkg.sh.in] Always create privsep user.  ok djm@
-
-20060908
- - (dtucker) [auth-sia.c] Add includes required for build on Tru64.  Patch
-   from Chris Adams.
- - (dtucker) [configure.ac] The BSM header test needs time.h in some cases.
-
-20060907
- - (djm) [sshd.c auth.c] Set up fakepw() with privsep uid/gid, so it can
-   be used to drop privilege to; fixes Solaris GSSAPI crash reported by
-   Magnus Abrante; suggestion and feedback dtucker@
-   NB. this change will require that the privilege separation user must
-   exist on all the time, not just when UsePrivilegeSeparation=yes
- - (tim) [configure.ac] s/BROKEN_UPDWTMP/BROKEN_UPDWTMPX/ on SCO OSR6
- - (dtucker) [loginrec.c] Wrap paths.h in HAVE_PATHS_H.
- - (dtucker) [regress/cfgmatch.sh] stop_client is racy, so give us a better
-   chance of winning.
-
-20060905
- - (dtucker) [configure.ac] s/AC_DEFINES/AC_DEFINE/ spotted by Roumen Petrov.
- - (dtucker) [loginrec.c] Include paths.h for _PATH_BTMP.
-
-20060904
- - (dtucker) [configure.ac] Define BROKEN_UPDWTMP on SCO OSR6 as the native
-   updwdtmp seems to generate invalid wtmp entries.  From Roger Cornelius,
-   ok djm@
-
-20060903
- - (dtucker) [configure.ac openbsd-compat/openbsd-compat.h] Check for
-   declaration of writev(2) and declare it ourselves if necessary.  Makes
-   the atomiciov() calls build on really old systems.  ok djm@
-
-20060902
- - (dtucker) [openbsd-compat/port-irix.c] Add errno.h, found by Iain Morgan.
- - (dtucker) [ssh-keyscan.c ssh-rand-helper.c ssh.c sshconnect.c
-   openbsd-compat/bindresvport.c openbsd-compat/getrrsetbyname.c
-   openbsd-compat/port-tun.c openbsd-compat/rresvport.c] Include <arpa/inet.h>
-   for hton* and ntoh* macros.  Required on (at least) HP-UX since we define
-   _XOPEN_SOURCE_EXTENDED.  Found by santhi.amirta at gmail com.
-
-20060901
- - (djm) [audit-bsm.c audit.c auth-bsdauth.c auth-chall.c auth-pam.c]
-   [auth-rsa.c auth-shadow.c auth-sia.c auth1.c auth2-chall.c]
-   [auth2-gss.c auth2-kbdint.c auth2-none.c authfd.c authfile.c]
-   [cipher-3des1.c cipher-aes.c cipher-bf1.c cipher-ctr.c clientloop.c]
-   [dh.c dns.c entropy.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
-   [kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c loginrec.c mac.c]
-   [md5crypt.c monitor.c monitor_wrap.c readconf.c rsa.c]
-   [scard-opensc.c scard.c session.c ssh-add.c ssh-agent.c ssh-dss.c]
-   [ssh-keygen.c ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c]
-   [sshconnect1.c sshconnect2.c sshd.c]
-   [openbsd-compat/bsd-cray.c openbsd-compat/port-aix.c]
-   [openbsd-compat/port-linux.c openbsd-compat/port-solaris.c]
-   [openbsd-compat/port-uw.c]
-   Lots of headers for SCO OSR6, mainly adding stdarg.h for log.h;
-   compile problems reported by rac AT tenzing.org
- - (djm) [includes.h monitor.c openbsd-compat/bindresvport.c]
-   [openbsd-compat/rresvport.c] Some more headers: netinet/in.h 
-   sys/socket.h and unistd.h in various places
- - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Fix implict declaration
-   warnings for binary_open and binary_close.  Patch from Corinna Vinschen.
- - (dtucker) [configure.ac includes.h openbsd-compat/glob.{c,h}] Explicitly
-   test for GLOB_NOMATCH and use our glob functions if it's not found.
-   Stops sftp from segfaulting when attempting to get a nonexistent file on
-   Cygwin (previous versions of OpenSSH didn't use the native glob). Partly
-   from and tested by Corinna Vinschen.
- - (dtucker) [README contrib/{caldera,redhat,suse}/openssh.spec]  Crank
-   versions.
-
-20060831
- - (djm) [CREDITS LICENCE Makefile.in auth.c configure.ac includes.h ]
-   [platform.c platform.h sshd.c openbsd-compat/Makefile.in]
-   [openbsd-compat/openbsd-compat.h openbsd-compat/port-solaris.c]
-   [openbsd-compat/port-solaris.h] Add support for Solaris process
-   contracts, enabled with --use-solaris-contracts. Patch from Chad
-   Mynhier, tweaked by dtucker@ and myself; ok dtucker@
- - (dtucker) [contrib/cygwin/ssh-host-config] Add SeTcbPrivilege privilege
-   while setting up the ssh service account.  Patch from Corinna Vinschen.
-
-20060830
- - (djm) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2006/08/21 08:14:01
-     [sshd_config.5]
-     Document HostbasedUsesNameFromPacketOnly.  Corrections from jmc@,
-     ok jmc@ djm@
-   - dtucker@cvs.openbsd.org 2006/08/21 08:15:57
-     [sshd.8]
-     Add more detail about what permissions are and aren't accepted for
-     authorized_keys files.  Corrections jmc@, ok djm@, "looks good" jmc@
-   - djm@cvs.openbsd.org 2006/08/29 10:40:19
-     [channels.c session.c]
-     normalise some inconsistent (but harmless) NULL pointer checks
-     spotted by the Stanford SATURN tool, via Isil Dillig;
-     ok markus@ deraadt@
-   - dtucker@cvs.openbsd.org 2006/08/29 12:02:30
-     [gss-genr.c]
-     Work around a problem in Heimdal that occurs when KRB5CCNAME file is
-     missing, by checking whether or not kerberos allocated us a context
-     before attempting to free it.  Patch from Simon Wilkinson, tested by
-     biorn@, ok djm@
-   - dtucker@cvs.openbsd.org 2006/08/30 00:06:51
-     [sshconnect2.c]
-     Fix regression where SSH2 banner is printed at loglevels ERROR and FATAL
-     where previously it weren't.  bz #1221, found by Dean Kopesky, ok djm@
-   - djm@cvs.openbsd.org 2006/08/30 00:14:37
-     [version.h]
-     crank to 4.4
- - (djm) [openbsd-compat/xcrypt.c] needs unistd.h
- - (dtucker) [auth.c openbsd-compat/port-aix.c] Bug #1207: always call
-   loginsuccess on AIX immediately after authentication to clear the failed
-   login count.  Previously this would only happen when an interactive
-   session starts (ie when a pty is allocated) but this means that accounts
-   that have primarily non-interactive sessions (eg scp's) may gradually
-   accumulate enough failures to lock out an account.  This change may have
-   a side effect of creating two audit records, one with a tty of "ssh"
-   corresponding to the authentication and one with the allocated pty per
-   interactive session.
-
-20060824
- - (dtucker) [openbsd-compat/basename.c] Include errno.h.
- - (dtucker) [openbsd-compat/bsd-misc.c] Add includes needed for select(2) on
-   older systems.
- - (dtucker) [openbsd-compat/bsd-misc.c] Include <sys/select.h> for select(2)
-   on POSIX systems.
- - (dtucker) [openbsd-compat/bsd-openpty.c] Include for ioctl(2).
- - (dtucker) [openbsd-compat/rresvport.c] Include <stdlib.h> for malloc.
- - (dtucker) [openbsd-compat/xmmap.c] Move #define HAVE_MMAP to prevent
-   unused variable warning when we have a broken or missing mmap(2).
-
-20060822
- - (dtucker) [Makefile.in] Bug #1177: fix incorrect path for sshrc in
-   Makefile.  Patch from santhi.amirta at gmail, ok djm.
-
-20060820
- - (dtucker) [log.c] Move ifdef to prevent unused variable warning.
- - (dtucker) [configure.ac] Save $LIBS during PAM library tests and restore
-   afterward.  Removes the need to mangle $LIBS later to remove -lpam and -ldl.
- - (dtucker) [configure.ac] Relocate --with-pam parts in preparation for
-   fixing bug #1181.  No changes yet.
- - (dtucker) [configure.ac] Bug #1181: Explicitly test to see if OpenSSL
-   (0.9.8a and presumably newer) requires -ldl to successfully link.
- - (dtucker) [configure.ac] Remove errant "-".
-
-20060819
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2006/08/18 22:41:29
-     [gss-genr.c]
-     GSSAPI error code should be 0 and not -1; from simon@sxw.org.uk
- - (dtucker) [openbsd-compat/regress/Makefile.in] Add $(EXEEXT) and add a
-   single rule for the test progs.
-
-20060818
- - (dtucker) [configure.ac openbsd-compat/bsd-closefrom.c] Resync with
-   closefrom.c from sudo.
- - (dtucker) [openbsd-compat/bsd-closefrom.c] Comment out rcsid.
- - (dtucker) [openbsd-compat/regress/snprintftest.c] Newline on error.
- - (dtucker) [openbsd-compat/regress/Makefile.in] Use implicit rules for the
-   test progs instead; they work better than what we have.
- - (djm) OpenBSD CVS Sync
-   - stevesk@cvs.openbsd.org 2006/08/06 01:13:32
-     [compress.c monitor.c monitor_wrap.c]
-     "zlib.h" can be <zlib.h>; ok djm@ markus@
-   - miod@cvs.openbsd.org 2006/08/12 20:46:46
-     [monitor.c monitor_wrap.c]
-     Revert previous include file ordering change, for ssh to compile under
-     gcc2 (or until openssl include files are cleaned of parameter names
-     in function prototypes)
-   - dtucker@cvs.openbsd.org 2006/08/14 12:40:25
-     [servconf.c servconf.h sshd_config.5]
-     Add ability to match groups to Match keyword in sshd_config.  Feedback
-     djm@, stevesk@, ok stevesk@.
-   - djm@cvs.openbsd.org 2006/08/16 11:47:15
-     [sshd.c]
-     factor inetd connection, TCP listen and main TCP accept loop out of
-     main() into separate functions to improve readability; ok markus@
-   - deraadt@cvs.openbsd.org 2006/08/18 09:13:26
-     [log.c log.h sshd.c]
-     make signal handler termination path shorter; risky code pointed out by
-     mark dowd; ok djm markus
-   - markus@cvs.openbsd.org 2006/08/18 09:15:20
-     [auth.h session.c sshd.c]
-     delay authentication related cleanups until we're authenticated and
-     all alarms have been cancelled; ok deraadt
-   - djm@cvs.openbsd.org 2006/08/18 10:27:16
-     [misc.h]
-     reorder so prototypes are sorted by the files they refer to; no
-     binary change
-   - djm@cvs.openbsd.org 2006/08/18 13:54:54
-     [gss-genr.c ssh-gss.h sshconnect2.c]
-     bz #1218 - disable SPNEGO as per RFC4462; diff from simon AT sxw.org.uk
-     ok markus@
-   - djm@cvs.openbsd.org 2006/08/18 14:40:34
-     [gss-genr.c ssh-gss.h]
-     constify host argument to match the rest of the GSSAPI functions and
-     unbreak compilation with -Werror
- - (djm) Disable sigdie() for platforms that cannot safely syslog inside
-   a signal handler (basically all of them, excepting OpenBSD);
-   ok dtucker@
-
-20060817
- - (dtucker) [openbsd-compat/fake-rfc2553.c openbsd-compat/setproctitle.c]
-   Include stdlib.h for malloc and friends.
- - (dtucker) [configure.ac openbsd-compat/bsd-closefrom.c] Use F_CLOSEM fcntl
-   for closefrom() on AIX.  Pointed out by William Ahern.
- - (dtucker) [openbsd-compat/regress/{Makefile.in,closefromtest.c}] Regress
-   test for closefrom() in compat code.
-
-20060816
- - (djm) [audit-bsm.c] Sprinkle in some headers
-
-20060815
- - (dtucker) [LICENCE] Add Reyk to the list for the compat dir.
-
-20060806
- - (djm) [openbsd-compat/bsd-getpeereid.c] Add some headers to quiet warnings
-   on Solaris 10
-
-20060806
- - (dtucker) [defines.h] With the includes.h changes we no longer get the
-   name clash on "YES" so we can remove the workaround for it.
- - (dtucker) [openbsd-compat/{bsd-asprintf.c,bsd-openpty.c,bsd-snprintf.c,
-   glob.c}] Include stdlib.h for malloc and friends in compat code.
-
-20060805
- - (djm) OpenBSD CVS Sync
-   - stevesk@cvs.openbsd.org 2006/07/24 13:58:22
-     [sshconnect.c]
-     disable tunnel forwarding when no strict host key checking
-     and key changed; ok djm@ markus@ dtucker@
-   - stevesk@cvs.openbsd.org 2006/07/25 02:01:34
-     [scard.c]
-     need #include <string.h>
-   - stevesk@cvs.openbsd.org 2006/07/25 02:59:21
-     [channels.c clientloop.c packet.c scp.c serverloop.c sftp-client.c]
-     [sftp-server.c ssh-agent.c ssh-keyscan.c sshconnect.c sshd.c]
-     move #include <sys/time.h> out of includes.h
-   - stevesk@cvs.openbsd.org 2006/07/26 02:35:17
-     [atomicio.c auth.c dh.c authfile.c buffer.c clientloop.c kex.c]
-     [groupaccess.c gss-genr.c kexgexs.c misc.c monitor.c monitor_mm.c]
-     [packet.c scp.c serverloop.c session.c sftp-client.c sftp-common.c]
-     [sftp-server.c sftp.c ssh-add.c ssh-agent.c ssh-keygen.c sshlogin.c]
-     [uidswap.c xmalloc.c]
-     move #include <sys/param.h> out of includes.h
-   - stevesk@cvs.openbsd.org 2006/07/26 13:57:17
-     [authfd.c authfile.c dh.c canohost.c channels.c clientloop.c compat.c]
-     [hostfile.c kex.c log.c misc.c moduli.c monitor.c packet.c readpass.c]
-     [scp.c servconf.c session.c sftp-server.c sftp.c ssh-add.c ssh-agent.c]
-     [ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh.c sshconnect.c]
-     [sshconnect1.c sshd.c xmalloc.c]
-     move #include <stdlib.h> out of includes.h
-   - jmc@cvs.openbsd.org 2006/07/27 08:00:50
-     [ssh_config.5]
-     avoid confusing wording in HashKnownHosts:
-     originally spotted by alan amesbury;
-     ok deraadt
-   - jmc@cvs.openbsd.org 2006/07/27 08:00:50
-     [ssh_config.5]
-     avoid confusing wording in HashKnownHosts:
-     originally spotted by alan amesbury;
-     ok deraadt
-   - dtucker@cvs.openbsd.org 2006/08/01 11:34:36
-     [sshconnect.c]
-     Allow fallback to known_hosts entries without port qualifiers for
-     non-standard ports too, so that all existing known_hosts entries will be
-     recognised.  Requested by, feedback and ok markus@
-   - stevesk@cvs.openbsd.org 2006/08/01 23:22:48
-     [auth-passwd.c auth-rhosts.c auth-rsa.c auth.c auth.h auth1.c]
-     [auth2-chall.c auth2-pubkey.c authfile.c buffer.c canohost.c]
-     [channels.c clientloop.c dh.c dns.c dns.h hostfile.c kex.c kexdhc.c]
-     [kexgexc.c kexgexs.c key.c key.h log.c misc.c misc.h moduli.c]
-     [monitor_wrap.c packet.c progressmeter.c readconf.c readpass.c scp.c]
-     [servconf.c session.c sftp-client.c sftp-common.c sftp-server.c sftp.c]
-     [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh.c sshconnect.c]
-     [sshconnect1.c sshconnect2.c sshd.c sshlogin.c sshtty.c uuencode.c]
-     [uuencode.h xmalloc.c]
-     move #include <stdio.h> out of includes.h
-   - stevesk@cvs.openbsd.org 2006/08/01 23:36:12
-     [authfile.c channels.c progressmeter.c scard.c servconf.c ssh.c]
-     clean extra spaces
-   - deraadt@cvs.openbsd.org 2006/08/03 03:34:42
-     [OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c]
-     [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
-     [auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c]
-     [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ]
-     [auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c]
-     [buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c]
-     [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
-     [compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c]
-     [groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
-     [kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c]
-     [key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c]
-     [monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c]
-     [monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c]
-     [readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h]
-     [serverloop.c session.c session.h sftp-client.c sftp-common.c]
-     [sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c]
-     [ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c]
-     [ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c]
-     [sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c]
-     [uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h]
-     [loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h]
-     almost entirely get rid of the culture of ".h files that include .h files"
-     ok djm, sort of ok stevesk
-     makes the pain stop in one easy step
-     NB. portable commit contains everything *except* removing includes.h, as
-     that will take a fair bit more work as we move headers that are required
-     for portability workarounds to defines.h. (also, this step wasn't "easy")
-   - stevesk@cvs.openbsd.org 2006/08/04 20:46:05
-     [monitor.c session.c ssh-agent.c]
-     spaces
- - (djm) [auth-pam.c defines.h] Move PAM related bits to auth-pam.c
- - (djm) [auth-pam.c auth.c bufaux.h entropy.c openbsd-compat/port-tun.c]
-   remove last traces of bufaux.h - it was merged into buffer.h in the big
-   includes.h commit
- - (djm) [auth.c loginrec.c] Missing netinet/in.h for loginrec
- - (djm) [openbsd-compat/regress/snprintftest.c]
-   [openbsd-compat/regress/strduptest.c] Add missing includes so they pass
-   compilation with "-Wall -Werror"
- - (djm) [auth-pam.c auth-shadow.c auth2-none.c cleanup.c sshd.c]
-   [openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Sprinkle more
-   includes for Linux in
- - (dtucker) [cleanup.c] Need defines.h for __dead.
- - (dtucker) [auth2-gss.c] We still need the #ifdef GSSAPI in -portable.
- - (dtucker) [openbsd-compat/{bsd-arc4random.c,port-tun.c,xmmap.c}] Lots of
-   #include stdarg.h, needed for log.h.
- - (dtucker) [entropy.c] Needs unistd.h too.
- - (dtucker) [ssh-rand-helper.c] Needs stdarg.h for log.h.
- - (dtucker) [openbsd-compat/getrrsetbyname.c] Nees stdlib.h for malloc.
- - (dtucker) [openbsd-compat/strtonum.c] Include stdlib.h for strtoll,
-   otherwise it is implicitly declared as returning an int.
- - (dtucker) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2006/08/05 07:52:52
-     [auth2-none.c sshd.c monitor_wrap.c]
-     Add headers required to build with KERBEROS5=no.  ok djm@
-   - dtucker@cvs.openbsd.org 2006/08/05 08:00:33
-     [auth-skey.c]
-     Add headers required to build with -DSKEY.  ok djm@
-   - dtucker@cvs.openbsd.org 2006/08/05 08:28:24
-     [monitor_wrap.c auth-skey.c auth2-chall.c]
-     Zap unused variables in -DSKEY code.  ok djm@
-   - dtucker@cvs.openbsd.org 2006/08/05 08:34:04
-     [packet.c]
-     Typo in comment
- - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Add headers required to compile
-   on Cygwin.
- - (dtucker) [openbsd-compat/fake-rfc2553.c] Add headers needed for inet_ntoa.
- - (dtucker) [auth-skey.c] monitor_wrap.h needs ssh-gss.h.
- - (dtucker) [audit.c audit.h] Repair headers.
- - (dtucker) [audit-bsm.c] Add additional headers now required.
-
-20060804
- - (dtucker) [configure.ac] The "crippled AES" test does not work on recent
-   versions of Solaris, so use AC_LINK_IFELSE to actually link the test program
-   rather than just compiling it.  Spotted by dlg@.
-
-20060802
- - (dtucker) [openbsd-compat/daemon.c] Add unistd.h for fork() prototype.
-
-20060725
- - (dtucker) [openbsd-compat/xmmap.c] Need fcntl.h for O_RDRW.
-
-20060724
- - (djm) OpenBSD CVS Sync
-   - jmc@cvs.openbsd.org 2006/07/12 13:39:55
-     [sshd_config.5]
-      - new sentence, new line
-      - s/The the/The/
-      - kill a bad comma
-   - stevesk@cvs.openbsd.org 2006/07/12 22:28:52
-     [auth-options.c canohost.c channels.c includes.h readconf.c]
-     [servconf.c ssh-keyscan.c ssh.c sshconnect.c sshd.c]
-     move #include <netdb.h> out of includes.h; ok djm@
-   - stevesk@cvs.openbsd.org 2006/07/12 22:42:32
-     [includes.h ssh.c ssh-rand-helper.c]
-     move #include <stddef.h> out of includes.h
-   - stevesk@cvs.openbsd.org 2006/07/14 01:15:28
-     [monitor_wrap.h]
-     don't need incompletely-typed 'struct passwd' now with
-     #include <pwd.h>; ok markus@
-   - stevesk@cvs.openbsd.org 2006/07/17 01:31:10
-     [authfd.c authfile.c channels.c cleanup.c clientloop.c groupaccess.c]
-     [includes.h log.c misc.c msg.c packet.c progressmeter.c readconf.c]
-     [readpass.c scp.c servconf.c sftp-client.c sftp-server.c sftp.c]
-     [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh.c]
-     [sshconnect.c sshlogin.c sshpty.c uidswap.c]
-     move #include <unistd.h> out of includes.h
-   - dtucker@cvs.openbsd.org 2006/07/17 12:02:24
-     [auth-options.c]
-     Use '\0' rather than 0 to terminates strings; ok djm@
-   - dtucker@cvs.openbsd.org 2006/07/17 12:06:00
-     [channels.c channels.h servconf.c sshd_config.5]
-     Add PermitOpen directive to sshd_config which is equivalent to the
-     "permitopen" key option.  Allows server admin to allow TCP port
-     forwarding only two specific host/port pairs.  Useful when combined
-     with Match.
-     If permitopen is used in both sshd_config and a key option, both
-     must allow a given connection before it will be permitted.
-     Note that users can still use external forwarders such as netcat,
-     so to be those must be controlled too for the limits to be effective.
-     Feedback & ok djm@, man page corrections & ok jmc@.
-   - jmc@cvs.openbsd.org 2006/07/18 07:50:40
-     [sshd_config.5]
-     tweak; ok dtucker
-   - jmc@cvs.openbsd.org 2006/07/18 07:56:28
-     [scp.1]
-     replace DIAGNOSTICS with .Ex;
-   - jmc@cvs.openbsd.org 2006/07/18 08:03:09
-     [ssh-agent.1 sshd_config.5]
-     mark up angle brackets;
-   - dtucker@cvs.openbsd.org 2006/07/18 08:22:23
-     [sshd_config.5]
-     Clarify description of Match, with minor correction from jmc@
-   - stevesk@cvs.openbsd.org 2006/07/18 22:27:55
-     [dh.c]
-     remove unneeded includes; ok djm@
-   - dtucker@cvs.openbsd.org 2006/07/19 08:56:41
-     [servconf.c sshd_config.5]
-     Add support for X11Forwaring, X11DisplayOffset and X11UseLocalhost to
-     Match.  ok djm@
-   - dtucker@cvs.openbsd.org 2006/07/19 13:07:10
-     [servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5]
-     Add ForceCommand keyword to sshd_config, equivalent to the "command="
-     key option, man page entry and example in sshd_config.
-     Feedback & ok djm@, man page corrections & ok jmc@
-   - stevesk@cvs.openbsd.org 2006/07/20 15:26:15
-     [auth1.c serverloop.c session.c sshconnect2.c]
-     missed some needed #include <unistd.h> when KERBEROS5=no; issue from
-     massimo@cedoc.mo.it
-   - dtucker@cvs.openbsd.org 2006/07/21 12:43:36
-     [channels.c channels.h servconf.c servconf.h sshd_config.5]
-     Make PermitOpen take a list of permitted ports and act more like most
-     other keywords (ie the first match is the effective setting). This
-     also makes it easier to override a previously set PermitOpen. ok djm@
-   - stevesk@cvs.openbsd.org 2006/07/21 21:13:30
-     [channels.c]
-     more ARGSUSED (lint) for dispatch table-driven functions; ok djm@
-   - stevesk@cvs.openbsd.org 2006/07/21 21:26:55
-     [progressmeter.c]
-     ARGSUSED for signal handler
-   - stevesk@cvs.openbsd.org 2006/07/22 19:08:54
-     [includes.h moduli.c progressmeter.c scp.c sftp-common.c]
-     [sftp-server.c ssh-agent.c sshlogin.c]
-     move #include <time.h> out of includes.h
-   - stevesk@cvs.openbsd.org 2006/07/22 20:48:23
-     [atomicio.c auth-options.c auth-passwd.c auth-rhosts.c auth-rsa.c]
-     [auth.c auth1.c auth2-chall.c auth2-hostbased.c auth2-passwd.c auth2.c]
-     [authfd.c authfile.c bufaux.c bufbn.c buffer.c canohost.c channels.c]
-     [cipher-3des1.c cipher-bf1.c cipher-ctr.c cipher.c clientloop.c]
-     [compat.c deattack.c dh.c dns.c gss-genr.c gss-serv.c hostfile.c]
-     [includes.h kex.c kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c log.c]
-     [mac.c match.c md-sha256.c misc.c moduli.c monitor.c monitor_fdpass.c]
-     [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c rsa.c]
-     [progressmeter.c readconf.c readpass.c scp.c servconf.c serverloop.c]
-     [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c sftp.c]
-     [ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c]
-     [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c sshconnect2.c]
-     [sshd.c sshlogin.c sshpty.c ttymodes.c uidswap.c xmalloc.c]
-     move #include <string.h> out of includes.h
-   - stevesk@cvs.openbsd.org 2006/07/23 01:11:05
-     [auth.h dispatch.c kex.h sftp-client.c]
-     #include <signal.h> for sig_atomic_t; need this prior to <sys/param.h>
-     move
- - (djm) [acss.c auth-krb5.c auth-options.c auth-pam.c auth-shadow.c]
-   [canohost.c channels.c cipher-acss.c defines.h dns.c gss-genr.c]
-   [gss-serv-krb5.c gss-serv.c log.h loginrec.c logintest.c readconf.c]
-   [servconf.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rand-helper.c]
-   [ssh.c sshconnect.c sshd.c openbsd-compat/bindresvport.c]
-   [openbsd-compat/bsd-arc4random.c openbsd-compat/bsd-misc.c]
-   [openbsd-compat/getrrsetbyname.c openbsd-compat/glob.c]
-   [openbsd-compat/mktemp.c openbsd-compat/port-linux.c]
-   [openbsd-compat/port-tun.c openbsd-compat/readpassphrase.c]
-   [openbsd-compat/setproctitle.c openbsd-compat/xmmap.c]
-   make the portable tree compile again - sprinkle unistd.h and string.h 
-   back in. Don't redefine __unused, as it turned out to be used in
-   headers on Linux, and replace its use in auth-pam.c with ARGSUSED
- - (djm) [openbsd-compat/glob.c]
-   Move get_arg_max() into the ifdef HAVE_GLOB block so that it compiles
-   on OpenBSD (or other platforms with a decent glob implementation) with
-   -Werror
- - (djm) [uuencode.c]
-   Add resolv.h, is it contains the prototypes for __b64_ntop/__b64_pton on
-   some platforms
- - (djm) [session.c]
-   fix compile error with -Werror -Wall: 'path' is only used in
-   do_setup_env() if HAVE_LOGIN_CAP is not defined
- - (djm) [openbsd-compat/basename.c openbsd-compat/bsd-closefrom.c]
-   [openbsd-compat/bsd-cray.c openbsd-compat/bsd-openpty.c]
-   [openbsd-compat/bsd-snprintf.c openbsd-compat/fake-rfc2553.c]
-   [openbsd-compat/port-aix.c openbsd-compat/port-irix.c]
-   [openbsd-compat/rresvport.c]
-   These look to need string.h and/or unistd.h (based on a grep for function
-   names)
- - (djm) [Makefile.in]
-   Remove generated openbsd-compat/regress/Makefile in distclean target
- - (djm) [regress/Makefile regress/agent-getpeereid.sh regress/cfgmatch.sh]
-   [regress/cipher-speed.sh regress/forcecommand.sh regress/forwarding.sh]
-   Sync regress tests to -current; include dtucker@'s new cfgmatch and 
-   forcecommand tests. Add cipher-speed.sh test (not linked in yet)
- - (dtucker) [cleanup.c] Since config.h defines _LARGE_FILES on AIX, including
-   system headers before defines.h will cause conflicting definitions.
- - (dtucker) [regress/forcecommand.sh] Portablize.
-
-20060713
- - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h
-
-20060712
- - (dtucker) [configure.ac defines.h] Only define SHUT_RD (and friends) and
-   O_NONBLOCK if they're really needed.  Fixes build errors on HP-UX, old
-   Linuxes and probably more.
- - (dtucker) [configure.ac] OpenBSD needs <sys/types.h> before <sys/socket.h>
-   for SHUT_RD.
- - (dtucker) [openbsd-compat/port-tun.c] OpenBSD needs <netinet/in.h> before
-   <netinet/ip.h>.
- - (dtucker) OpenBSD CVS Sync
-   - stevesk@cvs.openbsd.org 2006/07/10 16:01:57
-     [sftp-glob.c sftp-common.h sftp.c]
-     buffer.h only needed in sftp-common.h and remove some unneeded
-     user includes; ok djm@
-   - jmc@cvs.openbsd.org 2006/07/10 16:04:21
-     [sshd.8]
-     s/and and/and/
-   - stevesk@cvs.openbsd.org 2006/07/10 16:37:36
-     [readpass.c log.h scp.c fatal.c xmalloc.c includes.h ssh-keyscan.c misc.c
-     auth.c packet.c log.c]
-     move #include <stdarg.h> out of includes.h; ok markus@
-   - dtucker@cvs.openbsd.org 2006/07/11 10:12:07
-     [ssh.c]
-     Only copy the part of environment variable that we actually use.  Prevents
-     ssh bailing when SendEnv is used and an environment variable with a really
-     long value exists.  ok djm@
-   - markus@cvs.openbsd.org 2006/07/11 18:50:48
-     [clientloop.c ssh.1 ssh.c channels.c ssh_config.5 readconf.h session.c
-     channels.h readconf.c]
-     add ExitOnForwardFailure: terminate the connection if ssh(1)
-     cannot set up all requested dynamic, local, and remote port
-     forwardings. ok djm, dtucker, stevesk, jmc
-   - stevesk@cvs.openbsd.org 2006/07/11 20:07:25
-     [scp.c auth.c monitor.c serverloop.c sftp-server.c sshpty.c readpass.c
-     sshd.c monitor_wrap.c monitor_fdpass.c ssh-agent.c ttymodes.c atomicio.c
-     includes.h session.c sshlogin.c monitor_mm.c packet.c sshconnect2.c
-     sftp-client.c nchan.c clientloop.c sftp.c misc.c canohost.c channels.c
-     ssh-keygen.c progressmeter.c uidswap.c msg.c readconf.c sshconnect.c]
-     move #include <errno.h> out of includes.h; ok markus@
-   - stevesk@cvs.openbsd.org 2006/07/11 20:16:43
-     [ssh.c]
-     cast asterisk field precision argument to int to remove warning;
-     ok markus@
-   - stevesk@cvs.openbsd.org 2006/07/11 20:27:56
-     [authfile.c ssh.c]
-     need <errno.h> here also (it's also included in <openssl/err.h>)
-   - dtucker@cvs.openbsd.org 2006/07/12 11:34:58
-     [sshd.c servconf.h servconf.c sshd_config.5 auth.c]
-     Add support for conditional directives to sshd_config via a "Match"
-     keyword, which works similarly to the "Host" directive in ssh_config.
-     Lines after a Match line override the default set in the main section
-     if the condition on the Match line is true, eg
-     AllowTcpForwarding yes
-     Match User anoncvs
-             AllowTcpForwarding no
-     will allow port forwarding by all users except "anoncvs".
-     Currently only a very small subset of directives are supported.
-     ok djm@
- - (dtucker) [loginrec.c openbsd-compat/xmmap.c openbsd-compat/bindresvport.c
-   openbsd-compat/glob.c openbsd-compat/mktemp.c openbsd-compat/port-tun.c
-   openbsd-compat/readpassphrase.c openbsd-compat/strtonum.c] Include <errno.h>.
- - (dtucker) [openbsd-compat/setproctitle.c] Include stdarg.h.
- - (dtucker) [ssh-keyscan.c ssh-rand-helper.c] More errno.h here too.
- - (dtucker) [openbsd-compat/openbsd-compat.h] v*printf needs stdarg.h.
- - (dtucker) [openbsd-compat/bsd-asprintf.c openbsd-compat/port-aix.c
-   openbsd-compat/rresvport.c] More errno.h.
-
-20060711
- - (dtucker) [configure.ac ssh-keygen.c openbsd-compat/bsd-openpty.c
-   openbsd-compat/daemon.c] Add includes needed by open(2).  Conditionally
-   include paths.h.  Fixes build error on Solaris.
- - (dtucker) [entropy.c] More fcntl.h, this time on AIX (and probably
-   others).
-
-20060710
- - (dtucker) [INSTALL] New autoconf version: 2.60.
- - OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2006/06/14 10:50:42
-     [sshconnect.c]
-     limit the number of pre-banner characters we will accept; ok markus@
-   - djm@cvs.openbsd.org 2006/06/26 10:36:15
-     [clientloop.c]
-     mention optional bind_address in runtime port forwarding setup
-     command-line help. patch from santhi.amirta AT gmail.com
-   - stevesk@cvs.openbsd.org 2006/07/02 17:12:58
-     [ssh.1 ssh.c ssh_config.5 sshd_config.5]
-     more details and clarity for tun(4) device forwarding; ok and help
-     jmc@
-   - stevesk@cvs.openbsd.org 2006/07/02 18:36:47
-     [gss-serv-krb5.c gss-serv.c]
-     no "servconf.h" needed here
-     (gss-serv-krb5.c change not applied, portable needs the server options)
-   - stevesk@cvs.openbsd.org 2006/07/02 22:45:59
-     [groupaccess.c groupaccess.h includes.h session.c sftp-common.c sshpty.c]
-     move #include <grp.h> out of includes.h
-     (portable needed uidswap.c too)
-   - stevesk@cvs.openbsd.org 2006/07/02 23:01:55
-     [clientloop.c ssh.1]
-     use -KR[bind_address:]port here; ok djm@
-   - stevesk@cvs.openbsd.org 2006/07/03 08:54:20
-     [includes.h ssh.c sshconnect.c sshd.c]
-     move #include "version.h" out of includes.h; ok markus@
-   - stevesk@cvs.openbsd.org 2006/07/03 17:59:32
-     [channels.c includes.h]
-     move #include <arpa/inet.h> out of includes.h; old ok djm@
-     (portable needed session.c too)
-   - stevesk@cvs.openbsd.org 2006/07/05 02:42:09
-     [canohost.c hostfile.c includes.h misc.c packet.c readconf.c]
-     [serverloop.c sshconnect.c uuencode.c]
-     move #include <netinet/in.h> out of includes.h; ok deraadt@
-     (also ssh-rand-helper.c logintest.c loginrec.c)
-   - djm@cvs.openbsd.org 2006/07/06 10:47:05
-     [servconf.c servconf.h session.c sshd_config.5]
-     support arguments to Subsystem commands; ok markus@
-   - djm@cvs.openbsd.org 2006/07/06 10:47:57
-     [sftp-server.8 sftp-server.c]
-     add commandline options to enable logging of transactions; ok markus@
-   - stevesk@cvs.openbsd.org 2006/07/06 16:03:53
-     [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c]
-     [auth-rhosts.c auth-rsa.c auth.c auth.h auth2-hostbased.c]
-     [auth2-pubkey.c auth2.c includes.h misc.c misc.h monitor.c]
-     [monitor_wrap.c monitor_wrap.h scp.c serverloop.c session.c]
-     [session.h sftp-common.c ssh-add.c ssh-keygen.c ssh-keysign.c]
-     [ssh.c sshconnect.c sshconnect.h sshd.c sshpty.c sshpty.h uidswap.c]
-     [uidswap.h]
-     move #include <pwd.h> out of includes.h; ok markus@
-   - stevesk@cvs.openbsd.org 2006/07/06 16:22:39
-     [ssh-keygen.c]
-     move #include "dns.h" up
-   - stevesk@cvs.openbsd.org 2006/07/06 17:36:37
-     [monitor_wrap.h]
-     typo in comment
-   - stevesk@cvs.openbsd.org 2006/07/08 21:47:12
-     [authfd.c canohost.c clientloop.c dns.c dns.h includes.h]
-     [monitor_fdpass.c nchan.c packet.c servconf.c sftp.c ssh-agent.c]
-     [ssh-keyscan.c ssh.c sshconnect.h sshd.c sshlogin.h]
-     move #include <sys/socket.h> out of includes.h
-   - stevesk@cvs.openbsd.org 2006/07/08 21:48:53
-     [monitor.c session.c]
-     missed these from last commit:
-     move #include <sys/socket.h> out of includes.h
-   - stevesk@cvs.openbsd.org 2006/07/08 23:30:06
-     [log.c]
-     move user includes after /usr/include files
-   - stevesk@cvs.openbsd.org 2006/07/09 15:15:11
-     [auth2-none.c authfd.c authfile.c includes.h misc.c monitor.c]
-     [readpass.c scp.c serverloop.c sftp-client.c sftp-server.c]
-     [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c]
-     [sshlogin.c sshpty.c]
-     move #include <fcntl.h> out of includes.h
-   - stevesk@cvs.openbsd.org 2006/07/09 15:27:59
-     [ssh-add.c]
-     use O_RDONLY vs. 0 in open(); no binary change
-   - djm@cvs.openbsd.org 2006/07/10 11:24:54
-     [sftp-server.c]
-     remove optind - it isn't used here
-   - djm@cvs.openbsd.org 2006/07/10 11:25:53
-     [sftp-server.c]
-     don't log variables that aren't yet set
- - (djm) [loginrec.c ssh-rand-helper.c sshd.c openbsd-compat/glob.c]
-   [openbsd-compat/mktemp.c openbsd-compat/openbsd-compat.h]
-   [openbsd-compat/port-tun.c openbsd-compat/readpassphrase.c]
-   [openbsd-compat/xcrypt.c] Fix includes.h fallout, mainly fcntl.h
- - OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2006/07/10 12:03:20
-     [scp.c]
-     duplicate argv at the start of main() because it gets modified later;
-     pointed out by deraadt@ ok markus@
-   - djm@cvs.openbsd.org 2006/07/10 12:08:08
-     [channels.c]
-     fix misparsing of SOCKS 5 packets that could result in a crash;
-     reported by mk@ ok markus@
-   - dtucker@cvs.openbsd.org 2006/07/10 12:46:51
-     [misc.c misc.h sshd.8 sshconnect.c]
-     Add port identifier to known_hosts for non-default ports, based originally
-     on a patch from Devin Nate in bz#910.
-     For any connection using the default port or using a HostKeyAlias the
-     format is unchanged, otherwise the host name or address is enclosed
-     within square brackets in the same format as sshd's ListenAddress.
-     Tested by many, ok markus@.
- - (dtucker) [openbsd-compat/openbsd-compat.h] Need to include <sys/socket.h>
-   for struct sockaddr on platforms that use the fake-rfc stuff.
-
-20060706
- - (dtucker) [configure.ac] Try AIX blibpath test in different order when
-   compiling with gcc.  gcc 4.1.x will accept (but ignore) -b flags so
-   configure would not select the correct libpath linker flags.
- - (dtucker) [INSTALL] A bit more info on autoconf.
-
-20060705
- - (dtucker) [ssh-rand-helper.c] Don't exit if mkdir fails because the
-   target already exists.
-
-20060630
- - (dtucker) [openbsd-compat/openbsd-compat.h] SNPRINTF_CONST for snprintf
-   declaration too.  Patch from russ at sludge.net.
- - (dtucker) [openbsd-compat/getrrsetbyname.c] Undef _res before defining it,
-   prevents warnings on platforms where _res is in the system headers.
- - (dtucker) [INSTALL] Bug #1202: Note when autoconf is required and which
-   version.
-
-20060627
- - (dtucker) [configure.ac] Bug #1203: Add missing '[', which causes problems
-   with autoconf 2.60.  Patch from vapier at gentoo.org.
-
-20060625
- - (dtucker) [channels.c serverloop.c] Apply the bug #1102 workaround to ptys
-   only, otherwise sshd can hang exiting non-interactive sessions.
-
-20060624
- - (dtucker) [configure.ac] Bug #1193: Define PASSWD_NEEDS_USERNAME on Solaris.
-   Works around limitation in Solaris' passwd program for changing passwords
-   where the username is longer than 8 characters.  ok djm@
- - (dtucker) [serverloop.c] Get ifdef/ifndef the right way around for the bug
-   #1102 workaround.
-
-20060623
- - (dtucker) [README.platform configure.ac openbsd-compat/port-tun.c] Add
-   tunnel support for Mac OS X/Darwin via a third-party tun driver.  Patch
-   from reyk@, tested by anil@
- - (dtucker) [channels.c configure.ac serverloop.c] Bug #1102: Around AIX
-   4.3.3 ML3 or so, the AIX pty layer starting passing zero-length writes
-   on the pty slave as zero-length reads on the pty master, which sshd
-   interprets as the descriptor closing.  Since most things don't do zero
-   length writes this rarely matters, but occasionally it happens, and when
-   it does the SSH pty session appears to hang, so we add a special case for
-   this condition.  ok djm@
-
-20060613
- - (djm) [getput.h] This file has been replaced by functions in misc.c
- - OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2006/05/08 10:49:48
-     [sshconnect2.c]
-     uint32_t -> u_int32_t (which we use everywhere else)
-     (Id sync only - portable already had this)
-   - markus@cvs.openbsd.org 2006/05/16 09:00:00
-     [clientloop.c]
-     missing free; from Kylene Hall
-   - markus@cvs.openbsd.org 2006/05/17 12:43:34
-     [scp.c sftp.c ssh-agent.c ssh-keygen.c sshconnect.c]
-     fix leak; coverity via Kylene Jo Hall
-   - miod@cvs.openbsd.org 2006/05/18 21:27:25
-     [kexdhc.c kexgexc.c]
-     paramter -> parameter
-   - dtucker@cvs.openbsd.org 2006/05/29 12:54:08
-     [ssh_config.5]
-     Add gssapi-with-mic to PreferredAuthentications default list; ok jmc
-   - dtucker@cvs.openbsd.org 2006/05/29 12:56:33
-     [ssh_config]
-     Add GSSAPIAuthentication and GSSAPIDelegateCredentials to examples in
-     sample ssh_config.  ok markus@
-   - jmc@cvs.openbsd.org 2006/05/29 16:10:03
-     [ssh_config.5]
-     oops - previous was too long; split the list of auths up
-   - mk@cvs.openbsd.org 2006/05/30 11:46:38
-     [ssh-add.c]
-     Sync usage() with man page and reality.
-     ok deraadt dtucker
-   - jmc@cvs.openbsd.org 2006/05/29 16:13:23
-     [ssh.1]
-     add GSSAPI to the list of authentication methods supported;
-   - mk@cvs.openbsd.org 2006/05/30 11:46:38
-     [ssh-add.c]
-     Sync usage() with man page and reality.
-     ok deraadt dtucker
-   - markus@cvs.openbsd.org 2006/06/01 09:21:48
-     [sshd.c]
-     call get_remote_ipaddr() early; fixes logging after client disconnects;
-     report mpf@; ok dtucker@
-   - markus@cvs.openbsd.org 2006/06/06 10:20:20
-     [readpass.c sshconnect.c sshconnect.h sshconnect2.c uidswap.c]
-     replace remaining setuid() calls with permanently_set_uid() and
-     check seteuid() return values; report Marcus Meissner; ok dtucker djm
-   - markus@cvs.openbsd.org 2006/06/08 14:45:49
-     [readpass.c sshconnect.c sshconnect2.c uidswap.c uidswap.h]
-     do not set the gid, noted by solar; ok djm
-   - djm@cvs.openbsd.org 2006/06/13 01:18:36
-     [ssh-agent.c]
-     always use a format string, even when printing a constant
-   - djm@cvs.openbsd.org 2006/06/13 02:17:07
-     [ssh-agent.c]
-     revert; i am on drugs. spotted by alexander AT beard.se
-
-20060521
- - (dtucker) [auth.c monitor.c] Now that we don't log from both the monitor
-   and slave, we can remove the special-case handling in the audit hook in
-   auth_log.
-
-20060517
- - (dtucker) [ssh-rand-helper.c] Check return code of mkdir and fix file
-   pointer leak.  From kjhall at us.ibm.com, found by coverity.
-
-20060515
- - (dtucker) [openbsd-compat/getrrsetbyname.c] Use _compat_res instead of
-   _res, prevents problems on some platforms that have _res as a global but
-   don't have getrrsetbyname(), eg IRIX 5.3.  Found and tested by
-   georg.schwarz at freenet.de, ok djm@.
- - (dtucker) [defines.h] Find a value for IOV_MAX or use a conservative
-   default.  Patch originally from tim@, ok djm
- - (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and
-   do not allow kbdint again after the PAM account check fails.  ok djm@
-
-20060506
- - (dtucker) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2006/04/25 08:02:27
-     [authfile.c authfile.h sshconnect2.c ssh.c sshconnect1.c]
-     Prevent ssh from trying to open private keys with bad permissions more than
-     once or prompting for their passphrases (which it subsequently ignores
-     anyway), similar to a previous change in ssh-add.  bz #1186, ok djm@
-   - djm@cvs.openbsd.org 2006/05/04 14:55:23
-     [dh.c]
-     tighter DH exponent checks here too; feedback and ok markus@
-   - djm@cvs.openbsd.org 2006/04/01 05:37:46
-     [OVERVIEW]
-     $OpenBSD$ in here too
-   - dtucker@cvs.openbsd.org 2006/05/06 08:35:40
-     [auth-krb5.c]
-     Add $OpenBSD$ in comment here too
-
-20060504
- - (dtucker) [auth-pam.c groupaccess.c monitor.c monitor_wrap.c scard-opensc.c
-   session.c ssh-rand-helper.c sshd.c openbsd-compat/bsd-cygwin_util.c
-   openbsd-compat/setproctitle.c] Convert malloc(foo*bar) -> calloc(foo,bar)
-   in Portable-only code; since calloc zeros, remove now-redundant memsets.
-   Also add a couple of sanity checks.  With & ok djm@
-
-20060503
- - (dtucker) [packet.c] Remove in_systm.h since it's also in includes.h
-   and double including it on IRIX 5.3 causes problems.  From Georg Schwarz,
-   "no objections" tim@
-
-20060423
- - (djm) OpenBSD CVS Sync
-   - deraadt@cvs.openbsd.org 2006/04/01 05:42:20
-     [scp.c]
-     minimal lint cleanup (unused crud, and some size_t); ok djm
-   - djm@cvs.openbsd.org 2006/04/01 05:50:29
-     [scp.c]
-     xasprintification; ok deraadt@
-   - djm@cvs.openbsd.org 2006/04/01 05:51:34
-     [atomicio.c]
-     ANSIfy; requested deraadt@
-   - dtucker@cvs.openbsd.org 2006/04/02 08:34:52
-     [ssh-keysign.c]
-     sessionid can be 32 bytes now too when sha256 kex is used; ok djm@
-   - djm@cvs.openbsd.org 2006/04/03 07:10:38
-     [gss-genr.c]
-     GSSAPI buffers shouldn't be nul-terminated, spotted in bugzilla #1066
-     by dleonard AT vintela.com. use xasprintf() to simplify code while in
-     there; "looks right" deraadt@
-   - djm@cvs.openbsd.org 2006/04/16 00:48:52
-     [buffer.c buffer.h channels.c]
-     Fix condition where we could exit with a fatal error when an input
-     buffer became too large and the remote end had advertised a big window.
-     The problem was a mismatch in the backoff math between the channels code
-     and the buffer code, so make a buffer_check_alloc() function that the
-     channels code can use to propsectivly check whether an incremental
-     allocation will succeed.  bz #1131, debugged with the assistance of
-     cove AT wildpackets.com; ok dtucker@ deraadt@
-   - djm@cvs.openbsd.org 2006/04/16 00:52:55
-     [atomicio.c atomicio.h]
-     introduce atomiciov() function that wraps readv/writev to retry
-     interrupted transfers like atomicio() does for read/write;
-     feedback deraadt@ dtucker@ stevesk@ ok deraadt@
-   - djm@cvs.openbsd.org 2006/04/16 00:54:10
-     [sftp-client.c]
-     avoid making a tiny 4-byte write to send the packet length of sftp
-     commands, which would result in a separate tiny packet on the wire by
-     using atomiciov(writev, ...) to write the length and the command in one
-     pass; ok deraadt@
-   - djm@cvs.openbsd.org 2006/04/16 07:59:00
-     [atomicio.c]
-     reorder sanity test so that it cannot dereference past the end of the
-     iov array; well spotted canacar@!
-   - dtucker@cvs.openbsd.org 2006/04/18 10:44:28
-     [bufaux.c bufbn.c Makefile.in]
-     Move Buffer bignum functions into their own file, bufbn.c. This means
-     that sftp and sftp-server (which use the Buffer functions in bufaux.c 
-     but not the bignum ones) no longer need to be linked with libcrypto.
-     ok markus@
-   - djm@cvs.openbsd.org 2006/04/20 09:27:09
-     [auth.h clientloop.c dispatch.c dispatch.h kex.h]
-     replace the last non-sig_atomic_t flag used in a signal handler with a
-     sig_atomic_t, unfortunately with some knock-on effects in other (non-
-     signal) contexts in which it is used; ok markus@
-   - markus@cvs.openbsd.org 2006/04/20 09:47:59
-     [sshconnect.c]
-     simplify; ok djm@
-   - djm@cvs.openbsd.org 2006/04/20 21:53:44
-     [includes.h session.c sftp.c]
-     Switch from using pipes to socketpairs for communication between
-     sftp/scp and ssh, and between sshd and its subprocesses. This saves
-     a file descriptor per session and apparently makes userland ppp over
-     ssh work; ok markus@ deraadt@ (ID Sync only - portable makes this
-     decision on a per-platform basis)
-   - djm@cvs.openbsd.org 2006/04/22 04:06:51
-     [uidswap.c]
-     use setres[ug]id() to permanently revoke privileges; ok deraadt@
-     (ID Sync only - portable already uses setres[ug]id() whenever possible)
-   - stevesk@cvs.openbsd.org 2006/04/22 18:29:33
-     [crc32.c]
-     remove extra spaces
- - (djm) [auth.h dispatch.h kex.h] sprinkle in signal.h to get
-   sig_atomic_t
-
-20060421
- - (djm) [Makefile.in configure.ac session.c sshpty.c]
-   [contrib/redhat/sshd.init openbsd-compat/Makefile.in]
-   [openbsd-compat/openbsd-compat.h openbsd-compat/port-linux.c]
-   [openbsd-compat/port-linux.h] Add support for SELinux, setting 
-   the execution and TTY contexts. based on patch from Daniel Walsh,
-   bz #880; ok dtucker@
-
-20060418
- - (djm) [canohost.c] Reorder IP options check so that it isn't broken
-   by mapped addresses; bz #1179 reported by markw wtech-llc.com;
-   ok dtucker@
-
-20060331
- - OpenBSD CVS Sync
-   - deraadt@cvs.openbsd.org 2006/03/27 01:21:18
-     [xmalloc.c]
-     we can do the size & nmemb check before the integer overflow check; 
-     evol
-   - deraadt@cvs.openbsd.org 2006/03/27 13:03:54
-     [dh.c]
-     use strtonum() instead of atoi(), limit dhg size to 64k; ok djm
-   - djm@cvs.openbsd.org 2006/03/27 23:15:46
-     [sftp.c]
-     always use a format string for addargs; spotted by mouring@
-   - deraadt@cvs.openbsd.org 2006/03/28 00:12:31
-     [README.tun ssh.c]
-     spacing
-   - deraadt@cvs.openbsd.org 2006/03/28 01:52:28
-     [channels.c]
-     do not accept unreasonable X ports numbers; ok djm
-   - deraadt@cvs.openbsd.org 2006/03/28 01:53:43
-     [ssh-agent.c]
-     use strtonum() to parse the pid from the file, and range check it
-     better; ok djm
-   - djm@cvs.openbsd.org 2006/03/30 09:41:25
-     [channels.c]
-     ARGSUSED for dispatch table-driven functions
-   - djm@cvs.openbsd.org 2006/03/30 09:58:16
-     [authfd.c bufaux.c deattack.c gss-serv.c mac.c misc.c misc.h]
-     [monitor_wrap.c msg.c packet.c sftp-client.c sftp-server.c ssh-agent.c]
-     replace {GET,PUT}_XXBIT macros with functionally similar functions,
-     silencing a heap of lint warnings. also allows them to use
-     __bounded__ checking which can't be applied to macros; requested
-     by and feedback from deraadt@
-   - djm@cvs.openbsd.org 2006/03/30 10:41:25
-     [ssh.c ssh_config.5]
-     add percent escape chars to the IdentityFile option, bz #1159 based
-     on a patch by imaging AT math.ualberta.ca; feedback and ok dtucker@
-   - dtucker@cvs.openbsd.org 2006/03/30 11:05:17
-     [ssh-keygen.c]
-     Correctly handle truncated files while converting keys; ok djm@
-   - dtucker@cvs.openbsd.org 2006/03/30 11:40:21
-     [auth.c monitor.c]
-     Prevent duplicate log messages when privsep=yes; ok djm@
-   - jmc@cvs.openbsd.org 2006/03/31 09:09:30
-     [ssh_config.5]
-     kill trailing whitespace;
-   - djm@cvs.openbsd.org 2006/03/31 09:13:56
-     [ssh_config.5]
-     remote user escape is %r not %h; spotted by jmc@
-
-20060326
- - OpenBSD CVS Sync
-   - jakob@cvs.openbsd.org 2006/03/15 08:46:44
-     [ssh-keygen.c]
-     if no key file are given when printing the DNS host record, use the
-     host key file(s) as default. ok djm@
-   - biorn@cvs.openbsd.org 2006/03/16 10:31:45
-     [scp.c]
-     Try to display errormessage even if remout == -1
-     ok djm@, markus@
-   - djm@cvs.openbsd.org 2006/03/17 22:31:50
-     [authfd.c]
-     another unreachable found by lint
-   - djm@cvs.openbsd.org 2006/03/17 22:31:11
-     [authfd.c]
-     unreachanble statement, found by lint
-   - djm@cvs.openbsd.org 2006/03/19 02:22:32
-     [serverloop.c]
-     memory leaks detected by Coverity via elad AT netbsd.org;
-     ok deraadt@ dtucker@
-   - djm@cvs.openbsd.org 2006/03/19 02:22:56
-     [sftp.c]
-     more memory leaks detected by Coverity via elad AT netbsd.org;
-     deraadt@ ok
-   - djm@cvs.openbsd.org 2006/03/19 02:23:26
-     [hostfile.c]
-     FILE* leak detected by Coverity via elad AT netbsd.org;
-     ok deraadt@
-   - djm@cvs.openbsd.org 2006/03/19 02:24:05
-     [dh.c readconf.c servconf.c]
-     potential NULL pointer dereferences detected by Coverity
-     via elad AT netbsd.org; ok deraadt@
-   - djm@cvs.openbsd.org 2006/03/19 07:41:30
-     [sshconnect2.c]
-     memory leaks detected by Coverity via elad AT netbsd.org;
-     deraadt@ ok
-   - dtucker@cvs.openbsd.org 2006/03/19 11:51:52
-     [servconf.c]
-     Correct strdelim null test; ok djm@
-   - deraadt@cvs.openbsd.org 2006/03/19 18:52:11
-     [auth1.c authfd.c channels.c]
-     spacing
-   - deraadt@cvs.openbsd.org 2006/03/19 18:53:12
-     [kex.c kex.h monitor.c myproposal.h session.c]
-     spacing
-   - deraadt@cvs.openbsd.org 2006/03/19 18:56:41
-     [clientloop.c progressmeter.c serverloop.c sshd.c]
-     ARGSUSED for signal handlers
-   - deraadt@cvs.openbsd.org 2006/03/19 18:59:49
-     [ssh-keyscan.c]
-     please lint
-   - deraadt@cvs.openbsd.org 2006/03/19 18:59:30
-     [ssh.c]
-     spacing
-   - deraadt@cvs.openbsd.org 2006/03/19 18:59:09
-     [authfile.c]
-     whoever thought that break after return was a good idea needs to
-     get their head examimed
-   - djm@cvs.openbsd.org 2006/03/20 04:09:44
-     [monitor.c]
-     memory leaks detected by Coverity via elad AT netbsd.org;
-     deraadt@ ok
-     that should be all of them now
-   - djm@cvs.openbsd.org 2006/03/20 11:38:46
-     [key.c]
-     (really) last of the Coverity diffs: avoid possible NULL deref in
-     key_free. via elad AT netbsd.org; markus@ ok
-   - deraadt@cvs.openbsd.org 2006/03/20 17:10:19
-     [auth.c key.c misc.c packet.c ssh-add.c]
-     in a switch (), break after return or goto is stupid
-   - deraadt@cvs.openbsd.org 2006/03/20 17:13:16
-     [key.c]
-     djm did a typo
-   - deraadt@cvs.openbsd.org 2006/03/20 17:17:23
-     [ssh-rsa.c]
-     in a switch (), break after return or goto is stupid
-   - deraadt@cvs.openbsd.org 2006/03/20 18:14:02
-     [channels.c clientloop.c monitor_wrap.c monitor_wrap.h serverloop.c]
-     [ssh.c sshpty.c sshpty.h]
-     sprinkle u_int throughout pty subsystem, ok markus
-   - deraadt@cvs.openbsd.org 2006/03/20 18:17:20
-     [auth1.c auth2.c sshd.c]
-     sprinkle some ARGSUSED for table driven functions (which sometimes 
-     must ignore their args)
-   - deraadt@cvs.openbsd.org 2006/03/20 18:26:55
-     [channels.c monitor.c session.c session.h ssh-agent.c ssh-keygen.c]
-     [ssh-rsa.c ssh.c sshlogin.c]
-     annoying spacing fixes getting in the way of real diffs
-   - deraadt@cvs.openbsd.org 2006/03/20 18:27:50
-     [monitor.c]
-     spacing
-   - deraadt@cvs.openbsd.org 2006/03/20 18:35:12
-     [channels.c]
-     x11_fake_data is only ever used as u_char *
-   - deraadt@cvs.openbsd.org 2006/03/20 18:41:43
-     [dns.c]
-     cast xstrdup to propert u_char *
-   - deraadt@cvs.openbsd.org 2006/03/20 18:42:27
-     [canohost.c match.c ssh.c sshconnect.c]
-     be strict with tolower() casting
-   - deraadt@cvs.openbsd.org 2006/03/20 18:48:34
-     [channels.c fatal.c kex.c packet.c serverloop.c]
-     spacing
-   - deraadt@cvs.openbsd.org 2006/03/20 21:11:53
-     [ttymodes.c]
-     spacing
-   - djm@cvs.openbsd.org 2006/03/25 00:05:41
-     [auth-bsdauth.c auth-skey.c auth.c auth2-chall.c channels.c]
-     [clientloop.c deattack.c gss-genr.c kex.c key.c misc.c moduli.c]
-     [monitor.c monitor_wrap.c packet.c scard.c sftp-server.c ssh-agent.c]
-     [ssh-keyscan.c ssh.c sshconnect.c sshconnect2.c sshd.c uuencode.c]
-     [xmalloc.c xmalloc.h]
-     introduce xcalloc() and xasprintf() failure-checked allocations 
-     functions and use them throughout openssh
-
-     xcalloc is particularly important because malloc(nmemb * size) is a
-     dangerous idiom (subject to integer overflow) and it is time for it 
-     to die
-
-     feedback and ok deraadt@
-   - djm@cvs.openbsd.org 2006/03/25 01:13:23
-     [buffer.c channels.c deattack.c misc.c scp.c session.c sftp-client.c]
-     [sftp-server.c ssh-agent.c ssh-rsa.c xmalloc.c xmalloc.h auth-pam.c]
-     [uidswap.c]
-     change OpenSSH's xrealloc() function from being xrealloc(p, new_size)
-     to xrealloc(p, new_nmemb, new_itemsize).
-
-     realloc is particularly prone to integer overflows because it is
-     almost always allocating "n * size" bytes, so this is a far safer 
-     API; ok deraadt@
-   - djm@cvs.openbsd.org 2006/03/25 01:30:23
-     [sftp.c]
-     "abormally" is a perfectly cromulent word, but "abnormally" is better
-   - djm@cvs.openbsd.org 2006/03/25 13:17:03
-     [atomicio.c auth-bsdauth.c auth-chall.c auth-options.c auth-passwd.c]
-     [auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth-skey.c auth.c auth1.c]
-     [auth2-chall.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
-     [auth2-passwd.c auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c]
-     [buffer.c canohost.c channels.c cipher-3des1.c cipher-bf1.c]
-     [cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c compress.c]
-     [deattack.c dh.c dispatch.c fatal.c groupaccess.c hostfile.c kex.c]
-     [kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c]
-     [mac.c match.c md-sha256.c misc.c monitor.c monitor_fdpass.c]
-     [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c progressmeter.c]
-     [readconf.c readpass.c rsa.c scard.c scp.c servconf.c serverloop.c]
-     [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c]
-     [sftp.c ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c]
-     [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c]
-     [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c]
-     [uidswap.c uuencode.c xmalloc.c]
-     Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
-     Theo nuked - our scripts to sync -portable need them in the files
-   - deraadt@cvs.openbsd.org 2006/03/25 18:29:35
-     [auth-rsa.c authfd.c packet.c]
-     needed casts (always will be needed)
-   - deraadt@cvs.openbsd.org 2006/03/25 18:30:55
-     [clientloop.c serverloop.c]
-     spacing
-   - deraadt@cvs.openbsd.org 2006/03/25 18:36:15
-     [sshlogin.c sshlogin.h]
-     nicer size_t and time_t types
-   - deraadt@cvs.openbsd.org 2006/03/25 18:40:14
-     [ssh-keygen.c]
-     cast strtonum() result to right type
-   - deraadt@cvs.openbsd.org 2006/03/25 18:41:45
-     [ssh-agent.c]
-     mark two more signal handlers ARGSUSED
-   - deraadt@cvs.openbsd.org 2006/03/25 18:43:30
-     [channels.c]
-     use strtonum() instead of atoi() [limit X screens to 400, sorry]
-   - deraadt@cvs.openbsd.org 2006/03/25 18:56:55
-     [bufaux.c channels.c packet.c]
-     remove (char *) casts to a function that accepts void * for the arg
-   - deraadt@cvs.openbsd.org 2006/03/25 18:58:10
-     [channels.c]
-     delete cast not required
-   - djm@cvs.openbsd.org 2006/03/25 22:22:43
-     [atomicio.h auth-options.h auth.h auth2-gss.c authfd.h authfile.h]
-     [bufaux.h buffer.h canohost.h channels.h cipher.h clientloop.h]
-     [compat.h compress.h crc32.c crc32.h deattack.h dh.h dispatch.h]
-     [dns.c dns.h getput.h groupaccess.h gss-genr.c gss-serv-krb5.c]
-     [gss-serv.c hostfile.h includes.h kex.h key.h log.h mac.h match.h]
-     [misc.h monitor.h monitor_fdpass.h monitor_mm.h monitor_wrap.h msg.h]
-     [myproposal.h packet.h pathnames.h progressmeter.h readconf.h rsa.h]
-     [scard.h servconf.h serverloop.h session.h sftp-common.h sftp.h]
-     [ssh-gss.h ssh.h ssh1.h ssh2.h sshconnect.h sshlogin.h sshpty.h]
-     [ttymodes.h uidswap.h uuencode.h xmalloc.h]
-     standardise spacing in $OpenBSD$ tags; requested by deraadt@
-   - deraadt@cvs.openbsd.org 2006/03/26 01:31:48
-     [uuencode.c]
-     typo
-
-20060325
- - OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2006/03/16 04:24:42
-     [ssh.1]
-     Add RFC4419 (Diffie-Hellman group exchange KEX) to the list of SSH RFCs
-     that OpenSSH supports
-   - deraadt@cvs.openbsd.org 2006/03/19 18:51:18
-     [atomicio.c auth-bsdauth.c auth-chall.c auth-krb5.c auth-options.c]
-     [auth-pam.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c]
-     [auth-shadow.c auth-skey.c auth.c auth1.c auth2-chall.c]
-     [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c]
-     [auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c buffer.c]
-     [canohost.c channels.c cipher-3des1.c cipher-acss.c cipher-aes.c]
-     [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
-     [compress.c deattack.c dh.c dispatch.c dns.c entropy.c fatal.c]
-     [groupaccess.c hostfile.c includes.h kex.c kexdh.c kexdhc.c]
-     [kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c loginrec.c]
-     [loginrec.h logintest.c mac.c match.c md-sha256.c md5crypt.c misc.c]
-     [monitor.c monitor_fdpass.c monitor_mm.c monitor_wrap.c msg.c]
-     [nchan.c packet.c progressmeter.c readconf.c readpass.c rsa.c]
-     [scard.c scp.c servconf.c serverloop.c session.c sftp-client.c]
-     [sftp-common.c sftp-glob.c sftp-server.c sftp.c ssh-add.c]
-     [ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
-     [ssh-rand-helper.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c]
-     [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c]
-     [uidswap.c uuencode.c xmalloc.c openbsd-compat/bsd-arc4random.c]
-     [openbsd-compat/bsd-closefrom.c openbsd-compat/bsd-cygwin_util.c]
-     [openbsd-compat/bsd-getpeereid.c openbsd-compat/bsd-misc.c]
-     [openbsd-compat/bsd-nextstep.c openbsd-compat/bsd-snprintf.c]
-     [openbsd-compat/bsd-waitpid.c openbsd-compat/fake-rfc2553.c]
-     RCSID() can die
-   - deraadt@cvs.openbsd.org 2006/03/19 18:53:12
-     [kex.h myproposal.h]
-     spacing
-   - djm@cvs.openbsd.org 2006/03/20 04:07:22
-     [auth2-gss.c]
-     GSSAPI related leaks detected by Coverity via elad AT netbsd.org;
-     reviewed by simon AT sxw.org.uk; deraadt@ ok
-   - djm@cvs.openbsd.org 2006/03/20 04:07:49
-     [gss-genr.c]
-     more GSSAPI related leaks detected by Coverity via elad AT netbsd.org;
-     reviewed by simon AT sxw.org.uk; deraadt@ ok
-   - djm@cvs.openbsd.org 2006/03/20 04:08:18
-     [gss-serv.c]
-     last lot of GSSAPI related leaks detected by Coverity via
-     elad AT netbsd.org; reviewed by simon AT sxw.org.uk; deraadt@ ok
-   - deraadt@cvs.openbsd.org 2006/03/20 18:14:02
-     [monitor_wrap.h sshpty.h]
-     sprinkle u_int throughout pty subsystem, ok markus
-   - deraadt@cvs.openbsd.org 2006/03/20 18:26:55
-     [session.h]
-     annoying spacing fixes getting in the way of real diffs
-   - deraadt@cvs.openbsd.org 2006/03/20 18:41:43
-     [dns.c]
-     cast xstrdup to propert u_char *
-   - jakob@cvs.openbsd.org 2006/03/22 21:16:24
-     [ssh.1]
-     simplify SSHFP example; ok jmc@
-   - djm@cvs.openbsd.org 2006/03/22 21:27:15
-     [deattack.c deattack.h]
-     remove IV support from the CRC attack detector, OpenSSH has never used
-     it - it only applied to IDEA-CFB, which we don't support.
-     prompted by NetBSD Coverity report via elad AT netbsd.org;
-     feedback markus@ "nuke it" deraadt@
-
-20060318
- - (djm) [auth-pam.c] Fix memleak in error path, from Coverity via
-   elad AT NetBSD.org
- - (dtucker) [openbsd-compat/bsd-snprintf.c] Bug #1173: make fmtint() take
-   a LLONG rather than a long.  Fixes scp'ing of large files on platforms
-   with missing/broken snprintfs.  Patch from e.borovac at bom.gov.au.
-
-20060316
- - (dtucker) [entropy.c] Add headers for WIFEXITED and friends.
- - (dtucker) [configure.ac md-sha256.c] NetBSD has sha2.h in
-   /usr/include/crypto.  Hint from djm@.
- - (tim) [kex.c myproposal.h md-sha256.c openbsd-compat/sha2.c,h]
-   Disable sha256 when openssl < 0.9.7. Patch from djm@.
- - (djm) [kex.c] Slightly more clean deactivation of dhgex-sha256 on old
-   OpenSSL; ok tim
-
-20060315
- - (djm) OpenBSD CVS Sync:
-   - msf@cvs.openbsd.org 2006/02/06 15:54:07
-     [ssh.1]
-     - typo fix
-     ok jmc@
-   - jmc@cvs.openbsd.org 2006/02/06 21:44:47
-     [ssh.1]
-     make this a little less ambiguous...
-   - stevesk@cvs.openbsd.org 2006/02/07 01:08:04
-     [auth-rhosts.c includes.h]
-     move #include <netgroup.h> out of includes.h; ok markus@
-   - stevesk@cvs.openbsd.org 2006/02/07 01:18:09
-     [includes.h ssh-agent.c ssh-keyscan.c sshconnect2.c]
-     move #include <sys/queue.h> out of includes.h; ok markus@
-   - stevesk@cvs.openbsd.org 2006/02/07 01:42:00
-     [channels.c clientloop.c clientloop.h includes.h packet.h]
-     [serverloop.c sshpty.c sshpty.h sshtty.c ttymodes.c]
-     move #include <termios.h> out of includes.h; ok markus@
-   - stevesk@cvs.openbsd.org 2006/02/07 01:52:50
-     [sshtty.c]
-     "log.h" not needed
-   - stevesk@cvs.openbsd.org 2006/02/07 03:47:05
-     [hostfile.c]
-     "packet.h" not needed
-   - stevesk@cvs.openbsd.org 2006/02/07 03:59:20
-     [deattack.c]
-     duplicate #include
-   - stevesk@cvs.openbsd.org 2006/02/08 12:15:27
-     [auth.c clientloop.c includes.h misc.c monitor.c readpass.c]
-     [session.c sftp.c ssh-agent.c ssh-keysign.c ssh.c sshconnect.c]
-     [sshd.c sshpty.c]
-     move #include <paths.h> out of includes.h; ok markus@
-   - stevesk@cvs.openbsd.org 2006/02/08 12:32:49
-     [includes.h misc.c]
-     move #include <netinet/tcp.h> out of includes.h; ok markus@
-   - stevesk@cvs.openbsd.org 2006/02/08 13:15:44
-     [gss-serv.c monitor.c]
-     small KNF
-   - stevesk@cvs.openbsd.org 2006/02/08 14:16:59
-     [sshconnect.c]
-     <openssl/bn.h> not needed
-   - stevesk@cvs.openbsd.org 2006/02/08 14:31:30
-     [includes.h ssh-agent.c ssh-keyscan.c ssh.c]
-     move #include <sys/resource.h> out of includes.h; ok markus@
-   - stevesk@cvs.openbsd.org 2006/02/08 14:38:18
-     [includes.h packet.c]
-     move #include <netinet/in_systm.h> and <netinet/ip.h> out of
-     includes.h; ok markus@
-   - stevesk@cvs.openbsd.org 2006/02/08 23:51:24
-     [includes.h scp.c sftp-glob.c sftp-server.c]
-     move #include <dirent.h> out of includes.h; ok markus@
-   - stevesk@cvs.openbsd.org 2006/02/09 00:32:07
-     [includes.h]
-     #include <sys/endian.h> not needed; ok djm@
-     NB. ID Sync only - we still need this (but it may move later)
-   - jmc@cvs.openbsd.org 2006/02/09 10:10:47
-     [sshd.8]
-     - move some text into a CAVEATS section
-     - merge the COMMAND EXECUTION... section into AUTHENTICATION
-   - stevesk@cvs.openbsd.org 2006/02/10 00:27:13
-     [channels.c clientloop.c includes.h misc.c progressmeter.c sftp.c]
-     [ssh.c sshd.c sshpty.c]
-     move #include <sys/ioctl.h> out of includes.h; ok markus@
-   - stevesk@cvs.openbsd.org 2006/02/10 01:44:27
-     [includes.h monitor.c readpass.c scp.c serverloop.c session.c]
-     [sftp.c sshconnect.c sshconnect2.c sshd.c]
-     move #include <sys/wait.h> out of includes.h; ok markus@
-   - otto@cvs.openbsd.org 2006/02/11 19:31:18
-     [atomicio.c]
-     type correctness; from Ray Lai in PR 5011; ok millert@
-   - djm@cvs.openbsd.org 2006/02/12 06:45:34
-     [ssh.c ssh_config.5]
-     add a %l expansion code to the ControlPath, which is filled in with the
-     local hostname at runtime. Requested by henning@ to avoid some problems
-     with /home on NFS; ok dtucker@
-   - djm@cvs.openbsd.org 2006/02/12 10:44:18
-     [readconf.c]
-     raise error when the user specifies a RekeyLimit that is smaller than 16
-     (the smallest of our cipher's blocksize) or big enough to cause integer
-     wraparound; ok & feedback dtucker@
-   - jmc@cvs.openbsd.org 2006/02/12 10:49:44
-     [ssh_config.5]
-     slight rewording; ok djm
-   - jmc@cvs.openbsd.org 2006/02/12 10:52:41
-     [sshd.8]
-     rework the description of authorized_keys a little;
-   - jmc@cvs.openbsd.org 2006/02/12 17:57:19
-     [sshd.8]
-     sort the list of options permissable w/ authorized_keys;
-     ok djm dtucker
-   - jmc@cvs.openbsd.org 2006/02/13 10:16:39
-     [sshd.8]
-     no need to subsection the authorized_keys examples - instead, convert
-     this to look like an actual file. also use proto 2 keys, and use IETF
-     example addresses;
-   - jmc@cvs.openbsd.org 2006/02/13 10:21:25
-     [sshd.8]
-     small tweaks for the ssh_known_hosts section;
-   - jmc@cvs.openbsd.org 2006/02/13 11:02:26
-     [sshd.8]
-     turn this into an example ssh_known_hosts file; ok djm
-   - jmc@cvs.openbsd.org 2006/02/13 11:08:43
-     [sshd.8]
-     - avoid nasty line split
-     - `*' does not need to be escaped
-   - jmc@cvs.openbsd.org 2006/02/13 11:27:25
-     [sshd.8]
-     sort FILES and use a -compact list;
-   - david@cvs.openbsd.org 2006/02/15 05:08:24
-     [sftp-client.c]
-     typo in comment; ok djm@
-   - jmc@cvs.openbsd.org 2006/02/15 16:53:20
-     [ssh.1]
-     remove the IETF draft references and replace them with some updated RFCs;
-   - jmc@cvs.openbsd.org 2006/02/15 16:55:33
-     [sshd.8]
-     remove ietf draft references; RFC list now maintained in ssh.1;
-   - jmc@cvs.openbsd.org 2006/02/16 09:05:34
-     [sshd.8]
-     sync some of the FILES entries w/ ssh.1;
-   - jmc@cvs.openbsd.org 2006/02/19 19:52:10
-     [sshd.8]
-     move the sshrc stuff out of FILES, and into its own section:
-     FILES is not a good place to document how stuff works;
-   - jmc@cvs.openbsd.org 2006/02/19 20:02:17
-     [sshd.8]
-     sync the (s)hosts.equiv FILES entries w/ those from ssh.1;
-   - jmc@cvs.openbsd.org 2006/02/19 20:05:00
-     [sshd.8]
-     grammar;
-   - jmc@cvs.openbsd.org 2006/02/19 20:12:25
-     [ssh_config.5]
-     add some vertical space;
-   - stevesk@cvs.openbsd.org 2006/02/20 16:36:15
-     [authfd.c channels.c includes.h session.c ssh-agent.c ssh.c]
-     move #include <sys/un.h> out of includes.h; ok djm@
-   - stevesk@cvs.openbsd.org 2006/02/20 17:02:44
-     [clientloop.c includes.h monitor.c progressmeter.c scp.c]
-     [serverloop.c session.c sftp.c ssh-agent.c ssh.c sshd.c]
-     move #include <signal.h> out of includes.h; ok markus@
-   - stevesk@cvs.openbsd.org 2006/02/20 17:19:54
-     [auth-rhosts.c auth-rsa.c auth.c auth2-none.c auth2-pubkey.c]
-     [authfile.c clientloop.c includes.h readconf.c scp.c session.c]
-     [sftp-client.c sftp-common.c sftp-common.h sftp-glob.c]
-     [sftp-server.c sftp.c ssh-add.c ssh-keygen.c ssh.c sshconnect.c]
-     [sshconnect2.c sshd.c sshpty.c]
-     move #include <sys/stat.h> out of includes.h; ok markus@
-   - stevesk@cvs.openbsd.org 2006/02/22 00:04:45
-     [canohost.c clientloop.c includes.h match.c readconf.c scp.c ssh.c]
-     [sshconnect.c]
-     move #include <ctype.h> out of includes.h; ok djm@
-   - jmc@cvs.openbsd.org 2006/02/24 10:25:14
-     [ssh_config.5]
-     add section on patterns;
-     from dtucker + myself
-   - jmc@cvs.openbsd.org 2006/02/24 10:33:54
-     [sshd_config.5]
-     signpost to PATTERNS;
-   - jmc@cvs.openbsd.org 2006/02/24 10:37:07
-     [ssh_config.5]
-     tidy up the refs to PATTERNS;
-   - jmc@cvs.openbsd.org 2006/02/24 10:39:52
-     [sshd.8]
-     signpost to PATTERNS section;
-   - jmc@cvs.openbsd.org 2006/02/24 20:22:16
-     [ssh-keysign.8 ssh_config.5 sshd_config.5]
-     some consistency fixes;
-   - jmc@cvs.openbsd.org 2006/02/24 20:31:31
-     [ssh.1 ssh_config.5 sshd.8 sshd_config.5]
-     more consistency fixes;
-   - jmc@cvs.openbsd.org 2006/02/24 23:20:07
-     [ssh_config.5]
-     some grammar/wording fixes;
-   - jmc@cvs.openbsd.org 2006/02/24 23:43:57
-     [sshd_config.5]
-     some grammar/wording fixes;
-   - jmc@cvs.openbsd.org 2006/02/24 23:51:17
-     [sshd_config.5]
-     oops - bits i missed;
-   - jmc@cvs.openbsd.org 2006/02/25 12:26:17
-     [ssh_config.5]
-     document the possible values for KbdInteractiveDevices;
-     help/ok dtucker
-   - jmc@cvs.openbsd.org 2006/02/25 12:28:34
-     [sshd_config.5]
-     document the order in which allow/deny directives are processed;
-     help/ok dtucker
-   - jmc@cvs.openbsd.org 2006/02/26 17:17:18
-     [ssh_config.5]
-     move PATTERNS to the end of the main body; requested by dtucker
-   - jmc@cvs.openbsd.org 2006/02/26 18:01:13
-     [sshd_config.5]
-     subsection is pointless here;
-   - jmc@cvs.openbsd.org 2006/02/26 18:03:10
-     [ssh_config.5]
-     comma;
-   - djm@cvs.openbsd.org 2006/02/28 01:10:21
-     [session.c]
-     fix logout recording when privilege separation is disabled, analysis and
-     patch from vinschen at redhat.com; tested by dtucker@ ok deraadt@
-     NB. ID sync only - patch already in portable
-   - djm@cvs.openbsd.org 2006/03/04 04:12:58
-     [serverloop.c]
-     move a debug() outside of a signal handler; ok markus@ a little while back
-   - djm@cvs.openbsd.org 2006/03/12 04:23:07
-     [ssh.c]
-     knf nit
-   - djm@cvs.openbsd.org 2006/03/13 08:16:00
-     [sshd.c]
-     don't log that we are listening on a socket before the listen() call
-     actually succeeds, bz #1162 reported by Senthil Kumar; ok dtucker@
-   - dtucker@cvs.openbsd.org 2006/03/13 08:33:00
-     [packet.c]
-     Set TCP_NODELAY for all connections not just "interactive" ones.  Fixes
-     poor performance and protocol stalls under some network conditions (mindrot
-     bugs #556 and #981). Patch originally from markus@, ok djm@
-   - dtucker@cvs.openbsd.org 2006/03/13 08:43:16
-     [ssh-keygen.c]
-     Make ssh-keygen handle CR and CRLF line termination when converting IETF
-     format keys, in adition to vanilla LF.  mindrot #1157, tested by Chris
-     Pepper, ok djm@
-   - dtucker@cvs.openbsd.org 2006/03/13 10:14:29
-     [misc.c ssh_config.5 sshd_config.5]
-     Allow config directives to contain whitespace by surrounding them by double
-     quotes.  mindrot #482, man page help from jmc@, ok djm@
-   - dtucker@cvs.openbsd.org 2006/03/13 10:26:52
-     [authfile.c authfile.h ssh-add.c]
-     Make ssh-add check file permissions before attempting to load private
-     key files multiple times; it will fail anyway and this prevents confusing
-     multiple prompts and warnings.  mindrot #1138, ok djm@
-   - djm@cvs.openbsd.org 2006/03/14 00:15:39
-     [canohost.c]
-     log the originating address and not just the name when a reverse
-     mapping check fails, requested by linux AT linuon.com
-   - markus@cvs.openbsd.org 2006/03/14 16:32:48
-     [ssh_config.5 sshd_config.5]
-     *AliveCountMax applies to protcol v2 only; ok dtucker, djm
-   - djm@cvs.openbsd.org 2006/03/07 09:07:40
-     [kex.c kex.h monitor.c myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
-     Implement the diffie-hellman-group-exchange-sha256 key exchange method
-     using the SHA256 code in libc (and wrapper to make it into an OpenSSL
-     EVP), interop tested against CVS PuTTY
-     NB. no portability bits committed yet
- - (djm) [configure.ac defines.h kex.c md-sha256.c]
-   [openbsd-compat/sha2.h openbsd-compat/openbsd-compat.h]
-   [openbsd-compat/sha2.c] First stab at portability glue for SHA256
-   KEX support, should work with libc SHA256 support or OpenSSL
-   EVP_sha256 if present
- - (djm) [includes.h] Restore accidentally dropped netinet/in.h
- - (djm) [Makefile.in openbsd-compat/Makefile.in] Add added files
- - (djm) [md-sha256.c configure.ac] md-sha256.c needs sha2.h if present
- - (djm) [regress/.cvsignore] Ignore Makefile here
- - (djm) [loginrec.c] Need stat.h
- - (djm) [openbsd-compat/sha2.h] Avoid include macro clash with
-   system sha2.h
- - (djm) [ssh-rand-helper.c] Needs a bunch of headers
- - (djm) [ssh-agent.c] Restore dropped stat.h
- - (djm) [openbsd-compat/sha2.h openbsd-compat/sha2.c] Comment out 
-   SHA384, which we don't need and doesn't compile without tweaks
- - (djm) [auth-pam.c clientloop.c includes.h monitor.c session.c]
-   [sftp-client.c ssh-keysign.c ssh.c sshconnect.c sshconnect2.c]
-   [sshd.c openbsd-compat/bsd-misc.c openbsd-compat/bsd-openpty.c]
-   [openbsd-compat/glob.c openbsd-compat/mktemp.c]
-   [openbsd-compat/readpassphrase.c] Lots of include fixes for
-   OpenSolaris
- - (tim) [includes.h] put sys/stat.h back in to quiet some "macro redefined:"
- - (tim) [openssh/sshpty.c openssh/openbsd-compat/port-tun.c] put in some
-   includes removed from includes.h
- - (dtucker) [configure.ac] Fix glob test conversion to AC_TRY_COMPILE
- - (djm) [includes.h] Put back paths.h, it is needed in defines.h
- - (dtucker) [openbsd-compat/openbsd-compat.h] AIX (at least) needs
-   sys/ioctl.h for struct winsize.
- - (dtucker) [configure.ac] login_cap.h requires sys/types.h on NetBSD.
-
-20060313
- - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong)
-   since not all platforms support it.  Instead, use internal equivalent while
-   computing LLONG_MIN and LLONG_MAX.  Remove special case for alpha-dec-osf*
-   as it's no longer required.  Tested by Bernhard Simon, ok djm@
-
-20060304
- - (dtucker) [contrib/cygwin/ssh-host-config] Require use of lastlog as a
-   file rather than directory, required as Cygwin will be importing lastlog(1).
-   Also tightens up permissions on the file.  Patch from vinschen@redhat.com.
- - (dtucker) [gss-serv-krb5.c] Bug #1166: Correct #ifdefs for gssapi_krb5.h
-   includes.  Patch from gentoo.riverrat at gmail.com.
-
-20060226
- - (dtucker) [configure.ac] Bug #1156: QNX apparently needs SSHD_ACQUIRES_CTTY
-   patch from kraai at ftbfs.org.
-
-20060223
- - (dtucker) [sshd_config sshd_config.5] Update UsePAM to reflect current
-   reality.  Pointed out by tryponraj at gmail.com.
-
-20060222
- - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Minor tidy up: only
-   compile in compat code if required.
-
-20060221
- - (dtucker) [openbsd-compat/openssl-compat.h] Prevent warning about
-   redefinition of SSLeay_add_all_algorithms.
-
-20060220
- - (dtucker) [INSTALL configure.ac openbsd-compat/openssl-compat.{c,h}]
-   Add optional enabling of OpenSSL's (hardware) Engine support, via
-   configure --with-ssl-engine.  Based in part on a diff by michal at
-   logix.cz.
-
-20060219
- - (dtucker) [Makefile.in configure.ac, added openbsd-compat/regress/]
-   Add first attempt at regress tests for compat library.  ok djm@
-
-20060214
- - (tim) [buildpkg.sh.in] Make the names consistent.
-   s/pkg_post_make_install_fixes.sh/pkg-post-make-install-fixes.sh/ OK dtucker@
-
-20060212
- - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Make loop counter unsigned
-   to silence compiler warning, from vinschen at redhat.com.
- - (tim) [configure.ac] Bug #1149. Disable /etc/default/login check for QNX.
- - (dtucker) [README version.h contrib/caldera/openssh.spec
-   contrib/redhat/openssh.spec contrib/suse/openssh.spec] Bump version
-   strings to match 4.3p2 release.
-
-20060208
- - (tim) [session.c] Logout records were not updated on systems with
-   post auth privsep disabled due to bug 1086 changes. Analysis and patch
-   by vinschen at redhat.com. OK tim@, dtucker@.
- - (dtucker) [configure.ac] Typo in Ultrix and NewsOS sections (NEED_SETPRGP
-   -> NEED_SETPGRP), reported by Bernhard Simon.  ok tim@
-
-20060206
- - (tim) [configure.ac] Remove unnecessary tests for net/if.h and 
-   netinet/in_systm.h. OK dtucker@.
-
-20060205
- - (tim) [configure.ac] Add AC_REVISION. Add sys/time.h to lastlog.h test
-   for Solaris. OK dtucker@.
- - (tim) [configure.ac] Bug #1149. Changes in QNX section only. Patch by
-   kraai at ftbfs.org.
-
-20060203
- - (tim) [configure.ac] test for egrep (AC_PROG_EGREP) before first
-   AC_CHECK_HEADERS test. Without it, if AC_CHECK_HEADERS is first run
-   by a platform specific check, builtin standard includes tests will be
-   skipped on the other platforms.
-   Analysis and suggestion by vinschen at redhat.com, patch by dtucker@.
-   OK tim@, djm@.
-
-20060202
- - (dtucker) [configure.ac] Bug #1148: Fix "crippled AES" test so that it
-   works with picky compilers.  Patch from alex.kiernan at thus.net.
-
-20060201
- - (djm) [regress/test-exec.sh] Try 'logname' as well as 'whoami' to 
-   determine the user's login name - needed for regress tests on Solaris 
-   10 and OpenSolaris
- - (djm) OpenBSD CVS Sync
-   - jmc@cvs.openbsd.org 2006/02/01 09:06:50
-     [sshd.8]
-     - merge sections on protocols 1 and 2 into a single section
-     - remove configuration file section
-     ok markus
-   - jmc@cvs.openbsd.org 2006/02/01 09:11:41
-     [sshd.8]
-     small tweak;
- - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
-   [contrib/suse/openssh.spec] Update versions ahead of release
-   - markus@cvs.openbsd.org 2006/02/01 11:27:22
-     [version.h]
-     openssh 4.3
- - (djm) Release OpenSSH 4.3p1
-
-20060131
- - (djm) OpenBSD CVS Sync
-   - jmc@cvs.openbsd.org 2006/01/20 11:21:45
-     [ssh_config.5]
-     - word change, agreed w/ markus
-     - consistency fixes
-   - jmc@cvs.openbsd.org 2006/01/25 09:04:34
-     [sshd.8]
-     move the options description up the page, and a few additional tweaks
-     whilst in here;
-     ok markus
-   - jmc@cvs.openbsd.org 2006/01/25 09:07:22
-     [sshd.8]
-     move subsections to full sections;
-   - jmc@cvs.openbsd.org 2006/01/26 08:47:56
-     [ssh.1]
-     add a section on verifying host keys in dns;
-     written with a lot of help from jakob;
-     feedback dtucker/markus;
-     ok markus
-   - reyk@cvs.openbsd.org 2006/01/30 12:22:22
-     [channels.c]
-     mark channel as write failed or dead instead of read failed on error
-     of the channel output filter.
-     ok markus@
-   - jmc@cvs.openbsd.org 2006/01/30 13:37:49
-     [ssh.1]
-     remove an incorrect sentence;
-     reported by roumen petrov;
-     ok djm markus
-   - djm@cvs.openbsd.org 2006/01/31 10:19:02
-     [misc.c misc.h scp.c sftp.c]
-     fix local arbitrary command execution vulnerability on local/local and
-     remote/remote copies (CVE-2006-0225, bz #1094), patch by
-     t8m AT centrum.cz, polished by dtucker@ and myself; ok markus@
-   - djm@cvs.openbsd.org 2006/01/31 10:35:43
-     [scp.c]
-     "scp a b c" shouldn't clobber "c" when it is not a directory, report and
-     fix from biorn@; ok markus@
- - (djm) Sync regress tests to OpenBSD:
-   - dtucker@cvs.openbsd.org 2005/03/10 10:20:39
-     [regress/forwarding.sh]
-     Regress test for ClearAllForwardings (bz #994); ok markus@
-   - dtucker@cvs.openbsd.org 2005/04/25 09:54:09
-     [regress/multiplex.sh]
-     Don't call cleanup in multiplex as test-exec will cleanup anyway
-     found by tim@, ok djm@
-     NB. ID sync only, we already had this
-   - djm@cvs.openbsd.org 2005/05/20 23:14:15
-     [regress/test-exec.sh]
-     force addressfamily=inet for tests, unbreaking dynamic-forward regress for
-     recently committed nc SOCKS5 changes
-   - djm@cvs.openbsd.org 2005/05/24 04:10:54
-     [regress/try-ciphers.sh]
-     oops, new arcfour modes here too
-   - markus@cvs.openbsd.org 2005/06/30 11:02:37
-     [regress/scp.sh]
-     allow SUDO=sudo; from Alexander Bluhm
-   - grunk@cvs.openbsd.org 2005/11/14 21:25:56
-     [regress/agent-getpeereid.sh]
-     all other scripts in this dir use $SUDO, not 'sudo', so pull this even
-     ok markus@
-   - dtucker@cvs.openbsd.org 2005/12/14 04:36:39
-     [regress/scp-ssh-wrapper.sh]
-     Fix assumption about how many args scp will pass; ok djm@
-     NB. ID sync only, we already had this
-   - djm@cvs.openbsd.org 2006/01/27 06:49:21
-     [scp.sh]
-     regress test for local to local scp copies; ok dtucker@
-   - djm@cvs.openbsd.org 2006/01/31 10:23:23
-     [scp.sh]
-     regression test for CVE-2006-0225 written by dtucker@
-   - djm@cvs.openbsd.org 2006/01/31 10:36:33
-     [scp.sh]
-     regress test for "scp a b c" where "c" is not a directory
-
-20060129
- - (dtucker) [configure.ac opensshd.init.in] Bug #1144: Use /bin/sh for the
-   opensshd.init script interpretter if /sbin/sh does not exist.  ok tim@
-
-20060120
- - (dtucker) OpenBSD CVS Sync
-   - jmc@cvs.openbsd.org 2006/01/15 17:37:05
-     [ssh.1]
-     correction from deraadt
-   - jmc@cvs.openbsd.org 2006/01/18 10:53:29
-     [ssh.1]
-     add a section on ssh-based vpn, based on reyk's README.tun;
-   - dtucker@cvs.openbsd.org 2006/01/20 00:14:55
-     [scp.1 ssh.1 ssh_config.5 sftp.1]
-     Document RekeyLimit.  Based on patch from jan.iven at cern.ch from mindrot
-     #1056 with feedback from jmc, djm and markus; ok jmc@ djm@
-
-20060114
- - (djm) OpenBSD CVS Sync
-   - jmc@cvs.openbsd.org 2006/01/06 13:27:32
-     [ssh.1]
-     weed out some duplicate info in the known_hosts FILES entries;
-     ok djm
-   - jmc@cvs.openbsd.org 2006/01/06 13:29:10
-     [ssh.1]
-     final round of whacking FILES for duplicate info, and some consistency
-     fixes;
-     ok djm
-   - jmc@cvs.openbsd.org 2006/01/12 14:44:12
-     [ssh.1]
-     split sections on tcp and x11 forwarding into two sections.
-     add an example in the tcp section, based on sth i wrote for ssh faq;
-     help + ok: djm markus dtucker
-   - jmc@cvs.openbsd.org 2006/01/12 18:48:48
-     [ssh.1]
-     refer to `TCP' rather than `TCP/IP' in the context of connection
-     forwarding;
-     ok markus
-   - jmc@cvs.openbsd.org 2006/01/12 22:20:00
-     [sshd.8]
-     refer to TCP forwarding, rather than TCP/IP forwarding;
-   - jmc@cvs.openbsd.org 2006/01/12 22:26:02
-     [ssh_config.5]
-     refer to TCP forwarding, rather than TCP/IP forwarding;
-   - jmc@cvs.openbsd.org 2006/01/12 22:34:12
-     [ssh.1]
-     back out a sentence - AUTHENTICATION already documents this;
-
-20060109
- - (dtucker) [contrib/cygwin/ssh-host-config] Make sshd service depend on
-   tcpip service so it's always started after IP is up.  Patch from
-   vinschen at redhat.com.
-
-20060106
- - (djm) OpenBSD CVS Sync
-   - jmc@cvs.openbsd.org 2006/01/03 16:31:10
-     [ssh.1]
-     move FILES to a -compact list, and make each files an item in that list.
-     this avoids nastly line wrap when we have long pathnames, and treats
-     each file as a separate item;
-     remove the .Pa too, since it is useless.
-   - jmc@cvs.openbsd.org 2006/01/03 16:35:30
-     [ssh.1]
-     use a larger width for the ENVIRONMENT list;
-   - jmc@cvs.openbsd.org 2006/01/03 16:52:36
-     [ssh.1]
-     put FILES in some sort of order: sort by pathname
-   - jmc@cvs.openbsd.org 2006/01/03 16:55:18
-     [ssh.1]
-     tweak the description of ~/.ssh/environment
-   - jmc@cvs.openbsd.org 2006/01/04 18:42:46
-     [ssh.1]
-     chop out some duplication in the .{r,s}hosts/{h,sh}osts.equiv FILES
-     entries;
-     ok markus
-   - jmc@cvs.openbsd.org 2006/01/04 18:45:01
-     [ssh.1]
-     remove .Xr's to rsh(1) and telnet(1): they are hardly needed;
-   - jmc@cvs.openbsd.org 2006/01/04 19:40:24
-     [ssh.1]
-     +.Xr ssh-keyscan 1 ,
-   - jmc@cvs.openbsd.org 2006/01/04 19:50:09
-     [ssh.1]
-     -.Xr gzip 1 ,
-   - djm@cvs.openbsd.org 2006/01/05 23:43:53
-     [misc.c]
-     check that stdio file descriptors are actually closed before clobbering
-     them in sanitise_stdfd(). problems occurred when a lower numbered fd was
-     closed, but higher ones weren't. spotted by, and patch tested by
-     Frédéric Olivié
-
-20060103
- - (djm) [channels.c] clean up harmless merge error, from reyk@
-
-20060103
- - (djm) OpenBSD CVS Sync
-   - jmc@cvs.openbsd.org 2006/01/02 17:09:49
-     [ssh_config.5 sshd_config.5]
-     some corrections from michael knudsen;
-
-20060102
- - (djm) [README.tun] Add README.tun, missed during sync of tun(4) support
- - (djm) OpenBSD CVS Sync
-   - jmc@cvs.openbsd.org 2005/12/31 10:46:17
-     [ssh.1]
-     merge the "LOGIN SESSION AND REMOTE EXECUTION" and "SERVER
-     AUTHENTICATION" sections into "AUTHENTICATION";
-     some rewording done to make the text read better, plus some
-     improvements from djm;
-     ok djm
-   - jmc@cvs.openbsd.org 2005/12/31 13:44:04
-     [ssh.1]
-     clean up ENVIRONMENT a little;
-   - jmc@cvs.openbsd.org 2005/12/31 13:45:19
-     [ssh.1]
-     .Nm does not require an argument;
-   - stevesk@cvs.openbsd.org 2006/01/01 08:59:27
-     [includes.h misc.c]
-     move <net/if.h>; ok djm@
-   - stevesk@cvs.openbsd.org 2006/01/01 10:08:48
-     [misc.c]
-     no trailing "\n" for debug()
-   - djm@cvs.openbsd.org 2006/01/02 01:20:31
-     [sftp-client.c sftp-common.h sftp-server.c]
-     use a common max. packet length, no binary change
-   - reyk@cvs.openbsd.org 2006/01/02 07:53:44
-     [misc.c]
-     clarify tun(4) opening - set the mode and bring the interface up. also
-     (re)sets the tun(4) layer 2 LINK0 flag for existing tunnel interfaces.
-     suggested and ok by djm@
-   - jmc@cvs.openbsd.org 2006/01/02 12:31:06
-     [ssh.1]
-     start to cut some duplicate info from FILES;
-     help/ok djm
-
-20060101
- - (djm) [Makefile.in configure.ac includes.h misc.c]
-         [openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Add support
-         for tunnel forwarding for FreeBSD and NetBSD. NetBSD's support is
-         limited to IPv4 tunnels only, and most versions don't support the
-         tap(4) device at all.
- - (djm) [configure.ac] Fix linux/if_tun.h test
- - (djm) [openbsd-compat/port-tun.c] Linux needs linux/if.h too
-
-20051229
- - (djm) OpenBSD CVS Sync
-   - stevesk@cvs.openbsd.org 2005/12/28 22:46:06
-     [canohost.c channels.c clientloop.c]
-     use 'break-in' for consistency; ok deraadt@ ok and input jmc@
-   - reyk@cvs.openbsd.org 2005/12/30 15:56:37
-     [channels.c channels.h clientloop.c]
-     add channel output filter interface.
-     ok djm@, suggested by markus@
-   - jmc@cvs.openbsd.org 2005/12/30 16:59:00
-     [sftp.1]
-     do not suggest that interactive authentication will work
-     with the -b flag;
-     based on a diff from john l. scarfone;
-     ok djm
-   - stevesk@cvs.openbsd.org 2005/12/31 01:38:45
-     [ssh.1]
-     document -MM; ok djm@
- - (djm) [openbsd-compat/port-tun.c openbsd-compat/port-tun.h configure.ac]
-   [serverloop.c ssh.c openbsd-compat/Makefile.in]
-   [openbsd-compat/openbsd-compat.h] Implement tun(4) forwarding 
-   compatability support for Linux, diff from reyk@
- - (djm) [configure.ac] Disable Linux tun(4) compat code if linux/tun.h does
-   not exist
- - (djm) [configure.ac] oops, make that linux/if_tun.h
-
-20051229
- - (tim) [buildpkg.sh.in] grep for $SSHDUID instead of $SSHDGID on /etc/passwd
-
-20051224
- - (djm) OpenBSD CVS Sync
-   - jmc@cvs.openbsd.org 2005/12/20 21:59:43
-     [ssh.1]
-     merge the sections on protocols 1 and 2 into one section on
-     authentication;
-     feedback djm dtucker
-     ok deraadt markus dtucker
-   - jmc@cvs.openbsd.org 2005/12/20 22:02:50
-     [ssh.1]
-     .Ss -> .Sh: subsections have not made this page more readable
-   - jmc@cvs.openbsd.org 2005/12/20 22:09:41
-     [ssh.1]
-     move info on ssh return values and config files up into the main
-     description;
-   - jmc@cvs.openbsd.org 2005/12/21 11:48:16
-     [ssh.1]
-     -L and -R descriptions are now above, not below, ~C description;
-   - jmc@cvs.openbsd.org 2005/12/21 11:57:25
-     [ssh.1]
-     options now described `above', rather than `later';
-   - jmc@cvs.openbsd.org 2005/12/21 12:53:31
-     [ssh.1]
-     -Y does X11 forwarding too;
-     ok markus
-   - stevesk@cvs.openbsd.org 2005/12/21 22:44:26
-     [sshd.8]
-     clarify precedence of -p, Port, ListenAddress; ok and help jmc@
-   - jmc@cvs.openbsd.org 2005/12/22 10:31:40
-     [ssh_config.5]
-     put the description of "UsePrivilegedPort" in the correct place;
-   - jmc@cvs.openbsd.org 2005/12/22 11:23:42
-     [ssh.1]
-     expand the description of -w somewhat;
-     help/ok reyk
-   - jmc@cvs.openbsd.org 2005/12/23 14:55:53
-     [ssh.1]
-     - sync the description of -e w/ synopsis
-     - simplify the description of -I
-     - note that -I is only available if support compiled in, and that it
-     isn't by default
-     feedback/ok djm@
-   - jmc@cvs.openbsd.org 2005/12/23 23:46:23
-     [ssh.1]
-     less mark up for -c;
-   - djm@cvs.openbsd.org 2005/12/24 02:27:41
-     [session.c sshd.c]
-     eliminate some code duplicated in privsep and non-privsep paths, and
-     explicitly clear SIGALRM handler; "groovy" deraadt@
-
-20051220
- - (dtucker) OpenBSD CVS Sync
-   - reyk@cvs.openbsd.org 2005/12/13 15:03:02
-     [serverloop.c]
-     if forced_tun_device is not set, it is -1 and not SSH_TUNID_ANY
-   - jmc@cvs.openbsd.org 2005/12/16 18:07:08
-     [ssh.1]
-     move the option descriptions up the page: start of a restructure;
-     ok markus deraadt
-   - jmc@cvs.openbsd.org 2005/12/16 18:08:53
-     [ssh.1]
-     simplify a sentence;
-   - jmc@cvs.openbsd.org 2005/12/16 18:12:22
-     [ssh.1]
-     make the description of -c a little nicer;
-   - jmc@cvs.openbsd.org 2005/12/16 18:14:40
-     [ssh.1]
-     signpost the protocol sections;
-   - stevesk@cvs.openbsd.org 2005/12/17 21:13:05
-     [ssh_config.5 session.c]
-     spelling: fowarding, fowarded
-   - stevesk@cvs.openbsd.org 2005/12/17 21:36:42
-     [ssh_config.5]
-     spelling: intented -> intended
-   - dtucker@cvs.openbsd.org 2005/12/20 04:41:07
-     [ssh.c]
-     exit(255) on error to match description in ssh(1); bz #1137; ok deraadt@
-
-20051219
- - (dtucker) [cipher-aes.c cipher-ctr.c cipher.c configure.ac
-   openbsd-compat/openssl-compat.h] Check for and work around broken AES
-   ciphers >128bit on (some) Solaris 10 systems.  ok djm@
-
-20051217
- - (dtucker) [defines.h] HP-UX system headers define "YES" and "NO" which
-   scp.c also uses, so undef them here.
- - (dtucker) [configure.ac openbsd-compat/bsd-snprintf.c] Bug #1133: Our
-   snprintf replacement can have a conflicting declaration in HP-UX's system
-   headers (const vs. no const) so we now check for and work around it.  Patch
-   from the dynamic duo of David Leonard and Ted Percival.
-
-20051214
- - (dtucker) OpenBSD CVS Sync (regress/)
-   - dtucker@cvs.openbsd.org 2005/12/30 04:36:39
-     [regress/scp-ssh-wrapper.sh]
-     Fix assumption about how many args scp will pass; ok djm@
-
-20051213
- - (djm) OpenBSD CVS Sync
-   - jmc@cvs.openbsd.org 2005/11/30 11:18:27
-     [ssh.1]
-     timezone -> time zone
-   - jmc@cvs.openbsd.org 2005/11/30 11:45:20
-     [ssh.1]
-     avoid ambiguities in describing TZ;
-     ok djm@
-   - reyk@cvs.openbsd.org 2005/12/06 22:38:28
-     [auth-options.c auth-options.h channels.c channels.h clientloop.c]
-     [misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h]
-     [serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c]
-     [sshconnect.h sshd.8 sshd_config sshd_config.5]
-     Add support for tun(4) forwarding over OpenSSH, based on an idea and
-     initial channel code bits by markus@. This is a simple and easy way to
-     use OpenSSH for ad hoc virtual private network connections, e.g.
-     administrative tunnels or secure wireless access. It's based on a new
-     ssh channel and works similar to the existing TCP forwarding support,
-     except that it depends on the tun(4) network interface on both ends of
-     the connection for layer 2 or layer 3 tunneling. This diff also adds
-     support for LocalCommand in the ssh(1) client.
-     ok djm@, markus@, jmc@ (manpages), tested and discussed with others
-   - djm@cvs.openbsd.org 2005/12/07 03:52:22
-     [clientloop.c]
-     reyk forgot to compile with -Werror (missing header)
-   - jmc@cvs.openbsd.org 2005/12/07 10:52:13
-     [ssh.1]
-     - avoid line split in SYNOPSIS
-     - add args to -w
-     - kill trailing whitespace
-   - jmc@cvs.openbsd.org 2005/12/08 14:59:44
-     [ssh.1 ssh_config.5]
-     make `!command' a little clearer;
-     ok reyk
-   - jmc@cvs.openbsd.org 2005/12/08 15:06:29
-     [ssh_config.5]
-     keep options in order;
-   - reyk@cvs.openbsd.org 2005/12/08 18:34:11
-     [auth-options.c includes.h misc.c misc.h readconf.c servconf.c]
-     [serverloop.c ssh.c ssh_config.5 sshd_config.5 configure.ac]
-     two changes to the new ssh tunnel support. this breaks compatibility
-     with the initial commit but is required for a portable approach.
-     - make the tunnel id u_int and platform friendly, use predefined types.
-     - support configuration of layer 2 (ethernet) or layer 3
-     (point-to-point, default) modes. configuration is done using the
-     Tunnel (yes|point-to-point|ethernet|no) option is ssh_config(5) and
-     restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
-     in sshd_config(5).
-     ok djm@, man page bits by jmc@
-   - jmc@cvs.openbsd.org 2005/12/08 21:37:50
-     [ssh_config.5]
-     new sentence, new line;
-   - markus@cvs.openbsd.org 2005/12/12 13:46:18
-     [channels.c channels.h session.c]
-     make sure protocol messages for internal channels are ignored.
-     allow adjust messages for non-open channels; with and ok djm@
- - (djm) [misc.c] Disable tunnel code for non-OpenBSD (for now), enable
-   again by providing a sys_tun_open() function for your platform and 
-   setting the CUSTOM_SYS_TUN_OPEN define. More work is required to match 
-   OpenBSD's tunnel protocol, which prepends the address family to the 
-   packet
-
-20051201
- - (djm) [envpass.sh] Remove regress script that was accidentally committed 
-   in top level directory and not noticed for over a year :)
-
-20051129
- - (tim) [ssh-keygen.c] Move DSA length test after setting default when
-   bits == 0.
- - (dtucker) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2005/11/29 02:04:55
-     [ssh-keygen.c]
-     Populate default key sizes before checking them; from & ok tim@
- - (tim) [configure.ac sshd.8] Enable locked account check (a "*LK*" string)
-   for UnixWare.
-
-20051128
- - (dtucker) [regress/yes-head.sh] Work around breakage caused by some
-   versions of GNU head.  Based on patch from zappaman at buraphalinux.org
- - (dtucker) [includes.h] Bug #1122: __USE_GNU is a glibc internal macro, use
-   _GNU_SOURCE instead.  Patch from t8m at centrum.cz.
- - (dtucker) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2005/11/28 05:16:53
-     [ssh-keygen.1 ssh-keygen.c]
-     Enforce DSA key length of exactly 1024 bits to comply with FIPS-186-2,
-     increase minumum RSA key size to 768 bits and update man page to reflect
-     these.  Patch originally bz#1119 (senthilkumar_sen at hotpop.com),
-     ok djm@, grudging ok deraadt@.
-   - dtucker@cvs.openbsd.org 2005/11/28 06:02:56
-     [ssh-agent.1]
-     Update agent socket path templates to reflect reality, correct xref for
-     time formats.  bz#1121, patch from openssh at roumenpetrov.info, ok djm@
-
-20051126
- - (dtucker) [configure.ac] Bug #1126: AIX 5.2 and 5.3 (and presumably newer,
-   when they're available) need the real UID set otherwise pam_chauthtok will
-   set ADMCHG after changing the password, forcing the user to change it
-   again immediately.
-
-20051125
- - (dtucker) [configure.ac] Apply tim's fix for older systems where the
-   resolver state in resolv.h is "state" not "__res_state".  With slight
-   modification by me to also work on old AIXes.  ok djm@
- - (dtucker) [progressmeter.c scp.c sftp-server.c] Use correct casts for
-   snprintf formats, fixes warnings on some 64 bit platforms.  Patch from
-   shaw at vranix.com, ok djm@
-
-20051124
- - (djm) [configure.ac openbsd-compat/Makefile.in openbsd-compat/bsd-asprintf.c 
-   openbsd-compat/bsd-snprintf.c openbsd-compat/openbsd-compat.h] Add an 
-   asprintf() implementation, after syncing our {v,}snprintf() implementation
-   with some extra fixes from Samba's version. With help and debugging from 
-   dtucker and tim; ok dtucker@
- - (dtucker) [configure.ac] Fix typos in comments and AC_SEARCH_LIB argument
-   order in Reliant Unix block.  Patch from johane at lysator.liu.se.
- - (dtucker) [regress/test-exec.sh] Use 1024 bit keys since we generate so
-   many and use them only once.  Speeds up testing on older/slower hardware.
-
-20051122
- - (dtucker) OpenBSD CVS Sync
-   - deraadt@cvs.openbsd.org 2005/11/12 18:37:59
-     [ssh-add.c]
-     space
-   - deraadt@cvs.openbsd.org 2005/11/12 18:38:15
-     [scp.c]
-     avoid close(-1), as in rcp; ok cloder
-   - millert@cvs.openbsd.org 2005/11/15 11:59:54
-     [includes.h]
-     Include sys/queue.h explicitly instead of assuming some other header
-     will pull it in.  At the moment it gets pulled in by sys/select.h
-     (which ssh has no business including) via event.h.  OK markus@
-     (ID sync only in -portable)
-   - dtucker@cvs.openbsd.org 2005/11/21 09:42:10
-     [auth-krb5.c]
-     Perform Kerberos calls even for invalid users to prevent leaking
-     information about account validity.  bz #975, patch originally from
-     Senthil Kumar, sanity checked by Simon Wilkinson, tested by djm@, biorn@,
-     ok markus@
-   - dtucker@cvs.openbsd.org 2005/11/22 03:36:03
-     [hostfile.c]
-     Correct format/arguments to debug call; spotted by shaw at vranix.com
-     ok djm@
- - (dtucker) [loginrec.c] Add casts to prevent compiler warnings, patch
-   from shaw at vranix.com.
-
-20051120
- - (dtucker) [openbsd-compat/openssl-compat.h] Add comment explaining what
-   is going on.
-
-20051112
- - (dtucker) [openbsd-compat/getrrsetbyname.c] Restore Portable-specific
-   ifdef lost during sync.  Spotted by tim@.
- - (dtucker) [openbsd-compat/{realpath.c,stroll.c,rresvport.c}] $OpenBSD tag.
- - (dtucker) [configure.ac] Use "$AWK" instead of "awk" in gcc version test.
- - (dtucker) [configure.ac] Remove duplicate utimes() check.  ok djm@
- - (dtucker) [regress/reconfigure.sh] Fix potential race in the reconfigure
-   test: if sshd takes too long to reconfigure the subsequent connection will
-   fail.  Zap pidfile before HUPing sshd which will rewrite it when it's ready.
-
-20051110
- - (dtucker) [openbsd-compat/setenv.c] Merge changes for __findenv from
-   OpenBSD getenv.c revs 1.4 - 1.8 (ANSIfication of arguments, removal of
-   "register").
- - (dtucker) [openbsd-compat/setenv.c] Make __findenv static, remove
-   unnecessary prototype.
- - (dtucker) [openbsd-compat/setenv.c] Sync changes from OpenBSD setenv.c
-   revs 1.7 - 1.9.
- - (dtucker) [auth-krb5.c] Fix -Wsign-compare warning in non-Heimdal path.
-   Patch from djm@.
- - (dtucker) [configure.ac] Disable pointer-sign warnings on gcc 4.0+
-   since they're not useful right now.  Patch from djm@.
- - (dtucker) [openbsd-compat/getgrouplist.c] Sync OpenBSD revs 1.10 - 1.2 (ANSI
-   prototypes, removal of "register").
- - (dtucker) [openbsd-compat/strlcat.c] Sync OpenBSD revs 1.11 - 1.12 (removal
-   of "register").
- - (dtucker) [openbsd-compat/{LOTS}] Move the "OPENBSD ORIGINAL" markers to
-   after the copyright notices.  Having them at the top next to the CVSIDs
-   guarantees a conflict for each and every sync.
- - (dtucker) [openbsd-compat/strlcpy.c] Update from OpenBSD 1.8 -> 1.10.
- - (dtucker) [openbsd-compat/sigact.h] Add "OPENBSD ORIGINAL" marker.
- - (dtucker) [openbsd-compat/strmode.c] Update from OpenBSD 1.5 -> 1.7.
-   Removal of rcsid, "whiteout" inode type.
- - (dtucker) [openbsd-compat/basename.c] Update from OpenBSD 1.11 -> 1.14.
-   Removal of rcsid, will no longer strlcpy parts of the string.
- - (dtucker) [openbsd-compat/strtoll.c] Update from OpenBSD 1.4 -> 1.5.
- - (dtucker) [openbsd-compat/strtoul.c] Update from OpenBSD 1.5 -> 1.7.
- - (dtucker) [openbsd-compat/readpassphrase.c] Update from OpenBSD 1.16 -> 1.18.
- - (dtucker) [openbsd-compat/readpassphrase.h] Update from OpenBSD 1.3 -> 1.5.
- - (dtucker) [openbsd-compat/glob.c] Update from OpenBSD 1.22 -> 1.25.
- - (dtucker) [openbsd-compat/glob.h] Update from OpenBSD 1.8 -> 1.9.
- - (dtucker) [openbsd-compat/getcwd.c] Update from OpenBSD 1.9 -> 1.14.
- - (dtucker) [openbsd-compat/getcwd.c] Replace lstat with fstat to match up
-   with OpenBSD code since we don't support platforms without fstat any more.
- - (dtucker) [openbsd-compat/inet_aton.c] Update from OpenBSD 1.7 -> 1.9.
- - (dtucker) [openbsd-compat/inet_ntoa.c] Update from OpenBSD 1.4 -> 1.6.
- - (dtucker) [openbsd-compat/inet_ntop.c] Update from OpenBSD 1.5 -> 1.7.
- - (dtucker) [openbsd-compat/daemon.c] Update from OpenBSD 1.5 -> 1.6.
- - (dtucker) [openbsd-compat/strsep.c] Update from OpenBSD 1.5 -> 1.6.
- - (dtucker) [openbsd-compat/daemon.c] Update from OpenBSD 1.10 -> 1.13.
- - (dtucker) [openbsd-compat/mktemp.c] Update from OpenBSD 1.17 -> 1.19.
- - (dtucker) [openbsd-compat/rresvport.c] Update from OpenBSD 1.6 -> 1.8.
- - (dtucker) [openbsd-compat/bindresvport.c] Add "OPENBSD ORIGINAL" marker.
- - (dtucker) [openbsd-compat/bindresvport.c] Update from OpenBSD 1.16 -> 1.17.
- - (dtucker) [openbsd-compat/sigact.c] Update from OpenBSD 1.3 -> 1.4.
-   Id and copyright sync only, there were no substantial changes we need.
- - (dtucker) [openbsd-compat/bsd-closefrom.c openbsd-compat/base64.c]
-   -Wsign-compare fixes from djm.
- - (dtucker) [openbsd-compat/sigact.h] Update from OpenBSD 1.2 -> 1.3.
-   Id and copyright sync only, there were no substantial changes we need.
- - (dtucker) [configure.ac] Try to get the gcc version number in a way that
-   doesn't change between versions, and use a safer default.
-
-20051105
- - (djm) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2005/10/07 11:13:57
-     [ssh-keygen.c]
-     change DSA default back to 1024, as it's defined for 1024 bits only
-     and this causes interop problems with other clients.  moreover,
-     in order to improve the security of DSA you need to change more
-     components of DSA key generation (e.g. the internal SHA1 hash);
-     ok deraadt
-   - djm@cvs.openbsd.org 2005/10/10 10:23:08
-     [channels.c channels.h clientloop.c serverloop.c session.c]
-     fix regression I introduced in 4.2: X11 forwardings initiated after
-     a session has exited (e.g. "(sleep 5; xterm) &") would not start.
-     bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@
-   - djm@cvs.openbsd.org 2005/10/11 23:37:37
-     [channels.c]
-     bz #1076 set SO_REUSEADDR on X11 forwarding listner sockets, preventing
-     bind() failure when a previous connection's listeners are in TIME_WAIT,
-     reported by plattner AT inf.ethz.ch; ok dtucker@
-   - stevesk@cvs.openbsd.org 2005/10/13 14:03:01
-     [auth2-gss.c gss-genr.c gss-serv.c]
-     remove unneeded #includes; ok markus@
-   - stevesk@cvs.openbsd.org 2005/10/13 14:20:37
-     [gss-serv.c]
-     spelling in comments
-   - stevesk@cvs.openbsd.org 2005/10/13 19:08:08
-     [gss-serv-krb5.c gss-serv.c]
-     unused declarations; ok deraadt@
-     (id sync only for gss-serv-krb5.c)
-   - stevesk@cvs.openbsd.org 2005/10/13 19:13:41
-     [dns.c]
-     unneeded #include, unused declaration, little knf; ok deraadt@
-   - stevesk@cvs.openbsd.org 2005/10/13 22:24:31
-     [auth2-gss.c gss-genr.c gss-serv.c monitor.c]
-     KNF; ok djm@
-   - stevesk@cvs.openbsd.org 2005/10/14 02:17:59
-     [ssh-keygen.c ssh.c sshconnect2.c]
-     no trailing "\n" for log functions; ok djm@
-   - stevesk@cvs.openbsd.org 2005/10/14 02:29:37
-     [channels.c clientloop.c]
-     free()->xfree(); ok djm@
-   - stevesk@cvs.openbsd.org 2005/10/15 15:28:12
-     [sshconnect.c]
-     make external definition static; ok deraadt@
-   - stevesk@cvs.openbsd.org 2005/10/17 13:45:05
-     [dns.c]
-     fix memory leaks from 2 sources:
-         1) key_fingerprint_raw()
-         2) malloc in dns_read_rdata()
-     ok jakob@
-   - stevesk@cvs.openbsd.org 2005/10/17 14:01:28
-     [dns.c]
-     remove #ifdef LWRES; ok jakob@
-   - stevesk@cvs.openbsd.org 2005/10/17 14:13:35
-     [dns.c dns.h]
-     more cleanups; ok jakob@
-   - djm@cvs.openbsd.org 2005/10/30 01:23:19
-     [ssh_config.5]
-     mention control socket fallback behaviour, reported by 
-     tryponraj AT gmail.com
-   - djm@cvs.openbsd.org 2005/10/30 04:01:03
-     [ssh-keyscan.c]
-     make ssh-keygen discard junk from server before SSH- ident, spotted by
-     dave AT cirt.net; ok dtucker@
-   - djm@cvs.openbsd.org 2005/10/30 04:03:24
-     [ssh.c]
-     fix misleading debug message; ok dtucker@
-   - dtucker@cvs.openbsd.org 2005/10/30 08:29:29
-     [canohost.c sshd.c]
-     Check for connections with IP options earlier and drop silently.  ok djm@
-   - jmc@cvs.openbsd.org 2005/10/30 08:43:47
-     [ssh_config.5]
-     remove trailing whitespace;
-   - djm@cvs.openbsd.org 2005/10/30 08:52:18
-     [clientloop.c packet.c serverloop.c session.c ssh-agent.c ssh-keygen.c]
-     [ssh.c sshconnect.c sshconnect1.c sshd.c]
-     no need to escape single quotes in comments, no binary change
-   - dtucker@cvs.openbsd.org 2005/10/31 06:15:04
-     [sftp.c]
-     Fix sorting with "ls -1" command. From Robert Tsai, "looks right" deraadt@
-   - djm@cvs.openbsd.org 2005/10/31 11:12:49
-     [ssh-keygen.1 ssh-keygen.c]
-     generate a protocol 2 RSA key by default
-   - djm@cvs.openbsd.org 2005/10/31 11:48:29
-     [serverloop.c]
-     make sure we clean up wtmp, etc. file when we receive a SIGTERM,
-     SIGINT or SIGQUIT when running without privilege separation (the
-     normal privsep case is already OK). Patch mainly by dtucker@ and
-     senthilkumar_sen AT hotpop.com; ok dtucker@
-   - jmc@cvs.openbsd.org 2005/10/31 19:55:25
-     [ssh-keygen.1]
-     grammar;
-   - dtucker@cvs.openbsd.org 2005/11/03 13:38:29
-     [canohost.c]
-     Cache reverse lookups with and without DNS separately; ok markus@
-   - djm@cvs.openbsd.org 2005/11/04 05:15:59
-     [kex.c kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c]
-     remove hardcoded hash lengths in key exchange code, allowing
-     implementation of KEX methods with different hashes (e.g. SHA-256);
-     ok markus@ dtucker@ stevesk@
-   - djm@cvs.openbsd.org 2005/11/05 05:01:15
-     [bufaux.c]
-     Fix leaks in error paths, bz #1109 and #1110 reported by kremenek AT
-     cs.stanford.edu; ok dtucker@
- - (dtucker) [README.platform] Add PAM section.
- - (djm) [openbsd-compat/getrrsetbyname.c] Sync to latest OpenBSD version,
-   resolving memory leak bz#1111 reported by kremenek AT cs.stanford.edu;
-   ok dtucker@
-
-20051102
- - (dtucker) [openbsd-compat/bsd-misc.c] Bug #1108: fix broken strdup().
-   Reported by olavi at ipunplugged.com and antoine.brodin at laposte.net
-   via FreeBSD.
-
-20051030
- - (djm) [contrib/suse/openssh.spec contrib/suse/rc.
-   sshd contrib/suse/sysconfig.ssh] Bug #1106: Updated SuSE spec and init 
-   files from imorgan AT nas.nasa.gov
- - (dtucker) [session.c] Bug #1045do not check /etc/nologin when PAM is
-   enabled, instead allow PAM to handle it.  Note that on platforms using PAM,
-   the pam_nologin module should be added to sshd's session stack in order to
-   maintain exising behaviour.  Based on patch and discussion from t8m at
-   centrum.cz, ok djm@
-
-20051025
- - (dtucker) [configure.ac] Relocate LLONG_MAX calculation to after the
-   sizeof(long long) checks, to make fixing bug #1104 easier (no changes
-   yet).
- - (dtucker) [configure.ac] Bug #1104: Tru64's printf family doesn't
-   understand "%lld", even though the compiler has "long long", so handle
-   it as a special case.  Patch tested by mcaskill.scott at epa.gov.
- - (dtucker) [contrib/cygwin/ssh-user-config] Remove duplicate yes/no
-   prompt.  Patch from vinschen at redhat.com.
-
-20051017
- - (dtucker) [configure.ac] Bug #1097: Fix configure for cross-compiling.
-   /etc/default/login report and testing from aabaker at iee.org, corrections
-   from tim@.
-
-20051009
- - (dtucker) [configure.ac defines.h openbsd-compat/vis.{c,h}] Sync current
-   versions from OpenBSD.  ok djm@
-
-20051008
- - (dtucker) [configure.ac] Bug #1098: define $MAIL for HP-UX; report from
-   brian.smith at agilent com.
- - (djm) [configure.ac] missing 'test' call for -with-Werror test
-
-20051005
- - (dtucker) [configure.ac sshd.8] Enable locked account check (a prepended
-   "*LOCKED*" string) for FreeBSD.  Patch jeremie at le-hen.org and
-   senthilkumar_sen at hotpop.com.
-
-20051003
- - (dtucker) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2005/09/07 08:53:53
-     [channels.c]
-     enforce chanid != NULL; ok djm
-   - markus@cvs.openbsd.org 2005/09/09 19:18:05
-     [clientloop.c]
-     typo; from mark at mcs.vuw.ac.nz, bug #1082
-   - djm@cvs.openbsd.org 2005/09/13 23:40:07
-     [sshd.c ssh.c misc.h sftp.c ssh-keygen.c ssh-keysign.c sftp-server.c
-     scp.c misc.c ssh-keyscan.c ssh-add.c ssh-agent.c]
-     ensure that stdio fds are attached; ok deraadt@
-   - djm@cvs.openbsd.org 2005/09/19 11:37:34
-     [ssh_config.5 ssh.1]
-     mention ability to specify bind_address for DynamicForward and -D options;
-     bz#1077 spotted by Haruyama Seigo
-   - djm@cvs.openbsd.org 2005/09/19 11:47:09
-     [sshd.c]
-     stop connection abort on rekey with delayed compression enabled when
-     post-auth privsep is disabled (e.g. when root is logged in); ok dtucker@
-   - djm@cvs.openbsd.org 2005/09/19 11:48:10
-     [gss-serv.c]
-     typo
-   - jmc@cvs.openbsd.org 2005/09/19 15:38:27
-     [ssh.1]
-     some more .Bk/.Ek to avoid ugly line split;
-   - jmc@cvs.openbsd.org 2005/09/19 15:42:44
-     [ssh.c]
-     update -D usage here too;
-   - djm@cvs.openbsd.org 2005/09/19 23:31:31
-     [ssh.1]
-     spelling nit from stevesk@
-   - djm@cvs.openbsd.org 2005/09/21 23:36:54
-     [sshd_config.5]
-     aquire -> acquire, from stevesk@
-   - djm@cvs.openbsd.org 2005/09/21 23:37:11
-     [sshd.c]
-     change label at markus@'s request
-   - jaredy@cvs.openbsd.org 2005/09/30 20:34:26
-     [ssh-keyscan.1]
-     deploy .An -nosplit; ok jmc
-   - dtucker@cvs.openbsd.org 2005/10/03 07:44:42
-     [canohost.c]
-     Relocate check_ip_options call to prevent logging of garbage for
-     connections with IP options set.  bz#1092 from David Leonard,
-     "looks good" deraadt@
- - (dtucker) [regress/README.regress] Bug #989: Document limitation that scp
-   is required in the system path for the multiplex test to work.
-
-20050930
- - (dtucker) [openbsd-compat/openbsd-compat.h] Bug #1096: Add prototype
-   for strtoll.  Patch from o.flebbe at science-computing.de.
- - (dtucker) [monitor.c] Bug #1087: Send loginmsg to preauth privsep
-   child during PAM account check without clearing it.  This restores the
-   post-login warnings such as LDAP password expiry.  Patch from Tomas Mraz
-   with help from several others.
-
-20050929
- - (dtucker) [monitor_wrap.c] Remove duplicate definition of loginmsg
-   introduced during sync.
-
-20050928
- - (dtucker) [entropy.c] Use u_char for receiving RNG seed for consistency.
- - (dtucker) [auth-pam.c] Bug #1028: send final non-query messages from
-   PAM via keyboard-interactive.  Patch tested by the folks at Vintela.
-
-20050927
- - (dtucker) [entropy.c] Remove unnecessary tests for getuid and geteuid
-   calls, since they can't possibly fail.  ok djm@
- - (dtucker) [entropy.c entropy.h sshd.c] Pass RNG seed to the reexec'ed
-   process when sshd relies on ssh-random-helper.  Should result in faster
-   logins on systems without a real random device or prngd.  ok djm@
-
-20050924
- - (dtucker) [auth2.c] Move start_pam() calls out of if-else block to remove
-   duplicate call.  ok djm@
-
-20050922
- - (dtucker) [configure.ac] Use -R linker flag for libedit too; patch from
-   skeleten at shillest.net.
- - (dtucker) [configure.ac] Fix help for --with-opensc; patch from skeleten at
-   shillest.net.
-
-20050919
- - (tim) [aclocal.m4 configure.ac] Delete acconfig.h and add templates to
-   AC_DEFINE and AC_DEFINE_UNQUOTED to quiet autoconf 2.59 warning messages.
-   ok dtucker@
-
-20050912
- - (tim) [configure.ac] Bug 1078. Fix --without-kerberos5. Reported by
-   Mike Frysinger.
-
-20050908
- - (tim) [defines.h openbsd-compat/port-uw.c] Add long password support to
-   OpenServer 6 and add osr5bigcrypt support so when someone migrates
-   passwords between UnixWare and OpenServer they will still work. OK dtucker@
-
-$Id: ChangeLog,v 1.4588.2.1 2006/11/07 13:02:59 dtucker Exp $
diff --git a/crypto/openssh/INSTALL b/crypto/openssh/INSTALL
deleted file mode 100644
index 1c784a5..0000000
--- a/crypto/openssh/INSTALL
+++ /dev/null
@@ -1,253 +0,0 @@
-1. Prerequisites
-----------------
-
-You will need working installations of Zlib and OpenSSL.
-
-Zlib 1.1.4 or 1.2.1.2 or greater (ealier 1.2.x versions have problems):
-http://www.gzip.org/zlib/
-
-OpenSSL 0.9.6 or greater:
-http://www.openssl.org/
-
-(OpenSSL 0.9.5a is partially supported, but some ciphers (SSH protocol 1
-Blowfish) do not work correctly.)
-
-The remaining items are optional.
-
-OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system
-supports it. PAM is standard on Redhat and Debian Linux, Solaris and
-HP-UX 11.
-
-NB. If you operating system supports /dev/random, you should configure
-OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of
-/dev/random. If you don't you will have to rely on ssh-rand-helper, which
-is inferior to a good kernel-based solution.
-
-PAM:
-http://www.kernel.org/pub/linux/libs/pam/
-
-If you wish to build the GNOME passphrase requester, you will need the GNOME
-libraries and headers.
-
-GNOME:
-http://www.gnome.org/
-
-Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
-passphrase requester. This is maintained separately at:
-
-http://www.jmknoble.net/software/x11-ssh-askpass/
-
-PRNGD:
-
-If your system lacks Kernel based random collection, the use of Lutz
-Jaenicke's PRNGd is recommended.
-
-http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html
-
-EGD:
-
-The Entropy Gathering Daemon (EGD) is supported if you have a system which
-lacks /dev/random and don't want to use OpenSSH's internal entropy collection.
-
-http://www.lothar.com/tech/crypto/
-
-S/Key Libraries:
-
-If you wish to use --with-skey then you will need the library below
-installed.  No other S/Key library is currently known to be supported.
-
-http://www.sparc.spb.su/solaris/skey/
-
-LibEdit:
-
-sftp supports command-line editing via NetBSD's libedit.  If your platform
-has it available natively you can use that, alternatively you might try
-these multi-platform ports:
-
-http://www.thrysoee.dk/editline/
-http://sourceforge.net/projects/libedit/
-
-Autoconf:
-
-If you modify configure.ac or configure doesn't exist (eg if you checked
-the code out of CVS yourself) then you will need autoconf-2.60 to rebuild
-the automatically generated files by running "autoreconf".
-
-http://www.gnu.org/software/autoconf/
-
-Basic Security Module (BSM):
-
-Native BSM support is know to exist in Solaris from at least 2.5.1,
-FreeBSD 6.1 and OS X.  Alternatively, you may use the OpenBSM
-implementation (http://www.openbsm.org).
-
-
-2. Building / Installation
---------------------------
-
-To install OpenSSH with default options:
-
-./configure
-make
-make install
-
-This will install the OpenSSH binaries in /usr/local/bin, configuration files
-in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
-installation prefix, use the --prefix option to configure:
-
-./configure --prefix=/opt
-make
-make install
-
-Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
-specific paths, for example:
-
-./configure --prefix=/opt --sysconfdir=/etc/ssh
-make
-make install
-
-This will install the binaries in /opt/{bin,lib,sbin}, but will place the
-configuration files in /etc/ssh.
-
-If you are using Privilege Separation (which is enabled by default)
-then you will also need to create the user, group and directory used by
-sshd for privilege separation.  See README.privsep for details.
-
-If you are using PAM, you may need to manually install a PAM control
-file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
-them).  Note that the service name used to start PAM is __progname,
-which is the basename of the path of your sshd (e.g., the service name
-for /usr/sbin/osshd will be osshd).  If you have renamed your sshd
-executable, your PAM configuration may need to be modified.
-
-A generic PAM configuration is included as "contrib/sshd.pam.generic",
-you may need to edit it before using it on your system. If you are
-using a recent version of Red Hat Linux, the config file in
-contrib/redhat/sshd.pam should be more useful.  Failure to install a
-valid PAM file may result in an inability to use password
-authentication.  On HP-UX 11 and Solaris, the standard /etc/pam.conf
-configuration will work with sshd (sshd will match the other service
-name).
-
-There are a few other options to the configure script:
-
---with-audit=[module] enable additional auditing via the specified module.
-Currently, drivers for "debug" (additional info via syslog) and "bsm"
-(Sun's Basic Security Module) are supported.
-
---with-pam enables PAM support. If PAM support is compiled in, it must
-also be enabled in sshd_config (refer to the UsePAM directive).
-
---with-prngd-socket=/some/file allows you to enable EGD or PRNGD
-support and to specify a PRNGd socket. Use this if your Unix lacks
-/dev/random and you don't want to use OpenSSH's builtin entropy
-collection support.
-
---with-prngd-port=portnum allows you to enable EGD or PRNGD support
-and to specify a EGD localhost TCP port. Use this if your Unix lacks
-/dev/random and you don't want to use OpenSSH's builtin entropy
-collection support.
-
---with-lastlog=FILE will specify the location of the lastlog file.
-./configure searches a few locations for lastlog, but may not find
-it if lastlog is installed in a different place.
-
---without-lastlog will disable lastlog support entirely.
-
---with-osfsia, --without-osfsia will enable or disable OSF1's Security
-Integration Architecture.  The default for OSF1 machines is enable.
-
---with-skey=PATH will enable S/Key one time password support. You will
-need the S/Key libraries and header files installed for this to work.
-
---with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
-support. You will need libwrap.a and tcpd.h installed.
-
---with-md5-passwords will enable the use of MD5 passwords. Enable this
-if your operating system uses MD5 passwords and the system crypt() does
-not support them directly (see the crypt(3/3c) man page). If enabled, the
-resulting binary will support both MD5 and traditional crypt passwords.
-
---with-utmpx enables utmpx support. utmpx support is automatic for
-some platforms.
-
---without-shadow disables shadow password support.
-
---with-ipaddr-display forces the use of a numeric IP address in the
-$DISPLAY environment variable. Some broken systems need this.
-
---with-default-path=PATH allows you to specify a default $PATH for sessions
-started by sshd. This replaces the standard path entirely.
-
---with-pid-dir=PATH specifies the directory in which the ssh.pid file is
-created.
-
---with-xauth=PATH specifies the location of the xauth binary
-
---with-ssl-dir=DIR allows you to specify where your OpenSSL libraries
-are installed.
-
---with-ssl-engine enables OpenSSL's (hardware) ENGINE support
-
---with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
-real (AF_INET) IPv4 addresses. Works around some quirks on Linux.
-
---with-opensc=DIR
---with-sectok=DIR allows for OpenSC or sectok smartcard libraries to
-be used with OpenSSH.  See 'README.smartcard' for more details.
-
-If you need to pass special options to the compiler or linker, you
-can specify these as environment variables before running ./configure.
-For example:
-
-CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure
-
-3. Configuration
-----------------
-
-The runtime configuration files are installed by in ${prefix}/etc or
-whatever you specified as your --sysconfdir (/usr/local/etc by default).
-
-The default configuration should be instantly usable, though you should
-review it to ensure that it matches your security requirements.
-
-To generate a host key, run "make host-key". Alternately you can do so
-manually using the following commands:
-
-    ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
-    ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
-    ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""
-
-Replacing /etc/ssh with the correct path to the configuration directory.
-(${prefix}/etc or whatever you specified with --sysconfdir during
-configuration)
-
-If you have configured OpenSSH with EGD support, ensure that EGD is
-running and has collected some Entropy.
-
-For more information on configuration, please refer to the manual pages
-for sshd, ssh and ssh-agent.
-
-4. (Optional) Send survey
--------------------------
-
-$ make survey
-[check the contents of the file "survey" to ensure there's no information
-that you consider sensitive]
-$ make send-survey
-
-This will send configuration information for the currently configured
-host to a survey address.  This will help determine which configurations
-are actually in use, and what valid combinations of configure options
-exist.  The raw data is available only to the OpenSSH developers, however
-summary data may be published.
-
-5. Problems?
-------------
-
-If you experience problems compiling, installing or running OpenSSH.
-Please refer to the "reporting bugs" section of the webpage at
-http://www.openssh.com/
-
-
-$Id: INSTALL,v 1.76 2006/09/17 12:55:52 dtucker Exp $
diff --git a/crypto/openssh/LICENCE b/crypto/openssh/LICENCE
deleted file mode 100644
index 0c2ff06..0000000
--- a/crypto/openssh/LICENCE
+++ /dev/null
@@ -1,337 +0,0 @@
-This file is part of the OpenSSH software.
-
-The licences which components of this software fall under are as
-follows.  First, we will summarize and say that all components
-are under a BSD licence, or a licence more free than that.
-
-OpenSSH contains no GPL code.
-
-1)
-     * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
-     *                    All rights reserved
-     *
-     * As far as I am concerned, the code I have written for this software
-     * can be used freely for any purpose.  Any derived versions of this
-     * software must be clearly marked as such, and if the derived work is
-     * incompatible with the protocol description in the RFC file, it must be
-     * called by a name other than "ssh" or "Secure Shell".
-
-    [Tatu continues]
-     *  However, I am not implying to give any licenses to any patents or
-     * copyrights held by third parties, and the software includes parts that
-     * are not under my direct control.  As far as I know, all included
-     * source code is used in accordance with the relevant license agreements
-     * and can be used freely for any purpose (the GNU license being the most
-     * restrictive); see below for details.
-
-    [However, none of that term is relevant at this point in time.  All of
-    these restrictively licenced software components which he talks about
-    have been removed from OpenSSH, i.e.,
-
-     - RSA is no longer included, found in the OpenSSL library
-     - IDEA is no longer included, its use is deprecated
-     - DES is now external, in the OpenSSL library
-     - GMP is no longer used, and instead we call BN code from OpenSSL
-     - Zlib is now external, in a library
-     - The make-ssh-known-hosts script is no longer included
-     - TSS has been removed
-     - MD5 is now external, in the OpenSSL library
-     - RC4 support has been replaced with ARC4 support from OpenSSL
-     - Blowfish is now external, in the OpenSSL library
-
-    [The licence continues]
-
-    Note that any information and cryptographic algorithms used in this
-    software are publicly available on the Internet and at any major
-    bookstore, scientific library, and patent office worldwide.  More
-    information can be found e.g. at "http://www.cs.hut.fi/crypto".
-
-    The legal status of this program is some combination of all these
-    permissions and restrictions.  Use only at your own responsibility.
-    You will be responsible for any legal consequences yourself; I am not
-    making any claims whether possessing or using this is legal or not in
-    your country, and I am not taking any responsibility on your behalf.
-
-
-			    NO WARRANTY
-
-    BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-    FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
-    OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-    PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-    OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-    MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
-    TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
-    PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-    REPAIR OR CORRECTION.
-
-    IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-    WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-    REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-    INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-    OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-    TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-    YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-    PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGES.
-
-2)
-    The 32-bit CRC compensation attack detector in deattack.c was
-    contributed by CORE SDI S.A. under a BSD-style license.
-
-     * Cryptographic attack detector for ssh - source code
-     *
-     * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina.
-     *
-     * All rights reserved. Redistribution and use in source and binary
-     * forms, with or without modification, are permitted provided that
-     * this copyright notice is retained.
-     *
-     * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
-     * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE
-     * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
-     * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS
-     * SOFTWARE.
-     *
-     * Ariel Futoransky <futo@core-sdi.com>
-     * <http://www.core-sdi.com>
-
-3)
-    ssh-keyscan was contributed by David Mazieres under a BSD-style
-    license.
-
-     * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
-     *
-     * Modification and redistribution in source and binary forms is
-     * permitted provided that due credit is given to the author and the
-     * OpenBSD project by leaving this copyright notice intact.
-
-4)
-    The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers
-    and Paulo Barreto is in the public domain and distributed
-    with the following license:
-
-     * @version 3.0 (December 2000)
-     *
-     * Optimised ANSI C code for the Rijndael cipher (now AES)
-     *
-     * @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
-     * @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
-     * @author Paulo Barreto <paulo.barreto@terra.com.br>
-     *
-     * This code is hereby placed in the public domain.
-     *
-     * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
-     * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-     * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-     * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
-     * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-     * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-     * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-     * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-     * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-     * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
-     * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-5)
-    One component of the ssh source code is under a 3-clause BSD license,
-    held by the University of California, since we pulled these parts from
-    original Berkeley code.
-
-     * Copyright (c) 1983, 1990, 1992, 1993, 1995
-     *      The Regents of the University of California.  All rights reserved.
-     *
-     * Redistribution and use in source and binary forms, with or without
-     * modification, are permitted provided that the following conditions
-     * are met:
-     * 1. Redistributions of source code must retain the above copyright
-     *    notice, this list of conditions and the following disclaimer.
-     * 2. Redistributions in binary form must reproduce the above copyright
-     *    notice, this list of conditions and the following disclaimer in the
-     *    documentation and/or other materials provided with the distribution.
-     * 3. Neither the name of the University nor the names of its contributors
-     *    may be used to endorse or promote products derived from this software
-     *    without specific prior written permission.
-     *
-     * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
-     * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-     * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-     * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
-     * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-     * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-     * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-     * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-     * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-     * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-     * SUCH DAMAGE.
-
-6)
-    Remaining components of the software are provided under a standard
-    2-term BSD licence with the following names as copyright holders:
-
-	Markus Friedl
-	Theo de Raadt
-	Niels Provos
-	Dug Song
-	Aaron Campbell
-	Damien Miller
-	Kevin Steves
-	Daniel Kouril
-	Wesley Griffin
-	Per Allansson
-	Nils Nordman
-	Simon Wilkinson
-
-    Portable OpenSSH additionally includes code from the following copyright
-    holders, also under the 2-term BSD license:
-
-	Ben Lindstrom
-	Tim Rice
-	Andre Lucas
-	Chris Adams
-	Corinna Vinschen
-	Cray Inc.
-	Denis Parker
-	Gert Doering
-	Jakob Schlyter
-	Jason Downs
-	Juha Yrjölä
-	Michael Stone
-	Networks Associates Technology, Inc.
-	Solar Designer
-	Todd C. Miller
-	Wayne Schroeder
-	William Jones
-	Darren Tucker
-	Sun Microsystems
-	The SCO Group
-
-     * Redistribution and use in source and binary forms, with or without
-     * modification, are permitted provided that the following conditions
-     * are met:
-     * 1. Redistributions of source code must retain the above copyright
-     *    notice, this list of conditions and the following disclaimer.
-     * 2. Redistributions in binary form must reproduce the above copyright
-     *    notice, this list of conditions and the following disclaimer in the
-     *    documentation and/or other materials provided with the distribution.
-     *
-     * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-     * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-     * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-     * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-     * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-     * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-     * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-     * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-     * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-     * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-8) Portable OpenSSH contains the following additional licenses:
-
-    a) md5crypt.c, md5crypt.h
-
-	 * "THE BEER-WARE LICENSE" (Revision 42):
-	 * <phk@login.dknet.dk> wrote this file.  As long as you retain this
-	 * notice you can do whatever you want with this stuff. If we meet
-	 * some day, and you think this stuff is worth it, you can buy me a
-	 * beer in return.   Poul-Henning Kamp
-
-    b) snprintf replacement
-
-	* Copyright Patrick Powell 1995
-	* This code is based on code written by Patrick Powell
-	* (papowell@astart.com) It may be used for any purpose as long as this
-	* notice remains intact on all source code distributions
-
-    c) Compatibility code (openbsd-compat)
-
-       Apart from the previously mentioned licenses, various pieces of code
-       in the openbsd-compat/ subdirectory are licensed as follows:
-
-       Some code is licensed under a 3-term BSD license, to the following
-       copyright holders:
-
-	Todd C. Miller
-	Theo de Raadt
-	Damien Miller
-	Eric P. Allman
-	The Regents of the University of California
-	Constantin S. Svintsoff
-
-	* Redistribution and use in source and binary forms, with or without
-	* modification, are permitted provided that the following conditions
-	* are met:
-	* 1. Redistributions of source code must retain the above copyright
-	*    notice, this list of conditions and the following disclaimer.
-	* 2. Redistributions in binary form must reproduce the above copyright
-	*    notice, this list of conditions and the following disclaimer in the
-	*    documentation and/or other materials provided with the distribution.
-	* 3. Neither the name of the University nor the names of its contributors
-	*    may be used to endorse or promote products derived from this software
-	*    without specific prior written permission.
-	*
-	* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
-	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-	* ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
-	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-	* SUCH DAMAGE.
-
-       Some code is licensed under an ISC-style license, to the following
-       copyright holders:
-
-	Internet Software Consortium.
-	Todd C. Miller
-	Reyk Floeter
-	Chad Mynhier
-
-	* Permission to use, copy, modify, and distribute this software for any
-	* purpose with or without fee is hereby granted, provided that the above
-	* copyright notice and this permission notice appear in all copies.
-	*
-	* THE SOFTWARE IS PROVIDED "AS IS" AND TODD C. MILLER DISCLAIMS ALL
-	* WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
-	* OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL TODD C. MILLER BE LIABLE
-	* FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
-	* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
-	* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-       Some code is licensed under a MIT-style license to the following
-       copyright holders:
-
-	Free Software Foundation, Inc.
-
-	* Permission is hereby granted, free of charge, to any person obtaining a  *
-	* copy of this software and associated documentation files (the            *
-	* "Software"), to deal in the Software without restriction, including      *
-	* without limitation the rights to use, copy, modify, merge, publish,      *
-	* distribute, distribute with modifications, sublicense, and/or sell       *
-	* copies of the Software, and to permit persons to whom the Software is    *
-	* furnished to do so, subject to the following conditions:                 *
-	*                                                                          *
-	* The above copyright notice and this permission notice shall be included  *
-	* in all copies or substantial portions of the Software.                   *
-	*                                                                          *
-	* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS  *
-	* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF               *
-	* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.   *
-	* IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,   *
-	* DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR    *
-	* OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR    *
-	* THE USE OR OTHER DEALINGS IN THE SOFTWARE.                               *
-	*                                                                          *
-	* Except as contained in this notice, the name(s) of the above copyright   *
-	* holders shall not be used in advertising or otherwise to promote the     *
-	* sale, use or other dealings in this Software without prior written       *
-	* authorization.                                                           *
-	****************************************************************************/
-
-
-------
-$OpenBSD: LICENCE,v 1.19 2004/08/30 09:18:08 markus Exp $
diff --git a/crypto/openssh/Makefile b/crypto/openssh/Makefile
deleted file mode 100644
index 0b9c668..0000000
--- a/crypto/openssh/Makefile
+++ /dev/null
@@ -1,14 +0,0 @@
-#	$OpenBSD: Makefile,v 1.11 2002/05/23 19:24:30 markus Exp $
-
-.include <bsd.own.mk>
-
-SUBDIR=	lib ssh sshd ssh-add ssh-keygen ssh-agent scp sftp-server \
-	ssh-keysign ssh-keyscan sftp scard
-
-distribution:
-	install -C -o root -g wheel -m 0644 ${.CURDIR}/ssh_config \
-	    ${DESTDIR}/etc/ssh/ssh_config
-	install -C -o root -g wheel -m 0644 ${.CURDIR}/sshd_config \
-	    ${DESTDIR}/etc/ssh/sshd_config
-
-.include <bsd.subdir.mk>
diff --git a/crypto/openssh/Makefile.in b/crypto/openssh/Makefile.in
deleted file mode 100644
index fb6426b..0000000
--- a/crypto/openssh/Makefile.in
+++ /dev/null
@@ -1,438 +0,0 @@
-# $Id: Makefile.in,v 1.283 2006/10/23 21:44:47 tim Exp $
-
-# uncomment if you run a non bourne compatable shell. Ie. csh
-#SHELL = @SH@
-
-AUTORECONF=autoreconf
-
-prefix=@prefix@
-exec_prefix=@exec_prefix@
-bindir=@bindir@
-sbindir=@sbindir@
-libexecdir=@libexecdir@
-datadir=@datadir@
-datarootdir=@datarootdir@
-mandir=@mandir@
-mansubdir=@mansubdir@
-sysconfdir=@sysconfdir@
-piddir=@piddir@
-srcdir=@srcdir@
-top_srcdir=@top_srcdir@
-
-DESTDIR=
-VPATH=@srcdir@
-SSH_PROGRAM=@bindir@/ssh
-ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
-SFTP_SERVER=$(libexecdir)/sftp-server
-SSH_KEYSIGN=$(libexecdir)/ssh-keysign
-RAND_HELPER=$(libexecdir)/ssh-rand-helper
-PRIVSEP_PATH=@PRIVSEP_PATH@
-SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
-STRIP_OPT=@STRIP_OPT@
-
-PATHS= -DSSHDIR=\"$(sysconfdir)\" \
-	-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
-	-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
-	-D_PATH_SFTP_SERVER=\"$(SFTP_SERVER)\" \
-	-D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \
-	-D_PATH_SSH_PIDDIR=\"$(piddir)\" \
-	-D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \
-	-DSSH_RAND_HELPER=\"$(RAND_HELPER)\"
-
-CC=@CC@
-LD=@LD@
-CFLAGS=@CFLAGS@
-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-LIBS=@LIBS@
-LIBSELINUX=@LIBSELINUX@
-SSHDLIBS=@SSHDLIBS@
-LIBEDIT=@LIBEDIT@
-LIBPAM=@LIBPAM@
-LIBWRAP=@LIBWRAP@
-AR=@AR@
-AWK=@AWK@
-RANLIB=@RANLIB@
-INSTALL=@INSTALL@
-PERL=@PERL@
-SED=@SED@
-ENT=@ENT@
-XAUTH_PATH=@XAUTH_PATH@
-LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
-EXEEXT=@EXEEXT@
-
-INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
-INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@
-
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT)
-
-LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
-	canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
-	cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
-	compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
-	log.o match.o md-sha256.o moduli.o nchan.o packet.o \
-	readpass.o rsa.o ttymodes.o xmalloc.o \
-	atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
-	monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
-	kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \
-	entropy.o scard-opensc.o gss-genr.o
-
-SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
-	sshconnect.o sshconnect1.o sshconnect2.o
-
-SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
-	sshpty.o sshlogin.o servconf.o serverloop.o \
-	auth.o auth1.o auth2.o auth-options.o session.o \
-	auth-chall.o auth2-chall.o groupaccess.o \
-	auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
-	auth2-none.o auth2-passwd.o auth2-pubkey.o \
-	monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \
-	auth-krb5.o \
-	auth2-gss.o gss-serv.o gss-serv-krb5.o \
-	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
-	audit.o audit-bsm.o platform.o
-
-MANPAGES	= scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
-MANPAGES_IN	= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
-MANTYPE		= @MANTYPE@
-
-CONFIGFILES=sshd_config.out ssh_config.out moduli.out
-CONFIGFILES_IN=sshd_config ssh_config moduli
-
-PATHSUBS	= \
-	-e 's|/etc/ssh/ssh_prng_cmds|$(sysconfdir)/ssh_prng_cmds|g' \
-	-e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \
-	-e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \
-	-e 's|/etc/ssh/sshd_config|$(sysconfdir)/sshd_config|g' \
-	-e 's|/usr/libexec|$(libexecdir)|g' \
-	-e 's|/etc/shosts.equiv|$(sysconfdir)/shosts.equiv|g' \
-	-e 's|/etc/ssh/ssh_host_key|$(sysconfdir)/ssh_host_key|g' \
-	-e 's|/etc/ssh/ssh_host_dsa_key|$(sysconfdir)/ssh_host_dsa_key|g' \
-	-e 's|/etc/ssh/ssh_host_rsa_key|$(sysconfdir)/ssh_host_rsa_key|g' \
-	-e 's|/var/run/sshd.pid|$(piddir)/sshd.pid|g' \
-	-e 's|/etc/ssh/moduli|$(sysconfdir)/moduli|g' \
-	-e 's|/etc/ssh/sshrc|$(sysconfdir)/sshrc|g' \
-	-e 's|/usr/X11R6/bin/xauth|$(XAUTH_PATH)|g' \
-	-e 's|/var/empty|$(PRIVSEP_PATH)|g' \
-	-e 's|/usr/bin:/bin:/usr/sbin:/sbin|@user_path@|g'
-
-FIXPATHSCMD	= $(SED) $(PATHSUBS)
-
-all: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS)
-
-$(LIBSSH_OBJS): Makefile.in config.h
-$(SSHOBJS): Makefile.in config.h
-$(SSHDOBJS): Makefile.in config.h
-
-.c.o:
-	$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
-
-LIBCOMPAT=openbsd-compat/libopenbsd-compat.a
-$(LIBCOMPAT): always
-	(cd openbsd-compat && $(MAKE))
-always:
-
-libssh.a: $(LIBSSH_OBJS)
-	$(AR) rv $@ $(LIBSSH_OBJS)
-	$(RANLIB) $@
-
-ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
-	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-
-sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
-	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(SSHDLIBS) $(LIBS)
-
-scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
-	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-
-ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
-	$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-
-ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o
-	$(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-
-ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
-	$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-
-ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o
-	$(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-
-ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
-	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
-
-sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o
-	$(LD) -o $@ sftp-server.o sftp-common.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-
-sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
-	$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
-
-ssh-rand-helper${EXEEXT}: $(LIBCOMPAT) libssh.a ssh-rand-helper.o
-	$(LD) -o $@ ssh-rand-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-
-# test driver for the loginrec code - not built by default
-logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
-	$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
-
-$(MANPAGES): $(MANPAGES_IN)
-	if test "$(MANTYPE)" = "cat"; then \
-		manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \
-	else \
-		manpage=$(srcdir)/`echo $@ | sed 's/\.out$$//'`; \
-	fi; \
-	if test "$(MANTYPE)" = "man"; then \
-		$(FIXPATHSCMD) $${manpage} | $(AWK) -f $(srcdir)/mdoc2man.awk > $@; \
-	else \
-		$(FIXPATHSCMD) $${manpage} > $@; \
-	fi
-
-$(CONFIGFILES): $(CONFIGFILES_IN)
-	conffile=`echo $@ | sed 's/.out$$//'`; \
-	$(FIXPATHSCMD) $(srcdir)/$${conffile} > $@
-
-ssh_prng_cmds.out:	ssh_prng_cmds
-	if test ! -z "$(INSTALL_SSH_PRNG_CMDS)"; then \
-		$(PERL) $(srcdir)/fixprogs ssh_prng_cmds $(ENT); \
-	fi
-
-# fake rule to stop make trying to compile moduli.o into a binary "moduli.o"
-moduli:
-	echo
-
-clean:	regressclean
-	rm -f *.o *.a $(TARGETS) logintest config.cache config.log
-	rm -f *.out core survey
-	(cd openbsd-compat && $(MAKE) clean)
-
-distclean:	regressclean
-	rm -f *.o *.a $(TARGETS) logintest config.cache config.log
-	rm -f *.out core opensshd.init openssh.xml
-	rm -f Makefile buildpkg.sh config.h config.status ssh_prng_cmds
-	rm -f survey.sh openbsd-compat/regress/Makefile *~ 
-	rm -rf autom4te.cache
-	(cd openbsd-compat && $(MAKE) distclean)
-	(cd scard && $(MAKE) distclean)
-	if test -d pkg ; then \
-		rm -fr pkg ; \
-	fi
-
-veryclean: distclean
-	rm -f configure config.h.in *.0
-
-mrproper: veryclean
-
-realclean: veryclean
-
-catman-do:
-	@for f in $(MANPAGES_IN) ; do \
-		base=`echo $$f | sed 's/\..*$$//'` ; \
-		echo "$$f -> $$base.0" ; \
-		nroff -mandoc $$f | cat -v | sed -e 's/.\^H//g' \
-			>$$base.0 ; \
-	done
-
-distprep: catman-do
-	$(AUTORECONF)
-	-rm -rf autom4te.cache
-	(cd scard && $(MAKE) -f Makefile.in distprep)
-
-install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
-install-nokeys: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf
-install-nosysconf: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files
-
-check-config:
-	-$(DESTDIR)$(sbindir)/sshd -t -f $(DESTDIR)$(sysconfdir)/sshd_config
-
-scard-install:
-	(cd scard && $(MAKE) DESTDIR=$(DESTDIR) install)
-
-install-files: scard-install
-	$(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
-	$(srcdir)/mkinstalldirs $(DESTDIR)$(sbindir)
-	$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)
-	$(srcdir)/mkinstalldirs $(DESTDIR)$(datadir)
-	$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)1
-	$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)5
-	$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8
-	$(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir)
-	(umask 022 ; $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH))
-	$(INSTALL) -m 0755 $(STRIP_OPT) ssh $(DESTDIR)$(bindir)/ssh
-	$(INSTALL) -m 0755 $(STRIP_OPT) scp $(DESTDIR)$(bindir)/scp
-	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-add $(DESTDIR)$(bindir)/ssh-add
-	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent $(DESTDIR)$(bindir)/ssh-agent
-	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen $(DESTDIR)$(bindir)/ssh-keygen
-	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan $(DESTDIR)$(bindir)/ssh-keyscan
-	$(INSTALL) -m 0755 $(STRIP_OPT) sshd $(DESTDIR)$(sbindir)/sshd
-	if test ! -z "$(INSTALL_SSH_RAND_HELPER)" ; then \
-		$(INSTALL) -m 0755 $(STRIP_OPT) ssh-rand-helper $(DESTDIR)$(libexecdir)/ssh-rand-helper ; \
-	fi
-	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign $(DESTDIR)$(SSH_KEYSIGN)
-	$(INSTALL) -m 0755 $(STRIP_OPT) sftp $(DESTDIR)$(bindir)/sftp
-	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server $(DESTDIR)$(SFTP_SERVER)
-	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-	$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
-	$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-	$(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
-	$(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
-	$(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
-	$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
-	$(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
-	$(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
-	if [ ! -z "$(INSTALL_SSH_RAND_HELPER)" ]; then \
-		$(INSTALL) -m 644 ssh-rand-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8 ; \
-	fi
-	$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
-	$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
-	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-	-rm -f $(DESTDIR)$(bindir)/slogin
-	ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
-	ln -s ./ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
-
-install-sysconf:
-	if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
-		$(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \
-	fi
-	@if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_config ]; then \
-		$(INSTALL) -m 644 ssh_config.out $(DESTDIR)$(sysconfdir)/ssh_config; \
-	else \
-		echo "$(DESTDIR)$(sysconfdir)/ssh_config already exists, install will not overwrite"; \
-	fi
-	@if [ ! -f $(DESTDIR)$(sysconfdir)/sshd_config ]; then \
-		$(INSTALL) -m 644 sshd_config.out $(DESTDIR)$(sysconfdir)/sshd_config; \
-	else \
-		echo "$(DESTDIR)$(sysconfdir)/sshd_config already exists, install will not overwrite"; \
-	fi
-	@if [ -f ssh_prng_cmds ] && [ ! -z "$(INSTALL_SSH_PRNG_CMDS)" ]; then \
-		if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_prng_cmds ] ; then \
-			$(INSTALL) -m 644 ssh_prng_cmds.out $(DESTDIR)$(sysconfdir)/ssh_prng_cmds; \
-		else \
-			echo "$(DESTDIR)$(sysconfdir)/ssh_prng_cmds already exists, install will not overwrite"; \
-		fi ; \
-	fi
-	@if [ ! -f $(DESTDIR)$(sysconfdir)/moduli ]; then \
-		if [ -f $(DESTDIR)$(sysconfdir)/primes ]; then \
-			echo "moving $(DESTDIR)$(sysconfdir)/primes to $(DESTDIR)$(sysconfdir)/moduli"; \
-			mv "$(DESTDIR)$(sysconfdir)/primes" "$(DESTDIR)$(sysconfdir)/moduli"; \
-		else \
-			$(INSTALL) -m 644 moduli.out $(DESTDIR)$(sysconfdir)/moduli; \
-		fi ; \
-	else \
-		echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
-	fi
-
-host-key: ssh-keygen$(EXEEXT)
-	@if [ -z "$(DESTDIR)" ] ; then \
-		if [ -f "$(DESTDIR)$(sysconfdir)/ssh_host_key" ] ; then \
-			echo "$(DESTDIR)$(sysconfdir)/ssh_host_key already exists, skipping." ; \
-		else \
-			./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N "" ; \
-		fi ; \
-		if [ -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key ] ; then \
-			echo "$(DESTDIR)$(sysconfdir)/ssh_host_dsa_key already exists, skipping." ; \
-		else \
-			./ssh-keygen -t dsa -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N "" ; \
-		fi ; \
-		if [ -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key ] ; then \
-			echo "$(DESTDIR)$(sysconfdir)/ssh_host_rsa_key already exists, skipping." ; \
-		else \
-			./ssh-keygen -t rsa -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key -N "" ; \
-		fi ; \
-	fi ;
-
-host-key-force: ssh-keygen$(EXEEXT)
-	./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N ""
-	./ssh-keygen -t dsa -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N ""
-	./ssh-keygen -t rsa -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key -N ""
-
-uninstallall:	uninstall
-	-rm -f $(DESTDIR)$(sysconfdir)/ssh_config
-	-rm -f $(DESTDIR)$(sysconfdir)/sshd_config
-	-rm -f $(DESTDIR)$(sysconfdir)/ssh_prng_cmds
-	-rmdir $(DESTDIR)$(sysconfdir)
-	-rmdir $(DESTDIR)$(bindir)
-	-rmdir $(DESTDIR)$(sbindir)
-	-rmdir $(DESTDIR)$(mandir)/$(mansubdir)1
-	-rmdir $(DESTDIR)$(mandir)/$(mansubdir)8
-	-rmdir $(DESTDIR)$(mandir)
-	-rmdir $(DESTDIR)$(libexecdir)
-
-uninstall:
-	-rm -f $(DESTDIR)$(bindir)/slogin
-	-rm -f $(DESTDIR)$(bindir)/ssh$(EXEEXT)
-	-rm -f $(DESTDIR)$(bindir)/scp$(EXEEXT)
-	-rm -f $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
-	-rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
-	-rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
-	-rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
-	-rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
-	-rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
-	-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-	-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
-	-rm -f $(DESTDIR)$(RAND_HELPER)$(EXEEXT)
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
-
-tests:	$(TARGETS)
-	BUILDDIR=`pwd`; \
-	[ -d `pwd`/regress ]  ||  mkdir -p `pwd`/regress; \
-	[ -f `pwd`/regress/Makefile ]  || \
-	    ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile ; \
-	TEST_SHELL="@TEST_SHELL@"; \
-	TEST_SSH_SSH="$${BUILDDIR}/ssh"; \
-	TEST_SSH_SSHD="$${BUILDDIR}/sshd"; \
-	TEST_SSH_SSHAGENT="$${BUILDDIR}/ssh-agent"; \
-	TEST_SSH_SSHADD="$${BUILDDIR}/ssh-add"; \
-	TEST_SSH_SSHKEYGEN="$${BUILDDIR}/ssh-keygen"; \
-	TEST_SSH_SSHKEYSCAN="$${BUILDDIR}/ssh-keyscan"; \
-	TEST_SSH_SFTP="$${BUILDDIR}/sftp"; \
-	TEST_SSH_SFTPSERVER="$${BUILDDIR}/sftp-server"; \
-	cd $(srcdir)/regress || exit $$?; \
-	$(MAKE) \
-		.OBJDIR="$${BUILDDIR}/regress" \
-		.CURDIR="`pwd`" \
-		BUILDDIR="$${BUILDDIR}" \
-		OBJ="$${BUILDDIR}/regress/" \
-		PATH="$${BUILDDIR}:$${PATH}" \
-		TEST_SHELL="$${TEST_SHELL}" \
-		TEST_SSH_SSH="$${TEST_SSH_SSH}" \
-		TEST_SSH_SSHD="$${TEST_SSH_SSHD}" \
-		TEST_SSH_SSHAGENT="$${TEST_SSH_SSHAGENT}" \
-		TEST_SSH_SSHADD="$${TEST_SSH_SSHADD}" \
-		TEST_SSH_SSHKEYGEN="$${TEST_SSH_SSHKEYGEN}" \
-		TEST_SSH_SSHKEYSCAN="$${TEST_SSH_SSHKEYSCAN}" \
-		TEST_SSH_SFTP="$${TEST_SSH_SFTP}" \
-		TEST_SSH_SFTPSERVER="$${TEST_SSH_SFTPSERVER}" \
-		EXEEXT="$(EXEEXT)" \
-		$@
-
-compat-tests: $(LIBCOMPAT)
-	(cd openbsd-compat/regress && $(MAKE))
-
-regressclean:
-	if [ -f regress/Makefile ] && [ -r regress/Makefile ]; then \
-		(cd regress && $(MAKE) clean) \
-	fi
-
-survey: survey.sh ssh
-	@$(SHELL) ./survey.sh > survey
-	@echo 'The survey results have been placed in the file "survey" in the'
-	@echo 'current directory.  Please review the file then send with'
-	@echo '"make send-survey".'
-
-send-survey:	survey
-	mail portable-survey@mindrot.org <survey
-
-package: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS)
-	if [ "@MAKE_PACKAGE_SUPPORTED@" = yes ]; then \
-		sh buildpkg.sh; \
-	fi
-
diff --git a/crypto/openssh/Makefile.inc b/crypto/openssh/Makefile.inc
deleted file mode 100644
index c68f59a..0000000
--- a/crypto/openssh/Makefile.inc
+++ /dev/null
@@ -1,26 +0,0 @@
-#	$OpenBSD: Makefile.inc,v 1.23 2002/03/06 00:23:27 markus Exp $
-
-CFLAGS+=	-I${.CURDIR}/..
-
-CDIAGFLAGS=	-Wall
-#CDIAGFLAGS+=	-Werror
-CDIAGFLAGS+=	-Wpointer-arith
-CDIAGFLAGS+=	-Wno-uninitialized
-#CDIAGFLAGS+=	-Wstrict-prototypes
-CDIAGFLAGS+=	-Wmissing-prototypes
-CDIAGFLAGS+=	-Wunused
-
-#DEBUG=-g
-
-#CFLAGS+=	-DSMARTCARD
-#LDADD+=	-lsectok
-
-.include <bsd.obj.mk>
-
-.if exists(${.CURDIR}/../lib/${__objdir})
-LDADD+=         -L${.CURDIR}/../lib/${__objdir} -lssh
-DPADD+=         ${.CURDIR}/../lib/${__objdir}/libssh.a
-.else
-LDADD+=         -L${.CURDIR}/../lib -lssh
-DPADD+=         ${.CURDIR}/../lib/libssh.a
-.endif
diff --git a/crypto/openssh/OVERVIEW b/crypto/openssh/OVERVIEW
deleted file mode 100644
index 2e1cc0b..0000000
--- a/crypto/openssh/OVERVIEW
+++ /dev/null
@@ -1,168 +0,0 @@
-[Note: This file has not been updated for OpenSSH versions after
-OpenSSH-1.2 and should be considered OBSOLETE.  It has been left in
-the distribution because some of its information may still be useful
-to developers.]
-
-This document is intended for those who wish to read the ssh source
-code.  This tries to give an overview of the structure of the code.
-
-Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>
-Updated 17 Nov 1995.
-Updated 19 Oct 1999 for OpenSSH-1.2
-Updated 20 May 2001 note obsolete for > OpenSSH-1.2
-
-The software consists of ssh (client), sshd (server), scp, sdist, and
-the auxiliary programs ssh-keygen, ssh-agent, ssh-add, and
-make-ssh-known-hosts.  The main program for each of these is in a .c
-file with the same name.
-
-There are some subsystems/abstractions that are used by a number of
-these programs.
-
-  Buffer manipulation routines
-
-    - These provide an arbitrary size buffer, where data can be appended.
-      Data can be consumed from either end.  The code is used heavily
-      throughout ssh.  The basic buffer manipulation functions are in
-      buffer.c (header buffer.h), and additional code to manipulate specific
-      data types is in bufaux.c.
-
-  Compression Library
-
-    - Ssh uses the GNU GZIP compression library (ZLIB).
-
-  Encryption/Decryption
-
-    - Ssh contains several encryption algorithms.  These are all
-      accessed through the cipher.h interface.  The interface code is
-      in cipher.c, and the implementations are in libc.
-
-  Multiple Precision Integer Library
-
-    - Uses the SSLeay BIGNUM sublibrary.
-
-  Random Numbers
-
-    - Uses arc4random() and such.
-
-  RSA key generation, encryption, decryption
-
-    - Ssh uses the RSA routines in libssl.
-
-  RSA key files
-
-    - RSA keys are stored in files with a special format.  The code to
-      read/write these files is in authfile.c.  The files are normally
-      encrypted with a passphrase.  The functions to read passphrases
-      are in readpass.c (the same code is used to read passwords).
-
-  Binary packet protocol
-
-    - The ssh binary packet protocol is implemented in packet.c.  The
-      code in packet.c does not concern itself with packet types or their
-      execution; it contains code to build packets, to receive them and
-      extract data from them, and the code to compress and/or encrypt
-      packets.  CRC code comes from crc32.c.
-
-    - The code in packet.c calls the buffer manipulation routines
-      (buffer.c, bufaux.c), compression routines (compress.c, zlib),
-      and the encryption routines.
-
-  X11, TCP/IP, and Agent forwarding
-
-    - Code for various types of channel forwarding is in channels.c.
-      The file defines a generic framework for arbitrary communication
-      channels inside the secure channel, and uses this framework to
-      implement X11 forwarding, TCP/IP forwarding, and authentication
-      agent forwarding.
-      The new, Protocol 1.5, channel close implementation is in nchan.c
-
-  Authentication agent
-
-    - Code to communicate with the authentication agent is in authfd.c.
-
-  Authentication methods
-
-    - Code for various authentication methods resides in auth-*.c
-      (auth-passwd.c, auth-rh-rsa.c, auth-rhosts.c, auth-rsa.c).  This
-      code is linked into the server.  The routines also manipulate
-      known hosts files using code in hostfile.c.  Code in canohost.c
-      is used to retrieve the canonical host name of the remote host.
-      Code in match.c is used to match host names.
-
-    - In the client end, authentication code is in sshconnect.c.  It
-      reads Passwords/passphrases using code in readpass.c.  It reads
-      RSA key files with authfile.c.  It communicates the
-      authentication agent using authfd.c.
-
-  The ssh client
-
-    - The client main program is in ssh.c.  It first parses arguments
-      and reads configuration (readconf.c), then calls ssh_connect (in
-      sshconnect.c) to open a connection to the server (possibly via a
-      proxy), and performs authentication (ssh_login in sshconnect.c).
-      It then makes any pty, forwarding, etc. requests.  It may call
-      code in ttymodes.c to encode current tty modes.  Finally it
-      calls client_loop in clientloop.c.  This does the real work for
-      the session.
-
-    - The client is suid root.  It tries to temporarily give up this
-      rights while reading the configuration data.  The root
-      privileges are only used to make the connection (from a
-      privileged socket).  Any extra privileges are dropped before
-      calling ssh_login.
-
-  Pseudo-tty manipulation and tty modes
-
-    - Code to allocate and use a pseudo tty is in pty.c.  Code to
-      encode and set terminal modes is in ttymodes.c.
-
-  Logging in (updating utmp, lastlog, etc.)
-
-    - The code to do things that are done when a user logs in are in
-      login.c.  This includes things such as updating the utmp, wtmp,
-      and lastlog files.  Some of the code is in sshd.c.
-
-  Writing to the system log and terminal
-
-    - The programs use the functions fatal(), log(), debug(), error()
-      in many places to write messages to system log or user's
-      terminal.  The implementation that logs to system log is in
-      log-server.c; it is used in the server program.  The other
-      programs use an implementation that sends output to stderr; it
-      is in log-client.c.  The definitions are in ssh.h.
-
-  The sshd server (daemon)
-
-    - The sshd daemon starts by processing arguments and reading the
-      configuration file (servconf.c).  It then reads the host key,
-      starts listening for connections, and generates the server key.
-      The server key will be regenerated every hour by an alarm.
-
-    - When the server receives a connection, it forks, disables the
-      regeneration alarm, and starts communicating with the client.
-      They first perform identification string exchange, then
-      negotiate encryption, then perform authentication, preparatory
-      operations, and finally the server enters the normal session
-      mode by calling server_loop in serverloop.c.  This does the real
-      work, calling functions in other modules.
-
-    - The code for the server is in sshd.c.  It contains a lot of
-      stuff, including:
-	- server main program
-	- waiting for connections
-	- processing new connection
-	- authentication
-	- preparatory operations
-	- building up the execution environment for the user program
-	- starting the user program.
-
-  Auxiliary files
-
-    - There are several other files in the distribution that contain
-      various auxiliary routines:
-	ssh.h	     the main header file for ssh (various definitions)
-	uidswap.c    uid-swapping
-	xmalloc.c    "safe" malloc routines
-
-$OpenBSD: OVERVIEW,v 1.11 2006/08/03 03:34:41 deraadt Exp $
diff --git a/crypto/openssh/README b/crypto/openssh/README
deleted file mode 100644
index fb53b55..0000000
--- a/crypto/openssh/README
+++ /dev/null
@@ -1,65 +0,0 @@
-See http://www.openssh.com/txt/release-4.5 for the release notes.
-
-- A Japanese translation of this document and of the OpenSSH FAQ is
-- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
-- Thanks to HARUYAMA Seigo <haruyama@unixuser.org>
-
-This is the port of OpenBSD's excellent OpenSSH[0] to Linux and other
-Unices.
-
-OpenSSH is based on the last free version of Tatu Ylonen's sample
-implementation with all patent-encumbered algorithms removed (to
-external libraries), all known security bugs fixed, new features
-reintroduced and many other clean-ups.  OpenSSH has been created by
-Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt,
-and Dug Song. It has a homepage at http://www.openssh.com/
-
-This port consists of the re-introduction of autoconf support, PAM
-support, EGD[1]/PRNGD[2] support and replacements for OpenBSD library
-functions that are (regrettably) absent from other unices. This port
-has been best tested on AIX, Cygwin, HP-UX, Linux, MacOS/X,
-NetBSD, OpenBSD, OpenServer, Solaris, Unicos, and UnixWare.
-
-This version actively tracks changes in the OpenBSD CVS repository.
-
-The PAM support is now more functional than the popular packages of
-commercial ssh-1.2.x. It checks "account" and "session" modules for
-all logins, not just when using password authentication.
-
-OpenSSH depends on Zlib[3], OpenSSL[4] and optionally PAM[5].
-
-There is now several mailing lists for this port of OpenSSH. Please
-refer to http://www.openssh.com/list.html for details on how to join.
-
-Please send bug reports and patches to the mailing list
-openssh-unix-dev@mindrot.org. The list is open to posting by
-unsubscribed users.Code contribution are welcomed, but please follow the 
-OpenBSD style guidelines[6].
-
-Please refer to the INSTALL document for information on how to install
-OpenSSH on your system. There are a number of differences between this
-port of OpenSSH and F-Secure SSH 1.x, please refer to the OpenSSH FAQ[7]
-for details and general tips.
-
-Damien Miller <djm@mindrot.org>
-
-Miscellania -
-
-This version of OpenSSH is based upon code retrieved from the OpenBSD
-CVS repository which in turn was based on the last free sample
-implementation released by Tatu Ylonen.
-
-References -
-
-[0] http://www.openssh.com/faq.html
-[1] http://www.lothar.com/tech/crypto/
-[2] http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html
-[3] http://www.gzip.org/zlib/
-[4] http://www.openssl.org/
-[5] http://www.openpam.org
-    http://www.kernel.org/pub/linux/libs/pam/ 
-    (PAM also is standard on Solaris and HP-UX 11)
-[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
-[7] http://www.openssh.com/faq.html
-
-$Id: README,v 1.64 2006/11/07 12:25:45 dtucker Exp $
diff --git a/crypto/openssh/README.dns b/crypto/openssh/README.dns
deleted file mode 100644
index 9787918..0000000
--- a/crypto/openssh/README.dns
+++ /dev/null
@@ -1,47 +0,0 @@
-How to verify host keys using OpenSSH and DNS
----------------------------------------------
-
-OpenSSH contains support for verifying host keys using DNS as described in
-draft-ietf-secsh-dns-05.txt. The document contains very brief instructions
-on how to use this feature. Configuring DNS is out of the scope of this
-document.
-
-
-(1) Server: Generate and publish the DNS RR
-
-To create a DNS resource record (RR) containing a fingerprint of the
-public host key, use the following command:
-
-	ssh-keygen -r hostname -f keyfile -g
-
-where "hostname" is your fully qualified hostname and "keyfile" is the
-file containing the public host key file. If you have multiple keys,
-you should generate one RR for each key.
-
-In the example above, ssh-keygen will print the fingerprint in a
-generic DNS RR format parsable by most modern name server
-implementations. If your nameserver has support for the SSHFP RR
-you can omit the -g flag and ssh-keygen will print a standard SSHFP RR.
-
-To publish the fingerprint using the DNS you must add the generated RR
-to your DNS zone file and sign your zone.
-
-
-(2) Client: Enable ssh to verify host keys using DNS
-
-To enable the ssh client to verify host keys using DNS, you have to
-add the following option to the ssh configuration file
-($HOME/.ssh/config or /etc/ssh/ssh_config):
-
-    VerifyHostKeyDNS yes
-
-Upon connection the client will try to look up the fingerprint RR
-using DNS. If the fingerprint received from the DNS server matches
-the remote host key, the user will be notified.
-
-
-	Jakob Schlyter
-	Wesley Griffin
-
-
-$OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $
diff --git a/crypto/openssh/README.openssh2 b/crypto/openssh/README.openssh2
deleted file mode 100644
index 12c90aa..0000000
--- a/crypto/openssh/README.openssh2
+++ /dev/null
@@ -1,44 +0,0 @@
-$Id: README.openssh2,v 1.8 2000/05/07 18:30:03 markus Exp $
-
-howto:
-	1) generate server key:
-		$ ssh-keygen -d -f /etc/ssh_host_dsa_key -N ''
-	2) enable ssh2:
-		server: add 'Protocol 2,1' to /etc/sshd_config
-		client: ssh -o 'Protocol 2,1', or add to .ssh/config
-	3) DSA authentication similar to RSA (add keys to ~/.ssh/authorized_keys2)
-	   interop w/ ssh.com dsa-keys:
-		ssh-keygen -f /key/from/ssh.com -X >> ~/.ssh/authorized_keys2
-	   and vice versa
-		ssh-keygen -f /privatekey/from/openssh -x > ~/.ssh2/mykey.pub
-		echo Key mykey.pub >> ~/.ssh2/authorization
-
-works:
-	secsh-transport: works w/o rekey
-		proposal exchange, i.e. different enc/mac/comp per direction
-		encryption: blowfish-cbc, 3des-cbc, arcfour, cast128-cbc
-		mac: hmac-md5, hmac-sha1, (hmac-ripemd160)
-		compression: zlib, none
-	secsh-userauth: passwd and pubkey with DSA
-	secsh-connection: pty+shell or command, flow control works (window adjust)
-		tcp-forwarding: -L works, -R incomplete
-		x11-fwd
-	dss/dsa: host key database in ~/.ssh/known_hosts2
-	client interops w/ sshd2, lshd
-	server interops w/ ssh2, lsh, ssh.com's Windows client, SecureCRT, F-Secure SSH Client 4.0, SecureFX (secure ftp)
-	server supports multiple concurrent sessions (e.g. with SSH.com Windows client)
-todo:
-	re-keying
-	secsh-connection features:
-		 tcp-forwarding, agent-fwd
-	auth other than passwd, and DSA-pubkey:
-		 keyboard-interactive, (PGP-pubkey?)
-	config
-	server-auth w/ old host-keys
-	cleanup
-	advanced key storage?
-	keynote
-	sftp
-
--markus
-$Date: 2000/05/07 18:30:03 $
diff --git a/crypto/openssh/README.platform b/crypto/openssh/README.platform
deleted file mode 100644
index b7dc3f9..0000000
--- a/crypto/openssh/README.platform
+++ /dev/null
@@ -1,70 +0,0 @@
-This file contains notes about OpenSSH on specific platforms.
-
-AIX
----
-As of OpenSSH 3.8p1, sshd will now honour an accounts password expiry
-settings, where previously it did not.  Because of this, it's possible for
-sites that have used OpenSSH's sshd exclusively to have accounts which
-have passwords expired longer than the inactive time (ie the "Weeks between
-password EXPIRATION and LOCKOUT" setting in SMIT or the maxexpired
-chuser attribute).
-
-Accounts in this state must have their passwords reset manually by the
-administrator.  As a precaution, it is recommended that the administrative
-passwords be reset before upgrading from OpenSSH <3.8.
-
-As of OpenSSH 4.0, configure will attempt to detect if your version
-and maintenance level of AIX has a working getaddrinfo, and will use it
-if found.  This will enable IPv6 support.  If for some reason configure
-gets it wrong, or if you want to build binaries to work on earlier MLs
-than the build host then you can add "-DBROKEN_GETADDRINFO" to CFLAGS
-to force the previous IPv4-only behaviour.
-
-IPv6 known to work: 5.1ML7 5.2ML2 5.2ML5
-IPv6 known broken: 4.3.3ML11 5.1ML4
-
-Cygwin
-------
-To build on Cygwin, OpenSSH requires the following packages:
-gcc, gcc-mingw-core, mingw-runtime, binutils, make, openssl,
-openssl-devel, zlib, minres, minires-devel.
-
-
-Darwin and MacOS X
-------------------
-Darwin does not provide a tun(4) driver required for OpenSSH-based
-virtual private networks. The BSD manpage still exists, but the driver
-has been removed in recent releases of Darwin and MacOS X.
-
-Nevertheless, tunnel support is known to work with Darwin 8 and
-MacOS X 10.4 in Point-to-Point (Layer 3) and Ethernet (Layer 2) mode
-using a third party driver. More information is available at:
-	http://www-user.rhrk.uni-kl.de/~nissler/tuntap/
-
-
-Solaris
--------
-If you enable BSM auditing on Solaris, you need to update audit_event(4)
-for praudit(1m) to give sensible output.  The following line needs to be
-added to /etc/security/audit_event:
-
-	32800:AUE_openssh:OpenSSH login:lo
-
-The BSM audit event range available for third party TCB applications is
-32768 - 65535.  Event number 32800 has been choosen for AUE_openssh.
-There is no official registry of 3rd party event numbers, so if this
-number is already in use on your system, you may change it at build time
-by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.
-
-
-Platforms using PAM
--------------------
-As of OpenSSH 4.3p1, sshd will no longer check /etc/nologin itself when
-PAM is enabled.  To maintain existing behaviour, pam_nologin should be
-added to sshd's session stack which will prevent users from starting shell
-sessions.  Alternatively, pam_nologin can be added to either the auth or
-account stacks which will prevent authentication entirely, but will still
-return the output from pam_nologin to the client.
-
-
-$Id: README.platform,v 1.7 2006/06/23 11:05:13 dtucker Exp $
diff --git a/crypto/openssh/README.privsep b/crypto/openssh/README.privsep
deleted file mode 100644
index f565e72..0000000
--- a/crypto/openssh/README.privsep
+++ /dev/null
@@ -1,63 +0,0 @@
-Privilege separation, or privsep, is method in OpenSSH by which
-operations that require root privilege are performed by a separate
-privileged monitor process.  Its purpose is to prevent privilege
-escalation by containing corruption to an unprivileged process.
-More information is available at:
-	http://www.citi.umich.edu/u/provos/ssh/privsep.html
-
-Privilege separation is now enabled by default; see the
-UsePrivilegeSeparation option in sshd_config(5).
-
-On systems which lack mmap or anonymous (MAP_ANON) memory mapping,
-compression must be disabled in order for privilege separation to
-function.
-
-When privsep is enabled, during the pre-authentication phase sshd will
-chroot(2) to "/var/empty" and change its privileges to the "sshd" user
-and its primary group.  sshd is a pseudo-account that should not be
-used by other daemons, and must be locked and should contain a
-"nologin" or invalid shell.
-
-You should do something like the following to prepare the privsep
-preauth environment:
-
-	# mkdir /var/empty
-	# chown root:sys /var/empty
-	# chmod 755 /var/empty
-	# groupadd sshd
-	# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
-
-/var/empty should not contain any files.
-
-configure supports the following options to change the default
-privsep user and chroot directory:
-
-  --with-privsep-path=xxx Path for privilege separation chroot
-  --with-privsep-user=user Specify non-privileged user for privilege separation
-
-Privsep requires operating system support for file descriptor passing.
-Compression will be disabled on systems without a working mmap MAP_ANON.
-
-PAM-enabled OpenSSH is known to function with privsep on AIX, FreeBSD, 
-HP-UX (including Trusted Mode), Linux, NetBSD and Solaris.
-
-On Cygwin, Tru64 Unix, OpenServer, and Unicos only the pre-authentication
-part of privsep is supported.  Post-authentication privsep is disabled
-automatically (so you won't see the additional process mentioned below).
-
-Note that for a normal interactive login with a shell, enabling privsep
-will require 1 additional process per login session.
-
-Given the following process listing (from HP-UX):
-
-     UID   PID  PPID  C    STIME TTY       TIME COMMAND
-    root  1005     1  0 10:45:17 ?         0:08 /opt/openssh/sbin/sshd -u0
-    root  6917  1005  0 15:19:16 ?         0:00 sshd: stevesk [priv]
- stevesk  6919  6917  0 15:19:17 ?         0:03 sshd: stevesk@2
- stevesk  6921  6919  0 15:19:17 pts/2     0:00 -bash
-
-process 1005 is the sshd process listening for new connections.
-process 6917 is the privileged monitor process, 6919 is the user owned
-sshd process and 6921 is the shell process.
-
-$Id: README.privsep,v 1.16 2005/06/04 23:21:41 djm Exp $
diff --git a/crypto/openssh/README.smartcard b/crypto/openssh/README.smartcard
deleted file mode 100644
index fdf83ec..0000000
--- a/crypto/openssh/README.smartcard
+++ /dev/null
@@ -1,93 +0,0 @@
-How to use smartcards with OpenSSH?
-
-OpenSSH contains experimental support for authentication using
-Cyberflex smartcards and TODOS card readers, in addition to the cards
-with PKCS#15 structure supported by OpenSC. To enable this you
-need to:
-
-Using libsectok:
-
-(1) enable sectok support in OpenSSH:
-
-	$ ./configure --with-sectok
-
-(2) If you have used a previous version of ssh with your card, you
-    must remove the old applet and keys.
-
-	$ sectok
-	sectok> login -d
-	sectok> junload Ssh.bin
-	sectok> delete 0012
-	sectok> delete sh
-	sectok> quit
-
-(3) load the Java Cardlet to the Cyberflex card and set card passphrase:
-
-	$ sectok
-	sectok> login -d
-	sectok> jload /usr/libdata/ssh/Ssh.bin
-	sectok> setpass
-	Enter new AUT0 passphrase:
-	Re-enter passphrase:
-	sectok> quit
-
-	Do not forget the passphrase.  There is no way to
-	recover if you do.
-
-	IMPORTANT WARNING: If you attempt to login with the
-	wrong passphrase three times in a row, you will
-	destroy your card.
-
-(4) load a RSA key to the card:
-
-	$ ssh-keygen -f /path/to/rsakey -U 1
-	(where 1 is the reader number, you can also try 0)
-
-	In spite of the name, this does not generate a key.
-	It just loads an already existing key on to the card.
-
-(5) Optional: If you don't want to use a card passphrase, change the
-    acl on the private key file:
-
-	$ sectok
-	sectok> login -d
-	sectok> acl 0012 world: w
-	 world: w
-	 AUT0: w inval
-	sectok> quit
-
-	If you do this, anyone who has access to your card
-	can assume your identity.  This is not recommended.
-
-
-Using OpenSC:
-
-(1) install OpenSC:
-
-	Sources and instructions are available from
-	http://www.opensc.org/
-
-(2) enable OpenSC support in OpenSSH:
-
-	$ ./configure --with-opensc[=/path/to/opensc] [options]
-
-(3) load a RSA key to the card:
-
-	Not supported yet.
-
-
-Common operations:
-
-(1) tell the ssh client to use the card reader:
-
-	$ ssh -I 1 otherhost
-
-(2) or tell the agent (don't forget to restart) to use the smartcard:
-
-	$ ssh-add -s 1
-
-
--markus,
-Tue Jul 17 23:54:51 CEST 2001
-
-$OpenBSD: README.smartcard,v 1.9 2003/11/21 11:57:02 djm Exp $
diff --git a/crypto/openssh/README.tun b/crypto/openssh/README.tun
deleted file mode 100644
index 5e1cb07..0000000
--- a/crypto/openssh/README.tun
+++ /dev/null
@@ -1,132 +0,0 @@
-How to use OpenSSH-based virtual private networks
--------------------------------------------------
-
-OpenSSH contains support for VPN tunneling using the tun(4) network
-tunnel pseudo-device which is available on most platforms, either for
-layer 2 or 3 traffic.
-
-The following brief instructions on how to use this feature use
-a network configuration specific to the OpenBSD operating system.
-
-(1) Server: Enable support for SSH tunneling
-
-To enable the ssh server to accept tunnel requests from the client, you
-have to add the following option to the ssh server configuration file
-(/etc/ssh/sshd_config):
-
-	PermitTunnel yes
-
-Restart the server or send the hangup signal (SIGHUP) to let the server
-reread it's configuration.
-
-(2) Server: Restrict client access and assign the tunnel
-
-The OpenSSH server simply uses the file /root/.ssh/authorized_keys to
-restrict the client to connect to a specified tunnel and to
-automatically start the related interface configuration command. These
-settings are optional but recommended:
-
-	tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... reyk@openbsd.org
-
-(3) Client: Configure the local network tunnel interface
-
-Use the hostname.if(5) interface-specific configuration file to set up
-the network tunnel configuration with OpenBSD. For example, use the
-following configuration in /etc/hostname.tun0 to set up the layer 3
-tunnel on the client:
-
-	inet 192.168.5.1 255.255.255.252 192.168.5.2
-
-OpenBSD also supports layer 2 tunneling over the tun device by adding
-the link0 flag:
-
-	inet 192.168.1.78 255.255.255.0 192.168.1.255 link0
-
-Layer 2 tunnels can be used in combination with an Ethernet bridge(4)
-interface, like the following example for /etc/bridgename.bridge0:
-
-	add tun0
-	add sis0
-	up
-
-(4) Client: Configure the OpenSSH client
-
-To establish tunnel forwarding for connections to a specified
-remote host by default, use the following ssh client configuration for
-the privileged user (in /root/.ssh/config):
-
-	Host sshgateway
-		Tunnel yes
-		TunnelDevice 0:any
-		PermitLocalCommand yes
-	        LocalCommand sh /etc/netstart tun0
-
-A more complicated configuration is possible to establish a tunnel to
-a remote host which is not directly accessible by the client.
-The following example describes a client configuration to connect to
-the remote host over two ssh hops in between. It uses the OpenSSH
-ProxyCommand in combination with the nc(1) program to forward the final
-ssh tunnel destination over multiple ssh sessions.
-
-	Host access.somewhere.net
-	        User puffy
-	Host dmzgw
-	        User puffy
-	        ProxyCommand ssh access.somewhere.net nc dmzgw 22
-	Host sshgateway
-	        Tunnel Ethernet
-	        TunnelDevice 0:any
-	        PermitLocalCommand yes
-	        LocalCommand sh /etc/netstart tun0
-	        ProxyCommand ssh dmzgw nc sshgateway 22
-
-The following network plan illustrates the previous configuration in
-combination with layer 2 tunneling and Ethernet bridging.
-
-+--------+       (          )      +----------------------+
-| Client |------(  Internet  )-----| access.somewhere.net |
-+--------+       (          )      +----------------------+
-    : 192.168.1.78                             |
-    :.............................         +-------+
-     Forwarded ssh connection    :         | dmzgw |
-     Layer 2 tunnel              :         +-------+
-                                 :             |
-                                 :             |
-                                 :      +------------+
-                                 :......| sshgateway |
-                                      | +------------+
---- real connection                 Bridge ->  |          +----------+
-... "virtual connection"                     [ X ]--------| somehost |
-[X] switch                                                +----------+
-                                                          192.168.1.25
-
-(5) Client: Connect to the server and establish the tunnel
-
-Finally connect to the OpenSSH server to establish the tunnel by using
-the following command:
-
-	ssh sshgateway
-
-It is also possible to tell the client to fork into the background after
-the connection has been successfully established:
-
-	ssh -f sshgateway true
-
-Without the ssh configuration done in step (4), it is also possible
-to use the following command lines:
-
-	ssh -fw 0:1 sshgateway true
-	ifconfig tun0 192.168.5.1 192.168.5.2 netmask 255.255.255.252
-
-Using OpenSSH tunnel forwarding is a simple way to establish secure
-and ad hoc virtual private networks. Possible fields of application
-could be wireless networks or administrative VPN tunnels.
-
-Nevertheless, ssh tunneling requires some packet header overhead and
-runs on top of TCP. It is still suggested to use the IP Security
-Protocol (IPSec) for robust and permanent VPN connections and to
-interconnect corporate networks.
-
-	Reyk Floeter
-
-$OpenBSD: README.tun,v 1.4 2006/03/28 00:12:31 deraadt Exp $
diff --git a/crypto/openssh/RFC.nroff b/crypto/openssh/RFC.nroff
deleted file mode 100644
index d6baed6..0000000
--- a/crypto/openssh/RFC.nroff
+++ /dev/null
@@ -1,1780 +0,0 @@
-.\" -*- nroff -*-
-.\"
-.\" $OpenBSD: RFC.nroff,v 1.2 2000/10/16 09:38:44 djm Exp $
-.\"
-.pl 10.0i
-.po 0
-.ll 7.2i
-.lt 7.2i
-.nr LL 7.2i
-.nr LT 7.2i
-.ds LF Ylonen
-.ds RF FORMFEED[Page %]
-.ds CF
-.ds LH Internet-Draft
-.ds RH 15 November 1995
-.ds CH SSH (Secure Shell) Remote Login Protocol
-.na
-.hy 0
-.in 0
-Network Working Group					       T. Ylonen
-Internet-Draft			       Helsinki University of Technology
-draft-ylonen-ssh-protocol-00.txt			15 November 1995
-Expires: 15 May 1996
-
-.in 3
-
-.ce
-The SSH (Secure Shell) Remote Login Protocol
-
-.ti 0
-Status of This Memo
-
-This document is an Internet-Draft.   Internet-Drafts  are  working
-documents of the Internet Engineering Task Force (IETF), its areas,
-and its working groups.  Note that other groups may also distribute
-working documents as Internet-Drafts.
-
-Internet-Drafts are draft documents valid  for  a  maximum  of  six
-months  and  may  be updated, replaced, or obsoleted by other docu-
-ments at any time.  It is inappropriate to use  Internet-Drafts  as
-reference  material  or  to  cite them other than as ``work in pro-
-gress.''
-
-To learn the current status of any Internet-Draft, please check the
-``1id-abstracts.txt'' listing contained in the Internet- Drafts Shadow
-Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
-munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
-ftp.isi.edu (US West Coast).
-
-The distribution of  this  memo  is  unlimited.
-
-.ti 0
-Introduction
-
-SSH (Secure Shell) is a program to log into another computer over a
-network, to execute commands in a remote machine, and to move files
-from one machine to another.  It provides strong authentication and
-secure communications over insecure networks.  Its features include
-the following:
-.IP o
-Closes several security holes (e.g., IP, routing, and DNS spoofing).
-New authentication methods: .rhosts together with RSA [RSA] based host
-authentication, and pure RSA authentication.
-.IP o
-All communications are automatically and transparently encrypted.
-Encryption is also used to protect integrity.
-.IP o
-X11 connection forwarding provides secure X11 sessions.
-.IP o
-Arbitrary TCP/IP ports can be redirected over the encrypted channel
-in both directions.
-.IP o
-Client RSA-authenticates the server machine in the beginning of every
-connection to prevent trojan horses (by routing or DNS spoofing) and
-man-in-the-middle attacks, and the server RSA-authenticates the client
-machine before accepting .rhosts or /etc/hosts.equiv authentication
-(to prevent DNS, routing, or IP spoofing).
-.IP o
-An authentication agent, running in the user's local workstation or
-laptop, can be used to hold the user's RSA authentication keys.
-.RT
-
-The goal has been to make the software as easy to use as possible for
-ordinary users.  The protocol has been designed to be as secure as
-possible while making it possible to create implementations that
-are easy to use and install.  The sample implementation has a number
-of convenient features that are not described in this document as they
-are not relevant for the protocol.
-
-
-.ti 0
-Overview of the Protocol
-
-The software consists of a server program running on a server machine,
-and a client program running on a client machine (plus a few auxiliary
-programs).  The machines are connected by an insecure IP [RFC0791]
-network (that can be monitored, tampered with, and spoofed by hostile
-parties).
-
-A connection is always initiated by the client side.  The server
-listens on a specific port waiting for connections.  Many clients may
-connect to the same server machine.
-
-The client and the server are connected via a TCP/IP [RFC0793] socket
-that is used for bidirectional communication.  Other types of
-transport can be used but are currently not defined.
-
-When the client connects the server, the server accepts the connection
-and responds by sending back its version identification string.  The
-client parses the server's identification, and sends its own
-identification.  The purpose of the identification strings is to
-validate that the connection was to the correct port, declare the
-protocol version number used, and to declare the software version used
-on each side (for debugging purposes).  The identification strings are
-human-readable.  If either side fails to understand or support the
-other side's version, it closes the connection.
-
-After the protocol identification phase, both sides switch to a packet
-based binary protocol.  The server starts by sending its host key
-(every host has an RSA key used to authenticate the host), server key
-(an RSA key regenerated every hour), and other information to the
-client.  The client then generates a 256 bit session key, encrypts it
-using both RSA keys (see below for details), and sends the encrypted
-session key and selected cipher type to the server.  Both sides then
-turn on encryption using the selected algorithm and key.  The server
-sends an encrypted confirmation message to the client.
-
-The client then authenticates itself using any of a number of
-authentication methods.  The currently supported authentication
-methods are .rhosts or /etc/hosts.equiv authentication (disabled by
-default), the same with RSA-based host authentication, RSA
-authentication, and password authentication.
-
-After successful authentication, the client makes a number of requests
-to prepare for the session.  Typical requests include allocating a
-pseudo tty, starting X11 [X11] or TCP/IP port forwarding, starting
-authentication agent forwarding, and executing the shell or a command.
-
-When a shell or command is executed, the connection enters interactive
-session mode.  In this mode, data is passed in both directions,
-new forwarded connections may be opened, etc.  The interactive session
-normally terminates when the server sends the exit status of the
-program to the client.
-
-
-The protocol makes several reservations for future extensibility.
-First of all, the initial protocol identification messages include the
-protocol version number.  Second, the first packet by both sides
-includes a protocol flags field, which can be used to agree on
-extensions in a compatible manner.  Third, the authentication and
-session preparation phases work so that the client sends requests to
-the server, and the server responds with success or failure.  If the
-client sends a request that the server does not support, the server
-simply returns failure for it.  This permits compatible addition of
-new authentication methods and preparation operations.  The
-interactive session phase, on the other hand, works asynchronously and
-does not permit the use of any extensions (because there is no easy
-and reliable way to signal rejection to the other side and problems
-would be hard to debug).  Any compatible extensions to this phase must
-be agreed upon during any of the earlier phases.
-
-.ti 0
-The Binary Packet Protocol
-
-After the protocol identification strings, both sides only send
-specially formatted packets.  The packet layout is as follows:
-.IP o
-Packet length: 32 bit unsigned integer, coded as four 8-bit bytes, msb
-first.  Gives the length of the packet, not including the length field
-and padding.  The maximum length of a packet (not including the length
-field and padding) is 262144 bytes.
-.IP o
-Padding: 1-8 bytes of random data (or zeroes if not encrypting).  The
-amount of padding is (8 - (length % 8)) bytes (where % stands for the
-modulo operator).  The rationale for always having some random padding
-at the beginning of each packet is to make known plaintext attacks
-more difficult.
-.IP o
-Packet type: 8-bit unsigned byte.  The value 255 is reserved for
-future extension.
-.IP o
-Data: binary data bytes, depending on the packet type.  The number of
-data bytes is the "length" field minus 5.
-.IP o
-Check bytes: 32-bit crc, four 8-bit bytes, msb first.  The crc is the
-Cyclic Redundancy Check, with the polynomial 0xedb88320, of the
-Padding, Packet type, and Data fields.  The crc is computed before
-any encryption.
-.RT
-
-The packet, except for the length field, may be encrypted using any of
-a number of algorithms.  The length of the encrypted part (Padding +
-Type + Data + Check) is always a multiple of 8 bytes.  Typically the
-cipher is used in a chained mode, with all packets chained together as
-if it was a single data stream (the length field is never included in
-the encryption process).  Details of encryption are described below.
-
-When the session starts, encryption is turned off.  Encryption is
-enabled after the client has sent the session key.  The encryption
-algorithm to use is selected by the client.
-
-
-.ti 0
-Packet Compression
-
-If compression is supported (it is an optional feature, see
-SSH_CMSG_REQUEST_COMPRESSION below), the packet type and data fields
-of the packet are compressed using the gzip deflate algorithm [GZIP].
-If compression is in effect, the packet length field indicates the
-length of the compressed data, plus 4 for the crc.  The amount of
-padding is computed from the compressed data, so that the amount of
-data to be encrypted becomes a multiple of 8 bytes.
-
-When compressing, the packets (type + data portions) in each direction
-are compressed as if they formed a continuous data stream, with only the
-current compression block flushed between packets.  This corresponds
-to the GNU ZLIB library Z_PARTIAL_FLUSH option.  The compression
-dictionary is not flushed between packets.  The two directions are
-compressed independently of each other.
-
-
-.ti 0
-Packet Encryption
-
-The protocol supports several encryption methods.  During session
-initialization, the server sends a bitmask of all encryption methods
-that it supports, and the client selects one of these methods.  The
-client also generates a 256-bit random session key (32 8-bit bytes) and
-sends it to the server.
-
-The encryption methods supported by the current implementation, and
-their codes are:
-.TS
-center;
-l r l.
-SSH_CIPHER_NONE	0	   No encryption
-SSH_CIPHER_IDEA	1	   IDEA in CFB mode
-SSH_CIPHER_DES	2	   DES in CBC mode
-SSH_CIPHER_3DES	3	   Triple-DES in CBC mode
-SSH_CIPHER_TSS	4	   An experimental stream cipher
-SSH_CIPHER_RC4	5	   RC4
-.TE
-
-All implementations are required to support SSH_CIPHER_DES and
-SSH_CIPHER_3DES.  Supporting SSH_CIPHER_IDEA, SSH_CIPHER_RC4, and
-SSH_CIPHER_NONE is recommended.  Support for SSH_CIPHER_TSS is
-optional (and it is not described in this document).  Other ciphers
-may be added at a later time; support for them is optional.
-
-For encryption, the encrypted portion of the packet is considered a
-linear byte stream.  The length of the stream is always a multiple of
-8.  The encrypted portions of consecutive packets (in the same
-direction) are encrypted as if they were a continuous buffer (that is,
-any initialization vectors are passed from the previous packet to the
-next packet).  Data in each direction is encrypted independently.
-.IP SSH_CIPHER_DES
-The key is taken from the first 8 bytes of the session key.  The least
-significant bit of each byte is ignored.  This results in 56 bits of
-key data.  DES [DES] is used in CBC mode.  The iv (initialization vector) is
-initialized to all zeroes.
-.IP SSH_CIPHER_3DES
-The variant of triple-DES used here works as follows: there are three
-independent DES-CBC ciphers, with independent initialization vectors.
-The data (the whole encrypted data stream) is first encrypted with the
-first cipher, then decrypted with the second cipher, and finally
-encrypted with the third cipher.  All these operations are performed
-in CBC mode.
-
-The key for the first cipher is taken from the first 8 bytes of the
-session key; the key for the next cipher from the next 8 bytes, and
-the key for the third cipher from the following 8 bytes.  All three
-initialization vectors are initialized to zero.
-
-(Note: the variant of 3DES used here differs from some other
-descriptions.)
-.IP SSH_CIPHER_IDEA
-The key is taken from the first 16 bytes of the session key.  IDEA
-[IDEA] is used in CFB mode.  The initialization vector is initialized
-to all zeroes.
-.IP SSH_CIPHER_TSS
-All 32 bytes of the session key are used as the key.
-
-There is no reference available for the TSS algorithm; it is currently
-only documented in the sample implementation source code.  The
-security of this cipher is unknown (but it is quite fast).  The cipher
-is basically a stream cipher that uses MD5 as a random number
-generator and takes feedback from the data.
-.IP SSH_CIPHER_RC4
-The first 16 bytes of the session key are used as the key for the
-server to client direction.  The remaining 16 bytes are used as the
-key for the client to server direction.  This gives independent
-128-bit keys for each direction.
-
-This algorithm is the alleged RC4 cipher posted to the Usenet in 1995.
-It is widely believed to be equivalent with the original RSADSI RC4
-cipher.  This is a very fast algorithm.
-.RT
-
-
-.ti 0
-Data Type Encodings
-
-The Data field of each packet contains data encoded as described in
-this section.  There may be several data items; each item is coded as
-described here, and their representations are concatenated together
-(without any alignment or padding).
-
-Each data type is stored as follows:
-.IP "8-bit byte"
-The byte is stored directly as a single byte.
-.IP "32-bit unsigned integer"
-Stored in 4 bytes, msb first.
-.IP "Arbitrary length binary string"
-First 4 bytes are the length of the string, msb first (not including
-the length itself).  The following "length" bytes are the string
-value.  There are no terminating null characters.
-.IP "Multiple-precision integer"
-First 2 bytes are the number of bits in the integer, msb first (for
-example, the value 0x00012345 would have 17 bits).  The value zero has
-zero bits.  It is permissible that the number of bits be larger than the
-real number of bits.
-
-The number of bits is followed by (bits + 7) / 8 bytes of binary data,
-msb first, giving the value of the integer.
-.RT
-
-
-.ti 0
-TCP/IP Port Number and Other Options
-
-The server listens for connections on TCP/IP port 22.
-
-The client may connect the server from any port.  However, if the
-client wishes to use any form of .rhosts or /etc/hosts.equiv
-authentication, it must connect from a privileged port (less than
-1024).
-
-For the IP Type of Service field [RFC0791], it is recommended that
-interactive sessions (those having a user terminal or forwarding X11
-connections) use the IPTOS_LOWDELAY, and non-interactive connections
-use IPTOS_THROUGHPUT.
-
-It is recommended that keepalives are used, because otherwise programs
-on the server may never notice if the other end of the connection is
-rebooted.
-
-
-.ti 0
-Protocol Version Identification
-
-After the socket is opened, the server sends an identification string,
-which is of the form
-"SSH-<protocolmajor>.<protocolminor>-<version>\\n", where
-<protocolmajor> and <protocolminor> are integers and specify the
-protocol version number (not software distribution version).
-<version> is server side software version string (max 40 characters);
-it is not interpreted by the remote side but may be useful for
-debugging.
-
-The client parses the server's string, and sends a corresponding
-string with its own information in response.  If the server has lower
-version number, and the client contains special code to emulate it,
-the client responds with the lower number; otherwise it responds with
-its own number.  The server then compares the version number the
-client sent with its own, and determines whether they can work
-together.  The server either disconnects, or sends the first packet
-using the binary packet protocol and both sides start working
-according to the lower of the protocol versions.
-
-By convention, changes which keep the protocol compatible with
-previous versions keep the same major protocol version; changes that
-are not compatible increment the major version (which will hopefully
-never happen).  The version described in this document is 1.3.
-
-The client will
-
-.ti 0
-Key Exchange and Server Host Authentication
-
-The first message sent by the server using the packet protocol is
-SSH_SMSG_PUBLIC_KEY.  It declares the server's host key, server public
-key, supported ciphers, supported authentication methods, and flags
-for protocol extensions.  It also contains a 64-bit random number
-(cookie) that must be returned in the client's reply (to make IP
-spoofing more difficult).  No encryption is used for this message.
-
-Both sides compute a session id as follows.  The modulus of the server
-key is interpreted as a byte string (without explicit length field,
-with minimum length able to hold the whole value), most significant
-byte first.  This string is concatenated with the server host key
-interpreted the same way.  Additionally, the cookie is concatenated
-with this.  Both sides compute MD5 of the resulting string.  The
-resulting 16 bytes (128 bits) are stored by both parties and are
-called the session id.
-
-The client responds with a SSH_CMSG_SESSION_KEY message, which
-contains the selected cipher type, a copy of the 64-bit cookie sent by
-the server, client's protocol flags, and a session key encrypted
-with both the server's host key and server key.  No encryption is used
-for this message.
-
-The session key is 32 8-bit bytes (a total of 256 random bits
-generated by the client).  The client first xors the 16 bytes of the
-session id with the first 16 bytes of the session key.  The resulting
-string is then encrypted using the smaller key (one with smaller
-modulus), and the result is then encrypted using the other key.  The
-number of bits in the public modulus of the two keys must differ by at
-least 128 bits.
-
-At each encryption step, a multiple-precision integer is constructed
-from the data to be encrypted as follows (the integer is here
-interpreted as a sequence of bytes, msb first; the number of bytes is
-the number of bytes needed to represent the modulus).
-
-The most significant byte (which is only partial as the value must be
-less than the public modulus, which is never a power of two) is zero.
-
-The next byte contains the value 2 (which stands for public-key
-encrypted data in the PKCS standard [PKCS#1]).  Then, there are
-non-zero random bytes to fill any unused space, a zero byte, and the
-data to be encrypted in the least significant bytes, the last byte of
-the data in the least significant byte.
-
-This algorithm is used twice.  First, it is used to encrypt the 32
-random bytes generated by the client to be used as the session key
-(xored by the session id).  This value is converted to an integer as
-described above, and encrypted with RSA using the key with the smaller
-modulus.  The resulting integer is converted to a byte stream, msb
-first.  This byte stream is padded and encrypted identically using the
-key with the larger modulus.
-
-After the client has sent the session key, it starts to use the
-selected algorithm and key for decrypting any received packets, and
-for encrypting any sent packets.  Separate ciphers are used for
-different directions (that is, both directions have separate
-initialization vectors or other state for the ciphers).
-
-When the server has received the session key message, and has turned
-on encryption, it sends a SSH_SMSG_SUCCESS message to the client.
-
-The recommended size of the host key is 1024 bits, and 768 bits for
-the server key.  The minimum size is 512 bits for the smaller key.
-
-
-.ti 0
-Declaring the User Name
-
-The client then sends a SSH_CMSG_USER message to the server.  This
-message specifies the user name to log in as.
-
-The server validates that such a user exists, checks whether
-authentication is needed, and responds with either SSH_SMSG_SUCCESS or
-SSH_SMSG_FAILURE.  SSH_SMSG_SUCCESS indicates that no authentication
-is needed for this user (no password), and authentication phase has
-now been completed.  SSH_SMSG_FAILURE indicates that authentication is
-needed (or the user does not exist).
-
-If the user does not exist, it is recommended that this returns
-failure, but the server keeps reading messages from the client, and
-responds to any messages (except SSH_MSG_DISCONNECT, SSH_MSG_IGNORE,
-and SSH_MSG_DEBUG) with SSH_SMSG_FAILURE.  This way the client cannot
-be certain whether the user exists.
-
-
-.ti 0
-Authentication Phase
-
-Provided the server didn't immediately accept the login, an
-authentication exchange begins.  The client sends messages to the
-server requesting different types of authentication in arbitrary order as
-many times as desired (however, the server may close the connection
-after a timeout).  The server always responds with SSH_SMSG_SUCCESS if
-it has accepted the authentication, and with SSH_SMSG_FAILURE if it has
-denied authentication with the requested method or it does not
-recognize the message.  Some authentication methods cause an exchange
-of further messages before the final result is sent.  The
-authentication phase ends when the server responds with success.
-
-The recommended value for the authentication timeout (timeout before
-disconnecting if no successful authentication has been made) is 5
-minutes.
-
-The following authentication methods are currently supported:
-.TS
-center;
-l r l.
-SSH_AUTH_RHOSTS	1	.rhosts or /etc/hosts.equiv
-SSH_AUTH_RSA	2	pure RSA authentication
-SSH_AUTH_PASSWORD	3	password authentication
-SSH_AUTH_RHOSTS_RSA	4	.rhosts with RSA host authentication
-.TE
-.IP SSH_AUTH_RHOSTS
-
-This is the authentication method used by rlogin and rsh [RFC1282].
-
-The client sends SSH_CMSG_AUTH_RHOSTS with the client-side user name
-as an argument.
-
-The server checks whether to permit authentication.  On UNIX systems,
-this is usually done by checking /etc/hosts.equiv, and .rhosts in the
-user's home directory.  The connection must come from a privileged
-port.
-
-It is recommended that the server checks that there are no IP options
-(such as source routing) specified for the socket before accepting
-this type of authentication.  The client host name should be
-reverse-mapped and then forward mapped to ensure that it has the
-proper IP-address.
-
-This authentication method trusts the remote host (root on the remote
-host can pretend to be any other user on that host), the name
-services, and partially the network: anyone who can see packets coming
-out from the server machine can do IP-spoofing and pretend to be any
-machine; however, the protocol prevents blind IP-spoofing (which used
-to be possible with rlogin).
-
-Many sites probably want to disable this authentication method because
-of the fundamental insecurity of conventional .rhosts or
-/etc/hosts.equiv authentication when faced with spoofing.  It is
-recommended that this method not be supported by the server by
-default.
-.IP SSH_AUTH_RHOSTS_RSA
-
-In addition to conventional .rhosts and hosts.equiv authentication,
-this method additionally requires that the client host be
-authenticated using RSA.
-
-The client sends SSH_CMSG_AUTH_RHOSTS_RSA specifying the client-side
-user name, and the public host key of the client host.
-
-The server first checks if normal .rhosts or /etc/hosts.equiv
-authentication would be accepted, and if not, responds with
-SSH_SMSG_FAILURE.  Otherwise, it checks whether it knows the host key
-for the client machine (using the same name for the host that was used
-for checking the .rhosts and /etc/hosts.equiv files).  If it does not
-know the RSA key for the client, access is denied and SSH_SMSG_FAILURE
-is sent.
-
-If the server knows the host key of the client machine, it verifies
-that the given host key matches that known for the client.  If not,
-access is denied and SSH_SMSG_FAILURE is sent.
-
-The server then sends a SSH_SMSG_AUTH_RSA_CHALLENGE message containing
-an encrypted challenge for the client.  The challenge is 32 8-bit
-random bytes (256 bits).  When encrypted, the highest (partial) byte
-is left as zero, the next byte contains the value 2, the following are
-non-zero random bytes, followed by a zero byte, and the challenge put
-in the remaining bytes.  This is then encrypted using RSA with the
-client host's public key.  (The padding and encryption algorithm is
-the same as that used for the session key.)
-
-The client decrypts the challenge using its private host key,
-concatenates this with the session id, and computes an MD5 checksum
-of the resulting 48 bytes.  The MD5 output is returned as 16 bytes in
-a SSH_CMSG_AUTH_RSA_RESPONSE message.  (MD5 is used to deter chosen
-plaintext attacks against RSA; the session id binds it to a specific
-session).
-
-The server verifies that the MD5 of the decrypted challenge returned by
-the client matches that of the original value, and sends SSH_SMSG_SUCCESS if
-so.  Otherwise it sends SSH_SMSG_FAILURE and refuses the
-authentication attempt.
-
-This authentication method trusts the client side machine in that root
-on that machine can pretend to be any user on that machine.
-Additionally, it trusts the client host key.  The name and/or IP
-address of the client host is only used to select the public host key.
-The same host name is used when scanning .rhosts or /etc/hosts.equiv
-and when selecting the host key.  It would in principle be possible to
-eliminate the host name entirely and substitute it directly by the
-host key.  IP and/or DNS [RFC1034] spoofing can only be used
-to pretend to be a host for which the attacker has the private host
-key.
-.IP SSH_AUTH_RSA
-
-The idea behind RSA authentication is that the server recognizes the
-public key offered by the client, generates a random challenge, and
-encrypts the challenge with the public key.  The client must then
-prove that it has the corresponding private key by decrypting the
-challenge.
-
-The client sends SSH_CMSG_AUTH_RSA with public key modulus (n) as an
-argument.
-
-The server may respond immediately with SSH_SMSG_FAILURE if it does
-not permit authentication with this key.  Otherwise it generates a
-challenge, encrypts it using the user's public key (stored on the
-server and identified using the modulus), and sends
-SSH_SMSG_AUTH_RSA_CHALLENGE with the challenge (mp-int) as an
-argument.
-
-The challenge is 32 8-bit random bytes (256 bits).  When encrypted,
-the highest (partial) byte is left as zero, the next byte contains the
-value 2, the following are non-zero random bytes, followed by a zero
-byte, and the challenge put in the remaining bytes.  This is then
-encrypted with the public key.  (The padding and encryption algorithm
-is the same as that used for the session key.)
-
-The client decrypts the challenge using its private key, concatenates
-it with the session id, and computes an MD5 checksum of the resulting
-48 bytes.  The MD5 output is returned as 16 bytes in a
-SSH_CMSG_AUTH_RSA_RESPONSE message.  (Note that the MD5 is necessary
-to avoid chosen plaintext attacks against RSA; the session id binds it
-to a specific session.)
-
-The server verifies that the MD5 of the decrypted challenge returned
-by the client matches that of the original value, and sends
-SSH_SMSG_SUCCESS if so.  Otherwise it sends SSH_SMSG_FAILURE and
-refuses the authentication attempt.
-
-This authentication method does not trust the remote host, the
-network, name services, or anything else.  Authentication is based
-solely on the possession of the private identification keys.  Anyone
-in possession of the private keys can log in, but nobody else.
-
-The server may have additional requirements for a successful
-authentiation.  For example, to limit damage due to a compromised RSA
-key, a server might restrict access to a limited set of hosts.
-.IP SSH_AUTH_PASSWORD
-
-The client sends a SSH_CMSG_AUTH_PASSWORD message with the plain text
-password.  (Note that even though the password is plain text inside
-the message, it is normally encrypted by the packet mechanism.)
-
-The server verifies the password, and sends SSH_SMSG_SUCCESS if
-authentication was accepted and SSH_SMSG_FAILURE otherwise.
-
-Note that the password is read from the user by the client; the user
-never interacts with a login program.
-
-This authentication method does not trust the remote host, the
-network, name services or anything else.  Authentication is based
-solely on the possession of the password.  Anyone in possession of the
-password can log in, but nobody else.
-.RT
-
-.ti 0
-Preparatory Operations
-
-After successful authentication, the server waits for a request from
-the client, processes the request, and responds with SSH_SMSG_SUCCESS
-whenever a request has been successfully processed.  If it receives a
-message that it does not recognize or it fails to honor a request, it
-returns SSH_SMSG_FAILURE.  It is expected that new message types might
-be added to this phase in future.
-
-The following messages are currently defined for this phase.
-.IP SSH_CMSG_REQUEST_COMPRESSION
-Requests that compression be enabled for this session.  A
-gzip-compatible compression level (1-9) is passed as an argument.
-.IP SSH_CMSG_REQUEST_PTY
-Requests that a pseudo terminal device be allocated for this session.
-The user terminal type and terminal modes are supplied as arguments.
-.IP SSH_CMSG_X11_REQUEST_FORWARDING
-Requests forwarding of X11 connections from the remote machine to the
-local machine over the secure channel.  Causes an internet-domain
-socket to be allocated and the DISPLAY variable to be set on the server.
-X11 authentication data is automatically passed to the server, and the
-client may implement spoofing of authentication data for added
-security.  The authentication data is passed as arguments.
-.IP SSH_CMSG_PORT_FORWARD_REQUEST
-Requests forwarding of a TCP/IP port on the server host over the
-secure channel.  What happens is that whenever a connection is made to
-the port on the server, a connection will be made from the client end
-to the specified host/port.  Any user can forward unprivileged ports;
-only the root can forward privileged ports (as determined by
-authentication done earlier).
-.IP SSH_CMSG_AGENT_REQUEST_FORWARDING
-Requests forwarding of the connection to the authentication agent.
-.IP SSH_CMSG_EXEC_SHELL
-Starts a shell (command interpreter) for the user, and moves into
-interactive session mode.
-.IP SSH_CMSG_EXEC_CMD
-Executes the given command (actually "<shell> -c <command>" or
-equivalent) for the user, and moves into interactive session mode.
-.RT
-
-
-.ti 0
-Interactive Session and Exchange of Data
-
-During the interactive session, any data written by the shell or
-command running on the server machine is forwarded to stdin or
-stderr on the client machine, and any input available from stdin on
-the client machine is forwarded to the program on the server machine.
-
-All exchange is asynchronous; either side can send at any time, and
-there are no acknowledgements (TCP/IP already provides reliable
-transport, and the packet protocol protects against tampering or IP
-spoofing).
-
-When the client receives EOF from its standard input, it will send
-SSH_CMSG_EOF; however, this in no way terminates the exchange.  The
-exchange terminates and interactive mode is left when the server sends
-SSH_SMSG_EXITSTATUS to indicate that the client program has
-terminated.  Alternatively, either side may disconnect at any time by
-sending SSH_MSG_DISCONNECT or closing the connection.
-
-The server may send any of the following messages:
-.IP SSH_SMSG_STDOUT_DATA
-Data written to stdout by the program running on the server.  The data
-is passed as a string argument.  The client writes this data to
-stdout.
-.IP SSH_SMSG_STDERR_DATA
-Data written to stderr by the program running on the server.  The data
-is passed as a string argument.  The client writes this data to
-stderr.  (Note that if the program is running on a tty, it is not
-possible to separate stdout and stderr data, and all data will be sent
-as stdout data.)
-.IP SSH_SMSG_EXITSTATUS
-Indicates that the shell or command has exited.  Exit status is passed
-as an integer argument.  This message causes termination of the
-interactive session.
-.IP SSH_SMSG_AGENT_OPEN
-Indicates that someone on the server side is requesting a connection
-to the authentication agent.  The server-side channel number is passed
-as an argument.  The client must respond with either
-SSH_CHANNEL_OPEN_CONFIRMATION or SSH_CHANNEL_OPEN_FAILURE.
-.IP SSH_SMSG_X11_OPEN
-Indicates that a connection has been made to the X11 socket on the
-server side and should be forwarded to the real X server.  An integer
-argument indicates the channel number allocated for this connection on
-the server side.  The client should send back either
-SSH_MSG_CHANNEL_OPEN_CONFIRMATION or SSH_MSG_CHANNEL_OPEN_FAILURE with
-the same server side channel number.
-.IP SSH_MSG_PORT_OPEN
-Indicates that a connection has been made to a port on the server side
-for which forwarding has been requested.  Arguments are server side
-channel number, host name to connect to, and port to connect to.  The
-client should send back either
-SSH_MSG_CHANNEL_OPEN_CONFIRMATION or SSH_MSG_CHANNEL_OPEN_FAILURE with
-the same server side channel number.
-.IP SSH_MSG_CHANNEL_OPEN_CONFIRMATION
-This is sent by the server to indicate that it has opened a connection
-as requested in a previous message.  The first argument indicates the
-client side channel number, and the second argument is the channel number
-that the server has allocated for this connection.
-.IP SSH_MSG_CHANNEL_OPEN_FAILURE
-This is sent by the server to indicate that it failed to open a
-connection as requested in a previous message.  The client-side
-channel number is passed as an argument.  The client will close the
-descriptor associated with the channel and free the channel.
-.IP SSH_MSG_CHANNEL_DATA
-This packet contains data for a channel from the server.  The first
-argument is the client-side channel number, and the second argument (a
-string) is the data.
-.IP SSH_MSG_CHANNEL_CLOSE
-This is sent by the server to indicate that whoever was in the other
-end of the channel has closed it.  The argument is the client side channel
-number.  The client will let all buffered data in the channel to
-drain, and when ready, will close the socket, free the channel, and
-send the server a SSH_MSG_CHANNEL_CLOSE_CONFIRMATION message for the
-channel.
-.IP SSH_MSG_CHANNEL_CLOSE_CONFIRMATION
-This is send by the server to indicate that a channel previously
-closed by the client has now been closed on the server side as well.
-The argument indicates the client channel number.  The client frees
-the channel.
-.RT
-
-The client may send any of the following messages:
-.IP SSH_CMSG_STDIN_DATA
-This is data to be sent as input to the program running on the server.
-The data is passed as a string.
-.IP SSH_CMSG_EOF
-Indicates that the client has encountered EOF while reading standard
-input.  The server will allow any buffered input data to drain, and
-will then close the input to the program.
-.IP SSH_CMSG_WINDOW_SIZE
-Indicates that window size on the client has been changed.  The server
-updates the window size of the tty and causes SIGWINCH to be sent to
-the program.  The new window size is passed as four integer arguments:
-row, col, xpixel, ypixel.
-.IP SSH_MSG_PORT_OPEN
-Indicates that a connection has been made to a port on the client side
-for which forwarding has been requested.  Arguments are client side
-channel number, host name to connect to, and port to connect to.  The
-server should send back either SSH_MSG_CHANNEL_OPEN_CONFIRMATION or
-SSH_MSG_CHANNEL_OPEN_FAILURE with the same client side channel number.
-.IP SSH_MSG_CHANNEL_OPEN_CONFIRMATION
-This is sent by the client to indicate that it has opened a connection
-as requested in a previous message.  The first argument indicates the
-server side channel number, and the second argument is the channel
-number that the client has allocated for this connection.
-.IP SSH_MSG_CHANNEL_OPEN_FAILURE
-This is sent by the client to indicate that it failed to open a
-connection as requested in a previous message.  The server side
-channel number is passed as an argument.  The server will close the
-descriptor associated with the channel and free the channel.
-.IP SSH_MSG_CHANNEL_DATA
-This packet contains data for a channel from the client.  The first
-argument is the server side channel number, and the second argument (a
-string) is the data.
-.IP SSH_MSG_CHANNEL_CLOSE
-This is sent by the client to indicate that whoever was in the other
-end of the channel has closed it.  The argument is the server channel
-number.  The server will allow buffered data to drain, and when ready,
-will close the socket, free the channel, and send the client a
-SSH_MSG_CHANNEL_CLOSE_CONFIRMATION message for the channel.
-.IP SSH_MSG_CHANNEL_CLOSE_CONFIRMATION
-This is send by the client to indicate that a channel previously
-closed by the server has now been closed on the client side as well.
-The argument indicates the server channel number.  The server frees
-the channel.
-.RT
-
-Any unsupported messages during interactive mode cause the connection
-to be terminated with SSH_MSG_DISCONNECT and an error message.
-Compatible protocol upgrades should agree about any extensions during
-the preparation phase or earlier.
-
-
-.ti 0
-Termination of the Connection
-
-Normal termination of the connection is always initiated by the server
-by sending SSH_SMSG_EXITSTATUS after the program has exited.  The
-client responds to this message by sending SSH_CMSG_EXIT_CONFIRMATION
-and closes the socket; the server then closes the socket.  There are
-two purposes for the confirmation: some systems may lose previously
-sent data when the socket is closed, and closing the client side first
-causes any TCP/IP TIME_WAIT [RFC0793] waits to occur on the client side, not
-consuming server resources.
-
-If the program terminates due to a signal, the server will send
-SSH_MSG_DISCONNECT with an appropriate message.  If the connection is
-closed, all file descriptors to the program will be closed and the
-server will exit.  If the program runs on a tty, the kernel sends it
-the SIGHUP signal when the pty master side is closed.
-
-.ti 0
-Protocol Flags
-
-Both the server and the client pass 32 bits of protocol flags to the
-other side.  The flags are intended for compatible protocol extension;
-the server first announces which added capabilities it supports, and
-the client then sends the capabilities that it supports.
-
-The following flags are currently defined (the values are bit masks):
-.IP "1 SSH_PROTOFLAG_SCREEN_NUMBER"
-This flag can only be sent by the client.  It indicates that the X11
-forwarding requests it sends will include the screen number.
-.IP "2 SSH_PROTOFLAG_HOST_IN_FWD_OPEN"
-If both sides specify this flag, SSH_SMSG_X11_OPEN and
-SSH_MSG_PORT_OPEN messages will contain an additional field containing
-a description of the host at the other end of the connection.
-.RT
-
-.ti 0
-Detailed Description of Packet Types and Formats
-
-The supported packet types and the corresponding message numbers are
-given in the following table.  Messages with _MSG_ in their name may
-be sent by either side.  Messages with _CMSG_ are only sent by the
-client, and messages with _SMSG_ only by the server.
-
-A packet may contain additional data after the arguments specified
-below.  Any such data should be ignored by the receiver.  However, it
-is recommended that no such data be stored without good reason.  (This
-helps build compatible extensions.)
-.IP "0 SSH_MSG_NONE"
-This code is reserved.  This message type is never sent.
-.IP "1 SSH_MSG_DISCONNECT"
-.TS
-;
-l l.
-string	Cause of disconnection
-.TE
-This message may be sent by either party at any time.  It causes the
-immediate disconnection of the connection.  The message is intended to
-be displayed to a human, and describes the reason for disconnection.
-.IP "2 SSH_SMSG_PUBLIC_KEY"
-.TS
-;
-l l.
-8 bytes	anti_spoofing_cookie
-32-bit int	server_key_bits
-mp-int	server_key_public_exponent
-mp-int	server_key_public_modulus
-32-bit int	host_key_bits
-mp-int	host_key_public_exponent
-mp-int	host_key_public_modulus
-32-bit int	protocol_flags
-32-bit int	supported_ciphers_mask
-32-bit int	supported_authentications_mask
-.TE
-Sent as the first message by the server.  This message gives the
-server's host key, server key, protocol flags (intended for compatible
-protocol extension), supported_ciphers_mask (which is the
-bitwise or of (1 << cipher_number), where << is the left shift
-operator, for all supported ciphers), and
-supported_authentications_mask (which is the bitwise or of (1 <<
-authentication_type) for all supported authentication types).  The
-anti_spoofing_cookie is 64 random bytes, and must be sent back
-verbatim by the client in its reply.  It is used to make IP-spoofing
-more difficult (encryption and host keys are the real defense against
-spoofing).
-.IP "3 SSH_CMSG_SESSION_KEY"
-.TS
-;
-l l.
-1 byte	cipher_type (must be one of the supported values)
-8 bytes	anti_spoofing_cookie (must match data sent by the server)
-mp-int	double-encrypted session key
-32-bit int	protocol_flags
-.TE
-Sent by the client as the first message in the session.  Selects the
-cipher to use, and sends the encrypted session key to the server.  The
-anti_spoofing_cookie must be the same bytes that were sent by the
-server.  Protocol_flags is intended for negotiating compatible
-protocol extensions.
-.IP "4 SSH_CMSG_USER"
-.TS
-;
-l l.
-string	user login name on server
-.TE
-Sent by the client to begin authentication.  Specifies the user name
-on the server to log in as.  The server responds with SSH_SMSG_SUCCESS
-if no authentication is needed for this user, or SSH_SMSG_FAILURE if
-authentication is needed (or the user does not exist).  [Note to the
-implementator: the user name is of arbitrary size.  The implementation
-must be careful not to overflow internal buffers.]
-.IP "5 SSH_CMSG_AUTH_RHOSTS"
-.TS
-;
-l l.
-string	client-side user name
-.TE
-Requests authentication using /etc/hosts.equiv and .rhosts (or
-equivalent mechanisms).  This authentication method is normally
-disabled in the server because it is not secure (but this is the
-method used by rsh and rlogin).  The server responds with
-SSH_SMSG_SUCCESS if authentication was successful, and
-SSH_SMSG_FAILURE if access was not granted.  The server should check
-that the client side port number is less than 1024 (a privileged
-port), and immediately reject authentication if it is not.  Supporting
-this authentication method is optional.  This method should normally
-not be enabled in the server because it is not safe.  (However, not
-enabling this only helps if rlogind and rshd are disabled.)
-.IP "6 SSH_CMSG_AUTH_RSA"
-.TS
-;
-l l.
-mp-int	identity_public_modulus
-.TE
-Requests authentication using pure RSA authentication.  The server
-checks if the given key is permitted to log in, and if so, responds
-with SSH_SMSG_AUTH_RSA_CHALLENGE.  Otherwise, it responds with
-SSH_SMSG_FAILURE.  The client often tries several different keys in
-sequence until one supported by the server is found.  Authentication
-is accepted if the client gives the correct response to the challenge.
-The server is free to add other criteria for authentication, such as a
-requirement that the connection must come from a certain host.  Such
-additions are not visible at the protocol level.  Supporting this
-authentication method is optional but recommended.
-.IP "7 SSH_SMSG_AUTH_RSA_CHALLENGE"
-.TS
-;
-l l.
-mp-int	encrypted challenge
-.TE
-Presents an RSA authentication challenge to the client.  The challenge
-is a 256-bit random value encrypted as described elsewhere in this
-document.  The client must decrypt the challenge using the RSA private
-key, compute MD5 of the challenge plus session id, and send back the
-resulting 16 bytes using SSH_CMSG_AUTH_RSA_RESPONSE.
-.IP "8 SSH_CMSG_AUTH_RSA_RESPONSE"
-.TS
-;
-l l.
-16 bytes	MD5 of decrypted challenge
-.TE
-This message is sent by the client in response to an RSA challenge.
-The MD5 checksum is returned instead of the decrypted challenge to
-deter known-plaintext attacks against the RSA key.  The server
-responds to this message with either SSH_SMSG_SUCCESS or
-SSH_SMSG_FAILURE.
-.IP "9 SSH_CMSG_AUTH_PASSWORD"
-.TS
-;
-l l.
-string	plain text password
-.TE
-Requests password authentication using the given password.  Note that
-even though the password is plain text inside the packet, the whole
-packet is normally encrypted by the packet layer.  It would not be
-possible for the client to perform password encryption/hashing,
-because it cannot know which kind of encryption/hashing, if any, the
-server uses.  The server responds to this message with
-SSH_SMSG_SUCCESS or SSH_SMSG_FAILURE.
-.IP "10 SSH_CMSG_REQUEST_PTY"
-.TS
-;
-l l.
-string	TERM environment variable value (e.g. vt100)
-32-bit int	terminal height, rows (e.g., 24)
-32-bit int	terminal width, columns (e.g., 80)
-32-bit int	terminal width, pixels (0 if no graphics) (e.g., 480)
-32-bit int	terminal height, pixels (0 if no graphics) (e.g., 640)
-n bytes	tty modes encoded in binary
-.TE
-Requests a pseudo-terminal to be allocated for this command.  This
-message can be used regardless of whether the session will later
-execute the shell or a command.  If a pty has been requested with this
-message, the shell or command will run on a pty.  Otherwise it will
-communicate with the server using pipes, sockets or some other similar
-mechanism.
-
-The terminal type gives the type of the user's terminal.  In the UNIX
-environment it is passed to the shell or command in the TERM
-environment variable.
-
-The width and height values give the initial size of the user's
-terminal or window.  All values can be zero if not supported by the
-operating system.  The server will pass these values to the kernel if
-supported.
-
-Terminal modes are encoded into a byte stream in a portable format.
-The exact format is described later in this document.
-
-The server responds to the request with either SSH_SMSG_SUCCESS or
-SSH_SMSG_FAILURE.  If the server does not have the concept of pseudo
-terminals, it should return success if it is possible to execute a
-shell or a command so that it looks to the client as if it was running
-on a pseudo terminal.
-.IP "11 SSH_CMSG_WINDOW_SIZE"
-.TS
-;
-l l.
-32-bit int	terminal height, rows
-32-bit int	terminal width, columns
-32-bit int	terminal width, pixels
-32-bit int	terminal height, pixels
-.TE
-This message can only be sent by the client during the interactive
-session.  This indicates that the size of the user's window has
-changed, and provides the new size.  The server will update the
-kernel's notion of the window size, and a SIGWINCH signal or
-equivalent will be sent to the shell or command (if supported by the
-operating system).
-.IP "12 SSH_CMSG_EXEC_SHELL"
-
-(no arguments)
-
-Starts a shell (command interpreter), and enters interactive session
-mode.
-.IP "13 SSH_CMSG_EXEC_CMD"
-.TS
-;
-l l.
-string	command to execute
-.TE
-Starts executing the given command, and enters interactive session
-mode.  On UNIX, the command is run as "<shell> -c <command>", where
-<shell> is the user's login shell.
-.IP "14 SSH_SMSG_SUCCESS"
-
-(no arguments)
-
-This message is sent by the server in response to the session key, a
-successful authentication request, and a successfully completed
-preparatory operation.
-.IP "15 SSH_SMSG_FAILURE"
-
-(no arguments)
-
-This message is sent by the server in response to a failed
-authentication operation to indicate that the user has not yet been
-successfully authenticated, and in response to a failed preparatory
-operation.  This is also sent in response to an authentication or
-preparatory operation request that is not recognized or supported.
-.IP "16 SSH_CMSG_STDIN_DATA"
-.TS
-;
-l l.
-string	data
-.TE
-Delivers data from the client to be supplied as input to the shell or
-program running on the server side.  This message can only be used in
-the interactive session mode.  No acknowledgement is sent for this
-message.
-.IP "17 SSH_SMSG_STDOUT_DATA"
-.TS
-;
-l l.
-string	data
-.TE
-Delivers data from the server that was read from the standard output of
-the shell or program running on the server side.  This message can
-only be used in the interactive session mode.  No acknowledgement is
-sent for this message.
-.IP "18 SSH_SMSG_STDERR_DATA"
-.TS
-;
-l l.
-string	data
-.TE
-Delivers data from the server that was read from the standard error of
-the shell or program running on the server side.  This message can
-only be used in the interactive session mode.  No acknowledgement is
-sent for this message.
-.IP "19 SSH_CMSG_EOF"
-
-(no arguments)
-
-This message is sent by the client to indicate that EOF has been
-reached on the input.  Upon receiving this message, and after all
-buffered input data has been sent to the shell or program, the server
-will close the input file descriptor to the program.  This message can
-only be used in the interactive session mode.  No acknowledgement is
-sent for this message.
-.IP "20 SSH_SMSG_EXITSTATUS"
-.TS
-;
-l l.
-32-bit int	exit status of the command
-.TE
-Returns the exit status of the shell or program after it has exited.
-The client should respond with SSH_CMSG_EXIT_CONFIRMATION when it has
-received this message.  This will be the last message sent by the
-server.  If the program being executed dies with a signal instead of
-exiting normally, the server should terminate the session with
-SSH_MSG_DISCONNECT (which can be used to pass a human-readable string
-indicating that the program died due to a signal) instead of using
-this message.
-.IP "21 SSH_MSG_CHANNEL_OPEN_CONFIRMATION"
-.TS
-;
-l l.
-32-bit int	remote_channel
-32-bit int	local_channel
-.TE
-This is sent in response to any channel open request if the channel
-has been successfully opened.  Remote_channel is the channel number
-received in the initial open request; local_channel is the channel
-number the side sending this message has allocated for the channel.
-Data can be transmitted on the channel after this message.
-.IP "22 SSH_MSG_CHANNEL_OPEN_FAILURE"
-.TS
-;
-l l.
-32-bit int	remote_channel
-.TE
-This message indicates that an earlier channel open request by the
-other side has failed or has been denied.  Remote_channel is the
-channel number given in the original request.
-.IP "23 SSH_MSG_CHANNEL_DATA"
-.TS
-;
-l l.
-32-bit int	remote_channel
-string	data
-.TE
-Data is transmitted in a channel in these messages.  A channel is
-bidirectional, and both sides can send these messages.  There is no
-acknowledgement for these messages.  It is possible that either side
-receives these messages after it has sent SSH_MSG_CHANNEL_CLOSE for
-the channel.  These messages cannot be received after the party has
-sent or received SSH_MSG_CHANNEL_CLOSE_CONFIRMATION.
-.IP "24 SSH_MSG_CHANNEL_CLOSE"
-.TS
-;
-l l.
-32-bit int	remote_channel
-.TE
-When a channel is closed at one end of the connection, that side sends
-this message.  Upon receiving this message, the channel should be
-closed.  When this message is received, if the channel is already
-closed (the receiving side has sent this message for the same channel
-earlier), the channel is freed and no further action is taken;
-otherwise the channel is freed and SSH_MSG_CHANNEL_CLOSE_CONFIRMATION
-is sent in response.  (It is possible that the channel is closed
-simultaneously at both ends.)
-.IP "25 SSH_MSG_CHANNEL_CLOSE_CONFIRMATION"
-.TS
-;
-l l.
-32-bit int	remote_channel
-.TE
-This message is sent in response to SSH_MSG_CHANNEL_CLOSE unless the
-channel was already closed.  When this message is sent or received,
-the channel is freed.
-.IP "26 (OBSOLETED; was unix-domain X11 forwarding)
-.IP "27 SSH_SMSG_X11_OPEN"
-.TS
-;
-l l.
-32-bit int	local_channel
-string	originator_string (see below)
-.TE
-This message can be sent by the server during the interactive session
-mode to indicate that a client has connected the fake X server.
-Local_channel is the channel number that the server has allocated for
-the connection.  The client should try to open a connection to the
-real X server, and respond with SSH_MSG_CHANNEL_OPEN_CONFIRMATION or
-SSH_MSG_CHANNEL_OPEN_FAILURE.
-
-The field originator_string is present if both sides
-specified SSH_PROTOFLAG_HOST_IN_FWD_OPEN in the protocol flags.  It
-contains a description of the host originating the connection.
-.IP "28 SSH_CMSG_PORT_FORWARD_REQUEST"
-.TS
-;
-l l.
-32-bit int	server_port
-string	host_to_connect
-32-bit int	port_to_connect
-.TE
-Sent by the client in the preparatory phase, this message requests
-that server_port on the server machine be forwarded over the secure
-channel to the client machine, and from there to the specified host
-and port.  The server should start listening on the port, and send
-SSH_MSG_PORT_OPEN whenever a connection is made to it.  Supporting
-this message is optional, and the server is free to reject any forward
-request.  For example, it is highly recommended that unless the user
-has been authenticated as root, forwarding any privileged port numbers
-(below 1024) is denied.
-.IP "29 SSH_MSG_PORT_OPEN"
-.TS
-;
-l l.
-32-bit int	local_channel
-string	host_name
-32-bit int	port
-string	originator_string (see below)
-.TE
-Sent by either party in interactive session mode, this message
-indicates that a connection has been opened to a forwarded TCP/IP
-port.  Local_channel is the channel number that the sending party has
-allocated for the connection.  Host_name is the host the connection
-should be be forwarded to, and the port is the port on that host to
-connect.  The receiving party should open the connection, and respond
-with SSH_MSG_CHANNEL_OPEN_CONFIRMATION or
-SSH_MSG_CHANNEL_OPEN_FAILURE.  It is recommended that the receiving
-side check the host_name and port for validity to avoid compromising
-local security by compromised remote side software.  Particularly, it
-is recommended that the client permit connections only to those ports
-for which it has requested forwarding with SSH_CMSG_PORT_FORWARD_REQUEST.
-
-The field originator_string is present if both sides
-specified SSH_PROTOFLAG_HOST_IN_FWD_OPEN in the protocol flags.  It
-contains a description of the host originating the connection.
-.IP "30 SSH_CMSG_AGENT_REQUEST_FORWARDING"
-
-(no arguments)
-
-Requests that the connection to the authentication agent be forwarded
-over the secure channel.  The method used by clients to contact the
-authentication agent within each machine is implementation and machine
-dependent.  If the server accepts this request, it should arrange that
-any clients run from this session will actually contact the server
-program when they try to contact the authentication agent.  The server
-should then send a SSH_SMSG_AGENT_OPEN to open a channel to the agent,
-and the client should forward the connection to the real
-authentication agent.  Supporting this message is optional.
-.IP "31 SSH_SMSG_AGENT_OPEN"
-.TS
-;
-l l.
-32-bit int	local_channel
-.TE
-Sent by the server in interactive session mode, this message requests
-opening a channel to the authentication agent.  The client should open
-a channel, and respond with either SSH_MSG_CHANNEL_OPEN_CONFIRMATION
-or SSH_MSG_CHANNEL_OPEN_FAILURE.
-.IP "32 SSH_MSG_IGNORE"
-.TS
-;
-l l.
-string	data
-.TE
-Either party may send this message at any time.  This message, and the
-argument string, is silently ignored.  This message might be used in
-some implementations to make traffic analysis more difficult.  This
-message is not currently sent by the implementation, but all
-implementations are required to recognize and ignore it.
-.IP "33 SSH_CMSG_EXIT_CONFIRMATION"
-
-(no arguments)
-
-Sent by the client in response to SSH_SMSG_EXITSTATUS.  This is the
-last message sent by the client.
-.IP "34 SSH_CMSG_X11_REQUEST_FORWARDING"
-.TS
-;
-l l.
-string	x11_authentication_protocol
-string	x11_authentication_data
-32-bit int	screen number (if SSH_PROTOFLAG_SCREEN_NUMBER)
-.TE
-Sent by the client during the preparatory phase, this message requests
-that the server create a fake X11 display and set the DISPLAY
-environment variable accordingly.  An internet-domain display is
-preferable.  The given authentication protocol and the associated data
-should be recorded by the server so that it is used as authentication
-on connections (e.g., in .Xauthority).  The authentication protocol
-must be one of the supported X11 authentication protocols, e.g.,
-"MIT-MAGIC-COOKIE-1".  Authentication data must be a lowercase hex
-string of even length.  Its interpretation is protocol dependent.
-The data is in a format that can be used with e.g. the xauth program.
-Supporting this message is optional.
-
-The client is permitted (and recommended) to generate fake
-authentication information and send fake information to the server.
-This way, a corrupt server will not have access to the user's terminal
-after the connection has terminated.  The correct authorization codes
-will also not be left hanging around in files on the server (many
-users keep the same X session for months, thus protecting the
-authorization data becomes important).
-
-X11 authentication spoofing works by initially sending fake (random)
-authentication data to the server, and interpreting the first packet
-sent by the X11 client after the connection has been opened.  The
-first packet contains the client's authentication.  If the packet
-contains the correct fake data, it is replaced by the client by the
-correct authentication data, and then sent to the X server.
-.IP "35 SSH_CMSG_AUTH_RHOSTS_RSA"
-.TS
-;
-l l.
-string	clint-side user name
-32-bit int	client_host_key_bits
-mp-int	client_host_key_public_exponent
-mp-int	client_host_key_public_modulus
-.TE
-Requests authentication using /etc/hosts.equiv and .rhosts (or
-equivalent) together with RSA host authentication.  The server should
-check that the client side port number is less than 1024 (a privileged
-port), and immediately reject authentication if it is not.  The server
-responds with SSH_SMSG_FAILURE or SSH_SMSG_AUTH_RSA_CHALLENGE.  The
-client must respond to the challenge with the proper
-SSH_CMSG_AUTH_RSA_RESPONSE.  The server then responds with success if
-access was granted, or failure if the client gave a wrong response.
-Supporting this authentication method is optional but recommended in
-most environments.
-.IP "36 SSH_MSG_DEBUG"
-.TS
-;
-l l.
-string	debugging message sent to the other side
-.TE
-This message may be sent by either party at any time.  It is used to
-send debugging messages that may be informative to the user in
-solving various problems.  For example, if authentication fails
-because of some configuration error (e.g., incorrect permissions for
-some file), it can be very helpful for the user to make the cause of
-failure available.  On the other hand, one should not make too much
-information available for security reasons.  It is recommended that
-the client provides an option to display the debugging information
-sent by the sender (the user probably does not want to see it by default).
-The server can log debugging data sent by the client (if any).  Either
-party is free to ignore any received debugging data.  Every
-implementation must be able to receive this message, but no
-implementation is required to send these.
-.IP "37 SSH_CMSG_REQUEST_COMPRESSION"
-.TS
-;
-l l.
-32-bit int	gzip compression level (1-9)
-.TE
-This message can be sent by the client in the preparatory operations
-phase.  The server responds with SSH_SMSG_FAILURE if it does not
-support compression or does not want to compress; it responds with
-SSH_SMSG_SUCCESS if it accepted the compression request.  In the
-latter case the response to this packet will still be uncompressed,
-but all further packets in either direction will be compressed by gzip.
-.RT
-
-
-.ti 0
-Encoding of Terminal Modes
-
-Terminal modes (as passed in SSH_CMSG_REQUEST_PTY) are encoded into a
-byte stream.  It is intended that the coding be portable across
-different environments.
-
-The tty mode description is a stream of bytes.  The stream consists of
-opcode-argument pairs.  It is terminated by opcode TTY_OP_END (0).
-Opcodes 1-127 have one-byte arguments.  Opcodes 128-159 have 32-bit
-integer arguments (stored msb first).  Opcodes 160-255 are not yet
-defined, and cause parsing to stop (they should only be used after any
-other data).
-
-The client puts in the stream any modes it knows about, and the server
-ignores any modes it does not know about.  This allows some degree of
-machine-independence, at least between systems that use a POSIX-like
-[POSIX] tty interface.  The protocol can support other systems as
-well, but the client may need to fill reasonable values for a number
-of parameters so the server pty gets set to a reasonable mode (the
-server leaves all unspecified mode bits in their default values, and
-only some combinations make sense).
-
-The following opcodes have been defined.  The naming of opcodes mostly
-follows the POSIX terminal mode flags.
-.IP "0 TTY_OP_END"
-Indicates end of options.
-.IP "1 VINTR"
-Interrupt character; 255 if none.  Similarly for the other characters.
-Not all of these characters are supported on all systems.
-.IP "2 VQUIT"
-The quit character (sends SIGQUIT signal on UNIX systems).
-.IP "3 VERASE"
-Erase the character to left of the cursor.
-.IP "4 VKILL"
-Kill the current input line.
-.IP "5 VEOF "
-End-of-file character (sends EOF from the terminal).
-.IP "6 VEOL "
-End-of-line character in addition to carriage return and/or linefeed.
-.IP "7 VEOL2"
-Additional end-of-line character.
-.IP "8 VSTART"
-Continues paused output (normally ^Q).
-.IP "9 VSTOP"
-Pauses output (^S).
-.IP "10 VSUSP"
-Suspends the current program.
-.IP "11 VDSUSP"
-Another suspend character.
-.IP "12 VREPRINT"
-Reprints the current input line.
-.IP "13 VWERASE"
-Erases a word left of cursor.
-.IP "14 VLNEXT"
-More special input characters; these are probably not supported on
-most systems.
-.IP "15 VFLUSH"
-.IP "16 VSWTCH"
-.IP "17 VSTATUS"
-.IP "18 VDISCARD"
-
-.IP "30 IGNPAR"
-The ignore parity flag.  The next byte should be 0 if this flag is not
-set, and 1 if it is set.
-.IP "31 PARMRK"
-More flags.  The exact definitions can be found in the POSIX standard.
-.IP "32 INPCK"
-.IP "33 ISTRIP"
-.IP "34 INLCR"
-.IP "35 IGNCR"
-.IP "36 ICRNL"
-.IP "37 IUCLC"
-.IP "38 IXON"
-.IP "39 IXANY"
-.IP "40 IXOFF"
-.IP "41 IMAXBEL"
-
-.IP "50 ISIG"
-.IP "51 ICANON"
-.IP "52 XCASE"
-.IP "53 ECHO"
-.IP "54 ECHOE"
-.IP "55 ECHOK"
-.IP "56 ECHONL"
-.IP "57 NOFLSH"
-.IP "58 TOSTOP"
-.IP "59 IEXTEN"
-.IP "60 ECHOCTL"
-.IP "61 ECHOKE"
-.IP "62 PENDIN"
-
-.IP "70 OPOST"
-.IP "71 OLCUC"
-.IP "72 ONLCR"
-.IP "73 OCRNL"
-.IP "74 ONOCR"
-.IP "75 ONLRET"
-
-.IP "90 CS7"
-.IP "91 CS8"
-.IP "92 PARENB"
-.IP "93 PARODD"
-
-.IP "192 TTY_OP_ISPEED"
-Specifies the input baud rate in bits per second.
-.IP "193 TTY_OP_OSPEED"
-Specifies the output baud rate in bits per second.
-.RT
-
-
-.ti 0
-The Authentication Agent Protocol
-
-The authentication agent is a program that can be used to hold RSA
-authentication keys for the user (in future, it might hold data for
-other authentication types as well).  An authorized program can send
-requests to the agent to generate a proper response to an RSA
-challenge.  How the connection is made to the agent (or its
-representative) inside a host and how access control is done inside a
-host is implementation-dependent; however, how it is forwarded and how
-one interacts with it is specified in this protocol.  The connection
-to the agent is normally automatically forwarded over the secure
-channel.
-
-A program that wishes to use the agent first opens a connection to its
-local representative (typically, the agent itself or an SSH server).
-It then writes a request to the connection, and waits for response.
-It is recommended that at least five minutes of timeout are provided
-waiting for the agent to respond to an authentication challenge (this
-gives sufficient time for the user to cut-and-paste the challenge to a
-separate machine, perform the computation there, and cut-and-paste the
-result back if so desired).
-
-Messages sent to and by the agent are in the following format:
-.TS
-;
-l l.
-4 bytes	Length, msb first.  Does not include length itself.
-1 byte	Packet type.  The value 255 is reserved for future extensions.
-data	Any data, depending on packet type.  Encoding as in the ssh packet
-protocol.
-.TE
-
-The following message types are currently defined:
-.IP "1 SSH_AGENTC_REQUEST_RSA_IDENTITIES"
-
-(no arguments)
-
-Requests the agent to send a list of all RSA keys for which it can
-answer a challenge.
-.IP "2 SSH_AGENT_RSA_IDENTITIES_ANSWER"
-.TS
-;
-l l.
-32-bit int	howmany
-howmany times:
-32-bit int	bits
-mp-int	public exponent
-mp-int	public modulus
-string	comment
-.TE
-The agent sends this message in response to the to
-SSH_AGENTC_REQUEST_RSA_IDENTITIES.  The answer lists all RSA keys for
-which the agent can answer a challenge.  The comment field is intended
-to help identify each key; it may be printed by an application to
-indicate which key is being used.  If the agent is not holding any
-keys, howmany will be zero.
-.IP "3 SSH_AGENTC_RSA_CHALLENGE
-.TS
-;
-l l.
-32-bit int	bits
-mp-int	public exponent
-mp-int	public modulus
-mp-int	challenge
-16 bytes	session_id
-32-bit int	response_type
-.TE
-Requests RSA decryption of random challenge to authenticate the other
-side.  The challenge will be decrypted with the RSA private key
-corresponding to the given public key.
-
-The decrypted challenge must contain a zero in the highest (partial)
-byte, 2 in the next byte, followed by non-zero random bytes, a zero
-byte, and then the real challenge value in the lowermost bytes.  The
-real challenge must be 32 8-bit bytes (256 bits).
-
-Response_type indicates the format of the response to be returned.
-Currently the only supported value is 1, which means to compute MD5 of
-the real challenge plus session id, and return the resulting 16 bytes
-in a SSH_AGENT_RSA_RESPONSE message.
-.IP "4 SSH_AGENT_RSA_RESPONSE"
-.TS
-;
-l l.
-16 bytes	MD5 of decrypted challenge
-.TE
-Answers an RSA authentication challenge.  The response is 16 bytes:
-the MD5 checksum of the 32-byte challenge.
-.IP "5 SSH_AGENT_FAILURE"
-
-(no arguments)
-
-This message is sent whenever the agent fails to answer a request
-properly.  For example, if the agent cannot answer a challenge (e.g.,
-no longer has the proper key), it can respond with this.  The agent
-also responds with this message if it receives a message it does not
-recognize.
-.IP "6 SSH_AGENT_SUCCESS"
-
-(no arguments)
-
-This message is sent by the agent as a response to certain requests
-that do not otherwise cause a message be sent.  Currently, this is
-only sent in response to SSH_AGENTC_ADD_RSA_IDENTITY and
-SSH_AGENTC_REMOVE_RSA_IDENTITY.
-.IP "7 SSH_AGENTC_ADD_RSA_IDENTITY"
-.TS
-;
-l l.
-32-bit int	bits
-mp-int	public modulus
-mp-int	public exponent
-mp-int	private exponent
-mp-int	multiplicative inverse of p mod q
-mp-int	p
-mp-int	q
-string	comment
-.TE
-Registers an RSA key with the agent.  After this request, the agent can
-use this RSA key to answer requests.  The agent responds with
-SSH_AGENT_SUCCESS or SSH_AGENT_FAILURE.
-.IP "8 SSH_AGENT_REMOVE_RSA_IDENTITY"
-.TS
-;
-l l.
-32-bit int	bits
-mp-int	public exponent
-mp-int	public modulus
-.TE
-Removes an RSA key from the agent.  The agent will no longer accept
-challenges for this key and will not list it as a supported identity.
-The agent responds with SSH_AGENT_SUCCESS or SSH_AGENT_FAILURE.
-.RT
-
-If the agent receives a message that it does not understand, it
-responds with SSH_AGENT_FAILURE.  This permits compatible future
-extensions.
-
-It is possible that several clients have a connection open to the
-authentication agent simultaneously.  Each client will use a separate
-connection (thus, any SSH connection can have multiple agent
-connections active simultaneously).
-
-
-.ti 0
-References
-
-.IP "[DES] "
-FIPS PUB 46-1: Data Encryption Standard.  National Bureau of
-Standards, January 1988.  FIPS PUB 81: DES Modes of Operation.
-National Bureau of Standards, December 1980.  Bruce Schneier: Applied
-Cryptography.  John Wiley & Sons, 1994.  J. Seberry and J. Pieprzyk:
-Cryptography: An Introduction to Computer Security.  Prentice-Hall,
-1989.
-.IP "[GZIP] "
-The GNU GZIP program; available for anonymous ftp at prep.ai.mit.edu.
-Please let me know if you know a paper describing the algorithm.
-.IP "[IDEA] "
-Xuejia Lai: On the Design and Security of Block Ciphers, ETH Series in
-Information Processing, vol. 1, Hartung-Gorre Verlag, Konstanz,
-Switzerland, 1992.  Bruce Schneier: Applied Cryptography, John Wiley &
-Sons, 1994.  See also the following patents: PCT/CH91/00117, EP 0 482
-154 B1, US Pat. 5,214,703.
-.IP [PKCS#1]
-PKCS #1: RSA Encryption Standard.  Version 1.5, RSA Laboratories,
-November 1993.  Available for anonymous ftp at ftp.rsa.com.
-.IP [POSIX]
-Portable Operating System Interface (POSIX) - Part 1: Application
-Program Interface (API) [C language], ISO/IEC 9945-1, IEEE Std 1003.1,
-1990.
-.IP [RFC0791]
-J. Postel: Internet Protocol, RFC 791, USC/ISI, September 1981.
-.IP [RFC0793]
-J. Postel: Transmission Control Protocol, RFC 793, USC/ISI, September
-1981.
-.IP [RFC1034]
-P. Mockapetris: Domain Names - Concepts and Facilities, RFC 1034,
-USC/ISI, November 1987.
-.IP [RFC1282]
-B. Kantor: BSD Rlogin, RFC 1258, UCSD, December 1991.
-.IP "[RSA] "
-Bruce Schneier: Applied Cryptography.  John Wiley & Sons, 1994.  See
-also R. Rivest, A. Shamir, and L. M. Adleman: Cryptographic
-Communications System and Method.  US Patent 4,405,829, 1983.
-.IP "[X11] "
-R. Scheifler: X Window System Protocol, X Consortium Standard, Version
-11, Release 6.  Massachusetts Institute of Technology, Laboratory of
-Computer Science, 1994.
-.RT
-
-
-.ti 0
-Security Considerations
-
-This protocol deals with the very issue of user authentication and
-security.
-
-First of all, as an implementation issue, the server program will have
-to run as root (or equivalent) on the server machine.  This is because
-the server program will need be able to change to an arbitrary user
-id.  The server must also be able to create a privileged TCP/IP port.
-
-The client program will need to run as root if any variant of .rhosts
-authentication is to be used.  This is because the client program will
-need to create a privileged port.  The client host key is also usually
-stored in a file which is readable by root only.  The client needs the
-host key in .rhosts authentication only.  Root privileges can be
-dropped as soon as the privileged port has been created and the host
-key has been read.
-
-The SSH protocol offers major security advantages over existing telnet
-and rlogin protocols.
-.IP o
-IP spoofing is restricted to closing a connection (by encryption, host
-keys, and the special random cookie).  If encryption is not used, IP
-spoofing is possible for those who can hear packets going out from the
-server.
-.IP o
-DNS spoofing is made ineffective (by host keys).
-.IP o
-Routing spoofing is made ineffective (by host keys).
-.IP o
-All data is encrypted with strong algorithms to make eavesdropping as
-difficult as possible.  This includes encrypting any authentication
-information such as passwords.  The information for decrypting session
-keys is destroyed every hour.
-.IP o
-Strong authentication methods: .rhosts combined with RSA host
-authentication, and pure RSA authentication.
-.IP o
-X11 connections and arbitrary TCP/IP ports can be forwarded securely.
-.IP o
-Man-in-the-middle attacks are deterred by using the server host key to
-encrypt the session key.
-.IP o
-Trojan horses to catch a password by routing manipulation are deterred
-by checking that the host key of the server machine matches that
-stored on the client host.
-.RT
-
-The security of SSH against man-in-the-middle attacks and the security
-of the new form of .rhosts authentication, as well as server host
-validation, depends on the integrity of the host key and the files
-containing known host keys.
-
-The host key is normally stored in a root-readable file.  If the host
-key is compromised, it permits attackers to use IP, DNS and routing
-spoofing as with current rlogin and rsh.  It should never be any worse
-than the current situation.
-
-The files containing known host keys are not sensitive.  However, if an
-attacker gets to modify the known host key files, it has the same
-consequences as a compromised host key, because the attacker can then
-change the recorded host key.
-
-The security improvements obtained by this protocol for X11 are of
-particular significance.  Previously, there has been no way to protect
-data communicated between an X server and a client running on a remote
-machine.  By creating a fake display on the server, and forwarding all
-X11 requests over the secure channel, SSH can be used to run any X11
-applications securely without any cooperation with the vendors of the
-X server or the application.
-
-Finally, the security of this program relies on the strength of the
-underlying cryptographic algorithms.  The RSA algorithm is used for
-authentication key exchange.  It is widely believed to be secure.  Of
-the algorithms used to encrypt the session, DES has a rather small key
-these days, probably permitting governments and organized criminals to
-break it in very short time with specialized hardware.  3DES is
-probably safe (but slower).  IDEA is widely believed to be secure.
-People have varying degrees of confidence in the other algorithms.
-This program is not secure if used with no encryption at all.
-
-
-.ti 0
-Additional Information
-
-Additional information (especially on the implementation and mailing
-lists) is available via WWW at http://www.cs.hut.fi/ssh.
-
-Comments should be sent to Tatu Ylonen <ylo@cs.hut.fi> or the SSH
-Mailing List <ssh@clinet.fi>.
-
-.ti 0
-Author's Address
-
-.TS
-;
-l.
-Tatu Ylonen
-Helsinki University of Technology
-Otakaari 1
-FIN-02150 Espoo, Finland
-
-Phone: +358-0-451-3374
-Fax: +358-0-451-3293
-EMail: ylo@cs.hut.fi
-.TE
diff --git a/crypto/openssh/TODO b/crypto/openssh/TODO
deleted file mode 100644
index e8aaa4b..0000000
--- a/crypto/openssh/TODO
+++ /dev/null
@@ -1,86 +0,0 @@
-Documentation:
-
-- Update the docs
-  - Update README
-  - Update INSTALL
-  - Merge INSTALL & README.privsep
-
-- Install FAQ?
-
-- General FAQ on S/Key, TIS, RSA, RSA2, DSA, etc and suggestions on when it
-  would be best to use them.
-
-- Create a Documentation/ directory?
-
-Programming:
-
-- Grep for 'XXX' comments and fix
-
-- Link order is incorrect for some systems using Kerberos 4 and AFS. Result
-  is multiple inclusion of DES symbols. Holger Trapp
-  <holger.trapp@hrz.tu-chemnitz.de> reports that changing the configure
-  generated link order from:
-	-lresolv -lkrb -lz -lnsl  -lutil -lkafs -lkrb -ldes -lcrypto
-  to:
-	-lresolv -lkrb -lz -lnsl  -lutil -lcrypto -lkafs -lkrb -ldes
-  fixing the problem.
-
-- Write a test program that calls stat() to search for EGD/PRNGd socket
-  rather than use the (non-portable) "test -S".
-
-- More platforms for for setproctitle() emulation (testing needed)
-
-- Improve PAM ChallengeResponseAuthentication
- - Informational messages
- - Use different PAM service name for kbdint vs regular auth (suggest from
-   Solar Designer)
- - Ability to select which ChallengeResponseAuthentications may be used
-   and order to try them in e.g. "ChallengeResponseAuthentication skey, pam"
-
-- Complete Tru64 SIA support
- - It looks like we could merge it into the password auth code to cut down
-   on diff size. Maybe PAM password auth too?
-
-- Finish integrating kernel-level auditing code for IRIX and SOLARIS
-  (Gilbert.r.loomis@saic.com)
-
-- 64-bit builds on HP-UX 11.X (stevesk@pobox.com):
-  - utmp/wtmp get corrupted (something in loginrec?)
-  - can't build with PAM (no 64-bit libpam yet)
-
-Clean up configure/makefiles:
-- Clean up configure.ac - There are a few double #defined variables
-  left to do.  HAVE_LOGIN is one of them.  Consider NOT looking for
-  information in wtmpx or utmpx or any of that stuff if it's not detected
-  from the start
-
-- Replace the whole u_intXX_t evilness in acconfig.h with something better???
- - Do it in configure.ac
-
-- Consider splitting the u_intXX_t test for sys/bitype.h  into seperate test
-  to allow people to (right/wrongfully) link against Bind directly.
-
-- Consider splitting configure.ac into seperate files which do logically
-  similar tests. E.g move all the type detection stuff into one file,
-  entropy related stuff into another.
-
-Packaging:
-- HP-UX: Provide DEPOT package scripts.
-  (gilbert.r.loomis@saic.com)
-
-PrivSep Issues:
-- mmap() issues.
-  + /dev/zero solution (Solaris)
-  + No/broken MAP_ANON (Irix)
-  + broken /dev/zero parse (Linux)
-- PAM
-  + See above PAM notes
-- AIX
-  + usrinfo() does not set TTY, but only required for legacy systems.  Works
-    with PrivSep.
-- OSF
-  + SIA is broken
-- Cygwin
-  + Privsep for Pre-auth only (no fd passing)
-
-$Id: TODO,v 1.58 2004/12/06 11:40:11 dtucker Exp $
diff --git a/crypto/openssh/WARNING.RNG b/crypto/openssh/WARNING.RNG
deleted file mode 100644
index 97da74f..0000000
--- a/crypto/openssh/WARNING.RNG
+++ /dev/null
@@ -1,95 +0,0 @@
-This document contains a description of portable OpenSSH's random
-number collection code. An alternate reading of this text could
-well be titled "Why I should pressure my system vendor to supply
-/dev/random in their OS".
-
-Why is this important? OpenSSH depends on good, unpredictable numbers
-for generating keys, performing digital signatures and forming
-cryptographic challenges. If the random numbers that it uses are
-predictable, then the strength of the whole system is compromised.
-
-A particularly pernicious problem arises with DSA keys (used by the
-ssh2 protocol). Performing a DSA signature (which is required for
-authentication), entails the use of a 160 bit random number.  If an
-attacker can predict this number, then they can deduce your *private*
-key and impersonate you or your hosts.
-
-If you are using the builtin random number support (configure will
-tell you if this is the case), then read this document in its entirety.
-Alternately, you can use Lutz Jaenicke's PRNGd - a small daemon which
-collects random numbers and makes them available by a socket.
-
-Please also request that your OS vendor provides a kernel-based random
-number collector (/dev/random) in future versions of your operating
-systems by default.
-
-On to the description...
-
-The portable OpenSSH contains random number collection support for
-systems which lack a kernel entropy pool (/dev/random).
-
-This collector (as of 3.1 and beyond) comes as an external application
-that allows the local admin to decide on how to implement entropy
-collection.
-
-The default entropy collector operates by executing the programs listed
-in ($etcdir)/ssh_prng_cmds, reading their output and adding it to the
-PRNG supplied by OpenSSL (which is hash-based). It also stirs in the
-output of several system calls and timings from the execution of the
-programs that it runs.
-
-The ssh_prng_cmds file also specifies a 'rate' for each program. This
-represents the number of bits of randomness per byte of output from
-the specified program.
-
-The random number code will also read and save a seed file to
-~/.ssh/prng_seed. This contents of this file are added to the random
-number generator at startup. The goal here is to maintain as much
-randomness between sessions as possible.
-
-The default entropy collection code has two main problems:
-
-1. It is slow.
-
-Executing each program in the list can take a large amount of time,
-especially on slower machines. Additionally some program can take a
-disproportionate time to execute.
-
-Tuning the random helper can be done by running ./ssh-random-helper in
-very verbose mode ("-vvv") and identifying the commands that are taking
-excessive amounts of time or hanging altogher.  Any problem commands can
-be modified or removed from ssh_prng_cmds.
-
-The default entropy collector will timeout programs which take too long
-to execute, the actual timeout used can be adjusted with the
---with-entropy-timeout configure option. OpenSSH will not try to
-re-execute programs which have not been found, have had a non-zero
-exit status or have timed out more than a couple of times.
-
-2. Estimating the real 'rate' of program outputs is non-trivial
-
-The shear volume of the task is problematic: there are currently
-around 50 commands in the ssh_prng_cmds list, portable OpenSSH
-supports at least 12 different OSs. That is already 600 sets of data
-to be analysed, without taking into account the numerous differences
-between versions of each OS.
-
-On top of this, the different commands can produce varying amounts of
-usable data depending on how busy the machine is, how long it has been
-up and various other factors.
-
-To make matters even more complex, some of the commands are reporting
-largely the same data as other commands (eg. the various "ps" calls).
-
-
-How to avoid the default entropy code?
-
-The best way is to read the OpenSSL documentation and recompile OpenSSL
-to use prngd or egd.  Some platforms (like earily solaris) have 3rd
-party /dev/random devices that can be also used for this task.
-
-If you are forced to use ssh-rand-helper consider still downloading
-prngd/egd and configure OpenSSH using --with-prngd-port=xx or
---with-prngd-socket=xx (refer to INSTALL for more information).
-
-$Id: WARNING.RNG,v 1.8 2005/05/26 01:47:54 djm Exp $
diff --git a/crypto/openssh/aclocal.m4 b/crypto/openssh/aclocal.m4
deleted file mode 100644
index b68a470..0000000
--- a/crypto/openssh/aclocal.m4
+++ /dev/null
@@ -1,86 +0,0 @@
-dnl $Id: aclocal.m4,v 1.6 2005/09/19 16:33:39 tim Exp $
-dnl
-dnl OpenSSH-specific autoconf macros
-dnl
-
-
-dnl OSSH_CHECK_HEADER_FOR_FIELD(field, header, symbol)
-dnl Does AC_EGREP_HEADER on 'header' for the string 'field'
-dnl If found, set 'symbol' to be defined. Cache the result.
-dnl TODO: This is not foolproof, better to compile and read from there
-AC_DEFUN(OSSH_CHECK_HEADER_FOR_FIELD, [
-# look for field '$1' in header '$2'
-	dnl This strips characters illegal to m4 from the header filename
-	ossh_safe=`echo "$2" | sed 'y%./+-%__p_%'`
-	dnl
-	ossh_varname="ossh_cv_$ossh_safe""_has_"$1
-	AC_MSG_CHECKING(for $1 field in $2)
-	AC_CACHE_VAL($ossh_varname, [
-		AC_EGREP_HEADER($1, $2, [ dnl
-			eval "$ossh_varname=yes" dnl
-		], [ dnl
-			eval "$ossh_varname=no" dnl
-		]) dnl
-	])
-	ossh_result=`eval 'echo $'"$ossh_varname"`
-	if test -n "`echo $ossh_varname`"; then
-		AC_MSG_RESULT($ossh_result)
-		if test "x$ossh_result" = "xyes"; then
-			AC_DEFINE($3, 1, [Define if you have $1 in $2])
-		fi
-	else
-		AC_MSG_RESULT(no)
-	fi
-])
-
-dnl OSSH_PATH_ENTROPY_PROG(variablename, command):
-dnl Tidiness function, sets 'undef' if not found, and does the AC_SUBST
-AC_DEFUN(OSSH_PATH_ENTROPY_PROG, [
-	AC_PATH_PROG($1, $2)
-	if test -z "[$]$1" ; then
-		$1="undef"
-	fi
-	AC_SUBST($1)
-])
-
-dnl Check for socklen_t: historically on BSD it is an int, and in
-dnl POSIX 1g it is a type of its own, but some platforms use different
-dnl types for the argument to getsockopt, getpeername, etc.  So we
-dnl have to test to find something that will work.
-AC_DEFUN([TYPE_SOCKLEN_T],
-[
-   AC_CHECK_TYPE([socklen_t], ,[
-      AC_MSG_CHECKING([for socklen_t equivalent])
-      AC_CACHE_VAL([curl_cv_socklen_t_equiv],
-      [
-	 # Systems have either "struct sockaddr *" or
-	 # "void *" as the second argument to getpeername
-	 curl_cv_socklen_t_equiv=
-	 for arg2 in "struct sockaddr" void; do
-	    for t in int size_t unsigned long "unsigned long"; do
-	       AC_TRY_COMPILE([
-		  #include <sys/types.h>
-		  #include <sys/socket.h>
-
-		  int getpeername (int, $arg2 *, $t *);
-	       ],[
-		  $t len;
-		  getpeername(0,0,&len);
-	       ],[
-		  curl_cv_socklen_t_equiv="$t"
-		  break
-	       ])
-	    done
-	 done
-
-	 if test "x$curl_cv_socklen_t_equiv" = x; then
-	    AC_MSG_ERROR([Cannot find a type to use in place of socklen_t])
-	 fi
-      ])
-      AC_MSG_RESULT($curl_cv_socklen_t_equiv)
-      AC_DEFINE_UNQUOTED(socklen_t, $curl_cv_socklen_t_equiv,
-			[type to use in place of socklen_t if not defined])],
-      [#include <sys/types.h>
-#include <sys/socket.h>])
-])
-
diff --git a/crypto/openssh/acss.c b/crypto/openssh/acss.c
deleted file mode 100644
index 86e2c01..0000000
--- a/crypto/openssh/acss.c
+++ /dev/null
@@ -1,267 +0,0 @@
-/*	$Id: acss.c,v 1.4 2006/07/24 04:51:01 djm Exp $ */
-/*
- * Copyright (c) 2004 The OpenBSD project
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "includes.h"
-
-#include <string.h>
-
-#include <openssl/evp.h>
-
-#if !defined(EVP_CTRL_SET_ACSS_MODE) && (OPENSSL_VERSION_NUMBER >= 0x00906000L)
-
-#include "acss.h"
-
-/* decryption sbox */
-static unsigned char sboxdec[] = {
-	0x33, 0x73, 0x3b, 0x26, 0x63, 0x23, 0x6b, 0x76,
-	0x3e, 0x7e, 0x36, 0x2b, 0x6e, 0x2e, 0x66, 0x7b,
-	0xd3, 0x93, 0xdb, 0x06, 0x43, 0x03, 0x4b, 0x96,
-	0xde, 0x9e, 0xd6, 0x0b, 0x4e, 0x0e, 0x46, 0x9b,
-	0x57, 0x17, 0x5f, 0x82, 0xc7, 0x87, 0xcf, 0x12,
-	0x5a, 0x1a, 0x52, 0x8f, 0xca, 0x8a, 0xc2, 0x1f,
-	0xd9, 0x99, 0xd1, 0x00, 0x49, 0x09, 0x41, 0x90,
-	0xd8, 0x98, 0xd0, 0x01, 0x48, 0x08, 0x40, 0x91,
-	0x3d, 0x7d, 0x35, 0x24, 0x6d, 0x2d, 0x65, 0x74,
-	0x3c, 0x7c, 0x34, 0x25, 0x6c, 0x2c, 0x64, 0x75,
-	0xdd, 0x9d, 0xd5, 0x04, 0x4d, 0x0d, 0x45, 0x94,
-	0xdc, 0x9c, 0xd4, 0x05, 0x4c, 0x0c, 0x44, 0x95,
-	0x59, 0x19, 0x51, 0x80, 0xc9, 0x89, 0xc1, 0x10,
-	0x58, 0x18, 0x50, 0x81, 0xc8, 0x88, 0xc0, 0x11,
-	0xd7, 0x97, 0xdf, 0x02, 0x47, 0x07, 0x4f, 0x92,
-	0xda, 0x9a, 0xd2, 0x0f, 0x4a, 0x0a, 0x42, 0x9f,
-	0x53, 0x13, 0x5b, 0x86, 0xc3, 0x83, 0xcb, 0x16,
-	0x5e, 0x1e, 0x56, 0x8b, 0xce, 0x8e, 0xc6, 0x1b,
-	0xb3, 0xf3, 0xbb, 0xa6, 0xe3, 0xa3, 0xeb, 0xf6,
-	0xbe, 0xfe, 0xb6, 0xab, 0xee, 0xae, 0xe6, 0xfb,
-	0x37, 0x77, 0x3f, 0x22, 0x67, 0x27, 0x6f, 0x72,
-	0x3a, 0x7a, 0x32, 0x2f, 0x6a, 0x2a, 0x62, 0x7f,
-	0xb9, 0xf9, 0xb1, 0xa0, 0xe9, 0xa9, 0xe1, 0xf0,
-	0xb8, 0xf8, 0xb0, 0xa1, 0xe8, 0xa8, 0xe0, 0xf1,
-	0x5d, 0x1d, 0x55, 0x84, 0xcd, 0x8d, 0xc5, 0x14,
-	0x5c, 0x1c, 0x54, 0x85, 0xcc, 0x8c, 0xc4, 0x15,
-	0xbd, 0xfd, 0xb5, 0xa4, 0xed, 0xad, 0xe5, 0xf4,
-	0xbc, 0xfc, 0xb4, 0xa5, 0xec, 0xac, 0xe4, 0xf5,
-	0x39, 0x79, 0x31, 0x20, 0x69, 0x29, 0x61, 0x70,
-	0x38, 0x78, 0x30, 0x21, 0x68, 0x28, 0x60, 0x71,
-	0xb7, 0xf7, 0xbf, 0xa2, 0xe7, 0xa7, 0xef, 0xf2,
-	0xba, 0xfa, 0xb2, 0xaf, 0xea, 0xaa, 0xe2, 0xff
-};
-
-/* encryption sbox */
-static unsigned char sboxenc[] = {
-	0x33, 0x3b, 0x73, 0x15, 0x53, 0x5b, 0x13, 0x75,
-	0x3d, 0x35, 0x7d, 0x1b, 0x5d, 0x55, 0x1d, 0x7b,
-	0x67, 0x6f, 0x27, 0x81, 0xc7, 0xcf, 0x87, 0x21,
-	0x69, 0x61, 0x29, 0x8f, 0xc9, 0xc1, 0x89, 0x2f,
-	0xe3, 0xeb, 0xa3, 0x05, 0x43, 0x4b, 0x03, 0xa5,
-	0xed, 0xe5, 0xad, 0x0b, 0x4d, 0x45, 0x0d, 0xab,
-	0xea, 0xe2, 0xaa, 0x00, 0x4a, 0x42, 0x0a, 0xa0,
-	0xe8, 0xe0, 0xa8, 0x02, 0x48, 0x40, 0x08, 0xa2,
-	0x3e, 0x36, 0x7e, 0x14, 0x5e, 0x56, 0x1e, 0x74,
-	0x3c, 0x34, 0x7c, 0x16, 0x5c, 0x54, 0x1c, 0x76,
-	0x6a, 0x62, 0x2a, 0x80, 0xca, 0xc2, 0x8a, 0x20,
-	0x68, 0x60, 0x28, 0x82, 0xc8, 0xc0, 0x88, 0x22,
-	0xee, 0xe6, 0xae, 0x04, 0x4e, 0x46, 0x0e, 0xa4,
-	0xec, 0xe4, 0xac, 0x06, 0x4c, 0x44, 0x0c, 0xa6,
-	0xe7, 0xef, 0xa7, 0x01, 0x47, 0x4f, 0x07, 0xa1,
-	0xe9, 0xe1, 0xa9, 0x0f, 0x49, 0x41, 0x09, 0xaf,
-	0x63, 0x6b, 0x23, 0x85, 0xc3, 0xcb, 0x83, 0x25,
-	0x6d, 0x65, 0x2d, 0x8b, 0xcd, 0xc5, 0x8d, 0x2b,
-	0x37, 0x3f, 0x77, 0x11, 0x57, 0x5f, 0x17, 0x71,
-	0x39, 0x31, 0x79, 0x1f, 0x59, 0x51, 0x19, 0x7f,
-	0xb3, 0xbb, 0xf3, 0x95, 0xd3, 0xdb, 0x93, 0xf5,
-	0xbd, 0xb5, 0xfd, 0x9b, 0xdd, 0xd5, 0x9d, 0xfb,
-	0xba, 0xb2, 0xfa, 0x90, 0xda, 0xd2, 0x9a, 0xf0,
-	0xb8, 0xb0, 0xf8, 0x92, 0xd8, 0xd0, 0x98, 0xf2,
-	0x6e, 0x66, 0x2e, 0x84, 0xce, 0xc6, 0x8e, 0x24,
-	0x6c, 0x64, 0x2c, 0x86, 0xcc, 0xc4, 0x8c, 0x26,
-	0x3a, 0x32, 0x7a, 0x10, 0x5a, 0x52, 0x1a, 0x70,
-	0x38, 0x30, 0x78, 0x12, 0x58, 0x50, 0x18, 0x72,
-	0xbe, 0xb6, 0xfe, 0x94, 0xde, 0xd6, 0x9e, 0xf4,
-	0xbc, 0xb4, 0xfc, 0x96, 0xdc, 0xd4, 0x9c, 0xf6,
-	0xb7, 0xbf, 0xf7, 0x91, 0xd7, 0xdf, 0x97, 0xf1,
-	0xb9, 0xb1, 0xf9, 0x9f, 0xd9, 0xd1, 0x99, 0xff
-};
-
-static unsigned char reverse[] = {
-	0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0,
-	0x10, 0x90, 0x50, 0xd0, 0x30, 0xb0, 0x70, 0xf0,
-	0x08, 0x88, 0x48, 0xc8, 0x28, 0xa8, 0x68, 0xe8,
-	0x18, 0x98, 0x58, 0xd8, 0x38, 0xb8, 0x78, 0xf8,
-	0x04, 0x84, 0x44, 0xc4, 0x24, 0xa4, 0x64, 0xe4,
-	0x14, 0x94, 0x54, 0xd4, 0x34, 0xb4, 0x74, 0xf4,
-	0x0c, 0x8c, 0x4c, 0xcc, 0x2c, 0xac, 0x6c, 0xec,
-	0x1c, 0x9c, 0x5c, 0xdc, 0x3c, 0xbc, 0x7c, 0xfc,
-	0x02, 0x82, 0x42, 0xc2, 0x22, 0xa2, 0x62, 0xe2,
-	0x12, 0x92, 0x52, 0xd2, 0x32, 0xb2, 0x72, 0xf2,
-	0x0a, 0x8a, 0x4a, 0xca, 0x2a, 0xaa, 0x6a, 0xea,
-	0x1a, 0x9a, 0x5a, 0xda, 0x3a, 0xba, 0x7a, 0xfa,
-	0x06, 0x86, 0x46, 0xc6, 0x26, 0xa6, 0x66, 0xe6,
-	0x16, 0x96, 0x56, 0xd6, 0x36, 0xb6, 0x76, 0xf6,
-	0x0e, 0x8e, 0x4e, 0xce, 0x2e, 0xae, 0x6e, 0xee,
-	0x1e, 0x9e, 0x5e, 0xde, 0x3e, 0xbe, 0x7e, 0xfe,
-	0x01, 0x81, 0x41, 0xc1, 0x21, 0xa1, 0x61, 0xe1,
-	0x11, 0x91, 0x51, 0xd1, 0x31, 0xb1, 0x71, 0xf1,
-	0x09, 0x89, 0x49, 0xc9, 0x29, 0xa9, 0x69, 0xe9,
-	0x19, 0x99, 0x59, 0xd9, 0x39, 0xb9, 0x79, 0xf9,
-	0x05, 0x85, 0x45, 0xc5, 0x25, 0xa5, 0x65, 0xe5,
-	0x15, 0x95, 0x55, 0xd5, 0x35, 0xb5, 0x75, 0xf5,
-	0x0d, 0x8d, 0x4d, 0xcd, 0x2d, 0xad, 0x6d, 0xed,
-	0x1d, 0x9d, 0x5d, 0xdd, 0x3d, 0xbd, 0x7d, 0xfd,
-	0x03, 0x83, 0x43, 0xc3, 0x23, 0xa3, 0x63, 0xe3,
-	0x13, 0x93, 0x53, 0xd3, 0x33, 0xb3, 0x73, 0xf3,
-	0x0b, 0x8b, 0x4b, 0xcb, 0x2b, 0xab, 0x6b, 0xeb,
-	0x1b, 0x9b, 0x5b, 0xdb, 0x3b, 0xbb, 0x7b, 0xfb,
-	0x07, 0x87, 0x47, 0xc7, 0x27, 0xa7, 0x67, 0xe7,
-	0x17, 0x97, 0x57, 0xd7, 0x37, 0xb7, 0x77, 0xf7,
-	0x0f, 0x8f, 0x4f, 0xcf, 0x2f, 0xaf, 0x6f, 0xef,
-	0x1f, 0x9f, 0x5f, 0xdf, 0x3f, 0xbf, 0x7f, 0xff
-};
-
-/*
- * Two linear feedback shift registers are used:
- *
- * lfsr17:  polynomial of degree 17, primitive modulo 2 (listed in Schneier)
- *          x^15 + x + 1
- * lfsr25:  polynomial of degree 25, not know if primitive modulo 2
- *          x^13 + x^5 + x^4 + x^1 + 1
- *
- * Output bits are discarded, instead the feedback bits are added to produce
- * the cipher stream.  Depending on the mode, feedback bytes may be inverted
- * bit-wise before addition.
- *
- * The lfsrs are seeded with bytes from the raw key:
- *
- * lfsr17:  byte 0[0:7] at bit 9
- *          byte 1[0:7] at bit 0
- *
- * lfsr25:  byte 2[0:4] at bit 16
- *          byte 2[5:7] at bit 22
- *          byte 3[0:7] at bit 8
- *          byte 4[0:7] at bit 0
- *
- * To prevent 0 cycles, 1's are inject at bit 8 in lfrs17 and bit 21 in
- * lfsr25.
- *
- */
-
-int
-acss(ACSS_KEY *key, unsigned long len, const unsigned char *in,
-    unsigned char *out)
-{
-	unsigned long i;
-	unsigned long lfsr17tmp, lfsr25tmp, lfsrsumtmp;
-
-	lfsrsumtmp = lfsr17tmp = lfsr25tmp = 0;
-
-	/* keystream is sum of lfsrs */
-	for (i = 0; i < len; i++) {
-		lfsr17tmp = key->lfsr17 ^ (key->lfsr17 >> 14);
-		key->lfsr17 = (key->lfsr17 >> 8)
-			^ (lfsr17tmp << 9)
-			^ (lfsr17tmp << 12)
-			^ (lfsr17tmp << 15);
-		key->lfsr17 &= 0x1ffff;	/* 17 bit LFSR */
-
-		lfsr25tmp = key->lfsr25
-			^ (key->lfsr25 >> 3)
-			^ (key->lfsr25 >> 4)
-			^ (key->lfsr25 >> 12);
-		key->lfsr25 = (key->lfsr25 >> 8) ^ (lfsr25tmp << 17);
-		key->lfsr25 &= 0x1ffffff;	/* 25 bit LFSR */
-
-		lfsrsumtmp = key->lfsrsum;
-
-		/* addition */
-		switch (key->mode) {
-		case ACSS_AUTHENTICATE:
-		case ACSS_DATA:
-			key->lfsrsum = 0xff & ~(key->lfsr17 >> 9);
-			key->lfsrsum += key->lfsr25 >> 17;
-			break;
-		case ACSS_SESSIONKEY:
-			key->lfsrsum = key->lfsr17 >> 9;
-			key->lfsrsum += key->lfsr25 >> 17;
-			break;
-		case ACSS_TITLEKEY:
-			key->lfsrsum = key->lfsr17 >> 9;
-			key->lfsrsum += 0xff & ~(key->lfsr25 >> 17);
-			break;
-		default:
-			return 1;
-		}
-		key->lfsrsum += (lfsrsumtmp >> 8);
-
-		if (key->encrypt) {
-			out[i] = sboxenc[(in[i] ^ key->lfsrsum) & 0xff];
-		} else {
-			out[i] = (sboxdec[in[i]] ^ key->lfsrsum) & 0xff;
-		}
-	}
-
-	return 0;
-}
-
-static void
-acss_seed(ACSS_KEY *key)
-{
-	int i;
-
-	/* if available, mangle with subkey */
-	if (key->subkey_avilable) {
-		for (i = 0; i < ACSS_KEYSIZE; i++)
-			key->seed[i] = reverse[key->data[i] ^ key->subkey[i]];
-	} else {
-		for (i = 0; i < ACSS_KEYSIZE; i++)
-			key->seed[i] = reverse[key->data[i]];
-	}
-
-	/* seed lfsrs */
-	key->lfsr17 = key->seed[1]
-		| (key->seed[0] << 9)
-		| (1 << 8);	/* inject 1 at bit 9 */
-	key->lfsr25 = key->seed[4]
-		| (key->seed[3] << 8)
-		| ((key->seed[2] & 0x1f) << 16)
-		| ((key->seed[2] & 0xe0) << 17)
-			| (1 << 21);	/* inject 1 at bit 22 */
-
-	key->lfsrsum = 0;
-}
-
-void
-acss_setkey(ACSS_KEY *key, const unsigned char *data, int enc, int mode)
-{
-	memcpy(key->data, data, sizeof(key->data));
-	memset(key->subkey, 0, sizeof(key->subkey));
-
-	if (enc != -1)
-		key->encrypt = enc;
-	key->mode = mode;
-	key->subkey_avilable = 0;
-
-	acss_seed(key);
-}
-
-void
-acss_setsubkey(ACSS_KEY *key, const unsigned char *subkey)
-{
-	memcpy(key->subkey, subkey, sizeof(key->subkey));
-	key->subkey_avilable = 1;
-	acss_seed(key);
-}
-#endif
diff --git a/crypto/openssh/acss.h b/crypto/openssh/acss.h
deleted file mode 100644
index 91b4895..0000000
--- a/crypto/openssh/acss.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*	$Id: acss.h,v 1.2 2004/02/06 04:22:43 dtucker Exp $ */
-/*
- * Copyright (c) 2004 The OpenBSD project
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef _ACSS_H_
-#define _ACSS_H_
-
-/* 40bit key */
-#define ACSS_KEYSIZE		5
-
-/* modes of acss */
-#define ACSS_AUTHENTICATE	0
-#define ACSS_SESSIONKEY		1
-#define ACSS_TITLEKEY		2
-#define ACSS_DATA		3
-
-typedef struct acss_key_st {
-	unsigned int	lfsr17;		/* current state of lfsrs */
-	unsigned int	lfsr25;
-	unsigned int	lfsrsum;
-	unsigned char	seed[ACSS_KEYSIZE];
-	unsigned char	data[ACSS_KEYSIZE];
-	unsigned char	subkey[ACSS_KEYSIZE];
-	int		encrypt;	/* XXX make these bit flags? */
-	int		mode;
-	int		seeded;
-	int		subkey_avilable;
-} ACSS_KEY;
-
-void acss_setkey(ACSS_KEY *, const unsigned char *, int, int);
-void acss_setsubkey(ACSS_KEY *, const unsigned char *);
-int acss(ACSS_KEY *, unsigned long, const unsigned char *, unsigned char *);
-
-#endif /* ifndef _ACSS_H_ */
diff --git a/crypto/openssh/atomicio.c b/crypto/openssh/atomicio.c
deleted file mode 100644
index f651a29..0000000
--- a/crypto/openssh/atomicio.c
+++ /dev/null
@@ -1,120 +0,0 @@
-/* $OpenBSD: atomicio.c,v 1.23 2006/08/03 03:34:41 deraadt Exp $ */
-/*
- * Copyright (c) 2006 Damien Miller. All rights reserved.
- * Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
- * Copyright (c) 1995,1999 Theo de Raadt.  All rights reserved.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/param.h>
-#include <sys/uio.h>
-
-#include <errno.h>
-#include <string.h>
-
-#include "atomicio.h"
-
-/*
- * ensure all of data on socket comes through. f==read || f==vwrite
- */
-size_t
-atomicio(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n)
-{
-	char *s = _s;
-	size_t pos = 0;
-	ssize_t res;
-
-	while (n > pos) {
-		res = (f) (fd, s + pos, n - pos);
-		switch (res) {
-		case -1:
-#ifdef EWOULDBLOCK
-			if (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK)
-#else
-			if (errno == EINTR || errno == EAGAIN)
-#endif
-				continue;
-			return 0;
-		case 0:
-			errno = EPIPE;
-			return pos;
-		default:
-			pos += (size_t)res;
-		}
-	}
-	return (pos);
-}
-
-/*
- * ensure all of data on socket comes through. f==readv || f==writev
- */
-size_t
-atomiciov(ssize_t (*f) (int, const struct iovec *, int), int fd,
-    const struct iovec *_iov, int iovcnt)
-{
-	size_t pos = 0, rem;
-	ssize_t res;
-	struct iovec iov_array[IOV_MAX], *iov = iov_array;
-
-	if (iovcnt > IOV_MAX) {
-		errno = EINVAL;
-		return 0;
-	}
-	/* Make a copy of the iov array because we may modify it below */
-	memcpy(iov, _iov, iovcnt * sizeof(*_iov));
-
-	for (; iovcnt > 0 && iov[0].iov_len > 0;) {
-		res = (f) (fd, iov, iovcnt);
-		switch (res) {
-		case -1:
-			if (errno == EINTR || errno == EAGAIN)
-				continue;
-			return 0;
-		case 0:
-			errno = EPIPE;
-			return pos;
-		default:
-			rem = (size_t)res;
-			pos += rem;
-			/* skip completed iov entries */
-			while (iovcnt > 0 && rem >= iov[0].iov_len) {
-				rem -= iov[0].iov_len;
-				iov++;
-				iovcnt--;
-			}
-			/* This shouldn't happen... */
-			if (rem > 0 && (iovcnt <= 0 || rem > iov[0].iov_len)) {
-				errno = EFAULT;
-				return 0;
-			}
-			if (iovcnt == 0)
-				break;
-			/* update pointer in partially complete iov */
-			iov[0].iov_base = ((char *)iov[0].iov_base) + rem;
-			iov[0].iov_len -= rem;
-		}
-	}
-	return pos;
-}
diff --git a/crypto/openssh/atomicio.h b/crypto/openssh/atomicio.h
deleted file mode 100644
index 2fcd25d..0000000
--- a/crypto/openssh/atomicio.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/* $OpenBSD: atomicio.h,v 1.10 2006/08/03 03:34:41 deraadt Exp $ */
-
-/*
- * Copyright (c) 2006 Damien Miller.  All rights reserved.
- * Copyright (c) 1995,1999 Theo de Raadt.  All rights reserved.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef _ATOMICIO_H
-#define _ATOMICIO_H
-
-/*
- * Ensure all of data on socket comes through. f==read || f==vwrite
- */
-size_t	atomicio(ssize_t (*)(int, void *, size_t), int, void *, size_t);
-
-#define vwrite (ssize_t (*)(int, void *, size_t))write
-
-/*
- * ensure all of data on socket comes through. f==readv || f==writev
- */
-size_t	atomiciov(ssize_t (*)(int, const struct iovec *, int),
-    int, const struct iovec *, int);
-
-#endif /* _ATOMICIO_H */
diff --git a/crypto/openssh/audit-bsm.c b/crypto/openssh/audit-bsm.c
deleted file mode 100644
index c26b4ca..0000000
--- a/crypto/openssh/audit-bsm.c
+++ /dev/null
@@ -1,337 +0,0 @@
-/* $Id: audit-bsm.c,v 1.5 2006/09/30 22:09:50 dtucker Exp $ */
-
-/*
- * TODO
- *
- * - deal with overlap between this and sys_auth_allowed_user
- *   sys_auth_record_login and record_failed_login.
- */
-
-/*
- * Copyright 1988-2002 Sun Microsystems, Inc.  All rights reserved.
- * Use is subject to license terms.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- */
-/* #pragma ident	"@(#)bsmaudit.c	1.1	01/09/17 SMI" */
-
-#include "includes.h"
-#if defined(USE_BSM_AUDIT)
-
-#include <sys/types.h>
-
-#include <errno.h>
-#include <stdarg.h>
-#include <unistd.h>
-
-#include "ssh.h"
-#include "log.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "xmalloc.h"
-
-#ifndef AUE_openssh
-# define AUE_openssh     32800
-#endif
-#include <bsm/audit.h>
-#include <bsm/libbsm.h>
-#include <bsm/audit_uevents.h>
-#include <bsm/audit_record.h>
-#include <locale.h>
-
-#if defined(HAVE_GETAUDIT_ADDR)
-#define	AuditInfoStruct		auditinfo_addr
-#define AuditInfoTermID		au_tid_addr_t
-#define GetAuditFunc(a,b)	getaudit_addr((a),(b))
-#define GetAuditFuncText	"getaudit_addr"
-#define SetAuditFunc(a,b)	setaudit_addr((a),(b))
-#define SetAuditFuncText	"setaudit_addr"
-#define AUToSubjectFunc		au_to_subject_ex
-#define AUToReturnFunc(a,b)	au_to_return32((a), (int32_t)(b))
-#else
-#define	AuditInfoStruct		auditinfo
-#define AuditInfoTermID		au_tid_t
-#define GetAuditFunc(a,b)	getaudit(a)
-#define GetAuditFuncText	"getaudit"
-#define SetAuditFunc(a,b)	setaudit(a)
-#define SetAuditFuncText	"setaudit"
-#define AUToSubjectFunc		au_to_subject
-#define AUToReturnFunc(a,b)	au_to_return((a), (u_int)(b))
-#endif
-
-extern int	cannot_audit(int);
-extern void	aug_init(void);
-extern dev_t	aug_get_port(void);
-extern int 	aug_get_machine(char *, u_int32_t *, u_int32_t *);
-extern void	aug_save_auid(au_id_t);
-extern void	aug_save_uid(uid_t);
-extern void	aug_save_euid(uid_t);
-extern void	aug_save_gid(gid_t);
-extern void	aug_save_egid(gid_t);
-extern void	aug_save_pid(pid_t);
-extern void	aug_save_asid(au_asid_t);
-extern void	aug_save_tid(dev_t, unsigned int);
-extern void	aug_save_tid_ex(dev_t, u_int32_t *, u_int32_t);
-extern int	aug_save_me(void);
-extern int	aug_save_namask(void);
-extern void	aug_save_event(au_event_t);
-extern void	aug_save_sorf(int);
-extern void	aug_save_text(char *);
-extern void	aug_save_text1(char *);
-extern void	aug_save_text2(char *);
-extern void	aug_save_na(int);
-extern void	aug_save_user(char *);
-extern void	aug_save_path(char *);
-extern int	aug_save_policy(void);
-extern void	aug_save_afunc(int (*)(int));
-extern int	aug_audit(void);
-extern int	aug_na_selected(void);
-extern int	aug_selected(void);
-extern int	aug_daemon_session(void);
-
-#ifndef HAVE_GETTEXT
-# define gettext(a)	(a)
-#endif
-
-extern Authctxt *the_authctxt;
-static AuditInfoTermID ssh_bsm_tid;
-
-/* Below is the low-level BSM interface code */
-
-/*
- * Check if the specified event is selected (enabled) for auditing.
- * Returns 1 if the event is selected, 0 if not and -1 on failure.
- */
-static int
-selected(char *username, uid_t uid, au_event_t event, int sf)
-{
-	int rc, sorf;
-	char naflags[512];
-	struct au_mask mask;
-
-	mask.am_success = mask.am_failure = 0;
-	if (uid < 0) {
-		/* get flags for non-attributable (to a real user) events */
-		rc = getacna(naflags, sizeof(naflags));
-		if (rc == 0)
-			(void) getauditflagsbin(naflags, &mask);
-	} else
-		rc = au_user_mask(username, &mask);
-
-	sorf = (sf == 0) ? AU_PRS_SUCCESS : AU_PRS_FAILURE;
-	return(au_preselect(event, &mask, sorf, AU_PRS_REREAD));
-}
-
-static void
-bsm_audit_record(int typ, char *string, au_event_t event_no)
-{
-	int		ad, rc, sel;
-	uid_t		uid = -1;
-	gid_t		gid = -1;
-	pid_t		pid = getpid();
-	AuditInfoTermID	tid = ssh_bsm_tid;
-
-	if (the_authctxt != NULL && the_authctxt->valid) {
-		uid = the_authctxt->pw->pw_uid;
-		gid = the_authctxt->pw->pw_gid;
-	}
-
-	rc = (typ == 0) ? 0 : -1;
-	sel = selected(the_authctxt->user, uid, event_no, rc);
-	debug3("BSM audit: typ %d rc %d \"%s\"", typ, rc, string);
-	if (!sel)
-		return;	/* audit event does not match mask, do not write */
-
-	debug3("BSM audit: writing audit new record");
-	ad = au_open();
-
-	(void) au_write(ad, AUToSubjectFunc(uid, uid, gid, uid, gid,
-	    pid, pid, &tid));
-	(void) au_write(ad, au_to_text(string));
-	(void) au_write(ad, AUToReturnFunc(typ, rc));
-
-	rc = au_close(ad, AU_TO_WRITE, event_no);
-	if (rc < 0)
-		error("BSM audit: %s failed to write \"%s\" record: %s",
-		    __func__, string, strerror(errno));
-}
-
-static void
-bsm_audit_session_setup(void)
-{
-	int rc;
-	struct AuditInfoStruct info;
-	au_mask_t mask;
-
-	if (the_authctxt == NULL) {
-		error("BSM audit: session setup internal error (NULL ctxt)");
-		return;
-	}
-
-	if (the_authctxt->valid)
-		info.ai_auid = the_authctxt->pw->pw_uid;
-	else
-		info.ai_auid = -1;
-	info.ai_asid = getpid();
-	mask.am_success = 0;
-	mask.am_failure = 0;
-
-	(void) au_user_mask(the_authctxt->user, &mask);
-
-	info.ai_mask.am_success  = mask.am_success;
-	info.ai_mask.am_failure  = mask.am_failure;
-
-	info.ai_termid = ssh_bsm_tid;
-
-	rc = SetAuditFunc(&info, sizeof(info));
-	if (rc < 0)
-		error("BSM audit: %s: %s failed: %s", __func__,
-		    SetAuditFuncText, strerror(errno));
-}
-
-static void
-bsm_audit_bad_login(const char *what)
-{
-	char textbuf[BSM_TEXTBUFSZ];
-
-	if (the_authctxt->valid) {
-		(void) snprintf(textbuf, sizeof (textbuf),
-			gettext("invalid %s for user %s"),
-			    what, the_authctxt->user);
-		bsm_audit_record(4, textbuf, AUE_openssh);
-	} else {
-		(void) snprintf(textbuf, sizeof (textbuf),
-			gettext("invalid user name \"%s\""),
-			    the_authctxt->user);
-		bsm_audit_record(3, textbuf, AUE_openssh);
-	}
-}
-
-/* Below is the sshd audit API code */
-
-void
-audit_connection_from(const char *host, int port)
-{
-	AuditInfoTermID *tid = &ssh_bsm_tid;
-	char buf[1024];
-
-	if (cannot_audit(0))
-		return;
-	debug3("BSM audit: connection from %.100s port %d", host, port);
-
-	/* populate our terminal id structure */
-#if defined(HAVE_GETAUDIT_ADDR)
-	tid->at_port = (dev_t)port;
-	aug_get_machine((char *)host, &(tid->at_addr[0]), &(tid->at_type));
-	snprintf(buf, sizeof(buf), "%08x %08x %08x %08x", tid->at_addr[0],
-	    tid->at_addr[1], tid->at_addr[2], tid->at_addr[3]);
-	debug3("BSM audit: iptype %d machine ID %s", (int)tid->at_type, buf);
-#else
-	/* this is used on IPv4-only machines */
-	tid->port = (dev_t)port;
-	tid->machine = inet_addr(host);
-	snprintf(buf, sizeof(buf), "%08x", tid->machine);
-	debug3("BSM audit: machine ID %s", buf);
-#endif
-}
-
-void
-audit_run_command(const char *command)
-{
-	/* not implemented */
-}
-
-void
-audit_session_open(const char *ttyn)
-{
-	/* not implemented */
-}
-
-void
-audit_session_close(const char *ttyn)
-{
-	/* not implemented */
-}
-
-void
-audit_event(ssh_audit_event_t event)
-{
-	char    textbuf[BSM_TEXTBUFSZ];
-	static int logged_in = 0;
-	const char *user = the_authctxt ? the_authctxt->user : "(unknown user)";
-
-	if (cannot_audit(0))
-		return;
-
-	switch(event) {
-	case SSH_AUTH_SUCCESS:
-		logged_in = 1;
-		bsm_audit_session_setup();
-		snprintf(textbuf, sizeof(textbuf),
-		    gettext("successful login %s"), user);
-		bsm_audit_record(0, textbuf, AUE_openssh);
-		break;
-
-	case SSH_CONNECTION_CLOSE:
-		/*
-		 * We can also get a close event if the user attempted auth
-		 * but never succeeded.
-		 */
-		if (logged_in) {
-			snprintf(textbuf, sizeof(textbuf),
-			    gettext("sshd logout %s"), the_authctxt->user);
-			bsm_audit_record(0, textbuf, AUE_logout);
-		} else {
-			debug("%s: connection closed without authentication",
-			    __func__);
-		}
-		break;
-
-	case SSH_NOLOGIN:
-		bsm_audit_record(1,
-		    gettext("logins disabled by /etc/nologin"), AUE_openssh);
-		break;
-
-	case SSH_LOGIN_EXCEED_MAXTRIES:
-		snprintf(textbuf, sizeof(textbuf),
-		    gettext("too many tries for user %s"), the_authctxt->user);
-		bsm_audit_record(1, textbuf, AUE_openssh);
-		break;
-
-	case SSH_LOGIN_ROOT_DENIED:
-		bsm_audit_record(2, gettext("not_console"), AUE_openssh);
-		break;
-
-	case SSH_AUTH_FAIL_PASSWD:
-		bsm_audit_bad_login("password");
-		break;
-
-	case SSH_AUTH_FAIL_KBDINT:
-		bsm_audit_bad_login("interactive password entry");
-		break;
-
-	default:
-		debug("%s: unhandled event %d", __func__, event);
-	}
-}
-#endif /* BSM */
diff --git a/crypto/openssh/audit.c b/crypto/openssh/audit.c
deleted file mode 100644
index dbea34c..0000000
--- a/crypto/openssh/audit.c
+++ /dev/null
@@ -1,186 +0,0 @@
-/* $Id: audit.c,v 1.5 2006/09/01 05:38:36 djm Exp $ */
-
-/*
- * Copyright (c) 2004, 2005 Darren Tucker.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <stdarg.h>
-#include <string.h>
-
-#ifdef SSH_AUDIT_EVENTS
-
-#include "audit.h"
-#include "log.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-
-/*
- * Care must be taken when using this since it WILL NOT be initialized when
- * audit_connection_from() is called and MAY NOT be initialized when
- * audit_event(CONNECTION_ABANDON) is called.  Test for NULL before using.
- */
-extern Authctxt *the_authctxt;
-
-/* Maybe add the audit class to struct Authmethod? */
-ssh_audit_event_t
-audit_classify_auth(const char *method)
-{
-	if (strcmp(method, "none") == 0)
-		return SSH_AUTH_FAIL_NONE;
-	else if (strcmp(method, "password") == 0)
-		return SSH_AUTH_FAIL_PASSWD;
-	else if (strcmp(method, "publickey") == 0 ||
-	    strcmp(method, "rsa") == 0)
-		return SSH_AUTH_FAIL_PUBKEY;
-	else if (strncmp(method, "keyboard-interactive", 20) == 0 ||
-	    strcmp(method, "challenge-response") == 0)
-		return SSH_AUTH_FAIL_KBDINT;
-	else if (strcmp(method, "hostbased") == 0 ||
-	    strcmp(method, "rhosts-rsa") == 0)
-		return SSH_AUTH_FAIL_HOSTBASED;
-	else if (strcmp(method, "gssapi-with-mic") == 0)
-		return SSH_AUTH_FAIL_GSSAPI;
-	else
-		return SSH_AUDIT_UNKNOWN;
-}
-
-/* helper to return supplied username */
-const char *
-audit_username(void)
-{
-	static const char unknownuser[] = "(unknown user)";
-	static const char invaliduser[] = "(invalid user)";
-
-	if (the_authctxt == NULL || the_authctxt->user == NULL)
-		return (unknownuser);
-	if (!the_authctxt->valid)
-		return (invaliduser);
-	return (the_authctxt->user);
-}
-
-const char *
-audit_event_lookup(ssh_audit_event_t ev)
-{
-	int i;
-	static struct event_lookup_struct {
-		ssh_audit_event_t event;
-		const char *name;
-	} event_lookup[] = {
-		{SSH_LOGIN_EXCEED_MAXTRIES,	"LOGIN_EXCEED_MAXTRIES"},
-		{SSH_LOGIN_ROOT_DENIED,		"LOGIN_ROOT_DENIED"},
-		{SSH_AUTH_SUCCESS,		"AUTH_SUCCESS"},
-		{SSH_AUTH_FAIL_NONE,		"AUTH_FAIL_NONE"},
-		{SSH_AUTH_FAIL_PASSWD,		"AUTH_FAIL_PASSWD"},
-		{SSH_AUTH_FAIL_KBDINT,		"AUTH_FAIL_KBDINT"},
-		{SSH_AUTH_FAIL_PUBKEY,		"AUTH_FAIL_PUBKEY"},
-		{SSH_AUTH_FAIL_HOSTBASED,	"AUTH_FAIL_HOSTBASED"},
-		{SSH_AUTH_FAIL_GSSAPI,		"AUTH_FAIL_GSSAPI"},
-		{SSH_INVALID_USER,		"INVALID_USER"},
-		{SSH_NOLOGIN,			"NOLOGIN"},
-		{SSH_CONNECTION_CLOSE,		"CONNECTION_CLOSE"},
-		{SSH_CONNECTION_ABANDON,	"CONNECTION_ABANDON"},
-		{SSH_AUDIT_UNKNOWN,		"AUDIT_UNKNOWN"}
-	};
-
-	for (i = 0; event_lookup[i].event != SSH_AUDIT_UNKNOWN; i++)
-		if (event_lookup[i].event == ev)
-			break;
-	return(event_lookup[i].name);
-}
-
-# ifndef CUSTOM_SSH_AUDIT_EVENTS
-/*
- * Null implementations of audit functions.
- * These get used if SSH_AUDIT_EVENTS is defined but no audit module is enabled.
- */
-
-/*
- * Called after a connection has been accepted but before any authentication
- * has been attempted.
- */
-void
-audit_connection_from(const char *host, int port)
-{
-	debug("audit connection from %s port %d euid %d", host, port,
-	    (int)geteuid());
-}
-
-/*
- * Called when various events occur (see audit.h for a list of possible
- * events and what they mean).
- */
-void
-audit_event(ssh_audit_event_t event)
-{
-	debug("audit event euid %d user %s event %d (%s)", geteuid(),
-	    audit_username(), event, audit_event_lookup(event));
-}
-
-/*
- * Called when a user session is started.  Argument is the tty allocated to
- * the session, or NULL if no tty was allocated.
- *
- * Note that this may be called multiple times if multiple sessions are used
- * within a single connection.
- */
-void
-audit_session_open(const char *ttyn)
-{
-	const char *t = ttyn ? ttyn : "(no tty)";
-
-	debug("audit session open euid %d user %s tty name %s", geteuid(),
-	    audit_username(), t);
-}
-
-/*
- * Called when a user session is closed.  Argument is the tty allocated to
- * the session, or NULL if no tty was allocated.
- *
- * Note that this may be called multiple times if multiple sessions are used
- * within a single connection.
- */
-void
-audit_session_close(const char *ttyn)
-{
-	const char *t = ttyn ? ttyn : "(no tty)";
-
-	debug("audit session close euid %d user %s tty name %s", geteuid(),
-	    audit_username(), t);
-}
-
-/*
- * This will be called when a user runs a non-interactive command.  Note that
- * it may be called multiple times for a single connection since SSH2 allows
- * multiple sessions within a single connection.
- */
-void
-audit_run_command(const char *command)
-{
-	debug("audit run command euid %d user %s command '%.200s'", geteuid(),
-	    audit_username(), command);
-}
-# endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
-#endif /* SSH_AUDIT_EVENTS */
diff --git a/crypto/openssh/audit.h b/crypto/openssh/audit.h
deleted file mode 100644
index 695f723..0000000
--- a/crypto/openssh/audit.h
+++ /dev/null
@@ -1,54 +0,0 @@
-/* $Id: audit.h,v 1.3 2006/08/05 14:05:10 dtucker Exp $ */
-
-/*
- * Copyright (c) 2004, 2005 Darren Tucker.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef _SSH_AUDIT_H
-# define _SSH_AUDIT_H
-enum ssh_audit_event_type {
-	SSH_LOGIN_EXCEED_MAXTRIES,
-	SSH_LOGIN_ROOT_DENIED,
-	SSH_AUTH_SUCCESS,
-	SSH_AUTH_FAIL_NONE,
-	SSH_AUTH_FAIL_PASSWD,
-	SSH_AUTH_FAIL_KBDINT,	/* keyboard-interactive or challenge-response */
-	SSH_AUTH_FAIL_PUBKEY,	/* ssh2 pubkey or ssh1 rsa */
-	SSH_AUTH_FAIL_HOSTBASED,	/* ssh2 hostbased or ssh1 rhostsrsa */
-	SSH_AUTH_FAIL_GSSAPI,
-	SSH_INVALID_USER,
-	SSH_NOLOGIN,		/* denied by /etc/nologin, not implemented */
-	SSH_CONNECTION_CLOSE,	/* closed after attempting auth or session */
-	SSH_CONNECTION_ABANDON,	/* closed without completing auth */
-	SSH_AUDIT_UNKNOWN
-};
-typedef enum ssh_audit_event_type ssh_audit_event_t;
-
-void	audit_connection_from(const char *, int);
-void	audit_event(ssh_audit_event_t);
-void	audit_session_open(const char *);
-void	audit_session_close(const char *);
-void	audit_run_command(const char *);
-ssh_audit_event_t audit_classify_auth(const char *);
-
-#endif /* _SSH_AUDIT_H */
diff --git a/crypto/openssh/auth-bsdauth.c b/crypto/openssh/auth-bsdauth.c
deleted file mode 100644
index 37d527d..0000000
--- a/crypto/openssh/auth-bsdauth.c
+++ /dev/null
@@ -1,138 +0,0 @@
-/* $OpenBSD: auth-bsdauth.c,v 1.10 2006/08/03 03:34:41 deraadt Exp $ */
-/*
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <stdarg.h>
-
-#ifdef BSD_AUTH
-#include "xmalloc.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "log.h"
-#include "buffer.h"
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-#include "monitor_wrap.h"
-
-static void *
-bsdauth_init_ctx(Authctxt *authctxt)
-{
-	return authctxt;
-}
-
-int
-bsdauth_query(void *ctx, char **name, char **infotxt,
-   u_int *numprompts, char ***prompts, u_int **echo_on)
-{
-	Authctxt *authctxt = ctx;
-	char *challenge = NULL;
-
-	if (authctxt->as != NULL) {
-		debug2("bsdauth_query: try reuse session");
-		challenge = auth_getitem(authctxt->as, AUTHV_CHALLENGE);
-		if (challenge == NULL) {
-			auth_close(authctxt->as);
-			authctxt->as = NULL;
-		}
-	}
-
-	if (challenge == NULL) {
-		debug2("bsdauth_query: new bsd auth session");
-		debug3("bsdauth_query: style %s",
-		    authctxt->style ? authctxt->style : "<default>");
-		authctxt->as = auth_userchallenge(authctxt->user,
-		    authctxt->style, "auth-ssh", &challenge);
-		if (authctxt->as == NULL)
-			challenge = NULL;
-		debug2("bsdauth_query: <%s>", challenge ? challenge : "empty");
-	}
-
-	if (challenge == NULL)
-		return -1;
-
-	*name = xstrdup("");
-	*infotxt = xstrdup("");
-	*numprompts = 1;
-	*prompts = xcalloc(*numprompts, sizeof(char *));
-	*echo_on = xcalloc(*numprompts, sizeof(u_int));
-	(*prompts)[0] = xstrdup(challenge);
-
-	return 0;
-}
-
-int
-bsdauth_respond(void *ctx, u_int numresponses, char **responses)
-{
-	Authctxt *authctxt = ctx;
-	int authok;
-
-	if (!authctxt->valid)
-		return -1;
-
-	if (authctxt->as == 0)
-		error("bsdauth_respond: no bsd auth session");
-
-	if (numresponses != 1)
-		return -1;
-
-	authok = auth_userresponse(authctxt->as, responses[0], 0);
-	authctxt->as = NULL;
-	debug3("bsdauth_respond: <%s> = <%d>", responses[0], authok);
-
-	return (authok == 0) ? -1 : 0;
-}
-
-static void
-bsdauth_free_ctx(void *ctx)
-{
-	Authctxt *authctxt = ctx;
-
-	if (authctxt && authctxt->as) {
-		auth_close(authctxt->as);
-		authctxt->as = NULL;
-	}
-}
-
-KbdintDevice bsdauth_device = {
-	"bsdauth",
-	bsdauth_init_ctx,
-	bsdauth_query,
-	bsdauth_respond,
-	bsdauth_free_ctx
-};
-
-KbdintDevice mm_bsdauth_device = {
-	"bsdauth",
-	bsdauth_init_ctx,
-	mm_bsdauth_query,
-	mm_bsdauth_respond,
-	bsdauth_free_ctx
-};
-#endif
diff --git a/crypto/openssh/auth-chall.c b/crypto/openssh/auth-chall.c
deleted file mode 100644
index 919b1ea..0000000
--- a/crypto/openssh/auth-chall.c
+++ /dev/null
@@ -1,123 +0,0 @@
-/* $OpenBSD: auth-chall.c,v 1.12 2006/08/03 03:34:41 deraadt Exp $ */
-/*
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <stdarg.h>
-
-#include "xmalloc.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "log.h"
-#include "servconf.h"
-
-/* limited protocol v1 interface to kbd-interactive authentication */
-
-extern KbdintDevice *devices[];
-static KbdintDevice *device;
-extern ServerOptions options;
-
-char *
-get_challenge(Authctxt *authctxt)
-{
-	char *challenge, *name, *info, **prompts;
-	u_int i, numprompts;
-	u_int *echo_on;
-
-#ifdef USE_PAM
-	if (!options.use_pam)
-		remove_kbdint_device("pam");
-#endif
-
-	device = devices[0]; /* we always use the 1st device for protocol 1 */
-	if (device == NULL)
-		return NULL;
-	if ((authctxt->kbdintctxt = device->init_ctx(authctxt)) == NULL)
-		return NULL;
-	if (device->query(authctxt->kbdintctxt, &name, &info,
-	    &numprompts, &prompts, &echo_on)) {
-		device->free_ctx(authctxt->kbdintctxt);
-		authctxt->kbdintctxt = NULL;
-		return NULL;
-	}
-	if (numprompts < 1)
-		fatal("get_challenge: numprompts < 1");
-	challenge = xstrdup(prompts[0]);
-	for (i = 0; i < numprompts; i++)
-		xfree(prompts[i]);
-	xfree(prompts);
-	xfree(name);
-	xfree(echo_on);
-	xfree(info);
-
-	return (challenge);
-}
-int
-verify_response(Authctxt *authctxt, const char *response)
-{
-	char *resp[1], *name, *info, **prompts;
-	u_int i, numprompts, *echo_on;
-	int authenticated = 0;
-
-	if (device == NULL)
-		return 0;
-	if (authctxt->kbdintctxt == NULL)
-		return 0;
-	resp[0] = (char *)response;
-	switch (device->respond(authctxt->kbdintctxt, 1, resp)) {
-	case 0: /* Success */
-		authenticated = 1;
-		break;
-	case 1: /* Postponed - retry with empty query for PAM */
-		if ((device->query(authctxt->kbdintctxt, &name, &info,
-		    &numprompts, &prompts, &echo_on)) != 0)
-			break;
-		if (numprompts == 0 &&
-		    device->respond(authctxt->kbdintctxt, 0, resp) == 0)
-			authenticated = 1;
-
-		for (i = 0; i < numprompts; i++)
-			xfree(prompts[i]);
-		xfree(prompts);
-		xfree(name);
-		xfree(echo_on);
-		xfree(info);
-		break;
-	}
-	device->free_ctx(authctxt->kbdintctxt);
-	authctxt->kbdintctxt = NULL;
-	return authenticated;
-}
-void
-abandon_challenge_response(Authctxt *authctxt)
-{
-	if (authctxt->kbdintctxt != NULL) {
-		device->free_ctx(authctxt->kbdintctxt);
-		authctxt->kbdintctxt = NULL;
-	}
-}
diff --git a/crypto/openssh/auth-krb5.c b/crypto/openssh/auth-krb5.c
deleted file mode 100644
index b3bbfee..0000000
--- a/crypto/openssh/auth-krb5.c
+++ /dev/null
@@ -1,249 +0,0 @@
-/* $OpenBSD: auth-krb5.c,v 1.19 2006/08/03 03:34:41 deraadt Exp $ */
-/*
- *    Kerberos v5 authentication and ticket-passing routines.
- *
- * $FreeBSD$
- */
-/*
- * Copyright (c) 2002 Daniel Kouril.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <pwd.h>
-#include <stdarg.h>
-
-#include "xmalloc.h"
-#include "ssh.h"
-#include "ssh1.h"
-#include "packet.h"
-#include "log.h"
-#include "buffer.h"
-#include "servconf.h"
-#include "uidswap.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-
-#ifdef KRB5
-#include <errno.h>
-#include <unistd.h>
-#include <string.h>
-#include <krb5.h>
-
-extern ServerOptions	 options;
-
-static int
-krb5_init(void *context)
-{
-	Authctxt *authctxt = (Authctxt *)context;
-	krb5_error_code problem;
-
-	if (authctxt->krb5_ctx == NULL) {
-		problem = krb5_init_context(&authctxt->krb5_ctx);
-		if (problem)
-			return (problem);
-	}
-	return (0);
-}
-
-int
-auth_krb5_password(Authctxt *authctxt, const char *password)
-{
-#ifndef HEIMDAL
-	krb5_creds creds;
-	krb5_principal server;
-#endif
-	krb5_error_code problem;
-	krb5_ccache ccache = NULL;
-	int len;
-
-	temporarily_use_uid(authctxt->pw);
-
-	problem = krb5_init(authctxt);
-	if (problem)
-		goto out;
-
-	problem = krb5_parse_name(authctxt->krb5_ctx, authctxt->pw->pw_name,
-		    &authctxt->krb5_user);
-	if (problem)
-		goto out;
-
-#ifdef HEIMDAL
-	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
-	if (problem)
-		goto out;
-
-	problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
-		authctxt->krb5_user);
-	if (problem)
-		goto out;
-
-	restore_uid();
-
-	problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
-	    ccache, password, 1, NULL);
-
-	temporarily_use_uid(authctxt->pw);
-
-	if (problem)
-		goto out;
-
-	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
-	    &authctxt->krb5_fwd_ccache);
-	if (problem)
-		goto out;
-
-	problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
-	    authctxt->krb5_fwd_ccache);
-	krb5_cc_destroy(authctxt->krb5_ctx, ccache);
-	ccache = NULL;
-	if (problem)
-		goto out;
-
-#else
-	problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
-	    authctxt->krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
-	if (problem)
-		goto out;
-
-	problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
-	    KRB5_NT_SRV_HST, &server);
-	if (problem)
-		goto out;
-
-	restore_uid();
-	problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server,
-	    NULL, NULL, NULL);
-	krb5_free_principal(authctxt->krb5_ctx, server);
-	temporarily_use_uid(authctxt->pw);
-	if (problem)
-		goto out;
-
-	if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
-			  authctxt->pw->pw_name)) {
-		problem = -1;
-		goto out;
-	}
-
-	problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
-	if (problem)
-		goto out;
-
-	problem = krb5_cc_initialize(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
-				     authctxt->krb5_user);
-	if (problem)
-		goto out;
-
-	problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
-				 &creds);
-	if (problem)
-		goto out;
-#endif
-
-	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
-
-	len = strlen(authctxt->krb5_ticket_file) + 6;
-	authctxt->krb5_ccname = xmalloc(len);
-	snprintf(authctxt->krb5_ccname, len, "FILE:%s",
-	    authctxt->krb5_ticket_file);
-
-#ifdef USE_PAM
-	if (options.use_pam)
-		do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
-#endif
-
- out:
-	restore_uid();
-
-	if (problem) {
-		if (ccache)
-			krb5_cc_destroy(authctxt->krb5_ctx, ccache);
-
-		if (authctxt->krb5_ctx != NULL && problem!=-1)
-			debug("Kerberos password authentication failed: %s",
-			    krb5_get_err_text(authctxt->krb5_ctx, problem));
-		else
-			debug("Kerberos password authentication failed: %d",
-			    problem);
-
-		krb5_cleanup_proc(authctxt);
-
-		if (options.kerberos_or_local_passwd)
-			return (-1);
-		else
-			return (0);
-	}
-	return (authctxt->valid ? 1 : 0);
-}
-
-void
-krb5_cleanup_proc(Authctxt *authctxt)
-{
-	debug("krb5_cleanup_proc called");
-	if (authctxt->krb5_fwd_ccache) {
-		krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
-		authctxt->krb5_fwd_ccache = NULL;
-	}
-	if (authctxt->krb5_user) {
-		krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
-		authctxt->krb5_user = NULL;
-	}
-	if (authctxt->krb5_ctx) {
-		krb5_free_context(authctxt->krb5_ctx);
-		authctxt->krb5_ctx = NULL;
-	}
-}
-
-#ifndef HEIMDAL
-krb5_error_code
-ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
-	int tmpfd, ret;
-	char ccname[40];
-	mode_t old_umask;
-
-	ret = snprintf(ccname, sizeof(ccname),
-	    "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
-	if (ret < 0 || (size_t)ret >= sizeof(ccname))
-		return ENOMEM;
-
-	old_umask = umask(0177);
-	tmpfd = mkstemp(ccname + strlen("FILE:"));
-	umask(old_umask);
-	if (tmpfd == -1) {
-		logit("mkstemp(): %.100s", strerror(errno));
-		return errno;
-	}
-
-	if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
-		logit("fchmod(): %.100s", strerror(errno));
-		close(tmpfd);
-		return errno;
-	}
-	close(tmpfd);
-
-	return (krb5_cc_resolve(ctx, ccname, ccache));
-}
-#endif /* !HEIMDAL */
-#endif /* KRB5 */
diff --git a/crypto/openssh/auth-options.c b/crypto/openssh/auth-options.c
deleted file mode 100644
index ca5e1c9..0000000
--- a/crypto/openssh/auth-options.c
+++ /dev/null
@@ -1,357 +0,0 @@
-/* $OpenBSD: auth-options.c,v 1.40 2006/08/03 03:34:41 deraadt Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <netdb.h>
-#include <pwd.h>
-#include <string.h>
-#include <stdio.h>
-#include <stdarg.h>
-
-#include "xmalloc.h"
-#include "match.h"
-#include "log.h"
-#include "canohost.h"
-#include "buffer.h"
-#include "channels.h"
-#include "auth-options.h"
-#include "servconf.h"
-#include "misc.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-#include "monitor_wrap.h"
-
-/* Flags set authorized_keys flags */
-int no_port_forwarding_flag = 0;
-int no_agent_forwarding_flag = 0;
-int no_x11_forwarding_flag = 0;
-int no_pty_flag = 0;
-
-/* "command=" option. */
-char *forced_command = NULL;
-
-/* "environment=" options. */
-struct envstring *custom_environment = NULL;
-
-/* "tunnel=" option. */
-int forced_tun_device = -1;
-
-extern ServerOptions options;
-
-void
-auth_clear_options(void)
-{
-	no_agent_forwarding_flag = 0;
-	no_port_forwarding_flag = 0;
-	no_pty_flag = 0;
-	no_x11_forwarding_flag = 0;
-	while (custom_environment) {
-		struct envstring *ce = custom_environment;
-		custom_environment = ce->next;
-		xfree(ce->s);
-		xfree(ce);
-	}
-	if (forced_command) {
-		xfree(forced_command);
-		forced_command = NULL;
-	}
-	forced_tun_device = -1;
-	channel_clear_permitted_opens();
-	auth_debug_reset();
-}
-
-/*
- * return 1 if access is granted, 0 if not.
- * side effect: sets key option flags
- */
-int
-auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
-{
-	const char *cp;
-	int i;
-
-	/* reset options */
-	auth_clear_options();
-
-	if (!opts)
-		return 1;
-
-	while (*opts && *opts != ' ' && *opts != '\t') {
-		cp = "no-port-forwarding";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			auth_debug_add("Port forwarding disabled.");
-			no_port_forwarding_flag = 1;
-			opts += strlen(cp);
-			goto next_option;
-		}
-		cp = "no-agent-forwarding";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			auth_debug_add("Agent forwarding disabled.");
-			no_agent_forwarding_flag = 1;
-			opts += strlen(cp);
-			goto next_option;
-		}
-		cp = "no-X11-forwarding";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			auth_debug_add("X11 forwarding disabled.");
-			no_x11_forwarding_flag = 1;
-			opts += strlen(cp);
-			goto next_option;
-		}
-		cp = "no-pty";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			auth_debug_add("Pty allocation disabled.");
-			no_pty_flag = 1;
-			opts += strlen(cp);
-			goto next_option;
-		}
-		cp = "command=\"";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			opts += strlen(cp);
-			forced_command = xmalloc(strlen(opts) + 1);
-			i = 0;
-			while (*opts) {
-				if (*opts == '"')
-					break;
-				if (*opts == '\\' && opts[1] == '"') {
-					opts += 2;
-					forced_command[i++] = '"';
-					continue;
-				}
-				forced_command[i++] = *opts++;
-			}
-			if (!*opts) {
-				debug("%.100s, line %lu: missing end quote",
-				    file, linenum);
-				auth_debug_add("%.100s, line %lu: missing end quote",
-				    file, linenum);
-				xfree(forced_command);
-				forced_command = NULL;
-				goto bad_option;
-			}
-			forced_command[i] = '\0';
-			auth_debug_add("Forced command: %.900s", forced_command);
-			opts++;
-			goto next_option;
-		}
-		cp = "environment=\"";
-		if (options.permit_user_env &&
-		    strncasecmp(opts, cp, strlen(cp)) == 0) {
-			char *s;
-			struct envstring *new_envstring;
-
-			opts += strlen(cp);
-			s = xmalloc(strlen(opts) + 1);
-			i = 0;
-			while (*opts) {
-				if (*opts == '"')
-					break;
-				if (*opts == '\\' && opts[1] == '"') {
-					opts += 2;
-					s[i++] = '"';
-					continue;
-				}
-				s[i++] = *opts++;
-			}
-			if (!*opts) {
-				debug("%.100s, line %lu: missing end quote",
-				    file, linenum);
-				auth_debug_add("%.100s, line %lu: missing end quote",
-				    file, linenum);
-				xfree(s);
-				goto bad_option;
-			}
-			s[i] = '\0';
-			auth_debug_add("Adding to environment: %.900s", s);
-			debug("Adding to environment: %.900s", s);
-			opts++;
-			new_envstring = xmalloc(sizeof(struct envstring));
-			new_envstring->s = s;
-			new_envstring->next = custom_environment;
-			custom_environment = new_envstring;
-			goto next_option;
-		}
-		cp = "from=\"";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			const char *remote_ip = get_remote_ipaddr();
-			const char *remote_host = get_canonical_hostname(
-			    options.use_dns);
-			char *patterns = xmalloc(strlen(opts) + 1);
-
-			opts += strlen(cp);
-			i = 0;
-			while (*opts) {
-				if (*opts == '"')
-					break;
-				if (*opts == '\\' && opts[1] == '"') {
-					opts += 2;
-					patterns[i++] = '"';
-					continue;
-				}
-				patterns[i++] = *opts++;
-			}
-			if (!*opts) {
-				debug("%.100s, line %lu: missing end quote",
-				    file, linenum);
-				auth_debug_add("%.100s, line %lu: missing end quote",
-				    file, linenum);
-				xfree(patterns);
-				goto bad_option;
-			}
-			patterns[i] = '\0';
-			opts++;
-			if (match_host_and_ip(remote_host, remote_ip,
-			    patterns) != 1) {
-				xfree(patterns);
-				logit("Authentication tried for %.100s with "
-				    "correct key but not from a permitted "
-				    "host (host=%.200s, ip=%.200s).",
-				    pw->pw_name, remote_host, remote_ip);
-				auth_debug_add("Your host '%.200s' is not "
-				    "permitted to use this key for login.",
-				    remote_host);
-				/* deny access */
-				return 0;
-			}
-			xfree(patterns);
-			/* Host name matches. */
-			goto next_option;
-		}
-		cp = "permitopen=\"";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			char *host, *p;
-			u_short port;
-			char *patterns = xmalloc(strlen(opts) + 1);
-
-			opts += strlen(cp);
-			i = 0;
-			while (*opts) {
-				if (*opts == '"')
-					break;
-				if (*opts == '\\' && opts[1] == '"') {
-					opts += 2;
-					patterns[i++] = '"';
-					continue;
-				}
-				patterns[i++] = *opts++;
-			}
-			if (!*opts) {
-				debug("%.100s, line %lu: missing end quote",
-				    file, linenum);
-				auth_debug_add("%.100s, line %lu: missing "
-				    "end quote", file, linenum);
-				xfree(patterns);
-				goto bad_option;
-			}
-			patterns[i] = '\0';
-			opts++;
-			p = patterns;
-			host = hpdelim(&p);
-			if (host == NULL || strlen(host) >= NI_MAXHOST) {
-				debug("%.100s, line %lu: Bad permitopen "
-				    "specification <%.100s>", file, linenum,
-				    patterns);
-				auth_debug_add("%.100s, line %lu: "
-				    "Bad permitopen specification", file,
-				    linenum);
-				xfree(patterns);
-				goto bad_option;
-			}
-			host = cleanhostname(host);
-			if (p == NULL || (port = a2port(p)) == 0) {
-				debug("%.100s, line %lu: Bad permitopen port "
-				    "<%.100s>", file, linenum, p ? p : "");
-				auth_debug_add("%.100s, line %lu: "
-				    "Bad permitopen port", file, linenum);
-				xfree(patterns);
-				goto bad_option;
-			}
-			if (options.allow_tcp_forwarding)
-				channel_add_permitted_opens(host, port);
-			xfree(patterns);
-			goto next_option;
-		}
-		cp = "tunnel=\"";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			char *tun = NULL;
-			opts += strlen(cp);
-			tun = xmalloc(strlen(opts) + 1);
-			i = 0;
-			while (*opts) {
-				if (*opts == '"')
-					break;
-				tun[i++] = *opts++;
-			}
-			if (!*opts) {
-				debug("%.100s, line %lu: missing end quote",
-				    file, linenum);
-				auth_debug_add("%.100s, line %lu: missing end quote",
-				    file, linenum);
-				xfree(tun);
-				forced_tun_device = -1;
-				goto bad_option;
-			}
-			tun[i] = '\0';
-			forced_tun_device = a2tun(tun, NULL);
-			xfree(tun);
-			if (forced_tun_device == SSH_TUNID_ERR) {
-				debug("%.100s, line %lu: invalid tun device",
-				    file, linenum);
-				auth_debug_add("%.100s, line %lu: invalid tun device",
-				    file, linenum);
-				forced_tun_device = -1;
-				goto bad_option;
-			}
-			auth_debug_add("Forced tun device: %d", forced_tun_device);
-			opts++;
-			goto next_option;
-		}
-next_option:
-		/*
-		 * Skip the comma, and move to the next option
-		 * (or break out if there are no more).
-		 */
-		if (!*opts)
-			fatal("Bugs in auth-options.c option processing.");
-		if (*opts == ' ' || *opts == '\t')
-			break;		/* End of options. */
-		if (*opts != ',')
-			goto bad_option;
-		opts++;
-		/* Process the next option. */
-	}
-
-	if (!use_privsep)
-		auth_debug_send();
-
-	/* grant access */
-	return 1;
-
-bad_option:
-	logit("Bad options in %.100s file, line %lu: %.50s",
-	    file, linenum, opts);
-	auth_debug_add("Bad options in %.100s file, line %lu: %.50s",
-	    file, linenum, opts);
-
-	if (!use_privsep)
-		auth_debug_send();
-
-	/* deny access */
-	return 0;
-}
diff --git a/crypto/openssh/auth-options.h b/crypto/openssh/auth-options.h
deleted file mode 100644
index 853f8b5..0000000
--- a/crypto/openssh/auth-options.h
+++ /dev/null
@@ -1,36 +0,0 @@
-/* $OpenBSD: auth-options.h,v 1.16 2006/08/03 03:34:41 deraadt Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#ifndef AUTH_OPTIONS_H
-#define AUTH_OPTIONS_H
-
-/* Linked list of custom environment strings */
-struct envstring {
-	struct envstring *next;
-	char   *s;
-};
-
-/* Flags that may be set in authorized_keys options. */
-extern int no_port_forwarding_flag;
-extern int no_agent_forwarding_flag;
-extern int no_x11_forwarding_flag;
-extern int no_pty_flag;
-extern char *forced_command;
-extern struct envstring *custom_environment;
-extern int forced_tun_device;
-
-int	auth_parse_options(struct passwd *, char *, char *, u_long);
-void	auth_clear_options(void);
-
-#endif
diff --git a/crypto/openssh/auth-pam.c b/crypto/openssh/auth-pam.c
deleted file mode 100644
index 6893d57..0000000
--- a/crypto/openssh/auth-pam.c
+++ /dev/null
@@ -1,1220 +0,0 @@
-/*-
- * Copyright (c) 2002 Networks Associates Technology, Inc.
- * All rights reserved.
- *
- * This software was developed for the FreeBSD Project by ThinkSec AS and
- * NAI Labs, the Security Research Division of Network Associates, Inc.
- * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
- * DARPA CHATS research program.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-/*
- * Copyright (c) 2003,2004 Damien Miller <djm@mindrot.org>
- * Copyright (c) 2003,2004 Darren Tucker <dtucker@zip.com.au>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* Based on $FreeBSD$ */
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/wait.h>
-
-#include <errno.h>
-#include <signal.h>
-#include <stdarg.h>
-#include <string.h>
-#include <unistd.h>
-
-#ifdef USE_PAM
-#if defined(HAVE_SECURITY_PAM_APPL_H)
-#include <security/pam_appl.h>
-#elif defined (HAVE_PAM_PAM_APPL_H)
-#include <pam/pam_appl.h>
-#endif
-
-/* OpenGroup RFC86.0 and XSSO specify no "const" on arguments */
-#ifdef PAM_SUN_CODEBASE
-# define sshpam_const		/* Solaris, HP-UX, AIX */
-#else
-# define sshpam_const	const	/* LinuxPAM, OpenPAM */
-#endif
-
-/* Ambiguity in spec: is it an array of pointers or a pointer to an array? */
-#ifdef PAM_SUN_CODEBASE
-# define PAM_MSG_MEMBER(msg, n, member) ((*(msg))[(n)].member)
-#else
-# define PAM_MSG_MEMBER(msg, n, member) ((msg)[(n)]->member)
-#endif
-
-#include "xmalloc.h"
-#include "buffer.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "auth-pam.h"
-#include "canohost.h"
-#include "log.h"
-#include "msg.h"
-#include "packet.h"
-#include "misc.h"
-#include "servconf.h"
-#include "ssh2.h"
-#include "auth-options.h"
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-#include "monitor_wrap.h"
-
-extern ServerOptions options;
-extern Buffer loginmsg;
-extern int compat20;
-extern u_int utmp_len;
-
-/* so we don't silently change behaviour */
-#ifdef USE_POSIX_THREADS
-# error "USE_POSIX_THREADS replaced by UNSUPPORTED_POSIX_THREADS_HACK"
-#endif
-
-/*
- * Formerly known as USE_POSIX_THREADS, using this is completely unsupported
- * and generally a bad idea.  Use at own risk and do not expect support if
- * this breaks.
- */
-#ifdef UNSUPPORTED_POSIX_THREADS_HACK
-#include <pthread.h>
-/*
- * Avoid namespace clash when *not* using pthreads for systems *with*
- * pthreads, which unconditionally define pthread_t via sys/types.h
- * (e.g. Linux)
- */
-typedef pthread_t sp_pthread_t;
-#else
-typedef pid_t sp_pthread_t;
-#endif
-
-struct pam_ctxt {
-	sp_pthread_t	 pam_thread;
-	int		 pam_psock;
-	int		 pam_csock;
-	int		 pam_done;
-};
-
-static void sshpam_free_ctx(void *);
-static struct pam_ctxt *cleanup_ctxt;
-
-#ifndef UNSUPPORTED_POSIX_THREADS_HACK
-/*
- * Simulate threads with processes.
- */
-
-static int sshpam_thread_status = -1;
-static mysig_t sshpam_oldsig;
-
-static void
-sshpam_sigchld_handler(int sig)
-{
-	signal(SIGCHLD, SIG_DFL);
-	if (cleanup_ctxt == NULL)
-		return;	/* handler called after PAM cleanup, shouldn't happen */
-	if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, WNOHANG)
-	    <= 0) {
-		/* PAM thread has not exitted, privsep slave must have */
-		kill(cleanup_ctxt->pam_thread, SIGTERM);
-		if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, 0)
-		    <= 0)
-			return; /* could not wait */
-	}
-	if (WIFSIGNALED(sshpam_thread_status) &&
-	    WTERMSIG(sshpam_thread_status) == SIGTERM)
-		return;	/* terminated by pthread_cancel */
-	if (!WIFEXITED(sshpam_thread_status))
-		fatal("PAM: authentication thread exited unexpectedly");
-	if (WEXITSTATUS(sshpam_thread_status) != 0)
-		fatal("PAM: authentication thread exited uncleanly");
-}
-
-/* ARGSUSED */
-static void
-pthread_exit(void *value)
-{
-	_exit(0);
-}
-
-/* ARGSUSED */
-static int
-pthread_create(sp_pthread_t *thread, const void *attr,
-    void *(*thread_start)(void *), void *arg)
-{
-	pid_t pid;
-	struct pam_ctxt *ctx = arg;
-
-	sshpam_thread_status = -1;
-	switch ((pid = fork())) {
-	case -1:
-		error("fork(): %s", strerror(errno));
-		return (-1);
-	case 0:
-		close(ctx->pam_psock);
-		ctx->pam_psock = -1;
-		thread_start(arg);
-		_exit(1);
-	default:
-		*thread = pid;
-		close(ctx->pam_csock);
-		ctx->pam_csock = -1;
-		sshpam_oldsig = signal(SIGCHLD, sshpam_sigchld_handler);
-		return (0);
-	}
-}
-
-static int
-pthread_cancel(sp_pthread_t thread)
-{
-	signal(SIGCHLD, sshpam_oldsig);
-	return (kill(thread, SIGTERM));
-}
-
-/* ARGSUSED */
-static int
-pthread_join(sp_pthread_t thread, void **value)
-{
-	int status;
-
-	if (sshpam_thread_status != -1)
-		return (sshpam_thread_status);
-	signal(SIGCHLD, sshpam_oldsig);
-	waitpid(thread, &status, 0);
-	return (status);
-}
-#endif
-
-
-static pam_handle_t *sshpam_handle = NULL;
-static int sshpam_err = 0;
-static int sshpam_authenticated = 0;
-static int sshpam_session_open = 0;
-static int sshpam_cred_established = 0;
-static int sshpam_account_status = -1;
-static char **sshpam_env = NULL;
-static Authctxt *sshpam_authctxt = NULL;
-static const char *sshpam_password = NULL;
-static char badpw[] = "\b\n\r\177INCORRECT";
-
-/* Some PAM implementations don't implement this */
-#ifndef HAVE_PAM_GETENVLIST
-static char **
-pam_getenvlist(pam_handle_t *pamh)
-{
-	/*
-	 * XXX - If necessary, we can still support envrionment passing
-	 * for platforms without pam_getenvlist by searching for known
-	 * env vars (e.g. KRB5CCNAME) from the PAM environment.
-	 */
-	 return NULL;
-}
-#endif
-
-/*
- * Some platforms, notably Solaris, do not enforce password complexity
- * rules during pam_chauthtok() if the real uid of the calling process
- * is 0, on the assumption that it's being called by "passwd" run by root.
- * This wraps pam_chauthtok and sets/restore the real uid so PAM will do
- * the right thing.
- */
-#ifdef SSHPAM_CHAUTHTOK_NEEDS_RUID
-static int
-sshpam_chauthtok_ruid(pam_handle_t *pamh, int flags)
-{
-	int result;
-
-	if (sshpam_authctxt == NULL)
-		fatal("PAM: sshpam_authctxt not initialized");
-	if (setreuid(sshpam_authctxt->pw->pw_uid, -1) == -1)
-		fatal("%s: setreuid failed: %s", __func__, strerror(errno));
-	result = pam_chauthtok(pamh, flags);
-	if (setreuid(0, -1) == -1)
-		fatal("%s: setreuid failed: %s", __func__, strerror(errno));
-	return result;
-}
-# define pam_chauthtok(a,b)	(sshpam_chauthtok_ruid((a), (b)))
-#endif
-
-void
-sshpam_password_change_required(int reqd)
-{
-	debug3("%s %d", __func__, reqd);
-	if (sshpam_authctxt == NULL)
-		fatal("%s: PAM authctxt not initialized", __func__);
-	sshpam_authctxt->force_pwchange = reqd;
-	if (reqd) {
-		no_port_forwarding_flag |= 2;
-		no_agent_forwarding_flag |= 2;
-		no_x11_forwarding_flag |= 2;
-	} else {
-		no_port_forwarding_flag &= ~2;
-		no_agent_forwarding_flag &= ~2;
-		no_x11_forwarding_flag &= ~2;
-	}
-}
-
-/* Import regular and PAM environment from subprocess */
-static void
-import_environments(Buffer *b)
-{
-	char *env;
-	u_int i, num_env;
-	int err;
-
-	debug3("PAM: %s entering", __func__);
-
-#ifndef UNSUPPORTED_POSIX_THREADS_HACK
-	/* Import variables set by do_pam_account */
-	sshpam_account_status = buffer_get_int(b);
-	sshpam_password_change_required(buffer_get_int(b));
-
-	/* Import environment from subprocess */
-	num_env = buffer_get_int(b);
-	if (num_env > 1024)
-		fatal("%s: received %u environment variables, expected <= 1024",
-		    __func__, num_env);
-	sshpam_env = xcalloc(num_env + 1, sizeof(*sshpam_env));
-	debug3("PAM: num env strings %d", num_env);
-	for(i = 0; i < num_env; i++)
-		sshpam_env[i] = buffer_get_string(b, NULL);
-
-	sshpam_env[num_env] = NULL;
-
-	/* Import PAM environment from subprocess */
-	num_env = buffer_get_int(b);
-	debug("PAM: num PAM env strings %d", num_env);
-	for(i = 0; i < num_env; i++) {
-		env = buffer_get_string(b, NULL);
-
-#ifdef HAVE_PAM_PUTENV
-		/* Errors are not fatal here */
-		if ((err = pam_putenv(sshpam_handle, env)) != PAM_SUCCESS) {
-			error("PAM: pam_putenv: %s",
-			    pam_strerror(sshpam_handle, sshpam_err));
-		}
-#endif
-	}
-#endif
-}
-
-/*
- * Conversation function for authentication thread.
- */
-static int
-sshpam_thread_conv(int n, sshpam_const struct pam_message **msg,
-    struct pam_response **resp, void *data)
-{
-	Buffer buffer;
-	struct pam_ctxt *ctxt;
-	struct pam_response *reply;
-	int i;
-
-	debug3("PAM: %s entering, %d messages", __func__, n);
-	*resp = NULL;
-
-	if (data == NULL) {
-		error("PAM: conversation function passed a null context");
-		return (PAM_CONV_ERR);
-	}
-	ctxt = data;
-	if (n <= 0 || n > PAM_MAX_NUM_MSG)
-		return (PAM_CONV_ERR);
-
-	if ((reply = calloc(n, sizeof(*reply))) == NULL)
-		return (PAM_CONV_ERR);
-
-	buffer_init(&buffer);
-	for (i = 0; i < n; ++i) {
-		switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
-		case PAM_PROMPT_ECHO_OFF:
-			buffer_put_cstring(&buffer,
-			    PAM_MSG_MEMBER(msg, i, msg));
-			if (ssh_msg_send(ctxt->pam_csock,
-			    PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1)
-				goto fail;
-			if (ssh_msg_recv(ctxt->pam_csock, &buffer) == -1)
-				goto fail;
-			if (buffer_get_char(&buffer) != PAM_AUTHTOK)
-				goto fail;
-			reply[i].resp = buffer_get_string(&buffer, NULL);
-			break;
-		case PAM_PROMPT_ECHO_ON:
-			buffer_put_cstring(&buffer,
-			    PAM_MSG_MEMBER(msg, i, msg));
-			if (ssh_msg_send(ctxt->pam_csock,
-			    PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1)
-				goto fail;
-			if (ssh_msg_recv(ctxt->pam_csock, &buffer) == -1)
-				goto fail;
-			if (buffer_get_char(&buffer) != PAM_AUTHTOK)
-				goto fail;
-			reply[i].resp = buffer_get_string(&buffer, NULL);
-			break;
-		case PAM_ERROR_MSG:
-			buffer_put_cstring(&buffer,
-			    PAM_MSG_MEMBER(msg, i, msg));
-			if (ssh_msg_send(ctxt->pam_csock,
-			    PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1)
-				goto fail;
-			break;
-		case PAM_TEXT_INFO:
-			buffer_put_cstring(&buffer,
-			    PAM_MSG_MEMBER(msg, i, msg));
-			if (ssh_msg_send(ctxt->pam_csock,
-			    PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1)
-				goto fail;
-			break;
-		default:
-			goto fail;
-		}
-		buffer_clear(&buffer);
-	}
-	buffer_free(&buffer);
-	*resp = reply;
-	return (PAM_SUCCESS);
-
- fail:
-	for(i = 0; i < n; i++) {
-		if (reply[i].resp != NULL)
-			xfree(reply[i].resp);
-	}
-	xfree(reply);
-	buffer_free(&buffer);
-	return (PAM_CONV_ERR);
-}
-
-/*
- * Authentication thread.
- */
-static void *
-sshpam_thread(void *ctxtp)
-{
-	struct pam_ctxt *ctxt = ctxtp;
-	Buffer buffer;
-	struct pam_conv sshpam_conv;
-	int flags = (options.permit_empty_passwd == 0 ?
-	    PAM_DISALLOW_NULL_AUTHTOK : 0);
-#ifndef UNSUPPORTED_POSIX_THREADS_HACK
-	extern char **environ;
-	char **env_from_pam;
-	u_int i;
-	const char *pam_user;
-	const char **ptr_pam_user = &pam_user;
-	char *tz = getenv("TZ");
-
-	pam_get_item(sshpam_handle, PAM_USER,
-	    (sshpam_const void **)ptr_pam_user);
-
-	environ[0] = NULL;
-	if (tz != NULL)
-		if (setenv("TZ", tz, 1) == -1)
-			error("PAM: could not set TZ environment: %s",
-			    strerror(errno));
-
-	if (sshpam_authctxt != NULL) {
-		setproctitle("%s [pam]",
-		    sshpam_authctxt->valid ? pam_user : "unknown");
-	}
-#endif
-
-	sshpam_conv.conv = sshpam_thread_conv;
-	sshpam_conv.appdata_ptr = ctxt;
-
-	if (sshpam_authctxt == NULL)
-		fatal("%s: PAM authctxt not initialized", __func__);
-
-	buffer_init(&buffer);
-	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
-	    (const void *)&sshpam_conv);
-	if (sshpam_err != PAM_SUCCESS)
-		goto auth_fail;
-	sshpam_err = pam_authenticate(sshpam_handle, flags);
-	if (sshpam_err != PAM_SUCCESS)
-		goto auth_fail;
-
-	if (compat20) {
-		if (!do_pam_account()) {
-			sshpam_err = PAM_ACCT_EXPIRED;
-			goto auth_fail;
-		}
-		if (sshpam_authctxt->force_pwchange) {
-			sshpam_err = pam_chauthtok(sshpam_handle,
-			    PAM_CHANGE_EXPIRED_AUTHTOK);
-			if (sshpam_err != PAM_SUCCESS)
-				goto auth_fail;
-			sshpam_password_change_required(0);
-		}
-	}
-
-	buffer_put_cstring(&buffer, "OK");
-
-#ifndef UNSUPPORTED_POSIX_THREADS_HACK
-	/* Export variables set by do_pam_account */
-	buffer_put_int(&buffer, sshpam_account_status);
-	buffer_put_int(&buffer, sshpam_authctxt->force_pwchange);
-
-	/* Export any environment strings set in child */
-	for(i = 0; environ[i] != NULL; i++)
-		; /* Count */
-	buffer_put_int(&buffer, i);
-	for(i = 0; environ[i] != NULL; i++)
-		buffer_put_cstring(&buffer, environ[i]);
-
-	/* Export any environment strings set by PAM in child */
-	env_from_pam = pam_getenvlist(sshpam_handle);
-	for(i = 0; env_from_pam != NULL && env_from_pam[i] != NULL; i++)
-		; /* Count */
-	buffer_put_int(&buffer, i);
-	for(i = 0; env_from_pam != NULL && env_from_pam[i] != NULL; i++)
-		buffer_put_cstring(&buffer, env_from_pam[i]);
-#endif /* UNSUPPORTED_POSIX_THREADS_HACK */
-
-	/* XXX - can't do much about an error here */
-	ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer);
-	buffer_free(&buffer);
-	pthread_exit(NULL);
-
- auth_fail:
-	buffer_put_cstring(&buffer,
-	    pam_strerror(sshpam_handle, sshpam_err));
-	/* XXX - can't do much about an error here */
-	if (sshpam_err == PAM_ACCT_EXPIRED)
-		ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, &buffer);
-	else
-		ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
-	buffer_free(&buffer);
-	pthread_exit(NULL);
-
-	return (NULL); /* Avoid warning for non-pthread case */
-}
-
-void
-sshpam_thread_cleanup(void)
-{
-	struct pam_ctxt *ctxt = cleanup_ctxt;
-
-	debug3("PAM: %s entering", __func__);
-	if (ctxt != NULL && ctxt->pam_thread != 0) {
-		pthread_cancel(ctxt->pam_thread);
-		pthread_join(ctxt->pam_thread, NULL);
-		close(ctxt->pam_psock);
-		close(ctxt->pam_csock);
-		memset(ctxt, 0, sizeof(*ctxt));
-		cleanup_ctxt = NULL;
-	}
-}
-
-static int
-sshpam_null_conv(int n, sshpam_const struct pam_message **msg,
-    struct pam_response **resp, void *data)
-{
-	debug3("PAM: %s entering, %d messages", __func__, n);
-	return (PAM_CONV_ERR);
-}
-
-static struct pam_conv null_conv = { sshpam_null_conv, NULL };
-
-static int
-sshpam_store_conv(int n, sshpam_const struct pam_message **msg,
-    struct pam_response **resp, void *data)
-{
-	struct pam_response *reply;
-	int i;
-	size_t len;
-
-	debug3("PAM: %s called with %d messages", __func__, n);
-	*resp = NULL;
-
-	if (n <= 0 || n > PAM_MAX_NUM_MSG)
-		return (PAM_CONV_ERR);
-
-	if ((reply = calloc(n, sizeof(*reply))) == NULL)
-		return (PAM_CONV_ERR);
-
-	for (i = 0; i < n; ++i) {
-		switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
-		case PAM_ERROR_MSG:
-		case PAM_TEXT_INFO:
-			len = strlen(PAM_MSG_MEMBER(msg, i, msg));
-			buffer_append(&loginmsg, PAM_MSG_MEMBER(msg, i, msg), len);
-			buffer_append(&loginmsg, "\n", 1 );
-			reply[i].resp_retcode = PAM_SUCCESS;
-			break;
-		default:
-			goto fail;
-		}
-	}
-	*resp = reply;
-	return (PAM_SUCCESS);
-
- fail:
-	for(i = 0; i < n; i++) {
-		if (reply[i].resp != NULL)
-			xfree(reply[i].resp);
-	}
-	xfree(reply);
-	return (PAM_CONV_ERR);
-}
-
-static struct pam_conv store_conv = { sshpam_store_conv, NULL };
-
-void
-sshpam_cleanup(void)
-{
-	debug("PAM: cleanup");
-	if (sshpam_handle == NULL)
-		return;
-	pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
-	if (sshpam_cred_established) {
-		pam_setcred(sshpam_handle, PAM_DELETE_CRED);
-		sshpam_cred_established = 0;
-	}
-	if (sshpam_session_open) {
-		pam_close_session(sshpam_handle, PAM_SILENT);
-		sshpam_session_open = 0;
-	}
-	sshpam_authenticated = 0;
-	pam_end(sshpam_handle, sshpam_err);
-	sshpam_handle = NULL;
-}
-
-static int
-sshpam_init(Authctxt *authctxt)
-{
-	extern char *__progname;
-	const char *pam_rhost, *pam_user, *user = authctxt->user;
-	const char **ptr_pam_user = &pam_user;
-
-	if (sshpam_handle != NULL) {
-		/* We already have a PAM context; check if the user matches */
-		sshpam_err = pam_get_item(sshpam_handle,
-		    PAM_USER, (sshpam_const void **)ptr_pam_user);
-		if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0)
-			return (0);
-		pam_end(sshpam_handle, sshpam_err);
-		sshpam_handle = NULL;
-	}
-	debug("PAM: initializing for \"%s\"", user);
-	sshpam_err =
-	    pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle);
-	sshpam_authctxt = authctxt;
-
-	if (sshpam_err != PAM_SUCCESS) {
-		pam_end(sshpam_handle, sshpam_err);
-		sshpam_handle = NULL;
-		return (-1);
-	}
-	pam_rhost = get_remote_name_or_ip(utmp_len, options.use_dns);
-	debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost);
-	sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost);
-	if (sshpam_err != PAM_SUCCESS) {
-		pam_end(sshpam_handle, sshpam_err);
-		sshpam_handle = NULL;
-		return (-1);
-	}
-#ifdef PAM_TTY_KLUDGE
-	/*
-	 * Some silly PAM modules (e.g. pam_time) require a TTY to operate.
-	 * sshd doesn't set the tty until too late in the auth process and
-	 * may not even set one (for tty-less connections)
-	 */
-	debug("PAM: setting PAM_TTY to \"ssh\"");
-	sshpam_err = pam_set_item(sshpam_handle, PAM_TTY, "ssh");
-	if (sshpam_err != PAM_SUCCESS) {
-		pam_end(sshpam_handle, sshpam_err);
-		sshpam_handle = NULL;
-		return (-1);
-	}
-#endif
-	return (0);
-}
-
-static void *
-sshpam_init_ctx(Authctxt *authctxt)
-{
-	struct pam_ctxt *ctxt;
-	int socks[2];
-
-	debug3("PAM: %s entering", __func__);
-	/*
-	 * Refuse to start if we don't have PAM enabled or do_pam_account
-	 * has previously failed.
-	 */
-	if (!options.use_pam || sshpam_account_status == 0)
-		return NULL;
-
-	/* Initialize PAM */
-	if (sshpam_init(authctxt) == -1) {
-		error("PAM: initialization failed");
-		return (NULL);
-	}
-
-	ctxt = xmalloc(sizeof *ctxt);
-	memset(ctxt, 0, sizeof(*ctxt));
-
-	/* Start the authentication thread */
-	if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
-		error("PAM: failed create sockets: %s", strerror(errno));
-		xfree(ctxt);
-		return (NULL);
-	}
-	ctxt->pam_psock = socks[0];
-	ctxt->pam_csock = socks[1];
-	if (pthread_create(&ctxt->pam_thread, NULL, sshpam_thread, ctxt) == -1) {
-		error("PAM: failed to start authentication thread: %s",
-		    strerror(errno));
-		close(socks[0]);
-		close(socks[1]);
-		xfree(ctxt);
-		return (NULL);
-	}
-	cleanup_ctxt = ctxt;
-	return (ctxt);
-}
-
-static int
-sshpam_query(void *ctx, char **name, char **info,
-    u_int *num, char ***prompts, u_int **echo_on)
-{
-	Buffer buffer;
-	struct pam_ctxt *ctxt = ctx;
-	size_t plen;
-	u_char type;
-	char *msg;
-	size_t len, mlen;
-
-	debug3("PAM: %s entering", __func__);
-	buffer_init(&buffer);
-	*name = xstrdup("");
-	*info = xstrdup("");
-	*prompts = xmalloc(sizeof(char *));
-	**prompts = NULL;
-	plen = 0;
-	*echo_on = xmalloc(sizeof(u_int));
-	while (ssh_msg_recv(ctxt->pam_psock, &buffer) == 0) {
-		type = buffer_get_char(&buffer);
-		msg = buffer_get_string(&buffer, NULL);
-		mlen = strlen(msg);
-		switch (type) {
-		case PAM_PROMPT_ECHO_ON:
-		case PAM_PROMPT_ECHO_OFF:
-			*num = 1;
-			len = plen + mlen + 1;
-			**prompts = xrealloc(**prompts, 1, len);
-			strlcpy(**prompts + plen, msg, len - plen);
-			plen += mlen;
-			**echo_on = (type == PAM_PROMPT_ECHO_ON);
-			xfree(msg);
-			return (0);
-		case PAM_ERROR_MSG:
-		case PAM_TEXT_INFO:
-			/* accumulate messages */
-			len = plen + mlen + 2;
-			**prompts = xrealloc(**prompts, 1, len);
-			strlcpy(**prompts + plen, msg, len - plen);
-			plen += mlen;
-			strlcat(**prompts + plen, "\n", len - plen);
-			plen++;
-			xfree(msg);
-			break;
-		case PAM_ACCT_EXPIRED:
-			sshpam_account_status = 0;
-			/* FALLTHROUGH */
-		case PAM_AUTH_ERR:
-			debug3("PAM: %s", pam_strerror(sshpam_handle, type));
-			if (**prompts != NULL && strlen(**prompts) != 0) {
-				*info = **prompts;
-				**prompts = NULL;
-				*num = 0;
-				**echo_on = 0;
-				ctxt->pam_done = -1;
-				xfree(msg);
-				return 0;
-			}
-			/* FALLTHROUGH */
-		case PAM_SUCCESS:
-			if (**prompts != NULL) {
-				/* drain any accumulated messages */
-				debug("PAM: %s", **prompts);
-				buffer_append(&loginmsg, **prompts,
-				    strlen(**prompts));
-				xfree(**prompts);
-				**prompts = NULL;
-			}
-			if (type == PAM_SUCCESS) {
-				if (!sshpam_authctxt->valid ||
-				    (sshpam_authctxt->pw->pw_uid == 0 &&
-				    options.permit_root_login != PERMIT_YES))
-					fatal("Internal error: PAM auth "
-					    "succeeded when it should have "
-					    "failed");
-				import_environments(&buffer);
-				*num = 0;
-				**echo_on = 0;
-				ctxt->pam_done = 1;
-				xfree(msg);
-				return (0);
-			}
-			error("PAM: %s for %s%.100s from %.100s", msg,
-			    sshpam_authctxt->valid ? "" : "illegal user ",
-			    sshpam_authctxt->user,
-			    get_remote_name_or_ip(utmp_len, options.use_dns));
-			/* FALLTHROUGH */
-		default:
-			*num = 0;
-			**echo_on = 0;
-			xfree(msg);
-			ctxt->pam_done = -1;
-			return (-1);
-		}
-	}
-	return (-1);
-}
-
-/* XXX - see also comment in auth-chall.c:verify_response */
-static int
-sshpam_respond(void *ctx, u_int num, char **resp)
-{
-	Buffer buffer;
-	struct pam_ctxt *ctxt = ctx;
-
-	debug2("PAM: %s entering, %u responses", __func__, num);
-	switch (ctxt->pam_done) {
-	case 1:
-		sshpam_authenticated = 1;
-		return (0);
-	case 0:
-		break;
-	default:
-		return (-1);
-	}
-	if (num != 1) {
-		error("PAM: expected one response, got %u", num);
-		return (-1);
-	}
-	buffer_init(&buffer);
-	if (sshpam_authctxt->valid &&
-	    (sshpam_authctxt->pw->pw_uid != 0 ||
-	    options.permit_root_login == PERMIT_YES))
-		buffer_put_cstring(&buffer, *resp);
-	else
-		buffer_put_cstring(&buffer, badpw);
-	if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
-		buffer_free(&buffer);
-		return (-1);
-	}
-	buffer_free(&buffer);
-	return (1);
-}
-
-static void
-sshpam_free_ctx(void *ctxtp)
-{
-	struct pam_ctxt *ctxt = ctxtp;
-
-	debug3("PAM: %s entering", __func__);
-	sshpam_thread_cleanup();
-	xfree(ctxt);
-	/*
-	 * We don't call sshpam_cleanup() here because we may need the PAM
-	 * handle at a later stage, e.g. when setting up a session.  It's
-	 * still on the cleanup list, so pam_end() *will* be called before
-	 * the server process terminates.
-	 */
-}
-
-KbdintDevice sshpam_device = {
-	"pam",
-	sshpam_init_ctx,
-	sshpam_query,
-	sshpam_respond,
-	sshpam_free_ctx
-};
-
-KbdintDevice mm_sshpam_device = {
-	"pam",
-	mm_sshpam_init_ctx,
-	mm_sshpam_query,
-	mm_sshpam_respond,
-	mm_sshpam_free_ctx
-};
-
-/*
- * This replaces auth-pam.c
- */
-void
-start_pam(Authctxt *authctxt)
-{
-	if (!options.use_pam)
-		fatal("PAM: initialisation requested when UsePAM=no");
-
-	if (sshpam_init(authctxt) == -1)
-		fatal("PAM: initialisation failed");
-}
-
-void
-finish_pam(void)
-{
-	sshpam_cleanup();
-}
-
-u_int
-do_pam_account(void)
-{
-	debug("%s: called", __func__);
-	if (sshpam_account_status != -1)
-		return (sshpam_account_status);
-
-	sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
-	debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err,
-	    pam_strerror(sshpam_handle, sshpam_err));
-
-	if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) {
-		sshpam_account_status = 0;
-		return (sshpam_account_status);
-	}
-
-	if (sshpam_err == PAM_NEW_AUTHTOK_REQD)
-		sshpam_password_change_required(1);
-
-	sshpam_account_status = 1;
-	return (sshpam_account_status);
-}
-
-void
-do_pam_set_tty(const char *tty)
-{
-	if (tty != NULL) {
-		debug("PAM: setting PAM_TTY to \"%s\"", tty);
-		sshpam_err = pam_set_item(sshpam_handle, PAM_TTY, tty);
-		if (sshpam_err != PAM_SUCCESS)
-			fatal("PAM: failed to set PAM_TTY: %s",
-			    pam_strerror(sshpam_handle, sshpam_err));
-	}
-}
-
-void
-do_pam_setcred(int init)
-{
-	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
-	    (const void *)&store_conv);
-	if (sshpam_err != PAM_SUCCESS)
-		fatal("PAM: failed to set PAM_CONV: %s",
-		    pam_strerror(sshpam_handle, sshpam_err));
-	if (init) {
-		debug("PAM: establishing credentials");
-		sshpam_err = pam_setcred(sshpam_handle, PAM_ESTABLISH_CRED);
-	} else {
-		debug("PAM: reinitializing credentials");
-		sshpam_err = pam_setcred(sshpam_handle, PAM_REINITIALIZE_CRED);
-	}
-	if (sshpam_err == PAM_SUCCESS) {
-		sshpam_cred_established = 1;
-		return;
-	}
-	if (sshpam_authenticated)
-		fatal("PAM: pam_setcred(): %s",
-		    pam_strerror(sshpam_handle, sshpam_err));
-	else
-		debug("PAM: pam_setcred(): %s",
-		    pam_strerror(sshpam_handle, sshpam_err));
-}
-
-static int
-sshpam_tty_conv(int n, sshpam_const struct pam_message **msg,
-    struct pam_response **resp, void *data)
-{
-	char input[PAM_MAX_MSG_SIZE];
-	struct pam_response *reply;
-	int i;
-
-	debug3("PAM: %s called with %d messages", __func__, n);
-
-	*resp = NULL;
-
-	if (n <= 0 || n > PAM_MAX_NUM_MSG || !isatty(STDIN_FILENO))
-		return (PAM_CONV_ERR);
-
-	if ((reply = calloc(n, sizeof(*reply))) == NULL)
-		return (PAM_CONV_ERR);
-
-	for (i = 0; i < n; ++i) {
-		switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
-		case PAM_PROMPT_ECHO_OFF:
-			reply[i].resp =
-			    read_passphrase(PAM_MSG_MEMBER(msg, i, msg),
-			    RP_ALLOW_STDIN);
-			reply[i].resp_retcode = PAM_SUCCESS;
-			break;
-		case PAM_PROMPT_ECHO_ON:
-			fprintf(stderr, "%s\n", PAM_MSG_MEMBER(msg, i, msg));
-			fgets(input, sizeof input, stdin);
-			if ((reply[i].resp = strdup(input)) == NULL)
-				goto fail;
-			reply[i].resp_retcode = PAM_SUCCESS;
-			break;
-		case PAM_ERROR_MSG:
-		case PAM_TEXT_INFO:
-			fprintf(stderr, "%s\n", PAM_MSG_MEMBER(msg, i, msg));
-			reply[i].resp_retcode = PAM_SUCCESS;
-			break;
-		default:
-			goto fail;
-		}
-	}
-	*resp = reply;
-	return (PAM_SUCCESS);
-
- fail:
-	for(i = 0; i < n; i++) {
-		if (reply[i].resp != NULL)
-			xfree(reply[i].resp);
-	}
-	xfree(reply);
-	return (PAM_CONV_ERR);
-}
-
-static struct pam_conv tty_conv = { sshpam_tty_conv, NULL };
-
-/*
- * XXX this should be done in the authentication phase, but ssh1 doesn't
- * support that
- */
-void
-do_pam_chauthtok(void)
-{
-	if (use_privsep)
-		fatal("Password expired (unable to change with privsep)");
-	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
-	    (const void *)&tty_conv);
-	if (sshpam_err != PAM_SUCCESS)
-		fatal("PAM: failed to set PAM_CONV: %s",
-		    pam_strerror(sshpam_handle, sshpam_err));
-	debug("PAM: changing password");
-	sshpam_err = pam_chauthtok(sshpam_handle, PAM_CHANGE_EXPIRED_AUTHTOK);
-	if (sshpam_err != PAM_SUCCESS)
-		fatal("PAM: pam_chauthtok(): %s",
-		    pam_strerror(sshpam_handle, sshpam_err));
-}
-
-void
-do_pam_session(void)
-{
-	debug3("PAM: opening session");
-	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
-	    (const void *)&store_conv);
-	if (sshpam_err != PAM_SUCCESS)
-		fatal("PAM: failed to set PAM_CONV: %s",
-		    pam_strerror(sshpam_handle, sshpam_err));
-	sshpam_err = pam_open_session(sshpam_handle, 0);
-	if (sshpam_err == PAM_SUCCESS)
-		sshpam_session_open = 1;
-	else {
-		sshpam_session_open = 0;
-		disable_forwarding();
-		error("PAM: pam_open_session(): %s",
-		    pam_strerror(sshpam_handle, sshpam_err));
-	}
-
-}
-
-int
-is_pam_session_open(void)
-{
-	return sshpam_session_open;
-}
-
-/*
- * Set a PAM environment string. We need to do this so that the session
- * modules can handle things like Kerberos/GSI credentials that appear
- * during the ssh authentication process.
- */
-int
-do_pam_putenv(char *name, char *value)
-{
-	int ret = 1;
-#ifdef HAVE_PAM_PUTENV
-	char *compound;
-	size_t len;
-
-	len = strlen(name) + strlen(value) + 2;
-	compound = xmalloc(len);
-
-	snprintf(compound, len, "%s=%s", name, value);
-	ret = pam_putenv(sshpam_handle, compound);
-	xfree(compound);
-#endif
-
-	return (ret);
-}
-
-char **
-fetch_pam_child_environment(void)
-{
-	return sshpam_env;
-}
-
-char **
-fetch_pam_environment(void)
-{
-	return (pam_getenvlist(sshpam_handle));
-}
-
-void
-free_pam_environment(char **env)
-{
-	char **envp;
-
-	if (env == NULL)
-		return;
-
-	for (envp = env; *envp; envp++)
-		xfree(*envp);
-	xfree(env);
-}
-
-/*
- * "Blind" conversation function for password authentication.  Assumes that
- * echo-off prompts are for the password and stores messages for later
- * display.
- */
-static int
-sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg,
-    struct pam_response **resp, void *data)
-{
-	struct pam_response *reply;
-	int i;
-	size_t len;
-
-	debug3("PAM: %s called with %d messages", __func__, n);
-
-	*resp = NULL;
-
-	if (n <= 0 || n > PAM_MAX_NUM_MSG)
-		return (PAM_CONV_ERR);
-
-	if ((reply = malloc(n * sizeof(*reply))) == NULL)
-		return (PAM_CONV_ERR);
-	memset(reply, 0, n * sizeof(*reply));
-
-	for (i = 0; i < n; ++i) {
-		switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
-		case PAM_PROMPT_ECHO_OFF:
-			if (sshpam_password == NULL)
-				goto fail;
-			if ((reply[i].resp = strdup(sshpam_password)) == NULL)
-				goto fail;
-			reply[i].resp_retcode = PAM_SUCCESS;
-			break;
-		case PAM_ERROR_MSG:
-		case PAM_TEXT_INFO:
-			len = strlen(PAM_MSG_MEMBER(msg, i, msg));
-			if (len > 0) {
-				buffer_append(&loginmsg,
-				    PAM_MSG_MEMBER(msg, i, msg), len);
-				buffer_append(&loginmsg, "\n", 1);
-			}
-			if ((reply[i].resp = strdup("")) == NULL)
-				goto fail;
-			reply[i].resp_retcode = PAM_SUCCESS;
-			break;
-		default:
-			goto fail;
-		}
-	}
-	*resp = reply;
-	return (PAM_SUCCESS);
-
- fail:
-	for(i = 0; i < n; i++) {
-		if (reply[i].resp != NULL)
-			xfree(reply[i].resp);
-	}
-	xfree(reply);
-	return (PAM_CONV_ERR);
-}
-
-static struct pam_conv passwd_conv = { sshpam_passwd_conv, NULL };
-
-/*
- * Attempt password authentication via PAM
- */
-int
-sshpam_auth_passwd(Authctxt *authctxt, const char *password)
-{
-	int flags = (options.permit_empty_passwd == 0 ?
-	    PAM_DISALLOW_NULL_AUTHTOK : 0);
-
-	if (!options.use_pam || sshpam_handle == NULL)
-		fatal("PAM: %s called when PAM disabled or failed to "
-		    "initialise.", __func__);
-
-	sshpam_password = password;
-	sshpam_authctxt = authctxt;
-
-	/*
-	 * If the user logging in is invalid, or is root but is not permitted
-	 * by PermitRootLogin, use an invalid password to prevent leaking
-	 * information via timing (eg if the PAM config has a delay on fail).
-	 */
-	if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
-	    options.permit_root_login != PERMIT_YES))
-		sshpam_password = badpw;
-
-	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
-	    (const void *)&passwd_conv);
-	if (sshpam_err != PAM_SUCCESS)
-		fatal("PAM: %s: failed to set PAM_CONV: %s", __func__,
-		    pam_strerror(sshpam_handle, sshpam_err));
-
-	sshpam_err = pam_authenticate(sshpam_handle, flags);
-	sshpam_password = NULL;
-	if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
-		debug("PAM: password authentication accepted for %.100s",
-		    authctxt->user);
-		return 1;
-	} else {
-		debug("PAM: password authentication failed for %.100s: %s",
-		    authctxt->valid ? authctxt->user : "an illegal user",
-		    pam_strerror(sshpam_handle, sshpam_err));
-		return 0;
-	}
-}
-#endif /* USE_PAM */
diff --git a/crypto/openssh/auth-pam.h b/crypto/openssh/auth-pam.h
deleted file mode 100644
index a1a2b52..0000000
--- a/crypto/openssh/auth-pam.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/* $Id: auth-pam.h,v 1.27 2004/09/11 12:17:26 dtucker Exp $ */
-
-/*
- * Copyright (c) 2000 Damien Miller.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-#ifdef USE_PAM
-
-#if !defined(SSHD_PAM_SERVICE)
-# define SSHD_PAM_SERVICE		__progname
-#endif
-
-void start_pam(Authctxt *);
-void finish_pam(void);
-u_int do_pam_account(void);
-void do_pam_session(void);
-void do_pam_set_tty(const char *);
-void do_pam_setcred(int );
-void do_pam_chauthtok(void);
-int do_pam_putenv(char *, char *);
-char ** fetch_pam_environment(void);
-char ** fetch_pam_child_environment(void);
-void free_pam_environment(char **);
-void sshpam_thread_cleanup(void);
-void sshpam_cleanup(void);
-int sshpam_auth_passwd(Authctxt *, const char *);
-int is_pam_session_open(void);
-
-#endif /* USE_PAM */
diff --git a/crypto/openssh/auth-passwd.c b/crypto/openssh/auth-passwd.c
deleted file mode 100644
index be62837..0000000
--- a/crypto/openssh/auth-passwd.c
+++ /dev/null
@@ -1,214 +0,0 @@
-/* $OpenBSD: auth-passwd.c,v 1.40 2006/08/03 03:34:41 deraadt Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Password authentication.  This file contains the functions to check whether
- * the password is valid for the user.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- * Copyright (c) 1999 Dug Song.  All rights reserved.
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <pwd.h>
-#include <stdio.h>
-#include <string.h>
-#include <stdarg.h>
-
-#include "packet.h"
-#include "buffer.h"
-#include "log.h"
-#include "servconf.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "auth-options.h"
-
-extern Buffer loginmsg;
-extern ServerOptions options;
-
-#ifdef HAVE_LOGIN_CAP
-extern login_cap_t *lc;
-#endif
-
-
-#define DAY		(24L * 60 * 60) /* 1 day in seconds */
-#define TWO_WEEKS	(2L * 7 * DAY)	/* 2 weeks in seconds */
-
-void
-disable_forwarding(void)
-{
-	no_port_forwarding_flag = 1;
-	no_agent_forwarding_flag = 1;
-	no_x11_forwarding_flag = 1;
-}
-
-/*
- * Tries to authenticate the user using password.  Returns true if
- * authentication succeeds.
- */
-int
-auth_password(Authctxt *authctxt, const char *password)
-{
-	struct passwd * pw = authctxt->pw;
-	int result, ok = authctxt->valid;
-#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
-	static int expire_checked = 0;
-#endif
-
-#ifndef HAVE_CYGWIN
-	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
-		ok = 0;
-#endif
-	if (*password == '\0' && options.permit_empty_passwd == 0)
-		return 0;
-
-#ifdef KRB5
-	if (options.kerberos_authentication == 1) {
-		int ret = auth_krb5_password(authctxt, password);
-		if (ret == 1 || ret == 0)
-			return ret && ok;
-		/* Fall back to ordinary passwd authentication. */
-	}
-#endif
-#ifdef HAVE_CYGWIN
-	if (is_winnt) {
-		HANDLE hToken = cygwin_logon_user(pw, password);
-
-		if (hToken == INVALID_HANDLE_VALUE)
-			return 0;
-		cygwin_set_impersonation_token(hToken);
-		return ok;
-	}
-#endif
-#ifdef USE_PAM
-	if (options.use_pam)
-		return (sshpam_auth_passwd(authctxt, password) && ok);
-#endif
-#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
-	if (!expire_checked) {
-		expire_checked = 1;
-		if (auth_shadow_pwexpired(authctxt))
-			authctxt->force_pwchange = 1;
-	}
-#endif
-	result = sys_auth_passwd(authctxt, password);
-	if (authctxt->force_pwchange)
-		disable_forwarding();
-	return (result && ok);
-}
-
-#ifdef BSD_AUTH
-static void
-warn_expiry(Authctxt *authctxt, auth_session_t *as)
-{
-	char buf[256];
-	quad_t pwtimeleft, actimeleft, daysleft, pwwarntime, acwarntime;
-
-	pwwarntime = acwarntime = TWO_WEEKS;
-
-	pwtimeleft = auth_check_change(as);
-	actimeleft = auth_check_expire(as);
-#ifdef HAVE_LOGIN_CAP
-	if (authctxt->valid) {
-		pwwarntime = login_getcaptime(lc, "password-warn", TWO_WEEKS,
-		    TWO_WEEKS);
-		acwarntime = login_getcaptime(lc, "expire-warn", TWO_WEEKS,
-		    TWO_WEEKS);
-	}
-#endif
-	if (pwtimeleft != 0 && pwtimeleft < pwwarntime) {
-		daysleft = pwtimeleft / DAY + 1;
-		snprintf(buf, sizeof(buf),
-		    "Your password will expire in %lld day%s.\n",
-		    daysleft, daysleft == 1 ? "" : "s");
-		buffer_append(&loginmsg, buf, strlen(buf));
-	}
-	if (actimeleft != 0 && actimeleft < acwarntime) {
-		daysleft = actimeleft / DAY + 1;
-		snprintf(buf, sizeof(buf),
-		    "Your account will expire in %lld day%s.\n",
-		    daysleft, daysleft == 1 ? "" : "s");
-		buffer_append(&loginmsg, buf, strlen(buf));
-	}
-}
-
-int
-sys_auth_passwd(Authctxt *authctxt, const char *password)
-{
-	struct passwd *pw = authctxt->pw;
-	auth_session_t *as;
-	static int expire_checked = 0;
-
-	as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh",
-	    (char *)password);
-	if (as == NULL)
-		return (0);
-	if (auth_getstate(as) & AUTH_PWEXPIRED) {
-		auth_close(as);
-		disable_forwarding();
-		authctxt->force_pwchange = 1;
-		return (1);
-	} else {
-		if (!expire_checked) {
-			expire_checked = 1;
-			warn_expiry(authctxt, as);
-		}
-		return (auth_close(as));
-	}
-}
-#elif !defined(CUSTOM_SYS_AUTH_PASSWD)
-int
-sys_auth_passwd(Authctxt *authctxt, const char *password)
-{
-	struct passwd *pw = authctxt->pw;
-	char *encrypted_password;
-
-	/* Just use the supplied fake password if authctxt is invalid */
-	char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
-
-	/* Check for users with no password. */
-	if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
-		return (1);
-
-	/* Encrypt the candidate password using the proper salt. */
-	encrypted_password = xcrypt(password,
-	    (pw_password[0] && pw_password[1]) ? pw_password : "xx");
-
-	/*
-	 * Authentication is accepted if the encrypted passwords
-	 * are identical.
-	 */
-	return (strcmp(encrypted_password, pw_password) == 0);
-}
-#endif
diff --git a/crypto/openssh/auth-rh-rsa.c b/crypto/openssh/auth-rh-rsa.c
deleted file mode 100644
index eca7502..0000000
--- a/crypto/openssh/auth-rh-rsa.c
+++ /dev/null
@@ -1,100 +0,0 @@
-/* $OpenBSD: auth-rh-rsa.c,v 1.42 2006/08/03 03:34:41 deraadt Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Rhosts or /etc/hosts.equiv authentication combined with RSA host
- * authentication.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <pwd.h>
-#include <stdarg.h>
-
-#include "packet.h"
-#include "uidswap.h"
-#include "log.h"
-#include "buffer.h"
-#include "servconf.h"
-#include "key.h"
-#include "hostfile.h"
-#include "pathnames.h"
-#include "auth.h"
-#include "canohost.h"
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-#include "monitor_wrap.h"
-
-/* import */
-extern ServerOptions options;
-
-int
-auth_rhosts_rsa_key_allowed(struct passwd *pw, char *cuser, char *chost,
-    Key *client_host_key)
-{
-	HostStatus host_status;
-
-	/* Check if we would accept it using rhosts authentication. */
-	if (!auth_rhosts(pw, cuser))
-		return 0;
-
-	host_status = check_key_in_hostfiles(pw, client_host_key,
-	    chost, _PATH_SSH_SYSTEM_HOSTFILE,
-	    options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);
-
-	return (host_status == HOST_OK);
-}
-
-/*
- * Tries to authenticate the user using the .rhosts file and the host using
- * its host key.  Returns true if authentication succeeds.
- */
-int
-auth_rhosts_rsa(Authctxt *authctxt, char *cuser, Key *client_host_key)
-{
-	char *chost;
-	struct passwd *pw = authctxt->pw;
-
-	debug("Trying rhosts with RSA host authentication for client user %.100s",
-	    cuser);
-
-	if (!authctxt->valid || client_host_key == NULL ||
-	    client_host_key->rsa == NULL)
-		return 0;
-
-	chost = (char *)get_canonical_hostname(options.use_dns);
-	debug("Rhosts RSA authentication: canonical host %.900s", chost);
-
-	if (!PRIVSEP(auth_rhosts_rsa_key_allowed(pw, cuser, chost, client_host_key))) {
-		debug("Rhosts with RSA host authentication denied: unknown or invalid host key");
-		packet_send_debug("Your host key cannot be verified: unknown or invalid host key.");
-		return 0;
-	}
-	/* A matching host key was found and is known. */
-
-	/* Perform the challenge-response dialog with the client for the host key. */
-	if (!auth_rsa_challenge_dialog(client_host_key)) {
-		logit("Client on %.800s failed to respond correctly to host authentication.",
-		    chost);
-		return 0;
-	}
-	/*
-	 * We have authenticated the user using .rhosts or /etc/hosts.equiv,
-	 * and the host using RSA. We accept the authentication.
-	 */
-
-	verbose("Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.",
-	    pw->pw_name, cuser, chost);
-	packet_send_debug("Rhosts with RSA host authentication accepted.");
-	return 1;
-}
diff --git a/crypto/openssh/auth-rhosts.c b/crypto/openssh/auth-rhosts.c
deleted file mode 100644
index cd0a796..0000000
--- a/crypto/openssh/auth-rhosts.c
+++ /dev/null
@@ -1,309 +0,0 @@
-/* $OpenBSD: auth-rhosts.c,v 1.41 2006/08/03 03:34:41 deraadt Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Rhosts authentication.  This file contains code to check whether to admit
- * the login based on rhosts authentication.  This file also processes
- * /etc/hosts.equiv.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/stat.h>
-
-#ifdef HAVE_NETGROUP_H
-# include <netgroup.h>
-#endif
-#include <pwd.h>
-#include <stdio.h>
-#include <string.h>
-#include <stdarg.h>
-
-#include "packet.h"
-#include "buffer.h"
-#include "uidswap.h"
-#include "pathnames.h"
-#include "log.h"
-#include "servconf.h"
-#include "canohost.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-
-/* import */
-extern ServerOptions options;
-extern int use_privsep;
-
-/*
- * This function processes an rhosts-style file (.rhosts, .shosts, or
- * /etc/hosts.equiv).  This returns true if authentication can be granted
- * based on the file, and returns zero otherwise.
- */
-
-static int
-check_rhosts_file(const char *filename, const char *hostname,
-		  const char *ipaddr, const char *client_user,
-		  const char *server_user)
-{
-	FILE *f;
-	char buf[1024];	/* Must not be larger than host, user, dummy below. */
-
-	/* Open the .rhosts file, deny if unreadable */
-	f = fopen(filename, "r");
-	if (!f)
-		return 0;
-
-	while (fgets(buf, sizeof(buf), f)) {
-		/* All three must be at least as big as buf to avoid overflows. */
-		char hostbuf[1024], userbuf[1024], dummy[1024], *host, *user, *cp;
-		int negated;
-
-		for (cp = buf; *cp == ' ' || *cp == '\t'; cp++)
-			;
-		if (*cp == '#' || *cp == '\n' || !*cp)
-			continue;
-
-		/*
-		 * NO_PLUS is supported at least on OSF/1.  We skip it (we
-		 * don't ever support the plus syntax).
-		 */
-		if (strncmp(cp, "NO_PLUS", 7) == 0)
-			continue;
-
-		/*
-		 * This should be safe because each buffer is as big as the
-		 * whole string, and thus cannot be overwritten.
-		 */
-		switch (sscanf(buf, "%1023s %1023s %1023s", hostbuf, userbuf,
-		    dummy)) {
-		case 0:
-			auth_debug_add("Found empty line in %.100s.", filename);
-			continue;
-		case 1:
-			/* Host name only. */
-			strlcpy(userbuf, server_user, sizeof(userbuf));
-			break;
-		case 2:
-			/* Got both host and user name. */
-			break;
-		case 3:
-			auth_debug_add("Found garbage in %.100s.", filename);
-			continue;
-		default:
-			/* Weird... */
-			continue;
-		}
-
-		host = hostbuf;
-		user = userbuf;
-		negated = 0;
-
-		/* Process negated host names, or positive netgroups. */
-		if (host[0] == '-') {
-			negated = 1;
-			host++;
-		} else if (host[0] == '+')
-			host++;
-
-		if (user[0] == '-') {
-			negated = 1;
-			user++;
-		} else if (user[0] == '+')
-			user++;
-
-		/* Check for empty host/user names (particularly '+'). */
-		if (!host[0] || !user[0]) {
-			/* We come here if either was '+' or '-'. */
-			auth_debug_add("Ignoring wild host/user names in %.100s.",
-			    filename);
-			continue;
-		}
-		/* Verify that host name matches. */
-		if (host[0] == '@') {
-			if (!innetgr(host + 1, hostname, NULL, NULL) &&
-			    !innetgr(host + 1, ipaddr, NULL, NULL))
-				continue;
-		} else if (strcasecmp(host, hostname) && strcmp(host, ipaddr) != 0)
-			continue;	/* Different hostname. */
-
-		/* Verify that user name matches. */
-		if (user[0] == '@') {
-			if (!innetgr(user + 1, NULL, client_user, NULL))
-				continue;
-		} else if (strcmp(user, client_user) != 0)
-			continue;	/* Different username. */
-
-		/* Found the user and host. */
-		fclose(f);
-
-		/* If the entry was negated, deny access. */
-		if (negated) {
-			auth_debug_add("Matched negative entry in %.100s.",
-			    filename);
-			return 0;
-		}
-		/* Accept authentication. */
-		return 1;
-	}
-
-	/* Authentication using this file denied. */
-	fclose(f);
-	return 0;
-}
-
-/*
- * Tries to authenticate the user using the .shosts or .rhosts file. Returns
- * true if authentication succeeds.  If ignore_rhosts is true, only
- * /etc/hosts.equiv will be considered (.rhosts and .shosts are ignored).
- */
-
-int
-auth_rhosts(struct passwd *pw, const char *client_user)
-{
-	const char *hostname, *ipaddr;
-
-	hostname = get_canonical_hostname(options.use_dns);
-	ipaddr = get_remote_ipaddr();
-	return auth_rhosts2(pw, client_user, hostname, ipaddr);
-}
-
-static int
-auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostname,
-    const char *ipaddr)
-{
-	char buf[1024];
-	struct stat st;
-	static const char *rhosts_files[] = {".shosts", ".rhosts", NULL};
-	u_int rhosts_file_index;
-
-	debug2("auth_rhosts2: clientuser %s hostname %s ipaddr %s",
-	    client_user, hostname, ipaddr);
-
-	/* Switch to the user's uid. */
-	temporarily_use_uid(pw);
-	/*
-	 * Quick check: if the user has no .shosts or .rhosts files, return
-	 * failure immediately without doing costly lookups from name
-	 * servers.
-	 */
-	for (rhosts_file_index = 0; rhosts_files[rhosts_file_index];
-	    rhosts_file_index++) {
-		/* Check users .rhosts or .shosts. */
-		snprintf(buf, sizeof buf, "%.500s/%.100s",
-			 pw->pw_dir, rhosts_files[rhosts_file_index]);
-		if (stat(buf, &st) >= 0)
-			break;
-	}
-	/* Switch back to privileged uid. */
-	restore_uid();
-
-	/* Deny if The user has no .shosts or .rhosts file and there are no system-wide files. */
-	if (!rhosts_files[rhosts_file_index] &&
-	    stat(_PATH_RHOSTS_EQUIV, &st) < 0 &&
-	    stat(_PATH_SSH_HOSTS_EQUIV, &st) < 0)
-		return 0;
-
-	/* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */
-	if (pw->pw_uid != 0) {
-		if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr,
-		    client_user, pw->pw_name)) {
-			auth_debug_add("Accepted for %.100s [%.100s] by /etc/hosts.equiv.",
-			    hostname, ipaddr);
-			return 1;
-		}
-		if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr,
-		    client_user, pw->pw_name)) {
-			auth_debug_add("Accepted for %.100s [%.100s] by %.100s.",
-			    hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV);
-			return 1;
-		}
-	}
-	/*
-	 * Check that the home directory is owned by root or the user, and is
-	 * not group or world writable.
-	 */
-	if (stat(pw->pw_dir, &st) < 0) {
-		logit("Rhosts authentication refused for %.100s: "
-		    "no home directory %.200s", pw->pw_name, pw->pw_dir);
-		auth_debug_add("Rhosts authentication refused for %.100s: "
-		    "no home directory %.200s", pw->pw_name, pw->pw_dir);
-		return 0;
-	}
-	if (options.strict_modes &&
-	    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
-	    (st.st_mode & 022) != 0)) {
-		logit("Rhosts authentication refused for %.100s: "
-		    "bad ownership or modes for home directory.", pw->pw_name);
-		auth_debug_add("Rhosts authentication refused for %.100s: "
-		    "bad ownership or modes for home directory.", pw->pw_name);
-		return 0;
-	}
-	/* Temporarily use the user's uid. */
-	temporarily_use_uid(pw);
-
-	/* Check all .rhosts files (currently .shosts and .rhosts). */
-	for (rhosts_file_index = 0; rhosts_files[rhosts_file_index];
-	    rhosts_file_index++) {
-		/* Check users .rhosts or .shosts. */
-		snprintf(buf, sizeof buf, "%.500s/%.100s",
-			 pw->pw_dir, rhosts_files[rhosts_file_index]);
-		if (stat(buf, &st) < 0)
-			continue;
-
-		/*
-		 * Make sure that the file is either owned by the user or by
-		 * root, and make sure it is not writable by anyone but the
-		 * owner.  This is to help avoid novices accidentally
-		 * allowing access to their account by anyone.
-		 */
-		if (options.strict_modes &&
-		    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
-		    (st.st_mode & 022) != 0)) {
-			logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
-			    pw->pw_name, buf);
-			auth_debug_add("Bad file modes for %.200s", buf);
-			continue;
-		}
-		/* Check if we have been configured to ignore .rhosts and .shosts files. */
-		if (options.ignore_rhosts) {
-			auth_debug_add("Server has been configured to ignore %.100s.",
-			    rhosts_files[rhosts_file_index]);
-			continue;
-		}
-		/* Check if authentication is permitted by the file. */
-		if (check_rhosts_file(buf, hostname, ipaddr, client_user, pw->pw_name)) {
-			auth_debug_add("Accepted by %.100s.",
-			    rhosts_files[rhosts_file_index]);
-			/* Restore the privileged uid. */
-			restore_uid();
-			auth_debug_add("Accepted host %s ip %s client_user %s server_user %s",
-				hostname, ipaddr, client_user, pw->pw_name);
-			return 1;
-		}
-	}
-
-	/* Restore the privileged uid. */
-	restore_uid();
-	return 0;
-}
-
-int
-auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
-    const char *ipaddr)
-{
-	int ret;
-
-	auth_debug_reset();
-	ret = auth_rhosts2_raw(pw, client_user, hostname, ipaddr);
-	if (!use_privsep)
-		auth_debug_send();
-	return ret;
-}
diff --git a/crypto/openssh/auth-rsa.c b/crypto/openssh/auth-rsa.c
deleted file mode 100644
index 69f9a58..0000000
--- a/crypto/openssh/auth-rsa.c
+++ /dev/null
@@ -1,343 +0,0 @@
-/* $OpenBSD: auth-rsa.c,v 1.72 2006/11/06 21:25:27 markus Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * RSA-based authentication.  This code determines whether to admit a login
- * based on RSA authentication.  This file also contains functions to check
- * validity of the host key.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/stat.h>
-
-#include <openssl/rsa.h>
-#include <openssl/md5.h>
-
-#include <pwd.h>
-#include <stdio.h>
-#include <stdarg.h>
-#include <string.h>
-
-#include "xmalloc.h"
-#include "rsa.h"
-#include "packet.h"
-#include "ssh1.h"
-#include "uidswap.h"
-#include "match.h"
-#include "buffer.h"
-#include "auth-options.h"
-#include "pathnames.h"
-#include "log.h"
-#include "servconf.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-#include "monitor_wrap.h"
-#include "ssh.h"
-#include "misc.h"
-
-/* import */
-extern ServerOptions options;
-
-/*
- * Session identifier that is used to bind key exchange and authentication
- * responses to a particular session.
- */
-extern u_char session_id[16];
-
-/*
- * The .ssh/authorized_keys file contains public keys, one per line, in the
- * following format:
- *   options bits e n comment
- * where bits, e and n are decimal numbers,
- * and comment is any string of characters up to newline.  The maximum
- * length of a line is SSH_MAX_PUBKEY_BYTES characters.  See sshd(8) for a
- * description of the options.
- */
-
-BIGNUM *
-auth_rsa_generate_challenge(Key *key)
-{
-	BIGNUM *challenge;
-	BN_CTX *ctx;
-
-	if ((challenge = BN_new()) == NULL)
-		fatal("auth_rsa_generate_challenge: BN_new() failed");
-	/* Generate a random challenge. */
-	if (BN_rand(challenge, 256, 0, 0) == 0)
-		fatal("auth_rsa_generate_challenge: BN_rand failed");
-	if ((ctx = BN_CTX_new()) == NULL)
-		fatal("auth_rsa_generate_challenge: BN_CTX_new failed");
-	if (BN_mod(challenge, challenge, key->rsa->n, ctx) == 0)
-		fatal("auth_rsa_generate_challenge: BN_mod failed");
-	BN_CTX_free(ctx);
-
-	return challenge;
-}
-
-int
-auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16])
-{
-	u_char buf[32], mdbuf[16];
-	MD5_CTX md;
-	int len;
-
-	/* don't allow short keys */
-	if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
-		error("auth_rsa_verify_response: RSA modulus too small: %d < minimum %d bits",
-		    BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
-		return (0);
-	}
-
-	/* The response is MD5 of decrypted challenge plus session id. */
-	len = BN_num_bytes(challenge);
-	if (len <= 0 || len > 32)
-		fatal("auth_rsa_verify_response: bad challenge length %d", len);
-	memset(buf, 0, 32);
-	BN_bn2bin(challenge, buf + 32 - len);
-	MD5_Init(&md);
-	MD5_Update(&md, buf, 32);
-	MD5_Update(&md, session_id, 16);
-	MD5_Final(mdbuf, &md);
-
-	/* Verify that the response is the original challenge. */
-	if (memcmp(response, mdbuf, 16) != 0) {
-		/* Wrong answer. */
-		return (0);
-	}
-	/* Correct answer. */
-	return (1);
-}
-
-/*
- * Performs the RSA authentication challenge-response dialog with the client,
- * and returns true (non-zero) if the client gave the correct answer to
- * our challenge; returns zero if the client gives a wrong answer.
- */
-
-int
-auth_rsa_challenge_dialog(Key *key)
-{
-	BIGNUM *challenge, *encrypted_challenge;
-	u_char response[16];
-	int i, success;
-
-	if ((encrypted_challenge = BN_new()) == NULL)
-		fatal("auth_rsa_challenge_dialog: BN_new() failed");
-
-	challenge = PRIVSEP(auth_rsa_generate_challenge(key));
-
-	/* Encrypt the challenge with the public key. */
-	rsa_public_encrypt(encrypted_challenge, challenge, key->rsa);
-
-	/* Send the encrypted challenge to the client. */
-	packet_start(SSH_SMSG_AUTH_RSA_CHALLENGE);
-	packet_put_bignum(encrypted_challenge);
-	packet_send();
-	BN_clear_free(encrypted_challenge);
-	packet_write_wait();
-
-	/* Wait for a response. */
-	packet_read_expect(SSH_CMSG_AUTH_RSA_RESPONSE);
-	for (i = 0; i < 16; i++)
-		response[i] = (u_char)packet_get_char();
-	packet_check_eom();
-
-	success = PRIVSEP(auth_rsa_verify_response(key, challenge, response));
-	BN_clear_free(challenge);
-	return (success);
-}
-
-/*
- * check if there's user key matching client_n,
- * return key if login is allowed, NULL otherwise
- */
-
-int
-auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
-{
-	char line[SSH_MAX_PUBKEY_BYTES], *file;
-	int allowed = 0;
-	u_int bits;
-	FILE *f;
-	u_long linenum = 0;
-	struct stat st;
-	Key *key;
-
-	/* Temporarily use the user's uid. */
-	temporarily_use_uid(pw);
-
-	/* The authorized keys. */
-	file = authorized_keys_file(pw);
-	debug("trying public RSA key file %s", file);
-
-	/* Fail quietly if file does not exist */
-	if (stat(file, &st) < 0) {
-		/* Restore the privileged uid. */
-		restore_uid();
-		xfree(file);
-		return (0);
-	}
-	/* Open the file containing the authorized keys. */
-	f = fopen(file, "r");
-	if (!f) {
-		/* Restore the privileged uid. */
-		restore_uid();
-		xfree(file);
-		return (0);
-	}
-	if (options.strict_modes &&
-	    secure_filename(f, file, pw, line, sizeof(line)) != 0) {
-		xfree(file);
-		fclose(f);
-		logit("Authentication refused: %s", line);
-		restore_uid();
-		return (0);
-	}
-
-	/* Flag indicating whether the key is allowed. */
-	allowed = 0;
-
-	key = key_new(KEY_RSA1);
-
-	/*
-	 * Go though the accepted keys, looking for the current key.  If
-	 * found, perform a challenge-response dialog to verify that the
-	 * user really has the corresponding private key.
-	 */
-	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
-		char *cp;
-		char *key_options;
-		int keybits;
-
-		/* Skip leading whitespace, empty and comment lines. */
-		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
-			;
-		if (!*cp || *cp == '\n' || *cp == '#')
-			continue;
-
-		/*
-		 * Check if there are options for this key, and if so,
-		 * save their starting address and skip the option part
-		 * for now.  If there are no options, set the starting
-		 * address to NULL.
-		 */
-		if (*cp < '0' || *cp > '9') {
-			int quoted = 0;
-			key_options = cp;
-			for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
-				if (*cp == '\\' && cp[1] == '"')
-					cp++;	/* Skip both */
-				else if (*cp == '"')
-					quoted = !quoted;
-			}
-		} else
-			key_options = NULL;
-
-		/* Parse the key from the line. */
-		if (hostfile_read_key(&cp, &bits, key) == 0) {
-			debug("%.100s, line %lu: non ssh1 key syntax",
-			    file, linenum);
-			continue;
-		}
-		/* cp now points to the comment part. */
-
-		/* Check if the we have found the desired key (identified by its modulus). */
-		if (BN_cmp(key->rsa->n, client_n) != 0)
-			continue;
-
-		/* check the real bits  */
-		keybits = BN_num_bits(key->rsa->n);
-		if (keybits < 0 || bits != (u_int)keybits)
-			logit("Warning: %s, line %lu: keysize mismatch: "
-			    "actual %d vs. announced %d.",
-			    file, linenum, BN_num_bits(key->rsa->n), bits);
-
-		/* We have found the desired key. */
-		/*
-		 * If our options do not allow this key to be used,
-		 * do not send challenge.
-		 */
-		if (!auth_parse_options(pw, key_options, file, linenum))
-			continue;
-
-		/* break out, this key is allowed */
-		allowed = 1;
-		break;
-	}
-
-	/* Restore the privileged uid. */
-	restore_uid();
-
-	/* Close the file. */
-	xfree(file);
-	fclose(f);
-
-	/* return key if allowed */
-	if (allowed && rkey != NULL)
-		*rkey = key;
-	else
-		key_free(key);
-	return (allowed);
-}
-
-/*
- * Performs the RSA authentication dialog with the client.  This returns
- * 0 if the client could not be authenticated, and 1 if authentication was
- * successful.  This may exit if there is a serious protocol violation.
- */
-int
-auth_rsa(Authctxt *authctxt, BIGNUM *client_n)
-{
-	Key *key;
-	char *fp;
-	struct passwd *pw = authctxt->pw;
-
-	/* no user given */
-	if (!authctxt->valid)
-		return 0;
-
-	if (!PRIVSEP(auth_rsa_key_allowed(pw, client_n, &key))) {
-		auth_clear_options();
-		return (0);
-	}
-
-	/* Perform the challenge-response dialog for this key. */
-	if (!auth_rsa_challenge_dialog(key)) {
-		/* Wrong response. */
-		verbose("Wrong response to RSA authentication challenge.");
-		packet_send_debug("Wrong response to RSA authentication challenge.");
-		/*
-		 * Break out of the loop. Otherwise we might send
-		 * another challenge and break the protocol.
-		 */
-		key_free(key);
-		return (0);
-	}
-	/*
-	 * Correct response.  The client has been successfully
-	 * authenticated. Note that we have not yet processed the
-	 * options; this will be reset if the options cause the
-	 * authentication to be rejected.
-	 */
-	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-	verbose("Found matching %s key: %s",
-	    key_type(key), fp);
-	xfree(fp);
-	key_free(key);
-
-	packet_send_debug("RSA authentication accepted.");
-	return (1);
-}
diff --git a/crypto/openssh/auth-shadow.c b/crypto/openssh/auth-shadow.c
deleted file mode 100644
index 8b3160a..0000000
--- a/crypto/openssh/auth-shadow.c
+++ /dev/null
@@ -1,141 +0,0 @@
-/*
- * Copyright (c) 2004 Darren Tucker.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
-#include <shadow.h>
-#include <stdarg.h>
-#include <string.h>
-
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "buffer.h"
-#include "log.h"
-
-#ifdef DAY
-# undef DAY
-#endif
-#define DAY	(24L * 60 * 60) /* 1 day in seconds */
-
-extern Buffer loginmsg;
-
-/*
- * For the account and password expiration functions, we assume the expiry
- * occurs the day after the day specified.
- */
-
-/*
- * Check if specified account is expired.  Returns 1 if account is expired,
- * 0 otherwise.
- */
-int
-auth_shadow_acctexpired(struct spwd *spw)
-{
-	time_t today;
-	int daysleft;
-	char buf[256];
-
-	today = time(NULL) / DAY;
-	daysleft = spw->sp_expire - today;
-	debug3("%s: today %d sp_expire %d days left %d", __func__, (int)today,
-	    (int)spw->sp_expire, daysleft);
-
-	if (spw->sp_expire == -1) {
-		debug3("account expiration disabled");
-	} else if (daysleft < 0) {
-		logit("Account %.100s has expired", spw->sp_namp);
-		return 1;
-	} else if (daysleft <= spw->sp_warn) {
-		debug3("account will expire in %d days", daysleft);
-		snprintf(buf, sizeof(buf),
-		    "Your account will expire in %d day%s.\n", daysleft,
-		    daysleft == 1 ? "" : "s");
-		buffer_append(&loginmsg, buf, strlen(buf));
-	}
-
-	return 0;
-}
-
-/*
- * Checks password expiry for platforms that use shadow passwd files.
- * Returns: 1 = password expired, 0 = password not expired
- */
-int
-auth_shadow_pwexpired(Authctxt *ctxt)
-{
-	struct spwd *spw = NULL;
-	const char *user = ctxt->pw->pw_name;
-	char buf[256];
-	time_t today;
-	int daysleft, disabled = 0;
-
-	if ((spw = getspnam((char *)user)) == NULL) {
-		error("Could not get shadow information for %.100s", user);
-		return 0;
-	}
-
-	today = time(NULL) / DAY;
-	debug3("%s: today %d sp_lstchg %d sp_max %d", __func__, (int)today,
-	    (int)spw->sp_lstchg, (int)spw->sp_max);
-
-#if defined(__hpux) && !defined(HAVE_SECUREWARE)
-	if (iscomsec()) {
-		struct pr_passwd *pr;
-
-		pr = getprpwnam((char *)user);
-
-		/* Test for Trusted Mode expiry disabled */
-		if (pr != NULL && pr->ufld.fd_min == 0 &&
-		    pr->ufld.fd_lifetime == 0 && pr->ufld.fd_expire == 0 &&
-		    pr->ufld.fd_pw_expire_warning == 0 &&
-		    pr->ufld.fd_schange != 0)
-			disabled = 1;
-	}
-#endif
-
-	/* TODO: check sp_inact */
-	daysleft = spw->sp_lstchg + spw->sp_max - today;
-	if (disabled) {
-		debug3("password expiration disabled");
-	} else if (spw->sp_lstchg == 0) {
-		logit("User %.100s password has expired (root forced)", user);
-		return 1;
-	} else if (spw->sp_max == -1) {
-		debug3("password expiration disabled");
-	} else if (daysleft < 0) {
-		logit("User %.100s password has expired (password aged)", user);
-		return 1;
-	} else if (daysleft <= spw->sp_warn) {
-		debug3("password will expire in %d days", daysleft);
-		snprintf(buf, sizeof(buf),
-		    "Your password will expire in %d day%s.\n", daysleft,
-		    daysleft == 1 ? "" : "s");
-		buffer_append(&loginmsg, buf, strlen(buf));
-	}
-
-	return 0;
-}
-#endif	/* USE_SHADOW && HAS_SHADOW_EXPIRE */
diff --git a/crypto/openssh/auth-sia.c b/crypto/openssh/auth-sia.c
deleted file mode 100644
index a9e1c25..0000000
--- a/crypto/openssh/auth-sia.c
+++ /dev/null
@@ -1,114 +0,0 @@
-/*
- * Copyright (c) 2002 Chris Adams.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#ifdef HAVE_OSF_SIA
-#include <sia.h>
-#include <siad.h>
-#include <pwd.h>
-#include <signal.h>
-#include <setjmp.h>
-#include <sys/resource.h>
-#include <unistd.h>
-#include <stdarg.h>
-#include <string.h>
-
-#include "ssh.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "auth-sia.h"
-#include "log.h"
-#include "servconf.h"
-#include "canohost.h"
-#include "uidswap.h"
-
-extern ServerOptions options;
-extern int saved_argc;
-extern char **saved_argv;
-
-int
-sys_auth_passwd(Authctxt *authctxt, const char *pass)
-{
-	int ret;
-	SIAENTITY *ent = NULL;
-	const char *host;
-
-	host = get_canonical_hostname(options.use_dns);
-
-	if (!authctxt->user || pass == NULL || pass[0] == '\0')
-		return (0);
-
-	if (sia_ses_init(&ent, saved_argc, saved_argv, host, authctxt->user,
-	    NULL, 0, NULL) != SIASUCCESS)
-		return (0);
-
-	if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) {
-		error("Couldn't authenticate %s from %s",
-		    authctxt->user, host);
-		if (ret & SIASTOP)
-			sia_ses_release(&ent);
-
-		return (0);
-	}
-
-	sia_ses_release(&ent);
-
-	return (1);
-}
-
-void
-session_setup_sia(struct passwd *pw, char *tty)
-{
-	SIAENTITY *ent = NULL;
-	const char *host;
-
-	host = get_canonical_hostname(options.use_dns);
-
-	if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name,
-	    tty, 0, NULL) != SIASUCCESS)
-		fatal("sia_ses_init failed");
-
-	if (sia_make_entity_pwd(pw, ent) != SIASUCCESS) {
-		sia_ses_release(&ent);
-		fatal("sia_make_entity_pwd failed");
-	}
-
-	ent->authtype = SIA_A_NONE;
-	if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS)
-		fatal("Couldn't establish session for %s from %s",
-		    pw->pw_name, host);
-
-	if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS)
-		fatal("Couldn't launch session for %s from %s",
-		    pw->pw_name, host);
-
-	sia_ses_release(&ent);
-
-	setuid(0);
-	permanently_set_uid(pw);
-}
-
-#endif /* HAVE_OSF_SIA */
diff --git a/crypto/openssh/auth-sia.h b/crypto/openssh/auth-sia.h
deleted file mode 100644
index 27cbb93..0000000
--- a/crypto/openssh/auth-sia.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright (c) 2002 Chris Adams.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#ifdef HAVE_OSF_SIA
-
-void	session_setup_sia(struct passwd *, char *);
-
-#endif /* HAVE_OSF_SIA */
diff --git a/crypto/openssh/auth-skey.c b/crypto/openssh/auth-skey.c
deleted file mode 100644
index 25073db..0000000
--- a/crypto/openssh/auth-skey.c
+++ /dev/null
@@ -1,107 +0,0 @@
-/* $OpenBSD: auth-skey.c,v 1.26 2006/08/05 08:28:24 dtucker Exp $ */
-/*
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#ifdef SKEY
-
-#include <sys/types.h>
-
-#include <pwd.h>
-#include <stdio.h>
-
-#include <skey.h>
-
-#include "xmalloc.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "ssh-gss.h"
-#include "monitor_wrap.h"
-
-static void *
-skey_init_ctx(Authctxt *authctxt)
-{
-	return authctxt;
-}
-
-int
-skey_query(void *ctx, char **name, char **infotxt,
-    u_int* numprompts, char ***prompts, u_int **echo_on)
-{
-	Authctxt *authctxt = ctx;
-	char challenge[1024];
-	struct skey skey;
-
-	if (_compat_skeychallenge(&skey, authctxt->user, challenge,
-	    sizeof(challenge)) == -1)
-		return -1;
-
-	*name  = xstrdup("");
-	*infotxt  = xstrdup("");
-	*numprompts = 1;
-	*prompts = xcalloc(*numprompts, sizeof(char *));
-	*echo_on = xcalloc(*numprompts, sizeof(u_int));
-
-	xasprintf(*prompts, "%s%s", challenge, SKEY_PROMPT);
-
-	return 0;
-}
-
-int
-skey_respond(void *ctx, u_int numresponses, char **responses)
-{
-	Authctxt *authctxt = ctx;
-
-	if (authctxt->valid &&
-	    numresponses == 1 &&
-	    skey_haskey(authctxt->pw->pw_name) == 0 &&
-	    skey_passcheck(authctxt->pw->pw_name, responses[0]) != -1)
-	    return 0;
-	return -1;
-}
-
-static void
-skey_free_ctx(void *ctx)
-{
-	/* we don't have a special context */
-}
-
-KbdintDevice skey_device = {
-	"skey",
-	skey_init_ctx,
-	skey_query,
-	skey_respond,
-	skey_free_ctx
-};
-
-KbdintDevice mm_skey_device = {
-	"skey",
-	skey_init_ctx,
-	mm_skey_query,
-	mm_skey_respond,
-	skey_free_ctx
-};
-#endif /* SKEY */
diff --git a/crypto/openssh/auth.c b/crypto/openssh/auth.c
deleted file mode 100644
index 5d23343..0000000
--- a/crypto/openssh/auth.c
+++ /dev/null
@@ -1,581 +0,0 @@
-/* $OpenBSD: auth.c,v 1.75 2006/08/03 03:34:41 deraadt Exp $ */
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/param.h>
-
-#include <netinet/in.h>
-
-#include <errno.h>
-#ifdef HAVE_PATHS_H
-# include <paths.h>
-#endif
-#include <pwd.h>
-#ifdef HAVE_LOGIN_H
-#include <login.h>
-#endif
-#ifdef USE_SHADOW
-#include <shadow.h>
-#endif
-#ifdef HAVE_LIBGEN_H
-#include <libgen.h>
-#endif
-#include <stdarg.h>
-#include <stdio.h>
-#include <string.h>
-
-#include "xmalloc.h"
-#include "match.h"
-#include "groupaccess.h"
-#include "log.h"
-#include "buffer.h"
-#include "servconf.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "auth-options.h"
-#include "canohost.h"
-#include "uidswap.h"
-#include "misc.h"
-#include "packet.h"
-#include "loginrec.h"
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-#include "monitor_wrap.h"
-
-/* import */
-extern ServerOptions options;
-extern int use_privsep;
-extern Buffer loginmsg;
-extern struct passwd *privsep_pw;
-
-/* Debugging messages */
-Buffer auth_debug;
-int auth_debug_init;
-
-/*
- * Check if the user is allowed to log in via ssh. If user is listed
- * in DenyUsers or one of user's groups is listed in DenyGroups, false
- * will be returned. If AllowUsers isn't empty and user isn't listed
- * there, or if AllowGroups isn't empty and one of user's groups isn't
- * listed there, false will be returned.
- * If the user's shell is not executable, false will be returned.
- * Otherwise true is returned.
- */
-int
-allowed_user(struct passwd * pw)
-{
-	struct stat st;
-	const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
-	char *shell;
-	u_int i;
-#ifdef USE_SHADOW
-	struct spwd *spw = NULL;
-#endif
-
-	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
-	if (!pw || !pw->pw_name)
-		return 0;
-
-#ifdef USE_SHADOW
-	if (!options.use_pam)
-		spw = getspnam(pw->pw_name);
-#ifdef HAS_SHADOW_EXPIRE
-	if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
-		return 0;
-#endif /* HAS_SHADOW_EXPIRE */
-#endif /* USE_SHADOW */
-
-	/* grab passwd field for locked account check */
-#ifdef USE_SHADOW
-	if (spw != NULL)
-#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
-		passwd = get_iaf_password(pw);
-#else
-		passwd = spw->sp_pwdp;
-#endif /* HAVE_LIBIAF  && !BROKEN_LIBIAF */
-#else
-	passwd = pw->pw_passwd;
-#endif
-
-	/* check for locked account */
-	if (!options.use_pam && passwd && *passwd) {
-		int locked = 0;
-
-#ifdef LOCKED_PASSWD_STRING
-		if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
-			 locked = 1;
-#endif
-#ifdef LOCKED_PASSWD_PREFIX
-		if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
-		    strlen(LOCKED_PASSWD_PREFIX)) == 0)
-			 locked = 1;
-#endif
-#ifdef LOCKED_PASSWD_SUBSTR
-		if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
-			locked = 1;
-#endif
-#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
-		free(passwd);
-#endif /* HAVE_LIBIAF  && !BROKEN_LIBIAF */
-		if (locked) {
-			logit("User %.100s not allowed because account is locked",
-			    pw->pw_name);
-			return 0;
-		}
-	}
-
-	/*
-	 * Get the shell from the password data.  An empty shell field is
-	 * legal, and means /bin/sh.
-	 */
-	shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
-
-	/* deny if shell does not exists or is not executable */
-	if (stat(shell, &st) != 0) {
-		logit("User %.100s not allowed because shell %.100s does not exist",
-		    pw->pw_name, shell);
-		return 0;
-	}
-	if (S_ISREG(st.st_mode) == 0 ||
-	    (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) {
-		logit("User %.100s not allowed because shell %.100s is not executable",
-		    pw->pw_name, shell);
-		return 0;
-	}
-
-	if (options.num_deny_users > 0 || options.num_allow_users > 0 ||
-	    options.num_deny_groups > 0 || options.num_allow_groups > 0) {
-		hostname = get_canonical_hostname(options.use_dns);
-		ipaddr = get_remote_ipaddr();
-	}
-
-	/* Return false if user is listed in DenyUsers */
-	if (options.num_deny_users > 0) {
-		for (i = 0; i < options.num_deny_users; i++)
-			if (match_user(pw->pw_name, hostname, ipaddr,
-			    options.deny_users[i])) {
-				logit("User %.100s from %.100s not allowed "
-				    "because listed in DenyUsers",
-				    pw->pw_name, hostname);
-				return 0;
-			}
-	}
-	/* Return false if AllowUsers isn't empty and user isn't listed there */
-	if (options.num_allow_users > 0) {
-		for (i = 0; i < options.num_allow_users; i++)
-			if (match_user(pw->pw_name, hostname, ipaddr,
-			    options.allow_users[i]))
-				break;
-		/* i < options.num_allow_users iff we break for loop */
-		if (i >= options.num_allow_users) {
-			logit("User %.100s from %.100s not allowed because "
-			    "not listed in AllowUsers", pw->pw_name, hostname);
-			return 0;
-		}
-	}
-	if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
-		/* Get the user's group access list (primary and supplementary) */
-		if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
-			logit("User %.100s from %.100s not allowed because "
-			    "not in any group", pw->pw_name, hostname);
-			return 0;
-		}
-
-		/* Return false if one of user's groups is listed in DenyGroups */
-		if (options.num_deny_groups > 0)
-			if (ga_match(options.deny_groups,
-			    options.num_deny_groups)) {
-				ga_free();
-				logit("User %.100s from %.100s not allowed "
-				    "because a group is listed in DenyGroups",
-				    pw->pw_name, hostname);
-				return 0;
-			}
-		/*
-		 * Return false if AllowGroups isn't empty and one of user's groups
-		 * isn't listed there
-		 */
-		if (options.num_allow_groups > 0)
-			if (!ga_match(options.allow_groups,
-			    options.num_allow_groups)) {
-				ga_free();
-				logit("User %.100s from %.100s not allowed "
-				    "because none of user's groups are listed "
-				    "in AllowGroups", pw->pw_name, hostname);
-				return 0;
-			}
-		ga_free();
-	}
-
-#ifdef CUSTOM_SYS_AUTH_ALLOWED_USER
-	if (!sys_auth_allowed_user(pw, &loginmsg))
-		return 0;
-#endif
-
-	/* We found no reason not to let this user try to log on... */
-	return 1;
-}
-
-void
-auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
-{
-	void (*authlog) (const char *fmt,...) = verbose;
-	char *authmsg;
-
-	if (use_privsep && !mm_is_monitor() && !authctxt->postponed)
-		return;
-
-	/* Raise logging level */
-	if (authenticated == 1 ||
-	    !authctxt->valid ||
-	    authctxt->failures >= options.max_authtries / 2 ||
-	    strcmp(method, "password") == 0)
-		authlog = logit;
-
-	if (authctxt->postponed)
-		authmsg = "Postponed";
-	else
-		authmsg = authenticated ? "Accepted" : "Failed";
-
-	authlog("%s %s for %s%.100s from %.200s port %d%s",
-	    authmsg,
-	    method,
-	    authctxt->valid ? "" : "invalid user ",
-	    authctxt->user,
-	    get_remote_ipaddr(),
-	    get_remote_port(),
-	    info);
-
-#ifdef CUSTOM_FAILED_LOGIN
-	if (authenticated == 0 && !authctxt->postponed &&
-	    (strcmp(method, "password") == 0 ||
-	    strncmp(method, "keyboard-interactive", 20) == 0 ||
-	    strcmp(method, "challenge-response") == 0))
-		record_failed_login(authctxt->user,
-		    get_canonical_hostname(options.use_dns), "ssh");
-# ifdef WITH_AIXAUTHENTICATE
-	if (authenticated)
-		sys_auth_record_login(authctxt->user,
-		    get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
-# endif
-#endif
-#ifdef SSH_AUDIT_EVENTS
-	if (authenticated == 0 && !authctxt->postponed)
-		audit_event(audit_classify_auth(method));
-#endif
-}
-
-/*
- * Check whether root logins are disallowed.
- */
-int
-auth_root_allowed(char *method)
-{
-	switch (options.permit_root_login) {
-	case PERMIT_YES:
-		return 1;
-	case PERMIT_NO_PASSWD:
-		if (strcmp(method, "password") != 0)
-			return 1;
-		break;
-	case PERMIT_FORCED_ONLY:
-		if (forced_command) {
-			logit("Root login accepted for forced command.");
-			return 1;
-		}
-		break;
-	}
-	logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
-	return 0;
-}
-
-
-/*
- * Given a template and a passwd structure, build a filename
- * by substituting % tokenised options. Currently, %% becomes '%',
- * %h becomes the home directory and %u the username.
- *
- * This returns a buffer allocated by xmalloc.
- */
-static char *
-expand_authorized_keys(const char *filename, struct passwd *pw)
-{
-	char *file, ret[MAXPATHLEN];
-	int i;
-
-	file = percent_expand(filename, "h", pw->pw_dir,
-	    "u", pw->pw_name, (char *)NULL);
-
-	/*
-	 * Ensure that filename starts anchored. If not, be backward
-	 * compatible and prepend the '%h/'
-	 */
-	if (*file == '/')
-		return (file);
-
-	i = snprintf(ret, sizeof(ret), "%s/%s", pw->pw_dir, file);
-	if (i < 0 || (size_t)i >= sizeof(ret))
-		fatal("expand_authorized_keys: path too long");
-	xfree(file);
-	return (xstrdup(ret));
-}
-
-char *
-authorized_keys_file(struct passwd *pw)
-{
-	return expand_authorized_keys(options.authorized_keys_file, pw);
-}
-
-char *
-authorized_keys_file2(struct passwd *pw)
-{
-	return expand_authorized_keys(options.authorized_keys_file2, pw);
-}
-
-/* return ok if key exists in sysfile or userfile */
-HostStatus
-check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
-    const char *sysfile, const char *userfile)
-{
-	Key *found;
-	char *user_hostfile;
-	struct stat st;
-	HostStatus host_status;
-
-	/* Check if we know the host and its host key. */
-	found = key_new(key->type);
-	host_status = check_host_in_hostfile(sysfile, host, key, found, NULL);
-
-	if (host_status != HOST_OK && userfile != NULL) {
-		user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
-		if (options.strict_modes &&
-		    (stat(user_hostfile, &st) == 0) &&
-		    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
-		    (st.st_mode & 022) != 0)) {
-			logit("Authentication refused for %.100s: "
-			    "bad owner or modes for %.200s",
-			    pw->pw_name, user_hostfile);
-		} else {
-			temporarily_use_uid(pw);
-			host_status = check_host_in_hostfile(user_hostfile,
-			    host, key, found, NULL);
-			restore_uid();
-		}
-		xfree(user_hostfile);
-	}
-	key_free(found);
-
-	debug2("check_key_in_hostfiles: key %s for %s", host_status == HOST_OK ?
-	    "ok" : "not found", host);
-	return host_status;
-}
-
-
-/*
- * Check a given file for security. This is defined as all components
- * of the path to the file must be owned by either the owner of
- * of the file or root and no directories must be group or world writable.
- *
- * XXX Should any specific check be done for sym links ?
- *
- * Takes an open file descriptor, the file name, a uid and and
- * error buffer plus max size as arguments.
- *
- * Returns 0 on success and -1 on failure
- */
-int
-secure_filename(FILE *f, const char *file, struct passwd *pw,
-    char *err, size_t errlen)
-{
-	uid_t uid = pw->pw_uid;
-	char buf[MAXPATHLEN], homedir[MAXPATHLEN];
-	char *cp;
-	int comparehome = 0;
-	struct stat st;
-
-	if (realpath(file, buf) == NULL) {
-		snprintf(err, errlen, "realpath %s failed: %s", file,
-		    strerror(errno));
-		return -1;
-	}
-	if (realpath(pw->pw_dir, homedir) != NULL)
-		comparehome = 1;
-
-	/* check the open file to avoid races */
-	if (fstat(fileno(f), &st) < 0 ||
-	    (st.st_uid != 0 && st.st_uid != uid) ||
-	    (st.st_mode & 022) != 0) {
-		snprintf(err, errlen, "bad ownership or modes for file %s",
-		    buf);
-		return -1;
-	}
-
-	/* for each component of the canonical path, walking upwards */
-	for (;;) {
-		if ((cp = dirname(buf)) == NULL) {
-			snprintf(err, errlen, "dirname() failed");
-			return -1;
-		}
-		strlcpy(buf, cp, sizeof(buf));
-
-		debug3("secure_filename: checking '%s'", buf);
-		if (stat(buf, &st) < 0 ||
-		    (st.st_uid != 0 && st.st_uid != uid) ||
-		    (st.st_mode & 022) != 0) {
-			snprintf(err, errlen,
-			    "bad ownership or modes for directory %s", buf);
-			return -1;
-		}
-
-		/* If are passed the homedir then we can stop */
-		if (comparehome && strcmp(homedir, buf) == 0) {
-			debug3("secure_filename: terminating check at '%s'",
-			    buf);
-			break;
-		}
-		/*
-		 * dirname should always complete with a "/" path,
-		 * but we can be paranoid and check for "." too
-		 */
-		if ((strcmp("/", buf) == 0) || (strcmp(".", buf) == 0))
-			break;
-	}
-	return 0;
-}
-
-struct passwd *
-getpwnamallow(const char *user)
-{
-#ifdef HAVE_LOGIN_CAP
-	extern login_cap_t *lc;
-#ifdef BSD_AUTH
-	auth_session_t *as;
-#endif
-#endif
-	struct passwd *pw;
-
-	parse_server_match_config(&options, user,
-	    get_canonical_hostname(options.use_dns), get_remote_ipaddr());
-
-	pw = getpwnam(user);
-	if (pw == NULL) {
-		logit("Invalid user %.100s from %.100s",
-		    user, get_remote_ipaddr());
-#ifdef CUSTOM_FAILED_LOGIN
-		record_failed_login(user,
-		    get_canonical_hostname(options.use_dns), "ssh");
-#endif
-#ifdef SSH_AUDIT_EVENTS
-		audit_event(SSH_INVALID_USER);
-#endif /* SSH_AUDIT_EVENTS */
-		return (NULL);
-	}
-	if (!allowed_user(pw))
-		return (NULL);
-#ifdef HAVE_LOGIN_CAP
-	if ((lc = login_getclass(pw->pw_class)) == NULL) {
-		debug("unable to get login class: %s", user);
-		return (NULL);
-	}
-#ifdef BSD_AUTH
-	if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
-	    auth_approval(as, lc, pw->pw_name, "ssh") <= 0) {
-		debug("Approval failure for %s", user);
-		pw = NULL;
-	}
-	if (as != NULL)
-		auth_close(as);
-#endif
-#endif
-	if (pw != NULL)
-		return (pwcopy(pw));
-	return (NULL);
-}
-
-void
-auth_debug_add(const char *fmt,...)
-{
-	char buf[1024];
-	va_list args;
-
-	if (!auth_debug_init)
-		return;
-
-	va_start(args, fmt);
-	vsnprintf(buf, sizeof(buf), fmt, args);
-	va_end(args);
-	buffer_put_cstring(&auth_debug, buf);
-}
-
-void
-auth_debug_send(void)
-{
-	char *msg;
-
-	if (!auth_debug_init)
-		return;
-	while (buffer_len(&auth_debug)) {
-		msg = buffer_get_string(&auth_debug, NULL);
-		packet_send_debug("%s", msg);
-		xfree(msg);
-	}
-}
-
-void
-auth_debug_reset(void)
-{
-	if (auth_debug_init)
-		buffer_clear(&auth_debug);
-	else {
-		buffer_init(&auth_debug);
-		auth_debug_init = 1;
-	}
-}
-
-struct passwd *
-fakepw(void)
-{
-	static struct passwd fake;
-
-	memset(&fake, 0, sizeof(fake));
-	fake.pw_name = "NOUSER";
-	fake.pw_passwd =
-	    "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK";
-	fake.pw_gecos = "NOUSER";
-	fake.pw_uid = privsep_pw->pw_uid;
-	fake.pw_gid = privsep_pw->pw_gid;
-#ifdef HAVE_PW_CLASS_IN_PASSWD
-	fake.pw_class = "";
-#endif
-	fake.pw_dir = "/nonexist";
-	fake.pw_shell = "/nonexist";
-
-	return (&fake);
-}
diff --git a/crypto/openssh/auth.h b/crypto/openssh/auth.h
deleted file mode 100644
index 8c554b6..0000000
--- a/crypto/openssh/auth.h
+++ /dev/null
@@ -1,199 +0,0 @@
-/* $OpenBSD: auth.h,v 1.58 2006/08/18 09:15:20 markus Exp $ */
-
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-#ifndef AUTH_H
-#define AUTH_H
-
-#include <signal.h>
-
-#include <openssl/rsa.h>
-
-#ifdef HAVE_LOGIN_CAP
-#include <login_cap.h>
-#endif
-#ifdef BSD_AUTH
-#include <bsd_auth.h>
-#endif
-#ifdef KRB5
-#include <krb5.h>
-#endif
-
-typedef struct Authctxt Authctxt;
-typedef struct Authmethod Authmethod;
-typedef struct KbdintDevice KbdintDevice;
-
-struct Authctxt {
-	sig_atomic_t	 success;
-	int		 authenticated;	/* authenticated and alarms cancelled */
-	int		 postponed;	/* authentication needs another step */
-	int		 valid;		/* user exists and is allowed to login */
-	int		 attempt;
-	int		 failures;
-	int		 force_pwchange;
-	char		*user;		/* username sent by the client */
-	char		*service;
-	struct passwd	*pw;		/* set if 'valid' */
-	char		*style;
-	void		*kbdintctxt;
-#ifdef BSD_AUTH
-	auth_session_t	*as;
-#endif
-#ifdef KRB5
-	krb5_context	 krb5_ctx;
-	krb5_ccache	 krb5_fwd_ccache;
-	krb5_principal	 krb5_user;
-	char		*krb5_ticket_file;
-	char		*krb5_ccname;
-#endif
-	Buffer		*loginmsg;
-	void		*methoddata;
-};
-/*
- * Every authentication method has to handle authentication requests for
- * non-existing users, or for users that are not allowed to login. In this
- * case 'valid' is set to 0, but 'user' points to the username requested by
- * the client.
- */
-
-struct Authmethod {
-	char	*name;
-	int	(*userauth)(Authctxt *authctxt);
-	int	*enabled;
-};
-
-/*
- * Keyboard interactive device:
- * init_ctx	returns: non NULL upon success
- * query	returns: 0 - success, otherwise failure
- * respond	returns: 0 - success, 1 - need further interaction,
- *		otherwise - failure
- */
-struct KbdintDevice
-{
-	const char *name;
-	void*	(*init_ctx)(Authctxt*);
-	int	(*query)(void *ctx, char **name, char **infotxt,
-		    u_int *numprompts, char ***prompts, u_int **echo_on);
-	int	(*respond)(void *ctx, u_int numresp, char **responses);
-	void	(*free_ctx)(void *ctx);
-};
-
-int      auth_rhosts(struct passwd *, const char *);
-int
-auth_rhosts2(struct passwd *, const char *, const char *, const char *);
-
-int	 auth_rhosts_rsa(Authctxt *, char *, Key *);
-int      auth_password(Authctxt *, const char *);
-int      auth_rsa(Authctxt *, BIGNUM *);
-int      auth_rsa_challenge_dialog(Key *);
-BIGNUM	*auth_rsa_generate_challenge(Key *);
-int	 auth_rsa_verify_response(Key *, BIGNUM *, u_char[]);
-int	 auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
-
-int	 auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
-int	 hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
-int	 user_key_allowed(struct passwd *, Key *);
-
-#ifdef KRB5
-int	auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
-int	auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
-int	auth_krb5_password(Authctxt *authctxt, const char *password);
-void	krb5_cleanup_proc(Authctxt *authctxt);
-#endif /* KRB5 */
-
-#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
-#include <shadow.h>
-int auth_shadow_acctexpired(struct spwd *);
-int auth_shadow_pwexpired(Authctxt *);
-#endif
-
-#include "auth-pam.h"
-#include "audit.h"
-void remove_kbdint_device(const char *);
-
-void disable_forwarding(void);
-
-void	do_authentication(Authctxt *);
-void	do_authentication2(Authctxt *);
-
-void	auth_log(Authctxt *, int, char *, char *);
-void	userauth_finish(Authctxt *, int, char *);
-void	userauth_send_banner(const char *);
-int	auth_root_allowed(char *);
-
-char	*auth2_read_banner(void);
-
-void	privsep_challenge_enable(void);
-
-int	auth2_challenge(Authctxt *, char *);
-void	auth2_challenge_stop(Authctxt *);
-int	bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
-int	bsdauth_respond(void *, u_int, char **);
-int	skey_query(void *, char **, char **, u_int *, char ***, u_int **);
-int	skey_respond(void *, u_int, char **);
-
-int	allowed_user(struct passwd *);
-struct passwd * getpwnamallow(const char *user);
-
-char	*get_challenge(Authctxt *);
-int	verify_response(Authctxt *, const char *);
-void	abandon_challenge_response(Authctxt *);
-
-char	*authorized_keys_file(struct passwd *);
-char	*authorized_keys_file2(struct passwd *);
-
-int
-secure_filename(FILE *, const char *, struct passwd *, char *, size_t);
-
-HostStatus
-check_key_in_hostfiles(struct passwd *, Key *, const char *,
-    const char *, const char *);
-
-/* hostkey handling */
-Key	*get_hostkey_by_index(int);
-Key	*get_hostkey_by_type(int);
-int	 get_hostkey_index(Key *);
-int	 ssh1_session_key(BIGNUM *);
-
-/* debug messages during authentication */
-void	 auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
-void	 auth_debug_send(void);
-void	 auth_debug_reset(void);
-
-struct passwd *fakepw(void);
-
-int	 sys_auth_passwd(Authctxt *, const char *);
-
-#define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
-
-#define SKEY_PROMPT "\nS/Key Password: "
-
-#if defined(KRB5) && !defined(HEIMDAL)
-#include <krb5.h>
-krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
-#endif
-#endif
diff --git a/crypto/openssh/auth1.c b/crypto/openssh/auth1.c
deleted file mode 100644
index b9d6b11..0000000
--- a/crypto/openssh/auth1.c
+++ /dev/null
@@ -1,442 +0,0 @@
-/* $OpenBSD: auth1.c,v 1.70 2006/08/03 03:34:41 deraadt Exp $ */
-/*
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <stdarg.h>
-#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
-#include <pwd.h>
-
-#include "xmalloc.h"
-#include "rsa.h"
-#include "ssh1.h"
-#include "packet.h"
-#include "buffer.h"
-#include "log.h"
-#include "servconf.h"
-#include "compat.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "channels.h"
-#include "session.h"
-#include "uidswap.h"
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-#include "monitor_wrap.h"
-#include "buffer.h"
-
-/* import */
-extern ServerOptions options;
-extern Buffer loginmsg;
-
-static int auth1_process_password(Authctxt *, char *, size_t);
-static int auth1_process_rsa(Authctxt *, char *, size_t);
-static int auth1_process_rhosts_rsa(Authctxt *, char *, size_t);
-static int auth1_process_tis_challenge(Authctxt *, char *, size_t);
-static int auth1_process_tis_response(Authctxt *, char *, size_t);
-
-static char *client_user = NULL;    /* Used to fill in remote user for PAM */
-
-struct AuthMethod1 {
-	int type;
-	char *name;
-	int *enabled;
-	int (*method)(Authctxt *, char *, size_t);
-};
-
-const struct AuthMethod1 auth1_methods[] = {
-	{
-		SSH_CMSG_AUTH_PASSWORD, "password",
-		&options.password_authentication, auth1_process_password
-	},
-	{
-		SSH_CMSG_AUTH_RSA, "rsa",
-		&options.rsa_authentication, auth1_process_rsa
-	},
-	{
-		SSH_CMSG_AUTH_RHOSTS_RSA, "rhosts-rsa",
-		&options.rhosts_rsa_authentication, auth1_process_rhosts_rsa
-	},
-	{
-		SSH_CMSG_AUTH_TIS, "challenge-response",
-		&options.challenge_response_authentication,
-		auth1_process_tis_challenge
-	},
-	{
-		SSH_CMSG_AUTH_TIS_RESPONSE, "challenge-response",
-		&options.challenge_response_authentication,
-		auth1_process_tis_response
-	},
-	{ -1, NULL, NULL, NULL}
-};
-
-static const struct AuthMethod1
-*lookup_authmethod1(int type)
-{
-	int i;
-
-	for (i = 0; auth1_methods[i].name != NULL; i++)
-		if (auth1_methods[i].type == type)
-			return (&(auth1_methods[i]));
-
-	return (NULL);
-}
-
-static char *
-get_authname(int type)
-{
-	const struct AuthMethod1 *a;
-	static char buf[64];
-
-	if ((a = lookup_authmethod1(type)) != NULL)
-		return (a->name);
-	snprintf(buf, sizeof(buf), "bad-auth-msg-%d", type);
-	return (buf);
-}
-
-/*ARGSUSED*/
-static int
-auth1_process_password(Authctxt *authctxt, char *info, size_t infolen)
-{
-	int authenticated = 0;
-	char *password;
-	u_int dlen;
-
-	/*
-	 * Read user password.  It is in plain text, but was
-	 * transmitted over the encrypted channel so it is
-	 * not visible to an outside observer.
-	 */
-	password = packet_get_string(&dlen);
-	packet_check_eom();
-
-	/* Try authentication with the password. */
-	authenticated = PRIVSEP(auth_password(authctxt, password));
-
-	memset(password, 0, dlen);
-	xfree(password);
-
-	return (authenticated);
-}
-
-/*ARGSUSED*/
-static int
-auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen)
-{
-	int authenticated = 0;
-	BIGNUM *n;
-
-	/* RSA authentication requested. */
-	if ((n = BN_new()) == NULL)
-		fatal("do_authloop: BN_new failed");
-	packet_get_bignum(n);
-	packet_check_eom();
-	authenticated = auth_rsa(authctxt, n);
-	BN_clear_free(n);
-
-	return (authenticated);
-}
-
-/*ARGSUSED*/
-static int
-auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen)
-{
-	int keybits, authenticated = 0;
-	u_int bits;
-	Key *client_host_key;
-	u_int ulen;
-
-	/*
-	 * Get client user name.  Note that we just have to
-	 * trust the client; root on the client machine can
-	 * claim to be any user.
-	 */
-	client_user = packet_get_string(&ulen);
-
-	/* Get the client host key. */
-	client_host_key = key_new(KEY_RSA1);
-	bits = packet_get_int();
-	packet_get_bignum(client_host_key->rsa->e);
-	packet_get_bignum(client_host_key->rsa->n);
-
-	keybits = BN_num_bits(client_host_key->rsa->n);
-	if (keybits < 0 || bits != (u_int)keybits) {
-		verbose("Warning: keysize mismatch for client_host_key: "
-		    "actual %d, announced %d",
-		    BN_num_bits(client_host_key->rsa->n), bits);
-	}
-	packet_check_eom();
-
-	authenticated = auth_rhosts_rsa(authctxt, client_user,
-	    client_host_key);
-	key_free(client_host_key);
-
-	snprintf(info, infolen, " ruser %.100s", client_user);
-
-	return (authenticated);
-}
-
-/*ARGSUSED*/
-static int
-auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen)
-{
-	char *challenge;
-
-	if ((challenge = get_challenge(authctxt)) == NULL)
-		return (0);
-
-	debug("sending challenge '%s'", challenge);
-	packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
-	packet_put_cstring(challenge);
-	xfree(challenge);
-	packet_send();
-	packet_write_wait();
-
-	return (-1);
-}
-
-/*ARGSUSED*/
-static int
-auth1_process_tis_response(Authctxt *authctxt, char *info, size_t infolen)
-{
-	int authenticated = 0;
-	char *response;
-	u_int dlen;
-
-	response = packet_get_string(&dlen);
-	packet_check_eom();
-	authenticated = verify_response(authctxt, response);
-	memset(response, 'r', dlen);
-	xfree(response);
-
-	return (authenticated);
-}
-
-/*
- * read packets, try to authenticate the user and
- * return only if authentication is successful
- */
-static void
-do_authloop(Authctxt *authctxt)
-{
-	int authenticated = 0;
-	char info[1024];
-	int prev = 0, type = 0;
-	const struct AuthMethod1 *meth;
-
-	debug("Attempting authentication for %s%.100s.",
-	    authctxt->valid ? "" : "invalid user ", authctxt->user);
-
-	/* If the user has no password, accept authentication immediately. */
-	if (options.password_authentication &&
-#ifdef KRB5
-	    (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
-#endif
-	    PRIVSEP(auth_password(authctxt, ""))) {
-#ifdef USE_PAM
-		if (options.use_pam && (PRIVSEP(do_pam_account())))
-#endif
-		{
-			auth_log(authctxt, 1, "without authentication", "");
-			return;
-		}
-	}
-
-	/* Indicate that authentication is needed. */
-	packet_start(SSH_SMSG_FAILURE);
-	packet_send();
-	packet_write_wait();
-
-	for (;;) {
-		/* default to fail */
-		authenticated = 0;
-
-		info[0] = '\0';
-
-		/* Get a packet from the client. */
-		prev = type;
-		type = packet_read();
-
-		/*
-		 * If we started challenge-response authentication but the
-		 * next packet is not a response to our challenge, release
-		 * the resources allocated by get_challenge() (which would
-		 * normally have been released by verify_response() had we
-		 * received such a response)
-		 */
-		if (prev == SSH_CMSG_AUTH_TIS &&
-		    type != SSH_CMSG_AUTH_TIS_RESPONSE)
-			abandon_challenge_response(authctxt);
-
-		if ((meth = lookup_authmethod1(type)) == NULL) {
-			logit("Unknown message during authentication: "
-			    "type %d", type);
-			goto skip;
-		}
-
-		if (!*(meth->enabled)) {
-			verbose("%s authentication disabled.", meth->name);
-			goto skip;
-		}
-
-		authenticated = meth->method(authctxt, info, sizeof(info));
-		if (authenticated == -1)
-			continue; /* "postponed" */
-
-#ifdef BSD_AUTH
-		if (authctxt->as) {
-			auth_close(authctxt->as);
-			authctxt->as = NULL;
-		}
-#endif
-		if (!authctxt->valid && authenticated)
-			fatal("INTERNAL ERROR: authenticated invalid user %s",
-			    authctxt->user);
-
-#ifdef _UNICOS
-		if (authenticated && cray_access_denied(authctxt->user)) {
-			authenticated = 0;
-			fatal("Access denied for user %s.",authctxt->user);
-		}
-#endif /* _UNICOS */
-
-#ifdef HAVE_CYGWIN
-		if (authenticated &&
-		    !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,
-		    authctxt->pw)) {
-			packet_disconnect("Authentication rejected for uid %d.",
-			    authctxt->pw == NULL ? -1 : authctxt->pw->pw_uid);
-			authenticated = 0;
-		}
-#else
-		/* Special handling for root */
-		if (authenticated && authctxt->pw->pw_uid == 0 &&
-		    !auth_root_allowed(meth->name)) {
- 			authenticated = 0;
-# ifdef SSH_AUDIT_EVENTS
-			PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED));
-# endif
-		}
-#endif
-
-#ifdef USE_PAM
-		if (options.use_pam && authenticated &&
-		    !PRIVSEP(do_pam_account())) {
-			char *msg;
-			size_t len;
-
-			error("Access denied for user %s by PAM account "
-			    "configuration", authctxt->user);
-			len = buffer_len(&loginmsg);
-			buffer_append(&loginmsg, "\0", 1);
-			msg = buffer_ptr(&loginmsg);
-			/* strip trailing newlines */
-			if (len > 0)
-				while (len > 0 && msg[--len] == '\n')
-					msg[len] = '\0';
-			else
-				msg = "Access denied.";
-			packet_disconnect(msg);
-		}
-#endif
-
- skip:
-		/* Log before sending the reply */
-		auth_log(authctxt, authenticated, get_authname(type), info);
-
-		if (client_user != NULL) {
-			xfree(client_user);
-			client_user = NULL;
-		}
-
-		if (authenticated)
-			return;
-
-		if (authctxt->failures++ > options.max_authtries) {
-#ifdef SSH_AUDIT_EVENTS
-			PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
-#endif
-			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
-		}
-
-		packet_start(SSH_SMSG_FAILURE);
-		packet_send();
-		packet_write_wait();
-	}
-}
-
-/*
- * Performs authentication of an incoming connection.  Session key has already
- * been exchanged and encryption is enabled.
- */
-void
-do_authentication(Authctxt *authctxt)
-{
-	u_int ulen;
-	char *user, *style = NULL;
-
-	/* Get the name of the user that we wish to log in as. */
-	packet_read_expect(SSH_CMSG_USER);
-
-	/* Get the user name. */
-	user = packet_get_string(&ulen);
-	packet_check_eom();
-
-	if ((style = strchr(user, ':')) != NULL)
-		*style++ = '\0';
-
-	authctxt->user = user;
-	authctxt->style = style;
-
-	/* Verify that the user is a valid user. */
-	if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
-		authctxt->valid = 1;
-	else {
-		debug("do_authentication: invalid user %s", user);
-		authctxt->pw = fakepw();
-	}
-
-	setproctitle("%s%s", authctxt->valid ? user : "unknown",
-	    use_privsep ? " [net]" : "");
-
-#ifdef USE_PAM
-	if (options.use_pam)
-		PRIVSEP(start_pam(authctxt));
-#endif
-
-	/*
-	 * If we are not running as root, the user must have the same uid as
-	 * the server.
-	 */
-#ifndef HAVE_CYGWIN
-	if (!use_privsep && getuid() != 0 && authctxt->pw &&
-	    authctxt->pw->pw_uid != getuid())
-		packet_disconnect("Cannot change user when server not running as root.");
-#endif
-
-	/*
-	 * Loop until the user has been authenticated or the connection is
-	 * closed, do_authloop() returns only if authentication is successful
-	 */
-	do_authloop(authctxt);
-
-	/* The user has been authenticated and accepted. */
-	packet_start(SSH_SMSG_SUCCESS);
-	packet_send();
-	packet_write_wait();
-}
diff --git a/crypto/openssh/auth2-chall.c b/crypto/openssh/auth2-chall.c
deleted file mode 100644
index b78b739..0000000
--- a/crypto/openssh/auth2-chall.c
+++ /dev/null
@@ -1,378 +0,0 @@
-/* $OpenBSD: auth2-chall.c,v 1.31 2006/08/05 08:28:24 dtucker Exp $ */
-/*
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
- * Copyright (c) 2001 Per Allansson.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <stdarg.h>
-#include <stdio.h>
-#include <string.h>
-
-#include "xmalloc.h"
-#include "ssh2.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "buffer.h"
-#include "packet.h"
-#include "dispatch.h"
-#include "log.h"
-#include "servconf.h"
-
-/* import */
-extern ServerOptions options;
-
-static int auth2_challenge_start(Authctxt *);
-static int send_userauth_info_request(Authctxt *);
-static void input_userauth_info_response(int, u_int32_t, void *);
-
-#ifdef BSD_AUTH
-extern KbdintDevice bsdauth_device;
-#else
-#ifdef USE_PAM
-extern KbdintDevice sshpam_device;
-#endif
-#ifdef SKEY
-extern KbdintDevice skey_device;
-#endif
-#endif
-
-KbdintDevice *devices[] = {
-#ifdef BSD_AUTH
-	&bsdauth_device,
-#else
-#ifdef USE_PAM
-	&sshpam_device,
-#endif
-#ifdef SKEY
-	&skey_device,
-#endif
-#endif
-	NULL
-};
-
-typedef struct KbdintAuthctxt KbdintAuthctxt;
-struct KbdintAuthctxt
-{
-	char *devices;
-	void *ctxt;
-	KbdintDevice *device;
-	u_int nreq;
-};
-
-#ifdef USE_PAM
-void
-remove_kbdint_device(const char *devname)
-{
-	int i, j;
-
-	for (i = 0; devices[i] != NULL; i++)
-		if (strcmp(devices[i]->name, devname) == 0) {
-			for (j = i; devices[j] != NULL; j++)
-				devices[j] = devices[j+1];
-			i--;
-		}
-}
-#endif
-
-static KbdintAuthctxt *
-kbdint_alloc(const char *devs)
-{
-	KbdintAuthctxt *kbdintctxt;
-	Buffer b;
-	int i;
-
-#ifdef USE_PAM
-	if (!options.use_pam)
-		remove_kbdint_device("pam");
-#endif
-
-	kbdintctxt = xmalloc(sizeof(KbdintAuthctxt));
-	if (strcmp(devs, "") == 0) {
-		buffer_init(&b);
-		for (i = 0; devices[i]; i++) {
-			if (buffer_len(&b) > 0)
-				buffer_append(&b, ",", 1);
-			buffer_append(&b, devices[i]->name,
-			    strlen(devices[i]->name));
-		}
-		buffer_append(&b, "\0", 1);
-		kbdintctxt->devices = xstrdup(buffer_ptr(&b));
-		buffer_free(&b);
-	} else {
-		kbdintctxt->devices = xstrdup(devs);
-	}
-	debug("kbdint_alloc: devices '%s'", kbdintctxt->devices);
-	kbdintctxt->ctxt = NULL;
-	kbdintctxt->device = NULL;
-	kbdintctxt->nreq = 0;
-
-	return kbdintctxt;
-}
-static void
-kbdint_reset_device(KbdintAuthctxt *kbdintctxt)
-{
-	if (kbdintctxt->ctxt) {
-		kbdintctxt->device->free_ctx(kbdintctxt->ctxt);
-		kbdintctxt->ctxt = NULL;
-	}
-	kbdintctxt->device = NULL;
-}
-static void
-kbdint_free(KbdintAuthctxt *kbdintctxt)
-{
-	if (kbdintctxt->device)
-		kbdint_reset_device(kbdintctxt);
-	if (kbdintctxt->devices) {
-		xfree(kbdintctxt->devices);
-		kbdintctxt->devices = NULL;
-	}
-	xfree(kbdintctxt);
-}
-/* get next device */
-static int
-kbdint_next_device(KbdintAuthctxt *kbdintctxt)
-{
-	size_t len;
-	char *t;
-	int i;
-
-	if (kbdintctxt->device)
-		kbdint_reset_device(kbdintctxt);
-	do {
-		len = kbdintctxt->devices ?
-		    strcspn(kbdintctxt->devices, ",") : 0;
-
-		if (len == 0)
-			break;
-		for (i = 0; devices[i]; i++)
-			if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
-				kbdintctxt->device = devices[i];
-		t = kbdintctxt->devices;
-		kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
-		xfree(t);
-		debug2("kbdint_next_device: devices %s", kbdintctxt->devices ?
-		    kbdintctxt->devices : "<empty>");
-	} while (kbdintctxt->devices && !kbdintctxt->device);
-
-	return kbdintctxt->device ? 1 : 0;
-}
-
-/*
- * try challenge-response, set authctxt->postponed if we have to
- * wait for the response.
- */
-int
-auth2_challenge(Authctxt *authctxt, char *devs)
-{
-	debug("auth2_challenge: user=%s devs=%s",
-	    authctxt->user ? authctxt->user : "<nouser>",
-	    devs ? devs : "<no devs>");
-
-	if (authctxt->user == NULL || !devs)
-		return 0;
-	if (authctxt->kbdintctxt == NULL)
-		authctxt->kbdintctxt = kbdint_alloc(devs);
-	return auth2_challenge_start(authctxt);
-}
-
-/* unregister kbd-int callbacks and context */
-void
-auth2_challenge_stop(Authctxt *authctxt)
-{
-	/* unregister callback */
-	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
-	if (authctxt->kbdintctxt != NULL)  {
-		kbdint_free(authctxt->kbdintctxt);
-		authctxt->kbdintctxt = NULL;
-	}
-}
-
-/* side effect: sets authctxt->postponed if a reply was sent*/
-static int
-auth2_challenge_start(Authctxt *authctxt)
-{
-	KbdintAuthctxt *kbdintctxt = authctxt->kbdintctxt;
-
-	debug2("auth2_challenge_start: devices %s",
-	    kbdintctxt->devices ?  kbdintctxt->devices : "<empty>");
-
-	if (kbdint_next_device(kbdintctxt) == 0) {
-		auth2_challenge_stop(authctxt);
-		return 0;
-	}
-	debug("auth2_challenge_start: trying authentication method '%s'",
-	    kbdintctxt->device->name);
-
-	if ((kbdintctxt->ctxt = kbdintctxt->device->init_ctx(authctxt)) == NULL) {
-		auth2_challenge_stop(authctxt);
-		return 0;
-	}
-	if (send_userauth_info_request(authctxt) == 0) {
-		auth2_challenge_stop(authctxt);
-		return 0;
-	}
-	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
-	    &input_userauth_info_response);
-
-	authctxt->postponed = 1;
-	return 0;
-}
-
-static int
-send_userauth_info_request(Authctxt *authctxt)
-{
-	KbdintAuthctxt *kbdintctxt;
-	char *name, *instr, **prompts;
-	u_int i, *echo_on;
-
-	kbdintctxt = authctxt->kbdintctxt;
-	if (kbdintctxt->device->query(kbdintctxt->ctxt,
-	    &name, &instr, &kbdintctxt->nreq, &prompts, &echo_on))
-		return 0;
-
-	packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST);
-	packet_put_cstring(name);
-	packet_put_cstring(instr);
-	packet_put_cstring("");		/* language not used */
-	packet_put_int(kbdintctxt->nreq);
-	for (i = 0; i < kbdintctxt->nreq; i++) {
-		packet_put_cstring(prompts[i]);
-		packet_put_char(echo_on[i]);
-	}
-	packet_send();
-	packet_write_wait();
-
-	for (i = 0; i < kbdintctxt->nreq; i++)
-		xfree(prompts[i]);
-	xfree(prompts);
-	xfree(echo_on);
-	xfree(name);
-	xfree(instr);
-	return 1;
-}
-
-static void
-input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
-{
-	Authctxt *authctxt = ctxt;
-	KbdintAuthctxt *kbdintctxt;
-	int authenticated = 0, res, len;
-	u_int i, nresp;
-	char **response = NULL, *method;
-
-	if (authctxt == NULL)
-		fatal("input_userauth_info_response: no authctxt");
-	kbdintctxt = authctxt->kbdintctxt;
-	if (kbdintctxt == NULL || kbdintctxt->ctxt == NULL)
-		fatal("input_userauth_info_response: no kbdintctxt");
-	if (kbdintctxt->device == NULL)
-		fatal("input_userauth_info_response: no device");
-
-	authctxt->postponed = 0;	/* reset */
-	nresp = packet_get_int();
-	if (nresp != kbdintctxt->nreq)
-		fatal("input_userauth_info_response: wrong number of replies");
-	if (nresp > 100)
-		fatal("input_userauth_info_response: too many replies");
-	if (nresp > 0) {
-		response = xcalloc(nresp, sizeof(char *));
-		for (i = 0; i < nresp; i++)
-			response[i] = packet_get_string(NULL);
-	}
-	packet_check_eom();
-
-	res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response);
-
-	for (i = 0; i < nresp; i++) {
-		memset(response[i], 'r', strlen(response[i]));
-		xfree(response[i]);
-	}
-	if (response)
-		xfree(response);
-
-	switch (res) {
-	case 0:
-		/* Success! */
-		authenticated = authctxt->valid ? 1 : 0;
-		break;
-	case 1:
-		/* Authentication needs further interaction */
-		if (send_userauth_info_request(authctxt) == 1)
-			authctxt->postponed = 1;
-		break;
-	default:
-		/* Failure! */
-		break;
-	}
-
-	len = strlen("keyboard-interactive") + 2 +
-		strlen(kbdintctxt->device->name);
-	method = xmalloc(len);
-	snprintf(method, len, "keyboard-interactive/%s",
-	    kbdintctxt->device->name);
-
-	if (!authctxt->postponed) {
-		if (authenticated) {
-			auth2_challenge_stop(authctxt);
-		} else {
-			/* start next device */
-			/* may set authctxt->postponed */
-			auth2_challenge_start(authctxt);
-		}
-	}
-	userauth_finish(authctxt, authenticated, method);
-	xfree(method);
-}
-
-void
-privsep_challenge_enable(void)
-{
-#if defined(BSD_AUTH) || defined(USE_PAM) || defined(SKEY)
-	int n = 0;
-#endif
-#ifdef BSD_AUTH
-	extern KbdintDevice mm_bsdauth_device;
-#endif
-#ifdef USE_PAM
-	extern KbdintDevice mm_sshpam_device;
-#endif
-#ifdef SKEY
-	extern KbdintDevice mm_skey_device;
-#endif
-
-#ifdef BSD_AUTH
-	devices[n++] = &mm_bsdauth_device;
-#else
-#ifdef USE_PAM
-	devices[n++] = &mm_sshpam_device;
-#endif
-#ifdef SKEY
-	devices[n++] = &mm_skey_device;
-#endif
-#endif
-}
diff --git a/crypto/openssh/auth2-gss.c b/crypto/openssh/auth2-gss.c
deleted file mode 100644
index c77c841..0000000
--- a/crypto/openssh/auth2-gss.c
+++ /dev/null
@@ -1,301 +0,0 @@
-/* $OpenBSD: auth2-gss.c,v 1.15 2006/08/03 03:34:41 deraadt Exp $ */
-
-/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#ifdef GSSAPI
-
-#include <sys/types.h>
-
-#include <stdarg.h>
-
-#include "xmalloc.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "ssh2.h"
-#include "log.h"
-#include "dispatch.h"
-#include "buffer.h"
-#include "servconf.h"
-#include "packet.h"
-#include "ssh-gss.h"
-#include "monitor_wrap.h"
-
-extern ServerOptions options;
-
-static void input_gssapi_token(int type, u_int32_t plen, void *ctxt);
-static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
-static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
-static void input_gssapi_errtok(int, u_int32_t, void *);
-
-/*
- * We only support those mechanisms that we know about (ie ones that we know
- * how to check local user kuserok and the like)
- */
-static int
-userauth_gssapi(Authctxt *authctxt)
-{
-	gss_OID_desc goid = {0, NULL};
-	Gssctxt *ctxt = NULL;
-	int mechs;
-	gss_OID_set supported;
-	int present;
-	OM_uint32 ms;
-	u_int len;
-	u_char *doid = NULL;
-
-	if (!authctxt->valid || authctxt->user == NULL)
-		return (0);
-
-	mechs = packet_get_int();
-	if (mechs == 0) {
-		debug("Mechanism negotiation is not supported");
-		return (0);
-	}
-
-	ssh_gssapi_supported_oids(&supported);
-	do {
-		mechs--;
-
-		if (doid)
-			xfree(doid);
-
-		present = 0;
-		doid = packet_get_string(&len);
-
-		if (len > 2 && doid[0] == SSH_GSS_OIDTYPE &&
-		    doid[1] == len - 2) {
-			goid.elements = doid + 2;
-			goid.length   = len - 2;
-			gss_test_oid_set_member(&ms, &goid, supported,
-			    &present);
-		} else {
-			logit("Badly formed OID received");
-		}
-	} while (mechs > 0 && !present);
-
-	gss_release_oid_set(&ms, &supported);
-
-	if (!present) {
-		xfree(doid);
-		return (0);
-	}
-
-	if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
-		if (ctxt != NULL)
-			ssh_gssapi_delete_ctx(&ctxt);
-		xfree(doid);
-		return (0);
-	}
-
-	authctxt->methoddata = (void *)ctxt;
-
-	packet_start(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE);
-
-	/* Return the OID that we received */
-	packet_put_string(doid, len);
-
-	packet_send();
-	xfree(doid);
-
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token);
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok);
-	authctxt->postponed = 1;
-
-	return (0);
-}
-
-static void
-input_gssapi_token(int type, u_int32_t plen, void *ctxt)
-{
-	Authctxt *authctxt = ctxt;
-	Gssctxt *gssctxt;
-	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
-	gss_buffer_desc recv_tok;
-	OM_uint32 maj_status, min_status, flags;
-	u_int len;
-
-	if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
-		fatal("No authentication or GSSAPI context");
-
-	gssctxt = authctxt->methoddata;
-	recv_tok.value = packet_get_string(&len);
-	recv_tok.length = len; /* u_int vs. size_t */
-
-	packet_check_eom();
-
-	maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
-	    &send_tok, &flags));
-
-	xfree(recv_tok.value);
-
-	if (GSS_ERROR(maj_status)) {
-		if (send_tok.length != 0) {
-			packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK);
-			packet_put_string(send_tok.value, send_tok.length);
-			packet_send();
-		}
-		authctxt->postponed = 0;
-		dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-		userauth_finish(authctxt, 0, "gssapi-with-mic");
-	} else {
-		if (send_tok.length != 0) {
-			packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
-			packet_put_string(send_tok.value, send_tok.length);
-			packet_send();
-		}
-		if (maj_status == GSS_S_COMPLETE) {
-			dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-			if (flags & GSS_C_INTEG_FLAG)
-				dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC,
-				    &input_gssapi_mic);
-			else
-				dispatch_set(
-				    SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
-				    &input_gssapi_exchange_complete);
-		}
-	}
-
-	gss_release_buffer(&min_status, &send_tok);
-}
-
-static void
-input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
-{
-	Authctxt *authctxt = ctxt;
-	Gssctxt *gssctxt;
-	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
-	gss_buffer_desc recv_tok;
-	OM_uint32 maj_status;
-	u_int len;
-
-	if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
-		fatal("No authentication or GSSAPI context");
-
-	gssctxt = authctxt->methoddata;
-	recv_tok.value = packet_get_string(&len);
-	recv_tok.length = len;
-
-	packet_check_eom();
-
-	/* Push the error token into GSSAPI to see what it says */
-	maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
-	    &send_tok, NULL));
-
-	xfree(recv_tok.value);
-
-	/* We can't return anything to the client, even if we wanted to */
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
-
-	/* The client will have already moved on to the next auth */
-
-	gss_release_buffer(&maj_status, &send_tok);
-}
-
-/*
- * This is called when the client thinks we've completed authentication.
- * It should only be enabled in the dispatch handler by the function above,
- * which only enables it once the GSSAPI exchange is complete.
- */
-
-static void
-input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
-{
-	Authctxt *authctxt = ctxt;
-	Gssctxt *gssctxt;
-	int authenticated;
-
-	if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
-		fatal("No authentication or GSSAPI context");
-
-	gssctxt = authctxt->methoddata;
-
-	/*
-	 * We don't need to check the status, because we're only enabled in
-	 * the dispatcher once the exchange is complete
-	 */
-
-	packet_check_eom();
-
-	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
-
-	authctxt->postponed = 0;
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
-	userauth_finish(authctxt, authenticated, "gssapi-with-mic");
-}
-
-static void
-input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
-{
-	Authctxt *authctxt = ctxt;
-	Gssctxt *gssctxt;
-	int authenticated = 0;
-	Buffer b;
-	gss_buffer_desc mic, gssbuf;
-	u_int len;
-
-	if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
-		fatal("No authentication or GSSAPI context");
-
-	gssctxt = authctxt->methoddata;
-
-	mic.value = packet_get_string(&len);
-	mic.length = len;
-
-	ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
-	    "gssapi-with-mic");
-
-	gssbuf.value = buffer_ptr(&b);
-	gssbuf.length = buffer_len(&b);
-
-	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
-		authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
-	else
-		logit("GSSAPI MIC check failed");
-
-	buffer_free(&b);
-	xfree(mic.value);
-
-	authctxt->postponed = 0;
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
-	userauth_finish(authctxt, authenticated, "gssapi-with-mic");
-}
-
-Authmethod method_gssapi = {
-	"gssapi-with-mic",
-	userauth_gssapi,
-	&options.gss_authentication
-};
-
-#endif /* GSSAPI */
diff --git a/crypto/openssh/auth2-hostbased.c b/crypto/openssh/auth2-hostbased.c
deleted file mode 100644
index 663dec5..0000000
--- a/crypto/openssh/auth2-hostbased.c
+++ /dev/null
@@ -1,191 +0,0 @@
-/* $OpenBSD: auth2-hostbased.c,v 1.11 2006/08/03 03:34:41 deraadt Exp $ */
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <pwd.h>
-#include <string.h>
-#include <stdarg.h>
-
-#include "xmalloc.h"
-#include "ssh2.h"
-#include "packet.h"
-#include "buffer.h"
-#include "log.h"
-#include "servconf.h"
-#include "compat.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "canohost.h"
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-#include "monitor_wrap.h"
-#include "pathnames.h"
-
-/* import */
-extern ServerOptions options;
-extern u_char *session_id2;
-extern u_int session_id2_len;
-
-static int
-userauth_hostbased(Authctxt *authctxt)
-{
-	Buffer b;
-	Key *key = NULL;
-	char *pkalg, *cuser, *chost, *service;
-	u_char *pkblob, *sig;
-	u_int alen, blen, slen;
-	int pktype;
-	int authenticated = 0;
-
-	if (!authctxt->valid) {
-		debug2("userauth_hostbased: disabled because of invalid user");
-		return 0;
-	}
-	pkalg = packet_get_string(&alen);
-	pkblob = packet_get_string(&blen);
-	chost = packet_get_string(NULL);
-	cuser = packet_get_string(NULL);
-	sig = packet_get_string(&slen);
-
-	debug("userauth_hostbased: cuser %s chost %s pkalg %s slen %d",
-	    cuser, chost, pkalg, slen);
-#ifdef DEBUG_PK
-	debug("signature:");
-	buffer_init(&b);
-	buffer_append(&b, sig, slen);
-	buffer_dump(&b);
-	buffer_free(&b);
-#endif
-	pktype = key_type_from_name(pkalg);
-	if (pktype == KEY_UNSPEC) {
-		/* this is perfectly legal */
-		logit("userauth_hostbased: unsupported "
-		    "public key algorithm: %s", pkalg);
-		goto done;
-	}
-	key = key_from_blob(pkblob, blen);
-	if (key == NULL) {
-		error("userauth_hostbased: cannot decode key: %s", pkalg);
-		goto done;
-	}
-	if (key->type != pktype) {
-		error("userauth_hostbased: type mismatch for decoded key "
-		    "(received %d, expected %d)", key->type, pktype);
-		goto done;
-	}
-	service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
-	    authctxt->service;
-	buffer_init(&b);
-	buffer_put_string(&b, session_id2, session_id2_len);
-	/* reconstruct packet */
-	buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
-	buffer_put_cstring(&b, authctxt->user);
-	buffer_put_cstring(&b, service);
-	buffer_put_cstring(&b, "hostbased");
-	buffer_put_string(&b, pkalg, alen);
-	buffer_put_string(&b, pkblob, blen);
-	buffer_put_cstring(&b, chost);
-	buffer_put_cstring(&b, cuser);
-#ifdef DEBUG_PK
-	buffer_dump(&b);
-#endif
-	/* test for allowed key and correct signature */
-	authenticated = 0;
-	if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
-	    PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
-			buffer_len(&b))) == 1)
-		authenticated = 1;
-
-	buffer_free(&b);
-done:
-	debug2("userauth_hostbased: authenticated %d", authenticated);
-	if (key != NULL)
-		key_free(key);
-	xfree(pkalg);
-	xfree(pkblob);
-	xfree(cuser);
-	xfree(chost);
-	xfree(sig);
-	return authenticated;
-}
-
-/* return 1 if given hostkey is allowed */
-int
-hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
-    Key *key)
-{
-	const char *resolvedname, *ipaddr, *lookup;
-	HostStatus host_status;
-	int len;
-
-	resolvedname = get_canonical_hostname(options.use_dns);
-	ipaddr = get_remote_ipaddr();
-
-	debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s",
-	    chost, resolvedname, ipaddr);
-
-	if (options.hostbased_uses_name_from_packet_only) {
-		if (auth_rhosts2(pw, cuser, chost, chost) == 0)
-			return 0;
-		lookup = chost;
-	} else {
-		if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') {
-			debug2("stripping trailing dot from chost %s", chost);
-			chost[len - 1] = '\0';
-		}
-		if (strcasecmp(resolvedname, chost) != 0)
-			logit("userauth_hostbased mismatch: "
-			    "client sends %s, but we resolve %s to %s",
-			    chost, ipaddr, resolvedname);
-		if (auth_rhosts2(pw, cuser, resolvedname, ipaddr) == 0)
-			return 0;
-		lookup = resolvedname;
-	}
-	debug2("userauth_hostbased: access allowed by auth_rhosts2");
-
-	host_status = check_key_in_hostfiles(pw, key, lookup,
-	    _PATH_SSH_SYSTEM_HOSTFILE,
-	    options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);
-
-	/* backward compat if no key has been found. */
-	if (host_status == HOST_NEW)
-		host_status = check_key_in_hostfiles(pw, key, lookup,
-		    _PATH_SSH_SYSTEM_HOSTFILE2,
-		    options.ignore_user_known_hosts ? NULL :
-		    _PATH_SSH_USER_HOSTFILE2);
-
-	return (host_status == HOST_OK);
-}
-
-Authmethod method_hostbased = {
-	"hostbased",
-	userauth_hostbased,
-	&options.hostbased_authentication
-};
diff --git a/crypto/openssh/auth2-kbdint.c b/crypto/openssh/auth2-kbdint.c
deleted file mode 100644
index a4fc9e6..0000000
--- a/crypto/openssh/auth2-kbdint.c
+++ /dev/null
@@ -1,72 +0,0 @@
-/* $OpenBSD: auth2-kbdint.c,v 1.5 2006/08/03 03:34:41 deraadt Exp $ */
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <stdarg.h>
-
-#include "xmalloc.h"
-#include "packet.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "log.h"
-#include "buffer.h"
-#include "servconf.h"
-
-/* import */
-extern ServerOptions options;
-
-static int
-userauth_kbdint(Authctxt *authctxt)
-{
-	int authenticated = 0;
-	char *lang, *devs;
-
-	lang = packet_get_string(NULL);
-	devs = packet_get_string(NULL);
-	packet_check_eom();
-
-	debug("keyboard-interactive devs %s", devs);
-
-	if (options.challenge_response_authentication)
-		authenticated = auth2_challenge(authctxt, devs);
-
-	xfree(devs);
-	xfree(lang);
-#ifdef HAVE_CYGWIN
-	if (check_nt_auth(0, authctxt->pw) == 0)
-		authenticated = 0;
-#endif
-	return authenticated;
-}
-
-Authmethod method_kbdint = {
-	"keyboard-interactive",
-	userauth_kbdint,
-	&options.kbd_interactive_authentication
-};
diff --git a/crypto/openssh/auth2-none.c b/crypto/openssh/auth2-none.c
deleted file mode 100644
index 952b448..0000000
--- a/crypto/openssh/auth2-none.c
+++ /dev/null
@@ -1,140 +0,0 @@
-/* $OpenBSD: auth2-none.c,v 1.13 2006/08/05 07:52:52 dtucker Exp $ */
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/uio.h>
-
-#include <fcntl.h>
-#include <stdarg.h>
-#include <unistd.h>
-
-#include "xmalloc.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "packet.h"
-#include "log.h"
-#include "buffer.h"
-#include "servconf.h"
-#include "atomicio.h"
-#include "compat.h"
-#include "ssh2.h"
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-#include "monitor_wrap.h"
-
-/* import */
-extern ServerOptions options;
-
-/* "none" is allowed only one time */
-static int none_enabled = 1;
-
-char *
-auth2_read_banner(void)
-{
-	struct stat st;
-	char *banner = NULL;
-	size_t len, n;
-	int fd;
-
-	if ((fd = open(options.banner, O_RDONLY)) == -1)
-		return (NULL);
-	if (fstat(fd, &st) == -1) {
-		close(fd);
-		return (NULL);
-	}
-	if (st.st_size > 1*1024*1024) {
-		close(fd);
-		return (NULL);
-	}
-
-	len = (size_t)st.st_size;		/* truncate */
-	banner = xmalloc(len + 1);
-	n = atomicio(read, fd, banner, len);
-	close(fd);
-
-	if (n != len) {
-		xfree(banner);
-		return (NULL);
-	}
-	banner[n] = '\0';
-
-	return (banner);
-}
-
-void
-userauth_send_banner(const char *msg)
-{
-	if (datafellows & SSH_BUG_BANNER)
-		return;
-
-	packet_start(SSH2_MSG_USERAUTH_BANNER);
-	packet_put_cstring(msg);
-	packet_put_cstring("");		/* language, unused */
-	packet_send();
-	debug("%s: sent", __func__);
-}
-
-static void
-userauth_banner(void)
-{
-	char *banner = NULL;
-
-	if (options.banner == NULL || (datafellows & SSH_BUG_BANNER))
-		return;
-
-	if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
-		goto done;
-	userauth_send_banner(banner);
-
-done:
-	if (banner)
-		xfree(banner);
-}
-
-static int
-userauth_none(Authctxt *authctxt)
-{
-	none_enabled = 0;
-	packet_check_eom();
-	userauth_banner();
-#ifdef HAVE_CYGWIN
-	if (check_nt_auth(1, authctxt->pw) == 0)
-		return (0);
-#endif
-	if (options.password_authentication)
-		return (PRIVSEP(auth_password(authctxt, "")));
-	return (0);
-}
-
-Authmethod method_none = {
-	"none",
-	userauth_none,
-	&none_enabled
-};
diff --git a/crypto/openssh/auth2-passwd.c b/crypto/openssh/auth2-passwd.c
deleted file mode 100644
index 421c5c2..0000000
--- a/crypto/openssh/auth2-passwd.c
+++ /dev/null
@@ -1,84 +0,0 @@
-/* $OpenBSD: auth2-passwd.c,v 1.9 2006/08/03 03:34:41 deraadt Exp $ */
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <string.h>
-#include <stdarg.h>
-
-#include "xmalloc.h"
-#include "packet.h"
-#include "log.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "buffer.h"
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-#include "monitor_wrap.h"
-#include "servconf.h"
-
-/* import */
-extern ServerOptions options;
-
-static int
-userauth_passwd(Authctxt *authctxt)
-{
-	char *password, *newpass;
-	int authenticated = 0;
-	int change;
-	u_int len, newlen;
-
-	change = packet_get_char();
-	password = packet_get_string(&len);
-	if (change) {
-		/* discard new password from packet */
-		newpass = packet_get_string(&newlen);
-		memset(newpass, 0, newlen);
-		xfree(newpass);
-	}
-	packet_check_eom();
-
-	if (change)
-		logit("password change not supported");
-	else if (PRIVSEP(auth_password(authctxt, password)) == 1)
-		authenticated = 1;
-#ifdef HAVE_CYGWIN
-	if (check_nt_auth(1, authctxt->pw) == 0)
-		authenticated = 0;
-#endif
-	memset(password, 0, len);
-	xfree(password);
-	return authenticated;
-}
-
-Authmethod method_passwd = {
-	"password",
-	userauth_passwd,
-	&options.password_authentication
-};
diff --git a/crypto/openssh/auth2-pubkey.c b/crypto/openssh/auth2-pubkey.c
deleted file mode 100644
index 9863cd9..0000000
--- a/crypto/openssh/auth2-pubkey.c
+++ /dev/null
@@ -1,292 +0,0 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.15 2006/08/03 03:34:41 deraadt Exp $ */
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/stat.h>
-
-#include <pwd.h>
-#include <stdio.h>
-#include <stdarg.h>
-
-#include "xmalloc.h"
-#include "ssh.h"
-#include "ssh2.h"
-#include "packet.h"
-#include "buffer.h"
-#include "log.h"
-#include "servconf.h"
-#include "compat.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "pathnames.h"
-#include "uidswap.h"
-#include "auth-options.h"
-#include "canohost.h"
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-#include "monitor_wrap.h"
-#include "misc.h"
-
-/* import */
-extern ServerOptions options;
-extern u_char *session_id2;
-extern u_int session_id2_len;
-
-static int
-userauth_pubkey(Authctxt *authctxt)
-{
-	Buffer b;
-	Key *key = NULL;
-	char *pkalg;
-	u_char *pkblob, *sig;
-	u_int alen, blen, slen;
-	int have_sig, pktype;
-	int authenticated = 0;
-
-	if (!authctxt->valid) {
-		debug2("userauth_pubkey: disabled because of invalid user");
-		return 0;
-	}
-	have_sig = packet_get_char();
-	if (datafellows & SSH_BUG_PKAUTH) {
-		debug2("userauth_pubkey: SSH_BUG_PKAUTH");
-		/* no explicit pkalg given */
-		pkblob = packet_get_string(&blen);
-		buffer_init(&b);
-		buffer_append(&b, pkblob, blen);
-		/* so we have to extract the pkalg from the pkblob */
-		pkalg = buffer_get_string(&b, &alen);
-		buffer_free(&b);
-	} else {
-		pkalg = packet_get_string(&alen);
-		pkblob = packet_get_string(&blen);
-	}
-	pktype = key_type_from_name(pkalg);
-	if (pktype == KEY_UNSPEC) {
-		/* this is perfectly legal */
-		logit("userauth_pubkey: unsupported public key algorithm: %s",
-		    pkalg);
-		goto done;
-	}
-	key = key_from_blob(pkblob, blen);
-	if (key == NULL) {
-		error("userauth_pubkey: cannot decode key: %s", pkalg);
-		goto done;
-	}
-	if (key->type != pktype) {
-		error("userauth_pubkey: type mismatch for decoded key "
-		    "(received %d, expected %d)", key->type, pktype);
-		goto done;
-	}
-	if (have_sig) {
-		sig = packet_get_string(&slen);
-		packet_check_eom();
-		buffer_init(&b);
-		if (datafellows & SSH_OLD_SESSIONID) {
-			buffer_append(&b, session_id2, session_id2_len);
-		} else {
-			buffer_put_string(&b, session_id2, session_id2_len);
-		}
-		/* reconstruct packet */
-		buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
-		buffer_put_cstring(&b, authctxt->user);
-		buffer_put_cstring(&b,
-		    datafellows & SSH_BUG_PKSERVICE ?
-		    "ssh-userauth" :
-		    authctxt->service);
-		if (datafellows & SSH_BUG_PKAUTH) {
-			buffer_put_char(&b, have_sig);
-		} else {
-			buffer_put_cstring(&b, "publickey");
-			buffer_put_char(&b, have_sig);
-			buffer_put_cstring(&b, pkalg);
-		}
-		buffer_put_string(&b, pkblob, blen);
-#ifdef DEBUG_PK
-		buffer_dump(&b);
-#endif
-		/* test for correct signature */
-		authenticated = 0;
-		if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
-		    PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
-		    buffer_len(&b))) == 1)
-			authenticated = 1;
-		buffer_free(&b);
-		xfree(sig);
-	} else {
-		debug("test whether pkalg/pkblob are acceptable");
-		packet_check_eom();
-
-		/* XXX fake reply and always send PK_OK ? */
-		/*
-		 * XXX this allows testing whether a user is allowed
-		 * to login: if you happen to have a valid pubkey this
-		 * message is sent. the message is NEVER sent at all
-		 * if a user is not allowed to login. is this an
-		 * issue? -markus
-		 */
-		if (PRIVSEP(user_key_allowed(authctxt->pw, key))) {
-			packet_start(SSH2_MSG_USERAUTH_PK_OK);
-			packet_put_string(pkalg, alen);
-			packet_put_string(pkblob, blen);
-			packet_send();
-			packet_write_wait();
-			authctxt->postponed = 1;
-		}
-	}
-	if (authenticated != 1)
-		auth_clear_options();
-done:
-	debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg);
-	if (key != NULL)
-		key_free(key);
-	xfree(pkalg);
-	xfree(pkblob);
-#ifdef HAVE_CYGWIN
-	if (check_nt_auth(0, authctxt->pw) == 0)
-		authenticated = 0;
-#endif
-	return authenticated;
-}
-
-/* return 1 if user allows given key */
-static int
-user_key_allowed2(struct passwd *pw, Key *key, char *file)
-{
-	char line[SSH_MAX_PUBKEY_BYTES];
-	int found_key = 0;
-	FILE *f;
-	u_long linenum = 0;
-	struct stat st;
-	Key *found;
-	char *fp;
-
-	/* Temporarily use the user's uid. */
-	temporarily_use_uid(pw);
-
-	debug("trying public key file %s", file);
-
-	/* Fail quietly if file does not exist */
-	if (stat(file, &st) < 0) {
-		/* Restore the privileged uid. */
-		restore_uid();
-		return 0;
-	}
-	/* Open the file containing the authorized keys. */
-	f = fopen(file, "r");
-	if (!f) {
-		/* Restore the privileged uid. */
-		restore_uid();
-		return 0;
-	}
-	if (options.strict_modes &&
-	    secure_filename(f, file, pw, line, sizeof(line)) != 0) {
-		fclose(f);
-		logit("Authentication refused: %s", line);
-		restore_uid();
-		return 0;
-	}
-
-	found_key = 0;
-	found = key_new(key->type);
-
-	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
-		char *cp, *key_options = NULL;
-
-		/* Skip leading whitespace, empty and comment lines. */
-		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
-			;
-		if (!*cp || *cp == '\n' || *cp == '#')
-			continue;
-
-		if (key_read(found, &cp) != 1) {
-			/* no key?  check if there are options for this key */
-			int quoted = 0;
-			debug2("user_key_allowed: check options: '%s'", cp);
-			key_options = cp;
-			for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
-				if (*cp == '\\' && cp[1] == '"')
-					cp++;	/* Skip both */
-				else if (*cp == '"')
-					quoted = !quoted;
-			}
-			/* Skip remaining whitespace. */
-			for (; *cp == ' ' || *cp == '\t'; cp++)
-				;
-			if (key_read(found, &cp) != 1) {
-				debug2("user_key_allowed: advance: '%s'", cp);
-				/* still no key?  advance to next line*/
-				continue;
-			}
-		}
-		if (key_equal(found, key) &&
-		    auth_parse_options(pw, key_options, file, linenum) == 1) {
-			found_key = 1;
-			debug("matching key found: file %s, line %lu",
-			    file, linenum);
-			fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
-			verbose("Found matching %s key: %s",
-			    key_type(found), fp);
-			xfree(fp);
-			break;
-		}
-	}
-	restore_uid();
-	fclose(f);
-	key_free(found);
-	if (!found_key)
-		debug2("key not found");
-	return found_key;
-}
-
-/* check whether given key is in .ssh/authorized_keys* */
-int
-user_key_allowed(struct passwd *pw, Key *key)
-{
-	int success;
-	char *file;
-
-	file = authorized_keys_file(pw);
-	success = user_key_allowed2(pw, key, file);
-	xfree(file);
-	if (success)
-		return success;
-
-	/* try suffix "2" for backward compat, too */
-	file = authorized_keys_file2(pw);
-	success = user_key_allowed2(pw, key, file);
-	xfree(file);
-	return success;
-}
-
-Authmethod method_pubkey = {
-	"publickey",
-	userauth_pubkey,
-	&options.pubkey_authentication
-};
diff --git a/crypto/openssh/auth2-skey.c b/crypto/openssh/auth2-skey.c
deleted file mode 100644
index 9de08fc..0000000
--- a/crypto/openssh/auth2-skey.c
+++ /dev/null
@@ -1,104 +0,0 @@
-#include "includes.h"
-RCSID("$OpenBSD: auth2-skey.c,v 1.1 2000/10/11 20:14:38 markus Exp $");
-
-#include "ssh.h"
-#include "ssh2.h"
-#include "auth.h"
-#include "packet.h"
-#include "xmalloc.h"
-#include "dispatch.h"
-
-void	send_userauth_into_request(Authctxt *authctxt, int echo);
-void	input_userauth_info_response(int type, int plen, void *ctxt);
-
-/*
- * try skey authentication, always return -1 (= postponed) since we have to
- * wait for the s/key response.
- */
-int
-auth2_skey(Authctxt *authctxt)
-{
-	send_userauth_into_request(authctxt, 0);
-	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, &input_userauth_info_response);
-	return -1;
-}
-
-void
-send_userauth_into_request(Authctxt *authctxt, int echo)
-{
-	int retval = -1;
-	struct skey skey;
-	char challenge[SKEY_MAX_CHALLENGE];
-	char *fake;
-
-	if (authctxt->user == NULL)
-		fatal("send_userauth_into_request: internal error: no user");
-
-	/* get skey challenge */
-	if (authctxt->valid)
-		retval = skeychallenge(&skey, authctxt->user, challenge);
-
-	if (retval == -1) {
-		fake = skey_fake_keyinfo(authctxt->user);
-		strlcpy(challenge, fake, sizeof challenge);
-	}
-	/* send our info request */
-	packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST);
-	packet_put_cstring("S/Key Authentication");	/* Name */
-	packet_put_cstring(challenge);			/* Instruction */
-	packet_put_cstring("");				/* Language */
-	packet_put_int(1);			 	/* Number of prompts */
-	packet_put_cstring(echo ?
-		 "Response [Echo]: ": "Response: ");	/* Prompt */
-	packet_put_char(echo);				/* Echo */
-	packet_send();
-	packet_write_wait();
-	memset(challenge, 'c', sizeof challenge);
-}
-
-void
-input_userauth_info_response(int type, int plen, void *ctxt)
-{
-	Authctxt *authctxt = ctxt;
-	int authenticated = 0;
-	unsigned int nresp, rlen;
-	char *resp, *method;
-
-	if (authctxt == NULL)
-		fatal("input_userauth_info_response: no authentication context");
-
-	if (authctxt->attempt++ >= AUTH_FAIL_MAX)
-		packet_disconnect("too many failed userauth_requests");
-
-	nresp = packet_get_int();
-	if (nresp == 1) {
-		/* we only support s/key and assume s/key for nresp == 1 */
-		method = "s/key";
-		resp = packet_get_string(&rlen);
-		packet_done();
-		if (strlen(resp) == 0) {
-			/*
-			 * if we received a null response, resend prompt with
-			 * echo enabled
-			 */
-			authenticated = -1;
-			userauth_log(authctxt, authenticated, method);
-			send_userauth_into_request(authctxt, 1);
-		} else {
-			/* verify skey response */
-			if (authctxt->valid &&
-			    skey_haskey(authctxt->pw->pw_name) == 0 &&
-			    skey_passcheck(authctxt->pw->pw_name, resp) != -1) {
-				authenticated = 1;
-			} else {
-				authenticated = 0;
-			}
-			memset(resp, 'r', rlen);
-			/* unregister callback */
-			dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
-			userauth_log(authctxt, authenticated, method);
-			userauth_reply(authctxt, authenticated);
-		}
-		xfree(resp);
-	}
-}
diff --git a/crypto/openssh/auth2.c b/crypto/openssh/auth2.c
deleted file mode 100644
index 2d880b5..0000000
--- a/crypto/openssh/auth2.c
+++ /dev/null
@@ -1,329 +0,0 @@
-/* $OpenBSD: auth2.c,v 1.113 2006/08/03 03:34:41 deraadt Exp $ */
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <pwd.h>
-#include <stdarg.h>
-#include <string.h>
-
-#include "xmalloc.h"
-#include "ssh2.h"
-#include "packet.h"
-#include "log.h"
-#include "buffer.h"
-#include "servconf.h"
-#include "compat.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "dispatch.h"
-#include "pathnames.h"
-#include "buffer.h"
-
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-#include "monitor_wrap.h"
-
-/* import */
-extern ServerOptions options;
-extern u_char *session_id2;
-extern u_int session_id2_len;
-extern Buffer loginmsg;
-
-/* methods */
-
-extern Authmethod method_none;
-extern Authmethod method_pubkey;
-extern Authmethod method_passwd;
-extern Authmethod method_kbdint;
-extern Authmethod method_hostbased;
-#ifdef GSSAPI
-extern Authmethod method_gssapi;
-#endif
-
-Authmethod *authmethods[] = {
-	&method_none,
-	&method_pubkey,
-#ifdef GSSAPI
-	&method_gssapi,
-#endif
-	&method_passwd,
-	&method_kbdint,
-	&method_hostbased,
-	NULL
-};
-
-/* protocol */
-
-static void input_service_request(int, u_int32_t, void *);
-static void input_userauth_request(int, u_int32_t, void *);
-
-/* helper */
-static Authmethod *authmethod_lookup(const char *);
-static char *authmethods_get(void);
-int user_key_allowed(struct passwd *, Key *);
-
-/*
- * loop until authctxt->success == TRUE
- */
-
-void
-do_authentication2(Authctxt *authctxt)
-{
-	/* challenge-response is implemented via keyboard interactive */
-	if (options.challenge_response_authentication)
-		options.kbd_interactive_authentication = 1;
-
-	dispatch_init(&dispatch_protocol_error);
-	dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
-	dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);
-}
-
-/*ARGSUSED*/
-static void
-input_service_request(int type, u_int32_t seq, void *ctxt)
-{
-	Authctxt *authctxt = ctxt;
-	u_int len;
-	int acceptit = 0;
-	char *service = packet_get_string(&len);
-	packet_check_eom();
-
-	if (authctxt == NULL)
-		fatal("input_service_request: no authctxt");
-
-	if (strcmp(service, "ssh-userauth") == 0) {
-		if (!authctxt->success) {
-			acceptit = 1;
-			/* now we can handle user-auth requests */
-			dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request);
-		}
-	}
-	/* XXX all other service requests are denied */
-
-	if (acceptit) {
-		packet_start(SSH2_MSG_SERVICE_ACCEPT);
-		packet_put_cstring(service);
-		packet_send();
-		packet_write_wait();
-	} else {
-		debug("bad service request %s", service);
-		packet_disconnect("bad service request %s", service);
-	}
-	xfree(service);
-}
-
-/*ARGSUSED*/
-static void
-input_userauth_request(int type, u_int32_t seq, void *ctxt)
-{
-	Authctxt *authctxt = ctxt;
-	Authmethod *m = NULL;
-	char *user, *service, *method, *style = NULL;
-	int authenticated = 0;
-
-	if (authctxt == NULL)
-		fatal("input_userauth_request: no authctxt");
-
-	user = packet_get_string(NULL);
-	service = packet_get_string(NULL);
-	method = packet_get_string(NULL);
-	debug("userauth-request for user %s service %s method %s", user, service, method);
-	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
-
-	if ((style = strchr(user, ':')) != NULL)
-		*style++ = 0;
-
-	if (authctxt->attempt++ == 0) {
-		/* setup auth context */
-		authctxt->pw = PRIVSEP(getpwnamallow(user));
-		authctxt->user = xstrdup(user);
-		if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
-			authctxt->valid = 1;
-			debug2("input_userauth_request: setting up authctxt for %s", user);
-		} else {
-			logit("input_userauth_request: invalid user %s", user);
-			authctxt->pw = fakepw();
-#ifdef SSH_AUDIT_EVENTS
-			PRIVSEP(audit_event(SSH_INVALID_USER));
-#endif
-		}
-#ifdef USE_PAM
-		if (options.use_pam)
-			PRIVSEP(start_pam(authctxt));
-#endif
-		setproctitle("%s%s", authctxt->valid ? user : "unknown",
-		    use_privsep ? " [net]" : "");
-		authctxt->service = xstrdup(service);
-		authctxt->style = style ? xstrdup(style) : NULL;
-		if (use_privsep)
-			mm_inform_authserv(service, style);
-	} else if (strcmp(user, authctxt->user) != 0 ||
-	    strcmp(service, authctxt->service) != 0) {
-		packet_disconnect("Change of username or service not allowed: "
-		    "(%s,%s) -> (%s,%s)",
-		    authctxt->user, authctxt->service, user, service);
-	}
-	/* reset state */
-	auth2_challenge_stop(authctxt);
-
-#ifdef GSSAPI
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
-#endif
-
-	authctxt->postponed = 0;
-
-	/* try to authenticate user */
-	m = authmethod_lookup(method);
-	if (m != NULL) {
-		debug2("input_userauth_request: try method %s", method);
-		authenticated =	m->userauth(authctxt);
-	}
-	userauth_finish(authctxt, authenticated, method);
-
-	xfree(service);
-	xfree(user);
-	xfree(method);
-}
-
-void
-userauth_finish(Authctxt *authctxt, int authenticated, char *method)
-{
-	char *methods;
-
-	if (!authctxt->valid && authenticated)
-		fatal("INTERNAL ERROR: authenticated invalid user %s",
-		    authctxt->user);
-
-	/* Special handling for root */
-	if (authenticated && authctxt->pw->pw_uid == 0 &&
-	    !auth_root_allowed(method)) {
-		authenticated = 0;
-#ifdef SSH_AUDIT_EVENTS
-		PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED));
-#endif
-	}
-
-#ifdef USE_PAM
-	if (options.use_pam && authenticated) {
-		if (!PRIVSEP(do_pam_account())) {
-			/* if PAM returned a message, send it to the user */
-			if (buffer_len(&loginmsg) > 0) {
-				buffer_append(&loginmsg, "\0", 1);
-				userauth_send_banner(buffer_ptr(&loginmsg));
-				packet_write_wait();
-			}
-			fatal("Access denied for user %s by PAM account "
-			    "configuration", authctxt->user);
-		}
-	}
-#endif
-
-#ifdef _UNICOS
-	if (authenticated && cray_access_denied(authctxt->user)) {
-		authenticated = 0;
-		fatal("Access denied for user %s.",authctxt->user);
-	}
-#endif /* _UNICOS */
-
-	/* Log before sending the reply */
-	auth_log(authctxt, authenticated, method, " ssh2");
-
-	if (authctxt->postponed)
-		return;
-
-	/* XXX todo: check if multiple auth methods are needed */
-	if (authenticated == 1) {
-		/* turn off userauth */
-		dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
-		packet_start(SSH2_MSG_USERAUTH_SUCCESS);
-		packet_send();
-		packet_write_wait();
-		/* now we can break out */
-		authctxt->success = 1;
-	} else {
-		if (authctxt->failures++ > options.max_authtries) {
-#ifdef SSH_AUDIT_EVENTS
-			PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
-#endif
-			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
-		}
-		methods = authmethods_get();
-		packet_start(SSH2_MSG_USERAUTH_FAILURE);
-		packet_put_cstring(methods);
-		packet_put_char(0);	/* XXX partial success, unused */
-		packet_send();
-		packet_write_wait();
-		xfree(methods);
-	}
-}
-
-#define	DELIM	","
-
-static char *
-authmethods_get(void)
-{
-	Buffer b;
-	char *list;
-	int i;
-
-	buffer_init(&b);
-	for (i = 0; authmethods[i] != NULL; i++) {
-		if (strcmp(authmethods[i]->name, "none") == 0)
-			continue;
-		if (authmethods[i]->enabled != NULL &&
-		    *(authmethods[i]->enabled) != 0) {
-			if (buffer_len(&b) > 0)
-				buffer_append(&b, ",", 1);
-			buffer_append(&b, authmethods[i]->name,
-			    strlen(authmethods[i]->name));
-		}
-	}
-	buffer_append(&b, "\0", 1);
-	list = xstrdup(buffer_ptr(&b));
-	buffer_free(&b);
-	return list;
-}
-
-static Authmethod *
-authmethod_lookup(const char *name)
-{
-	int i;
-
-	if (name != NULL)
-		for (i = 0; authmethods[i] != NULL; i++)
-			if (authmethods[i]->enabled != NULL &&
-			    *(authmethods[i]->enabled) != 0 &&
-			    strcmp(name, authmethods[i]->name) == 0)
-				return authmethods[i];
-	debug2("Unrecognized authentication method name: %s",
-	    name ? name : "NULL");
-	return NULL;
-}
diff --git a/crypto/openssh/authfd.c b/crypto/openssh/authfd.c
deleted file mode 100644
index 61faad1..0000000
--- a/crypto/openssh/authfd.c
+++ /dev/null
@@ -1,671 +0,0 @@
-/* $OpenBSD: authfd.c,v 1.80 2006/08/03 03:34:41 deraadt Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Functions for connecting the local authentication agent.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- * SSH2 implementation,
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/un.h>
-#include <sys/socket.h>
-
-#include <openssl/evp.h>
-
-#include <openssl/crypto.h>
-#include <fcntl.h>
-#include <stdlib.h>
-#include <signal.h>
-#include <stdarg.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "xmalloc.h"
-#include "ssh.h"
-#include "rsa.h"
-#include "buffer.h"
-#include "key.h"
-#include "authfd.h"
-#include "cipher.h"
-#include "kex.h"
-#include "compat.h"
-#include "log.h"
-#include "atomicio.h"
-#include "misc.h"
-
-static int agent_present = 0;
-
-/* helper */
-int	decode_reply(int type);
-
-/* macro to check for "agent failure" message */
-#define agent_failed(x) \
-    ((x == SSH_AGENT_FAILURE) || (x == SSH_COM_AGENT2_FAILURE) || \
-    (x == SSH2_AGENT_FAILURE))
-
-int
-ssh_agent_present(void)
-{
-	int authfd;
-
-	if (agent_present)
-		return 1;
-	if ((authfd = ssh_get_authentication_socket()) == -1)
-		return 0;
-	else {
-		ssh_close_authentication_socket(authfd);
-		return 1;
-	}
-}
-
-/* Returns the number of the authentication fd, or -1 if there is none. */
-
-int
-ssh_get_authentication_socket(void)
-{
-	const char *authsocket;
-	int sock;
-	struct sockaddr_un sunaddr;
-
-	authsocket = getenv(SSH_AUTHSOCKET_ENV_NAME);
-	if (!authsocket)
-		return -1;
-
-	sunaddr.sun_family = AF_UNIX;
-	strlcpy(sunaddr.sun_path, authsocket, sizeof(sunaddr.sun_path));
-
-	sock = socket(AF_UNIX, SOCK_STREAM, 0);
-	if (sock < 0)
-		return -1;
-
-	/* close on exec */
-	if (fcntl(sock, F_SETFD, 1) == -1) {
-		close(sock);
-		return -1;
-	}
-	if (connect(sock, (struct sockaddr *)&sunaddr, sizeof sunaddr) < 0) {
-		close(sock);
-		return -1;
-	}
-	agent_present = 1;
-	return sock;
-}
-
-static int
-ssh_request_reply(AuthenticationConnection *auth, Buffer *request, Buffer *reply)
-{
-	u_int l, len;
-	char buf[1024];
-
-	/* Get the length of the message, and format it in the buffer. */
-	len = buffer_len(request);
-	put_u32(buf, len);
-
-	/* Send the length and then the packet to the agent. */
-	if (atomicio(vwrite, auth->fd, buf, 4) != 4 ||
-	    atomicio(vwrite, auth->fd, buffer_ptr(request),
-	    buffer_len(request)) != buffer_len(request)) {
-		error("Error writing to authentication socket.");
-		return 0;
-	}
-	/*
-	 * Wait for response from the agent.  First read the length of the
-	 * response packet.
-	 */
-	if (atomicio(read, auth->fd, buf, 4) != 4) {
-	    error("Error reading response length from authentication socket.");
-	    return 0;
-	}
-
-	/* Extract the length, and check it for sanity. */
-	len = get_u32(buf);
-	if (len > 256 * 1024)
-		fatal("Authentication response too long: %u", len);
-
-	/* Read the rest of the response in to the buffer. */
-	buffer_clear(reply);
-	while (len > 0) {
-		l = len;
-		if (l > sizeof(buf))
-			l = sizeof(buf);
-		if (atomicio(read, auth->fd, buf, l) != l) {
-			error("Error reading response from authentication socket.");
-			return 0;
-		}
-		buffer_append(reply, buf, l);
-		len -= l;
-	}
-	return 1;
-}
-
-/*
- * Closes the agent socket if it should be closed (depends on how it was
- * obtained).  The argument must have been returned by
- * ssh_get_authentication_socket().
- */
-
-void
-ssh_close_authentication_socket(int sock)
-{
-	if (getenv(SSH_AUTHSOCKET_ENV_NAME))
-		close(sock);
-}
-
-/*
- * Opens and connects a private socket for communication with the
- * authentication agent.  Returns the file descriptor (which must be
- * shut down and closed by the caller when no longer needed).
- * Returns NULL if an error occurred and the connection could not be
- * opened.
- */
-
-AuthenticationConnection *
-ssh_get_authentication_connection(void)
-{
-	AuthenticationConnection *auth;
-	int sock;
-
-	sock = ssh_get_authentication_socket();
-
-	/*
-	 * Fail if we couldn't obtain a connection.  This happens if we
-	 * exited due to a timeout.
-	 */
-	if (sock < 0)
-		return NULL;
-
-	auth = xmalloc(sizeof(*auth));
-	auth->fd = sock;
-	buffer_init(&auth->identities);
-	auth->howmany = 0;
-
-	return auth;
-}
-
-/*
- * Closes the connection to the authentication agent and frees any associated
- * memory.
- */
-
-void
-ssh_close_authentication_connection(AuthenticationConnection *auth)
-{
-	buffer_free(&auth->identities);
-	close(auth->fd);
-	xfree(auth);
-}
-
-/* Lock/unlock agent */
-int
-ssh_lock_agent(AuthenticationConnection *auth, int lock, const char *password)
-{
-	int type;
-	Buffer msg;
-
-	buffer_init(&msg);
-	buffer_put_char(&msg, lock ? SSH_AGENTC_LOCK : SSH_AGENTC_UNLOCK);
-	buffer_put_cstring(&msg, password);
-
-	if (ssh_request_reply(auth, &msg, &msg) == 0) {
-		buffer_free(&msg);
-		return 0;
-	}
-	type = buffer_get_char(&msg);
-	buffer_free(&msg);
-	return decode_reply(type);
-}
-
-/*
- * Returns the first authentication identity held by the agent.
- */
-
-int
-ssh_get_num_identities(AuthenticationConnection *auth, int version)
-{
-	int type, code1 = 0, code2 = 0;
-	Buffer request;
-
-	switch (version) {
-	case 1:
-		code1 = SSH_AGENTC_REQUEST_RSA_IDENTITIES;
-		code2 = SSH_AGENT_RSA_IDENTITIES_ANSWER;
-		break;
-	case 2:
-		code1 = SSH2_AGENTC_REQUEST_IDENTITIES;
-		code2 = SSH2_AGENT_IDENTITIES_ANSWER;
-		break;
-	default:
-		return 0;
-	}
-
-	/*
-	 * Send a message to the agent requesting for a list of the
-	 * identities it can represent.
-	 */
-	buffer_init(&request);
-	buffer_put_char(&request, code1);
-
-	buffer_clear(&auth->identities);
-	if (ssh_request_reply(auth, &request, &auth->identities) == 0) {
-		buffer_free(&request);
-		return 0;
-	}
-	buffer_free(&request);
-
-	/* Get message type, and verify that we got a proper answer. */
-	type = buffer_get_char(&auth->identities);
-	if (agent_failed(type)) {
-		return 0;
-	} else if (type != code2) {
-		fatal("Bad authentication reply message type: %d", type);
-	}
-
-	/* Get the number of entries in the response and check it for sanity. */
-	auth->howmany = buffer_get_int(&auth->identities);
-	if ((u_int)auth->howmany > 1024)
-		fatal("Too many identities in authentication reply: %d",
-		    auth->howmany);
-
-	return auth->howmany;
-}
-
-Key *
-ssh_get_first_identity(AuthenticationConnection *auth, char **comment, int version)
-{
-	/* get number of identities and return the first entry (if any). */
-	if (ssh_get_num_identities(auth, version) > 0)
-		return ssh_get_next_identity(auth, comment, version);
-	return NULL;
-}
-
-Key *
-ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int version)
-{
-	int keybits;
-	u_int bits;
-	u_char *blob;
-	u_int blen;
-	Key *key = NULL;
-
-	/* Return failure if no more entries. */
-	if (auth->howmany <= 0)
-		return NULL;
-
-	/*
-	 * Get the next entry from the packet.  These will abort with a fatal
-	 * error if the packet is too short or contains corrupt data.
-	 */
-	switch (version) {
-	case 1:
-		key = key_new(KEY_RSA1);
-		bits = buffer_get_int(&auth->identities);
-		buffer_get_bignum(&auth->identities, key->rsa->e);
-		buffer_get_bignum(&auth->identities, key->rsa->n);
-		*comment = buffer_get_string(&auth->identities, NULL);
-		keybits = BN_num_bits(key->rsa->n);
-		if (keybits < 0 || bits != (u_int)keybits)
-			logit("Warning: identity keysize mismatch: actual %d, announced %u",
-			    BN_num_bits(key->rsa->n), bits);
-		break;
-	case 2:
-		blob = buffer_get_string(&auth->identities, &blen);
-		*comment = buffer_get_string(&auth->identities, NULL);
-		key = key_from_blob(blob, blen);
-		xfree(blob);
-		break;
-	default:
-		return NULL;
-	}
-	/* Decrement the number of remaining entries. */
-	auth->howmany--;
-	return key;
-}
-
-/*
- * Generates a random challenge, sends it to the agent, and waits for
- * response from the agent.  Returns true (non-zero) if the agent gave the
- * correct answer, zero otherwise.  Response type selects the style of
- * response desired, with 0 corresponding to protocol version 1.0 (no longer
- * supported) and 1 corresponding to protocol version 1.1.
- */
-
-int
-ssh_decrypt_challenge(AuthenticationConnection *auth,
-    Key* key, BIGNUM *challenge,
-    u_char session_id[16],
-    u_int response_type,
-    u_char response[16])
-{
-	Buffer buffer;
-	int success = 0;
-	int i;
-	int type;
-
-	if (key->type != KEY_RSA1)
-		return 0;
-	if (response_type == 0) {
-		logit("Compatibility with ssh protocol version 1.0 no longer supported.");
-		return 0;
-	}
-	buffer_init(&buffer);
-	buffer_put_char(&buffer, SSH_AGENTC_RSA_CHALLENGE);
-	buffer_put_int(&buffer, BN_num_bits(key->rsa->n));
-	buffer_put_bignum(&buffer, key->rsa->e);
-	buffer_put_bignum(&buffer, key->rsa->n);
-	buffer_put_bignum(&buffer, challenge);
-	buffer_append(&buffer, session_id, 16);
-	buffer_put_int(&buffer, response_type);
-
-	if (ssh_request_reply(auth, &buffer, &buffer) == 0) {
-		buffer_free(&buffer);
-		return 0;
-	}
-	type = buffer_get_char(&buffer);
-
-	if (agent_failed(type)) {
-		logit("Agent admitted failure to authenticate using the key.");
-	} else if (type != SSH_AGENT_RSA_RESPONSE) {
-		fatal("Bad authentication response: %d", type);
-	} else {
-		success = 1;
-		/*
-		 * Get the response from the packet.  This will abort with a
-		 * fatal error if the packet is corrupt.
-		 */
-		for (i = 0; i < 16; i++)
-			response[i] = (u_char)buffer_get_char(&buffer);
-	}
-	buffer_free(&buffer);
-	return success;
-}
-
-/* ask agent to sign data, returns -1 on error, 0 on success */
-int
-ssh_agent_sign(AuthenticationConnection *auth,
-    Key *key,
-    u_char **sigp, u_int *lenp,
-    u_char *data, u_int datalen)
-{
-	extern int datafellows;
-	Buffer msg;
-	u_char *blob;
-	u_int blen;
-	int type, flags = 0;
-	int ret = -1;
-
-	if (key_to_blob(key, &blob, &blen) == 0)
-		return -1;
-
-	if (datafellows & SSH_BUG_SIGBLOB)
-		flags = SSH_AGENT_OLD_SIGNATURE;
-
-	buffer_init(&msg);
-	buffer_put_char(&msg, SSH2_AGENTC_SIGN_REQUEST);
-	buffer_put_string(&msg, blob, blen);
-	buffer_put_string(&msg, data, datalen);
-	buffer_put_int(&msg, flags);
-	xfree(blob);
-
-	if (ssh_request_reply(auth, &msg, &msg) == 0) {
-		buffer_free(&msg);
-		return -1;
-	}
-	type = buffer_get_char(&msg);
-	if (agent_failed(type)) {
-		logit("Agent admitted failure to sign using the key.");
-	} else if (type != SSH2_AGENT_SIGN_RESPONSE) {
-		fatal("Bad authentication response: %d", type);
-	} else {
-		ret = 0;
-		*sigp = buffer_get_string(&msg, lenp);
-	}
-	buffer_free(&msg);
-	return ret;
-}
-
-/* Encode key for a message to the agent. */
-
-static void
-ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment)
-{
-	buffer_put_int(b, BN_num_bits(key->n));
-	buffer_put_bignum(b, key->n);
-	buffer_put_bignum(b, key->e);
-	buffer_put_bignum(b, key->d);
-	/* To keep within the protocol: p < q for ssh. in SSL p > q */
-	buffer_put_bignum(b, key->iqmp);	/* ssh key->u */
-	buffer_put_bignum(b, key->q);	/* ssh key->p, SSL key->q */
-	buffer_put_bignum(b, key->p);	/* ssh key->q, SSL key->p */
-	buffer_put_cstring(b, comment);
-}
-
-static void
-ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment)
-{
-	buffer_put_cstring(b, key_ssh_name(key));
-	switch (key->type) {
-	case KEY_RSA:
-		buffer_put_bignum2(b, key->rsa->n);
-		buffer_put_bignum2(b, key->rsa->e);
-		buffer_put_bignum2(b, key->rsa->d);
-		buffer_put_bignum2(b, key->rsa->iqmp);
-		buffer_put_bignum2(b, key->rsa->p);
-		buffer_put_bignum2(b, key->rsa->q);
-		break;
-	case KEY_DSA:
-		buffer_put_bignum2(b, key->dsa->p);
-		buffer_put_bignum2(b, key->dsa->q);
-		buffer_put_bignum2(b, key->dsa->g);
-		buffer_put_bignum2(b, key->dsa->pub_key);
-		buffer_put_bignum2(b, key->dsa->priv_key);
-		break;
-	}
-	buffer_put_cstring(b, comment);
-}
-
-/*
- * Adds an identity to the authentication server.  This call is not meant to
- * be used by normal applications.
- */
-
-int
-ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key,
-    const char *comment, u_int life, u_int confirm)
-{
-	Buffer msg;
-	int type, constrained = (life || confirm);
-
-	buffer_init(&msg);
-
-	switch (key->type) {
-	case KEY_RSA1:
-		type = constrained ?
-		    SSH_AGENTC_ADD_RSA_ID_CONSTRAINED :
-		    SSH_AGENTC_ADD_RSA_IDENTITY;
-		buffer_put_char(&msg, type);
-		ssh_encode_identity_rsa1(&msg, key->rsa, comment);
-		break;
-	case KEY_RSA:
-	case KEY_DSA:
-		type = constrained ?
-		    SSH2_AGENTC_ADD_ID_CONSTRAINED :
-		    SSH2_AGENTC_ADD_IDENTITY;
-		buffer_put_char(&msg, type);
-		ssh_encode_identity_ssh2(&msg, key, comment);
-		break;
-	default:
-		buffer_free(&msg);
-		return 0;
-	}
-	if (constrained) {
-		if (life != 0) {
-			buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME);
-			buffer_put_int(&msg, life);
-		}
-		if (confirm != 0)
-			buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_CONFIRM);
-	}
-	if (ssh_request_reply(auth, &msg, &msg) == 0) {
-		buffer_free(&msg);
-		return 0;
-	}
-	type = buffer_get_char(&msg);
-	buffer_free(&msg);
-	return decode_reply(type);
-}
-
-int
-ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment)
-{
-	return ssh_add_identity_constrained(auth, key, comment, 0, 0);
-}
-
-/*
- * Removes an identity from the authentication server.  This call is not
- * meant to be used by normal applications.
- */
-
-int
-ssh_remove_identity(AuthenticationConnection *auth, Key *key)
-{
-	Buffer msg;
-	int type;
-	u_char *blob;
-	u_int blen;
-
-	buffer_init(&msg);
-
-	if (key->type == KEY_RSA1) {
-		buffer_put_char(&msg, SSH_AGENTC_REMOVE_RSA_IDENTITY);
-		buffer_put_int(&msg, BN_num_bits(key->rsa->n));
-		buffer_put_bignum(&msg, key->rsa->e);
-		buffer_put_bignum(&msg, key->rsa->n);
-	} else if (key->type == KEY_DSA || key->type == KEY_RSA) {
-		key_to_blob(key, &blob, &blen);
-		buffer_put_char(&msg, SSH2_AGENTC_REMOVE_IDENTITY);
-		buffer_put_string(&msg, blob, blen);
-		xfree(blob);
-	} else {
-		buffer_free(&msg);
-		return 0;
-	}
-	if (ssh_request_reply(auth, &msg, &msg) == 0) {
-		buffer_free(&msg);
-		return 0;
-	}
-	type = buffer_get_char(&msg);
-	buffer_free(&msg);
-	return decode_reply(type);
-}
-
-int
-ssh_update_card(AuthenticationConnection *auth, int add,
-    const char *reader_id, const char *pin, u_int life, u_int confirm)
-{
-	Buffer msg;
-	int type, constrained = (life || confirm);
-
-	if (add) {
-		type = constrained ?
-		    SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED :
-		    SSH_AGENTC_ADD_SMARTCARD_KEY;
-	} else
-		type = SSH_AGENTC_REMOVE_SMARTCARD_KEY;
-
-	buffer_init(&msg);
-	buffer_put_char(&msg, type);
-	buffer_put_cstring(&msg, reader_id);
-	buffer_put_cstring(&msg, pin);
-
-	if (constrained) {
-		if (life != 0) {
-			buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME);
-			buffer_put_int(&msg, life);
-		}
-		if (confirm != 0)
-			buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_CONFIRM);
-	}
-
-	if (ssh_request_reply(auth, &msg, &msg) == 0) {
-		buffer_free(&msg);
-		return 0;
-	}
-	type = buffer_get_char(&msg);
-	buffer_free(&msg);
-	return decode_reply(type);
-}
-
-/*
- * Removes all identities from the agent.  This call is not meant to be used
- * by normal applications.
- */
-
-int
-ssh_remove_all_identities(AuthenticationConnection *auth, int version)
-{
-	Buffer msg;
-	int type;
-	int code = (version==1) ?
-		SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES :
-		SSH2_AGENTC_REMOVE_ALL_IDENTITIES;
-
-	buffer_init(&msg);
-	buffer_put_char(&msg, code);
-
-	if (ssh_request_reply(auth, &msg, &msg) == 0) {
-		buffer_free(&msg);
-		return 0;
-	}
-	type = buffer_get_char(&msg);
-	buffer_free(&msg);
-	return decode_reply(type);
-}
-
-int
-decode_reply(int type)
-{
-	switch (type) {
-	case SSH_AGENT_FAILURE:
-	case SSH_COM_AGENT2_FAILURE:
-	case SSH2_AGENT_FAILURE:
-		logit("SSH_AGENT_FAILURE");
-		return 0;
-	case SSH_AGENT_SUCCESS:
-		return 1;
-	default:
-		fatal("Bad response from authentication agent: %d", type);
-	}
-	/* NOTREACHED */
-	return 0;
-}
diff --git a/crypto/openssh/authfd.h b/crypto/openssh/authfd.h
deleted file mode 100644
index 3da2561..0000000
--- a/crypto/openssh/authfd.h
+++ /dev/null
@@ -1,95 +0,0 @@
-/* $OpenBSD: authfd.h,v 1.36 2006/08/03 03:34:41 deraadt Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Functions to interface with the SSH_AUTHENTICATION_FD socket.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#ifndef AUTHFD_H
-#define AUTHFD_H
-
-/* Messages for the authentication agent connection. */
-#define SSH_AGENTC_REQUEST_RSA_IDENTITIES	1
-#define SSH_AGENT_RSA_IDENTITIES_ANSWER		2
-#define SSH_AGENTC_RSA_CHALLENGE		3
-#define SSH_AGENT_RSA_RESPONSE			4
-#define SSH_AGENT_FAILURE			5
-#define SSH_AGENT_SUCCESS			6
-#define SSH_AGENTC_ADD_RSA_IDENTITY		7
-#define SSH_AGENTC_REMOVE_RSA_IDENTITY		8
-#define SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES	9
-
-/* private OpenSSH extensions for SSH2 */
-#define SSH2_AGENTC_REQUEST_IDENTITIES		11
-#define SSH2_AGENT_IDENTITIES_ANSWER		12
-#define SSH2_AGENTC_SIGN_REQUEST		13
-#define SSH2_AGENT_SIGN_RESPONSE		14
-#define SSH2_AGENTC_ADD_IDENTITY		17
-#define SSH2_AGENTC_REMOVE_IDENTITY		18
-#define SSH2_AGENTC_REMOVE_ALL_IDENTITIES	19
-
-/* smartcard */
-#define SSH_AGENTC_ADD_SMARTCARD_KEY		20
-#define SSH_AGENTC_REMOVE_SMARTCARD_KEY		21
-
-/* lock/unlock the agent */
-#define SSH_AGENTC_LOCK				22
-#define SSH_AGENTC_UNLOCK			23
-
-/* add key with constraints */
-#define SSH_AGENTC_ADD_RSA_ID_CONSTRAINED	24
-#define SSH2_AGENTC_ADD_ID_CONSTRAINED		25
-#define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
-
-#define	SSH_AGENT_CONSTRAIN_LIFETIME		1
-#define	SSH_AGENT_CONSTRAIN_CONFIRM		2
-
-/* extended failure messages */
-#define SSH2_AGENT_FAILURE			30
-
-/* additional error code for ssh.com's ssh-agent2 */
-#define SSH_COM_AGENT2_FAILURE			102
-
-#define	SSH_AGENT_OLD_SIGNATURE			0x01
-
-typedef struct {
-	int	fd;
-	Buffer	identities;
-	int	howmany;
-}	AuthenticationConnection;
-
-int	ssh_agent_present(void);
-int	ssh_get_authentication_socket(void);
-void	ssh_close_authentication_socket(int);
-
-AuthenticationConnection *ssh_get_authentication_connection(void);
-void	ssh_close_authentication_connection(AuthenticationConnection *);
-int	 ssh_get_num_identities(AuthenticationConnection *, int);
-Key	*ssh_get_first_identity(AuthenticationConnection *, char **, int);
-Key	*ssh_get_next_identity(AuthenticationConnection *, char **, int);
-int	 ssh_add_identity(AuthenticationConnection *, Key *, const char *);
-int	 ssh_add_identity_constrained(AuthenticationConnection *, Key *,
-    const char *, u_int, u_int);
-int	 ssh_remove_identity(AuthenticationConnection *, Key *);
-int	 ssh_remove_all_identities(AuthenticationConnection *, int);
-int	 ssh_lock_agent(AuthenticationConnection *, int, const char *);
-int	 ssh_update_card(AuthenticationConnection *, int, const char *,
-    const char *, u_int, u_int);
-
-int
-ssh_decrypt_challenge(AuthenticationConnection *, Key *, BIGNUM *, u_char[16],
-    u_int, u_char[16]);
-
-int
-ssh_agent_sign(AuthenticationConnection *, Key *, u_char **, u_int *, u_char *,
-    u_int);
-
-#endif				/* AUTHFD_H */
diff --git a/crypto/openssh/authfile.c b/crypto/openssh/authfile.c
deleted file mode 100644
index 735c647..0000000
--- a/crypto/openssh/authfile.c
+++ /dev/null
@@ -1,679 +0,0 @@
-/* $OpenBSD: authfile.c,v 1.76 2006/08/03 03:34:41 deraadt Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * This file contains functions for reading and writing identity files, and
- * for reading the passphrase from the user.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- *
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/param.h>
-#include <sys/uio.h>
-
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/pem.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "xmalloc.h"
-#include "cipher.h"
-#include "buffer.h"
-#include "key.h"
-#include "ssh.h"
-#include "log.h"
-#include "authfile.h"
-#include "rsa.h"
-#include "misc.h"
-#include "atomicio.h"
-
-/* Version identification string for SSH v1 identity files. */
-static const char authfile_id_string[] =
-    "SSH PRIVATE KEY FILE FORMAT 1.1\n";
-
-/*
- * Saves the authentication (private) key in a file, encrypting it with
- * passphrase.  The identification of the file (lowest 64 bits of n) will
- * precede the key to provide identification of the key without needing a
- * passphrase.
- */
-
-static int
-key_save_private_rsa1(Key *key, const char *filename, const char *passphrase,
-    const char *comment)
-{
-	Buffer buffer, encrypted;
-	u_char buf[100], *cp;
-	int fd, i, cipher_num;
-	CipherContext ciphercontext;
-	Cipher *cipher;
-	u_int32_t rnd;
-
-	/*
-	 * If the passphrase is empty, use SSH_CIPHER_NONE to ease converting
-	 * to another cipher; otherwise use SSH_AUTHFILE_CIPHER.
-	 */
-	cipher_num = (strcmp(passphrase, "") == 0) ?
-	    SSH_CIPHER_NONE : SSH_AUTHFILE_CIPHER;
-	if ((cipher = cipher_by_number(cipher_num)) == NULL)
-		fatal("save_private_key_rsa: bad cipher");
-
-	/* This buffer is used to built the secret part of the private key. */
-	buffer_init(&buffer);
-
-	/* Put checkbytes for checking passphrase validity. */
-	rnd = arc4random();
-	buf[0] = rnd & 0xff;
-	buf[1] = (rnd >> 8) & 0xff;
-	buf[2] = buf[0];
-	buf[3] = buf[1];
-	buffer_append(&buffer, buf, 4);
-
-	/*
-	 * Store the private key (n and e will not be stored because they
-	 * will be stored in plain text, and storing them also in encrypted
-	 * format would just give known plaintext).
-	 */
-	buffer_put_bignum(&buffer, key->rsa->d);
-	buffer_put_bignum(&buffer, key->rsa->iqmp);
-	buffer_put_bignum(&buffer, key->rsa->q);	/* reverse from SSL p */
-	buffer_put_bignum(&buffer, key->rsa->p);	/* reverse from SSL q */
-
-	/* Pad the part to be encrypted until its size is a multiple of 8. */
-	while (buffer_len(&buffer) % 8 != 0)
-		buffer_put_char(&buffer, 0);
-
-	/* This buffer will be used to contain the data in the file. */
-	buffer_init(&encrypted);
-
-	/* First store keyfile id string. */
-	for (i = 0; authfile_id_string[i]; i++)
-		buffer_put_char(&encrypted, authfile_id_string[i]);
-	buffer_put_char(&encrypted, 0);
-
-	/* Store cipher type. */
-	buffer_put_char(&encrypted, cipher_num);
-	buffer_put_int(&encrypted, 0);	/* For future extension */
-
-	/* Store public key.  This will be in plain text. */
-	buffer_put_int(&encrypted, BN_num_bits(key->rsa->n));
-	buffer_put_bignum(&encrypted, key->rsa->n);
-	buffer_put_bignum(&encrypted, key->rsa->e);
-	buffer_put_cstring(&encrypted, comment);
-
-	/* Allocate space for the private part of the key in the buffer. */
-	cp = buffer_append_space(&encrypted, buffer_len(&buffer));
-
-	cipher_set_key_string(&ciphercontext, cipher, passphrase,
-	    CIPHER_ENCRYPT);
-	cipher_crypt(&ciphercontext, cp,
-	    buffer_ptr(&buffer), buffer_len(&buffer));
-	cipher_cleanup(&ciphercontext);
-	memset(&ciphercontext, 0, sizeof(ciphercontext));
-
-	/* Destroy temporary data. */
-	memset(buf, 0, sizeof(buf));
-	buffer_free(&buffer);
-
-	fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0600);
-	if (fd < 0) {
-		error("open %s failed: %s.", filename, strerror(errno));
-		buffer_free(&encrypted);
-		return 0;
-	}
-	if (atomicio(vwrite, fd, buffer_ptr(&encrypted),
-	    buffer_len(&encrypted)) != buffer_len(&encrypted)) {
-		error("write to key file %s failed: %s", filename,
-		    strerror(errno));
-		buffer_free(&encrypted);
-		close(fd);
-		unlink(filename);
-		return 0;
-	}
-	close(fd);
-	buffer_free(&encrypted);
-	return 1;
-}
-
-/* save SSH v2 key in OpenSSL PEM format */
-static int
-key_save_private_pem(Key *key, const char *filename, const char *_passphrase,
-    const char *comment)
-{
-	FILE *fp;
-	int fd;
-	int success = 0;
-	int len = strlen(_passphrase);
-	u_char *passphrase = (len > 0) ? (u_char *)_passphrase : NULL;
-	const EVP_CIPHER *cipher = (len > 0) ? EVP_des_ede3_cbc() : NULL;
-
-	if (len > 0 && len <= 4) {
-		error("passphrase too short: have %d bytes, need > 4", len);
-		return 0;
-	}
-	fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0600);
-	if (fd < 0) {
-		error("open %s failed: %s.", filename, strerror(errno));
-		return 0;
-	}
-	fp = fdopen(fd, "w");
-	if (fp == NULL) {
-		error("fdopen %s failed: %s.", filename, strerror(errno));
-		close(fd);
-		return 0;
-	}
-	switch (key->type) {
-	case KEY_DSA:
-		success = PEM_write_DSAPrivateKey(fp, key->dsa,
-		    cipher, passphrase, len, NULL, NULL);
-		break;
-	case KEY_RSA:
-		success = PEM_write_RSAPrivateKey(fp, key->rsa,
-		    cipher, passphrase, len, NULL, NULL);
-		break;
-	}
-	fclose(fp);
-	return success;
-}
-
-int
-key_save_private(Key *key, const char *filename, const char *passphrase,
-    const char *comment)
-{
-	switch (key->type) {
-	case KEY_RSA1:
-		return key_save_private_rsa1(key, filename, passphrase,
-		    comment);
-	case KEY_DSA:
-	case KEY_RSA:
-		return key_save_private_pem(key, filename, passphrase,
-		    comment);
-	default:
-		break;
-	}
-	error("key_save_private: cannot save key type %d", key->type);
-	return 0;
-}
-
-/*
- * Loads the public part of the ssh v1 key file.  Returns NULL if an error was
- * encountered (the file does not exist or is not readable), and the key
- * otherwise.
- */
-
-static Key *
-key_load_public_rsa1(int fd, const char *filename, char **commentp)
-{
-	Buffer buffer;
-	Key *pub;
-	struct stat st;
-	char *cp;
-	u_int i;
-	size_t len;
-
-	if (fstat(fd, &st) < 0) {
-		error("fstat for key file %.200s failed: %.100s",
-		    filename, strerror(errno));
-		return NULL;
-	}
-	if (st.st_size > 1*1024*1024) {
-		error("key file %.200s too large", filename);
-		return NULL;
-	}
-	len = (size_t)st.st_size;		/* truncated */
-
-	buffer_init(&buffer);
-	cp = buffer_append_space(&buffer, len);
-
-	if (atomicio(read, fd, cp, len) != len) {
-		debug("Read from key file %.200s failed: %.100s", filename,
-		    strerror(errno));
-		buffer_free(&buffer);
-		return NULL;
-	}
-
-	/* Check that it is at least big enough to contain the ID string. */
-	if (len < sizeof(authfile_id_string)) {
-		debug3("Not a RSA1 key file %.200s.", filename);
-		buffer_free(&buffer);
-		return NULL;
-	}
-	/*
-	 * Make sure it begins with the id string.  Consume the id string
-	 * from the buffer.
-	 */
-	for (i = 0; i < sizeof(authfile_id_string); i++)
-		if (buffer_get_char(&buffer) != authfile_id_string[i]) {
-			debug3("Not a RSA1 key file %.200s.", filename);
-			buffer_free(&buffer);
-			return NULL;
-		}
-	/* Skip cipher type and reserved data. */
-	(void) buffer_get_char(&buffer);	/* cipher type */
-	(void) buffer_get_int(&buffer);		/* reserved */
-
-	/* Read the public key from the buffer. */
-	(void) buffer_get_int(&buffer);
-	pub = key_new(KEY_RSA1);
-	buffer_get_bignum(&buffer, pub->rsa->n);
-	buffer_get_bignum(&buffer, pub->rsa->e);
-	if (commentp)
-		*commentp = buffer_get_string(&buffer, NULL);
-	/* The encrypted private part is not parsed by this function. */
-
-	buffer_free(&buffer);
-	return pub;
-}
-
-/* load public key from private-key file, works only for SSH v1 */
-Key *
-key_load_public_type(int type, const char *filename, char **commentp)
-{
-	Key *pub;
-	int fd;
-
-	if (type == KEY_RSA1) {
-		fd = open(filename, O_RDONLY);
-		if (fd < 0)
-			return NULL;
-		pub = key_load_public_rsa1(fd, filename, commentp);
-		close(fd);
-		return pub;
-	}
-	return NULL;
-}
-
-/*
- * Loads the private key from the file.  Returns 0 if an error is encountered
- * (file does not exist or is not readable, or passphrase is bad). This
- * initializes the private key.
- * Assumes we are called under uid of the owner of the file.
- */
-
-static Key *
-key_load_private_rsa1(int fd, const char *filename, const char *passphrase,
-    char **commentp)
-{
-	u_int i;
-	int check1, check2, cipher_type;
-	size_t len;
-	Buffer buffer, decrypted;
-	u_char *cp;
-	CipherContext ciphercontext;
-	Cipher *cipher;
-	Key *prv = NULL;
-	struct stat st;
-
-	if (fstat(fd, &st) < 0) {
-		error("fstat for key file %.200s failed: %.100s",
-		    filename, strerror(errno));
-		close(fd);
-		return NULL;
-	}
-	if (st.st_size > 1*1024*1024) {
-		error("key file %.200s too large", filename);
-		close(fd);
-		return (NULL);
-	}
-	len = (size_t)st.st_size;		/* truncated */
-
-	buffer_init(&buffer);
-	cp = buffer_append_space(&buffer, len);
-
-	if (atomicio(read, fd, cp, len) != len) {
-		debug("Read from key file %.200s failed: %.100s", filename,
-		    strerror(errno));
-		buffer_free(&buffer);
-		close(fd);
-		return NULL;
-	}
-
-	/* Check that it is at least big enough to contain the ID string. */
-	if (len < sizeof(authfile_id_string)) {
-		debug3("Not a RSA1 key file %.200s.", filename);
-		buffer_free(&buffer);
-		close(fd);
-		return NULL;
-	}
-	/*
-	 * Make sure it begins with the id string.  Consume the id string
-	 * from the buffer.
-	 */
-	for (i = 0; i < sizeof(authfile_id_string); i++)
-		if (buffer_get_char(&buffer) != authfile_id_string[i]) {
-			debug3("Not a RSA1 key file %.200s.", filename);
-			buffer_free(&buffer);
-			close(fd);
-			return NULL;
-		}
-
-	/* Read cipher type. */
-	cipher_type = buffer_get_char(&buffer);
-	(void) buffer_get_int(&buffer);	/* Reserved data. */
-
-	/* Read the public key from the buffer. */
-	(void) buffer_get_int(&buffer);
-	prv = key_new_private(KEY_RSA1);
-
-	buffer_get_bignum(&buffer, prv->rsa->n);
-	buffer_get_bignum(&buffer, prv->rsa->e);
-	if (commentp)
-		*commentp = buffer_get_string(&buffer, NULL);
-	else
-		xfree(buffer_get_string(&buffer, NULL));
-
-	/* Check that it is a supported cipher. */
-	cipher = cipher_by_number(cipher_type);
-	if (cipher == NULL) {
-		debug("Unsupported cipher %d used in key file %.200s.",
-		    cipher_type, filename);
-		buffer_free(&buffer);
-		goto fail;
-	}
-	/* Initialize space for decrypted data. */
-	buffer_init(&decrypted);
-	cp = buffer_append_space(&decrypted, buffer_len(&buffer));
-
-	/* Rest of the buffer is encrypted.  Decrypt it using the passphrase. */
-	cipher_set_key_string(&ciphercontext, cipher, passphrase,
-	    CIPHER_DECRYPT);
-	cipher_crypt(&ciphercontext, cp,
-	    buffer_ptr(&buffer), buffer_len(&buffer));
-	cipher_cleanup(&ciphercontext);
-	memset(&ciphercontext, 0, sizeof(ciphercontext));
-	buffer_free(&buffer);
-
-	check1 = buffer_get_char(&decrypted);
-	check2 = buffer_get_char(&decrypted);
-	if (check1 != buffer_get_char(&decrypted) ||
-	    check2 != buffer_get_char(&decrypted)) {
-		if (strcmp(passphrase, "") != 0)
-			debug("Bad passphrase supplied for key file %.200s.",
-			    filename);
-		/* Bad passphrase. */
-		buffer_free(&decrypted);
-		goto fail;
-	}
-	/* Read the rest of the private key. */
-	buffer_get_bignum(&decrypted, prv->rsa->d);
-	buffer_get_bignum(&decrypted, prv->rsa->iqmp);		/* u */
-	/* in SSL and SSH v1 p and q are exchanged */
-	buffer_get_bignum(&decrypted, prv->rsa->q);		/* p */
-	buffer_get_bignum(&decrypted, prv->rsa->p);		/* q */
-
-	/* calculate p-1 and q-1 */
-	rsa_generate_additional_parameters(prv->rsa);
-
-	buffer_free(&decrypted);
-
-	/* enable blinding */
-	if (RSA_blinding_on(prv->rsa, NULL) != 1) {
-		error("key_load_private_rsa1: RSA_blinding_on failed");
-		goto fail;
-	}
-	close(fd);
-	return prv;
-
-fail:
-	if (commentp)
-		xfree(*commentp);
-	close(fd);
-	key_free(prv);
-	return NULL;
-}
-
-Key *
-key_load_private_pem(int fd, int type, const char *passphrase,
-    char **commentp)
-{
-	FILE *fp;
-	EVP_PKEY *pk = NULL;
-	Key *prv = NULL;
-	char *name = "<no key>";
-
-	fp = fdopen(fd, "r");
-	if (fp == NULL) {
-		error("fdopen failed: %s", strerror(errno));
-		close(fd);
-		return NULL;
-	}
-	pk = PEM_read_PrivateKey(fp, NULL, NULL, (char *)passphrase);
-	if (pk == NULL) {
-		debug("PEM_read_PrivateKey failed");
-		(void)ERR_get_error();
-	} else if (pk->type == EVP_PKEY_RSA &&
-	    (type == KEY_UNSPEC||type==KEY_RSA)) {
-		prv = key_new(KEY_UNSPEC);
-		prv->rsa = EVP_PKEY_get1_RSA(pk);
-		prv->type = KEY_RSA;
-		name = "rsa w/o comment";
-#ifdef DEBUG_PK
-		RSA_print_fp(stderr, prv->rsa, 8);
-#endif
-		if (RSA_blinding_on(prv->rsa, NULL) != 1) {
-			error("key_load_private_pem: RSA_blinding_on failed");
-			key_free(prv);
-			prv = NULL;
-		}
-	} else if (pk->type == EVP_PKEY_DSA &&
-	    (type == KEY_UNSPEC||type==KEY_DSA)) {
-		prv = key_new(KEY_UNSPEC);
-		prv->dsa = EVP_PKEY_get1_DSA(pk);
-		prv->type = KEY_DSA;
-		name = "dsa w/o comment";
-#ifdef DEBUG_PK
-		DSA_print_fp(stderr, prv->dsa, 8);
-#endif
-	} else {
-		error("PEM_read_PrivateKey: mismatch or "
-		    "unknown EVP_PKEY save_type %d", pk->save_type);
-	}
-	fclose(fp);
-	if (pk != NULL)
-		EVP_PKEY_free(pk);
-	if (prv != NULL && commentp)
-		*commentp = xstrdup(name);
-	debug("read PEM private key done: type %s",
-	    prv ? key_type(prv) : "<unknown>");
-	return prv;
-}
-
-int
-key_perm_ok(int fd, const char *filename)
-{
-	struct stat st;
-
-	if (fstat(fd, &st) < 0)
-		return 0;
-	/*
-	 * if a key owned by the user is accessed, then we check the
-	 * permissions of the file. if the key owned by a different user,
-	 * then we don't care.
-	 */
-#ifdef HAVE_CYGWIN
-	if (check_ntsec(filename))
-#endif
-	if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {
-		error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
-		error("@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @");
-		error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
-		error("Permissions 0%3.3o for '%s' are too open.",
-		    (u_int)st.st_mode & 0777, filename);
-		error("It is recommended that your private key files are NOT accessible by others.");
-		error("This private key will be ignored.");
-		return 0;
-	}
-	return 1;
-}
-
-Key *
-key_load_private_type(int type, const char *filename, const char *passphrase,
-    char **commentp, int *perm_ok)
-{
-	int fd;
-
-	fd = open(filename, O_RDONLY);
-	if (fd < 0)
-		return NULL;
-	if (!key_perm_ok(fd, filename)) {
-		if (perm_ok != NULL)
-			*perm_ok = 0;
-		error("bad permissions: ignore key: %s", filename);
-		close(fd);
-		return NULL;
-	}
-	if (perm_ok != NULL)
-		*perm_ok = 1;
-	switch (type) {
-	case KEY_RSA1:
-		return key_load_private_rsa1(fd, filename, passphrase,
-		    commentp);
-		/* closes fd */
-	case KEY_DSA:
-	case KEY_RSA:
-	case KEY_UNSPEC:
-		return key_load_private_pem(fd, type, passphrase, commentp);
-		/* closes fd */
-	default:
-		close(fd);
-		break;
-	}
-	return NULL;
-}
-
-Key *
-key_load_private(const char *filename, const char *passphrase,
-    char **commentp)
-{
-	Key *pub, *prv;
-	int fd;
-
-	fd = open(filename, O_RDONLY);
-	if (fd < 0)
-		return NULL;
-	if (!key_perm_ok(fd, filename)) {
-		error("bad permissions: ignore key: %s", filename);
-		close(fd);
-		return NULL;
-	}
-	pub = key_load_public_rsa1(fd, filename, commentp);
-	lseek(fd, (off_t) 0, SEEK_SET);		/* rewind */
-	if (pub == NULL) {
-		/* closes fd */
-		prv = key_load_private_pem(fd, KEY_UNSPEC, passphrase, NULL);
-		/* use the filename as a comment for PEM */
-		if (commentp && prv)
-			*commentp = xstrdup(filename);
-	} else {
-		/* it's a SSH v1 key if the public key part is readable */
-		key_free(pub);
-		/* closes fd */
-		prv = key_load_private_rsa1(fd, filename, passphrase, NULL);
-	}
-	return prv;
-}
-
-static int
-key_try_load_public(Key *k, const char *filename, char **commentp)
-{
-	FILE *f;
-	char line[SSH_MAX_PUBKEY_BYTES];
-	char *cp;
-	u_long linenum = 0;
-
-	f = fopen(filename, "r");
-	if (f != NULL) {
-		while (read_keyfile_line(f, filename, line, sizeof(line),
-			    &linenum) != -1) {
-			cp = line;
-			switch (*cp) {
-			case '#':
-			case '\n':
-			case '\0':
-				continue;
-			}
-			/* Skip leading whitespace. */
-			for (; *cp && (*cp == ' ' || *cp == '\t'); cp++)
-				;
-			if (*cp) {
-				if (key_read(k, &cp) == 1) {
-					if (commentp)
-						*commentp=xstrdup(filename);
-					fclose(f);
-					return 1;
-				}
-			}
-		}
-		fclose(f);
-	}
-	return 0;
-}
-
-/* load public key from ssh v1 private or any pubkey file */
-Key *
-key_load_public(const char *filename, char **commentp)
-{
-	Key *pub;
-	char file[MAXPATHLEN];
-
-	/* try rsa1 private key */
-	pub = key_load_public_type(KEY_RSA1, filename, commentp);
-	if (pub != NULL)
-		return pub;
-
-	/* try rsa1 public key */
-	pub = key_new(KEY_RSA1);
-	if (key_try_load_public(pub, filename, commentp) == 1)
-		return pub;
-	key_free(pub);
-
-	/* try ssh2 public key */
-	pub = key_new(KEY_UNSPEC);
-	if (key_try_load_public(pub, filename, commentp) == 1)
-		return pub;
-	if ((strlcpy(file, filename, sizeof file) < sizeof(file)) &&
-	    (strlcat(file, ".pub", sizeof file) < sizeof(file)) &&
-	    (key_try_load_public(pub, file, commentp) == 1))
-		return pub;
-	key_free(pub);
-	return NULL;
-}
diff --git a/crypto/openssh/authfile.h b/crypto/openssh/authfile.h
deleted file mode 100644
index a6c7493..0000000
--- a/crypto/openssh/authfile.h
+++ /dev/null
@@ -1,26 +0,0 @@
-/* $OpenBSD: authfile.h,v 1.13 2006/04/25 08:02:27 dtucker Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#ifndef AUTHFILE_H
-#define AUTHFILE_H
-
-int	 key_save_private(Key *, const char *, const char *, const char *);
-Key	*key_load_public(const char *, char **);
-Key	*key_load_public_type(int, const char *, char **);
-Key	*key_load_private(const char *, const char *, char **);
-Key	*key_load_private_type(int, const char *, const char *, char **, int *);
-Key	*key_load_private_pem(int, int, const char *, char **);
-int	 key_perm_ok(int, const char *);
-
-#endif
diff --git a/crypto/openssh/aux.c b/crypto/openssh/aux.c
deleted file mode 100644
index 899142d..0000000
--- a/crypto/openssh/aux.c
+++ /dev/null
@@ -1,36 +0,0 @@
-#include "includes.h"
-RCSID("$OpenBSD: aux.c,v 1.2 2000/05/17 09:47:59 markus Exp $");
-
-#include "ssh.h"
-
-char *
-chop(char *s)
-{
-	char *t = s;
-	while (*t) {
-		if(*t == '\n' || *t == '\r') {
-			*t = '\0';
-			return s;
-		}
-		t++;
-	}
-	return s;
-
-}
-
-void
-set_nonblock(int fd)
-{
-	int val;
-	val = fcntl(fd, F_GETFL, 0);
-	if (val < 0) {
-		error("fcntl(%d, F_GETFL, 0): %s", fd, strerror(errno));
-		return;
-	}
-	if (val & O_NONBLOCK)
-		return;
-	debug("fd %d setting O_NONBLOCK", fd);
-	val |= O_NONBLOCK;
-	if (fcntl(fd, F_SETFL, val) == -1)
-		error("fcntl(%d, F_SETFL, O_NONBLOCK): %s", fd, strerror(errno));
-}
diff --git a/crypto/openssh/bufaux.c b/crypto/openssh/bufaux.c
deleted file mode 100644
index cbdc22c..0000000
--- a/crypto/openssh/bufaux.c
+++ /dev/null
@@ -1,249 +0,0 @@
-/* $OpenBSD: bufaux.c,v 1.44 2006/08/03 03:34:41 deraadt Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Auxiliary functions for storing and retrieving various data types to/from
- * Buffers.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- *
- * SSH2 packet format added by Markus Friedl
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <openssl/bn.h>
-
-#include <string.h>
-#include <stdarg.h>
-
-#include "xmalloc.h"
-#include "buffer.h"
-#include "log.h"
-#include "misc.h"
-
-/*
- * Returns integers from the buffer (msb first).
- */
-
-int
-buffer_get_short_ret(u_short *ret, Buffer *buffer)
-{
-	u_char buf[2];
-
-	if (buffer_get_ret(buffer, (char *) buf, 2) == -1)
-		return (-1);
-	*ret = get_u16(buf);
-	return (0);
-}
-
-u_short
-buffer_get_short(Buffer *buffer)
-{
-	u_short ret;
-
-	if (buffer_get_short_ret(&ret, buffer) == -1)
-		fatal("buffer_get_short: buffer error");
-
-	return (ret);
-}
-
-int
-buffer_get_int_ret(u_int *ret, Buffer *buffer)
-{
-	u_char buf[4];
-
-	if (buffer_get_ret(buffer, (char *) buf, 4) == -1)
-		return (-1);
-	*ret = get_u32(buf);
-	return (0);
-}
-
-u_int
-buffer_get_int(Buffer *buffer)
-{
-	u_int ret;
-
-	if (buffer_get_int_ret(&ret, buffer) == -1)
-		fatal("buffer_get_int: buffer error");
-
-	return (ret);
-}
-
-int
-buffer_get_int64_ret(u_int64_t *ret, Buffer *buffer)
-{
-	u_char buf[8];
-
-	if (buffer_get_ret(buffer, (char *) buf, 8) == -1)
-		return (-1);
-	*ret = get_u64(buf);
-	return (0);
-}
-
-u_int64_t
-buffer_get_int64(Buffer *buffer)
-{
-	u_int64_t ret;
-
-	if (buffer_get_int64_ret(&ret, buffer) == -1)
-		fatal("buffer_get_int: buffer error");
-
-	return (ret);
-}
-
-/*
- * Stores integers in the buffer, msb first.
- */
-void
-buffer_put_short(Buffer *buffer, u_short value)
-{
-	char buf[2];
-
-	put_u16(buf, value);
-	buffer_append(buffer, buf, 2);
-}
-
-void
-buffer_put_int(Buffer *buffer, u_int value)
-{
-	char buf[4];
-
-	put_u32(buf, value);
-	buffer_append(buffer, buf, 4);
-}
-
-void
-buffer_put_int64(Buffer *buffer, u_int64_t value)
-{
-	char buf[8];
-
-	put_u64(buf, value);
-	buffer_append(buffer, buf, 8);
-}
-
-/*
- * Returns an arbitrary binary string from the buffer.  The string cannot
- * be longer than 256k.  The returned value points to memory allocated
- * with xmalloc; it is the responsibility of the calling function to free
- * the data.  If length_ptr is non-NULL, the length of the returned data
- * will be stored there.  A null character will be automatically appended
- * to the returned string, and is not counted in length.
- */
-void *
-buffer_get_string_ret(Buffer *buffer, u_int *length_ptr)
-{
-	u_char *value;
-	u_int len;
-
-	/* Get the length. */
-	len = buffer_get_int(buffer);
-	if (len > 256 * 1024) {
-		error("buffer_get_string_ret: bad string length %u", len);
-		return (NULL);
-	}
-	/* Allocate space for the string.  Add one byte for a null character. */
-	value = xmalloc(len + 1);
-	/* Get the string. */
-	if (buffer_get_ret(buffer, value, len) == -1) {
-		error("buffer_get_string_ret: buffer_get failed");
-		xfree(value);
-		return (NULL);
-	}
-	/* Append a null character to make processing easier. */
-	value[len] = 0;
-	/* Optionally return the length of the string. */
-	if (length_ptr)
-		*length_ptr = len;
-	return (value);
-}
-
-void *
-buffer_get_string(Buffer *buffer, u_int *length_ptr)
-{
-	void *ret;
-
-	if ((ret = buffer_get_string_ret(buffer, length_ptr)) == NULL)
-		fatal("buffer_get_string: buffer error");
-	return (ret);
-}
-
-/*
- * Stores and arbitrary binary string in the buffer.
- */
-void
-buffer_put_string(Buffer *buffer, const void *buf, u_int len)
-{
-	buffer_put_int(buffer, len);
-	buffer_append(buffer, buf, len);
-}
-void
-buffer_put_cstring(Buffer *buffer, const char *s)
-{
-	if (s == NULL)
-		fatal("buffer_put_cstring: s == NULL");
-	buffer_put_string(buffer, s, strlen(s));
-}
-
-/*
- * Returns a character from the buffer (0 - 255).
- */
-int
-buffer_get_char_ret(char *ret, Buffer *buffer)
-{
-	if (buffer_get_ret(buffer, ret, 1) == -1) {
-		error("buffer_get_char_ret: buffer_get_ret failed");
-		return (-1);
-	}
-	return (0);
-}
-
-int
-buffer_get_char(Buffer *buffer)
-{
-	char ch;
-
-	if (buffer_get_char_ret(&ch, buffer) == -1)
-		fatal("buffer_get_char: buffer error");
-	return (u_char) ch;
-}
-
-/*
- * Stores a character in the buffer.
- */
-void
-buffer_put_char(Buffer *buffer, int value)
-{
-	char ch = value;
-
-	buffer_append(buffer, &ch, 1);
-}
diff --git a/crypto/openssh/bufaux.h b/crypto/openssh/bufaux.h
deleted file mode 100644
index 8a53598..0000000
--- a/crypto/openssh/bufaux.h
+++ /dev/null
@@ -1,55 +0,0 @@
-/* $OpenBSD: bufaux.h,v 1.22 2006/03/25 22:22:42 djm Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#ifndef BUFAUX_H
-#define BUFAUX_H
-
-#include "buffer.h"
-#include <openssl/bn.h>
-
-void    buffer_put_bignum(Buffer *, const BIGNUM *);
-void    buffer_put_bignum2(Buffer *, const BIGNUM *);
-void	buffer_get_bignum(Buffer *, BIGNUM *);
-void	buffer_get_bignum2(Buffer *, BIGNUM *);
-
-u_short	buffer_get_short(Buffer *);
-void	buffer_put_short(Buffer *, u_short);
-
-u_int	buffer_get_int(Buffer *);
-void    buffer_put_int(Buffer *, u_int);
-
-u_int64_t buffer_get_int64(Buffer *);
-void	buffer_put_int64(Buffer *, u_int64_t);
-
-int     buffer_get_char(Buffer *);
-void    buffer_put_char(Buffer *, int);
-
-void   *buffer_get_string(Buffer *, u_int *);
-void    buffer_put_string(Buffer *, const void *, u_int);
-void	buffer_put_cstring(Buffer *, const char *);
-
-#define buffer_skip_string(b) \
-    do { u_int l = buffer_get_int(b); buffer_consume(b, l); } while (0)
-
-int	buffer_put_bignum_ret(Buffer *, const BIGNUM *);
-int	buffer_get_bignum_ret(Buffer *, BIGNUM *);
-int	buffer_put_bignum2_ret(Buffer *, const BIGNUM *);
-int	buffer_get_bignum2_ret(Buffer *, BIGNUM *);
-int	buffer_get_short_ret(u_short *, Buffer *);
-int	buffer_get_int_ret(u_int *, Buffer *);
-int	buffer_get_int64_ret(u_int64_t *, Buffer *);
-void	*buffer_get_string_ret(Buffer *, u_int *);
-int	buffer_get_char_ret(char *, Buffer *);
-
-#endif				/* BUFAUX_H */
diff --git a/crypto/openssh/bufbn.c b/crypto/openssh/bufbn.c
deleted file mode 100644
index 9706ba8..0000000
--- a/crypto/openssh/bufbn.c
+++ /dev/null
@@ -1,221 +0,0 @@
-/* $OpenBSD: bufbn.c,v 1.4 2006/11/06 21:25:28 markus Exp $*/
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Auxiliary functions for storing and retrieving various data types to/from
- * Buffers.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- *
- * SSH2 packet format added by Markus Friedl
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <openssl/bn.h>
-
-#include <string.h>
-#include <stdarg.h>
-
-#include "xmalloc.h"
-#include "buffer.h"
-#include "log.h"
-#include "misc.h"
-
-/*
- * Stores an BIGNUM in the buffer with a 2-byte msb first bit count, followed
- * by (bits+7)/8 bytes of binary data, msb first.
- */
-int
-buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value)
-{
-	int bits = BN_num_bits(value);
-	int bin_size = (bits + 7) / 8;
-	u_char *buf = xmalloc(bin_size);
-	int oi;
-	char msg[2];
-
-	/* Get the value of in binary */
-	oi = BN_bn2bin(value, buf);
-	if (oi != bin_size) {
-		error("buffer_put_bignum_ret: BN_bn2bin() failed: oi %d != bin_size %d",
-		    oi, bin_size);
-		xfree(buf);
-		return (-1);
-	}
-
-	/* Store the number of bits in the buffer in two bytes, msb first. */
-	put_u16(msg, bits);
-	buffer_append(buffer, msg, 2);
-	/* Store the binary data. */
-	buffer_append(buffer, buf, oi);
-
-	memset(buf, 0, bin_size);
-	xfree(buf);
-
-	return (0);
-}
-
-void
-buffer_put_bignum(Buffer *buffer, const BIGNUM *value)
-{
-	if (buffer_put_bignum_ret(buffer, value) == -1)
-		fatal("buffer_put_bignum: buffer error");
-}
-
-/*
- * Retrieves an BIGNUM from the buffer.
- */
-int
-buffer_get_bignum_ret(Buffer *buffer, BIGNUM *value)
-{
-	u_int bits, bytes;
-	u_char buf[2], *bin;
-
-	/* Get the number for bits. */
-	if (buffer_get_ret(buffer, (char *) buf, 2) == -1) {
-		error("buffer_get_bignum_ret: invalid length");
-		return (-1);
-	}
-	bits = get_u16(buf);
-	/* Compute the number of binary bytes that follow. */
-	bytes = (bits + 7) / 8;
-	if (bytes > 8 * 1024) {
-		error("buffer_get_bignum_ret: cannot handle BN of size %d", bytes);
-		return (-1);
-	}
-	if (buffer_len(buffer) < bytes) {
-		error("buffer_get_bignum_ret: input buffer too small");
-		return (-1);
-	}
-	bin = buffer_ptr(buffer);
-	if (BN_bin2bn(bin, bytes, value) == NULL) {
-		error("buffer_get_bignum_ret: BN_bin2bn failed");
-		return (-1);
-	}
-	if (buffer_consume_ret(buffer, bytes) == -1) {
-		error("buffer_get_bignum_ret: buffer_consume failed");
-		return (-1);
-	}
-	return (0);
-}
-
-void
-buffer_get_bignum(Buffer *buffer, BIGNUM *value)
-{
-	if (buffer_get_bignum_ret(buffer, value) == -1)
-		fatal("buffer_get_bignum: buffer error");
-}
-
-/*
- * Stores an BIGNUM in the buffer in SSH2 format.
- */
-int
-buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value)
-{
-	u_int bytes;
-	u_char *buf;
-	int oi;
-	u_int hasnohigh = 0;
-
-	if (BN_is_zero(value)) {
-		buffer_put_int(buffer, 0);
-		return 0;
-	}
-	if (value->neg) {
-		error("buffer_put_bignum2_ret: negative numbers not supported");
-		return (-1);
-	}
-	bytes = BN_num_bytes(value) + 1; /* extra padding byte */
-	if (bytes < 2) {
-		error("buffer_put_bignum2_ret: BN too small");
-		return (-1);
-	}
-	buf = xmalloc(bytes);
-	buf[0] = 0x00;
-	/* Get the value of in binary */
-	oi = BN_bn2bin(value, buf+1);
-	if (oi < 0 || (u_int)oi != bytes - 1) {
-		error("buffer_put_bignum2_ret: BN_bn2bin() failed: "
-		    "oi %d != bin_size %d", oi, bytes);
-		xfree(buf);
-		return (-1);
-	}
-	hasnohigh = (buf[1] & 0x80) ? 0 : 1;
-	buffer_put_string(buffer, buf+hasnohigh, bytes-hasnohigh);
-	memset(buf, 0, bytes);
-	xfree(buf);
-	return (0);
-}
-
-void
-buffer_put_bignum2(Buffer *buffer, const BIGNUM *value)
-{
-	if (buffer_put_bignum2_ret(buffer, value) == -1)
-		fatal("buffer_put_bignum2: buffer error");
-}
-
-int
-buffer_get_bignum2_ret(Buffer *buffer, BIGNUM *value)
-{
-	u_int len;
-	u_char *bin;
-
-	if ((bin = buffer_get_string_ret(buffer, &len)) == NULL) {
-		error("buffer_get_bignum2_ret: invalid bignum");
-		return (-1);
-	}
-
-	if (len > 0 && (bin[0] & 0x80)) {
-		error("buffer_get_bignum2_ret: negative numbers not supported");
-		xfree(bin);
-		return (-1);
-	}
-	if (len > 8 * 1024) {
-		error("buffer_get_bignum2_ret: cannot handle BN of size %d", len);
-		xfree(bin);
-		return (-1);
-	}
-	if (BN_bin2bn(bin, len, value) == NULL) {
-		error("buffer_get_bignum2_ret: BN_bin2bn failed");
-		return (-1);
-	}
-	xfree(bin);
-	return (0);
-}
-
-void
-buffer_get_bignum2(Buffer *buffer, BIGNUM *value)
-{
-	if (buffer_get_bignum2_ret(buffer, value) == -1)
-		fatal("buffer_get_bignum2: buffer error");
-}
diff --git a/crypto/openssh/buffer.c b/crypto/openssh/buffer.c
deleted file mode 100644
index e02e1e3..0000000
--- a/crypto/openssh/buffer.c
+++ /dev/null
@@ -1,252 +0,0 @@
-/* $OpenBSD: buffer.c,v 1.31 2006/08/03 03:34:41 deraadt Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Functions for manipulating fifo buffers (that can grow if needed).
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include "includes.h"
-
-#include <sys/param.h>
-
-#include <stdio.h>
-#include <string.h>
-#include <stdarg.h>
-
-#include "xmalloc.h"
-#include "buffer.h"
-#include "log.h"
-
-#define	BUFFER_MAX_CHUNK	0x100000
-#define	BUFFER_MAX_LEN		0xa00000
-#define	BUFFER_ALLOCSZ		0x008000
-
-/* Initializes the buffer structure. */
-
-void
-buffer_init(Buffer *buffer)
-{
-	const u_int len = 4096;
-
-	buffer->alloc = 0;
-	buffer->buf = xmalloc(len);
-	buffer->alloc = len;
-	buffer->offset = 0;
-	buffer->end = 0;
-}
-
-/* Frees any memory used for the buffer. */
-
-void
-buffer_free(Buffer *buffer)
-{
-	if (buffer->alloc > 0) {
-		memset(buffer->buf, 0, buffer->alloc);
-		buffer->alloc = 0;
-		xfree(buffer->buf);
-	}
-}
-
-/*
- * Clears any data from the buffer, making it empty.  This does not actually
- * zero the memory.
- */
-
-void
-buffer_clear(Buffer *buffer)
-{
-	buffer->offset = 0;
-	buffer->end = 0;
-}
-
-/* Appends data to the buffer, expanding it if necessary. */
-
-void
-buffer_append(Buffer *buffer, const void *data, u_int len)
-{
-	void *p;
-	p = buffer_append_space(buffer, len);
-	memcpy(p, data, len);
-}
-
-static int
-buffer_compact(Buffer *buffer)
-{
-	/*
-	 * If the buffer is quite empty, but all data is at the end, move the
-	 * data to the beginning.
-	 */
-	if (buffer->offset > MIN(buffer->alloc, BUFFER_MAX_CHUNK)) {
-		memmove(buffer->buf, buffer->buf + buffer->offset,
-			buffer->end - buffer->offset);
-		buffer->end -= buffer->offset;
-		buffer->offset = 0;
-		return (1);
-	}
-	return (0);
-}
-
-/*
- * Appends space to the buffer, expanding the buffer if necessary. This does
- * not actually copy the data into the buffer, but instead returns a pointer
- * to the allocated region.
- */
-
-void *
-buffer_append_space(Buffer *buffer, u_int len)
-{
-	u_int newlen;
-	void *p;
-
-	if (len > BUFFER_MAX_CHUNK)
-		fatal("buffer_append_space: len %u not supported", len);
-
-	/* If the buffer is empty, start using it from the beginning. */
-	if (buffer->offset == buffer->end) {
-		buffer->offset = 0;
-		buffer->end = 0;
-	}
-restart:
-	/* If there is enough space to store all data, store it now. */
-	if (buffer->end + len < buffer->alloc) {
-		p = buffer->buf + buffer->end;
-		buffer->end += len;
-		return p;
-	}
-
-	/* Compact data back to the start of the buffer if necessary */
-	if (buffer_compact(buffer))
-		goto restart;
-
-	/* Increase the size of the buffer and retry. */
-	newlen = roundup(buffer->alloc + len, BUFFER_ALLOCSZ);
-	if (newlen > BUFFER_MAX_LEN)
-		fatal("buffer_append_space: alloc %u not supported",
-		    newlen);
-	buffer->buf = xrealloc(buffer->buf, 1, newlen);
-	buffer->alloc = newlen;
-	goto restart;
-	/* NOTREACHED */
-}
-
-/*
- * Check whether an allocation of 'len' will fit in the buffer
- * This must follow the same math as buffer_append_space
- */
-int
-buffer_check_alloc(Buffer *buffer, u_int len)
-{
-	if (buffer->offset == buffer->end) {
-		buffer->offset = 0;
-		buffer->end = 0;
-	}
- restart:
-	if (buffer->end + len < buffer->alloc)
-		return (1);
-	if (buffer_compact(buffer))
-		goto restart;
-	if (roundup(buffer->alloc + len, BUFFER_ALLOCSZ) <= BUFFER_MAX_LEN)
-		return (1);
-	return (0);
-}
-
-/* Returns the number of bytes of data in the buffer. */
-
-u_int
-buffer_len(Buffer *buffer)
-{
-	return buffer->end - buffer->offset;
-}
-
-/* Gets data from the beginning of the buffer. */
-
-int
-buffer_get_ret(Buffer *buffer, void *buf, u_int len)
-{
-	if (len > buffer->end - buffer->offset) {
-		error("buffer_get_ret: trying to get more bytes %d than in buffer %d",
-		    len, buffer->end - buffer->offset);
-		return (-1);
-	}
-	memcpy(buf, buffer->buf + buffer->offset, len);
-	buffer->offset += len;
-	return (0);
-}
-
-void
-buffer_get(Buffer *buffer, void *buf, u_int len)
-{
-	if (buffer_get_ret(buffer, buf, len) == -1)
-		fatal("buffer_get: buffer error");
-}
-
-/* Consumes the given number of bytes from the beginning of the buffer. */
-
-int
-buffer_consume_ret(Buffer *buffer, u_int bytes)
-{
-	if (bytes > buffer->end - buffer->offset) {
-		error("buffer_consume_ret: trying to get more bytes than in buffer");
-		return (-1);
-	}
-	buffer->offset += bytes;
-	return (0);
-}
-
-void
-buffer_consume(Buffer *buffer, u_int bytes)
-{
-	if (buffer_consume_ret(buffer, bytes) == -1)
-		fatal("buffer_consume: buffer error");
-}
-
-/* Consumes the given number of bytes from the end of the buffer. */
-
-int
-buffer_consume_end_ret(Buffer *buffer, u_int bytes)
-{
-	if (bytes > buffer->end - buffer->offset)
-		return (-1);
-	buffer->end -= bytes;
-	return (0);
-}
-
-void
-buffer_consume_end(Buffer *buffer, u_int bytes)
-{
-	if (buffer_consume_end_ret(buffer, bytes) == -1)
-		fatal("buffer_consume_end: trying to get more bytes than in buffer");
-}
-
-/* Returns a pointer to the first used byte in the buffer. */
-
-void *
-buffer_ptr(Buffer *buffer)
-{
-	return buffer->buf + buffer->offset;
-}
-
-/* Dumps the contents of the buffer to stderr. */
-
-void
-buffer_dump(Buffer *buffer)
-{
-	u_int i;
-	u_char *ucp = buffer->buf;
-
-	for (i = buffer->offset; i < buffer->end; i++) {
-		fprintf(stderr, "%02x", ucp[i]);
-		if ((i-buffer->offset)%16==15)
-			fprintf(stderr, "\r\n");
-		else if ((i-buffer->offset)%2==1)
-			fprintf(stderr, " ");
-	}
-	fprintf(stderr, "\r\n");
-}
diff --git a/crypto/openssh/buffer.h b/crypto/openssh/buffer.h
deleted file mode 100644
index ecc4aea..0000000
--- a/crypto/openssh/buffer.h
+++ /dev/null
@@ -1,85 +0,0 @@
-/* $OpenBSD: buffer.h,v 1.16 2006/08/03 03:34:41 deraadt Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Code for manipulating FIFO buffers.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#ifndef BUFFER_H
-#define BUFFER_H
-
-typedef struct {
-	u_char	*buf;		/* Buffer for data. */
-	u_int	 alloc;		/* Number of bytes allocated for data. */
-	u_int	 offset;	/* Offset of first byte containing data. */
-	u_int	 end;		/* Offset of last byte containing data. */
-}       Buffer;
-
-void	 buffer_init(Buffer *);
-void	 buffer_clear(Buffer *);
-void	 buffer_free(Buffer *);
-
-u_int	 buffer_len(Buffer *);
-void	*buffer_ptr(Buffer *);
-
-void	 buffer_append(Buffer *, const void *, u_int);
-void	*buffer_append_space(Buffer *, u_int);
-
-int	 buffer_check_alloc(Buffer *, u_int);
-
-void	 buffer_get(Buffer *, void *, u_int);
-
-void	 buffer_consume(Buffer *, u_int);
-void	 buffer_consume_end(Buffer *, u_int);
-
-void     buffer_dump(Buffer *);
-
-int	 buffer_get_ret(Buffer *, void *, u_int);
-int	 buffer_consume_ret(Buffer *, u_int);
-int	 buffer_consume_end_ret(Buffer *, u_int);
-
-#include <openssl/bn.h>
-
-void    buffer_put_bignum(Buffer *, const BIGNUM *);
-void    buffer_put_bignum2(Buffer *, const BIGNUM *);
-void	buffer_get_bignum(Buffer *, BIGNUM *);
-void	buffer_get_bignum2(Buffer *, BIGNUM *);
-
-u_short	buffer_get_short(Buffer *);
-void	buffer_put_short(Buffer *, u_short);
-
-u_int	buffer_get_int(Buffer *);
-void    buffer_put_int(Buffer *, u_int);
-
-u_int64_t buffer_get_int64(Buffer *);
-void	buffer_put_int64(Buffer *, u_int64_t);
-
-int     buffer_get_char(Buffer *);
-void    buffer_put_char(Buffer *, int);
-
-void   *buffer_get_string(Buffer *, u_int *);
-void    buffer_put_string(Buffer *, const void *, u_int);
-void	buffer_put_cstring(Buffer *, const char *);
-
-#define buffer_skip_string(b) \
-    do { u_int l = buffer_get_int(b); buffer_consume(b, l); } while (0)
-
-int	buffer_put_bignum_ret(Buffer *, const BIGNUM *);
-int	buffer_get_bignum_ret(Buffer *, BIGNUM *);
-int	buffer_put_bignum2_ret(Buffer *, const BIGNUM *);
-int	buffer_get_bignum2_ret(Buffer *, BIGNUM *);
-int	buffer_get_short_ret(u_short *, Buffer *);
-int	buffer_get_int_ret(u_int *, Buffer *);
-int	buffer_get_int64_ret(u_int64_t *, Buffer *);
-void	*buffer_get_string_ret(Buffer *, u_int *);
-int	buffer_get_char_ret(char *, Buffer *);
-
-#endif				/* BUFFER_H */
diff --git a/crypto/openssh/buildpkg.sh.in b/crypto/openssh/buildpkg.sh.in
deleted file mode 100644
index 17349f7..0000000
--- a/crypto/openssh/buildpkg.sh.in
+++ /dev/null
@@ -1,682 +0,0 @@
-#!/bin/sh
-#
-# Fake Root Solaris/SVR4/SVR5 Build System - Prototype
-#
-# The following code has been provide under Public Domain License.  I really
-# don't care what you use it for.  Just as long as you don't complain to me
-# nor my employer if you break it. - Ben Lindstrom (mouring@eviladmin.org)
-#
-umask 022
-#
-# Options for building the package
-# You can create a openssh-config.local with your customized options
-#
-REMOVE_FAKE_ROOT_WHEN_DONE=yes
-#
-# uncommenting TEST_DIR and using
-# configure --prefix=/var/tmp --with-privsep-path=/var/tmp/empty
-# and
-# PKGNAME=tOpenSSH should allow testing a package without interfering
-# with a real OpenSSH package on a system. This is not needed on systems
-# that support the -R option to pkgadd.
-#TEST_DIR=/var/tmp	# leave commented out for production build
-PKGNAME=OpenSSH
-# revisions within the same version (REV=a)
-#REV=
-SYSVINIT_NAME=opensshd
-AWK=${AWK:="nawk"}
-MAKE=${MAKE:="make"}
-SSHDUID=67	# Default privsep uid
-SSHDGID=67	# Default privsep gid
-# uncomment these next three as needed
-#PERMIT_ROOT_LOGIN=no
-#X11_FORWARDING=yes
-#USR_LOCAL_IS_SYMLINK=yes
-# System V init run levels
-SYSVINITSTART=S98
-SYSVINITSTOPT=K30
-# We will source these if they exist
-POST_MAKE_INSTALL_FIXES=./pkg-post-make-install-fixes.sh
-POST_PROTOTYPE_EDITS=./pkg-post-prototype-edit.sh
-# We'll be one level deeper looking for these
-PKG_PREINSTALL_LOCAL=../pkg-preinstall.local
-PKG_POSTINSTALL_LOCAL=../pkg-postinstall.local
-PKG_PREREMOVE_LOCAL=../pkg-preremove.local
-PKG_POSTREMOVE_LOCAL=../pkg-postremove.local
-PKG_REQUEST_LOCAL=../pkg-request.local
-# end of sourced files
-#
-OPENSSHD=opensshd.init
-OPENSSH_MANIFEST=openssh.xml
-OPENSSH_FMRI=svc:/site/openssh:default
-
-PATH_GROUPADD_PROG=@PATH_GROUPADD_PROG@
-PATH_USERADD_PROG=@PATH_USERADD_PROG@
-PATH_PASSWD_PROG=@PATH_PASSWD_PROG@
-#
-# list of system directories we do NOT want to change owner/group/perms
-# when installing our package
-SYSTEM_DIR="/etc	\
-/etc/init.d		\
-/etc/rcS.d		\
-/etc/rc0.d		\
-/etc/rc1.d		\
-/etc/rc2.d		\
-/etc/opt		\
-/lib			\
-/lib/svc		\
-/lib/svc/method		\
-/lib/svc/method/site	\
-/opt			\
-/opt/bin		\
-/usr			\
-/usr/bin		\
-/usr/lib		\
-/usr/sbin		\
-/usr/share		\
-/usr/share/man		\
-/usr/share/man/man1	\
-/usr/share/man/man8	\
-/usr/local		\
-/usr/local/bin		\
-/usr/local/etc		\
-/usr/local/libexec	\
-/usr/local/man		\
-/usr/local/man/man1	\
-/usr/local/man/man8	\
-/usr/local/sbin		\
-/usr/local/share	\
-/var			\
-/var/opt		\
-/var/run		\
-/var/svc		\
-/var/svc/manifest	\
-/var/svc/manifest/site  \
-/var/tmp		\
-/tmp"
-
-# We may need to build as root so we make sure PATH is set up
-# only set the path if it's not set already
-[ -d /opt/bin ]  &&  {
-	echo $PATH | grep ":/opt/bin"  > /dev/null 2>&1
-	[ $? -ne 0 ] && PATH=$PATH:/opt/bin
-}
-[ -d /usr/local/bin ]  &&  {
-	echo $PATH | grep ":/usr/local/bin"  > /dev/null 2>&1
-	[ $? -ne 0 ] && PATH=$PATH:/usr/local/bin
-}
-[ -d /usr/ccs/bin ]  &&  {
-	echo $PATH | grep ":/usr/ccs/bin"  > /dev/null 2>&1
-	[ $? -ne 0 ] && PATH=$PATH:/usr/ccs/bin
-}
-export PATH
-#
-
-[ -f Makefile ]  ||  {
-	echo "Please run this script from your build directory"
-	exit 1
-}
-
-# we will look for openssh-config.local to override the above options
-[ -s ./openssh-config.local ]  &&  . ./openssh-config.local
-
-START=`pwd`
-FAKE_ROOT=$START/pkg
-
-## Fill in some details, like prefix and sysconfdir
-for confvar in prefix exec_prefix bindir sbindir libexecdir datadir mandir sysconfdir piddir srcdir
-do
-	eval $confvar=`grep "^$confvar=" Makefile | cut -d = -f 2`
-done
-
-## Are we using Solaris' SMF?
-DO_SMF=0
-if egrep "^#define USE_SOLARIS_PROCESS_CONTRACTS" config.h > /dev/null 2>&1
-then
-	DO_SMF=1
-fi
-
-## Collect value of privsep user
-for confvar in SSH_PRIVSEP_USER
-do
-	eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' config.h`
-done
-
-## Set privsep defaults if not defined
-if [ -z "$SSH_PRIVSEP_USER" ]
-then
-	SSH_PRIVSEP_USER=sshd
-fi
-
-## Extract common info requires for the 'info' part of the package.
-VERSION=`./ssh -V 2>&1 | sed -e 's/,.*//'`
-
-ARCH=`uname -m`
-DEF_MSG="\n"
-OS_VER=`uname -v`
-SCRIPT_SHELL=/sbin/sh
-UNAME_R=`uname -r`
-UNAME_S=`uname -s`
-case ${UNAME_S} in
-	SunOS)	UNAME_S=Solaris
-		OS_VER=${UNAME_R}
-		ARCH=`uname -p`
-		RCS_D=yes
-		DEF_MSG="(default: n)"
-		;;
-	SCO_SV)	case ${UNAME_R} in
-			3.2)	UNAME_S=OpenServer5
-		OS_VER=`uname -X | grep Release | sed -e 's/^Rel.*3.2v//'`
-				;;
-			5)	UNAME_S=OpenServer6
-				;;
-		esac
-		SCRIPT_SHELL=/bin/sh
-		RC1_D=no
-		DEF_MSG="(default: n)"
-		;;
-esac
-
-case `basename $0` in
-	buildpkg.sh)
-## Start by faking root install
-echo "Faking root install..."
-[ -d $FAKE_ROOT ]  &&  rm -fr $FAKE_ROOT
-mkdir $FAKE_ROOT
-${MAKE} install-nokeys DESTDIR=$FAKE_ROOT
-if [ $? -gt 0 ]
-then
-	echo "Fake root install failed, stopping."
-	exit 1
-fi
-
-## Setup our run level stuff while we are at it.
-if [ $DO_SMF -eq 1 ]
-then
-	# For Solaris' SMF, /lib/svc/method/site is the preferred place
-	# for start/stop scripts that aren't supplied with the OS, and
-	# similarly /var/svc/manifest/site for manifests.
-	mkdir -p $FAKE_ROOT${TEST_DIR}/lib/svc/method/site
-	mkdir -p $FAKE_ROOT${TEST_DIR}/var/svc/manifest/site
-
-	cp ${OPENSSHD} $FAKE_ROOT${TEST_DIR}/lib/svc/method/site/${SYSVINIT_NAME}
-	chmod 744 $FAKE_ROOT${TEST_DIR}/lib/svc/method/site/${SYSVINIT_NAME}
-
-	cp ${OPENSSH_MANIFEST} $FAKE_ROOT${TEST_DIR}/var/svc/manifest/site
-	chmod 644 $FAKE_ROOT${TEST_DIR}/var/svc/manifest/site/${OPENSSH_MANIFEST}
-else
-	mkdir -p $FAKE_ROOT${TEST_DIR}/etc/init.d
-
-	cp ${OPENSSHD} $FAKE_ROOT${TEST_DIR}/etc/init.d/${SYSVINIT_NAME}
-	chmod 744 $FAKE_ROOT${TEST_DIR}/etc/init.d/${SYSVINIT_NAME}
-fi
-
-[ "${PERMIT_ROOT_LOGIN}" = no ]  &&  \
-	perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \
-		$FAKE_ROOT/${sysconfdir}/sshd_config
-[ "${X11_FORWARDING}" = yes ]  &&  \
-	perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \
-		$FAKE_ROOT/${sysconfdir}/sshd_config
-# fix PrintMotd
-perl -p -i -e "s/#PrintMotd yes/PrintMotd no/" \
-	$FAKE_ROOT/${sysconfdir}/sshd_config
-
-# We don't want to overwrite config files on multiple installs
-mv $FAKE_ROOT/${sysconfdir}/ssh_config $FAKE_ROOT/${sysconfdir}/ssh_config.default
-mv $FAKE_ROOT/${sysconfdir}/sshd_config $FAKE_ROOT/${sysconfdir}/sshd_config.default
-[ -f $FAKE_ROOT/${sysconfdir}/ssh_prng_cmds ]  &&  \
-mv $FAKE_ROOT/${sysconfdir}/ssh_prng_cmds $FAKE_ROOT/${sysconfdir}/ssh_prng_cmds.default
-
-# local tweeks here
-[ -s "${POST_MAKE_INSTALL_FIXES}" ]  &&  . ${POST_MAKE_INSTALL_FIXES}
-
-cd $FAKE_ROOT
-
-## Ok, this is outright wrong, but it will work.  I'm tired of pkgmk
-## whining.
-for i in *; do
-  PROTO_ARGS="$PROTO_ARGS $i=/$i";
-done
-
-## Build info file
-echo "Building pkginfo file..."
-cat > pkginfo << _EOF
-PKG=$PKGNAME
-NAME="OpenSSH Portable for ${UNAME_S}"
-DESC="Secure Shell remote access utility; replaces telnet and rlogin/rsh."
-VENDOR="OpenSSH Portable Team - http://www.openssh.com/portable.html"
-ARCH=$ARCH
-VERSION=$VERSION$REV
-CATEGORY="Security,application"
-BASEDIR=/
-CLASSES="none"
-PSTAMP="${UNAME_S} ${OS_VER} ${ARCH} `date '+%d%b%Y %H:%M'`"
-_EOF
-
-## Build empty depend file that may get updated by $POST_PROTOTYPE_EDITS
-echo "Building depend file..."
-touch depend
-
-## Build space file
-echo "Building space file..."
-if [ $DO_SMF -eq 1 ]
-then
-	# XXX Is this necessary?  If not, remove space line from mk-proto.awk.
-	touch space
-else
-	cat > space << _EOF
-# extra space required by start/stop links added by installf 
-# in postinstall
-$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME} 0 1
-$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME} 0 1
-_EOF
-	[ "$RC1_D" = no ]  ||  \
-	echo "$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME} 0 1" >> space
-	[ "$RCS_D" = yes ]  &&  \
-	echo "$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME} 0 1" >> space
-fi
-
-## Build preinstall file
-echo "Building preinstall file..."
-cat > preinstall << _EOF
-#! ${SCRIPT_SHELL}
-#
-_EOF
-
-# local preinstall changes here
-[ -s "${PKG_PREINSTALL_LOCAL}" ]  &&  . ${PKG_PREINSTALL_LOCAL}
-
-cat >> preinstall << _EOF
-#
-if [ "\${PRE_INS_STOP}" = "yes" ]
-then
-	if [ $DO_SMF -eq 1 ] 
-	then
-		svcadm disable $OPENSSH_FMRI
-	else
-		${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} stop
-	fi
-fi
-
-exit 0
-_EOF
-
-## Build postinstall file
-echo "Building postinstall file..."
-cat > postinstall << _EOF
-#! ${SCRIPT_SHELL}
-#
-[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config ]  ||  \\
-	cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config.default \\
-		\${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config
-[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config ]  ||  \\
-	cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config.default \\
-		\${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config
-[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds.default ]  &&  {
-	[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds ]  ||  \\
-	cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds.default \\
-		\${PKG_INSTALL_ROOT}${sysconfdir}/ssh_prng_cmds
-}
-
-# make rc?.d dirs only if we are doing a test install
-[ -n "${TEST_DIR}" ]  &&  [ $DO_SMF -ne 1 ] && {
-	[ "$RCS_D" = yes ]  &&  mkdir -p ${TEST_DIR}/etc/rcS.d
-	mkdir -p ${TEST_DIR}/etc/rc0.d
-	[ "$RC1_D" = no ]  ||  mkdir -p ${TEST_DIR}/etc/rc1.d
-	mkdir -p ${TEST_DIR}/etc/rc2.d
-}
-
-if [ $DO_SMF -eq 1 ]
-then
-	# Delete the existing service, if it exists, then import the 
-	# new one.
-	if svcs $OPENSSH_FMRI > /dev/null 2>&1
-	then
-		svccfg delete -f $OPENSSH_FMRI
-	fi
-	# NOTE, if manifest enables sshd by default, this will actually
-	# start the daemon, which may not be what the user wants.
-	svccfg import ${TEST_DIR}/var/svc/manifest/site/$OPENSSH_MANIFEST
-else
-	if [ "\${USE_SYM_LINKS}" = yes ]
-	then
-		[ "$RCS_D" = yes ]  &&  \
-	installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
-		installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
-		[ "$RC1_D" = no ]  ||  \
-		installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
-		installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
-	else
-		[ "$RCS_D" = yes ]  &&  \
-	installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
-		installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
-		[ "$RC1_D" = no ]  ||  \
-		installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
-		installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
-	fi
-fi
-
-# If piddir doesn't exist we add it. (Ie. --with-pid-dir=/var/opt/ssh)
-[ -d $piddir ]  ||  installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR$piddir d 0755 root sys
-
-_EOF
-
-# local postinstall changes here
-[ -s "${PKG_POSTINSTALL_LOCAL}" ]  &&  . ${PKG_POSTINSTALL_LOCAL}
-
-cat >> postinstall << _EOF
-installf -f ${PKGNAME}
-
-# Use chroot to handle PKG_INSTALL_ROOT
-if [ ! -z "\${PKG_INSTALL_ROOT}" ]
-then
-	chroot="chroot \${PKG_INSTALL_ROOT}"
-fi
-# If this is a test build, we will skip the groupadd/useradd/passwd commands
-if [ ! -z "${TEST_DIR}" ]
-then
-	chroot=echo
-fi
-
-	echo "PrivilegeSeparation user always required."
-	if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
-	then
-		echo "PrivSep user $SSH_PRIVSEP_USER already exists."
-		SSH_PRIVSEP_GROUP=\`grep "^$SSH_PRIVSEP_USER:" \${PKG_INSTALL_ROOT}/etc/passwd | awk -F: '{print \$4}'\`
-		SSH_PRIVSEP_GROUP=\`grep ":\$SSH_PRIVSEP_GROUP:" \${PKG_INSTALL_ROOT}/etc/group | awk -F: '{print \$1}'\`
-	else
-		DO_PASSWD=yes
-	fi
-	[ -z "\$SSH_PRIVSEP_GROUP" ]  &&  SSH_PRIVSEP_GROUP=$SSH_PRIVSEP_USER
-
-	# group required?
-	if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'\$SSH_PRIVSEP_GROUP'\$' >/dev/null
-	then
-		echo "PrivSep group \$SSH_PRIVSEP_GROUP already exists."
-	else
-		DO_GROUP=yes
-	fi
-
-	# create group if required
-	[ "\$DO_GROUP" = yes ]  &&  {
-		# Use gid of 67 if possible
-		if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSHDGID'\$' >/dev/null
-		then
-			:
-		else
-			sshdgid="-g $SSHDGID"
-		fi
-		echo "Creating PrivSep group \$SSH_PRIVSEP_GROUP."
-		\$chroot ${PATH_GROUPADD_PROG} \$sshdgid \$SSH_PRIVSEP_GROUP
-	}
-
-	# Create user if required
-	[ "\$DO_PASSWD" = yes ]  &&  {
-		# Use uid of 67 if possible
-		if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDUID'\$' >/dev/null
-		then
-			:
-		else
-			sshduid="-u $SSHDUID"
-		fi
-		echo "Creating PrivSep user $SSH_PRIVSEP_USER."
-		\$chroot ${PATH_USERADD_PROG} -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER \$sshduid $SSH_PRIVSEP_USER
-		\$chroot ${PATH_PASSWD_PROG} -l $SSH_PRIVSEP_USER
-	}
-
-if [ "\${POST_INS_START}" = "yes" ]
-then
-	if [ $DO_SMF -eq 1 ]
-	then
-		# See svccfg import note above.  The service may already
-		# be started.
-		svcadm enable $OPENSSH_FMRI
-	else
-		${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} start
-	fi
-fi
-exit 0
-_EOF
-
-## Build preremove file
-echo "Building preremove file..."
-cat > preremove << _EOF
-#! ${SCRIPT_SHELL}
-#
-if [ $DO_SMF -eq 1 ] 
-then
-	svcadm disable $OPENSSH_FMRI
-else
-	${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} stop
-fi
-_EOF
-
-# local preremove changes here
-[ -s "${PKG_PREREMOVE_LOCAL}" ]  &&  . ${PKG_PREREMOVE_LOCAL}
-
-cat >> preremove << _EOF
-exit 0
-_EOF
-
-## Build postremove file
-echo "Building postremove file..."
-cat > postremove << _EOF
-#! ${SCRIPT_SHELL}
-#
-if [ $DO_SMF -eq 1 ]
-then
-	if svcs $OPENSSH_FMRI > /dev/null 2>&1
-	then
-		svccfg delete -f $OPENSSH_FMRI
-	fi
-fi
-_EOF
-
-# local postremove changes here
-[ -s "${PKG_POSTREMOVE_LOCAL}" ]  &&  . ${PKG_POSTREMOVE_LOCAL}
-
-cat >> postremove << _EOF
-exit 0
-_EOF
-
-## Build request file
-echo "Building request file..."
-cat > request << _EOF
-trap 'exit 3' 15
-
-_EOF
-
-[ -x /usr/bin/ckyorn ]  ||  cat >> request << _EOF
-
-ckyorn() {
-# for some strange reason OpenServer5 has no ckyorn
-# We build a striped down version here
-
-DEFAULT=n
-PROMPT="Yes or No [yes,no,?,quit]"
-HELP_PROMPT="        Enter y or yes if your answer is yes; n or no if your answer is no."
-USAGE="usage: ckyorn [options]
-where options may include:
-        -d default
-        -h help
-        -p prompt
-"
-
-if [ \$# != 0 ]
-then
-	while getopts d:p:h: c
-	do
-		case \$c in
-			h)	HELP_PROMPT="\$OPTARG" ;;
-			d)	DEFAULT=\$OPTARG ;;
-			p)	PROMPT=\$OPTARG ;;
-			\\?)	echo "\$USAGE" 1>&2
-				exit 1 ;;
-		esac
-	done
-	shift \`expr \$OPTIND - 1\`
-fi
-
-while true
-do
-	echo "\${PROMPT}\\c " 1>&2
-	read key
-	[ -z "\$key" ]  &&  key=\$DEFAULT
-	case \$key in
-		[n,N]|[n,N][o,O]|[y,Y]|[y,Y][e,E][s,S])	echo "\${key}\\c"
-			exit 0 ;;
-		\\?)	echo \$HELP_PROMPT 1>&2 ;;
-		q|quit)	echo "q\\c" 1>&2
-			exit 3 ;;
-	esac
-done
-
-}
-
-_EOF
-
-if [ $DO_SMF -eq 1 ]
-then
-	# This could get hairy, as the running sshd may not be under SMF.
-	# We'll assume an earlier version of OpenSSH started via SMF.
-	cat >> request << _EOF
-PRE_INS_STOP=no
-POST_INS_START=no
-# determine if should restart the daemon
-if [ -s ${piddir}/sshd.pid  ] && \
-    /usr/bin/svcs $OPENSSH_FMRI 2>&1 | egrep "^online" > /dev/null 2>&1
-then
-	ans=\`ckyorn -d n \
--p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$?
-	case \$ans in
-		[y,Y]*)	PRE_INS_STOP=yes
-			POST_INS_START=yes
-			;;
-	esac
-
-else
-
-# determine if we should start sshd
-	ans=\`ckyorn -d n \
--p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$?
-	case \$ans in
-		[y,Y]*)	POST_INS_START=yes ;;
-	esac
-fi
-
-# make parameters available to installation service,
-# and so to any other packaging scripts
-cat >\$1 <<!
-PRE_INS_STOP='\$PRE_INS_STOP'
-POST_INS_START='\$POST_INS_START'
-!
-
-_EOF
-else
-	cat >> request << _EOF
-USE_SYM_LINKS=no
-PRE_INS_STOP=no
-POST_INS_START=no
-# Use symbolic links?
-ans=\`ckyorn -d n \
--p "Do you want symbolic links for the start/stop scripts? ${DEF_MSG}"\` || exit \$?
-case \$ans in
-	[y,Y]*)	USE_SYM_LINKS=yes ;;
-esac
-
-# determine if should restart the daemon
-if [ -s ${piddir}/sshd.pid  -a  -f ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} ]
-then
-	ans=\`ckyorn -d n \
--p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$?
-	case \$ans in
-		[y,Y]*)	PRE_INS_STOP=yes
-			POST_INS_START=yes
-			;;
-	esac
-
-else
-
-# determine if we should start sshd
-	ans=\`ckyorn -d n \
--p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$?
-	case \$ans in
-		[y,Y]*)	POST_INS_START=yes ;;
-	esac
-fi
-
-# make parameters available to installation service,
-# and so to any other packaging scripts
-cat >\$1 <<!
-USE_SYM_LINKS='\$USE_SYM_LINKS'
-PRE_INS_STOP='\$PRE_INS_STOP'
-POST_INS_START='\$POST_INS_START'
-!
-
-_EOF
-fi
-
-# local request changes here
-[ -s "${PKG_REQUEST_LOCAL}" ]  &&  . ${PKG_REQUEST_LOCAL}
-
-cat >> request << _EOF
-exit 0
-
-_EOF
-
-## Next Build our prototype
-echo "Building prototype file..."
-cat >mk-proto.awk << _EOF
-	    BEGIN { print "i pkginfo"; print "i depend"; \\
-		    print "i preinstall"; print "i postinstall"; \\
- 		    print "i preremove"; print "i postremove"; \\
-		    print "i request"; print "i space"; \\
-		    split("$SYSTEM_DIR",sys_files); }
-	    {
-	     for (dir in sys_files) { if ( \$3 != sys_files[dir] )
-		     { if ( \$1 == "s" )
-			{ \$5=""; \$6=""; }
-		     else
-			{ \$5="root"; \$6="sys"; }
-		     }
-		else
-		     { \$4="?"; \$5="?"; \$6="?"; break;}
-	    } }
-	    { print; }
-_EOF
-
-find . | egrep -v "prototype|pkginfo|mk-proto.awk" | sort | \
-	pkgproto $PROTO_ARGS | ${AWK} -f mk-proto.awk > prototype
-
-# /usr/local is a symlink on some systems
-[ "${USR_LOCAL_IS_SYMLINK}" = yes ]  &&  {
-	grep -v "^d none /usr/local ? ? ?$" prototype > prototype.new
-	mv prototype.new prototype
-}
-
-## Step back a directory and now build the package.
-cd ..
-# local prototype tweeks here
-[ -s "${POST_PROTOTYPE_EDITS}" ]  &&  . ${POST_PROTOTYPE_EDITS}
-
-echo "Building package.."
-pkgmk -d ${FAKE_ROOT} -f $FAKE_ROOT/prototype -o
-echo | pkgtrans -os ${FAKE_ROOT} ${START}/$PKGNAME-$VERSION$REV-$UNAME_S-$ARCH.pkg
-	;;
-
-	justpkg.sh)
-rm -fr ${FAKE_ROOT}/${PKGNAME}
-grep -v "^PSTAMP=" $FAKE_ROOT/pkginfo > $$tmp
-mv $$tmp $FAKE_ROOT/pkginfo
-cat >> $FAKE_ROOT/pkginfo << _EOF
-PSTAMP="${UNAME_S} ${OS_VER} ${ARCH} `date '+%d%b%Y %H:%M'`"
-_EOF
-pkgmk -d ${FAKE_ROOT} -f $FAKE_ROOT/prototype -o
-echo | pkgtrans -os ${FAKE_ROOT} ${START}/$PKGNAME-$VERSION$REV-$UNAME_S-$ARCH.pkg
-	;;
-
-esac
-
-[ "${REMOVE_FAKE_ROOT_WHEN_DONE}" = yes ]  &&  rm -rf $FAKE_ROOT
-exit 0
-
diff --git a/crypto/openssh/canohost.c b/crypto/openssh/canohost.c
deleted file mode 100644
index 2345cc3..0000000
--- a/crypto/openssh/canohost.c
+++ /dev/null
@@ -1,417 +0,0 @@
-/* $OpenBSD: canohost.c,v 1.61 2006/08/03 03:34:41 deraadt Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Functions for returning the canonical host name of the remote site.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <netdb.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <stdarg.h>
-
-#include "xmalloc.h"
-#include "packet.h"
-#include "log.h"
-#include "canohost.h"
-
-static void check_ip_options(int, char *);
-
-/*
- * Return the canonical name of the host at the other end of the socket. The
- * caller should free the returned string with xfree.
- */
-
-static char *
-get_remote_hostname(int sock, int use_dns)
-{
-	struct sockaddr_storage from;
-	int i;
-	socklen_t fromlen;
-	struct addrinfo hints, *ai, *aitop;
-	char name[NI_MAXHOST], ntop[NI_MAXHOST], ntop2[NI_MAXHOST];
-
-	/* Get IP address of client. */
-	fromlen = sizeof(from);
-	memset(&from, 0, sizeof(from));
-	if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) {
-		debug("getpeername failed: %.100s", strerror(errno));
-		cleanup_exit(255);
-	}
-
-	if (from.ss_family == AF_INET)
-		check_ip_options(sock, ntop);
-
-	ipv64_normalise_mapped(&from, &fromlen);
-
-	if (from.ss_family == AF_INET6)
-		fromlen = sizeof(struct sockaddr_in6);
-
-	if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop),
-	    NULL, 0, NI_NUMERICHOST) != 0)
-		fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed");
-
-	if (!use_dns)
-		return xstrdup(ntop);
-
-	debug3("Trying to reverse map address %.100s.", ntop);
-	/* Map the IP address to a host name. */
-	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-	    NULL, 0, NI_NAMEREQD) != 0) {
-		/* Host name not found.  Use ip address. */
-		return xstrdup(ntop);
-	}
-
-	/*
-	 * if reverse lookup result looks like a numeric hostname,
-	 * someone is trying to trick us by PTR record like following:
-	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
-	 */
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
-	hints.ai_flags = AI_NUMERICHOST;
-	if (getaddrinfo(name, "0", &hints, &ai) == 0) {
-		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-		    name, ntop);
-		freeaddrinfo(ai);
-		return xstrdup(ntop);
-	}
-
-	/*
-	 * Convert it to all lowercase (which is expected by the rest
-	 * of this software).
-	 */
-	for (i = 0; name[i]; i++)
-		if (isupper(name[i]))
-			name[i] = (char)tolower(name[i]);
-	/*
-	 * Map it back to an IP address and check that the given
-	 * address actually is an address of this host.  This is
-	 * necessary because anyone with access to a name server can
-	 * define arbitrary names for an IP address. Mapping from
-	 * name to IP address can be trusted better (but can still be
-	 * fooled if the intruder has access to the name server of
-	 * the domain).
-	 */
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_family = from.ss_family;
-	hints.ai_socktype = SOCK_STREAM;
-	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-		logit("reverse mapping checking getaddrinfo for %.700s "
-		    "[%s] failed - POSSIBLE BREAK-IN ATTEMPT!", name, ntop);
-		return xstrdup(ntop);
-	}
-	/* Look for the address from the list of addresses. */
-	for (ai = aitop; ai; ai = ai->ai_next) {
-		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-		    (strcmp(ntop, ntop2) == 0))
-				break;
-	}
-	freeaddrinfo(aitop);
-	/* If we reached the end of the list, the address was not there. */
-	if (!ai) {
-		/* Address not found for the host name. */
-		logit("Address %.100s maps to %.600s, but this does not "
-		    "map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
-		    ntop, name);
-		return xstrdup(ntop);
-	}
-	return xstrdup(name);
-}
-
-/*
- * If IP options are supported, make sure there are none (log and
- * disconnect them if any are found).  Basically we are worried about
- * source routing; it can be used to pretend you are somebody
- * (ip-address) you are not. That itself may be "almost acceptable"
- * under certain circumstances, but rhosts autentication is useless
- * if source routing is accepted. Notice also that if we just dropped
- * source routing here, the other side could use IP spoofing to do
- * rest of the interaction and could still bypass security.  So we
- * exit here if we detect any IP options.
- */
-/* IPv4 only */
-static void
-check_ip_options(int sock, char *ipaddr)
-{
-#ifdef IP_OPTIONS
-	u_char options[200];
-	char text[sizeof(options) * 3 + 1];
-	socklen_t option_size;
-	u_int i;
-	int ipproto;
-	struct protoent *ip;
-
-	if ((ip = getprotobyname("ip")) != NULL)
-		ipproto = ip->p_proto;
-	else
-		ipproto = IPPROTO_IP;
-	option_size = sizeof(options);
-	if (getsockopt(sock, ipproto, IP_OPTIONS, options,
-	    &option_size) >= 0 && option_size != 0) {
-		text[0] = '\0';
-		for (i = 0; i < option_size; i++)
-			snprintf(text + i*3, sizeof(text) - i*3,
-			    " %2.2x", options[i]);
-		fatal("Connection from %.100s with IP options:%.800s",
-		    ipaddr, text);
-	}
-#endif /* IP_OPTIONS */
-}
-
-void
-ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len)
-{
-	struct sockaddr_in6 *a6 = (struct sockaddr_in6 *)addr;
-	struct sockaddr_in *a4 = (struct sockaddr_in *)addr;
-	struct in_addr inaddr;
-	u_int16_t port;
-
-	if (addr->ss_family != AF_INET6 ||
-	    !IN6_IS_ADDR_V4MAPPED(&a6->sin6_addr))
-		return;
-
-	debug3("Normalising mapped IPv4 in IPv6 address");
-
-	memcpy(&inaddr, ((char *)&a6->sin6_addr) + 12, sizeof(inaddr));
-	port = a6->sin6_port;
-
-	memset(addr, 0, sizeof(*a4));
-
-	a4->sin_family = AF_INET;
-	*len = sizeof(*a4);
-	memcpy(&a4->sin_addr, &inaddr, sizeof(inaddr));
-	a4->sin_port = port;
-}
-
-/*
- * Return the canonical name of the host in the other side of the current
- * connection.  The host name is cached, so it is efficient to call this
- * several times.
- */
-
-const char *
-get_canonical_hostname(int use_dns)
-{
-	char *host;
-	static char *canonical_host_name = NULL;
-	static char *remote_ip = NULL;
-
-	/* Check if we have previously retrieved name with same option. */
-	if (use_dns && canonical_host_name != NULL)
-		return canonical_host_name;
-	if (!use_dns && remote_ip != NULL)
-		return remote_ip;
-
-	/* Get the real hostname if socket; otherwise return UNKNOWN. */
-	if (packet_connection_is_on_socket())
-		host = get_remote_hostname(packet_get_connection_in(), use_dns);
-	else
-		host = "UNKNOWN";
-
-	if (use_dns)
-		canonical_host_name = host;
-	else
-		remote_ip = host;
-	return host;
-}
-
-/*
- * Returns the local/remote IP-address/hostname of socket as a string.
- * The returned string must be freed.
- */
-static char *
-get_socket_address(int sock, int remote, int flags)
-{
-	struct sockaddr_storage addr;
-	socklen_t addrlen;
-	char ntop[NI_MAXHOST];
-	int r;
-
-	/* Get IP address of client. */
-	addrlen = sizeof(addr);
-	memset(&addr, 0, sizeof(addr));
-
-	if (remote) {
-		if (getpeername(sock, (struct sockaddr *)&addr, &addrlen)
-		    < 0)
-			return NULL;
-	} else {
-		if (getsockname(sock, (struct sockaddr *)&addr, &addrlen)
-		    < 0)
-			return NULL;
-	}
-
-	/* Work around Linux IPv6 weirdness */
-	if (addr.ss_family == AF_INET6)
-		addrlen = sizeof(struct sockaddr_in6);
-
-	ipv64_normalise_mapped(&addr, &addrlen);
-
-	/* Get the address in ascii. */
-	if ((r = getnameinfo((struct sockaddr *)&addr, addrlen, ntop,
-	    sizeof(ntop), NULL, 0, flags)) != 0) {
-		error("get_socket_address: getnameinfo %d failed: %s", flags,
-		    r == EAI_SYSTEM ? strerror(errno) : gai_strerror(r));
-		return NULL;
-	}
-	return xstrdup(ntop);
-}
-
-char *
-get_peer_ipaddr(int sock)
-{
-	char *p;
-
-	if ((p = get_socket_address(sock, 1, NI_NUMERICHOST)) != NULL)
-		return p;
-	return xstrdup("UNKNOWN");
-}
-
-char *
-get_local_ipaddr(int sock)
-{
-	char *p;
-
-	if ((p = get_socket_address(sock, 0, NI_NUMERICHOST)) != NULL)
-		return p;
-	return xstrdup("UNKNOWN");
-}
-
-char *
-get_local_name(int sock)
-{
-	return get_socket_address(sock, 0, NI_NAMEREQD);
-}
-
-/*
- * Returns the IP-address of the remote host as a string.  The returned
- * string must not be freed.
- */
-
-const char *
-get_remote_ipaddr(void)
-{
-	static char *canonical_host_ip = NULL;
-
-	/* Check whether we have cached the ipaddr. */
-	if (canonical_host_ip == NULL) {
-		if (packet_connection_is_on_socket()) {
-			canonical_host_ip =
-			    get_peer_ipaddr(packet_get_connection_in());
-			if (canonical_host_ip == NULL)
-				cleanup_exit(255);
-		} else {
-			/* If not on socket, return UNKNOWN. */
-			canonical_host_ip = xstrdup("UNKNOWN");
-		}
-	}
-	return canonical_host_ip;
-}
-
-const char *
-get_remote_name_or_ip(u_int utmp_len, int use_dns)
-{
-	static const char *remote = "";
-	if (utmp_len > 0)
-		remote = get_canonical_hostname(use_dns);
-	if (utmp_len == 0 || strlen(remote) > utmp_len)
-		remote = get_remote_ipaddr();
-	return remote;
-}
-
-/* Returns the local/remote port for the socket. */
-
-static int
-get_sock_port(int sock, int local)
-{
-	struct sockaddr_storage from;
-	socklen_t fromlen;
-	char strport[NI_MAXSERV];
-	int r;
-
-	/* Get IP address of client. */
-	fromlen = sizeof(from);
-	memset(&from, 0, sizeof(from));
-	if (local) {
-		if (getsockname(sock, (struct sockaddr *)&from, &fromlen) < 0) {
-			error("getsockname failed: %.100s", strerror(errno));
-			return 0;
-		}
-	} else {
-		if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) {
-			debug("getpeername failed: %.100s", strerror(errno));
-			return -1;
-		}
-	}
-
-	/* Work around Linux IPv6 weirdness */
-	if (from.ss_family == AF_INET6)
-		fromlen = sizeof(struct sockaddr_in6);
-
-	/* Return port number. */
-	if ((r = getnameinfo((struct sockaddr *)&from, fromlen, NULL, 0,
-	    strport, sizeof(strport), NI_NUMERICSERV)) != 0)
-		fatal("get_sock_port: getnameinfo NI_NUMERICSERV failed: %s",
-		    r == EAI_SYSTEM ? strerror(errno) : gai_strerror(r));
-	return atoi(strport);
-}
-
-/* Returns remote/local port number for the current connection. */
-
-static int
-get_port(int local)
-{
-	/*
-	 * If the connection is not a socket, return 65535.  This is
-	 * intentionally chosen to be an unprivileged port number.
-	 */
-	if (!packet_connection_is_on_socket())
-		return 65535;
-
-	/* Get socket and return the port number. */
-	return get_sock_port(packet_get_connection_in(), local);
-}
-
-int
-get_peer_port(int sock)
-{
-	return get_sock_port(sock, 0);
-}
-
-int
-get_remote_port(void)
-{
-	static int port = -1;
-
-	/* Cache to avoid getpeername() on a dead connection */
-	if (port == -1)
-		port = get_port(0);
-
-	return port;
-}
-
-int
-get_local_port(void)
-{
-	return get_port(1);
-}
diff --git a/crypto/openssh/canohost.h b/crypto/openssh/canohost.h
deleted file mode 100644
index e33e894..0000000
--- a/crypto/openssh/canohost.h
+++ /dev/null
@@ -1,27 +0,0 @@
-/* $OpenBSD: canohost.h,v 1.9 2006/03/25 22:22:42 djm Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-const char	*get_canonical_hostname(int);
-const char	*get_remote_ipaddr(void);
-const char	*get_remote_name_or_ip(u_int, int);
-
-char		*get_peer_ipaddr(int);
-int		 get_peer_port(int);
-char		*get_local_ipaddr(int);
-char		*get_local_name(int);
-
-int		 get_remote_port(void);
-int		 get_local_port(void);
-
-void		 ipv64_normalise_mapped(struct sockaddr_storage *, socklen_t *);
diff --git a/crypto/openssh/channels.c b/crypto/openssh/channels.c
deleted file mode 100644
index 26b63a1..0000000
--- a/crypto/openssh/channels.c
+++ /dev/null
@@ -1,3227 +0,0 @@
-/* $OpenBSD: channels.c,v 1.266 2006/08/29 10:40:18 djm Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * This file contains functions for generic socket connection forwarding.
- * There is also code for initiating connection forwarding for X11 connections,
- * arbitrary tcp/ip connections, and the authentication agent connection.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- * SSH2 support added by Markus Friedl.
- * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl.  All rights reserved.
- * Copyright (c) 1999 Dug Song.  All rights reserved.
- * Copyright (c) 1999 Theo de Raadt.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/ioctl.h>
-#include <sys/un.h>
-#include <sys/socket.h>
-#ifdef HAVE_SYS_TIME_H
-# include <sys/time.h>
-#endif
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include <errno.h>
-#include <netdb.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <termios.h>
-#include <unistd.h>
-#include <stdarg.h>
-
-#include "xmalloc.h"
-#include "ssh.h"
-#include "ssh1.h"
-#include "ssh2.h"
-#include "packet.h"
-#include "log.h"
-#include "misc.h"
-#include "buffer.h"
-#include "channels.h"
-#include "compat.h"
-#include "canohost.h"
-#include "key.h"
-#include "authfd.h"
-#include "pathnames.h"
-
-/* -- channel core */
-
-/*
- * Pointer to an array containing all allocated channels.  The array is
- * dynamically extended as needed.
- */
-static Channel **channels = NULL;
-
-/*
- * Size of the channel array.  All slots of the array must always be
- * initialized (at least the type field); unused slots set to NULL
- */
-static u_int channels_alloc = 0;
-
-/*
- * Maximum file descriptor value used in any of the channels.  This is
- * updated in channel_new.
- */
-static int channel_max_fd = 0;
-
-
-/* -- tcp forwarding */
-
-/*
- * Data structure for storing which hosts are permitted for forward requests.
- * The local sides of any remote forwards are stored in this array to prevent
- * a corrupt remote server from accessing arbitrary TCP/IP ports on our local
- * network (which might be behind a firewall).
- */
-typedef struct {
-	char *host_to_connect;		/* Connect to 'host'. */
-	u_short port_to_connect;	/* Connect to 'port'. */
-	u_short listen_port;		/* Remote side should listen port number. */
-} ForwardPermission;
-
-/* List of all permitted host/port pairs to connect by the user. */
-static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION];
-
-/* List of all permitted host/port pairs to connect by the admin. */
-static ForwardPermission permitted_adm_opens[SSH_MAX_FORWARDS_PER_DIRECTION];
-
-/* Number of permitted host/port pairs in the array permitted by the user. */
-static int num_permitted_opens = 0;
-
-/* Number of permitted host/port pair in the array permitted by the admin. */
-static int num_adm_permitted_opens = 0;
-
-/*
- * If this is true, all opens are permitted.  This is the case on the server
- * on which we have to trust the client anyway, and the user could do
- * anything after logging in anyway.
- */
-static int all_opens_permitted = 0;
-
-
-/* -- X11 forwarding */
-
-/* Maximum number of fake X11 displays to try. */
-#define MAX_DISPLAYS  1000
-
-/* Saved X11 local (client) display. */
-static char *x11_saved_display = NULL;
-
-/* Saved X11 authentication protocol name. */
-static char *x11_saved_proto = NULL;
-
-/* Saved X11 authentication data.  This is the real data. */
-static char *x11_saved_data = NULL;
-static u_int x11_saved_data_len = 0;
-
-/*
- * Fake X11 authentication data.  This is what the server will be sending us;
- * we should replace any occurrences of this by the real data.
- */
-static u_char *x11_fake_data = NULL;
-static u_int x11_fake_data_len;
-
-
-/* -- agent forwarding */
-
-#define	NUM_SOCKS	10
-
-/* AF_UNSPEC or AF_INET or AF_INET6 */
-static int IPv4or6 = AF_UNSPEC;
-
-/* helper */
-static void port_open_helper(Channel *c, char *rtype);
-
-/* -- channel core */
-
-Channel *
-channel_by_id(int id)
-{
-	Channel *c;
-
-	if (id < 0 || (u_int)id >= channels_alloc) {
-		logit("channel_by_id: %d: bad id", id);
-		return NULL;
-	}
-	c = channels[id];
-	if (c == NULL) {
-		logit("channel_by_id: %d: bad id: channel free", id);
-		return NULL;
-	}
-	return c;
-}
-
-/*
- * Returns the channel if it is allowed to receive protocol messages.
- * Private channels, like listening sockets, may not receive messages.
- */
-Channel *
-channel_lookup(int id)
-{
-	Channel *c;
-
-	if ((c = channel_by_id(id)) == NULL)
-		return (NULL);
-
-	switch (c->type) {
-	case SSH_CHANNEL_X11_OPEN:
-	case SSH_CHANNEL_LARVAL:
-	case SSH_CHANNEL_CONNECTING:
-	case SSH_CHANNEL_DYNAMIC:
-	case SSH_CHANNEL_OPENING:
-	case SSH_CHANNEL_OPEN:
-	case SSH_CHANNEL_INPUT_DRAINING:
-	case SSH_CHANNEL_OUTPUT_DRAINING:
-		return (c);
-	}
-	logit("Non-public channel %d, type %d.", id, c->type);
-	return (NULL);
-}
-
-/*
- * Register filedescriptors for a channel, used when allocating a channel or
- * when the channel consumer/producer is ready, e.g. shell exec'd
- */
-static void
-channel_register_fds(Channel *c, int rfd, int wfd, int efd,
-    int extusage, int nonblock)
-{
-	/* Update the maximum file descriptor value. */
-	channel_max_fd = MAX(channel_max_fd, rfd);
-	channel_max_fd = MAX(channel_max_fd, wfd);
-	channel_max_fd = MAX(channel_max_fd, efd);
-
-	/* XXX set close-on-exec -markus */
-
-	c->rfd = rfd;
-	c->wfd = wfd;
-	c->sock = (rfd == wfd) ? rfd : -1;
-	c->ctl_fd = -1; /* XXX: set elsewhere */
-	c->efd = efd;
-	c->extended_usage = extusage;
-
-	/* XXX ugly hack: nonblock is only set by the server */
-	if (nonblock && isatty(c->rfd)) {
-		debug2("channel %d: rfd %d isatty", c->self, c->rfd);
-		c->isatty = 1;
-		if (!isatty(c->wfd)) {
-			error("channel %d: wfd %d is not a tty?",
-			    c->self, c->wfd);
-		}
-	} else {
-		c->isatty = 0;
-	}
-	c->wfd_isatty = isatty(c->wfd);
-
-	/* enable nonblocking mode */
-	if (nonblock) {
-		if (rfd != -1)
-			set_nonblock(rfd);
-		if (wfd != -1)
-			set_nonblock(wfd);
-		if (efd != -1)
-			set_nonblock(efd);
-	}
-}
-
-/*
- * Allocate a new channel object and set its type and socket. This will cause
- * remote_name to be freed.
- */
-Channel *
-channel_new(char *ctype, int type, int rfd, int wfd, int efd,
-    u_int window, u_int maxpack, int extusage, char *remote_name, int nonblock)
-{
-	int found;
-	u_int i;
-	Channel *c;
-
-	/* Do initial allocation if this is the first call. */
-	if (channels_alloc == 0) {
-		channels_alloc = 10;
-		channels = xcalloc(channels_alloc, sizeof(Channel *));
-		for (i = 0; i < channels_alloc; i++)
-			channels[i] = NULL;
-	}
-	/* Try to find a free slot where to put the new channel. */
-	for (found = -1, i = 0; i < channels_alloc; i++)
-		if (channels[i] == NULL) {
-			/* Found a free slot. */
-			found = (int)i;
-			break;
-		}
-	if (found < 0) {
-		/* There are no free slots.  Take last+1 slot and expand the array.  */
-		found = channels_alloc;
-		if (channels_alloc > 10000)
-			fatal("channel_new: internal error: channels_alloc %d "
-			    "too big.", channels_alloc);
-		channels = xrealloc(channels, channels_alloc + 10,
-		    sizeof(Channel *));
-		channels_alloc += 10;
-		debug2("channel: expanding %d", channels_alloc);
-		for (i = found; i < channels_alloc; i++)
-			channels[i] = NULL;
-	}
-	/* Initialize and return new channel. */
-	c = channels[found] = xcalloc(1, sizeof(Channel));
-	buffer_init(&c->input);
-	buffer_init(&c->output);
-	buffer_init(&c->extended);
-	c->ostate = CHAN_OUTPUT_OPEN;
-	c->istate = CHAN_INPUT_OPEN;
-	c->flags = 0;
-	channel_register_fds(c, rfd, wfd, efd, extusage, nonblock);
-	c->self = found;
-	c->type = type;
-	c->ctype = ctype;
-	c->local_window = window;
-	c->local_window_max = window;
-	c->local_consumed = 0;
-	c->local_maxpacket = maxpack;
-	c->remote_id = -1;
-	c->remote_name = xstrdup(remote_name);
-	c->remote_window = 0;
-	c->remote_maxpacket = 0;
-	c->force_drain = 0;
-	c->single_connection = 0;
-	c->detach_user = NULL;
-	c->detach_close = 0;
-	c->confirm = NULL;
-	c->confirm_ctx = NULL;
-	c->input_filter = NULL;
-	c->output_filter = NULL;
-	debug("channel %d: new [%s]", found, remote_name);
-	return c;
-}
-
-static int
-channel_find_maxfd(void)
-{
-	u_int i;
-	int max = 0;
-	Channel *c;
-
-	for (i = 0; i < channels_alloc; i++) {
-		c = channels[i];
-		if (c != NULL) {
-			max = MAX(max, c->rfd);
-			max = MAX(max, c->wfd);
-			max = MAX(max, c->efd);
-		}
-	}
-	return max;
-}
-
-int
-channel_close_fd(int *fdp)
-{
-	int ret = 0, fd = *fdp;
-
-	if (fd != -1) {
-		ret = close(fd);
-		*fdp = -1;
-		if (fd == channel_max_fd)
-			channel_max_fd = channel_find_maxfd();
-	}
-	return ret;
-}
-
-/* Close all channel fd/socket. */
-static void
-channel_close_fds(Channel *c)
-{
-	debug3("channel %d: close_fds r %d w %d e %d c %d",
-	    c->self, c->rfd, c->wfd, c->efd, c->ctl_fd);
-
-	channel_close_fd(&c->sock);
-	channel_close_fd(&c->ctl_fd);
-	channel_close_fd(&c->rfd);
-	channel_close_fd(&c->wfd);
-	channel_close_fd(&c->efd);
-}
-
-/* Free the channel and close its fd/socket. */
-void
-channel_free(Channel *c)
-{
-	char *s;
-	u_int i, n;
-
-	for (n = 0, i = 0; i < channels_alloc; i++)
-		if (channels[i])
-			n++;
-	debug("channel %d: free: %s, nchannels %u", c->self,
-	    c->remote_name ? c->remote_name : "???", n);
-
-	s = channel_open_message();
-	debug3("channel %d: status: %s", c->self, s);
-	xfree(s);
-
-	if (c->sock != -1)
-		shutdown(c->sock, SHUT_RDWR);
-	if (c->ctl_fd != -1)
-		shutdown(c->ctl_fd, SHUT_RDWR);
-	channel_close_fds(c);
-	buffer_free(&c->input);
-	buffer_free(&c->output);
-	buffer_free(&c->extended);
-	if (c->remote_name) {
-		xfree(c->remote_name);
-		c->remote_name = NULL;
-	}
-	channels[c->self] = NULL;
-	xfree(c);
-}
-
-void
-channel_free_all(void)
-{
-	u_int i;
-
-	for (i = 0; i < channels_alloc; i++)
-		if (channels[i] != NULL)
-			channel_free(channels[i]);
-}
-
-/*
- * Closes the sockets/fds of all channels.  This is used to close extra file
- * descriptors after a fork.
- */
-void
-channel_close_all(void)
-{
-	u_int i;
-
-	for (i = 0; i < channels_alloc; i++)
-		if (channels[i] != NULL)
-			channel_close_fds(channels[i]);
-}
-
-/*
- * Stop listening to channels.
- */
-void
-channel_stop_listening(void)
-{
-	u_int i;
-	Channel *c;
-
-	for (i = 0; i < channels_alloc; i++) {
-		c = channels[i];
-		if (c != NULL) {
-			switch (c->type) {
-			case SSH_CHANNEL_AUTH_SOCKET:
-			case SSH_CHANNEL_PORT_LISTENER:
-			case SSH_CHANNEL_RPORT_LISTENER:
-			case SSH_CHANNEL_X11_LISTENER:
-				channel_close_fd(&c->sock);
-				channel_free(c);
-				break;
-			}
-		}
-	}
-}
-
-/*
- * Returns true if no channel has too much buffered data, and false if one or
- * more channel is overfull.
- */
-int
-channel_not_very_much_buffered_data(void)
-{
-	u_int i;
-	Channel *c;
-
-	for (i = 0; i < channels_alloc; i++) {
-		c = channels[i];
-		if (c != NULL && c->type == SSH_CHANNEL_OPEN) {
-#if 0
-			if (!compat20 &&
-			    buffer_len(&c->input) > packet_get_maxsize()) {
-				debug2("channel %d: big input buffer %d",
-				    c->self, buffer_len(&c->input));
-				return 0;
-			}
-#endif
-			if (buffer_len(&c->output) > packet_get_maxsize()) {
-				debug2("channel %d: big output buffer %u > %u",
-				    c->self, buffer_len(&c->output),
-				    packet_get_maxsize());
-				return 0;
-			}
-		}
-	}
-	return 1;
-}
-
-/* Returns true if any channel is still open. */
-int
-channel_still_open(void)
-{
-	u_int i;
-	Channel *c;
-
-	for (i = 0; i < channels_alloc; i++) {
-		c = channels[i];
-		if (c == NULL)
-			continue;
-		switch (c->type) {
-		case SSH_CHANNEL_X11_LISTENER:
-		case SSH_CHANNEL_PORT_LISTENER:
-		case SSH_CHANNEL_RPORT_LISTENER:
-		case SSH_CHANNEL_CLOSED:
-		case SSH_CHANNEL_AUTH_SOCKET:
-		case SSH_CHANNEL_DYNAMIC:
-		case SSH_CHANNEL_CONNECTING:
-		case SSH_CHANNEL_ZOMBIE:
-			continue;
-		case SSH_CHANNEL_LARVAL:
-			if (!compat20)
-				fatal("cannot happen: SSH_CHANNEL_LARVAL");
-			continue;
-		case SSH_CHANNEL_OPENING:
-		case SSH_CHANNEL_OPEN:
-		case SSH_CHANNEL_X11_OPEN:
-			return 1;
-		case SSH_CHANNEL_INPUT_DRAINING:
-		case SSH_CHANNEL_OUTPUT_DRAINING:
-			if (!compat13)
-				fatal("cannot happen: OUT_DRAIN");
-			return 1;
-		default:
-			fatal("channel_still_open: bad channel type %d", c->type);
-			/* NOTREACHED */
-		}
-	}
-	return 0;
-}
-
-/* Returns the id of an open channel suitable for keepaliving */
-int
-channel_find_open(void)
-{
-	u_int i;
-	Channel *c;
-
-	for (i = 0; i < channels_alloc; i++) {
-		c = channels[i];
-		if (c == NULL || c->remote_id < 0)
-			continue;
-		switch (c->type) {
-		case SSH_CHANNEL_CLOSED:
-		case SSH_CHANNEL_DYNAMIC:
-		case SSH_CHANNEL_X11_LISTENER:
-		case SSH_CHANNEL_PORT_LISTENER:
-		case SSH_CHANNEL_RPORT_LISTENER:
-		case SSH_CHANNEL_OPENING:
-		case SSH_CHANNEL_CONNECTING:
-		case SSH_CHANNEL_ZOMBIE:
-			continue;
-		case SSH_CHANNEL_LARVAL:
-		case SSH_CHANNEL_AUTH_SOCKET:
-		case SSH_CHANNEL_OPEN:
-		case SSH_CHANNEL_X11_OPEN:
-			return i;
-		case SSH_CHANNEL_INPUT_DRAINING:
-		case SSH_CHANNEL_OUTPUT_DRAINING:
-			if (!compat13)
-				fatal("cannot happen: OUT_DRAIN");
-			return i;
-		default:
-			fatal("channel_find_open: bad channel type %d", c->type);
-			/* NOTREACHED */
-		}
-	}
-	return -1;
-}
-
-
-/*
- * Returns a message describing the currently open forwarded connections,
- * suitable for sending to the client.  The message contains crlf pairs for
- * newlines.
- */
-char *
-channel_open_message(void)
-{
-	Buffer buffer;
-	Channel *c;
-	char buf[1024], *cp;
-	u_int i;
-
-	buffer_init(&buffer);
-	snprintf(buf, sizeof buf, "The following connections are open:\r\n");
-	buffer_append(&buffer, buf, strlen(buf));
-	for (i = 0; i < channels_alloc; i++) {
-		c = channels[i];
-		if (c == NULL)
-			continue;
-		switch (c->type) {
-		case SSH_CHANNEL_X11_LISTENER:
-		case SSH_CHANNEL_PORT_LISTENER:
-		case SSH_CHANNEL_RPORT_LISTENER:
-		case SSH_CHANNEL_CLOSED:
-		case SSH_CHANNEL_AUTH_SOCKET:
-		case SSH_CHANNEL_ZOMBIE:
-			continue;
-		case SSH_CHANNEL_LARVAL:
-		case SSH_CHANNEL_OPENING:
-		case SSH_CHANNEL_CONNECTING:
-		case SSH_CHANNEL_DYNAMIC:
-		case SSH_CHANNEL_OPEN:
-		case SSH_CHANNEL_X11_OPEN:
-		case SSH_CHANNEL_INPUT_DRAINING:
-		case SSH_CHANNEL_OUTPUT_DRAINING:
-			snprintf(buf, sizeof buf,
-			    "  #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d cfd %d)\r\n",
-			    c->self, c->remote_name,
-			    c->type, c->remote_id,
-			    c->istate, buffer_len(&c->input),
-			    c->ostate, buffer_len(&c->output),
-			    c->rfd, c->wfd, c->ctl_fd);
-			buffer_append(&buffer, buf, strlen(buf));
-			continue;
-		default:
-			fatal("channel_open_message: bad channel type %d", c->type);
-			/* NOTREACHED */
-		}
-	}
-	buffer_append(&buffer, "\0", 1);
-	cp = xstrdup(buffer_ptr(&buffer));
-	buffer_free(&buffer);
-	return cp;
-}
-
-void
-channel_send_open(int id)
-{
-	Channel *c = channel_lookup(id);
-
-	if (c == NULL) {
-		logit("channel_send_open: %d: bad id", id);
-		return;
-	}
-	debug2("channel %d: send open", id);
-	packet_start(SSH2_MSG_CHANNEL_OPEN);
-	packet_put_cstring(c->ctype);
-	packet_put_int(c->self);
-	packet_put_int(c->local_window);
-	packet_put_int(c->local_maxpacket);
-	packet_send();
-}
-
-void
-channel_request_start(int id, char *service, int wantconfirm)
-{
-	Channel *c = channel_lookup(id);
-
-	if (c == NULL) {
-		logit("channel_request_start: %d: unknown channel id", id);
-		return;
-	}
-	debug2("channel %d: request %s confirm %d", id, service, wantconfirm);
-	packet_start(SSH2_MSG_CHANNEL_REQUEST);
-	packet_put_int(c->remote_id);
-	packet_put_cstring(service);
-	packet_put_char(wantconfirm);
-}
-
-void
-channel_register_confirm(int id, channel_callback_fn *fn, void *ctx)
-{
-	Channel *c = channel_lookup(id);
-
-	if (c == NULL) {
-		logit("channel_register_comfirm: %d: bad id", id);
-		return;
-	}
-	c->confirm = fn;
-	c->confirm_ctx = ctx;
-}
-
-void
-channel_register_cleanup(int id, channel_callback_fn *fn, int do_close)
-{
-	Channel *c = channel_by_id(id);
-
-	if (c == NULL) {
-		logit("channel_register_cleanup: %d: bad id", id);
-		return;
-	}
-	c->detach_user = fn;
-	c->detach_close = do_close;
-}
-
-void
-channel_cancel_cleanup(int id)
-{
-	Channel *c = channel_by_id(id);
-
-	if (c == NULL) {
-		logit("channel_cancel_cleanup: %d: bad id", id);
-		return;
-	}
-	c->detach_user = NULL;
-	c->detach_close = 0;
-}
-
-void
-channel_register_filter(int id, channel_infilter_fn *ifn,
-    channel_outfilter_fn *ofn)
-{
-	Channel *c = channel_lookup(id);
-
-	if (c == NULL) {
-		logit("channel_register_filter: %d: bad id", id);
-		return;
-	}
-	c->input_filter = ifn;
-	c->output_filter = ofn;
-}
-
-void
-channel_set_fds(int id, int rfd, int wfd, int efd,
-    int extusage, int nonblock, u_int window_max)
-{
-	Channel *c = channel_lookup(id);
-
-	if (c == NULL || c->type != SSH_CHANNEL_LARVAL)
-		fatal("channel_activate for non-larval channel %d.", id);
-	channel_register_fds(c, rfd, wfd, efd, extusage, nonblock);
-	c->type = SSH_CHANNEL_OPEN;
-	c->local_window = c->local_window_max = window_max;
-	packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
-	packet_put_int(c->remote_id);
-	packet_put_int(c->local_window);
-	packet_send();
-}
-
-/*
- * 'channel_pre*' are called just before select() to add any bits relevant to
- * channels in the select bitmasks.
- */
-/*
- * 'channel_post*': perform any appropriate operations for channels which
- * have events pending.
- */
-typedef void chan_fn(Channel *c, fd_set *readset, fd_set *writeset);
-chan_fn *channel_pre[SSH_CHANNEL_MAX_TYPE];
-chan_fn *channel_post[SSH_CHANNEL_MAX_TYPE];
-
-/* ARGSUSED */
-static void
-channel_pre_listener(Channel *c, fd_set *readset, fd_set *writeset)
-{
-	FD_SET(c->sock, readset);
-}
-
-/* ARGSUSED */
-static void
-channel_pre_connecting(Channel *c, fd_set *readset, fd_set *writeset)
-{
-	debug3("channel %d: waiting for connection", c->self);
-	FD_SET(c->sock, writeset);
-}
-
-static void
-channel_pre_open_13(Channel *c, fd_set *readset, fd_set *writeset)
-{
-	if (buffer_len(&c->input) < packet_get_maxsize())
-		FD_SET(c->sock, readset);
-	if (buffer_len(&c->output) > 0)
-		FD_SET(c->sock, writeset);
-}
-
-static void
-channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset)
-{
-	u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
-
-	if (c->istate == CHAN_INPUT_OPEN &&
-	    limit > 0 &&
-	    buffer_len(&c->input) < limit &&
-	    buffer_check_alloc(&c->input, CHAN_RBUF))
-		FD_SET(c->rfd, readset);
-	if (c->ostate == CHAN_OUTPUT_OPEN ||
-	    c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
-		if (buffer_len(&c->output) > 0) {
-			FD_SET(c->wfd, writeset);
-		} else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
-			if (CHANNEL_EFD_OUTPUT_ACTIVE(c))
-				debug2("channel %d: obuf_empty delayed efd %d/(%d)",
-				    c->self, c->efd, buffer_len(&c->extended));
-			else
-				chan_obuf_empty(c);
-		}
-	}
-	/** XXX check close conditions, too */
-	if (compat20 && c->efd != -1) {
-		if (c->extended_usage == CHAN_EXTENDED_WRITE &&
-		    buffer_len(&c->extended) > 0)
-			FD_SET(c->efd, writeset);
-		else if (!(c->flags & CHAN_EOF_SENT) &&
-		    c->extended_usage == CHAN_EXTENDED_READ &&
-		    buffer_len(&c->extended) < c->remote_window)
-			FD_SET(c->efd, readset);
-	}
-	/* XXX: What about efd? races? */
-	if (compat20 && c->ctl_fd != -1 &&
-	    c->istate == CHAN_INPUT_OPEN && c->ostate == CHAN_OUTPUT_OPEN)
-		FD_SET(c->ctl_fd, readset);
-}
-
-/* ARGSUSED */
-static void
-channel_pre_input_draining(Channel *c, fd_set *readset, fd_set *writeset)
-{
-	if (buffer_len(&c->input) == 0) {
-		packet_start(SSH_MSG_CHANNEL_CLOSE);
-		packet_put_int(c->remote_id);
-		packet_send();
-		c->type = SSH_CHANNEL_CLOSED;
-		debug2("channel %d: closing after input drain.", c->self);
-	}
-}
-
-/* ARGSUSED */
-static void
-channel_pre_output_draining(Channel *c, fd_set *readset, fd_set *writeset)
-{
-	if (buffer_len(&c->output) == 0)
-		chan_mark_dead(c);
-	else
-		FD_SET(c->sock, writeset);
-}
-
-/*
- * This is a special state for X11 authentication spoofing.  An opened X11
- * connection (when authentication spoofing is being done) remains in this
- * state until the first packet has been completely read.  The authentication
- * data in that packet is then substituted by the real data if it matches the
- * fake data, and the channel is put into normal mode.
- * XXX All this happens at the client side.
- * Returns: 0 = need more data, -1 = wrong cookie, 1 = ok
- */
-static int
-x11_open_helper(Buffer *b)
-{
-	u_char *ucp;
-	u_int proto_len, data_len;
-
-	/* Check if the fixed size part of the packet is in buffer. */
-	if (buffer_len(b) < 12)
-		return 0;
-
-	/* Parse the lengths of variable-length fields. */
-	ucp = buffer_ptr(b);
-	if (ucp[0] == 0x42) {	/* Byte order MSB first. */
-		proto_len = 256 * ucp[6] + ucp[7];
-		data_len = 256 * ucp[8] + ucp[9];
-	} else if (ucp[0] == 0x6c) {	/* Byte order LSB first. */
-		proto_len = ucp[6] + 256 * ucp[7];
-		data_len = ucp[8] + 256 * ucp[9];
-	} else {
-		debug2("Initial X11 packet contains bad byte order byte: 0x%x",
-		    ucp[0]);
-		return -1;
-	}
-
-	/* Check if the whole packet is in buffer. */
-	if (buffer_len(b) <
-	    12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3))
-		return 0;
-
-	/* Check if authentication protocol matches. */
-	if (proto_len != strlen(x11_saved_proto) ||
-	    memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) {
-		debug2("X11 connection uses different authentication protocol.");
-		return -1;
-	}
-	/* Check if authentication data matches our fake data. */
-	if (data_len != x11_fake_data_len ||
-	    memcmp(ucp + 12 + ((proto_len + 3) & ~3),
-		x11_fake_data, x11_fake_data_len) != 0) {
-		debug2("X11 auth data does not match fake data.");
-		return -1;
-	}
-	/* Check fake data length */
-	if (x11_fake_data_len != x11_saved_data_len) {
-		error("X11 fake_data_len %d != saved_data_len %d",
-		    x11_fake_data_len, x11_saved_data_len);
-		return -1;
-	}
-	/*
-	 * Received authentication protocol and data match
-	 * our fake data. Substitute the fake data with real
-	 * data.
-	 */
-	memcpy(ucp + 12 + ((proto_len + 3) & ~3),
-	    x11_saved_data, x11_saved_data_len);
-	return 1;
-}
-
-static void
-channel_pre_x11_open_13(Channel *c, fd_set *readset, fd_set *writeset)
-{
-	int ret = x11_open_helper(&c->output);
-
-	if (ret == 1) {
-		/* Start normal processing for the channel. */
-		c->type = SSH_CHANNEL_OPEN;
-		channel_pre_open_13(c, readset, writeset);
-	} else if (ret == -1) {
-		/*
-		 * We have received an X11 connection that has bad
-		 * authentication information.
-		 */
-		logit("X11 connection rejected because of wrong authentication.");
-		buffer_clear(&c->input);
-		buffer_clear(&c->output);
-		channel_close_fd(&c->sock);
-		c->sock = -1;
-		c->type = SSH_CHANNEL_CLOSED;
-		packet_start(SSH_MSG_CHANNEL_CLOSE);
-		packet_put_int(c->remote_id);
-		packet_send();
-	}
-}
-
-static void
-channel_pre_x11_open(Channel *c, fd_set *readset, fd_set *writeset)
-{
-	int ret = x11_open_helper(&c->output);
-
-	/* c->force_drain = 1; */
-
-	if (ret == 1) {
-		c->type = SSH_CHANNEL_OPEN;
-		channel_pre_open(c, readset, writeset);
-	} else if (ret == -1) {
-		logit("X11 connection rejected because of wrong authentication.");
-		debug2("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate);
-		chan_read_failed(c);
-		buffer_clear(&c->input);
-		chan_ibuf_empty(c);
-		buffer_clear(&c->output);
-		/* for proto v1, the peer will send an IEOF */
-		if (compat20)
-			chan_write_failed(c);
-		else
-			c->type = SSH_CHANNEL_OPEN;
-		debug2("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate);
-	}
-}
-
-/* try to decode a socks4 header */
-/* ARGSUSED */
-static int
-channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset)
-{
-	char *p, *host;
-	u_int len, have, i, found;
-	char username[256];
-	struct {
-		u_int8_t version;
-		u_int8_t command;
-		u_int16_t dest_port;
-		struct in_addr dest_addr;
-	} s4_req, s4_rsp;
-
-	debug2("channel %d: decode socks4", c->self);
-
-	have = buffer_len(&c->input);
-	len = sizeof(s4_req);
-	if (have < len)
-		return 0;
-	p = buffer_ptr(&c->input);
-	for (found = 0, i = len; i < have; i++) {
-		if (p[i] == '\0') {
-			found = 1;
-			break;
-		}
-		if (i > 1024) {
-			/* the peer is probably sending garbage */
-			debug("channel %d: decode socks4: too long",
-			    c->self);
-			return -1;
-		}
-	}
-	if (!found)
-		return 0;
-	buffer_get(&c->input, (char *)&s4_req.version, 1);
-	buffer_get(&c->input, (char *)&s4_req.command, 1);
-	buffer_get(&c->input, (char *)&s4_req.dest_port, 2);
-	buffer_get(&c->input, (char *)&s4_req.dest_addr, 4);
-	have = buffer_len(&c->input);
-	p = buffer_ptr(&c->input);
-	len = strlen(p);
-	debug2("channel %d: decode socks4: user %s/%d", c->self, p, len);
-	if (len > have)
-		fatal("channel %d: decode socks4: len %d > have %d",
-		    c->self, len, have);
-	strlcpy(username, p, sizeof(username));
-	buffer_consume(&c->input, len);
-	buffer_consume(&c->input, 1);		/* trailing '\0' */
-
-	host = inet_ntoa(s4_req.dest_addr);
-	strlcpy(c->path, host, sizeof(c->path));
-	c->host_port = ntohs(s4_req.dest_port);
-
-	debug2("channel %d: dynamic request: socks4 host %s port %u command %u",
-	    c->self, host, c->host_port, s4_req.command);
-
-	if (s4_req.command != 1) {
-		debug("channel %d: cannot handle: socks4 cn %d",
-		    c->self, s4_req.command);
-		return -1;
-	}
-	s4_rsp.version = 0;			/* vn: 0 for reply */
-	s4_rsp.command = 90;			/* cd: req granted */
-	s4_rsp.dest_port = 0;			/* ignored */
-	s4_rsp.dest_addr.s_addr = INADDR_ANY;	/* ignored */
-	buffer_append(&c->output, &s4_rsp, sizeof(s4_rsp));
-	return 1;
-}
-
-/* try to decode a socks5 header */
-#define SSH_SOCKS5_AUTHDONE	0x1000
-#define SSH_SOCKS5_NOAUTH	0x00
-#define SSH_SOCKS5_IPV4		0x01
-#define SSH_SOCKS5_DOMAIN	0x03
-#define SSH_SOCKS5_IPV6		0x04
-#define SSH_SOCKS5_CONNECT	0x01
-#define SSH_SOCKS5_SUCCESS	0x00
-
-/* ARGSUSED */
-static int
-channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset)
-{
-	struct {
-		u_int8_t version;
-		u_int8_t command;
-		u_int8_t reserved;
-		u_int8_t atyp;
-	} s5_req, s5_rsp;
-	u_int16_t dest_port;
-	u_char *p, dest_addr[255+1];
-	u_int have, need, i, found, nmethods, addrlen, af;
-
-	debug2("channel %d: decode socks5", c->self);
-	p = buffer_ptr(&c->input);
-	if (p[0] != 0x05)
-		return -1;
-	have = buffer_len(&c->input);
-	if (!(c->flags & SSH_SOCKS5_AUTHDONE)) {
-		/* format: ver | nmethods | methods */
-		if (have < 2)
-			return 0;
-		nmethods = p[1];
-		if (have < nmethods + 2)
-			return 0;
-		/* look for method: "NO AUTHENTICATION REQUIRED" */
-		for (found = 0, i = 2 ; i < nmethods + 2; i++) {
-			if (p[i] == SSH_SOCKS5_NOAUTH) {
-				found = 1;
-				break;
-			}
-		}
-		if (!found) {
-			debug("channel %d: method SSH_SOCKS5_NOAUTH not found",
-			    c->self);
-			return -1;
-		}
-		buffer_consume(&c->input, nmethods + 2);
-		buffer_put_char(&c->output, 0x05);		/* version */
-		buffer_put_char(&c->output, SSH_SOCKS5_NOAUTH);	/* method */
-		FD_SET(c->sock, writeset);
-		c->flags |= SSH_SOCKS5_AUTHDONE;
-		debug2("channel %d: socks5 auth done", c->self);
-		return 0;				/* need more */
-	}
-	debug2("channel %d: socks5 post auth", c->self);
-	if (have < sizeof(s5_req)+1)
-		return 0;			/* need more */
-	memcpy(&s5_req, p, sizeof(s5_req));
-	if (s5_req.version != 0x05 ||
-	    s5_req.command != SSH_SOCKS5_CONNECT ||
-	    s5_req.reserved != 0x00) {
-		debug2("channel %d: only socks5 connect supported", c->self);
-		return -1;
-	}
-	switch (s5_req.atyp){
-	case SSH_SOCKS5_IPV4:
-		addrlen = 4;
-		af = AF_INET;
-		break;
-	case SSH_SOCKS5_DOMAIN:
-		addrlen = p[sizeof(s5_req)];
-		af = -1;
-		break;
-	case SSH_SOCKS5_IPV6:
-		addrlen = 16;
-		af = AF_INET6;
-		break;
-	default:
-		debug2("channel %d: bad socks5 atyp %d", c->self, s5_req.atyp);
-		return -1;
-	}
-	need = sizeof(s5_req) + addrlen + 2;
-	if (s5_req.atyp == SSH_SOCKS5_DOMAIN)
-		need++;
-	if (have < need)
-		return 0;
-	buffer_consume(&c->input, sizeof(s5_req));
-	if (s5_req.atyp == SSH_SOCKS5_DOMAIN)
-		buffer_consume(&c->input, 1);    /* host string length */
-	buffer_get(&c->input, (char *)&dest_addr, addrlen);
-	buffer_get(&c->input, (char *)&dest_port, 2);
-	dest_addr[addrlen] = '\0';
-	if (s5_req.atyp == SSH_SOCKS5_DOMAIN)
-		strlcpy(c->path, (char *)dest_addr, sizeof(c->path));
-	else if (inet_ntop(af, dest_addr, c->path, sizeof(c->path)) == NULL)
-		return -1;
-	c->host_port = ntohs(dest_port);
-
-	debug2("channel %d: dynamic request: socks5 host %s port %u command %u",
-	    c->self, c->path, c->host_port, s5_req.command);
-
-	s5_rsp.version = 0x05;
-	s5_rsp.command = SSH_SOCKS5_SUCCESS;
-	s5_rsp.reserved = 0;			/* ignored */
-	s5_rsp.atyp = SSH_SOCKS5_IPV4;
-	((struct in_addr *)&dest_addr)->s_addr = INADDR_ANY;
-	dest_port = 0;				/* ignored */
-
-	buffer_append(&c->output, &s5_rsp, sizeof(s5_rsp));
-	buffer_append(&c->output, &dest_addr, sizeof(struct in_addr));
-	buffer_append(&c->output, &dest_port, sizeof(dest_port));
-	return 1;
-}
-
-/* dynamic port forwarding */
-static void
-channel_pre_dynamic(Channel *c, fd_set *readset, fd_set *writeset)
-{
-	u_char *p;
-	u_int have;
-	int ret;
-
-	have = buffer_len(&c->input);
-	c->delayed = 0;
-	debug2("channel %d: pre_dynamic: have %d", c->self, have);
-	/* buffer_dump(&c->input); */
-	/* check if the fixed size part of the packet is in buffer. */
-	if (have < 3) {
-		/* need more */
-		FD_SET(c->sock, readset);
-		return;
-	}
-	/* try to guess the protocol */
-	p = buffer_ptr(&c->input);
-	switch (p[0]) {
-	case 0x04:
-		ret = channel_decode_socks4(c, readset, writeset);
-		break;
-	case 0x05:
-		ret = channel_decode_socks5(c, readset, writeset);
-		break;
-	default:
-		ret = -1;
-		break;
-	}
-	if (ret < 0) {
-		chan_mark_dead(c);
-	} else if (ret == 0) {
-		debug2("channel %d: pre_dynamic: need more", c->self);
-		/* need more */
-		FD_SET(c->sock, readset);
-	} else {
-		/* switch to the next state */
-		c->type = SSH_CHANNEL_OPENING;
-		port_open_helper(c, "direct-tcpip");
-	}
-}
-
-/* This is our fake X11 server socket. */
-/* ARGSUSED */
-static void
-channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset)
-{
-	Channel *nc;
-	struct sockaddr addr;
-	int newsock;
-	socklen_t addrlen;
-	char buf[16384], *remote_ipaddr;
-	int remote_port;
-
-	if (FD_ISSET(c->sock, readset)) {
-		debug("X11 connection requested.");
-		addrlen = sizeof(addr);
-		newsock = accept(c->sock, &addr, &addrlen);
-		if (c->single_connection) {
-			debug2("single_connection: closing X11 listener.");
-			channel_close_fd(&c->sock);
-			chan_mark_dead(c);
-		}
-		if (newsock < 0) {
-			error("accept: %.100s", strerror(errno));
-			return;
-		}
-		set_nodelay(newsock);
-		remote_ipaddr = get_peer_ipaddr(newsock);
-		remote_port = get_peer_port(newsock);
-		snprintf(buf, sizeof buf, "X11 connection from %.200s port %d",
-		    remote_ipaddr, remote_port);
-
-		nc = channel_new("accepted x11 socket",
-		    SSH_CHANNEL_OPENING, newsock, newsock, -1,
-		    c->local_window_max, c->local_maxpacket, 0, buf, 1);
-		if (compat20) {
-			packet_start(SSH2_MSG_CHANNEL_OPEN);
-			packet_put_cstring("x11");
-			packet_put_int(nc->self);
-			packet_put_int(nc->local_window_max);
-			packet_put_int(nc->local_maxpacket);
-			/* originator ipaddr and port */
-			packet_put_cstring(remote_ipaddr);
-			if (datafellows & SSH_BUG_X11FWD) {
-				debug2("ssh2 x11 bug compat mode");
-			} else {
-				packet_put_int(remote_port);
-			}
-			packet_send();
-		} else {
-			packet_start(SSH_SMSG_X11_OPEN);
-			packet_put_int(nc->self);
-			if (packet_get_protocol_flags() &
-			    SSH_PROTOFLAG_HOST_IN_FWD_OPEN)
-				packet_put_cstring(buf);
-			packet_send();
-		}
-		xfree(remote_ipaddr);
-	}
-}
-
-static void
-port_open_helper(Channel *c, char *rtype)
-{
-	int direct;
-	char buf[1024];
-	char *remote_ipaddr = get_peer_ipaddr(c->sock);
-	int remote_port = get_peer_port(c->sock);
-
-	direct = (strcmp(rtype, "direct-tcpip") == 0);
-
-	snprintf(buf, sizeof buf,
-	    "%s: listening port %d for %.100s port %d, "
-	    "connect from %.200s port %d",
-	    rtype, c->listening_port, c->path, c->host_port,
-	    remote_ipaddr, remote_port);
-
-	xfree(c->remote_name);
-	c->remote_name = xstrdup(buf);
-
-	if (compat20) {
-		packet_start(SSH2_MSG_CHANNEL_OPEN);
-		packet_put_cstring(rtype);
-		packet_put_int(c->self);
-		packet_put_int(c->local_window_max);
-		packet_put_int(c->local_maxpacket);
-		if (direct) {
-			/* target host, port */
-			packet_put_cstring(c->path);
-			packet_put_int(c->host_port);
-		} else {
-			/* listen address, port */
-			packet_put_cstring(c->path);
-			packet_put_int(c->listening_port);
-		}
-		/* originator host and port */
-		packet_put_cstring(remote_ipaddr);
-		packet_put_int((u_int)remote_port);
-		packet_send();
-	} else {
-		packet_start(SSH_MSG_PORT_OPEN);
-		packet_put_int(c->self);
-		packet_put_cstring(c->path);
-		packet_put_int(c->host_port);
-		if (packet_get_protocol_flags() &
-		    SSH_PROTOFLAG_HOST_IN_FWD_OPEN)
-			packet_put_cstring(c->remote_name);
-		packet_send();
-	}
-	xfree(remote_ipaddr);
-}
-
-static void
-channel_set_reuseaddr(int fd)
-{
-	int on = 1;
-
-	/*
-	 * Set socket options.
-	 * Allow local port reuse in TIME_WAIT.
-	 */
-	if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == -1)
-		error("setsockopt SO_REUSEADDR fd %d: %s", fd, strerror(errno));
-}
-
-/*
- * This socket is listening for connections to a forwarded TCP/IP port.
- */
-/* ARGSUSED */
-static void
-channel_post_port_listener(Channel *c, fd_set *readset, fd_set *writeset)
-{
-	Channel *nc;
-	struct sockaddr addr;
-	int newsock, nextstate;
-	socklen_t addrlen;
-	char *rtype;
-
-	if (FD_ISSET(c->sock, readset)) {
-		debug("Connection to port %d forwarding "
-		    "to %.100s port %d requested.",
-		    c->listening_port, c->path, c->host_port);
-
-		if (c->type == SSH_CHANNEL_RPORT_LISTENER) {
-			nextstate = SSH_CHANNEL_OPENING;
-			rtype = "forwarded-tcpip";
-		} else {
-			if (c->host_port == 0) {
-				nextstate = SSH_CHANNEL_DYNAMIC;
-				rtype = "dynamic-tcpip";
-			} else {
-				nextstate = SSH_CHANNEL_OPENING;
-				rtype = "direct-tcpip";
-			}
-		}
-
-		addrlen = sizeof(addr);
-		newsock = accept(c->sock, &addr, &addrlen);
-		if (newsock < 0) {
-			error("accept: %.100s", strerror(errno));
-			return;
-		}
-		set_nodelay(newsock);
-		nc = channel_new(rtype, nextstate, newsock, newsock, -1,
-		    c->local_window_max, c->local_maxpacket, 0, rtype, 1);
-		nc->listening_port = c->listening_port;
-		nc->host_port = c->host_port;
-		strlcpy(nc->path, c->path, sizeof(nc->path));
-
-		if (nextstate == SSH_CHANNEL_DYNAMIC) {
-			/*
-			 * do not call the channel_post handler until
-			 * this flag has been reset by a pre-handler.
-			 * otherwise the FD_ISSET calls might overflow
-			 */
-			nc->delayed = 1;
-		} else {
-			port_open_helper(nc, rtype);
-		}
-	}
-}
-
-/*
- * This is the authentication agent socket listening for connections from
- * clients.
- */
-/* ARGSUSED */
-static void
-channel_post_auth_listener(Channel *c, fd_set *readset, fd_set *writeset)
-{
-	Channel *nc;
-	int newsock;
-	struct sockaddr addr;
-	socklen_t addrlen;
-
-	if (FD_ISSET(c->sock, readset)) {
-		addrlen = sizeof(addr);
-		newsock = accept(c->sock, &addr, &addrlen);
-		if (newsock < 0) {
-			error("accept from auth socket: %.100s", strerror(errno));
-			return;
-		}
-		nc = channel_new("accepted auth socket",
-		    SSH_CHANNEL_OPENING, newsock, newsock, -1,
-		    c->local_window_max, c->local_maxpacket,
-		    0, "accepted auth socket", 1);
-		if (compat20) {
-			packet_start(SSH2_MSG_CHANNEL_OPEN);
-			packet_put_cstring("auth-agent@openssh.com");
-			packet_put_int(nc->self);
-			packet_put_int(c->local_window_max);
-			packet_put_int(c->local_maxpacket);
-		} else {
-			packet_start(SSH_SMSG_AGENT_OPEN);
-			packet_put_int(nc->self);
-		}
-		packet_send();
-	}
-}
-
-/* ARGSUSED */
-static void
-channel_post_connecting(Channel *c, fd_set *readset, fd_set *writeset)
-{
-	int err = 0;
-	socklen_t sz = sizeof(err);
-
-	if (FD_ISSET(c->sock, writeset)) {
-		if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &err, &sz) < 0) {
-			err = errno;
-			error("getsockopt SO_ERROR failed");
-		}
-		if (err == 0) {
-			debug("channel %d: connected", c->self);
-			c->type = SSH_CHANNEL_OPEN;
-			if (compat20) {
-				packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);
-				packet_put_int(c->remote_id);
-				packet_put_int(c->self);
-				packet_put_int(c->local_window);
-				packet_put_int(c->local_maxpacket);
-			} else {
-				packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
-				packet_put_int(c->remote_id);
-				packet_put_int(c->self);
-			}
-		} else {
-			debug("channel %d: not connected: %s",
-			    c->self, strerror(err));
-			if (compat20) {
-				packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE);
-				packet_put_int(c->remote_id);
-				packet_put_int(SSH2_OPEN_CONNECT_FAILED);
-				if (!(datafellows & SSH_BUG_OPENFAILURE)) {
-					packet_put_cstring(strerror(err));
-					packet_put_cstring("");
-				}
-			} else {
-				packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
-				packet_put_int(c->remote_id);
-			}
-			chan_mark_dead(c);
-		}
-		packet_send();
-	}
-}
-
-/* ARGSUSED */
-static int
-channel_handle_rfd(Channel *c, fd_set *readset, fd_set *writeset)
-{
-	char buf[CHAN_RBUF];
-	int len;
-
-	if (c->rfd != -1 &&
-	    FD_ISSET(c->rfd, readset)) {
-		errno = 0;
-		len = read(c->rfd, buf, sizeof(buf));
-		if (len < 0 && (errno == EINTR || errno == EAGAIN))
-			return 1;
-#ifndef PTY_ZEROREAD
-		if (len <= 0) {
-#else
-		if ((!c->isatty && len <= 0) ||
-		    (c->isatty && (len < 0 || (len == 0 && errno != 0)))) {
-#endif
-			debug2("channel %d: read<=0 rfd %d len %d",
-			    c->self, c->rfd, len);
-			if (c->type != SSH_CHANNEL_OPEN) {
-				debug2("channel %d: not open", c->self);
-				chan_mark_dead(c);
-				return -1;
-			} else if (compat13) {
-				buffer_clear(&c->output);
-				c->type = SSH_CHANNEL_INPUT_DRAINING;
-				debug2("channel %d: input draining.", c->self);
-			} else {
-				chan_read_failed(c);
-			}
-			return -1;
-		}
-		if (c->input_filter != NULL) {
-			if (c->input_filter(c, buf, len) == -1) {
-				debug2("channel %d: filter stops", c->self);
-				chan_read_failed(c);
-			}
-		} else if (c->datagram) {
-			buffer_put_string(&c->input, buf, len);
-		} else {
-			buffer_append(&c->input, buf, len);
-		}
-	}
-	return 1;
-}
-
-/* ARGSUSED */
-static int
-channel_handle_wfd(Channel *c, fd_set *readset, fd_set *writeset)
-{
-	struct termios tio;
-	u_char *data = NULL, *buf;
-	u_int dlen;
-	int len;
-
-	/* Send buffered output data to the socket. */
-	if (c->wfd != -1 &&
-	    FD_ISSET(c->wfd, writeset) &&
-	    buffer_len(&c->output) > 0) {
-		if (c->output_filter != NULL) {
-			if ((buf = c->output_filter(c, &data, &dlen)) == NULL) {
-				debug2("channel %d: filter stops", c->self);
-				if (c->type != SSH_CHANNEL_OPEN)
-					chan_mark_dead(c);
-				else
-					chan_write_failed(c);
-				return -1;
-			}
-		} else if (c->datagram) {
-			buf = data = buffer_get_string(&c->output, &dlen);
-		} else {
-			buf = data = buffer_ptr(&c->output);
-			dlen = buffer_len(&c->output);
-		}
-
-		if (c->datagram) {
-			/* ignore truncated writes, datagrams might get lost */
-			c->local_consumed += dlen + 4;
-			len = write(c->wfd, buf, dlen);
-			xfree(data);
-			if (len < 0 && (errno == EINTR || errno == EAGAIN))
-				return 1;
-			if (len <= 0) {
-				if (c->type != SSH_CHANNEL_OPEN)
-					chan_mark_dead(c);
-				else
-					chan_write_failed(c);
-				return -1;
-			}
-			return 1;
-		}
-#ifdef _AIX
-		/* XXX: Later AIX versions can't push as much data to tty */
-		if (compat20 && c->wfd_isatty)
-			dlen = MIN(dlen, 8*1024);
-#endif
-
-		len = write(c->wfd, buf, dlen);
-		if (len < 0 && (errno == EINTR || errno == EAGAIN))
-			return 1;
-		if (len <= 0) {
-			if (c->type != SSH_CHANNEL_OPEN) {
-				debug2("channel %d: not open", c->self);
-				chan_mark_dead(c);
-				return -1;
-			} else if (compat13) {
-				buffer_clear(&c->output);
-				debug2("channel %d: input draining.", c->self);
-				c->type = SSH_CHANNEL_INPUT_DRAINING;
-			} else {
-				chan_write_failed(c);
-			}
-			return -1;
-		}
-		if (compat20 && c->isatty && dlen >= 1 && buf[0] != '\r') {
-			if (tcgetattr(c->wfd, &tio) == 0 &&
-			    !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) {
-				/*
-				 * Simulate echo to reduce the impact of
-				 * traffic analysis. We need to match the
-				 * size of a SSH2_MSG_CHANNEL_DATA message
-				 * (4 byte channel id + buf)
-				 */
-				packet_send_ignore(4 + len);
-				packet_send();
-			}
-		}
-		buffer_consume(&c->output, len);
-		if (compat20 && len > 0) {
-			c->local_consumed += len;
-		}
-	}
-	return 1;
-}
-
-static int
-channel_handle_efd(Channel *c, fd_set *readset, fd_set *writeset)
-{
-	char buf[CHAN_RBUF];
-	int len;
-
-/** XXX handle drain efd, too */
-	if (c->efd != -1) {
-		if (c->extended_usage == CHAN_EXTENDED_WRITE &&
-		    FD_ISSET(c->efd, writeset) &&
-		    buffer_len(&c->extended) > 0) {
-			len = write(c->efd, buffer_ptr(&c->extended),
-			    buffer_len(&c->extended));
-			debug2("channel %d: written %d to efd %d",
-			    c->self, len, c->efd);
-			if (len < 0 && (errno == EINTR || errno == EAGAIN))
-				return 1;
-			if (len <= 0) {
-				debug2("channel %d: closing write-efd %d",
-				    c->self, c->efd);
-				channel_close_fd(&c->efd);
-			} else {
-				buffer_consume(&c->extended, len);
-				c->local_consumed += len;
-			}
-		} else if (c->extended_usage == CHAN_EXTENDED_READ &&
-		    FD_ISSET(c->efd, readset)) {
-			len = read(c->efd, buf, sizeof(buf));
-			debug2("channel %d: read %d from efd %d",
-			    c->self, len, c->efd);
-			if (len < 0 && (errno == EINTR || errno == EAGAIN))
-				return 1;
-			if (len <= 0) {
-				debug2("channel %d: closing read-efd %d",
-				    c->self, c->efd);
-				channel_close_fd(&c->efd);
-			} else {
-				buffer_append(&c->extended, buf, len);
-			}
-		}
-	}
-	return 1;
-}
-
-/* ARGSUSED */
-static int
-channel_handle_ctl(Channel *c, fd_set *readset, fd_set *writeset)
-{
-	char buf[16];
-	int len;
-
-	/* Monitor control fd to detect if the slave client exits */
-	if (c->ctl_fd != -1 && FD_ISSET(c->ctl_fd, readset)) {
-		len = read(c->ctl_fd, buf, sizeof(buf));
-		if (len < 0 && (errno == EINTR || errno == EAGAIN))
-			return 1;
-		if (len <= 0) {
-			debug2("channel %d: ctl read<=0", c->self);
-			if (c->type != SSH_CHANNEL_OPEN) {
-				debug2("channel %d: not open", c->self);
-				chan_mark_dead(c);
-				return -1;
-			} else {
-				chan_read_failed(c);
-				chan_write_failed(c);
-			}
-			return -1;
-		} else
-			fatal("%s: unexpected data on ctl fd", __func__);
-	}
-	return 1;
-}
-
-static int
-channel_check_window(Channel *c)
-{
-	if (c->type == SSH_CHANNEL_OPEN &&
-	    !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
-	    c->local_window < c->local_window_max/2 &&
-	    c->local_consumed > 0) {
-		packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
-		packet_put_int(c->remote_id);
-		packet_put_int(c->local_consumed);
-		packet_send();
-		debug2("channel %d: window %d sent adjust %d",
-		    c->self, c->local_window,
-		    c->local_consumed);
-		c->local_window += c->local_consumed;
-		c->local_consumed = 0;
-	}
-	return 1;
-}
-
-static void
-channel_post_open(Channel *c, fd_set *readset, fd_set *writeset)
-{
-	if (c->delayed)
-		return;
-	channel_handle_rfd(c, readset, writeset);
-	channel_handle_wfd(c, readset, writeset);
-	if (!compat20)
-		return;
-	channel_handle_efd(c, readset, writeset);
-	channel_handle_ctl(c, readset, writeset);
-	channel_check_window(c);
-}
-
-/* ARGSUSED */
-static void
-channel_post_output_drain_13(Channel *c, fd_set *readset, fd_set *writeset)
-{
-	int len;
-
-	/* Send buffered output data to the socket. */
-	if (FD_ISSET(c->sock, writeset) && buffer_len(&c->output) > 0) {
-		len = write(c->sock, buffer_ptr(&c->output),
-			    buffer_len(&c->output));
-		if (len <= 0)
-			buffer_clear(&c->output);
-		else
-			buffer_consume(&c->output, len);
-	}
-}
-
-static void
-channel_handler_init_20(void)
-{
-	channel_pre[SSH_CHANNEL_OPEN] =			&channel_pre_open;
-	channel_pre[SSH_CHANNEL_X11_OPEN] =		&channel_pre_x11_open;
-	channel_pre[SSH_CHANNEL_PORT_LISTENER] =	&channel_pre_listener;
-	channel_pre[SSH_CHANNEL_RPORT_LISTENER] =	&channel_pre_listener;
-	channel_pre[SSH_CHANNEL_X11_LISTENER] =		&channel_pre_listener;
-	channel_pre[SSH_CHANNEL_AUTH_SOCKET] =		&channel_pre_listener;
-	channel_pre[SSH_CHANNEL_CONNECTING] =		&channel_pre_connecting;
-	channel_pre[SSH_CHANNEL_DYNAMIC] =		&channel_pre_dynamic;
-
-	channel_post[SSH_CHANNEL_OPEN] =		&channel_post_open;
-	channel_post[SSH_CHANNEL_PORT_LISTENER] =	&channel_post_port_listener;
-	channel_post[SSH_CHANNEL_RPORT_LISTENER] =	&channel_post_port_listener;
-	channel_post[SSH_CHANNEL_X11_LISTENER] =	&channel_post_x11_listener;
-	channel_post[SSH_CHANNEL_AUTH_SOCKET] =		&channel_post_auth_listener;
-	channel_post[SSH_CHANNEL_CONNECTING] =		&channel_post_connecting;
-	channel_post[SSH_CHANNEL_DYNAMIC] =		&channel_post_open;
-}
-
-static void
-channel_handler_init_13(void)
-{
-	channel_pre[SSH_CHANNEL_OPEN] =			&channel_pre_open_13;
-	channel_pre[SSH_CHANNEL_X11_OPEN] =		&channel_pre_x11_open_13;
-	channel_pre[SSH_CHANNEL_X11_LISTENER] =		&channel_pre_listener;
-	channel_pre[SSH_CHANNEL_PORT_LISTENER] =	&channel_pre_listener;
-	channel_pre[SSH_CHANNEL_AUTH_SOCKET] =		&channel_pre_listener;
-	channel_pre[SSH_CHANNEL_INPUT_DRAINING] =	&channel_pre_input_draining;
-	channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] =	&channel_pre_output_draining;
-	channel_pre[SSH_CHANNEL_CONNECTING] =		&channel_pre_connecting;
-	channel_pre[SSH_CHANNEL_DYNAMIC] =		&channel_pre_dynamic;
-
-	channel_post[SSH_CHANNEL_OPEN] =		&channel_post_open;
-	channel_post[SSH_CHANNEL_X11_LISTENER] =	&channel_post_x11_listener;
-	channel_post[SSH_CHANNEL_PORT_LISTENER] =	&channel_post_port_listener;
-	channel_post[SSH_CHANNEL_AUTH_SOCKET] =		&channel_post_auth_listener;
-	channel_post[SSH_CHANNEL_OUTPUT_DRAINING] =	&channel_post_output_drain_13;
-	channel_post[SSH_CHANNEL_CONNECTING] =		&channel_post_connecting;
-	channel_post[SSH_CHANNEL_DYNAMIC] =		&channel_post_open;
-}
-
-static void
-channel_handler_init_15(void)
-{
-	channel_pre[SSH_CHANNEL_OPEN] =			&channel_pre_open;
-	channel_pre[SSH_CHANNEL_X11_OPEN] =		&channel_pre_x11_open;
-	channel_pre[SSH_CHANNEL_X11_LISTENER] =		&channel_pre_listener;
-	channel_pre[SSH_CHANNEL_PORT_LISTENER] =	&channel_pre_listener;
-	channel_pre[SSH_CHANNEL_AUTH_SOCKET] =		&channel_pre_listener;
-	channel_pre[SSH_CHANNEL_CONNECTING] =		&channel_pre_connecting;
-	channel_pre[SSH_CHANNEL_DYNAMIC] =		&channel_pre_dynamic;
-
-	channel_post[SSH_CHANNEL_X11_LISTENER] =	&channel_post_x11_listener;
-	channel_post[SSH_CHANNEL_PORT_LISTENER] =	&channel_post_port_listener;
-	channel_post[SSH_CHANNEL_AUTH_SOCKET] =		&channel_post_auth_listener;
-	channel_post[SSH_CHANNEL_OPEN] =		&channel_post_open;
-	channel_post[SSH_CHANNEL_CONNECTING] =		&channel_post_connecting;
-	channel_post[SSH_CHANNEL_DYNAMIC] =		&channel_post_open;
-}
-
-static void
-channel_handler_init(void)
-{
-	int i;
-
-	for (i = 0; i < SSH_CHANNEL_MAX_TYPE; i++) {
-		channel_pre[i] = NULL;
-		channel_post[i] = NULL;
-	}
-	if (compat20)
-		channel_handler_init_20();
-	else if (compat13)
-		channel_handler_init_13();
-	else
-		channel_handler_init_15();
-}
-
-/* gc dead channels */
-static void
-channel_garbage_collect(Channel *c)
-{
-	if (c == NULL)
-		return;
-	if (c->detach_user != NULL) {
-		if (!chan_is_dead(c, c->detach_close))
-			return;
-		debug2("channel %d: gc: notify user", c->self);
-		c->detach_user(c->self, NULL);
-		/* if we still have a callback */
-		if (c->detach_user != NULL)
-			return;
-		debug2("channel %d: gc: user detached", c->self);
-	}
-	if (!chan_is_dead(c, 1))
-		return;
-	debug2("channel %d: garbage collecting", c->self);
-	channel_free(c);
-}
-
-static void
-channel_handler(chan_fn *ftab[], fd_set *readset, fd_set *writeset)
-{
-	static int did_init = 0;
-	u_int i;
-	Channel *c;
-
-	if (!did_init) {
-		channel_handler_init();
-		did_init = 1;
-	}
-	for (i = 0; i < channels_alloc; i++) {
-		c = channels[i];
-		if (c == NULL)
-			continue;
-		if (ftab[c->type] != NULL)
-			(*ftab[c->type])(c, readset, writeset);
-		channel_garbage_collect(c);
-	}
-}
-
-/*
- * Allocate/update select bitmasks and add any bits relevant to channels in
- * select bitmasks.
- */
-void
-channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
-    u_int *nallocp, int rekeying)
-{
-	u_int n, sz, nfdset;
-
-	n = MAX(*maxfdp, channel_max_fd);
-
-	nfdset = howmany(n+1, NFDBITS);
-	/* Explicitly test here, because xrealloc isn't always called */
-	if (nfdset && SIZE_T_MAX / nfdset < sizeof(fd_mask))
-		fatal("channel_prepare_select: max_fd (%d) is too large", n);
-	sz = nfdset * sizeof(fd_mask);
-
-	/* perhaps check sz < nalloc/2 and shrink? */
-	if (*readsetp == NULL || sz > *nallocp) {
-		*readsetp = xrealloc(*readsetp, nfdset, sizeof(fd_mask));
-		*writesetp = xrealloc(*writesetp, nfdset, sizeof(fd_mask));
-		*nallocp = sz;
-	}
-	*maxfdp = n;
-	memset(*readsetp, 0, sz);
-	memset(*writesetp, 0, sz);
-
-	if (!rekeying)
-		channel_handler(channel_pre, *readsetp, *writesetp);
-}
-
-/*
- * After select, perform any appropriate operations for channels which have
- * events pending.
- */
-void
-channel_after_select(fd_set *readset, fd_set *writeset)
-{
-	channel_handler(channel_post, readset, writeset);
-}
-
-
-/* If there is data to send to the connection, enqueue some of it now. */
-void
-channel_output_poll(void)
-{
-	Channel *c;
-	u_int i, len;
-
-	for (i = 0; i < channels_alloc; i++) {
-		c = channels[i];
-		if (c == NULL)
-			continue;
-
-		/*
-		 * We are only interested in channels that can have buffered
-		 * incoming data.
-		 */
-		if (compat13) {
-			if (c->type != SSH_CHANNEL_OPEN &&
-			    c->type != SSH_CHANNEL_INPUT_DRAINING)
-				continue;
-		} else {
-			if (c->type != SSH_CHANNEL_OPEN)
-				continue;
-		}
-		if (compat20 &&
-		    (c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) {
-			/* XXX is this true? */
-			debug3("channel %d: will not send data after close", c->self);
-			continue;
-		}
-
-		/* Get the amount of buffered data for this channel. */
-		if ((c->istate == CHAN_INPUT_OPEN ||
-		    c->istate == CHAN_INPUT_WAIT_DRAIN) &&
-		    (len = buffer_len(&c->input)) > 0) {
-			if (c->datagram) {
-				if (len > 0) {
-					u_char *data;
-					u_int dlen;
-
-					data = buffer_get_string(&c->input,
-					    &dlen);
-					packet_start(SSH2_MSG_CHANNEL_DATA);
-					packet_put_int(c->remote_id);
-					packet_put_string(data, dlen);
-					packet_send();
-					c->remote_window -= dlen + 4;
-					xfree(data);
-				}
-				continue;
-			}
-			/*
-			 * Send some data for the other side over the secure
-			 * connection.
-			 */
-			if (compat20) {
-				if (len > c->remote_window)
-					len = c->remote_window;
-				if (len > c->remote_maxpacket)
-					len = c->remote_maxpacket;
-			} else {
-				if (packet_is_interactive()) {
-					if (len > 1024)
-						len = 512;
-				} else {
-					/* Keep the packets at reasonable size. */
-					if (len > packet_get_maxsize()/2)
-						len = packet_get_maxsize()/2;
-				}
-			}
-			if (len > 0) {
-				packet_start(compat20 ?
-				    SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA);
-				packet_put_int(c->remote_id);
-				packet_put_string(buffer_ptr(&c->input), len);
-				packet_send();
-				buffer_consume(&c->input, len);
-				c->remote_window -= len;
-			}
-		} else if (c->istate == CHAN_INPUT_WAIT_DRAIN) {
-			if (compat13)
-				fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3");
-			/*
-			 * input-buffer is empty and read-socket shutdown:
-			 * tell peer, that we will not send more data: send IEOF.
-			 * hack for extended data: delay EOF if EFD still in use.
-			 */
-			if (CHANNEL_EFD_INPUT_ACTIVE(c))
-				debug2("channel %d: ibuf_empty delayed efd %d/(%d)",
-				    c->self, c->efd, buffer_len(&c->extended));
-			else
-				chan_ibuf_empty(c);
-		}
-		/* Send extended data, i.e. stderr */
-		if (compat20 &&
-		    !(c->flags & CHAN_EOF_SENT) &&
-		    c->remote_window > 0 &&
-		    (len = buffer_len(&c->extended)) > 0 &&
-		    c->extended_usage == CHAN_EXTENDED_READ) {
-			debug2("channel %d: rwin %u elen %u euse %d",
-			    c->self, c->remote_window, buffer_len(&c->extended),
-			    c->extended_usage);
-			if (len > c->remote_window)
-				len = c->remote_window;
-			if (len > c->remote_maxpacket)
-				len = c->remote_maxpacket;
-			packet_start(SSH2_MSG_CHANNEL_EXTENDED_DATA);
-			packet_put_int(c->remote_id);
-			packet_put_int(SSH2_EXTENDED_DATA_STDERR);
-			packet_put_string(buffer_ptr(&c->extended), len);
-			packet_send();
-			buffer_consume(&c->extended, len);
-			c->remote_window -= len;
-			debug2("channel %d: sent ext data %d", c->self, len);
-		}
-	}
-}
-
-
-/* -- protocol input */
-
-/* ARGSUSED */
-void
-channel_input_data(int type, u_int32_t seq, void *ctxt)
-{
-	int id;
-	char *data;
-	u_int data_len;
-	Channel *c;
-
-	/* Get the channel number and verify it. */
-	id = packet_get_int();
-	c = channel_lookup(id);
-	if (c == NULL)
-		packet_disconnect("Received data for nonexistent channel %d.", id);
-
-	/* Ignore any data for non-open channels (might happen on close) */
-	if (c->type != SSH_CHANNEL_OPEN &&
-	    c->type != SSH_CHANNEL_X11_OPEN)
-		return;
-
-	/* Get the data. */
-	data = packet_get_string(&data_len);
-
-	/*
-	 * Ignore data for protocol > 1.3 if output end is no longer open.
-	 * For protocol 2 the sending side is reducing its window as it sends
-	 * data, so we must 'fake' consumption of the data in order to ensure
-	 * that window updates are sent back.  Otherwise the connection might
-	 * deadlock.
-	 */
-	if (!compat13 && c->ostate != CHAN_OUTPUT_OPEN) {
-		if (compat20) {
-			c->local_window -= data_len;
-			c->local_consumed += data_len;
-		}
-		xfree(data);
-		return;
-	}
-
-	if (compat20) {
-		if (data_len > c->local_maxpacket) {
-			logit("channel %d: rcvd big packet %d, maxpack %d",
-			    c->self, data_len, c->local_maxpacket);
-		}
-		if (data_len > c->local_window) {
-			logit("channel %d: rcvd too much data %d, win %d",
-			    c->self, data_len, c->local_window);
-			xfree(data);
-			return;
-		}
-		c->local_window -= data_len;
-	}
-	packet_check_eom();
-	if (c->datagram)
-		buffer_put_string(&c->output, data, data_len);
-	else
-		buffer_append(&c->output, data, data_len);
-	xfree(data);
-}
-
-/* ARGSUSED */
-void
-channel_input_extended_data(int type, u_int32_t seq, void *ctxt)
-{
-	int id;
-	char *data;
-	u_int data_len, tcode;
-	Channel *c;
-
-	/* Get the channel number and verify it. */
-	id = packet_get_int();
-	c = channel_lookup(id);
-
-	if (c == NULL)
-		packet_disconnect("Received extended_data for bad channel %d.", id);
-	if (c->type != SSH_CHANNEL_OPEN) {
-		logit("channel %d: ext data for non open", id);
-		return;
-	}
-	if (c->flags & CHAN_EOF_RCVD) {
-		if (datafellows & SSH_BUG_EXTEOF)
-			debug("channel %d: accepting ext data after eof", id);
-		else
-			packet_disconnect("Received extended_data after EOF "
-			    "on channel %d.", id);
-	}
-	tcode = packet_get_int();
-	if (c->efd == -1 ||
-	    c->extended_usage != CHAN_EXTENDED_WRITE ||
-	    tcode != SSH2_EXTENDED_DATA_STDERR) {
-		logit("channel %d: bad ext data", c->self);
-		return;
-	}
-	data = packet_get_string(&data_len);
-	packet_check_eom();
-	if (data_len > c->local_window) {
-		logit("channel %d: rcvd too much extended_data %d, win %d",
-		    c->self, data_len, c->local_window);
-		xfree(data);
-		return;
-	}
-	debug2("channel %d: rcvd ext data %d", c->self, data_len);
-	c->local_window -= data_len;
-	buffer_append(&c->extended, data, data_len);
-	xfree(data);
-}
-
-/* ARGSUSED */
-void
-channel_input_ieof(int type, u_int32_t seq, void *ctxt)
-{
-	int id;
-	Channel *c;
-
-	id = packet_get_int();
-	packet_check_eom();
-	c = channel_lookup(id);
-	if (c == NULL)
-		packet_disconnect("Received ieof for nonexistent channel %d.", id);
-	chan_rcvd_ieof(c);
-
-	/* XXX force input close */
-	if (c->force_drain && c->istate == CHAN_INPUT_OPEN) {
-		debug("channel %d: FORCE input drain", c->self);
-		c->istate = CHAN_INPUT_WAIT_DRAIN;
-		if (buffer_len(&c->input) == 0)
-			chan_ibuf_empty(c);
-	}
-
-}
-
-/* ARGSUSED */
-void
-channel_input_close(int type, u_int32_t seq, void *ctxt)
-{
-	int id;
-	Channel *c;
-
-	id = packet_get_int();
-	packet_check_eom();
-	c = channel_lookup(id);
-	if (c == NULL)
-		packet_disconnect("Received close for nonexistent channel %d.", id);
-
-	/*
-	 * Send a confirmation that we have closed the channel and no more
-	 * data is coming for it.
-	 */
-	packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION);
-	packet_put_int(c->remote_id);
-	packet_send();
-
-	/*
-	 * If the channel is in closed state, we have sent a close request,
-	 * and the other side will eventually respond with a confirmation.
-	 * Thus, we cannot free the channel here, because then there would be
-	 * no-one to receive the confirmation.  The channel gets freed when
-	 * the confirmation arrives.
-	 */
-	if (c->type != SSH_CHANNEL_CLOSED) {
-		/*
-		 * Not a closed channel - mark it as draining, which will
-		 * cause it to be freed later.
-		 */
-		buffer_clear(&c->input);
-		c->type = SSH_CHANNEL_OUTPUT_DRAINING;
-	}
-}
-
-/* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */
-/* ARGSUSED */
-void
-channel_input_oclose(int type, u_int32_t seq, void *ctxt)
-{
-	int id = packet_get_int();
-	Channel *c = channel_lookup(id);
-
-	packet_check_eom();
-	if (c == NULL)
-		packet_disconnect("Received oclose for nonexistent channel %d.", id);
-	chan_rcvd_oclose(c);
-}
-
-/* ARGSUSED */
-void
-channel_input_close_confirmation(int type, u_int32_t seq, void *ctxt)
-{
-	int id = packet_get_int();
-	Channel *c = channel_lookup(id);
-
-	packet_check_eom();
-	if (c == NULL)
-		packet_disconnect("Received close confirmation for "
-		    "out-of-range channel %d.", id);
-	if (c->type != SSH_CHANNEL_CLOSED)
-		packet_disconnect("Received close confirmation for "
-		    "non-closed channel %d (type %d).", id, c->type);
-	channel_free(c);
-}
-
-/* ARGSUSED */
-void
-channel_input_open_confirmation(int type, u_int32_t seq, void *ctxt)
-{
-	int id, remote_id;
-	Channel *c;
-
-	id = packet_get_int();
-	c = channel_lookup(id);
-
-	if (c==NULL || c->type != SSH_CHANNEL_OPENING)
-		packet_disconnect("Received open confirmation for "
-		    "non-opening channel %d.", id);
-	remote_id = packet_get_int();
-	/* Record the remote channel number and mark that the channel is now open. */
-	c->remote_id = remote_id;
-	c->type = SSH_CHANNEL_OPEN;
-
-	if (compat20) {
-		c->remote_window = packet_get_int();
-		c->remote_maxpacket = packet_get_int();
-		if (c->confirm) {
-			debug2("callback start");
-			c->confirm(c->self, c->confirm_ctx);
-			debug2("callback done");
-		}
-		debug2("channel %d: open confirm rwindow %u rmax %u", c->self,
-		    c->remote_window, c->remote_maxpacket);
-	}
-	packet_check_eom();
-}
-
-static char *
-reason2txt(int reason)
-{
-	switch (reason) {
-	case SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED:
-		return "administratively prohibited";
-	case SSH2_OPEN_CONNECT_FAILED:
-		return "connect failed";
-	case SSH2_OPEN_UNKNOWN_CHANNEL_TYPE:
-		return "unknown channel type";
-	case SSH2_OPEN_RESOURCE_SHORTAGE:
-		return "resource shortage";
-	}
-	return "unknown reason";
-}
-
-/* ARGSUSED */
-void
-channel_input_open_failure(int type, u_int32_t seq, void *ctxt)
-{
-	int id, reason;
-	char *msg = NULL, *lang = NULL;
-	Channel *c;
-
-	id = packet_get_int();
-	c = channel_lookup(id);
-
-	if (c==NULL || c->type != SSH_CHANNEL_OPENING)
-		packet_disconnect("Received open failure for "
-		    "non-opening channel %d.", id);
-	if (compat20) {
-		reason = packet_get_int();
-		if (!(datafellows & SSH_BUG_OPENFAILURE)) {
-			msg  = packet_get_string(NULL);
-			lang = packet_get_string(NULL);
-		}
-		logit("channel %d: open failed: %s%s%s", id,
-		    reason2txt(reason), msg ? ": ": "", msg ? msg : "");
-		if (msg != NULL)
-			xfree(msg);
-		if (lang != NULL)
-			xfree(lang);
-	}
-	packet_check_eom();
-	/* Free the channel.  This will also close the socket. */
-	channel_free(c);
-}
-
-/* ARGSUSED */
-void
-channel_input_window_adjust(int type, u_int32_t seq, void *ctxt)
-{
-	Channel *c;
-	int id;
-	u_int adjust;
-
-	if (!compat20)
-		return;
-
-	/* Get the channel number and verify it. */
-	id = packet_get_int();
-	c = channel_lookup(id);
-
-	if (c == NULL) {
-		logit("Received window adjust for non-open channel %d.", id);
-		return;
-	}
-	adjust = packet_get_int();
-	packet_check_eom();
-	debug2("channel %d: rcvd adjust %u", id, adjust);
-	c->remote_window += adjust;
-}
-
-/* ARGSUSED */
-void
-channel_input_port_open(int type, u_int32_t seq, void *ctxt)
-{
-	Channel *c = NULL;
-	u_short host_port;
-	char *host, *originator_string;
-	int remote_id, sock = -1;
-
-	remote_id = packet_get_int();
-	host = packet_get_string(NULL);
-	host_port = packet_get_int();
-
-	if (packet_get_protocol_flags() & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) {
-		originator_string = packet_get_string(NULL);
-	} else {
-		originator_string = xstrdup("unknown (remote did not supply name)");
-	}
-	packet_check_eom();
-	sock = channel_connect_to(host, host_port);
-	if (sock != -1) {
-		c = channel_new("connected socket",
-		    SSH_CHANNEL_CONNECTING, sock, sock, -1, 0, 0, 0,
-		    originator_string, 1);
-		c->remote_id = remote_id;
-	}
-	xfree(originator_string);
-	if (c == NULL) {
-		packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
-		packet_put_int(remote_id);
-		packet_send();
-	}
-	xfree(host);
-}
-
-
-/* -- tcp forwarding */
-
-void
-channel_set_af(int af)
-{
-	IPv4or6 = af;
-}
-
-static int
-channel_setup_fwd_listener(int type, const char *listen_addr, u_short listen_port,
-    const char *host_to_connect, u_short port_to_connect, int gateway_ports)
-{
-	Channel *c;
-	int sock, r, success = 0, wildcard = 0, is_client;
-	struct addrinfo hints, *ai, *aitop;
-	const char *host, *addr;
-	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
-
-	host = (type == SSH_CHANNEL_RPORT_LISTENER) ?
-	    listen_addr : host_to_connect;
-	is_client = (type == SSH_CHANNEL_PORT_LISTENER);
-
-	if (host == NULL) {
-		error("No forward host name.");
-		return 0;
-	}
-	if (strlen(host) > SSH_CHANNEL_PATH_LEN - 1) {
-		error("Forward host name too long.");
-		return 0;
-	}
-
-	/*
-	 * Determine whether or not a port forward listens to loopback,
-	 * specified address or wildcard. On the client, a specified bind
-	 * address will always override gateway_ports. On the server, a
-	 * gateway_ports of 1 (``yes'') will override the client's
-	 * specification and force a wildcard bind, whereas a value of 2
-	 * (``clientspecified'') will bind to whatever address the client
-	 * asked for.
-	 *
-	 * Special-case listen_addrs are:
-	 *
-	 * "0.0.0.0"               -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR
-	 * "" (empty string), "*"  -> wildcard v4/v6
-	 * "localhost"             -> loopback v4/v6
-	 */
-	addr = NULL;
-	if (listen_addr == NULL) {
-		/* No address specified: default to gateway_ports setting */
-		if (gateway_ports)
-			wildcard = 1;
-	} else if (gateway_ports || is_client) {
-		if (((datafellows & SSH_OLD_FORWARD_ADDR) &&
-		    strcmp(listen_addr, "0.0.0.0") == 0) ||
-		    *listen_addr == '\0' || strcmp(listen_addr, "*") == 0 ||
-		    (!is_client && gateway_ports == 1))
-			wildcard = 1;
-		else if (strcmp(listen_addr, "localhost") != 0)
-			addr = listen_addr;
-	}
-
-	debug3("channel_setup_fwd_listener: type %d wildcard %d addr %s",
-	    type, wildcard, (addr == NULL) ? "NULL" : addr);
-
-	/*
-	 * getaddrinfo returns a loopback address if the hostname is
-	 * set to NULL and hints.ai_flags is not AI_PASSIVE
-	 */
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_family = IPv4or6;
-	hints.ai_flags = wildcard ? AI_PASSIVE : 0;
-	hints.ai_socktype = SOCK_STREAM;
-	snprintf(strport, sizeof strport, "%d", listen_port);
-	if ((r = getaddrinfo(addr, strport, &hints, &aitop)) != 0) {
-		if (addr == NULL) {
-			/* This really shouldn't happen */
-			packet_disconnect("getaddrinfo: fatal error: %s",
-			    gai_strerror(r));
-		} else {
-			error("channel_setup_fwd_listener: "
-			    "getaddrinfo(%.64s): %s", addr, gai_strerror(r));
-		}
-		return 0;
-	}
-
-	for (ai = aitop; ai; ai = ai->ai_next) {
-		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-			continue;
-		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
-		    strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
-			error("channel_setup_fwd_listener: getnameinfo failed");
-			continue;
-		}
-		/* Create a port to listen for the host. */
-		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
-		if (sock < 0) {
-			/* this is no error since kernel may not support ipv6 */
-			verbose("socket: %.100s", strerror(errno));
-			continue;
-		}
-
-		channel_set_reuseaddr(sock);
-
-		debug("Local forwarding listening on %s port %s.", ntop, strport);
-
-		/* Bind the socket to the address. */
-		if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
-			/* address can be in use ipv6 address is already bound */
-			if (!ai->ai_next)
-				error("bind: %.100s", strerror(errno));
-			else
-				verbose("bind: %.100s", strerror(errno));
-
-			close(sock);
-			continue;
-		}
-		/* Start listening for connections on the socket. */
-		if (listen(sock, SSH_LISTEN_BACKLOG) < 0) {
-			error("listen: %.100s", strerror(errno));
-			close(sock);
-			continue;
-		}
-		/* Allocate a channel number for the socket. */
-		c = channel_new("port listener", type, sock, sock, -1,
-		    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
-		    0, "port listener", 1);
-		strlcpy(c->path, host, sizeof(c->path));
-		c->host_port = port_to_connect;
-		c->listening_port = listen_port;
-		success = 1;
-	}
-	if (success == 0)
-		error("channel_setup_fwd_listener: cannot listen to port: %d",
-		    listen_port);
-	freeaddrinfo(aitop);
-	return success;
-}
-
-int
-channel_cancel_rport_listener(const char *host, u_short port)
-{
-	u_int i;
-	int found = 0;
-
-	for (i = 0; i < channels_alloc; i++) {
-		Channel *c = channels[i];
-
-		if (c != NULL && c->type == SSH_CHANNEL_RPORT_LISTENER &&
-		    strncmp(c->path, host, sizeof(c->path)) == 0 &&
-		    c->listening_port == port) {
-			debug2("%s: close channel %d", __func__, i);
-			channel_free(c);
-			found = 1;
-		}
-	}
-
-	return (found);
-}
-
-/* protocol local port fwd, used by ssh (and sshd in v1) */
-int
-channel_setup_local_fwd_listener(const char *listen_host, u_short listen_port,
-    const char *host_to_connect, u_short port_to_connect, int gateway_ports)
-{
-	return channel_setup_fwd_listener(SSH_CHANNEL_PORT_LISTENER,
-	    listen_host, listen_port, host_to_connect, port_to_connect,
-	    gateway_ports);
-}
-
-/* protocol v2 remote port fwd, used by sshd */
-int
-channel_setup_remote_fwd_listener(const char *listen_address,
-    u_short listen_port, int gateway_ports)
-{
-	return channel_setup_fwd_listener(SSH_CHANNEL_RPORT_LISTENER,
-	    listen_address, listen_port, NULL, 0, gateway_ports);
-}
-
-/*
- * Initiate forwarding of connections to port "port" on remote host through
- * the secure channel to host:port from local side.
- */
-
-int
-channel_request_remote_forwarding(const char *listen_host, u_short listen_port,
-    const char *host_to_connect, u_short port_to_connect)
-{
-	int type, success = 0;
-
-	/* Record locally that connection to this host/port is permitted. */
-	if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
-		fatal("channel_request_remote_forwarding: too many forwards");
-
-	/* Send the forward request to the remote side. */
-	if (compat20) {
-		const char *address_to_bind;
-		if (listen_host == NULL)
-			address_to_bind = "localhost";
-		else if (*listen_host == '\0' || strcmp(listen_host, "*") == 0)
-			address_to_bind = "";
-		else
-			address_to_bind = listen_host;
-
-		packet_start(SSH2_MSG_GLOBAL_REQUEST);
-		packet_put_cstring("tcpip-forward");
-		packet_put_char(1);			/* boolean: want reply */
-		packet_put_cstring(address_to_bind);
-		packet_put_int(listen_port);
-		packet_send();
-		packet_write_wait();
-		/* Assume that server accepts the request */
-		success = 1;
-	} else {
-		packet_start(SSH_CMSG_PORT_FORWARD_REQUEST);
-		packet_put_int(listen_port);
-		packet_put_cstring(host_to_connect);
-		packet_put_int(port_to_connect);
-		packet_send();
-		packet_write_wait();
-
-		/* Wait for response from the remote side. */
-		type = packet_read();
-		switch (type) {
-		case SSH_SMSG_SUCCESS:
-			success = 1;
-			break;
-		case SSH_SMSG_FAILURE:
-			break;
-		default:
-			/* Unknown packet */
-			packet_disconnect("Protocol error for port forward request:"
-			    "received packet type %d.", type);
-		}
-	}
-	if (success) {
-		permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect);
-		permitted_opens[num_permitted_opens].port_to_connect = port_to_connect;
-		permitted_opens[num_permitted_opens].listen_port = listen_port;
-		num_permitted_opens++;
-	}
-	return (success ? 0 : -1);
-}
-
-/*
- * Request cancellation of remote forwarding of connection host:port from
- * local side.
- */
-void
-channel_request_rforward_cancel(const char *host, u_short port)
-{
-	int i;
-
-	if (!compat20)
-		return;
-
-	for (i = 0; i < num_permitted_opens; i++) {
-		if (permitted_opens[i].host_to_connect != NULL &&
-		    permitted_opens[i].listen_port == port)
-			break;
-	}
-	if (i >= num_permitted_opens) {
-		debug("%s: requested forward not found", __func__);
-		return;
-	}
-	packet_start(SSH2_MSG_GLOBAL_REQUEST);
-	packet_put_cstring("cancel-tcpip-forward");
-	packet_put_char(0);
-	packet_put_cstring(host == NULL ? "" : host);
-	packet_put_int(port);
-	packet_send();
-
-	permitted_opens[i].listen_port = 0;
-	permitted_opens[i].port_to_connect = 0;
-	xfree(permitted_opens[i].host_to_connect);
-	permitted_opens[i].host_to_connect = NULL;
-}
-
-/*
- * This is called after receiving CHANNEL_FORWARDING_REQUEST.  This initates
- * listening for the port, and sends back a success reply (or disconnect
- * message if there was an error).
- */
-int
-channel_input_port_forward_request(int is_root, int gateway_ports)
-{
-	u_short port, host_port;
-	int success = 0;
-	char *hostname;
-
-	/* Get arguments from the packet. */
-	port = packet_get_int();
-	hostname = packet_get_string(NULL);
-	host_port = packet_get_int();
-
-#ifndef HAVE_CYGWIN
-	/*
-	 * Check that an unprivileged user is not trying to forward a
-	 * privileged port.
-	 */
-	if (port < IPPORT_RESERVED && !is_root)
-		packet_disconnect(
-		    "Requested forwarding of port %d but user is not root.",
-		    port);
-	if (host_port == 0)
-		packet_disconnect("Dynamic forwarding denied.");
-#endif
-
-	/* Initiate forwarding */
-	success = channel_setup_local_fwd_listener(NULL, port, hostname,
-	    host_port, gateway_ports);
-
-	/* Free the argument string. */
-	xfree(hostname);
-
-	return (success ? 0 : -1);
-}
-
-/*
- * Permits opening to any host/port if permitted_opens[] is empty.  This is
- * usually called by the server, because the user could connect to any port
- * anyway, and the server has no way to know but to trust the client anyway.
- */
-void
-channel_permit_all_opens(void)
-{
-	if (num_permitted_opens == 0)
-		all_opens_permitted = 1;
-}
-
-void
-channel_add_permitted_opens(char *host, int port)
-{
-	if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
-		fatal("channel_add_permitted_opens: too many forwards");
-	debug("allow port forwarding to host %s port %d", host, port);
-
-	permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host);
-	permitted_opens[num_permitted_opens].port_to_connect = port;
-	num_permitted_opens++;
-
-	all_opens_permitted = 0;
-}
-
-int
-channel_add_adm_permitted_opens(char *host, int port)
-{
-	if (num_adm_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
-		fatal("channel_add_adm_permitted_opens: too many forwards");
-	debug("config allows port forwarding to host %s port %d", host, port);
-
-	permitted_adm_opens[num_adm_permitted_opens].host_to_connect
-	     = xstrdup(host);
-	permitted_adm_opens[num_adm_permitted_opens].port_to_connect = port;
-	return ++num_adm_permitted_opens;
-}
-
-void
-channel_clear_permitted_opens(void)
-{
-	int i;
-
-	for (i = 0; i < num_permitted_opens; i++)
-		if (permitted_opens[i].host_to_connect != NULL)
-			xfree(permitted_opens[i].host_to_connect);
-	num_permitted_opens = 0;
-}
-
-void
-channel_clear_adm_permitted_opens(void)
-{
-	int i;
-
-	for (i = 0; i < num_adm_permitted_opens; i++)
-		if (permitted_adm_opens[i].host_to_connect != NULL)
-			xfree(permitted_adm_opens[i].host_to_connect);
-	num_adm_permitted_opens = 0;
-}
-
-/* return socket to remote host, port */
-static int
-connect_to(const char *host, u_short port)
-{
-	struct addrinfo hints, *ai, *aitop;
-	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
-	int gaierr;
-	int sock = -1;
-
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_family = IPv4or6;
-	hints.ai_socktype = SOCK_STREAM;
-	snprintf(strport, sizeof strport, "%d", port);
-	if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) {
-		error("connect_to %.100s: unknown host (%s)", host,
-		    gai_strerror(gaierr));
-		return -1;
-	}
-	for (ai = aitop; ai; ai = ai->ai_next) {
-		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-			continue;
-		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
-		    strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
-			error("connect_to: getnameinfo failed");
-			continue;
-		}
-		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
-		if (sock < 0) {
-			if (ai->ai_next == NULL)
-				error("socket: %.100s", strerror(errno));
-			else
-				verbose("socket: %.100s", strerror(errno));
-			continue;
-		}
-		if (set_nonblock(sock) == -1)
-			fatal("%s: set_nonblock(%d)", __func__, sock);
-		if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0 &&
-		    errno != EINPROGRESS) {
-			error("connect_to %.100s port %s: %.100s", ntop, strport,
-			    strerror(errno));
-			close(sock);
-			continue;	/* fail -- try next */
-		}
-		break; /* success */
-
-	}
-	freeaddrinfo(aitop);
-	if (!ai) {
-		error("connect_to %.100s port %d: failed.", host, port);
-		return -1;
-	}
-	/* success */
-	set_nodelay(sock);
-	return sock;
-}
-
-int
-channel_connect_by_listen_address(u_short listen_port)
-{
-	int i;
-
-	for (i = 0; i < num_permitted_opens; i++)
-		if (permitted_opens[i].host_to_connect != NULL &&
-		    permitted_opens[i].listen_port == listen_port)
-			return connect_to(
-			    permitted_opens[i].host_to_connect,
-			    permitted_opens[i].port_to_connect);
-	error("WARNING: Server requests forwarding for unknown listen_port %d",
-	    listen_port);
-	return -1;
-}
-
-/* Check if connecting to that port is permitted and connect. */
-int
-channel_connect_to(const char *host, u_short port)
-{
-	int i, permit, permit_adm = 1;
-
-	permit = all_opens_permitted;
-	if (!permit) {
-		for (i = 0; i < num_permitted_opens; i++)
-			if (permitted_opens[i].host_to_connect != NULL &&
-			    permitted_opens[i].port_to_connect == port &&
-			    strcmp(permitted_opens[i].host_to_connect, host) == 0)
-				permit = 1;
-	}
-
-	if (num_adm_permitted_opens > 0) {
-		permit_adm = 0;
-		for (i = 0; i < num_adm_permitted_opens; i++)
-			if (permitted_adm_opens[i].host_to_connect != NULL &&
-			    permitted_adm_opens[i].port_to_connect == port &&
-			    strcmp(permitted_adm_opens[i].host_to_connect, host)
-			    == 0)
-				permit_adm = 1;
-	}
-
-	if (!permit || !permit_adm) {
-		logit("Received request to connect to host %.100s port %d, "
-		    "but the request was denied.", host, port);
-		return -1;
-	}
-	return connect_to(host, port);
-}
-
-void
-channel_send_window_changes(void)
-{
-	u_int i;
-	struct winsize ws;
-
-	for (i = 0; i < channels_alloc; i++) {
-		if (channels[i] == NULL || !channels[i]->client_tty ||
-		    channels[i]->type != SSH_CHANNEL_OPEN)
-			continue;
-		if (ioctl(channels[i]->rfd, TIOCGWINSZ, &ws) < 0)
-			continue;
-		channel_request_start(i, "window-change", 0);
-		packet_put_int((u_int)ws.ws_col);
-		packet_put_int((u_int)ws.ws_row);
-		packet_put_int((u_int)ws.ws_xpixel);
-		packet_put_int((u_int)ws.ws_ypixel);
-		packet_send();
-	}
-}
-
-/* -- X11 forwarding */
-
-/*
- * Creates an internet domain socket for listening for X11 connections.
- * Returns 0 and a suitable display number for the DISPLAY variable
- * stored in display_numberp , or -1 if an error occurs.
- */
-int
-x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
-    int single_connection, u_int *display_numberp, int **chanids)
-{
-	Channel *nc = NULL;
-	int display_number, sock;
-	u_short port;
-	struct addrinfo hints, *ai, *aitop;
-	char strport[NI_MAXSERV];
-	int gaierr, n, num_socks = 0, socks[NUM_SOCKS];
-
-	if (chanids == NULL)
-		return -1;
-
-	for (display_number = x11_display_offset;
-	    display_number < MAX_DISPLAYS;
-	    display_number++) {
-		port = 6000 + display_number;
-		memset(&hints, 0, sizeof(hints));
-		hints.ai_family = IPv4or6;
-		hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
-		hints.ai_socktype = SOCK_STREAM;
-		snprintf(strport, sizeof strport, "%d", port);
-		if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
-			error("getaddrinfo: %.100s", gai_strerror(gaierr));
-			return -1;
-		}
-		for (ai = aitop; ai; ai = ai->ai_next) {
-			if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-				continue;
-			sock = socket(ai->ai_family, ai->ai_socktype,
-			    ai->ai_protocol);
-			if (sock < 0) {
-				if ((errno != EINVAL) && (errno != EAFNOSUPPORT)) {
-					error("socket: %.100s", strerror(errno));
-					freeaddrinfo(aitop);
-					return -1;
-				} else {
-					debug("x11_create_display_inet: Socket family %d not supported",
-						 ai->ai_family);
-					continue;
-				}
-			}
-#ifdef IPV6_V6ONLY
-			if (ai->ai_family == AF_INET6) {
-				int on = 1;
-				if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0)
-					error("setsockopt IPV6_V6ONLY: %.100s", strerror(errno));
-			}
-#endif
-			channel_set_reuseaddr(sock);
-			if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
-				debug2("bind port %d: %.100s", port, strerror(errno));
-				close(sock);
-
-				if (ai->ai_next)
-					continue;
-
-				for (n = 0; n < num_socks; n++) {
-					close(socks[n]);
-				}
-				num_socks = 0;
-				break;
-			}
-			socks[num_socks++] = sock;
-#ifndef DONT_TRY_OTHER_AF
-			if (num_socks == NUM_SOCKS)
-				break;
-#else
-			if (x11_use_localhost) {
-				if (num_socks == NUM_SOCKS)
-					break;
-			} else {
-				break;
-			}
-#endif
-		}
-		freeaddrinfo(aitop);
-		if (num_socks > 0)
-			break;
-	}
-	if (display_number >= MAX_DISPLAYS) {
-		error("Failed to allocate internet-domain X11 display socket.");
-		return -1;
-	}
-	/* Start listening for connections on the socket. */
-	for (n = 0; n < num_socks; n++) {
-		sock = socks[n];
-		if (listen(sock, SSH_LISTEN_BACKLOG) < 0) {
-			error("listen: %.100s", strerror(errno));
-			close(sock);
-			return -1;
-		}
-	}
-
-	/* Allocate a channel for each socket. */
-	*chanids = xcalloc(num_socks + 1, sizeof(**chanids));
-	for (n = 0; n < num_socks; n++) {
-		sock = socks[n];
-		nc = channel_new("x11 listener",
-		    SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
-		    CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
-		    0, "X11 inet listener", 1);
-		nc->single_connection = single_connection;
-		(*chanids)[n] = nc->self;
-	}
-	(*chanids)[n] = -1;
-
-	/* Return the display number for the DISPLAY environment variable. */
-	*display_numberp = display_number;
-	return (0);
-}
-
-static int
-connect_local_xsocket(u_int dnr)
-{
-	int sock;
-	struct sockaddr_un addr;
-
-	sock = socket(AF_UNIX, SOCK_STREAM, 0);
-	if (sock < 0)
-		error("socket: %.100s", strerror(errno));
-	memset(&addr, 0, sizeof(addr));
-	addr.sun_family = AF_UNIX;
-	snprintf(addr.sun_path, sizeof addr.sun_path, _PATH_UNIX_X, dnr);
-	if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0)
-		return sock;
-	close(sock);
-	error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
-	return -1;
-}
-
-int
-x11_connect_display(void)
-{
-	u_int display_number;
-	const char *display;
-	char buf[1024], *cp;
-	struct addrinfo hints, *ai, *aitop;
-	char strport[NI_MAXSERV];
-	int gaierr, sock = 0;
-
-	/* Try to open a socket for the local X server. */
-	display = getenv("DISPLAY");
-	if (!display) {
-		error("DISPLAY not set.");
-		return -1;
-	}
-	/*
-	 * Now we decode the value of the DISPLAY variable and make a
-	 * connection to the real X server.
-	 */
-
-	/*
-	 * Check if it is a unix domain socket.  Unix domain displays are in
-	 * one of the following formats: unix:d[.s], :d[.s], ::d[.s]
-	 */
-	if (strncmp(display, "unix:", 5) == 0 ||
-	    display[0] == ':') {
-		/* Connect to the unix domain socket. */
-		if (sscanf(strrchr(display, ':') + 1, "%u", &display_number) != 1) {
-			error("Could not parse display number from DISPLAY: %.100s",
-			    display);
-			return -1;
-		}
-		/* Create a socket. */
-		sock = connect_local_xsocket(display_number);
-		if (sock < 0)
-			return -1;
-
-		/* OK, we now have a connection to the display. */
-		return sock;
-	}
-	/*
-	 * Connect to an inet socket.  The DISPLAY value is supposedly
-	 * hostname:d[.s], where hostname may also be numeric IP address.
-	 */
-	strlcpy(buf, display, sizeof(buf));
-	cp = strchr(buf, ':');
-	if (!cp) {
-		error("Could not find ':' in DISPLAY: %.100s", display);
-		return -1;
-	}
-	*cp = 0;
-	/* buf now contains the host name.  But first we parse the display number. */
-	if (sscanf(cp + 1, "%u", &display_number) != 1) {
-		error("Could not parse display number from DISPLAY: %.100s",
-		    display);
-		return -1;
-	}
-
-	/* Look up the host address */
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_family = IPv4or6;
-	hints.ai_socktype = SOCK_STREAM;
-	snprintf(strport, sizeof strport, "%u", 6000 + display_number);
-	if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
-		error("%.100s: unknown host. (%s)", buf, gai_strerror(gaierr));
-		return -1;
-	}
-	for (ai = aitop; ai; ai = ai->ai_next) {
-		/* Create a socket. */
-		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
-		if (sock < 0) {
-			debug2("socket: %.100s", strerror(errno));
-			continue;
-		}
-		/* Connect it to the display. */
-		if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
-			debug2("connect %.100s port %u: %.100s", buf,
-			    6000 + display_number, strerror(errno));
-			close(sock);
-			continue;
-		}
-		/* Success */
-		break;
-	}
-	freeaddrinfo(aitop);
-	if (!ai) {
-		error("connect %.100s port %u: %.100s", buf, 6000 + display_number,
-		    strerror(errno));
-		return -1;
-	}
-	set_nodelay(sock);
-	return sock;
-}
-
-/*
- * This is called when SSH_SMSG_X11_OPEN is received.  The packet contains
- * the remote channel number.  We should do whatever we want, and respond
- * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE.
- */
-
-/* ARGSUSED */
-void
-x11_input_open(int type, u_int32_t seq, void *ctxt)
-{
-	Channel *c = NULL;
-	int remote_id, sock = 0;
-	char *remote_host;
-
-	debug("Received X11 open request.");
-
-	remote_id = packet_get_int();
-
-	if (packet_get_protocol_flags() & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) {
-		remote_host = packet_get_string(NULL);
-	} else {
-		remote_host = xstrdup("unknown (remote did not supply name)");
-	}
-	packet_check_eom();
-
-	/* Obtain a connection to the real X display. */
-	sock = x11_connect_display();
-	if (sock != -1) {
-		/* Allocate a channel for this connection. */
-		c = channel_new("connected x11 socket",
-		    SSH_CHANNEL_X11_OPEN, sock, sock, -1, 0, 0, 0,
-		    remote_host, 1);
-		c->remote_id = remote_id;
-		c->force_drain = 1;
-	}
-	xfree(remote_host);
-	if (c == NULL) {
-		/* Send refusal to the remote host. */
-		packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
-		packet_put_int(remote_id);
-	} else {
-		/* Send a confirmation to the remote host. */
-		packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
-		packet_put_int(remote_id);
-		packet_put_int(c->self);
-	}
-	packet_send();
-}
-
-/* dummy protocol handler that denies SSH-1 requests (agent/x11) */
-/* ARGSUSED */
-void
-deny_input_open(int type, u_int32_t seq, void *ctxt)
-{
-	int rchan = packet_get_int();
-
-	switch (type) {
-	case SSH_SMSG_AGENT_OPEN:
-		error("Warning: ssh server tried agent forwarding.");
-		break;
-	case SSH_SMSG_X11_OPEN:
-		error("Warning: ssh server tried X11 forwarding.");
-		break;
-	default:
-		error("deny_input_open: type %d", type);
-		break;
-	}
-	error("Warning: this is probably a break-in attempt by a malicious server.");
-	packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
-	packet_put_int(rchan);
-	packet_send();
-}
-
-/*
- * Requests forwarding of X11 connections, generates fake authentication
- * data, and enables authentication spoofing.
- * This should be called in the client only.
- */
-void
-x11_request_forwarding_with_spoofing(int client_session_id, const char *disp,
-    const char *proto, const char *data)
-{
-	u_int data_len = (u_int) strlen(data) / 2;
-	u_int i, value;
-	char *new_data;
-	int screen_number;
-	const char *cp;
-	u_int32_t rnd = 0;
-
-	if (x11_saved_display == NULL)
-		x11_saved_display = xstrdup(disp);
-	else if (strcmp(disp, x11_saved_display) != 0) {
-		error("x11_request_forwarding_with_spoofing: different "
-		    "$DISPLAY already forwarded");
-		return;
-	}
-
-	cp = strchr(disp, ':');
-	if (cp)
-		cp = strchr(cp, '.');
-	if (cp)
-		screen_number = (u_int)strtonum(cp + 1, 0, 400, NULL);
-	else
-		screen_number = 0;
-
-	if (x11_saved_proto == NULL) {
-		/* Save protocol name. */
-		x11_saved_proto = xstrdup(proto);
-		/*
-		 * Extract real authentication data and generate fake data
-		 * of the same length.
-		 */
-		x11_saved_data = xmalloc(data_len);
-		x11_fake_data = xmalloc(data_len);
-		for (i = 0; i < data_len; i++) {
-			if (sscanf(data + 2 * i, "%2x", &value) != 1)
-				fatal("x11_request_forwarding: bad "
-				    "authentication data: %.100s", data);
-			if (i % 4 == 0)
-				rnd = arc4random();
-			x11_saved_data[i] = value;
-			x11_fake_data[i] = rnd & 0xff;
-			rnd >>= 8;
-		}
-		x11_saved_data_len = data_len;
-		x11_fake_data_len = data_len;
-	}
-
-	/* Convert the fake data into hex. */
-	new_data = tohex(x11_fake_data, data_len);
-
-	/* Send the request packet. */
-	if (compat20) {
-		channel_request_start(client_session_id, "x11-req", 0);
-		packet_put_char(0);	/* XXX bool single connection */
-	} else {
-		packet_start(SSH_CMSG_X11_REQUEST_FORWARDING);
-	}
-	packet_put_cstring(proto);
-	packet_put_cstring(new_data);
-	packet_put_int(screen_number);
-	packet_send();
-	packet_write_wait();
-	xfree(new_data);
-}
-
-
-/* -- agent forwarding */
-
-/* Sends a message to the server to request authentication fd forwarding. */
-
-void
-auth_request_forwarding(void)
-{
-	packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING);
-	packet_send();
-	packet_write_wait();
-}
diff --git a/crypto/openssh/channels.h b/crypto/openssh/channels.h
deleted file mode 100644
index 2674f09..0000000
--- a/crypto/openssh/channels.h
+++ /dev/null
@@ -1,250 +0,0 @@
-/* $OpenBSD: channels.h,v 1.88 2006/08/03 03:34:42 deraadt Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-/*
- * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef CHANNEL_H
-#define CHANNEL_H
-
-/* Definitions for channel types. */
-#define SSH_CHANNEL_X11_LISTENER	1	/* Listening for inet X11 conn. */
-#define SSH_CHANNEL_PORT_LISTENER	2	/* Listening on a port. */
-#define SSH_CHANNEL_OPENING		3	/* waiting for confirmation */
-#define SSH_CHANNEL_OPEN		4	/* normal open two-way channel */
-#define SSH_CHANNEL_CLOSED		5	/* waiting for close confirmation */
-#define SSH_CHANNEL_AUTH_SOCKET		6	/* authentication socket */
-#define SSH_CHANNEL_X11_OPEN		7	/* reading first X11 packet */
-#define SSH_CHANNEL_INPUT_DRAINING	8	/* sending remaining data to conn */
-#define SSH_CHANNEL_OUTPUT_DRAINING	9	/* sending remaining data to app */
-#define SSH_CHANNEL_LARVAL		10	/* larval session */
-#define SSH_CHANNEL_RPORT_LISTENER	11	/* Listening to a R-style port  */
-#define SSH_CHANNEL_CONNECTING		12
-#define SSH_CHANNEL_DYNAMIC		13
-#define SSH_CHANNEL_ZOMBIE		14	/* Almost dead. */
-#define SSH_CHANNEL_MAX_TYPE		15
-
-#define SSH_CHANNEL_PATH_LEN		256
-
-struct Channel;
-typedef struct Channel Channel;
-
-typedef void channel_callback_fn(int, void *);
-typedef int channel_infilter_fn(struct Channel *, char *, int);
-typedef u_char *channel_outfilter_fn(struct Channel *, u_char **, u_int *);
-
-struct Channel {
-	int     type;		/* channel type/state */
-	int     self;		/* my own channel identifier */
-	int     remote_id;	/* channel identifier for remote peer */
-	u_int   istate;		/* input from channel (state of receive half) */
-	u_int   ostate;		/* output to channel  (state of transmit half) */
-	int     flags;		/* close sent/rcvd */
-	int     rfd;		/* read fd */
-	int     wfd;		/* write fd */
-	int     efd;		/* extended fd */
-	int     sock;		/* sock fd */
-	int     ctl_fd;		/* control fd (client sharing) */
-	int     isatty;		/* rfd is a tty */
-	int     wfd_isatty;	/* wfd is a tty */
-	int	client_tty;	/* (client) TTY has been requested */
-	int     force_drain;	/* force close on iEOF */
-	int     delayed;		/* fdset hack */
-	Buffer  input;		/* data read from socket, to be sent over
-				 * encrypted connection */
-	Buffer  output;		/* data received over encrypted connection for
-				 * send on socket */
-	Buffer  extended;
-	char    path[SSH_CHANNEL_PATH_LEN];
-		/* path for unix domain sockets, or host name for forwards */
-	int     listening_port;	/* port being listened for forwards */
-	int     host_port;	/* remote port to connect for forwards */
-	char   *remote_name;	/* remote hostname */
-
-	u_int	remote_window;
-	u_int	remote_maxpacket;
-	u_int	local_window;
-	u_int	local_window_max;
-	u_int	local_consumed;
-	u_int	local_maxpacket;
-	int     extended_usage;
-	int	single_connection;
-
-	char   *ctype;		/* type */
-
-	/* callback */
-	channel_callback_fn	*confirm;
-	void			*confirm_ctx;
-	channel_callback_fn	*detach_user;
-	int			detach_close;
-
-	/* filter */
-	channel_infilter_fn	*input_filter;
-	channel_outfilter_fn	*output_filter;
-
-	int     datagram;	/* keep boundaries */
-};
-
-#define CHAN_EXTENDED_IGNORE		0
-#define CHAN_EXTENDED_READ		1
-#define CHAN_EXTENDED_WRITE		2
-
-/* default window/packet sizes for tcp/x11-fwd-channel */
-#define CHAN_SES_PACKET_DEFAULT	(32*1024)
-#define CHAN_SES_WINDOW_DEFAULT	(4*CHAN_SES_PACKET_DEFAULT)
-#define CHAN_TCP_PACKET_DEFAULT	(32*1024)
-#define CHAN_TCP_WINDOW_DEFAULT	(4*CHAN_TCP_PACKET_DEFAULT)
-#define CHAN_X11_PACKET_DEFAULT	(16*1024)
-#define CHAN_X11_WINDOW_DEFAULT	(4*CHAN_X11_PACKET_DEFAULT)
-
-/* possible input states */
-#define CHAN_INPUT_OPEN			0
-#define CHAN_INPUT_WAIT_DRAIN		1
-#define CHAN_INPUT_WAIT_OCLOSE		2
-#define CHAN_INPUT_CLOSED		3
-
-/* possible output states */
-#define CHAN_OUTPUT_OPEN		0
-#define CHAN_OUTPUT_WAIT_DRAIN		1
-#define CHAN_OUTPUT_WAIT_IEOF		2
-#define CHAN_OUTPUT_CLOSED		3
-
-#define CHAN_CLOSE_SENT			0x01
-#define CHAN_CLOSE_RCVD			0x02
-#define CHAN_EOF_SENT			0x04
-#define CHAN_EOF_RCVD			0x08
-
-#define CHAN_RBUF	16*1024
-
-/* check whether 'efd' is still in use */
-#define CHANNEL_EFD_INPUT_ACTIVE(c) \
-	(compat20 && c->extended_usage == CHAN_EXTENDED_READ && \
-	(c->efd != -1 || \
-	buffer_len(&c->extended) > 0))
-#define CHANNEL_EFD_OUTPUT_ACTIVE(c) \
-	(compat20 && c->extended_usage == CHAN_EXTENDED_WRITE && \
-	c->efd != -1 && (!(c->flags & (CHAN_EOF_RCVD|CHAN_CLOSE_RCVD)) || \
-	buffer_len(&c->extended) > 0))
-
-/* channel management */
-
-Channel	*channel_by_id(int);
-Channel	*channel_lookup(int);
-Channel *channel_new(char *, int, int, int, int, u_int, u_int, int, char *, int);
-void	 channel_set_fds(int, int, int, int, int, int, u_int);
-void	 channel_free(Channel *);
-void	 channel_free_all(void);
-void	 channel_stop_listening(void);
-
-void	 channel_send_open(int);
-void	 channel_request_start(int, char *, int);
-void	 channel_register_cleanup(int, channel_callback_fn *, int);
-void	 channel_register_confirm(int, channel_callback_fn *, void *);
-void	 channel_register_filter(int, channel_infilter_fn *, channel_outfilter_fn *);
-void	 channel_cancel_cleanup(int);
-int	 channel_close_fd(int *);
-void	 channel_send_window_changes(void);
-
-/* protocol handler */
-
-void	 channel_input_close(int, u_int32_t, void *);
-void	 channel_input_close_confirmation(int, u_int32_t, void *);
-void	 channel_input_data(int, u_int32_t, void *);
-void	 channel_input_extended_data(int, u_int32_t, void *);
-void	 channel_input_ieof(int, u_int32_t, void *);
-void	 channel_input_oclose(int, u_int32_t, void *);
-void	 channel_input_open_confirmation(int, u_int32_t, void *);
-void	 channel_input_open_failure(int, u_int32_t, void *);
-void	 channel_input_port_open(int, u_int32_t, void *);
-void	 channel_input_window_adjust(int, u_int32_t, void *);
-
-/* file descriptor handling (read/write) */
-
-void	 channel_prepare_select(fd_set **, fd_set **, int *, u_int*, int);
-void     channel_after_select(fd_set *, fd_set *);
-void     channel_output_poll(void);
-
-int      channel_not_very_much_buffered_data(void);
-void     channel_close_all(void);
-int      channel_still_open(void);
-char	*channel_open_message(void);
-int	 channel_find_open(void);
-
-/* tcp forwarding */
-void	 channel_set_af(int af);
-void     channel_permit_all_opens(void);
-void	 channel_add_permitted_opens(char *, int);
-int	 channel_add_adm_permitted_opens(char *, int);
-void	 channel_clear_permitted_opens(void);
-void	 channel_clear_adm_permitted_opens(void);
-int      channel_input_port_forward_request(int, int);
-int	 channel_connect_to(const char *, u_short);
-int	 channel_connect_by_listen_address(u_short);
-int	 channel_request_remote_forwarding(const char *, u_short,
-	     const char *, u_short);
-int	 channel_setup_local_fwd_listener(const char *, u_short,
-	     const char *, u_short, int);
-void	 channel_request_rforward_cancel(const char *host, u_short port);
-int	 channel_setup_remote_fwd_listener(const char *, u_short, int);
-int	 channel_cancel_rport_listener(const char *, u_short);
-
-/* x11 forwarding */
-
-int	 x11_connect_display(void);
-int	 x11_create_display_inet(int, int, int, u_int *, int **);
-void     x11_input_open(int, u_int32_t, void *);
-void	 x11_request_forwarding_with_spoofing(int, const char *, const char *,
-	    const char *);
-void	 deny_input_open(int, u_int32_t, void *);
-
-/* agent forwarding */
-
-void	 auth_request_forwarding(void);
-
-/* channel close */
-
-int	 chan_is_dead(Channel *, int);
-void	 chan_mark_dead(Channel *);
-
-/* channel events */
-
-void	 chan_rcvd_oclose(Channel *);
-void	 chan_read_failed(Channel *);
-void	 chan_ibuf_empty(Channel *);
-
-void	 chan_rcvd_ieof(Channel *);
-void	 chan_write_failed(Channel *);
-void	 chan_obuf_empty(Channel *);
-
-#endif
diff --git a/crypto/openssh/cipher-3des1.c b/crypto/openssh/cipher-3des1.c
deleted file mode 100644
index fc16e20..0000000
--- a/crypto/openssh/cipher-3des1.c
+++ /dev/null
@@ -1,184 +0,0 @@
-/* $OpenBSD: cipher-3des1.c,v 1.6 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Copyright (c) 2003 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <openssl/evp.h>
-
-#include <stdarg.h>
-#include <string.h>
-
-#include "xmalloc.h"
-#include "log.h"
-
-#if OPENSSL_VERSION_NUMBER < 0x00906000L
-#define SSH_OLD_EVP
-#endif
-
-/*
- * This is used by SSH1:
- *
- * What kind of triple DES are these 2 routines?
- *
- * Why is there a redundant initialization vector?
- *
- * If only iv3 was used, then, this would till effect have been
- * outer-cbc. However, there is also a private iv1 == iv2 which
- * perhaps makes differential analysis easier. On the other hand, the
- * private iv1 probably makes the CRC-32 attack ineffective. This is a
- * result of that there is no longer any known iv1 to use when
- * choosing the X block.
- */
-struct ssh1_3des_ctx
-{
-	EVP_CIPHER_CTX	k1, k2, k3;
-};
-
-const EVP_CIPHER * evp_ssh1_3des(void);
-void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
-
-static int
-ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
-    int enc)
-{
-	struct ssh1_3des_ctx *c;
-	u_char *k1, *k2, *k3;
-
-	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
-		c = xmalloc(sizeof(*c));
-		EVP_CIPHER_CTX_set_app_data(ctx, c);
-	}
-	if (key == NULL)
-		return (1);
-	if (enc == -1)
-		enc = ctx->encrypt;
-	k1 = k2 = k3 = (u_char *) key;
-	k2 += 8;
-	if (EVP_CIPHER_CTX_key_length(ctx) >= 16+8) {
-		if (enc)
-			k3 += 16;
-		else
-			k1 += 16;
-	}
-	EVP_CIPHER_CTX_init(&c->k1);
-	EVP_CIPHER_CTX_init(&c->k2);
-	EVP_CIPHER_CTX_init(&c->k3);
-#ifdef SSH_OLD_EVP
-	EVP_CipherInit(&c->k1, EVP_des_cbc(), k1, NULL, enc);
-	EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc);
-	EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc);
-#else
-	if (EVP_CipherInit(&c->k1, EVP_des_cbc(), k1, NULL, enc) == 0 ||
-	    EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc) == 0 ||
-	    EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc) == 0) {
-		memset(c, 0, sizeof(*c));
-		xfree(c);
-		EVP_CIPHER_CTX_set_app_data(ctx, NULL);
-		return (0);
-	}
-#endif
-	return (1);
-}
-
-static int
-ssh1_3des_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, u_int len)
-{
-	struct ssh1_3des_ctx *c;
-
-	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
-		error("ssh1_3des_cbc: no context");
-		return (0);
-	}
-#ifdef SSH_OLD_EVP
-	EVP_Cipher(&c->k1, dest, (u_char *)src, len);
-	EVP_Cipher(&c->k2, dest, dest, len);
-	EVP_Cipher(&c->k3, dest, dest, len);
-#else
-	if (EVP_Cipher(&c->k1, dest, (u_char *)src, len) == 0 ||
-	    EVP_Cipher(&c->k2, dest, dest, len) == 0 ||
-	    EVP_Cipher(&c->k3, dest, dest, len) == 0)
-		return (0);
-#endif
-	return (1);
-}
-
-static int
-ssh1_3des_cleanup(EVP_CIPHER_CTX *ctx)
-{
-	struct ssh1_3des_ctx *c;
-
-	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
-		EVP_CIPHER_CTX_cleanup(&c->k1);
-		EVP_CIPHER_CTX_cleanup(&c->k2);
-		EVP_CIPHER_CTX_cleanup(&c->k3);
-		memset(c, 0, sizeof(*c));
-		xfree(c);
-		EVP_CIPHER_CTX_set_app_data(ctx, NULL);
-	}
-	return (1);
-}
-
-void
-ssh1_3des_iv(EVP_CIPHER_CTX *evp, int doset, u_char *iv, int len)
-{
-	struct ssh1_3des_ctx *c;
-
-	if (len != 24)
-		fatal("%s: bad 3des iv length: %d", __func__, len);
-	if ((c = EVP_CIPHER_CTX_get_app_data(evp)) == NULL)
-		fatal("%s: no 3des context", __func__);
-	if (doset) {
-		debug3("%s: Installed 3DES IV", __func__);
-		memcpy(c->k1.iv, iv, 8);
-		memcpy(c->k2.iv, iv + 8, 8);
-		memcpy(c->k3.iv, iv + 16, 8);
-	} else {
-		debug3("%s: Copying 3DES IV", __func__);
-		memcpy(iv, c->k1.iv, 8);
-		memcpy(iv + 8, c->k2.iv, 8);
-		memcpy(iv + 16, c->k3.iv, 8);
-	}
-}
-
-const EVP_CIPHER *
-evp_ssh1_3des(void)
-{
-	static EVP_CIPHER ssh1_3des;
-
-	memset(&ssh1_3des, 0, sizeof(EVP_CIPHER));
-	ssh1_3des.nid = NID_undef;
-	ssh1_3des.block_size = 8;
-	ssh1_3des.iv_len = 0;
-	ssh1_3des.key_len = 16;
-	ssh1_3des.init = ssh1_3des_init;
-	ssh1_3des.cleanup = ssh1_3des_cleanup;
-	ssh1_3des.do_cipher = ssh1_3des_cbc;
-#ifndef SSH_OLD_EVP
-	ssh1_3des.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH;
-#endif
-	return (&ssh1_3des);
-}
diff --git a/crypto/openssh/cipher-acss.c b/crypto/openssh/cipher-acss.c
deleted file mode 100644
index cb0bf73..0000000
--- a/crypto/openssh/cipher-acss.c
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * Copyright (c) 2004 The OpenBSD project
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "includes.h"
-
-#include <openssl/evp.h>
-
-#include <string.h>
-
-#if !defined(EVP_CTRL_SET_ACSS_MODE) && (OPENSSL_VERSION_NUMBER >= 0x00907000L)
-
-#include "acss.h"
-
-#define data(ctx) ((EVP_ACSS_KEY *)(ctx)->cipher_data)
-
-typedef struct {
-	ACSS_KEY ks;
-} EVP_ACSS_KEY;
-
-#define EVP_CTRL_SET_ACSS_MODE          0xff06
-#define EVP_CTRL_SET_ACSS_SUBKEY        0xff07
-
-static int
-acss_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-    const unsigned char *iv, int enc)
-{
-	acss_setkey(&data(ctx)->ks,key,enc,ACSS_DATA);
-	return 1;
-}
-
-static int
-acss_ciph(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in,
-    unsigned int inl)
-{
-	acss(&data(ctx)->ks,inl,in,out);
-	return 1;
-}
-
-static int
-acss_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
-{
-	switch(type) {
-	case EVP_CTRL_SET_ACSS_MODE:
-		data(ctx)->ks.mode = arg;
-		return 1;
-	case EVP_CTRL_SET_ACSS_SUBKEY:
-		acss_setsubkey(&data(ctx)->ks,(unsigned char *)ptr);
-		return 1;
-	default:
-		return -1;
-	}
-}
-
-const EVP_CIPHER *
-evp_acss(void)
-{
-	static EVP_CIPHER acss_cipher;
-
-	memset(&acss_cipher, 0, sizeof(EVP_CIPHER));
-
-	acss_cipher.nid = NID_undef;
-	acss_cipher.block_size = 1;
-	acss_cipher.key_len = 5;
-	acss_cipher.init = acss_init_key;
-	acss_cipher.do_cipher = acss_ciph;
-	acss_cipher.ctx_size = sizeof(EVP_ACSS_KEY);
-	acss_cipher.ctrl = acss_ctrl;
-
-	return (&acss_cipher);
-}
-#endif
-
diff --git a/crypto/openssh/cipher-aes.c b/crypto/openssh/cipher-aes.c
deleted file mode 100644
index 3ea5949..0000000
--- a/crypto/openssh/cipher-aes.c
+++ /dev/null
@@ -1,164 +0,0 @@
-/*
- * Copyright (c) 2003 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-/* compatibility with old or broken OpenSSL versions */
-#include "openbsd-compat/openssl-compat.h"
-
-#ifdef USE_BUILTIN_RIJNDAEL
-#include <sys/types.h>
-
-#include <openssl/evp.h>
-
-#include <stdarg.h>
-#include <string.h>
-
-#include "rijndael.h"
-#include "xmalloc.h"
-#include "log.h"
-
-#define RIJNDAEL_BLOCKSIZE 16
-struct ssh_rijndael_ctx
-{
-	rijndael_ctx	r_ctx;
-	u_char		r_iv[RIJNDAEL_BLOCKSIZE];
-};
-
-const EVP_CIPHER * evp_rijndael(void);
-void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
-
-static int
-ssh_rijndael_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
-    int enc)
-{
-	struct ssh_rijndael_ctx *c;
-
-	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
-		c = xmalloc(sizeof(*c));
-		EVP_CIPHER_CTX_set_app_data(ctx, c);
-	}
-	if (key != NULL) {
-		if (enc == -1)
-			enc = ctx->encrypt;
-		rijndael_set_key(&c->r_ctx, (u_char *)key,
-		    8*EVP_CIPHER_CTX_key_length(ctx), enc);
-	}
-	if (iv != NULL)
-		memcpy(c->r_iv, iv, RIJNDAEL_BLOCKSIZE);
-	return (1);
-}
-
-static int
-ssh_rijndael_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
-    u_int len)
-{
-	struct ssh_rijndael_ctx *c;
-	u_char buf[RIJNDAEL_BLOCKSIZE];
-	u_char *cprev, *cnow, *plain, *ivp;
-	int i, j, blocks = len / RIJNDAEL_BLOCKSIZE;
-
-	if (len == 0)
-		return (1);
-	if (len % RIJNDAEL_BLOCKSIZE)
-		fatal("ssh_rijndael_cbc: bad len %d", len);
-	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
-		error("ssh_rijndael_cbc: no context");
-		return (0);
-	}
-	if (ctx->encrypt) {
-		cnow  = dest;
-		plain = (u_char *)src;
-		cprev = c->r_iv;
-		for (i = 0; i < blocks; i++, plain+=RIJNDAEL_BLOCKSIZE,
-		    cnow+=RIJNDAEL_BLOCKSIZE) {
-			for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++)
-				buf[j] = plain[j] ^ cprev[j];
-			rijndael_encrypt(&c->r_ctx, buf, cnow);
-			cprev = cnow;
-		}
-		memcpy(c->r_iv, cprev, RIJNDAEL_BLOCKSIZE);
-	} else {
-		cnow  = (u_char *) (src+len-RIJNDAEL_BLOCKSIZE);
-		plain = dest+len-RIJNDAEL_BLOCKSIZE;
-
-		memcpy(buf, cnow, RIJNDAEL_BLOCKSIZE);
-		for (i = blocks; i > 0; i--, cnow-=RIJNDAEL_BLOCKSIZE,
-		    plain-=RIJNDAEL_BLOCKSIZE) {
-			rijndael_decrypt(&c->r_ctx, cnow, plain);
-			ivp = (i == 1) ? c->r_iv : cnow-RIJNDAEL_BLOCKSIZE;
-			for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++)
-				plain[j] ^= ivp[j];
-		}
-		memcpy(c->r_iv, buf, RIJNDAEL_BLOCKSIZE);
-	}
-	return (1);
-}
-
-static int
-ssh_rijndael_cleanup(EVP_CIPHER_CTX *ctx)
-{
-	struct ssh_rijndael_ctx *c;
-
-	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
-		memset(c, 0, sizeof(*c));
-		xfree(c);
-		EVP_CIPHER_CTX_set_app_data(ctx, NULL);
-	}
-	return (1);
-}
-
-void
-ssh_rijndael_iv(EVP_CIPHER_CTX *evp, int doset, u_char * iv, u_int len)
-{
-	struct ssh_rijndael_ctx *c;
-
-	if ((c = EVP_CIPHER_CTX_get_app_data(evp)) == NULL)
-		fatal("ssh_rijndael_iv: no context");
-	if (doset)
-		memcpy(c->r_iv, iv, len);
-	else
-		memcpy(iv, c->r_iv, len);
-}
-
-const EVP_CIPHER *
-evp_rijndael(void)
-{
-	static EVP_CIPHER rijndal_cbc;
-
-	memset(&rijndal_cbc, 0, sizeof(EVP_CIPHER));
-	rijndal_cbc.nid = NID_undef;
-	rijndal_cbc.block_size = RIJNDAEL_BLOCKSIZE;
-	rijndal_cbc.iv_len = RIJNDAEL_BLOCKSIZE;
-	rijndal_cbc.key_len = 16;
-	rijndal_cbc.init = ssh_rijndael_init;
-	rijndal_cbc.cleanup = ssh_rijndael_cleanup;
-	rijndal_cbc.do_cipher = ssh_rijndael_cbc;
-#ifndef SSH_OLD_EVP
-	rijndal_cbc.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
-	    EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
-#endif
-	return (&rijndal_cbc);
-}
-#endif /* USE_BUILTIN_RIJNDAEL */
diff --git a/crypto/openssh/cipher-bf1.c b/crypto/openssh/cipher-bf1.c
deleted file mode 100644
index 292488c..0000000
--- a/crypto/openssh/cipher-bf1.c
+++ /dev/null
@@ -1,108 +0,0 @@
-/* $OpenBSD: cipher-bf1.c,v 1.5 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Copyright (c) 2003 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <openssl/evp.h>
-
-#include <stdarg.h>
-#include <string.h>
-
-#include "xmalloc.h"
-#include "log.h"
-
-#if OPENSSL_VERSION_NUMBER < 0x00906000L
-#define SSH_OLD_EVP
-#endif
-
-/*
- * SSH1 uses a variation on Blowfish, all bytes must be swapped before
- * and after encryption/decryption. Thus the swap_bytes stuff (yuk).
- */
-
-const EVP_CIPHER * evp_ssh1_bf(void);
-
-static void
-swap_bytes(const u_char *src, u_char *dst, int n)
-{
-	u_char c[4];
-
-	/* Process 4 bytes every lap. */
-	for (n = n / 4; n > 0; n--) {
-		c[3] = *src++;
-		c[2] = *src++;
-		c[1] = *src++;
-		c[0] = *src++;
-
-		*dst++ = c[0];
-		*dst++ = c[1];
-		*dst++ = c[2];
-		*dst++ = c[3];
-	}
-}
-
-#ifdef SSH_OLD_EVP
-static void bf_ssh1_init (EVP_CIPHER_CTX * ctx, const unsigned char *key,
-			  const unsigned char *iv, int enc)
-{
-	if (iv != NULL)
-		memcpy (&(ctx->oiv[0]), iv, 8);
-	memcpy (&(ctx->iv[0]), &(ctx->oiv[0]), 8);
-	if (key != NULL)
-		BF_set_key (&(ctx->c.bf_ks), EVP_CIPHER_CTX_key_length (ctx),
-			    key);
-}
-#endif
-
-static int (*orig_bf)(EVP_CIPHER_CTX *, u_char *, const u_char *, u_int) = NULL;
-
-static int
-bf_ssh1_cipher(EVP_CIPHER_CTX *ctx, u_char *out, const u_char *in, u_int len)
-{
-	int ret;
-
-	swap_bytes(in, out, len);
-	ret = (*orig_bf)(ctx, out, out, len);
-	swap_bytes(out, out, len);
-	return (ret);
-}
-
-const EVP_CIPHER *
-evp_ssh1_bf(void)
-{
-	static EVP_CIPHER ssh1_bf;
-
-	memcpy(&ssh1_bf, EVP_bf_cbc(), sizeof(EVP_CIPHER));
-	orig_bf = ssh1_bf.do_cipher;
-	ssh1_bf.nid = NID_undef;
-#ifdef SSH_OLD_EVP
-	ssh1_bf.init = bf_ssh1_init;
-#endif
-	ssh1_bf.do_cipher = bf_ssh1_cipher;
-	ssh1_bf.key_len = 32;
-	return (&ssh1_bf);
-}
diff --git a/crypto/openssh/cipher-ctr.c b/crypto/openssh/cipher-ctr.c
deleted file mode 100644
index b24f3a4..0000000
--- a/crypto/openssh/cipher-ctr.c
+++ /dev/null
@@ -1,152 +0,0 @@
-/* $OpenBSD: cipher-ctr.c,v 1.10 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Copyright (c) 2003 Markus Friedl <markus@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <stdarg.h>
-#include <string.h>
-
-#include <openssl/evp.h>
-
-#include "xmalloc.h"
-#include "log.h"
-
-/* compatibility with old or broken OpenSSL versions */
-#include "openbsd-compat/openssl-compat.h"
-
-#ifdef USE_BUILTIN_RIJNDAEL
-#include "rijndael.h"
-#define AES_KEY rijndael_ctx
-#define AES_BLOCK_SIZE 16
-#define AES_encrypt(a, b, c) rijndael_encrypt(c, a, b)
-#define AES_set_encrypt_key(a, b, c) rijndael_set_key(c, (char *)a, b, 1)
-#else
-#include <openssl/aes.h>
-#endif
-
-const EVP_CIPHER *evp_aes_128_ctr(void);
-void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
-
-struct ssh_aes_ctr_ctx
-{
-	AES_KEY		aes_ctx;
-	u_char		aes_counter[AES_BLOCK_SIZE];
-};
-
-/*
- * increment counter 'ctr',
- * the counter is of size 'len' bytes and stored in network-byte-order.
- * (LSB at ctr[len-1], MSB at ctr[0])
- */
-static void
-ssh_ctr_inc(u_char *ctr, u_int len)
-{
-	int i;
-
-	for (i = len - 1; i >= 0; i--)
-		if (++ctr[i])	/* continue on overflow */
-			return;
-}
-
-static int
-ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
-    u_int len)
-{
-	struct ssh_aes_ctr_ctx *c;
-	u_int n = 0;
-	u_char buf[AES_BLOCK_SIZE];
-
-	if (len == 0)
-		return (1);
-	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL)
-		return (0);
-
-	while ((len--) > 0) {
-		if (n == 0) {
-			AES_encrypt(c->aes_counter, buf, &c->aes_ctx);
-			ssh_ctr_inc(c->aes_counter, AES_BLOCK_SIZE);
-		}
-		*(dest++) = *(src++) ^ buf[n];
-		n = (n + 1) % AES_BLOCK_SIZE;
-	}
-	return (1);
-}
-
-static int
-ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
-    int enc)
-{
-	struct ssh_aes_ctr_ctx *c;
-
-	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
-		c = xmalloc(sizeof(*c));
-		EVP_CIPHER_CTX_set_app_data(ctx, c);
-	}
-	if (key != NULL)
-		AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-		    &c->aes_ctx);
-	if (iv != NULL)
-		memcpy(c->aes_counter, iv, AES_BLOCK_SIZE);
-	return (1);
-}
-
-static int
-ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx)
-{
-	struct ssh_aes_ctr_ctx *c;
-
-	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
-		memset(c, 0, sizeof(*c));
-		xfree(c);
-		EVP_CIPHER_CTX_set_app_data(ctx, NULL);
-	}
-	return (1);
-}
-
-void
-ssh_aes_ctr_iv(EVP_CIPHER_CTX *evp, int doset, u_char * iv, u_int len)
-{
-	struct ssh_aes_ctr_ctx *c;
-
-	if ((c = EVP_CIPHER_CTX_get_app_data(evp)) == NULL)
-		fatal("ssh_aes_ctr_iv: no context");
-	if (doset)
-		memcpy(c->aes_counter, iv, len);
-	else
-		memcpy(iv, c->aes_counter, len);
-}
-
-const EVP_CIPHER *
-evp_aes_128_ctr(void)
-{
-	static EVP_CIPHER aes_ctr;
-
-	memset(&aes_ctr, 0, sizeof(EVP_CIPHER));
-	aes_ctr.nid = NID_undef;
-	aes_ctr.block_size = AES_BLOCK_SIZE;
-	aes_ctr.iv_len = AES_BLOCK_SIZE;
-	aes_ctr.key_len = 16;
-	aes_ctr.init = ssh_aes_ctr_init;
-	aes_ctr.cleanup = ssh_aes_ctr_cleanup;
-	aes_ctr.do_cipher = ssh_aes_ctr;
-#ifndef SSH_OLD_EVP
-	aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
-	    EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
-#endif
-	return (&aes_ctr);
-}
diff --git a/crypto/openssh/cipher.c b/crypto/openssh/cipher.c
deleted file mode 100644
index b264063..0000000
--- a/crypto/openssh/cipher.c
+++ /dev/null
@@ -1,424 +0,0 @@
-/* $OpenBSD: cipher.c,v 1.81 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- *
- * Copyright (c) 1999 Niels Provos.  All rights reserved.
- * Copyright (c) 1999, 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <openssl/md5.h>
-
-#include <string.h>
-#include <stdarg.h>
-
-#include "xmalloc.h"
-#include "log.h"
-#include "cipher.h"
-
-/* compatibility with old or broken OpenSSL versions */
-#include "openbsd-compat/openssl-compat.h"
-
-extern const EVP_CIPHER *evp_ssh1_bf(void);
-extern const EVP_CIPHER *evp_ssh1_3des(void);
-extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
-extern const EVP_CIPHER *evp_aes_128_ctr(void);
-extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
-
-struct Cipher {
-	char	*name;
-	int	number;		/* for ssh1 only */
-	u_int	block_size;
-	u_int	key_len;
-	u_int	discard_len;
-	const EVP_CIPHER	*(*evptype)(void);
-} ciphers[] = {
-	{ "none",		SSH_CIPHER_NONE, 8, 0, 0, EVP_enc_null },
-	{ "des",		SSH_CIPHER_DES, 8, 8, 0, EVP_des_cbc },
-	{ "3des",		SSH_CIPHER_3DES, 8, 16, 0, evp_ssh1_3des },
-	{ "blowfish",		SSH_CIPHER_BLOWFISH, 8, 32, 0, evp_ssh1_bf },
-
-	{ "3des-cbc",		SSH_CIPHER_SSH2, 8, 24, 0, EVP_des_ede3_cbc },
-	{ "blowfish-cbc",	SSH_CIPHER_SSH2, 8, 16, 0, EVP_bf_cbc },
-	{ "cast128-cbc",	SSH_CIPHER_SSH2, 8, 16, 0, EVP_cast5_cbc },
-	{ "arcfour",		SSH_CIPHER_SSH2, 8, 16, 0, EVP_rc4 },
-	{ "arcfour128",		SSH_CIPHER_SSH2, 8, 16, 1536, EVP_rc4 },
-	{ "arcfour256",		SSH_CIPHER_SSH2, 8, 32, 1536, EVP_rc4 },
-	{ "aes128-cbc",		SSH_CIPHER_SSH2, 16, 16, 0, EVP_aes_128_cbc },
-	{ "aes192-cbc",		SSH_CIPHER_SSH2, 16, 24, 0, EVP_aes_192_cbc },
-	{ "aes256-cbc",		SSH_CIPHER_SSH2, 16, 32, 0, EVP_aes_256_cbc },
-	{ "rijndael-cbc@lysator.liu.se",
-				SSH_CIPHER_SSH2, 16, 32, 0, EVP_aes_256_cbc },
-	{ "aes128-ctr",		SSH_CIPHER_SSH2, 16, 16, 0, evp_aes_128_ctr },
-	{ "aes192-ctr",		SSH_CIPHER_SSH2, 16, 24, 0, evp_aes_128_ctr },
-	{ "aes256-ctr",		SSH_CIPHER_SSH2, 16, 32, 0, evp_aes_128_ctr },
-#ifdef USE_CIPHER_ACSS
-	{ "acss@openssh.org",	SSH_CIPHER_SSH2, 16, 5, 0, EVP_acss },
-#endif
-	{ NULL,			SSH_CIPHER_INVALID, 0, 0, 0, NULL }
-};
-
-/*--*/
-
-u_int
-cipher_blocksize(const Cipher *c)
-{
-	return (c->block_size);
-}
-
-u_int
-cipher_keylen(const Cipher *c)
-{
-	return (c->key_len);
-}
-
-u_int
-cipher_get_number(const Cipher *c)
-{
-	return (c->number);
-}
-
-u_int
-cipher_mask_ssh1(int client)
-{
-	u_int mask = 0;
-	mask |= 1 << SSH_CIPHER_3DES;		/* Mandatory */
-	mask |= 1 << SSH_CIPHER_BLOWFISH;
-	if (client) {
-		mask |= 1 << SSH_CIPHER_DES;
-	}
-	return mask;
-}
-
-Cipher *
-cipher_by_name(const char *name)
-{
-	Cipher *c;
-	for (c = ciphers; c->name != NULL; c++)
-		if (strcmp(c->name, name) == 0)
-			return c;
-	return NULL;
-}
-
-Cipher *
-cipher_by_number(int id)
-{
-	Cipher *c;
-	for (c = ciphers; c->name != NULL; c++)
-		if (c->number == id)
-			return c;
-	return NULL;
-}
-
-#define	CIPHER_SEP	","
-int
-ciphers_valid(const char *names)
-{
-	Cipher *c;
-	char *cipher_list, *cp;
-	char *p;
-
-	if (names == NULL || strcmp(names, "") == 0)
-		return 0;
-	cipher_list = cp = xstrdup(names);
-	for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
-	    (p = strsep(&cp, CIPHER_SEP))) {
-		c = cipher_by_name(p);
-		if (c == NULL || c->number != SSH_CIPHER_SSH2) {
-			debug("bad cipher %s [%s]", p, names);
-			xfree(cipher_list);
-			return 0;
-		} else {
-			debug3("cipher ok: %s [%s]", p, names);
-		}
-	}
-	debug3("ciphers ok: [%s]", names);
-	xfree(cipher_list);
-	return 1;
-}
-
-/*
- * Parses the name of the cipher.  Returns the number of the corresponding
- * cipher, or -1 on error.
- */
-
-int
-cipher_number(const char *name)
-{
-	Cipher *c;
-	if (name == NULL)
-		return -1;
-	for (c = ciphers; c->name != NULL; c++)
-		if (strcasecmp(c->name, name) == 0)
-			return c->number;
-	return -1;
-}
-
-char *
-cipher_name(int id)
-{
-	Cipher *c = cipher_by_number(id);
-	return (c==NULL) ? "<unknown>" : c->name;
-}
-
-void
-cipher_init(CipherContext *cc, Cipher *cipher,
-    const u_char *key, u_int keylen, const u_char *iv, u_int ivlen,
-    int do_encrypt)
-{
-	static int dowarn = 1;
-#ifdef SSH_OLD_EVP
-	EVP_CIPHER *type;
-#else
-	const EVP_CIPHER *type;
-	int klen;
-#endif
-	u_char *junk, *discard;
-
-	if (cipher->number == SSH_CIPHER_DES) {
-		if (dowarn) {
-			error("Warning: use of DES is strongly discouraged "
-			    "due to cryptographic weaknesses");
-			dowarn = 0;
-		}
-		if (keylen > 8)
-			keylen = 8;
-	}
-	cc->plaintext = (cipher->number == SSH_CIPHER_NONE);
-
-	if (keylen < cipher->key_len)
-		fatal("cipher_init: key length %d is insufficient for %s.",
-		    keylen, cipher->name);
-	if (iv != NULL && ivlen < cipher->block_size)
-		fatal("cipher_init: iv length %d is insufficient for %s.",
-		    ivlen, cipher->name);
-	cc->cipher = cipher;
-
-	type = (*cipher->evptype)();
-
-	EVP_CIPHER_CTX_init(&cc->evp);
-#ifdef SSH_OLD_EVP
-	if (type->key_len > 0 && type->key_len != keylen) {
-		debug("cipher_init: set keylen (%d -> %d)",
-		    type->key_len, keylen);
-		type->key_len = keylen;
-	}
-	EVP_CipherInit(&cc->evp, type, (u_char *)key, (u_char *)iv,
-	    (do_encrypt == CIPHER_ENCRYPT));
-#else
-	if (EVP_CipherInit(&cc->evp, type, NULL, (u_char *)iv,
-	    (do_encrypt == CIPHER_ENCRYPT)) == 0)
-		fatal("cipher_init: EVP_CipherInit failed for %s",
-		    cipher->name);
-	klen = EVP_CIPHER_CTX_key_length(&cc->evp);
-	if (klen > 0 && keylen != (u_int)klen) {
-		debug2("cipher_init: set keylen (%d -> %d)", klen, keylen);
-		if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0)
-			fatal("cipher_init: set keylen failed (%d -> %d)",
-			    klen, keylen);
-	}
-	if (EVP_CipherInit(&cc->evp, NULL, (u_char *)key, NULL, -1) == 0)
-		fatal("cipher_init: EVP_CipherInit: set key failed for %s",
-		    cipher->name);
-#endif
-
-	if (cipher->discard_len > 0) {
-		junk = xmalloc(cipher->discard_len);
-		discard = xmalloc(cipher->discard_len);
-		if (EVP_Cipher(&cc->evp, discard, junk,
-		    cipher->discard_len) == 0)
-			fatal("evp_crypt: EVP_Cipher failed during discard");
-		memset(discard, 0, cipher->discard_len);
-		xfree(junk);
-		xfree(discard);
-	}
-}
-
-void
-cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
-{
-	if (len % cc->cipher->block_size)
-		fatal("cipher_encrypt: bad plaintext length %d", len);
-	if (EVP_Cipher(&cc->evp, dest, (u_char *)src, len) == 0)
-		fatal("evp_crypt: EVP_Cipher failed");
-}
-
-void
-cipher_cleanup(CipherContext *cc)
-{
-	if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0)
-		error("cipher_cleanup: EVP_CIPHER_CTX_cleanup failed");
-}
-
-/*
- * Selects the cipher, and keys if by computing the MD5 checksum of the
- * passphrase and using the resulting 16 bytes as the key.
- */
-
-void
-cipher_set_key_string(CipherContext *cc, Cipher *cipher,
-    const char *passphrase, int do_encrypt)
-{
-	MD5_CTX md;
-	u_char digest[16];
-
-	MD5_Init(&md);
-	MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase));
-	MD5_Final(digest, &md);
-
-	cipher_init(cc, cipher, digest, 16, NULL, 0, do_encrypt);
-
-	memset(digest, 0, sizeof(digest));
-	memset(&md, 0, sizeof(md));
-}
-
-/*
- * Exports an IV from the CipherContext required to export the key
- * state back from the unprivileged child to the privileged parent
- * process.
- */
-
-int
-cipher_get_keyiv_len(const CipherContext *cc)
-{
-	Cipher *c = cc->cipher;
-	int ivlen;
-
-	if (c->number == SSH_CIPHER_3DES)
-		ivlen = 24;
-	else
-		ivlen = EVP_CIPHER_CTX_iv_length(&cc->evp);
-	return (ivlen);
-}
-
-void
-cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len)
-{
-	Cipher *c = cc->cipher;
-	int evplen;
-
-	switch (c->number) {
-	case SSH_CIPHER_SSH2:
-	case SSH_CIPHER_DES:
-	case SSH_CIPHER_BLOWFISH:
-		evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
-		if (evplen <= 0)
-			return;
-		if ((u_int)evplen != len)
-			fatal("%s: wrong iv length %d != %d", __func__,
-			    evplen, len);
-#ifdef USE_BUILTIN_RIJNDAEL
-		if (c->evptype == evp_rijndael)
-			ssh_rijndael_iv(&cc->evp, 0, iv, len);
-		else
-#endif
-		if (c->evptype == evp_aes_128_ctr)
-			ssh_aes_ctr_iv(&cc->evp, 0, iv, len);
-		else
-			memcpy(iv, cc->evp.iv, len);
-		break;
-	case SSH_CIPHER_3DES:
-		ssh1_3des_iv(&cc->evp, 0, iv, 24);
-		break;
-	default:
-		fatal("%s: bad cipher %d", __func__, c->number);
-	}
-}
-
-void
-cipher_set_keyiv(CipherContext *cc, u_char *iv)
-{
-	Cipher *c = cc->cipher;
-	int evplen = 0;
-
-	switch (c->number) {
-	case SSH_CIPHER_SSH2:
-	case SSH_CIPHER_DES:
-	case SSH_CIPHER_BLOWFISH:
-		evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
-		if (evplen == 0)
-			return;
-#ifdef USE_BUILTIN_RIJNDAEL
-		if (c->evptype == evp_rijndael)
-			ssh_rijndael_iv(&cc->evp, 1, iv, evplen);
-		else
-#endif
-		if (c->evptype == evp_aes_128_ctr)
-			ssh_aes_ctr_iv(&cc->evp, 1, iv, evplen);
-		else
-			memcpy(cc->evp.iv, iv, evplen);
-		break;
-	case SSH_CIPHER_3DES:
-		ssh1_3des_iv(&cc->evp, 1, iv, 24);
-		break;
-	default:
-		fatal("%s: bad cipher %d", __func__, c->number);
-	}
-}
-
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
-#define EVP_X_STATE(evp)	&(evp).c
-#define EVP_X_STATE_LEN(evp)	sizeof((evp).c)
-#else
-#define EVP_X_STATE(evp)	(evp).cipher_data
-#define EVP_X_STATE_LEN(evp)	(evp).cipher->ctx_size
-#endif
-
-int
-cipher_get_keycontext(const CipherContext *cc, u_char *dat)
-{
-	Cipher *c = cc->cipher;
-	int plen = 0;
-
-	if (c->evptype == EVP_rc4 || c->evptype == EVP_acss) {
-		plen = EVP_X_STATE_LEN(cc->evp);
-		if (dat == NULL)
-			return (plen);
-		memcpy(dat, EVP_X_STATE(cc->evp), plen);
-	}
-	return (plen);
-}
-
-void
-cipher_set_keycontext(CipherContext *cc, u_char *dat)
-{
-	Cipher *c = cc->cipher;
-	int plen;
-
-	if (c->evptype == EVP_rc4 || c->evptype == EVP_acss) {
-		plen = EVP_X_STATE_LEN(cc->evp);
-		memcpy(EVP_X_STATE(cc->evp), dat, plen);
-	}
-}
diff --git a/crypto/openssh/cipher.h b/crypto/openssh/cipher.h
deleted file mode 100644
index 49bbc16..0000000
--- a/crypto/openssh/cipher.h
+++ /dev/null
@@ -1,91 +0,0 @@
-/* $OpenBSD: cipher.h,v 1.36 2006/03/25 22:22:42 djm Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef CIPHER_H
-#define CIPHER_H
-
-#include <openssl/evp.h>
-/*
- * Cipher types for SSH-1.  New types can be added, but old types should not
- * be removed for compatibility.  The maximum allowed value is 31.
- */
-#define SSH_CIPHER_SSH2		-3
-#define SSH_CIPHER_INVALID	-2	/* No valid cipher selected. */
-#define SSH_CIPHER_NOT_SET	-1	/* None selected (invalid number). */
-#define SSH_CIPHER_NONE		0	/* no encryption */
-#define SSH_CIPHER_IDEA		1	/* IDEA CFB */
-#define SSH_CIPHER_DES		2	/* DES CBC */
-#define SSH_CIPHER_3DES		3	/* 3DES CBC */
-#define SSH_CIPHER_BROKEN_TSS	4	/* TRI's Simple Stream encryption CBC */
-#define SSH_CIPHER_BROKEN_RC4	5	/* Alleged RC4 */
-#define SSH_CIPHER_BLOWFISH	6
-#define SSH_CIPHER_RESERVED	7
-#define SSH_CIPHER_MAX		31
-
-#define CIPHER_ENCRYPT		1
-#define CIPHER_DECRYPT		0
-
-typedef struct Cipher Cipher;
-typedef struct CipherContext CipherContext;
-
-struct Cipher;
-struct CipherContext {
-	int	plaintext;
-	EVP_CIPHER_CTX evp;
-	Cipher *cipher;
-};
-
-u_int	 cipher_mask_ssh1(int);
-Cipher	*cipher_by_name(const char *);
-Cipher	*cipher_by_number(int);
-int	 cipher_number(const char *);
-char	*cipher_name(int);
-int	 ciphers_valid(const char *);
-void	 cipher_init(CipherContext *, Cipher *, const u_char *, u_int,
-    const u_char *, u_int, int);
-void	 cipher_crypt(CipherContext *, u_char *, const u_char *, u_int);
-void	 cipher_cleanup(CipherContext *);
-void	 cipher_set_key_string(CipherContext *, Cipher *, const char *, int);
-u_int	 cipher_blocksize(const Cipher *);
-u_int	 cipher_keylen(const Cipher *);
-
-u_int	 cipher_get_number(const Cipher *);
-void	 cipher_get_keyiv(CipherContext *, u_char *, u_int);
-void	 cipher_set_keyiv(CipherContext *, u_char *);
-int	 cipher_get_keyiv_len(const CipherContext *);
-int	 cipher_get_keycontext(const CipherContext *, u_char *);
-void	 cipher_set_keycontext(CipherContext *, u_char *);
-#endif				/* CIPHER_H */
diff --git a/crypto/openssh/cleanup.c b/crypto/openssh/cleanup.c
deleted file mode 100644
index 238f965..0000000
--- a/crypto/openssh/cleanup.c
+++ /dev/null
@@ -1,32 +0,0 @@
-/* $OpenBSD: cleanup.c,v 1.5 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Copyright (c) 2003 Markus Friedl <markus@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <unistd.h>
-#include <stdarg.h>
-
-#include "log.h"
-
-/* default implementation */
-void
-cleanup_exit(int i)
-{
-	_exit(i);
-}
diff --git a/crypto/openssh/cli.c b/crypto/openssh/cli.c
deleted file mode 100644
index 8f0b2b8..0000000
--- a/crypto/openssh/cli.c
+++ /dev/null
@@ -1,231 +0,0 @@
-/*	$OpenBSD: cli.c,v 1.11 2001/03/06 00:33:04 deraadt Exp $	*/
-
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: cli.c,v 1.11 2001/03/06 00:33:04 deraadt Exp $");
-
-#include "xmalloc.h"
-#include "log.h"
-#include "cli.h"
-
-#include <vis.h>
-
-static int cli_input = -1;
-static int cli_output = -1;
-static int cli_from_stdin = 0;
-
-sigset_t oset;
-sigset_t nset;
-struct sigaction nsa;
-struct sigaction osa;
-struct termios ntio;
-struct termios otio;
-int echo_modified;
-
-volatile int intr;
-
-static int
-cli_open(int from_stdin)
-{
-	if (cli_input >= 0 && cli_output >= 0 && cli_from_stdin == from_stdin)
-		return 1;
-
-	if (from_stdin) {
-		if (!cli_from_stdin && cli_input >= 0) {
-			(void)close(cli_input);
-		}
-		cli_input = STDIN_FILENO;
-		cli_output = STDERR_FILENO;
-	} else {
-		cli_input = cli_output = open(_PATH_TTY, O_RDWR);
-		if (cli_input < 0)
-			fatal("You have no controlling tty.  Cannot read passphrase.");
-	}
-
-	cli_from_stdin = from_stdin;
-
-	return cli_input >= 0 && cli_output >= 0 && cli_from_stdin == from_stdin;
-}
-
-static void
-cli_close(void)
-{
-	if (!cli_from_stdin && cli_input >= 0)
-		close(cli_input);
-	cli_input = -1;
-	cli_output = -1;
-	cli_from_stdin = 0;
-	return;
-}
-
-void
-intrcatch(int sig)
-{
-	intr = 1;
-}
-
-static void
-cli_echo_disable(void)
-{
-	sigemptyset(&nset);
-	sigaddset(&nset, SIGTSTP);
-	(void) sigprocmask(SIG_BLOCK, &nset, &oset);
-
-	intr = 0;
-
-	memset(&nsa, 0, sizeof(nsa));
-	nsa.sa_handler = intrcatch;
-	(void) sigaction(SIGINT, &nsa, &osa);
-
-	echo_modified = 0;
-	if (tcgetattr(cli_input, &otio) == 0 && (otio.c_lflag & ECHO)) {
-		echo_modified = 1;
-		ntio = otio;
-		ntio.c_lflag &= ~(ECHO | ECHOE | ECHOK | ECHONL);
-		(void) tcsetattr(cli_input, TCSANOW, &ntio);
-	}
-	return;
-}
-
-static void
-cli_echo_restore(void)
-{
-	if (echo_modified != 0) {
-		tcsetattr(cli_input, TCSANOW, &otio);
-		echo_modified = 0;
-	}
-
-	(void) sigprocmask(SIG_SETMASK, &oset, NULL);
-	(void) sigaction(SIGINT, &osa, NULL);
-
-	if (intr != 0) {
-		kill(getpid(), SIGINT);
-		sigemptyset(&nset);
-		/* XXX tty has not neccessarily drained by now? */
-		sigsuspend(&nset);
-		intr = 0;
-	}
-	return;
-}
-
-static int
-cli_read(char* buf, int size, int echo)
-{
-	char ch = 0;
-	int i = 0;
-	int n;
-
-	if (!echo)
-		cli_echo_disable();
-
-	while (ch != '\n') {
-		n = read(cli_input, &ch, 1);
-		if (n == -1 && (errno == EAGAIN || errno == EINTR))
-			continue;
-		if (n != 1)
-			break;
-		if (ch == '\n' || intr != 0)
-			break;
-		if (i < size)
-			buf[i++] = ch;
-	}
-	buf[i] = '\0';
-
-	if (!echo)
-		cli_echo_restore();
-	if (!intr && !echo)
-		(void) write(cli_output, "\n", 1);
-	return i;
-}
-
-static int
-cli_write(char* buf, int size)
-{
-	int i, len, pos, ret = 0;
-	char *output, *p;
-
-	output = xmalloc(4*size);
-	for (p = output, i = 0; i < size; i++) {
-		if (buf[i] == '\n' || buf[i] == '\r')
-			*p++ = buf[i];
-		else
-			p = vis(p, buf[i], 0, 0);
-	}
-	len = p - output;
-
-	for (pos = 0; pos < len; pos += ret) {
-		ret = write(cli_output, output + pos, len - pos);
-		if (ret == -1) {
-			xfree(output);
-			return -1;
-		}
-	}
-	xfree(output);
-	return 0;
-}
-
-/*
- * Presents a prompt and returns the response allocated with xmalloc().
- * Uses /dev/tty or stdin/out depending on arg.  Optionally disables echo
- * of response depending on arg.  Tries to ensure that no other userland
- * buffer is storing the response.
- */
-char*
-cli_read_passphrase(char* prompt, int from_stdin, int echo_enable)
-{
-	char	buf[BUFSIZ];
-	char*	p;
-
-	if (!cli_open(from_stdin))
-		fatal("Cannot read passphrase.");
-
-	fflush(stdout);
-
-	cli_write(prompt, strlen(prompt));
-	cli_read(buf, sizeof buf, echo_enable);
-
-	cli_close();
-
-	p = xstrdup(buf);
-	memset(buf, 0, sizeof(buf));
-	return (p);
-}
-
-char*
-cli_prompt(char* prompt, int echo_enable)
-{
-	return cli_read_passphrase(prompt, 0, echo_enable);
-}
-
-void
-cli_mesg(char* mesg)
-{
-	cli_open(0);
-	cli_write(mesg, strlen(mesg));
-	cli_write("\n", strlen("\n"));
-	cli_close();
-	return;
-}
diff --git a/crypto/openssh/cli.h b/crypto/openssh/cli.h
deleted file mode 100644
index 6f57c9b..0000000
--- a/crypto/openssh/cli.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/*	$OpenBSD: cli.h,v 1.4 2001/03/01 03:38:33 deraadt Exp $	*/
-
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/* $OpenBSD: cli.h,v 1.4 2001/03/01 03:38:33 deraadt Exp $ */
-
-#ifndef CLI_H
-#define CLI_H
-
-/*
- * Presents a prompt and returns the response allocated with xmalloc().
- * Uses /dev/tty or stdin/out depending on arg.  Optionally disables echo
- * of response depending on arg.  Tries to ensure that no other userland
- * buffer is storing the response.
- */
-char *	cli_read_passphrase(char * prompt, int from_stdin, int echo_enable);
-char *	cli_prompt(char * prompt, int echo_enable);
-void	cli_mesg(char * mesg);
-
-#endif /* CLI_H */
diff --git a/crypto/openssh/clientloop.c b/crypto/openssh/clientloop.c
deleted file mode 100644
index 4c51081..0000000
--- a/crypto/openssh/clientloop.c
+++ /dev/null
@@ -1,2047 +0,0 @@
-/* $OpenBSD: clientloop.c,v 1.176 2006/10/11 12:38:03 markus Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * The main loop for the interactive session (client side).
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- *
- * Copyright (c) 1999 Theo de Raadt.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- *
- * SSH2 support added by Markus Friedl.
- * Copyright (c) 1999, 2000, 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/ioctl.h>
-#include <sys/param.h>
-#ifdef HAVE_SYS_STAT_H
-# include <sys/stat.h>
-#endif
-#ifdef HAVE_SYS_TIME_H
-# include <sys/time.h>
-#endif
-#include <sys/socket.h>
-
-#include <ctype.h>
-#include <errno.h>
-#ifdef HAVE_PATHS_H
-#include <paths.h>
-#endif
-#include <signal.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <termios.h>
-#include <pwd.h>
-#include <unistd.h>
-
-#include "xmalloc.h"
-#include "ssh.h"
-#include "ssh1.h"
-#include "ssh2.h"
-#include "packet.h"
-#include "buffer.h"
-#include "compat.h"
-#include "channels.h"
-#include "dispatch.h"
-#include "key.h"
-#include "cipher.h"
-#include "kex.h"
-#include "log.h"
-#include "readconf.h"
-#include "clientloop.h"
-#include "sshconnect.h"
-#include "authfd.h"
-#include "atomicio.h"
-#include "sshpty.h"
-#include "misc.h"
-#include "monitor_fdpass.h"
-#include "match.h"
-#include "msg.h"
-
-/* import options */
-extern Options options;
-
-/* Flag indicating that stdin should be redirected from /dev/null. */
-extern int stdin_null_flag;
-
-/* Flag indicating that no shell has been requested */
-extern int no_shell_flag;
-
-/* Control socket */
-extern int control_fd;
-
-/*
- * Name of the host we are connecting to.  This is the name given on the
- * command line, or the HostName specified for the user-supplied name in a
- * configuration file.
- */
-extern char *host;
-
-/*
- * Flag to indicate that we have received a window change signal which has
- * not yet been processed.  This will cause a message indicating the new
- * window size to be sent to the server a little later.  This is volatile
- * because this is updated in a signal handler.
- */
-static volatile sig_atomic_t received_window_change_signal = 0;
-static volatile sig_atomic_t received_signal = 0;
-
-/* Flag indicating whether the user's terminal is in non-blocking mode. */
-static int in_non_blocking_mode = 0;
-
-/* Common data for the client loop code. */
-static volatile sig_atomic_t quit_pending; /* Set non-zero to quit the loop. */
-static int escape_char;		/* Escape character. */
-static int escape_pending;	/* Last character was the escape character */
-static int last_was_cr;		/* Last character was a newline. */
-static int exit_status;		/* Used to store the exit status of the command. */
-static int stdin_eof;		/* EOF has been encountered on standard error. */
-static Buffer stdin_buffer;	/* Buffer for stdin data. */
-static Buffer stdout_buffer;	/* Buffer for stdout data. */
-static Buffer stderr_buffer;	/* Buffer for stderr data. */
-static u_long stdin_bytes, stdout_bytes, stderr_bytes;
-static u_int buffer_high;/* Soft max buffer size. */
-static int connection_in;	/* Connection to server (input). */
-static int connection_out;	/* Connection to server (output). */
-static int need_rekeying;	/* Set to non-zero if rekeying is requested. */
-static int session_closed = 0;	/* In SSH2: login session closed. */
-static int server_alive_timeouts = 0;
-
-static void client_init_dispatch(void);
-int	session_ident = -1;
-
-struct confirm_ctx {
-	int want_tty;
-	int want_subsys;
-	int want_x_fwd;
-	int want_agent_fwd;
-	Buffer cmd;
-	char *term;
-	struct termios tio;
-	char **env;
-};
-
-/*XXX*/
-extern Kex *xxx_kex;
-
-void ssh_process_session2_setup(int, int, int, Buffer *);
-
-/* Restores stdin to blocking mode. */
-
-static void
-leave_non_blocking(void)
-{
-	if (in_non_blocking_mode) {
-		unset_nonblock(fileno(stdin));
-		in_non_blocking_mode = 0;
-	}
-}
-
-/* Puts stdin terminal in non-blocking mode. */
-
-static void
-enter_non_blocking(void)
-{
-	in_non_blocking_mode = 1;
-	set_nonblock(fileno(stdin));
-}
-
-/*
- * Signal handler for the window change signal (SIGWINCH).  This just sets a
- * flag indicating that the window has changed.
- */
-/*ARGSUSED */
-static void
-window_change_handler(int sig)
-{
-	received_window_change_signal = 1;
-	signal(SIGWINCH, window_change_handler);
-}
-
-/*
- * Signal handler for signals that cause the program to terminate.  These
- * signals must be trapped to restore terminal modes.
- */
-/*ARGSUSED */
-static void
-signal_handler(int sig)
-{
-	received_signal = sig;
-	quit_pending = 1;
-}
-
-/*
- * Returns current time in seconds from Jan 1, 1970 with the maximum
- * available resolution.
- */
-
-static double
-get_current_time(void)
-{
-	struct timeval tv;
-	gettimeofday(&tv, NULL);
-	return (double) tv.tv_sec + (double) tv.tv_usec / 1000000.0;
-}
-
-#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
-void
-client_x11_get_proto(const char *display, const char *xauth_path,
-    u_int trusted, char **_proto, char **_data)
-{
-	char cmd[1024];
-	char line[512];
-	char xdisplay[512];
-	static char proto[512], data[512];
-	FILE *f;
-	int got_data = 0, generated = 0, do_unlink = 0, i;
-	char *xauthdir, *xauthfile;
-	struct stat st;
-
-	xauthdir = xauthfile = NULL;
-	*_proto = proto;
-	*_data = data;
-	proto[0] = data[0] = '\0';
-
-	if (xauth_path == NULL ||(stat(xauth_path, &st) == -1)) {
-		debug("No xauth program.");
-	} else {
-		if (display == NULL) {
-			debug("x11_get_proto: DISPLAY not set");
-			return;
-		}
-		/*
-		 * Handle FamilyLocal case where $DISPLAY does
-		 * not match an authorization entry.  For this we
-		 * just try "xauth list unix:displaynum.screennum".
-		 * XXX: "localhost" match to determine FamilyLocal
-		 *      is not perfect.
-		 */
-		if (strncmp(display, "localhost:", 10) == 0) {
-			snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
-			    display + 10);
-			display = xdisplay;
-		}
-		if (trusted == 0) {
-			xauthdir = xmalloc(MAXPATHLEN);
-			xauthfile = xmalloc(MAXPATHLEN);
-			strlcpy(xauthdir, "/tmp/ssh-XXXXXXXXXX", MAXPATHLEN);
-			if (mkdtemp(xauthdir) != NULL) {
-				do_unlink = 1;
-				snprintf(xauthfile, MAXPATHLEN, "%s/xauthfile",
-				    xauthdir);
-				snprintf(cmd, sizeof(cmd),
-				    "%s -f %s generate %s " SSH_X11_PROTO
-				    " untrusted timeout 1200 2>" _PATH_DEVNULL,
-				    xauth_path, xauthfile, display);
-				debug2("x11_get_proto: %s", cmd);
-				if (system(cmd) == 0)
-					generated = 1;
-			}
-		}
-		snprintf(cmd, sizeof(cmd),
-		    "%s %s%s list %s 2>" _PATH_DEVNULL,
-		    xauth_path,
-		    generated ? "-f " : "" ,
-		    generated ? xauthfile : "",
-		    display);
-		debug2("x11_get_proto: %s", cmd);
-		f = popen(cmd, "r");
-		if (f && fgets(line, sizeof(line), f) &&
-		    sscanf(line, "%*s %511s %511s", proto, data) == 2)
-			got_data = 1;
-		if (f)
-			pclose(f);
-	}
-
-	if (do_unlink) {
-		unlink(xauthfile);
-		rmdir(xauthdir);
-	}
-	if (xauthdir)
-		xfree(xauthdir);
-	if (xauthfile)
-		xfree(xauthfile);
-
-	/*
-	 * If we didn't get authentication data, just make up some
-	 * data.  The forwarding code will check the validity of the
-	 * response anyway, and substitute this data.  The X11
-	 * server, however, will ignore this fake data and use
-	 * whatever authentication mechanisms it was using otherwise
-	 * for the local connection.
-	 */
-	if (!got_data) {
-		u_int32_t rnd = 0;
-
-		logit("Warning: No xauth data; "
-		    "using fake authentication data for X11 forwarding.");
-		strlcpy(proto, SSH_X11_PROTO, sizeof proto);
-		for (i = 0; i < 16; i++) {
-			if (i % 4 == 0)
-				rnd = arc4random();
-			snprintf(data + 2 * i, sizeof data - 2 * i, "%02x",
-			    rnd & 0xff);
-			rnd >>= 8;
-		}
-	}
-}
-
-/*
- * This is called when the interactive is entered.  This checks if there is
- * an EOF coming on stdin.  We must check this explicitly, as select() does
- * not appear to wake up when redirecting from /dev/null.
- */
-
-static void
-client_check_initial_eof_on_stdin(void)
-{
-	int len;
-	char buf[1];
-
-	/*
-	 * If standard input is to be "redirected from /dev/null", we simply
-	 * mark that we have seen an EOF and send an EOF message to the
-	 * server. Otherwise, we try to read a single character; it appears
-	 * that for some files, such /dev/null, select() never wakes up for
-	 * read for this descriptor, which means that we never get EOF.  This
-	 * way we will get the EOF if stdin comes from /dev/null or similar.
-	 */
-	if (stdin_null_flag) {
-		/* Fake EOF on stdin. */
-		debug("Sending eof.");
-		stdin_eof = 1;
-		packet_start(SSH_CMSG_EOF);
-		packet_send();
-	} else {
-		enter_non_blocking();
-
-		/* Check for immediate EOF on stdin. */
-		len = read(fileno(stdin), buf, 1);
-		if (len == 0) {
-			/* EOF.  Record that we have seen it and send EOF to server. */
-			debug("Sending eof.");
-			stdin_eof = 1;
-			packet_start(SSH_CMSG_EOF);
-			packet_send();
-		} else if (len > 0) {
-			/*
-			 * Got data.  We must store the data in the buffer,
-			 * and also process it as an escape character if
-			 * appropriate.
-			 */
-			if ((u_char) buf[0] == escape_char)
-				escape_pending = 1;
-			else
-				buffer_append(&stdin_buffer, buf, 1);
-		}
-		leave_non_blocking();
-	}
-}
-
-
-/*
- * Make packets from buffered stdin data, and buffer them for sending to the
- * connection.
- */
-
-static void
-client_make_packets_from_stdin_data(void)
-{
-	u_int len;
-
-	/* Send buffered stdin data to the server. */
-	while (buffer_len(&stdin_buffer) > 0 &&
-	    packet_not_very_much_data_to_write()) {
-		len = buffer_len(&stdin_buffer);
-		/* Keep the packets at reasonable size. */
-		if (len > packet_get_maxsize())
-			len = packet_get_maxsize();
-		packet_start(SSH_CMSG_STDIN_DATA);
-		packet_put_string(buffer_ptr(&stdin_buffer), len);
-		packet_send();
-		buffer_consume(&stdin_buffer, len);
-		stdin_bytes += len;
-		/* If we have a pending EOF, send it now. */
-		if (stdin_eof && buffer_len(&stdin_buffer) == 0) {
-			packet_start(SSH_CMSG_EOF);
-			packet_send();
-		}
-	}
-}
-
-/*
- * Checks if the client window has changed, and sends a packet about it to
- * the server if so.  The actual change is detected elsewhere (by a software
- * interrupt on Unix); this just checks the flag and sends a message if
- * appropriate.
- */
-
-static void
-client_check_window_change(void)
-{
-	struct winsize ws;
-
-	if (! received_window_change_signal)
-		return;
-	/** XXX race */
-	received_window_change_signal = 0;
-
-	debug2("client_check_window_change: changed");
-
-	if (compat20) {
-		channel_send_window_changes();
-	} else {
-		if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) < 0)
-			return;
-		packet_start(SSH_CMSG_WINDOW_SIZE);
-		packet_put_int((u_int)ws.ws_row);
-		packet_put_int((u_int)ws.ws_col);
-		packet_put_int((u_int)ws.ws_xpixel);
-		packet_put_int((u_int)ws.ws_ypixel);
-		packet_send();
-	}
-}
-
-static void
-client_global_request_reply(int type, u_int32_t seq, void *ctxt)
-{
-	server_alive_timeouts = 0;
-	client_global_request_reply_fwd(type, seq, ctxt);
-}
-
-static void
-server_alive_check(void)
-{
-	if (++server_alive_timeouts > options.server_alive_count_max) {
-		logit("Timeout, server not responding.");
-		cleanup_exit(255);
-	}
-	packet_start(SSH2_MSG_GLOBAL_REQUEST);
-	packet_put_cstring("keepalive@openssh.com");
-	packet_put_char(1);     /* boolean: want reply */
-	packet_send();
-}
-
-/*
- * Waits until the client can do something (some data becomes available on
- * one of the file descriptors).
- */
-static void
-client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp,
-    int *maxfdp, u_int *nallocp, int rekeying)
-{
-	struct timeval tv, *tvp;
-	int ret;
-
-	/* Add any selections by the channel mechanism. */
-	channel_prepare_select(readsetp, writesetp, maxfdp, nallocp, rekeying);
-
-	if (!compat20) {
-		/* Read from the connection, unless our buffers are full. */
-		if (buffer_len(&stdout_buffer) < buffer_high &&
-		    buffer_len(&stderr_buffer) < buffer_high &&
-		    channel_not_very_much_buffered_data())
-			FD_SET(connection_in, *readsetp);
-		/*
-		 * Read from stdin, unless we have seen EOF or have very much
-		 * buffered data to send to the server.
-		 */
-		if (!stdin_eof && packet_not_very_much_data_to_write())
-			FD_SET(fileno(stdin), *readsetp);
-
-		/* Select stdout/stderr if have data in buffer. */
-		if (buffer_len(&stdout_buffer) > 0)
-			FD_SET(fileno(stdout), *writesetp);
-		if (buffer_len(&stderr_buffer) > 0)
-			FD_SET(fileno(stderr), *writesetp);
-	} else {
-		/* channel_prepare_select could have closed the last channel */
-		if (session_closed && !channel_still_open() &&
-		    !packet_have_data_to_write()) {
-			/* clear mask since we did not call select() */
-			memset(*readsetp, 0, *nallocp);
-			memset(*writesetp, 0, *nallocp);
-			return;
-		} else {
-			FD_SET(connection_in, *readsetp);
-		}
-	}
-
-	/* Select server connection if have data to write to the server. */
-	if (packet_have_data_to_write())
-		FD_SET(connection_out, *writesetp);
-
-	if (control_fd != -1)
-		FD_SET(control_fd, *readsetp);
-
-	/*
-	 * Wait for something to happen.  This will suspend the process until
-	 * some selected descriptor can be read, written, or has some other
-	 * event pending.
-	 */
-
-	if (options.server_alive_interval == 0 || !compat20)
-		tvp = NULL;
-	else {
-		tv.tv_sec = options.server_alive_interval;
-		tv.tv_usec = 0;
-		tvp = &tv;
-	}
-	ret = select((*maxfdp)+1, *readsetp, *writesetp, NULL, tvp);
-	if (ret < 0) {
-		char buf[100];
-
-		/*
-		 * We have to clear the select masks, because we return.
-		 * We have to return, because the mainloop checks for the flags
-		 * set by the signal handlers.
-		 */
-		memset(*readsetp, 0, *nallocp);
-		memset(*writesetp, 0, *nallocp);
-
-		if (errno == EINTR)
-			return;
-		/* Note: we might still have data in the buffers. */
-		snprintf(buf, sizeof buf, "select: %s\r\n", strerror(errno));
-		buffer_append(&stderr_buffer, buf, strlen(buf));
-		quit_pending = 1;
-	} else if (ret == 0)
-		server_alive_check();
-}
-
-static void
-client_suspend_self(Buffer *bin, Buffer *bout, Buffer *berr)
-{
-	/* Flush stdout and stderr buffers. */
-	if (buffer_len(bout) > 0)
-		atomicio(vwrite, fileno(stdout), buffer_ptr(bout), buffer_len(bout));
-	if (buffer_len(berr) > 0)
-		atomicio(vwrite, fileno(stderr), buffer_ptr(berr), buffer_len(berr));
-
-	leave_raw_mode();
-
-	/*
-	 * Free (and clear) the buffer to reduce the amount of data that gets
-	 * written to swap.
-	 */
-	buffer_free(bin);
-	buffer_free(bout);
-	buffer_free(berr);
-
-	/* Send the suspend signal to the program itself. */
-	kill(getpid(), SIGTSTP);
-
-	/* Reset window sizes in case they have changed */
-	received_window_change_signal = 1;
-
-	/* OK, we have been continued by the user. Reinitialize buffers. */
-	buffer_init(bin);
-	buffer_init(bout);
-	buffer_init(berr);
-
-	enter_raw_mode();
-}
-
-static void
-client_process_net_input(fd_set *readset)
-{
-	int len;
-	char buf[8192];
-
-	/*
-	 * Read input from the server, and add any such data to the buffer of
-	 * the packet subsystem.
-	 */
-	if (FD_ISSET(connection_in, readset)) {
-		/* Read as much as possible. */
-		len = read(connection_in, buf, sizeof(buf));
-		if (len == 0) {
-			/* Received EOF.  The remote host has closed the connection. */
-			snprintf(buf, sizeof buf, "Connection to %.300s closed by remote host.\r\n",
-				 host);
-			buffer_append(&stderr_buffer, buf, strlen(buf));
-			quit_pending = 1;
-			return;
-		}
-		/*
-		 * There is a kernel bug on Solaris that causes select to
-		 * sometimes wake up even though there is no data available.
-		 */
-		if (len < 0 && (errno == EAGAIN || errno == EINTR))
-			len = 0;
-
-		if (len < 0) {
-			/* An error has encountered.  Perhaps there is a network problem. */
-			snprintf(buf, sizeof buf, "Read from remote host %.300s: %.100s\r\n",
-				 host, strerror(errno));
-			buffer_append(&stderr_buffer, buf, strlen(buf));
-			quit_pending = 1;
-			return;
-		}
-		packet_process_incoming(buf, len);
-	}
-}
-
-static void
-client_subsystem_reply(int type, u_int32_t seq, void *ctxt)
-{
-	int id;
-	Channel *c;
-
-	id = packet_get_int();
-	packet_check_eom();
-
-	if ((c = channel_lookup(id)) == NULL) {
-		error("%s: no channel for id %d", __func__, id);
-		return;
-	}
-
-	if (type == SSH2_MSG_CHANNEL_SUCCESS)
-		debug2("Request suceeded on channel %d", id);
-	else if (type == SSH2_MSG_CHANNEL_FAILURE) {
-		error("Request failed on channel %d", id);
-		channel_free(c);
-	}
-}
-
-static void
-client_extra_session2_setup(int id, void *arg)
-{
-	struct confirm_ctx *cctx = arg;
-	const char *display;
-	Channel *c;
-	int i;
-
-	if (cctx == NULL)
-		fatal("%s: cctx == NULL", __func__);
-	if ((c = channel_lookup(id)) == NULL)
-		fatal("%s: no channel for id %d", __func__, id);
-
-	display = getenv("DISPLAY");
-	if (cctx->want_x_fwd && options.forward_x11 && display != NULL) {
-		char *proto, *data;
-		/* Get reasonable local authentication information. */
-		client_x11_get_proto(display, options.xauth_location,
-		    options.forward_x11_trusted, &proto, &data);
-		/* Request forwarding with authentication spoofing. */
-		debug("Requesting X11 forwarding with authentication spoofing.");
-		x11_request_forwarding_with_spoofing(id, display, proto, data);
-		/* XXX wait for reply */
-	}
-
-	if (cctx->want_agent_fwd && options.forward_agent) {
-		debug("Requesting authentication agent forwarding.");
-		channel_request_start(id, "auth-agent-req@openssh.com", 0);
-		packet_send();
-	}
-
-	client_session2_setup(id, cctx->want_tty, cctx->want_subsys,
-	    cctx->term, &cctx->tio, c->rfd, &cctx->cmd, cctx->env,
-	    client_subsystem_reply);
-
-	c->confirm_ctx = NULL;
-	buffer_free(&cctx->cmd);
-	xfree(cctx->term);
-	if (cctx->env != NULL) {
-		for (i = 0; cctx->env[i] != NULL; i++)
-			xfree(cctx->env[i]);
-		xfree(cctx->env);
-	}
-	xfree(cctx);
-}
-
-static void
-client_process_control(fd_set *readset)
-{
-	Buffer m;
-	Channel *c;
-	int client_fd, new_fd[3], ver, allowed;
-	socklen_t addrlen;
-	struct sockaddr_storage addr;
-	struct confirm_ctx *cctx;
-	char *cmd;
-	u_int i, len, env_len, command, flags;
-	uid_t euid;
-	gid_t egid;
-
-	/*
-	 * Accept connection on control socket
-	 */
-	if (control_fd == -1 || !FD_ISSET(control_fd, readset))
-		return;
-
-	memset(&addr, 0, sizeof(addr));
-	addrlen = sizeof(addr);
-	if ((client_fd = accept(control_fd,
-	    (struct sockaddr*)&addr, &addrlen)) == -1) {
-		error("%s accept: %s", __func__, strerror(errno));
-		return;
-	}
-
-	if (getpeereid(client_fd, &euid, &egid) < 0) {
-		error("%s getpeereid failed: %s", __func__, strerror(errno));
-		close(client_fd);
-		return;
-	}
-	if ((euid != 0) && (getuid() != euid)) {
-		error("control mode uid mismatch: peer euid %u != uid %u",
-		    (u_int) euid, (u_int) getuid());
-		close(client_fd);
-		return;
-	}
-
-	unset_nonblock(client_fd);
-
-	/* Read command */
-	buffer_init(&m);
-	if (ssh_msg_recv(client_fd, &m) == -1) {
-		error("%s: client msg_recv failed", __func__);
-		close(client_fd);
-		buffer_free(&m);
-		return;
-	}
-	if ((ver = buffer_get_char(&m)) != SSHMUX_VER) {
-		error("%s: wrong client version %d", __func__, ver);
-		buffer_free(&m);
-		close(client_fd);
-		return;
-	}
-
-	allowed = 1;
-	command = buffer_get_int(&m);
-	flags = buffer_get_int(&m);
-
-	buffer_clear(&m);
-
-	switch (command) {
-	case SSHMUX_COMMAND_OPEN:
-		if (options.control_master == SSHCTL_MASTER_ASK ||
-		    options.control_master == SSHCTL_MASTER_AUTO_ASK)
-			allowed = ask_permission("Allow shared connection "
-			    "to %s? ", host);
-		/* continue below */
-		break;
-	case SSHMUX_COMMAND_TERMINATE:
-		if (options.control_master == SSHCTL_MASTER_ASK ||
-		    options.control_master == SSHCTL_MASTER_AUTO_ASK)
-			allowed = ask_permission("Terminate shared connection "
-			    "to %s? ", host);
-		if (allowed)
-			quit_pending = 1;
-		/* FALLTHROUGH */
-	case SSHMUX_COMMAND_ALIVE_CHECK:
-		/* Reply for SSHMUX_COMMAND_TERMINATE and ALIVE_CHECK */
-		buffer_clear(&m);
-		buffer_put_int(&m, allowed);
-		buffer_put_int(&m, getpid());
-		if (ssh_msg_send(client_fd, SSHMUX_VER, &m) == -1) {
-			error("%s: client msg_send failed", __func__);
-			close(client_fd);
-			buffer_free(&m);
-			return;
-		}
-		buffer_free(&m);
-		close(client_fd);
-		return;
-	default:
-		error("Unsupported command %d", command);
-		buffer_free(&m);
-		close(client_fd);
-		return;
-	}
-
-	/* Reply for SSHMUX_COMMAND_OPEN */
-	buffer_clear(&m);
-	buffer_put_int(&m, allowed);
-	buffer_put_int(&m, getpid());
-	if (ssh_msg_send(client_fd, SSHMUX_VER, &m) == -1) {
-		error("%s: client msg_send failed", __func__);
-		close(client_fd);
-		buffer_free(&m);
-		return;
-	}
-
-	if (!allowed) {
-		error("Refused control connection");
-		close(client_fd);
-		buffer_free(&m);
-		return;
-	}
-
-	buffer_clear(&m);
-	if (ssh_msg_recv(client_fd, &m) == -1) {
-		error("%s: client msg_recv failed", __func__);
-		close(client_fd);
-		buffer_free(&m);
-		return;
-	}
-	if ((ver = buffer_get_char(&m)) != SSHMUX_VER) {
-		error("%s: wrong client version %d", __func__, ver);
-		buffer_free(&m);
-		close(client_fd);
-		return;
-	}
-
-	cctx = xcalloc(1, sizeof(*cctx));
-	cctx->want_tty = (flags & SSHMUX_FLAG_TTY) != 0;
-	cctx->want_subsys = (flags & SSHMUX_FLAG_SUBSYS) != 0;
-	cctx->want_x_fwd = (flags & SSHMUX_FLAG_X11_FWD) != 0;
-	cctx->want_agent_fwd = (flags & SSHMUX_FLAG_AGENT_FWD) != 0;
-	cctx->term = buffer_get_string(&m, &len);
-
-	cmd = buffer_get_string(&m, &len);
-	buffer_init(&cctx->cmd);
-	buffer_append(&cctx->cmd, cmd, strlen(cmd));
-
-	env_len = buffer_get_int(&m);
-	env_len = MIN(env_len, 4096);
-	debug3("%s: receiving %d env vars", __func__, env_len);
-	if (env_len != 0) {
-		cctx->env = xcalloc(env_len + 1, sizeof(*cctx->env));
-		for (i = 0; i < env_len; i++)
-			cctx->env[i] = buffer_get_string(&m, &len);
-		cctx->env[i] = NULL;
-	}
-
-	debug2("%s: accepted tty %d, subsys %d, cmd %s", __func__,
-	    cctx->want_tty, cctx->want_subsys, cmd);
-	xfree(cmd);
-
-	/* Gather fds from client */
-	new_fd[0] = mm_receive_fd(client_fd);
-	new_fd[1] = mm_receive_fd(client_fd);
-	new_fd[2] = mm_receive_fd(client_fd);
-
-	debug2("%s: got fds stdin %d, stdout %d, stderr %d", __func__,
-	    new_fd[0], new_fd[1], new_fd[2]);
-
-	/* Try to pick up ttymodes from client before it goes raw */
-	if (cctx->want_tty && tcgetattr(new_fd[0], &cctx->tio) == -1)
-		error("%s: tcgetattr: %s", __func__, strerror(errno));
-
-	/* This roundtrip is just for synchronisation of ttymodes */
-	buffer_clear(&m);
-	if (ssh_msg_send(client_fd, SSHMUX_VER, &m) == -1) {
-		error("%s: client msg_send failed", __func__);
-		close(client_fd);
-		close(new_fd[0]);
-		close(new_fd[1]);
-		close(new_fd[2]);
-		buffer_free(&m);
-		xfree(cctx->term);
-		if (env_len != 0) {
-			for (i = 0; i < env_len; i++)
-				xfree(cctx->env[i]);
-			xfree(cctx->env);
-		}
-		return;
-	}
-	buffer_free(&m);
-
-	/* enable nonblocking unless tty */
-	if (!isatty(new_fd[0]))
-		set_nonblock(new_fd[0]);
-	if (!isatty(new_fd[1]))
-		set_nonblock(new_fd[1]);
-	if (!isatty(new_fd[2]))
-		set_nonblock(new_fd[2]);
-
-	set_nonblock(client_fd);
-
-	c = channel_new("session", SSH_CHANNEL_OPENING,
-	    new_fd[0], new_fd[1], new_fd[2],
-	    CHAN_SES_WINDOW_DEFAULT, CHAN_SES_PACKET_DEFAULT,
-	    CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0);
-
-	/* XXX */
-	c->ctl_fd = client_fd;
-
-	debug3("%s: channel_new: %d", __func__, c->self);
-
-	channel_send_open(c->self);
-	channel_register_confirm(c->self, client_extra_session2_setup, cctx);
-}
-
-static void
-process_cmdline(void)
-{
-	void (*handler)(int);
-	char *s, *cmd, *cancel_host;
-	int delete = 0;
-	int local = 0;
-	u_short cancel_port;
-	Forward fwd;
-
-	leave_raw_mode();
-	handler = signal(SIGINT, SIG_IGN);
-	cmd = s = read_passphrase("\r\nssh> ", RP_ECHO);
-	if (s == NULL)
-		goto out;
-	while (*s && isspace(*s))
-		s++;
-	if (*s == '-')
-		s++;	/* Skip cmdline '-', if any */
-	if (*s == '\0')
-		goto out;
-
-	if (*s == 'h' || *s == 'H' || *s == '?') {
-		logit("Commands:");
-		logit("      -L[bind_address:]port:host:hostport    "
-		    "Request local forward");
-		logit("      -R[bind_address:]port:host:hostport    "
-		    "Request remote forward");
-		logit("      -KR[bind_address:]port                 "
-		    "Cancel remote forward");
-		if (!options.permit_local_command)
-			goto out;
-		logit("      !args                                  "
-		    "Execute local command");
-		goto out;
-	}
-
-	if (*s == '!' && options.permit_local_command) {
-		s++;
-		ssh_local_cmd(s);
-		goto out;
-	}
-
-	if (*s == 'K') {
-		delete = 1;
-		s++;
-	}
-	if (*s != 'L' && *s != 'R') {
-		logit("Invalid command.");
-		goto out;
-	}
-	if (*s == 'L')
-		local = 1;
-	if (local && delete) {
-		logit("Not supported.");
-		goto out;
-	}
-	if ((!local || delete) && !compat20) {
-		logit("Not supported for SSH protocol version 1.");
-		goto out;
-	}
-
-	s++;
-	while (*s && isspace(*s))
-		s++;
-
-	if (delete) {
-		cancel_port = 0;
-		cancel_host = hpdelim(&s);	/* may be NULL */
-		if (s != NULL) {
-			cancel_port = a2port(s);
-			cancel_host = cleanhostname(cancel_host);
-		} else {
-			cancel_port = a2port(cancel_host);
-			cancel_host = NULL;
-		}
-		if (cancel_port == 0) {
-			logit("Bad forwarding close port");
-			goto out;
-		}
-		channel_request_rforward_cancel(cancel_host, cancel_port);
-	} else {
-		if (!parse_forward(&fwd, s)) {
-			logit("Bad forwarding specification.");
-			goto out;
-		}
-		if (local) {
-			if (channel_setup_local_fwd_listener(fwd.listen_host,
-			    fwd.listen_port, fwd.connect_host,
-			    fwd.connect_port, options.gateway_ports) < 0) {
-				logit("Port forwarding failed.");
-				goto out;
-			}
-		} else {
-			if (channel_request_remote_forwarding(fwd.listen_host,
-			    fwd.listen_port, fwd.connect_host,
-			    fwd.connect_port) < 0) {
-				logit("Port forwarding failed.");
-				goto out;
-			}
-		}
-
-		logit("Forwarding port.");
-	}
-
-out:
-	signal(SIGINT, handler);
-	enter_raw_mode();
-	if (cmd)
-		xfree(cmd);
-}
-
-/* process the characters one by one */
-static int
-process_escapes(Buffer *bin, Buffer *bout, Buffer *berr, char *buf, int len)
-{
-	char string[1024];
-	pid_t pid;
-	int bytes = 0;
-	u_int i;
-	u_char ch;
-	char *s;
-
-	if (len <= 0)
-		return (0);
-
-	for (i = 0; i < (u_int)len; i++) {
-		/* Get one character at a time. */
-		ch = buf[i];
-
-		if (escape_pending) {
-			/* We have previously seen an escape character. */
-			/* Clear the flag now. */
-			escape_pending = 0;
-
-			/* Process the escaped character. */
-			switch (ch) {
-			case '.':
-				/* Terminate the connection. */
-				snprintf(string, sizeof string, "%c.\r\n", escape_char);
-				buffer_append(berr, string, strlen(string));
-
-				quit_pending = 1;
-				return -1;
-
-			case 'Z' - 64:
-				/* Suspend the program. */
-				/* Print a message to that effect to the user. */
-				snprintf(string, sizeof string, "%c^Z [suspend ssh]\r\n", escape_char);
-				buffer_append(berr, string, strlen(string));
-
-				/* Restore terminal modes and suspend. */
-				client_suspend_self(bin, bout, berr);
-
-				/* We have been continued. */
-				continue;
-
-			case 'B':
-				if (compat20) {
-					snprintf(string, sizeof string,
-					    "%cB\r\n", escape_char);
-					buffer_append(berr, string,
-					    strlen(string));
-					channel_request_start(session_ident,
-					    "break", 0);
-					packet_put_int(1000);
-					packet_send();
-				}
-				continue;
-
-			case 'R':
-				if (compat20) {
-					if (datafellows & SSH_BUG_NOREKEY)
-						logit("Server does not support re-keying");
-					else
-						need_rekeying = 1;
-				}
-				continue;
-
-			case '&':
-				/*
-				 * Detach the program (continue to serve connections,
-				 * but put in background and no more new connections).
-				 */
-				/* Restore tty modes. */
-				leave_raw_mode();
-
-				/* Stop listening for new connections. */
-				channel_stop_listening();
-
-				snprintf(string, sizeof string,
-				    "%c& [backgrounded]\n", escape_char);
-				buffer_append(berr, string, strlen(string));
-
-				/* Fork into background. */
-				pid = fork();
-				if (pid < 0) {
-					error("fork: %.100s", strerror(errno));
-					continue;
-				}
-				if (pid != 0) {	/* This is the parent. */
-					/* The parent just exits. */
-					exit(0);
-				}
-				/* The child continues serving connections. */
-				if (compat20) {
-					buffer_append(bin, "\004", 1);
-					/* fake EOF on stdin */
-					return -1;
-				} else if (!stdin_eof) {
-					/*
-					 * Sending SSH_CMSG_EOF alone does not always appear
-					 * to be enough.  So we try to send an EOF character
-					 * first.
-					 */
-					packet_start(SSH_CMSG_STDIN_DATA);
-					packet_put_string("\004", 1);
-					packet_send();
-					/* Close stdin. */
-					stdin_eof = 1;
-					if (buffer_len(bin) == 0) {
-						packet_start(SSH_CMSG_EOF);
-						packet_send();
-					}
-				}
-				continue;
-
-			case '?':
-				snprintf(string, sizeof string,
-"%c?\r\n\
-Supported escape sequences:\r\n\
-%c.  - terminate connection\r\n\
-%cB  - send a BREAK to the remote system\r\n\
-%cC  - open a command line\r\n\
-%cR  - Request rekey (SSH protocol 2 only)\r\n\
-%c^Z - suspend ssh\r\n\
-%c#  - list forwarded connections\r\n\
-%c&  - background ssh (when waiting for connections to terminate)\r\n\
-%c?  - this message\r\n\
-%c%c  - send the escape character by typing it twice\r\n\
-(Note that escapes are only recognized immediately after newline.)\r\n",
-				    escape_char, escape_char, escape_char, escape_char,
-				    escape_char, escape_char, escape_char, escape_char,
-				    escape_char, escape_char, escape_char);
-				buffer_append(berr, string, strlen(string));
-				continue;
-
-			case '#':
-				snprintf(string, sizeof string, "%c#\r\n", escape_char);
-				buffer_append(berr, string, strlen(string));
-				s = channel_open_message();
-				buffer_append(berr, s, strlen(s));
-				xfree(s);
-				continue;
-
-			case 'C':
-				process_cmdline();
-				continue;
-
-			default:
-				if (ch != escape_char) {
-					buffer_put_char(bin, escape_char);
-					bytes++;
-				}
-				/* Escaped characters fall through here */
-				break;
-			}
-		} else {
-			/*
-			 * The previous character was not an escape char. Check if this
-			 * is an escape.
-			 */
-			if (last_was_cr && ch == escape_char) {
-				/* It is. Set the flag and continue to next character. */
-				escape_pending = 1;
-				continue;
-			}
-		}
-
-		/*
-		 * Normal character.  Record whether it was a newline,
-		 * and append it to the buffer.
-		 */
-		last_was_cr = (ch == '\r' || ch == '\n');
-		buffer_put_char(bin, ch);
-		bytes++;
-	}
-	return bytes;
-}
-
-static void
-client_process_input(fd_set *readset)
-{
-	int len;
-	char buf[8192];
-
-	/* Read input from stdin. */
-	if (FD_ISSET(fileno(stdin), readset)) {
-		/* Read as much as possible. */
-		len = read(fileno(stdin), buf, sizeof(buf));
-		if (len < 0 && (errno == EAGAIN || errno == EINTR))
-			return;		/* we'll try again later */
-		if (len <= 0) {
-			/*
-			 * Received EOF or error.  They are treated
-			 * similarly, except that an error message is printed
-			 * if it was an error condition.
-			 */
-			if (len < 0) {
-				snprintf(buf, sizeof buf, "read: %.100s\r\n", strerror(errno));
-				buffer_append(&stderr_buffer, buf, strlen(buf));
-			}
-			/* Mark that we have seen EOF. */
-			stdin_eof = 1;
-			/*
-			 * Send an EOF message to the server unless there is
-			 * data in the buffer.  If there is data in the
-			 * buffer, no message will be sent now.  Code
-			 * elsewhere will send the EOF when the buffer
-			 * becomes empty if stdin_eof is set.
-			 */
-			if (buffer_len(&stdin_buffer) == 0) {
-				packet_start(SSH_CMSG_EOF);
-				packet_send();
-			}
-		} else if (escape_char == SSH_ESCAPECHAR_NONE) {
-			/*
-			 * Normal successful read, and no escape character.
-			 * Just append the data to buffer.
-			 */
-			buffer_append(&stdin_buffer, buf, len);
-		} else {
-			/*
-			 * Normal, successful read.  But we have an escape character
-			 * and have to process the characters one by one.
-			 */
-			if (process_escapes(&stdin_buffer, &stdout_buffer,
-			    &stderr_buffer, buf, len) == -1)
-				return;
-		}
-	}
-}
-
-static void
-client_process_output(fd_set *writeset)
-{
-	int len;
-	char buf[100];
-
-	/* Write buffered output to stdout. */
-	if (FD_ISSET(fileno(stdout), writeset)) {
-		/* Write as much data as possible. */
-		len = write(fileno(stdout), buffer_ptr(&stdout_buffer),
-		    buffer_len(&stdout_buffer));
-		if (len <= 0) {
-			if (errno == EINTR || errno == EAGAIN)
-				len = 0;
-			else {
-				/*
-				 * An error or EOF was encountered.  Put an
-				 * error message to stderr buffer.
-				 */
-				snprintf(buf, sizeof buf, "write stdout: %.50s\r\n", strerror(errno));
-				buffer_append(&stderr_buffer, buf, strlen(buf));
-				quit_pending = 1;
-				return;
-			}
-		}
-		/* Consume printed data from the buffer. */
-		buffer_consume(&stdout_buffer, len);
-		stdout_bytes += len;
-	}
-	/* Write buffered output to stderr. */
-	if (FD_ISSET(fileno(stderr), writeset)) {
-		/* Write as much data as possible. */
-		len = write(fileno(stderr), buffer_ptr(&stderr_buffer),
-		    buffer_len(&stderr_buffer));
-		if (len <= 0) {
-			if (errno == EINTR || errno == EAGAIN)
-				len = 0;
-			else {
-				/* EOF or error, but can't even print error message. */
-				quit_pending = 1;
-				return;
-			}
-		}
-		/* Consume printed characters from the buffer. */
-		buffer_consume(&stderr_buffer, len);
-		stderr_bytes += len;
-	}
-}
-
-/*
- * Get packets from the connection input buffer, and process them as long as
- * there are packets available.
- *
- * Any unknown packets received during the actual
- * session cause the session to terminate.  This is
- * intended to make debugging easier since no
- * confirmations are sent.  Any compatible protocol
- * extensions must be negotiated during the
- * preparatory phase.
- */
-
-static void
-client_process_buffered_input_packets(void)
-{
-	dispatch_run(DISPATCH_NONBLOCK, &quit_pending, compat20 ? xxx_kex : NULL);
-}
-
-/* scan buf[] for '~' before sending data to the peer */
-
-static int
-simple_escape_filter(Channel *c, char *buf, int len)
-{
-	/* XXX we assume c->extended is writeable */
-	return process_escapes(&c->input, &c->output, &c->extended, buf, len);
-}
-
-static void
-client_channel_closed(int id, void *arg)
-{
-	channel_cancel_cleanup(id);
-	session_closed = 1;
-	leave_raw_mode();
-}
-
-/*
- * Implements the interactive session with the server.  This is called after
- * the user has been authenticated, and a command has been started on the
- * remote host.  If escape_char != SSH_ESCAPECHAR_NONE, it is the character
- * used as an escape character for terminating or suspending the session.
- */
-
-int
-client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
-{
-	fd_set *readset = NULL, *writeset = NULL;
-	double start_time, total_time;
-	int max_fd = 0, max_fd2 = 0, len, rekeying = 0;
-	u_int nalloc = 0;
-	char buf[100];
-
-	debug("Entering interactive session.");
-
-	start_time = get_current_time();
-
-	/* Initialize variables. */
-	escape_pending = 0;
-	last_was_cr = 1;
-	exit_status = -1;
-	stdin_eof = 0;
-	buffer_high = 64 * 1024;
-	connection_in = packet_get_connection_in();
-	connection_out = packet_get_connection_out();
-	max_fd = MAX(connection_in, connection_out);
-	if (control_fd != -1)
-		max_fd = MAX(max_fd, control_fd);
-
-	if (!compat20) {
-		/* enable nonblocking unless tty */
-		if (!isatty(fileno(stdin)))
-			set_nonblock(fileno(stdin));
-		if (!isatty(fileno(stdout)))
-			set_nonblock(fileno(stdout));
-		if (!isatty(fileno(stderr)))
-			set_nonblock(fileno(stderr));
-		max_fd = MAX(max_fd, fileno(stdin));
-		max_fd = MAX(max_fd, fileno(stdout));
-		max_fd = MAX(max_fd, fileno(stderr));
-	}
-	stdin_bytes = 0;
-	stdout_bytes = 0;
-	stderr_bytes = 0;
-	quit_pending = 0;
-	escape_char = escape_char_arg;
-
-	/* Initialize buffers. */
-	buffer_init(&stdin_buffer);
-	buffer_init(&stdout_buffer);
-	buffer_init(&stderr_buffer);
-
-	client_init_dispatch();
-
-	/*
-	 * Set signal handlers, (e.g. to restore non-blocking mode)
-	 * but don't overwrite SIG_IGN, matches behaviour from rsh(1)
-	 */
-	if (signal(SIGHUP, SIG_IGN) != SIG_IGN)
-		signal(SIGHUP, signal_handler);
-	if (signal(SIGINT, SIG_IGN) != SIG_IGN)
-		signal(SIGINT, signal_handler);
-	if (signal(SIGQUIT, SIG_IGN) != SIG_IGN)
-		signal(SIGQUIT, signal_handler);
-	if (signal(SIGTERM, SIG_IGN) != SIG_IGN)
-		signal(SIGTERM, signal_handler);
-	signal(SIGWINCH, window_change_handler);
-
-	if (have_pty)
-		enter_raw_mode();
-
-	if (compat20) {
-		session_ident = ssh2_chan_id;
-		if (escape_char != SSH_ESCAPECHAR_NONE)
-			channel_register_filter(session_ident,
-			    simple_escape_filter, NULL);
-		if (session_ident != -1)
-			channel_register_cleanup(session_ident,
-			    client_channel_closed, 0);
-	} else {
-		/* Check if we should immediately send eof on stdin. */
-		client_check_initial_eof_on_stdin();
-	}
-
-	/* Main loop of the client for the interactive session mode. */
-	while (!quit_pending) {
-
-		/* Process buffered packets sent by the server. */
-		client_process_buffered_input_packets();
-
-		if (compat20 && session_closed && !channel_still_open())
-			break;
-
-		rekeying = (xxx_kex != NULL && !xxx_kex->done);
-
-		if (rekeying) {
-			debug("rekeying in progress");
-		} else {
-			/*
-			 * Make packets of buffered stdin data, and buffer
-			 * them for sending to the server.
-			 */
-			if (!compat20)
-				client_make_packets_from_stdin_data();
-
-			/*
-			 * Make packets from buffered channel data, and
-			 * enqueue them for sending to the server.
-			 */
-			if (packet_not_very_much_data_to_write())
-				channel_output_poll();
-
-			/*
-			 * Check if the window size has changed, and buffer a
-			 * message about it to the server if so.
-			 */
-			client_check_window_change();
-
-			if (quit_pending)
-				break;
-		}
-		/*
-		 * Wait until we have something to do (something becomes
-		 * available on one of the descriptors).
-		 */
-		max_fd2 = max_fd;
-		client_wait_until_can_do_something(&readset, &writeset,
-		    &max_fd2, &nalloc, rekeying);
-
-		if (quit_pending)
-			break;
-
-		/* Do channel operations unless rekeying in progress. */
-		if (!rekeying) {
-			channel_after_select(readset, writeset);
-			if (need_rekeying || packet_need_rekeying()) {
-				debug("need rekeying");
-				xxx_kex->done = 0;
-				kex_send_kexinit(xxx_kex);
-				need_rekeying = 0;
-			}
-		}
-
-		/* Buffer input from the connection.  */
-		client_process_net_input(readset);
-
-		/* Accept control connections.  */
-		client_process_control(readset);
-
-		if (quit_pending)
-			break;
-
-		if (!compat20) {
-			/* Buffer data from stdin */
-			client_process_input(readset);
-			/*
-			 * Process output to stdout and stderr.  Output to
-			 * the connection is processed elsewhere (above).
-			 */
-			client_process_output(writeset);
-		}
-
-		/* Send as much buffered packet data as possible to the sender. */
-		if (FD_ISSET(connection_out, writeset))
-			packet_write_poll();
-	}
-	if (readset)
-		xfree(readset);
-	if (writeset)
-		xfree(writeset);
-
-	/* Terminate the session. */
-
-	/* Stop watching for window change. */
-	signal(SIGWINCH, SIG_DFL);
-
-	channel_free_all();
-
-	if (have_pty)
-		leave_raw_mode();
-
-	/* restore blocking io */
-	if (!isatty(fileno(stdin)))
-		unset_nonblock(fileno(stdin));
-	if (!isatty(fileno(stdout)))
-		unset_nonblock(fileno(stdout));
-	if (!isatty(fileno(stderr)))
-		unset_nonblock(fileno(stderr));
-
-	/*
-	 * If there was no shell or command requested, there will be no remote
-	 * exit status to be returned.  In that case, clear error code if the
-	 * connection was deliberately terminated at this end.
-	 */
-	if (no_shell_flag && received_signal == SIGTERM) {
-		received_signal = 0;
-		exit_status = 0;
-	}
-
-	if (received_signal)
-		fatal("Killed by signal %d.", (int) received_signal);
-
-	/*
-	 * In interactive mode (with pseudo tty) display a message indicating
-	 * that the connection has been closed.
-	 */
-	if (have_pty && options.log_level != SYSLOG_LEVEL_QUIET) {
-		snprintf(buf, sizeof buf, "Connection to %.64s closed.\r\n", host);
-		buffer_append(&stderr_buffer, buf, strlen(buf));
-	}
-
-	/* Output any buffered data for stdout. */
-	while (buffer_len(&stdout_buffer) > 0) {
-		len = write(fileno(stdout), buffer_ptr(&stdout_buffer),
-		    buffer_len(&stdout_buffer));
-		if (len <= 0) {
-			error("Write failed flushing stdout buffer.");
-			break;
-		}
-		buffer_consume(&stdout_buffer, len);
-		stdout_bytes += len;
-	}
-
-	/* Output any buffered data for stderr. */
-	while (buffer_len(&stderr_buffer) > 0) {
-		len = write(fileno(stderr), buffer_ptr(&stderr_buffer),
-		    buffer_len(&stderr_buffer));
-		if (len <= 0) {
-			error("Write failed flushing stderr buffer.");
-			break;
-		}
-		buffer_consume(&stderr_buffer, len);
-		stderr_bytes += len;
-	}
-
-	/* Clear and free any buffers. */
-	memset(buf, 0, sizeof(buf));
-	buffer_free(&stdin_buffer);
-	buffer_free(&stdout_buffer);
-	buffer_free(&stderr_buffer);
-
-	/* Report bytes transferred, and transfer rates. */
-	total_time = get_current_time() - start_time;
-	debug("Transferred: stdin %lu, stdout %lu, stderr %lu bytes in %.1f seconds",
-	    stdin_bytes, stdout_bytes, stderr_bytes, total_time);
-	if (total_time > 0)
-		debug("Bytes per second: stdin %.1f, stdout %.1f, stderr %.1f",
-		    stdin_bytes / total_time, stdout_bytes / total_time,
-		    stderr_bytes / total_time);
-
-	/* Return the exit status of the program. */
-	debug("Exit status %d", exit_status);
-	return exit_status;
-}
-
-/*********/
-
-static void
-client_input_stdout_data(int type, u_int32_t seq, void *ctxt)
-{
-	u_int data_len;
-	char *data = packet_get_string(&data_len);
-	packet_check_eom();
-	buffer_append(&stdout_buffer, data, data_len);
-	memset(data, 0, data_len);
-	xfree(data);
-}
-static void
-client_input_stderr_data(int type, u_int32_t seq, void *ctxt)
-{
-	u_int data_len;
-	char *data = packet_get_string(&data_len);
-	packet_check_eom();
-	buffer_append(&stderr_buffer, data, data_len);
-	memset(data, 0, data_len);
-	xfree(data);
-}
-static void
-client_input_exit_status(int type, u_int32_t seq, void *ctxt)
-{
-	exit_status = packet_get_int();
-	packet_check_eom();
-	/* Acknowledge the exit. */
-	packet_start(SSH_CMSG_EXIT_CONFIRMATION);
-	packet_send();
-	/*
-	 * Must wait for packet to be sent since we are
-	 * exiting the loop.
-	 */
-	packet_write_wait();
-	/* Flag that we want to exit. */
-	quit_pending = 1;
-}
-static void
-client_input_agent_open(int type, u_int32_t seq, void *ctxt)
-{
-	Channel *c = NULL;
-	int remote_id, sock;
-
-	/* Read the remote channel number from the message. */
-	remote_id = packet_get_int();
-	packet_check_eom();
-
-	/*
-	 * Get a connection to the local authentication agent (this may again
-	 * get forwarded).
-	 */
-	sock = ssh_get_authentication_socket();
-
-	/*
-	 * If we could not connect the agent, send an error message back to
-	 * the server. This should never happen unless the agent dies,
-	 * because authentication forwarding is only enabled if we have an
-	 * agent.
-	 */
-	if (sock >= 0) {
-		c = channel_new("", SSH_CHANNEL_OPEN, sock, sock,
-		    -1, 0, 0, 0, "authentication agent connection", 1);
-		c->remote_id = remote_id;
-		c->force_drain = 1;
-	}
-	if (c == NULL) {
-		packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
-		packet_put_int(remote_id);
-	} else {
-		/* Send a confirmation to the remote host. */
-		debug("Forwarding authentication connection.");
-		packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
-		packet_put_int(remote_id);
-		packet_put_int(c->self);
-	}
-	packet_send();
-}
-
-static Channel *
-client_request_forwarded_tcpip(const char *request_type, int rchan)
-{
-	Channel *c = NULL;
-	char *listen_address, *originator_address;
-	int listen_port, originator_port;
-	int sock;
-
-	/* Get rest of the packet */
-	listen_address = packet_get_string(NULL);
-	listen_port = packet_get_int();
-	originator_address = packet_get_string(NULL);
-	originator_port = packet_get_int();
-	packet_check_eom();
-
-	debug("client_request_forwarded_tcpip: listen %s port %d, originator %s port %d",
-	    listen_address, listen_port, originator_address, originator_port);
-
-	sock = channel_connect_by_listen_address(listen_port);
-	if (sock < 0) {
-		xfree(originator_address);
-		xfree(listen_address);
-		return NULL;
-	}
-	c = channel_new("forwarded-tcpip",
-	    SSH_CHANNEL_CONNECTING, sock, sock, -1,
-	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
-	    originator_address, 1);
-	xfree(originator_address);
-	xfree(listen_address);
-	return c;
-}
-
-static Channel *
-client_request_x11(const char *request_type, int rchan)
-{
-	Channel *c = NULL;
-	char *originator;
-	int originator_port;
-	int sock;
-
-	if (!options.forward_x11) {
-		error("Warning: ssh server tried X11 forwarding.");
-		error("Warning: this is probably a break-in attempt by a malicious server.");
-		return NULL;
-	}
-	originator = packet_get_string(NULL);
-	if (datafellows & SSH_BUG_X11FWD) {
-		debug2("buggy server: x11 request w/o originator_port");
-		originator_port = 0;
-	} else {
-		originator_port = packet_get_int();
-	}
-	packet_check_eom();
-	/* XXX check permission */
-	debug("client_request_x11: request from %s %d", originator,
-	    originator_port);
-	xfree(originator);
-	sock = x11_connect_display();
-	if (sock < 0)
-		return NULL;
-	c = channel_new("x11",
-	    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
-	    CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
-	c->force_drain = 1;
-	return c;
-}
-
-static Channel *
-client_request_agent(const char *request_type, int rchan)
-{
-	Channel *c = NULL;
-	int sock;
-
-	if (!options.forward_agent) {
-		error("Warning: ssh server tried agent forwarding.");
-		error("Warning: this is probably a break-in attempt by a malicious server.");
-		return NULL;
-	}
-	sock =  ssh_get_authentication_socket();
-	if (sock < 0)
-		return NULL;
-	c = channel_new("authentication agent connection",
-	    SSH_CHANNEL_OPEN, sock, sock, -1,
-	    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
-	    "authentication agent connection", 1);
-	c->force_drain = 1;
-	return c;
-}
-
-/* XXXX move to generic input handler */
-static void
-client_input_channel_open(int type, u_int32_t seq, void *ctxt)
-{
-	Channel *c = NULL;
-	char *ctype;
-	int rchan;
-	u_int rmaxpack, rwindow, len;
-
-	ctype = packet_get_string(&len);
-	rchan = packet_get_int();
-	rwindow = packet_get_int();
-	rmaxpack = packet_get_int();
-
-	debug("client_input_channel_open: ctype %s rchan %d win %d max %d",
-	    ctype, rchan, rwindow, rmaxpack);
-
-	if (strcmp(ctype, "forwarded-tcpip") == 0) {
-		c = client_request_forwarded_tcpip(ctype, rchan);
-	} else if (strcmp(ctype, "x11") == 0) {
-		c = client_request_x11(ctype, rchan);
-	} else if (strcmp(ctype, "auth-agent@openssh.com") == 0) {
-		c = client_request_agent(ctype, rchan);
-	}
-/* XXX duplicate : */
-	if (c != NULL) {
-		debug("confirm %s", ctype);
-		c->remote_id = rchan;
-		c->remote_window = rwindow;
-		c->remote_maxpacket = rmaxpack;
-		if (c->type != SSH_CHANNEL_CONNECTING) {
-			packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);
-			packet_put_int(c->remote_id);
-			packet_put_int(c->self);
-			packet_put_int(c->local_window);
-			packet_put_int(c->local_maxpacket);
-			packet_send();
-		}
-	} else {
-		debug("failure %s", ctype);
-		packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE);
-		packet_put_int(rchan);
-		packet_put_int(SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED);
-		if (!(datafellows & SSH_BUG_OPENFAILURE)) {
-			packet_put_cstring("open failed");
-			packet_put_cstring("");
-		}
-		packet_send();
-	}
-	xfree(ctype);
-}
-static void
-client_input_channel_req(int type, u_int32_t seq, void *ctxt)
-{
-	Channel *c = NULL;
-	int exitval, id, reply, success = 0;
-	char *rtype;
-
-	id = packet_get_int();
-	rtype = packet_get_string(NULL);
-	reply = packet_get_char();
-
-	debug("client_input_channel_req: channel %d rtype %s reply %d",
-	    id, rtype, reply);
-
-	if (id == -1) {
-		error("client_input_channel_req: request for channel -1");
-	} else if ((c = channel_lookup(id)) == NULL) {
-		error("client_input_channel_req: channel %d: unknown channel", id);
-	} else if (strcmp(rtype, "exit-status") == 0) {
-		exitval = packet_get_int();
-		if (id == session_ident) {
-			success = 1;
-			exit_status = exitval;
-		} else if (c->ctl_fd == -1) {
-			error("client_input_channel_req: unexpected channel %d",
-			    session_ident);
-		} else {
-			atomicio(vwrite, c->ctl_fd, &exitval, sizeof(exitval));
-			success = 1;
-		}
-		packet_check_eom();
-	}
-	if (reply) {
-		packet_start(success ?
-		    SSH2_MSG_CHANNEL_SUCCESS : SSH2_MSG_CHANNEL_FAILURE);
-		packet_put_int(id);
-		packet_send();
-	}
-	xfree(rtype);
-}
-static void
-client_input_global_request(int type, u_int32_t seq, void *ctxt)
-{
-	char *rtype;
-	int want_reply;
-	int success = 0;
-
-	rtype = packet_get_string(NULL);
-	want_reply = packet_get_char();
-	debug("client_input_global_request: rtype %s want_reply %d",
-	    rtype, want_reply);
-	if (want_reply) {
-		packet_start(success ?
-		    SSH2_MSG_REQUEST_SUCCESS : SSH2_MSG_REQUEST_FAILURE);
-		packet_send();
-		packet_write_wait();
-	}
-	xfree(rtype);
-}
-
-void
-client_session2_setup(int id, int want_tty, int want_subsystem,
-    const char *term, struct termios *tiop, int in_fd, Buffer *cmd, char **env,
-    dispatch_fn *subsys_repl)
-{
-	int len;
-	Channel *c = NULL;
-
-	debug2("%s: id %d", __func__, id);
-
-	if ((c = channel_lookup(id)) == NULL)
-		fatal("client_session2_setup: channel %d: unknown channel", id);
-
-	if (want_tty) {
-		struct winsize ws;
-		struct termios tio;
-
-		/* Store window size in the packet. */
-		if (ioctl(in_fd, TIOCGWINSZ, &ws) < 0)
-			memset(&ws, 0, sizeof(ws));
-
-		channel_request_start(id, "pty-req", 0);
-		packet_put_cstring(term != NULL ? term : "");
-		packet_put_int((u_int)ws.ws_col);
-		packet_put_int((u_int)ws.ws_row);
-		packet_put_int((u_int)ws.ws_xpixel);
-		packet_put_int((u_int)ws.ws_ypixel);
-		tio = get_saved_tio();
-		tty_make_modes(-1, tiop != NULL ? tiop : &tio);
-		packet_send();
-		/* XXX wait for reply */
-		c->client_tty = 1;
-	}
-
-	/* Transfer any environment variables from client to server */
-	if (options.num_send_env != 0 && env != NULL) {
-		int i, j, matched;
-		char *name, *val;
-
-		debug("Sending environment.");
-		for (i = 0; env[i] != NULL; i++) {
-			/* Split */
-			name = xstrdup(env[i]);
-			if ((val = strchr(name, '=')) == NULL) {
-				xfree(name);
-				continue;
-			}
-			*val++ = '\0';
-
-			matched = 0;
-			for (j = 0; j < options.num_send_env; j++) {
-				if (match_pattern(name, options.send_env[j])) {
-					matched = 1;
-					break;
-				}
-			}
-			if (!matched) {
-				debug3("Ignored env %s", name);
-				xfree(name);
-				continue;
-			}
-
-			debug("Sending env %s = %s", name, val);
-			channel_request_start(id, "env", 0);
-			packet_put_cstring(name);
-			packet_put_cstring(val);
-			packet_send();
-			xfree(name);
-		}
-	}
-
-	len = buffer_len(cmd);
-	if (len > 0) {
-		if (len > 900)
-			len = 900;
-		if (want_subsystem) {
-			debug("Sending subsystem: %.*s", len, (u_char*)buffer_ptr(cmd));
-			channel_request_start(id, "subsystem", subsys_repl != NULL);
-			if (subsys_repl != NULL) {
-				/* register callback for reply */
-				/* XXX we assume that client_loop has already been called */
-				dispatch_set(SSH2_MSG_CHANNEL_FAILURE, subsys_repl);
-				dispatch_set(SSH2_MSG_CHANNEL_SUCCESS, subsys_repl);
-			}
-		} else {
-			debug("Sending command: %.*s", len, (u_char*)buffer_ptr(cmd));
-			channel_request_start(id, "exec", 0);
-		}
-		packet_put_string(buffer_ptr(cmd), buffer_len(cmd));
-		packet_send();
-	} else {
-		channel_request_start(id, "shell", 0);
-		packet_send();
-	}
-}
-
-static void
-client_init_dispatch_20(void)
-{
-	dispatch_init(&dispatch_protocol_error);
-
-	dispatch_set(SSH2_MSG_CHANNEL_CLOSE, &channel_input_oclose);
-	dispatch_set(SSH2_MSG_CHANNEL_DATA, &channel_input_data);
-	dispatch_set(SSH2_MSG_CHANNEL_EOF, &channel_input_ieof);
-	dispatch_set(SSH2_MSG_CHANNEL_EXTENDED_DATA, &channel_input_extended_data);
-	dispatch_set(SSH2_MSG_CHANNEL_OPEN, &client_input_channel_open);
-	dispatch_set(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation);
-	dispatch_set(SSH2_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure);
-	dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &client_input_channel_req);
-	dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust);
-	dispatch_set(SSH2_MSG_GLOBAL_REQUEST, &client_input_global_request);
-
-	/* rekeying */
-	dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);
-
-	/* global request reply messages */
-	dispatch_set(SSH2_MSG_REQUEST_FAILURE, &client_global_request_reply);
-	dispatch_set(SSH2_MSG_REQUEST_SUCCESS, &client_global_request_reply);
-}
-static void
-client_init_dispatch_13(void)
-{
-	dispatch_init(NULL);
-	dispatch_set(SSH_MSG_CHANNEL_CLOSE, &channel_input_close);
-	dispatch_set(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION, &channel_input_close_confirmation);
-	dispatch_set(SSH_MSG_CHANNEL_DATA, &channel_input_data);
-	dispatch_set(SSH_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation);
-	dispatch_set(SSH_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure);
-	dispatch_set(SSH_MSG_PORT_OPEN, &channel_input_port_open);
-	dispatch_set(SSH_SMSG_EXITSTATUS, &client_input_exit_status);
-	dispatch_set(SSH_SMSG_STDERR_DATA, &client_input_stderr_data);
-	dispatch_set(SSH_SMSG_STDOUT_DATA, &client_input_stdout_data);
-
-	dispatch_set(SSH_SMSG_AGENT_OPEN, options.forward_agent ?
-	    &client_input_agent_open : &deny_input_open);
-	dispatch_set(SSH_SMSG_X11_OPEN, options.forward_x11 ?
-	    &x11_input_open : &deny_input_open);
-}
-static void
-client_init_dispatch_15(void)
-{
-	client_init_dispatch_13();
-	dispatch_set(SSH_MSG_CHANNEL_CLOSE, &channel_input_ieof);
-	dispatch_set(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION, & channel_input_oclose);
-}
-static void
-client_init_dispatch(void)
-{
-	if (compat20)
-		client_init_dispatch_20();
-	else if (compat13)
-		client_init_dispatch_13();
-	else
-		client_init_dispatch_15();
-}
-
-/* client specific fatal cleanup */
-void
-cleanup_exit(int i)
-{
-	leave_raw_mode();
-	leave_non_blocking();
-	if (options.control_path != NULL && control_fd != -1)
-		unlink(options.control_path);
-	_exit(i);
-}
diff --git a/crypto/openssh/clientloop.h b/crypto/openssh/clientloop.h
deleted file mode 100644
index beec62f..0000000
--- a/crypto/openssh/clientloop.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/* $OpenBSD: clientloop.h,v 1.16 2006/03/25 22:22:42 djm Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-/*
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include <termios.h>
-
-/* Client side main loop for the interactive session. */
-int	 client_loop(int, int, int);
-void	 client_x11_get_proto(const char *, const char *, u_int,
-	    char **, char **);
-void	 client_global_request_reply_fwd(int, u_int32_t, void *);
-void	 client_session2_setup(int, int, int, const char *, struct termios *,
-	    int, Buffer *, char **, dispatch_fn *);
-
-/* Multiplexing protocol version */
-#define SSHMUX_VER			1
-
-/* Multiplexing control protocol flags */
-#define SSHMUX_COMMAND_OPEN		1	/* Open new connection */
-#define SSHMUX_COMMAND_ALIVE_CHECK	2	/* Check master is alive */
-#define SSHMUX_COMMAND_TERMINATE	3	/* Ask master to exit */
-
-#define SSHMUX_FLAG_TTY			(1)	/* Request tty on open */
-#define SSHMUX_FLAG_SUBSYS		(1<<1)	/* Subsystem request on open */
-#define SSHMUX_FLAG_X11_FWD		(1<<2)	/* Request X11 forwarding */
-#define SSHMUX_FLAG_AGENT_FWD		(1<<3)	/* Request agent forwarding */
diff --git a/crypto/openssh/compat.c b/crypto/openssh/compat.c
deleted file mode 100644
index da67f94..0000000
--- a/crypto/openssh/compat.c
+++ /dev/null
@@ -1,235 +0,0 @@
-/* $OpenBSD: compat.c,v 1.76 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <stdlib.h>
-#include <string.h>
-#include <stdarg.h>
-
-#include "xmalloc.h"
-#include "buffer.h"
-#include "packet.h"
-#include "compat.h"
-#include "log.h"
-#include "match.h"
-
-int compat13 = 0;
-int compat20 = 0;
-int datafellows = 0;
-
-void
-enable_compat20(void)
-{
-	debug("Enabling compatibility mode for protocol 2.0");
-	compat20 = 1;
-}
-void
-enable_compat13(void)
-{
-	debug("Enabling compatibility mode for protocol 1.3");
-	compat13 = 1;
-}
-/* datafellows bug compatibility */
-void
-compat_datafellows(const char *version)
-{
-	int i;
-	static struct {
-		char	*pat;
-		int	bugs;
-	} check[] = {
-		{ "OpenSSH-2.0*,"
-		  "OpenSSH-2.1*,"
-		  "OpenSSH_2.1*,"
-		  "OpenSSH_2.2*",	SSH_OLD_SESSIONID|SSH_BUG_BANNER|
-					SSH_OLD_DHGEX|SSH_BUG_NOREKEY|
-					SSH_BUG_EXTEOF|SSH_OLD_FORWARD_ADDR},
-		{ "OpenSSH_2.3.0*",	SSH_BUG_BANNER|SSH_BUG_BIGENDIANAES|
-					SSH_OLD_DHGEX|SSH_BUG_NOREKEY|
-					SSH_BUG_EXTEOF|SSH_OLD_FORWARD_ADDR},
-		{ "OpenSSH_2.3.*",	SSH_BUG_BIGENDIANAES|SSH_OLD_DHGEX|
-					SSH_BUG_NOREKEY|SSH_BUG_EXTEOF|
-					SSH_OLD_FORWARD_ADDR},
-		{ "OpenSSH_2.5.0p1*,"
-		  "OpenSSH_2.5.1p1*",
-					SSH_BUG_BIGENDIANAES|SSH_OLD_DHGEX|
-					SSH_BUG_NOREKEY|SSH_BUG_EXTEOF|
-					SSH_OLD_FORWARD_ADDR},
-		{ "OpenSSH_2.5.0*,"
-		  "OpenSSH_2.5.1*,"
-		  "OpenSSH_2.5.2*",	SSH_OLD_DHGEX|SSH_BUG_NOREKEY|
-					SSH_BUG_EXTEOF|SSH_OLD_FORWARD_ADDR},
-		{ "OpenSSH_2.5.3*",	SSH_BUG_NOREKEY|SSH_BUG_EXTEOF|
-					SSH_OLD_FORWARD_ADDR},
-		{ "OpenSSH_2.*,"
-		  "OpenSSH_3.0*,"
-		  "OpenSSH_3.1*",	SSH_BUG_EXTEOF|SSH_OLD_FORWARD_ADDR},
-		{ "OpenSSH_3.*",	SSH_OLD_FORWARD_ADDR },
-		{ "Sun_SSH_1.0*",	SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
-		{ "OpenSSH*",		0 },
-		{ "*MindTerm*",		0 },
-		{ "2.1.0*",		SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
-					SSH_OLD_SESSIONID|SSH_BUG_DEBUG|
-					SSH_BUG_RSASIGMD5|SSH_BUG_HBSERVICE|
-					SSH_BUG_FIRSTKEX },
-		{ "2.1 *",		SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
-					SSH_OLD_SESSIONID|SSH_BUG_DEBUG|
-					SSH_BUG_RSASIGMD5|SSH_BUG_HBSERVICE|
-					SSH_BUG_FIRSTKEX },
-		{ "2.0.13*,"
-		  "2.0.14*,"
-		  "2.0.15*,"
-		  "2.0.16*,"
-		  "2.0.17*,"
-		  "2.0.18*,"
-		  "2.0.19*",		SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
-					SSH_OLD_SESSIONID|SSH_BUG_DEBUG|
-					SSH_BUG_PKSERVICE|SSH_BUG_X11FWD|
-					SSH_BUG_PKOK|SSH_BUG_RSASIGMD5|
-					SSH_BUG_HBSERVICE|SSH_BUG_OPENFAILURE|
-					SSH_BUG_DUMMYCHAN|SSH_BUG_FIRSTKEX },
-		{ "2.0.11*,"
-		  "2.0.12*",		SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
-					SSH_OLD_SESSIONID|SSH_BUG_DEBUG|
-					SSH_BUG_PKSERVICE|SSH_BUG_X11FWD|
-					SSH_BUG_PKAUTH|SSH_BUG_PKOK|
-					SSH_BUG_RSASIGMD5|SSH_BUG_OPENFAILURE|
-					SSH_BUG_DUMMYCHAN|SSH_BUG_FIRSTKEX },
-		{ "2.0.*",		SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
-					SSH_OLD_SESSIONID|SSH_BUG_DEBUG|
-					SSH_BUG_PKSERVICE|SSH_BUG_X11FWD|
-					SSH_BUG_PKAUTH|SSH_BUG_PKOK|
-					SSH_BUG_RSASIGMD5|SSH_BUG_OPENFAILURE|
-					SSH_BUG_DERIVEKEY|SSH_BUG_DUMMYCHAN|
-					SSH_BUG_FIRSTKEX },
-		{ "2.2.0*,"
-		  "2.3.0*",		SSH_BUG_HMAC|SSH_BUG_DEBUG|
-					SSH_BUG_RSASIGMD5|SSH_BUG_FIRSTKEX },
-		{ "2.3.*",		SSH_BUG_DEBUG|SSH_BUG_RSASIGMD5|
-					SSH_BUG_FIRSTKEX },
-		{ "2.4",		SSH_OLD_SESSIONID },	/* Van Dyke */
-		{ "2.*",		SSH_BUG_DEBUG|SSH_BUG_FIRSTKEX },
-		{ "3.0.*",		SSH_BUG_DEBUG },
-		{ "3.0 SecureCRT*",	SSH_OLD_SESSIONID },
-		{ "1.7 SecureFX*",	SSH_OLD_SESSIONID },
-		{ "1.2.18*,"
-		  "1.2.19*,"
-		  "1.2.20*,"
-		  "1.2.21*,"
-		  "1.2.22*",		SSH_BUG_IGNOREMSG },
-		{ "1.3.2*",		/* F-Secure */
-					SSH_BUG_IGNOREMSG },
-		{ "*SSH Compatible Server*",			/* Netscreen */
-					SSH_BUG_PASSWORDPAD },
-		{ "*OSU_0*,"
-		  "OSU_1.0*,"
-		  "OSU_1.1*,"
-		  "OSU_1.2*,"
-		  "OSU_1.3*,"
-		  "OSU_1.4*,"
-		  "OSU_1.5alpha1*,"
-		  "OSU_1.5alpha2*,"
-		  "OSU_1.5alpha3*",	SSH_BUG_PASSWORDPAD },
-		{ "*SSH_Version_Mapper*",
-					SSH_BUG_SCANNER },
-		{ "Probe-*",
-					SSH_BUG_PROBE },
-		{ NULL,			0 }
-	};
-
-	/* process table, return first match */
-	for (i = 0; check[i].pat; i++) {
-		if (match_pattern_list(version, check[i].pat,
-		    strlen(check[i].pat), 0) == 1) {
-			debug("match: %s pat %s", version, check[i].pat);
-			datafellows = check[i].bugs;
-			return;
-		}
-	}
-	debug("no match: %s", version);
-}
-
-#define	SEP	","
-int
-proto_spec(const char *spec)
-{
-	char *s, *p, *q;
-	int ret = SSH_PROTO_UNKNOWN;
-
-	if (spec == NULL)
-		return ret;
-	q = s = xstrdup(spec);
-	for ((p = strsep(&q, SEP)); p && *p != '\0'; (p = strsep(&q, SEP))) {
-		switch (atoi(p)) {
-		case 1:
-			if (ret == SSH_PROTO_UNKNOWN)
-				ret |= SSH_PROTO_1_PREFERRED;
-			ret |= SSH_PROTO_1;
-			break;
-		case 2:
-			ret |= SSH_PROTO_2;
-			break;
-		default:
-			logit("ignoring bad proto spec: '%s'.", p);
-			break;
-		}
-	}
-	xfree(s);
-	return ret;
-}
-
-char *
-compat_cipher_proposal(char *cipher_prop)
-{
-	Buffer b;
-	char *orig_prop, *fix_ciphers;
-	char *cp, *tmp;
-
-	if (!(datafellows & SSH_BUG_BIGENDIANAES))
-		return(cipher_prop);
-
-	buffer_init(&b);
-	tmp = orig_prop = xstrdup(cipher_prop);
-	while ((cp = strsep(&tmp, ",")) != NULL) {
-		if (strncmp(cp, "aes", 3) != 0) {
-			if (buffer_len(&b) > 0)
-				buffer_append(&b, ",", 1);
-			buffer_append(&b, cp, strlen(cp));
-		}
-	}
-	buffer_append(&b, "\0", 1);
-	fix_ciphers = xstrdup(buffer_ptr(&b));
-	buffer_free(&b);
-	xfree(orig_prop);
-	debug2("Original cipher proposal: %s", cipher_prop);
-	debug2("Compat cipher proposal: %s", fix_ciphers);
-	if (!*fix_ciphers)
-		fatal("No available ciphers found.");
-
-	return(fix_ciphers);
-}
diff --git a/crypto/openssh/compat.h b/crypto/openssh/compat.h
deleted file mode 100644
index 83d469d..0000000
--- a/crypto/openssh/compat.h
+++ /dev/null
@@ -1,69 +0,0 @@
-/* $OpenBSD: compat.h,v 1.40 2006/03/25 22:22:43 djm Exp $ */
-
-/*
- * Copyright (c) 1999, 2000, 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef COMPAT_H
-#define COMPAT_H
-
-#define	SSH_PROTO_UNKNOWN	0x00
-#define	SSH_PROTO_1		0x01
-#define	SSH_PROTO_1_PREFERRED	0x02
-#define	SSH_PROTO_2		0x04
-
-#define SSH_BUG_SIGBLOB		0x00000001
-#define SSH_BUG_PKSERVICE	0x00000002
-#define SSH_BUG_HMAC		0x00000004
-#define SSH_BUG_X11FWD		0x00000008
-#define SSH_OLD_SESSIONID	0x00000010
-#define SSH_BUG_PKAUTH		0x00000020
-#define SSH_BUG_DEBUG		0x00000040
-#define SSH_BUG_BANNER		0x00000080
-#define SSH_BUG_IGNOREMSG	0x00000100
-#define SSH_BUG_PKOK		0x00000200
-#define SSH_BUG_PASSWORDPAD	0x00000400
-#define SSH_BUG_SCANNER		0x00000800
-#define SSH_BUG_BIGENDIANAES	0x00001000
-#define SSH_BUG_RSASIGMD5	0x00002000
-#define SSH_OLD_DHGEX		0x00004000
-#define SSH_BUG_NOREKEY		0x00008000
-#define SSH_BUG_HBSERVICE	0x00010000
-#define SSH_BUG_OPENFAILURE	0x00020000
-#define SSH_BUG_DERIVEKEY	0x00040000
-#define SSH_BUG_DUMMYCHAN	0x00100000
-#define SSH_BUG_EXTEOF		0x00200000
-#define SSH_BUG_PROBE		0x00400000
-#define SSH_BUG_FIRSTKEX	0x00800000
-#define SSH_OLD_FORWARD_ADDR	0x01000000
-
-void     enable_compat13(void);
-void     enable_compat20(void);
-void     compat_datafellows(const char *);
-int	 proto_spec(const char *);
-char	*compat_cipher_proposal(char *);
-
-extern int compat13;
-extern int compat20;
-extern int datafellows;
-#endif
diff --git a/crypto/openssh/compress.c b/crypto/openssh/compress.c
deleted file mode 100644
index c058d22..0000000
--- a/crypto/openssh/compress.c
+++ /dev/null
@@ -1,166 +0,0 @@
-/* $OpenBSD: compress.c,v 1.25 2006/08/06 01:13:32 stevesk Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Interface to packet compression for ssh.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <stdarg.h>
-#include <zlib.h>
-
-#include "log.h"
-#include "buffer.h"
-#include "compress.h"
-
-z_stream incoming_stream;
-z_stream outgoing_stream;
-static int compress_init_send_called = 0;
-static int compress_init_recv_called = 0;
-static int inflate_failed = 0;
-static int deflate_failed = 0;
-
-/*
- * Initializes compression; level is compression level from 1 to 9
- * (as in gzip).
- */
-
-void
-buffer_compress_init_send(int level)
-{
-	if (compress_init_send_called == 1)
-		deflateEnd(&outgoing_stream);
-	compress_init_send_called = 1;
-	debug("Enabling compression at level %d.", level);
-	if (level < 1 || level > 9)
-		fatal("Bad compression level %d.", level);
-	deflateInit(&outgoing_stream, level);
-}
-void
-buffer_compress_init_recv(void)
-{
-	if (compress_init_recv_called == 1)
-		inflateEnd(&incoming_stream);
-	compress_init_recv_called = 1;
-	inflateInit(&incoming_stream);
-}
-
-/* Frees any data structures allocated for compression. */
-
-void
-buffer_compress_uninit(void)
-{
-	debug("compress outgoing: raw data %llu, compressed %llu, factor %.2f",
-	    (unsigned long long)outgoing_stream.total_in,
-	    (unsigned long long)outgoing_stream.total_out,
-	    outgoing_stream.total_in == 0 ? 0.0 :
-	    (double) outgoing_stream.total_out / outgoing_stream.total_in);
-	debug("compress incoming: raw data %llu, compressed %llu, factor %.2f",
-	    (unsigned long long)incoming_stream.total_out,
-	    (unsigned long long)incoming_stream.total_in,
-	    incoming_stream.total_out == 0 ? 0.0 :
-	    (double) incoming_stream.total_in / incoming_stream.total_out);
-	if (compress_init_recv_called == 1 && inflate_failed == 0)
-		inflateEnd(&incoming_stream);
-	if (compress_init_send_called == 1 && deflate_failed == 0)
-		deflateEnd(&outgoing_stream);
-}
-
-/*
- * Compresses the contents of input_buffer into output_buffer.  All packets
- * compressed using this function will form a single compressed data stream;
- * however, data will be flushed at the end of every call so that each
- * output_buffer can be decompressed independently (but in the appropriate
- * order since they together form a single compression stream) by the
- * receiver.  This appends the compressed data to the output buffer.
- */
-
-void
-buffer_compress(Buffer * input_buffer, Buffer * output_buffer)
-{
-	u_char buf[4096];
-	int status;
-
-	/* This case is not handled below. */
-	if (buffer_len(input_buffer) == 0)
-		return;
-
-	/* Input is the contents of the input buffer. */
-	outgoing_stream.next_in = buffer_ptr(input_buffer);
-	outgoing_stream.avail_in = buffer_len(input_buffer);
-
-	/* Loop compressing until deflate() returns with avail_out != 0. */
-	do {
-		/* Set up fixed-size output buffer. */
-		outgoing_stream.next_out = buf;
-		outgoing_stream.avail_out = sizeof(buf);
-
-		/* Compress as much data into the buffer as possible. */
-		status = deflate(&outgoing_stream, Z_PARTIAL_FLUSH);
-		switch (status) {
-		case Z_OK:
-			/* Append compressed data to output_buffer. */
-			buffer_append(output_buffer, buf,
-			    sizeof(buf) - outgoing_stream.avail_out);
-			break;
-		default:
-			deflate_failed = 1;
-			fatal("buffer_compress: deflate returned %d", status);
-			/* NOTREACHED */
-		}
-	} while (outgoing_stream.avail_out == 0);
-}
-
-/*
- * Uncompresses the contents of input_buffer into output_buffer.  All packets
- * uncompressed using this function will form a single compressed data
- * stream; however, data will be flushed at the end of every call so that
- * each output_buffer.  This must be called for the same size units that the
- * buffer_compress was called, and in the same order that buffers compressed
- * with that.  This appends the uncompressed data to the output buffer.
- */
-
-void
-buffer_uncompress(Buffer * input_buffer, Buffer * output_buffer)
-{
-	u_char buf[4096];
-	int status;
-
-	incoming_stream.next_in = buffer_ptr(input_buffer);
-	incoming_stream.avail_in = buffer_len(input_buffer);
-
-	for (;;) {
-		/* Set up fixed-size output buffer. */
-		incoming_stream.next_out = buf;
-		incoming_stream.avail_out = sizeof(buf);
-
-		status = inflate(&incoming_stream, Z_PARTIAL_FLUSH);
-		switch (status) {
-		case Z_OK:
-			buffer_append(output_buffer, buf,
-			    sizeof(buf) - incoming_stream.avail_out);
-			break;
-		case Z_BUF_ERROR:
-			/*
-			 * Comments in zlib.h say that we should keep calling
-			 * inflate() until we get an error.  This appears to
-			 * be the error that we get.
-			 */
-			return;
-		default:
-			inflate_failed = 1;
-			fatal("buffer_uncompress: inflate returned %d", status);
-			/* NOTREACHED */
-		}
-	}
-}
diff --git a/crypto/openssh/compress.h b/crypto/openssh/compress.h
deleted file mode 100644
index 418d6fd..0000000
--- a/crypto/openssh/compress.h
+++ /dev/null
@@ -1,25 +0,0 @@
-/* $OpenBSD: compress.h,v 1.12 2006/03/25 22:22:43 djm Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Interface to packet compression for ssh.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#ifndef COMPRESS_H
-#define COMPRESS_H
-
-void	 buffer_compress_init_send(int);
-void	 buffer_compress_init_recv(void);
-void     buffer_compress_uninit(void);
-void     buffer_compress(Buffer *, Buffer *);
-void     buffer_uncompress(Buffer *, Buffer *);
-
-#endif				/* COMPRESS_H */
diff --git a/crypto/openssh/config.guess b/crypto/openssh/config.guess
deleted file mode 100755
index 6d71f75..0000000
--- a/crypto/openssh/config.guess
+++ /dev/null
@@ -1,1499 +0,0 @@
-#! /bin/sh
-# Attempt to guess a canonical system name.
-#   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
-
-timestamp='2005-05-27'
-
-# This file is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
-# 02110-1301, USA.
-#
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-
-# Originally written by Per Bothner <per@bothner.com>.
-# Please send patches to <config-patches@gnu.org>.  Submit a context
-# diff and a properly formatted ChangeLog entry.
-#
-# This script attempts to guess a canonical system name similar to
-# config.sub.  If it succeeds, it prints the system name on stdout, and
-# exits with 0.  Otherwise, it exits with 1.
-#
-# The plan is that this can be called by configure scripts if you
-# don't specify an explicit build system type.
-
-me=`echo "$0" | sed -e 's,.*/,,'`
-
-usage="\
-Usage: $0 [OPTION]
-
-Output the configuration name of the system \`$me' is run on.
-
-Operation modes:
-  -h, --help         print this help, then exit
-  -t, --time-stamp   print date of last modification, then exit
-  -v, --version      print version number, then exit
-
-Report bugs and patches to <config-patches@gnu.org>."
-
-version="\
-GNU config.guess ($timestamp)
-
-Originally written by Per Bothner.
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
-Free Software Foundation, Inc.
-
-This is free software; see the source for copying conditions.  There is NO
-warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
-
-help="
-Try \`$me --help' for more information."
-
-# Parse command line
-while test $# -gt 0 ; do
-  case $1 in
-    --time-stamp | --time* | -t )
-       echo "$timestamp" ; exit ;;
-    --version | -v )
-       echo "$version" ; exit ;;
-    --help | --h* | -h )
-       echo "$usage"; exit ;;
-    -- )     # Stop option processing
-       shift; break ;;
-    - )	# Use stdin as input.
-       break ;;
-    -* )
-       echo "$me: invalid option $1$help" >&2
-       exit 1 ;;
-    * )
-       break ;;
-  esac
-done
-
-if test $# != 0; then
-  echo "$me: too many arguments$help" >&2
-  exit 1
-fi
-
-trap 'exit 1' 1 2 15
-
-# CC_FOR_BUILD -- compiler used by this script. Note that the use of a
-# compiler to aid in system detection is discouraged as it requires
-# temporary files to be created and, as you can see below, it is a
-# headache to deal with in a portable fashion.
-
-# Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still
-# use `HOST_CC' if defined, but it is deprecated.
-
-# Portable tmp directory creation inspired by the Autoconf team.
-
-set_cc_for_build='
-trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ;
-trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ;
-: ${TMPDIR=/tmp} ;
- { tmp=`(umask 077 && mktemp -d -q "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } ||
- { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } ||
- { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } ||
- { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ;
-dummy=$tmp/dummy ;
-tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ;
-case $CC_FOR_BUILD,$HOST_CC,$CC in
- ,,)    echo "int x;" > $dummy.c ;
-	for c in cc gcc c89 c99 ; do
-	  if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then
-	     CC_FOR_BUILD="$c"; break ;
-	  fi ;
-	done ;
-	if test x"$CC_FOR_BUILD" = x ; then
-	  CC_FOR_BUILD=no_compiler_found ;
-	fi
-	;;
- ,,*)   CC_FOR_BUILD=$CC ;;
- ,*,*)  CC_FOR_BUILD=$HOST_CC ;;
-esac ;'
-
-# This is needed to find uname on a Pyramid OSx when run in the BSD universe.
-# (ghazi@noc.rutgers.edu 1994-08-24)
-if (test -f /.attbin/uname) >/dev/null 2>&1 ; then
-	PATH=$PATH:/.attbin ; export PATH
-fi
-
-UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown
-UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown
-UNAME_SYSTEM=`(uname -s) 2>/dev/null`  || UNAME_SYSTEM=unknown
-UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
-
-# Note: order is significant - the case branches are not exclusive.
-
-case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
-    *:NetBSD:*:*)
-	# NetBSD (nbsd) targets should (where applicable) match one or
-	# more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*,
-	# *-*-netbsdecoff* and *-*-netbsd*.  For targets that recently
-	# switched to ELF, *-*-netbsd* would select the old
-	# object file format.  This provides both forward
-	# compatibility and a consistent mechanism for selecting the
-	# object file format.
-	#
-	# Note: NetBSD doesn't particularly care about the vendor
-	# portion of the name.  We always set it to "unknown".
-	sysctl="sysctl -n hw.machine_arch"
-	UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \
-	    /usr/sbin/$sysctl 2>/dev/null || echo unknown)`
-	case "${UNAME_MACHINE_ARCH}" in
-	    armeb) machine=armeb-unknown ;;
-	    arm*) machine=arm-unknown ;;
-	    sh3el) machine=shl-unknown ;;
-	    sh3eb) machine=sh-unknown ;;
-	    *) machine=${UNAME_MACHINE_ARCH}-unknown ;;
-	esac
-	# The Operating System including object format, if it has switched
-	# to ELF recently, or will in the future.
-	case "${UNAME_MACHINE_ARCH}" in
-	    arm*|i386|m68k|ns32k|sh3*|sparc|vax)
-		eval $set_cc_for_build
-		if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
-			| grep __ELF__ >/dev/null
-		then
-		    # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout).
-		    # Return netbsd for either.  FIX?
-		    os=netbsd
-		else
-		    os=netbsdelf
-		fi
-		;;
-	    *)
-	        os=netbsd
-		;;
-	esac
-	# The OS release
-	# Debian GNU/NetBSD machines have a different userland, and
-	# thus, need a distinct triplet. However, they do not need
-	# kernel version information, so it can be replaced with a
-	# suitable tag, in the style of linux-gnu.
-	case "${UNAME_VERSION}" in
-	    Debian*)
-		release='-gnu'
-		;;
-	    *)
-		release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
-		;;
-	esac
-	# Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM:
-	# contains redundant information, the shorter form:
-	# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
-	echo "${machine}-${os}${release}"
-	exit ;;
-    amd64:OpenBSD:*:*)
-	echo x86_64-unknown-openbsd${UNAME_RELEASE}
-	exit ;;
-    amiga:OpenBSD:*:*)
-	echo m68k-unknown-openbsd${UNAME_RELEASE}
-	exit ;;
-    cats:OpenBSD:*:*)
-	echo arm-unknown-openbsd${UNAME_RELEASE}
-	exit ;;
-    hp300:OpenBSD:*:*)
-	echo m68k-unknown-openbsd${UNAME_RELEASE}
-	exit ;;
-    luna88k:OpenBSD:*:*)
-    	echo m88k-unknown-openbsd${UNAME_RELEASE}
-	exit ;;
-    mac68k:OpenBSD:*:*)
-	echo m68k-unknown-openbsd${UNAME_RELEASE}
-	exit ;;
-    macppc:OpenBSD:*:*)
-	echo powerpc-unknown-openbsd${UNAME_RELEASE}
-	exit ;;
-    mvme68k:OpenBSD:*:*)
-	echo m68k-unknown-openbsd${UNAME_RELEASE}
-	exit ;;
-    mvme88k:OpenBSD:*:*)
-	echo m88k-unknown-openbsd${UNAME_RELEASE}
-	exit ;;
-    mvmeppc:OpenBSD:*:*)
-	echo powerpc-unknown-openbsd${UNAME_RELEASE}
-	exit ;;
-    sgi:OpenBSD:*:*)
-	echo mips64-unknown-openbsd${UNAME_RELEASE}
-	exit ;;
-    sun3:OpenBSD:*:*)
-	echo m68k-unknown-openbsd${UNAME_RELEASE}
-	exit ;;
-    *:OpenBSD:*:*)
-	echo ${UNAME_MACHINE}-unknown-openbsd${UNAME_RELEASE}
-	exit ;;
-    *:ekkoBSD:*:*)
-	echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE}
-	exit ;;
-    macppc:MirBSD:*:*)
-	echo powerppc-unknown-mirbsd${UNAME_RELEASE}
-	exit ;;
-    *:MirBSD:*:*)
-	echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE}
-	exit ;;
-    alpha:OSF1:*:*)
-	case $UNAME_RELEASE in
-	*4.0)
-		UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
-		;;
-	*5.*)
-	        UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'`
-		;;
-	esac
-	# According to Compaq, /usr/sbin/psrinfo has been available on
-	# OSF/1 and Tru64 systems produced since 1995.  I hope that
-	# covers most systems running today.  This code pipes the CPU
-	# types through head -n 1, so we only detect the type of CPU 0.
-	ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^  The alpha \(.*\) processor.*$/\1/p' | head -n 1`
-	case "$ALPHA_CPU_TYPE" in
-	    "EV4 (21064)")
-		UNAME_MACHINE="alpha" ;;
-	    "EV4.5 (21064)")
-		UNAME_MACHINE="alpha" ;;
-	    "LCA4 (21066/21068)")
-		UNAME_MACHINE="alpha" ;;
-	    "EV5 (21164)")
-		UNAME_MACHINE="alphaev5" ;;
-	    "EV5.6 (21164A)")
-		UNAME_MACHINE="alphaev56" ;;
-	    "EV5.6 (21164PC)")
-		UNAME_MACHINE="alphapca56" ;;
-	    "EV5.7 (21164PC)")
-		UNAME_MACHINE="alphapca57" ;;
-	    "EV6 (21264)")
-		UNAME_MACHINE="alphaev6" ;;
-	    "EV6.7 (21264A)")
-		UNAME_MACHINE="alphaev67" ;;
-	    "EV6.8CB (21264C)")
-		UNAME_MACHINE="alphaev68" ;;
-	    "EV6.8AL (21264B)")
-		UNAME_MACHINE="alphaev68" ;;
-	    "EV6.8CX (21264D)")
-		UNAME_MACHINE="alphaev68" ;;
-	    "EV6.9A (21264/EV69A)")
-		UNAME_MACHINE="alphaev69" ;;
-	    "EV7 (21364)")
-		UNAME_MACHINE="alphaev7" ;;
-	    "EV7.9 (21364A)")
-		UNAME_MACHINE="alphaev79" ;;
-	esac
-	# A Pn.n version is a patched version.
-	# A Vn.n version is a released version.
-	# A Tn.n version is a released field test version.
-	# A Xn.n version is an unreleased experimental baselevel.
-	# 1.2 uses "1.2" for uname -r.
-	echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
-	exit ;;
-    Alpha\ *:Windows_NT*:*)
-	# How do we know it's Interix rather than the generic POSIX subsystem?
-	# Should we change UNAME_MACHINE based on the output of uname instead
-	# of the specific Alpha model?
-	echo alpha-pc-interix
-	exit ;;
-    21064:Windows_NT:50:3)
-	echo alpha-dec-winnt3.5
-	exit ;;
-    Amiga*:UNIX_System_V:4.0:*)
-	echo m68k-unknown-sysv4
-	exit ;;
-    *:[Aa]miga[Oo][Ss]:*:*)
-	echo ${UNAME_MACHINE}-unknown-amigaos
-	exit ;;
-    *:[Mm]orph[Oo][Ss]:*:*)
-	echo ${UNAME_MACHINE}-unknown-morphos
-	exit ;;
-    *:OS/390:*:*)
-	echo i370-ibm-openedition
-	exit ;;
-    *:z/VM:*:*)
-	echo s390-ibm-zvmoe
-	exit ;;
-    *:OS400:*:*)
-        echo powerpc-ibm-os400
-	exit ;;
-    arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
-	echo arm-acorn-riscix${UNAME_RELEASE}
-	exit ;;
-    arm:riscos:*:*|arm:RISCOS:*:*)
-	echo arm-unknown-riscos
-	exit ;;
-    SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*)
-	echo hppa1.1-hitachi-hiuxmpp
-	exit ;;
-    Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*)
-	# akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE.
-	if test "`(/bin/universe) 2>/dev/null`" = att ; then
-		echo pyramid-pyramid-sysv3
-	else
-		echo pyramid-pyramid-bsd
-	fi
-	exit ;;
-    NILE*:*:*:dcosx)
-	echo pyramid-pyramid-svr4
-	exit ;;
-    DRS?6000:unix:4.0:6*)
-	echo sparc-icl-nx6
-	exit ;;
-    DRS?6000:UNIX_SV:4.2*:7* | DRS?6000:isis:4.2*:7*)
-	case `/usr/bin/uname -p` in
-	    sparc) echo sparc-icl-nx7; exit ;;
-	esac ;;
-    sun4H:SunOS:5.*:*)
-	echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
-	exit ;;
-    sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
-	echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
-	exit ;;
-    i86pc:SunOS:5.*:*)
-	echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
-	exit ;;
-    sun4*:SunOS:6*:*)
-	# According to config.sub, this is the proper way to canonicalize
-	# SunOS6.  Hard to guess exactly what SunOS6 will be like, but
-	# it's likely to be more like Solaris than SunOS4.
-	echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
-	exit ;;
-    sun4*:SunOS:*:*)
-	case "`/usr/bin/arch -k`" in
-	    Series*|S4*)
-		UNAME_RELEASE=`uname -v`
-		;;
-	esac
-	# Japanese Language versions have a version number like `4.1.3-JL'.
-	echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'`
-	exit ;;
-    sun3*:SunOS:*:*)
-	echo m68k-sun-sunos${UNAME_RELEASE}
-	exit ;;
-    sun*:*:4.2BSD:*)
-	UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
-	test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3
-	case "`/bin/arch`" in
-	    sun3)
-		echo m68k-sun-sunos${UNAME_RELEASE}
-		;;
-	    sun4)
-		echo sparc-sun-sunos${UNAME_RELEASE}
-		;;
-	esac
-	exit ;;
-    aushp:SunOS:*:*)
-	echo sparc-auspex-sunos${UNAME_RELEASE}
-	exit ;;
-    # The situation for MiNT is a little confusing.  The machine name
-    # can be virtually everything (everything which is not
-    # "atarist" or "atariste" at least should have a processor
-    # > m68000).  The system name ranges from "MiNT" over "FreeMiNT"
-    # to the lowercase version "mint" (or "freemint").  Finally
-    # the system name "TOS" denotes a system which is actually not
-    # MiNT.  But MiNT is downward compatible to TOS, so this should
-    # be no problem.
-    atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
-        echo m68k-atari-mint${UNAME_RELEASE}
-	exit ;;
-    atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
-	echo m68k-atari-mint${UNAME_RELEASE}
-        exit ;;
-    *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
-        echo m68k-atari-mint${UNAME_RELEASE}
-	exit ;;
-    milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
-        echo m68k-milan-mint${UNAME_RELEASE}
-        exit ;;
-    hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
-        echo m68k-hades-mint${UNAME_RELEASE}
-        exit ;;
-    *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
-        echo m68k-unknown-mint${UNAME_RELEASE}
-        exit ;;
-    m68k:machten:*:*)
-	echo m68k-apple-machten${UNAME_RELEASE}
-	exit ;;
-    powerpc:machten:*:*)
-	echo powerpc-apple-machten${UNAME_RELEASE}
-	exit ;;
-    RISC*:Mach:*:*)
-	echo mips-dec-mach_bsd4.3
-	exit ;;
-    RISC*:ULTRIX:*:*)
-	echo mips-dec-ultrix${UNAME_RELEASE}
-	exit ;;
-    VAX*:ULTRIX*:*:*)
-	echo vax-dec-ultrix${UNAME_RELEASE}
-	exit ;;
-    2020:CLIX:*:* | 2430:CLIX:*:*)
-	echo clipper-intergraph-clix${UNAME_RELEASE}
-	exit ;;
-    mips:*:*:UMIPS | mips:*:*:RISCos)
-	eval $set_cc_for_build
-	sed 's/^	//' << EOF >$dummy.c
-#ifdef __cplusplus
-#include <stdio.h>  /* for printf() prototype */
-	int main (int argc, char *argv[]) {
-#else
-	int main (argc, argv) int argc; char *argv[]; {
-#endif
-	#if defined (host_mips) && defined (MIPSEB)
-	#if defined (SYSTYPE_SYSV)
-	  printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0);
-	#endif
-	#if defined (SYSTYPE_SVR4)
-	  printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0);
-	#endif
-	#if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD)
-	  printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0);
-	#endif
-	#endif
-	  exit (-1);
-	}
-EOF
-	$CC_FOR_BUILD -o $dummy $dummy.c &&
-	  dummyarg=`echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` &&
-	  SYSTEM_NAME=`$dummy $dummyarg` &&
-	    { echo "$SYSTEM_NAME"; exit; }
-	echo mips-mips-riscos${UNAME_RELEASE}
-	exit ;;
-    Motorola:PowerMAX_OS:*:*)
-	echo powerpc-motorola-powermax
-	exit ;;
-    Motorola:*:4.3:PL8-*)
-	echo powerpc-harris-powermax
-	exit ;;
-    Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*)
-	echo powerpc-harris-powermax
-	exit ;;
-    Night_Hawk:Power_UNIX:*:*)
-	echo powerpc-harris-powerunix
-	exit ;;
-    m88k:CX/UX:7*:*)
-	echo m88k-harris-cxux7
-	exit ;;
-    m88k:*:4*:R4*)
-	echo m88k-motorola-sysv4
-	exit ;;
-    m88k:*:3*:R3*)
-	echo m88k-motorola-sysv3
-	exit ;;
-    AViiON:dgux:*:*)
-        # DG/UX returns AViiON for all architectures
-        UNAME_PROCESSOR=`/usr/bin/uname -p`
-	if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ]
-	then
-	    if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \
-	       [ ${TARGET_BINARY_INTERFACE}x = x ]
-	    then
-		echo m88k-dg-dgux${UNAME_RELEASE}
-	    else
-		echo m88k-dg-dguxbcs${UNAME_RELEASE}
-	    fi
-	else
-	    echo i586-dg-dgux${UNAME_RELEASE}
-	fi
- 	exit ;;
-    M88*:DolphinOS:*:*)	# DolphinOS (SVR3)
-	echo m88k-dolphin-sysv3
-	exit ;;
-    M88*:*:R3*:*)
-	# Delta 88k system running SVR3
-	echo m88k-motorola-sysv3
-	exit ;;
-    XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3)
-	echo m88k-tektronix-sysv3
-	exit ;;
-    Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD)
-	echo m68k-tektronix-bsd
-	exit ;;
-    *:IRIX*:*:*)
-	echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'`
-	exit ;;
-    ????????:AIX?:[12].1:2)   # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX.
-	echo romp-ibm-aix     # uname -m gives an 8 hex-code CPU id
-	exit ;;               # Note that: echo "'`uname -s`'" gives 'AIX '
-    i*86:AIX:*:*)
-	echo i386-ibm-aix
-	exit ;;
-    ia64:AIX:*:*)
-	if [ -x /usr/bin/oslevel ] ; then
-		IBM_REV=`/usr/bin/oslevel`
-	else
-		IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
-	fi
-	echo ${UNAME_MACHINE}-ibm-aix${IBM_REV}
-	exit ;;
-    *:AIX:2:3)
-	if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then
-		eval $set_cc_for_build
-		sed 's/^		//' << EOF >$dummy.c
-		#include <sys/systemcfg.h>
-
-		main()
-			{
-			if (!__power_pc())
-				exit(1);
-			puts("powerpc-ibm-aix3.2.5");
-			exit(0);
-			}
-EOF
-		if $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy`
-		then
-			echo "$SYSTEM_NAME"
-		else
-			echo rs6000-ibm-aix3.2.5
-		fi
-	elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then
-		echo rs6000-ibm-aix3.2.4
-	else
-		echo rs6000-ibm-aix3.2
-	fi
-	exit ;;
-    *:AIX:*:[45])
-	IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
-	if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
-		IBM_ARCH=rs6000
-	else
-		IBM_ARCH=powerpc
-	fi
-	if [ -x /usr/bin/oslevel ] ; then
-		IBM_REV=`/usr/bin/oslevel`
-	else
-		IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
-	fi
-	echo ${IBM_ARCH}-ibm-aix${IBM_REV}
-	exit ;;
-    *:AIX:*:*)
-	echo rs6000-ibm-aix
-	exit ;;
-    ibmrt:4.4BSD:*|romp-ibm:BSD:*)
-	echo romp-ibm-bsd4.4
-	exit ;;
-    ibmrt:*BSD:*|romp-ibm:BSD:*)            # covers RT/PC BSD and
-	echo romp-ibm-bsd${UNAME_RELEASE}   # 4.3 with uname added to
-	exit ;;                             # report: romp-ibm BSD 4.3
-    *:BOSX:*:*)
-	echo rs6000-bull-bosx
-	exit ;;
-    DPX/2?00:B.O.S.:*:*)
-	echo m68k-bull-sysv3
-	exit ;;
-    9000/[34]??:4.3bsd:1.*:*)
-	echo m68k-hp-bsd
-	exit ;;
-    hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*)
-	echo m68k-hp-bsd4.4
-	exit ;;
-    9000/[34678]??:HP-UX:*:*)
-	HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
-	case "${UNAME_MACHINE}" in
-	    9000/31? )            HP_ARCH=m68000 ;;
-	    9000/[34]?? )         HP_ARCH=m68k ;;
-	    9000/[678][0-9][0-9])
-		if [ -x /usr/bin/getconf ]; then
-		    sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
-                    sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
-                    case "${sc_cpu_version}" in
-                      523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
-                      528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
-                      532)                      # CPU_PA_RISC2_0
-                        case "${sc_kernel_bits}" in
-                          32) HP_ARCH="hppa2.0n" ;;
-                          64) HP_ARCH="hppa2.0w" ;;
-			  '') HP_ARCH="hppa2.0" ;;   # HP-UX 10.20
-                        esac ;;
-                    esac
-		fi
-		if [ "${HP_ARCH}" = "" ]; then
-		    eval $set_cc_for_build
-		    sed 's/^              //' << EOF >$dummy.c
-
-              #define _HPUX_SOURCE
-              #include <stdlib.h>
-              #include <unistd.h>
-
-              int main ()
-              {
-              #if defined(_SC_KERNEL_BITS)
-                  long bits = sysconf(_SC_KERNEL_BITS);
-              #endif
-                  long cpu  = sysconf (_SC_CPU_VERSION);
-
-                  switch (cpu)
-              	{
-              	case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
-              	case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
-              	case CPU_PA_RISC2_0:
-              #if defined(_SC_KERNEL_BITS)
-              	    switch (bits)
-              		{
-              		case 64: puts ("hppa2.0w"); break;
-              		case 32: puts ("hppa2.0n"); break;
-              		default: puts ("hppa2.0"); break;
-              		} break;
-              #else  /* !defined(_SC_KERNEL_BITS) */
-              	    puts ("hppa2.0"); break;
-              #endif
-              	default: puts ("hppa1.0"); break;
-              	}
-                  exit (0);
-              }
-EOF
-		    (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
-		    test -z "$HP_ARCH" && HP_ARCH=hppa
-		fi ;;
-	esac
-	if [ ${HP_ARCH} = "hppa2.0w" ]
-	then
-	    # avoid double evaluation of $set_cc_for_build
-	    test -n "$CC_FOR_BUILD" || eval $set_cc_for_build
-
-	    # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating
-	    # 32-bit code.  hppa64-hp-hpux* has the same kernel and a compiler
-	    # generating 64-bit code.  GNU and HP use different nomenclature:
-	    #
-	    # $ CC_FOR_BUILD=cc ./config.guess
-	    # => hppa2.0w-hp-hpux11.23
-	    # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess
-	    # => hppa64-hp-hpux11.23
-
-	    if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) |
-		grep __LP64__ >/dev/null
-	    then
-		HP_ARCH="hppa2.0w"
-	    else
-		HP_ARCH="hppa64"
-	    fi
-	fi
-	echo ${HP_ARCH}-hp-hpux${HPUX_REV}
-	exit ;;
-    ia64:HP-UX:*:*)
-	HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
-	echo ia64-hp-hpux${HPUX_REV}
-	exit ;;
-    3050*:HI-UX:*:*)
-	eval $set_cc_for_build
-	sed 's/^	//' << EOF >$dummy.c
-	#include <unistd.h>
-	int
-	main ()
-	{
-	  long cpu = sysconf (_SC_CPU_VERSION);
-	  /* The order matters, because CPU_IS_HP_MC68K erroneously returns
-	     true for CPU_PA_RISC1_0.  CPU_IS_PA_RISC returns correct
-	     results, however.  */
-	  if (CPU_IS_PA_RISC (cpu))
-	    {
-	      switch (cpu)
-		{
-		  case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break;
-		  case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break;
-		  case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break;
-		  default: puts ("hppa-hitachi-hiuxwe2"); break;
-		}
-	    }
-	  else if (CPU_IS_HP_MC68K (cpu))
-	    puts ("m68k-hitachi-hiuxwe2");
-	  else puts ("unknown-hitachi-hiuxwe2");
-	  exit (0);
-	}
-EOF
-	$CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` &&
-		{ echo "$SYSTEM_NAME"; exit; }
-	echo unknown-hitachi-hiuxwe2
-	exit ;;
-    9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* )
-	echo hppa1.1-hp-bsd
-	exit ;;
-    9000/8??:4.3bsd:*:*)
-	echo hppa1.0-hp-bsd
-	exit ;;
-    *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*)
-	echo hppa1.0-hp-mpeix
-	exit ;;
-    hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* )
-	echo hppa1.1-hp-osf
-	exit ;;
-    hp8??:OSF1:*:*)
-	echo hppa1.0-hp-osf
-	exit ;;
-    i*86:OSF1:*:*)
-	if [ -x /usr/sbin/sysversion ] ; then
-	    echo ${UNAME_MACHINE}-unknown-osf1mk
-	else
-	    echo ${UNAME_MACHINE}-unknown-osf1
-	fi
-	exit ;;
-    parisc*:Lites*:*:*)
-	echo hppa1.1-hp-lites
-	exit ;;
-    C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
-	echo c1-convex-bsd
-        exit ;;
-    C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*)
-	if getsysinfo -f scalar_acc
-	then echo c32-convex-bsd
-	else echo c2-convex-bsd
-	fi
-        exit ;;
-    C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*)
-	echo c34-convex-bsd
-        exit ;;
-    C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*)
-	echo c38-convex-bsd
-        exit ;;
-    C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
-	echo c4-convex-bsd
-        exit ;;
-    CRAY*Y-MP:*:*:*)
-	echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
-	exit ;;
-    CRAY*[A-Z]90:*:*:*)
-	echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \
-	| sed -e 's/CRAY.*\([A-Z]90\)/\1/' \
-	      -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \
-	      -e 's/\.[^.]*$/.X/'
-	exit ;;
-    CRAY*TS:*:*:*)
-	echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
-	exit ;;
-    CRAY*T3E:*:*:*)
-	echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
-	exit ;;
-    CRAY*SV1:*:*:*)
-	echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
-	exit ;;
-    *:UNICOS/mp:*:*)
-	echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
-	exit ;;
-    F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
-	FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
-        FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
-        FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
-        echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
-        exit ;;
-    5000:UNIX_System_V:4.*:*)
-        FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
-        FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
-        echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
-	exit ;;
-    i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
-	echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
-	exit ;;
-    sparc*:BSD/OS:*:*)
-	echo sparc-unknown-bsdi${UNAME_RELEASE}
-	exit ;;
-    *:BSD/OS:*:*)
-	echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
-	exit ;;
-    *:FreeBSD:*:*)
-	echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
-	exit ;;
-    i*:CYGWIN*:*)
-	echo ${UNAME_MACHINE}-pc-cygwin
-	exit ;;
-    i*:MINGW*:*)
-	echo ${UNAME_MACHINE}-pc-mingw32
-	exit ;;
-    i*:windows32*:*)
-    	# uname -m includes "-pc" on this system.
-    	echo ${UNAME_MACHINE}-mingw32
-	exit ;;
-    i*:PW*:*)
-	echo ${UNAME_MACHINE}-pc-pw32
-	exit ;;
-    x86:Interix*:[34]*)
-	echo i586-pc-interix${UNAME_RELEASE}|sed -e 's/\..*//'
-	exit ;;
-    [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
-	echo i${UNAME_MACHINE}-pc-mks
-	exit ;;
-    i*:Windows_NT*:* | Pentium*:Windows_NT*:*)
-	# How do we know it's Interix rather than the generic POSIX subsystem?
-	# It also conflicts with pre-2.0 versions of AT&T UWIN. Should we
-	# UNAME_MACHINE based on the output of uname instead of i386?
-	echo i586-pc-interix
-	exit ;;
-    i*:UWIN*:*)
-	echo ${UNAME_MACHINE}-pc-uwin
-	exit ;;
-    amd64:CYGWIN*:*:*)
-	echo x86_64-unknown-cygwin
-	exit ;;
-    p*:CYGWIN*:*)
-	echo powerpcle-unknown-cygwin
-	exit ;;
-    prep*:SunOS:5.*:*)
-	echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
-	exit ;;
-    *:GNU:*:*)
-	# the GNU system
-	echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
-	exit ;;
-    *:GNU/*:*:*)
-	# other systems with GNU libc and userland
-	echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu
-	exit ;;
-    i*86:Minix:*:*)
-	echo ${UNAME_MACHINE}-pc-minix
-	exit ;;
-    arm*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit ;;
-    cris:Linux:*:*)
-	echo cris-axis-linux-gnu
-	exit ;;
-    crisv32:Linux:*:*)
-	echo crisv32-axis-linux-gnu
-	exit ;;
-    frv:Linux:*:*)
-    	echo frv-unknown-linux-gnu
-	exit ;;
-    ia64:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit ;;
-    m32r*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit ;;
-    m68*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit ;;
-    mips:Linux:*:*)
-	eval $set_cc_for_build
-	sed 's/^	//' << EOF >$dummy.c
-	#undef CPU
-	#undef mips
-	#undef mipsel
-	#if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
-	CPU=mipsel
-	#else
-	#if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
-	CPU=mips
-	#else
-	CPU=
-	#endif
-	#endif
-EOF
-	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=`
-	test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
-	;;
-    mips64:Linux:*:*)
-	eval $set_cc_for_build
-	sed 's/^	//' << EOF >$dummy.c
-	#undef CPU
-	#undef mips64
-	#undef mips64el
-	#if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
-	CPU=mips64el
-	#else
-	#if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
-	CPU=mips64
-	#else
-	CPU=
-	#endif
-	#endif
-EOF
-	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=`
-	test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
-	;;
-    ppc:Linux:*:*)
-	echo powerpc-unknown-linux-gnu
-	exit ;;
-    ppc64:Linux:*:*)
-	echo powerpc64-unknown-linux-gnu
-	exit ;;
-    alpha:Linux:*:*)
-	case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
-	  EV5)   UNAME_MACHINE=alphaev5 ;;
-	  EV56)  UNAME_MACHINE=alphaev56 ;;
-	  PCA56) UNAME_MACHINE=alphapca56 ;;
-	  PCA57) UNAME_MACHINE=alphapca56 ;;
-	  EV6)   UNAME_MACHINE=alphaev6 ;;
-	  EV67)  UNAME_MACHINE=alphaev67 ;;
-	  EV68*) UNAME_MACHINE=alphaev68 ;;
-        esac
-	objdump --private-headers /bin/sh | grep ld.so.1 >/dev/null
-	if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
-	echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
-	exit ;;
-    parisc:Linux:*:* | hppa:Linux:*:*)
-	# Look for CPU level
-	case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
-	  PA7*) echo hppa1.1-unknown-linux-gnu ;;
-	  PA8*) echo hppa2.0-unknown-linux-gnu ;;
-	  *)    echo hppa-unknown-linux-gnu ;;
-	esac
-	exit ;;
-    parisc64:Linux:*:* | hppa64:Linux:*:*)
-	echo hppa64-unknown-linux-gnu
-	exit ;;
-    s390:Linux:*:* | s390x:Linux:*:*)
-	echo ${UNAME_MACHINE}-ibm-linux
-	exit ;;
-    sh64*:Linux:*:*)
-    	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit ;;
-    sh*:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit ;;
-    sparc:Linux:*:* | sparc64:Linux:*:*)
-	echo ${UNAME_MACHINE}-unknown-linux-gnu
-	exit ;;
-    x86_64:Linux:*:*)
-	echo x86_64-unknown-linux-gnu
-	exit ;;
-    i*86:Linux:*:*)
-	# The BFD linker knows what the default object file format is, so
-	# first see if it will tell us. cd to the root directory to prevent
-	# problems with other programs or directories called `ld' in the path.
-	# Set LC_ALL=C to ensure ld outputs messages in English.
-	ld_supported_targets=`cd /; LC_ALL=C ld --help 2>&1 \
-			 | sed -ne '/supported targets:/!d
-				    s/[ 	][ 	]*/ /g
-				    s/.*supported targets: *//
-				    s/ .*//
-				    p'`
-        case "$ld_supported_targets" in
-	  elf32-i386)
-		TENTATIVE="${UNAME_MACHINE}-pc-linux-gnu"
-		;;
-	  a.out-i386-linux)
-		echo "${UNAME_MACHINE}-pc-linux-gnuaout"
-		exit ;;
-	  coff-i386)
-		echo "${UNAME_MACHINE}-pc-linux-gnucoff"
-		exit ;;
-	  "")
-		# Either a pre-BFD a.out linker (linux-gnuoldld) or
-		# one that does not give us useful --help.
-		echo "${UNAME_MACHINE}-pc-linux-gnuoldld"
-		exit ;;
-	esac
-	# Determine whether the default compiler is a.out or elf
-	eval $set_cc_for_build
-	sed 's/^	//' << EOF >$dummy.c
-	#include <features.h>
-	#ifdef __ELF__
-	# ifdef __GLIBC__
-	#  if __GLIBC__ >= 2
-	LIBC=gnu
-	#  else
-	LIBC=gnulibc1
-	#  endif
-	# else
-	LIBC=gnulibc1
-	# endif
-	#else
-	#ifdef __INTEL_COMPILER
-	LIBC=gnu
-	#else
-	LIBC=gnuaout
-	#endif
-	#endif
-	#ifdef __dietlibc__
-	LIBC=dietlibc
-	#endif
-EOF
-	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=`
-	test x"${LIBC}" != x && {
-		echo "${UNAME_MACHINE}-pc-linux-${LIBC}"
-		exit
-	}
-	test x"${TENTATIVE}" != x && { echo "${TENTATIVE}"; exit; }
-	;;
-    i*86:DYNIX/ptx:4*:*)
-	# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
-	# earlier versions are messed up and put the nodename in both
-	# sysname and nodename.
-	echo i386-sequent-sysv4
-	exit ;;
-    i*86:UNIX_SV:4.2MP:2.*)
-        # Unixware is an offshoot of SVR4, but it has its own version
-        # number series starting with 2...
-        # I am not positive that other SVR4 systems won't match this,
-	# I just have to hope.  -- rms.
-        # Use sysv4.2uw... so that sysv4* matches it.
-	echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
-	exit ;;
-    i*86:OS/2:*:*)
-	# If we were able to find `uname', then EMX Unix compatibility
-	# is probably installed.
-	echo ${UNAME_MACHINE}-pc-os2-emx
-	exit ;;
-    i*86:XTS-300:*:STOP)
-	echo ${UNAME_MACHINE}-unknown-stop
-	exit ;;
-    i*86:atheos:*:*)
-	echo ${UNAME_MACHINE}-unknown-atheos
-	exit ;;
-    i*86:syllable:*:*)
-	echo ${UNAME_MACHINE}-pc-syllable
-	exit ;;
-    i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*)
-	echo i386-unknown-lynxos${UNAME_RELEASE}
-	exit ;;
-    i*86:*DOS:*:*)
-	echo ${UNAME_MACHINE}-pc-msdosdjgpp
-	exit ;;
-    i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*)
-	UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'`
-	if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then
-		echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL}
-	else
-		echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL}
-	fi
-	exit ;;
-    i*86:*:5:[678]*)
-    	# UnixWare 7.x, OpenUNIX and OpenServer 6.
-	case `/bin/uname -X | grep "^Machine"` in
-	    *486*)	     UNAME_MACHINE=i486 ;;
-	    *Pentium)	     UNAME_MACHINE=i586 ;;
-	    *Pent*|*Celeron) UNAME_MACHINE=i686 ;;
-	esac
-	echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION}
-	exit ;;
-    i*86:*:3.2:*)
-	if test -f /usr/options/cb.name; then
-		UNAME_REL=`sed -n 's/.*Version //p' </usr/options/cb.name`
-		echo ${UNAME_MACHINE}-pc-isc$UNAME_REL
-	elif /bin/uname -X 2>/dev/null >/dev/null ; then
-		UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')`
-		(/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486
-		(/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \
-			&& UNAME_MACHINE=i586
-		(/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \
-			&& UNAME_MACHINE=i686
-		(/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \
-			&& UNAME_MACHINE=i686
-		echo ${UNAME_MACHINE}-pc-sco$UNAME_REL
-	else
-		echo ${UNAME_MACHINE}-pc-sysv32
-	fi
-	exit ;;
-    pc:*:*:*)
-	# Left here for compatibility:
-        # uname -m prints for DJGPP always 'pc', but it prints nothing about
-        # the processor, so we play safe by assuming i386.
-	echo i386-pc-msdosdjgpp
-        exit ;;
-    Intel:Mach:3*:*)
-	echo i386-pc-mach3
-	exit ;;
-    paragon:*:*:*)
-	echo i860-intel-osf1
-	exit ;;
-    i860:*:4.*:*) # i860-SVR4
-	if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then
-	  echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4
-	else # Add other i860-SVR4 vendors below as they are discovered.
-	  echo i860-unknown-sysv${UNAME_RELEASE}  # Unknown i860-SVR4
-	fi
-	exit ;;
-    mini*:CTIX:SYS*5:*)
-	# "miniframe"
-	echo m68010-convergent-sysv
-	exit ;;
-    mc68k:UNIX:SYSTEM5:3.51m)
-	echo m68k-convergent-sysv
-	exit ;;
-    M680?0:D-NIX:5.3:*)
-	echo m68k-diab-dnix
-	exit ;;
-    M68*:*:R3V[5678]*:*)
-	test -r /sysV68 && { echo 'm68k-motorola-sysv'; exit; } ;;
-    3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0)
-	OS_REL=''
-	test -r /etc/.relid \
-	&& OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
-	/bin/uname -p 2>/dev/null | grep 86 >/dev/null \
-	  && { echo i486-ncr-sysv4.3${OS_REL}; exit; }
-	/bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
-	  && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;;
-    3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
-        /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
-          && { echo i486-ncr-sysv4; exit; } ;;
-    m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*)
-	echo m68k-unknown-lynxos${UNAME_RELEASE}
-	exit ;;
-    mc68030:UNIX_System_V:4.*:*)
-	echo m68k-atari-sysv4
-	exit ;;
-    TSUNAMI:LynxOS:2.*:*)
-	echo sparc-unknown-lynxos${UNAME_RELEASE}
-	exit ;;
-    rs6000:LynxOS:2.*:*)
-	echo rs6000-unknown-lynxos${UNAME_RELEASE}
-	exit ;;
-    PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.0*:*)
-	echo powerpc-unknown-lynxos${UNAME_RELEASE}
-	exit ;;
-    SM[BE]S:UNIX_SV:*:*)
-	echo mips-dde-sysv${UNAME_RELEASE}
-	exit ;;
-    RM*:ReliantUNIX-*:*:*)
-	echo mips-sni-sysv4
-	exit ;;
-    RM*:SINIX-*:*:*)
-	echo mips-sni-sysv4
-	exit ;;
-    *:SINIX-*:*:*)
-	if uname -p 2>/dev/null >/dev/null ; then
-		UNAME_MACHINE=`(uname -p) 2>/dev/null`
-		echo ${UNAME_MACHINE}-sni-sysv4
-	else
-		echo ns32k-sni-sysv
-	fi
-	exit ;;
-    PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
-                      # says <Richard.M.Bartel@ccMail.Census.GOV>
-        echo i586-unisys-sysv4
-        exit ;;
-    *:UNIX_System_V:4*:FTX*)
-	# From Gerald Hewes <hewes@openmarket.com>.
-	# How about differentiating between stratus architectures? -djm
-	echo hppa1.1-stratus-sysv4
-	exit ;;
-    *:*:*:FTX*)
-	# From seanf@swdc.stratus.com.
-	echo i860-stratus-sysv4
-	exit ;;
-    i*86:VOS:*:*)
-	# From Paul.Green@stratus.com.
-	echo ${UNAME_MACHINE}-stratus-vos
-	exit ;;
-    *:VOS:*:*)
-	# From Paul.Green@stratus.com.
-	echo hppa1.1-stratus-vos
-	exit ;;
-    mc68*:A/UX:*:*)
-	echo m68k-apple-aux${UNAME_RELEASE}
-	exit ;;
-    news*:NEWS-OS:6*:*)
-	echo mips-sony-newsos6
-	exit ;;
-    R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
-	if [ -d /usr/nec ]; then
-	        echo mips-nec-sysv${UNAME_RELEASE}
-	else
-	        echo mips-unknown-sysv${UNAME_RELEASE}
-	fi
-        exit ;;
-    BeBox:BeOS:*:*)	# BeOS running on hardware made by Be, PPC only.
-	echo powerpc-be-beos
-	exit ;;
-    BeMac:BeOS:*:*)	# BeOS running on Mac or Mac clone, PPC only.
-	echo powerpc-apple-beos
-	exit ;;
-    BePC:BeOS:*:*)	# BeOS running on Intel PC compatible.
-	echo i586-pc-beos
-	exit ;;
-    SX-4:SUPER-UX:*:*)
-	echo sx4-nec-superux${UNAME_RELEASE}
-	exit ;;
-    SX-5:SUPER-UX:*:*)
-	echo sx5-nec-superux${UNAME_RELEASE}
-	exit ;;
-    SX-6:SUPER-UX:*:*)
-	echo sx6-nec-superux${UNAME_RELEASE}
-	exit ;;
-    Power*:Rhapsody:*:*)
-	echo powerpc-apple-rhapsody${UNAME_RELEASE}
-	exit ;;
-    *:Rhapsody:*:*)
-	echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE}
-	exit ;;
-    *:Darwin:*:*)
-	UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
-	case $UNAME_PROCESSOR in
-	    *86) UNAME_PROCESSOR=i686 ;;
-	    unknown) UNAME_PROCESSOR=powerpc ;;
-	esac
-	echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
-	exit ;;
-    *:procnto*:*:* | *:QNX:[0123456789]*:*)
-	UNAME_PROCESSOR=`uname -p`
-	if test "$UNAME_PROCESSOR" = "x86"; then
-		UNAME_PROCESSOR=i386
-		UNAME_MACHINE=pc
-	fi
-	echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE}
-	exit ;;
-    *:QNX:*:4*)
-	echo i386-pc-qnx
-	exit ;;
-    NSE-?:NONSTOP_KERNEL:*:*)
-	echo nse-tandem-nsk${UNAME_RELEASE}
-	exit ;;
-    NSR-?:NONSTOP_KERNEL:*:*)
-	echo nsr-tandem-nsk${UNAME_RELEASE}
-	exit ;;
-    *:NonStop-UX:*:*)
-	echo mips-compaq-nonstopux
-	exit ;;
-    BS2000:POSIX*:*:*)
-	echo bs2000-siemens-sysv
-	exit ;;
-    DS/*:UNIX_System_V:*:*)
-	echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE}
-	exit ;;
-    *:Plan9:*:*)
-	# "uname -m" is not consistent, so use $cputype instead. 386
-	# is converted to i386 for consistency with other x86
-	# operating systems.
-	if test "$cputype" = "386"; then
-	    UNAME_MACHINE=i386
-	else
-	    UNAME_MACHINE="$cputype"
-	fi
-	echo ${UNAME_MACHINE}-unknown-plan9
-	exit ;;
-    *:TOPS-10:*:*)
-	echo pdp10-unknown-tops10
-	exit ;;
-    *:TENEX:*:*)
-	echo pdp10-unknown-tenex
-	exit ;;
-    KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*)
-	echo pdp10-dec-tops20
-	exit ;;
-    XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*)
-	echo pdp10-xkl-tops20
-	exit ;;
-    *:TOPS-20:*:*)
-	echo pdp10-unknown-tops20
-	exit ;;
-    *:ITS:*:*)
-	echo pdp10-unknown-its
-	exit ;;
-    SEI:*:*:SEIUX)
-        echo mips-sei-seiux${UNAME_RELEASE}
-	exit ;;
-    *:DragonFly:*:*)
-	echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
-	exit ;;
-    *:*VMS:*:*)
-    	UNAME_MACHINE=`(uname -p) 2>/dev/null`
-	case "${UNAME_MACHINE}" in
-	    A*) echo alpha-dec-vms ; exit ;;
-	    I*) echo ia64-dec-vms ; exit ;;
-	    V*) echo vax-dec-vms ; exit ;;
-	esac ;;
-    *:XENIX:*:SysV)
-	echo i386-pc-xenix
-	exit ;;
-    i*86:skyos:*:*)
-	echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//'
-	exit ;;
-esac
-
-#echo '(No uname command or uname output not recognized.)' 1>&2
-#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2
-
-eval $set_cc_for_build
-cat >$dummy.c <<EOF
-#ifdef _SEQUENT_
-# include <sys/types.h>
-# include <sys/utsname.h>
-#endif
-main ()
-{
-#if defined (sony)
-#if defined (MIPSEB)
-  /* BFD wants "bsd" instead of "newsos".  Perhaps BFD should be changed,
-     I don't know....  */
-  printf ("mips-sony-bsd\n"); exit (0);
-#else
-#include <sys/param.h>
-  printf ("m68k-sony-newsos%s\n",
-#ifdef NEWSOS4
-          "4"
-#else
-	  ""
-#endif
-         ); exit (0);
-#endif
-#endif
-
-#if defined (__arm) && defined (__acorn) && defined (__unix)
-  printf ("arm-acorn-riscix\n"); exit (0);
-#endif
-
-#if defined (hp300) && !defined (hpux)
-  printf ("m68k-hp-bsd\n"); exit (0);
-#endif
-
-#if defined (NeXT)
-#if !defined (__ARCHITECTURE__)
-#define __ARCHITECTURE__ "m68k"
-#endif
-  int version;
-  version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`;
-  if (version < 4)
-    printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version);
-  else
-    printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version);
-  exit (0);
-#endif
-
-#if defined (MULTIMAX) || defined (n16)
-#if defined (UMAXV)
-  printf ("ns32k-encore-sysv\n"); exit (0);
-#else
-#if defined (CMU)
-  printf ("ns32k-encore-mach\n"); exit (0);
-#else
-  printf ("ns32k-encore-bsd\n"); exit (0);
-#endif
-#endif
-#endif
-
-#if defined (__386BSD__)
-  printf ("i386-pc-bsd\n"); exit (0);
-#endif
-
-#if defined (sequent)
-#if defined (i386)
-  printf ("i386-sequent-dynix\n"); exit (0);
-#endif
-#if defined (ns32000)
-  printf ("ns32k-sequent-dynix\n"); exit (0);
-#endif
-#endif
-
-#if defined (_SEQUENT_)
-    struct utsname un;
-
-    uname(&un);
-
-    if (strncmp(un.version, "V2", 2) == 0) {
-	printf ("i386-sequent-ptx2\n"); exit (0);
-    }
-    if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */
-	printf ("i386-sequent-ptx1\n"); exit (0);
-    }
-    printf ("i386-sequent-ptx\n"); exit (0);
-
-#endif
-
-#if defined (vax)
-# if !defined (ultrix)
-#  include <sys/param.h>
-#  if defined (BSD)
-#   if BSD == 43
-      printf ("vax-dec-bsd4.3\n"); exit (0);
-#   else
-#    if BSD == 199006
-      printf ("vax-dec-bsd4.3reno\n"); exit (0);
-#    else
-      printf ("vax-dec-bsd\n"); exit (0);
-#    endif
-#   endif
-#  else
-    printf ("vax-dec-bsd\n"); exit (0);
-#  endif
-# else
-    printf ("vax-dec-ultrix\n"); exit (0);
-# endif
-#endif
-
-#if defined (alliant) && defined (i860)
-  printf ("i860-alliant-bsd\n"); exit (0);
-#endif
-
-  exit (1);
-}
-EOF
-
-$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` &&
-	{ echo "$SYSTEM_NAME"; exit; }
-
-# Apollos put the system type in the environment.
-
-test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; }
-
-# Convex versions that predate uname can use getsysinfo(1)
-
-if [ -x /usr/convex/getsysinfo ]
-then
-    case `getsysinfo -f cpu_type` in
-    c1*)
-	echo c1-convex-bsd
-	exit ;;
-    c2*)
-	if getsysinfo -f scalar_acc
-	then echo c32-convex-bsd
-	else echo c2-convex-bsd
-	fi
-	exit ;;
-    c34*)
-	echo c34-convex-bsd
-	exit ;;
-    c38*)
-	echo c38-convex-bsd
-	exit ;;
-    c4*)
-	echo c4-convex-bsd
-	exit ;;
-    esac
-fi
-
-cat >&2 <<EOF
-$0: unable to guess system type
-
-This script, last modified $timestamp, has failed to recognize
-the operating system you are using. It is advised that you
-download the most up to date version of the config scripts from
-
-  http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.guess
-and
-  http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.sub
-
-If the version you run ($0) is already up to date, please
-send the following data and any information you think might be
-pertinent to <config-patches@gnu.org> in order to provide the needed
-information to handle your system.
-
-config.guess timestamp = $timestamp
-
-uname -m = `(uname -m) 2>/dev/null || echo unknown`
-uname -r = `(uname -r) 2>/dev/null || echo unknown`
-uname -s = `(uname -s) 2>/dev/null || echo unknown`
-uname -v = `(uname -v) 2>/dev/null || echo unknown`
-
-/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null`
-/bin/uname -X     = `(/bin/uname -X) 2>/dev/null`
-
-hostinfo               = `(hostinfo) 2>/dev/null`
-/bin/universe          = `(/bin/universe) 2>/dev/null`
-/usr/bin/arch -k       = `(/usr/bin/arch -k) 2>/dev/null`
-/bin/arch              = `(/bin/arch) 2>/dev/null`
-/usr/bin/oslevel       = `(/usr/bin/oslevel) 2>/dev/null`
-/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null`
-
-UNAME_MACHINE = ${UNAME_MACHINE}
-UNAME_RELEASE = ${UNAME_RELEASE}
-UNAME_SYSTEM  = ${UNAME_SYSTEM}
-UNAME_VERSION = ${UNAME_VERSION}
-EOF
-
-exit 1
-
-# Local variables:
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "timestamp='"
-# time-stamp-format: "%:y-%02m-%02d"
-# time-stamp-end: "'"
-# End:
diff --git a/crypto/openssh/config.sub b/crypto/openssh/config.sub
deleted file mode 100755
index 519f2cd..0000000
--- a/crypto/openssh/config.sub
+++ /dev/null
@@ -1,1570 +0,0 @@
-#! /bin/sh
-# Configuration validation subroutine script.
-#   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
-
-timestamp='2005-05-12'
-
-# This file is (in principle) common to ALL GNU software.
-# The presence of a machine in this file suggests that SOME GNU software
-# can handle that machine.  It does not imply ALL GNU software can.
-#
-# This file is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
-# 02110-1301, USA.
-#
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-
-# Please send patches to <config-patches@gnu.org>.  Submit a context
-# diff and a properly formatted ChangeLog entry.
-#
-# Configuration subroutine to validate and canonicalize a configuration type.
-# Supply the specified configuration type as an argument.
-# If it is invalid, we print an error message on stderr and exit with code 1.
-# Otherwise, we print the canonical config type on stdout and succeed.
-
-# This file is supposed to be the same for all GNU packages
-# and recognize all the CPU types, system types and aliases
-# that are meaningful with *any* GNU software.
-# Each package is responsible for reporting which valid configurations
-# it does not support.  The user should be able to distinguish
-# a failure to support a valid configuration from a meaningless
-# configuration.
-
-# The goal of this file is to map all the various variations of a given
-# machine specification into a single specification in the form:
-#	CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM
-# or in some cases, the newer four-part form:
-#	CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM
-# It is wrong to echo any other type of specification.
-
-me=`echo "$0" | sed -e 's,.*/,,'`
-
-usage="\
-Usage: $0 [OPTION] CPU-MFR-OPSYS
-       $0 [OPTION] ALIAS
-
-Canonicalize a configuration name.
-
-Operation modes:
-  -h, --help         print this help, then exit
-  -t, --time-stamp   print date of last modification, then exit
-  -v, --version      print version number, then exit
-
-Report bugs and patches to <config-patches@gnu.org>."
-
-version="\
-GNU config.sub ($timestamp)
-
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
-Free Software Foundation, Inc.
-
-This is free software; see the source for copying conditions.  There is NO
-warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
-
-help="
-Try \`$me --help' for more information."
-
-# Parse command line
-while test $# -gt 0 ; do
-  case $1 in
-    --time-stamp | --time* | -t )
-       echo "$timestamp" ; exit ;;
-    --version | -v )
-       echo "$version" ; exit ;;
-    --help | --h* | -h )
-       echo "$usage"; exit ;;
-    -- )     # Stop option processing
-       shift; break ;;
-    - )	# Use stdin as input.
-       break ;;
-    -* )
-       echo "$me: invalid option $1$help"
-       exit 1 ;;
-
-    *local*)
-       # First pass through any local machine types.
-       echo $1
-       exit ;;
-
-    * )
-       break ;;
-  esac
-done
-
-case $# in
- 0) echo "$me: missing argument$help" >&2
-    exit 1;;
- 1) ;;
- *) echo "$me: too many arguments$help" >&2
-    exit 1;;
-esac
-
-# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any).
-# Here we must recognize all the valid KERNEL-OS combinations.
-maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
-case $maybe_os in
-  nto-qnx* | linux-gnu* | linux-dietlibc | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | \
-  kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | storm-chaos* | os2-emx* | rtmk-nova*)
-    os=-$maybe_os
-    basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
-    ;;
-  *)
-    basic_machine=`echo $1 | sed 's/-[^-]*$//'`
-    if [ $basic_machine != $1 ]
-    then os=`echo $1 | sed 's/.*-/-/'`
-    else os=; fi
-    ;;
-esac
-
-### Let's recognize common machines as not being operating systems so
-### that things like config.sub decstation-3100 work.  We also
-### recognize some manufacturers as not being operating systems, so we
-### can provide default operating systems below.
-case $os in
-	-sun*os*)
-		# Prevent following clause from handling this invalid input.
-		;;
-	-dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \
-	-att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \
-	-unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \
-	-convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
-	-c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
-	-harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
-	-apple | -axis | -knuth | -cray)
-		os=
-		basic_machine=$1
-		;;
-	-sim | -cisco | -oki | -wec | -winbond)
-		os=
-		basic_machine=$1
-		;;
-	-scout)
-		;;
-	-wrs)
-		os=-vxworks
-		basic_machine=$1
-		;;
-	-chorusos*)
-		os=-chorusos
-		basic_machine=$1
-		;;
- 	-chorusrdb)
- 		os=-chorusrdb
-		basic_machine=$1
- 		;;
-	-hiux*)
-		os=-hiuxwe2
-		;;
-	-sco5)
-		os=-sco3.2v5
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-sco4)
-		os=-sco3.2v4
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-sco3.2.[4-9]*)
-		os=`echo $os | sed -e 's/sco3.2./sco3.2v/'`
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-sco3.2v[4-9]*)
-		# Don't forget version if it is 3.2v4 or newer.
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-sco*)
-		os=-sco3.2v2
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-udk*)
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-isc)
-		os=-isc2.2
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-clix*)
-		basic_machine=clipper-intergraph
-		;;
-	-isc*)
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
-		;;
-	-lynx*)
-		os=-lynxos
-		;;
-	-ptx*)
-		basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'`
-		;;
-	-windowsnt*)
-		os=`echo $os | sed -e 's/windowsnt/winnt/'`
-		;;
-	-psos*)
-		os=-psos
-		;;
-	-mint | -mint[0-9]*)
-		basic_machine=m68k-atari
-		os=-mint
-		;;
-esac
-
-# Decode aliases for certain CPU-COMPANY combinations.
-case $basic_machine in
-	# Recognize the basic CPU types without company name.
-	# Some are omitted here because they have special meanings below.
-	1750a | 580 \
-	| a29k \
-	| alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
-	| alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
-	| am33_2.0 \
-	| arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr \
-	| bfin \
-	| c4x | clipper \
-	| d10v | d30v | dlx | dsp16xx \
-	| fr30 | frv \
-	| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
-	| i370 | i860 | i960 | ia64 \
-	| ip2k | iq2000 \
-	| m32r | m32rle | m68000 | m68k | m88k | maxq | mcore \
-	| mips | mipsbe | mipseb | mipsel | mipsle \
-	| mips16 \
-	| mips64 | mips64el \
-	| mips64vr | mips64vrel \
-	| mips64orion | mips64orionel \
-	| mips64vr4100 | mips64vr4100el \
-	| mips64vr4300 | mips64vr4300el \
-	| mips64vr5000 | mips64vr5000el \
-	| mipsisa32 | mipsisa32el \
-	| mipsisa32r2 | mipsisa32r2el \
-	| mipsisa64 | mipsisa64el \
-	| mipsisa64r2 | mipsisa64r2el \
-	| mipsisa64sb1 | mipsisa64sb1el \
-	| mipsisa64sr71k | mipsisa64sr71kel \
-	| mipstx39 | mipstx39el \
-	| mn10200 | mn10300 \
-	| msp430 \
-	| ns16k | ns32k \
-	| openrisc | or32 \
-	| pdp10 | pdp11 | pj | pjl \
-	| powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
-	| pyramid \
-	| sh | sh[1234] | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \
-	| sh64 | sh64le \
-	| sparc | sparc64 | sparc64b | sparc86x | sparclet | sparclite \
-	| sparcv8 | sparcv9 | sparcv9b \
-	| strongarm \
-	| tahoe | thumb | tic4x | tic80 | tron \
-	| v850 | v850e \
-	| we32k \
-	| x86 | xscale | xscalee[bl] | xstormy16 | xtensa \
-	| z8k)
-		basic_machine=$basic_machine-unknown
-		;;
-	m6811 | m68hc11 | m6812 | m68hc12)
-		# Motorola 68HC11/12.
-		basic_machine=$basic_machine-unknown
-		os=-none
-		;;
-	m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k)
-		;;
-
-	# We use `pc' rather than `unknown'
-	# because (1) that's what they normally are, and
-	# (2) the word "unknown" tends to confuse beginning users.
-	i*86 | x86_64)
-	  basic_machine=$basic_machine-pc
-	  ;;
-	# Object if more than one company name word.
-	*-*-*)
-		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
-		exit 1
-		;;
-	# Recognize the basic CPU types with company name.
-	580-* \
-	| a29k-* \
-	| alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
-	| alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
-	| alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
-	| arm-*  | armbe-* | armle-* | armeb-* | armv*-* \
-	| avr-* \
-	| bfin-* | bs2000-* \
-	| c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \
-	| clipper-* | craynv-* | cydra-* \
-	| d10v-* | d30v-* | dlx-* \
-	| elxsi-* \
-	| f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \
-	| h8300-* | h8500-* \
-	| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
-	| i*86-* | i860-* | i960-* | ia64-* \
-	| ip2k-* | iq2000-* \
-	| m32r-* | m32rle-* \
-	| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
-	| m88110-* | m88k-* | maxq-* | mcore-* \
-	| mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
-	| mips16-* \
-	| mips64-* | mips64el-* \
-	| mips64vr-* | mips64vrel-* \
-	| mips64orion-* | mips64orionel-* \
-	| mips64vr4100-* | mips64vr4100el-* \
-	| mips64vr4300-* | mips64vr4300el-* \
-	| mips64vr5000-* | mips64vr5000el-* \
-	| mipsisa32-* | mipsisa32el-* \
-	| mipsisa32r2-* | mipsisa32r2el-* \
-	| mipsisa64-* | mipsisa64el-* \
-	| mipsisa64r2-* | mipsisa64r2el-* \
-	| mipsisa64sb1-* | mipsisa64sb1el-* \
-	| mipsisa64sr71k-* | mipsisa64sr71kel-* \
-	| mipstx39-* | mipstx39el-* \
-	| mmix-* \
-	| msp430-* \
-	| none-* | np1-* | ns16k-* | ns32k-* \
-	| orion-* \
-	| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
-	| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
-	| pyramid-* \
-	| romp-* | rs6000-* \
-	| sh-* | sh[1234]-* | sh[23]e-* | sh[34]eb-* | shbe-* \
-	| shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
-	| sparc-* | sparc64-* | sparc64b-* | sparc86x-* | sparclet-* \
-	| sparclite-* \
-	| sparcv8-* | sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \
-	| tahoe-* | thumb-* \
-	| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
-	| tron-* \
-	| v850-* | v850e-* | vax-* \
-	| we32k-* \
-	| x86-* | x86_64-* | xps100-* | xscale-* | xscalee[bl]-* \
-	| xstormy16-* | xtensa-* \
-	| ymp-* \
-	| z8k-*)
-		;;
-	# Recognize the various machine names and aliases which stand
-	# for a CPU type and a company and sometimes even an OS.
-	386bsd)
-		basic_machine=i386-unknown
-		os=-bsd
-		;;
-	3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc)
-		basic_machine=m68000-att
-		;;
-	3b*)
-		basic_machine=we32k-att
-		;;
-	a29khif)
-		basic_machine=a29k-amd
-		os=-udi
-		;;
-    	abacus)
-		basic_machine=abacus-unknown
-		;;
-	adobe68k)
-		basic_machine=m68010-adobe
-		os=-scout
-		;;
-	alliant | fx80)
-		basic_machine=fx80-alliant
-		;;
-	altos | altos3068)
-		basic_machine=m68k-altos
-		;;
-	am29k)
-		basic_machine=a29k-none
-		os=-bsd
-		;;
-	amd64)
-		basic_machine=x86_64-pc
-		;;
-	amd64-*)
-		basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	amdahl)
-		basic_machine=580-amdahl
-		os=-sysv
-		;;
-	amiga | amiga-*)
-		basic_machine=m68k-unknown
-		;;
-	amigaos | amigados)
-		basic_machine=m68k-unknown
-		os=-amigaos
-		;;
-	amigaunix | amix)
-		basic_machine=m68k-unknown
-		os=-sysv4
-		;;
-	apollo68)
-		basic_machine=m68k-apollo
-		os=-sysv
-		;;
-	apollo68bsd)
-		basic_machine=m68k-apollo
-		os=-bsd
-		;;
-	aux)
-		basic_machine=m68k-apple
-		os=-aux
-		;;
-	balance)
-		basic_machine=ns32k-sequent
-		os=-dynix
-		;;
-	c90)
-		basic_machine=c90-cray
-		os=-unicos
-		;;
-	convex-c1)
-		basic_machine=c1-convex
-		os=-bsd
-		;;
-	convex-c2)
-		basic_machine=c2-convex
-		os=-bsd
-		;;
-	convex-c32)
-		basic_machine=c32-convex
-		os=-bsd
-		;;
-	convex-c34)
-		basic_machine=c34-convex
-		os=-bsd
-		;;
-	convex-c38)
-		basic_machine=c38-convex
-		os=-bsd
-		;;
-	cray | j90)
-		basic_machine=j90-cray
-		os=-unicos
-		;;
-	craynv)
-		basic_machine=craynv-cray
-		os=-unicosmp
-		;;
-	cr16c)
-		basic_machine=cr16c-unknown
-		os=-elf
-		;;
-	crds | unos)
-		basic_machine=m68k-crds
-		;;
-	crisv32 | crisv32-* | etraxfs*)
-		basic_machine=crisv32-axis
-		;;
-	cris | cris-* | etrax*)
-		basic_machine=cris-axis
-		;;
-	crx)
-		basic_machine=crx-unknown
-		os=-elf
-		;;
-	da30 | da30-*)
-		basic_machine=m68k-da30
-		;;
-	decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn)
-		basic_machine=mips-dec
-		;;
-	decsystem10* | dec10*)
-		basic_machine=pdp10-dec
-		os=-tops10
-		;;
-	decsystem20* | dec20*)
-		basic_machine=pdp10-dec
-		os=-tops20
-		;;
-	delta | 3300 | motorola-3300 | motorola-delta \
-	      | 3300-motorola | delta-motorola)
-		basic_machine=m68k-motorola
-		;;
-	delta88)
-		basic_machine=m88k-motorola
-		os=-sysv3
-		;;
-	djgpp)
-		basic_machine=i586-pc
-		os=-msdosdjgpp
-		;;
-	dpx20 | dpx20-*)
-		basic_machine=rs6000-bull
-		os=-bosx
-		;;
-	dpx2* | dpx2*-bull)
-		basic_machine=m68k-bull
-		os=-sysv3
-		;;
-	ebmon29k)
-		basic_machine=a29k-amd
-		os=-ebmon
-		;;
-	elxsi)
-		basic_machine=elxsi-elxsi
-		os=-bsd
-		;;
-	encore | umax | mmax)
-		basic_machine=ns32k-encore
-		;;
-	es1800 | OSE68k | ose68k | ose | OSE)
-		basic_machine=m68k-ericsson
-		os=-ose
-		;;
-	fx2800)
-		basic_machine=i860-alliant
-		;;
-	genix)
-		basic_machine=ns32k-ns
-		;;
-	gmicro)
-		basic_machine=tron-gmicro
-		os=-sysv
-		;;
-	go32)
-		basic_machine=i386-pc
-		os=-go32
-		;;
-	h3050r* | hiux*)
-		basic_machine=hppa1.1-hitachi
-		os=-hiuxwe2
-		;;
-	h8300hms)
-		basic_machine=h8300-hitachi
-		os=-hms
-		;;
-	h8300xray)
-		basic_machine=h8300-hitachi
-		os=-xray
-		;;
-	h8500hms)
-		basic_machine=h8500-hitachi
-		os=-hms
-		;;
-	harris)
-		basic_machine=m88k-harris
-		os=-sysv3
-		;;
-	hp300-*)
-		basic_machine=m68k-hp
-		;;
-	hp300bsd)
-		basic_machine=m68k-hp
-		os=-bsd
-		;;
-	hp300hpux)
-		basic_machine=m68k-hp
-		os=-hpux
-		;;
-	hp3k9[0-9][0-9] | hp9[0-9][0-9])
-		basic_machine=hppa1.0-hp
-		;;
-	hp9k2[0-9][0-9] | hp9k31[0-9])
-		basic_machine=m68000-hp
-		;;
-	hp9k3[2-9][0-9])
-		basic_machine=m68k-hp
-		;;
-	hp9k6[0-9][0-9] | hp6[0-9][0-9])
-		basic_machine=hppa1.0-hp
-		;;
-	hp9k7[0-79][0-9] | hp7[0-79][0-9])
-		basic_machine=hppa1.1-hp
-		;;
-	hp9k78[0-9] | hp78[0-9])
-		# FIXME: really hppa2.0-hp
-		basic_machine=hppa1.1-hp
-		;;
-	hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893)
-		# FIXME: really hppa2.0-hp
-		basic_machine=hppa1.1-hp
-		;;
-	hp9k8[0-9][13679] | hp8[0-9][13679])
-		basic_machine=hppa1.1-hp
-		;;
-	hp9k8[0-9][0-9] | hp8[0-9][0-9])
-		basic_machine=hppa1.0-hp
-		;;
-	hppa-next)
-		os=-nextstep3
-		;;
-	hppaosf)
-		basic_machine=hppa1.1-hp
-		os=-osf
-		;;
-	hppro)
-		basic_machine=hppa1.1-hp
-		os=-proelf
-		;;
-	i370-ibm* | ibm*)
-		basic_machine=i370-ibm
-		;;
-# I'm not sure what "Sysv32" means.  Should this be sysv3.2?
-	i*86v32)
-		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
-		os=-sysv32
-		;;
-	i*86v4*)
-		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
-		os=-sysv4
-		;;
-	i*86v)
-		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
-		os=-sysv
-		;;
-	i*86sol2)
-		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
-		os=-solaris2
-		;;
-	i386mach)
-		basic_machine=i386-mach
-		os=-mach
-		;;
-	i386-vsta | vsta)
-		basic_machine=i386-unknown
-		os=-vsta
-		;;
-	iris | iris4d)
-		basic_machine=mips-sgi
-		case $os in
-		    -irix*)
-			;;
-		    *)
-			os=-irix4
-			;;
-		esac
-		;;
-	isi68 | isi)
-		basic_machine=m68k-isi
-		os=-sysv
-		;;
-	m88k-omron*)
-		basic_machine=m88k-omron
-		;;
-	magnum | m3230)
-		basic_machine=mips-mips
-		os=-sysv
-		;;
-	merlin)
-		basic_machine=ns32k-utek
-		os=-sysv
-		;;
-	mingw32)
-		basic_machine=i386-pc
-		os=-mingw32
-		;;
-	miniframe)
-		basic_machine=m68000-convergent
-		;;
-	*mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*)
-		basic_machine=m68k-atari
-		os=-mint
-		;;
-	mips3*-*)
-		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`
-		;;
-	mips3*)
-		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown
-		;;
-	monitor)
-		basic_machine=m68k-rom68k
-		os=-coff
-		;;
-	morphos)
-		basic_machine=powerpc-unknown
-		os=-morphos
-		;;
-	msdos)
-		basic_machine=i386-pc
-		os=-msdos
-		;;
-	mvs)
-		basic_machine=i370-ibm
-		os=-mvs
-		;;
-	ncr3000)
-		basic_machine=i486-ncr
-		os=-sysv4
-		;;
-	netbsd386)
-		basic_machine=i386-unknown
-		os=-netbsd
-		;;
-	netwinder)
-		basic_machine=armv4l-rebel
-		os=-linux
-		;;
-	news | news700 | news800 | news900)
-		basic_machine=m68k-sony
-		os=-newsos
-		;;
-	news1000)
-		basic_machine=m68030-sony
-		os=-newsos
-		;;
-	news-3600 | risc-news)
-		basic_machine=mips-sony
-		os=-newsos
-		;;
-	necv70)
-		basic_machine=v70-nec
-		os=-sysv
-		;;
-	next | m*-next )
-		basic_machine=m68k-next
-		case $os in
-		    -nextstep* )
-			;;
-		    -ns2*)
-		      os=-nextstep2
-			;;
-		    *)
-		      os=-nextstep3
-			;;
-		esac
-		;;
-	nh3000)
-		basic_machine=m68k-harris
-		os=-cxux
-		;;
-	nh[45]000)
-		basic_machine=m88k-harris
-		os=-cxux
-		;;
-	nindy960)
-		basic_machine=i960-intel
-		os=-nindy
-		;;
-	mon960)
-		basic_machine=i960-intel
-		os=-mon960
-		;;
-	nonstopux)
-		basic_machine=mips-compaq
-		os=-nonstopux
-		;;
-	np1)
-		basic_machine=np1-gould
-		;;
-	nsr-tandem)
-		basic_machine=nsr-tandem
-		;;
-	op50n-* | op60c-*)
-		basic_machine=hppa1.1-oki
-		os=-proelf
-		;;
-	or32 | or32-*)
-		basic_machine=or32-unknown
-		os=-coff
-		;;
-	os400)
-		basic_machine=powerpc-ibm
-		os=-os400
-		;;
-	OSE68000 | ose68000)
-		basic_machine=m68000-ericsson
-		os=-ose
-		;;
-	os68k)
-		basic_machine=m68k-none
-		os=-os68k
-		;;
-	pa-hitachi)
-		basic_machine=hppa1.1-hitachi
-		os=-hiuxwe2
-		;;
-	paragon)
-		basic_machine=i860-intel
-		os=-osf
-		;;
-	pbd)
-		basic_machine=sparc-tti
-		;;
-	pbb)
-		basic_machine=m68k-tti
-		;;
-	pc532 | pc532-*)
-		basic_machine=ns32k-pc532
-		;;
-	pentium | p5 | k5 | k6 | nexgen | viac3)
-		basic_machine=i586-pc
-		;;
-	pentiumpro | p6 | 6x86 | athlon | athlon_*)
-		basic_machine=i686-pc
-		;;
-	pentiumii | pentium2 | pentiumiii | pentium3)
-		basic_machine=i686-pc
-		;;
-	pentium4)
-		basic_machine=i786-pc
-		;;
-	pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*)
-		basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	pentiumpro-* | p6-* | 6x86-* | athlon-*)
-		basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*)
-		basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	pentium4-*)
-		basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	pn)
-		basic_machine=pn-gould
-		;;
-	power)	basic_machine=power-ibm
-		;;
-	ppc)	basic_machine=powerpc-unknown
-		;;
-	ppc-*)	basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	ppcle | powerpclittle | ppc-le | powerpc-little)
-		basic_machine=powerpcle-unknown
-		;;
-	ppcle-* | powerpclittle-*)
-		basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	ppc64)	basic_machine=powerpc64-unknown
-		;;
-	ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	ppc64le | powerpc64little | ppc64-le | powerpc64-little)
-		basic_machine=powerpc64le-unknown
-		;;
-	ppc64le-* | powerpc64little-*)
-		basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'`
-		;;
-	ps2)
-		basic_machine=i386-ibm
-		;;
-	pw32)
-		basic_machine=i586-unknown
-		os=-pw32
-		;;
-	rom68k)
-		basic_machine=m68k-rom68k
-		os=-coff
-		;;
-	rm[46]00)
-		basic_machine=mips-siemens
-		;;
-	rtpc | rtpc-*)
-		basic_machine=romp-ibm
-		;;
-	s390 | s390-*)
-		basic_machine=s390-ibm
-		;;
-	s390x | s390x-*)
-		basic_machine=s390x-ibm
-		;;
-	sa29200)
-		basic_machine=a29k-amd
-		os=-udi
-		;;
-	sb1)
-		basic_machine=mipsisa64sb1-unknown
-		;;
-	sb1el)
-		basic_machine=mipsisa64sb1el-unknown
-		;;
-	sei)
-		basic_machine=mips-sei
-		os=-seiux
-		;;
-	sequent)
-		basic_machine=i386-sequent
-		;;
-	sh)
-		basic_machine=sh-hitachi
-		os=-hms
-		;;
-	sh64)
-		basic_machine=sh64-unknown
-		;;
-	sparclite-wrs | simso-wrs)
-		basic_machine=sparclite-wrs
-		os=-vxworks
-		;;
-	sps7)
-		basic_machine=m68k-bull
-		os=-sysv2
-		;;
-	spur)
-		basic_machine=spur-unknown
-		;;
-	st2000)
-		basic_machine=m68k-tandem
-		;;
-	stratus)
-		basic_machine=i860-stratus
-		os=-sysv4
-		;;
-	sun2)
-		basic_machine=m68000-sun
-		;;
-	sun2os3)
-		basic_machine=m68000-sun
-		os=-sunos3
-		;;
-	sun2os4)
-		basic_machine=m68000-sun
-		os=-sunos4
-		;;
-	sun3os3)
-		basic_machine=m68k-sun
-		os=-sunos3
-		;;
-	sun3os4)
-		basic_machine=m68k-sun
-		os=-sunos4
-		;;
-	sun4os3)
-		basic_machine=sparc-sun
-		os=-sunos3
-		;;
-	sun4os4)
-		basic_machine=sparc-sun
-		os=-sunos4
-		;;
-	sun4sol2)
-		basic_machine=sparc-sun
-		os=-solaris2
-		;;
-	sun3 | sun3-*)
-		basic_machine=m68k-sun
-		;;
-	sun4)
-		basic_machine=sparc-sun
-		;;
-	sun386 | sun386i | roadrunner)
-		basic_machine=i386-sun
-		;;
-	sv1)
-		basic_machine=sv1-cray
-		os=-unicos
-		;;
-	symmetry)
-		basic_machine=i386-sequent
-		os=-dynix
-		;;
-	t3e)
-		basic_machine=alphaev5-cray
-		os=-unicos
-		;;
-	t90)
-		basic_machine=t90-cray
-		os=-unicos
-		;;
-	tic54x | c54x*)
-		basic_machine=tic54x-unknown
-		os=-coff
-		;;
-	tic55x | c55x*)
-		basic_machine=tic55x-unknown
-		os=-coff
-		;;
-	tic6x | c6x*)
-		basic_machine=tic6x-unknown
-		os=-coff
-		;;
-	tx39)
-		basic_machine=mipstx39-unknown
-		;;
-	tx39el)
-		basic_machine=mipstx39el-unknown
-		;;
-	toad1)
-		basic_machine=pdp10-xkl
-		os=-tops20
-		;;
-	tower | tower-32)
-		basic_machine=m68k-ncr
-		;;
-	tpf)
-		basic_machine=s390x-ibm
-		os=-tpf
-		;;
-	udi29k)
-		basic_machine=a29k-amd
-		os=-udi
-		;;
-	ultra3)
-		basic_machine=a29k-nyu
-		os=-sym1
-		;;
-	v810 | necv810)
-		basic_machine=v810-nec
-		os=-none
-		;;
-	vaxv)
-		basic_machine=vax-dec
-		os=-sysv
-		;;
-	vms)
-		basic_machine=vax-dec
-		os=-vms
-		;;
-	vpp*|vx|vx-*)
-		basic_machine=f301-fujitsu
-		;;
-	vxworks960)
-		basic_machine=i960-wrs
-		os=-vxworks
-		;;
-	vxworks68)
-		basic_machine=m68k-wrs
-		os=-vxworks
-		;;
-	vxworks29k)
-		basic_machine=a29k-wrs
-		os=-vxworks
-		;;
-	w65*)
-		basic_machine=w65-wdc
-		os=-none
-		;;
-	w89k-*)
-		basic_machine=hppa1.1-winbond
-		os=-proelf
-		;;
-	xbox)
-		basic_machine=i686-pc
-		os=-mingw32
-		;;
-	xps | xps100)
-		basic_machine=xps100-honeywell
-		;;
-	ymp)
-		basic_machine=ymp-cray
-		os=-unicos
-		;;
-	z8k-*-coff)
-		basic_machine=z8k-unknown
-		os=-sim
-		;;
-	none)
-		basic_machine=none-none
-		os=-none
-		;;
-
-# Here we handle the default manufacturer of certain CPU types.  It is in
-# some cases the only manufacturer, in others, it is the most popular.
-	w89k)
-		basic_machine=hppa1.1-winbond
-		;;
-	op50n)
-		basic_machine=hppa1.1-oki
-		;;
-	op60c)
-		basic_machine=hppa1.1-oki
-		;;
-	romp)
-		basic_machine=romp-ibm
-		;;
-	mmix)
-		basic_machine=mmix-knuth
-		;;
-	rs6000)
-		basic_machine=rs6000-ibm
-		;;
-	vax)
-		basic_machine=vax-dec
-		;;
-	pdp10)
-		# there are many clones, so DEC is not a safe bet
-		basic_machine=pdp10-unknown
-		;;
-	pdp11)
-		basic_machine=pdp11-dec
-		;;
-	we32k)
-		basic_machine=we32k-att
-		;;
-	sh3 | sh4 | sh[34]eb | sh[1234]le | sh[23]ele)
-		basic_machine=sh-unknown
-		;;
-	sh64)
-		basic_machine=sh64-unknown
-		;;
-	sparc | sparcv8 | sparcv9 | sparcv9b)
-		basic_machine=sparc-sun
-		;;
-	cydra)
-		basic_machine=cydra-cydrome
-		;;
-	orion)
-		basic_machine=orion-highlevel
-		;;
-	orion105)
-		basic_machine=clipper-highlevel
-		;;
-	mac | mpw | mac-mpw)
-		basic_machine=m68k-apple
-		;;
-	pmac | pmac-mpw)
-		basic_machine=powerpc-apple
-		;;
-	*-unknown)
-		# Make sure to match an already-canonicalized machine name.
-		;;
-	*)
-		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
-		exit 1
-		;;
-esac
-
-# Here we canonicalize certain aliases for manufacturers.
-case $basic_machine in
-	*-digital*)
-		basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'`
-		;;
-	*-commodore*)
-		basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'`
-		;;
-	*)
-		;;
-esac
-
-# Decode manufacturer-specific aliases for certain operating systems.
-
-if [ x"$os" != x"" ]
-then
-case $os in
-        # First match some system type aliases
-        # that might get confused with valid system types.
-	# -solaris* is a basic system type, with this one exception.
-	-solaris1 | -solaris1.*)
-		os=`echo $os | sed -e 's|solaris1|sunos4|'`
-		;;
-	-solaris)
-		os=-solaris2
-		;;
-	-svr4*)
-		os=-sysv4
-		;;
-	-unixware*)
-		os=-sysv4.2uw
-		;;
-	-gnu/linux*)
-		os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'`
-		;;
-	# First accept the basic system types.
-	# The portable systems comes first.
-	# Each alternative MUST END IN A *, to match a version number.
-	# -sysv* is not here because it comes later, after sysvr4.
-	-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
-	      | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\
-	      | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \
-	      | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
-	      | -aos* \
-	      | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
-	      | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
-	      | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* | -openbsd* \
-	      | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
-	      | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
-	      | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
-	      | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
-	      | -chorusos* | -chorusrdb* \
-	      | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
-	      | -mingw32* | -linux-gnu* | -linux-uclibc* | -uxpv* | -beos* | -mpeix* | -udk* \
-	      | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
-	      | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
-	      | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
-	      | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
-	      | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
-	      | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* | -skyos*)
-	# Remember, each alternative MUST END IN *, to match a version number.
-		;;
-	-qnx*)
-		case $basic_machine in
-		    x86-* | i*86-*)
-			;;
-		    *)
-			os=-nto$os
-			;;
-		esac
-		;;
-	-nto-qnx*)
-		;;
-	-nto*)
-		os=`echo $os | sed -e 's|nto|nto-qnx|'`
-		;;
-	-sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \
-	      | -windows* | -osx | -abug | -netware* | -os9* | -beos* \
-	      | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*)
-		;;
-	-mac*)
-		os=`echo $os | sed -e 's|mac|macos|'`
-		;;
-	-linux-dietlibc)
-		os=-linux-dietlibc
-		;;
-	-linux*)
-		os=`echo $os | sed -e 's|linux|linux-gnu|'`
-		;;
-	-sunos5*)
-		os=`echo $os | sed -e 's|sunos5|solaris2|'`
-		;;
-	-sunos6*)
-		os=`echo $os | sed -e 's|sunos6|solaris3|'`
-		;;
-	-opened*)
-		os=-openedition
-		;;
-        -os400*)
-		os=-os400
-		;;
-	-wince*)
-		os=-wince
-		;;
-	-osfrose*)
-		os=-osfrose
-		;;
-	-osf*)
-		os=-osf
-		;;
-	-utek*)
-		os=-bsd
-		;;
-	-dynix*)
-		os=-bsd
-		;;
-	-acis*)
-		os=-aos
-		;;
-	-atheos*)
-		os=-atheos
-		;;
-	-syllable*)
-		os=-syllable
-		;;
-	-386bsd)
-		os=-bsd
-		;;
-	-ctix* | -uts*)
-		os=-sysv
-		;;
-	-nova*)
-		os=-rtmk-nova
-		;;
-	-ns2 )
-		os=-nextstep2
-		;;
-	-nsk*)
-		os=-nsk
-		;;
-	# Preserve the version number of sinix5.
-	-sinix5.*)
-		os=`echo $os | sed -e 's|sinix|sysv|'`
-		;;
-	-sinix*)
-		os=-sysv4
-		;;
-        -tpf*)
-		os=-tpf
-		;;
-	-triton*)
-		os=-sysv3
-		;;
-	-oss*)
-		os=-sysv3
-		;;
-	-svr4)
-		os=-sysv4
-		;;
-	-svr3)
-		os=-sysv3
-		;;
-	-sysvr4)
-		os=-sysv4
-		;;
-	# This must come after -sysvr4.
-	-sysv*)
-		;;
-	-ose*)
-		os=-ose
-		;;
-	-es1800*)
-		os=-ose
-		;;
-	-xenix)
-		os=-xenix
-		;;
-	-*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
-		os=-mint
-		;;
-	-aros*)
-		os=-aros
-		;;
-	-kaos*)
-		os=-kaos
-		;;
-	-zvmoe)
-		os=-zvmoe
-		;;
-	-none)
-		;;
-	*)
-		# Get rid of the `-' at the beginning of $os.
-		os=`echo $os | sed 's/[^-]*-//'`
-		echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2
-		exit 1
-		;;
-esac
-else
-
-# Here we handle the default operating systems that come with various machines.
-# The value should be what the vendor currently ships out the door with their
-# machine or put another way, the most popular os provided with the machine.
-
-# Note that if you're going to try to match "-MANUFACTURER" here (say,
-# "-sun"), then you have to tell the case statement up towards the top
-# that MANUFACTURER isn't an operating system.  Otherwise, code above
-# will signal an error saying that MANUFACTURER isn't an operating
-# system, and we'll never get to this point.
-
-case $basic_machine in
-	*-acorn)
-		os=-riscix1.2
-		;;
-	arm*-rebel)
-		os=-linux
-		;;
-	arm*-semi)
-		os=-aout
-		;;
-    c4x-* | tic4x-*)
-        os=-coff
-        ;;
-	# This must come before the *-dec entry.
-	pdp10-*)
-		os=-tops20
-		;;
-	pdp11-*)
-		os=-none
-		;;
-	*-dec | vax-*)
-		os=-ultrix4.2
-		;;
-	m68*-apollo)
-		os=-domain
-		;;
-	i386-sun)
-		os=-sunos4.0.2
-		;;
-	m68000-sun)
-		os=-sunos3
-		# This also exists in the configure program, but was not the
-		# default.
-		# os=-sunos4
-		;;
-	m68*-cisco)
-		os=-aout
-		;;
-	mips*-cisco)
-		os=-elf
-		;;
-	mips*-*)
-		os=-elf
-		;;
-	or32-*)
-		os=-coff
-		;;
-	*-tti)	# must be before sparc entry or we get the wrong os.
-		os=-sysv3
-		;;
-	sparc-* | *-sun)
-		os=-sunos4.1.1
-		;;
-	*-be)
-		os=-beos
-		;;
-	*-ibm)
-		os=-aix
-		;;
-    	*-knuth)
-		os=-mmixware
-		;;
-	*-wec)
-		os=-proelf
-		;;
-	*-winbond)
-		os=-proelf
-		;;
-	*-oki)
-		os=-proelf
-		;;
-	*-hp)
-		os=-hpux
-		;;
-	*-hitachi)
-		os=-hiux
-		;;
-	i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent)
-		os=-sysv
-		;;
-	*-cbm)
-		os=-amigaos
-		;;
-	*-dg)
-		os=-dgux
-		;;
-	*-dolphin)
-		os=-sysv3
-		;;
-	m68k-ccur)
-		os=-rtu
-		;;
-	m88k-omron*)
-		os=-luna
-		;;
-	*-next )
-		os=-nextstep
-		;;
-	*-sequent)
-		os=-ptx
-		;;
-	*-crds)
-		os=-unos
-		;;
-	*-ns)
-		os=-genix
-		;;
-	i370-*)
-		os=-mvs
-		;;
-	*-next)
-		os=-nextstep3
-		;;
-	*-gould)
-		os=-sysv
-		;;
-	*-highlevel)
-		os=-bsd
-		;;
-	*-encore)
-		os=-bsd
-		;;
-	*-sgi)
-		os=-irix
-		;;
-	*-siemens)
-		os=-sysv4
-		;;
-	*-masscomp)
-		os=-rtu
-		;;
-	f30[01]-fujitsu | f700-fujitsu)
-		os=-uxpv
-		;;
-	*-rom68k)
-		os=-coff
-		;;
-	*-*bug)
-		os=-coff
-		;;
-	*-apple)
-		os=-macos
-		;;
-	*-atari*)
-		os=-mint
-		;;
-	*)
-		os=-none
-		;;
-esac
-fi
-
-# Here we handle the case where we know the os, and the CPU type, but not the
-# manufacturer.  We pick the logical manufacturer.
-vendor=unknown
-case $basic_machine in
-	*-unknown)
-		case $os in
-			-riscix*)
-				vendor=acorn
-				;;
-			-sunos*)
-				vendor=sun
-				;;
-			-aix*)
-				vendor=ibm
-				;;
-			-beos*)
-				vendor=be
-				;;
-			-hpux*)
-				vendor=hp
-				;;
-			-mpeix*)
-				vendor=hp
-				;;
-			-hiux*)
-				vendor=hitachi
-				;;
-			-unos*)
-				vendor=crds
-				;;
-			-dgux*)
-				vendor=dg
-				;;
-			-luna*)
-				vendor=omron
-				;;
-			-genix*)
-				vendor=ns
-				;;
-			-mvs* | -opened*)
-				vendor=ibm
-				;;
-			-os400*)
-				vendor=ibm
-				;;
-			-ptx*)
-				vendor=sequent
-				;;
-			-tpf*)
-				vendor=ibm
-				;;
-			-vxsim* | -vxworks* | -windiss*)
-				vendor=wrs
-				;;
-			-aux*)
-				vendor=apple
-				;;
-			-hms*)
-				vendor=hitachi
-				;;
-			-mpw* | -macos*)
-				vendor=apple
-				;;
-			-*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
-				vendor=atari
-				;;
-			-vos*)
-				vendor=stratus
-				;;
-		esac
-		basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"`
-		;;
-esac
-
-echo $basic_machine$os
-exit
-
-# Local variables:
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "timestamp='"
-# time-stamp-format: "%:y-%02m-%02d"
-# time-stamp-end: "'"
-# End:
diff --git a/crypto/openssh/configure.ac b/crypto/openssh/configure.ac
deleted file mode 100644
index c596a7b..0000000
--- a/crypto/openssh/configure.ac
+++ /dev/null
@@ -1,4028 +0,0 @@
-# $Id: configure.ac,v 1.370 2006/10/06 23:07:21 dtucker Exp $
-#
-# Copyright (c) 1999-2004 Damien Miller
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org)
-AC_REVISION($Revision: 1.370 $)
-AC_CONFIG_SRCDIR([ssh.c])
-
-AC_CONFIG_HEADER(config.h)
-AC_PROG_CC
-AC_CANONICAL_HOST
-AC_C_BIGENDIAN
-
-# Checks for programs.
-AC_PROG_AWK
-AC_PROG_CPP
-AC_PROG_RANLIB
-AC_PROG_INSTALL
-AC_PROG_EGREP
-AC_PATH_PROG(AR, ar)
-AC_PATH_PROG(CAT, cat)
-AC_PATH_PROG(KILL, kill)
-AC_PATH_PROGS(PERL, perl5 perl)
-AC_PATH_PROG(SED, sed)
-AC_SUBST(PERL)
-AC_PATH_PROG(ENT, ent)
-AC_SUBST(ENT)
-AC_PATH_PROG(TEST_MINUS_S_SH, bash)
-AC_PATH_PROG(TEST_MINUS_S_SH, ksh)
-AC_PATH_PROG(TEST_MINUS_S_SH, sh)
-AC_PATH_PROG(SH, sh)
-AC_SUBST(TEST_SHELL,sh)
-
-dnl for buildpkg.sh
-AC_PATH_PROG(PATH_GROUPADD_PROG, groupadd, groupadd,
-	[/usr/sbin${PATH_SEPARATOR}/etc])
-AC_PATH_PROG(PATH_USERADD_PROG, useradd, useradd,
-	[/usr/sbin${PATH_SEPARATOR}/etc])
-AC_CHECK_PROG(MAKE_PACKAGE_SUPPORTED, pkgmk, yes, no)
-if test -x /sbin/sh; then
-	AC_SUBST(STARTUP_SCRIPT_SHELL,/sbin/sh)
-else
-	AC_SUBST(STARTUP_SCRIPT_SHELL,/bin/sh)
-fi
-
-# System features
-AC_SYS_LARGEFILE
-
-if test -z "$AR" ; then
-	AC_MSG_ERROR([*** 'ar' missing, please install or fix your \$PATH ***])
-fi
-
-# Use LOGIN_PROGRAM from environment if possible
-if test ! -z "$LOGIN_PROGRAM" ; then
-	AC_DEFINE_UNQUOTED(LOGIN_PROGRAM_FALLBACK, "$LOGIN_PROGRAM",
-		[If your header files don't define LOGIN_PROGRAM,
-		then use this (detected) from environment and PATH])
-else
-	# Search for login
-	AC_PATH_PROG(LOGIN_PROGRAM_FALLBACK, login)
-	if test ! -z "$LOGIN_PROGRAM_FALLBACK" ; then
-		AC_DEFINE_UNQUOTED(LOGIN_PROGRAM_FALLBACK, "$LOGIN_PROGRAM_FALLBACK")
-	fi
-fi
-
-AC_PATH_PROG(PATH_PASSWD_PROG, passwd)
-if test ! -z "$PATH_PASSWD_PROG" ; then
-	AC_DEFINE_UNQUOTED(_PATH_PASSWD_PROG, "$PATH_PASSWD_PROG",
-		[Full path of your "passwd" program])
-fi
-
-if test -z "$LD" ; then
-	LD=$CC
-fi
-AC_SUBST(LD)
-
-AC_C_INLINE
-
-AC_CHECK_DECL(LLONG_MAX, have_llong_max=1, , [#include <limits.h>])
-
-if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
-	CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wuninitialized"
-	GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
-	case $GCC_VER in
-		1.*) ;;
-		2.8* | 2.9*) CFLAGS="$CFLAGS -Wsign-compare" ;;
-		2.*) ;;
-		3.*) CFLAGS="$CFLAGS -Wsign-compare" ;;
-		4.*) CFLAGS="$CFLAGS -Wsign-compare -Wno-pointer-sign" ;;
-		*) ;;
-	esac
-
-	if test -z "$have_llong_max"; then
-		# retry LLONG_MAX with -std=gnu99, needed on some Linuxes
-		unset ac_cv_have_decl_LLONG_MAX
-		saved_CFLAGS="$CFLAGS"
-		CFLAGS="$CFLAGS -std=gnu99"
-		AC_CHECK_DECL(LLONG_MAX,
-		    [have_llong_max=1],
-		    [CFLAGS="$saved_CFLAGS"],
-		    [#include <limits.h>]
-		)
-	fi
-fi
-
-AC_ARG_WITH(rpath,
-	[  --without-rpath         Disable auto-added -R linker paths],
-	[
-		if test "x$withval" = "xno" ; then
-			need_dash_r=""
-		fi
-		if test "x$withval" = "xyes" ; then
-			need_dash_r=1
-		fi
-	]
-)
-
-# Allow user to specify flags
-AC_ARG_WITH(cflags,
-	[  --with-cflags           Specify additional flags to pass to compiler],
-	[
-		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
-		    test "x${withval}" != "xyes"; then
-			CFLAGS="$CFLAGS $withval"
-		fi
-	]
-)
-AC_ARG_WITH(cppflags,
-	[  --with-cppflags         Specify additional flags to pass to preprocessor] ,
-	[
-		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
-		    test "x${withval}" != "xyes"; then
-			CPPFLAGS="$CPPFLAGS $withval"
-		fi
-	]
-)
-AC_ARG_WITH(ldflags,
-	[  --with-ldflags          Specify additional flags to pass to linker],
-	[
-		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
-		    test "x${withval}" != "xyes"; then
-			LDFLAGS="$LDFLAGS $withval"
-		fi
-	]
-)
-AC_ARG_WITH(libs,
-	[  --with-libs             Specify additional libraries to link with],
-	[
-		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
-		    test "x${withval}" != "xyes"; then
-			LIBS="$LIBS $withval"
-		fi
-	]
-)
-AC_ARG_WITH(Werror,
-	[  --with-Werror           Build main code with -Werror],
-	[
-		if test -n "$withval"  &&  test "x$withval" != "xno"; then
-			werror_flags="-Werror"
-			if test "x${withval}" != "xyes"; then
-				werror_flags="$withval"
-			fi
-		fi
-	]
-)
-
-AC_CHECK_HEADERS( \
-	bstring.h \
-	crypt.h \
-	crypto/sha2.h \
-	dirent.h \
-	endian.h \
-	features.h \
-	fcntl.h \
-	floatingpoint.h \
-	getopt.h \
-	glob.h \
-	ia.h \
-	iaf.h \
-	limits.h \
-	login.h \
-	maillock.h \
-	ndir.h \
-	net/if_tun.h \
-	netdb.h \
-	netgroup.h \
-	pam/pam_appl.h \
-	paths.h \
-	pty.h \
-	readpassphrase.h \
-	rpc/types.h \
-	security/pam_appl.h \
-	sha2.h \
-	shadow.h \
-	stddef.h \
-	stdint.h \
-	string.h \
-	strings.h \
-	sys/audit.h \
-	sys/bitypes.h \
-	sys/bsdtty.h \
-	sys/cdefs.h \
-	sys/dir.h \
-	sys/mman.h \
-	sys/ndir.h \
-	sys/prctl.h \
-	sys/pstat.h \
-	sys/select.h \
-	sys/stat.h \
-	sys/stream.h \
-	sys/stropts.h \
-	sys/strtio.h \
-	sys/sysmacros.h \
-	sys/time.h \
-	sys/timers.h \
-	sys/un.h \
-	time.h \
-	tmpdir.h \
-	ttyent.h \
-	unistd.h \
-	usersec.h \
-	util.h \
-	utime.h \
-	utmp.h \
-	utmpx.h \
-	vis.h \
-)
-
-# lastlog.h requires sys/time.h to be included first on Solaris
-AC_CHECK_HEADERS(lastlog.h, [], [], [
-#ifdef HAVE_SYS_TIME_H
-# include <sys/time.h>
-#endif
-])
-
-# sys/ptms.h requires sys/stream.h to be included first on Solaris
-AC_CHECK_HEADERS(sys/ptms.h, [], [], [
-#ifdef HAVE_SYS_STREAM_H
-# include <sys/stream.h>
-#endif
-])
-
-# login_cap.h requires sys/types.h on NetBSD
-AC_CHECK_HEADERS(login_cap.h, [], [], [
-#include <sys/types.h>
-])
-
-# Messages for features tested for in target-specific section
-SIA_MSG="no"
-SPC_MSG="no"
-
-# Check for some target-specific stuff
-case "$host" in
-*-*-aix*)
-	# Some versions of VAC won't allow macro redefinitions at
-	# -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that
-	# particularly with older versions of vac or xlc.
-	# It also throws errors about null macro argments, but these are
-	# not fatal.
-	AC_MSG_CHECKING(if compiler allows macro redefinitions)
-	AC_COMPILE_IFELSE(
-	    [AC_LANG_SOURCE([[
-#define testmacro foo
-#define testmacro bar
-int main(void) { exit(0); }
-	    ]])],
-	    [ AC_MSG_RESULT(yes) ],
-	    [ AC_MSG_RESULT(no)
-	      CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
-	      LD="`echo $LD | sed 's/-qlanglvl\=ansi//g'`"
-	      CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`"
-	      CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`"
-	    ]
-	)
-
-	AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
-	if (test -z "$blibpath"); then
-		blibpath="/usr/lib:/lib"
-	fi
-	saved_LDFLAGS="$LDFLAGS"
-	if test "$GCC" = "yes"; then
-		flags="-Wl,-blibpath: -Wl,-rpath, -blibpath:"
-	else
-		flags="-blibpath: -Wl,-blibpath: -Wl,-rpath,"
-	fi
-	for tryflags in $flags ;do
-		if (test -z "$blibflags"); then
-			LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
-			AC_TRY_LINK([], [], [blibflags=$tryflags])
-		fi
-	done
-	if (test -z "$blibflags"); then
-		AC_MSG_RESULT(not found)
-		AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log])
-	else
-		AC_MSG_RESULT($blibflags)
-	fi
-	LDFLAGS="$saved_LDFLAGS"
-	dnl Check for authenticate.  Might be in libs.a on older AIXes
-	AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE, 1,
-		[Define if you want to enable AIX4's authenticate function])],
-		[AC_CHECK_LIB(s,authenticate,
-			[ AC_DEFINE(WITH_AIXAUTHENTICATE)
-				LIBS="$LIBS -ls"
-			])
-		])
-	dnl Check for various auth function declarations in headers.
-	AC_CHECK_DECLS([authenticate, loginrestrictions, loginsuccess,
-	    passwdexpired, setauthdb], , , [#include <usersec.h>])
-	dnl Check if loginfailed is declared and takes 4 arguments (AIX >= 5.2)
-	AC_CHECK_DECLS(loginfailed,
-		 [AC_MSG_CHECKING(if loginfailed takes 4 arguments)
-		  AC_TRY_COMPILE(
-			[#include <usersec.h>],
-			[(void)loginfailed("user","host","tty",0);],
-			[AC_MSG_RESULT(yes)
-			 AC_DEFINE(AIX_LOGINFAILED_4ARG, 1,
-				[Define if your AIX loginfailed() function
-				takes 4 arguments (AIX >= 5.2)])],
-			[AC_MSG_RESULT(no)]
-		)],
-		[],
-		[#include <usersec.h>]
-	)
-	AC_CHECK_FUNCS(setauthdb)
-	AC_CHECK_DECL(F_CLOSEM,
-	    AC_DEFINE(HAVE_FCNTL_CLOSEM, 1, [Use F_CLOSEM fcntl for closefrom]),
-	    [],
-	    [ #include <limits.h>
-	      #include <fcntl.h> ]
-	)
-	check_for_aix_broken_getaddrinfo=1
-	AC_DEFINE(BROKEN_REALPATH, 1, [Define if you have a broken realpath.])
-	AC_DEFINE(SETEUID_BREAKS_SETUID, 1,
-	    [Define if your platform breaks doing a seteuid before a setuid])
-	AC_DEFINE(BROKEN_SETREUID, 1, [Define if your setreuid() is broken])
-	AC_DEFINE(BROKEN_SETREGID, 1, [Define if your setregid() is broken])
-	dnl AIX handles lastlog as part of its login message
-	AC_DEFINE(DISABLE_LASTLOG, 1, [Define if you don't want to use lastlog])
-	AC_DEFINE(LOGIN_NEEDS_UTMPX, 1,
-		[Some systems need a utmpx entry for /bin/login to work])
-	AC_DEFINE(SPT_TYPE,SPT_REUSEARGV,
-		[Define to a Set Process Title type if your system is
-		supported by bsd-setproctitle.c])
-	AC_DEFINE(SSHPAM_CHAUTHTOK_NEEDS_RUID, 1,
-	    [AIX 5.2 and 5.3 (and presumably newer) require this])
-	AC_DEFINE(PTY_ZEROREAD, 1, [read(1) can return 0 for a non-closed fd])
-	;;
-*-*-cygwin*)
-	check_for_libcrypt_later=1
-	LIBS="$LIBS /usr/lib/textmode.o"
-	AC_DEFINE(HAVE_CYGWIN, 1, [Define if you are on Cygwin])
-	AC_DEFINE(USE_PIPES, 1, [Use PIPES instead of a socketpair()])
-	AC_DEFINE(DISABLE_SHADOW, 1,
-		[Define if you want to disable shadow passwords])
-	AC_DEFINE(IP_TOS_IS_BROKEN, 1,
-		[Define if your system choked on IP TOS setting])
-	AC_DEFINE(NO_X11_UNIX_SOCKETS, 1,
-		[Define if X11 doesn't support AF_UNIX sockets on that system])
-	AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT, 1,
-		[Define if the concept of ports only accessible to
-		superusers isn't known])
-	AC_DEFINE(DISABLE_FD_PASSING, 1,
-		[Define if your platform needs to skip post auth
-		file descriptor passing])
-	;;
-*-*-dgux*)
-	AC_DEFINE(IP_TOS_IS_BROKEN)
-	AC_DEFINE(SETEUID_BREAKS_SETUID)
-	AC_DEFINE(BROKEN_SETREUID)
-	AC_DEFINE(BROKEN_SETREGID)
-	;;
-*-*-darwin*)
-	AC_MSG_CHECKING(if we have working getaddrinfo)
-	AC_TRY_RUN([#include <mach-o/dyld.h>
-main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
-		exit(0);
-	else
-		exit(1);
-}], [AC_MSG_RESULT(working)],
-	[AC_MSG_RESULT(buggy)
-	AC_DEFINE(BROKEN_GETADDRINFO, 1, [getaddrinfo is broken (if present)])],
-	[AC_MSG_RESULT(assume it is working)])
-	AC_DEFINE(SETEUID_BREAKS_SETUID)
-	AC_DEFINE(BROKEN_SETREUID)
-	AC_DEFINE(BROKEN_SETREGID)
-	AC_DEFINE_UNQUOTED(BIND_8_COMPAT, 1,
-		[Define if your resolver libs need this for getrrsetbyname])
-	AC_DEFINE(SSH_TUN_FREEBSD, 1, [Open tunnel devices the FreeBSD way])
-	AC_DEFINE(SSH_TUN_COMPAT_AF, 1,
-	    [Use tunnel device compatibility to OpenBSD])
-	AC_DEFINE(SSH_TUN_PREPEND_AF, 1,
-	    [Prepend the address family to IP tunnel traffic])
-	;;
-*-*-dragonfly*)
-	SSHDLIBS="$SSHDLIBS -lcrypt"
-	;;
-*-*-hpux*)
-	# first we define all of the options common to all HP-UX releases
-	CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
-	IPADDR_IN_DISPLAY=yes
-	AC_DEFINE(USE_PIPES)
-	AC_DEFINE(LOGIN_NO_ENDOPT, 1,
-	    [Define if your login program cannot handle end of options ("--")])
-	AC_DEFINE(LOGIN_NEEDS_UTMPX)
-	AC_DEFINE(LOCKED_PASSWD_STRING, "*",
-		[String used in /etc/passwd to denote locked account])
-	AC_DEFINE(SPT_TYPE,SPT_PSTAT)
-	MAIL="/var/mail/username"
-	LIBS="$LIBS -lsec"
-	AC_CHECK_LIB(xnet, t_error, ,
-	    AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
-
-	# next, we define all of the options specific to major releases
-	case "$host" in
-	*-*-hpux10*)
-		if test -z "$GCC"; then
-			CFLAGS="$CFLAGS -Ae"
-		fi
-		;;
-	*-*-hpux11*)
-		AC_DEFINE(PAM_SUN_CODEBASE, 1,
-			[Define if you are using Solaris-derived PAM which
-			passes pam_messages to the conversation function
-			with an extra level of indirection])
-		AC_DEFINE(DISABLE_UTMP, 1,
-			[Define if you don't want to use utmp])
-		AC_DEFINE(USE_BTMP, 1, [Use btmp to log bad logins])
-		check_for_hpux_broken_getaddrinfo=1
-		check_for_conflicting_getspnam=1
-		;;
-	esac
-
-	# lastly, we define options specific to minor releases
-	case "$host" in
-	*-*-hpux10.26)
-		AC_DEFINE(HAVE_SECUREWARE, 1,
-			[Define if you have SecureWare-based
-			protected password database])
-		disable_ptmx_check=yes
-		LIBS="$LIBS -lsecpw"
-		;;
-	esac
-	;;
-*-*-irix5*)
-	PATH="$PATH:/usr/etc"
-	AC_DEFINE(BROKEN_INET_NTOA, 1,
-		[Define if you system's inet_ntoa is busted
-		(e.g. Irix gcc issue)])
-	AC_DEFINE(SETEUID_BREAKS_SETUID)
-	AC_DEFINE(BROKEN_SETREUID)
-	AC_DEFINE(BROKEN_SETREGID)
-	AC_DEFINE(WITH_ABBREV_NO_TTY, 1,
-		[Define if you shouldn't strip 'tty' from your
-		ttyname in [uw]tmp])
-	AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
-	;;
-*-*-irix6*)
-	PATH="$PATH:/usr/etc"
-	AC_DEFINE(WITH_IRIX_ARRAY, 1,
-		[Define if you have/want arrays
-		(cluster-wide session managment, not C arrays)])
-	AC_DEFINE(WITH_IRIX_PROJECT, 1,
-		[Define if you want IRIX project management])
-	AC_DEFINE(WITH_IRIX_AUDIT, 1,
-		[Define if you want IRIX audit trails])
-	AC_CHECK_FUNC(jlimit_startjob, [AC_DEFINE(WITH_IRIX_JOBS, 1,
-		[Define if you want IRIX kernel jobs])])
-	AC_DEFINE(BROKEN_INET_NTOA)
-	AC_DEFINE(SETEUID_BREAKS_SETUID)
-	AC_DEFINE(BROKEN_SETREUID)
-	AC_DEFINE(BROKEN_SETREGID)
-	AC_DEFINE(BROKEN_UPDWTMPX, 1, [updwtmpx is broken (if present)])
-	AC_DEFINE(WITH_ABBREV_NO_TTY)
-	AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
-	;;
-*-*-linux*)
-	no_dev_ptmx=1
-	check_for_libcrypt_later=1
-	check_for_openpty_ctty_bug=1
-	AC_DEFINE(DONT_TRY_OTHER_AF, 1, [Workaround more Linux IPv6 quirks])
-	AC_DEFINE(PAM_TTY_KLUDGE, 1,
-		[Work around problematic Linux PAM modules handling of PAM_TTY])
-	AC_DEFINE(LOCKED_PASSWD_PREFIX, "!",
-		[String used in /etc/passwd to denote locked account])
-	AC_DEFINE(SPT_TYPE,SPT_REUSEARGV)
-	AC_DEFINE(LINK_OPNOTSUPP_ERRNO, EPERM,
-		[Define to whatever link() returns for "not supported"
-		if it doesn't return EOPNOTSUPP.])
-	AC_DEFINE(_PATH_BTMP, "/var/log/btmp", [log for bad login attempts])
-	AC_DEFINE(USE_BTMP)
-	inet6_default_4in6=yes
-	case `uname -r` in
-	1.*|2.0.*)
-		AC_DEFINE(BROKEN_CMSG_TYPE, 1,
-			[Define if cmsg_type is not passed correctly])
-		;;
-	esac
-	# tun(4) forwarding compat code
-	AC_CHECK_HEADERS(linux/if_tun.h)
-	if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then
-		AC_DEFINE(SSH_TUN_LINUX, 1,
-		    [Open tunnel devices the Linux tun/tap way])
-		AC_DEFINE(SSH_TUN_COMPAT_AF, 1,
-		    [Use tunnel device compatibility to OpenBSD])
-		AC_DEFINE(SSH_TUN_PREPEND_AF, 1,
-		    [Prepend the address family to IP tunnel traffic])
-	fi
-	;;
-mips-sony-bsd|mips-sony-newsos4)
-	AC_DEFINE(NEED_SETPGRP, 1, [Need setpgrp to acquire controlling tty])
-	SONY=1
-	;;
-*-*-netbsd*)
-	check_for_libcrypt_before=1
-	if test "x$withval" != "xno" ; then
-		need_dash_r=1
-	fi
-	AC_DEFINE(SSH_TUN_FREEBSD, 1, [Open tunnel devices the FreeBSD way])
-	AC_CHECK_HEADER([net/if_tap.h], ,
-	    AC_DEFINE(SSH_TUN_NO_L2, 1, [No layer 2 tunnel support]))
-	AC_DEFINE(SSH_TUN_PREPEND_AF, 1,
-	    [Prepend the address family to IP tunnel traffic])
-	;;
-*-*-freebsd*)
-	check_for_libcrypt_later=1
-	AC_DEFINE(LOCKED_PASSWD_PREFIX, "*LOCKED*", [Account locked with pw(1)])
-	AC_DEFINE(SSH_TUN_FREEBSD, 1, [Open tunnel devices the FreeBSD way])
-	AC_CHECK_HEADER([net/if_tap.h], ,
-	    AC_DEFINE(SSH_TUN_NO_L2, 1, [No layer 2 tunnel support]))
-	;;
-*-*-bsdi*)
-	AC_DEFINE(SETEUID_BREAKS_SETUID)
-	AC_DEFINE(BROKEN_SETREUID)
-	AC_DEFINE(BROKEN_SETREGID)
-	;;
-*-next-*)
-	conf_lastlog_location="/usr/adm/lastlog"
-	conf_utmp_location=/etc/utmp
-	conf_wtmp_location=/usr/adm/wtmp
-	MAIL=/usr/spool/mail
-	AC_DEFINE(HAVE_NEXT, 1, [Define if you are on NeXT])
-	AC_DEFINE(BROKEN_REALPATH)
-	AC_DEFINE(USE_PIPES)
-	AC_DEFINE(BROKEN_SAVED_UIDS, 1, [Needed for NeXT])
-	;;
-*-*-openbsd*)
-	AC_DEFINE(HAVE_ATTRIBUTE__SENTINEL__, 1, [OpenBSD's gcc has sentinel])
-	AC_DEFINE(HAVE_ATTRIBUTE__BOUNDED__, 1, [OpenBSD's gcc has bounded])
-	AC_DEFINE(SSH_TUN_OPENBSD, 1, [Open tunnel devices the OpenBSD way])
-	AC_DEFINE(SYSLOG_R_SAFE_IN_SIGHAND, 1,
-	    [syslog_r function is safe to use in in a signal handler])
-	;;
-*-*-solaris*)
-	if test "x$withval" != "xno" ; then
-		need_dash_r=1
-	fi
-	AC_DEFINE(PAM_SUN_CODEBASE)
-	AC_DEFINE(LOGIN_NEEDS_UTMPX)
-	AC_DEFINE(LOGIN_NEEDS_TERM, 1,
-		[Some versions of /bin/login need the TERM supplied
-		on the commandline])
-	AC_DEFINE(PAM_TTY_KLUDGE)
-	AC_DEFINE(SSHPAM_CHAUTHTOK_NEEDS_RUID, 1,
-		[Define if pam_chauthtok wants real uid set
-		to the unpriv'ed user])
-	AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
-	# Pushing STREAMS modules will cause sshd to acquire a controlling tty.
-	AC_DEFINE(SSHD_ACQUIRES_CTTY, 1,
-		[Define if sshd somehow reacquires a controlling TTY
-		after setsid()])
-	AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd
-		in case the name is longer than 8 chars])
-	external_path_file=/etc/default/login
-	# hardwire lastlog location (can't detect it on some versions)
-	conf_lastlog_location="/var/adm/lastlog"
-	AC_MSG_CHECKING(for obsolete utmp and wtmp in solaris2.x)
-	sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'`
-	if test "$sol2ver" -ge 8; then
-		AC_MSG_RESULT(yes)
-		AC_DEFINE(DISABLE_UTMP)
-		AC_DEFINE(DISABLE_WTMP, 1,
-			[Define if you don't want to use wtmp])
-	else
-		AC_MSG_RESULT(no)
-	fi
-	AC_ARG_WITH(solaris-contracts,
-		[  --with-solaris-contracts Enable Solaris process contracts (experimental)],
-		[
-		AC_CHECK_LIB(contract, ct_tmpl_activate,
-			[ AC_DEFINE(USE_SOLARIS_PROCESS_CONTRACTS, 1,
-				[Define if you have Solaris process contracts])
-			  SSHDLIBS="$SSHDLIBS -lcontract"
-			  AC_SUBST(SSHDLIBS)
-			  SPC_MSG="yes" ], )
-		],
-	)
-	;;
-*-*-sunos4*)
-	CPPFLAGS="$CPPFLAGS -DSUNOS4"
-	AC_CHECK_FUNCS(getpwanam)
-	AC_DEFINE(PAM_SUN_CODEBASE)
-	conf_utmp_location=/etc/utmp
-	conf_wtmp_location=/var/adm/wtmp
-	conf_lastlog_location=/var/adm/lastlog
-	AC_DEFINE(USE_PIPES)
-	;;
-*-ncr-sysv*)
-	LIBS="$LIBS -lc89"
-	AC_DEFINE(USE_PIPES)
-	AC_DEFINE(SSHD_ACQUIRES_CTTY)
-	AC_DEFINE(SETEUID_BREAKS_SETUID)
-	AC_DEFINE(BROKEN_SETREUID)
-	AC_DEFINE(BROKEN_SETREGID)
-	;;
-*-sni-sysv*)
-	# /usr/ucblib MUST NOT be searched on ReliantUNIX
-	AC_CHECK_LIB(dl, dlsym, ,)
-	# -lresolv needs to be at the end of LIBS or DNS lookups break
-	AC_CHECK_LIB(resolv, res_query, [ LIBS="$LIBS -lresolv" ])
-	IPADDR_IN_DISPLAY=yes
-	AC_DEFINE(USE_PIPES)
-	AC_DEFINE(IP_TOS_IS_BROKEN)
-	AC_DEFINE(SETEUID_BREAKS_SETUID)
-	AC_DEFINE(BROKEN_SETREUID)
-	AC_DEFINE(BROKEN_SETREGID)
-	AC_DEFINE(SSHD_ACQUIRES_CTTY)
-	external_path_file=/etc/default/login
-	# /usr/ucblib/libucb.a no longer needed on ReliantUNIX
-	# Attention: always take care to bind libsocket and libnsl before libc,
-	# otherwise you will find lots of "SIOCGPGRP errno 22" on syslog
-	;;
-# UnixWare 1.x, UnixWare 2.x, and others based on code from Univel.
-*-*-sysv4.2*)
-	AC_DEFINE(USE_PIPES)
-	AC_DEFINE(SETEUID_BREAKS_SETUID)
-	AC_DEFINE(BROKEN_SETREUID)
-	AC_DEFINE(BROKEN_SETREGID)
-	AC_DEFINE(PASSWD_NEEDS_USERNAME, 1, [must supply username to passwd])
-	AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
-	;;
-# UnixWare 7.x, OpenUNIX 8
-*-*-sysv5*)
-	check_for_libcrypt_later=1
-	AC_DEFINE(UNIXWARE_LONG_PASSWORDS, 1, [Support passwords > 8 chars])
-	AC_DEFINE(USE_PIPES)
-	AC_DEFINE(SETEUID_BREAKS_SETUID)
-	AC_DEFINE(BROKEN_SETREUID)
-	AC_DEFINE(BROKEN_SETREGID)
-	AC_DEFINE(PASSWD_NEEDS_USERNAME)
-	case "$host" in
-	*-*-sysv5SCO_SV*)	# SCO OpenServer 6.x
-		TEST_SHELL=/u95/bin/sh
-		AC_DEFINE(BROKEN_LIBIAF, 1,
-			[ia_uinfo routines not supported by OS yet])
-		AC_DEFINE(BROKEN_UPDWTMPX)
-		;;
-	*)	AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
-		;;
-	esac
-	;;
-*-*-sysv*)
-	;;
-# SCO UNIX and OEM versions of SCO UNIX
-*-*-sco3.2v4*)
-	AC_MSG_ERROR("This Platform is no longer supported.")
-	;;
-# SCO OpenServer 5.x
-*-*-sco3.2v5*)
-	if test -z "$GCC"; then
-		CFLAGS="$CFLAGS -belf"
-	fi
-	LIBS="$LIBS -lprot -lx -ltinfo -lm"
-	no_dev_ptmx=1
-	AC_DEFINE(USE_PIPES)
-	AC_DEFINE(HAVE_SECUREWARE)
-	AC_DEFINE(DISABLE_SHADOW)
-	AC_DEFINE(DISABLE_FD_PASSING)
-	AC_DEFINE(SETEUID_BREAKS_SETUID)
-	AC_DEFINE(BROKEN_SETREUID)
-	AC_DEFINE(BROKEN_SETREGID)
-	AC_DEFINE(WITH_ABBREV_NO_TTY)
-	AC_DEFINE(BROKEN_UPDWTMPX)
-	AC_DEFINE(PASSWD_NEEDS_USERNAME)
-	AC_CHECK_FUNCS(getluid setluid)
-	MANTYPE=man
-	TEST_SHELL=ksh
-	;;
-*-*-unicosmk*)
-	AC_DEFINE(NO_SSH_LASTLOG, 1,
-		[Define if you don't want to use lastlog in session.c])
-	AC_DEFINE(SETEUID_BREAKS_SETUID)
-	AC_DEFINE(BROKEN_SETREUID)
-	AC_DEFINE(BROKEN_SETREGID)
-	AC_DEFINE(USE_PIPES)
-	AC_DEFINE(DISABLE_FD_PASSING)
-	LDFLAGS="$LDFLAGS"
-	LIBS="$LIBS -lgen -lrsc -lshare -luex -lacm"
-	MANTYPE=cat
-	;;
-*-*-unicosmp*)
-	AC_DEFINE(SETEUID_BREAKS_SETUID)
-	AC_DEFINE(BROKEN_SETREUID)
-	AC_DEFINE(BROKEN_SETREGID)
-	AC_DEFINE(WITH_ABBREV_NO_TTY)
-	AC_DEFINE(USE_PIPES)
-	AC_DEFINE(DISABLE_FD_PASSING)
-	LDFLAGS="$LDFLAGS"
-	LIBS="$LIBS -lgen -lacid -ldb"
-	MANTYPE=cat
-	;;
-*-*-unicos*)
-	AC_DEFINE(SETEUID_BREAKS_SETUID)
-	AC_DEFINE(BROKEN_SETREUID)
-	AC_DEFINE(BROKEN_SETREGID)
-	AC_DEFINE(USE_PIPES)
-	AC_DEFINE(DISABLE_FD_PASSING)
-	AC_DEFINE(NO_SSH_LASTLOG)
-	LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal"
-	LIBS="$LIBS -lgen -lrsc -lshare -luex -lacm"
-	MANTYPE=cat
-	;;
-*-dec-osf*)
-	AC_MSG_CHECKING(for Digital Unix SIA)
-	no_osfsia=""
-	AC_ARG_WITH(osfsia,
-		[  --with-osfsia           Enable Digital Unix SIA],
-		[
-			if test "x$withval" = "xno" ; then
-				AC_MSG_RESULT(disabled)
-				no_osfsia=1
-			fi
-		],
-	)
-	if test -z "$no_osfsia" ; then
-		if test -f /etc/sia/matrix.conf; then
-			AC_MSG_RESULT(yes)
-			AC_DEFINE(HAVE_OSF_SIA, 1,
-				[Define if you have Digital Unix Security
-				Integration Architecture])
-			AC_DEFINE(DISABLE_LOGIN, 1,
-				[Define if you don't want to use your
-				system's login() call])
-			AC_DEFINE(DISABLE_FD_PASSING)
-			LIBS="$LIBS -lsecurity -ldb -lm -laud"
-			SIA_MSG="yes"
-		else
-			AC_MSG_RESULT(no)
-			AC_DEFINE(LOCKED_PASSWD_SUBSTR, "Nologin",
-			  [String used in /etc/passwd to denote locked account])
-		fi
-	fi
-	AC_DEFINE(BROKEN_GETADDRINFO)
-	AC_DEFINE(SETEUID_BREAKS_SETUID)
-	AC_DEFINE(BROKEN_SETREUID)
-	AC_DEFINE(BROKEN_SETREGID)
-	;;
-
-*-*-nto-qnx*)
-	AC_DEFINE(USE_PIPES)
-	AC_DEFINE(NO_X11_UNIX_SOCKETS)
-	AC_DEFINE(MISSING_NFDBITS, 1, [Define on *nto-qnx systems])
-	AC_DEFINE(MISSING_HOWMANY, 1, [Define on *nto-qnx systems])
-	AC_DEFINE(MISSING_FD_MASK, 1, [Define on *nto-qnx systems])
-	AC_DEFINE(DISABLE_LASTLOG)
-	AC_DEFINE(SSHD_ACQUIRES_CTTY)
-	enable_etc_default_login=no	# has incompatible /etc/default/login
-	;;
-
-*-*-ultrix*)
-	AC_DEFINE(BROKEN_GETGROUPS, 1, [getgroups(0,NULL) will return -1])
-	AC_DEFINE(BROKEN_MMAP, 1, [Ultrix mmap can't map files])
-	AC_DEFINE(NEED_SETPGRP)
-	AC_DEFINE(HAVE_SYS_SYSLOG_H, 1, [Force use of sys/syslog.h on Ultrix])
-	;;
-
-*-*-lynxos)
-        CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
-	AC_DEFINE(MISSING_HOWMANY)
-        AC_DEFINE(BROKEN_SETVBUF, 1, [LynxOS has broken setvbuf() implementation])
-        ;;
-esac
-
-AC_MSG_CHECKING(compiler and flags for sanity)
-AC_RUN_IFELSE(
-	[AC_LANG_SOURCE([
-#include <stdio.h>
-int main(){exit(0);}
-	])],
-	[	AC_MSG_RESULT(yes) ],
-	[
-		AC_MSG_RESULT(no)
-		AC_MSG_ERROR([*** compiler cannot create working executables, check config.log ***])
-	],
-	[	AC_MSG_WARN([cross compiling: not checking compiler sanity]) ]
-)
-
-dnl Checks for header files.
-# Checks for libraries.
-AC_CHECK_FUNC(yp_match, , AC_CHECK_LIB(nsl, yp_match))
-AC_CHECK_FUNC(setsockopt, , AC_CHECK_LIB(socket, setsockopt))
-
-dnl IRIX and Solaris 2.5.1 have dirname() in libgen
-AC_CHECK_FUNCS(dirname, [AC_CHECK_HEADERS(libgen.h)] ,[
-	AC_CHECK_LIB(gen, dirname,[
-		AC_CACHE_CHECK([for broken dirname],
-			ac_cv_have_broken_dirname, [
-			save_LIBS="$LIBS"
-			LIBS="$LIBS -lgen"
-			AC_RUN_IFELSE(
-				[AC_LANG_SOURCE([[
-#include <libgen.h>
-#include <string.h>
-
-int main(int argc, char **argv) {
-    char *s, buf[32];
-
-    strncpy(buf,"/etc", 32);
-    s = dirname(buf);
-    if (!s || strncmp(s, "/", 32) != 0) {
-	exit(1);
-    } else {
-	exit(0);
-    }
-}
-				]])],
-				[ ac_cv_have_broken_dirname="no" ],
-				[ ac_cv_have_broken_dirname="yes" ],
-				[ ac_cv_have_broken_dirname="no" ],
-			)
-			LIBS="$save_LIBS"
-		])
-		if test "x$ac_cv_have_broken_dirname" = "xno" ; then
-			LIBS="$LIBS -lgen"
-			AC_DEFINE(HAVE_DIRNAME)
-			AC_CHECK_HEADERS(libgen.h)
-		fi
-	])
-])
-
-AC_CHECK_FUNC(getspnam, ,
-	AC_CHECK_LIB(gen, getspnam, LIBS="$LIBS -lgen"))
-AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME, 1,
-	[Define if you have the basename function.]))
-
-dnl zlib is required
-AC_ARG_WITH(zlib,
-	[  --with-zlib=PATH        Use zlib in PATH],
-	[ if test "x$withval" = "xno" ; then
-		AC_MSG_ERROR([*** zlib is required ***])
-	  elif test "x$withval" != "xyes"; then
-		if test -d "$withval/lib"; then
-			if test -n "${need_dash_r}"; then
-				LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
-			else
-				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
-			fi
-		else
-			if test -n "${need_dash_r}"; then
-				LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
-			else
-				LDFLAGS="-L${withval} ${LDFLAGS}"
-			fi
-		fi
-		if test -d "$withval/include"; then
-			CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
-		else
-			CPPFLAGS="-I${withval} ${CPPFLAGS}"
-		fi
-	fi ]
-)
-
-AC_CHECK_LIB(z, deflate, ,
-	[
-		saved_CPPFLAGS="$CPPFLAGS"
-		saved_LDFLAGS="$LDFLAGS"
-		save_LIBS="$LIBS"
-		dnl Check default zlib install dir
-		if test -n "${need_dash_r}"; then
-			LDFLAGS="-L/usr/local/lib -R/usr/local/lib ${saved_LDFLAGS}"
-		else
-			LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}"
-		fi
-		CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}"
-		LIBS="$LIBS -lz"
-		AC_TRY_LINK_FUNC(deflate, AC_DEFINE(HAVE_LIBZ),
-			[
-				AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])
-			]
-		)
-	]
-)
-AC_CHECK_HEADER([zlib.h], ,AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***]))
-
-AC_ARG_WITH(zlib-version-check,
-	[  --without-zlib-version-check Disable zlib version check],
-	[  if test "x$withval" = "xno" ; then
-		zlib_check_nonfatal=1
-	   fi
-	]
-)
-
-AC_MSG_CHECKING(for possibly buggy zlib)
-AC_RUN_IFELSE([AC_LANG_SOURCE([[
-#include <stdio.h>
-#include <zlib.h>
-int main()
-{
-	int a=0, b=0, c=0, d=0, n, v;
-	n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
-	if (n != 3 && n != 4)
-		exit(1);
-	v = a*1000000 + b*10000 + c*100 + d;
-	fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
-
-	/* 1.1.4 is OK */
-	if (a == 1 && b == 1 && c >= 4)
-		exit(0);
-
-	/* 1.2.3 and up are OK */
-	if (v >= 1020300)
-		exit(0);
-
-	exit(2);
-}
-	]])],
-	AC_MSG_RESULT(no),
-	[ AC_MSG_RESULT(yes)
-	  if test -z "$zlib_check_nonfatal" ; then
-		AC_MSG_ERROR([*** zlib too old - check config.log ***
-Your reported zlib version has known security problems.  It's possible your
-vendor has fixed these problems without changing the version number.  If you
-are sure this is the case, you can disable the check by running
-"./configure --without-zlib-version-check".
-If you are in doubt, upgrade zlib to version 1.2.3 or greater.
-See http://www.gzip.org/zlib/ for details.])
-	  else
-		AC_MSG_WARN([zlib version may have security problems])
-	  fi
-	],
-	[	AC_MSG_WARN([cross compiling: not checking zlib version]) ]
-)
-
-dnl UnixWare 2.x
-AC_CHECK_FUNC(strcasecmp,
-	[], [ AC_CHECK_LIB(resolv, strcasecmp, LIBS="$LIBS -lresolv") ]
-)
-AC_CHECK_FUNCS(utimes,
-	[], [ AC_CHECK_LIB(c89, utimes, [AC_DEFINE(HAVE_UTIMES)
-					LIBS="$LIBS -lc89"]) ]
-)
-
-dnl    Checks for libutil functions
-AC_CHECK_HEADERS(libutil.h)
-AC_SEARCH_LIBS(login, util bsd, [AC_DEFINE(HAVE_LOGIN, 1,
-	[Define if your libraries define login()])])
-AC_CHECK_FUNCS(logout updwtmp logwtmp)
-
-AC_FUNC_STRFTIME
-
-# Check for ALTDIRFUNC glob() extension
-AC_MSG_CHECKING(for GLOB_ALTDIRFUNC support)
-AC_EGREP_CPP(FOUNDIT,
-	[
-		#include <glob.h>
-		#ifdef GLOB_ALTDIRFUNC
-		FOUNDIT
-		#endif
-	],
-	[
-		AC_DEFINE(GLOB_HAS_ALTDIRFUNC, 1,
-			[Define if your system glob() function has
-			the GLOB_ALTDIRFUNC extension])
-		AC_MSG_RESULT(yes)
-	],
-	[
-		AC_MSG_RESULT(no)
-	]
-)
-
-# Check for g.gl_matchc glob() extension
-AC_MSG_CHECKING(for gl_matchc field in glob_t)
-AC_TRY_COMPILE(
-	[ #include <glob.h> ],
-	[glob_t g; g.gl_matchc = 1;],
-	[
-		AC_DEFINE(GLOB_HAS_GL_MATCHC, 1,
-			[Define if your system glob() function has
-			gl_matchc options in glob_t])
-		AC_MSG_RESULT(yes)
-	],
-	[
-		AC_MSG_RESULT(no)
-	]
-)
-
-AC_CHECK_DECLS(GLOB_NOMATCH, , , [#include <glob.h>])
-
-AC_MSG_CHECKING([whether struct dirent allocates space for d_name])
-AC_RUN_IFELSE(
-	[AC_LANG_SOURCE([[
-#include <sys/types.h>
-#include <dirent.h>
-int main(void){struct dirent d;exit(sizeof(d.d_name)<=sizeof(char));}
-	]])],
-	[AC_MSG_RESULT(yes)],
-	[
-		AC_MSG_RESULT(no)
-		AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME, 1,
-			[Define if your struct dirent expects you to
-			allocate extra space for d_name])
-	],
-	[
-		AC_MSG_WARN([cross compiling: assuming BROKEN_ONE_BYTE_DIRENT_D_NAME])
-		AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME)
-	]
-)
-
-AC_MSG_CHECKING([for /proc/pid/fd directory])
-if test -d "/proc/$$/fd" ; then
-	AC_DEFINE(HAVE_PROC_PID, 1, [Define if you have /proc/$pid/fd])
-	AC_MSG_RESULT(yes)
-else
-	AC_MSG_RESULT(no)
-fi
-
-# Check whether user wants S/Key support
-SKEY_MSG="no"
-AC_ARG_WITH(skey,
-	[  --with-skey[[=PATH]]      Enable S/Key support (optionally in PATH)],
-	[
-		if test "x$withval" != "xno" ; then
-
-			if test "x$withval" != "xyes" ; then
-				CPPFLAGS="$CPPFLAGS -I${withval}/include"
-				LDFLAGS="$LDFLAGS -L${withval}/lib"
-			fi
-
-			AC_DEFINE(SKEY, 1, [Define if you want S/Key support])
-			LIBS="-lskey $LIBS"
-			SKEY_MSG="yes"
-
-			AC_MSG_CHECKING([for s/key support])
-			AC_LINK_IFELSE(
-				[AC_LANG_SOURCE([[
-#include <stdio.h>
-#include <skey.h>
-int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); }
-				]])],
-				[AC_MSG_RESULT(yes)],
-				[
-					AC_MSG_RESULT(no)
-					AC_MSG_ERROR([** Incomplete or missing s/key libraries.])
-				])
-                 	AC_MSG_CHECKING(if skeychallenge takes 4 arguments)
-			AC_TRY_COMPILE(
-				[#include <stdio.h>
-				 #include <skey.h>],
-				[(void)skeychallenge(NULL,"name","",0);],
-				[AC_MSG_RESULT(yes)
-				 AC_DEFINE(SKEYCHALLENGE_4ARG, 1,
-					[Define if your skeychallenge()
-					function takes 4 arguments (NetBSD)])],
-				[AC_MSG_RESULT(no)]
-        		)
-		fi
-	]
-)
-
-# Check whether user wants TCP wrappers support
-TCPW_MSG="no"
-AC_ARG_WITH(tcp-wrappers,
-	[  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
-	[
-		if test "x$withval" != "xno" ; then
-			saved_LIBS="$LIBS"
-			saved_LDFLAGS="$LDFLAGS"
-			saved_CPPFLAGS="$CPPFLAGS"
-			if test -n "${withval}" && \
-			    test "x${withval}" != "xyes"; then
-				if test -d "${withval}/lib"; then
-					if test -n "${need_dash_r}"; then
-						LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
-					else
-						LDFLAGS="-L${withval}/lib ${LDFLAGS}"
-					fi
-				else
-					if test -n "${need_dash_r}"; then
-						LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
-					else
-						LDFLAGS="-L${withval} ${LDFLAGS}"
-					fi
-				fi
-				if test -d "${withval}/include"; then
-					CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
-				else
-					CPPFLAGS="-I${withval} ${CPPFLAGS}"
-				fi
-			fi
-			LIBWRAP="-lwrap"
-			LIBS="$LIBWRAP $LIBS"
-			AC_MSG_CHECKING(for libwrap)
-			AC_TRY_LINK(
-				[
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <tcpd.h>
-					int deny_severity = 0, allow_severity = 0;
-				],
-				[hosts_access(0);],
-				[
-					AC_MSG_RESULT(yes)
-					AC_DEFINE(LIBWRAP, 1,
-						[Define if you want
-						TCP Wrappers support])
-					AC_SUBST(LIBWRAP)
-					TCPW_MSG="yes"
-				],
-				[
-					AC_MSG_ERROR([*** libwrap missing])
-				]
-			)
-			LIBS="$saved_LIBS"
-		fi
-	]
-)
-
-# Check whether user wants libedit support
-LIBEDIT_MSG="no"
-AC_ARG_WITH(libedit,
-	[  --with-libedit[[=PATH]]   Enable libedit support for sftp],
-	[ if test "x$withval" != "xno" ; then
-		if test "x$withval" != "xyes"; then
-			CPPFLAGS="$CPPFLAGS -I${withval}/include"
-			if test -n "${need_dash_r}"; then
-				LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
-			else
-				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
-			fi
-		fi
-		AC_CHECK_LIB(edit, el_init,
-			[ AC_DEFINE(USE_LIBEDIT, 1, [Use libedit for sftp])
-			  LIBEDIT="-ledit -lcurses"
-			  LIBEDIT_MSG="yes"
-			  AC_SUBST(LIBEDIT)
-			],
-			[ AC_MSG_ERROR(libedit not found) ],
-			[ -lcurses ]
-		)
-		AC_MSG_CHECKING(if libedit version is compatible)
-		AC_COMPILE_IFELSE(
-		    [AC_LANG_SOURCE([[
-#include <histedit.h>
-int main(void)
-{
-	int i = H_SETSIZE;
-	el_init("", NULL, NULL, NULL);
-	exit(0);
-}
-		    ]])],
-		    [ AC_MSG_RESULT(yes) ],
-		    [ AC_MSG_RESULT(no)
-		      AC_MSG_ERROR(libedit version is not compatible) ]
-		)
-	fi ]
-)
-
-AUDIT_MODULE=none
-AC_ARG_WITH(audit,
-	[  --with-audit=module     Enable EXPERIMENTAL audit support (modules=debug,bsm)],
-	[
-	  AC_MSG_CHECKING(for supported audit module)
-	  case "$withval" in
-	  bsm)
-		AC_MSG_RESULT(bsm)
-		AUDIT_MODULE=bsm
-		dnl    Checks for headers, libs and functions
-		AC_CHECK_HEADERS(bsm/audit.h, [],
-		    [AC_MSG_ERROR(BSM enabled and bsm/audit.h not found)],
-		    [
-#ifdef HAVE_TIME_H
-# include <time.h>
-#endif
-		    ]
-)
-		AC_CHECK_LIB(bsm, getaudit, [],
-		    [AC_MSG_ERROR(BSM enabled and required library not found)])
-		AC_CHECK_FUNCS(getaudit, [],
-		    [AC_MSG_ERROR(BSM enabled and required function not found)])
-		# These are optional
-		AC_CHECK_FUNCS(getaudit_addr)
-		AC_DEFINE(USE_BSM_AUDIT, 1, [Use BSM audit module])
-		;;
-	  debug)
-		AUDIT_MODULE=debug
-		AC_MSG_RESULT(debug)
-		AC_DEFINE(SSH_AUDIT_EVENTS, 1, Use audit debugging module)
-		;;
-	  no)
-		AC_MSG_RESULT(no)
-		;;
-	  *)
-		AC_MSG_ERROR([Unknown audit module $withval])
-		;;
-	esac ]
-)
-
-dnl    Checks for library functions. Please keep in alphabetical order
-AC_CHECK_FUNCS( \
-	arc4random \
-	asprintf \
-	b64_ntop \
-	__b64_ntop \
-	b64_pton \
-	__b64_pton \
-	bcopy \
-	bindresvport_sa \
-	clock \
-	closefrom \
-	dirfd \
-	fchmod \
-	fchown \
-	freeaddrinfo \
-	futimes \
-	getaddrinfo \
-	getcwd \
-	getgrouplist \
-	getnameinfo \
-	getopt \
-	getpeereid \
-	_getpty \
-	getrlimit \
-	getttyent \
-	glob \
-	inet_aton \
-	inet_ntoa \
-	inet_ntop \
-	innetgr \
-	login_getcapbool \
-	md5_crypt \
-	memmove \
-	mkdtemp \
-	mmap \
-	ngetaddrinfo \
-	nsleep \
-	ogetaddrinfo \
-	openlog_r \
-	openpty \
-	prctl \
-	pstat \
-	readpassphrase \
-	realpath \
-	recvmsg \
-	rresvport_af \
-	sendmsg \
-	setdtablesize \
-	setegid \
-	setenv \
-	seteuid \
-	setgroups \
-	setlogin \
-	setpcred \
-	setproctitle \
-	setregid \
-	setreuid \
-	setrlimit \
-	setsid \
-	setvbuf \
-	sigaction \
-	sigvec \
-	snprintf \
-	socketpair \
-	strdup \
-	strerror \
-	strlcat \
-	strlcpy \
-	strmode \
-	strnvis \
-	strtonum \
-	strtoll \
-	strtoul \
-	sysconf \
-	tcgetpgrp \
-	truncate \
-	unsetenv \
-	updwtmpx \
-	vasprintf \
-	vhangup \
-	vsnprintf \
-	waitpid \
-)
-
-# IRIX has a const char return value for gai_strerror()
-AC_CHECK_FUNCS(gai_strerror,[
-	AC_DEFINE(HAVE_GAI_STRERROR)
-	AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netdb.h>
-
-const char *gai_strerror(int);],[
-char *str;
-
-str = gai_strerror(0);],[
-		AC_DEFINE(HAVE_CONST_GAI_STRERROR_PROTO, 1,
-		[Define if gai_strerror() returns const char *])])])
-
-AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP, 1,
-	[Some systems put nanosleep outside of libc]))
-
-dnl Make sure prototypes are defined for these before using them.
-AC_CHECK_DECL(getrusage, [AC_CHECK_FUNCS(getrusage)])
-AC_CHECK_DECL(strsep,
-	[AC_CHECK_FUNCS(strsep)],
-	[],
-	[
-#ifdef HAVE_STRING_H
-# include <string.h>
-#endif
-	])
-
-dnl tcsendbreak might be a macro
-AC_CHECK_DECL(tcsendbreak,
-	[AC_DEFINE(HAVE_TCSENDBREAK)],
-	[AC_CHECK_FUNCS(tcsendbreak)],
-	[#include <termios.h>]
-)
-
-AC_CHECK_DECLS(h_errno, , ,[#include <netdb.h>])
-
-AC_CHECK_DECLS(SHUT_RD, , ,
-	[
-#include <sys/types.h>
-#include <sys/socket.h>
-	])
-
-AC_CHECK_DECLS(O_NONBLOCK, , ,
-	[
-#include <sys/types.h>
-#ifdef HAVE_SYS_STAT_H
-# include <sys/stat.h>
-#endif
-#ifdef HAVE_FCNTL_H
-# include <fcntl.h>
-#endif
-	])
-
-AC_CHECK_DECLS(writev, , , [
-#include <sys/types.h>
-#include <sys/uio.h>
-#include <unistd.h>
-	])
-
-AC_CHECK_FUNCS(setresuid, [
-	dnl Some platorms have setresuid that isn't implemented, test for this
-	AC_MSG_CHECKING(if setresuid seems to work)
-	AC_RUN_IFELSE(
-		[AC_LANG_SOURCE([[
-#include <stdlib.h>
-#include <errno.h>
-int main(){errno=0; setresuid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);}
-		]])],
-		[AC_MSG_RESULT(yes)],
-		[AC_DEFINE(BROKEN_SETRESUID, 1,
-			[Define if your setresuid() is broken])
-		 AC_MSG_RESULT(not implemented)],
-		[AC_MSG_WARN([cross compiling: not checking setresuid])]
-	)
-])
-
-AC_CHECK_FUNCS(setresgid, [
-	dnl Some platorms have setresgid that isn't implemented, test for this
-	AC_MSG_CHECKING(if setresgid seems to work)
-	AC_RUN_IFELSE(
-		[AC_LANG_SOURCE([[
-#include <stdlib.h>
-#include <errno.h>
-int main(){errno=0; setresgid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);}
-		]])],
-		[AC_MSG_RESULT(yes)],
-		[AC_DEFINE(BROKEN_SETRESGID, 1,
-			[Define if your setresgid() is broken])
-		 AC_MSG_RESULT(not implemented)],
-		[AC_MSG_WARN([cross compiling: not checking setresuid])]
-	)
-])
-
-dnl    Checks for time functions
-AC_CHECK_FUNCS(gettimeofday time)
-dnl    Checks for utmp functions
-AC_CHECK_FUNCS(endutent getutent getutid getutline pututline setutent)
-AC_CHECK_FUNCS(utmpname)
-dnl    Checks for utmpx functions
-AC_CHECK_FUNCS(endutxent getutxent getutxid getutxline pututxline )
-AC_CHECK_FUNCS(setutxent utmpxname)
-
-AC_CHECK_FUNC(daemon,
-	[AC_DEFINE(HAVE_DAEMON, 1, [Define if your libraries define daemon()])],
-	[AC_CHECK_LIB(bsd, daemon,
-		[LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_DAEMON)])]
-)
-
-AC_CHECK_FUNC(getpagesize,
-	[AC_DEFINE(HAVE_GETPAGESIZE, 1,
-		[Define if your libraries define getpagesize()])],
-	[AC_CHECK_LIB(ucb, getpagesize,
-		[LIBS="$LIBS -lucb"; AC_DEFINE(HAVE_GETPAGESIZE)])]
-)
-
-# Check for broken snprintf
-if test "x$ac_cv_func_snprintf" = "xyes" ; then
-	AC_MSG_CHECKING([whether snprintf correctly terminates long strings])
-	AC_RUN_IFELSE(
-		[AC_LANG_SOURCE([[
-#include <stdio.h>
-int main(void){char b[5];snprintf(b,5,"123456789");exit(b[4]!='\0');}
-		]])],
-		[AC_MSG_RESULT(yes)],
-		[
-			AC_MSG_RESULT(no)
-			AC_DEFINE(BROKEN_SNPRINTF, 1,
-				[Define if your snprintf is busted])
-			AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor])
-		],
-		[ AC_MSG_WARN([cross compiling: Assuming working snprintf()]) ]
-	)
-fi
-
-# If we don't have a working asprintf, then we strongly depend on vsnprintf
-# returning the right thing on overflow: the number of characters it tried to
-# create (as per SUSv3)
-if test "x$ac_cv_func_asprintf" != "xyes" && \
-   test "x$ac_cv_func_vsnprintf" = "xyes" ; then
-	AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow])
-	AC_RUN_IFELSE(
-		[AC_LANG_SOURCE([[
-#include <sys/types.h>
-#include <stdio.h>
-#include <stdarg.h>
-
-int x_snprintf(char *str,size_t count,const char *fmt,...)
-{
-	size_t ret; va_list ap;
-	va_start(ap, fmt); ret = vsnprintf(str, count, fmt, ap); va_end(ap);
-	return ret;
-}
-int main(void)
-{
-	char x[1];
-	exit(x_snprintf(x, 1, "%s %d", "hello", 12345) == 11 ? 0 : 1);
-} ]])],
-		[AC_MSG_RESULT(yes)],
-		[
-			AC_MSG_RESULT(no)
-			AC_DEFINE(BROKEN_SNPRINTF, 1,
-				[Define if your snprintf is busted])
-			AC_MSG_WARN([****** Your vsnprintf() function is broken, complain to your vendor])
-		],
-		[ AC_MSG_WARN([cross compiling: Assuming working vsnprintf()]) ]
-	)
-fi
-
-# On systems where [v]snprintf is broken, but is declared in stdio,
-# check that the fmt argument is const char * or just char *.
-# This is only useful for when BROKEN_SNPRINTF
-AC_MSG_CHECKING([whether snprintf can declare const char *fmt])
-AC_COMPILE_IFELSE([AC_LANG_SOURCE([[#include <stdio.h>
-	   int snprintf(char *a, size_t b, const char *c, ...) { return 0; }
-	   int main(void) { snprintf(0, 0, 0); } 
-    ]])],
-   [AC_MSG_RESULT(yes)
-    AC_DEFINE(SNPRINTF_CONST, [const],
-              [Define as const if snprintf() can declare const char *fmt])],
-   [AC_MSG_RESULT(no)
-    AC_DEFINE(SNPRINTF_CONST, [/* not const */])])
-
-# Check for missing getpeereid (or equiv) support
-NO_PEERCHECK=""
-if test "x$ac_cv_func_getpeereid" != "xyes" ; then
-	AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
-	AC_TRY_COMPILE(
-		[#include <sys/types.h>
-		 #include <sys/socket.h>],
-		[int i = SO_PEERCRED;],
-		[ AC_MSG_RESULT(yes)
-		  AC_DEFINE(HAVE_SO_PEERCRED, 1, [Have PEERCRED socket option])
-		],
-		[AC_MSG_RESULT(no)
-		NO_PEERCHECK=1]
-        )
-fi
-
-dnl see whether mkstemp() requires XXXXXX
-if test "x$ac_cv_func_mkdtemp" = "xyes" ; then
-AC_MSG_CHECKING([for (overly) strict mkstemp])
-AC_RUN_IFELSE(
-	[AC_LANG_SOURCE([[
-#include <stdlib.h>
-main() { char template[]="conftest.mkstemp-test";
-if (mkstemp(template) == -1)
-	exit(1);
-unlink(template); exit(0);
-}
-	]])],
-	[
-		AC_MSG_RESULT(no)
-	],
-	[
-		AC_MSG_RESULT(yes)
-		AC_DEFINE(HAVE_STRICT_MKSTEMP, 1, [Silly mkstemp()])
-	],
-	[
-		AC_MSG_RESULT(yes)
-		AC_DEFINE(HAVE_STRICT_MKSTEMP)
-	]
-)
-fi
-
-dnl make sure that openpty does not reacquire controlling terminal
-if test ! -z "$check_for_openpty_ctty_bug"; then
-	AC_MSG_CHECKING(if openpty correctly handles controlling tty)
-	AC_RUN_IFELSE(
-		[AC_LANG_SOURCE([[
-#include <stdio.h>
-#include <sys/fcntl.h>
-#include <sys/types.h>
-#include <sys/wait.h>
-
-int
-main()
-{
-	pid_t pid;
-	int fd, ptyfd, ttyfd, status;
-
-	pid = fork();
-	if (pid < 0) {		/* failed */
-		exit(1);
-	} else if (pid > 0) {	/* parent */
-		waitpid(pid, &status, 0);
-		if (WIFEXITED(status))
-			exit(WEXITSTATUS(status));
-		else
-			exit(2);
-	} else {		/* child */
-		close(0); close(1); close(2);
-		setsid();
-		openpty(&ptyfd, &ttyfd, NULL, NULL, NULL);
-		fd = open("/dev/tty", O_RDWR | O_NOCTTY);
-		if (fd >= 0)
-			exit(3);	/* Acquired ctty: broken */
-		else
-			exit(0);	/* Did not acquire ctty: OK */
-	}
-}
-		]])],
-		[
-			AC_MSG_RESULT(yes)
-		],
-		[
-			AC_MSG_RESULT(no)
-			AC_DEFINE(SSHD_ACQUIRES_CTTY)
-		],
-		[
-			AC_MSG_RESULT(cross-compiling, assuming yes)
-		]
-	)
-fi
-
-if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
-    test "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
-	AC_MSG_CHECKING(if getaddrinfo seems to work)
-	AC_RUN_IFELSE(
-		[AC_LANG_SOURCE([[
-#include <stdio.h>
-#include <sys/socket.h>
-#include <netdb.h>
-#include <errno.h>
-#include <netinet/in.h>
-
-#define TEST_PORT "2222"
-
-int
-main(void)
-{
-	int err, sock;
-	struct addrinfo *gai_ai, *ai, hints;
-	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
-
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_family = PF_UNSPEC;
-	hints.ai_socktype = SOCK_STREAM;
-	hints.ai_flags = AI_PASSIVE;
-
-	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
-	if (err != 0) {
-		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
-		exit(1);
-	}
-
-	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
-		if (ai->ai_family != AF_INET6)
-			continue;
-
-		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
-		    sizeof(ntop), strport, sizeof(strport),
-		    NI_NUMERICHOST|NI_NUMERICSERV);
-
-		if (err != 0) {
-			if (err == EAI_SYSTEM)
-				perror("getnameinfo EAI_SYSTEM");
-			else
-				fprintf(stderr, "getnameinfo failed: %s\n",
-				    gai_strerror(err));
-			exit(2);
-		}
-
-		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
-		if (sock < 0)
-			perror("socket");
-		if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
-			if (errno == EBADF)
-				exit(3);
-		}
-	}
-	exit(0);
-}
-		]])],
-		[
-			AC_MSG_RESULT(yes)
-		],
-		[
-			AC_MSG_RESULT(no)
-			AC_DEFINE(BROKEN_GETADDRINFO)
-		],
-		[
-			AC_MSG_RESULT(cross-compiling, assuming yes)
-		]
-	)
-fi
-
-if test "x$ac_cv_func_getaddrinfo" = "xyes" && \
-    test "x$check_for_aix_broken_getaddrinfo" = "x1"; then
-	AC_MSG_CHECKING(if getaddrinfo seems to work)
-	AC_RUN_IFELSE(
-		[AC_LANG_SOURCE([[
-#include <stdio.h>
-#include <sys/socket.h>
-#include <netdb.h>
-#include <errno.h>
-#include <netinet/in.h>
-
-#define TEST_PORT "2222"
-
-int
-main(void)
-{
-	int err, sock;
-	struct addrinfo *gai_ai, *ai, hints;
-	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
-
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_family = PF_UNSPEC;
-	hints.ai_socktype = SOCK_STREAM;
-	hints.ai_flags = AI_PASSIVE;
-
-	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
-	if (err != 0) {
-		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
-		exit(1);
-	}
-
-	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
-		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-			continue;
-
-		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
-		    sizeof(ntop), strport, sizeof(strport),
-		    NI_NUMERICHOST|NI_NUMERICSERV);
-
-		if (ai->ai_family == AF_INET && err != 0) {
-			perror("getnameinfo");
-			exit(2);
-		}
-	}
-	exit(0);
-}
-		]])],
-		[
-			AC_MSG_RESULT(yes)
-			AC_DEFINE(AIX_GETNAMEINFO_HACK, 1,
-				[Define if you have a getaddrinfo that fails
-				for the all-zeros IPv6 address])
-		],
-		[
-			AC_MSG_RESULT(no)
-			AC_DEFINE(BROKEN_GETADDRINFO)
-		],
-		[
-			AC_MSG_RESULT(cross-compiling, assuming no)
-		]
-	)
-fi
-
-if test "x$check_for_conflicting_getspnam" = "x1"; then
-	AC_MSG_CHECKING(for conflicting getspnam in shadow.h)
-	AC_COMPILE_IFELSE(
-		[
-#include <shadow.h>
-int main(void) {exit(0);}
-		],
-		[
-			AC_MSG_RESULT(no)
-		],
-		[
-			AC_MSG_RESULT(yes)
-			AC_DEFINE(GETSPNAM_CONFLICTING_DEFS, 1,
-			    [Conflicting defs for getspnam])
-		]
-	)
-fi
-
-AC_FUNC_GETPGRP
-
-# Search for OpenSSL
-saved_CPPFLAGS="$CPPFLAGS"
-saved_LDFLAGS="$LDFLAGS"
-AC_ARG_WITH(ssl-dir,
-	[  --with-ssl-dir=PATH     Specify path to OpenSSL installation ],
-	[
-		if test "x$withval" != "xno" ; then
-			case "$withval" in
-				# Relative paths
-				./*|../*)	withval="`pwd`/$withval"
-			esac
-			if test -d "$withval/lib"; then
-				if test -n "${need_dash_r}"; then
-					LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
-				else
-					LDFLAGS="-L${withval}/lib ${LDFLAGS}"
-				fi
-			else
-				if test -n "${need_dash_r}"; then
-					LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
-				else
-					LDFLAGS="-L${withval} ${LDFLAGS}"
-				fi
-			fi
-			if test -d "$withval/include"; then
-				CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
-			else
-				CPPFLAGS="-I${withval} ${CPPFLAGS}"
-			fi
-		fi
-	]
-)
-LIBS="-lcrypto $LIBS"
-AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL, 1,
-	[Define if your ssl headers are included
-	with #include <openssl/header.h>]),
-	[
-		dnl Check default openssl install dir
-		if test -n "${need_dash_r}"; then
-			LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${saved_LDFLAGS}"
-		else
-			LDFLAGS="-L/usr/local/ssl/lib ${saved_LDFLAGS}"
-		fi
-		CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}"
-		AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL),
-			[
-				AC_MSG_ERROR([*** Can't find recent OpenSSL libcrypto (see config.log for details) ***])
-			]
-		)
-	]
-)
-
-# Determine OpenSSL header version
-AC_MSG_CHECKING([OpenSSL header version])
-AC_RUN_IFELSE(
-	[AC_LANG_SOURCE([[
-#include <stdio.h>
-#include <string.h>
-#include <openssl/opensslv.h>
-#define DATA "conftest.sslincver"
-int main(void) {
-	FILE *fd;
-	int rc;
-
-	fd = fopen(DATA,"w");
-	if(fd == NULL)
-		exit(1);
-
-	if ((rc = fprintf(fd ,"%x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
-		exit(1);
-
-	exit(0);
-}
-	]])],
-	[
-		ssl_header_ver=`cat conftest.sslincver`
-		AC_MSG_RESULT($ssl_header_ver)
-	],
-	[
-		AC_MSG_RESULT(not found)
-		AC_MSG_ERROR(OpenSSL version header not found.)
-	],
-	[
-		AC_MSG_WARN([cross compiling: not checking])
-	]
-)
-
-# Determine OpenSSL library version
-AC_MSG_CHECKING([OpenSSL library version])
-AC_RUN_IFELSE(
-	[AC_LANG_SOURCE([[
-#include <stdio.h>
-#include <string.h>
-#include <openssl/opensslv.h>
-#include <openssl/crypto.h>
-#define DATA "conftest.ssllibver"
-int main(void) {
-	FILE *fd;
-	int rc;
-
-	fd = fopen(DATA,"w");
-	if(fd == NULL)
-		exit(1);
-
-	if ((rc = fprintf(fd ,"%x (%s)\n", SSLeay(), SSLeay_version(SSLEAY_VERSION))) <0)
-		exit(1);
-
-	exit(0);
-}
-	]])],
-	[
-		ssl_library_ver=`cat conftest.ssllibver`
-		AC_MSG_RESULT($ssl_library_ver)
-	],
-	[
-		AC_MSG_RESULT(not found)
-		AC_MSG_ERROR(OpenSSL library not found.)
-	],
-	[
-		AC_MSG_WARN([cross compiling: not checking])
-	]
-)
-
-# Sanity check OpenSSL headers
-AC_MSG_CHECKING([whether OpenSSL's headers match the library])
-AC_RUN_IFELSE(
-	[AC_LANG_SOURCE([[
-#include <string.h>
-#include <openssl/opensslv.h>
-int main(void) { exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); }
-	]])],
-	[
-		AC_MSG_RESULT(yes)
-	],
-	[
-		AC_MSG_RESULT(no)
-		AC_MSG_ERROR([Your OpenSSL headers do not match your library.
-Check config.log for details.
-Also see contrib/findssl.sh for help identifying header/library mismatches.])
-	],
-	[
-		AC_MSG_WARN([cross compiling: not checking])
-	]
-)
-
-AC_MSG_CHECKING([if programs using OpenSSL functions will link])
-AC_LINK_IFELSE(
-	[AC_LANG_SOURCE([[
-#include <openssl/evp.h>
-int main(void) { SSLeay_add_all_algorithms(); }
-	]])],
-	[
-		AC_MSG_RESULT(yes)
-	],
-	[
-		AC_MSG_RESULT(no)
-		saved_LIBS="$LIBS"
-		LIBS="$LIBS -ldl"
-		AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
-		AC_LINK_IFELSE(
-			[AC_LANG_SOURCE([[
-#include <openssl/evp.h>
-int main(void) { SSLeay_add_all_algorithms(); }
-			]])],
-			[
-				AC_MSG_RESULT(yes)
-			],
-			[
-				AC_MSG_RESULT(no)
-				LIBS="$saved_LIBS"
-			]
-		)
-	]
-)
-
-AC_ARG_WITH(ssl-engine,
-	[  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support ],
-	[ if test "x$withval" != "xno" ; then
-		AC_MSG_CHECKING(for OpenSSL ENGINE support)
-		AC_TRY_COMPILE(
-			[ #include <openssl/engine.h>],
-			[
-ENGINE_load_builtin_engines();ENGINE_register_all_complete();
-			],
-			[ AC_MSG_RESULT(yes)
-			  AC_DEFINE(USE_OPENSSL_ENGINE, 1,
-			     [Enable OpenSSL engine support])
-			],
-			[ AC_MSG_ERROR(OpenSSL ENGINE support not found)]
-		)
-	  fi ]
-)
-
-# Check for OpenSSL without EVP_aes_{192,256}_cbc
-AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
-AC_LINK_IFELSE(
-	[AC_LANG_SOURCE([[
-#include <string.h>
-#include <openssl/evp.h>
-int main(void) { exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);}
-	]])],
-	[
-		AC_MSG_RESULT(no)
-	],
-	[
-		AC_MSG_RESULT(yes)
-		AC_DEFINE(OPENSSL_LOBOTOMISED_AES, 1,
-		    [libcrypto is missing AES 192 and 256 bit functions])
-	]
-)
-
-# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
-# because the system crypt() is more featureful.
-if test "x$check_for_libcrypt_before" = "x1"; then
-	AC_CHECK_LIB(crypt, crypt)
-fi
-
-# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the
-# version in OpenSSL.
-if test "x$check_for_libcrypt_later" = "x1"; then
-	AC_CHECK_LIB(crypt, crypt, LIBS="$LIBS -lcrypt")
-fi
-
-# Search for SHA256 support in libc and/or OpenSSL
-AC_CHECK_FUNCS(SHA256_Update EVP_sha256)
-
-AC_CHECK_LIB(iaf, ia_openinfo)
-
-### Configure cryptographic random number support
-
-# Check wheter OpenSSL seeds itself
-AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
-AC_RUN_IFELSE(
-	[AC_LANG_SOURCE([[
-#include <string.h>
-#include <openssl/rand.h>
-int main(void) { exit(RAND_status() == 1 ? 0 : 1); }
-	]])],
-	[
-		OPENSSL_SEEDS_ITSELF=yes
-		AC_MSG_RESULT(yes)
-	],
-	[
-		AC_MSG_RESULT(no)
-		# Default to use of the rand helper if OpenSSL doesn't
-		# seed itself
-		USE_RAND_HELPER=yes
-	],
-	[
-		AC_MSG_WARN([cross compiling: assuming yes])
-		# This is safe, since all recent OpenSSL versions will
-		# complain at runtime if not seeded correctly.
-		OPENSSL_SEEDS_ITSELF=yes
-	]
-)
-
-# Check for PAM libs
-PAM_MSG="no"
-AC_ARG_WITH(pam,
-	[  --with-pam              Enable PAM support ],
-	[
-		if test "x$withval" != "xno" ; then
-			if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
-			   test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
-				AC_MSG_ERROR([PAM headers not found])
-			fi
-
-			saved_LIBS="$LIBS"
-			AC_CHECK_LIB(dl, dlopen, , )
-			AC_CHECK_LIB(pam, pam_set_item, , AC_MSG_ERROR([*** libpam missing]))
-			AC_CHECK_FUNCS(pam_getenvlist)
-			AC_CHECK_FUNCS(pam_putenv)
-			LIBS="$saved_LIBS"
-
-			PAM_MSG="yes"
-
-			LIBPAM="-lpam"
-			AC_DEFINE(USE_PAM, 1,
-				[Define if you want to enable PAM support])
-
-			if test $ac_cv_lib_dl_dlopen = yes; then
-				case "$LIBS" in
-				*-ldl*)
-					# libdl already in LIBS
-					;;
-				*)
-					LIBPAM="$LIBPAM -ldl"
-					;;
-				esac
-			fi
-			AC_SUBST(LIBPAM)
-		fi
-	]
-)
-
-# Check for older PAM
-if test "x$PAM_MSG" = "xyes" ; then
-	# Check PAM strerror arguments (old PAM)
-	AC_MSG_CHECKING([whether pam_strerror takes only one argument])
-	AC_TRY_COMPILE(
-		[
-#include <stdlib.h>
-#if defined(HAVE_SECURITY_PAM_APPL_H)
-#include <security/pam_appl.h>
-#elif defined (HAVE_PAM_PAM_APPL_H)
-#include <pam/pam_appl.h>
-#endif
-		],
-		[(void)pam_strerror((pam_handle_t *)NULL, -1);],
-		[AC_MSG_RESULT(no)],
-		[
-			AC_DEFINE(HAVE_OLD_PAM, 1,
-				[Define if you have an old version of PAM
-				which takes only one argument to pam_strerror])
-			AC_MSG_RESULT(yes)
-			PAM_MSG="yes (old library)"
-		]
-	)
-fi
-
-# Do we want to force the use of the rand helper?
-AC_ARG_WITH(rand-helper,
-	[  --with-rand-helper      Use subprocess to gather strong randomness ],
-	[
-		if test "x$withval" = "xno" ; then
-			# Force use of OpenSSL's internal RNG, even if
-			# the previous test showed it to be unseeded.
-			if test -z "$OPENSSL_SEEDS_ITSELF" ; then
-				AC_MSG_WARN([*** Forcing use of OpenSSL's non-self-seeding PRNG])
-				OPENSSL_SEEDS_ITSELF=yes
-				USE_RAND_HELPER=""
-			fi
-		else
-			USE_RAND_HELPER=yes
-		fi
-	],
-)
-
-# Which randomness source do we use?
-if test ! -z "$OPENSSL_SEEDS_ITSELF" && test -z "$USE_RAND_HELPER" ; then
-	# OpenSSL only
-	AC_DEFINE(OPENSSL_PRNG_ONLY, 1,
-		[Define if you want OpenSSL's internally seeded PRNG only])
-	RAND_MSG="OpenSSL internal ONLY"
-	INSTALL_SSH_RAND_HELPER=""
-elif test ! -z "$USE_RAND_HELPER" ; then
-	# install rand helper
-	RAND_MSG="ssh-rand-helper"
-	INSTALL_SSH_RAND_HELPER="yes"
-fi
-AC_SUBST(INSTALL_SSH_RAND_HELPER)
-
-### Configuration of ssh-rand-helper
-
-# PRNGD TCP socket
-AC_ARG_WITH(prngd-port,
-	[  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT],
-	[
-		case "$withval" in
-		no)
-			withval=""
-			;;
-		[[0-9]]*)
-			;;
-		*)
-			AC_MSG_ERROR(You must specify a numeric port number for --with-prngd-port)
-			;;
-		esac
-		if test ! -z "$withval" ; then
-			PRNGD_PORT="$withval"
-			AC_DEFINE_UNQUOTED(PRNGD_PORT, $PRNGD_PORT,
-				[Port number of PRNGD/EGD random number socket])
-		fi
-	]
-)
-
-# PRNGD Unix domain socket
-AC_ARG_WITH(prngd-socket,
-	[  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)],
-	[
-		case "$withval" in
-		yes)
-			withval="/var/run/egd-pool"
-			;;
-		no)
-			withval=""
-			;;
-		/*)
-			;;
-		*)
-			AC_MSG_ERROR(You must specify an absolute path to the entropy socket)
-			;;
-		esac
-
-		if test ! -z "$withval" ; then
-			if test ! -z "$PRNGD_PORT" ; then
-				AC_MSG_ERROR(You may not specify both a PRNGD/EGD port and socket)
-			fi
-			if test ! -r "$withval" ; then
-				AC_MSG_WARN(Entropy socket is not readable)
-			fi
-			PRNGD_SOCKET="$withval"
-			AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET",
-				[Location of PRNGD/EGD random number socket])
-		fi
-	],
-	[
-		# Check for existing socket only if we don't have a random device already
-		if test "$USE_RAND_HELPER" = yes ; then
-			AC_MSG_CHECKING(for PRNGD/EGD socket)
-			# Insert other locations here
-			for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
-				if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then
-					PRNGD_SOCKET="$sock"
-					AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET")
-					break;
-				fi
-			done
-			if test ! -z "$PRNGD_SOCKET" ; then
-				AC_MSG_RESULT($PRNGD_SOCKET)
-			else
-				AC_MSG_RESULT(not found)
-			fi
-		fi
-	]
-)
-
-# Change default command timeout for hashing entropy source
-entropy_timeout=200
-AC_ARG_WITH(entropy-timeout,
-	[  --with-entropy-timeout  Specify entropy gathering command timeout (msec)],
-	[
-		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
-		    test "x${withval}" != "xyes"; then
-			entropy_timeout=$withval
-		fi
-	]
-)
-AC_DEFINE_UNQUOTED(ENTROPY_TIMEOUT_MSEC, $entropy_timeout,
-	[Builtin PRNG command timeout])
-
-SSH_PRIVSEP_USER=sshd
-AC_ARG_WITH(privsep-user,
-	[  --with-privsep-user=user Specify non-privileged user for privilege separation],
-	[
-		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
-		    test "x${withval}" != "xyes"; then
-			SSH_PRIVSEP_USER=$withval
-		fi
-	]
-)
-AC_DEFINE_UNQUOTED(SSH_PRIVSEP_USER, "$SSH_PRIVSEP_USER",
-	[non-privileged user for privilege separation])
-AC_SUBST(SSH_PRIVSEP_USER)
-
-# We do this little dance with the search path to insure
-# that programs that we select for use by installed programs
-# (which may be run by the super-user) come from trusted
-# locations before they come from the user's private area.
-# This should help avoid accidentally configuring some
-# random version of a program in someone's personal bin.
-
-OPATH=$PATH
-PATH=/bin:/usr/bin
-test -h /bin 2> /dev/null && PATH=/usr/bin
-test -d /sbin && PATH=$PATH:/sbin
-test -d /usr/sbin && PATH=$PATH:/usr/sbin
-PATH=$PATH:/etc:$OPATH
-
-# These programs are used by the command hashing source to gather entropy
-OSSH_PATH_ENTROPY_PROG(PROG_LS, ls)
-OSSH_PATH_ENTROPY_PROG(PROG_NETSTAT, netstat)
-OSSH_PATH_ENTROPY_PROG(PROG_ARP, arp)
-OSSH_PATH_ENTROPY_PROG(PROG_IFCONFIG, ifconfig)
-OSSH_PATH_ENTROPY_PROG(PROG_JSTAT, jstat)
-OSSH_PATH_ENTROPY_PROG(PROG_PS, ps)
-OSSH_PATH_ENTROPY_PROG(PROG_SAR, sar)
-OSSH_PATH_ENTROPY_PROG(PROG_W, w)
-OSSH_PATH_ENTROPY_PROG(PROG_WHO, who)
-OSSH_PATH_ENTROPY_PROG(PROG_LAST, last)
-OSSH_PATH_ENTROPY_PROG(PROG_LASTLOG, lastlog)
-OSSH_PATH_ENTROPY_PROG(PROG_DF, df)
-OSSH_PATH_ENTROPY_PROG(PROG_VMSTAT, vmstat)
-OSSH_PATH_ENTROPY_PROG(PROG_UPTIME, uptime)
-OSSH_PATH_ENTROPY_PROG(PROG_IPCS, ipcs)
-OSSH_PATH_ENTROPY_PROG(PROG_TAIL, tail)
-# restore PATH
-PATH=$OPATH
-
-# Where does ssh-rand-helper get its randomness from?
-INSTALL_SSH_PRNG_CMDS=""
-if test ! -z "$INSTALL_SSH_RAND_HELPER" ; then
-	if test ! -z "$PRNGD_PORT" ; then
-		RAND_HELPER_MSG="TCP localhost:$PRNGD_PORT"
-	elif test ! -z "$PRNGD_SOCKET" ; then
-		RAND_HELPER_MSG="Unix domain socket \"$PRNGD_SOCKET\""
-	else
-		RAND_HELPER_MSG="Command hashing (timeout $entropy_timeout)"
-		RAND_HELPER_CMDHASH=yes
-		INSTALL_SSH_PRNG_CMDS="yes"
-	fi
-fi
-AC_SUBST(INSTALL_SSH_PRNG_CMDS)
-
-
-# Cheap hack to ensure NEWS-OS libraries are arranged right.
-if test ! -z "$SONY" ; then
-  LIBS="$LIBS -liberty";
-fi
-
-# Check for  long long datatypes
-AC_CHECK_TYPES([long long, unsigned long long, long double])
-
-# Check datatype sizes
-AC_CHECK_SIZEOF(char, 1)
-AC_CHECK_SIZEOF(short int, 2)
-AC_CHECK_SIZEOF(int, 4)
-AC_CHECK_SIZEOF(long int, 4)
-AC_CHECK_SIZEOF(long long int, 8)
-
-# Sanity check long long for some platforms (AIX)
-if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then
-	ac_cv_sizeof_long_long_int=0
-fi
-
-# compute LLONG_MIN and LLONG_MAX if we don't know them.
-if test -z "$have_llong_max"; then
-	AC_MSG_CHECKING([for max value of long long])
-	AC_RUN_IFELSE(
-		[AC_LANG_SOURCE([[
-#include <stdio.h>
-/* Why is this so damn hard? */
-#ifdef __GNUC__
-# undef __GNUC__
-#endif
-#define __USE_ISOC99
-#include <limits.h>
-#define DATA "conftest.llminmax"
-#define my_abs(a) ((a) < 0 ? ((a) * -1) : (a))
-
-/*
- * printf in libc on some platforms (eg old Tru64) does not understand %lld so
- * we do this the hard way.
- */
-static int
-fprint_ll(FILE *f, long long n)
-{
-	unsigned int i;
-	int l[sizeof(long long) * 8];
-
-	if (n < 0)
-		if (fprintf(f, "-") < 0)
-			return -1;
-	for (i = 0; n != 0; i++) {
-		l[i] = my_abs(n % 10);
-		n /= 10;
-	}
-	do {
-		if (fprintf(f, "%d", l[--i]) < 0)
-			return -1;
-	} while (i != 0);
-	if (fprintf(f, " ") < 0)
-		return -1;
-	return 0;
-}
-
-int main(void) {
-	FILE *f;
-	long long i, llmin, llmax = 0;
-
-	if((f = fopen(DATA,"w")) == NULL)
-		exit(1);
-
-#if defined(LLONG_MIN) && defined(LLONG_MAX)
-	fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
-	llmin = LLONG_MIN;
-	llmax = LLONG_MAX;
-#else
-	fprintf(stderr, "Calculating  LLONG_MIN and LLONG_MAX\n");
-	/* This will work on one's complement and two's complement */
-	for (i = 1; i > llmax; i <<= 1, i++)
-		llmax = i;
-	llmin = llmax + 1LL;	/* wrap */
-#endif
-
-	/* Sanity check */
-	if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
-	    || llmax - 1 > llmax || llmin == llmax || llmin == 0
-	    || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) {
-		fprintf(f, "unknown unknown\n");
-		exit(2);
-	}
-
-	if (fprint_ll(f, llmin) < 0)
-		exit(3);
-	if (fprint_ll(f, llmax) < 0)
-		exit(4);
-	if (fclose(f) < 0)
-		exit(5);
-	exit(0);
-}
-		]])],
-		[
-			llong_min=`$AWK '{print $1}' conftest.llminmax`
-			llong_max=`$AWK '{print $2}' conftest.llminmax`
-
-			AC_MSG_RESULT($llong_max)
-			AC_DEFINE_UNQUOTED(LLONG_MAX, [${llong_max}LL],
-			    [max value of long long calculated by configure])
-			AC_MSG_CHECKING([for min value of long long])
-			AC_MSG_RESULT($llong_min)
-			AC_DEFINE_UNQUOTED(LLONG_MIN, [${llong_min}LL],
-			    [min value of long long calculated by configure])
-		],
-		[
-			AC_MSG_RESULT(not found)
-		],
-		[
-			AC_MSG_WARN([cross compiling: not checking])
-		]
-	)
-fi
-
-
-# More checks for data types
-AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [
-	AC_TRY_COMPILE(
-		[ #include <sys/types.h> ],
-		[ u_int a; a = 1;],
-		[ ac_cv_have_u_int="yes" ],
-		[ ac_cv_have_u_int="no" ]
-	)
-])
-if test "x$ac_cv_have_u_int" = "xyes" ; then
-	AC_DEFINE(HAVE_U_INT, 1, [define if you have u_int data type])
-	have_u_int=1
-fi
-
-AC_CACHE_CHECK([for intXX_t types], ac_cv_have_intxx_t, [
-	AC_TRY_COMPILE(
-		[ #include <sys/types.h> ],
-		[ int8_t a; int16_t b; int32_t c; a = b = c = 1;],
-		[ ac_cv_have_intxx_t="yes" ],
-		[ ac_cv_have_intxx_t="no" ]
-	)
-])
-if test "x$ac_cv_have_intxx_t" = "xyes" ; then
-	AC_DEFINE(HAVE_INTXX_T, 1, [define if you have intxx_t data type])
-	have_intxx_t=1
-fi
-
-if (test -z "$have_intxx_t" && \
-	   test "x$ac_cv_header_stdint_h" = "xyes")
-then
-    AC_MSG_CHECKING([for intXX_t types in stdint.h])
-	AC_TRY_COMPILE(
-		[ #include <stdint.h> ],
-		[ int8_t a; int16_t b; int32_t c; a = b = c = 1;],
-		[
-			AC_DEFINE(HAVE_INTXX_T)
-			AC_MSG_RESULT(yes)
-		],
-		[ AC_MSG_RESULT(no) ]
-	)
-fi
-
-AC_CACHE_CHECK([for int64_t type], ac_cv_have_int64_t, [
-	AC_TRY_COMPILE(
-		[
-#include <sys/types.h>
-#ifdef HAVE_STDINT_H
-# include <stdint.h>
-#endif
-#include <sys/socket.h>
-#ifdef HAVE_SYS_BITYPES_H
-# include <sys/bitypes.h>
-#endif
-		],
-		[ int64_t a; a = 1;],
-		[ ac_cv_have_int64_t="yes" ],
-		[ ac_cv_have_int64_t="no" ]
-	)
-])
-if test "x$ac_cv_have_int64_t" = "xyes" ; then
-	AC_DEFINE(HAVE_INT64_T, 1, [define if you have int64_t data type])
-fi
-
-AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [
-	AC_TRY_COMPILE(
-		[ #include <sys/types.h> ],
-		[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;],
-		[ ac_cv_have_u_intxx_t="yes" ],
-		[ ac_cv_have_u_intxx_t="no" ]
-	)
-])
-if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then
-	AC_DEFINE(HAVE_U_INTXX_T, 1, [define if you have u_intxx_t data type])
-	have_u_intxx_t=1
-fi
-
-if test -z "$have_u_intxx_t" ; then
-    AC_MSG_CHECKING([for u_intXX_t types in sys/socket.h])
-	AC_TRY_COMPILE(
-		[ #include <sys/socket.h> ],
-		[ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;],
-		[
-			AC_DEFINE(HAVE_U_INTXX_T)
-			AC_MSG_RESULT(yes)
-		],
-		[ AC_MSG_RESULT(no) ]
-	)
-fi
-
-AC_CACHE_CHECK([for u_int64_t types], ac_cv_have_u_int64_t, [
-	AC_TRY_COMPILE(
-		[ #include <sys/types.h> ],
-		[ u_int64_t a; a = 1;],
-		[ ac_cv_have_u_int64_t="yes" ],
-		[ ac_cv_have_u_int64_t="no" ]
-	)
-])
-if test "x$ac_cv_have_u_int64_t" = "xyes" ; then
-	AC_DEFINE(HAVE_U_INT64_T, 1, [define if you have u_int64_t data type])
-	have_u_int64_t=1
-fi
-
-if test -z "$have_u_int64_t" ; then
-    AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h])
-	AC_TRY_COMPILE(
-		[ #include <sys/bitypes.h> ],
-		[ u_int64_t a; a = 1],
-		[
-			AC_DEFINE(HAVE_U_INT64_T)
-			AC_MSG_RESULT(yes)
-		],
-		[ AC_MSG_RESULT(no) ]
-	)
-fi
-
-if test -z "$have_u_intxx_t" ; then
-	AC_CACHE_CHECK([for uintXX_t types], ac_cv_have_uintxx_t, [
-		AC_TRY_COMPILE(
-			[
-#include <sys/types.h>
-			],
-			[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1; ],
-			[ ac_cv_have_uintxx_t="yes" ],
-			[ ac_cv_have_uintxx_t="no" ]
-		)
-	])
-	if test "x$ac_cv_have_uintxx_t" = "xyes" ; then
-		AC_DEFINE(HAVE_UINTXX_T, 1,
-			[define if you have uintxx_t data type])
-	fi
-fi
-
-if test -z "$have_uintxx_t" ; then
-    AC_MSG_CHECKING([for uintXX_t types in stdint.h])
-	AC_TRY_COMPILE(
-		[ #include <stdint.h> ],
-		[ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;],
-		[
-			AC_DEFINE(HAVE_UINTXX_T)
-			AC_MSG_RESULT(yes)
-		],
-		[ AC_MSG_RESULT(no) ]
-	)
-fi
-
-if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \
-	   test "x$ac_cv_header_sys_bitypes_h" = "xyes")
-then
-	AC_MSG_CHECKING([for intXX_t and u_intXX_t types in sys/bitypes.h])
-	AC_TRY_COMPILE(
-		[
-#include <sys/bitypes.h>
-		],
-		[
-			int8_t a; int16_t b; int32_t c;
-			u_int8_t e; u_int16_t f; u_int32_t g;
-			a = b = c = e = f = g = 1;
-		],
-		[
-			AC_DEFINE(HAVE_U_INTXX_T)
-			AC_DEFINE(HAVE_INTXX_T)
-			AC_MSG_RESULT(yes)
-		],
-		[AC_MSG_RESULT(no)]
-	)
-fi
-
-
-AC_CACHE_CHECK([for u_char], ac_cv_have_u_char, [
-	AC_TRY_COMPILE(
-		[
-#include <sys/types.h>
-		],
-		[ u_char foo; foo = 125; ],
-		[ ac_cv_have_u_char="yes" ],
-		[ ac_cv_have_u_char="no" ]
-	)
-])
-if test "x$ac_cv_have_u_char" = "xyes" ; then
-	AC_DEFINE(HAVE_U_CHAR, 1, [define if you have u_char data type])
-fi
-
-TYPE_SOCKLEN_T
-
-AC_CHECK_TYPES(sig_atomic_t,,,[#include <signal.h>])
-
-AC_CHECK_TYPES(in_addr_t,,,
-[#include <sys/types.h>
-#include <netinet/in.h>])
-
-AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [
-	AC_TRY_COMPILE(
-		[
-#include <sys/types.h>
-		],
-		[ size_t foo; foo = 1235; ],
-		[ ac_cv_have_size_t="yes" ],
-		[ ac_cv_have_size_t="no" ]
-	)
-])
-if test "x$ac_cv_have_size_t" = "xyes" ; then
-	AC_DEFINE(HAVE_SIZE_T, 1, [define if you have size_t data type])
-fi
-
-AC_CACHE_CHECK([for ssize_t], ac_cv_have_ssize_t, [
-	AC_TRY_COMPILE(
-		[
-#include <sys/types.h>
-		],
-		[ ssize_t foo; foo = 1235; ],
-		[ ac_cv_have_ssize_t="yes" ],
-		[ ac_cv_have_ssize_t="no" ]
-	)
-])
-if test "x$ac_cv_have_ssize_t" = "xyes" ; then
-	AC_DEFINE(HAVE_SSIZE_T, 1, [define if you have ssize_t data type])
-fi
-
-AC_CACHE_CHECK([for clock_t], ac_cv_have_clock_t, [
-	AC_TRY_COMPILE(
-		[
-#include <time.h>
-		],
-		[ clock_t foo; foo = 1235; ],
-		[ ac_cv_have_clock_t="yes" ],
-		[ ac_cv_have_clock_t="no" ]
-	)
-])
-if test "x$ac_cv_have_clock_t" = "xyes" ; then
-	AC_DEFINE(HAVE_CLOCK_T, 1, [define if you have clock_t data type])
-fi
-
-AC_CACHE_CHECK([for sa_family_t], ac_cv_have_sa_family_t, [
-	AC_TRY_COMPILE(
-		[
-#include <sys/types.h>
-#include <sys/socket.h>
-		],
-		[ sa_family_t foo; foo = 1235; ],
-		[ ac_cv_have_sa_family_t="yes" ],
-		[ AC_TRY_COMPILE(
-		  [
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-		],
-		[ sa_family_t foo; foo = 1235; ],
-		[ ac_cv_have_sa_family_t="yes" ],
-
-		[ ac_cv_have_sa_family_t="no" ]
-	)]
-	)
-])
-if test "x$ac_cv_have_sa_family_t" = "xyes" ; then
-	AC_DEFINE(HAVE_SA_FAMILY_T, 1,
-		[define if you have sa_family_t data type])
-fi
-
-AC_CACHE_CHECK([for pid_t], ac_cv_have_pid_t, [
-	AC_TRY_COMPILE(
-		[
-#include <sys/types.h>
-		],
-		[ pid_t foo; foo = 1235; ],
-		[ ac_cv_have_pid_t="yes" ],
-		[ ac_cv_have_pid_t="no" ]
-	)
-])
-if test "x$ac_cv_have_pid_t" = "xyes" ; then
-	AC_DEFINE(HAVE_PID_T, 1, [define if you have pid_t data type])
-fi
-
-AC_CACHE_CHECK([for mode_t], ac_cv_have_mode_t, [
-	AC_TRY_COMPILE(
-		[
-#include <sys/types.h>
-		],
-		[ mode_t foo; foo = 1235; ],
-		[ ac_cv_have_mode_t="yes" ],
-		[ ac_cv_have_mode_t="no" ]
-	)
-])
-if test "x$ac_cv_have_mode_t" = "xyes" ; then
-	AC_DEFINE(HAVE_MODE_T, 1, [define if you have mode_t data type])
-fi
-
-
-AC_CACHE_CHECK([for struct sockaddr_storage], ac_cv_have_struct_sockaddr_storage, [
-	AC_TRY_COMPILE(
-		[
-#include <sys/types.h>
-#include <sys/socket.h>
-		],
-		[ struct sockaddr_storage s; ],
-		[ ac_cv_have_struct_sockaddr_storage="yes" ],
-		[ ac_cv_have_struct_sockaddr_storage="no" ]
-	)
-])
-if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then
-	AC_DEFINE(HAVE_STRUCT_SOCKADDR_STORAGE, 1,
-		[define if you have struct sockaddr_storage data type])
-fi
-
-AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [
-	AC_TRY_COMPILE(
-		[
-#include <sys/types.h>
-#include <netinet/in.h>
-		],
-		[ struct sockaddr_in6 s; s.sin6_family = 0; ],
-		[ ac_cv_have_struct_sockaddr_in6="yes" ],
-		[ ac_cv_have_struct_sockaddr_in6="no" ]
-	)
-])
-if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then
-	AC_DEFINE(HAVE_STRUCT_SOCKADDR_IN6, 1,
-		[define if you have struct sockaddr_in6 data type])
-fi
-
-AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [
-	AC_TRY_COMPILE(
-		[
-#include <sys/types.h>
-#include <netinet/in.h>
-		],
-		[ struct in6_addr s; s.s6_addr[0] = 0; ],
-		[ ac_cv_have_struct_in6_addr="yes" ],
-		[ ac_cv_have_struct_in6_addr="no" ]
-	)
-])
-if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then
-	AC_DEFINE(HAVE_STRUCT_IN6_ADDR, 1,
-		[define if you have struct in6_addr data type])
-fi
-
-AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [
-	AC_TRY_COMPILE(
-		[
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netdb.h>
-		],
-		[ struct addrinfo s; s.ai_flags = AI_PASSIVE; ],
-		[ ac_cv_have_struct_addrinfo="yes" ],
-		[ ac_cv_have_struct_addrinfo="no" ]
-	)
-])
-if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then
-	AC_DEFINE(HAVE_STRUCT_ADDRINFO, 1,
-		[define if you have struct addrinfo data type])
-fi
-
-AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [
-	AC_TRY_COMPILE(
-		[ #include <sys/time.h> ],
-		[ struct timeval tv; tv.tv_sec = 1;],
-		[ ac_cv_have_struct_timeval="yes" ],
-		[ ac_cv_have_struct_timeval="no" ]
-	)
-])
-if test "x$ac_cv_have_struct_timeval" = "xyes" ; then
-	AC_DEFINE(HAVE_STRUCT_TIMEVAL, 1, [define if you have struct timeval])
-	have_struct_timeval=1
-fi
-
-AC_CHECK_TYPES(struct timespec)
-
-# We need int64_t or else certian parts of the compile will fail.
-if test "x$ac_cv_have_int64_t" = "xno" && \
-	test "x$ac_cv_sizeof_long_int" != "x8" && \
-	test "x$ac_cv_sizeof_long_long_int" = "x0" ; then
-	echo "OpenSSH requires int64_t support.  Contact your vendor or install"
-	echo "an alternative compiler (I.E., GCC) before continuing."
-	echo ""
-	exit 1;
-else
-dnl test snprintf (broken on SCO w/gcc)
-	AC_RUN_IFELSE(
-		[AC_LANG_SOURCE([[
-#include <stdio.h>
-#include <string.h>
-#ifdef HAVE_SNPRINTF
-main()
-{
-	char buf[50];
-	char expected_out[50];
-	int mazsize = 50 ;
-#if (SIZEOF_LONG_INT == 8)
-	long int num = 0x7fffffffffffffff;
-#else
-	long long num = 0x7fffffffffffffffll;
-#endif
-	strcpy(expected_out, "9223372036854775807");
-	snprintf(buf, mazsize, "%lld", num);
-	if(strcmp(buf, expected_out) != 0)
-		exit(1);
-	exit(0);
-}
-#else
-main() { exit(0); }
-#endif
-		]])], [ true ], [ AC_DEFINE(BROKEN_SNPRINTF) ],
-		AC_MSG_WARN([cross compiling: Assuming working snprintf()])
-	)
-fi
-
-dnl Checks for structure members
-OSSH_CHECK_HEADER_FOR_FIELD(ut_host, utmp.h, HAVE_HOST_IN_UTMP)
-OSSH_CHECK_HEADER_FOR_FIELD(ut_host, utmpx.h, HAVE_HOST_IN_UTMPX)
-OSSH_CHECK_HEADER_FOR_FIELD(syslen, utmpx.h, HAVE_SYSLEN_IN_UTMPX)
-OSSH_CHECK_HEADER_FOR_FIELD(ut_pid, utmp.h, HAVE_PID_IN_UTMP)
-OSSH_CHECK_HEADER_FOR_FIELD(ut_type, utmp.h, HAVE_TYPE_IN_UTMP)
-OSSH_CHECK_HEADER_FOR_FIELD(ut_type, utmpx.h, HAVE_TYPE_IN_UTMPX)
-OSSH_CHECK_HEADER_FOR_FIELD(ut_tv, utmp.h, HAVE_TV_IN_UTMP)
-OSSH_CHECK_HEADER_FOR_FIELD(ut_id, utmp.h, HAVE_ID_IN_UTMP)
-OSSH_CHECK_HEADER_FOR_FIELD(ut_id, utmpx.h, HAVE_ID_IN_UTMPX)
-OSSH_CHECK_HEADER_FOR_FIELD(ut_addr, utmp.h, HAVE_ADDR_IN_UTMP)
-OSSH_CHECK_HEADER_FOR_FIELD(ut_addr, utmpx.h, HAVE_ADDR_IN_UTMPX)
-OSSH_CHECK_HEADER_FOR_FIELD(ut_addr_v6, utmp.h, HAVE_ADDR_V6_IN_UTMP)
-OSSH_CHECK_HEADER_FOR_FIELD(ut_addr_v6, utmpx.h, HAVE_ADDR_V6_IN_UTMPX)
-OSSH_CHECK_HEADER_FOR_FIELD(ut_exit, utmp.h, HAVE_EXIT_IN_UTMP)
-OSSH_CHECK_HEADER_FOR_FIELD(ut_time, utmp.h, HAVE_TIME_IN_UTMP)
-OSSH_CHECK_HEADER_FOR_FIELD(ut_time, utmpx.h, HAVE_TIME_IN_UTMPX)
-OSSH_CHECK_HEADER_FOR_FIELD(ut_tv, utmpx.h, HAVE_TV_IN_UTMPX)
-
-AC_CHECK_MEMBERS([struct stat.st_blksize])
-AC_CHECK_MEMBER([struct __res_state.retrans], [], [AC_DEFINE(__res_state, state,
-	[Define if we don't have struct __res_state in resolv.h])],
-[
-#include <stdio.h>
-#if HAVE_SYS_TYPES_H
-# include <sys/types.h>
-#endif
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-])
-
-AC_CACHE_CHECK([for ss_family field in struct sockaddr_storage],
-		ac_cv_have_ss_family_in_struct_ss, [
-	AC_TRY_COMPILE(
-		[
-#include <sys/types.h>
-#include <sys/socket.h>
-		],
-		[ struct sockaddr_storage s; s.ss_family = 1; ],
-		[ ac_cv_have_ss_family_in_struct_ss="yes" ],
-		[ ac_cv_have_ss_family_in_struct_ss="no" ],
-	)
-])
-if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then
-	AC_DEFINE(HAVE_SS_FAMILY_IN_SS, 1, [Fields in struct sockaddr_storage])
-fi
-
-AC_CACHE_CHECK([for __ss_family field in struct sockaddr_storage],
-		ac_cv_have___ss_family_in_struct_ss, [
-	AC_TRY_COMPILE(
-		[
-#include <sys/types.h>
-#include <sys/socket.h>
-		],
-		[ struct sockaddr_storage s; s.__ss_family = 1; ],
-		[ ac_cv_have___ss_family_in_struct_ss="yes" ],
-		[ ac_cv_have___ss_family_in_struct_ss="no" ]
-	)
-])
-if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then
-	AC_DEFINE(HAVE___SS_FAMILY_IN_SS, 1,
-		[Fields in struct sockaddr_storage])
-fi
-
-AC_CACHE_CHECK([for pw_class field in struct passwd],
-		ac_cv_have_pw_class_in_struct_passwd, [
-	AC_TRY_COMPILE(
-		[
-#include <pwd.h>
-		],
-		[ struct passwd p; p.pw_class = 0; ],
-		[ ac_cv_have_pw_class_in_struct_passwd="yes" ],
-		[ ac_cv_have_pw_class_in_struct_passwd="no" ]
-	)
-])
-if test "x$ac_cv_have_pw_class_in_struct_passwd" = "xyes" ; then
-	AC_DEFINE(HAVE_PW_CLASS_IN_PASSWD, 1,
-		[Define if your password has a pw_class field])
-fi
-
-AC_CACHE_CHECK([for pw_expire field in struct passwd],
-		ac_cv_have_pw_expire_in_struct_passwd, [
-	AC_TRY_COMPILE(
-		[
-#include <pwd.h>
-		],
-		[ struct passwd p; p.pw_expire = 0; ],
-		[ ac_cv_have_pw_expire_in_struct_passwd="yes" ],
-		[ ac_cv_have_pw_expire_in_struct_passwd="no" ]
-	)
-])
-if test "x$ac_cv_have_pw_expire_in_struct_passwd" = "xyes" ; then
-	AC_DEFINE(HAVE_PW_EXPIRE_IN_PASSWD, 1,
-		[Define if your password has a pw_expire field])
-fi
-
-AC_CACHE_CHECK([for pw_change field in struct passwd],
-		ac_cv_have_pw_change_in_struct_passwd, [
-	AC_TRY_COMPILE(
-		[
-#include <pwd.h>
-		],
-		[ struct passwd p; p.pw_change = 0; ],
-		[ ac_cv_have_pw_change_in_struct_passwd="yes" ],
-		[ ac_cv_have_pw_change_in_struct_passwd="no" ]
-	)
-])
-if test "x$ac_cv_have_pw_change_in_struct_passwd" = "xyes" ; then
-	AC_DEFINE(HAVE_PW_CHANGE_IN_PASSWD, 1,
-		[Define if your password has a pw_change field])
-fi
-
-dnl make sure we're using the real structure members and not defines
-AC_CACHE_CHECK([for msg_accrights field in struct msghdr],
-		ac_cv_have_accrights_in_msghdr, [
-	AC_COMPILE_IFELSE(
-		[
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/uio.h>
-int main() {
-#ifdef msg_accrights
-#error "msg_accrights is a macro"
-exit(1);
-#endif
-struct msghdr m;
-m.msg_accrights = 0;
-exit(0);
-}
-		],
-		[ ac_cv_have_accrights_in_msghdr="yes" ],
-		[ ac_cv_have_accrights_in_msghdr="no" ]
-	)
-])
-if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then
-	AC_DEFINE(HAVE_ACCRIGHTS_IN_MSGHDR, 1,
-		[Define if your system uses access rights style
-		file descriptor passing])
-fi
-
-AC_CACHE_CHECK([for msg_control field in struct msghdr],
-		ac_cv_have_control_in_msghdr, [
-	AC_COMPILE_IFELSE(
-		[
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/uio.h>
-int main() {
-#ifdef msg_control
-#error "msg_control is a macro"
-exit(1);
-#endif
-struct msghdr m;
-m.msg_control = 0;
-exit(0);
-}
-		],
-		[ ac_cv_have_control_in_msghdr="yes" ],
-		[ ac_cv_have_control_in_msghdr="no" ]
-	)
-])
-if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then
-	AC_DEFINE(HAVE_CONTROL_IN_MSGHDR, 1,
-		[Define if your system uses ancillary data style
-		file descriptor passing])
-fi
-
-AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [
-	AC_TRY_LINK([],
-		[ extern char *__progname; printf("%s", __progname); ],
-		[ ac_cv_libc_defines___progname="yes" ],
-		[ ac_cv_libc_defines___progname="no" ]
-	)
-])
-if test "x$ac_cv_libc_defines___progname" = "xyes" ; then
-	AC_DEFINE(HAVE___PROGNAME, 1, [Define if libc defines __progname])
-fi
-
-AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNCTION__, [
-	AC_TRY_LINK([
-#include <stdio.h>
-],
-		[ printf("%s", __FUNCTION__); ],
-		[ ac_cv_cc_implements___FUNCTION__="yes" ],
-		[ ac_cv_cc_implements___FUNCTION__="no" ]
-	)
-])
-if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then
-	AC_DEFINE(HAVE___FUNCTION__, 1,
-		[Define if compiler implements __FUNCTION__])
-fi
-
-AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__, [
-	AC_TRY_LINK([
-#include <stdio.h>
-],
-		[ printf("%s", __func__); ],
-		[ ac_cv_cc_implements___func__="yes" ],
-		[ ac_cv_cc_implements___func__="no" ]
-	)
-])
-if test "x$ac_cv_cc_implements___func__" = "xyes" ; then
-	AC_DEFINE(HAVE___func__, 1, [Define if compiler implements __func__])
-fi
-
-AC_CACHE_CHECK([whether va_copy exists], ac_cv_have_va_copy, [
-	AC_TRY_LINK(
-		[#include <stdarg.h>
-		 va_list x,y;],
-	    	[va_copy(x,y);],
-		[ ac_cv_have_va_copy="yes" ],
-		[ ac_cv_have_va_copy="no" ]
-	)
-])
-if test "x$ac_cv_have_va_copy" = "xyes" ; then
-	AC_DEFINE(HAVE_VA_COPY, 1, [Define if va_copy exists])
-fi
-
-AC_CACHE_CHECK([whether __va_copy exists], ac_cv_have___va_copy, [
-	AC_TRY_LINK(
-		[#include <stdarg.h>
-		 va_list x,y;],
-	    	[__va_copy(x,y);],
-		[ ac_cv_have___va_copy="yes" ],
-		[ ac_cv_have___va_copy="no" ]
-	)
-])
-if test "x$ac_cv_have___va_copy" = "xyes" ; then
-	AC_DEFINE(HAVE___VA_COPY, 1, [Define if __va_copy exists])
-fi
-
-AC_CACHE_CHECK([whether getopt has optreset support],
-		ac_cv_have_getopt_optreset, [
-	AC_TRY_LINK(
-		[
-#include <getopt.h>
-		],
-		[ extern int optreset; optreset = 0; ],
-		[ ac_cv_have_getopt_optreset="yes" ],
-		[ ac_cv_have_getopt_optreset="no" ]
-	)
-])
-if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then
-	AC_DEFINE(HAVE_GETOPT_OPTRESET, 1,
-		[Define if your getopt(3) defines and uses optreset])
-fi
-
-AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [
-	AC_TRY_LINK([],
-		[ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);],
-		[ ac_cv_libc_defines_sys_errlist="yes" ],
-		[ ac_cv_libc_defines_sys_errlist="no" ]
-	)
-])
-if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then
-	AC_DEFINE(HAVE_SYS_ERRLIST, 1,
-		[Define if your system defines sys_errlist[]])
-fi
-
-
-AC_CACHE_CHECK([if libc defines sys_nerr], ac_cv_libc_defines_sys_nerr, [
-	AC_TRY_LINK([],
-		[ extern int sys_nerr; printf("%i", sys_nerr);],
-		[ ac_cv_libc_defines_sys_nerr="yes" ],
-		[ ac_cv_libc_defines_sys_nerr="no" ]
-	)
-])
-if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then
-	AC_DEFINE(HAVE_SYS_NERR, 1, [Define if your system defines sys_nerr])
-fi
-
-SCARD_MSG="no"
-# Check whether user wants sectok support
-AC_ARG_WITH(sectok,
-	[  --with-sectok           Enable smartcard support using libsectok],
-	[
-		if test "x$withval" != "xno" ; then
-			if test "x$withval" != "xyes" ; then
-				CPPFLAGS="$CPPFLAGS -I${withval}"
-				LDFLAGS="$LDFLAGS -L${withval}"
-				if test ! -z "$need_dash_r" ; then
-					LDFLAGS="$LDFLAGS -R${withval}"
-				fi
-				if test ! -z "$blibpath" ; then
-					blibpath="$blibpath:${withval}"
-				fi
-			fi
-			AC_CHECK_HEADERS(sectok.h)
-			if test "$ac_cv_header_sectok_h" != yes; then
-				AC_MSG_ERROR(Can't find sectok.h)
-			fi
-			AC_CHECK_LIB(sectok, sectok_open)
-			if test "$ac_cv_lib_sectok_sectok_open" != yes; then
-				AC_MSG_ERROR(Can't find libsectok)
-			fi
-			AC_DEFINE(SMARTCARD, 1,
-				[Define if you want smartcard support])
-			AC_DEFINE(USE_SECTOK, 1,
-				[Define if you want smartcard support
-				using sectok])
-			SCARD_MSG="yes, using sectok"
-		fi
-	]
-)
-
-# Check whether user wants OpenSC support
-OPENSC_CONFIG="no"
-AC_ARG_WITH(opensc,
-	[  --with-opensc[[=PFX]]     Enable smartcard support using OpenSC (optionally in PATH)],
-	[
-	    if test "x$withval" != "xno" ; then
-		if test "x$withval" != "xyes" ; then
-  			OPENSC_CONFIG=$withval/bin/opensc-config
-		else
-  			AC_PATH_PROG(OPENSC_CONFIG, opensc-config, no)
-		fi
-		if test "$OPENSC_CONFIG" != "no"; then
-			LIBOPENSC_CFLAGS=`$OPENSC_CONFIG --cflags`
-			LIBOPENSC_LIBS=`$OPENSC_CONFIG --libs`
-			CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS"
-			LIBS="$LIBS $LIBOPENSC_LIBS"
-			AC_DEFINE(SMARTCARD)
-			AC_DEFINE(USE_OPENSC, 1,
-				[Define if you want smartcard support
-				using OpenSC])
-			SCARD_MSG="yes, using OpenSC"
-		fi
-	    fi
-	]
-)
-
-# Check libraries needed by DNS fingerprint support
-AC_SEARCH_LIBS(getrrsetbyname, resolv,
-	[AC_DEFINE(HAVE_GETRRSETBYNAME, 1,
-		[Define if getrrsetbyname() exists])],
-	[
-		# Needed by our getrrsetbyname()
-		AC_SEARCH_LIBS(res_query, resolv)
-		AC_SEARCH_LIBS(dn_expand, resolv)
-		AC_MSG_CHECKING(if res_query will link)
-		AC_TRY_LINK_FUNC(res_query, AC_MSG_RESULT(yes),
-		   [AC_MSG_RESULT(no)
-		    saved_LIBS="$LIBS"
-		    LIBS="$LIBS -lresolv"
-		    AC_MSG_CHECKING(for res_query in -lresolv)
-		    AC_LINK_IFELSE([
-#include <resolv.h>
-int main()
-{
-	res_query (0, 0, 0, 0, 0);
-	return 0;
-}
-			],
-			[LIBS="$LIBS -lresolv"
-			 AC_MSG_RESULT(yes)],
-			[LIBS="$saved_LIBS"
-			 AC_MSG_RESULT(no)])
-		    ])
-		AC_CHECK_FUNCS(_getshort _getlong)
-		AC_CHECK_DECLS([_getshort, _getlong], , ,
-		    [#include <sys/types.h>
-		    #include <arpa/nameser.h>])
-		AC_CHECK_MEMBER(HEADER.ad,
-			[AC_DEFINE(HAVE_HEADER_AD, 1,
-			    [Define if HEADER.ad exists in arpa/nameser.h])],,
-			[#include <arpa/nameser.h>])
-	])
-
-# Check whether user wants SELinux support
-SELINUX_MSG="no"
-LIBSELINUX=""
-AC_ARG_WITH(selinux,
-	[  --with-selinux   Enable SELinux support],
-	[ if test "x$withval" != "xno" ; then
-		AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.])
-		SELINUX_MSG="yes"
-		AC_CHECK_HEADER([selinux/selinux.h], ,
-		    AC_MSG_ERROR(SELinux support requires selinux.h header))
-		AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ],
-		    AC_MSG_ERROR(SELinux support requires libselinux library))
-		save_LIBS="$LIBS"
-		LIBS="$LIBS $LIBSELINUX"
-		AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
-		LIBS="$save_LIBS"
-	fi ]
-)
-AC_SUBST(LIBSELINUX)
-
-# Check whether user wants Kerberos 5 support
-KRB5_MSG="no"
-AC_ARG_WITH(kerberos5,
-	[  --with-kerberos5=PATH   Enable Kerberos 5 support],
-	[ if test "x$withval" != "xno" ; then
-		if test "x$withval" = "xyes" ; then
-			KRB5ROOT="/usr/local"
-		else
-			KRB5ROOT=${withval}
-		fi
-
-		AC_DEFINE(KRB5, 1, [Define if you want Kerberos 5 support])
-		KRB5_MSG="yes"
-
-		AC_MSG_CHECKING(for krb5-config)
-		if test -x  $KRB5ROOT/bin/krb5-config ; then
-			KRB5CONF=$KRB5ROOT/bin/krb5-config
-			AC_MSG_RESULT($KRB5CONF)
-
-			AC_MSG_CHECKING(for gssapi support)
-			if $KRB5CONF | grep gssapi >/dev/null ; then
-				AC_MSG_RESULT(yes)
-				AC_DEFINE(GSSAPI, 1,
-					[Define this if you want GSSAPI
-					support in the version 2 protocol])
-				k5confopts=gssapi
-			else
-				AC_MSG_RESULT(no)
-				k5confopts=""
-			fi
-			K5CFLAGS="`$KRB5CONF --cflags $k5confopts`"
-			K5LIBS="`$KRB5CONF --libs $k5confopts`"
-			CPPFLAGS="$CPPFLAGS $K5CFLAGS"
-			AC_MSG_CHECKING(whether we are using Heimdal)
-			AC_TRY_COMPILE([ #include <krb5.h> ],
-				       [ char *tmp = heimdal_version; ],
-				       [ AC_MSG_RESULT(yes)
-					 AC_DEFINE(HEIMDAL, 1,
-					[Define this if you are using the
-					Heimdal version of Kerberos V5]) ],
-				         AC_MSG_RESULT(no)
-			)
-		else
-			AC_MSG_RESULT(no)
-			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
-			LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
-			AC_MSG_CHECKING(whether we are using Heimdal)
-			AC_TRY_COMPILE([ #include <krb5.h> ],
-				       [ char *tmp = heimdal_version; ],
-				       [ AC_MSG_RESULT(yes)
-					 AC_DEFINE(HEIMDAL)
-					 K5LIBS="-lkrb5 -ldes"
-					 K5LIBS="$K5LIBS -lcom_err -lasn1"
-					 AC_CHECK_LIB(roken, net_write,
-					   [K5LIBS="$K5LIBS -lroken"])
-				       ],
-				       [ AC_MSG_RESULT(no)
-					 K5LIBS="-lkrb5 -lk5crypto -lcom_err"
-				       ]
-			)
-			AC_SEARCH_LIBS(dn_expand, resolv)
-
-			AC_CHECK_LIB(gssapi,gss_init_sec_context,
-				[ AC_DEFINE(GSSAPI)
-				  K5LIBS="-lgssapi $K5LIBS" ],
-				[ AC_CHECK_LIB(gssapi_krb5,gss_init_sec_context,
-					[ AC_DEFINE(GSSAPI)
-					  K5LIBS="-lgssapi_krb5 $K5LIBS" ],
-					AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]),
-					$K5LIBS)
-				],
-				$K5LIBS)
-
-			AC_CHECK_HEADER(gssapi.h, ,
-				[ unset ac_cv_header_gssapi_h
-				  CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
-				  AC_CHECK_HEADERS(gssapi.h, ,
-					AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])
-				  )
-				]
-			)
-
-			oldCPP="$CPPFLAGS"
-			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
-			AC_CHECK_HEADER(gssapi_krb5.h, ,
-					[ CPPFLAGS="$oldCPP" ])
-
-		fi
-		if test ! -z "$need_dash_r" ; then
-			LDFLAGS="$LDFLAGS -R${KRB5ROOT}/lib"
-		fi
-		if test ! -z "$blibpath" ; then
-			blibpath="$blibpath:${KRB5ROOT}/lib"
-		fi
-
-		AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h)
-		AC_CHECK_HEADERS(gssapi_krb5.h gssapi/gssapi_krb5.h)
-		AC_CHECK_HEADERS(gssapi_generic.h gssapi/gssapi_generic.h)
-
-		LIBS="$LIBS $K5LIBS"
-		AC_SEARCH_LIBS(k_hasafs, kafs, AC_DEFINE(USE_AFS, 1,
-			[Define this if you want to use libkafs' AFS support]))
-	fi
-	]
-)
-
-# Looking for programs, paths and files
-
-PRIVSEP_PATH=/var/empty
-AC_ARG_WITH(privsep-path,
-	[  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
-	[
-		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
-		    test "x${withval}" != "xyes"; then
-			PRIVSEP_PATH=$withval
-		fi
-	]
-)
-AC_SUBST(PRIVSEP_PATH)
-
-AC_ARG_WITH(xauth,
-	[  --with-xauth=PATH       Specify path to xauth program ],
-	[
-		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
-		    test "x${withval}" != "xyes"; then
-			xauth_path=$withval
-		fi
-	],
-	[
-		TestPath="$PATH"
-		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X/bin"
-		TestPath="${TestPath}${PATH_SEPARATOR}/usr/bin/X11"
-		TestPath="${TestPath}${PATH_SEPARATOR}/usr/X11R6/bin"
-		TestPath="${TestPath}${PATH_SEPARATOR}/usr/openwin/bin"
-		AC_PATH_PROG(xauth_path, xauth, , $TestPath)
-		if (test ! -z "$xauth_path" && test -x "/usr/openwin/bin/xauth") ; then
-			xauth_path="/usr/openwin/bin/xauth"
-		fi
-	]
-)
-
-STRIP_OPT=-s
-AC_ARG_ENABLE(strip,
-	[  --disable-strip         Disable calling strip(1) on install],
-	[
-		if test "x$enableval" = "xno" ; then
-			STRIP_OPT=
-		fi
-	]
-)
-AC_SUBST(STRIP_OPT)
-
-if test -z "$xauth_path" ; then
-	XAUTH_PATH="undefined"
-	AC_SUBST(XAUTH_PATH)
-else
-	AC_DEFINE_UNQUOTED(XAUTH_PATH, "$xauth_path",
-		[Define if xauth is found in your path])
-	XAUTH_PATH=$xauth_path
-	AC_SUBST(XAUTH_PATH)
-fi
-
-# Check for mail directory (last resort if we cannot get it from headers)
-if test ! -z "$MAIL" ; then
-	maildir=`dirname $MAIL`
-	AC_DEFINE_UNQUOTED(MAIL_DIRECTORY, "$maildir",
-		[Set this to your mail directory if you don't have maillock.h])
-fi
-
-if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
-	AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
-	disable_ptmx_check=yes
-fi
-if test -z "$no_dev_ptmx" ; then
-	if test "x$disable_ptmx_check" != "xyes" ; then
-		AC_CHECK_FILE("/dev/ptmx",
-			[
-				AC_DEFINE_UNQUOTED(HAVE_DEV_PTMX, 1,
-					[Define if you have /dev/ptmx])
-				have_dev_ptmx=1
-			]
-		)
-	fi
-fi
-
-if test ! -z "$cross_compiling" && test "x$cross_compiling" != "xyes"; then
-	AC_CHECK_FILE("/dev/ptc",
-		[
-			AC_DEFINE_UNQUOTED(HAVE_DEV_PTS_AND_PTC, 1,
-				[Define if you have /dev/ptc])
-			have_dev_ptc=1
-		]
-	)
-else
-	AC_MSG_WARN([cross compiling: Disabling /dev/ptc test])
-fi
-
-# Options from here on. Some of these are preset by platform above
-AC_ARG_WITH(mantype,
-	[  --with-mantype=man|cat|doc  Set man page type],
-	[
-		case "$withval" in
-		man|cat|doc)
-			MANTYPE=$withval
-			;;
-		*)
-			AC_MSG_ERROR(invalid man type: $withval)
-			;;
-		esac
-	]
-)
-if test -z "$MANTYPE"; then
-	TestPath="/usr/bin${PATH_SEPARATOR}/usr/ucb"
-	AC_PATH_PROGS(NROFF, nroff awf, /bin/false, $TestPath)
-	if ${NROFF} -mdoc ${srcdir}/ssh.1 >/dev/null 2>&1; then
-		MANTYPE=doc
-	elif ${NROFF} -man ${srcdir}/ssh.1 >/dev/null 2>&1; then
-		MANTYPE=man
-	else
-		MANTYPE=cat
-	fi
-fi
-AC_SUBST(MANTYPE)
-if test "$MANTYPE" = "doc"; then
-	mansubdir=man;
-else
-	mansubdir=$MANTYPE;
-fi
-AC_SUBST(mansubdir)
-
-# Check whether to enable MD5 passwords
-MD5_MSG="no"
-AC_ARG_WITH(md5-passwords,
-	[  --with-md5-passwords    Enable use of MD5 passwords],
-	[
-		if test "x$withval" != "xno" ; then
-			AC_DEFINE(HAVE_MD5_PASSWORDS, 1,
-				[Define if you want to allow MD5 passwords])
-			MD5_MSG="yes"
-		fi
-	]
-)
-
-# Whether to disable shadow password support
-AC_ARG_WITH(shadow,
-	[  --without-shadow        Disable shadow password support],
-	[
-		if test "x$withval" = "xno" ; then
-			AC_DEFINE(DISABLE_SHADOW)
-			disable_shadow=yes
-		fi
-	]
-)
-
-if test -z "$disable_shadow" ; then
-	AC_MSG_CHECKING([if the systems has expire shadow information])
-	AC_TRY_COMPILE(
-	[
-#include <sys/types.h>
-#include <shadow.h>
-	struct spwd sp;
-	],[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ],
-	[ sp_expire_available=yes ], []
-	)
-
-	if test "x$sp_expire_available" = "xyes" ; then
-		AC_MSG_RESULT(yes)
-		AC_DEFINE(HAS_SHADOW_EXPIRE, 1,
-		    [Define if you want to use shadow password expire field])
-	else
-		AC_MSG_RESULT(no)
-	fi
-fi
-
-# Use ip address instead of hostname in $DISPLAY
-if test ! -z "$IPADDR_IN_DISPLAY" ; then
-	DISPLAY_HACK_MSG="yes"
-	AC_DEFINE(IPADDR_IN_DISPLAY, 1,
-		[Define if you need to use IP address
-		instead of hostname in $DISPLAY])
-else
-	DISPLAY_HACK_MSG="no"
-	AC_ARG_WITH(ipaddr-display,
-		[  --with-ipaddr-display   Use ip address instead of hostname in \$DISPLAY],
-		[
-			if test "x$withval" != "xno" ; then
-				AC_DEFINE(IPADDR_IN_DISPLAY)
-				DISPLAY_HACK_MSG="yes"
-			fi
-		]
-	)
-fi
-
-# check for /etc/default/login and use it if present.
-AC_ARG_ENABLE(etc-default-login,
-	[  --disable-etc-default-login Disable using PATH from /etc/default/login [no]],
-	[ if test "x$enableval" = "xno"; then
-		AC_MSG_NOTICE([/etc/default/login handling disabled])
-		etc_default_login=no
-	  else
-		etc_default_login=yes
-	  fi ],
-	[ if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes";
-	  then
-		AC_MSG_WARN([cross compiling: not checking /etc/default/login])
-		etc_default_login=no
-	  else
-		etc_default_login=yes
-	  fi ]
-)
-
-if test "x$etc_default_login" != "xno"; then
-	AC_CHECK_FILE("/etc/default/login",
-	    [ external_path_file=/etc/default/login ])
-	if test "x$external_path_file" = "x/etc/default/login"; then
-		AC_DEFINE(HAVE_ETC_DEFAULT_LOGIN, 1,
-			[Define if your system has /etc/default/login])
-	fi
-fi
-
-dnl BSD systems use /etc/login.conf so --with-default-path= has no effect
-if test $ac_cv_func_login_getcapbool = "yes" && \
-	test $ac_cv_header_login_cap_h = "yes" ; then
-	external_path_file=/etc/login.conf
-fi
-
-# Whether to mess with the default path
-SERVER_PATH_MSG="(default)"
-AC_ARG_WITH(default-path,
-	[  --with-default-path=    Specify default \$PATH environment for server],
-	[
-		if test "x$external_path_file" = "x/etc/login.conf" ; then
-			AC_MSG_WARN([
---with-default-path=PATH has no effect on this system.
-Edit /etc/login.conf instead.])
-		elif test "x$withval" != "xno" ; then
-			if test ! -z "$external_path_file" ; then
-				AC_MSG_WARN([
---with-default-path=PATH will only be used if PATH is not defined in
-$external_path_file .])
-			fi
-			user_path="$withval"
-			SERVER_PATH_MSG="$withval"
-		fi
-	],
-	[ if test "x$external_path_file" = "x/etc/login.conf" ; then
-		AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf])
-	else
-		if test ! -z "$external_path_file" ; then
-			AC_MSG_WARN([
-If PATH is defined in $external_path_file, ensure the path to scp is included,
-otherwise scp will not work.])
-		fi
-		AC_RUN_IFELSE(
-			[AC_LANG_SOURCE([[
-/* find out what STDPATH is */
-#include <stdio.h>
-#ifdef HAVE_PATHS_H
-# include <paths.h>
-#endif
-#ifndef _PATH_STDPATH
-# ifdef _PATH_USERPATH	/* Irix */
-#  define _PATH_STDPATH _PATH_USERPATH
-# else
-#  define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
-# endif
-#endif
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#define DATA "conftest.stdpath"
-
-main()
-{
-	FILE *fd;
-	int rc;
-
-	fd = fopen(DATA,"w");
-	if(fd == NULL)
-		exit(1);
-
-	if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0)
-		exit(1);
-
-	exit(0);
-}
-		]])],
-		[ user_path=`cat conftest.stdpath` ],
-		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ],
-		[ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ]
-	)
-# make sure $bindir is in USER_PATH so scp will work
-		t_bindir=`eval echo ${bindir}`
-		case $t_bindir in
-			NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$prefix~"` ;;
-		esac
-		case $t_bindir in
-			NONE/*) t_bindir=`echo $t_bindir | sed "s~NONE~$ac_default_prefix~"` ;;
-		esac
-		echo $user_path | grep ":$t_bindir"  > /dev/null 2>&1
-		if test $? -ne 0  ; then
-			echo $user_path | grep "^$t_bindir"  > /dev/null 2>&1
-			if test $? -ne 0  ; then
-				user_path=$user_path:$t_bindir
-				AC_MSG_RESULT(Adding $t_bindir to USER_PATH so scp will work)
-			fi
-		fi
-	fi ]
-)
-if test "x$external_path_file" != "x/etc/login.conf" ; then
-	AC_DEFINE_UNQUOTED(USER_PATH, "$user_path", [Specify default $PATH])
-	AC_SUBST(user_path)
-fi
-
-# Set superuser path separately to user path
-AC_ARG_WITH(superuser-path,
-	[  --with-superuser-path=  Specify different path for super-user],
-	[
-		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
-		    test "x${withval}" != "xyes"; then
-			AC_DEFINE_UNQUOTED(SUPERUSER_PATH, "$withval",
-				[Define if you want a different $PATH
-				for the superuser])
-			superuser_path=$withval
-		fi
-	]
-)
-
-
-AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses])
-IPV4_IN6_HACK_MSG="no"
-AC_ARG_WITH(4in6,
-	[  --with-4in6             Check for and convert IPv4 in IPv6 mapped addresses],
-	[
-		if test "x$withval" != "xno" ; then
-			AC_MSG_RESULT(yes)
-			AC_DEFINE(IPV4_IN_IPV6, 1,
-				[Detect IPv4 in IPv6 mapped addresses
-				and treat as IPv4])
-			IPV4_IN6_HACK_MSG="yes"
-		else
-			AC_MSG_RESULT(no)
-		fi
-	],[
-		if test "x$inet6_default_4in6" = "xyes"; then
-			AC_MSG_RESULT([yes (default)])
-			AC_DEFINE(IPV4_IN_IPV6)
-			IPV4_IN6_HACK_MSG="yes"
-		else
-			AC_MSG_RESULT([no (default)])
-		fi
-	]
-)
-
-# Whether to enable BSD auth support
-BSD_AUTH_MSG=no
-AC_ARG_WITH(bsd-auth,
-	[  --with-bsd-auth         Enable BSD auth support],
-	[
-		if test "x$withval" != "xno" ; then
-			AC_DEFINE(BSD_AUTH, 1,
-				[Define if you have BSD auth support])
-			BSD_AUTH_MSG=yes
-		fi
-	]
-)
-
-# Where to place sshd.pid
-piddir=/var/run
-# make sure the directory exists
-if test ! -d $piddir ; then
-	piddir=`eval echo ${sysconfdir}`
-	case $piddir in
-		NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
-	esac
-fi
-
-AC_ARG_WITH(pid-dir,
-	[  --with-pid-dir=PATH     Specify location of ssh.pid file],
-	[
-		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
-		    test "x${withval}" != "xyes"; then
-			piddir=$withval
-			if test ! -d $piddir ; then
-			AC_MSG_WARN([** no $piddir directory on this system **])
-			fi
-		fi
-	]
-)
-
-AC_DEFINE_UNQUOTED(_PATH_SSH_PIDDIR, "$piddir", [Specify location of ssh.pid])
-AC_SUBST(piddir)
-
-dnl allow user to disable some login recording features
-AC_ARG_ENABLE(lastlog,
-	[  --disable-lastlog       disable use of lastlog even if detected [no]],
-	[
-		if test "x$enableval" = "xno" ; then
-			AC_DEFINE(DISABLE_LASTLOG)
-		fi
-	]
-)
-AC_ARG_ENABLE(utmp,
-	[  --disable-utmp          disable use of utmp even if detected [no]],
-	[
-		if test "x$enableval" = "xno" ; then
-			AC_DEFINE(DISABLE_UTMP)
-		fi
-	]
-)
-AC_ARG_ENABLE(utmpx,
-	[  --disable-utmpx         disable use of utmpx even if detected [no]],
-	[
-		if test "x$enableval" = "xno" ; then
-			AC_DEFINE(DISABLE_UTMPX, 1,
-				[Define if you don't want to use utmpx])
-		fi
-	]
-)
-AC_ARG_ENABLE(wtmp,
-	[  --disable-wtmp          disable use of wtmp even if detected [no]],
-	[
-		if test "x$enableval" = "xno" ; then
-			AC_DEFINE(DISABLE_WTMP)
-		fi
-	]
-)
-AC_ARG_ENABLE(wtmpx,
-	[  --disable-wtmpx         disable use of wtmpx even if detected [no]],
-	[
-		if test "x$enableval" = "xno" ; then
-			AC_DEFINE(DISABLE_WTMPX, 1,
-				[Define if you don't want to use wtmpx])
-		fi
-	]
-)
-AC_ARG_ENABLE(libutil,
-	[  --disable-libutil       disable use of libutil (login() etc.) [no]],
-	[
-		if test "x$enableval" = "xno" ; then
-			AC_DEFINE(DISABLE_LOGIN)
-		fi
-	]
-)
-AC_ARG_ENABLE(pututline,
-	[  --disable-pututline     disable use of pututline() etc. ([uw]tmp) [no]],
-	[
-		if test "x$enableval" = "xno" ; then
-			AC_DEFINE(DISABLE_PUTUTLINE, 1,
-				[Define if you don't want to use pututline()
-				etc. to write [uw]tmp])
-		fi
-	]
-)
-AC_ARG_ENABLE(pututxline,
-	[  --disable-pututxline    disable use of pututxline() etc. ([uw]tmpx) [no]],
-	[
-		if test "x$enableval" = "xno" ; then
-			AC_DEFINE(DISABLE_PUTUTXLINE, 1,
-				[Define if you don't want to use pututxline()
-				etc. to write [uw]tmpx])
-		fi
-	]
-)
-AC_ARG_WITH(lastlog,
-  [  --with-lastlog=FILE|DIR specify lastlog location [common locations]],
-	[
-		if test "x$withval" = "xno" ; then
-			AC_DEFINE(DISABLE_LASTLOG)
-		elif test -n "$withval"  &&  test "x${withval}" != "xyes"; then
-			conf_lastlog_location=$withval
-		fi
-	]
-)
-
-dnl lastlog, [uw]tmpx? detection
-dnl  NOTE: set the paths in the platform section to avoid the
-dnl   need for command-line parameters
-dnl lastlog and [uw]tmp are subject to a file search if all else fails
-
-dnl lastlog detection
-dnl  NOTE: the code itself will detect if lastlog is a directory
-AC_MSG_CHECKING([if your system defines LASTLOG_FILE])
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <utmp.h>
-#ifdef HAVE_LASTLOG_H
-#  include <lastlog.h>
-#endif
-#ifdef HAVE_PATHS_H
-#  include <paths.h>
-#endif
-#ifdef HAVE_LOGIN_H
-# include <login.h>
-#endif
-	],
-	[ char *lastlog = LASTLOG_FILE; ],
-	[ AC_MSG_RESULT(yes) ],
-	[
-		AC_MSG_RESULT(no)
-		AC_MSG_CHECKING([if your system defines _PATH_LASTLOG])
-		AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <utmp.h>
-#ifdef HAVE_LASTLOG_H
-#  include <lastlog.h>
-#endif
-#ifdef HAVE_PATHS_H
-#  include <paths.h>
-#endif
-		],
-		[ char *lastlog = _PATH_LASTLOG; ],
-		[ AC_MSG_RESULT(yes) ],
-		[
-			AC_MSG_RESULT(no)
-			system_lastlog_path=no
-		])
-	]
-)
-
-if test -z "$conf_lastlog_location"; then
-	if test x"$system_lastlog_path" = x"no" ; then
-		for f in /var/log/lastlog /usr/adm/lastlog /var/adm/lastlog /etc/security/lastlog ; do
-				if (test -d "$f" || test -f "$f") ; then
-					conf_lastlog_location=$f
-				fi
-		done
-		if test -z "$conf_lastlog_location"; then
-			AC_MSG_WARN([** Cannot find lastlog **])
-			dnl Don't define DISABLE_LASTLOG - that means we don't try wtmp/wtmpx
-		fi
-	fi
-fi
-
-if test -n "$conf_lastlog_location"; then
-	AC_DEFINE_UNQUOTED(CONF_LASTLOG_FILE, "$conf_lastlog_location",
-		[Define if you want to specify the path to your lastlog file])
-fi
-
-dnl utmp detection
-AC_MSG_CHECKING([if your system defines UTMP_FILE])
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <utmp.h>
-#ifdef HAVE_PATHS_H
-#  include <paths.h>
-#endif
-	],
-	[ char *utmp = UTMP_FILE; ],
-	[ AC_MSG_RESULT(yes) ],
-	[ AC_MSG_RESULT(no)
-	  system_utmp_path=no ]
-)
-if test -z "$conf_utmp_location"; then
-	if test x"$system_utmp_path" = x"no" ; then
-		for f in /etc/utmp /usr/adm/utmp /var/run/utmp; do
-			if test -f $f ; then
-				conf_utmp_location=$f
-			fi
-		done
-		if test -z "$conf_utmp_location"; then
-			AC_DEFINE(DISABLE_UTMP)
-		fi
-	fi
-fi
-if test -n "$conf_utmp_location"; then
-	AC_DEFINE_UNQUOTED(CONF_UTMP_FILE, "$conf_utmp_location",
-		[Define if you want to specify the path to your utmp file])
-fi
-
-dnl wtmp detection
-AC_MSG_CHECKING([if your system defines WTMP_FILE])
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <utmp.h>
-#ifdef HAVE_PATHS_H
-#  include <paths.h>
-#endif
-	],
-	[ char *wtmp = WTMP_FILE; ],
-	[ AC_MSG_RESULT(yes) ],
-	[ AC_MSG_RESULT(no)
-	  system_wtmp_path=no ]
-)
-if test -z "$conf_wtmp_location"; then
-	if test x"$system_wtmp_path" = x"no" ; then
-		for f in /usr/adm/wtmp /var/log/wtmp; do
-			if test -f $f ; then
-				conf_wtmp_location=$f
-			fi
-		done
-		if test -z "$conf_wtmp_location"; then
-			AC_DEFINE(DISABLE_WTMP)
-		fi
-	fi
-fi
-if test -n "$conf_wtmp_location"; then
-	AC_DEFINE_UNQUOTED(CONF_WTMP_FILE, "$conf_wtmp_location",
-		[Define if you want to specify the path to your wtmp file])
-fi
-
-
-dnl utmpx detection - I don't know any system so perverse as to require
-dnl  utmpx, but not define UTMPX_FILE (ditto wtmpx.) No doubt it's out
-dnl  there, though.
-AC_MSG_CHECKING([if your system defines UTMPX_FILE])
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <utmp.h>
-#ifdef HAVE_UTMPX_H
-#include <utmpx.h>
-#endif
-#ifdef HAVE_PATHS_H
-#  include <paths.h>
-#endif
-	],
-	[ char *utmpx = UTMPX_FILE; ],
-	[ AC_MSG_RESULT(yes) ],
-	[ AC_MSG_RESULT(no)
-	  system_utmpx_path=no ]
-)
-if test -z "$conf_utmpx_location"; then
-	if test x"$system_utmpx_path" = x"no" ; then
-		AC_DEFINE(DISABLE_UTMPX)
-	fi
-else
-	AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location",
-		[Define if you want to specify the path to your utmpx file])
-fi
-
-dnl wtmpx detection
-AC_MSG_CHECKING([if your system defines WTMPX_FILE])
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <utmp.h>
-#ifdef HAVE_UTMPX_H
-#include <utmpx.h>
-#endif
-#ifdef HAVE_PATHS_H
-#  include <paths.h>
-#endif
-	],
-	[ char *wtmpx = WTMPX_FILE; ],
-	[ AC_MSG_RESULT(yes) ],
-	[ AC_MSG_RESULT(no)
-	  system_wtmpx_path=no ]
-)
-if test -z "$conf_wtmpx_location"; then
-	if test x"$system_wtmpx_path" = x"no" ; then
-		AC_DEFINE(DISABLE_WTMPX)
-	fi
-else
-	AC_DEFINE_UNQUOTED(CONF_WTMPX_FILE, "$conf_wtmpx_location",
-		[Define if you want to specify the path to your wtmpx file])
-fi
-
-
-if test ! -z "$blibpath" ; then
-	LDFLAGS="$LDFLAGS $blibflags$blibpath"
-	AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
-fi
-
-dnl Adding -Werror to CFLAGS early prevents configure tests from running.
-dnl Add now.
-CFLAGS="$CFLAGS $werror_flags"
-
-AC_EXEEXT
-AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
-	openbsd-compat/Makefile openbsd-compat/regress/Makefile \
-	scard/Makefile ssh_prng_cmds survey.sh])
-AC_OUTPUT
-
-# Print summary of options
-
-# Someone please show me a better way :)
-A=`eval echo ${prefix}` ; A=`eval echo ${A}`
-B=`eval echo ${bindir}` ; B=`eval echo ${B}`
-C=`eval echo ${sbindir}` ; C=`eval echo ${C}`
-D=`eval echo ${sysconfdir}` ; D=`eval echo ${D}`
-E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}`
-F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}`
-G=`eval echo ${piddir}` ; G=`eval echo ${G}`
-H=`eval echo ${PRIVSEP_PATH}` ; H=`eval echo ${H}`
-I=`eval echo ${user_path}` ; I=`eval echo ${I}`
-J=`eval echo ${superuser_path}` ; J=`eval echo ${J}`
-
-echo ""
-echo "OpenSSH has been configured with the following options:"
-echo "                     User binaries: $B"
-echo "                   System binaries: $C"
-echo "               Configuration files: $D"
-echo "                   Askpass program: $E"
-echo "                      Manual pages: $F"
-echo "                          PID file: $G"
-echo "  Privilege separation chroot path: $H"
-if test "x$external_path_file" = "x/etc/login.conf" ; then
-echo "   At runtime, sshd will use the path defined in $external_path_file"
-echo "   Make sure the path to scp is present, otherwise scp will not work"
-else
-echo "            sshd default user PATH: $I"
-	if test ! -z "$external_path_file"; then
-echo "   (If PATH is set in $external_path_file it will be used instead. If"
-echo "   used, ensure the path to scp is present, otherwise scp will not work.)"
-	fi
-fi
-if test ! -z "$superuser_path" ; then
-echo "          sshd superuser user PATH: $J"
-fi
-echo "                    Manpage format: $MANTYPE"
-echo "                       PAM support: $PAM_MSG"
-echo "                   OSF SIA support: $SIA_MSG"
-echo "                 KerberosV support: $KRB5_MSG"
-echo "                   SELinux support: $SELINUX_MSG"
-echo "                 Smartcard support: $SCARD_MSG"
-echo "                     S/KEY support: $SKEY_MSG"
-echo "              TCP Wrappers support: $TCPW_MSG"
-echo "              MD5 password support: $MD5_MSG"
-echo "                   libedit support: $LIBEDIT_MSG"
-echo "  Solaris process contract support: $SPC_MSG"
-echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
-echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
-echo "                  BSD Auth support: $BSD_AUTH_MSG"
-echo "              Random number source: $RAND_MSG"
-if test ! -z "$USE_RAND_HELPER" ; then
-echo "     ssh-rand-helper collects from: $RAND_HELPER_MSG"
-fi
-
-echo ""
-
-echo "              Host: ${host}"
-echo "          Compiler: ${CC}"
-echo "    Compiler flags: ${CFLAGS}"
-echo "Preprocessor flags: ${CPPFLAGS}"
-echo "      Linker flags: ${LDFLAGS}"
-echo "         Libraries: ${LIBWRAP} ${LIBPAM} ${LIBS}"
-
-echo ""
-
-if test "x$MAKE_PACKAGE_SUPPORTED" = "xyes" ; then
-	echo "SVR4 style packages are supported with \"make package\""
-	echo ""
-fi
-
-if test "x$PAM_MSG" = "xyes" ; then
-	echo "PAM is enabled. You may need to install a PAM control file "
-	echo "for sshd, otherwise password authentication may fail. "
-	echo "Example PAM control files can be found in the contrib/ "
-	echo "subdirectory"
-	echo ""
-fi
-
-if test ! -z "$RAND_HELPER_CMDHASH" ; then
-	echo "WARNING: you are using the builtin random number collection "
-	echo "service. Please read WARNING.RNG and request that your OS "
-	echo "vendor includes kernel-based random number collection in "
-	echo "future versions of your OS."
-	echo ""
-fi
-
-if test ! -z "$NO_PEERCHECK" ; then
-	echo "WARNING: the operating system that you are using does not "
-	echo "appear to support either the getpeereid() API nor the "
-	echo "SO_PEERCRED getsockopt() option. These facilities are used to "
-	echo "enforce security checks to prevent unauthorised connections to "
-	echo "ssh-agent. Their absence increases the risk that a malicious "
-	echo "user can connect to your agent. "
-	echo ""
-fi
-
-if test "$AUDIT_MODULE" = "bsm" ; then
-	echo "WARNING: BSM audit support is currently considered EXPERIMENTAL."
-	echo "See the Solaris section in README.platform for details."
-fi
diff --git a/crypto/openssh/crc32.c b/crypto/openssh/crc32.c
deleted file mode 100644
index c192eb4..0000000
--- a/crypto/openssh/crc32.c
+++ /dev/null
@@ -1,105 +0,0 @@
-/* $OpenBSD: crc32.c,v 1.11 2006/04/22 18:29:33 stevesk Exp $ */
-
-/*
- * Copyright (c) 2003 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-#include "includes.h"
-#include "crc32.h"
-
-static const u_int32_t crc32tab[] = {
-	0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL,
-	0x076dc419L, 0x706af48fL, 0xe963a535L, 0x9e6495a3L,
-	0x0edb8832L, 0x79dcb8a4L, 0xe0d5e91eL, 0x97d2d988L,
-	0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L, 0x90bf1d91L,
-	0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL,
-	0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L,
-	0x136c9856L, 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL,
-	0x14015c4fL, 0x63066cd9L, 0xfa0f3d63L, 0x8d080df5L,
-	0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L, 0xa2677172L,
-	0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL,
-	0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L,
-	0x32d86ce3L, 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L,
-	0x26d930acL, 0x51de003aL, 0xc8d75180L, 0xbfd06116L,
-	0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L, 0xb8bda50fL,
-	0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L,
-	0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL,
-	0x76dc4190L, 0x01db7106L, 0x98d220bcL, 0xefd5102aL,
-	0x71b18589L, 0x06b6b51fL, 0x9fbfe4a5L, 0xe8b8d433L,
-	0x7807c9a2L, 0x0f00f934L, 0x9609a88eL, 0xe10e9818L,
-	0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L,
-	0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL,
-	0x6c0695edL, 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L,
-	0x65b0d9c6L, 0x12b7e950L, 0x8bbeb8eaL, 0xfcb9887cL,
-	0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L, 0xfbd44c65L,
-	0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L,
-	0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL,
-	0x4369e96aL, 0x346ed9fcL, 0xad678846L, 0xda60b8d0L,
-	0x44042d73L, 0x33031de5L, 0xaa0a4c5fL, 0xdd0d7cc9L,
-	0x5005713cL, 0x270241aaL, 0xbe0b1010L, 0xc90c2086L,
-	0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL,
-	0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L,
-	0x59b33d17L, 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL,
-	0xedb88320L, 0x9abfb3b6L, 0x03b6e20cL, 0x74b1d29aL,
-	0xead54739L, 0x9dd277afL, 0x04db2615L, 0x73dc1683L,
-	0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L,
-	0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L,
-	0xf00f9344L, 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL,
-	0xf762575dL, 0x806567cbL, 0x196c3671L, 0x6e6b06e7L,
-	0xfed41b76L, 0x89d32be0L, 0x10da7a5aL, 0x67dd4accL,
-	0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L,
-	0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L,
-	0xd1bb67f1L, 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL,
-	0xd80d2bdaL, 0xaf0a1b4cL, 0x36034af6L, 0x41047a60L,
-	0xdf60efc3L, 0xa867df55L, 0x316e8eefL, 0x4669be79L,
-	0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L,
-	0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL,
-	0xc5ba3bbeL, 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L,
-	0xc2d7ffa7L, 0xb5d0cf31L, 0x2cd99e8bL, 0x5bdeae1dL,
-	0x9b64c2b0L, 0xec63f226L, 0x756aa39cL, 0x026d930aL,
-	0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L,
-	0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L,
-	0x92d28e9bL, 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L,
-	0x86d3d2d4L, 0xf1d4e242L, 0x68ddb3f8L, 0x1fda836eL,
-	0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L, 0x18b74777L,
-	0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL,
-	0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L,
-	0xa00ae278L, 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L,
-	0xa7672661L, 0xd06016f7L, 0x4969474dL, 0x3e6e77dbL,
-	0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L, 0x37d83bf0L,
-	0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L,
-	0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L,
-	0xbad03605L, 0xcdd70693L, 0x54de5729L, 0x23d967bfL,
-	0xb3667a2eL, 0xc4614ab8L, 0x5d681b02L, 0x2a6f2b94L,
-	0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL, 0x2d02ef8dL
-};
-
-u_int32_t
-ssh_crc32(const u_char *buf, u_int32_t size)
-{
-	u_int32_t i, crc;
-
-	crc = 0;
-	for (i = 0; i < size; i++)
-		crc = crc32tab[(crc ^ buf[i]) & 0xff] ^ (crc >> 8);
-	return crc;
-}
diff --git a/crypto/openssh/crc32.h b/crypto/openssh/crc32.h
deleted file mode 100644
index 5d7131a..0000000
--- a/crypto/openssh/crc32.h
+++ /dev/null
@@ -1,30 +0,0 @@
-/* $OpenBSD: crc32.h,v 1.15 2006/03/25 22:22:43 djm Exp $ */
-
-/*
- * Copyright (c) 2003 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef SSH_CRC32_H
-#define SSH_CRC32_H
-u_int32_t	 ssh_crc32(const u_char *, u_int32_t);
-#endif
diff --git a/crypto/openssh/deattack.c b/crypto/openssh/deattack.c
deleted file mode 100644
index 1b37e4d..0000000
--- a/crypto/openssh/deattack.c
+++ /dev/null
@@ -1,160 +0,0 @@
-/* $OpenBSD: deattack.c,v 1.30 2006/09/16 19:53:37 djm Exp $ */
-/*
- * Cryptographic attack detector for ssh - source code
- *
- * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina.
- *
- * All rights reserved. Redistribution and use in source and binary
- * forms, with or without modification, are permitted provided that
- * this copyright notice is retained.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
- * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS
- * SOFTWARE.
- *
- * Ariel Futoransky <futo@core-sdi.com>
- * <http://www.core-sdi.com>
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <string.h>
-#include <stdio.h>
-#include <stdarg.h>
-
-#include "xmalloc.h"
-#include "deattack.h"
-#include "log.h"
-#include "crc32.h"
-#include "misc.h"
-
-/*
- * CRC attack detection has a worst-case behaviour that is O(N^3) over
- * the number of identical blocks in a packet. This behaviour can be 
- * exploited to create a limited denial of service attack. 
- * 
- * However, because we are dealing with encrypted data, identical
- * blocks should only occur every 2^35 maximally-sized packets or so. 
- * Consequently, we can detect this DoS by looking for identical blocks
- * in a packet.
- *
- * The parameter below determines how many identical blocks we will
- * accept in a single packet, trading off between attack detection and
- * likelihood of terminating a legitimate connection. A value of 32 
- * corresponds to an average of 2^40 messages before an attack is
- * misdetected
- */
-#define MAX_IDENTICAL	32
-
-/* SSH Constants */
-#define SSH_MAXBLOCKS	(32 * 1024)
-#define SSH_BLOCKSIZE	(8)
-
-/* Hashing constants */
-#define HASH_MINSIZE	(8 * 1024)
-#define HASH_ENTRYSIZE	(2)
-#define HASH_FACTOR(x)	((x)*3/2)
-#define HASH_UNUSEDCHAR	(0xff)
-#define HASH_UNUSED	(0xffff)
-#define HASH_IV		(0xfffe)
-
-#define HASH_MINBLOCKS	(7*SSH_BLOCKSIZE)
-
-
-/* Hash function (Input keys are cipher results) */
-#define HASH(x)		get_u32(x)
-
-#define CMP(a, b)	(memcmp(a, b, SSH_BLOCKSIZE))
-
-static void
-crc_update(u_int32_t *a, u_int32_t b)
-{
-	b ^= *a;
-	*a = ssh_crc32((u_char *)&b, sizeof(b));
-}
-
-/* detect if a block is used in a particular pattern */
-static int
-check_crc(u_char *S, u_char *buf, u_int32_t len)
-{
-	u_int32_t crc;
-	u_char *c;
-
-	crc = 0;
-	for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {
-		if (!CMP(S, c)) {
-			crc_update(&crc, 1);
-			crc_update(&crc, 0);
-		} else {
-			crc_update(&crc, 0);
-			crc_update(&crc, 0);
-		}
-	}
-	return (crc == 0);
-}
-
-
-/* Detect a crc32 compensation attack on a packet */
-int
-detect_attack(u_char *buf, u_int32_t len)
-{
-	static u_int16_t *h = (u_int16_t *) NULL;
-	static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
-	u_int32_t i, j;
-	u_int32_t l, same;
-	u_char *c;
-	u_char *d;
-
-	if (len > (SSH_MAXBLOCKS * SSH_BLOCKSIZE) ||
-	    len % SSH_BLOCKSIZE != 0) {
-		fatal("detect_attack: bad length %d", len);
-	}
-	for (l = n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l = l << 2)
-		;
-
-	if (h == NULL) {
-		debug("Installing crc compensation attack detector.");
-		h = (u_int16_t *) xcalloc(l, HASH_ENTRYSIZE);
-		n = l;
-	} else {
-		if (l > n) {
-			h = (u_int16_t *)xrealloc(h, l, HASH_ENTRYSIZE);
-			n = l;
-		}
-	}
-
-	if (len <= HASH_MINBLOCKS) {
-		for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {
-			for (d = buf; d < c; d += SSH_BLOCKSIZE) {
-				if (!CMP(c, d)) {
-					if ((check_crc(c, buf, len)))
-						return (DEATTACK_DETECTED);
-					else
-						break;
-				}
-			}
-		}
-		return (DEATTACK_OK);
-	}
-	memset(h, HASH_UNUSEDCHAR, n * HASH_ENTRYSIZE);
-
-	for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
-		for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;
-		    i = (i + 1) & (n - 1)) {
-			if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) {
-				if (++same > MAX_IDENTICAL)
-					return (DEATTACK_DOS_DETECTED);
-				if (check_crc(c, buf, len))
-					return (DEATTACK_DETECTED);
-				else
-					break;
-			}
-		}
-		h[i] = j;
-	}
-	return (DEATTACK_OK);
-}
diff --git a/crypto/openssh/deattack.h b/crypto/openssh/deattack.h
deleted file mode 100644
index 0316fb2..0000000
--- a/crypto/openssh/deattack.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/* $OpenBSD: deattack.h,v 1.10 2006/09/16 19:53:37 djm Exp $ */
-
-/*
- * Cryptographic attack detector for ssh - Header file
- *
- * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina.
- *
- * All rights reserved. Redistribution and use in source and binary
- * forms, with or without modification, are permitted provided that
- * this copyright notice is retained.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
- * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS
- * SOFTWARE.
- *
- * Ariel Futoransky <futo@core-sdi.com>
- * <http://www.core-sdi.com>
- */
-
-#ifndef _DEATTACK_H
-#define _DEATTACK_H
-
-/* Return codes */
-#define DEATTACK_OK		0
-#define DEATTACK_DETECTED	1
-#define DEATTACK_DOS_DETECTED	2
-
-int	 detect_attack(u_char *, u_int32_t);
-#endif
diff --git a/crypto/openssh/defines.h b/crypto/openssh/defines.h
deleted file mode 100644
index 8a4e2c7..0000000
--- a/crypto/openssh/defines.h
+++ /dev/null
@@ -1,732 +0,0 @@
-/*
- * Copyright (c) 1999-2003 Damien Miller.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef _DEFINES_H
-#define _DEFINES_H
-
-/* $Id: defines.h,v 1.138 2006/09/21 13:13:30 dtucker Exp $ */
-
-
-/* Constants */
-
-#if defined(HAVE_DECL_SHUT_RD) && HAVE_DECL_SHUT_RD == 0
-enum
-{
-  SHUT_RD = 0,		/* No more receptions.  */
-  SHUT_WR,			/* No more transmissions.  */
-  SHUT_RDWR			/* No more receptions or transmissions.  */
-};
-# define SHUT_RD   SHUT_RD
-# define SHUT_WR   SHUT_WR
-# define SHUT_RDWR SHUT_RDWR
-#endif
-
-#ifndef IPTOS_LOWDELAY
-# define IPTOS_LOWDELAY          0x10
-# define IPTOS_THROUGHPUT        0x08
-# define IPTOS_RELIABILITY       0x04
-# define IPTOS_LOWCOST           0x02
-# define IPTOS_MINCOST           IPTOS_LOWCOST
-#endif /* IPTOS_LOWDELAY */
-
-#ifndef MAXPATHLEN
-# ifdef PATH_MAX
-#  define MAXPATHLEN PATH_MAX
-# else /* PATH_MAX */
-#  define MAXPATHLEN 64
-/* realpath uses a fixed buffer of size MAXPATHLEN, so force use of ours */
-#  ifndef BROKEN_REALPATH
-#   define BROKEN_REALPATH 1
-#  endif /* BROKEN_REALPATH */
-# endif /* PATH_MAX */
-#endif /* MAXPATHLEN */
-
-#ifndef PATH_MAX
-# ifdef _POSIX_PATH_MAX
-# define PATH_MAX _POSIX_PATH_MAX
-# endif
-#endif
-
-#ifndef MAXSYMLINKS
-# define MAXSYMLINKS 5
-#endif
-
-#ifndef STDIN_FILENO
-# define STDIN_FILENO    0
-#endif
-#ifndef STDOUT_FILENO
-# define STDOUT_FILENO   1
-#endif
-#ifndef STDERR_FILENO
-# define STDERR_FILENO   2
-#endif
-
-#ifndef NGROUPS_MAX	/* Disable groupaccess if NGROUP_MAX is not set */
-#ifdef NGROUPS
-#define NGROUPS_MAX NGROUPS
-#else
-#define NGROUPS_MAX 0
-#endif
-#endif
-
-#if defined(HAVE_DECL_O_NONBLOCK) && HAVE_DECL_O_NONBLOCK == 0
-# define O_NONBLOCK      00004	/* Non Blocking Open */
-#endif
-
-#ifndef S_ISDIR
-# define S_ISDIR(mode)	(((mode) & (_S_IFMT)) == (_S_IFDIR))
-#endif /* S_ISDIR */
-
-#ifndef S_ISREG
-# define S_ISREG(mode)	(((mode) & (_S_IFMT)) == (_S_IFREG))
-#endif /* S_ISREG */
-
-#ifndef S_ISLNK
-# define S_ISLNK(mode)	(((mode) & S_IFMT) == S_IFLNK)
-#endif /* S_ISLNK */
-
-#ifndef S_IXUSR
-# define S_IXUSR			0000100	/* execute/search permission, */
-# define S_IXGRP			0000010	/* execute/search permission, */
-# define S_IXOTH			0000001	/* execute/search permission, */
-# define _S_IWUSR			0000200	/* write permission, */
-# define S_IWUSR			_S_IWUSR	/* write permission, owner */
-# define S_IWGRP			0000020	/* write permission, group */
-# define S_IWOTH			0000002	/* write permission, other */
-# define S_IRUSR			0000400	/* read permission, owner */
-# define S_IRGRP			0000040	/* read permission, group */
-# define S_IROTH			0000004	/* read permission, other */
-# define S_IRWXU			0000700	/* read, write, execute */
-# define S_IRWXG			0000070	/* read, write, execute */
-# define S_IRWXO			0000007	/* read, write, execute */
-#endif /* S_IXUSR */
-
-#if !defined(MAP_ANON) && defined(MAP_ANONYMOUS)
-#define MAP_ANON MAP_ANONYMOUS
-#endif
-
-#ifndef MAP_FAILED
-# define MAP_FAILED ((void *)-1)
-#endif
-
-/* *-*-nto-qnx doesn't define this constant in the system headers */
-#ifdef MISSING_NFDBITS
-# define	NFDBITS (8 * sizeof(unsigned long))
-#endif
-
-/*
-SCO Open Server 3 has INADDR_LOOPBACK defined in rpc/rpc.h but
-including rpc/rpc.h breaks Solaris 6
-*/
-#ifndef INADDR_LOOPBACK
-#define INADDR_LOOPBACK ((u_long)0x7f000001)
-#endif
-
-/* Types */
-
-/* If sys/types.h does not supply intXX_t, supply them ourselves */
-/* (or die trying) */
-
-#ifndef HAVE_U_INT
-typedef unsigned int u_int;
-#endif
-
-#ifndef HAVE_INTXX_T
-# if (SIZEOF_CHAR == 1)
-typedef char int8_t;
-# else
-#  error "8 bit int type not found."
-# endif
-# if (SIZEOF_SHORT_INT == 2)
-typedef short int int16_t;
-# else
-#  ifdef _UNICOS
-#   if (SIZEOF_SHORT_INT == 4)
-typedef short int16_t;
-#   else
-typedef long  int16_t;
-#   endif
-#  else
-#   error "16 bit int type not found."
-#  endif /* _UNICOS */
-# endif
-# if (SIZEOF_INT == 4)
-typedef int int32_t;
-# else
-#  ifdef _UNICOS
-typedef long  int32_t;
-#  else
-#   error "32 bit int type not found."
-#  endif /* _UNICOS */
-# endif
-#endif
-
-/* If sys/types.h does not supply u_intXX_t, supply them ourselves */
-#ifndef HAVE_U_INTXX_T
-# ifdef HAVE_UINTXX_T
-typedef uint8_t u_int8_t;
-typedef uint16_t u_int16_t;
-typedef uint32_t u_int32_t;
-# define HAVE_U_INTXX_T 1
-# else
-#  if (SIZEOF_CHAR == 1)
-typedef unsigned char u_int8_t;
-#  else
-#   error "8 bit int type not found."
-#  endif
-#  if (SIZEOF_SHORT_INT == 2)
-typedef unsigned short int u_int16_t;
-#  else
-#   ifdef _UNICOS
-#    if (SIZEOF_SHORT_INT == 4)
-typedef unsigned short u_int16_t;
-#    else
-typedef unsigned long  u_int16_t;
-#    endif
-#   else
-#    error "16 bit int type not found."
-#   endif
-#  endif
-#  if (SIZEOF_INT == 4)
-typedef unsigned int u_int32_t;
-#  else
-#   ifdef _UNICOS
-typedef unsigned long  u_int32_t;
-#   else
-#    error "32 bit int type not found."
-#   endif
-#  endif
-# endif
-#define __BIT_TYPES_DEFINED__
-#endif
-
-/* 64-bit types */
-#ifndef HAVE_INT64_T
-# if (SIZEOF_LONG_INT == 8)
-typedef long int int64_t;
-# else
-#  if (SIZEOF_LONG_LONG_INT == 8)
-typedef long long int int64_t;
-#  endif
-# endif
-#endif
-#ifndef HAVE_U_INT64_T
-# if (SIZEOF_LONG_INT == 8)
-typedef unsigned long int u_int64_t;
-# else
-#  if (SIZEOF_LONG_LONG_INT == 8)
-typedef unsigned long long int u_int64_t;
-#  endif
-# endif
-#endif
-
-#ifndef HAVE_U_CHAR
-typedef unsigned char u_char;
-# define HAVE_U_CHAR
-#endif /* HAVE_U_CHAR */
-
-#ifndef SIZE_T_MAX
-#define SIZE_T_MAX ULONG_MAX
-#endif /* SIZE_T_MAX */
-
-#ifndef HAVE_SIZE_T
-typedef unsigned int size_t;
-# define HAVE_SIZE_T
-# define SIZE_T_MAX UINT_MAX
-#endif /* HAVE_SIZE_T */
-
-#ifndef HAVE_SSIZE_T
-typedef int ssize_t;
-# define HAVE_SSIZE_T
-#endif /* HAVE_SSIZE_T */
-
-#ifndef HAVE_CLOCK_T
-typedef long clock_t;
-# define HAVE_CLOCK_T
-#endif /* HAVE_CLOCK_T */
-
-#ifndef HAVE_SA_FAMILY_T
-typedef int sa_family_t;
-# define HAVE_SA_FAMILY_T
-#endif /* HAVE_SA_FAMILY_T */
-
-#ifndef HAVE_PID_T
-typedef int pid_t;
-# define HAVE_PID_T
-#endif /* HAVE_PID_T */
-
-#ifndef HAVE_SIG_ATOMIC_T
-typedef int sig_atomic_t;
-# define HAVE_SIG_ATOMIC_T
-#endif /* HAVE_SIG_ATOMIC_T */
-
-#ifndef HAVE_MODE_T
-typedef int mode_t;
-# define HAVE_MODE_T
-#endif /* HAVE_MODE_T */
-
-#if !defined(HAVE_SS_FAMILY_IN_SS) && defined(HAVE___SS_FAMILY_IN_SS)
-# define ss_family __ss_family
-#endif /* !defined(HAVE_SS_FAMILY_IN_SS) && defined(HAVE_SA_FAMILY_IN_SS) */
-
-#ifndef HAVE_SYS_UN_H
-struct	sockaddr_un {
-	short	sun_family;		/* AF_UNIX */
-	char	sun_path[108];		/* path name (gag) */
-};
-#endif /* HAVE_SYS_UN_H */
-
-#ifndef HAVE_IN_ADDR_T
-typedef u_int32_t	in_addr_t;
-#endif
-
-#if defined(BROKEN_SYS_TERMIO_H) && !defined(_STRUCT_WINSIZE)
-#define _STRUCT_WINSIZE
-struct winsize {
-      unsigned short ws_row;          /* rows, in characters */
-      unsigned short ws_col;          /* columns, in character */
-      unsigned short ws_xpixel;       /* horizontal size, pixels */
-      unsigned short ws_ypixel;       /* vertical size, pixels */
-};
-#endif
-
-/* *-*-nto-qnx does not define this type in the system headers */
-#ifdef MISSING_FD_MASK
- typedef unsigned long int	fd_mask;
-#endif
-
-/* Paths */
-
-#ifndef _PATH_BSHELL
-# define _PATH_BSHELL "/bin/sh"
-#endif
-#ifndef _PATH_CSHELL
-# define _PATH_CSHELL "/bin/csh"
-#endif
-#ifndef _PATH_SHELLS
-# define _PATH_SHELLS "/etc/shells"
-#endif
-
-#ifdef USER_PATH
-# ifdef _PATH_STDPATH
-#  undef _PATH_STDPATH
-# endif
-# define _PATH_STDPATH USER_PATH
-#endif
-
-#ifndef _PATH_STDPATH
-# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
-#endif
-
-#ifndef SUPERUSER_PATH
-# define SUPERUSER_PATH	_PATH_STDPATH
-#endif
-
-#ifndef _PATH_DEVNULL
-# define _PATH_DEVNULL "/dev/null"
-#endif
-
-#ifndef MAIL_DIRECTORY
-# define MAIL_DIRECTORY "/var/spool/mail"
-#endif
-
-#ifndef MAILDIR
-# define MAILDIR MAIL_DIRECTORY
-#endif
-
-#if !defined(_PATH_MAILDIR) && defined(MAILDIR)
-# define _PATH_MAILDIR MAILDIR
-#endif /* !defined(_PATH_MAILDIR) && defined(MAILDIR) */
-
-#ifndef _PATH_NOLOGIN
-# define _PATH_NOLOGIN "/etc/nologin"
-#endif
-
-/* Define this to be the path of the xauth program. */
-#ifdef XAUTH_PATH
-#define _PATH_XAUTH XAUTH_PATH
-#endif /* XAUTH_PATH */
-
-/* derived from XF4/xc/lib/dps/Xlibnet.h */
-#ifndef X_UNIX_PATH
-#  ifdef __hpux
-#    define X_UNIX_PATH "/var/spool/sockets/X11/%u"
-#  else
-#    define X_UNIX_PATH "/tmp/.X11-unix/X%u"
-#  endif
-#endif /* X_UNIX_PATH */
-#define _PATH_UNIX_X X_UNIX_PATH
-
-#ifndef _PATH_TTY
-# define _PATH_TTY "/dev/tty"
-#endif
-
-/* Macros */
-
-#if defined(HAVE_LOGIN_GETCAPBOOL) && defined(HAVE_LOGIN_CAP_H)
-# define HAVE_LOGIN_CAP
-#endif
-
-#ifndef MAX
-# define MAX(a,b) (((a)>(b))?(a):(b))
-# define MIN(a,b) (((a)<(b))?(a):(b))
-#endif
-
-#ifndef roundup
-# define roundup(x, y)   ((((x)+((y)-1))/(y))*(y))
-#endif
-
-#ifndef timersub
-#define timersub(a, b, result)					\
-   do {								\
-      (result)->tv_sec = (a)->tv_sec - (b)->tv_sec;		\
-      (result)->tv_usec = (a)->tv_usec - (b)->tv_usec;		\
-      if ((result)->tv_usec < 0) {				\
-	 --(result)->tv_sec;					\
-	 (result)->tv_usec += 1000000;				\
-      }								\
-   } while (0)
-#endif
-
-#ifndef TIMEVAL_TO_TIMESPEC
-#define	TIMEVAL_TO_TIMESPEC(tv, ts) {					\
-	(ts)->tv_sec = (tv)->tv_sec;					\
-	(ts)->tv_nsec = (tv)->tv_usec * 1000;				\
-}
-#endif
-
-#ifndef TIMESPEC_TO_TIMEVAL
-#define	TIMESPEC_TO_TIMEVAL(tv, ts) {					\
-	(tv)->tv_sec = (ts)->tv_sec;					\
-	(tv)->tv_usec = (ts)->tv_nsec / 1000;				\
-}
-#endif
-
-#ifndef __P
-# define __P(x) x
-#endif
-
-#if !defined(IN6_IS_ADDR_V4MAPPED)
-# define IN6_IS_ADDR_V4MAPPED(a) \
-	((((u_int32_t *) (a))[0] == 0) && (((u_int32_t *) (a))[1] == 0) && \
-	 (((u_int32_t *) (a))[2] == htonl (0xffff)))
-#endif /* !defined(IN6_IS_ADDR_V4MAPPED) */
-
-#if !defined(__GNUC__) || (__GNUC__ < 2)
-# define __attribute__(x)
-#endif /* !defined(__GNUC__) || (__GNUC__ < 2) */
-
-#ifndef __dead
-# define __dead	__attribute__((noreturn))
-#endif
-
-#if !defined(HAVE_ATTRIBUTE__SENTINEL__) && !defined(__sentinel__)
-# define __sentinel__
-#endif
-
-#if !defined(HAVE_ATTRIBUTE__BOUNDED__) && !defined(__bounded__)
-# define __bounded__(x, y, z)
-#endif
-
-/* *-*-nto-qnx doesn't define this macro in the system headers */
-#ifdef MISSING_HOWMANY
-# define howmany(x,y)	(((x)+((y)-1))/(y))
-#endif
-
-#ifndef OSSH_ALIGNBYTES
-#define OSSH_ALIGNBYTES	(sizeof(int) - 1)
-#endif
-#ifndef __CMSG_ALIGN
-#define	__CMSG_ALIGN(p) (((u_int)(p) + OSSH_ALIGNBYTES) &~ OSSH_ALIGNBYTES)
-#endif
-
-/* Length of the contents of a control message of length len */
-#ifndef CMSG_LEN
-#define	CMSG_LEN(len)	(__CMSG_ALIGN(sizeof(struct cmsghdr)) + (len))
-#endif
-
-/* Length of the space taken up by a padded control message of length len */
-#ifndef CMSG_SPACE
-#define	CMSG_SPACE(len)	(__CMSG_ALIGN(sizeof(struct cmsghdr)) + __CMSG_ALIGN(len))
-#endif
-
-/* given pointer to struct cmsghdr, return pointer to data */
-#ifndef CMSG_DATA
-#define CMSG_DATA(cmsg) ((u_char *)(cmsg) + __CMSG_ALIGN(sizeof(struct cmsghdr)))
-#endif /* CMSG_DATA */
-
-/*
- * RFC 2292 requires to check msg_controllen, in case that the kernel returns
- * an empty list for some reasons.
- */
-#ifndef CMSG_FIRSTHDR
-#define CMSG_FIRSTHDR(mhdr) \
-	((mhdr)->msg_controllen >= sizeof(struct cmsghdr) ? \
-	 (struct cmsghdr *)(mhdr)->msg_control : \
-	 (struct cmsghdr *)NULL)
-#endif /* CMSG_FIRSTHDR */
-
-#ifndef offsetof
-# define offsetof(type, member) ((size_t) &((type *)0)->member)
-#endif
-
-/* Set up BSD-style BYTE_ORDER definition if it isn't there already */
-/* XXX: doesn't try to cope with strange byte orders (PDP_ENDIAN) */
-#ifndef BYTE_ORDER
-# ifndef LITTLE_ENDIAN
-#  define LITTLE_ENDIAN  1234
-# endif /* LITTLE_ENDIAN */
-# ifndef BIG_ENDIAN
-#  define BIG_ENDIAN     4321
-# endif /* BIG_ENDIAN */
-# ifdef WORDS_BIGENDIAN
-#  define BYTE_ORDER BIG_ENDIAN
-# else /* WORDS_BIGENDIAN */
-#  define BYTE_ORDER LITTLE_ENDIAN
-# endif /* WORDS_BIGENDIAN */
-#endif /* BYTE_ORDER */
-
-/* Function replacement / compatibility hacks */
-
-#if !defined(HAVE_GETADDRINFO) && (defined(HAVE_OGETADDRINFO) || defined(HAVE_NGETADDRINFO))
-# define HAVE_GETADDRINFO
-#endif
-
-#ifndef HAVE_GETOPT_OPTRESET
-# undef getopt
-# undef opterr
-# undef optind
-# undef optopt
-# undef optreset
-# undef optarg
-# define getopt(ac, av, o)  BSDgetopt(ac, av, o)
-# define opterr             BSDopterr
-# define optind             BSDoptind
-# define optopt             BSDoptopt
-# define optreset           BSDoptreset
-# define optarg             BSDoptarg
-#endif
-
-#if defined(BROKEN_GETADDRINFO) && defined(HAVE_GETADDRINFO)
-# undef HAVE_GETADDRINFO
-#endif
-#if defined(BROKEN_GETADDRINFO) && defined(HAVE_FREEADDRINFO)
-# undef HAVE_FREEADDRINFO
-#endif
-#if defined(BROKEN_GETADDRINFO) && defined(HAVE_GAI_STRERROR)
-# undef HAVE_GAI_STRERROR
-#endif
-
-#if defined(BROKEN_UPDWTMPX) && defined(HAVE_UPDWTMPX)
-# undef HAVE_UPDWTMPX
-#endif
-
-#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) && \
-    defined(SYSLOG_R_SAFE_IN_SIGHAND)
-# define DO_LOG_SAFE_IN_SIGHAND
-#endif
-
-#if !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY)
-# define memmove(s1, s2, n) bcopy((s2), (s1), (n))
-#endif /* !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY) */
-
-#if defined(HAVE_VHANGUP) && !defined(HAVE_DEV_PTMX)
-#  define USE_VHANGUP
-#endif /* defined(HAVE_VHANGUP) && !defined(HAVE_DEV_PTMX) */
-
-#ifndef GETPGRP_VOID
-# include <unistd.h>
-# define getpgrp() getpgrp(0)
-#endif
-
-#ifdef USE_BSM_AUDIT
-# define SSH_AUDIT_EVENTS
-# define CUSTOM_SSH_AUDIT_EVENTS
-#endif
-
-/* OPENSSL_free() is Free() in versions before OpenSSL 0.9.6 */
-#if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x0090600f)
-# define OPENSSL_free(x) Free(x)
-#endif
-
-#if !defined(HAVE___func__) && defined(HAVE___FUNCTION__)
-#  define __func__ __FUNCTION__
-#elif !defined(HAVE___func__)
-#  define __func__ ""
-#endif
-
-#if defined(KRB5) && !defined(HEIMDAL)
-#  define krb5_get_err_text(context,code) error_message(code)
-#endif
-
-#if defined(SKEYCHALLENGE_4ARG)
-# define _compat_skeychallenge(a,b,c,d) skeychallenge(a,b,c,d)
-#else
-# define _compat_skeychallenge(a,b,c,d) skeychallenge(a,b,c)
-#endif
-
-/* Maximum number of file descriptors available */
-#ifdef HAVE_SYSCONF
-# define SSH_SYSFDMAX sysconf(_SC_OPEN_MAX)
-#else
-# define SSH_SYSFDMAX 10000
-#endif
-
-#if defined(__Lynx__)
- /*
-  * LynxOS defines these in param.h which we do not want to include since
-  * it will also pull in a bunch of kernel definitions.
-  */
-# define ALIGNBYTES (sizeof(int) - 1)
-# define ALIGN(p) (((unsigned)p + ALIGNBYTES) & ~ALIGNBYTES)
-  /* Missing prototypes on LynxOS */
-  int snprintf (char *, size_t, const char *, ...);
-  int mkstemp (char *);
-  char *crypt (const char *, const char *);
-  int seteuid (uid_t);
-  int setegid (gid_t);
-  char *mkdtemp (char *);
-  int rresvport_af (int *, sa_family_t);
-  int innetgr (const char *, const char *, const char *, const char *);
-#endif
-
-/*
- * Define this to use pipes instead of socketpairs for communicating with the
- * client program.  Socketpairs do not seem to work on all systems.
- *
- * configure.ac sets this for a few OS's which are known to have problems
- * but you may need to set it yourself
- */
-/* #define USE_PIPES 1 */
-
-/**
- ** login recorder definitions
- **/
-
-/* FIXME: put default paths back in */
-#ifndef UTMP_FILE
-#  ifdef _PATH_UTMP
-#    define UTMP_FILE _PATH_UTMP
-#  else
-#    ifdef CONF_UTMP_FILE
-#      define UTMP_FILE CONF_UTMP_FILE
-#    endif
-#  endif
-#endif
-#ifndef WTMP_FILE
-#  ifdef _PATH_WTMP
-#    define WTMP_FILE _PATH_WTMP
-#  else
-#    ifdef CONF_WTMP_FILE
-#      define WTMP_FILE CONF_WTMP_FILE
-#    endif
-#  endif
-#endif
-/* pick up the user's location for lastlog if given */
-#ifndef LASTLOG_FILE
-#  ifdef _PATH_LASTLOG
-#    define LASTLOG_FILE _PATH_LASTLOG
-#  else
-#    ifdef CONF_LASTLOG_FILE
-#      define LASTLOG_FILE CONF_LASTLOG_FILE
-#    endif
-#  endif
-#endif
-
-#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
-# define USE_SHADOW
-#endif
-
-/* The login() library function in libutil is first choice */
-#if defined(HAVE_LOGIN) && !defined(DISABLE_LOGIN)
-#  define USE_LOGIN
-
-#else
-/* Simply select your favourite login types. */
-/* Can't do if-else because some systems use several... <sigh> */
-#  if defined(UTMPX_FILE) && !defined(DISABLE_UTMPX)
-#    define USE_UTMPX
-#  endif
-#  if defined(UTMP_FILE) && !defined(DISABLE_UTMP)
-#    define USE_UTMP
-#  endif
-#  if defined(WTMPX_FILE) && !defined(DISABLE_WTMPX)
-#    define USE_WTMPX
-#  endif
-#  if defined(WTMP_FILE) && !defined(DISABLE_WTMP)
-#    define USE_WTMP
-#  endif
-
-#endif
-
-#ifndef UT_LINESIZE
-# define UT_LINESIZE 8
-#endif
-
-/* I hope that the presence of LASTLOG_FILE is enough to detect this */
-#if defined(LASTLOG_FILE) && !defined(DISABLE_LASTLOG)
-#  define USE_LASTLOG
-#endif
-
-#ifdef HAVE_OSF_SIA
-# ifdef USE_SHADOW
-#  undef USE_SHADOW
-# endif
-# define CUSTOM_SYS_AUTH_PASSWD 1
-#endif
-
-#ifdef HAVE_LIBIAF
-# define CUSTOM_SYS_AUTH_PASSWD 1
-#endif
-
-/* HP-UX 11.11 */
-#ifdef BTMP_FILE
-# define _PATH_BTMP BTMP_FILE
-#endif
-
-#if defined(USE_BTMP) && defined(_PATH_BTMP)
-# define CUSTOM_FAILED_LOGIN
-#endif
-
-/** end of login recorder definitions */
-
-#ifdef BROKEN_GETGROUPS
-# define getgroups(a,b) ((a)==0 && (b)==NULL ? NGROUPS_MAX : getgroups((a),(b)))
-#endif
-
-#if defined(HAVE_MMAP) && defined(BROKEN_MMAP)
-# undef HAVE_MMAP
-#endif
-
-#ifndef IOV_MAX
-# if defined(_XOPEN_IOV_MAX)
-#  define	IOV_MAX		_XOPEN_IOV_MAX
-# elif defined(DEF_IOV_MAX)
-#  define	IOV_MAX		DEF_IOV_MAX
-# else
-#  define	IOV_MAX		16
-# endif
-#endif
-
-#endif /* _DEFINES_H */
diff --git a/crypto/openssh/dh.c b/crypto/openssh/dh.c
deleted file mode 100644
index 02b9a40..0000000
--- a/crypto/openssh/dh.c
+++ /dev/null
@@ -1,331 +0,0 @@
-/* $OpenBSD: dh.c,v 1.43 2006/11/06 21:25:28 markus Exp $ */
-/*
- * Copyright (c) 2000 Niels Provos.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/param.h>
-
-#include <openssl/bn.h>
-#include <openssl/dh.h>
-
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "dh.h"
-#include "pathnames.h"
-#include "log.h"
-#include "misc.h"
-
-static int
-parse_prime(int linenum, char *line, struct dhgroup *dhg)
-{
-	char *cp, *arg;
-	char *strsize, *gen, *prime;
-	const char *errstr = NULL;
-
-	cp = line;
-	if ((arg = strdelim(&cp)) == NULL)
-		return 0;
-	/* Ignore leading whitespace */
-	if (*arg == '\0')
-		arg = strdelim(&cp);
-	if (!arg || !*arg || *arg == '#')
-		return 0;
-
-	/* time */
-	if (cp == NULL || *arg == '\0')
-		goto fail;
-	arg = strsep(&cp, " "); /* type */
-	if (cp == NULL || *arg == '\0')
-		goto fail;
-	arg = strsep(&cp, " "); /* tests */
-	if (cp == NULL || *arg == '\0')
-		goto fail;
-	arg = strsep(&cp, " "); /* tries */
-	if (cp == NULL || *arg == '\0')
-		goto fail;
-	strsize = strsep(&cp, " "); /* size */
-	if (cp == NULL || *strsize == '\0' ||
-	    (dhg->size = (u_int)strtonum(strsize, 0, 64*1024, &errstr)) == 0 ||
-	    errstr)
-		goto fail;
-	/* The whole group is one bit larger */
-	dhg->size++;
-	gen = strsep(&cp, " "); /* gen */
-	if (cp == NULL || *gen == '\0')
-		goto fail;
-	prime = strsep(&cp, " "); /* prime */
-	if (cp != NULL || *prime == '\0')
-		goto fail;
-
-	if ((dhg->g = BN_new()) == NULL)
-		fatal("parse_prime: BN_new failed");
-	if ((dhg->p = BN_new()) == NULL)
-		fatal("parse_prime: BN_new failed");
-	if (BN_hex2bn(&dhg->g, gen) == 0)
-		goto failclean;
-
-	if (BN_hex2bn(&dhg->p, prime) == 0)
-		goto failclean;
-
-	if (BN_num_bits(dhg->p) != dhg->size)
-		goto failclean;
-
-	if (BN_is_zero(dhg->g) || BN_is_one(dhg->g))
-		goto failclean;
-
-	return (1);
-
- failclean:
-	BN_clear_free(dhg->g);
-	BN_clear_free(dhg->p);
- fail:
-	error("Bad prime description in line %d", linenum);
-	return (0);
-}
-
-DH *
-choose_dh(int min, int wantbits, int max)
-{
-	FILE *f;
-	char line[4096];
-	int best, bestcount, which;
-	int linenum;
-	struct dhgroup dhg;
-
-	if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL &&
-	    (f = fopen(_PATH_DH_PRIMES, "r")) == NULL) {
-		logit("WARNING: %s does not exist, using fixed modulus",
-		    _PATH_DH_MODULI);
-		return (dh_new_group14());
-	}
-
-	linenum = 0;
-	best = bestcount = 0;
-	while (fgets(line, sizeof(line), f)) {
-		linenum++;
-		if (!parse_prime(linenum, line, &dhg))
-			continue;
-		BN_clear_free(dhg.g);
-		BN_clear_free(dhg.p);
-
-		if (dhg.size > max || dhg.size < min)
-			continue;
-
-		if ((dhg.size > wantbits && dhg.size < best) ||
-		    (dhg.size > best && best < wantbits)) {
-			best = dhg.size;
-			bestcount = 0;
-		}
-		if (dhg.size == best)
-			bestcount++;
-	}
-	rewind(f);
-
-	if (bestcount == 0) {
-		fclose(f);
-		logit("WARNING: no suitable primes in %s", _PATH_DH_PRIMES);
-		return (dh_new_group14());
-	}
-
-	linenum = 0;
-	which = arc4random() % bestcount;
-	while (fgets(line, sizeof(line), f)) {
-		if (!parse_prime(linenum, line, &dhg))
-			continue;
-		if ((dhg.size > max || dhg.size < min) ||
-		    dhg.size != best ||
-		    linenum++ != which) {
-			BN_clear_free(dhg.g);
-			BN_clear_free(dhg.p);
-			continue;
-		}
-		break;
-	}
-	fclose(f);
-	if (linenum != which+1)
-		fatal("WARNING: line %d disappeared in %s, giving up",
-		    which, _PATH_DH_PRIMES);
-
-	return (dh_new_group(dhg.g, dhg.p));
-}
-
-/* diffie-hellman-groupN-sha1 */
-
-int
-dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
-{
-	int i;
-	int n = BN_num_bits(dh_pub);
-	int bits_set = 0;
-	BIGNUM *tmp;
-
-	if (dh_pub->neg) {
-		logit("invalid public DH value: negativ");
-		return 0;
-	}
-	if (BN_cmp(dh_pub, BN_value_one()) != 1) {	/* pub_exp <= 1 */
-		logit("invalid public DH value: <= 1");
-		return 0;
-	}
-
-	if ((tmp = BN_new()) == NULL)
-		return (-1);
-	if (!BN_sub(tmp, dh->p, BN_value_one()) ||
-	    BN_cmp(dh_pub, tmp) != -1) {		/* pub_exp > p-2 */
-		BN_clear_free(tmp);
-		logit("invalid public DH value: >= p-1");
-		return 0;
-	}
-	BN_clear_free(tmp);
-
-	for (i = 0; i <= n; i++)
-		if (BN_is_bit_set(dh_pub, i))
-			bits_set++;
-	debug2("bits set: %d/%d", bits_set, BN_num_bits(dh->p));
-
-	/* if g==2 and bits_set==1 then computing log_g(dh_pub) is trivial */
-	if (bits_set > 1)
-		return 1;
-
-	logit("invalid public DH value (%d/%d)", bits_set, BN_num_bits(dh->p));
-	return 0;
-}
-
-void
-dh_gen_key(DH *dh, int need)
-{
-	int i, bits_set, tries = 0;
-
-	if (dh->p == NULL)
-		fatal("dh_gen_key: dh->p == NULL");
-	if (need > INT_MAX / 2 || 2 * need >= BN_num_bits(dh->p))
-		fatal("dh_gen_key: group too small: %d (2*need %d)",
-		    BN_num_bits(dh->p), 2*need);
-	do {
-		if (dh->priv_key != NULL)
-			BN_clear_free(dh->priv_key);
-		if ((dh->priv_key = BN_new()) == NULL)
-			fatal("dh_gen_key: BN_new failed");
-		/* generate a 2*need bits random private exponent */
-		if (!BN_rand(dh->priv_key, 2*need, 0, 0))
-			fatal("dh_gen_key: BN_rand failed");
-		if (DH_generate_key(dh) == 0)
-			fatal("DH_generate_key");
-		for (i = 0, bits_set = 0; i <= BN_num_bits(dh->priv_key); i++)
-			if (BN_is_bit_set(dh->priv_key, i))
-				bits_set++;
-		debug2("dh_gen_key: priv key bits set: %d/%d",
-		    bits_set, BN_num_bits(dh->priv_key));
-		if (tries++ > 10)
-			fatal("dh_gen_key: too many bad keys: giving up");
-	} while (!dh_pub_is_valid(dh, dh->pub_key));
-}
-
-DH *
-dh_new_group_asc(const char *gen, const char *modulus)
-{
-	DH *dh;
-
-	if ((dh = DH_new()) == NULL)
-		fatal("dh_new_group_asc: DH_new");
-
-	if (BN_hex2bn(&dh->p, modulus) == 0)
-		fatal("BN_hex2bn p");
-	if (BN_hex2bn(&dh->g, gen) == 0)
-		fatal("BN_hex2bn g");
-
-	return (dh);
-}
-
-/*
- * This just returns the group, we still need to generate the exchange
- * value.
- */
-
-DH *
-dh_new_group(BIGNUM *gen, BIGNUM *modulus)
-{
-	DH *dh;
-
-	if ((dh = DH_new()) == NULL)
-		fatal("dh_new_group: DH_new");
-	dh->p = modulus;
-	dh->g = gen;
-
-	return (dh);
-}
-
-DH *
-dh_new_group1(void)
-{
-	static char *gen = "2", *group1 =
-	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
-	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
-	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
-	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
-	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
-	    "FFFFFFFF" "FFFFFFFF";
-
-	return (dh_new_group_asc(gen, group1));
-}
-
-DH *
-dh_new_group14(void)
-{
-	static char *gen = "2", *group14 =
-	    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
-	    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
-	    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
-	    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
-	    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
-	    "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
-	    "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
-	    "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
-	    "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
-	    "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
-	    "15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF";
-
-	return (dh_new_group_asc(gen, group14));
-}
-
-/*
- * Estimates the group order for a Diffie-Hellman group that has an
- * attack complexity approximately the same as O(2**bits).  Estimate
- * with:  O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3)))
- */
-
-int
-dh_estimate(int bits)
-{
-
-	if (bits <= 128)
-		return (1024);	/* O(2**86) */
-	if (bits <= 192)
-		return (2048);	/* O(2**116) */
-	return (4096);		/* O(2**156) */
-}
diff --git a/crypto/openssh/dh.h b/crypto/openssh/dh.h
deleted file mode 100644
index 8e580ee..0000000
--- a/crypto/openssh/dh.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/* $OpenBSD: dh.h,v 1.9 2006/03/25 22:22:43 djm Exp $ */
-
-/*
- * Copyright (c) 2000 Niels Provos.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-#ifndef DH_H
-#define DH_H
-
-struct dhgroup {
-	int size;
-	BIGNUM *g;
-	BIGNUM *p;
-};
-
-DH	*choose_dh(int, int, int);
-DH	*dh_new_group_asc(const char *, const char *);
-DH	*dh_new_group(BIGNUM *, BIGNUM *);
-DH	*dh_new_group1(void);
-DH	*dh_new_group14(void);
-
-void	 dh_gen_key(DH *, int);
-int	 dh_pub_is_valid(DH *, BIGNUM *);
-
-int	 dh_estimate(int);
-
-#define DH_GRP_MIN	1024
-#define DH_GRP_MAX	8192
-
-#endif
diff --git a/crypto/openssh/dispatch.c b/crypto/openssh/dispatch.c
deleted file mode 100644
index d6b63be..0000000
--- a/crypto/openssh/dispatch.c
+++ /dev/null
@@ -1,105 +0,0 @@
-/* $OpenBSD: dispatch.c,v 1.21 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <signal.h>
-#include <stdarg.h>
-
-#include "ssh1.h"
-#include "ssh2.h"
-#include "log.h"
-#include "dispatch.h"
-#include "packet.h"
-#include "compat.h"
-
-#define DISPATCH_MIN	0
-#define DISPATCH_MAX	255
-
-dispatch_fn *dispatch[DISPATCH_MAX];
-
-void
-dispatch_protocol_error(int type, u_int32_t seq, void *ctxt)
-{
-	logit("dispatch_protocol_error: type %d seq %u", type, seq);
-	if (!compat20)
-		fatal("protocol error");
-	packet_start(SSH2_MSG_UNIMPLEMENTED);
-	packet_put_int(seq);
-	packet_send();
-	packet_write_wait();
-}
-void
-dispatch_protocol_ignore(int type, u_int32_t seq, void *ctxt)
-{
-	logit("dispatch_protocol_ignore: type %d seq %u", type, seq);
-}
-void
-dispatch_init(dispatch_fn *dflt)
-{
-	u_int i;
-	for (i = 0; i < DISPATCH_MAX; i++)
-		dispatch[i] = dflt;
-}
-void
-dispatch_range(u_int from, u_int to, dispatch_fn *fn)
-{
-	u_int i;
-
-	for (i = from; i <= to; i++) {
-		if (i >= DISPATCH_MAX)
-			break;
-		dispatch[i] = fn;
-	}
-}
-void
-dispatch_set(int type, dispatch_fn *fn)
-{
-	dispatch[type] = fn;
-}
-void
-dispatch_run(int mode, volatile sig_atomic_t *done, void *ctxt)
-{
-	for (;;) {
-		int type;
-		u_int32_t seqnr;
-
-		if (mode == DISPATCH_BLOCK) {
-			type = packet_read_seqnr(&seqnr);
-		} else {
-			type = packet_read_poll_seqnr(&seqnr);
-			if (type == SSH_MSG_NONE)
-				return;
-		}
-		if (type > 0 && type < DISPATCH_MAX && dispatch[type] != NULL)
-			(*dispatch[type])(type, seqnr, ctxt);
-		else
-			packet_disconnect("protocol error: rcvd type %d", type);
-		if (done != NULL && *done)
-			return;
-	}
-}
diff --git a/crypto/openssh/dispatch.h b/crypto/openssh/dispatch.h
deleted file mode 100644
index 3e3d1a1..0000000
--- a/crypto/openssh/dispatch.h
+++ /dev/null
@@ -1,41 +0,0 @@
-/* $OpenBSD: dispatch.h,v 1.11 2006/04/20 09:27:09 djm Exp $ */
-
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include <signal.h>
-
-enum {
-	DISPATCH_BLOCK,
-	DISPATCH_NONBLOCK
-};
-
-typedef void dispatch_fn(int, u_int32_t, void *);
-
-void	 dispatch_init(dispatch_fn *);
-void	 dispatch_set(int, dispatch_fn *);
-void	 dispatch_range(u_int, u_int, dispatch_fn *);
-void	 dispatch_run(int, volatile sig_atomic_t *, void *);
-void	 dispatch_protocol_error(int, u_int32_t, void *);
-void	 dispatch_protocol_ignore(int, u_int32_t, void *);
diff --git a/crypto/openssh/dns.c b/crypto/openssh/dns.c
deleted file mode 100644
index 92623de..0000000
--- a/crypto/openssh/dns.c
+++ /dev/null
@@ -1,296 +0,0 @@
-/* $OpenBSD: dns.c,v 1.23 2006/08/03 03:34:42 deraadt Exp $ */
-
-/*
- * Copyright (c) 2003 Wesley Griffin. All rights reserved.
- * Copyright (c) 2003 Jakob Schlyter. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <netdb.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <string.h>
-
-#include "xmalloc.h"
-#include "key.h"
-#include "dns.h"
-#include "log.h"
-
-static const char *errset_text[] = {
-	"success",		/* 0 ERRSET_SUCCESS */
-	"out of memory",	/* 1 ERRSET_NOMEMORY */
-	"general failure",	/* 2 ERRSET_FAIL */
-	"invalid parameter",	/* 3 ERRSET_INVAL */
-	"name does not exist",	/* 4 ERRSET_NONAME */
-	"data does not exist",	/* 5 ERRSET_NODATA */
-};
-
-static const char *
-dns_result_totext(unsigned int res)
-{
-	switch (res) {
-	case ERRSET_SUCCESS:
-		return errset_text[ERRSET_SUCCESS];
-	case ERRSET_NOMEMORY:
-		return errset_text[ERRSET_NOMEMORY];
-	case ERRSET_FAIL:
-		return errset_text[ERRSET_FAIL];
-	case ERRSET_INVAL:
-		return errset_text[ERRSET_INVAL];
-	case ERRSET_NONAME:
-		return errset_text[ERRSET_NONAME];
-	case ERRSET_NODATA:
-		return errset_text[ERRSET_NODATA];
-	default:
-		return "unknown error";
-	}
-}
-
-/*
- * Read SSHFP parameters from key buffer.
- */
-static int
-dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type,
-    u_char **digest, u_int *digest_len, const Key *key)
-{
-	int success = 0;
-
-	switch (key->type) {
-	case KEY_RSA:
-		*algorithm = SSHFP_KEY_RSA;
-		break;
-	case KEY_DSA:
-		*algorithm = SSHFP_KEY_DSA;
-		break;
-	default:
-		*algorithm = SSHFP_KEY_RESERVED; /* 0 */
-	}
-
-	if (*algorithm) {
-		*digest_type = SSHFP_HASH_SHA1;
-		*digest = key_fingerprint_raw(key, SSH_FP_SHA1, digest_len);
-		if (*digest == NULL)
-			fatal("dns_read_key: null from key_fingerprint_raw()");
-		success = 1;
-	} else {
-		*digest_type = SSHFP_HASH_RESERVED;
-		*digest = NULL;
-		*digest_len = 0;
-		success = 0;
-	}
-
-	return success;
-}
-
-/*
- * Read SSHFP parameters from rdata buffer.
- */
-static int
-dns_read_rdata(u_int8_t *algorithm, u_int8_t *digest_type,
-    u_char **digest, u_int *digest_len, u_char *rdata, int rdata_len)
-{
-	int success = 0;
-
-	*algorithm = SSHFP_KEY_RESERVED;
-	*digest_type = SSHFP_HASH_RESERVED;
-
-	if (rdata_len >= 2) {
-		*algorithm = rdata[0];
-		*digest_type = rdata[1];
-		*digest_len = rdata_len - 2;
-
-		if (*digest_len > 0) {
-			*digest = (u_char *) xmalloc(*digest_len);
-			memcpy(*digest, rdata + 2, *digest_len);
-		} else {
-			*digest = (u_char *)xstrdup("");
-		}
-
-		success = 1;
-	}
-
-	return success;
-}
-
-/*
- * Check if hostname is numerical.
- * Returns -1 if hostname is numeric, 0 otherwise
- */
-static int
-is_numeric_hostname(const char *hostname)
-{
-	struct addrinfo hints, *ai;
-
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_socktype = SOCK_DGRAM;
-	hints.ai_flags = AI_NUMERICHOST;
-
-	if (getaddrinfo(hostname, "0", &hints, &ai) == 0) {
-		freeaddrinfo(ai);
-		return -1;
-	}
-
-	return 0;
-}
-
-/*
- * Verify the given hostname, address and host key using DNS.
- * Returns 0 if lookup succeeds, -1 otherwise
- */
-int
-verify_host_key_dns(const char *hostname, struct sockaddr *address,
-    const Key *hostkey, int *flags)
-{
-	u_int counter;
-	int result;
-	struct rrsetinfo *fingerprints = NULL;
-
-	u_int8_t hostkey_algorithm;
-	u_int8_t hostkey_digest_type;
-	u_char *hostkey_digest;
-	u_int hostkey_digest_len;
-
-	u_int8_t dnskey_algorithm;
-	u_int8_t dnskey_digest_type;
-	u_char *dnskey_digest;
-	u_int dnskey_digest_len;
-
-	*flags = 0;
-
-	debug3("verify_host_key_dns");
-	if (hostkey == NULL)
-		fatal("No key to look up!");
-
-	if (is_numeric_hostname(hostname)) {
-		debug("skipped DNS lookup for numerical hostname");
-		return -1;
-	}
-
-	result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
-	    DNS_RDATATYPE_SSHFP, 0, &fingerprints);
-	if (result) {
-		verbose("DNS lookup error: %s", dns_result_totext(result));
-		return -1;
-	}
-
-	if (fingerprints->rri_flags & RRSET_VALIDATED) {
-		*flags |= DNS_VERIFY_SECURE;
-		debug("found %d secure fingerprints in DNS",
-		    fingerprints->rri_nrdatas);
-	} else {
-		debug("found %d insecure fingerprints in DNS",
-		    fingerprints->rri_nrdatas);
-	}
-
-	/* Initialize host key parameters */
-	if (!dns_read_key(&hostkey_algorithm, &hostkey_digest_type,
-	    &hostkey_digest, &hostkey_digest_len, hostkey)) {
-		error("Error calculating host key fingerprint.");
-		freerrset(fingerprints);
-		return -1;
-	}
-
-	if (fingerprints->rri_nrdatas)
-		*flags |= DNS_VERIFY_FOUND;
-
-	for (counter = 0; counter < fingerprints->rri_nrdatas; counter++)  {
-		/*
-		 * Extract the key from the answer. Ignore any badly
-		 * formatted fingerprints.
-		 */
-		if (!dns_read_rdata(&dnskey_algorithm, &dnskey_digest_type,
-		    &dnskey_digest, &dnskey_digest_len,
-		    fingerprints->rri_rdatas[counter].rdi_data,
-		    fingerprints->rri_rdatas[counter].rdi_length)) {
-			verbose("Error parsing fingerprint from DNS.");
-			continue;
-		}
-
-		/* Check if the current key is the same as the given key */
-		if (hostkey_algorithm == dnskey_algorithm &&
-		    hostkey_digest_type == dnskey_digest_type) {
-
-			if (hostkey_digest_len == dnskey_digest_len &&
-			    memcmp(hostkey_digest, dnskey_digest,
-			    hostkey_digest_len) == 0) {
-
-				*flags |= DNS_VERIFY_MATCH;
-			}
-		}
-		xfree(dnskey_digest);
-	}
-
-	xfree(hostkey_digest); /* from key_fingerprint_raw() */
-	freerrset(fingerprints);
-
-	if (*flags & DNS_VERIFY_FOUND)
-		if (*flags & DNS_VERIFY_MATCH)
-			debug("matching host key fingerprint found in DNS");
-		else
-			debug("mismatching host key fingerprint found in DNS");
-	else
-		debug("no host key fingerprint found in DNS");
-
-	return 0;
-}
-
-/*
- * Export the fingerprint of a key as a DNS resource record
- */
-int
-export_dns_rr(const char *hostname, const Key *key, FILE *f, int generic)
-{
-	u_int8_t rdata_pubkey_algorithm = 0;
-	u_int8_t rdata_digest_type = SSHFP_HASH_SHA1;
-	u_char *rdata_digest;
-	u_int rdata_digest_len;
-
-	u_int i;
-	int success = 0;
-
-	if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type,
-	    &rdata_digest, &rdata_digest_len, key)) {
-
-		if (generic)
-			fprintf(f, "%s IN TYPE%d \\# %d %02x %02x ", hostname,
-			    DNS_RDATATYPE_SSHFP, 2 + rdata_digest_len,
-			    rdata_pubkey_algorithm, rdata_digest_type);
-		else
-			fprintf(f, "%s IN SSHFP %d %d ", hostname,
-			    rdata_pubkey_algorithm, rdata_digest_type);
-
-		for (i = 0; i < rdata_digest_len; i++)
-			fprintf(f, "%02x", rdata_digest[i]);
-		fprintf(f, "\n");
-		xfree(rdata_digest); /* from key_fingerprint_raw() */
-		success = 1;
-	} else {
-		error("export_dns_rr: unsupported algorithm");
-	}
-
-	return success;
-}
diff --git a/crypto/openssh/dns.h b/crypto/openssh/dns.h
deleted file mode 100644
index b2633a1..0000000
--- a/crypto/openssh/dns.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/* $OpenBSD: dns.h,v 1.10 2006/08/03 03:34:42 deraadt Exp $ */
-
-/*
- * Copyright (c) 2003 Wesley Griffin. All rights reserved.
- * Copyright (c) 2003 Jakob Schlyter. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef DNS_H
-#define DNS_H
-
-enum sshfp_types {
-	SSHFP_KEY_RESERVED,
-	SSHFP_KEY_RSA,
-	SSHFP_KEY_DSA
-};
-
-enum sshfp_hashes {
-	SSHFP_HASH_RESERVED,
-	SSHFP_HASH_SHA1
-};
-
-#define DNS_RDATACLASS_IN	1
-#define DNS_RDATATYPE_SSHFP	44
-
-#define DNS_VERIFY_FOUND	0x00000001
-#define DNS_VERIFY_MATCH	0x00000002
-#define DNS_VERIFY_SECURE	0x00000004
-
-int	verify_host_key_dns(const char *, struct sockaddr *, const Key *, int *);
-int	export_dns_rr(const char *, const Key *, FILE *, int);
-
-#endif /* DNS_H */
diff --git a/crypto/openssh/dsa.c b/crypto/openssh/dsa.c
deleted file mode 100644
index 4ff4b58..0000000
--- a/crypto/openssh/dsa.c
+++ /dev/null
@@ -1,304 +0,0 @@
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: dsa.c,v 1.11 2000/09/07 20:27:51 deraadt Exp $");
-
-#include "ssh.h"
-#include "xmalloc.h"
-#include "buffer.h"
-#include "bufaux.h"
-#include "compat.h"
-
-#include <openssl/bn.h>
-#include <openssl/dh.h>
-#include <openssl/rsa.h>
-#include <openssl/dsa.h>
-#include <openssl/evp.h>
-#include <openssl/bio.h>
-#include <openssl/pem.h>
-
-#include <openssl/hmac.h>
-#include "kex.h"
-#include "key.h"
-#include "uuencode.h"
-
-#define INTBLOB_LEN	20
-#define SIGBLOB_LEN	(2*INTBLOB_LEN)
-
-Key *
-dsa_key_from_blob(char *blob, int blen)
-{
-	Buffer b;
-	char *ktype;
-	int rlen;
-	DSA *dsa;
-	Key *key;
-
-#ifdef DEBUG_DSS
-	dump_base64(stderr, blob, blen);
-#endif
-	/* fetch & parse DSA/DSS pubkey */
-	buffer_init(&b);
-	buffer_append(&b, blob, blen);
-	ktype = buffer_get_string(&b, NULL);
-	if (strcmp(KEX_DSS, ktype) != 0) {
-		error("dsa_key_from_blob: cannot handle type %s", ktype);
-		buffer_free(&b);
-		xfree(ktype);
-		return NULL;
-	}
-	key = key_new(KEY_DSA);
-	dsa = key->dsa;
-	buffer_get_bignum2(&b, dsa->p);
-	buffer_get_bignum2(&b, dsa->q);
-	buffer_get_bignum2(&b, dsa->g);
-	buffer_get_bignum2(&b, dsa->pub_key);
-	rlen = buffer_len(&b);
-	if(rlen != 0)
-		error("dsa_key_from_blob: remaining bytes in key blob %d", rlen);
-	buffer_free(&b);
-	xfree(ktype);
-
-#ifdef DEBUG_DSS
-	DSA_print_fp(stderr, dsa, 8);
-#endif
-	return key;
-}
-int
-dsa_make_key_blob(Key *key, unsigned char **blobp, unsigned int *lenp)
-{
-	Buffer b;
-	int len;
-	unsigned char *buf;
-
-	if (key == NULL || key->type != KEY_DSA)
-		return 0;
-	buffer_init(&b);
-	buffer_put_cstring(&b, KEX_DSS);
-	buffer_put_bignum2(&b, key->dsa->p);
-	buffer_put_bignum2(&b, key->dsa->q);
-	buffer_put_bignum2(&b, key->dsa->g);
-	buffer_put_bignum2(&b, key->dsa->pub_key);
-	len = buffer_len(&b);
-	buf = xmalloc(len);
-	memcpy(buf, buffer_ptr(&b), len);
-	memset(buffer_ptr(&b), 0, len);
-	buffer_free(&b);
-	if (lenp != NULL)
-		*lenp = len;
-	if (blobp != NULL)
-		*blobp = buf;
-	return len;
-}
-int
-dsa_sign(
-    Key *key,
-    unsigned char **sigp, int *lenp,
-    unsigned char *data, int datalen)
-{
-	unsigned char *digest;
-	unsigned char *ret;
-	DSA_SIG *sig;
-	EVP_MD *evp_md = EVP_sha1();
-	EVP_MD_CTX md;
-	unsigned int rlen;
-	unsigned int slen;
-	unsigned int len;
-	unsigned char sigblob[SIGBLOB_LEN];
-	Buffer b;
-
-	if (key == NULL || key->type != KEY_DSA || key->dsa == NULL) {
-		error("dsa_sign: no DSA key");
-		return -1;
-	}
-	digest = xmalloc(evp_md->md_size);
-	EVP_DigestInit(&md, evp_md);
-	EVP_DigestUpdate(&md, data, datalen);
-	EVP_DigestFinal(&md, digest, NULL);
-
-	sig = DSA_do_sign(digest, evp_md->md_size, key->dsa);
-	if (sig == NULL) {
-		fatal("dsa_sign: cannot sign");
-	}
-
-	rlen = BN_num_bytes(sig->r);
-	slen = BN_num_bytes(sig->s);
-	if (rlen > INTBLOB_LEN || slen > INTBLOB_LEN) {
-		error("bad sig size %d %d", rlen, slen);
-		DSA_SIG_free(sig);
-		return -1;
-	}
-	debug("sig size %d %d", rlen, slen);
-
-	memset(sigblob, 0, SIGBLOB_LEN);
-	BN_bn2bin(sig->r, sigblob+ SIGBLOB_LEN - INTBLOB_LEN - rlen);
-	BN_bn2bin(sig->s, sigblob+ SIGBLOB_LEN - slen);
-	DSA_SIG_free(sig);
-
-	if (datafellows & SSH_BUG_SIGBLOB) {
-		debug("datafellows");
-		ret = xmalloc(SIGBLOB_LEN);
-		memcpy(ret, sigblob, SIGBLOB_LEN);
-		if (lenp != NULL)
-			*lenp = SIGBLOB_LEN;
-		if (sigp != NULL)
-			*sigp = ret;
-	} else {
-		/* ietf-drafts */
-		buffer_init(&b);
-		buffer_put_cstring(&b, KEX_DSS);
-		buffer_put_string(&b, sigblob, SIGBLOB_LEN);
-		len = buffer_len(&b);
-		ret = xmalloc(len);
-		memcpy(ret, buffer_ptr(&b), len);
-		buffer_free(&b);
-		if (lenp != NULL)
-			*lenp = len;
-		if (sigp != NULL)
-			*sigp = ret;
-	}
-	return 0;
-}
-int
-dsa_verify(
-    Key *key,
-    unsigned char *signature, int signaturelen,
-    unsigned char *data, int datalen)
-{
-	Buffer b;
-	unsigned char *digest;
-	DSA_SIG *sig;
-	EVP_MD *evp_md = EVP_sha1();
-	EVP_MD_CTX md;
-	unsigned char *sigblob;
-	char *txt;
-	unsigned int len;
-	int rlen;
-	int ret;
-
-	if (key == NULL || key->type != KEY_DSA || key->dsa == NULL) {
-		error("dsa_verify: no DSA key");
-		return -1;
-	}
-
-	if (!(datafellows & SSH_BUG_SIGBLOB) &&
-	    signaturelen == SIGBLOB_LEN) {
-		datafellows |= ~SSH_BUG_SIGBLOB;
-		log("autodetect SSH_BUG_SIGBLOB");
-	} else if ((datafellows & SSH_BUG_SIGBLOB) &&
-	    signaturelen != SIGBLOB_LEN) {
-		log("autoremove SSH_BUG_SIGBLOB");
-		datafellows &= ~SSH_BUG_SIGBLOB;
-	}
-
-	debug("len %d datafellows %d", signaturelen, datafellows);
-
-	/* fetch signature */
-	if (datafellows & SSH_BUG_SIGBLOB) {
-		sigblob = signature;
-		len = signaturelen;
-	} else {
-		/* ietf-drafts */
-		char *ktype;
-		buffer_init(&b);
-		buffer_append(&b, (char *) signature, signaturelen);
-		ktype = buffer_get_string(&b, NULL);
-		if (strcmp(KEX_DSS, ktype) != 0) {
-			error("dsa_verify: cannot handle type %s", ktype);
-			buffer_free(&b);
-			return -1;
-		}
-		sigblob = (unsigned char *)buffer_get_string(&b, &len);
-		rlen = buffer_len(&b);
-		if(rlen != 0) {
-			error("remaining bytes in signature %d", rlen);
-			buffer_free(&b);
-			return -1;
-		}
-		buffer_free(&b);
-		xfree(ktype);
-	}
-
-	if (len != SIGBLOB_LEN) {
-		fatal("bad sigbloblen %d != SIGBLOB_LEN", len);
-	}
-
-	/* parse signature */
-	sig = DSA_SIG_new();
-	sig->r = BN_new();
-	sig->s = BN_new();
-	BN_bin2bn(sigblob, INTBLOB_LEN, sig->r);
-	BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s);
-
-	if (!(datafellows & SSH_BUG_SIGBLOB)) {
-		memset(sigblob, 0, len);
-		xfree(sigblob);
-	}
-	
-	/* sha1 the data */
-	digest = xmalloc(evp_md->md_size);
-	EVP_DigestInit(&md, evp_md);
-	EVP_DigestUpdate(&md, data, datalen);
-	EVP_DigestFinal(&md, digest, NULL);
-
-	ret = DSA_do_verify(digest, evp_md->md_size, sig, key->dsa);
-
-	memset(digest, 0, evp_md->md_size);
-	xfree(digest);
-	DSA_SIG_free(sig);
-
-	switch (ret) {
-	case 1:
-		txt = "correct";
-		break;
-	case 0:
-		txt = "incorrect";
-		break;
-	case -1:
-	default:
-		txt = "error";
-		break;
-	}
-	debug("dsa_verify: signature %s", txt);
-	return ret;
-}
-
-Key *
-dsa_generate_key(unsigned int bits)
-{
-	DSA *dsa = DSA_generate_parameters(bits, NULL, 0, NULL, NULL, NULL, NULL);
-	Key *k;
-	if (dsa == NULL) {
-		fatal("DSA_generate_parameters failed");
-	}
-	if (!DSA_generate_key(dsa)) {
-		fatal("DSA_generate_keys failed");
-	}
-
-	k = key_new(KEY_EMPTY);
-	k->type = KEY_DSA;
-	k->dsa = dsa;
-	return k;
-}
diff --git a/crypto/openssh/dsa.h b/crypto/openssh/dsa.h
deleted file mode 100644
index 252e788..0000000
--- a/crypto/openssh/dsa.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-#ifndef DSA_H
-#define DSA_H
-
-Key	*dsa_key_from_blob(char *blob, int blen);
-int	dsa_make_key_blob(Key *key, unsigned char **blobp, unsigned int *lenp);
-
-int
-dsa_sign(
-    Key *key,
-    unsigned char **sigp, int *lenp,
-    unsigned char *data, int datalen);
-
-int
-dsa_verify(
-    Key *key,
-    unsigned char *signature, int signaturelen,
-    unsigned char *data, int datalen);
-
-Key *
-dsa_generate_key(unsigned int bits);
-
-#endif
diff --git a/crypto/openssh/entropy.c b/crypto/openssh/entropy.c
deleted file mode 100644
index ccabb13..0000000
--- a/crypto/openssh/entropy.c
+++ /dev/null
@@ -1,193 +0,0 @@
-/*
- * Copyright (c) 2001 Damien Miller.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/wait.h>
-
-#ifdef HAVE_SYS_STAT_H
-# include <sys/stat.h>
-#endif
-
-#ifdef HAVE_FCNTL_H
-# include <fcntl.h>
-#endif
-#include <stdarg.h>
-#include <unistd.h>
-#include <signal.h>
-
-#include <openssl/rand.h>
-#include <openssl/crypto.h>
-#include <openssl/err.h>
-
-#include "ssh.h"
-#include "misc.h"
-#include "xmalloc.h"
-#include "atomicio.h"
-#include "pathnames.h"
-#include "log.h"
-#include "buffer.h"
-
-/*
- * Portable OpenSSH PRNG seeding:
- * If OpenSSL has not "internally seeded" itself (e.g. pulled data from
- * /dev/random), then we execute a "ssh-rand-helper" program which
- * collects entropy and writes it to stdout. The child program must
- * write at least RANDOM_SEED_SIZE bytes. The child is run with stderr
- * attached, so error/debugging output should be visible.
- *
- * XXX: we should tell the child how many bytes we need.
- */
-
-#ifndef OPENSSL_PRNG_ONLY
-#define RANDOM_SEED_SIZE 48
-static uid_t original_uid, original_euid;
-#endif
-
-void
-seed_rng(void)
-{
-#ifndef OPENSSL_PRNG_ONLY
-	int devnull;
-	int p[2];
-	pid_t pid;
-	int ret;
-	unsigned char buf[RANDOM_SEED_SIZE];
-	mysig_t old_sigchld;
-
-	if (RAND_status() == 1) {
-		debug3("RNG is ready, skipping seeding");
-		return;
-	}
-
-	debug3("Seeding PRNG from %s", SSH_RAND_HELPER);
-
-	if ((devnull = open("/dev/null", O_RDWR)) == -1)
-		fatal("Couldn't open /dev/null: %s", strerror(errno));
-	if (pipe(p) == -1)
-		fatal("pipe: %s", strerror(errno));
-
-	old_sigchld = signal(SIGCHLD, SIG_DFL);
-	if ((pid = fork()) == -1)
-		fatal("Couldn't fork: %s", strerror(errno));
-	if (pid == 0) {
-		dup2(devnull, STDIN_FILENO);
-		dup2(p[1], STDOUT_FILENO);
-		/* Keep stderr open for errors */
-		close(p[0]);
-		close(p[1]);
-		close(devnull);
-
-		if (original_uid != original_euid &&
-		    ( seteuid(getuid()) == -1 ||
-		      setuid(original_uid) == -1) ) {
-			fprintf(stderr, "(rand child) setuid(%li): %s\n",
-			    (long int)original_uid, strerror(errno));
-			_exit(1);
-		}
-
-		execl(SSH_RAND_HELPER, "ssh-rand-helper", NULL);
-		fprintf(stderr, "(rand child) Couldn't exec '%s': %s\n",
-		    SSH_RAND_HELPER, strerror(errno));
-		_exit(1);
-	}
-
-	close(devnull);
-	close(p[1]);
-
-	memset(buf, '\0', sizeof(buf));
-	ret = atomicio(read, p[0], buf, sizeof(buf));
-	if (ret == -1)
-		fatal("Couldn't read from ssh-rand-helper: %s",
-		    strerror(errno));
-	if (ret != sizeof(buf))
-		fatal("ssh-rand-helper child produced insufficient data");
-
-	close(p[0]);
-
-	if (waitpid(pid, &ret, 0) == -1)
-		fatal("Couldn't wait for ssh-rand-helper completion: %s",
-		    strerror(errno));
-	signal(SIGCHLD, old_sigchld);
-
-	/* We don't mind if the child exits upon a SIGPIPE */
-	if (!WIFEXITED(ret) &&
-	    (!WIFSIGNALED(ret) || WTERMSIG(ret) != SIGPIPE))
-		fatal("ssh-rand-helper terminated abnormally");
-	if (WEXITSTATUS(ret) != 0)
-		fatal("ssh-rand-helper exit with exit status %d", ret);
-
-	RAND_add(buf, sizeof(buf), sizeof(buf));
-	memset(buf, '\0', sizeof(buf));
-
-#endif /* OPENSSL_PRNG_ONLY */
-	if (RAND_status() != 1)
-		fatal("PRNG is not seeded");
-}
-
-void
-init_rng(void)
-{
-	/*
-	 * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
-	 * We match major, minor, fix and status (not patch)
-	 */
-	if ((SSLeay() ^ OPENSSL_VERSION_NUMBER) & ~0xff0L)
-		fatal("OpenSSL version mismatch. Built against %lx, you "
-		    "have %lx", OPENSSL_VERSION_NUMBER, SSLeay());
-
-#ifndef OPENSSL_PRNG_ONLY
-	original_uid = getuid();
-	original_euid = geteuid();
-#endif
-}
-
-#ifndef OPENSSL_PRNG_ONLY
-void
-rexec_send_rng_seed(Buffer *m)
-{
-	u_char buf[RANDOM_SEED_SIZE];
-
-	if (RAND_bytes(buf, sizeof(buf)) <= 0) {
-		error("Couldn't obtain random bytes (error %ld)",
-		    ERR_get_error());
-		buffer_put_string(m, "", 0);
-	} else 
-		buffer_put_string(m, buf, sizeof(buf));
-}
-
-void
-rexec_recv_rng_seed(Buffer *m)
-{
-	u_char *buf;
-	u_int len;
-
-	buf = buffer_get_string_ret(m, &len);
-	if (buf != NULL) {
-		debug3("rexec_recv_rng_seed: seeding rng with %u bytes", len);
-		RAND_add(buf, len, len);
-	}
-}
-#endif
diff --git a/crypto/openssh/entropy.h b/crypto/openssh/entropy.h
deleted file mode 100644
index ec1ebcc..0000000
--- a/crypto/openssh/entropy.h
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * Copyright (c) 1999-2000 Damien Miller.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/* $Id: entropy.h,v 1.5 2005/09/27 12:46:32 dtucker Exp $ */
-
-#ifndef _RANDOMS_H
-#define _RANDOMS_H
-
-#include "buffer.h"
-
-void seed_rng(void);
-void init_rng(void);
-
-void rexec_send_rng_seed(Buffer *);
-void rexec_recv_rng_seed(Buffer *);
-
-#endif /* _RANDOMS_H */
diff --git a/crypto/openssh/fatal.c b/crypto/openssh/fatal.c
deleted file mode 100644
index 5e5aa3f..0000000
--- a/crypto/openssh/fatal.c
+++ /dev/null
@@ -1,45 +0,0 @@
-/* $OpenBSD: fatal.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Copyright (c) 2002 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <stdarg.h>
-
-#include "log.h"
-
-/* Fatal messages.  This function never returns. */
-
-void
-fatal(const char *fmt,...)
-{
-	va_list args;
-
-	va_start(args, fmt);
-	do_log(SYSLOG_LEVEL_FATAL, fmt, args);
-	va_end(args);
-	cleanup_exit(255);
-}
diff --git a/crypto/openssh/fingerprint.c b/crypto/openssh/fingerprint.c
deleted file mode 100644
index 4b0966d..0000000
--- a/crypto/openssh/fingerprint.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (c) 1999 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *      This product includes software developed by Markus Friedl.
- * 4. The name of the author may not be used to endorse or promote products
- *    derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$Id: fingerprint.c,v 1.6 2000/04/12 09:39:10 markus Exp $");
-
-#include "ssh.h"
-#include "xmalloc.h"
-#include <openssl/md5.h>
-
-#define FPRINT "%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x"
-
-/*
- * Generate key fingerprint in ascii format.
- * Based on ideas and code from Bjoern Groenvall <bg@sics.se>
- */
-char *
-fingerprint(BIGNUM *e, BIGNUM *n)
-{
-	static char retval[80];
-	MD5_CTX md;
-	unsigned char d[16];
-	unsigned char *buf;
-	int nlen, elen;
-
-	nlen = BN_num_bytes(n);
-	elen = BN_num_bytes(e);
-
-	buf = xmalloc(nlen + elen);
-
-	BN_bn2bin(n, buf);
-	BN_bn2bin(e, buf + nlen);
-
-	MD5_Init(&md);
-	MD5_Update(&md, buf, nlen + elen);
-	MD5_Final(d, &md);
-	snprintf(retval, sizeof(retval), FPRINT,
-	    d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7],
-	    d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
-	memset(buf, 0, nlen + elen);
-	xfree(buf);
-	return retval;
-}
diff --git a/crypto/openssh/fingerprint.h b/crypto/openssh/fingerprint.h
deleted file mode 100644
index fbb0d4c..0000000
--- a/crypto/openssh/fingerprint.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (c) 1999 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *      This product includes software developed by Markus Friedl.
- * 4. The name of the author may not be used to endorse or promote products
- *    derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/* RCSID("$Id: fingerprint.h,v 1.3 1999/11/24 16:15:25 markus Exp $"); */
-
-#ifndef FINGERPRINT_H
-#define FINGERPRINT_H
-char   *fingerprint(BIGNUM * e, BIGNUM * n);
-#endif
diff --git a/crypto/openssh/fixpaths b/crypto/openssh/fixpaths
deleted file mode 100755
index 60a6799..0000000
--- a/crypto/openssh/fixpaths
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/sh
-#
-# fixpaths  - substitute makefile variables into text files
-# Usage: fixpaths -Dsomething=somethingelse ...
-
-die() {
-	echo $*
-	exit -1
-}
-
-test -n "`echo $1|grep -- -D`" || \
-	die $0: nothing to do - no substitutions listed!
-
-test -n "`echo $1|grep -- '-D[^=]\+=[^ ]\+'`" || \
-	die $0: error in command line arguments.
-
-test -n "`echo $*|grep -- ' [^-]'`" || \
-	die Usage: $0 '[-Dstring=replacement] [[infile] ...]'
-
-sed `echo $*|sed -e 's/-D\([^=]\+\)=\([^ ]*\)/-e s=\1=\2=g/g'`
-
-exit 0
diff --git a/crypto/openssh/fixprogs b/crypto/openssh/fixprogs
deleted file mode 100755
index af76ee3..0000000
--- a/crypto/openssh/fixprogs
+++ /dev/null
@@ -1,72 +0,0 @@
-#!/usr/bin/perl
-#
-# fixprogs  - run through the list of entropy commands and
-#             score out the losers
-#
-
-$entscale = 50; # divisor for optional entropy measurement
-
-sub usage {
-  return("Usage: $0 <command file>\n");
-}
-
-if (($#ARGV == -1) || ($#ARGV>1)) {
-  die(&usage);
-}
-
-# 'undocumented' option - run ent (in second param) on the output
-if ($#ARGV==1) {
-  $entcmd=$ARGV[1]
-} else {
-  $entcmd = ""
-};
-
-$infilename = $ARGV[0];
-
-if (!open(IN, "<".$infilename)) {
-  die("Couldn't open input file");
-}
-$outfilename=$infilename.".out";
-if (!open(OUT, ">$outfilename")) {
-  die("Couldn't open output file $outfilename");
-}
-@infile=<IN>;
-
-select(OUT); $|=1; select(STDOUT);
-
-foreach (@infile) {
-  if (/^\s*\#/ || /^\s*$/) {
-    print OUT;
-    next;
-  }
-  ($cmd, $path, $est) = /^\"([^\"]+)\"\s+([\w\/_-]+)\s+([\d\.\-]+)/o;
-  @args = split(/ /, $cmd);
-   if (! ($pid = fork())) {
-     # child
-     close STDIN; close STDOUT; close STDERR;
-     open (STDIN,  "</dev/null");
-     open (STDOUT, ">/dev/null");
-     open (STDERR, ">/dev/null");
-     exec $path @args;
-     exit 1; # shouldn't be here
-   }
-   # parent
-   waitpid ($pid, 0); $ret=$? >> 8;
-
-  if ($ret != 0) {
-    $path = "undef";
-  } else {
-    if ($entcmd ne "") {
-      # now try to run ent on the command
-      $mostargs=join(" ", splice(@args,1));
-      print "Evaluating '$path $mostargs'\n";
-      @ent = qx{$path $mostargs | $entcmd -b -t};
-      @ent = grep(/^1,/, @ent);
-      ($null, $null, $rate) = split(/,/, $ent[0]);
-      $est = $rate / $entscale;		# scale the estimate back
-    }
-  }
-  print OUT "\"$cmd\" $path $est\n";
-}
-
-close(IN);
diff --git a/crypto/openssh/groupaccess.c b/crypto/openssh/groupaccess.c
deleted file mode 100644
index e73f62b..0000000
--- a/crypto/openssh/groupaccess.c
+++ /dev/null
@@ -1,104 +0,0 @@
-/* $OpenBSD: groupaccess.c,v 1.12 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Copyright (c) 2001 Kevin Steves.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-
-#include <grp.h>
-#include <unistd.h>
-#include <stdarg.h>
-
-#include "xmalloc.h"
-#include "groupaccess.h"
-#include "match.h"
-#include "log.h"
-
-static int ngroups;
-static char **groups_byname;
-
-/*
- * Initialize group access list for user with primary (base) and
- * supplementary groups.  Return the number of groups in the list.
- */
-int
-ga_init(const char *user, gid_t base)
-{
-	gid_t *groups_bygid;
-	int i, j;
-	struct group *gr;
-
-	if (ngroups > 0)
-		ga_free();
-
-	ngroups = NGROUPS_MAX;
-#if defined(HAVE_SYSCONF) && defined(_SC_NGROUPS_MAX)
-	ngroups = MAX(NGROUPS_MAX, sysconf(_SC_NGROUPS_MAX));
-#endif
-
-	groups_bygid = xcalloc(ngroups, sizeof(*groups_bygid));
-	groups_byname = xcalloc(ngroups, sizeof(*groups_byname));
-
-	if (getgrouplist(user, base, groups_bygid, &ngroups) == -1)
-		logit("getgrouplist: groups list too small");
-	for (i = 0, j = 0; i < ngroups; i++)
-		if ((gr = getgrgid(groups_bygid[i])) != NULL)
-			groups_byname[j++] = xstrdup(gr->gr_name);
-	xfree(groups_bygid);
-	return (ngroups = j);
-}
-
-/*
- * Return 1 if one of user's groups is contained in groups.
- * Return 0 otherwise.  Use match_pattern() for string comparison.
- */
-int
-ga_match(char * const *groups, int n)
-{
-	int i, j;
-
-	for (i = 0; i < ngroups; i++)
-		for (j = 0; j < n; j++)
-			if (match_pattern(groups_byname[i], groups[j]))
-				return 1;
-	return 0;
-}
-
-/*
- * Free memory allocated for group access list.
- */
-void
-ga_free(void)
-{
-	int i;
-
-	if (ngroups > 0) {
-		for (i = 0; i < ngroups; i++)
-			xfree(groups_byname[i]);
-		ngroups = 0;
-		xfree(groups_byname);
-	}
-}
diff --git a/crypto/openssh/groupaccess.h b/crypto/openssh/groupaccess.h
deleted file mode 100644
index 04b4498..0000000
--- a/crypto/openssh/groupaccess.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/* $OpenBSD: groupaccess.h,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
-
-/*
- * Copyright (c) 2001 Kevin Steves.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef GROUPACCESS_H
-#define GROUPACCESS_H
-
-int	 ga_init(const char *, gid_t);
-int	 ga_match(char * const *, int);
-void	 ga_free(void);
-
-#endif
diff --git a/crypto/openssh/gss-genr.c b/crypto/openssh/gss-genr.c
deleted file mode 100644
index 57f12a2..0000000
--- a/crypto/openssh/gss-genr.c
+++ /dev/null
@@ -1,324 +0,0 @@
-/* $OpenBSD: gss-genr.c,v 1.17 2006/08/29 12:02:30 dtucker Exp $ */
-
-/*
- * Copyright (c) 2001-2006 Simon Wilkinson. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#ifdef GSSAPI
-
-#include <sys/types.h>
-#include <sys/param.h>
-
-#include <stdarg.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "xmalloc.h"
-#include "buffer.h"
-#include "log.h"
-#include "ssh2.h"
-
-#include "ssh-gss.h"
-
-extern u_char *session_id2;
-extern u_int session_id2_len;
-
-/* Check that the OID in a data stream matches that in the context */
-int
-ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
-{
-	return (ctx != NULL && ctx->oid != GSS_C_NO_OID &&
-	    ctx->oid->length == len &&
-	    memcmp(ctx->oid->elements, data, len) == 0);
-}
-
-/* Set the contexts OID from a data stream */
-void
-ssh_gssapi_set_oid_data(Gssctxt *ctx, void *data, size_t len)
-{
-	if (ctx->oid != GSS_C_NO_OID) {
-		xfree(ctx->oid->elements);
-		xfree(ctx->oid);
-	}
-	ctx->oid = xmalloc(sizeof(gss_OID_desc));
-	ctx->oid->length = len;
-	ctx->oid->elements = xmalloc(len);
-	memcpy(ctx->oid->elements, data, len);
-}
-
-/* Set the contexts OID */
-void
-ssh_gssapi_set_oid(Gssctxt *ctx, gss_OID oid)
-{
-	ssh_gssapi_set_oid_data(ctx, oid->elements, oid->length);
-}
-
-/* All this effort to report an error ... */
-void
-ssh_gssapi_error(Gssctxt *ctxt)
-{
-	char *s;
-
-	s = ssh_gssapi_last_error(ctxt, NULL, NULL);
-	debug("%s", s);
-	xfree(s);
-}
-
-char *
-ssh_gssapi_last_error(Gssctxt *ctxt, OM_uint32 *major_status,
-    OM_uint32 *minor_status)
-{
-	OM_uint32 lmin;
-	gss_buffer_desc msg = GSS_C_EMPTY_BUFFER;
-	OM_uint32 ctx;
-	Buffer b;
-	char *ret;
-
-	buffer_init(&b);
-
-	if (major_status != NULL)
-		*major_status = ctxt->major;
-	if (minor_status != NULL)
-		*minor_status = ctxt->minor;
-
-	ctx = 0;
-	/* The GSSAPI error */
-	do {
-		gss_display_status(&lmin, ctxt->major,
-		    GSS_C_GSS_CODE, GSS_C_NULL_OID, &ctx, &msg);
-
-		buffer_append(&b, msg.value, msg.length);
-		buffer_put_char(&b, '\n');
-
-		gss_release_buffer(&lmin, &msg);
-	} while (ctx != 0);
-
-	/* The mechanism specific error */
-	do {
-		gss_display_status(&lmin, ctxt->minor,
-		    GSS_C_MECH_CODE, GSS_C_NULL_OID, &ctx, &msg);
-
-		buffer_append(&b, msg.value, msg.length);
-		buffer_put_char(&b, '\n');
-
-		gss_release_buffer(&lmin, &msg);
-	} while (ctx != 0);
-
-	buffer_put_char(&b, '\0');
-	ret = xmalloc(buffer_len(&b));
-	buffer_get(&b, ret, buffer_len(&b));
-	buffer_free(&b);
-	return (ret);
-}
-
-/*
- * Initialise our GSSAPI context. We use this opaque structure to contain all
- * of the data which both the client and server need to persist across
- * {accept,init}_sec_context calls, so that when we do it from the userauth
- * stuff life is a little easier
- */
-void
-ssh_gssapi_build_ctx(Gssctxt **ctx)
-{
-	*ctx = xcalloc(1, sizeof (Gssctxt));
-	(*ctx)->context = GSS_C_NO_CONTEXT;
-	(*ctx)->name = GSS_C_NO_NAME;
-	(*ctx)->oid = GSS_C_NO_OID;
-	(*ctx)->creds = GSS_C_NO_CREDENTIAL;
-	(*ctx)->client = GSS_C_NO_NAME;
-	(*ctx)->client_creds = GSS_C_NO_CREDENTIAL;
-}
-
-/* Delete our context, providing it has been built correctly */
-void
-ssh_gssapi_delete_ctx(Gssctxt **ctx)
-{
-	OM_uint32 ms;
-
-	if ((*ctx) == NULL)
-		return;
-	if ((*ctx)->context != GSS_C_NO_CONTEXT)
-		gss_delete_sec_context(&ms, &(*ctx)->context, GSS_C_NO_BUFFER);
-	if ((*ctx)->name != GSS_C_NO_NAME)
-		gss_release_name(&ms, &(*ctx)->name);
-	if ((*ctx)->oid != GSS_C_NO_OID) {
-		xfree((*ctx)->oid->elements);
-		xfree((*ctx)->oid);
-		(*ctx)->oid = GSS_C_NO_OID;
-	}
-	if ((*ctx)->creds != GSS_C_NO_CREDENTIAL)
-		gss_release_cred(&ms, &(*ctx)->creds);
-	if ((*ctx)->client != GSS_C_NO_NAME)
-		gss_release_name(&ms, &(*ctx)->client);
-	if ((*ctx)->client_creds != GSS_C_NO_CREDENTIAL)
-		gss_release_cred(&ms, &(*ctx)->client_creds);
-
-	xfree(*ctx);
-	*ctx = NULL;
-}
-
-/*
- * Wrapper to init_sec_context
- * Requires that the context contains:
- *	oid
- *	server name (from ssh_gssapi_import_name)
- */
-OM_uint32
-ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok,
-    gss_buffer_desc* send_tok, OM_uint32 *flags)
-{
-	int deleg_flag = 0;
-
-	if (deleg_creds) {
-		deleg_flag = GSS_C_DELEG_FLAG;
-		debug("Delegating credentials");
-	}
-
-	ctx->major = gss_init_sec_context(&ctx->minor,
-	    GSS_C_NO_CREDENTIAL, &ctx->context, ctx->name, ctx->oid,
-	    GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
-	    0, NULL, recv_tok, NULL, send_tok, flags, NULL);
-
-	if (GSS_ERROR(ctx->major))
-		ssh_gssapi_error(ctx);
-
-	return (ctx->major);
-}
-
-/* Create a service name for the given host */
-OM_uint32
-ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
-{
-	gss_buffer_desc gssbuf;
-	char *val;
-
-	xasprintf(&val, "host@%s", host);
-	gssbuf.value = val;
-	gssbuf.length = strlen(gssbuf.value);
-
-	if ((ctx->major = gss_import_name(&ctx->minor,
-	    &gssbuf, GSS_C_NT_HOSTBASED_SERVICE, &ctx->name)))
-		ssh_gssapi_error(ctx);
-
-	xfree(gssbuf.value);
-	return (ctx->major);
-}
-
-/* Acquire credentials for a server running on the current host.
- * Requires that the context structure contains a valid OID
- */
-
-/* Returns a GSSAPI error code */
-OM_uint32
-ssh_gssapi_acquire_cred(Gssctxt *ctx)
-{
-	OM_uint32 status;
-	char lname[MAXHOSTNAMELEN];
-	gss_OID_set oidset;
-
-	gss_create_empty_oid_set(&status, &oidset);
-	gss_add_oid_set_member(&status, ctx->oid, &oidset);
-
-	if (gethostname(lname, MAXHOSTNAMELEN)) {
-		gss_release_oid_set(&status, &oidset);
-		return (-1);
-	}
-
-	if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
-		gss_release_oid_set(&status, &oidset);
-		return (ctx->major);
-	}
-
-	if ((ctx->major = gss_acquire_cred(&ctx->minor,
-	    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
-		ssh_gssapi_error(ctx);
-
-	gss_release_oid_set(&status, &oidset);
-	return (ctx->major);
-}
-
-OM_uint32
-ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
-{
-	if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
-	    GSS_C_QOP_DEFAULT, buffer, hash)))
-		ssh_gssapi_error(ctx);
-
-	return (ctx->major);
-}
-
-void
-ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
-    const char *context)
-{
-	buffer_init(b);
-	buffer_put_string(b, session_id2, session_id2_len);
-	buffer_put_char(b, SSH2_MSG_USERAUTH_REQUEST);
-	buffer_put_cstring(b, user);
-	buffer_put_cstring(b, service);
-	buffer_put_cstring(b, context);
-}
-
-OM_uint32
-ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
-{
-	if (*ctx)
-		ssh_gssapi_delete_ctx(ctx);
-	ssh_gssapi_build_ctx(ctx);
-	ssh_gssapi_set_oid(*ctx, oid);
-	return (ssh_gssapi_acquire_cred(*ctx));
-}
-
-int
-ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
-{
-	gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
-	OM_uint32 major, minor;
-	gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};
-
-	/* RFC 4462 says we MUST NOT do SPNEGO */
-	if (oid->length == spnego_oid.length && 
-	    (memcmp(oid->elements, spnego_oid.elements, oid->length) == 0))
-		return 0; /* false */
-
-	ssh_gssapi_build_ctx(ctx);
-	ssh_gssapi_set_oid(*ctx, oid);
-	major = ssh_gssapi_import_name(*ctx, host);
-	if (!GSS_ERROR(major)) {
-		major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, 
-		    NULL);
-		gss_release_buffer(&minor, &token);
-		if ((*ctx)->context != GSS_C_NO_CONTEXT)
-			gss_delete_sec_context(&minor, &(*ctx)->context,
-			    GSS_C_NO_BUFFER);
-	}
-
-	if (GSS_ERROR(major)) 
-		ssh_gssapi_delete_ctx(ctx);
-
-	return (!GSS_ERROR(major));
-}
-
-#endif /* GSSAPI */
diff --git a/crypto/openssh/gss-serv-krb5.c b/crypto/openssh/gss-serv-krb5.c
deleted file mode 100644
index 5a625ac..0000000
--- a/crypto/openssh/gss-serv-krb5.c
+++ /dev/null
@@ -1,199 +0,0 @@
-/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
-
-/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#ifdef GSSAPI
-#ifdef KRB5
-
-#include <sys/types.h>
-
-#include <stdarg.h>
-#include <string.h>
-
-#include "xmalloc.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "log.h"
-#include "servconf.h"
-
-#include "buffer.h"
-#include "ssh-gss.h"
-
-extern ServerOptions options;
-
-#ifdef HEIMDAL
-# include <krb5.h>
-#else
-# ifdef HAVE_GSSAPI_KRB5_H
-#  include <gssapi_krb5.h>
-# elif HAVE_GSSAPI_GSSAPI_KRB5_H
-#  include <gssapi/gssapi_krb5.h>
-# endif
-#endif
-
-static krb5_context krb_context = NULL;
-
-/* Initialise the krb5 library, for the stuff that GSSAPI won't do */
-
-static int
-ssh_gssapi_krb5_init(void)
-{
-	krb5_error_code problem;
-
-	if (krb_context != NULL)
-		return 1;
-
-	problem = krb5_init_context(&krb_context);
-	if (problem) {
-		logit("Cannot initialize krb5 context");
-		return 0;
-	}
-
-	return 1;
-}
-
-/* Check if this user is OK to login. This only works with krb5 - other
- * GSSAPI mechanisms will need their own.
- * Returns true if the user is OK to log in, otherwise returns 0
- */
-
-static int
-ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
-{
-	krb5_principal princ;
-	int retval;
-
-	if (ssh_gssapi_krb5_init() == 0)
-		return 0;
-
-	if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
-	    &princ))) {
-		logit("krb5_parse_name(): %.100s",
-		    krb5_get_err_text(krb_context, retval));
-		return 0;
-	}
-	if (krb5_kuserok(krb_context, princ, name)) {
-		retval = 1;
-		logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
-		    name, (char *)client->displayname.value);
-	} else
-		retval = 0;
-
-	krb5_free_principal(krb_context, princ);
-	return retval;
-}
-
-
-/* This writes out any forwarded credentials from the structure populated
- * during userauth. Called after we have setuid to the user */
-
-static void
-ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
-{
-	krb5_ccache ccache;
-	krb5_error_code problem;
-	krb5_principal princ;
-	OM_uint32 maj_status, min_status;
-	int len;
-
-	if (client->creds == NULL) {
-		debug("No credentials stored");
-		return;
-	}
-
-	if (ssh_gssapi_krb5_init() == 0)
-		return;
-
-#ifdef HEIMDAL
-	if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
-		logit("krb5_cc_gen_new(): %.100s",
-		    krb5_get_err_text(krb_context, problem));
-		return;
-	}
-#else
-	if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) {
-		logit("ssh_krb5_cc_gen(): %.100s",
-		    krb5_get_err_text(krb_context, problem));
-		return;
-	}
-#endif	/* #ifdef HEIMDAL */
-
-	if ((problem = krb5_parse_name(krb_context,
-	    client->exportedname.value, &princ))) {
-		logit("krb5_parse_name(): %.100s",
-		    krb5_get_err_text(krb_context, problem));
-		krb5_cc_destroy(krb_context, ccache);
-		return;
-	}
-
-	if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
-		logit("krb5_cc_initialize(): %.100s",
-		    krb5_get_err_text(krb_context, problem));
-		krb5_free_principal(krb_context, princ);
-		krb5_cc_destroy(krb_context, ccache);
-		return;
-	}
-
-	krb5_free_principal(krb_context, princ);
-
-	if ((maj_status = gss_krb5_copy_ccache(&min_status,
-	    client->creds, ccache))) {
-		logit("gss_krb5_copy_ccache() failed");
-		krb5_cc_destroy(krb_context, ccache);
-		return;
-	}
-
-	client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
-	client->store.envvar = "KRB5CCNAME";
-	len = strlen(client->store.filename) + 6;
-	client->store.envval = xmalloc(len);
-	snprintf(client->store.envval, len, "FILE:%s", client->store.filename);
-
-#ifdef USE_PAM
-	if (options.use_pam)
-		do_pam_putenv(client->store.envvar, client->store.envval);
-#endif
-
-	krb5_cc_close(krb_context, ccache);
-
-	return;
-}
-
-ssh_gssapi_mech gssapi_kerberos_mech = {
-	"toWM5Slw5Ew8Mqkay+al2g==",
-	"Kerberos",
-	{9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
-	NULL,
-	&ssh_gssapi_krb5_userok,
-	NULL,
-	&ssh_gssapi_krb5_storecreds
-};
-
-#endif /* KRB5 */
-
-#endif /* GSSAPI */
diff --git a/crypto/openssh/gss-serv.c b/crypto/openssh/gss-serv.c
deleted file mode 100644
index e8191a8..0000000
--- a/crypto/openssh/gss-serv.c
+++ /dev/null
@@ -1,316 +0,0 @@
-/* $OpenBSD: gss-serv.c,v 1.20 2006/08/03 03:34:42 deraadt Exp $ */
-
-/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#ifdef GSSAPI
-
-#include <sys/types.h>
-
-#include <stdarg.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "xmalloc.h"
-#include "buffer.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "log.h"
-#include "channels.h"
-#include "session.h"
-#include "misc.h"
-
-#include "ssh-gss.h"
-
-static ssh_gssapi_client gssapi_client =
-    { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
-    GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
-
-ssh_gssapi_mech gssapi_null_mech =
-    { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL};
-
-#ifdef KRB5
-extern ssh_gssapi_mech gssapi_kerberos_mech;
-#endif
-
-ssh_gssapi_mech* supported_mechs[]= {
-#ifdef KRB5
-	&gssapi_kerberos_mech,
-#endif
-	&gssapi_null_mech,
-};
-
-/* Unprivileged */
-void
-ssh_gssapi_supported_oids(gss_OID_set *oidset)
-{
-	int i = 0;
-	OM_uint32 min_status;
-	int present;
-	gss_OID_set supported;
-
-	gss_create_empty_oid_set(&min_status, oidset);
-	gss_indicate_mechs(&min_status, &supported);
-
-	while (supported_mechs[i]->name != NULL) {
-		if (GSS_ERROR(gss_test_oid_set_member(&min_status,
-		    &supported_mechs[i]->oid, supported, &present)))
-			present = 0;
-		if (present)
-			gss_add_oid_set_member(&min_status,
-			    &supported_mechs[i]->oid, oidset);
-		i++;
-	}
-
-	gss_release_oid_set(&min_status, &supported);
-}
-
-
-/* Wrapper around accept_sec_context
- * Requires that the context contains:
- *    oid
- *    credentials	(from ssh_gssapi_acquire_cred)
- */
-/* Privileged */
-OM_uint32
-ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok,
-    gss_buffer_desc *send_tok, OM_uint32 *flags)
-{
-	OM_uint32 status;
-	gss_OID mech;
-
-	ctx->major = gss_accept_sec_context(&ctx->minor,
-	    &ctx->context, ctx->creds, recv_tok,
-	    GSS_C_NO_CHANNEL_BINDINGS, &ctx->client, &mech,
-	    send_tok, flags, NULL, &ctx->client_creds);
-
-	if (GSS_ERROR(ctx->major))
-		ssh_gssapi_error(ctx);
-
-	if (ctx->client_creds)
-		debug("Received some client credentials");
-	else
-		debug("Got no client credentials");
-
-	status = ctx->major;
-
-	/* Now, if we're complete and we have the right flags, then
-	 * we flag the user as also having been authenticated
-	 */
-
-	if (((flags == NULL) || ((*flags & GSS_C_MUTUAL_FLAG) &&
-	    (*flags & GSS_C_INTEG_FLAG))) && (ctx->major == GSS_S_COMPLETE)) {
-		if (ssh_gssapi_getclient(ctx, &gssapi_client))
-			fatal("Couldn't convert client name");
-	}
-
-	return (status);
-}
-
-/*
- * This parses an exported name, extracting the mechanism specific portion
- * to use for ACL checking. It verifies that the name belongs the mechanism
- * originally selected.
- */
-static OM_uint32
-ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
-{
-	u_char *tok;
-	OM_uint32 offset;
-	OM_uint32 oidl;
-
-	tok = ename->value;
-
-	/*
-	 * Check that ename is long enough for all of the fixed length
-	 * header, and that the initial ID bytes are correct
-	 */
-
-	if (ename->length < 6 || memcmp(tok, "\x04\x01", 2) != 0)
-		return GSS_S_FAILURE;
-
-	/*
-	 * Extract the OID, and check it. Here GSSAPI breaks with tradition
-	 * and does use the OID type and length bytes. To confuse things
-	 * there are two lengths - the first including these, and the
-	 * second without.
-	 */
-
-	oidl = get_u16(tok+2); /* length including next two bytes */
-	oidl = oidl-2; /* turn it into the _real_ length of the variable OID */
-
-	/*
-	 * Check the BER encoding for correct type and length, that the
-	 * string is long enough and that the OID matches that in our context
-	 */
-	if (tok[4] != 0x06 || tok[5] != oidl ||
-	    ename->length < oidl+6 ||
-	    !ssh_gssapi_check_oid(ctx, tok+6, oidl))
-		return GSS_S_FAILURE;
-
-	offset = oidl+6;
-
-	if (ename->length < offset+4)
-		return GSS_S_FAILURE;
-
-	name->length = get_u32(tok+offset);
-	offset += 4;
-
-	if (ename->length < offset+name->length)
-		return GSS_S_FAILURE;
-
-	name->value = xmalloc(name->length+1);
-	memcpy(name->value, tok+offset, name->length);
-	((char *)name->value)[name->length] = 0;
-
-	return GSS_S_COMPLETE;
-}
-
-/* Extract the client details from a given context. This can only reliably
- * be called once for a context */
-
-/* Privileged (called from accept_secure_ctx) */
-OM_uint32
-ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
-{
-	int i = 0;
-
-	gss_buffer_desc ename;
-
-	client->mech = NULL;
-
-	while (supported_mechs[i]->name != NULL) {
-		if (supported_mechs[i]->oid.length == ctx->oid->length &&
-		    (memcmp(supported_mechs[i]->oid.elements,
-		    ctx->oid->elements, ctx->oid->length) == 0))
-			client->mech = supported_mechs[i];
-		i++;
-	}
-
-	if (client->mech == NULL)
-		return GSS_S_FAILURE;
-
-	if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
-	    &client->displayname, NULL))) {
-		ssh_gssapi_error(ctx);
-		return (ctx->major);
-	}
-
-	if ((ctx->major = gss_export_name(&ctx->minor, ctx->client,
-	    &ename))) {
-		ssh_gssapi_error(ctx);
-		return (ctx->major);
-	}
-
-	if ((ctx->major = ssh_gssapi_parse_ename(ctx,&ename,
-	    &client->exportedname))) {
-		return (ctx->major);
-	}
-
-	/* We can't copy this structure, so we just move the pointer to it */
-	client->creds = ctx->client_creds;
-	ctx->client_creds = GSS_C_NO_CREDENTIAL;
-	return (ctx->major);
-}
-
-/* As user - called on fatal/exit */
-void
-ssh_gssapi_cleanup_creds(void)
-{
-	if (gssapi_client.store.filename != NULL) {
-		/* Unlink probably isn't sufficient */
-		debug("removing gssapi cred file\"%s\"",
-		    gssapi_client.store.filename);
-		unlink(gssapi_client.store.filename);
-	}
-}
-
-/* As user */
-void
-ssh_gssapi_storecreds(void)
-{
-	if (gssapi_client.mech && gssapi_client.mech->storecreds) {
-		(*gssapi_client.mech->storecreds)(&gssapi_client);
-	} else
-		debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
-}
-
-/* This allows GSSAPI methods to do things to the childs environment based
- * on the passed authentication process and credentials.
- */
-/* As user */
-void
-ssh_gssapi_do_child(char ***envp, u_int *envsizep)
-{
-
-	if (gssapi_client.store.envvar != NULL &&
-	    gssapi_client.store.envval != NULL) {
-		debug("Setting %s to %s", gssapi_client.store.envvar,
-		    gssapi_client.store.envval);
-		child_set_env(envp, envsizep, gssapi_client.store.envvar,
-		    gssapi_client.store.envval);
-	}
-}
-
-/* Privileged */
-int
-ssh_gssapi_userok(char *user)
-{
-	OM_uint32 lmin;
-
-	if (gssapi_client.exportedname.length == 0 ||
-	    gssapi_client.exportedname.value == NULL) {
-		debug("No suitable client data");
-		return 0;
-	}
-	if (gssapi_client.mech && gssapi_client.mech->userok)
-		if ((*gssapi_client.mech->userok)(&gssapi_client, user))
-			return 1;
-		else {
-			/* Destroy delegated credentials if userok fails */
-			gss_release_buffer(&lmin, &gssapi_client.displayname);
-			gss_release_buffer(&lmin, &gssapi_client.exportedname);
-			gss_release_cred(&lmin, &gssapi_client.creds);
-			memset(&gssapi_client, 0, sizeof(ssh_gssapi_client));
-			return 0;
-		}
-	else
-		debug("ssh_gssapi_userok: Unknown GSSAPI mechanism");
-	return (0);
-}
-
-/* Privileged */
-OM_uint32
-ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
-{
-	ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
-	    gssbuf, gssmic, NULL);
-
-	return (ctx->major);
-}
-
-#endif
diff --git a/crypto/openssh/hmac.c b/crypto/openssh/hmac.c
deleted file mode 100644
index 48a1763..0000000
--- a/crypto/openssh/hmac.c
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: hmac.c,v 1.4 2000/09/07 20:27:51 deraadt Exp $");
-
-#include "xmalloc.h"
-#include "ssh.h"
-#include "getput.h"
-
-#include <openssl/hmac.h>
-
-unsigned char *
-hmac(
-    EVP_MD *evp_md,
-    unsigned int seqno,
-    unsigned char *data, int datalen,
-    unsigned char *key, int keylen)
-{
-	HMAC_CTX c;
-	static unsigned char m[EVP_MAX_MD_SIZE];
-	unsigned char b[4];
-
-	if (key == NULL)
-		fatal("hmac: no key");
-	HMAC_Init(&c, key, keylen, evp_md);
-	PUT_32BIT(b, seqno);
-	HMAC_Update(&c, b, sizeof b);
-	HMAC_Update(&c, data, datalen);
-	HMAC_Final(&c, m, NULL);
-	HMAC_cleanup(&c);
-	return(m);
-}
diff --git a/crypto/openssh/hmac.h b/crypto/openssh/hmac.h
deleted file mode 100644
index 281300e..0000000
--- a/crypto/openssh/hmac.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-#ifndef HMAC_H
-#define HMAC_H
-
-unsigned char *
-hmac(
-    EVP_MD *evp_md,
-    unsigned int seqno,
-    unsigned char *data, int datalen,
-    unsigned char *key, int len);
-
-#endif
diff --git a/crypto/openssh/hostfile.c b/crypto/openssh/hostfile.c
deleted file mode 100644
index 2cceb35..0000000
--- a/crypto/openssh/hostfile.c
+++ /dev/null
@@ -1,353 +0,0 @@
-/* $OpenBSD: hostfile.c,v 1.45 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Functions for manipulating the known hosts files.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- *
- * Copyright (c) 1999, 2000 Markus Friedl.  All rights reserved.
- * Copyright (c) 1999 Niels Provos.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <netinet/in.h>
-
-#include <openssl/hmac.h>
-#include <openssl/sha.h>
-
-#include <resolv.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "xmalloc.h"
-#include "match.h"
-#include "key.h"
-#include "hostfile.h"
-#include "log.h"
-
-static int
-extract_salt(const char *s, u_int l, char *salt, size_t salt_len)
-{
-	char *p, *b64salt;
-	u_int b64len;
-	int ret;
-
-	if (l < sizeof(HASH_MAGIC) - 1) {
-		debug2("extract_salt: string too short");
-		return (-1);
-	}
-	if (strncmp(s, HASH_MAGIC, sizeof(HASH_MAGIC) - 1) != 0) {
-		debug2("extract_salt: invalid magic identifier");
-		return (-1);
-	}
-	s += sizeof(HASH_MAGIC) - 1;
-	l -= sizeof(HASH_MAGIC) - 1;
-	if ((p = memchr(s, HASH_DELIM, l)) == NULL) {
-		debug2("extract_salt: missing salt termination character");
-		return (-1);
-	}
-
-	b64len = p - s;
-	/* Sanity check */
-	if (b64len == 0 || b64len > 1024) {
-		debug2("extract_salt: bad encoded salt length %u", b64len);
-		return (-1);
-	}
-	b64salt = xmalloc(1 + b64len);
-	memcpy(b64salt, s, b64len);
-	b64salt[b64len] = '\0';
-
-	ret = __b64_pton(b64salt, salt, salt_len);
-	xfree(b64salt);
-	if (ret == -1) {
-		debug2("extract_salt: salt decode error");
-		return (-1);
-	}
-	if (ret != SHA_DIGEST_LENGTH) {
-		debug2("extract_salt: expected salt len %d, got %d",
-		    SHA_DIGEST_LENGTH, ret);
-		return (-1);
-	}
-
-	return (0);
-}
-
-char *
-host_hash(const char *host, const char *name_from_hostfile, u_int src_len)
-{
-	const EVP_MD *md = EVP_sha1();
-	HMAC_CTX mac_ctx;
-	char salt[256], result[256], uu_salt[512], uu_result[512];
-	static char encoded[1024];
-	u_int i, len;
-
-	len = EVP_MD_size(md);
-
-	if (name_from_hostfile == NULL) {
-		/* Create new salt */
-		for (i = 0; i < len; i++)
-			salt[i] = arc4random();
-	} else {
-		/* Extract salt from known host entry */
-		if (extract_salt(name_from_hostfile, src_len, salt,
-		    sizeof(salt)) == -1)
-			return (NULL);
-	}
-
-	HMAC_Init(&mac_ctx, salt, len, md);
-	HMAC_Update(&mac_ctx, host, strlen(host));
-	HMAC_Final(&mac_ctx, result, NULL);
-	HMAC_cleanup(&mac_ctx);
-
-	if (__b64_ntop(salt, len, uu_salt, sizeof(uu_salt)) == -1 ||
-	    __b64_ntop(result, len, uu_result, sizeof(uu_result)) == -1)
-		fatal("host_hash: __b64_ntop failed");
-
-	snprintf(encoded, sizeof(encoded), "%s%s%c%s", HASH_MAGIC, uu_salt,
-	    HASH_DELIM, uu_result);
-
-	return (encoded);
-}
-
-/*
- * Parses an RSA (number of bits, e, n) or DSA key from a string.  Moves the
- * pointer over the key.  Skips any whitespace at the beginning and at end.
- */
-
-int
-hostfile_read_key(char **cpp, u_int *bitsp, Key *ret)
-{
-	char *cp;
-
-	/* Skip leading whitespace. */
-	for (cp = *cpp; *cp == ' ' || *cp == '\t'; cp++)
-		;
-
-	if (key_read(ret, &cp) != 1)
-		return 0;
-
-	/* Skip trailing whitespace. */
-	for (; *cp == ' ' || *cp == '\t'; cp++)
-		;
-
-	/* Return results. */
-	*cpp = cp;
-	*bitsp = key_size(ret);
-	return 1;
-}
-
-static int
-hostfile_check_key(int bits, const Key *key, const char *host, const char *filename, int linenum)
-{
-	if (key == NULL || key->type != KEY_RSA1 || key->rsa == NULL)
-		return 1;
-	if (bits != BN_num_bits(key->rsa->n)) {
-		logit("Warning: %s, line %d: keysize mismatch for host %s: "
-		    "actual %d vs. announced %d.",
-		    filename, linenum, host, BN_num_bits(key->rsa->n), bits);
-		logit("Warning: replace %d with %d in %s, line %d.",
-		    bits, BN_num_bits(key->rsa->n), filename, linenum);
-	}
-	return 1;
-}
-
-/*
- * Checks whether the given host (which must be in all lowercase) is already
- * in the list of our known hosts. Returns HOST_OK if the host is known and
- * has the specified key, HOST_NEW if the host is not known, and HOST_CHANGED
- * if the host is known but used to have a different host key.
- *
- * If no 'key' has been specified and a key of type 'keytype' is known
- * for the specified host, then HOST_FOUND is returned.
- */
-
-static HostStatus
-check_host_in_hostfile_by_key_or_type(const char *filename,
-    const char *host, const Key *key, int keytype, Key *found, int *numret)
-{
-	FILE *f;
-	char line[8192];
-	int linenum = 0;
-	u_int kbits;
-	char *cp, *cp2, *hashed_host;
-	HostStatus end_return;
-
-	debug3("check_host_in_hostfile: filename %s", filename);
-
-	/* Open the file containing the list of known hosts. */
-	f = fopen(filename, "r");
-	if (!f)
-		return HOST_NEW;
-
-	/*
-	 * Return value when the loop terminates.  This is set to
-	 * HOST_CHANGED if we have seen a different key for the host and have
-	 * not found the proper one.
-	 */
-	end_return = HOST_NEW;
-
-	/* Go through the file. */
-	while (fgets(line, sizeof(line), f)) {
-		cp = line;
-		linenum++;
-
-		/* Skip any leading whitespace, comments and empty lines. */
-		for (; *cp == ' ' || *cp == '\t'; cp++)
-			;
-		if (!*cp || *cp == '#' || *cp == '\n')
-			continue;
-
-		/* Find the end of the host name portion. */
-		for (cp2 = cp; *cp2 && *cp2 != ' ' && *cp2 != '\t'; cp2++)
-			;
-
-		/* Check if the host name matches. */
-		if (match_hostname(host, cp, (u_int) (cp2 - cp)) != 1) {
-			if (*cp != HASH_DELIM)
-				continue;
-			hashed_host = host_hash(host, cp, (u_int) (cp2 - cp));
-			if (hashed_host == NULL) {
-				debug("Invalid hashed host line %d of %s",
-				    linenum, filename);
-				continue;
-			}
-			if (strncmp(hashed_host, cp, (u_int) (cp2 - cp)) != 0)
-				continue;
-		}
-
-		/* Got a match.  Skip host name. */
-		cp = cp2;
-
-		/*
-		 * Extract the key from the line.  This will skip any leading
-		 * whitespace.  Ignore badly formatted lines.
-		 */
-		if (!hostfile_read_key(&cp, &kbits, found))
-			continue;
-
-		if (numret != NULL)
-			*numret = linenum;
-
-		if (key == NULL) {
-			/* we found a key of the requested type */
-			if (found->type == keytype) {
-				fclose(f);
-				return HOST_FOUND;
-			}
-			continue;
-		}
-
-		if (!hostfile_check_key(kbits, found, host, filename, linenum))
-			continue;
-
-		/* Check if the current key is the same as the given key. */
-		if (key_equal(key, found)) {
-			/* Ok, they match. */
-			debug3("check_host_in_hostfile: match line %d", linenum);
-			fclose(f);
-			return HOST_OK;
-		}
-		/*
-		 * They do not match.  We will continue to go through the
-		 * file; however, we note that we will not return that it is
-		 * new.
-		 */
-		end_return = HOST_CHANGED;
-	}
-	/* Clear variables and close the file. */
-	fclose(f);
-
-	/*
-	 * Return either HOST_NEW or HOST_CHANGED, depending on whether we
-	 * saw a different key for the host.
-	 */
-	return end_return;
-}
-
-HostStatus
-check_host_in_hostfile(const char *filename, const char *host, const Key *key,
-    Key *found, int *numret)
-{
-	if (key == NULL)
-		fatal("no key to look up");
-	return (check_host_in_hostfile_by_key_or_type(filename, host, key, 0,
-	    found, numret));
-}
-
-int
-lookup_key_in_hostfile_by_type(const char *filename, const char *host,
-    int keytype, Key *found, int *numret)
-{
-	return (check_host_in_hostfile_by_key_or_type(filename, host, NULL,
-	    keytype, found, numret) == HOST_FOUND);
-}
-
-/*
- * Appends an entry to the host file.  Returns false if the entry could not
- * be appended.
- */
-
-int
-add_host_to_hostfile(const char *filename, const char *host, const Key *key,
-    int store_hash)
-{
-	FILE *f;
-	int success = 0;
-	char *hashed_host = NULL;
-
-	if (key == NULL)
-		return 1;	/* XXX ? */
-	f = fopen(filename, "a");
-	if (!f)
-		return 0;
-
-	if (store_hash) {
-		if ((hashed_host = host_hash(host, NULL, 0)) == NULL) {
-			error("add_host_to_hostfile: host_hash failed");
-			fclose(f);
-			return 0;
-		}
-	}
-	fprintf(f, "%s ", store_hash ? hashed_host : host);
-
-	if (key_write(key, f)) {
-		success = 1;
-	} else {
-		error("add_host_to_hostfile: saving key in %s failed", filename);
-	}
-	fprintf(f, "\n");
-	fclose(f);
-	return success;
-}
diff --git a/crypto/openssh/hostfile.h b/crypto/openssh/hostfile.h
deleted file mode 100644
index d1983b3..0000000
--- a/crypto/openssh/hostfile.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/* $OpenBSD: hostfile.h,v 1.16 2006/03/25 22:22:43 djm Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-#ifndef HOSTFILE_H
-#define HOSTFILE_H
-
-typedef enum {
-	HOST_OK, HOST_NEW, HOST_CHANGED, HOST_FOUND
-}       HostStatus;
-
-int	 hostfile_read_key(char **, u_int *, Key *);
-HostStatus check_host_in_hostfile(const char *, const char *,
-	    const Key *, Key *, int *);
-int	add_host_to_hostfile(const char *, const char *, const Key *, int);
-int	lookup_key_in_hostfile_by_type(const char *, const char *,
-	    int, Key *, int *);
-
-#define HASH_MAGIC	"|1|"
-#define HASH_DELIM	'|'
-
-char	*host_hash(const char *, const char *, u_int);
-
-#endif
diff --git a/crypto/openssh/includes.h b/crypto/openssh/includes.h
deleted file mode 100644
index 967fcc2..0000000
--- a/crypto/openssh/includes.h
+++ /dev/null
@@ -1,172 +0,0 @@
-/* $OpenBSD: includes.h,v 1.54 2006/07/22 20:48:23 stevesk Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * This file includes most of the needed system headers.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#ifndef INCLUDES_H
-#define INCLUDES_H
-
-#include "config.h"
-
-#define _GNU_SOURCE /* activate extra prototypes for glibc */
-
-#include <sys/types.h>
-#include <sys/socket.h> /* For CMSG_* */
-
-#ifdef HAVE_LIMITS_H
-# include <limits.h> /* For PATH_MAX */
-#endif
-#ifdef HAVE_BSTRING_H
-# include <bstring.h>
-#endif
-#if defined(HAVE_GLOB_H) && defined(GLOB_HAS_ALTDIRFUNC) && \
-    defined(GLOB_HAS_GL_MATCHC) && \
-    defined(HAVE_DECL_GLOB_NOMATCH) &&  HAVE_DECL_GLOB_NOMATCH != 0
-# include <glob.h>
-#endif
-#ifdef HAVE_ENDIAN_H
-# include <endian.h>
-#endif
-#ifdef HAVE_TTYENT_H
-# include <ttyent.h>
-#endif
-#ifdef HAVE_UTIME_H
-# include <utime.h>
-#endif
-#ifdef HAVE_MAILLOCK_H
-# include <maillock.h> /* For _PATH_MAILDIR */
-#endif
-#ifdef HAVE_NEXT
-# include <libc.h>
-#endif
-#ifdef HAVE_PATHS
-# include <paths.h>
-#endif
-
-/*
- *-*-nto-qnx needs these headers for strcasecmp and LASTLOG_FILE respectively
- */
-#ifdef HAVE_STRINGS_H
-# include <strings.h>
-#endif
-#ifdef HAVE_LOGIN_H
-# include <login.h>
-#endif
-
-#ifdef HAVE_UTMP_H
-#  include <utmp.h>
-#endif
-#ifdef HAVE_UTMPX_H
-#  include <utmpx.h>
-#endif
-#ifdef HAVE_LASTLOG_H
-#  include <lastlog.h>
-#endif
-
-#ifdef HAVE_SYS_SELECT_H
-# include <sys/select.h>
-#endif
-#ifdef HAVE_SYS_BSDTTY_H
-# include <sys/bsdtty.h>
-#endif
-#ifdef HAVE_STDINT_H
-# include <stdint.h>
-#endif
-#include <termios.h>
-#ifdef HAVE_SYS_BITYPES_H
-# include <sys/bitypes.h> /* For u_intXX_t */
-#endif
-#ifdef HAVE_SYS_CDEFS_H
-# include <sys/cdefs.h> /* For __P() */
-#endif
-#ifdef HAVE_SYS_STAT_H
-# include <sys/stat.h> /* For S_* constants and macros */
-#endif
-#ifdef HAVE_SYS_SYSMACROS_H
-# include <sys/sysmacros.h> /* For MIN, MAX, etc */
-#endif
-#ifdef HAVE_SYS_MMAN_H
-#include <sys/mman.h> /* for MAP_ANONYMOUS */
-#endif
-#ifdef HAVE_SYS_STRTIO_H
-#include <sys/strtio.h>	/* for TIOCCBRK on HP-UX */
-#endif
-#if defined(HAVE_SYS_PTMS_H) && defined(HAVE_DEV_PTMX)
-# if defined(HAVE_SYS_STREAM_H)
-#  include <sys/stream.h>	/* reqd for queue_t on Solaris 2.5.1 */
-# endif
-#include <sys/ptms.h>	/* for grantpt() and friends */
-#endif
-
-#include <netinet/in.h>
-#include <netinet/in_systm.h> /* For typedefs */
-#ifdef HAVE_RPC_TYPES_H
-# include <rpc/types.h> /* For INADDR_LOOPBACK */
-#endif
-#ifdef USE_PAM
-#if defined(HAVE_SECURITY_PAM_APPL_H)
-# include <security/pam_appl.h>
-#elif defined (HAVE_PAM_PAM_APPL_H)
-# include <pam/pam_appl.h>
-#endif
-#endif
-#ifdef HAVE_READPASSPHRASE_H
-# include <readpassphrase.h>
-#endif
-
-#ifdef HAVE_IA_H
-# include <ia.h>
-#endif
-
-#ifdef HAVE_IAF_H
-# include <iaf.h>
-#endif
-
-#ifdef HAVE_TMPDIR_H
-# include <tmpdir.h>
-#endif
-
-#ifdef HAVE_LIBUTIL_H
-# include <libutil.h> /* Openpty on FreeBSD at least */
-#endif
-
-#if defined(KRB5) && defined(USE_AFS)
-# include <krb5.h>
-# include <kafs.h>
-#endif
-
-#if defined(HAVE_SYS_SYSLOG_H)
-# include <sys/syslog.h>
-#endif
-
-/*
- * On HP-UX 11.11, shadow.h and prot.h provide conflicting declarations
- * of getspnam when _INCLUDE__STDC__ is defined, so we unset it here.
- */
-#ifdef GETSPNAM_CONFLICTING_DEFS
-# ifdef _INCLUDE__STDC__
-#  undef _INCLUDE__STDC__
-# endif
-#endif
-
-#include <openssl/opensslv.h> /* For OPENSSL_VERSION_NUMBER */
-
-#include "defines.h"
-
-#include "platform.h"
-#include "openbsd-compat/openbsd-compat.h"
-#include "openbsd-compat/bsd-nextstep.h"
-
-#include "entropy.h"
-
-#endif /* INCLUDES_H */
diff --git a/crypto/openssh/install-sh b/crypto/openssh/install-sh
deleted file mode 100755
index 220abbf..0000000
--- a/crypto/openssh/install-sh
+++ /dev/null
@@ -1,251 +0,0 @@
-#!/bin/sh
-#
-# install - install a program, script, or datafile
-# This comes from X11R5 (mit/util/scripts/install.sh).
-#
-# Copyright 1991 by the Massachusetts Institute of Technology
-#
-# Permission to use, copy, modify, distribute, and sell this software and its
-# documentation for any purpose is hereby granted without fee, provided that
-# the above copyright notice appear in all copies and that both that
-# copyright notice and this permission notice appear in supporting
-# documentation, and that the name of M.I.T. not be used in advertising or
-# publicity pertaining to distribution of the software without specific,
-# written prior permission.  M.I.T. makes no representations about the
-# suitability of this software for any purpose.  It is provided "as is"
-# without express or implied warranty.
-#
-# Calling this script install-sh is preferred over install.sh, to prevent
-# `make' implicit rules from creating a file called install from it
-# when there is no Makefile.
-#
-# This script is compatible with the BSD install script, but was written
-# from scratch.  It can only install one file at a time, a restriction
-# shared with many OS's install programs.
-
-
-# set DOITPROG to echo to test this script
-
-# Don't use :- since 4.3BSD and earlier shells don't like it.
-doit="${DOITPROG-}"
-
-
-# put in absolute paths if you don't have them in your path; or use env. vars.
-
-mvprog="${MVPROG-mv}"
-cpprog="${CPPROG-cp}"
-chmodprog="${CHMODPROG-chmod}"
-chownprog="${CHOWNPROG-chown}"
-chgrpprog="${CHGRPPROG-chgrp}"
-stripprog="${STRIPPROG-strip}"
-rmprog="${RMPROG-rm}"
-mkdirprog="${MKDIRPROG-mkdir}"
-
-transformbasename=""
-transform_arg=""
-instcmd="$mvprog"
-chmodcmd="$chmodprog 0755"
-chowncmd=""
-chgrpcmd=""
-stripcmd=""
-rmcmd="$rmprog -f"
-mvcmd="$mvprog"
-src=""
-dst=""
-dir_arg=""
-
-while [ x"$1" != x ]; do
-    case $1 in
-	-c) instcmd="$cpprog"
-	    shift
-	    continue;;
-
-	-d) dir_arg=true
-	    shift
-	    continue;;
-
-	-m) chmodcmd="$chmodprog $2"
-	    shift
-	    shift
-	    continue;;
-
-	-o) chowncmd="$chownprog $2"
-	    shift
-	    shift
-	    continue;;
-
-	-g) chgrpcmd="$chgrpprog $2"
-	    shift
-	    shift
-	    continue;;
-
-	-s) stripcmd="$stripprog"
-	    shift
-	    continue;;
-
-	-t=*) transformarg=`echo $1 | sed 's/-t=//'`
-	    shift
-	    continue;;
-
-	-b=*) transformbasename=`echo $1 | sed 's/-b=//'`
-	    shift
-	    continue;;
-
-	*)  if [ x"$src" = x ]
-	    then
-		src=$1
-	    else
-		# this colon is to work around a 386BSD /bin/sh bug
-		:
-		dst=$1
-	    fi
-	    shift
-	    continue;;
-    esac
-done
-
-if [ x"$src" = x ]
-then
-	echo "install:	no input file specified"
-	exit 1
-else
-	true
-fi
-
-if [ x"$dir_arg" != x ]; then
-	dst=$src
-	src=""
-	
-	if [ -d $dst ]; then
-		instcmd=:
-		chmodcmd=""
-	else
-		instcmd=mkdir
-	fi
-else
-
-# Waiting for this to be detected by the "$instcmd $src $dsttmp" command
-# might cause directories to be created, which would be especially bad
-# if $src (and thus $dsttmp) contains '*'.
-
-	if [ -f $src -o -d $src ]
-	then
-		true
-	else
-		echo "install:  $src does not exist"
-		exit 1
-	fi
-	
-	if [ x"$dst" = x ]
-	then
-		echo "install:	no destination specified"
-		exit 1
-	else
-		true
-	fi
-
-# If destination is a directory, append the input filename; if your system
-# does not like double slashes in filenames, you may need to add some logic
-
-	if [ -d $dst ]
-	then
-		dst="$dst"/`basename $src`
-	else
-		true
-	fi
-fi
-
-## this sed command emulates the dirname command
-dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'`
-
-# Make sure that the destination directory exists.
-#  this part is taken from Noah Friedman's mkinstalldirs script
-
-# Skip lots of stat calls in the usual case.
-if [ ! -d "$dstdir" ]; then
-defaultIFS='	
-'
-IFS="${IFS-${defaultIFS}}"
-
-oIFS="${IFS}"
-# Some sh's can't handle IFS=/ for some reason.
-IFS='%'
-set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'`
-IFS="${oIFS}"
-
-pathcomp=''
-
-while [ $# -ne 0 ] ; do
-	pathcomp="${pathcomp}${1}"
-	shift
-
-	if [ ! -d "${pathcomp}" ] ;
-	then
-		$mkdirprog "${pathcomp}"
-	else
-		true
-	fi
-
-	pathcomp="${pathcomp}/"
-done
-fi
-
-if [ x"$dir_arg" != x ]
-then
-	$doit $instcmd $dst &&
-
-	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi &&
-	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi &&
-	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi &&
-	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi
-else
-
-# If we're going to rename the final executable, determine the name now.
-
-	if [ x"$transformarg" = x ]
-	then
-		dstfile=`basename $dst`
-	else
-		dstfile=`basename $dst $transformbasename |
-			sed $transformarg`$transformbasename
-	fi
-
-# don't allow the sed command to completely eliminate the filename
-
-	if [ x"$dstfile" = x ]
-	then
-		dstfile=`basename $dst`
-	else
-		true
-	fi
-
-# Make a temp file name in the proper directory.
-
-	dsttmp=$dstdir/#inst.$$#
-
-# Move or copy the file name to the temp name
-
-	$doit $instcmd $src $dsttmp &&
-
-	trap "rm -f ${dsttmp}" 0 &&
-
-# and set any options; do chmod last to preserve setuid bits
-
-# If any of these fail, we abort the whole thing.  If we want to
-# ignore errors from any of these, just make sure not to ignore
-# errors from the above "$doit $instcmd $src $dsttmp" command.
-
-	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi &&
-	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi &&
-	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi &&
-	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi &&
-
-# Now rename the file to the real destination.
-
-	$doit $rmcmd -f $dstdir/$dstfile &&
-	$doit $mvcmd $dsttmp $dstdir/$dstfile
-
-fi &&
-
-
-exit 0
diff --git a/crypto/openssh/kex.c b/crypto/openssh/kex.c
deleted file mode 100644
index bfc1c11..0000000
--- a/crypto/openssh/kex.c
+++ /dev/null
@@ -1,564 +0,0 @@
-/* $OpenBSD: kex.c,v 1.76 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/param.h>
-
-#include <signal.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <openssl/crypto.h>
-
-#include "xmalloc.h"
-#include "ssh2.h"
-#include "buffer.h"
-#include "packet.h"
-#include "compat.h"
-#include "cipher.h"
-#include "key.h"
-#include "kex.h"
-#include "log.h"
-#include "mac.h"
-#include "match.h"
-#include "dispatch.h"
-#include "monitor.h"
-
-#define KEX_COOKIE_LEN	16
-
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
-# if defined(HAVE_EVP_SHA256)
-# define evp_ssh_sha256 EVP_sha256
-# else
-extern const EVP_MD *evp_ssh_sha256(void);
-# endif
-#endif
-
-/* prototype */
-static void kex_kexinit_finish(Kex *);
-static void kex_choose_conf(Kex *);
-
-/* put algorithm proposal into buffer */
-static void
-kex_prop2buf(Buffer *b, char *proposal[PROPOSAL_MAX])
-{
-	u_int i;
-
-	buffer_clear(b);
-	/*
-	 * add a dummy cookie, the cookie will be overwritten by
-	 * kex_send_kexinit(), each time a kexinit is set
-	 */
-	for (i = 0; i < KEX_COOKIE_LEN; i++)
-		buffer_put_char(b, 0);
-	for (i = 0; i < PROPOSAL_MAX; i++)
-		buffer_put_cstring(b, proposal[i]);
-	buffer_put_char(b, 0);			/* first_kex_packet_follows */
-	buffer_put_int(b, 0);			/* uint32 reserved */
-}
-
-/* parse buffer and return algorithm proposal */
-static char **
-kex_buf2prop(Buffer *raw, int *first_kex_follows)
-{
-	Buffer b;
-	int i;
-	char **proposal;
-
-	proposal = xcalloc(PROPOSAL_MAX, sizeof(char *));
-
-	buffer_init(&b);
-	buffer_append(&b, buffer_ptr(raw), buffer_len(raw));
-	/* skip cookie */
-	for (i = 0; i < KEX_COOKIE_LEN; i++)
-		buffer_get_char(&b);
-	/* extract kex init proposal strings */
-	for (i = 0; i < PROPOSAL_MAX; i++) {
-		proposal[i] = buffer_get_string(&b,NULL);
-		debug2("kex_parse_kexinit: %s", proposal[i]);
-	}
-	/* first kex follows / reserved */
-	i = buffer_get_char(&b);
-	if (first_kex_follows != NULL)
-		*first_kex_follows = i;
-	debug2("kex_parse_kexinit: first_kex_follows %d ", i);
-	i = buffer_get_int(&b);
-	debug2("kex_parse_kexinit: reserved %d ", i);
-	buffer_free(&b);
-	return proposal;
-}
-
-static void
-kex_prop_free(char **proposal)
-{
-	u_int i;
-
-	for (i = 0; i < PROPOSAL_MAX; i++)
-		xfree(proposal[i]);
-	xfree(proposal);
-}
-
-static void
-kex_protocol_error(int type, u_int32_t seq, void *ctxt)
-{
-	error("Hm, kex protocol error: type %d seq %u", type, seq);
-}
-
-static void
-kex_reset_dispatch(void)
-{
-	dispatch_range(SSH2_MSG_TRANSPORT_MIN,
-	    SSH2_MSG_TRANSPORT_MAX, &kex_protocol_error);
-	dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);
-}
-
-void
-kex_finish(Kex *kex)
-{
-	kex_reset_dispatch();
-
-	packet_start(SSH2_MSG_NEWKEYS);
-	packet_send();
-	/* packet_write_wait(); */
-	debug("SSH2_MSG_NEWKEYS sent");
-
-	debug("expecting SSH2_MSG_NEWKEYS");
-	packet_read_expect(SSH2_MSG_NEWKEYS);
-	packet_check_eom();
-	debug("SSH2_MSG_NEWKEYS received");
-
-	kex->done = 1;
-	buffer_clear(&kex->peer);
-	/* buffer_clear(&kex->my); */
-	kex->flags &= ~KEX_INIT_SENT;
-	xfree(kex->name);
-	kex->name = NULL;
-}
-
-void
-kex_send_kexinit(Kex *kex)
-{
-	u_int32_t rnd = 0;
-	u_char *cookie;
-	u_int i;
-
-	if (kex == NULL) {
-		error("kex_send_kexinit: no kex, cannot rekey");
-		return;
-	}
-	if (kex->flags & KEX_INIT_SENT) {
-		debug("KEX_INIT_SENT");
-		return;
-	}
-	kex->done = 0;
-
-	/* generate a random cookie */
-	if (buffer_len(&kex->my) < KEX_COOKIE_LEN)
-		fatal("kex_send_kexinit: kex proposal too short");
-	cookie = buffer_ptr(&kex->my);
-	for (i = 0; i < KEX_COOKIE_LEN; i++) {
-		if (i % 4 == 0)
-			rnd = arc4random();
-		cookie[i] = rnd;
-		rnd >>= 8;
-	}
-	packet_start(SSH2_MSG_KEXINIT);
-	packet_put_raw(buffer_ptr(&kex->my), buffer_len(&kex->my));
-	packet_send();
-	debug("SSH2_MSG_KEXINIT sent");
-	kex->flags |= KEX_INIT_SENT;
-}
-
-void
-kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
-{
-	char *ptr;
-	u_int i, dlen;
-	Kex *kex = (Kex *)ctxt;
-
-	debug("SSH2_MSG_KEXINIT received");
-	if (kex == NULL)
-		fatal("kex_input_kexinit: no kex, cannot rekey");
-
-	ptr = packet_get_raw(&dlen);
-	buffer_append(&kex->peer, ptr, dlen);
-
-	/* discard packet */
-	for (i = 0; i < KEX_COOKIE_LEN; i++)
-		packet_get_char();
-	for (i = 0; i < PROPOSAL_MAX; i++)
-		xfree(packet_get_string(NULL));
-	(void) packet_get_char();
-	(void) packet_get_int();
-	packet_check_eom();
-
-	kex_kexinit_finish(kex);
-}
-
-Kex *
-kex_setup(char *proposal[PROPOSAL_MAX])
-{
-	Kex *kex;
-
-	kex = xcalloc(1, sizeof(*kex));
-	buffer_init(&kex->peer);
-	buffer_init(&kex->my);
-	kex_prop2buf(&kex->my, proposal);
-	kex->done = 0;
-
-	kex_send_kexinit(kex);					/* we start */
-	kex_reset_dispatch();
-
-	return kex;
-}
-
-static void
-kex_kexinit_finish(Kex *kex)
-{
-	if (!(kex->flags & KEX_INIT_SENT))
-		kex_send_kexinit(kex);
-
-	kex_choose_conf(kex);
-
-	if (kex->kex_type >= 0 && kex->kex_type < KEX_MAX &&
-	    kex->kex[kex->kex_type] != NULL) {
-		(kex->kex[kex->kex_type])(kex);
-	} else {
-		fatal("Unsupported key exchange %d", kex->kex_type);
-	}
-}
-
-static void
-choose_enc(Enc *enc, char *client, char *server)
-{
-	char *name = match_list(client, server, NULL);
-	if (name == NULL)
-		fatal("no matching cipher found: client %s server %s", client, server);
-	if ((enc->cipher = cipher_by_name(name)) == NULL)
-		fatal("matching cipher is not supported: %s", name);
-	enc->name = name;
-	enc->enabled = 0;
-	enc->iv = NULL;
-	enc->key = NULL;
-	enc->key_len = cipher_keylen(enc->cipher);
-	enc->block_size = cipher_blocksize(enc->cipher);
-}
-
-static void
-choose_mac(Mac *mac, char *client, char *server)
-{
-	char *name = match_list(client, server, NULL);
-	if (name == NULL)
-		fatal("no matching mac found: client %s server %s", client, server);
-	if (mac_init(mac, name) < 0)
-		fatal("unsupported mac %s", name);
-	/* truncate the key */
-	if (datafellows & SSH_BUG_HMAC)
-		mac->key_len = 16;
-	mac->name = name;
-	mac->key = NULL;
-	mac->enabled = 0;
-}
-
-static void
-choose_comp(Comp *comp, char *client, char *server)
-{
-	char *name = match_list(client, server, NULL);
-	if (name == NULL)
-		fatal("no matching comp found: client %s server %s", client, server);
-	if (strcmp(name, "zlib@openssh.com") == 0) {
-		comp->type = COMP_DELAYED;
-	} else if (strcmp(name, "zlib") == 0) {
-		comp->type = COMP_ZLIB;
-	} else if (strcmp(name, "none") == 0) {
-		comp->type = COMP_NONE;
-	} else {
-		fatal("unsupported comp %s", name);
-	}
-	comp->name = name;
-}
-
-static void
-choose_kex(Kex *k, char *client, char *server)
-{
-	k->name = match_list(client, server, NULL);
-	if (k->name == NULL)
-		fatal("no kex alg");
-	if (strcmp(k->name, KEX_DH1) == 0) {
-		k->kex_type = KEX_DH_GRP1_SHA1;
-		k->evp_md = EVP_sha1();
-	} else if (strcmp(k->name, KEX_DH14) == 0) {
-		k->kex_type = KEX_DH_GRP14_SHA1;
-		k->evp_md = EVP_sha1();
-	} else if (strcmp(k->name, KEX_DHGEX_SHA1) == 0) {
-		k->kex_type = KEX_DH_GEX_SHA1;
-		k->evp_md = EVP_sha1();
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
-	} else if (strcmp(k->name, KEX_DHGEX_SHA256) == 0) {
-		k->kex_type = KEX_DH_GEX_SHA256;
-		k->evp_md = evp_ssh_sha256();
-#endif
-	} else
-		fatal("bad kex alg %s", k->name);
-}
-
-static void
-choose_hostkeyalg(Kex *k, char *client, char *server)
-{
-	char *hostkeyalg = match_list(client, server, NULL);
-	if (hostkeyalg == NULL)
-		fatal("no hostkey alg");
-	k->hostkey_type = key_type_from_name(hostkeyalg);
-	if (k->hostkey_type == KEY_UNSPEC)
-		fatal("bad hostkey alg '%s'", hostkeyalg);
-	xfree(hostkeyalg);
-}
-
-static int
-proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX])
-{
-	static int check[] = {
-		PROPOSAL_KEX_ALGS, PROPOSAL_SERVER_HOST_KEY_ALGS, -1
-	};
-	int *idx;
-	char *p;
-
-	for (idx = &check[0]; *idx != -1; idx++) {
-		if ((p = strchr(my[*idx], ',')) != NULL)
-			*p = '\0';
-		if ((p = strchr(peer[*idx], ',')) != NULL)
-			*p = '\0';
-		if (strcmp(my[*idx], peer[*idx]) != 0) {
-			debug2("proposal mismatch: my %s peer %s",
-			    my[*idx], peer[*idx]);
-			return (0);
-		}
-	}
-	debug2("proposals match");
-	return (1);
-}
-
-static void
-kex_choose_conf(Kex *kex)
-{
-	Newkeys *newkeys;
-	char **my, **peer;
-	char **cprop, **sprop;
-	int nenc, nmac, ncomp;
-	u_int mode, ctos, need;
-	int first_kex_follows, type;
-
-	my   = kex_buf2prop(&kex->my, NULL);
-	peer = kex_buf2prop(&kex->peer, &first_kex_follows);
-
-	if (kex->server) {
-		cprop=peer;
-		sprop=my;
-	} else {
-		cprop=my;
-		sprop=peer;
-	}
-
-	/* Algorithm Negotiation */
-	for (mode = 0; mode < MODE_MAX; mode++) {
-		newkeys = xcalloc(1, sizeof(*newkeys));
-		kex->newkeys[mode] = newkeys;
-		ctos = (!kex->server && mode == MODE_OUT) || (kex->server && mode == MODE_IN);
-		nenc  = ctos ? PROPOSAL_ENC_ALGS_CTOS  : PROPOSAL_ENC_ALGS_STOC;
-		nmac  = ctos ? PROPOSAL_MAC_ALGS_CTOS  : PROPOSAL_MAC_ALGS_STOC;
-		ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
-		choose_enc (&newkeys->enc,  cprop[nenc],  sprop[nenc]);
-		choose_mac (&newkeys->mac,  cprop[nmac],  sprop[nmac]);
-		choose_comp(&newkeys->comp, cprop[ncomp], sprop[ncomp]);
-		debug("kex: %s %s %s %s",
-		    ctos ? "client->server" : "server->client",
-		    newkeys->enc.name,
-		    newkeys->mac.name,
-		    newkeys->comp.name);
-	}
-	choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
-	choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
-	    sprop[PROPOSAL_SERVER_HOST_KEY_ALGS]);
-	need = 0;
-	for (mode = 0; mode < MODE_MAX; mode++) {
-		newkeys = kex->newkeys[mode];
-		if (need < newkeys->enc.key_len)
-			need = newkeys->enc.key_len;
-		if (need < newkeys->enc.block_size)
-			need = newkeys->enc.block_size;
-		if (need < newkeys->mac.key_len)
-			need = newkeys->mac.key_len;
-	}
-	/* XXX need runden? */
-	kex->we_need = need;
-
-	/* ignore the next message if the proposals do not match */
-	if (first_kex_follows && !proposals_match(my, peer) &&
-	    !(datafellows & SSH_BUG_FIRSTKEX)) {
-		type = packet_read();
-		debug2("skipping next packet (type %u)", type);
-	}
-
-	kex_prop_free(my);
-	kex_prop_free(peer);
-}
-
-static u_char *
-derive_key(Kex *kex, int id, u_int need, u_char *hash, u_int hashlen,
-    BIGNUM *shared_secret)
-{
-	Buffer b;
-	EVP_MD_CTX md;
-	char c = id;
-	u_int have;
-	int mdsz;
-	u_char *digest;
-
-	if ((mdsz = EVP_MD_size(kex->evp_md)) <= 0)
-		fatal("bad kex md size %d", mdsz);
-	digest = xmalloc(roundup(need, mdsz));
-
-	buffer_init(&b);
-	buffer_put_bignum2(&b, shared_secret);
-
-	/* K1 = HASH(K || H || "A" || session_id) */
-	EVP_DigestInit(&md, kex->evp_md);
-	if (!(datafellows & SSH_BUG_DERIVEKEY))
-		EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
-	EVP_DigestUpdate(&md, hash, hashlen);
-	EVP_DigestUpdate(&md, &c, 1);
-	EVP_DigestUpdate(&md, kex->session_id, kex->session_id_len);
-	EVP_DigestFinal(&md, digest, NULL);
-
-	/*
-	 * expand key:
-	 * Kn = HASH(K || H || K1 || K2 || ... || Kn-1)
-	 * Key = K1 || K2 || ... || Kn
-	 */
-	for (have = mdsz; need > have; have += mdsz) {
-		EVP_DigestInit(&md, kex->evp_md);
-		if (!(datafellows & SSH_BUG_DERIVEKEY))
-			EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
-		EVP_DigestUpdate(&md, hash, hashlen);
-		EVP_DigestUpdate(&md, digest, have);
-		EVP_DigestFinal(&md, digest + have, NULL);
-	}
-	buffer_free(&b);
-#ifdef DEBUG_KEX
-	fprintf(stderr, "key '%c'== ", c);
-	dump_digest("key", digest, need);
-#endif
-	return digest;
-}
-
-Newkeys *current_keys[MODE_MAX];
-
-#define NKEYS	6
-void
-kex_derive_keys(Kex *kex, u_char *hash, u_int hashlen, BIGNUM *shared_secret)
-{
-	u_char *keys[NKEYS];
-	u_int i, mode, ctos;
-
-	for (i = 0; i < NKEYS; i++) {
-		keys[i] = derive_key(kex, 'A'+i, kex->we_need, hash, hashlen,
-		    shared_secret);
-	}
-
-	debug2("kex_derive_keys");
-	for (mode = 0; mode < MODE_MAX; mode++) {
-		current_keys[mode] = kex->newkeys[mode];
-		kex->newkeys[mode] = NULL;
-		ctos = (!kex->server && mode == MODE_OUT) ||
-		    (kex->server && mode == MODE_IN);
-		current_keys[mode]->enc.iv  = keys[ctos ? 0 : 1];
-		current_keys[mode]->enc.key = keys[ctos ? 2 : 3];
-		current_keys[mode]->mac.key = keys[ctos ? 4 : 5];
-	}
-}
-
-Newkeys *
-kex_get_newkeys(int mode)
-{
-	Newkeys *ret;
-
-	ret = current_keys[mode];
-	current_keys[mode] = NULL;
-	return ret;
-}
-
-void
-derive_ssh1_session_id(BIGNUM *host_modulus, BIGNUM *server_modulus,
-    u_int8_t cookie[8], u_int8_t id[16])
-{
-	const EVP_MD *evp_md = EVP_md5();
-	EVP_MD_CTX md;
-	u_int8_t nbuf[2048], obuf[EVP_MAX_MD_SIZE];
-	int len;
-
-	EVP_DigestInit(&md, evp_md);
-
-	len = BN_num_bytes(host_modulus);
-	if (len < (512 / 8) || (u_int)len > sizeof(nbuf))
-		fatal("%s: bad host modulus (len %d)", __func__, len);
-	BN_bn2bin(host_modulus, nbuf);
-	EVP_DigestUpdate(&md, nbuf, len);
-
-	len = BN_num_bytes(server_modulus);
-	if (len < (512 / 8) || (u_int)len > sizeof(nbuf))
-		fatal("%s: bad server modulus (len %d)", __func__, len);
-	BN_bn2bin(server_modulus, nbuf);
-	EVP_DigestUpdate(&md, nbuf, len);
-
-	EVP_DigestUpdate(&md, cookie, 8);
-
-	EVP_DigestFinal(&md, obuf, NULL);
-	memcpy(id, obuf, 16);
-
-	memset(nbuf, 0, sizeof(nbuf));
-	memset(obuf, 0, sizeof(obuf));
-	memset(&md, 0, sizeof(md));
-}
-
-#if defined(DEBUG_KEX) || defined(DEBUG_KEXDH)
-void
-dump_digest(char *msg, u_char *digest, int len)
-{
-	u_int i;
-
-	fprintf(stderr, "%s\n", msg);
-	for (i = 0; i< len; i++) {
-		fprintf(stderr, "%02x", digest[i]);
-		if (i%32 == 31)
-			fprintf(stderr, "\n");
-		else if (i%8 == 7)
-			fprintf(stderr, " ");
-	}
-	fprintf(stderr, "\n");
-}
-#endif
diff --git a/crypto/openssh/kex.h b/crypto/openssh/kex.h
deleted file mode 100644
index b1b20f5..0000000
--- a/crypto/openssh/kex.h
+++ /dev/null
@@ -1,155 +0,0 @@
-/* $OpenBSD: kex.h,v 1.44 2006/08/03 03:34:42 deraadt Exp $ */
-
-/*
- * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-#ifndef KEX_H
-#define KEX_H
-
-#include <signal.h>
-#include <openssl/evp.h>
-
-#define	KEX_DH1			"diffie-hellman-group1-sha1"
-#define	KEX_DH14		"diffie-hellman-group14-sha1"
-#define	KEX_DHGEX_SHA1		"diffie-hellman-group-exchange-sha1"
-#define	KEX_DHGEX_SHA256	"diffie-hellman-group-exchange-sha256"
-
-#define COMP_NONE	0
-#define COMP_ZLIB	1
-#define COMP_DELAYED	2
-
-enum kex_init_proposals {
-	PROPOSAL_KEX_ALGS,
-	PROPOSAL_SERVER_HOST_KEY_ALGS,
-	PROPOSAL_ENC_ALGS_CTOS,
-	PROPOSAL_ENC_ALGS_STOC,
-	PROPOSAL_MAC_ALGS_CTOS,
-	PROPOSAL_MAC_ALGS_STOC,
-	PROPOSAL_COMP_ALGS_CTOS,
-	PROPOSAL_COMP_ALGS_STOC,
-	PROPOSAL_LANG_CTOS,
-	PROPOSAL_LANG_STOC,
-	PROPOSAL_MAX
-};
-
-enum kex_modes {
-	MODE_IN,
-	MODE_OUT,
-	MODE_MAX
-};
-
-enum kex_exchange {
-	KEX_DH_GRP1_SHA1,
-	KEX_DH_GRP14_SHA1,
-	KEX_DH_GEX_SHA1,
-	KEX_DH_GEX_SHA256,
-	KEX_MAX
-};
-
-#define KEX_INIT_SENT	0x0001
-
-typedef struct Kex Kex;
-typedef struct Mac Mac;
-typedef struct Comp Comp;
-typedef struct Enc Enc;
-typedef struct Newkeys Newkeys;
-
-struct Enc {
-	char	*name;
-	Cipher	*cipher;
-	int	enabled;
-	u_int	key_len;
-	u_int	block_size;
-	u_char	*key;
-	u_char	*iv;
-};
-struct Mac {
-	char	*name;
-	int	enabled;
-	const EVP_MD	*md;
-	u_int	mac_len;
-	u_char	*key;
-	u_int	key_len;
-};
-struct Comp {
-	int	type;
-	int	enabled;
-	char	*name;
-};
-struct Newkeys {
-	Enc	enc;
-	Mac	mac;
-	Comp	comp;
-};
-struct Kex {
-	u_char	*session_id;
-	u_int	session_id_len;
-	Newkeys	*newkeys[MODE_MAX];
-	u_int	we_need;
-	int	server;
-	char	*name;
-	int	hostkey_type;
-	int	kex_type;
-	Buffer	my;
-	Buffer	peer;
-	sig_atomic_t done;
-	int	flags;
-	const EVP_MD *evp_md;
-	char	*client_version_string;
-	char	*server_version_string;
-	int	(*verify_host_key)(Key *);
-	Key	*(*load_host_key)(int);
-	int	(*host_key_index)(Key *);
-	void	(*kex[KEX_MAX])(Kex *);
-};
-
-Kex	*kex_setup(char *[PROPOSAL_MAX]);
-void	 kex_finish(Kex *);
-
-void	 kex_send_kexinit(Kex *);
-void	 kex_input_kexinit(int, u_int32_t, void *);
-void	 kex_derive_keys(Kex *, u_char *, u_int, BIGNUM *);
-
-Newkeys *kex_get_newkeys(int);
-
-void	 kexdh_client(Kex *);
-void	 kexdh_server(Kex *);
-void	 kexgex_client(Kex *);
-void	 kexgex_server(Kex *);
-
-void
-kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
-    BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
-void
-kexgex_hash(const EVP_MD *, char *, char *, char *, int, char *,
-    int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *,
-    BIGNUM *, BIGNUM *, u_char **, u_int *);
-
-void
-derive_ssh1_session_id(BIGNUM *, BIGNUM *, u_int8_t[8], u_int8_t[16]);
-
-#if defined(DEBUG_KEX) || defined(DEBUG_KEXDH)
-void	dump_digest(char *, u_char *, int);
-#endif
-
-#endif
diff --git a/crypto/openssh/kexdh.c b/crypto/openssh/kexdh.c
deleted file mode 100644
index 56e22f5..0000000
--- a/crypto/openssh/kexdh.c
+++ /dev/null
@@ -1,88 +0,0 @@
-/* $OpenBSD: kexdh.c,v 1.23 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <signal.h>
-
-#include <openssl/evp.h>
-
-#include "buffer.h"
-#include "ssh2.h"
-#include "key.h"
-#include "cipher.h"
-#include "kex.h"
-
-void
-kex_dh_hash(
-    char *client_version_string,
-    char *server_version_string,
-    char *ckexinit, int ckexinitlen,
-    char *skexinit, int skexinitlen,
-    u_char *serverhostkeyblob, int sbloblen,
-    BIGNUM *client_dh_pub,
-    BIGNUM *server_dh_pub,
-    BIGNUM *shared_secret,
-    u_char **hash, u_int *hashlen)
-{
-	Buffer b;
-	static u_char digest[EVP_MAX_MD_SIZE];
-	const EVP_MD *evp_md = EVP_sha1();
-	EVP_MD_CTX md;
-
-	buffer_init(&b);
-	buffer_put_cstring(&b, client_version_string);
-	buffer_put_cstring(&b, server_version_string);
-
-	/* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
-	buffer_put_int(&b, ckexinitlen+1);
-	buffer_put_char(&b, SSH2_MSG_KEXINIT);
-	buffer_append(&b, ckexinit, ckexinitlen);
-	buffer_put_int(&b, skexinitlen+1);
-	buffer_put_char(&b, SSH2_MSG_KEXINIT);
-	buffer_append(&b, skexinit, skexinitlen);
-
-	buffer_put_string(&b, serverhostkeyblob, sbloblen);
-	buffer_put_bignum2(&b, client_dh_pub);
-	buffer_put_bignum2(&b, server_dh_pub);
-	buffer_put_bignum2(&b, shared_secret);
-
-#ifdef DEBUG_KEX
-	buffer_dump(&b);
-#endif
-	EVP_DigestInit(&md, evp_md);
-	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
-	EVP_DigestFinal(&md, digest, NULL);
-
-	buffer_free(&b);
-
-#ifdef DEBUG_KEX
-	dump_digest("hash", digest, EVP_MD_size(evp_md));
-#endif
-	*hash = digest;
-	*hashlen = EVP_MD_size(evp_md);
-}
diff --git a/crypto/openssh/kexdhc.c b/crypto/openssh/kexdhc.c
deleted file mode 100644
index d384c80..0000000
--- a/crypto/openssh/kexdhc.c
+++ /dev/null
@@ -1,159 +0,0 @@
-/* $OpenBSD: kexdhc.c,v 1.11 2006/11/06 21:25:28 markus Exp $ */
-/*
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <stdarg.h>
-#include <stdio.h>
-#include <string.h>
-#include <signal.h>
-
-#include "xmalloc.h"
-#include "buffer.h"
-#include "key.h"
-#include "cipher.h"
-#include "kex.h"
-#include "log.h"
-#include "packet.h"
-#include "dh.h"
-#include "ssh2.h"
-
-void
-kexdh_client(Kex *kex)
-{
-	BIGNUM *dh_server_pub = NULL, *shared_secret = NULL;
-	DH *dh;
-	Key *server_host_key;
-	u_char *server_host_key_blob = NULL, *signature = NULL;
-	u_char *kbuf, *hash;
-	u_int klen, slen, sbloblen, hashlen;
-	int kout;
-
-	/* generate and send 'e', client DH public key */
-	switch (kex->kex_type) {
-	case KEX_DH_GRP1_SHA1:
-		dh = dh_new_group1();
-		break;
-	case KEX_DH_GRP14_SHA1:
-		dh = dh_new_group14();
-		break;
-	default:
-		fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
-	}
-	dh_gen_key(dh, kex->we_need * 8);
-	packet_start(SSH2_MSG_KEXDH_INIT);
-	packet_put_bignum2(dh->pub_key);
-	packet_send();
-
-	debug("sending SSH2_MSG_KEXDH_INIT");
-#ifdef DEBUG_KEXDH
-	DHparams_print_fp(stderr, dh);
-	fprintf(stderr, "pub= ");
-	BN_print_fp(stderr, dh->pub_key);
-	fprintf(stderr, "\n");
-#endif
-
-	debug("expecting SSH2_MSG_KEXDH_REPLY");
-	packet_read_expect(SSH2_MSG_KEXDH_REPLY);
-
-	/* key, cert */
-	server_host_key_blob = packet_get_string(&sbloblen);
-	server_host_key = key_from_blob(server_host_key_blob, sbloblen);
-	if (server_host_key == NULL)
-		fatal("cannot decode server_host_key_blob");
-	if (server_host_key->type != kex->hostkey_type)
-		fatal("type mismatch for decoded server_host_key_blob");
-	if (kex->verify_host_key == NULL)
-		fatal("cannot verify server_host_key");
-	if (kex->verify_host_key(server_host_key) == -1)
-		fatal("server_host_key verification failed");
-
-	/* DH parameter f, server public DH key */
-	if ((dh_server_pub = BN_new()) == NULL)
-		fatal("dh_server_pub == NULL");
-	packet_get_bignum2(dh_server_pub);
-
-#ifdef DEBUG_KEXDH
-	fprintf(stderr, "dh_server_pub= ");
-	BN_print_fp(stderr, dh_server_pub);
-	fprintf(stderr, "\n");
-	debug("bits %d", BN_num_bits(dh_server_pub));
-#endif
-
-	/* signed H */
-	signature = packet_get_string(&slen);
-	packet_check_eom();
-
-	if (!dh_pub_is_valid(dh, dh_server_pub))
-		packet_disconnect("bad server public DH value");
-
-	klen = DH_size(dh);
-	kbuf = xmalloc(klen);
-	if ((kout = DH_compute_key(kbuf, dh_server_pub, dh)) < 0)
-		fatal("DH_compute_key: failed");
-#ifdef DEBUG_KEXDH
-	dump_digest("shared secret", kbuf, kout);
-#endif
-	if ((shared_secret = BN_new()) == NULL)
-		fatal("kexdh_client: BN_new failed");
-	if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
-		fatal("kexdh_client: BN_bin2bn failed");
-	memset(kbuf, 0, klen);
-	xfree(kbuf);
-
-	/* calc and verify H */
-	kex_dh_hash(
-	    kex->client_version_string,
-	    kex->server_version_string,
-	    buffer_ptr(&kex->my), buffer_len(&kex->my),
-	    buffer_ptr(&kex->peer), buffer_len(&kex->peer),
-	    server_host_key_blob, sbloblen,
-	    dh->pub_key,
-	    dh_server_pub,
-	    shared_secret,
-	    &hash, &hashlen
-	);
-	xfree(server_host_key_blob);
-	BN_clear_free(dh_server_pub);
-	DH_free(dh);
-
-	if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
-		fatal("key_verify failed for server_host_key");
-	key_free(server_host_key);
-	xfree(signature);
-
-	/* save session id */
-	if (kex->session_id == NULL) {
-		kex->session_id_len = hashlen;
-		kex->session_id = xmalloc(kex->session_id_len);
-		memcpy(kex->session_id, hash, kex->session_id_len);
-	}
-
-	kex_derive_keys(kex, hash, hashlen, shared_secret);
-	BN_clear_free(shared_secret);
-	kex_finish(kex);
-}
diff --git a/crypto/openssh/kexdhs.c b/crypto/openssh/kexdhs.c
deleted file mode 100644
index 8617088..0000000
--- a/crypto/openssh/kexdhs.c
+++ /dev/null
@@ -1,159 +0,0 @@
-/* $OpenBSD: kexdhs.c,v 1.9 2006/11/06 21:25:28 markus Exp $ */
-/*
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <stdarg.h>
-#include <string.h>
-#include <signal.h>
-
-#include "xmalloc.h"
-#include "buffer.h"
-#include "key.h"
-#include "cipher.h"
-#include "kex.h"
-#include "log.h"
-#include "packet.h"
-#include "dh.h"
-#include "ssh2.h"
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-#include "monitor_wrap.h"
-
-void
-kexdh_server(Kex *kex)
-{
-	BIGNUM *shared_secret = NULL, *dh_client_pub = NULL;
-	DH *dh;
-	Key *server_host_key;
-	u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
-	u_int sbloblen, klen, hashlen, slen;
-	int kout;
-
-	/* generate server DH public key */
-	switch (kex->kex_type) {
-	case KEX_DH_GRP1_SHA1:
-		dh = dh_new_group1();
-		break;
-	case KEX_DH_GRP14_SHA1:
-		dh = dh_new_group14();
-		break;
-	default:
-		fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
-	}
-	dh_gen_key(dh, kex->we_need * 8);
-
-	debug("expecting SSH2_MSG_KEXDH_INIT");
-	packet_read_expect(SSH2_MSG_KEXDH_INIT);
-
-	if (kex->load_host_key == NULL)
-		fatal("Cannot load hostkey");
-	server_host_key = kex->load_host_key(kex->hostkey_type);
-	if (server_host_key == NULL)
-		fatal("Unsupported hostkey type %d", kex->hostkey_type);
-
-	/* key, cert */
-	if ((dh_client_pub = BN_new()) == NULL)
-		fatal("dh_client_pub == NULL");
-	packet_get_bignum2(dh_client_pub);
-	packet_check_eom();
-
-#ifdef DEBUG_KEXDH
-	fprintf(stderr, "dh_client_pub= ");
-	BN_print_fp(stderr, dh_client_pub);
-	fprintf(stderr, "\n");
-	debug("bits %d", BN_num_bits(dh_client_pub));
-#endif
-
-#ifdef DEBUG_KEXDH
-	DHparams_print_fp(stderr, dh);
-	fprintf(stderr, "pub= ");
-	BN_print_fp(stderr, dh->pub_key);
-	fprintf(stderr, "\n");
-#endif
-	if (!dh_pub_is_valid(dh, dh_client_pub))
-		packet_disconnect("bad client public DH value");
-
-	klen = DH_size(dh);
-	kbuf = xmalloc(klen);
-	if ((kout = DH_compute_key(kbuf, dh_client_pub, dh)) < 0)
-		fatal("DH_compute_key: failed");
-#ifdef DEBUG_KEXDH
-	dump_digest("shared secret", kbuf, kout);
-#endif
-	if ((shared_secret = BN_new()) == NULL)
-		fatal("kexdh_server: BN_new failed");
-	if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
-		fatal("kexdh_server: BN_bin2bn failed");
-	memset(kbuf, 0, klen);
-	xfree(kbuf);
-
-	key_to_blob(server_host_key, &server_host_key_blob, &sbloblen);
-
-	/* calc H */
-	kex_dh_hash(
-	    kex->client_version_string,
-	    kex->server_version_string,
-	    buffer_ptr(&kex->peer), buffer_len(&kex->peer),
-	    buffer_ptr(&kex->my), buffer_len(&kex->my),
-	    server_host_key_blob, sbloblen,
-	    dh_client_pub,
-	    dh->pub_key,
-	    shared_secret,
-	    &hash, &hashlen
-	);
-	BN_clear_free(dh_client_pub);
-
-	/* save session id := H */
-	if (kex->session_id == NULL) {
-		kex->session_id_len = hashlen;
-		kex->session_id = xmalloc(kex->session_id_len);
-		memcpy(kex->session_id, hash, kex->session_id_len);
-	}
-
-	/* sign H */
-	PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen));
-
-	/* destroy_sensitive_data(); */
-
-	/* send server hostkey, DH pubkey 'f' and singed H */
-	packet_start(SSH2_MSG_KEXDH_REPLY);
-	packet_put_string(server_host_key_blob, sbloblen);
-	packet_put_bignum2(dh->pub_key);	/* f */
-	packet_put_string(signature, slen);
-	packet_send();
-
-	xfree(signature);
-	xfree(server_host_key_blob);
-	/* have keys, free DH */
-	DH_free(dh);
-
-	kex_derive_keys(kex, hash, hashlen, shared_secret);
-	BN_clear_free(shared_secret);
-	kex_finish(kex);
-}
diff --git a/crypto/openssh/kexgex.c b/crypto/openssh/kexgex.c
deleted file mode 100644
index b60ab5c..0000000
--- a/crypto/openssh/kexgex.c
+++ /dev/null
@@ -1,98 +0,0 @@
-/* $OpenBSD: kexgex.c,v 1.27 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Copyright (c) 2000 Niels Provos.  All rights reserved.
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <openssl/evp.h>
-#include <signal.h>
-
-#include "buffer.h"
-#include "key.h"
-#include "cipher.h"
-#include "kex.h"
-#include "ssh2.h"
-
-void
-kexgex_hash(
-    const EVP_MD *evp_md,
-    char *client_version_string,
-    char *server_version_string,
-    char *ckexinit, int ckexinitlen,
-    char *skexinit, int skexinitlen,
-    u_char *serverhostkeyblob, int sbloblen,
-    int min, int wantbits, int max, BIGNUM *prime, BIGNUM *gen,
-    BIGNUM *client_dh_pub,
-    BIGNUM *server_dh_pub,
-    BIGNUM *shared_secret,
-    u_char **hash, u_int *hashlen)
-{
-	Buffer b;
-	static u_char digest[EVP_MAX_MD_SIZE];
-	EVP_MD_CTX md;
-
-	buffer_init(&b);
-	buffer_put_cstring(&b, client_version_string);
-	buffer_put_cstring(&b, server_version_string);
-
-	/* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
-	buffer_put_int(&b, ckexinitlen+1);
-	buffer_put_char(&b, SSH2_MSG_KEXINIT);
-	buffer_append(&b, ckexinit, ckexinitlen);
-	buffer_put_int(&b, skexinitlen+1);
-	buffer_put_char(&b, SSH2_MSG_KEXINIT);
-	buffer_append(&b, skexinit, skexinitlen);
-
-	buffer_put_string(&b, serverhostkeyblob, sbloblen);
-	if (min == -1 || max == -1)
-		buffer_put_int(&b, wantbits);
-	else {
-		buffer_put_int(&b, min);
-		buffer_put_int(&b, wantbits);
-		buffer_put_int(&b, max);
-	}
-	buffer_put_bignum2(&b, prime);
-	buffer_put_bignum2(&b, gen);
-	buffer_put_bignum2(&b, client_dh_pub);
-	buffer_put_bignum2(&b, server_dh_pub);
-	buffer_put_bignum2(&b, shared_secret);
-
-#ifdef DEBUG_KEXDH
-	buffer_dump(&b);
-#endif
-
-	EVP_DigestInit(&md, evp_md);
-	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
-	EVP_DigestFinal(&md, digest, NULL);
-
-	buffer_free(&b);
-	*hash = digest;
-	*hashlen = EVP_MD_size(evp_md);
-#ifdef DEBUG_KEXDH
-	dump_digest("hash", digest, *hashlen);
-#endif
-}
diff --git a/crypto/openssh/kexgexc.c b/crypto/openssh/kexgexc.c
deleted file mode 100644
index adb973d..0000000
--- a/crypto/openssh/kexgexc.c
+++ /dev/null
@@ -1,205 +0,0 @@
-/* $OpenBSD: kexgexc.c,v 1.11 2006/11/06 21:25:28 markus Exp $ */
-/*
- * Copyright (c) 2000 Niels Provos.  All rights reserved.
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <stdarg.h>
-#include <stdio.h>
-#include <string.h>
-#include <signal.h>
-
-#include "xmalloc.h"
-#include "buffer.h"
-#include "key.h"
-#include "cipher.h"
-#include "kex.h"
-#include "log.h"
-#include "packet.h"
-#include "dh.h"
-#include "ssh2.h"
-#include "compat.h"
-
-void
-kexgex_client(Kex *kex)
-{
-	BIGNUM *dh_server_pub = NULL, *shared_secret = NULL;
-	BIGNUM *p = NULL, *g = NULL;
-	Key *server_host_key;
-	u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
-	u_int klen, slen, sbloblen, hashlen;
-	int kout;
-	int min, max, nbits;
-	DH *dh;
-
-	nbits = dh_estimate(kex->we_need * 8);
-
-	if (datafellows & SSH_OLD_DHGEX) {
-		/* Old GEX request */
-		packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST_OLD);
-		packet_put_int(nbits);
-		min = DH_GRP_MIN;
-		max = DH_GRP_MAX;
-
-		debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD(%u) sent", nbits);
-	} else {
-		/* New GEX request */
-		min = DH_GRP_MIN;
-		max = DH_GRP_MAX;
-		packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST);
-		packet_put_int(min);
-		packet_put_int(nbits);
-		packet_put_int(max);
-
-		debug("SSH2_MSG_KEX_DH_GEX_REQUEST(%u<%u<%u) sent",
-		    min, nbits, max);
-	}
-#ifdef DEBUG_KEXDH
-	fprintf(stderr, "\nmin = %d, nbits = %d, max = %d\n",
-	    min, nbits, max);
-#endif
-	packet_send();
-
-	debug("expecting SSH2_MSG_KEX_DH_GEX_GROUP");
-	packet_read_expect(SSH2_MSG_KEX_DH_GEX_GROUP);
-
-	if ((p = BN_new()) == NULL)
-		fatal("BN_new");
-	packet_get_bignum2(p);
-	if ((g = BN_new()) == NULL)
-		fatal("BN_new");
-	packet_get_bignum2(g);
-	packet_check_eom();
-
-	if (BN_num_bits(p) < min || BN_num_bits(p) > max)
-		fatal("DH_GEX group out of range: %d !< %d !< %d",
-		    min, BN_num_bits(p), max);
-
-	dh = dh_new_group(g, p);
-	dh_gen_key(dh, kex->we_need * 8);
-
-#ifdef DEBUG_KEXDH
-	DHparams_print_fp(stderr, dh);
-	fprintf(stderr, "pub= ");
-	BN_print_fp(stderr, dh->pub_key);
-	fprintf(stderr, "\n");
-#endif
-
-	debug("SSH2_MSG_KEX_DH_GEX_INIT sent");
-	/* generate and send 'e', client DH public key */
-	packet_start(SSH2_MSG_KEX_DH_GEX_INIT);
-	packet_put_bignum2(dh->pub_key);
-	packet_send();
-
-	debug("expecting SSH2_MSG_KEX_DH_GEX_REPLY");
-	packet_read_expect(SSH2_MSG_KEX_DH_GEX_REPLY);
-
-	/* key, cert */
-	server_host_key_blob = packet_get_string(&sbloblen);
-	server_host_key = key_from_blob(server_host_key_blob, sbloblen);
-	if (server_host_key == NULL)
-		fatal("cannot decode server_host_key_blob");
-	if (server_host_key->type != kex->hostkey_type)
-		fatal("type mismatch for decoded server_host_key_blob");
-	if (kex->verify_host_key == NULL)
-		fatal("cannot verify server_host_key");
-	if (kex->verify_host_key(server_host_key) == -1)
-		fatal("server_host_key verification failed");
-
-	/* DH parameter f, server public DH key */
-	if ((dh_server_pub = BN_new()) == NULL)
-		fatal("dh_server_pub == NULL");
-	packet_get_bignum2(dh_server_pub);
-
-#ifdef DEBUG_KEXDH
-	fprintf(stderr, "dh_server_pub= ");
-	BN_print_fp(stderr, dh_server_pub);
-	fprintf(stderr, "\n");
-	debug("bits %d", BN_num_bits(dh_server_pub));
-#endif
-
-	/* signed H */
-	signature = packet_get_string(&slen);
-	packet_check_eom();
-
-	if (!dh_pub_is_valid(dh, dh_server_pub))
-		packet_disconnect("bad server public DH value");
-
-	klen = DH_size(dh);
-	kbuf = xmalloc(klen);
-	if ((kout = DH_compute_key(kbuf, dh_server_pub, dh)) < 0)
-		fatal("DH_compute_key: failed");
-#ifdef DEBUG_KEXDH
-	dump_digest("shared secret", kbuf, kout);
-#endif
-	if ((shared_secret = BN_new()) == NULL)
-		fatal("kexgex_client: BN_new failed");
-	if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
-		fatal("kexgex_client: BN_bin2bn failed");
-	memset(kbuf, 0, klen);
-	xfree(kbuf);
-
-	if (datafellows & SSH_OLD_DHGEX)
-		min = max = -1;
-
-	/* calc and verify H */
-	kexgex_hash(
-	    kex->evp_md,
-	    kex->client_version_string,
-	    kex->server_version_string,
-	    buffer_ptr(&kex->my), buffer_len(&kex->my),
-	    buffer_ptr(&kex->peer), buffer_len(&kex->peer),
-	    server_host_key_blob, sbloblen,
-	    min, nbits, max,
-	    dh->p, dh->g,
-	    dh->pub_key,
-	    dh_server_pub,
-	    shared_secret,
-	    &hash, &hashlen
-	);
-
-	/* have keys, free DH */
-	DH_free(dh);
-	xfree(server_host_key_blob);
-	BN_clear_free(dh_server_pub);
-
-	if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
-		fatal("key_verify failed for server_host_key");
-	key_free(server_host_key);
-	xfree(signature);
-
-	/* save session id */
-	if (kex->session_id == NULL) {
-		kex->session_id_len = hashlen;
-		kex->session_id = xmalloc(kex->session_id_len);
-		memcpy(kex->session_id, hash, kex->session_id_len);
-	}
-	kex_derive_keys(kex, hash, hashlen, shared_secret);
-	BN_clear_free(shared_secret);
-
-	kex_finish(kex);
-}
diff --git a/crypto/openssh/kexgexs.c b/crypto/openssh/kexgexs.c
deleted file mode 100644
index a037f57..0000000
--- a/crypto/openssh/kexgexs.c
+++ /dev/null
@@ -1,200 +0,0 @@
-/* $OpenBSD: kexgexs.c,v 1.10 2006/11/06 21:25:28 markus Exp $ */
-/*
- * Copyright (c) 2000 Niels Provos.  All rights reserved.
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/param.h>
-
-#include <stdarg.h>
-#include <stdio.h>
-#include <string.h>
-#include <signal.h>
-
-#include "xmalloc.h"
-#include "buffer.h"
-#include "key.h"
-#include "cipher.h"
-#include "kex.h"
-#include "log.h"
-#include "packet.h"
-#include "dh.h"
-#include "ssh2.h"
-#include "compat.h"
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-#include "monitor_wrap.h"
-
-void
-kexgex_server(Kex *kex)
-{
-	BIGNUM *shared_secret = NULL, *dh_client_pub = NULL;
-	Key *server_host_key;
-	DH *dh;
-	u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
-	u_int sbloblen, klen, slen, hashlen;
-	int min = -1, max = -1, nbits = -1, type, kout;
-
-	if (kex->load_host_key == NULL)
-		fatal("Cannot load hostkey");
-	server_host_key = kex->load_host_key(kex->hostkey_type);
-	if (server_host_key == NULL)
-		fatal("Unsupported hostkey type %d", kex->hostkey_type);
-
-	type = packet_read();
-	switch (type) {
-	case SSH2_MSG_KEX_DH_GEX_REQUEST:
-		debug("SSH2_MSG_KEX_DH_GEX_REQUEST received");
-		min = packet_get_int();
-		nbits = packet_get_int();
-		max = packet_get_int();
-		min = MAX(DH_GRP_MIN, min);
-		max = MIN(DH_GRP_MAX, max);
-		break;
-	case SSH2_MSG_KEX_DH_GEX_REQUEST_OLD:
-		debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received");
-		nbits = packet_get_int();
-		min = DH_GRP_MIN;
-		max = DH_GRP_MAX;
-		/* unused for old GEX */
-		break;
-	default:
-		fatal("protocol error during kex, no DH_GEX_REQUEST: %d", type);
-	}
-	packet_check_eom();
-
-	if (max < min || nbits < min || max < nbits)
-		fatal("DH_GEX_REQUEST, bad parameters: %d !< %d !< %d",
-		    min, nbits, max);
-
-	/* Contact privileged parent */
-	dh = PRIVSEP(choose_dh(min, nbits, max));
-	if (dh == NULL)
-		packet_disconnect("Protocol error: no matching DH grp found");
-
-	debug("SSH2_MSG_KEX_DH_GEX_GROUP sent");
-	packet_start(SSH2_MSG_KEX_DH_GEX_GROUP);
-	packet_put_bignum2(dh->p);
-	packet_put_bignum2(dh->g);
-	packet_send();
-
-	/* flush */
-	packet_write_wait();
-
-	/* Compute our exchange value in parallel with the client */
-	dh_gen_key(dh, kex->we_need * 8);
-
-	debug("expecting SSH2_MSG_KEX_DH_GEX_INIT");
-	packet_read_expect(SSH2_MSG_KEX_DH_GEX_INIT);
-
-	/* key, cert */
-	if ((dh_client_pub = BN_new()) == NULL)
-		fatal("dh_client_pub == NULL");
-	packet_get_bignum2(dh_client_pub);
-	packet_check_eom();
-
-#ifdef DEBUG_KEXDH
-	fprintf(stderr, "dh_client_pub= ");
-	BN_print_fp(stderr, dh_client_pub);
-	fprintf(stderr, "\n");
-	debug("bits %d", BN_num_bits(dh_client_pub));
-#endif
-
-#ifdef DEBUG_KEXDH
-	DHparams_print_fp(stderr, dh);
-	fprintf(stderr, "pub= ");
-	BN_print_fp(stderr, dh->pub_key);
-	fprintf(stderr, "\n");
-#endif
-	if (!dh_pub_is_valid(dh, dh_client_pub))
-		packet_disconnect("bad client public DH value");
-
-	klen = DH_size(dh);
-	kbuf = xmalloc(klen);
-	if ((kout = DH_compute_key(kbuf, dh_client_pub, dh)) < 0)
-		fatal("DH_compute_key: failed");
-#ifdef DEBUG_KEXDH
-	dump_digest("shared secret", kbuf, kout);
-#endif
-	if ((shared_secret = BN_new()) == NULL)
-		fatal("kexgex_server: BN_new failed");
-	if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
-		fatal("kexgex_server: BN_bin2bn failed");
-	memset(kbuf, 0, klen);
-	xfree(kbuf);
-
-	key_to_blob(server_host_key, &server_host_key_blob, &sbloblen);
-
-	if (type == SSH2_MSG_KEX_DH_GEX_REQUEST_OLD)
-		min = max = -1;
-
-	/* calc H */
-	kexgex_hash(
-	    kex->evp_md,
-	    kex->client_version_string,
-	    kex->server_version_string,
-	    buffer_ptr(&kex->peer), buffer_len(&kex->peer),
-	    buffer_ptr(&kex->my), buffer_len(&kex->my),
-	    server_host_key_blob, sbloblen,
-	    min, nbits, max,
-	    dh->p, dh->g,
-	    dh_client_pub,
-	    dh->pub_key,
-	    shared_secret,
-	    &hash, &hashlen
-	);
-	BN_clear_free(dh_client_pub);
-
-	/* save session id := H */
-	if (kex->session_id == NULL) {
-		kex->session_id_len = hashlen;
-		kex->session_id = xmalloc(kex->session_id_len);
-		memcpy(kex->session_id, hash, kex->session_id_len);
-	}
-
-	/* sign H */
-	PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen));
-
-	/* destroy_sensitive_data(); */
-
-	/* send server hostkey, DH pubkey 'f' and singed H */
-	debug("SSH2_MSG_KEX_DH_GEX_REPLY sent");
-	packet_start(SSH2_MSG_KEX_DH_GEX_REPLY);
-	packet_put_string(server_host_key_blob, sbloblen);
-	packet_put_bignum2(dh->pub_key);	/* f */
-	packet_put_string(signature, slen);
-	packet_send();
-
-	xfree(signature);
-	xfree(server_host_key_blob);
-	/* have keys, free DH */
-	DH_free(dh);
-
-	kex_derive_keys(kex, hash, hashlen, shared_secret);
-	BN_clear_free(shared_secret);
-
-	kex_finish(kex);
-}
diff --git a/crypto/openssh/key.c b/crypto/openssh/key.c
deleted file mode 100644
index 93b2d41..0000000
--- a/crypto/openssh/key.c
+++ /dev/null
@@ -1,868 +0,0 @@
-/* $OpenBSD: key.c,v 1.68 2006/11/06 21:25:28 markus Exp $ */
-/*
- * read_bignum():
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- *
- * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <openssl/evp.h>
-
-#include <stdarg.h>
-#include <stdio.h>
-#include <string.h>
-
-#include "xmalloc.h"
-#include "key.h"
-#include "rsa.h"
-#include "uuencode.h"
-#include "buffer.h"
-#include "log.h"
-
-Key *
-key_new(int type)
-{
-	Key *k;
-	RSA *rsa;
-	DSA *dsa;
-	k = xcalloc(1, sizeof(*k));
-	k->type = type;
-	k->dsa = NULL;
-	k->rsa = NULL;
-	switch (k->type) {
-	case KEY_RSA1:
-	case KEY_RSA:
-		if ((rsa = RSA_new()) == NULL)
-			fatal("key_new: RSA_new failed");
-		if ((rsa->n = BN_new()) == NULL)
-			fatal("key_new: BN_new failed");
-		if ((rsa->e = BN_new()) == NULL)
-			fatal("key_new: BN_new failed");
-		k->rsa = rsa;
-		break;
-	case KEY_DSA:
-		if ((dsa = DSA_new()) == NULL)
-			fatal("key_new: DSA_new failed");
-		if ((dsa->p = BN_new()) == NULL)
-			fatal("key_new: BN_new failed");
-		if ((dsa->q = BN_new()) == NULL)
-			fatal("key_new: BN_new failed");
-		if ((dsa->g = BN_new()) == NULL)
-			fatal("key_new: BN_new failed");
-		if ((dsa->pub_key = BN_new()) == NULL)
-			fatal("key_new: BN_new failed");
-		k->dsa = dsa;
-		break;
-	case KEY_UNSPEC:
-		break;
-	default:
-		fatal("key_new: bad key type %d", k->type);
-		break;
-	}
-	return k;
-}
-
-Key *
-key_new_private(int type)
-{
-	Key *k = key_new(type);
-	switch (k->type) {
-	case KEY_RSA1:
-	case KEY_RSA:
-		if ((k->rsa->d = BN_new()) == NULL)
-			fatal("key_new_private: BN_new failed");
-		if ((k->rsa->iqmp = BN_new()) == NULL)
-			fatal("key_new_private: BN_new failed");
-		if ((k->rsa->q = BN_new()) == NULL)
-			fatal("key_new_private: BN_new failed");
-		if ((k->rsa->p = BN_new()) == NULL)
-			fatal("key_new_private: BN_new failed");
-		if ((k->rsa->dmq1 = BN_new()) == NULL)
-			fatal("key_new_private: BN_new failed");
-		if ((k->rsa->dmp1 = BN_new()) == NULL)
-			fatal("key_new_private: BN_new failed");
-		break;
-	case KEY_DSA:
-		if ((k->dsa->priv_key = BN_new()) == NULL)
-			fatal("key_new_private: BN_new failed");
-		break;
-	case KEY_UNSPEC:
-		break;
-	default:
-		break;
-	}
-	return k;
-}
-
-void
-key_free(Key *k)
-{
-	if (k == NULL)
-		fatal("key_free: key is NULL");
-	switch (k->type) {
-	case KEY_RSA1:
-	case KEY_RSA:
-		if (k->rsa != NULL)
-			RSA_free(k->rsa);
-		k->rsa = NULL;
-		break;
-	case KEY_DSA:
-		if (k->dsa != NULL)
-			DSA_free(k->dsa);
-		k->dsa = NULL;
-		break;
-	case KEY_UNSPEC:
-		break;
-	default:
-		fatal("key_free: bad key type %d", k->type);
-		break;
-	}
-	xfree(k);
-}
-
-int
-key_equal(const Key *a, const Key *b)
-{
-	if (a == NULL || b == NULL || a->type != b->type)
-		return 0;
-	switch (a->type) {
-	case KEY_RSA1:
-	case KEY_RSA:
-		return a->rsa != NULL && b->rsa != NULL &&
-		    BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
-		    BN_cmp(a->rsa->n, b->rsa->n) == 0;
-	case KEY_DSA:
-		return a->dsa != NULL && b->dsa != NULL &&
-		    BN_cmp(a->dsa->p, b->dsa->p) == 0 &&
-		    BN_cmp(a->dsa->q, b->dsa->q) == 0 &&
-		    BN_cmp(a->dsa->g, b->dsa->g) == 0 &&
-		    BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0;
-	default:
-		fatal("key_equal: bad key type %d", a->type);
-		break;
-	}
-	return 0;
-}
-
-u_char*
-key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
-    u_int *dgst_raw_length)
-{
-	const EVP_MD *md = NULL;
-	EVP_MD_CTX ctx;
-	u_char *blob = NULL;
-	u_char *retval = NULL;
-	u_int len = 0;
-	int nlen, elen;
-
-	*dgst_raw_length = 0;
-
-	switch (dgst_type) {
-	case SSH_FP_MD5:
-		md = EVP_md5();
-		break;
-	case SSH_FP_SHA1:
-		md = EVP_sha1();
-		break;
-	default:
-		fatal("key_fingerprint_raw: bad digest type %d",
-		    dgst_type);
-	}
-	switch (k->type) {
-	case KEY_RSA1:
-		nlen = BN_num_bytes(k->rsa->n);
-		elen = BN_num_bytes(k->rsa->e);
-		len = nlen + elen;
-		blob = xmalloc(len);
-		BN_bn2bin(k->rsa->n, blob);
-		BN_bn2bin(k->rsa->e, blob + nlen);
-		break;
-	case KEY_DSA:
-	case KEY_RSA:
-		key_to_blob(k, &blob, &len);
-		break;
-	case KEY_UNSPEC:
-		return retval;
-	default:
-		fatal("key_fingerprint_raw: bad key type %d", k->type);
-		break;
-	}
-	if (blob != NULL) {
-		retval = xmalloc(EVP_MAX_MD_SIZE);
-		EVP_DigestInit(&ctx, md);
-		EVP_DigestUpdate(&ctx, blob, len);
-		EVP_DigestFinal(&ctx, retval, dgst_raw_length);
-		memset(blob, 0, len);
-		xfree(blob);
-	} else {
-		fatal("key_fingerprint_raw: blob is null");
-	}
-	return retval;
-}
-
-static char *
-key_fingerprint_hex(u_char *dgst_raw, u_int dgst_raw_len)
-{
-	char *retval;
-	u_int i;
-
-	retval = xcalloc(1, dgst_raw_len * 3 + 1);
-	for (i = 0; i < dgst_raw_len; i++) {
-		char hex[4];
-		snprintf(hex, sizeof(hex), "%02x:", dgst_raw[i]);
-		strlcat(retval, hex, dgst_raw_len * 3 + 1);
-	}
-
-	/* Remove the trailing ':' character */
-	retval[(dgst_raw_len * 3) - 1] = '\0';
-	return retval;
-}
-
-static char *
-key_fingerprint_bubblebabble(u_char *dgst_raw, u_int dgst_raw_len)
-{
-	char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' };
-	char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm',
-	    'n', 'p', 'r', 's', 't', 'v', 'z', 'x' };
-	u_int i, j = 0, rounds, seed = 1;
-	char *retval;
-
-	rounds = (dgst_raw_len / 2) + 1;
-	retval = xcalloc((rounds * 6), sizeof(char));
-	retval[j++] = 'x';
-	for (i = 0; i < rounds; i++) {
-		u_int idx0, idx1, idx2, idx3, idx4;
-		if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) {
-			idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) +
-			    seed) % 6;
-			idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15;
-			idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) +
-			    (seed / 6)) % 6;
-			retval[j++] = vowels[idx0];
-			retval[j++] = consonants[idx1];
-			retval[j++] = vowels[idx2];
-			if ((i + 1) < rounds) {
-				idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15;
-				idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15;
-				retval[j++] = consonants[idx3];
-				retval[j++] = '-';
-				retval[j++] = consonants[idx4];
-				seed = ((seed * 5) +
-				    ((((u_int)(dgst_raw[2 * i])) * 7) +
-				    ((u_int)(dgst_raw[(2 * i) + 1])))) % 36;
-			}
-		} else {
-			idx0 = seed % 6;
-			idx1 = 16;
-			idx2 = seed / 6;
-			retval[j++] = vowels[idx0];
-			retval[j++] = consonants[idx1];
-			retval[j++] = vowels[idx2];
-		}
-	}
-	retval[j++] = 'x';
-	retval[j++] = '\0';
-	return retval;
-}
-
-char *
-key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
-{
-	char *retval = NULL;
-	u_char *dgst_raw;
-	u_int dgst_raw_len;
-
-	dgst_raw = key_fingerprint_raw(k, dgst_type, &dgst_raw_len);
-	if (!dgst_raw)
-		fatal("key_fingerprint: null from key_fingerprint_raw()");
-	switch (dgst_rep) {
-	case SSH_FP_HEX:
-		retval = key_fingerprint_hex(dgst_raw, dgst_raw_len);
-		break;
-	case SSH_FP_BUBBLEBABBLE:
-		retval = key_fingerprint_bubblebabble(dgst_raw, dgst_raw_len);
-		break;
-	default:
-		fatal("key_fingerprint_ex: bad digest representation %d",
-		    dgst_rep);
-		break;
-	}
-	memset(dgst_raw, 0, dgst_raw_len);
-	xfree(dgst_raw);
-	return retval;
-}
-
-/*
- * Reads a multiple-precision integer in decimal from the buffer, and advances
- * the pointer.  The integer must already be initialized.  This function is
- * permitted to modify the buffer.  This leaves *cpp to point just beyond the
- * last processed (and maybe modified) character.  Note that this may modify
- * the buffer containing the number.
- */
-static int
-read_bignum(char **cpp, BIGNUM * value)
-{
-	char *cp = *cpp;
-	int old;
-
-	/* Skip any leading whitespace. */
-	for (; *cp == ' ' || *cp == '\t'; cp++)
-		;
-
-	/* Check that it begins with a decimal digit. */
-	if (*cp < '0' || *cp > '9')
-		return 0;
-
-	/* Save starting position. */
-	*cpp = cp;
-
-	/* Move forward until all decimal digits skipped. */
-	for (; *cp >= '0' && *cp <= '9'; cp++)
-		;
-
-	/* Save the old terminating character, and replace it by \0. */
-	old = *cp;
-	*cp = 0;
-
-	/* Parse the number. */
-	if (BN_dec2bn(&value, *cpp) == 0)
-		return 0;
-
-	/* Restore old terminating character. */
-	*cp = old;
-
-	/* Move beyond the number and return success. */
-	*cpp = cp;
-	return 1;
-}
-
-static int
-write_bignum(FILE *f, BIGNUM *num)
-{
-	char *buf = BN_bn2dec(num);
-	if (buf == NULL) {
-		error("write_bignum: BN_bn2dec() failed");
-		return 0;
-	}
-	fprintf(f, " %s", buf);
-	OPENSSL_free(buf);
-	return 1;
-}
-
-/* returns 1 ok, -1 error */
-int
-key_read(Key *ret, char **cpp)
-{
-	Key *k;
-	int success = -1;
-	char *cp, *space;
-	int len, n, type;
-	u_int bits;
-	u_char *blob;
-
-	cp = *cpp;
-
-	switch (ret->type) {
-	case KEY_RSA1:
-		/* Get number of bits. */
-		if (*cp < '0' || *cp > '9')
-			return -1;	/* Bad bit count... */
-		for (bits = 0; *cp >= '0' && *cp <= '9'; cp++)
-			bits = 10 * bits + *cp - '0';
-		if (bits == 0)
-			return -1;
-		*cpp = cp;
-		/* Get public exponent, public modulus. */
-		if (!read_bignum(cpp, ret->rsa->e))
-			return -1;
-		if (!read_bignum(cpp, ret->rsa->n))
-			return -1;
-		success = 1;
-		break;
-	case KEY_UNSPEC:
-	case KEY_RSA:
-	case KEY_DSA:
-		space = strchr(cp, ' ');
-		if (space == NULL) {
-			debug3("key_read: missing whitespace");
-			return -1;
-		}
-		*space = '\0';
-		type = key_type_from_name(cp);
-		*space = ' ';
-		if (type == KEY_UNSPEC) {
-			debug3("key_read: missing keytype");
-			return -1;
-		}
-		cp = space+1;
-		if (*cp == '\0') {
-			debug3("key_read: short string");
-			return -1;
-		}
-		if (ret->type == KEY_UNSPEC) {
-			ret->type = type;
-		} else if (ret->type != type) {
-			/* is a key, but different type */
-			debug3("key_read: type mismatch");
-			return -1;
-		}
-		len = 2*strlen(cp);
-		blob = xmalloc(len);
-		n = uudecode(cp, blob, len);
-		if (n < 0) {
-			error("key_read: uudecode %s failed", cp);
-			xfree(blob);
-			return -1;
-		}
-		k = key_from_blob(blob, (u_int)n);
-		xfree(blob);
-		if (k == NULL) {
-			error("key_read: key_from_blob %s failed", cp);
-			return -1;
-		}
-		if (k->type != type) {
-			error("key_read: type mismatch: encoding error");
-			key_free(k);
-			return -1;
-		}
-/*XXXX*/
-		if (ret->type == KEY_RSA) {
-			if (ret->rsa != NULL)
-				RSA_free(ret->rsa);
-			ret->rsa = k->rsa;
-			k->rsa = NULL;
-			success = 1;
-#ifdef DEBUG_PK
-			RSA_print_fp(stderr, ret->rsa, 8);
-#endif
-		} else {
-			if (ret->dsa != NULL)
-				DSA_free(ret->dsa);
-			ret->dsa = k->dsa;
-			k->dsa = NULL;
-			success = 1;
-#ifdef DEBUG_PK
-			DSA_print_fp(stderr, ret->dsa, 8);
-#endif
-		}
-/*XXXX*/
-		key_free(k);
-		if (success != 1)
-			break;
-		/* advance cp: skip whitespace and data */
-		while (*cp == ' ' || *cp == '\t')
-			cp++;
-		while (*cp != '\0' && *cp != ' ' && *cp != '\t')
-			cp++;
-		*cpp = cp;
-		break;
-	default:
-		fatal("key_read: bad key type: %d", ret->type);
-		break;
-	}
-	return success;
-}
-
-int
-key_write(const Key *key, FILE *f)
-{
-	int n, success = 0;
-	u_int len, bits = 0;
-	u_char *blob;
-	char *uu;
-
-	if (key->type == KEY_RSA1 && key->rsa != NULL) {
-		/* size of modulus 'n' */
-		bits = BN_num_bits(key->rsa->n);
-		fprintf(f, "%u", bits);
-		if (write_bignum(f, key->rsa->e) &&
-		    write_bignum(f, key->rsa->n)) {
-			success = 1;
-		} else {
-			error("key_write: failed for RSA key");
-		}
-	} else if ((key->type == KEY_DSA && key->dsa != NULL) ||
-	    (key->type == KEY_RSA && key->rsa != NULL)) {
-		key_to_blob(key, &blob, &len);
-		uu = xmalloc(2*len);
-		n = uuencode(blob, len, uu, 2*len);
-		if (n > 0) {
-			fprintf(f, "%s %s", key_ssh_name(key), uu);
-			success = 1;
-		}
-		xfree(blob);
-		xfree(uu);
-	}
-	return success;
-}
-
-const char *
-key_type(const Key *k)
-{
-	switch (k->type) {
-	case KEY_RSA1:
-		return "RSA1";
-	case KEY_RSA:
-		return "RSA";
-	case KEY_DSA:
-		return "DSA";
-	}
-	return "unknown";
-}
-
-const char *
-key_ssh_name(const Key *k)
-{
-	switch (k->type) {
-	case KEY_RSA:
-		return "ssh-rsa";
-	case KEY_DSA:
-		return "ssh-dss";
-	}
-	return "ssh-unknown";
-}
-
-u_int
-key_size(const Key *k)
-{
-	switch (k->type) {
-	case KEY_RSA1:
-	case KEY_RSA:
-		return BN_num_bits(k->rsa->n);
-	case KEY_DSA:
-		return BN_num_bits(k->dsa->p);
-	}
-	return 0;
-}
-
-static RSA *
-rsa_generate_private_key(u_int bits)
-{
-	RSA *private;
-
-	private = RSA_generate_key(bits, 35, NULL, NULL);
-	if (private == NULL)
-		fatal("rsa_generate_private_key: key generation failed.");
-	return private;
-}
-
-static DSA*
-dsa_generate_private_key(u_int bits)
-{
-	DSA *private = DSA_generate_parameters(bits, NULL, 0, NULL, NULL, NULL, NULL);
-
-	if (private == NULL)
-		fatal("dsa_generate_private_key: DSA_generate_parameters failed");
-	if (!DSA_generate_key(private))
-		fatal("dsa_generate_private_key: DSA_generate_key failed.");
-	if (private == NULL)
-		fatal("dsa_generate_private_key: NULL.");
-	return private;
-}
-
-Key *
-key_generate(int type, u_int bits)
-{
-	Key *k = key_new(KEY_UNSPEC);
-	switch (type) {
-	case KEY_DSA:
-		k->dsa = dsa_generate_private_key(bits);
-		break;
-	case KEY_RSA:
-	case KEY_RSA1:
-		k->rsa = rsa_generate_private_key(bits);
-		break;
-	default:
-		fatal("key_generate: unknown type %d", type);
-	}
-	k->type = type;
-	return k;
-}
-
-Key *
-key_from_private(const Key *k)
-{
-	Key *n = NULL;
-	switch (k->type) {
-	case KEY_DSA:
-		n = key_new(k->type);
-		if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) ||
-		    (BN_copy(n->dsa->q, k->dsa->q) == NULL) ||
-		    (BN_copy(n->dsa->g, k->dsa->g) == NULL) ||
-		    (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL))
-			fatal("key_from_private: BN_copy failed");
-		break;
-	case KEY_RSA:
-	case KEY_RSA1:
-		n = key_new(k->type);
-		if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) ||
-		    (BN_copy(n->rsa->e, k->rsa->e) == NULL))
-			fatal("key_from_private: BN_copy failed");
-		break;
-	default:
-		fatal("key_from_private: unknown type %d", k->type);
-		break;
-	}
-	return n;
-}
-
-int
-key_type_from_name(char *name)
-{
-	if (strcmp(name, "rsa1") == 0) {
-		return KEY_RSA1;
-	} else if (strcmp(name, "rsa") == 0) {
-		return KEY_RSA;
-	} else if (strcmp(name, "dsa") == 0) {
-		return KEY_DSA;
-	} else if (strcmp(name, "ssh-rsa") == 0) {
-		return KEY_RSA;
-	} else if (strcmp(name, "ssh-dss") == 0) {
-		return KEY_DSA;
-	}
-	debug2("key_type_from_name: unknown key type '%s'", name);
-	return KEY_UNSPEC;
-}
-
-int
-key_names_valid2(const char *names)
-{
-	char *s, *cp, *p;
-
-	if (names == NULL || strcmp(names, "") == 0)
-		return 0;
-	s = cp = xstrdup(names);
-	for ((p = strsep(&cp, ",")); p && *p != '\0';
-	    (p = strsep(&cp, ","))) {
-		switch (key_type_from_name(p)) {
-		case KEY_RSA1:
-		case KEY_UNSPEC:
-			xfree(s);
-			return 0;
-		}
-	}
-	debug3("key names ok: [%s]", names);
-	xfree(s);
-	return 1;
-}
-
-Key *
-key_from_blob(const u_char *blob, u_int blen)
-{
-	Buffer b;
-	int rlen, type;
-	char *ktype = NULL;
-	Key *key = NULL;
-
-#ifdef DEBUG_PK
-	dump_base64(stderr, blob, blen);
-#endif
-	buffer_init(&b);
-	buffer_append(&b, blob, blen);
-	if ((ktype = buffer_get_string_ret(&b, NULL)) == NULL) {
-		error("key_from_blob: can't read key type");
-		goto out;
-	}
-
-	type = key_type_from_name(ktype);
-
-	switch (type) {
-	case KEY_RSA:
-		key = key_new(type);
-		if (buffer_get_bignum2_ret(&b, key->rsa->e) == -1 ||
-		    buffer_get_bignum2_ret(&b, key->rsa->n) == -1) {
-			error("key_from_blob: can't read rsa key");
-			key_free(key);
-			key = NULL;
-			goto out;
-		}
-#ifdef DEBUG_PK
-		RSA_print_fp(stderr, key->rsa, 8);
-#endif
-		break;
-	case KEY_DSA:
-		key = key_new(type);
-		if (buffer_get_bignum2_ret(&b, key->dsa->p) == -1 ||
-		    buffer_get_bignum2_ret(&b, key->dsa->q) == -1 ||
-		    buffer_get_bignum2_ret(&b, key->dsa->g) == -1 ||
-		    buffer_get_bignum2_ret(&b, key->dsa->pub_key) == -1) {
-			error("key_from_blob: can't read dsa key");
-			key_free(key);
-			key = NULL;
-			goto out;
-		}
-#ifdef DEBUG_PK
-		DSA_print_fp(stderr, key->dsa, 8);
-#endif
-		break;
-	case KEY_UNSPEC:
-		key = key_new(type);
-		break;
-	default:
-		error("key_from_blob: cannot handle type %s", ktype);
-		goto out;
-	}
-	rlen = buffer_len(&b);
-	if (key != NULL && rlen != 0)
-		error("key_from_blob: remaining bytes in key blob %d", rlen);
- out:
-	if (ktype != NULL)
-		xfree(ktype);
-	buffer_free(&b);
-	return key;
-}
-
-int
-key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
-{
-	Buffer b;
-	int len;
-
-	if (key == NULL) {
-		error("key_to_blob: key == NULL");
-		return 0;
-	}
-	buffer_init(&b);
-	switch (key->type) {
-	case KEY_DSA:
-		buffer_put_cstring(&b, key_ssh_name(key));
-		buffer_put_bignum2(&b, key->dsa->p);
-		buffer_put_bignum2(&b, key->dsa->q);
-		buffer_put_bignum2(&b, key->dsa->g);
-		buffer_put_bignum2(&b, key->dsa->pub_key);
-		break;
-	case KEY_RSA:
-		buffer_put_cstring(&b, key_ssh_name(key));
-		buffer_put_bignum2(&b, key->rsa->e);
-		buffer_put_bignum2(&b, key->rsa->n);
-		break;
-	default:
-		error("key_to_blob: unsupported key type %d", key->type);
-		buffer_free(&b);
-		return 0;
-	}
-	len = buffer_len(&b);
-	if (lenp != NULL)
-		*lenp = len;
-	if (blobp != NULL) {
-		*blobp = xmalloc(len);
-		memcpy(*blobp, buffer_ptr(&b), len);
-	}
-	memset(buffer_ptr(&b), 0, len);
-	buffer_free(&b);
-	return len;
-}
-
-int
-key_sign(
-    const Key *key,
-    u_char **sigp, u_int *lenp,
-    const u_char *data, u_int datalen)
-{
-	switch (key->type) {
-	case KEY_DSA:
-		return ssh_dss_sign(key, sigp, lenp, data, datalen);
-	case KEY_RSA:
-		return ssh_rsa_sign(key, sigp, lenp, data, datalen);
-	default:
-		error("key_sign: invalid key type %d", key->type);
-		return -1;
-	}
-}
-
-/*
- * key_verify returns 1 for a correct signature, 0 for an incorrect signature
- * and -1 on error.
- */
-int
-key_verify(
-    const Key *key,
-    const u_char *signature, u_int signaturelen,
-    const u_char *data, u_int datalen)
-{
-	if (signaturelen == 0)
-		return -1;
-
-	switch (key->type) {
-	case KEY_DSA:
-		return ssh_dss_verify(key, signature, signaturelen, data, datalen);
-	case KEY_RSA:
-		return ssh_rsa_verify(key, signature, signaturelen, data, datalen);
-	default:
-		error("key_verify: invalid key type %d", key->type);
-		return -1;
-	}
-}
-
-/* Converts a private to a public key */
-Key *
-key_demote(const Key *k)
-{
-	Key *pk;
-
-	pk = xcalloc(1, sizeof(*pk));
-	pk->type = k->type;
-	pk->flags = k->flags;
-	pk->dsa = NULL;
-	pk->rsa = NULL;
-
-	switch (k->type) {
-	case KEY_RSA1:
-	case KEY_RSA:
-		if ((pk->rsa = RSA_new()) == NULL)
-			fatal("key_demote: RSA_new failed");
-		if ((pk->rsa->e = BN_dup(k->rsa->e)) == NULL)
-			fatal("key_demote: BN_dup failed");
-		if ((pk->rsa->n = BN_dup(k->rsa->n)) == NULL)
-			fatal("key_demote: BN_dup failed");
-		break;
-	case KEY_DSA:
-		if ((pk->dsa = DSA_new()) == NULL)
-			fatal("key_demote: DSA_new failed");
-		if ((pk->dsa->p = BN_dup(k->dsa->p)) == NULL)
-			fatal("key_demote: BN_dup failed");
-		if ((pk->dsa->q = BN_dup(k->dsa->q)) == NULL)
-			fatal("key_demote: BN_dup failed");
-		if ((pk->dsa->g = BN_dup(k->dsa->g)) == NULL)
-			fatal("key_demote: BN_dup failed");
-		if ((pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL)
-			fatal("key_demote: BN_dup failed");
-		break;
-	default:
-		fatal("key_free: bad key type %d", k->type);
-		break;
-	}
-
-	return (pk);
-}
diff --git a/crypto/openssh/key.h b/crypto/openssh/key.h
deleted file mode 100644
index 6873dd7..0000000
--- a/crypto/openssh/key.h
+++ /dev/null
@@ -1,87 +0,0 @@
-/* $OpenBSD: key.h,v 1.26 2006/08/03 03:34:42 deraadt Exp $ */
-
-/*
- * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-#ifndef KEY_H
-#define KEY_H
-
-#include <openssl/rsa.h>
-#include <openssl/dsa.h>
-
-typedef struct Key Key;
-enum types {
-	KEY_RSA1,
-	KEY_RSA,
-	KEY_DSA,
-	KEY_UNSPEC
-};
-enum fp_type {
-	SSH_FP_SHA1,
-	SSH_FP_MD5
-};
-enum fp_rep {
-	SSH_FP_HEX,
-	SSH_FP_BUBBLEBABBLE
-};
-
-/* key is stored in external hardware */
-#define KEY_FLAG_EXT		0x0001
-
-struct Key {
-	int	 type;
-	int	 flags;
-	RSA	*rsa;
-	DSA	*dsa;
-};
-
-Key		*key_new(int);
-Key		*key_new_private(int);
-void		 key_free(Key *);
-Key		*key_demote(const Key *);
-int		 key_equal(const Key *, const Key *);
-char		*key_fingerprint(const Key *, enum fp_type, enum fp_rep);
-u_char		*key_fingerprint_raw(const Key *, enum fp_type, u_int *);
-const char	*key_type(const Key *);
-int		 key_write(const Key *, FILE *);
-int		 key_read(Key *, char **);
-u_int		 key_size(const Key *);
-
-Key	*key_generate(int, u_int);
-Key	*key_from_private(const Key *);
-int	 key_type_from_name(char *);
-
-Key		*key_from_blob(const u_char *, u_int);
-int		 key_to_blob(const Key *, u_char **, u_int *);
-const char	*key_ssh_name(const Key *);
-int		 key_names_valid2(const char *);
-
-int	 key_sign(const Key *, u_char **, u_int *, const u_char *, u_int);
-int	 key_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
-
-int	 ssh_dss_sign(const Key *, u_char **, u_int *, const u_char *, u_int);
-int	 ssh_dss_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
-int	 ssh_rsa_sign(const Key *, u_char **, u_int *, const u_char *, u_int);
-int	 ssh_rsa_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
-
-#endif
diff --git a/crypto/openssh/lib/Makefile b/crypto/openssh/lib/Makefile
deleted file mode 100644
index ac950a9..0000000
--- a/crypto/openssh/lib/Makefile
+++ /dev/null
@@ -1,35 +0,0 @@
-#	$OpenBSD: Makefile,v 1.36 2002/06/11 15:23:29 hin Exp $
-
-.PATH:		${.CURDIR}/..
-
-LIB=	ssh
-SRCS=	authfd.c authfile.c bufaux.c buffer.c canohost.c channels.c \
-	cipher.c compat.c compress.c crc32.c deattack.c fatal.c \
-	hostfile.c log.c match.c mpaux.c nchan.c packet.c readpass.c \
-	rsa.c tildexpand.c ttymodes.c xmalloc.c atomicio.c \
-	key.c dispatch.c kex.c mac.c uuencode.c misc.c \
-	rijndael.c ssh-dss.c ssh-rsa.c dh.c kexdh.c kexgex.c \
-	scard.c monitor_wrap.c monitor_fdpass.c msg.c
-
-DEBUGLIBS= no
-NOPROFILE= yes
-NOPIC=	yes
-
-install:
-	@echo -n
-
-.include <bsd.own.mk>
-
-.if (${KERBEROS5:L} == "yes")
-CFLAGS+= -DKRB5 -I${DESTDIR}/usr/include/kerberosV
-.endif # KERBEROS5
-
-.if (${KERBEROS:L} == "yes")
-CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV
-.if (${AFS:L} == "yes")
-CFLAGS+= -DAFS
-SRCS+=  radix.c
-.endif # AFS
-.endif # KERBEROS
-
-.include <bsd.lib.mk>
diff --git a/crypto/openssh/log-client.c b/crypto/openssh/log-client.c
deleted file mode 100644
index 505c8c3..0000000
--- a/crypto/openssh/log-client.c
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Client-side versions of debug(), log(), etc.  These print to stderr.
- * This is a stripped down version of log-server.c.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- *
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: log-client.c,v 1.12 2000/09/12 20:53:10 markus Exp $");
-
-#include "xmalloc.h"
-#include "ssh.h"
-
-static LogLevel log_level = SYSLOG_LEVEL_INFO;
-
-/* Initialize the log.
- *   av0	program name (should be argv[0])
- *   level	logging level
- */
-
-void
-log_init(char *av0, LogLevel level, SyslogFacility ignored1, int ignored2)
-{
-	switch (level) {
-	case SYSLOG_LEVEL_QUIET:
-	case SYSLOG_LEVEL_ERROR:
-	case SYSLOG_LEVEL_FATAL:
-	case SYSLOG_LEVEL_INFO:
-	case SYSLOG_LEVEL_VERBOSE:
-	case SYSLOG_LEVEL_DEBUG1:
-	case SYSLOG_LEVEL_DEBUG2:
-	case SYSLOG_LEVEL_DEBUG3:
-		log_level = level;
-		break;
-	default:
-		/* unchanged */
-		break;
-	}
-}
-
-#define MSGBUFSIZ 1024
-
-void
-do_log(LogLevel level, const char *fmt, va_list args)
-{
-	char msgbuf[MSGBUFSIZ];
-
-	if (level > log_level)
-		return;
-	if (level >= SYSLOG_LEVEL_DEBUG1)
-		fprintf(stderr, "debug: ");
-	vsnprintf(msgbuf, sizeof(msgbuf), fmt, args);
-	fprintf(stderr, "%s\r\n", msgbuf);
-}
diff --git a/crypto/openssh/log-server.c b/crypto/openssh/log-server.c
deleted file mode 100644
index de3d5cf..0000000
--- a/crypto/openssh/log-server.c
+++ /dev/null
@@ -1,173 +0,0 @@
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Server-side versions of debug(), log(), etc.  These normally send the output
- * to the system log.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- *
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: log-server.c,v 1.17 2000/09/12 20:53:10 markus Exp $");
-
-#include <syslog.h>
-#include "packet.h"
-#include "xmalloc.h"
-#include "ssh.h"
-
-static LogLevel log_level = SYSLOG_LEVEL_INFO;
-static int log_on_stderr = 0;
-static int log_facility = LOG_AUTH;
-
-/* Initialize the log.
- *   av0	program name (should be argv[0])
- *   on_stderr	print also on stderr
- *   level	logging level
- */
-
-void
-log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
-{
-	switch (level) {
-	case SYSLOG_LEVEL_QUIET:
-	case SYSLOG_LEVEL_ERROR:
-	case SYSLOG_LEVEL_FATAL:
-	case SYSLOG_LEVEL_INFO:
-	case SYSLOG_LEVEL_VERBOSE:
-	case SYSLOG_LEVEL_DEBUG1:
-	case SYSLOG_LEVEL_DEBUG2:
-	case SYSLOG_LEVEL_DEBUG3:
-		log_level = level;
-		break;
-	default:
-		fprintf(stderr, "Unrecognized internal syslog level code %d\n",
-			(int) level);
-		exit(1);
-	}
-	switch (facility) {
-	case SYSLOG_FACILITY_DAEMON:
-		log_facility = LOG_DAEMON;
-		break;
-	case SYSLOG_FACILITY_USER:
-		log_facility = LOG_USER;
-		break;
-	case SYSLOG_FACILITY_AUTH:
-		log_facility = LOG_AUTH;
-		break;
-	case SYSLOG_FACILITY_LOCAL0:
-		log_facility = LOG_LOCAL0;
-		break;
-	case SYSLOG_FACILITY_LOCAL1:
-		log_facility = LOG_LOCAL1;
-		break;
-	case SYSLOG_FACILITY_LOCAL2:
-		log_facility = LOG_LOCAL2;
-		break;
-	case SYSLOG_FACILITY_LOCAL3:
-		log_facility = LOG_LOCAL3;
-		break;
-	case SYSLOG_FACILITY_LOCAL4:
-		log_facility = LOG_LOCAL4;
-		break;
-	case SYSLOG_FACILITY_LOCAL5:
-		log_facility = LOG_LOCAL5;
-		break;
-	case SYSLOG_FACILITY_LOCAL6:
-		log_facility = LOG_LOCAL6;
-		break;
-	case SYSLOG_FACILITY_LOCAL7:
-		log_facility = LOG_LOCAL7;
-		break;
-	default:
-		fprintf(stderr, "Unrecognized internal syslog facility code %d\n",
-			(int) facility);
-		exit(1);
-	}
-	log_on_stderr = on_stderr;
-}
-
-#define MSGBUFSIZ 1024
-
-void
-do_log(LogLevel level, const char *fmt, va_list args)
-{
-	char msgbuf[MSGBUFSIZ];
-	char fmtbuf[MSGBUFSIZ];
-	char *txt = NULL;
-	int pri = LOG_INFO;
-	extern char *__progname;
-
-	if (level > log_level)
-		return;
-	switch (level) {
-	case SYSLOG_LEVEL_ERROR:
-		txt = "error";
-		pri = LOG_ERR;
-		break;
-	case SYSLOG_LEVEL_FATAL:
-		txt = "fatal";
-		pri = LOG_ERR;
-		break;
-	case SYSLOG_LEVEL_INFO:
-	case SYSLOG_LEVEL_VERBOSE:
-		pri = LOG_INFO;
-		break;
-	case SYSLOG_LEVEL_DEBUG1:
-		txt = "debug1";
-		pri = LOG_DEBUG;
-		break;
-	case SYSLOG_LEVEL_DEBUG2:
-		txt = "debug2";
-		pri = LOG_DEBUG;
-		break;
-	case SYSLOG_LEVEL_DEBUG3:
-		txt = "debug3";
-		pri = LOG_DEBUG;
-		break;
-	default:
-		txt = "internal error";
-		pri = LOG_ERR;
-		break;
-	}
-	if (txt != NULL) {
-		snprintf(fmtbuf, sizeof(fmtbuf), "%s: %s", txt, fmt);
-		vsnprintf(msgbuf, sizeof(msgbuf), fmtbuf, args);
-	} else {
-		vsnprintf(msgbuf, sizeof(msgbuf), fmt, args);
-	}
-	if (log_on_stderr) {
-		fprintf(stderr, "%s\n", msgbuf);
-	} else {
-		openlog(__progname, LOG_PID, log_facility);
-		syslog(pri, "%.500s", msgbuf);
-		closelog();
-	}
-}
diff --git a/crypto/openssh/log.c b/crypto/openssh/log.c
deleted file mode 100644
index 7f88674..0000000
--- a/crypto/openssh/log.c
+++ /dev/null
@@ -1,376 +0,0 @@
-/* $OpenBSD: log.c,v 1.39 2006/08/18 09:13:25 deraadt Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <syslog.h>
-#include <unistd.h>
-#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H)
-# include <vis.h>
-#endif
-
-#include "xmalloc.h"
-#include "log.h"
-
-static LogLevel log_level = SYSLOG_LEVEL_INFO;
-static int log_on_stderr = 1;
-static int log_facility = LOG_AUTH;
-static char *argv0;
-
-extern char *__progname;
-
-#define LOG_SYSLOG_VIS	(VIS_CSTYLE|VIS_NL|VIS_TAB|VIS_OCTAL)
-#define LOG_STDERR_VIS	(VIS_SAFE|VIS_OCTAL)
-
-/* textual representation of log-facilities/levels */
-
-static struct {
-	const char *name;
-	SyslogFacility val;
-} log_facilities[] = {
-	{ "DAEMON",	SYSLOG_FACILITY_DAEMON },
-	{ "USER",	SYSLOG_FACILITY_USER },
-	{ "AUTH",	SYSLOG_FACILITY_AUTH },
-#ifdef LOG_AUTHPRIV
-	{ "AUTHPRIV",	SYSLOG_FACILITY_AUTHPRIV },
-#endif
-	{ "LOCAL0",	SYSLOG_FACILITY_LOCAL0 },
-	{ "LOCAL1",	SYSLOG_FACILITY_LOCAL1 },
-	{ "LOCAL2",	SYSLOG_FACILITY_LOCAL2 },
-	{ "LOCAL3",	SYSLOG_FACILITY_LOCAL3 },
-	{ "LOCAL4",	SYSLOG_FACILITY_LOCAL4 },
-	{ "LOCAL5",	SYSLOG_FACILITY_LOCAL5 },
-	{ "LOCAL6",	SYSLOG_FACILITY_LOCAL6 },
-	{ "LOCAL7",	SYSLOG_FACILITY_LOCAL7 },
-	{ NULL,		SYSLOG_FACILITY_NOT_SET }
-};
-
-static struct {
-	const char *name;
-	LogLevel val;
-} log_levels[] =
-{
-	{ "QUIET",	SYSLOG_LEVEL_QUIET },
-	{ "FATAL",	SYSLOG_LEVEL_FATAL },
-	{ "ERROR",	SYSLOG_LEVEL_ERROR },
-	{ "INFO",	SYSLOG_LEVEL_INFO },
-	{ "VERBOSE",	SYSLOG_LEVEL_VERBOSE },
-	{ "DEBUG",	SYSLOG_LEVEL_DEBUG1 },
-	{ "DEBUG1",	SYSLOG_LEVEL_DEBUG1 },
-	{ "DEBUG2",	SYSLOG_LEVEL_DEBUG2 },
-	{ "DEBUG3",	SYSLOG_LEVEL_DEBUG3 },
-	{ NULL,		SYSLOG_LEVEL_NOT_SET }
-};
-
-SyslogFacility
-log_facility_number(char *name)
-{
-	int i;
-
-	if (name != NULL)
-		for (i = 0; log_facilities[i].name; i++)
-			if (strcasecmp(log_facilities[i].name, name) == 0)
-				return log_facilities[i].val;
-	return SYSLOG_FACILITY_NOT_SET;
-}
-
-LogLevel
-log_level_number(char *name)
-{
-	int i;
-
-	if (name != NULL)
-		for (i = 0; log_levels[i].name; i++)
-			if (strcasecmp(log_levels[i].name, name) == 0)
-				return log_levels[i].val;
-	return SYSLOG_LEVEL_NOT_SET;
-}
-
-/* Error messages that should be logged. */
-
-void
-error(const char *fmt,...)
-{
-	va_list args;
-
-	va_start(args, fmt);
-	do_log(SYSLOG_LEVEL_ERROR, fmt, args);
-	va_end(args);
-}
-
-void
-sigdie(const char *fmt,...)
-{
-#ifdef DO_LOG_SAFE_IN_SIGHAND
-	va_list args;
-
-	va_start(args, fmt);
-	do_log(SYSLOG_LEVEL_FATAL, fmt, args);
-	va_end(args);
-#endif
-	_exit(1);
-}
-
-
-/* Log this message (information that usually should go to the log). */
-
-void
-logit(const char *fmt,...)
-{
-	va_list args;
-
-	va_start(args, fmt);
-	do_log(SYSLOG_LEVEL_INFO, fmt, args);
-	va_end(args);
-}
-
-/* More detailed messages (information that does not need to go to the log). */
-
-void
-verbose(const char *fmt,...)
-{
-	va_list args;
-
-	va_start(args, fmt);
-	do_log(SYSLOG_LEVEL_VERBOSE, fmt, args);
-	va_end(args);
-}
-
-/* Debugging messages that should not be logged during normal operation. */
-
-void
-debug(const char *fmt,...)
-{
-	va_list args;
-
-	va_start(args, fmt);
-	do_log(SYSLOG_LEVEL_DEBUG1, fmt, args);
-	va_end(args);
-}
-
-void
-debug2(const char *fmt,...)
-{
-	va_list args;
-
-	va_start(args, fmt);
-	do_log(SYSLOG_LEVEL_DEBUG2, fmt, args);
-	va_end(args);
-}
-
-void
-debug3(const char *fmt,...)
-{
-	va_list args;
-
-	va_start(args, fmt);
-	do_log(SYSLOG_LEVEL_DEBUG3, fmt, args);
-	va_end(args);
-}
-
-/*
- * Initialize the log.
- */
-
-void
-log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
-{
-#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
-	struct syslog_data sdata = SYSLOG_DATA_INIT;
-#endif
-
-	argv0 = av0;
-
-	switch (level) {
-	case SYSLOG_LEVEL_QUIET:
-	case SYSLOG_LEVEL_FATAL:
-	case SYSLOG_LEVEL_ERROR:
-	case SYSLOG_LEVEL_INFO:
-	case SYSLOG_LEVEL_VERBOSE:
-	case SYSLOG_LEVEL_DEBUG1:
-	case SYSLOG_LEVEL_DEBUG2:
-	case SYSLOG_LEVEL_DEBUG3:
-		log_level = level;
-		break;
-	default:
-		fprintf(stderr, "Unrecognized internal syslog level code %d\n",
-		    (int) level);
-		exit(1);
-	}
-
-	log_on_stderr = on_stderr;
-	if (on_stderr)
-		return;
-
-	switch (facility) {
-	case SYSLOG_FACILITY_DAEMON:
-		log_facility = LOG_DAEMON;
-		break;
-	case SYSLOG_FACILITY_USER:
-		log_facility = LOG_USER;
-		break;
-	case SYSLOG_FACILITY_AUTH:
-		log_facility = LOG_AUTH;
-		break;
-#ifdef LOG_AUTHPRIV
-	case SYSLOG_FACILITY_AUTHPRIV:
-		log_facility = LOG_AUTHPRIV;
-		break;
-#endif
-	case SYSLOG_FACILITY_LOCAL0:
-		log_facility = LOG_LOCAL0;
-		break;
-	case SYSLOG_FACILITY_LOCAL1:
-		log_facility = LOG_LOCAL1;
-		break;
-	case SYSLOG_FACILITY_LOCAL2:
-		log_facility = LOG_LOCAL2;
-		break;
-	case SYSLOG_FACILITY_LOCAL3:
-		log_facility = LOG_LOCAL3;
-		break;
-	case SYSLOG_FACILITY_LOCAL4:
-		log_facility = LOG_LOCAL4;
-		break;
-	case SYSLOG_FACILITY_LOCAL5:
-		log_facility = LOG_LOCAL5;
-		break;
-	case SYSLOG_FACILITY_LOCAL6:
-		log_facility = LOG_LOCAL6;
-		break;
-	case SYSLOG_FACILITY_LOCAL7:
-		log_facility = LOG_LOCAL7;
-		break;
-	default:
-		fprintf(stderr,
-		    "Unrecognized internal syslog facility code %d\n",
-		    (int) facility);
-		exit(1);
-	}
-
-	/*
-	 * If an external library (eg libwrap) attempts to use syslog
-	 * immediately after reexec, syslog may be pointing to the wrong
-	 * facility, so we force an open/close of syslog here.
-	 */
-#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
-	openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
-	closelog_r(&sdata);
-#else
-	openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility);
-	closelog();
-#endif
-}
-
-#define MSGBUFSIZ 1024
-
-void
-do_log(LogLevel level, const char *fmt, va_list args)
-{
-#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
-	struct syslog_data sdata = SYSLOG_DATA_INIT;
-#endif
-	char msgbuf[MSGBUFSIZ];
-	char fmtbuf[MSGBUFSIZ];
-	char *txt = NULL;
-	int pri = LOG_INFO;
-
-	if (level > log_level)
-		return;
-
-	switch (level) {
-	case SYSLOG_LEVEL_FATAL:
-		if (!log_on_stderr)
-			txt = "fatal";
-		pri = LOG_CRIT;
-		break;
-	case SYSLOG_LEVEL_ERROR:
-		if (!log_on_stderr)
-			txt = "error";
-		pri = LOG_ERR;
-		break;
-	case SYSLOG_LEVEL_INFO:
-		pri = LOG_INFO;
-		break;
-	case SYSLOG_LEVEL_VERBOSE:
-		pri = LOG_INFO;
-		break;
-	case SYSLOG_LEVEL_DEBUG1:
-		txt = "debug1";
-		pri = LOG_DEBUG;
-		break;
-	case SYSLOG_LEVEL_DEBUG2:
-		txt = "debug2";
-		pri = LOG_DEBUG;
-		break;
-	case SYSLOG_LEVEL_DEBUG3:
-		txt = "debug3";
-		pri = LOG_DEBUG;
-		break;
-	default:
-		txt = "internal error";
-		pri = LOG_ERR;
-		break;
-	}
-	if (txt != NULL) {
-		snprintf(fmtbuf, sizeof(fmtbuf), "%s: %s", txt, fmt);
-		vsnprintf(msgbuf, sizeof(msgbuf), fmtbuf, args);
-	} else {
-		vsnprintf(msgbuf, sizeof(msgbuf), fmt, args);
-	}
-	strnvis(fmtbuf, msgbuf, sizeof(fmtbuf),
-	    log_on_stderr ? LOG_STDERR_VIS : LOG_SYSLOG_VIS);
-	if (log_on_stderr) {
-		snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf);
-		write(STDERR_FILENO, msgbuf, strlen(msgbuf));
-	} else {
-#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
-		openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
-		syslog_r(pri, &sdata, "%.500s", fmtbuf);
-		closelog_r(&sdata);
-#else
-		openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility);
-		syslog(pri, "%.500s", fmtbuf);
-		closelog();
-#endif
-	}
-}
diff --git a/crypto/openssh/log.h b/crypto/openssh/log.h
deleted file mode 100644
index 7a8c570..0000000
--- a/crypto/openssh/log.h
+++ /dev/null
@@ -1,65 +0,0 @@
-/* $OpenBSD: log.h,v 1.15 2006/08/18 09:13:25 deraadt Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#ifndef SSH_LOG_H
-#define SSH_LOG_H
-
-/* Supported syslog facilities and levels. */
-typedef enum {
-	SYSLOG_FACILITY_DAEMON,
-	SYSLOG_FACILITY_USER,
-	SYSLOG_FACILITY_AUTH,
-#ifdef LOG_AUTHPRIV
-	SYSLOG_FACILITY_AUTHPRIV,
-#endif
-	SYSLOG_FACILITY_LOCAL0,
-	SYSLOG_FACILITY_LOCAL1,
-	SYSLOG_FACILITY_LOCAL2,
-	SYSLOG_FACILITY_LOCAL3,
-	SYSLOG_FACILITY_LOCAL4,
-	SYSLOG_FACILITY_LOCAL5,
-	SYSLOG_FACILITY_LOCAL6,
-	SYSLOG_FACILITY_LOCAL7,
-	SYSLOG_FACILITY_NOT_SET = -1
-}       SyslogFacility;
-
-typedef enum {
-	SYSLOG_LEVEL_QUIET,
-	SYSLOG_LEVEL_FATAL,
-	SYSLOG_LEVEL_ERROR,
-	SYSLOG_LEVEL_INFO,
-	SYSLOG_LEVEL_VERBOSE,
-	SYSLOG_LEVEL_DEBUG1,
-	SYSLOG_LEVEL_DEBUG2,
-	SYSLOG_LEVEL_DEBUG3,
-	SYSLOG_LEVEL_NOT_SET = -1
-}       LogLevel;
-
-void     log_init(char *, LogLevel, SyslogFacility, int);
-
-SyslogFacility	log_facility_number(char *);
-LogLevel log_level_number(char *);
-
-void     fatal(const char *, ...) __dead __attribute__((format(printf, 1, 2)));
-void     error(const char *, ...) __attribute__((format(printf, 1, 2)));
-void     sigdie(const char *, ...) __attribute__((format(printf, 1, 2)));
-void     logit(const char *, ...) __attribute__((format(printf, 1, 2)));
-void     verbose(const char *, ...) __attribute__((format(printf, 1, 2)));
-void     debug(const char *, ...) __attribute__((format(printf, 1, 2)));
-void     debug2(const char *, ...) __attribute__((format(printf, 1, 2)));
-void     debug3(const char *, ...) __attribute__((format(printf, 1, 2)));
-
-void	 do_log(LogLevel, const char *, va_list);
-void	 cleanup_exit(int) __dead;
-#endif
diff --git a/crypto/openssh/login.c b/crypto/openssh/login.c
deleted file mode 100644
index 1d59cd8..0000000
--- a/crypto/openssh/login.c
+++ /dev/null
@@ -1,145 +0,0 @@
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * This file performs some of the things login(1) normally does.  We cannot
- * easily use something like login -p -h host -f user, because there are
- * several different logins around, and it is hard to determined what kind of
- * login the current system has.  Also, we want to be able to execute commands
- * on a tty.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- * Copyright (c) 1999 Theo de Raadt.  All rights reserved.
- * Copyright (c) 1999 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: login.c,v 1.15 2000/09/07 20:27:52 deraadt Exp $");
-
-#include <util.h>
-#include <utmp.h>
-#include "ssh.h"
-
-/*
- * Returns the time when the user last logged in.  Returns 0 if the
- * information is not available.  This must be called before record_login.
- * The host the user logged in from will be returned in buf.
- */
-
-/*
- * Returns the time when the user last logged in (or 0 if no previous login
- * is found).  The name of the host used last time is returned in buf.
- */
-
-unsigned long
-get_last_login_time(uid_t uid, const char *logname,
-		    char *buf, unsigned int bufsize)
-{
-	struct lastlog ll;
-	char *lastlog;
-	int fd;
-
-	lastlog = _PATH_LASTLOG;
-	buf[0] = '\0';
-
-	fd = open(lastlog, O_RDONLY);
-	if (fd < 0)
-		return 0;
-	lseek(fd, (off_t) ((long) uid * sizeof(ll)), SEEK_SET);
-	if (read(fd, &ll, sizeof(ll)) != sizeof(ll)) {
-		close(fd);
-		return 0;
-	}
-	close(fd);
-	if (bufsize > sizeof(ll.ll_host) + 1)
-		bufsize = sizeof(ll.ll_host) + 1;
-	strncpy(buf, ll.ll_host, bufsize - 1);
-	buf[bufsize - 1] = 0;
-	return ll.ll_time;
-}
-
-/*
- * Records that the user has logged in.  I these parts of operating systems
- * were more standardized.
- */
-
-void
-record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid,
-	     const char *host, struct sockaddr * addr)
-{
-	int fd;
-	struct lastlog ll;
-	char *lastlog;
-	struct utmp u;
-	const char *utmp, *wtmp;
-
-	/* Construct an utmp/wtmp entry. */
-	memset(&u, 0, sizeof(u));
-	strncpy(u.ut_line, ttyname + 5, sizeof(u.ut_line));
-	u.ut_time = time(NULL);
-	strncpy(u.ut_name, user, sizeof(u.ut_name));
-	strncpy(u.ut_host, host, sizeof(u.ut_host));
-
-	/* Figure out the file names. */
-	utmp = _PATH_UTMP;
-	wtmp = _PATH_WTMP;
-
-	login(&u);
-	lastlog = _PATH_LASTLOG;
-
-	/* Update lastlog unless actually recording a logout. */
-	if (strcmp(user, "") != 0) {
-		/*
-		 * It is safer to bzero the lastlog structure first because
-		 * some systems might have some extra fields in it (e.g. SGI)
-		 */
-		memset(&ll, 0, sizeof(ll));
-
-		/* Update lastlog. */
-		ll.ll_time = time(NULL);
-		strncpy(ll.ll_line, ttyname + 5, sizeof(ll.ll_line));
-		strncpy(ll.ll_host, host, sizeof(ll.ll_host));
-		fd = open(lastlog, O_RDWR);
-		if (fd >= 0) {
-			lseek(fd, (off_t) ((long) uid * sizeof(ll)), SEEK_SET);
-			if (write(fd, &ll, sizeof(ll)) != sizeof(ll))
-				log("Could not write %.100s: %.100s", lastlog, strerror(errno));
-			close(fd);
-		}
-	}
-}
-
-/* Records that the user has logged out. */
-
-void
-record_logout(pid_t pid, const char *ttyname)
-{
-	const char *line = ttyname + 5;	/* /dev/ttyq8 -> ttyq8 */
-	if (logout(line))
-		logwtmp(line, "", "");
-}
diff --git a/crypto/openssh/loginrec.c b/crypto/openssh/loginrec.c
deleted file mode 100644
index e591277..0000000
--- a/crypto/openssh/loginrec.c
+++ /dev/null
@@ -1,1694 +0,0 @@
-/*
- * Copyright (c) 2000 Andre Lucas.  All rights reserved.
- * Portions copyright (c) 1998 Todd C. Miller
- * Portions copyright (c) 1996 Jason Downs
- * Portions copyright (c) 1996 Theo de Raadt
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * The btmp logging code is derived from login.c from util-linux and is under
- * the the following license:
- *
- * Copyright (c) 1980, 1987, 1988 The Regents of the University of California.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that the above copyright notice and this paragraph are
- * duplicated in all such forms and that any documentation,
- * advertising materials, and other materials related to such
- * distribution and use acknowledge that the software was developed
- * by the University of California, Berkeley.  The name of the
- * University may not be used to endorse or promote products derived
- * from this software without specific prior written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-
-/**
- ** loginrec.c:  platform-independent login recording and lastlog retrieval
- **/
-
-/*
- *  The new login code explained
- *  ============================
- *
- *  This code attempts to provide a common interface to login recording
- *  (utmp and friends) and last login time retrieval.
- *
- *  Its primary means of achieving this is to use 'struct logininfo', a
- *  union of all the useful fields in the various different types of
- *  system login record structures one finds on UNIX variants.
- *
- *  We depend on autoconf to define which recording methods are to be
- *  used, and which fields are contained in the relevant data structures
- *  on the local system. Many C preprocessor symbols affect which code
- *  gets compiled here.
- *
- *  The code is designed to make it easy to modify a particular
- *  recording method, without affecting other methods nor requiring so
- *  many nested conditional compilation blocks as were commonplace in
- *  the old code.
- *
- *  For login recording, we try to use the local system's libraries as
- *  these are clearly most likely to work correctly. For utmp systems
- *  this usually means login() and logout() or setutent() etc., probably
- *  in libutil, along with logwtmp() etc. On these systems, we fall back
- *  to writing the files directly if we have to, though this method
- *  requires very thorough testing so we do not corrupt local auditing
- *  information. These files and their access methods are very system
- *  specific indeed.
- *
- *  For utmpx systems, the corresponding library functions are
- *  setutxent() etc. To the author's knowledge, all utmpx systems have
- *  these library functions and so no direct write is attempted. If such
- *  a system exists and needs support, direct analogues of the [uw]tmp
- *  code should suffice.
- *
- *  Retrieving the time of last login ('lastlog') is in some ways even
- *  more problemmatic than login recording. Some systems provide a
- *  simple table of all users which we seek based on uid and retrieve a
- *  relatively standard structure. Others record the same information in
- *  a directory with a separate file, and others don't record the
- *  information separately at all. For systems in the latter category,
- *  we look backwards in the wtmp or wtmpx file for the last login entry
- *  for our user. Naturally this is slower and on busy systems could
- *  incur a significant performance penalty.
- *
- *  Calling the new code
- *  --------------------
- *
- *  In OpenSSH all login recording and retrieval is performed in
- *  login.c. Here you'll find working examples. Also, in the logintest.c
- *  program there are more examples.
- *
- *  Internal handler calling method
- *  -------------------------------
- *
- *  When a call is made to login_login() or login_logout(), both
- *  routines set a struct logininfo flag defining which action (log in,
- *  or log out) is to be taken. They both then call login_write(), which
- *  calls whichever of the many structure-specific handlers autoconf
- *  selects for the local system.
- *
- *  The handlers themselves handle system data structure specifics. Both
- *  struct utmp and struct utmpx have utility functions (see
- *  construct_utmp*()) to try to make it simpler to add extra systems
- *  that introduce new features to either structure.
- *
- *  While it may seem terribly wasteful to replicate so much similar
- *  code for each method, experience has shown that maintaining code to
- *  write both struct utmp and utmpx in one function, whilst maintaining
- *  support for all systems whether they have library support or not, is
- *  a difficult and time-consuming task.
- *
- *  Lastlog support proceeds similarly. Functions login_get_lastlog()
- *  (and its OpenSSH-tuned friend login_get_lastlog_time()) call
- *  getlast_entry(), which tries one of three methods to find the last
- *  login time. It uses local system lastlog support if it can,
- *  otherwise it tries wtmp or wtmpx before giving up and returning 0,
- *  meaning "tilt".
- *
- *  Maintenance
- *  -----------
- *
- *  In many cases it's possible to tweak autoconf to select the correct
- *  methods for a particular platform, either by improving the detection
- *  code (best), or by presetting DISABLE_<method> or CONF_<method>_FILE
- *  symbols for the platform.
- *
- *  Use logintest to check which symbols are defined before modifying
- *  configure.ac and loginrec.c. (You have to build logintest yourself
- *  with 'make logintest' as it's not built by default.)
- *
- *  Otherwise, patches to the specific method(s) are very helpful!
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#ifdef HAVE_PATHS_H
-# include <paths.h>
-#endif
-#include <pwd.h>
-#include <stdarg.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "xmalloc.h"
-#include "key.h"
-#include "hostfile.h"
-#include "ssh.h"
-#include "loginrec.h"
-#include "log.h"
-#include "atomicio.h"
-#include "packet.h"
-#include "canohost.h"
-#include "auth.h"
-#include "buffer.h"
-
-#ifdef HAVE_UTIL_H
-# include <util.h>
-#endif
-
-#ifdef HAVE_LIBUTIL_H
-# include <libutil.h>
-#endif
-
-/**
- ** prototypes for helper functions in this file
- **/
-
-#if HAVE_UTMP_H
-void set_utmp_time(struct logininfo *li, struct utmp *ut);
-void construct_utmp(struct logininfo *li, struct utmp *ut);
-#endif
-
-#ifdef HAVE_UTMPX_H
-void set_utmpx_time(struct logininfo *li, struct utmpx *ut);
-void construct_utmpx(struct logininfo *li, struct utmpx *ut);
-#endif
-
-int utmp_write_entry(struct logininfo *li);
-int utmpx_write_entry(struct logininfo *li);
-int wtmp_write_entry(struct logininfo *li);
-int wtmpx_write_entry(struct logininfo *li);
-int lastlog_write_entry(struct logininfo *li);
-int syslogin_write_entry(struct logininfo *li);
-
-int getlast_entry(struct logininfo *li);
-int lastlog_get_entry(struct logininfo *li);
-int wtmp_get_entry(struct logininfo *li);
-int wtmpx_get_entry(struct logininfo *li);
-
-extern Buffer loginmsg;
-
-/* pick the shortest string */
-#define MIN_SIZEOF(s1,s2) (sizeof(s1) < sizeof(s2) ? sizeof(s1) : sizeof(s2))
-
-/**
- ** platform-independent login functions
- **/
-
-/*
- * login_login(struct logininfo *) - Record a login
- *
- * Call with a pointer to a struct logininfo initialised with
- * login_init_entry() or login_alloc_entry()
- *
- * Returns:
- *  >0 if successful
- *  0  on failure (will use OpenSSH's logging facilities for diagnostics)
- */
-int
-login_login(struct logininfo *li)
-{
-	li->type = LTYPE_LOGIN;
-	return (login_write(li));
-}
-
-
-/*
- * login_logout(struct logininfo *) - Record a logout
- *
- * Call as with login_login()
- *
- * Returns:
- *  >0 if successful
- *  0  on failure (will use OpenSSH's logging facilities for diagnostics)
- */
-int
-login_logout(struct logininfo *li)
-{
-	li->type = LTYPE_LOGOUT;
-	return (login_write(li));
-}
-
-/*
- * login_get_lastlog_time(int) - Retrieve the last login time
- *
- * Retrieve the last login time for the given uid. Will try to use the
- * system lastlog facilities if they are available, but will fall back
- * to looking in wtmp/wtmpx if necessary
- *
- * Returns:
- *   0 on failure, or if user has never logged in
- *   Time in seconds from the epoch if successful
- *
- * Useful preprocessor symbols:
- *   DISABLE_LASTLOG: If set, *never* even try to retrieve lastlog
- *                    info
- *   USE_LASTLOG: If set, indicates the presence of system lastlog
- *                facilities. If this and DISABLE_LASTLOG are not set,
- *                try to retrieve lastlog information from wtmp/wtmpx.
- */
-unsigned int
-login_get_lastlog_time(const int uid)
-{
-	struct logininfo li;
-
-	if (login_get_lastlog(&li, uid))
-		return (li.tv_sec);
-	else
-		return (0);
-}
-
-/*
- * login_get_lastlog(struct logininfo *, int)   - Retrieve a lastlog entry
- *
- * Retrieve a logininfo structure populated (only partially) with
- * information from the system lastlog data, or from wtmp/wtmpx if no
- * system lastlog information exists.
- *
- * Note this routine must be given a pre-allocated logininfo.
- *
- * Returns:
- *  >0: A pointer to your struct logininfo if successful
- *  0  on failure (will use OpenSSH's logging facilities for diagnostics)
- */
-struct logininfo *
-login_get_lastlog(struct logininfo *li, const int uid)
-{
-	struct passwd *pw;
-
-	memset(li, '\0', sizeof(*li));
-	li->uid = uid;
-
-	/*
-	 * If we don't have a 'real' lastlog, we need the username to
-	 * reliably search wtmp(x) for the last login (see
-	 * wtmp_get_entry().)
-	 */
-	pw = getpwuid(uid);
-	if (pw == NULL)
-		fatal("%s: Cannot find account for uid %i", __func__, uid);
-
-	/* No MIN_SIZEOF here - we absolutely *must not* truncate the
-	 * username (XXX - so check for trunc!) */
-	strlcpy(li->username, pw->pw_name, sizeof(li->username));
-
-	if (getlast_entry(li))
-		return (li);
-	else
-		return (NULL);
-}
-
-
-/*
- * login_alloc_entry(int, char*, char*, char*)    - Allocate and initialise
- *                                                  a logininfo structure
- *
- * This function creates a new struct logininfo, a data structure
- * meant to carry the information required to portably record login info.
- *
- * Returns a pointer to a newly created struct logininfo. If memory
- * allocation fails, the program halts.
- */
-struct
-logininfo *login_alloc_entry(int pid, const char *username,
-    const char *hostname, const char *line)
-{
-	struct logininfo *newli;
-
-	newli = xmalloc(sizeof(*newli));
-	login_init_entry(newli, pid, username, hostname, line);
-	return (newli);
-}
-
-
-/* login_free_entry(struct logininfo *)    - free struct memory */
-void
-login_free_entry(struct logininfo *li)
-{
-	xfree(li);
-}
-
-
-/* login_init_entry(struct logininfo *, int, char*, char*, char*)
- *                                        - initialise a struct logininfo
- *
- * Populates a new struct logininfo, a data structure meant to carry
- * the information required to portably record login info.
- *
- * Returns: 1
- */
-int
-login_init_entry(struct logininfo *li, int pid, const char *username,
-    const char *hostname, const char *line)
-{
-	struct passwd *pw;
-
-	memset(li, 0, sizeof(*li));
-
-	li->pid = pid;
-
-	/* set the line information */
-	if (line)
-		line_fullname(li->line, line, sizeof(li->line));
-
-	if (username) {
-		strlcpy(li->username, username, sizeof(li->username));
-		pw = getpwnam(li->username);
-		if (pw == NULL) {
-			fatal("%s: Cannot find user \"%s\"", __func__,
-			    li->username);
-		}
-		li->uid = pw->pw_uid;
-	}
-
-	if (hostname)
-		strlcpy(li->hostname, hostname, sizeof(li->hostname));
-
-	return (1);
-}
-
-/*
- * login_set_current_time(struct logininfo *)    - set the current time
- *
- * Set the current time in a logininfo structure. This function is
- * meant to eliminate the need to deal with system dependencies for
- * time handling.
- */
-void
-login_set_current_time(struct logininfo *li)
-{
-	struct timeval tv;
-
-	gettimeofday(&tv, NULL);
-
-	li->tv_sec = tv.tv_sec;
-	li->tv_usec = tv.tv_usec;
-}
-
-/* copy a sockaddr_* into our logininfo */
-void
-login_set_addr(struct logininfo *li, const struct sockaddr *sa,
-    const unsigned int sa_size)
-{
-	unsigned int bufsize = sa_size;
-
-	/* make sure we don't overrun our union */
-	if (sizeof(li->hostaddr) < sa_size)
-		bufsize = sizeof(li->hostaddr);
-
-	memcpy(&li->hostaddr.sa, sa, bufsize);
-}
-
-
-/**
- ** login_write: Call low-level recording functions based on autoconf
- ** results
- **/
-int
-login_write(struct logininfo *li)
-{
-#ifndef HAVE_CYGWIN
-	if (geteuid() != 0) {
-		logit("Attempt to write login records by non-root user (aborting)");
-		return (1);
-	}
-#endif
-
-	/* set the timestamp */
-	login_set_current_time(li);
-#ifdef USE_LOGIN
-	syslogin_write_entry(li);
-#endif
-#ifdef USE_LASTLOG
-	if (li->type == LTYPE_LOGIN)
-		lastlog_write_entry(li);
-#endif
-#ifdef USE_UTMP
-	utmp_write_entry(li);
-#endif
-#ifdef USE_WTMP
-	wtmp_write_entry(li);
-#endif
-#ifdef USE_UTMPX
-	utmpx_write_entry(li);
-#endif
-#ifdef USE_WTMPX
-	wtmpx_write_entry(li);
-#endif
-#ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN
-	if (li->type == LTYPE_LOGIN &&
-	    !sys_auth_record_login(li->username,li->hostname,li->line,
-	    &loginmsg))
-		logit("Writing login record failed for %s", li->username);
-#endif
-#ifdef SSH_AUDIT_EVENTS
-	if (li->type == LTYPE_LOGIN)
-		audit_session_open(li->line);
-	else if (li->type == LTYPE_LOGOUT)
-		audit_session_close(li->line);
-#endif
-	return (0);
-}
-
-#ifdef LOGIN_NEEDS_UTMPX
-int
-login_utmp_only(struct logininfo *li)
-{
-	li->type = LTYPE_LOGIN;
-	login_set_current_time(li);
-# ifdef USE_UTMP
-	utmp_write_entry(li);
-# endif
-# ifdef USE_WTMP
-	wtmp_write_entry(li);
-# endif
-# ifdef USE_UTMPX
-	utmpx_write_entry(li);
-# endif
-# ifdef USE_WTMPX
-	wtmpx_write_entry(li);
-# endif
-	return (0);
-}
-#endif
-
-/**
- ** getlast_entry: Call low-level functions to retrieve the last login
- **                time.
- **/
-
-/* take the uid in li and return the last login time */
-int
-getlast_entry(struct logininfo *li)
-{
-#ifdef USE_LASTLOG
-	return(lastlog_get_entry(li));
-#else /* !USE_LASTLOG */
-
-#if defined(DISABLE_LASTLOG)
-	/* On some systems we shouldn't even try to obtain last login
-	 * time, e.g. AIX */
-	return (0);
-# elif defined(USE_WTMP) && \
-    (defined(HAVE_TIME_IN_UTMP) || defined(HAVE_TV_IN_UTMP))
-	/* retrieve last login time from utmp */
-	return (wtmp_get_entry(li));
-# elif defined(USE_WTMPX) && \
-    (defined(HAVE_TIME_IN_UTMPX) || defined(HAVE_TV_IN_UTMPX))
-	/* If wtmp isn't available, try wtmpx */
-	return (wtmpx_get_entry(li));
-# else
-	/* Give up: No means of retrieving last login time */
-	return (0);
-# endif /* DISABLE_LASTLOG */
-#endif /* USE_LASTLOG */
-}
-
-
-
-/*
- * 'line' string utility functions
- *
- * These functions process the 'line' string into one of three forms:
- *
- * 1. The full filename (including '/dev')
- * 2. The stripped name (excluding '/dev')
- * 3. The abbreviated name (e.g. /dev/ttyp00 -> yp00
- *                               /dev/pts/1  -> ts/1 )
- *
- * Form 3 is used on some systems to identify a .tmp.? entry when
- * attempting to remove it. Typically both addition and removal is
- * performed by one application - say, sshd - so as long as the choice
- * uniquely identifies a terminal it's ok.
- */
-
-
-/*
- * line_fullname(): add the leading '/dev/' if it doesn't exist make
- * sure dst has enough space, if not just copy src (ugh)
- */
-char *
-line_fullname(char *dst, const char *src, u_int dstsize)
-{
-	memset(dst, '\0', dstsize);
-	if ((strncmp(src, "/dev/", 5) == 0) || (dstsize < (strlen(src) + 5)))
-		strlcpy(dst, src, dstsize);
-	else {
-		strlcpy(dst, "/dev/", dstsize);
-		strlcat(dst, src, dstsize);
-	}
-	return (dst);
-}
-
-/* line_stripname(): strip the leading '/dev' if it exists, return dst */
-char *
-line_stripname(char *dst, const char *src, int dstsize)
-{
-	memset(dst, '\0', dstsize);
-	if (strncmp(src, "/dev/", 5) == 0)
-		strlcpy(dst, src + 5, dstsize);
-	else
-		strlcpy(dst, src, dstsize);
-	return (dst);
-}
-
-/*
- * line_abbrevname(): Return the abbreviated (usually four-character)
- * form of the line (Just use the last <dstsize> characters of the
- * full name.)
- *
- * NOTE: use strncpy because we do NOT necessarily want zero
- * termination
- */
-char *
-line_abbrevname(char *dst, const char *src, int dstsize)
-{
-	size_t len;
-
-	memset(dst, '\0', dstsize);
-
-	/* Always skip prefix if present */
-	if (strncmp(src, "/dev/", 5) == 0)
-		src += 5;
-
-#ifdef WITH_ABBREV_NO_TTY
-	if (strncmp(src, "tty", 3) == 0)
-		src += 3;
-#endif
-
-	len = strlen(src);
-
-	if (len > 0) {
-		if (((int)len - dstsize) > 0)
-			src +=  ((int)len - dstsize);
-
-		/* note: _don't_ change this to strlcpy */
-		strncpy(dst, src, (size_t)dstsize);
-	}
-
-	return (dst);
-}
-
-/**
- ** utmp utility functions
- **
- ** These functions manipulate struct utmp, taking system differences
- ** into account.
- **/
-
-#if defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN)
-
-/* build the utmp structure */
-void
-set_utmp_time(struct logininfo *li, struct utmp *ut)
-{
-# if defined(HAVE_TV_IN_UTMP)
-	ut->ut_tv.tv_sec = li->tv_sec;
-	ut->ut_tv.tv_usec = li->tv_usec;
-# elif defined(HAVE_TIME_IN_UTMP)
-	ut->ut_time = li->tv_sec;
-# endif
-}
-
-void
-construct_utmp(struct logininfo *li,
-		    struct utmp *ut)
-{
-# ifdef HAVE_ADDR_V6_IN_UTMP
-	struct sockaddr_in6 *sa6;
-# endif
-
-	memset(ut, '\0', sizeof(*ut));
-
-	/* First fill out fields used for both logins and logouts */
-
-# ifdef HAVE_ID_IN_UTMP
-	line_abbrevname(ut->ut_id, li->line, sizeof(ut->ut_id));
-# endif
-
-# ifdef HAVE_TYPE_IN_UTMP
-	/* This is done here to keep utmp constants out of struct logininfo */
-	switch (li->type) {
-	case LTYPE_LOGIN:
-		ut->ut_type = USER_PROCESS;
-#ifdef _UNICOS
-		cray_set_tmpdir(ut);
-#endif
-		break;
-	case LTYPE_LOGOUT:
-		ut->ut_type = DEAD_PROCESS;
-#ifdef _UNICOS
-		cray_retain_utmp(ut, li->pid);
-#endif
-		break;
-	}
-# endif
-	set_utmp_time(li, ut);
-
-	line_stripname(ut->ut_line, li->line, sizeof(ut->ut_line));
-
-# ifdef HAVE_PID_IN_UTMP
-	ut->ut_pid = li->pid;
-# endif
-
-	/* If we're logging out, leave all other fields blank */
-	if (li->type == LTYPE_LOGOUT)
-		return;
-
-	/*
-	 * These fields are only used when logging in, and are blank
-	 * for logouts.
-	 */
-
-	/* Use strncpy because we don't necessarily want null termination */
-	strncpy(ut->ut_name, li->username,
-	    MIN_SIZEOF(ut->ut_name, li->username));
-# ifdef HAVE_HOST_IN_UTMP
-	strncpy(ut->ut_host, li->hostname,
-	    MIN_SIZEOF(ut->ut_host, li->hostname));
-# endif
-# ifdef HAVE_ADDR_IN_UTMP
-	/* this is just a 32-bit IP address */
-	if (li->hostaddr.sa.sa_family == AF_INET)
-		ut->ut_addr = li->hostaddr.sa_in.sin_addr.s_addr;
-# endif
-# ifdef HAVE_ADDR_V6_IN_UTMP
-	/* this is just a 128-bit IPv6 address */
-	if (li->hostaddr.sa.sa_family == AF_INET6) {
-		sa6 = ((struct sockaddr_in6 *)&li->hostaddr.sa);
-		memcpy(ut->ut_addr_v6, sa6->sin6_addr.s6_addr, 16);
-		if (IN6_IS_ADDR_V4MAPPED(&sa6->sin6_addr)) {
-			ut->ut_addr_v6[0] = ut->ut_addr_v6[3];
-			ut->ut_addr_v6[1] = 0;
-			ut->ut_addr_v6[2] = 0;
-			ut->ut_addr_v6[3] = 0;
-		}
-	}
-# endif
-}
-#endif /* USE_UTMP || USE_WTMP || USE_LOGIN */
-
-/**
- ** utmpx utility functions
- **
- ** These functions manipulate struct utmpx, accounting for system
- ** variations.
- **/
-
-#if defined(USE_UTMPX) || defined (USE_WTMPX)
-/* build the utmpx structure */
-void
-set_utmpx_time(struct logininfo *li, struct utmpx *utx)
-{
-# if defined(HAVE_TV_IN_UTMPX)
-	utx->ut_tv.tv_sec = li->tv_sec;
-	utx->ut_tv.tv_usec = li->tv_usec;
-# elif defined(HAVE_TIME_IN_UTMPX)
-	utx->ut_time = li->tv_sec;
-# endif
-}
-
-void
-construct_utmpx(struct logininfo *li, struct utmpx *utx)
-{
-# ifdef HAVE_ADDR_V6_IN_UTMP
-	struct sockaddr_in6 *sa6;
-#  endif
-	memset(utx, '\0', sizeof(*utx));
-
-# ifdef HAVE_ID_IN_UTMPX
-	line_abbrevname(utx->ut_id, li->line, sizeof(utx->ut_id));
-# endif
-
-	/* this is done here to keep utmp constants out of loginrec.h */
-	switch (li->type) {
-	case LTYPE_LOGIN:
-		utx->ut_type = USER_PROCESS;
-		break;
-	case LTYPE_LOGOUT:
-		utx->ut_type = DEAD_PROCESS;
-		break;
-	}
-	line_stripname(utx->ut_line, li->line, sizeof(utx->ut_line));
-	set_utmpx_time(li, utx);
-	utx->ut_pid = li->pid;
-
-	/* strncpy(): Don't necessarily want null termination */
-	strncpy(utx->ut_name, li->username,
-	    MIN_SIZEOF(utx->ut_name, li->username));
-
-	if (li->type == LTYPE_LOGOUT)
-		return;
-
-	/*
-	 * These fields are only used when logging in, and are blank
-	 * for logouts.
-	 */
-
-# ifdef HAVE_HOST_IN_UTMPX
-	strncpy(utx->ut_host, li->hostname,
-	    MIN_SIZEOF(utx->ut_host, li->hostname));
-# endif
-# ifdef HAVE_ADDR_IN_UTMPX
-	/* this is just a 32-bit IP address */
-	if (li->hostaddr.sa.sa_family == AF_INET)
-		utx->ut_addr = li->hostaddr.sa_in.sin_addr.s_addr;
-# endif
-# ifdef HAVE_ADDR_V6_IN_UTMP
-	/* this is just a 128-bit IPv6 address */
-	if (li->hostaddr.sa.sa_family == AF_INET6) {
-		sa6 = ((struct sockaddr_in6 *)&li->hostaddr.sa);
-		memcpy(ut->ut_addr_v6, sa6->sin6_addr.s6_addr, 16);
-		if (IN6_IS_ADDR_V4MAPPED(&sa6->sin6_addr)) {
-			ut->ut_addr_v6[0] = ut->ut_addr_v6[3];
-			ut->ut_addr_v6[1] = 0;
-			ut->ut_addr_v6[2] = 0;
-			ut->ut_addr_v6[3] = 0;
-		}
-	}
-# endif
-# ifdef HAVE_SYSLEN_IN_UTMPX
-	/* ut_syslen is the length of the utx_host string */
-	utx->ut_syslen = MIN(strlen(li->hostname), sizeof(utx->ut_host));
-# endif
-}
-#endif /* USE_UTMPX || USE_WTMPX */
-
-/**
- ** Low-level utmp functions
- **/
-
-/* FIXME: (ATL) utmp_write_direct needs testing */
-#ifdef USE_UTMP
-
-/* if we can, use pututline() etc. */
-# if !defined(DISABLE_PUTUTLINE) && defined(HAVE_SETUTENT) && \
-	defined(HAVE_PUTUTLINE)
-#  define UTMP_USE_LIBRARY
-# endif
-
-
-/* write a utmp entry with the system's help (pututline() and pals) */
-# ifdef UTMP_USE_LIBRARY
-static int
-utmp_write_library(struct logininfo *li, struct utmp *ut)
-{
-	setutent();
-	pututline(ut);
-#  ifdef HAVE_ENDUTENT
-	endutent();
-#  endif
-	return (1);
-}
-# else /* UTMP_USE_LIBRARY */
-
-/*
- * Write a utmp entry direct to the file
- * This is a slightly modification of code in OpenBSD's login.c
- */
-static int
-utmp_write_direct(struct logininfo *li, struct utmp *ut)
-{
-	struct utmp old_ut;
-	register int fd;
-	int tty;
-
-	/* FIXME: (ATL) ttyslot() needs local implementation */
-
-#if defined(HAVE_GETTTYENT)
-	struct ttyent *ty;
-
-	tty=0;
-	setttyent();
-	while (NULL != (ty = getttyent())) {
-		tty++;
-		if (!strncmp(ty->ty_name, ut->ut_line, sizeof(ut->ut_line)))
-			break;
-	}
-	endttyent();
-
-	if (NULL == ty) {
-		logit("%s: tty not found", __func__);
-		return (0);
-	}
-#else /* FIXME */
-
-	tty = ttyslot(); /* seems only to work for /dev/ttyp? style names */
-
-#endif /* HAVE_GETTTYENT */
-
-	if (tty > 0 && (fd = open(UTMP_FILE, O_RDWR|O_CREAT, 0644)) >= 0) {
-		off_t pos, ret;
-
-		pos = (off_t)tty * sizeof(struct utmp);
-		if ((ret = lseek(fd, pos, SEEK_SET)) == -1) {
-			logit("%s: lseek: %s", __func__, strerror(errno));
-			return (0);
-		}
-		if (ret != pos) {
-			logit("%s: Couldn't seek to tty %d slot in %s",
-			    __func__, tty, UTMP_FILE);
-			return (0);
-		}
-		/*
-		 * Prevent luser from zero'ing out ut_host.
-		 * If the new ut_line is empty but the old one is not
-		 * and ut_line and ut_name match, preserve the old ut_line.
-		 */
-		if (atomicio(read, fd, &old_ut, sizeof(old_ut)) == sizeof(old_ut) &&
-		    (ut->ut_host[0] == '\0') && (old_ut.ut_host[0] != '\0') &&
-		    (strncmp(old_ut.ut_line, ut->ut_line, sizeof(ut->ut_line)) == 0) &&
-		    (strncmp(old_ut.ut_name, ut->ut_name, sizeof(ut->ut_name)) == 0))
-			memcpy(ut->ut_host, old_ut.ut_host, sizeof(ut->ut_host));
-
-		if ((ret = lseek(fd, pos, SEEK_SET)) == -1) {
-			logit("%s: lseek: %s", __func__, strerror(errno));
-			return (0);
-		}
-		if (ret != pos) {
-			logit("%s: Couldn't seek to tty %d slot in %s",
-			    __func__, tty, UTMP_FILE);
-			return (0);
-		}
-		if (atomicio(vwrite, fd, ut, sizeof(*ut)) != sizeof(*ut)) {
-			logit("%s: error writing %s: %s", __func__,
-			    UTMP_FILE, strerror(errno));
-		}
-
-		close(fd);
-		return (1);
-	} else {
-		return (0);
-	}
-}
-# endif /* UTMP_USE_LIBRARY */
-
-static int
-utmp_perform_login(struct logininfo *li)
-{
-	struct utmp ut;
-
-	construct_utmp(li, &ut);
-# ifdef UTMP_USE_LIBRARY
-	if (!utmp_write_library(li, &ut)) {
-		logit("%s: utmp_write_library() failed", __func__);
-		return (0);
-	}
-# else
-	if (!utmp_write_direct(li, &ut)) {
-		logit("%s: utmp_write_direct() failed", __func__);
-		return (0);
-	}
-# endif
-	return (1);
-}
-
-
-static int
-utmp_perform_logout(struct logininfo *li)
-{
-	struct utmp ut;
-
-	construct_utmp(li, &ut);
-# ifdef UTMP_USE_LIBRARY
-	if (!utmp_write_library(li, &ut)) {
-		logit("%s: utmp_write_library() failed", __func__);
-		return (0);
-	}
-# else
-	if (!utmp_write_direct(li, &ut)) {
-		logit("%s: utmp_write_direct() failed", __func__);
-		return (0);
-	}
-# endif
-	return (1);
-}
-
-
-int
-utmp_write_entry(struct logininfo *li)
-{
-	switch(li->type) {
-	case LTYPE_LOGIN:
-		return (utmp_perform_login(li));
-
-	case LTYPE_LOGOUT:
-		return (utmp_perform_logout(li));
-
-	default:
-		logit("%s: invalid type field", __func__);
-		return (0);
-	}
-}
-#endif /* USE_UTMP */
-
-
-/**
- ** Low-level utmpx functions
- **/
-
-/* not much point if we don't want utmpx entries */
-#ifdef USE_UTMPX
-
-/* if we have the wherewithall, use pututxline etc. */
-# if !defined(DISABLE_PUTUTXLINE) && defined(HAVE_SETUTXENT) && \
-	defined(HAVE_PUTUTXLINE)
-#  define UTMPX_USE_LIBRARY
-# endif
-
-
-/* write a utmpx entry with the system's help (pututxline() and pals) */
-# ifdef UTMPX_USE_LIBRARY
-static int
-utmpx_write_library(struct logininfo *li, struct utmpx *utx)
-{
-	setutxent();
-	pututxline(utx);
-
-#  ifdef HAVE_ENDUTXENT
-	endutxent();
-#  endif
-	return (1);
-}
-
-# else /* UTMPX_USE_LIBRARY */
-
-/* write a utmp entry direct to the file */
-static int
-utmpx_write_direct(struct logininfo *li, struct utmpx *utx)
-{
-	logit("%s: not implemented!", __func__);
-	return (0);
-}
-# endif /* UTMPX_USE_LIBRARY */
-
-static int
-utmpx_perform_login(struct logininfo *li)
-{
-	struct utmpx utx;
-
-	construct_utmpx(li, &utx);
-# ifdef UTMPX_USE_LIBRARY
-	if (!utmpx_write_library(li, &utx)) {
-		logit("%s: utmp_write_library() failed", __func__);
-		return (0);
-	}
-# else
-	if (!utmpx_write_direct(li, &ut)) {
-		logit("%s: utmp_write_direct() failed", __func__);
-		return (0);
-	}
-# endif
-	return (1);
-}
-
-
-static int
-utmpx_perform_logout(struct logininfo *li)
-{
-	struct utmpx utx;
-
-	construct_utmpx(li, &utx);
-# ifdef HAVE_ID_IN_UTMPX
-	line_abbrevname(utx.ut_id, li->line, sizeof(utx.ut_id));
-# endif
-# ifdef HAVE_TYPE_IN_UTMPX
-	utx.ut_type = DEAD_PROCESS;
-# endif
-
-# ifdef UTMPX_USE_LIBRARY
-	utmpx_write_library(li, &utx);
-# else
-	utmpx_write_direct(li, &utx);
-# endif
-	return (1);
-}
-
-int
-utmpx_write_entry(struct logininfo *li)
-{
-	switch(li->type) {
-	case LTYPE_LOGIN:
-		return (utmpx_perform_login(li));
-	case LTYPE_LOGOUT:
-		return (utmpx_perform_logout(li));
-	default:
-		logit("%s: invalid type field", __func__);
-		return (0);
-	}
-}
-#endif /* USE_UTMPX */
-
-
-/**
- ** Low-level wtmp functions
- **/
-
-#ifdef USE_WTMP
-
-/*
- * Write a wtmp entry direct to the end of the file
- * This is a slight modification of code in OpenBSD's logwtmp.c
- */
-static int
-wtmp_write(struct logininfo *li, struct utmp *ut)
-{
-	struct stat buf;
-	int fd, ret = 1;
-
-	if ((fd = open(WTMP_FILE, O_WRONLY|O_APPEND, 0)) < 0) {
-		logit("%s: problem writing %s: %s", __func__,
-		    WTMP_FILE, strerror(errno));
-		return (0);
-	}
-	if (fstat(fd, &buf) == 0)
-		if (atomicio(vwrite, fd, ut, sizeof(*ut)) != sizeof(*ut)) {
-			ftruncate(fd, buf.st_size);
-			logit("%s: problem writing %s: %s", __func__,
-			    WTMP_FILE, strerror(errno));
-			ret = 0;
-		}
-	close(fd);
-	return (ret);
-}
-
-static int
-wtmp_perform_login(struct logininfo *li)
-{
-	struct utmp ut;
-
-	construct_utmp(li, &ut);
-	return (wtmp_write(li, &ut));
-}
-
-
-static int
-wtmp_perform_logout(struct logininfo *li)
-{
-	struct utmp ut;
-
-	construct_utmp(li, &ut);
-	return (wtmp_write(li, &ut));
-}
-
-
-int
-wtmp_write_entry(struct logininfo *li)
-{
-	switch(li->type) {
-	case LTYPE_LOGIN:
-		return (wtmp_perform_login(li));
-	case LTYPE_LOGOUT:
-		return (wtmp_perform_logout(li));
-	default:
-		logit("%s: invalid type field", __func__);
-		return (0);
-	}
-}
-
-
-/*
- * Notes on fetching login data from wtmp/wtmpx
- *
- * Logouts are usually recorded with (amongst other things) a blank
- * username on a given tty line.  However, some systems (HP-UX is one)
- * leave all fields set, but change the ut_type field to DEAD_PROCESS.
- *
- * Since we're only looking for logins here, we know that the username
- * must be set correctly. On systems that leave it in, we check for
- * ut_type==USER_PROCESS (indicating a login.)
- *
- * Portability: Some systems may set something other than USER_PROCESS
- * to indicate a login process. I don't know of any as I write. Also,
- * it's possible that some systems may both leave the username in
- * place and not have ut_type.
- */
-
-/* return true if this wtmp entry indicates a login */
-static int
-wtmp_islogin(struct logininfo *li, struct utmp *ut)
-{
-	if (strncmp(li->username, ut->ut_name,
-	    MIN_SIZEOF(li->username, ut->ut_name)) == 0) {
-# ifdef HAVE_TYPE_IN_UTMP
-		if (ut->ut_type & USER_PROCESS)
-			return (1);
-# else
-		return (1);
-# endif
-	}
-	return (0);
-}
-
-int
-wtmp_get_entry(struct logininfo *li)
-{
-	struct stat st;
-	struct utmp ut;
-	int fd, found = 0;
-
-	/* Clear the time entries in our logininfo */
-	li->tv_sec = li->tv_usec = 0;
-
-	if ((fd = open(WTMP_FILE, O_RDONLY)) < 0) {
-		logit("%s: problem opening %s: %s", __func__,
-		    WTMP_FILE, strerror(errno));
-		return (0);
-	}
-	if (fstat(fd, &st) != 0) {
-		logit("%s: couldn't stat %s: %s", __func__,
-		    WTMP_FILE, strerror(errno));
-		close(fd);
-		return (0);
-	}
-
-	/* Seek to the start of the last struct utmp */
-	if (lseek(fd, -(off_t)sizeof(struct utmp), SEEK_END) == -1) {
-		/* Looks like we've got a fresh wtmp file */
-		close(fd);
-		return (0);
-	}
-
-	while (!found) {
-		if (atomicio(read, fd, &ut, sizeof(ut)) != sizeof(ut)) {
-			logit("%s: read of %s failed: %s", __func__,
-			    WTMP_FILE, strerror(errno));
-			close (fd);
-			return (0);
-		}
-		if ( wtmp_islogin(li, &ut) ) {
-			found = 1;
-			/*
-			 * We've already checked for a time in struct
-			 * utmp, in login_getlast()
-			 */
-# ifdef HAVE_TIME_IN_UTMP
-			li->tv_sec = ut.ut_time;
-# else
-#  if HAVE_TV_IN_UTMP
-			li->tv_sec = ut.ut_tv.tv_sec;
-#  endif
-# endif
-			line_fullname(li->line, ut.ut_line,
-			    MIN_SIZEOF(li->line, ut.ut_line));
-# ifdef HAVE_HOST_IN_UTMP
-			strlcpy(li->hostname, ut.ut_host,
-			    MIN_SIZEOF(li->hostname, ut.ut_host));
-# endif
-			continue;
-		}
-		/* Seek back 2 x struct utmp */
-		if (lseek(fd, -(off_t)(2 * sizeof(struct utmp)), SEEK_CUR) == -1) {
-			/* We've found the start of the file, so quit */
-			close(fd);
-			return (0);
-		}
-	}
-
-	/* We found an entry. Tidy up and return */
-	close(fd);
-	return (1);
-}
-# endif /* USE_WTMP */
-
-
-/**
- ** Low-level wtmpx functions
- **/
-
-#ifdef USE_WTMPX
-/*
- * Write a wtmpx entry direct to the end of the file
- * This is a slight modification of code in OpenBSD's logwtmp.c
- */
-static int
-wtmpx_write(struct logininfo *li, struct utmpx *utx)
-{
-#ifndef HAVE_UPDWTMPX
-	struct stat buf;
-	int fd, ret = 1;
-
-	if ((fd = open(WTMPX_FILE, O_WRONLY|O_APPEND, 0)) < 0) {
-		logit("%s: problem opening %s: %s", __func__,
-		    WTMPX_FILE, strerror(errno));
-		return (0);
-	}
-
-	if (fstat(fd, &buf) == 0)
-		if (atomicio(vwrite, fd, utx, sizeof(*utx)) != sizeof(*utx)) {
-			ftruncate(fd, buf.st_size);
-			logit("%s: problem writing %s: %s", __func__,
-			    WTMPX_FILE, strerror(errno));
-			ret = 0;
-		}
-	close(fd);
-
-	return (ret);
-#else
-	updwtmpx(WTMPX_FILE, utx);
-	return (1);
-#endif
-}
-
-
-static int
-wtmpx_perform_login(struct logininfo *li)
-{
-	struct utmpx utx;
-
-	construct_utmpx(li, &utx);
-	return (wtmpx_write(li, &utx));
-}
-
-
-static int
-wtmpx_perform_logout(struct logininfo *li)
-{
-	struct utmpx utx;
-
-	construct_utmpx(li, &utx);
-	return (wtmpx_write(li, &utx));
-}
-
-
-int
-wtmpx_write_entry(struct logininfo *li)
-{
-	switch(li->type) {
-	case LTYPE_LOGIN:
-		return (wtmpx_perform_login(li));
-	case LTYPE_LOGOUT:
-		return (wtmpx_perform_logout(li));
-	default:
-		logit("%s: invalid type field", __func__);
-		return (0);
-	}
-}
-
-/* Please see the notes above wtmp_islogin() for information about the
-   next two functions */
-
-/* Return true if this wtmpx entry indicates a login */
-static int
-wtmpx_islogin(struct logininfo *li, struct utmpx *utx)
-{
-	if (strncmp(li->username, utx->ut_name,
-	    MIN_SIZEOF(li->username, utx->ut_name)) == 0 ) {
-# ifdef HAVE_TYPE_IN_UTMPX
-		if (utx->ut_type == USER_PROCESS)
-			return (1);
-# else
-		return (1);
-# endif
-	}
-	return (0);
-}
-
-
-int
-wtmpx_get_entry(struct logininfo *li)
-{
-	struct stat st;
-	struct utmpx utx;
-	int fd, found=0;
-
-	/* Clear the time entries */
-	li->tv_sec = li->tv_usec = 0;
-
-	if ((fd = open(WTMPX_FILE, O_RDONLY)) < 0) {
-		logit("%s: problem opening %s: %s", __func__,
-		    WTMPX_FILE, strerror(errno));
-		return (0);
-	}
-	if (fstat(fd, &st) != 0) {
-		logit("%s: couldn't stat %s: %s", __func__,
-		    WTMPX_FILE, strerror(errno));
-		close(fd);
-		return (0);
-	}
-
-	/* Seek to the start of the last struct utmpx */
-	if (lseek(fd, -(off_t)sizeof(struct utmpx), SEEK_END) == -1 ) {
-		/* probably a newly rotated wtmpx file */
-		close(fd);
-		return (0);
-	}
-
-	while (!found) {
-		if (atomicio(read, fd, &utx, sizeof(utx)) != sizeof(utx)) {
-			logit("%s: read of %s failed: %s", __func__,
-			    WTMPX_FILE, strerror(errno));
-			close (fd);
-			return (0);
-		}
-		/*
-		 * Logouts are recorded as a blank username on a particular
-		 * line. So, we just need to find the username in struct utmpx
-		 */
-		if (wtmpx_islogin(li, &utx)) {
-			found = 1;
-# if defined(HAVE_TV_IN_UTMPX)
-			li->tv_sec = utx.ut_tv.tv_sec;
-# elif defined(HAVE_TIME_IN_UTMPX)
-			li->tv_sec = utx.ut_time;
-# endif
-			line_fullname(li->line, utx.ut_line, sizeof(li->line));
-# if defined(HAVE_HOST_IN_UTMPX)
-			strlcpy(li->hostname, utx.ut_host,
-			    MIN_SIZEOF(li->hostname, utx.ut_host));
-# endif
-			continue;
-		}
-		if (lseek(fd, -(off_t)(2 * sizeof(struct utmpx)), SEEK_CUR) == -1) {
-			close(fd);
-			return (0);
-		}
-	}
-
-	close(fd);
-	return (1);
-}
-#endif /* USE_WTMPX */
-
-/**
- ** Low-level libutil login() functions
- **/
-
-#ifdef USE_LOGIN
-static int
-syslogin_perform_login(struct logininfo *li)
-{
-	struct utmp *ut;
-
-	ut = xmalloc(sizeof(*ut));
-	construct_utmp(li, ut);
-	login(ut);
-	free(ut);
-
-	return (1);
-}
-
-static int
-syslogin_perform_logout(struct logininfo *li)
-{
-# ifdef HAVE_LOGOUT
-	char line[UT_LINESIZE];
-
-	(void)line_stripname(line, li->line, sizeof(line));
-
-	if (!logout(line))
-		logit("%s: logout() returned an error", __func__);
-#  ifdef HAVE_LOGWTMP
-	else
-		logwtmp(line, "", "");
-#  endif
-	/* FIXME: (ATL - if the need arises) What to do if we have
-	 * login, but no logout?  what if logout but no logwtmp? All
-	 * routines are in libutil so they should all be there,
-	 * but... */
-# endif
-	return (1);
-}
-
-int
-syslogin_write_entry(struct logininfo *li)
-{
-	switch (li->type) {
-	case LTYPE_LOGIN:
-		return (syslogin_perform_login(li));
-	case LTYPE_LOGOUT:
-		return (syslogin_perform_logout(li));
-	default:
-		logit("%s: Invalid type field", __func__);
-		return (0);
-	}
-}
-#endif /* USE_LOGIN */
-
-/* end of file log-syslogin.c */
-
-/**
- ** Low-level lastlog functions
- **/
-
-#ifdef USE_LASTLOG
-#define LL_FILE 1
-#define LL_DIR 2
-#define LL_OTHER 3
-
-static void
-lastlog_construct(struct logininfo *li, struct lastlog *last)
-{
-	/* clear the structure */
-	memset(last, '\0', sizeof(*last));
-
-	line_stripname(last->ll_line, li->line, sizeof(last->ll_line));
-	strlcpy(last->ll_host, li->hostname,
-		MIN_SIZEOF(last->ll_host, li->hostname));
-	last->ll_time = li->tv_sec;
-}
-
-static int
-lastlog_filetype(char *filename)
-{
-	struct stat st;
-
-	if (stat(LASTLOG_FILE, &st) != 0) {
-		logit("%s: Couldn't stat %s: %s", __func__,
-		    LASTLOG_FILE, strerror(errno));
-		return (0);
-	}
-	if (S_ISDIR(st.st_mode))
-		return (LL_DIR);
-	else if (S_ISREG(st.st_mode))
-		return (LL_FILE);
-	else
-		return (LL_OTHER);
-}
-
-
-/* open the file (using filemode) and seek to the login entry */
-static int
-lastlog_openseek(struct logininfo *li, int *fd, int filemode)
-{
-	off_t offset;
-	int type;
-	char lastlog_file[1024];
-
-	type = lastlog_filetype(LASTLOG_FILE);
-	switch (type) {
-	case LL_FILE:
-		strlcpy(lastlog_file, LASTLOG_FILE,
-		    sizeof(lastlog_file));
-		break;
-	case LL_DIR:
-		snprintf(lastlog_file, sizeof(lastlog_file), "%s/%s",
-		    LASTLOG_FILE, li->username);
-		break;
-	default:
-		logit("%s: %.100s is not a file or directory!", __func__,
-		    LASTLOG_FILE);
-		return (0);
-	}
-
-	*fd = open(lastlog_file, filemode, 0600);
-	if (*fd < 0) {
-		debug("%s: Couldn't open %s: %s", __func__,
-		    lastlog_file, strerror(errno));
-		return (0);
-	}
-
-	if (type == LL_FILE) {
-		/* find this uid's offset in the lastlog file */
-		offset = (off_t) ((long)li->uid * sizeof(struct lastlog));
-
-		if (lseek(*fd, offset, SEEK_SET) != offset) {
-			logit("%s: %s->lseek(): %s", __func__,
-			    lastlog_file, strerror(errno));
-			return (0);
-		}
-	}
-
-	return (1);
-}
-
-static int
-lastlog_perform_login(struct logininfo *li)
-{
-	struct lastlog last;
-	int fd;
-
-	/* create our struct lastlog */
-	lastlog_construct(li, &last);
-
-	if (!lastlog_openseek(li, &fd, O_RDWR|O_CREAT))
-		return (0);
-
-	/* write the entry */
-	if (atomicio(vwrite, fd, &last, sizeof(last)) != sizeof(last)) {
-		close(fd);
-		logit("%s: Error writing to %s: %s", __func__,
-		    LASTLOG_FILE, strerror(errno));
-		return (0);
-	}
-
-	close(fd);
-	return (1);
-}
-
-int
-lastlog_write_entry(struct logininfo *li)
-{
-	switch(li->type) {
-	case LTYPE_LOGIN:
-		return (lastlog_perform_login(li));
-	default:
-		logit("%s: Invalid type field", __func__);
-		return (0);
-	}
-}
-
-static void
-lastlog_populate_entry(struct logininfo *li, struct lastlog *last)
-{
-	line_fullname(li->line, last->ll_line, sizeof(li->line));
-	strlcpy(li->hostname, last->ll_host,
-	    MIN_SIZEOF(li->hostname, last->ll_host));
-	li->tv_sec = last->ll_time;
-}
-
-int
-lastlog_get_entry(struct logininfo *li)
-{
-	struct lastlog last;
-	int fd, ret;
-
-	if (!lastlog_openseek(li, &fd, O_RDONLY))
-		return (0);
-
-	ret = atomicio(read, fd, &last, sizeof(last));
-	close(fd);
-
-	switch (ret) {
-	case 0:
-		memset(&last, '\0', sizeof(last));
-		/* FALLTHRU */
-	case sizeof(last):
-		lastlog_populate_entry(li, &last);
-		return (1);
-	case -1:
-		error("%s: Error reading from %s: %s", __func__,
-		    LASTLOG_FILE, strerror(errno));
-		return (0);
-	default:
-		error("%s: Error reading from %s: Expecting %d, got %d",
-		    __func__, LASTLOG_FILE, (int)sizeof(last), ret);
-		return (0);
-	}
-
-	/* NOTREACHED */
-	return (0);
-}
-#endif /* USE_LASTLOG */
-
-#ifdef USE_BTMP
-  /*
-   * Logs failed login attempts in _PATH_BTMP if that exists.
-   * The most common login failure is to give password instead of username.
-   * So the _PATH_BTMP file checked for the correct permission, so that
-   * only root can read it.
-   */
-
-void
-record_failed_login(const char *username, const char *hostname,
-    const char *ttyn)
-{
-	int fd;
-	struct utmp ut;
-	struct sockaddr_storage from;
-	socklen_t fromlen = sizeof(from);
-	struct sockaddr_in *a4;
-	struct sockaddr_in6 *a6;
-	time_t t;
-	struct stat fst;
-
-	if (geteuid() != 0)
-		return;
-	if ((fd = open(_PATH_BTMP, O_WRONLY | O_APPEND)) < 0) {
-		debug("Unable to open the btmp file %s: %s", _PATH_BTMP,
-		    strerror(errno));
-		return;
-	}
-	if (fstat(fd, &fst) < 0) {
-		logit("%s: fstat of %s failed: %s", __func__, _PATH_BTMP,
-		    strerror(errno));
-		goto out;
-	}
-	if((fst.st_mode & (S_IRWXG | S_IRWXO)) || (fst.st_uid != 0)){
-		logit("Excess permission or bad ownership on file %s",
-		    _PATH_BTMP);
-		goto out;
-	}
-
-	memset(&ut, 0, sizeof(ut));
-	/* strncpy because we don't necessarily want nul termination */
-	strncpy(ut.ut_user, username, sizeof(ut.ut_user));
-	strlcpy(ut.ut_line, "ssh:notty", sizeof(ut.ut_line));
-
-	time(&t);
-	ut.ut_time = t;     /* ut_time is not always a time_t */
-	ut.ut_type = LOGIN_PROCESS;
-	ut.ut_pid = getpid();
-
-	/* strncpy because we don't necessarily want nul termination */
-	strncpy(ut.ut_host, hostname, sizeof(ut.ut_host));
-
-	if (packet_connection_is_on_socket() &&
-	    getpeername(packet_get_connection_in(),
-	    (struct sockaddr *)&from, &fromlen) == 0) {
-		ipv64_normalise_mapped(&from, &fromlen);
-		if (from.ss_family == AF_INET) {
-			a4 = (struct sockaddr_in *)&from;
-			memcpy(&ut.ut_addr, &(a4->sin_addr),
-			    MIN_SIZEOF(ut.ut_addr, a4->sin_addr));
-		}
-#ifdef HAVE_ADDR_V6_IN_UTMP
-		if (from.ss_family == AF_INET6) {
-			a6 = (struct sockaddr_in6 *)&from;
-			memcpy(&ut.ut_addr_v6, &(a6->sin6_addr),
-			    MIN_SIZEOF(ut.ut_addr_v6, a6->sin6_addr));
-		}
-#endif
-	}
-
-	if (atomicio(vwrite, fd, &ut, sizeof(ut)) != sizeof(ut))
-		error("Failed to write to %s: %s", _PATH_BTMP,
-		    strerror(errno));
-
-out:
-	close(fd);
-}
-#endif	/* USE_BTMP */
diff --git a/crypto/openssh/loginrec.h b/crypto/openssh/loginrec.h
deleted file mode 100644
index 859e1a6..0000000
--- a/crypto/openssh/loginrec.h
+++ /dev/null
@@ -1,131 +0,0 @@
-#ifndef _HAVE_LOGINREC_H_
-#define _HAVE_LOGINREC_H_
-
-/*
- * Copyright (c) 2000 Andre Lucas.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/**
- ** loginrec.h:  platform-independent login recording and lastlog retrieval
- **/
-
-#include "includes.h"
-
-/**
- ** you should use the login_* calls to work around platform dependencies
- **/
-
-/*
- * login_netinfo structure
- */
-
-union login_netinfo {
-	struct sockaddr sa;
-	struct sockaddr_in sa_in;
-	struct sockaddr_storage sa_storage;
-};
-
-/*
- *   * logininfo structure  *
- */
-/* types - different to utmp.h 'type' macros */
-/* (though set to the same value as linux, openbsd and others...) */
-#define LTYPE_LOGIN    7
-#define LTYPE_LOGOUT   8
-
-/* string lengths - set very long */
-#define LINFO_PROGSIZE 64
-#define LINFO_LINESIZE 64
-#define LINFO_NAMESIZE 128
-#define LINFO_HOSTSIZE 256
-
-struct logininfo {
-	char       progname[LINFO_PROGSIZE];     /* name of program (for PAM) */
-	int        progname_null;
-	short int  type;                         /* type of login (LTYPE_*) */
-	int        pid;                          /* PID of login process */
-	int        uid;                          /* UID of this user */
-	char       line[LINFO_LINESIZE];         /* tty/pty name */
-	char       username[LINFO_NAMESIZE];     /* login username */
-	char       hostname[LINFO_HOSTSIZE];     /* remote hostname */
-	/* 'exit_status' structure components */
-	int        exit;                        /* process exit status */
-	int        termination;                 /* process termination status */
-	/* struct timeval (sys/time.h) isn't always available, if it isn't we'll
-	 * use time_t's value as tv_sec and set tv_usec to 0
-	 */
-	unsigned int tv_sec;
-	unsigned int tv_usec;
-	union login_netinfo hostaddr;       /* caller's host address(es) */
-}; /* struct logininfo */
-
-/*
- * login recording functions
- */
-
-/** 'public' functions */
-
-/* construct a new login entry */
-struct logininfo *login_alloc_entry(int pid, const char *username,
-				    const char *hostname, const char *line);
-/* free a structure */
-void login_free_entry(struct logininfo *li);
-/* fill out a pre-allocated structure with useful information */
-int login_init_entry(struct logininfo *li, int pid, const char *username,
-		     const char *hostname, const char *line);
-/* place the current time in a logininfo struct */
-void login_set_current_time(struct logininfo *li);
-
-/* record the entry */
-int login_login (struct logininfo *li);
-int login_logout(struct logininfo *li);
-#ifdef LOGIN_NEEDS_UTMPX
-int login_utmp_only(struct logininfo *li);
-#endif
-
-/** End of public functions */
-
-/* record the entry */
-int login_write (struct logininfo *li);
-int login_log_entry(struct logininfo *li);
-
-/* set the network address based on network address type */
-void login_set_addr(struct logininfo *li, const struct sockaddr *sa,
-		    const unsigned int sa_size);
-
-/*
- * lastlog retrieval functions
- */
-/* lastlog *entry* functions fill out a logininfo */
-struct logininfo *login_get_lastlog(struct logininfo *li, const int uid);
-/* lastlog *time* functions return time_t equivalent (uint) */
-unsigned int login_get_lastlog_time(const int uid);
-
-/* produce various forms of the line filename */
-char *line_fullname(char *dst, const char *src, u_int dstsize);
-char *line_stripname(char *dst, const char *src, int dstsize);
-char *line_abbrevname(char *dst, const char *src, int dstsize);
-
-void record_failed_login(const char *, const char *, const char *);
-
-#endif /* _HAVE_LOGINREC_H_ */
diff --git a/crypto/openssh/logintest.c b/crypto/openssh/logintest.c
deleted file mode 100644
index 7e9fbbf..0000000
--- a/crypto/openssh/logintest.c
+++ /dev/null
@@ -1,308 +0,0 @@
-/*
- * Copyright (c) 2000 Andre Lucas.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/**
- ** logintest.c:  simple test driver for platform-independent login recording
- **               and lastlog retrieval
- **/
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/wait.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-
-#include <unistd.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <pwd.h>
-#include <netdb.h>
-#ifdef HAVE_TIME_H
-#include <time.h>
-#endif
-
-#include "loginrec.h"
-
-extern char *__progname;
-
-#define PAUSE_BEFORE_LOGOUT 3
-
-int nologtest = 0;
-int compile_opts_only = 0;
-int be_verbose = 0;
-
-
-/* Dump a logininfo to stdout. Assumes a tab size of 8 chars. */
-void
-dump_logininfo(struct logininfo *li, char *descname)
-{
-	/* yes I know how nasty this is */
-	printf("struct logininfo %s = {\n\t"
-	       "progname\t'%s'\n\ttype\t\t%d\n\t"
-	       "pid\t\t%d\n\tuid\t\t%d\n\t"
-	       "line\t\t'%s'\n\tusername\t'%s'\n\t"
-	       "hostname\t'%s'\n\texit\t\t%d\n\ttermination\t%d\n\t"
-	       "tv_sec\t%d\n\ttv_usec\t%d\n\t"
-	       "struct login_netinfo hostaddr {\n\t\t"
-	       "struct sockaddr sa {\n"
-	       "\t\t\tfamily\t%d\n\t\t}\n"
-	       "\t}\n"
-	       "}\n",
-	       descname, li->progname, li->type,
-	       li->pid, li->uid, li->line,
-	       li->username, li->hostname, li->exit,
-	       li->termination, li->tv_sec, li->tv_usec,
-	       li->hostaddr.sa.sa_family);
-}
-
-
-int
-testAPI()
-{
-	struct logininfo *li1;
-	struct passwd *pw;
-	struct hostent *he;
-	struct sockaddr_in sa_in4;
-	char cmdstring[256], stripline[8];
-	char username[32];
-#ifdef HAVE_TIME_H
-	time_t t0, t1, t2, logintime, logouttime;
-	char s_t0[64],s_t1[64],s_t2[64];
-	char s_logintime[64], s_logouttime[64]; /* ctime() strings */
-#endif
-
-	printf("**\n** Testing the API...\n**\n");
-
-	pw = getpwuid(getuid());
-	strlcpy(username, pw->pw_name, sizeof(username));
-
-	/* gethostname(hostname, sizeof(hostname)); */
-
-	printf("login_alloc_entry test (no host info):\n");
-
-	/* FIXME fake tty more effectively - this could upset some platforms */
-	li1 = login_alloc_entry((int)getpid(), username, NULL, ttyname(0));
-	strlcpy(li1->progname, "OpenSSH-logintest", sizeof(li1->progname));
-
-	if (be_verbose)
-		dump_logininfo(li1, "li1");
-
-	printf("Setting host address info for 'localhost' (may call out):\n");
-	if (! (he = gethostbyname("localhost"))) {
-		printf("Couldn't set hostname(lookup failed)\n");
-	} else {
-		/* NOTE: this is messy, but typically a program wouldn't have to set
-		 *  any of this, a sockaddr_in* would be already prepared */
-		memcpy((void *)&(sa_in4.sin_addr), (void *)&(he->h_addr_list[0][0]),
-		       sizeof(struct in_addr));
-		login_set_addr(li1, (struct sockaddr *) &sa_in4, sizeof(sa_in4));
-		strlcpy(li1->hostname, "localhost", sizeof(li1->hostname));
-	}
-	if (be_verbose)
-		dump_logininfo(li1, "li1");
-
-	if ((int)geteuid() != 0) {
-		printf("NOT RUNNING LOGIN TESTS - you are not root!\n");
-		return 1;
-	}
-
-	if (nologtest)
-		return 1;
-
-	line_stripname(stripline, li1->line, sizeof(stripline));
-
-	printf("Performing an invalid login attempt (no type field)\n--\n");
-	login_write(li1);
-	printf("--\n(Should have written errors to stderr)\n");
-
-#ifdef HAVE_TIME_H
-	(void)time(&t0);
-	strlcpy(s_t0, ctime(&t0), sizeof(s_t0));
-	t1 = login_get_lastlog_time(getuid());
-	strlcpy(s_t1, ctime(&t1), sizeof(s_t1));
-	printf("Before logging in:\n\tcurrent time is %d - %s\t"
-	       "lastlog time is %d - %s\n",
-	       (int)t0, s_t0, (int)t1, s_t1);
-#endif
-
-	printf("Performing a login on line %s ", stripline);
-#ifdef HAVE_TIME_H
-	(void)time(&logintime);
-	strlcpy(s_logintime, ctime(&logintime), sizeof(s_logintime));
-	printf("at %d - %s", (int)logintime, s_logintime);
-#endif
-	printf("--\n");
-	login_login(li1);
-
-	snprintf(cmdstring, sizeof(cmdstring), "who | grep '%s '",
-		 stripline);
-	system(cmdstring);
-
-	printf("--\nPausing for %d second(s)...\n", PAUSE_BEFORE_LOGOUT);
-	sleep(PAUSE_BEFORE_LOGOUT);
-
-	printf("Performing a logout ");
-#ifdef HAVE_TIME_H
-	(void)time(&logouttime);
-	strlcpy(s_logouttime, ctime(&logouttime), sizeof(s_logouttime));
-	printf("at %d - %s", (int)logouttime, s_logouttime);
-#endif
-	printf("\nThe root login shown above should be gone.\n"
-	       "If the root login hasn't gone, but another user on the same\n"
-	       "pty has, this is OK - we're hacking it here, and there\n"
-	       "shouldn't be two users on one pty in reality...\n"
-	       "-- ('who' output follows)\n");
-	login_logout(li1);
-
-	system(cmdstring);
-	printf("-- ('who' output ends)\n");
-
-#ifdef HAVE_TIME_H
-	t2 = login_get_lastlog_time(getuid());
-	strlcpy(s_t2, ctime(&t2), sizeof(s_t2));
-	printf("After logging in, lastlog time is %d - %s\n", (int)t2, s_t2);
-	if (t1 == t2)
-		printf("The lastlog times before and after logging in are the "
-		       "same.\nThis indicates that lastlog is ** NOT WORKING "
-		       "CORRECTLY **\n");
-	else if (t0 != t2)
-		/* We can be off by a second or so, even when recording works fine.
-		 * I'm not 100% sure why, but it's true. */
-		printf("** The login time and the lastlog time differ.\n"
-		       "** This indicates that lastlog is either recording the "
-		       "wrong time,\n** or retrieving the wrong entry.\n"
-		       "If it's off by less than %d second(s) "
-		       "run the test again.\n", PAUSE_BEFORE_LOGOUT);
-	else
-		printf("lastlog agrees with the login time. This is a good thing.\n");
-
-#endif
-
-	printf("--\nThe output of 'last' shown next should have "
-	       "an entry for root \n  on %s for the time shown above:\n--\n",
-	       stripline);
-	snprintf(cmdstring, sizeof(cmdstring), "last | grep '%s ' | head -3",
-		 stripline);
-	system(cmdstring);
-
-	printf("--\nEnd of login test.\n");
-
-	login_free_entry(li1);
-
-	return 1;
-} /* testAPI() */
-
-
-void
-testLineName(char *line)
-{
-	/* have to null-terminate - these functions are designed for
-	 * structures with fixed-length char arrays, and don't null-term.*/
-	char full[17], strip[9], abbrev[5];
-
-	memset(full, '\0', sizeof(full));
-	memset(strip, '\0', sizeof(strip));
-	memset(abbrev, '\0', sizeof(abbrev));
-
-	line_fullname(full, line, sizeof(full)-1);
-	line_stripname(strip, full, sizeof(strip)-1);
-	line_abbrevname(abbrev, full, sizeof(abbrev)-1);
-	printf("%s: %s, %s, %s\n", line, full, strip, abbrev);
-
-} /* testLineName() */
-
-
-int
-testOutput()
-{
-	printf("**\n** Testing linename functions\n**\n");
-	testLineName("/dev/pts/1");
-	testLineName("pts/1");
-	testLineName("pts/999");
-	testLineName("/dev/ttyp00");
-	testLineName("ttyp00");
-
-	return 1;
-} /* testOutput() */
-
-
-/* show which options got compiled in */
-void
-showOptions(void)
-{
-	printf("**\n** Compile-time options\n**\n");
-
-	printf("login recording methods selected:\n");
-#ifdef USE_LOGIN
-	printf("\tUSE_LOGIN\n");
-#endif
-#ifdef USE_UTMP
-	printf("\tUSE_UTMP (UTMP_FILE=%s)\n", UTMP_FILE);
-#endif
-#ifdef USE_UTMPX
-	printf("\tUSE_UTMPX (UTMPX_FILE=%s)\n", UTMPX_FILE);
-#endif
-#ifdef USE_WTMP
-	printf("\tUSE_WTMP (WTMP_FILE=%s)\n", WTMP_FILE);
-#endif
-#ifdef USE_WTMPX
-	printf("\tUSE_WTMPX (WTMPX_FILE=%s)\n", WTMPX_FILE);
-#endif
-#ifdef USE_LASTLOG
-	printf("\tUSE_LASTLOG (LASTLOG_FILE=%s)\n", LASTLOG_FILE);
-#endif
-	printf("\n");
-
-} /* showOptions() */
-
-
-int
-main(int argc, char *argv[])
-{
-	printf("Platform-independent login recording test driver\n");
-
-	__progname = ssh_get_progname(argv[0]);
-	if (argc == 2) {
-		if (strncmp(argv[1], "-i", 3) == 0)
-			compile_opts_only = 1;
-		else if (strncmp(argv[1], "-v", 3) == 0)
-			be_verbose=1;
-	}
-
-	if (!compile_opts_only) {
-		if (be_verbose && !testOutput())
-			return 1;
-
-		if (!testAPI())
-			return 1;
-	}
-
-	showOptions();
-
-	return 0;
-} /* main() */
-
diff --git a/crypto/openssh/mac.c b/crypto/openssh/mac.c
deleted file mode 100644
index e5d5bfa..0000000
--- a/crypto/openssh/mac.c
+++ /dev/null
@@ -1,125 +0,0 @@
-/* $OpenBSD: mac.c,v 1.12 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <openssl/hmac.h>
-
-#include <stdarg.h>
-#include <string.h>
-#include <signal.h>
-
-#include "xmalloc.h"
-#include "log.h"
-#include "cipher.h"
-#include "buffer.h"
-#include "key.h"
-#include "kex.h"
-#include "mac.h"
-#include "misc.h"
-
-struct {
-	char		*name;
-	const EVP_MD *	(*mdfunc)(void);
-	int		truncatebits;	/* truncate digest if != 0 */
-} macs[] = {
-	{ "hmac-sha1",			EVP_sha1, 0, },
-	{ "hmac-sha1-96",		EVP_sha1, 96 },
-	{ "hmac-md5",			EVP_md5, 0 },
-	{ "hmac-md5-96",		EVP_md5, 96 },
-	{ "hmac-ripemd160",		EVP_ripemd160, 0 },
-	{ "hmac-ripemd160@openssh.com",	EVP_ripemd160, 0 },
-	{ NULL,				NULL, 0 }
-};
-
-int
-mac_init(Mac *mac, char *name)
-{
-	int i, evp_len;
-
-	for (i = 0; macs[i].name; i++) {
-		if (strcmp(name, macs[i].name) == 0) {
-			if (mac != NULL) {
-				mac->md = (*macs[i].mdfunc)();
-				if ((evp_len = EVP_MD_size(mac->md)) <= 0)
-					fatal("mac %s len %d", name, evp_len);
-				mac->key_len = mac->mac_len = (u_int)evp_len;
-				if (macs[i].truncatebits != 0)
-					mac->mac_len = macs[i].truncatebits/8;
-			}
-			debug2("mac_init: found %s", name);
-			return (0);
-		}
-	}
-	debug2("mac_init: unknown %s", name);
-	return (-1);
-}
-
-u_char *
-mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
-{
-	HMAC_CTX c;
-	static u_char m[EVP_MAX_MD_SIZE];
-	u_char b[4];
-
-	if (mac->key == NULL)
-		fatal("mac_compute: no key");
-	if (mac->mac_len > sizeof(m))
-		fatal("mac_compute: mac too long");
-	HMAC_Init(&c, mac->key, mac->key_len, mac->md);
-	put_u32(b, seqno);
-	HMAC_Update(&c, b, sizeof(b));
-	HMAC_Update(&c, data, datalen);
-	HMAC_Final(&c, m, NULL);
-	HMAC_cleanup(&c);
-	return (m);
-}
-
-/* XXX copied from ciphers_valid */
-#define	MAC_SEP	","
-int
-mac_valid(const char *names)
-{
-	char *maclist, *cp, *p;
-
-	if (names == NULL || strcmp(names, "") == 0)
-		return (0);
-	maclist = cp = xstrdup(names);
-	for ((p = strsep(&cp, MAC_SEP)); p && *p != '\0';
-	    (p = strsep(&cp, MAC_SEP))) {
-		if (mac_init(NULL, p) < 0) {
-			debug("bad mac %s [%s]", p, names);
-			xfree(maclist);
-			return (0);
-		} else {
-			debug3("mac ok: %s [%s]", p, names);
-		}
-	}
-	debug3("macs ok: [%s]", names);
-	xfree(maclist);
-	return (1);
-}
diff --git a/crypto/openssh/mac.h b/crypto/openssh/mac.h
deleted file mode 100644
index 960cc5c..0000000
--- a/crypto/openssh/mac.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/* $OpenBSD: mac.h,v 1.4 2006/03/25 22:22:43 djm Exp $ */
-/*
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-int	 mac_valid(const char *);
-int	 mac_init(Mac *, char *);
-u_char	*mac_compute(Mac *, u_int32_t, u_char *, int);
diff --git a/crypto/openssh/match.c b/crypto/openssh/match.c
deleted file mode 100644
index e3c9930..0000000
--- a/crypto/openssh/match.c
+++ /dev/null
@@ -1,274 +0,0 @@
-/* $OpenBSD: match.c,v 1.26 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Simple pattern matching, with '*' and '?' as wildcards.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <ctype.h>
-#include <string.h>
-
-#include "xmalloc.h"
-#include "match.h"
-
-/*
- * Returns true if the given string matches the pattern (which may contain ?
- * and * as wildcards), and zero if it does not match.
- */
-
-int
-match_pattern(const char *s, const char *pattern)
-{
-	for (;;) {
-		/* If at end of pattern, accept if also at end of string. */
-		if (!*pattern)
-			return !*s;
-
-		if (*pattern == '*') {
-			/* Skip the asterisk. */
-			pattern++;
-
-			/* If at end of pattern, accept immediately. */
-			if (!*pattern)
-				return 1;
-
-			/* If next character in pattern is known, optimize. */
-			if (*pattern != '?' && *pattern != '*') {
-				/*
-				 * Look instances of the next character in
-				 * pattern, and try to match starting from
-				 * those.
-				 */
-				for (; *s; s++)
-					if (*s == *pattern &&
-					    match_pattern(s + 1, pattern + 1))
-						return 1;
-				/* Failed. */
-				return 0;
-			}
-			/*
-			 * Move ahead one character at a time and try to
-			 * match at each position.
-			 */
-			for (; *s; s++)
-				if (match_pattern(s, pattern))
-					return 1;
-			/* Failed. */
-			return 0;
-		}
-		/*
-		 * There must be at least one more character in the string.
-		 * If we are at the end, fail.
-		 */
-		if (!*s)
-			return 0;
-
-		/* Check if the next character of the string is acceptable. */
-		if (*pattern != '?' && *pattern != *s)
-			return 0;
-
-		/* Move to the next character, both in string and in pattern. */
-		s++;
-		pattern++;
-	}
-	/* NOTREACHED */
-}
-
-/*
- * Tries to match the string against the
- * comma-separated sequence of subpatterns (each possibly preceded by ! to
- * indicate negation).  Returns -1 if negation matches, 1 if there is
- * a positive match, 0 if there is no match at all.
- */
-
-int
-match_pattern_list(const char *string, const char *pattern, u_int len,
-    int dolower)
-{
-	char sub[1024];
-	int negated;
-	int got_positive;
-	u_int i, subi;
-
-	got_positive = 0;
-	for (i = 0; i < len;) {
-		/* Check if the subpattern is negated. */
-		if (pattern[i] == '!') {
-			negated = 1;
-			i++;
-		} else
-			negated = 0;
-
-		/*
-		 * Extract the subpattern up to a comma or end.  Convert the
-		 * subpattern to lowercase.
-		 */
-		for (subi = 0;
-		    i < len && subi < sizeof(sub) - 1 && pattern[i] != ',';
-		    subi++, i++)
-			sub[subi] = dolower && isupper(pattern[i]) ?
-			    (char)tolower(pattern[i]) : pattern[i];
-		/* If subpattern too long, return failure (no match). */
-		if (subi >= sizeof(sub) - 1)
-			return 0;
-
-		/* If the subpattern was terminated by a comma, skip the comma. */
-		if (i < len && pattern[i] == ',')
-			i++;
-
-		/* Null-terminate the subpattern. */
-		sub[subi] = '\0';
-
-		/* Try to match the subpattern against the string. */
-		if (match_pattern(string, sub)) {
-			if (negated)
-				return -1;		/* Negative */
-			else
-				got_positive = 1;	/* Positive */
-		}
-	}
-
-	/*
-	 * Return success if got a positive match.  If there was a negative
-	 * match, we have already returned -1 and never get here.
-	 */
-	return got_positive;
-}
-
-/*
- * Tries to match the host name (which must be in all lowercase) against the
- * comma-separated sequence of subpatterns (each possibly preceded by ! to
- * indicate negation).  Returns -1 if negation matches, 1 if there is
- * a positive match, 0 if there is no match at all.
- */
-int
-match_hostname(const char *host, const char *pattern, u_int len)
-{
-	return match_pattern_list(host, pattern, len, 1);
-}
-
-/*
- * returns 0 if we get a negative match for the hostname or the ip
- * or if we get no match at all.  returns 1 otherwise.
- */
-int
-match_host_and_ip(const char *host, const char *ipaddr,
-    const char *patterns)
-{
-	int mhost, mip;
-
-	/* negative ipaddr match */
-	if ((mip = match_hostname(ipaddr, patterns, strlen(patterns))) == -1)
-		return 0;
-	/* negative hostname match */
-	if ((mhost = match_hostname(host, patterns, strlen(patterns))) == -1)
-		return 0;
-	/* no match at all */
-	if (mhost == 0 && mip == 0)
-		return 0;
-	return 1;
-}
-
-/*
- * match user, user@host_or_ip, user@host_or_ip_list against pattern
- */
-int
-match_user(const char *user, const char *host, const char *ipaddr,
-    const char *pattern)
-{
-	char *p, *pat;
-	int ret;
-
-	if ((p = strchr(pattern,'@')) == NULL)
-		return match_pattern(user, pattern);
-
-	pat = xstrdup(pattern);
-	p = strchr(pat, '@');
-	*p++ = '\0';
-
-	if ((ret = match_pattern(user, pat)) == 1)
-		ret = match_host_and_ip(host, ipaddr, p);
-	xfree(pat);
-
-	return ret;
-}
-
-/*
- * Returns first item from client-list that is also supported by server-list,
- * caller must xfree() returned string.
- */
-#define	MAX_PROP	40
-#define	SEP	","
-char *
-match_list(const char *client, const char *server, u_int *next)
-{
-	char *sproposals[MAX_PROP];
-	char *c, *s, *p, *ret, *cp, *sp;
-	int i, j, nproposals;
-
-	c = cp = xstrdup(client);
-	s = sp = xstrdup(server);
-
-	for ((p = strsep(&sp, SEP)), i=0; p && *p != '\0';
-	    (p = strsep(&sp, SEP)), i++) {
-		if (i < MAX_PROP)
-			sproposals[i] = p;
-		else
-			break;
-	}
-	nproposals = i;
-
-	for ((p = strsep(&cp, SEP)), i=0; p && *p != '\0';
-	    (p = strsep(&cp, SEP)), i++) {
-		for (j = 0; j < nproposals; j++) {
-			if (strcmp(p, sproposals[j]) == 0) {
-				ret = xstrdup(p);
-				if (next != NULL)
-					*next = (cp == NULL) ?
-					    strlen(c) : (u_int)(cp - c);
-				xfree(c);
-				xfree(s);
-				return ret;
-			}
-		}
-	}
-	if (next != NULL)
-		*next = strlen(c);
-	xfree(c);
-	xfree(s);
-	return NULL;
-}
diff --git a/crypto/openssh/match.h b/crypto/openssh/match.h
deleted file mode 100644
index d1d5386..0000000
--- a/crypto/openssh/match.h
+++ /dev/null
@@ -1,24 +0,0 @@
-/* $OpenBSD: match.h,v 1.13 2006/03/25 22:22:43 djm Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-#ifndef MATCH_H
-#define MATCH_H
-
-int	 match_pattern(const char *, const char *);
-int	 match_pattern_list(const char *, const char *, u_int, int);
-int	 match_hostname(const char *, const char *, u_int);
-int	 match_host_and_ip(const char *, const char *, const char *);
-int	 match_user(const char *, const char *, const char *, const char *);
-char	*match_list(const char *, const char *, u_int *);
-
-#endif
diff --git a/crypto/openssh/md-sha256.c b/crypto/openssh/md-sha256.c
deleted file mode 100644
index 8c1b3b9..0000000
--- a/crypto/openssh/md-sha256.c
+++ /dev/null
@@ -1,86 +0,0 @@
-/* $OpenBSD: md-sha256.c,v 1.5 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Copyright (c) 2005 Damien Miller <djm@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* EVP wrapper for SHA256 */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <openssl/opensslv.h>
-
-#if !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L)
-
-#include <string.h>
-#include <openssl/evp.h>
-#ifdef HAVE_SHA256_UPDATE
-# ifdef HAVE_SHA2_H
-#  include <sha2.h>
-# elif defined(HAVE_CRYPTO_SHA2_H)
-#  include <crypto/sha2.h>
-# endif
-#endif
-
-const EVP_MD *evp_ssh_sha256(void);
-
-static int
-ssh_sha256_init(EVP_MD_CTX *ctxt)
-{
-	SHA256_Init(ctxt->md_data);
-	return (1);
-}
-
-static int
-ssh_sha256_update(EVP_MD_CTX *ctxt, const void *data, unsigned long len)
-{
-	SHA256_Update(ctxt->md_data, data, len);
-	return (1);
-}
-
-static int
-ssh_sha256_final(EVP_MD_CTX *ctxt, unsigned char *digest)
-{
-	SHA256_Final(digest, ctxt->md_data);
-	return (1);
-}
-
-static int
-ssh_sha256_cleanup(EVP_MD_CTX *ctxt)
-{
-	memset(ctxt->md_data, 0, sizeof(SHA256_CTX));
-	return (1);
-}
-
-const EVP_MD *
-evp_ssh_sha256(void)
-{
-	static EVP_MD ssh_sha256;
-
-	memset(&ssh_sha256, 0, sizeof(ssh_sha256));
-	ssh_sha256.type = NID_undef;
-	ssh_sha256.md_size = SHA256_DIGEST_LENGTH;
-	ssh_sha256.init = ssh_sha256_init;
-	ssh_sha256.update = ssh_sha256_update;
-	ssh_sha256.final = ssh_sha256_final;
-	ssh_sha256.cleanup = ssh_sha256_cleanup;
-	ssh_sha256.block_size = SHA256_BLOCK_LENGTH;
-	ssh_sha256.ctx_size = sizeof(SHA256_CTX);
-
-	return (&ssh_sha256);
-}
-
-#endif /* !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L) */
-
diff --git a/crypto/openssh/md5crypt.c b/crypto/openssh/md5crypt.c
deleted file mode 100644
index 22ef989..0000000
--- a/crypto/openssh/md5crypt.c
+++ /dev/null
@@ -1,167 +0,0 @@
-/*
- * ----------------------------------------------------------------------------
- * "THE BEER-WARE LICENSE" (Revision 42):
- * <phk@login.dknet.dk> wrote this file.  As long as you retain this
- * notice you can do whatever you want with this stuff. If we meet some
- * day, and you think this stuff is worth it, you can buy me a beer in
- * return.   Poul-Henning Kamp
- * ----------------------------------------------------------------------------
- */
-
-#include "includes.h"
-
-#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
-#include <sys/types.h>
-
-#include <string.h>
-
-#include <openssl/md5.h>
-
-/* 0 ... 63 => ascii - 64 */
-static unsigned char itoa64[] =
-    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
-
-static char *magic = "$1$";
-
-static char *
-to64(unsigned long v, int n)
-{
-	static char buf[5];
-	char *s = buf;
-
-	if (n > 4)
-		return (NULL);
-
-	memset(buf, '\0', sizeof(buf));
-	while (--n >= 0) {
-		*s++ = itoa64[v&0x3f];
-		v >>= 6;
-	}
-
-	return (buf);
-}
-
-int
-is_md5_salt(const char *salt)
-{
-	return (strncmp(salt, magic, strlen(magic)) == 0);
-}
-
-char *
-md5_crypt(const char *pw, const char *salt)
-{
-	static char passwd[120], salt_copy[9], *p;
-	static const char *sp, *ep;
-	unsigned char final[16];
-	int sl, pl, i, j;
-	MD5_CTX	ctx, ctx1;
-	unsigned long l;
-
-	/* Refine the Salt first */
-	sp = salt;
-
-	/* If it starts with the magic string, then skip that */
-	if(strncmp(sp, magic, strlen(magic)) == 0)
-		sp += strlen(magic);
-
-	/* It stops at the first '$', max 8 chars */
-	for (ep = sp; *ep != '$'; ep++) {
-		if (*ep == '\0' || ep >= (sp + 8))
-			return (NULL);
-	}
-
-	/* get the length of the true salt */
-	sl = ep - sp;
-
-	/* Stash the salt */
-	memcpy(salt_copy, sp, sl);
-	salt_copy[sl] = '\0';
-
-	MD5_Init(&ctx);
-
-	/* The password first, since that is what is most unknown */
-	MD5_Update(&ctx, pw, strlen(pw));
-
-	/* Then our magic string */
-	MD5_Update(&ctx, magic, strlen(magic));
-
-	/* Then the raw salt */
-	MD5_Update(&ctx, sp, sl);
-
-	/* Then just as many characters of the MD5(pw, salt, pw) */
-	MD5_Init(&ctx1);
-	MD5_Update(&ctx1, pw, strlen(pw));
-	MD5_Update(&ctx1, sp, sl);
-	MD5_Update(&ctx1, pw, strlen(pw));
-	MD5_Final(final, &ctx1);
-
-	for(pl = strlen(pw); pl > 0; pl -= 16)
-		MD5_Update(&ctx, final, pl > 16 ? 16 : pl);
-
-	/* Don't leave anything around in vm they could use. */
-	memset(final, '\0', sizeof final);
-
-	/* Then something really weird... */
-	for (j = 0, i = strlen(pw); i != 0; i >>= 1)
-		if (i & 1)
-			MD5_Update(&ctx, final + j, 1);
-		else
-			MD5_Update(&ctx, pw + j, 1);
-
-	/* Now make the output string */
-	snprintf(passwd, sizeof(passwd), "%s%s$", magic, salt_copy);
-
-	MD5_Final(final, &ctx);
-
-	/*
-	 * and now, just to make sure things don't run too fast
-	 * On a 60 Mhz Pentium this takes 34 msec, so you would
-	 * need 30 seconds to build a 1000 entry dictionary...
-	 */
-	for(i = 0; i < 1000; i++) {
-		MD5_Init(&ctx1);
-		if (i & 1)
-			MD5_Update(&ctx1, pw, strlen(pw));
-		else
-			MD5_Update(&ctx1, final, 16);
-
-		if (i % 3)
-			MD5_Update(&ctx1, sp, sl);
-
-		if (i % 7)
-			MD5_Update(&ctx1, pw, strlen(pw));
-
-		if (i & 1)
-			MD5_Update(&ctx1, final, 16);
-		else
-			MD5_Update(&ctx1, pw, strlen(pw));
-
-		MD5_Final(final, &ctx1);
-	}
-
-	p = passwd + strlen(passwd);
-
-	l = (final[ 0]<<16) | (final[ 6]<<8) | final[12];
-	strlcat(passwd, to64(l, 4), sizeof(passwd));
-	l = (final[ 1]<<16) | (final[ 7]<<8) | final[13];
-	strlcat(passwd, to64(l, 4), sizeof(passwd));
-	l = (final[ 2]<<16) | (final[ 8]<<8) | final[14];
-	strlcat(passwd, to64(l, 4), sizeof(passwd));
-	l = (final[ 3]<<16) | (final[ 9]<<8) | final[15];
-	strlcat(passwd, to64(l, 4), sizeof(passwd));
-	l = (final[ 4]<<16) | (final[10]<<8) | final[ 5];
-	strlcat(passwd, to64(l, 4), sizeof(passwd));
-	l =                    final[11]                ;
-	strlcat(passwd, to64(l, 2), sizeof(passwd));
-
-	/* Don't leave anything around in vm they could use. */
-	memset(final, 0, sizeof(final));
-	memset(salt_copy, 0, sizeof(salt_copy));
-	memset(&ctx, 0, sizeof(ctx));
-	memset(&ctx1, 0, sizeof(ctx1));
-	(void)to64(0, 4);
-
-	return (passwd);
-}
-
-#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */
diff --git a/crypto/openssh/md5crypt.h b/crypto/openssh/md5crypt.h
deleted file mode 100644
index 2341e2c..0000000
--- a/crypto/openssh/md5crypt.h
+++ /dev/null
@@ -1,24 +0,0 @@
-/*
- * ----------------------------------------------------------------------------
- * "THE BEER-WARE LICENSE" (Revision 42):
- * <phk@login.dknet.dk> wrote this file.  As long as you retain this notice you
- * can do whatever you want with this stuff. If we meet some day, and you think
- * this stuff is worth it, you can buy me a beer in return.   Poul-Henning Kamp
- * ----------------------------------------------------------------------------
- */
-
-/* $Id: md5crypt.h,v 1.4 2003/05/18 14:46:46 djm Exp $ */
-
-#ifndef _MD5CRYPT_H
-#define _MD5CRYPT_H
-
-#include "config.h"
-
-#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
-
-int is_md5_salt(const char *);
-char *md5_crypt(const char *, const char *);
-
-#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */
-
-#endif /* MD5CRYPT_H */
diff --git a/crypto/openssh/mdoc2man.awk b/crypto/openssh/mdoc2man.awk
deleted file mode 100644
index d6eaf46..0000000
--- a/crypto/openssh/mdoc2man.awk
+++ /dev/null
@@ -1,351 +0,0 @@
-#!/usr/bin/awk
-#
-# Version history:
-#  v3, I put the program under a proper license
-#      Dan Nelson <dnelson@allantgroup.com> added .An, .Aq and fixed a typo
-#  v2, fixed to work on GNU awk --posix and MacOS X
-#  v1, first attempt, didn't work on MacOS X
-#
-# Copyright (c) 2003 Peter Stuge <stuge-mdoc2man@cdy.org>
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-
-BEGIN {
-  optlist=0
-  oldoptlist=0
-  nospace=0
-  synopsis=0
-  reference=0
-  block=0
-  ext=0
-  extopt=0
-  literal=0
-  prenl=0
-  breakw=0
-  line=""
-}
-
-function wtail() {
-  retval=""
-  while(w<nwords) {
-    if(length(retval))
-      retval=retval OFS
-    retval=retval words[++w]
-  }
-  return retval
-}
-
-function add(str) {
-  for(;prenl;prenl--)
-    line=line "\n"
-  line=line str
-}
-
-! /^\./ {
-  for(;prenl;prenl--)
-    print ""
-  print
-  if(literal)
-    print ".br"
-  next
-}
-
-/^\.\\"/ { next }
-
-{
-  option=0
-  parens=0
-  angles=0
-  sub("^\\.","")
-  nwords=split($0,words)
-  for(w=1;w<=nwords;w++) {
-    skip=0
-    if(match(words[w],"^Li|Pf$")) {
-      skip=1
-    } else if(match(words[w],"^Xo$")) {
-      skip=1
-      ext=1
-      if(length(line)&&!(match(line," $")||prenl))
-	add(OFS)
-    } else if(match(words[w],"^Xc$")) {
-      skip=1
-      ext=0
-      if(!extopt)
-	prenl++
-      w=nwords
-    } else if(match(words[w],"^Bd$")) {
-      skip=1
-      if(match(words[w+1],"-literal")) {
-	literal=1
-	prenl++
-	w=nwords
-      }
-    } else if(match(words[w],"^Ed$")) {
-      skip=1
-      literal=0
-    } else if(match(words[w],"^Ns$")) {
-      skip=1
-      if(!nospace)
-	nospace=1
-      sub(" $","",line)
-    } else if(match(words[w],"^No$")) {
-      skip=1
-      sub(" $","",line)
-      add(words[++w])
-    } else if(match(words[w],"^Dq$")) {
-      skip=1
-      add("``")
-      add(words[++w])
-      while(w<nwords&&!match(words[w+1],"^[\\.,]"))
-	add(OFS words[++w])
-      add("''")
-      if(!nospace&&match(words[w+1],"^[\\.,]"))
-	nospace=1
-    } else if(match(words[w],"^Sq|Ql$")) {
-      skip=1
-      add("`" words[++w] "'")
-      if(!nospace&&match(words[w+1],"^[\\.,]"))
-	nospace=1
-    } else if(match(words[w],"^Oo$")) {
-      skip=1
-      extopt=1
-      if(!nospace)
-	nospace=1
-      add("[")
-    } else if(match(words[w],"^Oc$")) {
-      skip=1
-      extopt=0
-      add("]")
-    }
-    if(!skip) {
-      if(!nospace&&length(line)&&!(match(line," $")||prenl))
-	add(OFS)
-      if(nospace==1)
-	nospace=0
-    }
-    if(match(words[w],"^Dd$")) {
-      date=wtail()
-      next
-    } else if(match(words[w],"^Dt$")) {
-      id=wtail()
-      next
-    } else if(match(words[w],"^Ox$")) {
-      add("OpenBSD")
-      skip=1
-    } else if(match(words[w],"^Os$")) {
-      add(".TH " id " \"" date "\" \"" wtail() "\"")
-    } else if(match(words[w],"^Sh$")) {
-      add(".SH")
-      synopsis=match(words[w+1],"SYNOPSIS")
-    } else if(match(words[w],"^Xr$")) {
-      add("\\fB" words[++w] "\\fP(" words[++w] ")" words[++w])
-    } else if(match(words[w],"^Rs$")) {
-      split("",refauthors)
-      nrefauthors=0
-      reftitle=""
-      refissue=""
-      refdate=""
-      refopt=""
-      reference=1
-      next
-    } else if(match(words[w],"^Re$")) {
-      prenl++
-      for(i=nrefauthors-1;i>0;i--) {
-	add(refauthors[i])
-	if(i>1)
-	  add(", ")
-      }
-      if(nrefauthors>1)
-	add(" and ")
-      add(refauthors[0] ", \\fI" reftitle "\\fP")
-      if(length(refissue))
-	add(", " refissue)
-      if(length(refdate))
-	add(", " refdate)
-      if(length(refopt))
-	add(", " refopt)
-      add(".")
-      reference=0
-    } else if(reference) {
-      if(match(words[w],"^%A$")) { refauthors[nrefauthors++]=wtail() }
-      if(match(words[w],"^%T$")) {
-	reftitle=wtail()
-	sub("^\"","",reftitle)
-	sub("\"$","",reftitle)
-      }
-      if(match(words[w],"^%N$")) { refissue=wtail() }
-      if(match(words[w],"^%D$")) { refdate=wtail() }
-      if(match(words[w],"^%O$")) { refopt=wtail() }
-    } else if(match(words[w],"^Nm$")) {
-      if(synopsis) {
-	add(".br")
-	prenl++
-      }
-      n=words[++w]
-      if(!length(name))
-	name=n
-      if(!length(n))
-	n=name
-      add("\\fB" n "\\fP")
-      if(!nospace&&match(words[w+1],"^[\\.,]"))
-	nospace=1
-    } else if(match(words[w],"^Nd$")) {
-      add("\\- " wtail())
-    } else if(match(words[w],"^Fl$")) {
-      add("\\fB\\-" words[++w] "\\fP")
-      if(!nospace&&match(words[w+1],"^[\\.,]"))
-	nospace=1
-    } else if(match(words[w],"^Ar$")) {
-      add("\\fI")
-      if(w==nwords)
-	add("file ...\\fP")
-      else {
-	add(words[++w] "\\fP")
-	while(match(words[w+1],"^\\|$"))
-	  add(OFS words[++w] " \\fI" words[++w] "\\fP")
-      }
-      if(!nospace&&match(words[w+1],"^[\\.,]"))
-	nospace=1
-    } else if(match(words[w],"^Cm$")) {
-      add("\\fB" words[++w] "\\fP")
-      while(w<nwords&&match(words[w+1],"^[\\.,:;)]"))
-	add(words[++w])
-    } else if(match(words[w],"^Op$")) {
-      option=1
-      if(!nospace)
-	nospace=1
-      add("[")
-    } else if(match(words[w],"^Pp$")) {
-      prenl++
-    } else if(match(words[w],"^An$")) {
-      prenl++
-    } else if(match(words[w],"^Ss$")) {
-      add(".SS")
-    } else if(match(words[w],"^Pa$")&&!option) {
-      add("\\fI")
-      w++
-      if(match(words[w],"^\\."))
-	add("\\&")
-      add(words[w] "\\fP")
-      while(w<nwords&&match(words[w+1],"^[\\.,:;)]"))
-	add(words[++w])
-    } else if(match(words[w],"^Dv$")) {
-      add(".BR")
-    } else if(match(words[w],"^Em|Ev$")) {
-      add(".IR")
-    } else if(match(words[w],"^Pq$")) {
-      add("(")
-      nospace=1
-      parens=1
-    } else if(match(words[w],"^Aq$")) {
-      add("<")
-      nospace=1
-      angles=1
-    } else if(match(words[w],"^S[xy]$")) {
-      add(".B " wtail())
-    } else if(match(words[w],"^Ic$")) {
-      plain=1
-      add("\\fB")
-      while(w<nwords) {
-	w++
-	if(match(words[w],"^Op$")) {
-	  w++
-	  add("[")
-	  words[nwords]=words[nwords] "]"
-	}
-	if(match(words[w],"^Ar$")) {
-	  add("\\fI" words[++w] "\\fP")
-	} else if(match(words[w],"^[\\.,]")) {
-	  sub(" $","",line)
-	  if(plain) {
-	    add("\\fP")
-	    plain=0
-	  }
-	  add(words[w])
-	} else {
-	  if(!plain) {
-	    add("\\fB")
-	    plain=1
-	  }
-	  add(words[w])
-	}
-	if(!nospace)
-	  add(OFS)
-      }
-      sub(" $","",line)
-      if(plain)
-	add("\\fP")
-    } else if(match(words[w],"^Bl$")) {
-      oldoptlist=optlist
-      if(match(words[w+1],"-bullet"))
-	optlist=1
-      else if(match(words[w+1],"-enum")) {
-	optlist=2
-	enum=0
-      } else if(match(words[w+1],"-tag"))
-	optlist=3
-      else if(match(words[w+1],"-item"))
-	optlist=4
-      else if(match(words[w+1],"-bullet"))
-	optlist=1
-      w=nwords
-    } else if(match(words[w],"^El$")) {
-      optlist=oldoptlist
-    } else if(match(words[w],"^Bk$")) {
-      if(match(words[w+1],"-words")) {
-	w++
-	breakw=1
-      }
-    } else if(match(words[w],"^Ek$")) {
-      breakw=0
-    } else if(match(words[w],"^It$")&&optlist) {
-      if(optlist==1)
-	add(".IP \\(bu")
-      else if(optlist==2)
-	add(".IP " ++enum ".")
-      else if(optlist==3) {
-	add(".TP")
-	prenl++
-	if(match(words[w+1],"^Pa$|^Ev$")) {
-	  add(".B")
-	  w++
-	}
-      } else if(optlist==4)
-	add(".IP")
-    } else if(match(words[w],"^Sm$")) {
-      if(match(words[w+1],"off"))
-	nospace=2
-      else if(match(words[w+1],"on"))
-	nospace=0
-      w++
-    } else if(!skip) {
-      add(words[w])
-    }
-  }
-  if(match(line,"^\\.[^a-zA-Z]"))
-    sub("^\\.","",line)
-  if(parens)
-    add(")")
-  if(angles)
-    add(">")
-  if(option)
-    add("]")
-  if(ext&&!extopt&&!match(line," $"))
-    add(OFS)
-  if(!ext&&!extopt&&length(line)) {
-    print line
-    prenl=0
-    line=""
-  }
-}
diff --git a/crypto/openssh/misc.c b/crypto/openssh/misc.c
deleted file mode 100644
index 78bca2f..0000000
--- a/crypto/openssh/misc.c
+++ /dev/null
@@ -1,823 +0,0 @@
-/* $OpenBSD: misc.c,v 1.64 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- * Copyright (c) 2005,2006 Damien Miller.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/ioctl.h>
-#include <sys/socket.h>
-#include <sys/param.h>
-
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <netinet/in.h>
-#include <netinet/tcp.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#ifdef HAVE_PATHS_H
-# include <paths.h>
-#include <pwd.h>
-#endif
-#ifdef SSH_TUN_OPENBSD
-#include <net/if.h>
-#endif
-
-#include "xmalloc.h"
-#include "misc.h"
-#include "log.h"
-#include "ssh.h"
-
-/* remove newline at end of string */
-char *
-chop(char *s)
-{
-	char *t = s;
-	while (*t) {
-		if (*t == '\n' || *t == '\r') {
-			*t = '\0';
-			return s;
-		}
-		t++;
-	}
-	return s;
-
-}
-
-/* set/unset filedescriptor to non-blocking */
-int
-set_nonblock(int fd)
-{
-	int val;
-
-	val = fcntl(fd, F_GETFL, 0);
-	if (val < 0) {
-		error("fcntl(%d, F_GETFL, 0): %s", fd, strerror(errno));
-		return (-1);
-	}
-	if (val & O_NONBLOCK) {
-		debug3("fd %d is O_NONBLOCK", fd);
-		return (0);
-	}
-	debug2("fd %d setting O_NONBLOCK", fd);
-	val |= O_NONBLOCK;
-	if (fcntl(fd, F_SETFL, val) == -1) {
-		debug("fcntl(%d, F_SETFL, O_NONBLOCK): %s", fd,
-		    strerror(errno));
-		return (-1);
-	}
-	return (0);
-}
-
-int
-unset_nonblock(int fd)
-{
-	int val;
-
-	val = fcntl(fd, F_GETFL, 0);
-	if (val < 0) {
-		error("fcntl(%d, F_GETFL, 0): %s", fd, strerror(errno));
-		return (-1);
-	}
-	if (!(val & O_NONBLOCK)) {
-		debug3("fd %d is not O_NONBLOCK", fd);
-		return (0);
-	}
-	debug("fd %d clearing O_NONBLOCK", fd);
-	val &= ~O_NONBLOCK;
-	if (fcntl(fd, F_SETFL, val) == -1) {
-		debug("fcntl(%d, F_SETFL, ~O_NONBLOCK): %s",
-		    fd, strerror(errno));
-		return (-1);
-	}
-	return (0);
-}
-
-/* disable nagle on socket */
-void
-set_nodelay(int fd)
-{
-	int opt;
-	socklen_t optlen;
-
-	optlen = sizeof opt;
-	if (getsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &opt, &optlen) == -1) {
-		debug("getsockopt TCP_NODELAY: %.100s", strerror(errno));
-		return;
-	}
-	if (opt == 1) {
-		debug2("fd %d is TCP_NODELAY", fd);
-		return;
-	}
-	opt = 1;
-	debug2("fd %d setting TCP_NODELAY", fd);
-	if (setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &opt, sizeof opt) == -1)
-		error("setsockopt TCP_NODELAY: %.100s", strerror(errno));
-}
-
-/* Characters considered whitespace in strsep calls. */
-#define WHITESPACE " \t\r\n"
-#define QUOTE	"\""
-
-/* return next token in configuration line */
-char *
-strdelim(char **s)
-{
-	char *old;
-	int wspace = 0;
-
-	if (*s == NULL)
-		return NULL;
-
-	old = *s;
-
-	*s = strpbrk(*s, WHITESPACE QUOTE "=");
-	if (*s == NULL)
-		return (old);
-
-	if (*s[0] == '\"') {
-		memmove(*s, *s + 1, strlen(*s)); /* move nul too */
-		/* Find matching quote */
-		if ((*s = strpbrk(*s, QUOTE)) == NULL) {
-			return (NULL);		/* no matching quote */
-		} else {
-			*s[0] = '\0';
-			return (old);
-		}
-	}
-
-	/* Allow only one '=' to be skipped */
-	if (*s[0] == '=')
-		wspace = 1;
-	*s[0] = '\0';
-
-	/* Skip any extra whitespace after first token */
-	*s += strspn(*s + 1, WHITESPACE) + 1;
-	if (*s[0] == '=' && !wspace)
-		*s += strspn(*s + 1, WHITESPACE) + 1;
-
-	return (old);
-}
-
-struct passwd *
-pwcopy(struct passwd *pw)
-{
-	struct passwd *copy = xcalloc(1, sizeof(*copy));
-
-	copy->pw_name = xstrdup(pw->pw_name);
-	copy->pw_passwd = xstrdup(pw->pw_passwd);
-	copy->pw_gecos = xstrdup(pw->pw_gecos);
-	copy->pw_uid = pw->pw_uid;
-	copy->pw_gid = pw->pw_gid;
-#ifdef HAVE_PW_EXPIRE_IN_PASSWD
-	copy->pw_expire = pw->pw_expire;
-#endif
-#ifdef HAVE_PW_CHANGE_IN_PASSWD
-	copy->pw_change = pw->pw_change;
-#endif
-#ifdef HAVE_PW_CLASS_IN_PASSWD
-	copy->pw_class = xstrdup(pw->pw_class);
-#endif
-	copy->pw_dir = xstrdup(pw->pw_dir);
-	copy->pw_shell = xstrdup(pw->pw_shell);
-	return copy;
-}
-
-/*
- * Convert ASCII string to TCP/IP port number.
- * Port must be >0 and <=65535.
- * Return 0 if invalid.
- */
-int
-a2port(const char *s)
-{
-	long port;
-	char *endp;
-
-	errno = 0;
-	port = strtol(s, &endp, 0);
-	if (s == endp || *endp != '\0' ||
-	    (errno == ERANGE && (port == LONG_MIN || port == LONG_MAX)) ||
-	    port <= 0 || port > 65535)
-		return 0;
-
-	return port;
-}
-
-int
-a2tun(const char *s, int *remote)
-{
-	const char *errstr = NULL;
-	char *sp, *ep;
-	int tun;
-
-	if (remote != NULL) {
-		*remote = SSH_TUNID_ANY;
-		sp = xstrdup(s);
-		if ((ep = strchr(sp, ':')) == NULL) {
-			xfree(sp);
-			return (a2tun(s, NULL));
-		}
-		ep[0] = '\0'; ep++;
-		*remote = a2tun(ep, NULL);
-		tun = a2tun(sp, NULL);
-		xfree(sp);
-		return (*remote == SSH_TUNID_ERR ? *remote : tun);
-	}
-
-	if (strcasecmp(s, "any") == 0)
-		return (SSH_TUNID_ANY);
-
-	tun = strtonum(s, 0, SSH_TUNID_MAX, &errstr);
-	if (errstr != NULL)
-		return (SSH_TUNID_ERR);
-
-	return (tun);
-}
-
-#define SECONDS		1
-#define MINUTES		(SECONDS * 60)
-#define HOURS		(MINUTES * 60)
-#define DAYS		(HOURS * 24)
-#define WEEKS		(DAYS * 7)
-
-/*
- * Convert a time string into seconds; format is
- * a sequence of:
- *      time[qualifier]
- *
- * Valid time qualifiers are:
- *      <none>  seconds
- *      s|S     seconds
- *      m|M     minutes
- *      h|H     hours
- *      d|D     days
- *      w|W     weeks
- *
- * Examples:
- *      90m     90 minutes
- *      1h30m   90 minutes
- *      2d      2 days
- *      1w      1 week
- *
- * Return -1 if time string is invalid.
- */
-long
-convtime(const char *s)
-{
-	long total, secs;
-	const char *p;
-	char *endp;
-
-	errno = 0;
-	total = 0;
-	p = s;
-
-	if (p == NULL || *p == '\0')
-		return -1;
-
-	while (*p) {
-		secs = strtol(p, &endp, 10);
-		if (p == endp ||
-		    (errno == ERANGE && (secs == LONG_MIN || secs == LONG_MAX)) ||
-		    secs < 0)
-			return -1;
-
-		switch (*endp++) {
-		case '\0':
-			endp--;
-			break;
-		case 's':
-		case 'S':
-			break;
-		case 'm':
-		case 'M':
-			secs *= MINUTES;
-			break;
-		case 'h':
-		case 'H':
-			secs *= HOURS;
-			break;
-		case 'd':
-		case 'D':
-			secs *= DAYS;
-			break;
-		case 'w':
-		case 'W':
-			secs *= WEEKS;
-			break;
-		default:
-			return -1;
-		}
-		total += secs;
-		if (total < 0)
-			return -1;
-		p = endp;
-	}
-
-	return total;
-}
-
-/*
- * Returns a standardized host+port identifier string.
- * Caller must free returned string.
- */
-char *
-put_host_port(const char *host, u_short port)
-{
-	char *hoststr;
-
-	if (port == 0 || port == SSH_DEFAULT_PORT)
-		return(xstrdup(host));
-	if (asprintf(&hoststr, "[%s]:%d", host, (int)port) < 0)
-		fatal("put_host_port: asprintf: %s", strerror(errno));
-	debug3("put_host_port: %s", hoststr);
-	return hoststr;
-}
-
-/*
- * Search for next delimiter between hostnames/addresses and ports.
- * Argument may be modified (for termination).
- * Returns *cp if parsing succeeds.
- * *cp is set to the start of the next delimiter, if one was found.
- * If this is the last field, *cp is set to NULL.
- */
-char *
-hpdelim(char **cp)
-{
-	char *s, *old;
-
-	if (cp == NULL || *cp == NULL)
-		return NULL;
-
-	old = s = *cp;
-	if (*s == '[') {
-		if ((s = strchr(s, ']')) == NULL)
-			return NULL;
-		else
-			s++;
-	} else if ((s = strpbrk(s, ":/")) == NULL)
-		s = *cp + strlen(*cp); /* skip to end (see first case below) */
-
-	switch (*s) {
-	case '\0':
-		*cp = NULL;	/* no more fields*/
-		break;
-
-	case ':':
-	case '/':
-		*s = '\0';	/* terminate */
-		*cp = s + 1;
-		break;
-
-	default:
-		return NULL;
-	}
-
-	return old;
-}
-
-char *
-cleanhostname(char *host)
-{
-	if (*host == '[' && host[strlen(host) - 1] == ']') {
-		host[strlen(host) - 1] = '\0';
-		return (host + 1);
-	} else
-		return host;
-}
-
-char *
-colon(char *cp)
-{
-	int flag = 0;
-
-	if (*cp == ':')		/* Leading colon is part of file name. */
-		return (0);
-	if (*cp == '[')
-		flag = 1;
-
-	for (; *cp; ++cp) {
-		if (*cp == '@' && *(cp+1) == '[')
-			flag = 1;
-		if (*cp == ']' && *(cp+1) == ':' && flag)
-			return (cp+1);
-		if (*cp == ':' && !flag)
-			return (cp);
-		if (*cp == '/')
-			return (0);
-	}
-	return (0);
-}
-
-/* function to assist building execv() arguments */
-void
-addargs(arglist *args, char *fmt, ...)
-{
-	va_list ap;
-	char *cp;
-	u_int nalloc;
-	int r;
-
-	va_start(ap, fmt);
-	r = vasprintf(&cp, fmt, ap);
-	va_end(ap);
-	if (r == -1)
-		fatal("addargs: argument too long");
-
-	nalloc = args->nalloc;
-	if (args->list == NULL) {
-		nalloc = 32;
-		args->num = 0;
-	} else if (args->num+2 >= nalloc)
-		nalloc *= 2;
-
-	args->list = xrealloc(args->list, nalloc, sizeof(char *));
-	args->nalloc = nalloc;
-	args->list[args->num++] = cp;
-	args->list[args->num] = NULL;
-}
-
-void
-replacearg(arglist *args, u_int which, char *fmt, ...)
-{
-	va_list ap;
-	char *cp;
-	int r;
-
-	va_start(ap, fmt);
-	r = vasprintf(&cp, fmt, ap);
-	va_end(ap);
-	if (r == -1)
-		fatal("replacearg: argument too long");
-
-	if (which >= args->num)
-		fatal("replacearg: tried to replace invalid arg %d >= %d",
-		    which, args->num);
-	xfree(args->list[which]);
-	args->list[which] = cp;
-}
-
-void
-freeargs(arglist *args)
-{
-	u_int i;
-
-	if (args->list != NULL) {
-		for (i = 0; i < args->num; i++)
-			xfree(args->list[i]);
-		xfree(args->list);
-		args->nalloc = args->num = 0;
-		args->list = NULL;
-	}
-}
-
-/*
- * Expands tildes in the file name.  Returns data allocated by xmalloc.
- * Warning: this calls getpw*.
- */
-char *
-tilde_expand_filename(const char *filename, uid_t uid)
-{
-	const char *path;
-	char user[128], ret[MAXPATHLEN];
-	struct passwd *pw;
-	u_int len, slash;
-
-	if (*filename != '~')
-		return (xstrdup(filename));
-	filename++;
-
-	path = strchr(filename, '/');
-	if (path != NULL && path > filename) {		/* ~user/path */
-		slash = path - filename;
-		if (slash > sizeof(user) - 1)
-			fatal("tilde_expand_filename: ~username too long");
-		memcpy(user, filename, slash);
-		user[slash] = '\0';
-		if ((pw = getpwnam(user)) == NULL)
-			fatal("tilde_expand_filename: No such user %s", user);
-	} else if ((pw = getpwuid(uid)) == NULL)	/* ~/path */
-		fatal("tilde_expand_filename: No such uid %d", uid);
-
-	if (strlcpy(ret, pw->pw_dir, sizeof(ret)) >= sizeof(ret))
-		fatal("tilde_expand_filename: Path too long");
-
-	/* Make sure directory has a trailing '/' */
-	len = strlen(pw->pw_dir);
-	if ((len == 0 || pw->pw_dir[len - 1] != '/') &&
-	    strlcat(ret, "/", sizeof(ret)) >= sizeof(ret))
-		fatal("tilde_expand_filename: Path too long");
-
-	/* Skip leading '/' from specified path */
-	if (path != NULL)
-		filename = path + 1;
-	if (strlcat(ret, filename, sizeof(ret)) >= sizeof(ret))
-		fatal("tilde_expand_filename: Path too long");
-
-	return (xstrdup(ret));
-}
-
-/*
- * Expand a string with a set of %[char] escapes. A number of escapes may be
- * specified as (char *escape_chars, char *replacement) pairs. The list must
- * be terminated by a NULL escape_char. Returns replaced string in memory
- * allocated by xmalloc.
- */
-char *
-percent_expand(const char *string, ...)
-{
-#define EXPAND_MAX_KEYS	16
-	struct {
-		const char *key;
-		const char *repl;
-	} keys[EXPAND_MAX_KEYS];
-	u_int num_keys, i, j;
-	char buf[4096];
-	va_list ap;
-
-	/* Gather keys */
-	va_start(ap, string);
-	for (num_keys = 0; num_keys < EXPAND_MAX_KEYS; num_keys++) {
-		keys[num_keys].key = va_arg(ap, char *);
-		if (keys[num_keys].key == NULL)
-			break;
-		keys[num_keys].repl = va_arg(ap, char *);
-		if (keys[num_keys].repl == NULL)
-			fatal("percent_expand: NULL replacement");
-	}
-	va_end(ap);
-
-	if (num_keys >= EXPAND_MAX_KEYS)
-		fatal("percent_expand: too many keys");
-
-	/* Expand string */
-	*buf = '\0';
-	for (i = 0; *string != '\0'; string++) {
-		if (*string != '%') {
- append:
-			buf[i++] = *string;
-			if (i >= sizeof(buf))
-				fatal("percent_expand: string too long");
-			buf[i] = '\0';
-			continue;
-		}
-		string++;
-		if (*string == '%')
-			goto append;
-		for (j = 0; j < num_keys; j++) {
-			if (strchr(keys[j].key, *string) != NULL) {
-				i = strlcat(buf, keys[j].repl, sizeof(buf));
-				if (i >= sizeof(buf))
-					fatal("percent_expand: string too long");
-				break;
-			}
-		}
-		if (j >= num_keys)
-			fatal("percent_expand: unknown key %%%c", *string);
-	}
-	return (xstrdup(buf));
-#undef EXPAND_MAX_KEYS
-}
-
-/*
- * Read an entire line from a public key file into a static buffer, discarding
- * lines that exceed the buffer size.  Returns 0 on success, -1 on failure.
- */
-int
-read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
-   u_long *lineno)
-{
-	while (fgets(buf, bufsz, f) != NULL) {
-		(*lineno)++;
-		if (buf[strlen(buf) - 1] == '\n' || feof(f)) {
-			return 0;
-		} else {
-			debug("%s: %s line %lu exceeds size limit", __func__,
-			    filename, *lineno);
-			/* discard remainder of line */
-			while (fgetc(f) != '\n' && !feof(f))
-				;	/* nothing */
-		}
-	}
-	return -1;
-}
-
-int
-tun_open(int tun, int mode)
-{
-#if defined(CUSTOM_SYS_TUN_OPEN)
-	return (sys_tun_open(tun, mode));
-#elif defined(SSH_TUN_OPENBSD)
-	struct ifreq ifr;
-	char name[100];
-	int fd = -1, sock;
-
-	/* Open the tunnel device */
-	if (tun <= SSH_TUNID_MAX) {
-		snprintf(name, sizeof(name), "/dev/tun%d", tun);
-		fd = open(name, O_RDWR);
-	} else if (tun == SSH_TUNID_ANY) {
-		for (tun = 100; tun >= 0; tun--) {
-			snprintf(name, sizeof(name), "/dev/tun%d", tun);
-			if ((fd = open(name, O_RDWR)) >= 0)
-				break;
-		}
-	} else {
-		debug("%s: invalid tunnel %u", __func__, tun);
-		return (-1);
-	}
-
-	if (fd < 0) {
-		debug("%s: %s open failed: %s", __func__, name, strerror(errno));
-		return (-1);
-	}
-
-	debug("%s: %s mode %d fd %d", __func__, name, mode, fd);
-
-	/* Set the tunnel device operation mode */
-	snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "tun%d", tun);
-	if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) == -1)
-		goto failed;
-
-	if (ioctl(sock, SIOCGIFFLAGS, &ifr) == -1)
-		goto failed;
-
-	/* Set interface mode */
-	ifr.ifr_flags &= ~IFF_UP;
-	if (mode == SSH_TUNMODE_ETHERNET)
-		ifr.ifr_flags |= IFF_LINK0;
-	else
-		ifr.ifr_flags &= ~IFF_LINK0;
-	if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1)
-		goto failed;
-
-	/* Bring interface up */
-	ifr.ifr_flags |= IFF_UP;
-	if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1)
-		goto failed;
-
-	close(sock);
-	return (fd);
-
- failed:
-	if (fd >= 0)
-		close(fd);
-	if (sock >= 0)
-		close(sock);
-	debug("%s: failed to set %s mode %d: %s", __func__, name,
-	    mode, strerror(errno));
-	return (-1);
-#else
-	error("Tunnel interfaces are not supported on this platform");
-	return (-1);
-#endif
-}
-
-void
-sanitise_stdfd(void)
-{
-	int nullfd, dupfd;
-
-	if ((nullfd = dupfd = open(_PATH_DEVNULL, O_RDWR)) == -1) {
-		fprintf(stderr, "Couldn't open /dev/null: %s", strerror(errno));
-		exit(1);
-	}
-	while (++dupfd <= 2) {
-		/* Only clobber closed fds */
-		if (fcntl(dupfd, F_GETFL, 0) >= 0)
-			continue;
-		if (dup2(nullfd, dupfd) == -1) {
-			fprintf(stderr, "dup2: %s", strerror(errno));
-			exit(1);
-		}
-	}
-	if (nullfd > 2)
-		close(nullfd);
-}
-
-char *
-tohex(const void *vp, size_t l)
-{
-	const u_char *p = (const u_char *)vp;
-	char b[3], *r;
-	size_t i, hl;
-
-	if (l > 65536)
-		return xstrdup("tohex: length > 65536");
-
-	hl = l * 2 + 1;
-	r = xcalloc(1, hl);
-	for (i = 0; i < l; i++) {
-		snprintf(b, sizeof(b), "%02x", p[i]);
-		strlcat(r, b, hl);
-	}
-	return (r);
-}
-
-u_int64_t
-get_u64(const void *vp)
-{
-	const u_char *p = (const u_char *)vp;
-	u_int64_t v;
-
-	v  = (u_int64_t)p[0] << 56;
-	v |= (u_int64_t)p[1] << 48;
-	v |= (u_int64_t)p[2] << 40;
-	v |= (u_int64_t)p[3] << 32;
-	v |= (u_int64_t)p[4] << 24;
-	v |= (u_int64_t)p[5] << 16;
-	v |= (u_int64_t)p[6] << 8;
-	v |= (u_int64_t)p[7];
-
-	return (v);
-}
-
-u_int32_t
-get_u32(const void *vp)
-{
-	const u_char *p = (const u_char *)vp;
-	u_int32_t v;
-
-	v  = (u_int32_t)p[0] << 24;
-	v |= (u_int32_t)p[1] << 16;
-	v |= (u_int32_t)p[2] << 8;
-	v |= (u_int32_t)p[3];
-
-	return (v);
-}
-
-u_int16_t
-get_u16(const void *vp)
-{
-	const u_char *p = (const u_char *)vp;
-	u_int16_t v;
-
-	v  = (u_int16_t)p[0] << 8;
-	v |= (u_int16_t)p[1];
-
-	return (v);
-}
-
-void
-put_u64(void *vp, u_int64_t v)
-{
-	u_char *p = (u_char *)vp;
-
-	p[0] = (u_char)(v >> 56) & 0xff;
-	p[1] = (u_char)(v >> 48) & 0xff;
-	p[2] = (u_char)(v >> 40) & 0xff;
-	p[3] = (u_char)(v >> 32) & 0xff;
-	p[4] = (u_char)(v >> 24) & 0xff;
-	p[5] = (u_char)(v >> 16) & 0xff;
-	p[6] = (u_char)(v >> 8) & 0xff;
-	p[7] = (u_char)v & 0xff;
-}
-
-void
-put_u32(void *vp, u_int32_t v)
-{
-	u_char *p = (u_char *)vp;
-
-	p[0] = (u_char)(v >> 24) & 0xff;
-	p[1] = (u_char)(v >> 16) & 0xff;
-	p[2] = (u_char)(v >> 8) & 0xff;
-	p[3] = (u_char)v & 0xff;
-}
-
-
-void
-put_u16(void *vp, u_int16_t v)
-{
-	u_char *p = (u_char *)vp;
-
-	p[0] = (u_char)(v >> 8) & 0xff;
-	p[1] = (u_char)v & 0xff;
-}
diff --git a/crypto/openssh/misc.h b/crypto/openssh/misc.h
deleted file mode 100644
index f175b44..0000000
--- a/crypto/openssh/misc.h
+++ /dev/null
@@ -1,90 +0,0 @@
-/* $OpenBSD: misc.h,v 1.36 2006/08/18 10:27:16 djm Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#ifndef _MISC_H
-#define _MISC_H
-
-/* misc.c */
-
-char	*chop(char *);
-char	*strdelim(char **);
-int	 set_nonblock(int);
-int	 unset_nonblock(int);
-void	 set_nodelay(int);
-int	 a2port(const char *);
-int	 a2tun(const char *, int *);
-char	*put_host_port(const char *, u_short);
-char	*hpdelim(char **);
-char	*cleanhostname(char *);
-char	*colon(char *);
-long	 convtime(const char *);
-char	*tilde_expand_filename(const char *, uid_t);
-char	*percent_expand(const char *, ...) __attribute__((__sentinel__));
-char	*tohex(const void *, size_t);
-void	 sanitise_stdfd(void);
-
-struct passwd *pwcopy(struct passwd *);
-
-typedef struct arglist arglist;
-struct arglist {
-	char    **list;
-	u_int   num;
-	u_int   nalloc;
-};
-void	 addargs(arglist *, char *, ...)
-	     __attribute__((format(printf, 2, 3)));
-void	 replacearg(arglist *, u_int, char *, ...)
-	     __attribute__((format(printf, 3, 4)));
-void	 freeargs(arglist *);
-
-int	 tun_open(int, int);
-
-/* Common definitions for ssh tunnel device forwarding */
-#define SSH_TUNMODE_NO		0x00
-#define SSH_TUNMODE_POINTOPOINT	0x01
-#define SSH_TUNMODE_ETHERNET	0x02
-#define SSH_TUNMODE_DEFAULT	SSH_TUNMODE_POINTOPOINT
-#define SSH_TUNMODE_YES		(SSH_TUNMODE_POINTOPOINT|SSH_TUNMODE_ETHERNET)
-
-#define SSH_TUNID_ANY		0x7fffffff
-#define SSH_TUNID_ERR		(SSH_TUNID_ANY - 1)
-#define SSH_TUNID_MAX		(SSH_TUNID_ANY - 2)
-
-/* Functions to extract or store big-endian words of various sizes */
-u_int64_t	get_u64(const void *)
-    __attribute__((__bounded__( __minbytes__, 1, 8)));
-u_int32_t	get_u32(const void *)
-    __attribute__((__bounded__( __minbytes__, 1, 4)));
-u_int16_t	get_u16(const void *)
-    __attribute__((__bounded__( __minbytes__, 1, 2)));
-void		put_u64(void *, u_int64_t)
-    __attribute__((__bounded__( __minbytes__, 1, 8)));
-void		put_u32(void *, u_int32_t)
-    __attribute__((__bounded__( __minbytes__, 1, 4)));
-void		put_u16(void *, u_int16_t)
-    __attribute__((__bounded__( __minbytes__, 1, 2)));
-
-
-/* readpass.c */
-
-#define RP_ECHO			0x0001
-#define RP_ALLOW_STDIN		0x0002
-#define RP_ALLOW_EOF		0x0004
-#define RP_USE_ASKPASS		0x0008
-
-char	*read_passphrase(const char *, int);
-int	 ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
-int	 read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
-
-#endif /* _MISC_H */
diff --git a/crypto/openssh/mkinstalldirs b/crypto/openssh/mkinstalldirs
deleted file mode 100755
index 47d5f43..0000000
--- a/crypto/openssh/mkinstalldirs
+++ /dev/null
@@ -1,40 +0,0 @@
-#! /bin/sh
-# mkinstalldirs --- make directory hierarchy
-# Author: Noah Friedman <friedman@prep.ai.mit.edu>
-# Created: 1993-05-16
-# Public domain
-
-# $Id: mkinstalldirs,v 1.2 2003/11/21 12:48:55 djm Exp $
-
-errstatus=0
-
-for file
-do
-   set fnord `echo ":$file" | sed -ne 's/^:\//#/;s/^://;s/\// /g;s/^#/\//;p'`
-   shift
-
-   pathcomp=
-   for d
-   do
-     pathcomp="$pathcomp$d"
-     case "$pathcomp" in
-       -* ) pathcomp=./$pathcomp ;;
-     esac
-
-     if test ! -d "$pathcomp"; then
-	echo "mkdir $pathcomp"
-
-	mkdir "$pathcomp" || lasterr=$?
-
-	if test ! -d "$pathcomp"; then
-	  errstatus=$lasterr
-	fi
-     fi
-
-     pathcomp="$pathcomp/"
-   done
-done
-
-exit $errstatus
-
-# mkinstalldirs ends here
diff --git a/crypto/openssh/moduli b/crypto/openssh/moduli
deleted file mode 100644
index a12de21..0000000
--- a/crypto/openssh/moduli
+++ /dev/null
@@ -1,200 +0,0 @@
-#    $OpenBSD: moduli,v 1.3 2005/01/24 10:29:06 dtucker Exp $
-# Time Type Tests Tries Size Generator Modulus
-20040225025212 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7AFFE86A7
-20040225025304 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B01F83CB
-20040225025357 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B03F2B73
-20040225025411 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B041C8C7
-20040225025444 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B0546E93
-20040225025458 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B0573767
-20040225025522 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B0629E73
-20040225025545 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B06CD95B
-20040225025616 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B07C93A3
-20040225025655 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B093C72B
-20040225025710 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B096450B
-20040225025750 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B0AF2C83
-20040225025830 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B0C7F1FF
-20040225025845 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B0CB565B
-20040225025858 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B0CD8557
-20040225025915 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B0D20473
-20040225025934 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B0D924F7
-20040225025952 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B0DFD8BB
-20040225030015 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B0E8E59F
-20040225030039 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B0F43B0B
-20040225030104 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B0FEB103
-20040225030130 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B10AC3DB
-20040225030149 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B1122527
-20040225030214 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B11E494B
-20040225030245 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B12E727B
-20040225030319 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B1416743
-20040225030347 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B1507F2B
-20040225030404 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B1560FE3
-20040225030418 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B1591CF7
-20040225030432 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B15B57FF
-20040225030455 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B165D0AF
-20040225030511 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B169C97F
-20040225030551 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B182715B
-20040225030621 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B1920737
-20040225030648 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B19FB54B
-20040225030718 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B1AFAE87
-20040225030736 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B1B5A7AF
-20040225030753 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B1BC3C47
-20040225030815 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B1C6AF33
-20040225030831 2 6 100 1023 2 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B1CAD9FB
-20040225030902 2 6 100 1023 5 CAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7B1DC6A8F
-20040225035226 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844800C47CAB
-20040225035359 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844800D3866B
-20040225035635 2 6 100 1535 5 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844800F43DFF
-20040225035846 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF8448010B4D93
-20040225040147 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF8448013094F3
-20040225040301 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF8448013AA0FB
-20040225040619 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF84480163EC83
-20040225040718 2 6 100 1535 5 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF8448016AEB8F
-20040225041023 2 6 100 1535 5 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF84480190871F
-20040225041328 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844801B5F1B3
-20040225041740 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844801ED6FBB
-20040225041921 2 6 100 1535 5 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844801FEC44F
-20040225042229 2 6 100 1535 5 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844802245FF7
-20040225042513 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF84480246F93B
-20040225042547 2 6 100 1535 5 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844802473F4F
-20040225042707 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF84480253B03B
-20040225043111 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF84480287CD9B
-20040225043513 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844802BC32FB
-20040225043609 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844802C2125B
-20040225043847 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844802E1B733
-20040225043925 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844802E2E963
-20040225044335 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF8448031AC423
-20040225045303 2 6 100 1535 5 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844803A10E07
-20040225045443 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844803B0EF43
-20040225045518 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844803B15033
-20040225045923 2 6 100 1535 5 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844803E58317
-20040225050120 2 6 100 1535 5 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844803F9EB4F
-20040225050333 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF8448041304B3
-20040225050524 2 6 100 1535 5 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844804279B2F
-20040225050559 2 6 100 1535 5 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844804281047
-20040225050810 2 6 100 1535 5 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF8448043F454F
-20040225051113 2 6 100 1535 5 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844804672F1F
-20040225051335 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844804809CB3
-20040225051442 2 6 100 1535 5 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF84480489545F
-20040225052303 2 6 100 1535 2 FC4601920ABD76FF37FDC717EDFFEC0E539D5F7697882432A53085C95B040175503AEBD8A0FDF38D5F4EAA8EB1A22389D2CF2070F4DD47E2E8F89F4DD4ACACE4593F762DB92C479EBF1BBD4EF450A7FFAA15F75FB921B42B62466C29A993E7C7D8FD8412A4869D867E2765C2CBA0BC0F31E625B9BE1FF5421FDC2E097E0EF66F1CC9FF04AEB9341327D3468630C4E049530EF12350D51A71FDF9B6DB3CE56ED8C9FE61148F8098722A43C4F0AE29855BC9E06068D3898146ACFF844804FE918B
-20040225062215 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6B9F68B3E7
-20040225063823 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6B9FD47307
-20040225064402 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6B9FF43C0F
-20040225065646 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA04740DB
-20040225065825 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA04B01BF
-20040225070116 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA056DD47
-20040225074027 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA172E1B3
-20040225080343 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA217422F
-20040225081159 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA24927DB
-20040225081331 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA24C058B
-20040225082528 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA2993EBF
-20040225084537 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA3242BE3
-20040225085012 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA33EF643
-20040225085829 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA3729D77
-20040225090710 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA3AC0143
-20040225091002 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA3B8AE6B
-20040225092648 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA42B65D7
-20040225093120 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA4442793
-20040225093517 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA459441F
-20040225094409 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA491BE4B
-20040225095209 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA4C4E437
-20040225095548 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA4D5D7AB
-20040225100531 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA51404EB
-20040225100644 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA5145C87
-20040225101834 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA5609CBB
-20040225102317 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA57AC86F
-20040225103220 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA5B631A3
-20040225103355 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA5B98D2F
-20040225103756 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA5CEBAFB
-20040225104020 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA5D77CDF
-20040225104557 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA5F6FD9F
-20040225110302 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA66A70DF
-20040225110515 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA6721A43
-20040225110913 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA6879A53
-20040225111338 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA69FE2FB
-20040225111911 2 6 100 2047 5 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA6C04F47
-20040225112902 2 6 100 2047 2 F8F54DA4E1F232A9D05104B807DCBEA553C1E606FEB1CF149DEBB99243AAA7A354616FD95368EBCC1A58C8BCB87FB993F731400A413E07E35B1ADDD6484973E1734835FEFDC214DACA8C0844285A670D03BB3E1A5B5E14DC6F3B20EAAC8F18EB6C48AA5604F21EBEEA3C867F6CFA010858DFD589DCDEFBE8996A42F5BA00BEDFF6743F4D4E2808806965258C4E17D1B2BF371814696A2CC7C5C6548ED480AA7491A9DE16D2B12F15471B192295AA27F6D047EC2BA7547ED70674F52B4934D846712B1EA87E7FE12C5A210DEF5B3A14DBC8E712AA7192D877B4E6479F3CD69F82127E7352C19191B036A86BCF2D7D7CC687C25C5E4620295F10DCCE6BA7007CD3
-20040225143208 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8968A91B
-20040225144922 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8987DF6B
-20040225150309 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD899E0F8B
-20040225161716 2 6 100 3071 5 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8A3A91CF
-20040225163012 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8A4CED2B
-20040225175457 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8B02C5DB
-20040225182539 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8B3E9D13
-20040225194030 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8BDE269B
-20040225201420 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8C203553
-20040225203219 2 6 100 3071 5 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8C40B747
-20040225203908 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8C46ED83
-20040225210230 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8C72586B
-20040225212746 2 6 100 3071 5 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8CA15F2F
-20040225214624 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8CC34833
-20040225223007 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8D1B23AB
-20040225234913 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8DC36C9B
-20040226001353 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8DF174B3
-20040226004101 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8E24518B
-20040226010652 2 6 100 3071 5 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8E543397
-20040226015415 2 6 100 3071 5 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8EB6152F
-20040226022931 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8EFD1773
-20040226025740 2 6 100 3071 5 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD8F3376D7
-20040226053010 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD90786CE3
-20040226054156 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD908AC36B
-20040226081600 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD91D61A43
-20040226083039 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD91ED4AE3
-20040226092910 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD9265F7DB
-20040226112913 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD93696533
-20040226115826 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD93A210A3
-20040226135326 2 6 100 3071 5 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD949596D7
-20040226145128 2 6 100 3071 5 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD95096CCF
-20040226153142 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD95582C7B
-20040226164905 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD95FACE7B
-20040226171921 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD9633F443
-20040226182347 2 6 100 3071 5 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD96BAC3A7
-20040226200555 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD97972EFB
-20040226202801 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD97C0B5C3
-20040226214755 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD9868011B
-20040226215843 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD9876E7FB
-20040226220422 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD987B4983
-20040226222346 2 6 100 3071 2 EDDA2E6520E6A915FE821EA06B4E19C95EBA8092F521CDE778B7B6CCA0FD89E935C904E2FA83E37DD49C1C52120C0958B85AAEE0B1A0E36C89836CE6C5509D50ABA58C154289C129B4A12A9249589496A5381CEA2105D818DB8790C4913BAD3C4C5ADB6BE036BD44B8AFB9F607017277FA36C971E5F10D7D062354FAB31BA97B376D723451478D1BA7D2C213A2E377E6826FF2F0695A2EDF9F8107DE4FF78DD0C2EF3A715084592623C58D2B2775FC7C0CF8F745EA1C75BEA8E574B9747207357DE143B0A803829E418B8F4BB44C40481CBB086B8AC6B93CC0E989E1336A010529F5D0FC4E077F778672646C62B7371965D60822C871F97C03913DB5CE080F67A348DD1722DD7BFA0761B2BF16A925FB9FCB6DCD1BC959A8794ACAEA984E1E9AE7BB2276B9C866CC890D8A8C51A17C479DA689DAA065C019CF9B082ED67D9CF1C9753E2A4030CCC27BE34280F042384597CEA223D5FA6631E109D5A23C60312F1D4783C3403D67A0D67665F7C5BEABF0BC30514DB07D7EF2A8E07CDD989D61D3
-20040227091438 2 6 100 4095 5 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFC5737ECF
-20040227101541 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFC5AE7363
-20040227160657 2 6 100 4095 5 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFC7295F4F
-20040227180410 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFC7A46573
-20040227225950 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFC8E6D5E3
-20040227233727 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFC9079B33
-20040228032633 2 6 100 4095 5 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFCA006227
-20040228060859 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFCAAE6E63
-20040228101703 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFCBBC54FB
-20040228192850 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFCE191D13
-20040229084451 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFD1804AF3
-20040229164933 2 6 100 4095 5 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFD3887E07
-20040229210220 2 6 100 4095 5 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFD49457B7
-20040229222958 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFD4EA3223
-20040301003324 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFD566C79B
-20040301030228 2 6 100 4095 5 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFD6032D8F
-20040301040042 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFD63B1113
-20040301073501 2 6 100 4095 5 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFD71C4A67
-20040301133631 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFD8A0BBD3
-20040301165652 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFD96E4053
-20040301184021 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFD9D662FB
-20040302045553 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFDC5FE8E3
-20040302112648 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFDDFE9D13
-20040302120026 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFDE1A5AD3
-20040302130757 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFDE5E4073
-20040302142004 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFDEA4AA9B
-20040302145603 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFDEC2C32B
-20040302212946 2 6 100 4095 5 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFE0652EC7
-20040303003544 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFE127CF63
-20040303072925 2 6 100 4095 2 C7FE661FF2675517258B6E893FE81DFC29EDFB28FFE325C4F929BFAF5D0203DF5D75D966B0886A4197CC8F2EE339349DF88E73C54A315C402DF609DA61A237435167524F8EA37E5AB33E8A0C80E36DF4F6B9D6141958CC784CDDB6E2543038C9966D62AC2474786F2E2890E4935AD47BB005A6FC309817807EC9597B69858F1FBD6A1B28E897EFB6219F9FF83BEAFFD448C9F2F8C33CEA7C08242428FD75D218411E41523B688BF3D9311374E43D8963C821611BBBC91CA23968E60FB143FA0B36120657734D5C83C1C58A5A229CCDDC27875E51C358F0C8FEDDE4A11C50E0A154C80127B6FF92F496F7F2FA41D601A3EA88A3A53569AA3F3ABA5761757AC553CF57578800379C5F06082DD6088841D7BA48A58D1422B0DEC088279655C2D6380CF7097CD39565E9998785CBEB300AFFADEACA285201CBB27F48456EF7E49DE75380D0D1B4CCC28ADB8E12903473548D74A8847DAADC34315F157351C4CD507FF9B03CA6DD1C954BB75C9FD3C425FEFA76FC03FB346BE11E61B67A3AD374C1843ECA636CC7454249AB2A08B645DADCBFB48A470B1206ED20020FF0A0F5C2253187BBC2BC7F449AD58D35746E5A47B4A7BB404592C0A1F4E3BA34938C1E3C32464E1A52D3E722FA1165B72E8B438C11CFD0DB42A4081ED09F468A2E17C8D3F2BB689DC0CC831F889D7BAFC39D2A7F6C9A362E9BAE48B12FBACF34F9DFE2D793F3
-20040305011518 2 6 100 6143 2 E95A4131F86234D27EE1E51791599559EEDB618912E4FE36B81B80CDA4D497959DBFAEE929317A66BE64A328BAB6183EA5A5CBB3581490B4B613B225ADD00EFD38540356E0F4716229CDDB260283AF044FDAF1EF9248BB0CE9031C117CF15D3259B3E7B0301CA1AAC91AFA7A57CCDEED2DA4EFC2DBC7A9FC53BB4D3CB2D57D209D5DDEF25DE14F8226404296BD504EC14F6340F0AA2A1A943B9552C4B91D3EB48C08A13671C36EE5042857625DD2CB58965C0975EB775057FF82BC2B8B69D0BF26E2F80115B3E1A984D1D73D9D02AD69C3A1AF90EC915DE6FC9F574BD755B2EF6BBE62F3717E128DC797A06FE35C1C28CED57A0F64F61A4439ACFE7A7B95A1A948417A5B8B69916A32989B00E2C3FB7C74139A4DA9E533C439E59FC7C4F90780D2BBCDF012C499C15A1E0B5C318F84FB17DF97AB3EC356FD0072CFA3884EFBED319009DE6DBF2A5C7C87A93DEB04CCD9147EF8C9BEC2FD713793E4F0BF8C4EFCEBFBF95D555E523AB5D742808C4E425979A1C216C8CB2B42C7715B8CA5907E84E6FBC35DA7BFBFC892870B659C882C6E3697E0DCC6C24771F26D51A890786DA516DBC2D161680B134F1715B32F734E667650398EC2241AF78877BB3D61D83D0158DDE894862EE6E1BEE278724EA7B34C74F0A5D6B7F79F1322E20AD5757E11D9AC31BFE27C56ABB23A275130533433DC41DDBA1081E3A018E0D0B55DF33ECAE104909DC74F1CA2256CFD423A859B0AC2112A0AE684396C0029AD07D0D30AC84FFD2C2E80B74DE29310FCAFE7D0CB8864729B6FD1F86052D7DD9A9CB085A186259A67C175B3F81C5DA19AFED1BF9C5C07F40A29ED47ED4F1C7DE878B8411E3239ED15AC0E4CCC1D7F8842E9FD9C989F301E2689F800C3D14A38810906A36EEA34207014E99C843C599D56FCFBC14278A2A009C13B6E4AC7460B54D2C7EF38D72AC450540097D2AF609D3FFF874D14582FA8FF21027DEC92844BD22A9A7EC14C66BCC8DB1E058B95AF87ACB60A5725767A76C9185744E483BCCD9278ED9FF15A04061D0F6E32D98B6853A39AA498673C7DD012982B1913B3C3CE2C7080E4CE974B
-20040305043124 2 6 100 6143 2 E95A4131F86234D27EE1E51791599559EEDB618912E4FE36B81B80CDA4D497959DBFAEE929317A66BE64A328BAB6183EA5A5CBB3581490B4B613B225ADD00EFD38540356E0F4716229CDDB260283AF044FDAF1EF9248BB0CE9031C117CF15D3259B3E7B0301CA1AAC91AFA7A57CCDEED2DA4EFC2DBC7A9FC53BB4D3CB2D57D209D5DDEF25DE14F8226404296BD504EC14F6340F0AA2A1A943B9552C4B91D3EB48C08A13671C36EE5042857625DD2CB58965C0975EB775057FF82BC2B8B69D0BF26E2F80115B3E1A984D1D73D9D02AD69C3A1AF90EC915DE6FC9F574BD755B2EF6BBE62F3717E128DC797A06FE35C1C28CED57A0F64F61A4439ACFE7A7B95A1A948417A5B8B69916A32989B00E2C3FB7C74139A4DA9E533C439E59FC7C4F90780D2BBCDF012C499C15A1E0B5C318F84FB17DF97AB3EC356FD0072CFA3884EFBED319009DE6DBF2A5C7C87A93DEB04CCD9147EF8C9BEC2FD713793E4F0BF8C4EFCEBFBF95D555E523AB5D742808C4E425979A1C216C8CB2B42C7715B8CA5907E84E6FBC35DA7BFBFC892870B659C882C6E3697E0DCC6C24771F26D51A890786DA516DBC2D161680B134F1715B32F734E667650398EC2241AF78877BB3D61D83D0158DDE894862EE6E1BEE278724EA7B34C74F0A5D6B7F79F1322E20AD5757E11D9AC31BFE27C56ABB23A275130533433DC41DDBA1081E3A018E0D0B55DF33ECAE104909DC74F1CA2256CFD423A859B0AC2112A0AE684396C0029AD07D0D30AC84FFD2C2E80B74DE29310FCAFE7D0CB8864729B6FD1F86052D7DD9A9CB085A186259A67C175B3F81C5DA19AFED1BF9C5C07F40A29ED47ED4F1C7DE878B8411E3239ED15AC0E4CCC1D7F8842E9FD9C989F301E2689F800C3D14A38810906A36EEA34207014E99C843C599D56FCFBC14278A2A009C13B6E4AC7460B54D2C7EF38D72AC450540097D2AF609D3FFF874D14582FA8FF21027DEC92844BD22A9A7EC14C66BCC8DB1E058B95AF87ACB60A5725767A76C9185744E483BCCD9278ED9FF15A04061D0F6E32D98B6853A39AA498673C7DD012982B1913B3C3CE2C7080E5050933
-20040305084728 2 6 100 6143 2 E95A4131F86234D27EE1E51791599559EEDB618912E4FE36B81B80CDA4D497959DBFAEE929317A66BE64A328BAB6183EA5A5CBB3581490B4B613B225ADD00EFD38540356E0F4716229CDDB260283AF044FDAF1EF9248BB0CE9031C117CF15D3259B3E7B0301CA1AAC91AFA7A57CCDEED2DA4EFC2DBC7A9FC53BB4D3CB2D57D209D5DDEF25DE14F8226404296BD504EC14F6340F0AA2A1A943B9552C4B91D3EB48C08A13671C36EE5042857625DD2CB58965C0975EB775057FF82BC2B8B69D0BF26E2F80115B3E1A984D1D73D9D02AD69C3A1AF90EC915DE6FC9F574BD755B2EF6BBE62F3717E128DC797A06FE35C1C28CED57A0F64F61A4439ACFE7A7B95A1A948417A5B8B69916A32989B00E2C3FB7C74139A4DA9E533C439E59FC7C4F90780D2BBCDF012C499C15A1E0B5C318F84FB17DF97AB3EC356FD0072CFA3884EFBED319009DE6DBF2A5C7C87A93DEB04CCD9147EF8C9BEC2FD713793E4F0BF8C4EFCEBFBF95D555E523AB5D742808C4E425979A1C216C8CB2B42C7715B8CA5907E84E6FBC35DA7BFBFC892870B659C882C6E3697E0DCC6C24771F26D51A890786DA516DBC2D161680B134F1715B32F734E667650398EC2241AF78877BB3D61D83D0158DDE894862EE6E1BEE278724EA7B34C74F0A5D6B7F79F1322E20AD5757E11D9AC31BFE27C56ABB23A275130533433DC41DDBA1081E3A018E0D0B55DF33ECAE104909DC74F1CA2256CFD423A859B0AC2112A0AE684396C0029AD07D0D30AC84FFD2C2E80B74DE29310FCAFE7D0CB8864729B6FD1F86052D7DD9A9CB085A186259A67C175B3F81C5DA19AFED1BF9C5C07F40A29ED47ED4F1C7DE878B8411E3239ED15AC0E4CCC1D7F8842E9FD9C989F301E2689F800C3D14A38810906A36EEA34207014E99C843C599D56FCFBC14278A2A009C13B6E4AC7460B54D2C7EF38D72AC450540097D2AF609D3FFF874D14582FA8FF21027DEC92844BD22A9A7EC14C66BCC8DB1E058B95AF87ACB60A5725767A76C9185744E483BCCD9278ED9FF15A04061D0F6E32D98B6853A39AA498673C7DD012982B1913B3C3CE2C7080E54C7783
-20040306205350 2 6 100 6143 2 E95A4131F86234D27EE1E51791599559EEDB618912E4FE36B81B80CDA4D497959DBFAEE929317A66BE64A328BAB6183EA5A5CBB3581490B4B613B225ADD00EFD38540356E0F4716229CDDB260283AF044FDAF1EF9248BB0CE9031C117CF15D3259B3E7B0301CA1AAC91AFA7A57CCDEED2DA4EFC2DBC7A9FC53BB4D3CB2D57D209D5DDEF25DE14F8226404296BD504EC14F6340F0AA2A1A943B9552C4B91D3EB48C08A13671C36EE5042857625DD2CB58965C0975EB775057FF82BC2B8B69D0BF26E2F80115B3E1A984D1D73D9D02AD69C3A1AF90EC915DE6FC9F574BD755B2EF6BBE62F3717E128DC797A06FE35C1C28CED57A0F64F61A4439ACFE7A7B95A1A948417A5B8B69916A32989B00E2C3FB7C74139A4DA9E533C439E59FC7C4F90780D2BBCDF012C499C15A1E0B5C318F84FB17DF97AB3EC356FD0072CFA3884EFBED319009DE6DBF2A5C7C87A93DEB04CCD9147EF8C9BEC2FD713793E4F0BF8C4EFCEBFBF95D555E523AB5D742808C4E425979A1C216C8CB2B42C7715B8CA5907E84E6FBC35DA7BFBFC892870B659C882C6E3697E0DCC6C24771F26D51A890786DA516DBC2D161680B134F1715B32F734E667650398EC2241AF78877BB3D61D83D0158DDE894862EE6E1BEE278724EA7B34C74F0A5D6B7F79F1322E20AD5757E11D9AC31BFE27C56ABB23A275130533433DC41DDBA1081E3A018E0D0B55DF33ECAE104909DC74F1CA2256CFD423A859B0AC2112A0AE684396C0029AD07D0D30AC84FFD2C2E80B74DE29310FCAFE7D0CB8864729B6FD1F86052D7DD9A9CB085A186259A67C175B3F81C5DA19AFED1BF9C5C07F40A29ED47ED4F1C7DE878B8411E3239ED15AC0E4CCC1D7F8842E9FD9C989F301E2689F800C3D14A38810906A36EEA34207014E99C843C599D56FCFBC14278A2A009C13B6E4AC7460B54D2C7EF38D72AC450540097D2AF609D3FFF874D14582FA8FF21027DEC92844BD22A9A7EC14C66BCC8DB1E058B95AF87ACB60A5725767A76C9185744E483BCCD9278ED9FF15A04061D0F6E32D98B6853A39AA498673C7DD012982B1913B3C3CE2C7080E809C413
-20040309221333 2 6 100 6143 2 E95A4131F86234D27EE1E51791599559EEDB618912E4FE36B81B80CDA4D497959DBFAEE929317A66BE64A328BAB6183EA5A5CBB3581490B4B613B225ADD00EFD38540356E0F4716229CDDB260283AF044FDAF1EF9248BB0CE9031C117CF15D3259B3E7B0301CA1AAC91AFA7A57CCDEED2DA4EFC2DBC7A9FC53BB4D3CB2D57D209D5DDEF25DE14F8226404296BD504EC14F6340F0AA2A1A943B9552C4B91D3EB48C08A13671C36EE5042857625DD2CB58965C0975EB775057FF82BC2B8B69D0BF26E2F80115B3E1A984D1D73D9D02AD69C3A1AF90EC915DE6FC9F574BD755B2EF6BBE62F3717E128DC797A06FE35C1C28CED57A0F64F61A4439ACFE7A7B95A1A948417A5B8B69916A32989B00E2C3FB7C74139A4DA9E533C439E59FC7C4F90780D2BBCDF012C499C15A1E0B5C318F84FB17DF97AB3EC356FD0072CFA3884EFBED319009DE6DBF2A5C7C87A93DEB04CCD9147EF8C9BEC2FD713793E4F0BF8C4EFCEBFBF95D555E523AB5D742808C4E425979A1C216C8CB2B42C7715B8CA5907E84E6FBC35DA7BFBFC892870B659C882C6E3697E0DCC6C24771F26D51A890786DA516DBC2D161680B134F1715B32F734E667650398EC2241AF78877BB3D61D83D0158DDE894862EE6E1BEE278724EA7B34C74F0A5D6B7F79F1322E20AD5757E11D9AC31BFE27C56ABB23A275130533433DC41DDBA1081E3A018E0D0B55DF33ECAE104909DC74F1CA2256CFD423A859B0AC2112A0AE684396C0029AD07D0D30AC84FFD2C2E80B74DE29310FCAFE7D0CB8864729B6FD1F86052D7DD9A9CB085A186259A67C175B3F81C5DA19AFED1BF9C5C07F40A29ED47ED4F1C7DE878B8411E3239ED15AC0E4CCC1D7F8842E9FD9C989F301E2689F800C3D14A38810906A36EEA34207014E99C843C599D56FCFBC14278A2A009C13B6E4AC7460B54D2C7EF38D72AC450540097D2AF609D3FFF874D14582FA8FF21027DEC92844BD22A9A7EC14C66BCC8DB1E058B95AF87ACB60A5725767A76C9185744E483BCCD9278ED9FF15A04061D0F6E32D98B6853A39AA498673C7DD012982B1913B3C3CE2C7080ED7F9CFB
-20040311222059 2 6 100 6143 5 E95A4131F86234D27EE1E51791599559EEDB618912E4FE36B81B80CDA4D497959DBFAEE929317A66BE64A328BAB6183EA5A5CBB3581490B4B613B225ADD00EFD38540356E0F4716229CDDB260283AF044FDAF1EF9248BB0CE9031C117CF15D3259B3E7B0301CA1AAC91AFA7A57CCDEED2DA4EFC2DBC7A9FC53BB4D3CB2D57D209D5DDEF25DE14F8226404296BD504EC14F6340F0AA2A1A943B9552C4B91D3EB48C08A13671C36EE5042857625DD2CB58965C0975EB775057FF82BC2B8B69D0BF26E2F80115B3E1A984D1D73D9D02AD69C3A1AF90EC915DE6FC9F574BD755B2EF6BBE62F3717E128DC797A06FE35C1C28CED57A0F64F61A4439ACFE7A7B95A1A948417A5B8B69916A32989B00E2C3FB7C74139A4DA9E533C439E59FC7C4F90780D2BBCDF012C499C15A1E0B5C318F84FB17DF97AB3EC356FD0072CFA3884EFBED319009DE6DBF2A5C7C87A93DEB04CCD9147EF8C9BEC2FD713793E4F0BF8C4EFCEBFBF95D555E523AB5D742808C4E425979A1C216C8CB2B42C7715B8CA5907E84E6FBC35DA7BFBFC892870B659C882C6E3697E0DCC6C24771F26D51A890786DA516DBC2D161680B134F1715B32F734E667650398EC2241AF78877BB3D61D83D0158DDE894862EE6E1BEE278724EA7B34C74F0A5D6B7F79F1322E20AD5757E11D9AC31BFE27C56ABB23A275130533433DC41DDBA1081E3A018E0D0B55DF33ECAE104909DC74F1CA2256CFD423A859B0AC2112A0AE684396C0029AD07D0D30AC84FFD2C2E80B74DE29310FCAFE7D0CB8864729B6FD1F86052D7DD9A9CB085A186259A67C175B3F81C5DA19AFED1BF9C5C07F40A29ED47ED4F1C7DE878B8411E3239ED15AC0E4CCC1D7F8842E9FD9C989F301E2689F800C3D14A38810906A36EEA34207014E99C843C599D56FCFBC14278A2A009C13B6E4AC7460B54D2C7EF38D72AC450540097D2AF609D3FFF874D14582FA8FF21027DEC92844BD22A9A7EC14C66BCC8DB1E058B95AF87ACB60A5725767A76C9185744E483BCCD9278ED9FF15A04061D0F6E32D98B6853A39AA498673C7DD012982B1913B3C3CE2C7080F103209F
-20040312160304 2 6 100 6143 2 E95A4131F86234D27EE1E51791599559EEDB618912E4FE36B81B80CDA4D497959DBFAEE929317A66BE64A328BAB6183EA5A5CBB3581490B4B613B225ADD00EFD38540356E0F4716229CDDB260283AF044FDAF1EF9248BB0CE9031C117CF15D3259B3E7B0301CA1AAC91AFA7A57CCDEED2DA4EFC2DBC7A9FC53BB4D3CB2D57D209D5DDEF25DE14F8226404296BD504EC14F6340F0AA2A1A943B9552C4B91D3EB48C08A13671C36EE5042857625DD2CB58965C0975EB775057FF82BC2B8B69D0BF26E2F80115B3E1A984D1D73D9D02AD69C3A1AF90EC915DE6FC9F574BD755B2EF6BBE62F3717E128DC797A06FE35C1C28CED57A0F64F61A4439ACFE7A7B95A1A948417A5B8B69916A32989B00E2C3FB7C74139A4DA9E533C439E59FC7C4F90780D2BBCDF012C499C15A1E0B5C318F84FB17DF97AB3EC356FD0072CFA3884EFBED319009DE6DBF2A5C7C87A93DEB04CCD9147EF8C9BEC2FD713793E4F0BF8C4EFCEBFBF95D555E523AB5D742808C4E425979A1C216C8CB2B42C7715B8CA5907E84E6FBC35DA7BFBFC892870B659C882C6E3697E0DCC6C24771F26D51A890786DA516DBC2D161680B134F1715B32F734E667650398EC2241AF78877BB3D61D83D0158DDE894862EE6E1BEE278724EA7B34C74F0A5D6B7F79F1322E20AD5757E11D9AC31BFE27C56ABB23A275130533433DC41DDBA1081E3A018E0D0B55DF33ECAE104909DC74F1CA2256CFD423A859B0AC2112A0AE684396C0029AD07D0D30AC84FFD2C2E80B74DE29310FCAFE7D0CB8864729B6FD1F86052D7DD9A9CB085A186259A67C175B3F81C5DA19AFED1BF9C5C07F40A29ED47ED4F1C7DE878B8411E3239ED15AC0E4CCC1D7F8842E9FD9C989F301E2689F800C3D14A38810906A36EEA34207014E99C843C599D56FCFBC14278A2A009C13B6E4AC7460B54D2C7EF38D72AC450540097D2AF609D3FFF874D14582FA8FF21027DEC92844BD22A9A7EC14C66BCC8DB1E058B95AF87ACB60A5725767A76C9185744E483BCCD9278ED9FF15A04061D0F6E32D98B6853A39AA498673C7DD012982B1913B3C3CE2C7080F247861B
-20040312210904 2 6 100 6143 5 E95A4131F86234D27EE1E51791599559EEDB618912E4FE36B81B80CDA4D497959DBFAEE929317A66BE64A328BAB6183EA5A5CBB3581490B4B613B225ADD00EFD38540356E0F4716229CDDB260283AF044FDAF1EF9248BB0CE9031C117CF15D3259B3E7B0301CA1AAC91AFA7A57CCDEED2DA4EFC2DBC7A9FC53BB4D3CB2D57D209D5DDEF25DE14F8226404296BD504EC14F6340F0AA2A1A943B9552C4B91D3EB48C08A13671C36EE5042857625DD2CB58965C0975EB775057FF82BC2B8B69D0BF26E2F80115B3E1A984D1D73D9D02AD69C3A1AF90EC915DE6FC9F574BD755B2EF6BBE62F3717E128DC797A06FE35C1C28CED57A0F64F61A4439ACFE7A7B95A1A948417A5B8B69916A32989B00E2C3FB7C74139A4DA9E533C439E59FC7C4F90780D2BBCDF012C499C15A1E0B5C318F84FB17DF97AB3EC356FD0072CFA3884EFBED319009DE6DBF2A5C7C87A93DEB04CCD9147EF8C9BEC2FD713793E4F0BF8C4EFCEBFBF95D555E523AB5D742808C4E425979A1C216C8CB2B42C7715B8CA5907E84E6FBC35DA7BFBFC892870B659C882C6E3697E0DCC6C24771F26D51A890786DA516DBC2D161680B134F1715B32F734E667650398EC2241AF78877BB3D61D83D0158DDE894862EE6E1BEE278724EA7B34C74F0A5D6B7F79F1322E20AD5757E11D9AC31BFE27C56ABB23A275130533433DC41DDBA1081E3A018E0D0B55DF33ECAE104909DC74F1CA2256CFD423A859B0AC2112A0AE684396C0029AD07D0D30AC84FFD2C2E80B74DE29310FCAFE7D0CB8864729B6FD1F86052D7DD9A9CB085A186259A67C175B3F81C5DA19AFED1BF9C5C07F40A29ED47ED4F1C7DE878B8411E3239ED15AC0E4CCC1D7F8842E9FD9C989F301E2689F800C3D14A38810906A36EEA34207014E99C843C599D56FCFBC14278A2A009C13B6E4AC7460B54D2C7EF38D72AC450540097D2AF609D3FFF874D14582FA8FF21027DEC92844BD22A9A7EC14C66BCC8DB1E058B95AF87ACB60A5725767A76C9185744E483BCCD9278ED9FF15A04061D0F6E32D98B6853A39AA498673C7DD012982B1913B3C3CE2C7080F29D939F
-20040316074005 2 6 100 6143 2 E95A4131F86234D27EE1E51791599559EEDB618912E4FE36B81B80CDA4D497959DBFAEE929317A66BE64A328BAB6183EA5A5CBB3581490B4B613B225ADD00EFD38540356E0F4716229CDDB260283AF044FDAF1EF9248BB0CE9031C117CF15D3259B3E7B0301CA1AAC91AFA7A57CCDEED2DA4EFC2DBC7A9FC53BB4D3CB2D57D209D5DDEF25DE14F8226404296BD504EC14F6340F0AA2A1A943B9552C4B91D3EB48C08A13671C36EE5042857625DD2CB58965C0975EB775057FF82BC2B8B69D0BF26E2F80115B3E1A984D1D73D9D02AD69C3A1AF90EC915DE6FC9F574BD755B2EF6BBE62F3717E128DC797A06FE35C1C28CED57A0F64F61A4439ACFE7A7B95A1A948417A5B8B69916A32989B00E2C3FB7C74139A4DA9E533C439E59FC7C4F90780D2BBCDF012C499C15A1E0B5C318F84FB17DF97AB3EC356FD0072CFA3884EFBED319009DE6DBF2A5C7C87A93DEB04CCD9147EF8C9BEC2FD713793E4F0BF8C4EFCEBFBF95D555E523AB5D742808C4E425979A1C216C8CB2B42C7715B8CA5907E84E6FBC35DA7BFBFC892870B659C882C6E3697E0DCC6C24771F26D51A890786DA516DBC2D161680B134F1715B32F734E667650398EC2241AF78877BB3D61D83D0158DDE894862EE6E1BEE278724EA7B34C74F0A5D6B7F79F1322E20AD5757E11D9AC31BFE27C56ABB23A275130533433DC41DDBA1081E3A018E0D0B55DF33ECAE104909DC74F1CA2256CFD423A859B0AC2112A0AE684396C0029AD07D0D30AC84FFD2C2E80B74DE29310FCAFE7D0CB8864729B6FD1F86052D7DD9A9CB085A186259A67C175B3F81C5DA19AFED1BF9C5C07F40A29ED47ED4F1C7DE878B8411E3239ED15AC0E4CCC1D7F8842E9FD9C989F301E2689F800C3D14A38810906A36EEA34207014E99C843C599D56FCFBC14278A2A009C13B6E4AC7460B54D2C7EF38D72AC450540097D2AF609D3FFF874D14582FA8FF21027DEC92844BD22A9A7EC14C66BCC8DB1E058B95AF87ACB60A5725767A76C9185744E483BCCD9278ED9FF15A04061D0F6E32D98B6853A39AA498673C7DD012982B1913B3C3CE2C7080F8B1F7DB
-20040317113309 2 6 100 6143 2 E95A4131F86234D27EE1E51791599559EEDB618912E4FE36B81B80CDA4D497959DBFAEE929317A66BE64A328BAB6183EA5A5CBB3581490B4B613B225ADD00EFD38540356E0F4716229CDDB260283AF044FDAF1EF9248BB0CE9031C117CF15D3259B3E7B0301CA1AAC91AFA7A57CCDEED2DA4EFC2DBC7A9FC53BB4D3CB2D57D209D5DDEF25DE14F8226404296BD504EC14F6340F0AA2A1A943B9552C4B91D3EB48C08A13671C36EE5042857625DD2CB58965C0975EB775057FF82BC2B8B69D0BF26E2F80115B3E1A984D1D73D9D02AD69C3A1AF90EC915DE6FC9F574BD755B2EF6BBE62F3717E128DC797A06FE35C1C28CED57A0F64F61A4439ACFE7A7B95A1A948417A5B8B69916A32989B00E2C3FB7C74139A4DA9E533C439E59FC7C4F90780D2BBCDF012C499C15A1E0B5C318F84FB17DF97AB3EC356FD0072CFA3884EFBED319009DE6DBF2A5C7C87A93DEB04CCD9147EF8C9BEC2FD713793E4F0BF8C4EFCEBFBF95D555E523AB5D742808C4E425979A1C216C8CB2B42C7715B8CA5907E84E6FBC35DA7BFBFC892870B659C882C6E3697E0DCC6C24771F26D51A890786DA516DBC2D161680B134F1715B32F734E667650398EC2241AF78877BB3D61D83D0158DDE894862EE6E1BEE278724EA7B34C74F0A5D6B7F79F1322E20AD5757E11D9AC31BFE27C56ABB23A275130533433DC41DDBA1081E3A018E0D0B55DF33ECAE104909DC74F1CA2256CFD423A859B0AC2112A0AE684396C0029AD07D0D30AC84FFD2C2E80B74DE29310FCAFE7D0CB8864729B6FD1F86052D7DD9A9CB085A186259A67C175B3F81C5DA19AFED1BF9C5C07F40A29ED47ED4F1C7DE878B8411E3239ED15AC0E4CCC1D7F8842E9FD9C989F301E2689F800C3D14A38810906A36EEA34207014E99C843C599D56FCFBC14278A2A009C13B6E4AC7460B54D2C7EF38D72AC450540097D2AF609D3FFF874D14582FA8FF21027DEC92844BD22A9A7EC14C66BCC8DB1E058B95AF87ACB60A5725767A76C9185744E483BCCD9278ED9FF15A04061D0F6E32D98B6853A39AA498673C7DD012982B1913B3C3CE2C7080FAAE1F73
-20040317195246 2 6 100 6143 2 E95A4131F86234D27EE1E51791599559EEDB618912E4FE36B81B80CDA4D497959DBFAEE929317A66BE64A328BAB6183EA5A5CBB3581490B4B613B225ADD00EFD38540356E0F4716229CDDB260283AF044FDAF1EF9248BB0CE9031C117CF15D3259B3E7B0301CA1AAC91AFA7A57CCDEED2DA4EFC2DBC7A9FC53BB4D3CB2D57D209D5DDEF25DE14F8226404296BD504EC14F6340F0AA2A1A943B9552C4B91D3EB48C08A13671C36EE5042857625DD2CB58965C0975EB775057FF82BC2B8B69D0BF26E2F80115B3E1A984D1D73D9D02AD69C3A1AF90EC915DE6FC9F574BD755B2EF6BBE62F3717E128DC797A06FE35C1C28CED57A0F64F61A4439ACFE7A7B95A1A948417A5B8B69916A32989B00E2C3FB7C74139A4DA9E533C439E59FC7C4F90780D2BBCDF012C499C15A1E0B5C318F84FB17DF97AB3EC356FD0072CFA3884EFBED319009DE6DBF2A5C7C87A93DEB04CCD9147EF8C9BEC2FD713793E4F0BF8C4EFCEBFBF95D555E523AB5D742808C4E425979A1C216C8CB2B42C7715B8CA5907E84E6FBC35DA7BFBFC892870B659C882C6E3697E0DCC6C24771F26D51A890786DA516DBC2D161680B134F1715B32F734E667650398EC2241AF78877BB3D61D83D0158DDE894862EE6E1BEE278724EA7B34C74F0A5D6B7F79F1322E20AD5757E11D9AC31BFE27C56ABB23A275130533433DC41DDBA1081E3A018E0D0B55DF33ECAE104909DC74F1CA2256CFD423A859B0AC2112A0AE684396C0029AD07D0D30AC84FFD2C2E80B74DE29310FCAFE7D0CB8864729B6FD1F86052D7DD9A9CB085A186259A67C175B3F81C5DA19AFED1BF9C5C07F40A29ED47ED4F1C7DE878B8411E3239ED15AC0E4CCC1D7F8842E9FD9C989F301E2689F800C3D14A38810906A36EEA34207014E99C843C599D56FCFBC14278A2A009C13B6E4AC7460B54D2C7EF38D72AC450540097D2AF609D3FFF874D14582FA8FF21027DEC92844BD22A9A7EC14C66BCC8DB1E058B95AF87ACB60A5725767A76C9185744E483BCCD9278ED9FF15A04061D0F6E32D98B6853A39AA498673C7DD012982B1913B3C3CE2C7080FB3F2B93
-20040319025848 2 6 100 6143 2 E95A4131F86234D27EE1E51791599559EEDB618912E4FE36B81B80CDA4D497959DBFAEE929317A66BE64A328BAB6183EA5A5CBB3581490B4B613B225ADD00EFD38540356E0F4716229CDDB260283AF044FDAF1EF9248BB0CE9031C117CF15D3259B3E7B0301CA1AAC91AFA7A57CCDEED2DA4EFC2DBC7A9FC53BB4D3CB2D57D209D5DDEF25DE14F8226404296BD504EC14F6340F0AA2A1A943B9552C4B91D3EB48C08A13671C36EE5042857625DD2CB58965C0975EB775057FF82BC2B8B69D0BF26E2F80115B3E1A984D1D73D9D02AD69C3A1AF90EC915DE6FC9F574BD755B2EF6BBE62F3717E128DC797A06FE35C1C28CED57A0F64F61A4439ACFE7A7B95A1A948417A5B8B69916A32989B00E2C3FB7C74139A4DA9E533C439E59FC7C4F90780D2BBCDF012C499C15A1E0B5C318F84FB17DF97AB3EC356FD0072CFA3884EFBED319009DE6DBF2A5C7C87A93DEB04CCD9147EF8C9BEC2FD713793E4F0BF8C4EFCEBFBF95D555E523AB5D742808C4E425979A1C216C8CB2B42C7715B8CA5907E84E6FBC35DA7BFBFC892870B659C882C6E3697E0DCC6C24771F26D51A890786DA516DBC2D161680B134F1715B32F734E667650398EC2241AF78877BB3D61D83D0158DDE894862EE6E1BEE278724EA7B34C74F0A5D6B7F79F1322E20AD5757E11D9AC31BFE27C56ABB23A275130533433DC41DDBA1081E3A018E0D0B55DF33ECAE104909DC74F1CA2256CFD423A859B0AC2112A0AE684396C0029AD07D0D30AC84FFD2C2E80B74DE29310FCAFE7D0CB8864729B6FD1F86052D7DD9A9CB085A186259A67C175B3F81C5DA19AFED1BF9C5C07F40A29ED47ED4F1C7DE878B8411E3239ED15AC0E4CCC1D7F8842E9FD9C989F301E2689F800C3D14A38810906A36EEA34207014E99C843C599D56FCFBC14278A2A009C13B6E4AC7460B54D2C7EF38D72AC450540097D2AF609D3FFF874D14582FA8FF21027DEC92844BD22A9A7EC14C66BCC8DB1E058B95AF87ACB60A5725767A76C9185744E483BCCD9278ED9FF15A04061D0F6E32D98B6853A39AA498673C7DD012982B1913B3C3CE2C7080FD81741B
-20040323194658 2 6 100 6143 5 E95A4131F86234D27EE1E51791599559EEDB618912E4FE36B81B80CDA4D497959DBFAEE929317A66BE64A328BAB6183EA5A5CBB3581490B4B613B225ADD00EFD38540356E0F4716229CDDB260283AF044FDAF1EF9248BB0CE9031C117CF15D3259B3E7B0301CA1AAC91AFA7A57CCDEED2DA4EFC2DBC7A9FC53BB4D3CB2D57D209D5DDEF25DE14F8226404296BD504EC14F6340F0AA2A1A943B9552C4B91D3EB48C08A13671C36EE5042857625DD2CB58965C0975EB775057FF82BC2B8B69D0BF26E2F80115B3E1A984D1D73D9D02AD69C3A1AF90EC915DE6FC9F574BD755B2EF6BBE62F3717E128DC797A06FE35C1C28CED57A0F64F61A4439ACFE7A7B95A1A948417A5B8B69916A32989B00E2C3FB7C74139A4DA9E533C439E59FC7C4F90780D2BBCDF012C499C15A1E0B5C318F84FB17DF97AB3EC356FD0072CFA3884EFBED319009DE6DBF2A5C7C87A93DEB04CCD9147EF8C9BEC2FD713793E4F0BF8C4EFCEBFBF95D555E523AB5D742808C4E425979A1C216C8CB2B42C7715B8CA5907E84E6FBC35DA7BFBFC892870B659C882C6E3697E0DCC6C24771F26D51A890786DA516DBC2D161680B134F1715B32F734E667650398EC2241AF78877BB3D61D83D0158DDE894862EE6E1BEE278724EA7B34C74F0A5D6B7F79F1322E20AD5757E11D9AC31BFE27C56ABB23A275130533433DC41DDBA1081E3A018E0D0B55DF33ECAE104909DC74F1CA2256CFD423A859B0AC2112A0AE684396C0029AD07D0D30AC84FFD2C2E80B74DE29310FCAFE7D0CB8864729B6FD1F86052D7DD9A9CB085A186259A67C175B3F81C5DA19AFED1BF9C5C07F40A29ED47ED4F1C7DE878B8411E3239ED15AC0E4CCC1D7F8842E9FD9C989F301E2689F800C3D14A38810906A36EEA34207014E99C843C599D56FCFBC14278A2A009C13B6E4AC7460B54D2C7EF38D72AC450540097D2AF609D3FFF874D14582FA8FF21027DEC92844BD22A9A7EC14C66BCC8DB1E058B95AF87ACB60A5725767A76C9185744E483BCCD9278ED9FF15A04061D0F6E32D98B6853A39AA498673C7DD012982B1913B3C3CE2C708105AF04AF
-20040324041535 2 6 100 6143 5 E95A4131F86234D27EE1E51791599559EEDB618912E4FE36B81B80CDA4D497959DBFAEE929317A66BE64A328BAB6183EA5A5CBB3581490B4B613B225ADD00EFD38540356E0F4716229CDDB260283AF044FDAF1EF9248BB0CE9031C117CF15D3259B3E7B0301CA1AAC91AFA7A57CCDEED2DA4EFC2DBC7A9FC53BB4D3CB2D57D209D5DDEF25DE14F8226404296BD504EC14F6340F0AA2A1A943B9552C4B91D3EB48C08A13671C36EE5042857625DD2CB58965C0975EB775057FF82BC2B8B69D0BF26E2F80115B3E1A984D1D73D9D02AD69C3A1AF90EC915DE6FC9F574BD755B2EF6BBE62F3717E128DC797A06FE35C1C28CED57A0F64F61A4439ACFE7A7B95A1A948417A5B8B69916A32989B00E2C3FB7C74139A4DA9E533C439E59FC7C4F90780D2BBCDF012C499C15A1E0B5C318F84FB17DF97AB3EC356FD0072CFA3884EFBED319009DE6DBF2A5C7C87A93DEB04CCD9147EF8C9BEC2FD713793E4F0BF8C4EFCEBFBF95D555E523AB5D742808C4E425979A1C216C8CB2B42C7715B8CA5907E84E6FBC35DA7BFBFC892870B659C882C6E3697E0DCC6C24771F26D51A890786DA516DBC2D161680B134F1715B32F734E667650398EC2241AF78877BB3D61D83D0158DDE894862EE6E1BEE278724EA7B34C74F0A5D6B7F79F1322E20AD5757E11D9AC31BFE27C56ABB23A275130533433DC41DDBA1081E3A018E0D0B55DF33ECAE104909DC74F1CA2256CFD423A859B0AC2112A0AE684396C0029AD07D0D30AC84FFD2C2E80B74DE29310FCAFE7D0CB8864729B6FD1F86052D7DD9A9CB085A186259A67C175B3F81C5DA19AFED1BF9C5C07F40A29ED47ED4F1C7DE878B8411E3239ED15AC0E4CCC1D7F8842E9FD9C989F301E2689F800C3D14A38810906A36EEA34207014E99C843C599D56FCFBC14278A2A009C13B6E4AC7460B54D2C7EF38D72AC450540097D2AF609D3FFF874D14582FA8FF21027DEC92844BD22A9A7EC14C66BCC8DB1E058B95AF87ACB60A5725767A76C9185744E483BCCD9278ED9FF15A04061D0F6E32D98B6853A39AA498673C7DD012982B1913B3C3CE2C70810643E737
diff --git a/crypto/openssh/moduli.c b/crypto/openssh/moduli.c
deleted file mode 100644
index 44e5ddf..0000000
--- a/crypto/openssh/moduli.c
+++ /dev/null
@@ -1,669 +0,0 @@
-/* $OpenBSD: moduli.c,v 1.19 2006/11/06 21:25:28 markus Exp $ */
-/*
- * Copyright 1994 Phil Karn <karn@qualcomm.com>
- * Copyright 1996-1998, 2003 William Allen Simpson <wsimpson@greendragon.com>
- * Copyright 2000 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Two-step process to generate safe primes for DHGEX
- *
- *  Sieve candidates for "safe" primes,
- *  suitable for use as Diffie-Hellman moduli;
- *  that is, where q = (p-1)/2 is also prime.
- *
- * First step: generate candidate primes (memory intensive)
- * Second step: test primes' safety (processor intensive)
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <openssl/bn.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <stdarg.h>
-#include <time.h>
-
-#include "xmalloc.h"
-#include "log.h"
-
-/*
- * File output defines
- */
-
-/* need line long enough for largest moduli plus headers */
-#define QLINESIZE		(100+8192)
-
-/* Type: decimal.
- * Specifies the internal structure of the prime modulus.
- */
-#define QTYPE_UNKNOWN		(0)
-#define QTYPE_UNSTRUCTURED	(1)
-#define QTYPE_SAFE		(2)
-#define QTYPE_SCHNORR		(3)
-#define QTYPE_SOPHIE_GERMAIN	(4)
-#define QTYPE_STRONG		(5)
-
-/* Tests: decimal (bit field).
- * Specifies the methods used in checking for primality.
- * Usually, more than one test is used.
- */
-#define QTEST_UNTESTED		(0x00)
-#define QTEST_COMPOSITE		(0x01)
-#define QTEST_SIEVE		(0x02)
-#define QTEST_MILLER_RABIN	(0x04)
-#define QTEST_JACOBI		(0x08)
-#define QTEST_ELLIPTIC		(0x10)
-
-/*
- * Size: decimal.
- * Specifies the number of the most significant bit (0 to M).
- * WARNING: internally, usually 1 to N.
- */
-#define QSIZE_MINIMUM		(511)
-
-/*
- * Prime sieving defines
- */
-
-/* Constant: assuming 8 bit bytes and 32 bit words */
-#define SHIFT_BIT	(3)
-#define SHIFT_BYTE	(2)
-#define SHIFT_WORD	(SHIFT_BIT+SHIFT_BYTE)
-#define SHIFT_MEGABYTE	(20)
-#define SHIFT_MEGAWORD	(SHIFT_MEGABYTE-SHIFT_BYTE)
-
-/*
- * Using virtual memory can cause thrashing.  This should be the largest
- * number that is supported without a large amount of disk activity --
- * that would increase the run time from hours to days or weeks!
- */
-#define LARGE_MINIMUM	(8UL)	/* megabytes */
-
-/*
- * Do not increase this number beyond the unsigned integer bit size.
- * Due to a multiple of 4, it must be LESS than 128 (yielding 2**30 bits).
- */
-#define LARGE_MAXIMUM	(127UL)	/* megabytes */
-
-/*
- * Constant: when used with 32-bit integers, the largest sieve prime
- * has to be less than 2**32.
- */
-#define SMALL_MAXIMUM	(0xffffffffUL)
-
-/* Constant: can sieve all primes less than 2**32, as 65537**2 > 2**32-1. */
-#define TINY_NUMBER	(1UL<<16)
-
-/* Ensure enough bit space for testing 2*q. */
-#define TEST_MAXIMUM	(1UL<<16)
-#define TEST_MINIMUM	(QSIZE_MINIMUM + 1)
-/* real TEST_MINIMUM	(1UL << (SHIFT_WORD - TEST_POWER)) */
-#define TEST_POWER	(3)	/* 2**n, n < SHIFT_WORD */
-
-/* bit operations on 32-bit words */
-#define BIT_CLEAR(a,n)	((a)[(n)>>SHIFT_WORD] &= ~(1L << ((n) & 31)))
-#define BIT_SET(a,n)	((a)[(n)>>SHIFT_WORD] |= (1L << ((n) & 31)))
-#define BIT_TEST(a,n)	((a)[(n)>>SHIFT_WORD] & (1L << ((n) & 31)))
-
-/*
- * Prime testing defines
- */
-
-/* Minimum number of primality tests to perform */
-#define TRIAL_MINIMUM	(4)
-
-/*
- * Sieving data (XXX - move to struct)
- */
-
-/* sieve 2**16 */
-static u_int32_t *TinySieve, tinybits;
-
-/* sieve 2**30 in 2**16 parts */
-static u_int32_t *SmallSieve, smallbits, smallbase;
-
-/* sieve relative to the initial value */
-static u_int32_t *LargeSieve, largewords, largetries, largenumbers;
-static u_int32_t largebits, largememory;	/* megabytes */
-static BIGNUM *largebase;
-
-int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);
-int prime_test(FILE *, FILE *, u_int32_t, u_int32_t);
-
-/*
- * print moduli out in consistent form,
- */
-static int
-qfileout(FILE * ofile, u_int32_t otype, u_int32_t otests, u_int32_t otries,
-    u_int32_t osize, u_int32_t ogenerator, BIGNUM * omodulus)
-{
-	struct tm *gtm;
-	time_t time_now;
-	int res;
-
-	time(&time_now);
-	gtm = gmtime(&time_now);
-
-	res = fprintf(ofile, "%04d%02d%02d%02d%02d%02d %u %u %u %u %x ",
-	    gtm->tm_year + 1900, gtm->tm_mon + 1, gtm->tm_mday,
-	    gtm->tm_hour, gtm->tm_min, gtm->tm_sec,
-	    otype, otests, otries, osize, ogenerator);
-
-	if (res < 0)
-		return (-1);
-
-	if (BN_print_fp(ofile, omodulus) < 1)
-		return (-1);
-
-	res = fprintf(ofile, "\n");
-	fflush(ofile);
-
-	return (res > 0 ? 0 : -1);
-}
-
-
-/*
- ** Sieve p's and q's with small factors
- */
-static void
-sieve_large(u_int32_t s)
-{
-	u_int32_t r, u;
-
-	debug3("sieve_large %u", s);
-	largetries++;
-	/* r = largebase mod s */
-	r = BN_mod_word(largebase, s);
-	if (r == 0)
-		u = 0; /* s divides into largebase exactly */
-	else
-		u = s - r; /* largebase+u is first entry divisible by s */
-
-	if (u < largebits * 2) {
-		/*
-		 * The sieve omits p's and q's divisible by 2, so ensure that
-		 * largebase+u is odd. Then, step through the sieve in
-		 * increments of 2*s
-		 */
-		if (u & 0x1)
-			u += s; /* Make largebase+u odd, and u even */
-
-		/* Mark all multiples of 2*s */
-		for (u /= 2; u < largebits; u += s)
-			BIT_SET(LargeSieve, u);
-	}
-
-	/* r = p mod s */
-	r = (2 * r + 1) % s;
-	if (r == 0)
-		u = 0; /* s divides p exactly */
-	else
-		u = s - r; /* p+u is first entry divisible by s */
-
-	if (u < largebits * 4) {
-		/*
-		 * The sieve omits p's divisible by 4, so ensure that
-		 * largebase+u is not. Then, step through the sieve in
-		 * increments of 4*s
-		 */
-		while (u & 0x3) {
-			if (SMALL_MAXIMUM - u < s)
-				return;
-			u += s;
-		}
-
-		/* Mark all multiples of 4*s */
-		for (u /= 4; u < largebits; u += s)
-			BIT_SET(LargeSieve, u);
-	}
-}
-
-/*
- * list candidates for Sophie-Germain primes (where q = (p-1)/2)
- * to standard output.
- * The list is checked against small known primes (less than 2**30).
- */
-int
-gen_candidates(FILE *out, u_int32_t memory, u_int32_t power, BIGNUM *start)
-{
-	BIGNUM *q;
-	u_int32_t j, r, s, t;
-	u_int32_t smallwords = TINY_NUMBER >> 6;
-	u_int32_t tinywords = TINY_NUMBER >> 6;
-	time_t time_start, time_stop;
-	u_int32_t i;
-	int ret = 0;
-
-	largememory = memory;
-
-	if (memory != 0 &&
-	    (memory < LARGE_MINIMUM || memory > LARGE_MAXIMUM)) {
-		error("Invalid memory amount (min %ld, max %ld)",
-		    LARGE_MINIMUM, LARGE_MAXIMUM);
-		return (-1);
-	}
-
-	/*
-	 * Set power to the length in bits of the prime to be generated.
-	 * This is changed to 1 less than the desired safe prime moduli p.
-	 */
-	if (power > TEST_MAXIMUM) {
-		error("Too many bits: %u > %lu", power, TEST_MAXIMUM);
-		return (-1);
-	} else if (power < TEST_MINIMUM) {
-		error("Too few bits: %u < %u", power, TEST_MINIMUM);
-		return (-1);
-	}
-	power--; /* decrement before squaring */
-
-	/*
-	 * The density of ordinary primes is on the order of 1/bits, so the
-	 * density of safe primes should be about (1/bits)**2. Set test range
-	 * to something well above bits**2 to be reasonably sure (but not
-	 * guaranteed) of catching at least one safe prime.
-	 */
-	largewords = ((power * power) >> (SHIFT_WORD - TEST_POWER));
-
-	/*
-	 * Need idea of how much memory is available. We don't have to use all
-	 * of it.
-	 */
-	if (largememory > LARGE_MAXIMUM) {
-		logit("Limited memory: %u MB; limit %lu MB",
-		    largememory, LARGE_MAXIMUM);
-		largememory = LARGE_MAXIMUM;
-	}
-
-	if (largewords <= (largememory << SHIFT_MEGAWORD)) {
-		logit("Increased memory: %u MB; need %u bytes",
-		    largememory, (largewords << SHIFT_BYTE));
-		largewords = (largememory << SHIFT_MEGAWORD);
-	} else if (largememory > 0) {
-		logit("Decreased memory: %u MB; want %u bytes",
-		    largememory, (largewords << SHIFT_BYTE));
-		largewords = (largememory << SHIFT_MEGAWORD);
-	}
-
-	TinySieve = xcalloc(tinywords, sizeof(u_int32_t));
-	tinybits = tinywords << SHIFT_WORD;
-
-	SmallSieve = xcalloc(smallwords, sizeof(u_int32_t));
-	smallbits = smallwords << SHIFT_WORD;
-
-	/*
-	 * dynamically determine available memory
-	 */
-	while ((LargeSieve = calloc(largewords, sizeof(u_int32_t))) == NULL)
-		largewords -= (1L << (SHIFT_MEGAWORD - 2)); /* 1/4 MB chunks */
-
-	largebits = largewords << SHIFT_WORD;
-	largenumbers = largebits * 2;	/* even numbers excluded */
-
-	/* validation check: count the number of primes tried */
-	largetries = 0;
-	if ((q = BN_new()) == NULL)
-		fatal("BN_new failed");
-
-	/*
-	 * Generate random starting point for subprime search, or use
-	 * specified parameter.
-	 */
-	if ((largebase = BN_new()) == NULL)
-		fatal("BN_new failed");
-	if (start == NULL) {
-		if (BN_rand(largebase, power, 1, 1) == 0)
-			fatal("BN_rand failed");
-	} else {
-		if (BN_copy(largebase, start) == NULL)
-			fatal("BN_copy: failed");
-	}
-
-	/* ensure odd */
-	if (BN_set_bit(largebase, 0) == 0)
-		fatal("BN_set_bit: failed");
-
-	time(&time_start);
-
-	logit("%.24s Sieve next %u plus %u-bit", ctime(&time_start),
-	    largenumbers, power);
-	debug2("start point: 0x%s", BN_bn2hex(largebase));
-
-	/*
-	 * TinySieve
-	 */
-	for (i = 0; i < tinybits; i++) {
-		if (BIT_TEST(TinySieve, i))
-			continue; /* 2*i+3 is composite */
-
-		/* The next tiny prime */
-		t = 2 * i + 3;
-
-		/* Mark all multiples of t */
-		for (j = i + t; j < tinybits; j += t)
-			BIT_SET(TinySieve, j);
-
-		sieve_large(t);
-	}
-
-	/*
-	 * Start the small block search at the next possible prime. To avoid
-	 * fencepost errors, the last pass is skipped.
-	 */
-	for (smallbase = TINY_NUMBER + 3;
-	    smallbase < (SMALL_MAXIMUM - TINY_NUMBER);
-	    smallbase += TINY_NUMBER) {
-		for (i = 0; i < tinybits; i++) {
-			if (BIT_TEST(TinySieve, i))
-				continue; /* 2*i+3 is composite */
-
-			/* The next tiny prime */
-			t = 2 * i + 3;
-			r = smallbase % t;
-
-			if (r == 0) {
-				s = 0; /* t divides into smallbase exactly */
-			} else {
-				/* smallbase+s is first entry divisible by t */
-				s = t - r;
-			}
-
-			/*
-			 * The sieve omits even numbers, so ensure that
-			 * smallbase+s is odd. Then, step through the sieve
-			 * in increments of 2*t
-			 */
-			if (s & 1)
-				s += t; /* Make smallbase+s odd, and s even */
-
-			/* Mark all multiples of 2*t */
-			for (s /= 2; s < smallbits; s += t)
-				BIT_SET(SmallSieve, s);
-		}
-
-		/*
-		 * SmallSieve
-		 */
-		for (i = 0; i < smallbits; i++) {
-			if (BIT_TEST(SmallSieve, i))
-				continue; /* 2*i+smallbase is composite */
-
-			/* The next small prime */
-			sieve_large((2 * i) + smallbase);
-		}
-
-		memset(SmallSieve, 0, smallwords << SHIFT_BYTE);
-	}
-
-	time(&time_stop);
-
-	logit("%.24s Sieved with %u small primes in %ld seconds",
-	    ctime(&time_stop), largetries, (long) (time_stop - time_start));
-
-	for (j = r = 0; j < largebits; j++) {
-		if (BIT_TEST(LargeSieve, j))
-			continue; /* Definitely composite, skip */
-
-		debug2("test q = largebase+%u", 2 * j);
-		if (BN_set_word(q, 2 * j) == 0)
-			fatal("BN_set_word failed");
-		if (BN_add(q, q, largebase) == 0)
-			fatal("BN_add failed");
-		if (qfileout(out, QTYPE_SOPHIE_GERMAIN, QTEST_SIEVE,
-		    largetries, (power - 1) /* MSB */, (0), q) == -1) {
-			ret = -1;
-			break;
-		}
-
-		r++; /* count q */
-	}
-
-	time(&time_stop);
-
-	xfree(LargeSieve);
-	xfree(SmallSieve);
-	xfree(TinySieve);
-
-	logit("%.24s Found %u candidates", ctime(&time_stop), r);
-
-	return (ret);
-}
-
-/*
- * perform a Miller-Rabin primality test
- * on the list of candidates
- * (checking both q and p)
- * The result is a list of so-call "safe" primes
- */
-int
-prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted)
-{
-	BIGNUM *q, *p, *a;
-	BN_CTX *ctx;
-	char *cp, *lp;
-	u_int32_t count_in = 0, count_out = 0, count_possible = 0;
-	u_int32_t generator_known, in_tests, in_tries, in_type, in_size;
-	time_t time_start, time_stop;
-	int res;
-
-	if (trials < TRIAL_MINIMUM) {
-		error("Minimum primality trials is %d", TRIAL_MINIMUM);
-		return (-1);
-	}
-
-	time(&time_start);
-
-	if ((p = BN_new()) == NULL)
-		fatal("BN_new failed");
-	if ((q = BN_new()) == NULL)
-		fatal("BN_new failed");
-	if ((ctx = BN_CTX_new()) == NULL)
-		fatal("BN_CTX_new failed");
-
-	debug2("%.24s Final %u Miller-Rabin trials (%x generator)",
-	    ctime(&time_start), trials, generator_wanted);
-
-	res = 0;
-	lp = xmalloc(QLINESIZE + 1);
-	while (fgets(lp, QLINESIZE, in) != NULL) {
-		int ll = strlen(lp);
-
-		count_in++;
-		if (ll < 14 || *lp == '!' || *lp == '#') {
-			debug2("%10u: comment or short line", count_in);
-			continue;
-		}
-
-		/* XXX - fragile parser */
-		/* time */
-		cp = &lp[14];	/* (skip) */
-
-		/* type */
-		in_type = strtoul(cp, &cp, 10);
-
-		/* tests */
-		in_tests = strtoul(cp, &cp, 10);
-
-		if (in_tests & QTEST_COMPOSITE) {
-			debug2("%10u: known composite", count_in);
-			continue;
-		}
-
-		/* tries */
-		in_tries = strtoul(cp, &cp, 10);
-
-		/* size (most significant bit) */
-		in_size = strtoul(cp, &cp, 10);
-
-		/* generator (hex) */
-		generator_known = strtoul(cp, &cp, 16);
-
-		/* Skip white space */
-		cp += strspn(cp, " ");
-
-		/* modulus (hex) */
-		switch (in_type) {
-		case QTYPE_SOPHIE_GERMAIN:
-			debug2("%10u: (%u) Sophie-Germain", count_in, in_type);
-			a = q;
-			if (BN_hex2bn(&a, cp) == 0)
-				fatal("BN_hex2bn failed");
-			/* p = 2*q + 1 */
-			if (BN_lshift(p, q, 1) == 0)
-				fatal("BN_lshift failed");
-			if (BN_add_word(p, 1) == 0)
-				fatal("BN_add_word failed");
-			in_size += 1;
-			generator_known = 0;
-			break;
-		case QTYPE_UNSTRUCTURED:
-		case QTYPE_SAFE:
-		case QTYPE_SCHNORR:
-		case QTYPE_STRONG:
-		case QTYPE_UNKNOWN:
-			debug2("%10u: (%u)", count_in, in_type);
-			a = p;
-			if (BN_hex2bn(&a, cp) == 0)
-				fatal("BN_hex2bn failed");
-			/* q = (p-1) / 2 */
-			if (BN_rshift(q, p, 1) == 0)
-				fatal("BN_rshift failed");
-			break;
-		default:
-			debug2("Unknown prime type");
-			break;
-		}
-
-		/*
-		 * due to earlier inconsistencies in interpretation, check
-		 * the proposed bit size.
-		 */
-		if ((u_int32_t)BN_num_bits(p) != (in_size + 1)) {
-			debug2("%10u: bit size %u mismatch", count_in, in_size);
-			continue;
-		}
-		if (in_size < QSIZE_MINIMUM) {
-			debug2("%10u: bit size %u too short", count_in, in_size);
-			continue;
-		}
-
-		if (in_tests & QTEST_MILLER_RABIN)
-			in_tries += trials;
-		else
-			in_tries = trials;
-
-		/*
-		 * guess unknown generator
-		 */
-		if (generator_known == 0) {
-			if (BN_mod_word(p, 24) == 11)
-				generator_known = 2;
-			else if (BN_mod_word(p, 12) == 5)
-				generator_known = 3;
-			else {
-				u_int32_t r = BN_mod_word(p, 10);
-
-				if (r == 3 || r == 7)
-					generator_known = 5;
-			}
-		}
-		/*
-		 * skip tests when desired generator doesn't match
-		 */
-		if (generator_wanted > 0 &&
-		    generator_wanted != generator_known) {
-			debug2("%10u: generator %d != %d",
-			    count_in, generator_known, generator_wanted);
-			continue;
-		}
-
-		/*
-		 * Primes with no known generator are useless for DH, so
-		 * skip those.
-		 */
-		if (generator_known == 0) {
-			debug2("%10u: no known generator", count_in);
-			continue;
-		}
-
-		count_possible++;
-
-		/*
-		 * The (1/4)^N performance bound on Miller-Rabin is
-		 * extremely pessimistic, so don't spend a lot of time
-		 * really verifying that q is prime until after we know
-		 * that p is also prime. A single pass will weed out the
-		 * vast majority of composite q's.
-		 */
-		if (BN_is_prime(q, 1, NULL, ctx, NULL) <= 0) {
-			debug("%10u: q failed first possible prime test",
-			    count_in);
-			continue;
-		}
-
-		/*
-		 * q is possibly prime, so go ahead and really make sure
-		 * that p is prime. If it is, then we can go back and do
-		 * the same for q. If p is composite, chances are that
-		 * will show up on the first Rabin-Miller iteration so it
-		 * doesn't hurt to specify a high iteration count.
-		 */
-		if (!BN_is_prime(p, trials, NULL, ctx, NULL)) {
-			debug("%10u: p is not prime", count_in);
-			continue;
-		}
-		debug("%10u: p is almost certainly prime", count_in);
-
-		/* recheck q more rigorously */
-		if (!BN_is_prime(q, trials - 1, NULL, ctx, NULL)) {
-			debug("%10u: q is not prime", count_in);
-			continue;
-		}
-		debug("%10u: q is almost certainly prime", count_in);
-
-		if (qfileout(out, QTYPE_SAFE, (in_tests | QTEST_MILLER_RABIN),
-		    in_tries, in_size, generator_known, p)) {
-			res = -1;
-			break;
-		}
-
-		count_out++;
-	}
-
-	time(&time_stop);
-	xfree(lp);
-	BN_free(p);
-	BN_free(q);
-	BN_CTX_free(ctx);
-
-	logit("%.24s Found %u safe primes of %u candidates in %ld seconds",
-	    ctime(&time_stop), count_out, count_possible,
-	    (long) (time_stop - time_start));
-
-	return (res);
-}
diff --git a/crypto/openssh/monitor.c b/crypto/openssh/monitor.c
deleted file mode 100644
index 48ae46c..0000000
--- a/crypto/openssh/monitor.c
+++ /dev/null
@@ -1,1954 +0,0 @@
-/* $OpenBSD: monitor.c,v 1.89 2006/11/07 10:31:31 markus Exp $ */
-/*
- * Copyright 2002 Niels Provos <provos@citi.umich.edu>
- * Copyright 2002 Markus Friedl <markus@openbsd.org>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include "openbsd-compat/sys-tree.h"
-#include <sys/wait.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#ifdef HAVE_PATHS_H
-#include <paths.h>
-#endif
-#include <pwd.h>
-#include <signal.h>
-#include <stdarg.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#ifdef SKEY
-#include <skey.h>
-#endif
-
-#include <openssl/dh.h>
-
-#include "xmalloc.h"
-#include "ssh.h"
-#include "key.h"
-#include "buffer.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "cipher.h"
-#include "kex.h"
-#include "dh.h"
-#ifdef TARGET_OS_MAC	/* XXX Broken krb5 headers on Mac */
-#undef TARGET_OS_MAC
-#include "zlib.h"
-#define TARGET_OS_MAC 1
-#else
-#include "zlib.h"
-#endif
-#include "packet.h"
-#include "auth-options.h"
-#include "sshpty.h"
-#include "channels.h"
-#include "session.h"
-#include "sshlogin.h"
-#include "canohost.h"
-#include "log.h"
-#include "servconf.h"
-#include "monitor.h"
-#include "monitor_mm.h"
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-#include "monitor_wrap.h"
-#include "monitor_fdpass.h"
-#include "misc.h"
-#include "compat.h"
-#include "ssh2.h"
-
-#ifdef GSSAPI
-static Gssctxt *gsscontext = NULL;
-#endif
-
-/* Imports */
-extern ServerOptions options;
-extern u_int utmp_len;
-extern Newkeys *current_keys[];
-extern z_stream incoming_stream;
-extern z_stream outgoing_stream;
-extern u_char session_id[];
-extern Buffer input, output;
-extern Buffer auth_debug;
-extern int auth_debug_init;
-extern Buffer loginmsg;
-
-/* State exported from the child */
-
-struct {
-	z_stream incoming;
-	z_stream outgoing;
-	u_char *keyin;
-	u_int keyinlen;
-	u_char *keyout;
-	u_int keyoutlen;
-	u_char *ivin;
-	u_int ivinlen;
-	u_char *ivout;
-	u_int ivoutlen;
-	u_char *ssh1key;
-	u_int ssh1keylen;
-	int ssh1cipher;
-	int ssh1protoflags;
-	u_char *input;
-	u_int ilen;
-	u_char *output;
-	u_int olen;
-} child_state;
-
-/* Functions on the monitor that answer unprivileged requests */
-
-int mm_answer_moduli(int, Buffer *);
-int mm_answer_sign(int, Buffer *);
-int mm_answer_pwnamallow(int, Buffer *);
-int mm_answer_auth2_read_banner(int, Buffer *);
-int mm_answer_authserv(int, Buffer *);
-int mm_answer_authpassword(int, Buffer *);
-int mm_answer_bsdauthquery(int, Buffer *);
-int mm_answer_bsdauthrespond(int, Buffer *);
-int mm_answer_skeyquery(int, Buffer *);
-int mm_answer_skeyrespond(int, Buffer *);
-int mm_answer_keyallowed(int, Buffer *);
-int mm_answer_keyverify(int, Buffer *);
-int mm_answer_pty(int, Buffer *);
-int mm_answer_pty_cleanup(int, Buffer *);
-int mm_answer_term(int, Buffer *);
-int mm_answer_rsa_keyallowed(int, Buffer *);
-int mm_answer_rsa_challenge(int, Buffer *);
-int mm_answer_rsa_response(int, Buffer *);
-int mm_answer_sesskey(int, Buffer *);
-int mm_answer_sessid(int, Buffer *);
-
-#ifdef USE_PAM
-int mm_answer_pam_start(int, Buffer *);
-int mm_answer_pam_account(int, Buffer *);
-int mm_answer_pam_init_ctx(int, Buffer *);
-int mm_answer_pam_query(int, Buffer *);
-int mm_answer_pam_respond(int, Buffer *);
-int mm_answer_pam_free_ctx(int, Buffer *);
-#endif
-
-#ifdef GSSAPI
-int mm_answer_gss_setup_ctx(int, Buffer *);
-int mm_answer_gss_accept_ctx(int, Buffer *);
-int mm_answer_gss_userok(int, Buffer *);
-int mm_answer_gss_checkmic(int, Buffer *);
-#endif
-
-#ifdef SSH_AUDIT_EVENTS
-int mm_answer_audit_event(int, Buffer *);
-int mm_answer_audit_command(int, Buffer *);
-#endif
-
-static Authctxt *authctxt;
-static BIGNUM *ssh1_challenge = NULL;	/* used for ssh1 rsa auth */
-
-/* local state for key verify */
-static u_char *key_blob = NULL;
-static u_int key_bloblen = 0;
-static int key_blobtype = MM_NOKEY;
-static char *hostbased_cuser = NULL;
-static char *hostbased_chost = NULL;
-static char *auth_method = "unknown";
-static u_int session_id2_len = 0;
-static u_char *session_id2 = NULL;
-static pid_t monitor_child_pid;
-
-struct mon_table {
-	enum monitor_reqtype type;
-	int flags;
-	int (*f)(int, Buffer *);
-};
-
-#define MON_ISAUTH	0x0004	/* Required for Authentication */
-#define MON_AUTHDECIDE	0x0008	/* Decides Authentication */
-#define MON_ONCE	0x0010	/* Disable after calling */
-#define MON_ALOG	0x0020	/* Log auth attempt without authenticating */
-
-#define MON_AUTH	(MON_ISAUTH|MON_AUTHDECIDE)
-
-#define MON_PERMIT	0x1000	/* Request is permitted */
-
-struct mon_table mon_dispatch_proto20[] = {
-    {MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli},
-    {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
-    {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
-    {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
-    {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
-    {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
-#ifdef USE_PAM
-    {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
-    {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
-    {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
-    {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
-    {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
-    {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
-#endif
-#ifdef SSH_AUDIT_EVENTS
-    {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
-#endif
-#ifdef BSD_AUTH
-    {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
-    {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH, mm_answer_bsdauthrespond},
-#endif
-#ifdef SKEY
-    {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
-    {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
-#endif
-    {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
-    {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
-#ifdef GSSAPI
-    {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},
-    {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
-    {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
-    {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
-#endif
-    {0, 0, NULL}
-};
-
-struct mon_table mon_dispatch_postauth20[] = {
-    {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
-    {MONITOR_REQ_SIGN, 0, mm_answer_sign},
-    {MONITOR_REQ_PTY, 0, mm_answer_pty},
-    {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
-    {MONITOR_REQ_TERM, 0, mm_answer_term},
-#ifdef SSH_AUDIT_EVENTS
-    {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
-    {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
-#endif
-    {0, 0, NULL}
-};
-
-struct mon_table mon_dispatch_proto15[] = {
-    {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
-    {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
-    {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
-    {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
-    {MONITOR_REQ_RSAKEYALLOWED, MON_ISAUTH|MON_ALOG, mm_answer_rsa_keyallowed},
-    {MONITOR_REQ_KEYALLOWED, MON_ISAUTH|MON_ALOG, mm_answer_keyallowed},
-    {MONITOR_REQ_RSACHALLENGE, MON_ONCE, mm_answer_rsa_challenge},
-    {MONITOR_REQ_RSARESPONSE, MON_ONCE|MON_AUTHDECIDE, mm_answer_rsa_response},
-#ifdef BSD_AUTH
-    {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
-    {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH, mm_answer_bsdauthrespond},
-#endif
-#ifdef SKEY
-    {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery},
-    {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond},
-#endif
-#ifdef USE_PAM
-    {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
-    {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
-    {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
-    {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
-    {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
-    {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
-#endif
-#ifdef SSH_AUDIT_EVENTS
-    {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
-#endif
-    {0, 0, NULL}
-};
-
-struct mon_table mon_dispatch_postauth15[] = {
-    {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},
-    {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup},
-    {MONITOR_REQ_TERM, 0, mm_answer_term},
-#ifdef SSH_AUDIT_EVENTS
-    {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
-    {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
-#endif
-    {0, 0, NULL}
-};
-
-struct mon_table *mon_dispatch;
-
-/* Specifies if a certain message is allowed at the moment */
-
-static void
-monitor_permit(struct mon_table *ent, enum monitor_reqtype type, int permit)
-{
-	while (ent->f != NULL) {
-		if (ent->type == type) {
-			ent->flags &= ~MON_PERMIT;
-			ent->flags |= permit ? MON_PERMIT : 0;
-			return;
-		}
-		ent++;
-	}
-}
-
-static void
-monitor_permit_authentications(int permit)
-{
-	struct mon_table *ent = mon_dispatch;
-
-	while (ent->f != NULL) {
-		if (ent->flags & MON_AUTH) {
-			ent->flags &= ~MON_PERMIT;
-			ent->flags |= permit ? MON_PERMIT : 0;
-		}
-		ent++;
-	}
-}
-
-void
-monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
-{
-	struct mon_table *ent;
-	int authenticated = 0;
-
-	debug3("preauth child monitor started");
-
-	authctxt = _authctxt;
-	memset(authctxt, 0, sizeof(*authctxt));
-
-	authctxt->loginmsg = &loginmsg;
-
-	if (compat20) {
-		mon_dispatch = mon_dispatch_proto20;
-
-		/* Permit requests for moduli and signatures */
-		monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
-		monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
-	} else {
-		mon_dispatch = mon_dispatch_proto15;
-
-		monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);
-	}
-
-	/* The first few requests do not require asynchronous access */
-	while (!authenticated) {
-		auth_method = "unknown";
-		authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
-		if (authenticated) {
-			if (!(ent->flags & MON_AUTHDECIDE))
-				fatal("%s: unexpected authentication from %d",
-				    __func__, ent->type);
-			if (authctxt->pw->pw_uid == 0 &&
-			    !auth_root_allowed(auth_method))
-				authenticated = 0;
-#ifdef USE_PAM
-			/* PAM needs to perform account checks after auth */
-			if (options.use_pam && authenticated) {
-				Buffer m;
-
-				buffer_init(&m);
-				mm_request_receive_expect(pmonitor->m_sendfd,
-				    MONITOR_REQ_PAM_ACCOUNT, &m);
-				authenticated = mm_answer_pam_account(pmonitor->m_sendfd, &m);
-				buffer_free(&m);
-			}
-#endif
-		}
-
-		if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
-			auth_log(authctxt, authenticated, auth_method,
-			    compat20 ? " ssh2" : "");
-			if (!authenticated)
-				authctxt->failures++;
-		}
-	}
-
-	if (!authctxt->valid)
-		fatal("%s: authenticated invalid user", __func__);
-	if (strcmp(auth_method, "unknown") == 0)
-		fatal("%s: authentication method name unknown", __func__);
-
-	debug("%s: %s has been authenticated by privileged process",
-	    __func__, authctxt->user);
-
-	mm_get_keystate(pmonitor);
-}
-
-static void
-monitor_set_child_handler(pid_t pid)
-{
-	monitor_child_pid = pid;
-}
-
-static void
-monitor_child_handler(int sig)
-{
-	kill(monitor_child_pid, sig);
-}
-
-void
-monitor_child_postauth(struct monitor *pmonitor)
-{
-	monitor_set_child_handler(pmonitor->m_pid);
-	signal(SIGHUP, &monitor_child_handler);
-	signal(SIGTERM, &monitor_child_handler);
-
-	if (compat20) {
-		mon_dispatch = mon_dispatch_postauth20;
-
-		/* Permit requests for moduli and signatures */
-		monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
-		monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
-		monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-	} else {
-		mon_dispatch = mon_dispatch_postauth15;
-		monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-	}
-	if (!no_pty_flag) {
-		monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
-		monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1);
-	}
-
-	for (;;)
-		monitor_read(pmonitor, mon_dispatch, NULL);
-}
-
-void
-monitor_sync(struct monitor *pmonitor)
-{
-	if (options.compression) {
-		/* The member allocation is not visible, so sync it */
-		mm_share_sync(&pmonitor->m_zlib, &pmonitor->m_zback);
-	}
-}
-
-int
-monitor_read(struct monitor *pmonitor, struct mon_table *ent,
-    struct mon_table **pent)
-{
-	Buffer m;
-	int ret;
-	u_char type;
-
-	buffer_init(&m);
-
-	mm_request_receive(pmonitor->m_sendfd, &m);
-	type = buffer_get_char(&m);
-
-	debug3("%s: checking request %d", __func__, type);
-
-	while (ent->f != NULL) {
-		if (ent->type == type)
-			break;
-		ent++;
-	}
-
-	if (ent->f != NULL) {
-		if (!(ent->flags & MON_PERMIT))
-			fatal("%s: unpermitted request %d", __func__,
-			    type);
-		ret = (*ent->f)(pmonitor->m_sendfd, &m);
-		buffer_free(&m);
-
-		/* The child may use this request only once, disable it */
-		if (ent->flags & MON_ONCE) {
-			debug2("%s: %d used once, disabling now", __func__,
-			    type);
-			ent->flags &= ~MON_PERMIT;
-		}
-
-		if (pent != NULL)
-			*pent = ent;
-
-		return ret;
-	}
-
-	fatal("%s: unsupported request: %d", __func__, type);
-
-	/* NOTREACHED */
-	return (-1);
-}
-
-/* allowed key state */
-static int
-monitor_allowed_key(u_char *blob, u_int bloblen)
-{
-	/* make sure key is allowed */
-	if (key_blob == NULL || key_bloblen != bloblen ||
-	    memcmp(key_blob, blob, key_bloblen))
-		return (0);
-	return (1);
-}
-
-static void
-monitor_reset_key_state(void)
-{
-	/* reset state */
-	if (key_blob != NULL)
-		xfree(key_blob);
-	if (hostbased_cuser != NULL)
-		xfree(hostbased_cuser);
-	if (hostbased_chost != NULL)
-		xfree(hostbased_chost);
-	key_blob = NULL;
-	key_bloblen = 0;
-	key_blobtype = MM_NOKEY;
-	hostbased_cuser = NULL;
-	hostbased_chost = NULL;
-}
-
-int
-mm_answer_moduli(int sock, Buffer *m)
-{
-	DH *dh;
-	int min, want, max;
-
-	min = buffer_get_int(m);
-	want = buffer_get_int(m);
-	max = buffer_get_int(m);
-
-	debug3("%s: got parameters: %d %d %d",
-	    __func__, min, want, max);
-	/* We need to check here, too, in case the child got corrupted */
-	if (max < min || want < min || max < want)
-		fatal("%s: bad parameters: %d %d %d",
-		    __func__, min, want, max);
-
-	buffer_clear(m);
-
-	dh = choose_dh(min, want, max);
-	if (dh == NULL) {
-		buffer_put_char(m, 0);
-		return (0);
-	} else {
-		/* Send first bignum */
-		buffer_put_char(m, 1);
-		buffer_put_bignum2(m, dh->p);
-		buffer_put_bignum2(m, dh->g);
-
-		DH_free(dh);
-	}
-	mm_request_send(sock, MONITOR_ANS_MODULI, m);
-	return (0);
-}
-
-int
-mm_answer_sign(int sock, Buffer *m)
-{
-	Key *key;
-	u_char *p;
-	u_char *signature;
-	u_int siglen, datlen;
-	int keyid;
-
-	debug3("%s", __func__);
-
-	keyid = buffer_get_int(m);
-	p = buffer_get_string(m, &datlen);
-
-	/*
-	 * Supported KEX types will only return SHA1 (20 byte) or
-	 * SHA256 (32 byte) hashes
-	 */
-	if (datlen != 20 && datlen != 32)
-		fatal("%s: data length incorrect: %u", __func__, datlen);
-
-	/* save session id, it will be passed on the first call */
-	if (session_id2_len == 0) {
-		session_id2_len = datlen;
-		session_id2 = xmalloc(session_id2_len);
-		memcpy(session_id2, p, session_id2_len);
-	}
-
-	if ((key = get_hostkey_by_index(keyid)) == NULL)
-		fatal("%s: no hostkey from index %d", __func__, keyid);
-	if (key_sign(key, &signature, &siglen, p, datlen) < 0)
-		fatal("%s: key_sign failed", __func__);
-
-	debug3("%s: signature %p(%u)", __func__, signature, siglen);
-
-	buffer_clear(m);
-	buffer_put_string(m, signature, siglen);
-
-	xfree(p);
-	xfree(signature);
-
-	mm_request_send(sock, MONITOR_ANS_SIGN, m);
-
-	/* Turn on permissions for getpwnam */
-	monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
-
-	return (0);
-}
-
-/* Retrieves the password entry and also checks if the user is permitted */
-
-int
-mm_answer_pwnamallow(int sock, Buffer *m)
-{
-	char *username;
-	struct passwd *pwent;
-	int allowed = 0;
-
-	debug3("%s", __func__);
-
-	if (authctxt->attempt++ != 0)
-		fatal("%s: multiple attempts for getpwnam", __func__);
-
-	username = buffer_get_string(m, NULL);
-
-	pwent = getpwnamallow(username);
-
-	authctxt->user = xstrdup(username);
-	setproctitle("%s [priv]", pwent ? username : "unknown");
-	xfree(username);
-
-	buffer_clear(m);
-
-	if (pwent == NULL) {
-		buffer_put_char(m, 0);
-		authctxt->pw = fakepw();
-		goto out;
-	}
-
-	allowed = 1;
-	authctxt->pw = pwent;
-	authctxt->valid = 1;
-
-	buffer_put_char(m, 1);
-	buffer_put_string(m, pwent, sizeof(struct passwd));
-	buffer_put_cstring(m, pwent->pw_name);
-	buffer_put_cstring(m, "*");
-	buffer_put_cstring(m, pwent->pw_gecos);
-#ifdef HAVE_PW_CLASS_IN_PASSWD
-	buffer_put_cstring(m, pwent->pw_class);
-#endif
-	buffer_put_cstring(m, pwent->pw_dir);
-	buffer_put_cstring(m, pwent->pw_shell);
-
- out:
-	debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed);
-	mm_request_send(sock, MONITOR_ANS_PWNAM, m);
-
-	/* For SSHv1 allow authentication now */
-	if (!compat20)
-		monitor_permit_authentications(1);
-	else {
-		/* Allow service/style information on the auth context */
-		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
-		monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
-	}
-
-#ifdef USE_PAM
-	if (options.use_pam)
-		monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
-#endif
-
-	return (0);
-}
-
-int mm_answer_auth2_read_banner(int sock, Buffer *m)
-{
-	char *banner;
-
-	buffer_clear(m);
-	banner = auth2_read_banner();
-	buffer_put_cstring(m, banner != NULL ? banner : "");
-	mm_request_send(sock, MONITOR_ANS_AUTH2_READ_BANNER, m);
-
-	if (banner != NULL)
-		xfree(banner);
-
-	return (0);
-}
-
-int
-mm_answer_authserv(int sock, Buffer *m)
-{
-	monitor_permit_authentications(1);
-
-	authctxt->service = buffer_get_string(m, NULL);
-	authctxt->style = buffer_get_string(m, NULL);
-	debug3("%s: service=%s, style=%s",
-	    __func__, authctxt->service, authctxt->style);
-
-	if (strlen(authctxt->style) == 0) {
-		xfree(authctxt->style);
-		authctxt->style = NULL;
-	}
-
-	return (0);
-}
-
-int
-mm_answer_authpassword(int sock, Buffer *m)
-{
-	static int call_count;
-	char *passwd;
-	int authenticated;
-	u_int plen;
-
-	passwd = buffer_get_string(m, &plen);
-	/* Only authenticate if the context is valid */
-	authenticated = options.password_authentication &&
-	    auth_password(authctxt, passwd);
-	memset(passwd, 0, strlen(passwd));
-	xfree(passwd);
-
-	buffer_clear(m);
-	buffer_put_int(m, authenticated);
-
-	debug3("%s: sending result %d", __func__, authenticated);
-	mm_request_send(sock, MONITOR_ANS_AUTHPASSWORD, m);
-
-	call_count++;
-	if (plen == 0 && call_count == 1)
-		auth_method = "none";
-	else
-		auth_method = "password";
-
-	/* Causes monitor loop to terminate if authenticated */
-	return (authenticated);
-}
-
-#ifdef BSD_AUTH
-int
-mm_answer_bsdauthquery(int sock, Buffer *m)
-{
-	char *name, *infotxt;
-	u_int numprompts;
-	u_int *echo_on;
-	char **prompts;
-	u_int success;
-
-	success = bsdauth_query(authctxt, &name, &infotxt, &numprompts,
-	    &prompts, &echo_on) < 0 ? 0 : 1;
-
-	buffer_clear(m);
-	buffer_put_int(m, success);
-	if (success)
-		buffer_put_cstring(m, prompts[0]);
-
-	debug3("%s: sending challenge success: %u", __func__, success);
-	mm_request_send(sock, MONITOR_ANS_BSDAUTHQUERY, m);
-
-	if (success) {
-		xfree(name);
-		xfree(infotxt);
-		xfree(prompts);
-		xfree(echo_on);
-	}
-
-	return (0);
-}
-
-int
-mm_answer_bsdauthrespond(int sock, Buffer *m)
-{
-	char *response;
-	int authok;
-
-	if (authctxt->as == 0)
-		fatal("%s: no bsd auth session", __func__);
-
-	response = buffer_get_string(m, NULL);
-	authok = options.challenge_response_authentication &&
-	    auth_userresponse(authctxt->as, response, 0);
-	authctxt->as = NULL;
-	debug3("%s: <%s> = <%d>", __func__, response, authok);
-	xfree(response);
-
-	buffer_clear(m);
-	buffer_put_int(m, authok);
-
-	debug3("%s: sending authenticated: %d", __func__, authok);
-	mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
-
-	auth_method = "bsdauth";
-
-	return (authok != 0);
-}
-#endif
-
-#ifdef SKEY
-int
-mm_answer_skeyquery(int sock, Buffer *m)
-{
-	struct skey skey;
-	char challenge[1024];
-	u_int success;
-
-	success = _compat_skeychallenge(&skey, authctxt->user, challenge,
-	    sizeof(challenge)) < 0 ? 0 : 1;
-
-	buffer_clear(m);
-	buffer_put_int(m, success);
-	if (success)
-		buffer_put_cstring(m, challenge);
-
-	debug3("%s: sending challenge success: %u", __func__, success);
-	mm_request_send(sock, MONITOR_ANS_SKEYQUERY, m);
-
-	return (0);
-}
-
-int
-mm_answer_skeyrespond(int sock, Buffer *m)
-{
-	char *response;
-	int authok;
-
-	response = buffer_get_string(m, NULL);
-
-	authok = (options.challenge_response_authentication &&
-	    authctxt->valid &&
-	    skey_haskey(authctxt->pw->pw_name) == 0 &&
-	    skey_passcheck(authctxt->pw->pw_name, response) != -1);
-
-	xfree(response);
-
-	buffer_clear(m);
-	buffer_put_int(m, authok);
-
-	debug3("%s: sending authenticated: %d", __func__, authok);
-	mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);
-
-	auth_method = "skey";
-
-	return (authok != 0);
-}
-#endif
-
-#ifdef USE_PAM
-int
-mm_answer_pam_start(int sock, Buffer *m)
-{
-	if (!options.use_pam)
-		fatal("UsePAM not set, but ended up in %s anyway", __func__);
-
-	start_pam(authctxt);
-
-	monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1);
-
-	return (0);
-}
-
-int
-mm_answer_pam_account(int sock, Buffer *m)
-{
-	u_int ret;
-
-	if (!options.use_pam)
-		fatal("UsePAM not set, but ended up in %s anyway", __func__);
-
-	ret = do_pam_account();
-
-	buffer_put_int(m, ret);
-	buffer_put_string(m, buffer_ptr(&loginmsg), buffer_len(&loginmsg));
-
-	mm_request_send(sock, MONITOR_ANS_PAM_ACCOUNT, m);
-
-	return (ret);
-}
-
-static void *sshpam_ctxt, *sshpam_authok;
-extern KbdintDevice sshpam_device;
-
-int
-mm_answer_pam_init_ctx(int sock, Buffer *m)
-{
-
-	debug3("%s", __func__);
-	authctxt->user = buffer_get_string(m, NULL);
-	sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
-	sshpam_authok = NULL;
-	buffer_clear(m);
-	if (sshpam_ctxt != NULL) {
-		monitor_permit(mon_dispatch, MONITOR_REQ_PAM_FREE_CTX, 1);
-		buffer_put_int(m, 1);
-	} else {
-		buffer_put_int(m, 0);
-	}
-	mm_request_send(sock, MONITOR_ANS_PAM_INIT_CTX, m);
-	return (0);
-}
-
-int
-mm_answer_pam_query(int sock, Buffer *m)
-{
-	char *name, *info, **prompts;
-	u_int i, num, *echo_on;
-	int ret;
-
-	debug3("%s", __func__);
-	sshpam_authok = NULL;
-	ret = (sshpam_device.query)(sshpam_ctxt, &name, &info, &num, &prompts, &echo_on);
-	if (ret == 0 && num == 0)
-		sshpam_authok = sshpam_ctxt;
-	if (num > 1 || name == NULL || info == NULL)
-		ret = -1;
-	buffer_clear(m);
-	buffer_put_int(m, ret);
-	buffer_put_cstring(m, name);
-	xfree(name);
-	buffer_put_cstring(m, info);
-	xfree(info);
-	buffer_put_int(m, num);
-	for (i = 0; i < num; ++i) {
-		buffer_put_cstring(m, prompts[i]);
-		xfree(prompts[i]);
-		buffer_put_int(m, echo_on[i]);
-	}
-	if (prompts != NULL)
-		xfree(prompts);
-	if (echo_on != NULL)
-		xfree(echo_on);
-	auth_method = "keyboard-interactive/pam";
-	mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
-	return (0);
-}
-
-int
-mm_answer_pam_respond(int sock, Buffer *m)
-{
-	char **resp;
-	u_int i, num;
-	int ret;
-
-	debug3("%s", __func__);
-	sshpam_authok = NULL;
-	num = buffer_get_int(m);
-	if (num > 0) {
-		resp = xcalloc(num, sizeof(char *));
-		for (i = 0; i < num; ++i)
-			resp[i] = buffer_get_string(m, NULL);
-		ret = (sshpam_device.respond)(sshpam_ctxt, num, resp);
-		for (i = 0; i < num; ++i)
-			xfree(resp[i]);
-		xfree(resp);
-	} else {
-		ret = (sshpam_device.respond)(sshpam_ctxt, num, NULL);
-	}
-	buffer_clear(m);
-	buffer_put_int(m, ret);
-	mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);
-	auth_method = "keyboard-interactive/pam";
-	if (ret == 0)
-		sshpam_authok = sshpam_ctxt;
-	return (0);
-}
-
-int
-mm_answer_pam_free_ctx(int sock, Buffer *m)
-{
-
-	debug3("%s", __func__);
-	(sshpam_device.free_ctx)(sshpam_ctxt);
-	buffer_clear(m);
-	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
-	auth_method = "keyboard-interactive/pam";
-	return (sshpam_authok == sshpam_ctxt);
-}
-#endif
-
-static void
-mm_append_debug(Buffer *m)
-{
-	if (auth_debug_init && buffer_len(&auth_debug)) {
-		debug3("%s: Appending debug messages for child", __func__);
-		buffer_append(m, buffer_ptr(&auth_debug),
-		    buffer_len(&auth_debug));
-		buffer_clear(&auth_debug);
-	}
-}
-
-int
-mm_answer_keyallowed(int sock, Buffer *m)
-{
-	Key *key;
-	char *cuser, *chost;
-	u_char *blob;
-	u_int bloblen;
-	enum mm_keytype type = 0;
-	int allowed = 0;
-
-	debug3("%s entering", __func__);
-
-	type = buffer_get_int(m);
-	cuser = buffer_get_string(m, NULL);
-	chost = buffer_get_string(m, NULL);
-	blob = buffer_get_string(m, &bloblen);
-
-	key = key_from_blob(blob, bloblen);
-
-	if ((compat20 && type == MM_RSAHOSTKEY) ||
-	    (!compat20 && type != MM_RSAHOSTKEY))
-		fatal("%s: key type and protocol mismatch", __func__);
-
-	debug3("%s: key_from_blob: %p", __func__, key);
-
-	if (key != NULL && authctxt->valid) {
-		switch (type) {
-		case MM_USERKEY:
-			allowed = options.pubkey_authentication &&
-			    user_key_allowed(authctxt->pw, key);
-			auth_method = "publickey";
-			break;
-		case MM_HOSTKEY:
-			allowed = options.hostbased_authentication &&
-			    hostbased_key_allowed(authctxt->pw,
-			    cuser, chost, key);
-			auth_method = "hostbased";
-			break;
-		case MM_RSAHOSTKEY:
-			key->type = KEY_RSA1; /* XXX */
-			allowed = options.rhosts_rsa_authentication &&
-			    auth_rhosts_rsa_key_allowed(authctxt->pw,
-			    cuser, chost, key);
-			auth_method = "rsa";
-			break;
-		default:
-			fatal("%s: unknown key type %d", __func__, type);
-			break;
-		}
-	}
-	if (key != NULL)
-		key_free(key);
-
-	/* clear temporarily storage (used by verify) */
-	monitor_reset_key_state();
-
-	if (allowed) {
-		/* Save temporarily for comparison in verify */
-		key_blob = blob;
-		key_bloblen = bloblen;
-		key_blobtype = type;
-		hostbased_cuser = cuser;
-		hostbased_chost = chost;
-	} else {
-		/* Log failed attempt */
-		auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : "");
-		xfree(blob);
-		xfree(cuser);
-		xfree(chost);
-	}
-
-	debug3("%s: key %p is %s",
-	    __func__, key, allowed ? "allowed" : "disallowed");
-
-	buffer_clear(m);
-	buffer_put_int(m, allowed);
-	buffer_put_int(m, forced_command != NULL);
-
-	mm_append_debug(m);
-
-	mm_request_send(sock, MONITOR_ANS_KEYALLOWED, m);
-
-	if (type == MM_RSAHOSTKEY)
-		monitor_permit(mon_dispatch, MONITOR_REQ_RSACHALLENGE, allowed);
-
-	return (0);
-}
-
-static int
-monitor_valid_userblob(u_char *data, u_int datalen)
-{
-	Buffer b;
-	char *p;
-	u_int len;
-	int fail = 0;
-
-	buffer_init(&b);
-	buffer_append(&b, data, datalen);
-
-	if (datafellows & SSH_OLD_SESSIONID) {
-		p = buffer_ptr(&b);
-		len = buffer_len(&b);
-		if ((session_id2 == NULL) ||
-		    (len < session_id2_len) ||
-		    (memcmp(p, session_id2, session_id2_len) != 0))
-			fail++;
-		buffer_consume(&b, session_id2_len);
-	} else {
-		p = buffer_get_string(&b, &len);
-		if ((session_id2 == NULL) ||
-		    (len != session_id2_len) ||
-		    (memcmp(p, session_id2, session_id2_len) != 0))
-			fail++;
-		xfree(p);
-	}
-	if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
-		fail++;
-	p = buffer_get_string(&b, NULL);
-	if (strcmp(authctxt->user, p) != 0) {
-		logit("wrong user name passed to monitor: expected %s != %.100s",
-		    authctxt->user, p);
-		fail++;
-	}
-	xfree(p);
-	buffer_skip_string(&b);
-	if (datafellows & SSH_BUG_PKAUTH) {
-		if (!buffer_get_char(&b))
-			fail++;
-	} else {
-		p = buffer_get_string(&b, NULL);
-		if (strcmp("publickey", p) != 0)
-			fail++;
-		xfree(p);
-		if (!buffer_get_char(&b))
-			fail++;
-		buffer_skip_string(&b);
-	}
-	buffer_skip_string(&b);
-	if (buffer_len(&b) != 0)
-		fail++;
-	buffer_free(&b);
-	return (fail == 0);
-}
-
-static int
-monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
-    char *chost)
-{
-	Buffer b;
-	char *p;
-	u_int len;
-	int fail = 0;
-
-	buffer_init(&b);
-	buffer_append(&b, data, datalen);
-
-	p = buffer_get_string(&b, &len);
-	if ((session_id2 == NULL) ||
-	    (len != session_id2_len) ||
-	    (memcmp(p, session_id2, session_id2_len) != 0))
-		fail++;
-	xfree(p);
-
-	if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
-		fail++;
-	p = buffer_get_string(&b, NULL);
-	if (strcmp(authctxt->user, p) != 0) {
-		logit("wrong user name passed to monitor: expected %s != %.100s",
-		    authctxt->user, p);
-		fail++;
-	}
-	xfree(p);
-	buffer_skip_string(&b);	/* service */
-	p = buffer_get_string(&b, NULL);
-	if (strcmp(p, "hostbased") != 0)
-		fail++;
-	xfree(p);
-	buffer_skip_string(&b);	/* pkalg */
-	buffer_skip_string(&b);	/* pkblob */
-
-	/* verify client host, strip trailing dot if necessary */
-	p = buffer_get_string(&b, NULL);
-	if (((len = strlen(p)) > 0) && p[len - 1] == '.')
-		p[len - 1] = '\0';
-	if (strcmp(p, chost) != 0)
-		fail++;
-	xfree(p);
-
-	/* verify client user */
-	p = buffer_get_string(&b, NULL);
-	if (strcmp(p, cuser) != 0)
-		fail++;
-	xfree(p);
-
-	if (buffer_len(&b) != 0)
-		fail++;
-	buffer_free(&b);
-	return (fail == 0);
-}
-
-int
-mm_answer_keyverify(int sock, Buffer *m)
-{
-	Key *key;
-	u_char *signature, *data, *blob;
-	u_int signaturelen, datalen, bloblen;
-	int verified = 0;
-	int valid_data = 0;
-
-	blob = buffer_get_string(m, &bloblen);
-	signature = buffer_get_string(m, &signaturelen);
-	data = buffer_get_string(m, &datalen);
-
-	if (hostbased_cuser == NULL || hostbased_chost == NULL ||
-	  !monitor_allowed_key(blob, bloblen))
-		fatal("%s: bad key, not previously allowed", __func__);
-
-	key = key_from_blob(blob, bloblen);
-	if (key == NULL)
-		fatal("%s: bad public key blob", __func__);
-
-	switch (key_blobtype) {
-	case MM_USERKEY:
-		valid_data = monitor_valid_userblob(data, datalen);
-		break;
-	case MM_HOSTKEY:
-		valid_data = monitor_valid_hostbasedblob(data, datalen,
-		    hostbased_cuser, hostbased_chost);
-		break;
-	default:
-		valid_data = 0;
-		break;
-	}
-	if (!valid_data)
-		fatal("%s: bad signature data blob", __func__);
-
-	verified = key_verify(key, signature, signaturelen, data, datalen);
-	debug3("%s: key %p signature %s",
-	    __func__, key, (verified == 1) ? "verified" : "unverified");
-
-	key_free(key);
-	xfree(blob);
-	xfree(signature);
-	xfree(data);
-
-	auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
-
-	monitor_reset_key_state();
-
-	buffer_clear(m);
-	buffer_put_int(m, verified);
-	mm_request_send(sock, MONITOR_ANS_KEYVERIFY, m);
-
-	return (verified == 1);
-}
-
-static void
-mm_record_login(Session *s, struct passwd *pw)
-{
-	socklen_t fromlen;
-	struct sockaddr_storage from;
-
-	/*
-	 * Get IP address of client. If the connection is not a socket, let
-	 * the address be 0.0.0.0.
-	 */
-	memset(&from, 0, sizeof(from));
-	fromlen = sizeof(from);
-	if (packet_connection_is_on_socket()) {
-		if (getpeername(packet_get_connection_in(),
-		    (struct sockaddr *)&from, &fromlen) < 0) {
-			debug("getpeername: %.100s", strerror(errno));
-			cleanup_exit(255);
-		}
-	}
-	/* Record that there was a login on that tty from the remote host. */
-	record_login(s->pid, s->tty, pw->pw_name, pw->pw_uid,
-	    get_remote_name_or_ip(utmp_len, options.use_dns),
-	    (struct sockaddr *)&from, fromlen);
-}
-
-static void
-mm_session_close(Session *s)
-{
-	debug3("%s: session %d pid %ld", __func__, s->self, (long)s->pid);
-	if (s->ttyfd != -1) {
-		debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
-		session_pty_cleanup2(s);
-	}
-	s->used = 0;
-}
-
-int
-mm_answer_pty(int sock, Buffer *m)
-{
-	extern struct monitor *pmonitor;
-	Session *s;
-	int res, fd0;
-
-	debug3("%s entering", __func__);
-
-	buffer_clear(m);
-	s = session_new();
-	if (s == NULL)
-		goto error;
-	s->authctxt = authctxt;
-	s->pw = authctxt->pw;
-	s->pid = pmonitor->m_pid;
-	res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
-	if (res == 0)
-		goto error;
-	pty_setowner(authctxt->pw, s->tty);
-
-	buffer_put_int(m, 1);
-	buffer_put_cstring(m, s->tty);
-
-	/* We need to trick ttyslot */
-	if (dup2(s->ttyfd, 0) == -1)
-		fatal("%s: dup2", __func__);
-
-	mm_record_login(s, authctxt->pw);
-
-	/* Now we can close the file descriptor again */
-	close(0);
-
-	/* send messages generated by record_login */
-	buffer_put_string(m, buffer_ptr(&loginmsg), buffer_len(&loginmsg));
-	buffer_clear(&loginmsg);
-
-	mm_request_send(sock, MONITOR_ANS_PTY, m);
-
-	mm_send_fd(sock, s->ptyfd);
-	mm_send_fd(sock, s->ttyfd);
-
-	/* make sure nothing uses fd 0 */
-	if ((fd0 = open(_PATH_DEVNULL, O_RDONLY)) < 0)
-		fatal("%s: open(/dev/null): %s", __func__, strerror(errno));
-	if (fd0 != 0)
-		error("%s: fd0 %d != 0", __func__, fd0);
-
-	/* slave is not needed */
-	close(s->ttyfd);
-	s->ttyfd = s->ptyfd;
-	/* no need to dup() because nobody closes ptyfd */
-	s->ptymaster = s->ptyfd;
-
-	debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ttyfd);
-
-	return (0);
-
- error:
-	if (s != NULL)
-		mm_session_close(s);
-	buffer_put_int(m, 0);
-	mm_request_send(sock, MONITOR_ANS_PTY, m);
-	return (0);
-}
-
-int
-mm_answer_pty_cleanup(int sock, Buffer *m)
-{
-	Session *s;
-	char *tty;
-
-	debug3("%s entering", __func__);
-
-	tty = buffer_get_string(m, NULL);
-	if ((s = session_by_tty(tty)) != NULL)
-		mm_session_close(s);
-	buffer_clear(m);
-	xfree(tty);
-	return (0);
-}
-
-int
-mm_answer_sesskey(int sock, Buffer *m)
-{
-	BIGNUM *p;
-	int rsafail;
-
-	/* Turn off permissions */
-	monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 0);
-
-	if ((p = BN_new()) == NULL)
-		fatal("%s: BN_new", __func__);
-
-	buffer_get_bignum2(m, p);
-
-	rsafail = ssh1_session_key(p);
-
-	buffer_clear(m);
-	buffer_put_int(m, rsafail);
-	buffer_put_bignum2(m, p);
-
-	BN_clear_free(p);
-
-	mm_request_send(sock, MONITOR_ANS_SESSKEY, m);
-
-	/* Turn on permissions for sessid passing */
-	monitor_permit(mon_dispatch, MONITOR_REQ_SESSID, 1);
-
-	return (0);
-}
-
-int
-mm_answer_sessid(int sock, Buffer *m)
-{
-	int i;
-
-	debug3("%s entering", __func__);
-
-	if (buffer_len(m) != 16)
-		fatal("%s: bad ssh1 session id", __func__);
-	for (i = 0; i < 16; i++)
-		session_id[i] = buffer_get_char(m);
-
-	/* Turn on permissions for getpwnam */
-	monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
-
-	return (0);
-}
-
-int
-mm_answer_rsa_keyallowed(int sock, Buffer *m)
-{
-	BIGNUM *client_n;
-	Key *key = NULL;
-	u_char *blob = NULL;
-	u_int blen = 0;
-	int allowed = 0;
-
-	debug3("%s entering", __func__);
-
-	auth_method = "rsa";
-	if (options.rsa_authentication && authctxt->valid) {
-		if ((client_n = BN_new()) == NULL)
-			fatal("%s: BN_new", __func__);
-		buffer_get_bignum2(m, client_n);
-		allowed = auth_rsa_key_allowed(authctxt->pw, client_n, &key);
-		BN_clear_free(client_n);
-	}
-	buffer_clear(m);
-	buffer_put_int(m, allowed);
-	buffer_put_int(m, forced_command != NULL);
-
-	/* clear temporarily storage (used by generate challenge) */
-	monitor_reset_key_state();
-
-	if (allowed && key != NULL) {
-		key->type = KEY_RSA;	/* cheat for key_to_blob */
-		if (key_to_blob(key, &blob, &blen) == 0)
-			fatal("%s: key_to_blob failed", __func__);
-		buffer_put_string(m, blob, blen);
-
-		/* Save temporarily for comparison in verify */
-		key_blob = blob;
-		key_bloblen = blen;
-		key_blobtype = MM_RSAUSERKEY;
-	}
-	if (key != NULL)
-		key_free(key);
-
-	mm_append_debug(m);
-
-	mm_request_send(sock, MONITOR_ANS_RSAKEYALLOWED, m);
-
-	monitor_permit(mon_dispatch, MONITOR_REQ_RSACHALLENGE, allowed);
-	monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 0);
-	return (0);
-}
-
-int
-mm_answer_rsa_challenge(int sock, Buffer *m)
-{
-	Key *key = NULL;
-	u_char *blob;
-	u_int blen;
-
-	debug3("%s entering", __func__);
-
-	if (!authctxt->valid)
-		fatal("%s: authctxt not valid", __func__);
-	blob = buffer_get_string(m, &blen);
-	if (!monitor_allowed_key(blob, blen))
-		fatal("%s: bad key, not previously allowed", __func__);
-	if (key_blobtype != MM_RSAUSERKEY && key_blobtype != MM_RSAHOSTKEY)
-		fatal("%s: key type mismatch", __func__);
-	if ((key = key_from_blob(blob, blen)) == NULL)
-		fatal("%s: received bad key", __func__);
-
-	if (ssh1_challenge)
-		BN_clear_free(ssh1_challenge);
-	ssh1_challenge = auth_rsa_generate_challenge(key);
-
-	buffer_clear(m);
-	buffer_put_bignum2(m, ssh1_challenge);
-
-	debug3("%s sending reply", __func__);
-	mm_request_send(sock, MONITOR_ANS_RSACHALLENGE, m);
-
-	monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 1);
-
-	xfree(blob);
-	key_free(key);
-	return (0);
-}
-
-int
-mm_answer_rsa_response(int sock, Buffer *m)
-{
-	Key *key = NULL;
-	u_char *blob, *response;
-	u_int blen, len;
-	int success;
-
-	debug3("%s entering", __func__);
-
-	if (!authctxt->valid)
-		fatal("%s: authctxt not valid", __func__);
-	if (ssh1_challenge == NULL)
-		fatal("%s: no ssh1_challenge", __func__);
-
-	blob = buffer_get_string(m, &blen);
-	if (!monitor_allowed_key(blob, blen))
-		fatal("%s: bad key, not previously allowed", __func__);
-	if (key_blobtype != MM_RSAUSERKEY && key_blobtype != MM_RSAHOSTKEY)
-		fatal("%s: key type mismatch: %d", __func__, key_blobtype);
-	if ((key = key_from_blob(blob, blen)) == NULL)
-		fatal("%s: received bad key", __func__);
-	response = buffer_get_string(m, &len);
-	if (len != 16)
-		fatal("%s: received bad response to challenge", __func__);
-	success = auth_rsa_verify_response(key, ssh1_challenge, response);
-
-	xfree(blob);
-	key_free(key);
-	xfree(response);
-
-	auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa";
-
-	/* reset state */
-	BN_clear_free(ssh1_challenge);
-	ssh1_challenge = NULL;
-	monitor_reset_key_state();
-
-	buffer_clear(m);
-	buffer_put_int(m, success);
-	mm_request_send(sock, MONITOR_ANS_RSARESPONSE, m);
-
-	return (success);
-}
-
-int
-mm_answer_term(int sock, Buffer *req)
-{
-	extern struct monitor *pmonitor;
-	int res, status;
-
-	debug3("%s: tearing down sessions", __func__);
-
-	/* The child is terminating */
-	session_destroy_all(&mm_session_close);
-
-	while (waitpid(pmonitor->m_pid, &status, 0) == -1)
-		if (errno != EINTR)
-			exit(1);
-
-	res = WIFEXITED(status) ? WEXITSTATUS(status) : 1;
-
-	/* Terminate process */
-	exit(res);
-}
-
-#ifdef SSH_AUDIT_EVENTS
-/* Report that an audit event occurred */
-int
-mm_answer_audit_event(int socket, Buffer *m)
-{
-	ssh_audit_event_t event;
-
-	debug3("%s entering", __func__);
-
-	event = buffer_get_int(m);
-	switch(event) {
-	case SSH_AUTH_FAIL_PUBKEY:
-	case SSH_AUTH_FAIL_HOSTBASED:
-	case SSH_AUTH_FAIL_GSSAPI:
-	case SSH_LOGIN_EXCEED_MAXTRIES:
-	case SSH_LOGIN_ROOT_DENIED:
-	case SSH_CONNECTION_CLOSE:
-	case SSH_INVALID_USER:
-		audit_event(event);
-		break;
-	default:
-		fatal("Audit event type %d not permitted", event);
-	}
-
-	return (0);
-}
-
-int
-mm_answer_audit_command(int socket, Buffer *m)
-{
-	u_int len;
-	char *cmd;
-
-	debug3("%s entering", __func__);
-	cmd = buffer_get_string(m, &len);
-	/* sanity check command, if so how? */
-	audit_run_command(cmd);
-	xfree(cmd);
-	return (0);
-}
-#endif /* SSH_AUDIT_EVENTS */
-
-void
-monitor_apply_keystate(struct monitor *pmonitor)
-{
-	if (compat20) {
-		set_newkeys(MODE_IN);
-		set_newkeys(MODE_OUT);
-	} else {
-		packet_set_protocol_flags(child_state.ssh1protoflags);
-		packet_set_encryption_key(child_state.ssh1key,
-		    child_state.ssh1keylen, child_state.ssh1cipher);
-		xfree(child_state.ssh1key);
-	}
-
-	/* for rc4 and other stateful ciphers */
-	packet_set_keycontext(MODE_OUT, child_state.keyout);
-	xfree(child_state.keyout);
-	packet_set_keycontext(MODE_IN, child_state.keyin);
-	xfree(child_state.keyin);
-
-	if (!compat20) {
-		packet_set_iv(MODE_OUT, child_state.ivout);
-		xfree(child_state.ivout);
-		packet_set_iv(MODE_IN, child_state.ivin);
-		xfree(child_state.ivin);
-	}
-
-	memcpy(&incoming_stream, &child_state.incoming,
-	    sizeof(incoming_stream));
-	memcpy(&outgoing_stream, &child_state.outgoing,
-	    sizeof(outgoing_stream));
-
-	/* Update with new address */
-	if (options.compression)
-		mm_init_compression(pmonitor->m_zlib);
-
-	/* Network I/O buffers */
-	/* XXX inefficient for large buffers, need: buffer_init_from_string */
-	buffer_clear(&input);
-	buffer_append(&input, child_state.input, child_state.ilen);
-	memset(child_state.input, 0, child_state.ilen);
-	xfree(child_state.input);
-
-	buffer_clear(&output);
-	buffer_append(&output, child_state.output, child_state.olen);
-	memset(child_state.output, 0, child_state.olen);
-	xfree(child_state.output);
-}
-
-static Kex *
-mm_get_kex(Buffer *m)
-{
-	Kex *kex;
-	void *blob;
-	u_int bloblen;
-
-	kex = xcalloc(1, sizeof(*kex));
-	kex->session_id = buffer_get_string(m, &kex->session_id_len);
-	if ((session_id2 == NULL) ||
-	    (kex->session_id_len != session_id2_len) ||
-	    (memcmp(kex->session_id, session_id2, session_id2_len) != 0))
-		fatal("mm_get_get: internal error: bad session id");
-	kex->we_need = buffer_get_int(m);
-	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
-	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
-	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
-	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
-	kex->server = 1;
-	kex->hostkey_type = buffer_get_int(m);
-	kex->kex_type = buffer_get_int(m);
-	blob = buffer_get_string(m, &bloblen);
-	buffer_init(&kex->my);
-	buffer_append(&kex->my, blob, bloblen);
-	xfree(blob);
-	blob = buffer_get_string(m, &bloblen);
-	buffer_init(&kex->peer);
-	buffer_append(&kex->peer, blob, bloblen);
-	xfree(blob);
-	kex->done = 1;
-	kex->flags = buffer_get_int(m);
-	kex->client_version_string = buffer_get_string(m, NULL);
-	kex->server_version_string = buffer_get_string(m, NULL);
-	kex->load_host_key=&get_hostkey_by_type;
-	kex->host_key_index=&get_hostkey_index;
-
-	return (kex);
-}
-
-/* This function requries careful sanity checking */
-
-void
-mm_get_keystate(struct monitor *pmonitor)
-{
-	Buffer m;
-	u_char *blob, *p;
-	u_int bloblen, plen;
-	u_int32_t seqnr, packets;
-	u_int64_t blocks;
-
-	debug3("%s: Waiting for new keys", __func__);
-
-	buffer_init(&m);
-	mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT, &m);
-	if (!compat20) {
-		child_state.ssh1protoflags = buffer_get_int(&m);
-		child_state.ssh1cipher = buffer_get_int(&m);
-		child_state.ssh1key = buffer_get_string(&m,
-		    &child_state.ssh1keylen);
-		child_state.ivout = buffer_get_string(&m,
-		    &child_state.ivoutlen);
-		child_state.ivin = buffer_get_string(&m, &child_state.ivinlen);
-		goto skip;
-	} else {
-		/* Get the Kex for rekeying */
-		*pmonitor->m_pkex = mm_get_kex(&m);
-	}
-
-	blob = buffer_get_string(&m, &bloblen);
-	current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
-	xfree(blob);
-
-	debug3("%s: Waiting for second key", __func__);
-	blob = buffer_get_string(&m, &bloblen);
-	current_keys[MODE_IN] = mm_newkeys_from_blob(blob, bloblen);
-	xfree(blob);
-
-	/* Now get sequence numbers for the packets */
-	seqnr = buffer_get_int(&m);
-	blocks = buffer_get_int64(&m);
-	packets = buffer_get_int(&m);
-	packet_set_state(MODE_OUT, seqnr, blocks, packets);
-	seqnr = buffer_get_int(&m);
-	blocks = buffer_get_int64(&m);
-	packets = buffer_get_int(&m);
-	packet_set_state(MODE_IN, seqnr, blocks, packets);
-
- skip:
-	/* Get the key context */
-	child_state.keyout = buffer_get_string(&m, &child_state.keyoutlen);
-	child_state.keyin  = buffer_get_string(&m, &child_state.keyinlen);
-
-	debug3("%s: Getting compression state", __func__);
-	/* Get compression state */
-	p = buffer_get_string(&m, &plen);
-	if (plen != sizeof(child_state.outgoing))
-		fatal("%s: bad request size", __func__);
-	memcpy(&child_state.outgoing, p, sizeof(child_state.outgoing));
-	xfree(p);
-
-	p = buffer_get_string(&m, &plen);
-	if (plen != sizeof(child_state.incoming))
-		fatal("%s: bad request size", __func__);
-	memcpy(&child_state.incoming, p, sizeof(child_state.incoming));
-	xfree(p);
-
-	/* Network I/O buffers */
-	debug3("%s: Getting Network I/O buffers", __func__);
-	child_state.input = buffer_get_string(&m, &child_state.ilen);
-	child_state.output = buffer_get_string(&m, &child_state.olen);
-
-	buffer_free(&m);
-}
-
-
-/* Allocation functions for zlib */
-void *
-mm_zalloc(struct mm_master *mm, u_int ncount, u_int size)
-{
-	size_t len = (size_t) size * ncount;
-	void *address;
-
-	if (len == 0 || ncount > SIZE_T_MAX / size)
-		fatal("%s: mm_zalloc(%u, %u)", __func__, ncount, size);
-
-	address = mm_malloc(mm, len);
-
-	return (address);
-}
-
-void
-mm_zfree(struct mm_master *mm, void *address)
-{
-	mm_free(mm, address);
-}
-
-void
-mm_init_compression(struct mm_master *mm)
-{
-	outgoing_stream.zalloc = (alloc_func)mm_zalloc;
-	outgoing_stream.zfree = (free_func)mm_zfree;
-	outgoing_stream.opaque = mm;
-
-	incoming_stream.zalloc = (alloc_func)mm_zalloc;
-	incoming_stream.zfree = (free_func)mm_zfree;
-	incoming_stream.opaque = mm;
-}
-
-/* XXX */
-
-#define FD_CLOSEONEXEC(x) do { \
-	if (fcntl(x, F_SETFD, 1) == -1) \
-		fatal("fcntl(%d, F_SETFD)", x); \
-} while (0)
-
-static void
-monitor_socketpair(int *pair)
-{
-#ifdef HAVE_SOCKETPAIR
-	if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1)
-		fatal("%s: socketpair", __func__);
-#else
-	fatal("%s: UsePrivilegeSeparation=yes not supported",
-	    __func__);
-#endif
-	FD_CLOSEONEXEC(pair[0]);
-	FD_CLOSEONEXEC(pair[1]);
-}
-
-#define MM_MEMSIZE	65536
-
-struct monitor *
-monitor_init(void)
-{
-	struct monitor *mon;
-	int pair[2];
-
-	mon = xcalloc(1, sizeof(*mon));
-
-	monitor_socketpair(pair);
-
-	mon->m_recvfd = pair[0];
-	mon->m_sendfd = pair[1];
-
-	/* Used to share zlib space across processes */
-	if (options.compression) {
-		mon->m_zback = mm_create(NULL, MM_MEMSIZE);
-		mon->m_zlib = mm_create(mon->m_zback, 20 * MM_MEMSIZE);
-
-		/* Compression needs to share state across borders */
-		mm_init_compression(mon->m_zlib);
-	}
-
-	return mon;
-}
-
-void
-monitor_reinit(struct monitor *mon)
-{
-	int pair[2];
-
-	monitor_socketpair(pair);
-
-	mon->m_recvfd = pair[0];
-	mon->m_sendfd = pair[1];
-}
-
-#ifdef GSSAPI
-int
-mm_answer_gss_setup_ctx(int sock, Buffer *m)
-{
-	gss_OID_desc goid;
-	OM_uint32 major;
-	u_int len;
-
-	goid.elements = buffer_get_string(m, &len);
-	goid.length = len;
-
-	major = ssh_gssapi_server_ctx(&gsscontext, &goid);
-
-	xfree(goid.elements);
-
-	buffer_clear(m);
-	buffer_put_int(m, major);
-
-	mm_request_send(sock, MONITOR_ANS_GSSSETUP, m);
-
-	/* Now we have a context, enable the step */
-	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 1);
-
-	return (0);
-}
-
-int
-mm_answer_gss_accept_ctx(int sock, Buffer *m)
-{
-	gss_buffer_desc in;
-	gss_buffer_desc out = GSS_C_EMPTY_BUFFER;
-	OM_uint32 major, minor;
-	OM_uint32 flags = 0; /* GSI needs this */
-	u_int len;
-
-	in.value = buffer_get_string(m, &len);
-	in.length = len;
-	major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
-	xfree(in.value);
-
-	buffer_clear(m);
-	buffer_put_int(m, major);
-	buffer_put_string(m, out.value, out.length);
-	buffer_put_int(m, flags);
-	mm_request_send(sock, MONITOR_ANS_GSSSTEP, m);
-
-	gss_release_buffer(&minor, &out);
-
-	if (major == GSS_S_COMPLETE) {
-		monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
-		monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
-		monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
-	}
-	return (0);
-}
-
-int
-mm_answer_gss_checkmic(int sock, Buffer *m)
-{
-	gss_buffer_desc gssbuf, mic;
-	OM_uint32 ret;
-	u_int len;
-
-	gssbuf.value = buffer_get_string(m, &len);
-	gssbuf.length = len;
-	mic.value = buffer_get_string(m, &len);
-	mic.length = len;
-
-	ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic);
-
-	xfree(gssbuf.value);
-	xfree(mic.value);
-
-	buffer_clear(m);
-	buffer_put_int(m, ret);
-
-	mm_request_send(sock, MONITOR_ANS_GSSCHECKMIC, m);
-
-	if (!GSS_ERROR(ret))
-		monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
-
-	return (0);
-}
-
-int
-mm_answer_gss_userok(int sock, Buffer *m)
-{
-	int authenticated;
-
-	authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
-
-	buffer_clear(m);
-	buffer_put_int(m, authenticated);
-
-	debug3("%s: sending result %d", __func__, authenticated);
-	mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
-
-	auth_method = "gssapi-with-mic";
-
-	/* Monitor loop will terminate if authenticated */
-	return (authenticated);
-}
-#endif /* GSSAPI */
diff --git a/crypto/openssh/monitor.h b/crypto/openssh/monitor.h
deleted file mode 100644
index 464009a..0000000
--- a/crypto/openssh/monitor.h
+++ /dev/null
@@ -1,92 +0,0 @@
-/* $OpenBSD: monitor.h,v 1.14 2006/03/25 22:22:43 djm Exp $ */
-
-/*
- * Copyright 2002 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef _MONITOR_H_
-#define _MONITOR_H_
-
-enum monitor_reqtype {
-	MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
-	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
-	MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
-	MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
-	MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
-	MONITOR_REQ_AUTHPASSWORD, MONITOR_ANS_AUTHPASSWORD,
-	MONITOR_REQ_BSDAUTHQUERY, MONITOR_ANS_BSDAUTHQUERY,
-	MONITOR_REQ_BSDAUTHRESPOND, MONITOR_ANS_BSDAUTHRESPOND,
-	MONITOR_REQ_SKEYQUERY, MONITOR_ANS_SKEYQUERY,
-	MONITOR_REQ_SKEYRESPOND, MONITOR_ANS_SKEYRESPOND,
-	MONITOR_REQ_KEYALLOWED, MONITOR_ANS_KEYALLOWED,
-	MONITOR_REQ_KEYVERIFY, MONITOR_ANS_KEYVERIFY,
-	MONITOR_REQ_KEYEXPORT,
-	MONITOR_REQ_PTY, MONITOR_ANS_PTY,
-	MONITOR_REQ_PTYCLEANUP,
-	MONITOR_REQ_SESSKEY, MONITOR_ANS_SESSKEY,
-	MONITOR_REQ_SESSID,
-	MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED,
-	MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
-	MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
-	MONITOR_REQ_GSSSETUP, MONITOR_ANS_GSSSETUP,
-	MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
-	MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,
-	MONITOR_REQ_GSSCHECKMIC, MONITOR_ANS_GSSCHECKMIC,
-	MONITOR_REQ_PAM_START,
-	MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT,
-	MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
-	MONITOR_REQ_PAM_QUERY, MONITOR_ANS_PAM_QUERY,
-	MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND,
-	MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,
-	MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND,
-	MONITOR_REQ_TERM
-};
-
-struct mm_master;
-struct monitor {
-	int			 m_recvfd;
-	int			 m_sendfd;
-	struct mm_master	*m_zback;
-	struct mm_master	*m_zlib;
-	struct Kex		**m_pkex;
-	pid_t			 m_pid;
-};
-
-struct monitor *monitor_init(void);
-void monitor_reinit(struct monitor *);
-void monitor_sync(struct monitor *);
-
-struct Authctxt;
-void monitor_child_preauth(struct Authctxt *, struct monitor *);
-void monitor_child_postauth(struct monitor *);
-
-struct mon_table;
-int monitor_read(struct monitor*, struct mon_table *, struct mon_table **);
-
-/* Prototypes for request sending and receiving */
-void mm_request_send(int, enum monitor_reqtype, Buffer *);
-void mm_request_receive(int, Buffer *);
-void mm_request_receive_expect(int, enum monitor_reqtype, Buffer *);
-
-#endif /* _MONITOR_H_ */
diff --git a/crypto/openssh/monitor_fdpass.c b/crypto/openssh/monitor_fdpass.c
deleted file mode 100644
index 9f8e9cd..0000000
--- a/crypto/openssh/monitor_fdpass.c
+++ /dev/null
@@ -1,139 +0,0 @@
-/* $OpenBSD: monitor_fdpass.c,v 1.12 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Copyright 2001 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/uio.h>
-#ifdef HAVE_SYS_UN_H
-#include <sys/un.h>
-#endif
-
-#include <errno.h>
-#include <string.h>
-#include <stdarg.h>
-
-#include "log.h"
-#include "monitor_fdpass.h"
-
-void
-mm_send_fd(int sock, int fd)
-{
-#if defined(HAVE_SENDMSG) && (defined(HAVE_ACCRIGHTS_IN_MSGHDR) || defined(HAVE_CONTROL_IN_MSGHDR))
-	struct msghdr msg;
-	struct iovec vec;
-	char ch = '\0';
-	ssize_t n;
-#ifndef HAVE_ACCRIGHTS_IN_MSGHDR
-	char tmp[CMSG_SPACE(sizeof(int))];
-	struct cmsghdr *cmsg;
-#endif
-
-	memset(&msg, 0, sizeof(msg));
-#ifdef HAVE_ACCRIGHTS_IN_MSGHDR
-	msg.msg_accrights = (caddr_t)&fd;
-	msg.msg_accrightslen = sizeof(fd);
-#else
-	msg.msg_control = (caddr_t)tmp;
-	msg.msg_controllen = CMSG_LEN(sizeof(int));
-	cmsg = CMSG_FIRSTHDR(&msg);
-	cmsg->cmsg_len = CMSG_LEN(sizeof(int));
-	cmsg->cmsg_level = SOL_SOCKET;
-	cmsg->cmsg_type = SCM_RIGHTS;
-	*(int *)CMSG_DATA(cmsg) = fd;
-#endif
-
-	vec.iov_base = &ch;
-	vec.iov_len = 1;
-	msg.msg_iov = &vec;
-	msg.msg_iovlen = 1;
-
-	if ((n = sendmsg(sock, &msg, 0)) == -1)
-		fatal("%s: sendmsg(%d): %s", __func__, fd,
-		    strerror(errno));
-	if (n != 1)
-		fatal("%s: sendmsg: expected sent 1 got %ld",
-		    __func__, (long)n);
-#else
-	fatal("%s: UsePrivilegeSeparation=yes not supported",
-	    __func__);
-#endif
-}
-
-int
-mm_receive_fd(int sock)
-{
-#if defined(HAVE_RECVMSG) && (defined(HAVE_ACCRIGHTS_IN_MSGHDR) || defined(HAVE_CONTROL_IN_MSGHDR))
-	struct msghdr msg;
-	struct iovec vec;
-	ssize_t n;
-	char ch;
-	int fd;
-#ifndef HAVE_ACCRIGHTS_IN_MSGHDR
-	char tmp[CMSG_SPACE(sizeof(int))];
-	struct cmsghdr *cmsg;
-#endif
-
-	memset(&msg, 0, sizeof(msg));
-	vec.iov_base = &ch;
-	vec.iov_len = 1;
-	msg.msg_iov = &vec;
-	msg.msg_iovlen = 1;
-#ifdef HAVE_ACCRIGHTS_IN_MSGHDR
-	msg.msg_accrights = (caddr_t)&fd;
-	msg.msg_accrightslen = sizeof(fd);
-#else
-	msg.msg_control = tmp;
-	msg.msg_controllen = sizeof(tmp);
-#endif
-
-	if ((n = recvmsg(sock, &msg, 0)) == -1)
-		fatal("%s: recvmsg: %s", __func__, strerror(errno));
-	if (n != 1)
-		fatal("%s: recvmsg: expected received 1 got %ld",
-		    __func__, (long)n);
-
-#ifdef HAVE_ACCRIGHTS_IN_MSGHDR
-	if (msg.msg_accrightslen != sizeof(fd))
-		fatal("%s: no fd", __func__);
-#else
-	cmsg = CMSG_FIRSTHDR(&msg);
-	if (cmsg == NULL)
-		fatal("%s: no message header", __func__);
-#ifndef BROKEN_CMSG_TYPE
-	if (cmsg->cmsg_type != SCM_RIGHTS)
-		fatal("%s: expected type %d got %d", __func__,
-		    SCM_RIGHTS, cmsg->cmsg_type);
-#endif
-	fd = (*(int *)CMSG_DATA(cmsg));
-#endif
-	return fd;
-#else
-	fatal("%s: UsePrivilegeSeparation=yes not supported",
-	    __func__);
-#endif
-}
diff --git a/crypto/openssh/monitor_fdpass.h b/crypto/openssh/monitor_fdpass.h
deleted file mode 100644
index 12c67ec..0000000
--- a/crypto/openssh/monitor_fdpass.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/* $OpenBSD: monitor_fdpass.h,v 1.3 2006/03/25 22:22:43 djm Exp $ */
-
-/*
- * Copyright 2002 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef _MM_FDPASS_H_
-#define _MM_FDPASS_H_
-
-void mm_send_fd(int, int);
-int mm_receive_fd(int);
-
-#endif /* _MM_FDPASS_H_ */
diff --git a/crypto/openssh/monitor_mm.c b/crypto/openssh/monitor_mm.c
deleted file mode 100644
index dab7475..0000000
--- a/crypto/openssh/monitor_mm.c
+++ /dev/null
@@ -1,352 +0,0 @@
-/* $OpenBSD: monitor_mm.c,v 1.15 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Copyright 2002 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#ifdef HAVE_SYS_MMAN_H
-#include <sys/mman.h>
-#endif
-#include <sys/param.h>
-#include "openbsd-compat/sys-tree.h"
-
-#include <errno.h>
-#include <stdarg.h>
-#include <string.h>
-
-#include "xmalloc.h"
-#include "ssh.h"
-#include "log.h"
-#include "monitor_mm.h"
-
-static int
-mm_compare(struct mm_share *a, struct mm_share *b)
-{
-	long diff = (char *)a->address - (char *)b->address;
-
-	if (diff == 0)
-		return (0);
-	else if (diff < 0)
-		return (-1);
-	else
-		return (1);
-}
-
-RB_GENERATE(mmtree, mm_share, next, mm_compare)
-
-static struct mm_share *
-mm_make_entry(struct mm_master *mm, struct mmtree *head,
-    void *address, size_t size)
-{
-	struct mm_share *tmp, *tmp2;
-
-	if (mm->mmalloc == NULL)
-		tmp = xmalloc(sizeof(struct mm_share));
-	else
-		tmp = mm_xmalloc(mm->mmalloc, sizeof(struct mm_share));
-	tmp->address = address;
-	tmp->size = size;
-
-	tmp2 = RB_INSERT(mmtree, head, tmp);
-	if (tmp2 != NULL)
-		fatal("mm_make_entry(%p): double address %p->%p(%lu)",
-		    mm, tmp2, address, (u_long)size);
-
-	return (tmp);
-}
-
-/* Creates a shared memory area of a certain size */
-
-struct mm_master *
-mm_create(struct mm_master *mmalloc, size_t size)
-{
-	void *address;
-	struct mm_master *mm;
-
-	if (mmalloc == NULL)
-		mm = xmalloc(sizeof(struct mm_master));
-	else
-		mm = mm_xmalloc(mmalloc, sizeof(struct mm_master));
-
-	/*
-	 * If the memory map has a mm_master it can be completely
-	 * shared including authentication between the child
-	 * and the client.
-	 */
-	mm->mmalloc = mmalloc;
-
-	address = xmmap(size);
-	if (address == (void *)MAP_FAILED)
-		fatal("mmap(%lu): %s", (u_long)size, strerror(errno));
-
-	mm->address = address;
-	mm->size = size;
-
-	RB_INIT(&mm->rb_free);
-	RB_INIT(&mm->rb_allocated);
-
-	mm_make_entry(mm, &mm->rb_free, address, size);
-
-	return (mm);
-}
-
-/* Frees either the allocated or the free list */
-
-static void
-mm_freelist(struct mm_master *mmalloc, struct mmtree *head)
-{
-	struct mm_share *mms, *next;
-
-	for (mms = RB_ROOT(head); mms; mms = next) {
-		next = RB_NEXT(mmtree, head, mms);
-		RB_REMOVE(mmtree, head, mms);
-		if (mmalloc == NULL)
-			xfree(mms);
-		else
-			mm_free(mmalloc, mms);
-	}
-}
-
-/* Destroys a memory mapped area */
-
-void
-mm_destroy(struct mm_master *mm)
-{
-	mm_freelist(mm->mmalloc, &mm->rb_free);
-	mm_freelist(mm->mmalloc, &mm->rb_allocated);
-
-#ifdef HAVE_MMAP
-	if (munmap(mm->address, mm->size) == -1)
-		fatal("munmap(%p, %lu): %s", mm->address, (u_long)mm->size,
-		    strerror(errno));
-#else
-	fatal("%s: UsePrivilegeSeparation=yes and Compression=yes not supported",
-	    __func__);
-#endif
-	if (mm->mmalloc == NULL)
-		xfree(mm);
-	else
-		mm_free(mm->mmalloc, mm);
-}
-
-void *
-mm_xmalloc(struct mm_master *mm, size_t size)
-{
-	void *address;
-
-	address = mm_malloc(mm, size);
-	if (address == NULL)
-		fatal("%s: mm_malloc(%lu)", __func__, (u_long)size);
-	return (address);
-}
-
-
-/* Allocates data from a memory mapped area */
-
-void *
-mm_malloc(struct mm_master *mm, size_t size)
-{
-	struct mm_share *mms, *tmp;
-
-	if (size == 0)
-		fatal("mm_malloc: try to allocate 0 space");
-	if (size > SIZE_T_MAX - MM_MINSIZE + 1)
-		fatal("mm_malloc: size too big");
-
-	size = ((size + (MM_MINSIZE - 1)) / MM_MINSIZE) * MM_MINSIZE;
-
-	RB_FOREACH(mms, mmtree, &mm->rb_free) {
-		if (mms->size >= size)
-			break;
-	}
-
-	if (mms == NULL)
-		return (NULL);
-
-	/* Debug */
-	memset(mms->address, 0xd0, size);
-
-	tmp = mm_make_entry(mm, &mm->rb_allocated, mms->address, size);
-
-	/* Does not change order in RB tree */
-	mms->size -= size;
-	mms->address = (u_char *)mms->address + size;
-
-	if (mms->size == 0) {
-		RB_REMOVE(mmtree, &mm->rb_free, mms);
-		if (mm->mmalloc == NULL)
-			xfree(mms);
-		else
-			mm_free(mm->mmalloc, mms);
-	}
-
-	return (tmp->address);
-}
-
-/* Frees memory in a memory mapped area */
-
-void
-mm_free(struct mm_master *mm, void *address)
-{
-	struct mm_share *mms, *prev, tmp;
-
-	tmp.address = address;
-	mms = RB_FIND(mmtree, &mm->rb_allocated, &tmp);
-	if (mms == NULL)
-		fatal("mm_free(%p): can not find %p", mm, address);
-
-	/* Debug */
-	memset(mms->address, 0xd0, mms->size);
-
-	/* Remove from allocated list and insert in free list */
-	RB_REMOVE(mmtree, &mm->rb_allocated, mms);
-	if (RB_INSERT(mmtree, &mm->rb_free, mms) != NULL)
-		fatal("mm_free(%p): double address %p", mm, address);
-
-	/* Find previous entry */
-	prev = mms;
-	if (RB_LEFT(prev, next)) {
-		prev = RB_LEFT(prev, next);
-		while (RB_RIGHT(prev, next))
-			prev = RB_RIGHT(prev, next);
-	} else {
-		if (RB_PARENT(prev, next) &&
-		    (prev == RB_RIGHT(RB_PARENT(prev, next), next)))
-			prev = RB_PARENT(prev, next);
-		else {
-			while (RB_PARENT(prev, next) &&
-			    (prev == RB_LEFT(RB_PARENT(prev, next), next)))
-				prev = RB_PARENT(prev, next);
-			prev = RB_PARENT(prev, next);
-		}
-	}
-
-	/* Check if range does not overlap */
-	if (prev != NULL && MM_ADDRESS_END(prev) > address)
-		fatal("mm_free: memory corruption: %p(%lu) > %p",
-		    prev->address, (u_long)prev->size, address);
-
-	/* See if we can merge backwards */
-	if (prev != NULL && MM_ADDRESS_END(prev) == address) {
-		prev->size += mms->size;
-		RB_REMOVE(mmtree, &mm->rb_free, mms);
-		if (mm->mmalloc == NULL)
-			xfree(mms);
-		else
-			mm_free(mm->mmalloc, mms);
-	} else
-		prev = mms;
-
-	if (prev == NULL)
-		return;
-
-	/* Check if we can merge forwards */
-	mms = RB_NEXT(mmtree, &mm->rb_free, prev);
-	if (mms == NULL)
-		return;
-
-	if (MM_ADDRESS_END(prev) > mms->address)
-		fatal("mm_free: memory corruption: %p < %p(%lu)",
-		    mms->address, prev->address, (u_long)prev->size);
-	if (MM_ADDRESS_END(prev) != mms->address)
-		return;
-
-	prev->size += mms->size;
-	RB_REMOVE(mmtree, &mm->rb_free, mms);
-
-	if (mm->mmalloc == NULL)
-		xfree(mms);
-	else
-		mm_free(mm->mmalloc, mms);
-}
-
-static void
-mm_sync_list(struct mmtree *oldtree, struct mmtree *newtree,
-    struct mm_master *mm, struct mm_master *mmold)
-{
-	struct mm_master *mmalloc = mm->mmalloc;
-	struct mm_share *mms, *new;
-
-	/* Sync free list */
-	RB_FOREACH(mms, mmtree, oldtree) {
-		/* Check the values */
-		mm_memvalid(mmold, mms, sizeof(struct mm_share));
-		mm_memvalid(mm, mms->address, mms->size);
-
-		new = mm_xmalloc(mmalloc, sizeof(struct mm_share));
-		memcpy(new, mms, sizeof(struct mm_share));
-		RB_INSERT(mmtree, newtree, new);
-	}
-}
-
-void
-mm_share_sync(struct mm_master **pmm, struct mm_master **pmmalloc)
-{
-	struct mm_master *mm;
-	struct mm_master *mmalloc;
-	struct mm_master *mmold;
-	struct mmtree rb_free, rb_allocated;
-
-	debug3("%s: Share sync", __func__);
-
-	mm = *pmm;
-	mmold = mm->mmalloc;
-	mm_memvalid(mmold, mm, sizeof(*mm));
-
-	mmalloc = mm_create(NULL, mm->size);
-	mm = mm_xmalloc(mmalloc, sizeof(struct mm_master));
-	memcpy(mm, *pmm, sizeof(struct mm_master));
-	mm->mmalloc = mmalloc;
-
-	rb_free = mm->rb_free;
-	rb_allocated = mm->rb_allocated;
-
-	RB_INIT(&mm->rb_free);
-	RB_INIT(&mm->rb_allocated);
-
-	mm_sync_list(&rb_free, &mm->rb_free, mm, mmold);
-	mm_sync_list(&rb_allocated, &mm->rb_allocated, mm, mmold);
-
-	mm_destroy(mmold);
-
-	*pmm = mm;
-	*pmmalloc = mmalloc;
-
-	debug3("%s: Share sync end", __func__);
-}
-
-void
-mm_memvalid(struct mm_master *mm, void *address, size_t size)
-{
-	void *end = (u_char *)address + size;
-
-	if (address < mm->address)
-		fatal("mm_memvalid: address too small: %p", address);
-	if (end < address)
-		fatal("mm_memvalid: end < address: %p < %p", end, address);
-	if (end > (void *)((u_char *)mm->address + mm->size))
-		fatal("mm_memvalid: address too large: %p", address);
-}
diff --git a/crypto/openssh/monitor_mm.h b/crypto/openssh/monitor_mm.h
deleted file mode 100644
index 36a07a0..0000000
--- a/crypto/openssh/monitor_mm.h
+++ /dev/null
@@ -1,65 +0,0 @@
-/* $OpenBSD: monitor_mm.h,v 1.4 2006/08/03 03:34:42 deraadt Exp $ */
-
-/*
- * Copyright 2002 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef _MM_H_
-#define _MM_H_
-
-struct mm_share {
-	RB_ENTRY(mm_share) next;
-	void *address;
-	size_t size;
-};
-
-struct mm_master {
-	RB_HEAD(mmtree, mm_share) rb_free;
-	struct mmtree rb_allocated;
-	void *address;
-	size_t size;
-
-	struct mm_master *mmalloc;	/* Used to completely share */
-
-	int write;		/* used to writing to other party */
-	int read;		/* used for reading from other party */
-};
-
-RB_PROTOTYPE(mmtree, mm_share, next, mm_compare)
-
-#define MM_MINSIZE		128
-
-#define MM_ADDRESS_END(x)	(void *)((u_char *)(x)->address + (x)->size)
-
-struct mm_master *mm_create(struct mm_master *, size_t);
-void mm_destroy(struct mm_master *);
-
-void mm_share_sync(struct mm_master **, struct mm_master **);
-
-void *mm_malloc(struct mm_master *, size_t);
-void *mm_xmalloc(struct mm_master *, size_t);
-void mm_free(struct mm_master *, void *);
-
-void mm_memvalid(struct mm_master *, void *, size_t);
-#endif /* _MM_H_ */
diff --git a/crypto/openssh/monitor_wrap.c b/crypto/openssh/monitor_wrap.c
deleted file mode 100644
index 3865539..0000000
--- a/crypto/openssh/monitor_wrap.c
+++ /dev/null
@@ -1,1227 +0,0 @@
-/* $OpenBSD: monitor_wrap.c,v 1.54 2006/08/12 20:46:46 miod Exp $ */
-/*
- * Copyright 2002 Niels Provos <provos@citi.umich.edu>
- * Copyright 2002 Markus Friedl <markus@openbsd.org>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/uio.h>
-
-#include <errno.h>
-#include <pwd.h>
-#include <signal.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <openssl/bn.h>
-#include <openssl/dh.h>
-
-#include "xmalloc.h"
-#include "ssh.h"
-#include "dh.h"
-#include "buffer.h"
-#include "key.h"
-#include "cipher.h"
-#include "kex.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "auth-options.h"
-#include "packet.h"
-#include "mac.h"
-#include "log.h"
-#ifdef TARGET_OS_MAC    /* XXX Broken krb5 headers on Mac */
-#undef TARGET_OS_MAC
-#include "zlib.h"
-#define TARGET_OS_MAC 1
-#else
-#include "zlib.h"
-#endif
-#include "monitor.h"
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-#include "monitor_wrap.h"
-#include "atomicio.h"
-#include "monitor_fdpass.h"
-#include "misc.h"
-#include "servconf.h"
-
-#include "channels.h"
-#include "session.h"
-
-/* Imports */
-extern int compat20;
-extern Newkeys *newkeys[];
-extern z_stream incoming_stream;
-extern z_stream outgoing_stream;
-extern struct monitor *pmonitor;
-extern Buffer input, output;
-extern Buffer loginmsg;
-extern ServerOptions options;
-
-int
-mm_is_monitor(void)
-{
-	/*
-	 * m_pid is only set in the privileged part, and
-	 * points to the unprivileged child.
-	 */
-	return (pmonitor && pmonitor->m_pid > 0);
-}
-
-void
-mm_request_send(int sock, enum monitor_reqtype type, Buffer *m)
-{
-	u_int mlen = buffer_len(m);
-	u_char buf[5];
-
-	debug3("%s entering: type %d", __func__, type);
-
-	put_u32(buf, mlen + 1);
-	buf[4] = (u_char) type;		/* 1st byte of payload is mesg-type */
-	if (atomicio(vwrite, sock, buf, sizeof(buf)) != sizeof(buf))
-		fatal("%s: write: %s", __func__, strerror(errno));
-	if (atomicio(vwrite, sock, buffer_ptr(m), mlen) != mlen)
-		fatal("%s: write: %s", __func__, strerror(errno));
-}
-
-void
-mm_request_receive(int sock, Buffer *m)
-{
-	u_char buf[4];
-	u_int msg_len;
-
-	debug3("%s entering", __func__);
-
-	if (atomicio(read, sock, buf, sizeof(buf)) != sizeof(buf)) {
-		if (errno == EPIPE)
-			cleanup_exit(255);
-		fatal("%s: read: %s", __func__, strerror(errno));
-	}
-	msg_len = get_u32(buf);
-	if (msg_len > 256 * 1024)
-		fatal("%s: read: bad msg_len %d", __func__, msg_len);
-	buffer_clear(m);
-	buffer_append_space(m, msg_len);
-	if (atomicio(read, sock, buffer_ptr(m), msg_len) != msg_len)
-		fatal("%s: read: %s", __func__, strerror(errno));
-}
-
-void
-mm_request_receive_expect(int sock, enum monitor_reqtype type, Buffer *m)
-{
-	u_char rtype;
-
-	debug3("%s entering: type %d", __func__, type);
-
-	mm_request_receive(sock, m);
-	rtype = buffer_get_char(m);
-	if (rtype != type)
-		fatal("%s: read: rtype %d != type %d", __func__,
-		    rtype, type);
-}
-
-DH *
-mm_choose_dh(int min, int nbits, int max)
-{
-	BIGNUM *p, *g;
-	int success = 0;
-	Buffer m;
-
-	buffer_init(&m);
-	buffer_put_int(&m, min);
-	buffer_put_int(&m, nbits);
-	buffer_put_int(&m, max);
-
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_MODULI, &m);
-
-	debug3("%s: waiting for MONITOR_ANS_MODULI", __func__);
-	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_MODULI, &m);
-
-	success = buffer_get_char(&m);
-	if (success == 0)
-		fatal("%s: MONITOR_ANS_MODULI failed", __func__);
-
-	if ((p = BN_new()) == NULL)
-		fatal("%s: BN_new failed", __func__);
-	if ((g = BN_new()) == NULL)
-		fatal("%s: BN_new failed", __func__);
-	buffer_get_bignum2(&m, p);
-	buffer_get_bignum2(&m, g);
-
-	debug3("%s: remaining %d", __func__, buffer_len(&m));
-	buffer_free(&m);
-
-	return (dh_new_group(g, p));
-}
-
-int
-mm_key_sign(Key *key, u_char **sigp, u_int *lenp, u_char *data, u_int datalen)
-{
-	Kex *kex = *pmonitor->m_pkex;
-	Buffer m;
-
-	debug3("%s entering", __func__);
-
-	buffer_init(&m);
-	buffer_put_int(&m, kex->host_key_index(key));
-	buffer_put_string(&m, data, datalen);
-
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SIGN, &m);
-
-	debug3("%s: waiting for MONITOR_ANS_SIGN", __func__);
-	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SIGN, &m);
-	*sigp  = buffer_get_string(&m, lenp);
-	buffer_free(&m);
-
-	return (0);
-}
-
-struct passwd *
-mm_getpwnamallow(const char *username)
-{
-	Buffer m;
-	struct passwd *pw;
-	u_int pwlen;
-
-	debug3("%s entering", __func__);
-
-	buffer_init(&m);
-	buffer_put_cstring(&m, username);
-
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PWNAM, &m);
-
-	debug3("%s: waiting for MONITOR_ANS_PWNAM", __func__);
-	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PWNAM, &m);
-
-	if (buffer_get_char(&m) == 0) {
-		buffer_free(&m);
-		return (NULL);
-	}
-	pw = buffer_get_string(&m, &pwlen);
-	if (pwlen != sizeof(struct passwd))
-		fatal("%s: struct passwd size mismatch", __func__);
-	pw->pw_name = buffer_get_string(&m, NULL);
-	pw->pw_passwd = buffer_get_string(&m, NULL);
-	pw->pw_gecos = buffer_get_string(&m, NULL);
-#ifdef HAVE_PW_CLASS_IN_PASSWD
-	pw->pw_class = buffer_get_string(&m, NULL);
-#endif
-	pw->pw_dir = buffer_get_string(&m, NULL);
-	pw->pw_shell = buffer_get_string(&m, NULL);
-	buffer_free(&m);
-
-	return (pw);
-}
-
-char *
-mm_auth2_read_banner(void)
-{
-	Buffer m;
-	char *banner;
-
-	debug3("%s entering", __func__);
-
-	buffer_init(&m);
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTH2_READ_BANNER, &m);
-	buffer_clear(&m);
-
-	mm_request_receive_expect(pmonitor->m_recvfd,
-	    MONITOR_ANS_AUTH2_READ_BANNER, &m);
-	banner = buffer_get_string(&m, NULL);
-	buffer_free(&m);
-
-	/* treat empty banner as missing banner */
-	if (strlen(banner) == 0) {
-		xfree(banner);
-		banner = NULL;
-	}
-	return (banner);
-}
-
-/* Inform the privileged process about service and style */
-
-void
-mm_inform_authserv(char *service, char *style)
-{
-	Buffer m;
-
-	debug3("%s entering", __func__);
-
-	buffer_init(&m);
-	buffer_put_cstring(&m, service);
-	buffer_put_cstring(&m, style ? style : "");
-
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, &m);
-
-	buffer_free(&m);
-}
-
-/* Do the password authentication */
-int
-mm_auth_password(Authctxt *authctxt, char *password)
-{
-	Buffer m;
-	int authenticated = 0;
-
-	debug3("%s entering", __func__);
-
-	buffer_init(&m);
-	buffer_put_cstring(&m, password);
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHPASSWORD, &m);
-
-	debug3("%s: waiting for MONITOR_ANS_AUTHPASSWORD", __func__);
-	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUTHPASSWORD, &m);
-
-	authenticated = buffer_get_int(&m);
-
-	buffer_free(&m);
-
-	debug3("%s: user %sauthenticated",
-	    __func__, authenticated ? "" : "not ");
-	return (authenticated);
-}
-
-int
-mm_user_key_allowed(struct passwd *pw, Key *key)
-{
-	return (mm_key_allowed(MM_USERKEY, NULL, NULL, key));
-}
-
-int
-mm_hostbased_key_allowed(struct passwd *pw, char *user, char *host,
-    Key *key)
-{
-	return (mm_key_allowed(MM_HOSTKEY, user, host, key));
-}
-
-int
-mm_auth_rhosts_rsa_key_allowed(struct passwd *pw, char *user,
-    char *host, Key *key)
-{
-	int ret;
-
-	key->type = KEY_RSA; /* XXX hack for key_to_blob */
-	ret = mm_key_allowed(MM_RSAHOSTKEY, user, host, key);
-	key->type = KEY_RSA1;
-	return (ret);
-}
-
-static void
-mm_send_debug(Buffer *m)
-{
-	char *msg;
-
-	while (buffer_len(m)) {
-		msg = buffer_get_string(m, NULL);
-		debug3("%s: Sending debug: %s", __func__, msg);
-		packet_send_debug("%s", msg);
-		xfree(msg);
-	}
-}
-
-int
-mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key)
-{
-	Buffer m;
-	u_char *blob;
-	u_int len;
-	int allowed = 0, have_forced = 0;
-
-	debug3("%s entering", __func__);
-
-	/* Convert the key to a blob and the pass it over */
-	if (!key_to_blob(key, &blob, &len))
-		return (0);
-
-	buffer_init(&m);
-	buffer_put_int(&m, type);
-	buffer_put_cstring(&m, user ? user : "");
-	buffer_put_cstring(&m, host ? host : "");
-	buffer_put_string(&m, blob, len);
-	xfree(blob);
-
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m);
-
-	debug3("%s: waiting for MONITOR_ANS_KEYALLOWED", __func__);
-	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KEYALLOWED, &m);
-
-	allowed = buffer_get_int(&m);
-
-	/* fake forced command */
-	auth_clear_options();
-	have_forced = buffer_get_int(&m);
-	forced_command = have_forced ? xstrdup("true") : NULL;
-
-	/* Send potential debug messages */
-	mm_send_debug(&m);
-
-	buffer_free(&m);
-
-	return (allowed);
-}
-
-/*
- * This key verify needs to send the key type along, because the
- * privileged parent makes the decision if the key is allowed
- * for authentication.
- */
-
-int
-mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
-{
-	Buffer m;
-	u_char *blob;
-	u_int len;
-	int verified = 0;
-
-	debug3("%s entering", __func__);
-
-	/* Convert the key to a blob and the pass it over */
-	if (!key_to_blob(key, &blob, &len))
-		return (0);
-
-	buffer_init(&m);
-	buffer_put_string(&m, blob, len);
-	buffer_put_string(&m, sig, siglen);
-	buffer_put_string(&m, data, datalen);
-	xfree(blob);
-
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m);
-
-	debug3("%s: waiting for MONITOR_ANS_KEYVERIFY", __func__);
-	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KEYVERIFY, &m);
-
-	verified = buffer_get_int(&m);
-
-	buffer_free(&m);
-
-	return (verified);
-}
-
-/* Export key state after authentication */
-Newkeys *
-mm_newkeys_from_blob(u_char *blob, int blen)
-{
-	Buffer b;
-	u_int len;
-	Newkeys *newkey = NULL;
-	Enc *enc;
-	Mac *mac;
-	Comp *comp;
-
-	debug3("%s: %p(%d)", __func__, blob, blen);
-#ifdef DEBUG_PK
-	dump_base64(stderr, blob, blen);
-#endif
-	buffer_init(&b);
-	buffer_append(&b, blob, blen);
-
-	newkey = xmalloc(sizeof(*newkey));
-	enc = &newkey->enc;
-	mac = &newkey->mac;
-	comp = &newkey->comp;
-
-	/* Enc structure */
-	enc->name = buffer_get_string(&b, NULL);
-	buffer_get(&b, &enc->cipher, sizeof(enc->cipher));
-	enc->enabled = buffer_get_int(&b);
-	enc->block_size = buffer_get_int(&b);
-	enc->key = buffer_get_string(&b, &enc->key_len);
-	enc->iv = buffer_get_string(&b, &len);
-	if (len != enc->block_size)
-		fatal("%s: bad ivlen: expected %u != %u", __func__,
-		    enc->block_size, len);
-
-	if (enc->name == NULL || cipher_by_name(enc->name) != enc->cipher)
-		fatal("%s: bad cipher name %s or pointer %p", __func__,
-		    enc->name, enc->cipher);
-
-	/* Mac structure */
-	mac->name = buffer_get_string(&b, NULL);
-	if (mac->name == NULL || mac_init(mac, mac->name) == -1)
-		fatal("%s: can not init mac %s", __func__, mac->name);
-	mac->enabled = buffer_get_int(&b);
-	mac->key = buffer_get_string(&b, &len);
-	if (len > mac->key_len)
-		fatal("%s: bad mac key length: %u > %d", __func__, len,
-		    mac->key_len);
-	mac->key_len = len;
-
-	/* Comp structure */
-	comp->type = buffer_get_int(&b);
-	comp->enabled = buffer_get_int(&b);
-	comp->name = buffer_get_string(&b, NULL);
-
-	len = buffer_len(&b);
-	if (len != 0)
-		error("newkeys_from_blob: remaining bytes in blob %u", len);
-	buffer_free(&b);
-	return (newkey);
-}
-
-int
-mm_newkeys_to_blob(int mode, u_char **blobp, u_int *lenp)
-{
-	Buffer b;
-	int len;
-	Enc *enc;
-	Mac *mac;
-	Comp *comp;
-	Newkeys *newkey = newkeys[mode];
-
-	debug3("%s: converting %p", __func__, newkey);
-
-	if (newkey == NULL) {
-		error("%s: newkey == NULL", __func__);
-		return 0;
-	}
-	enc = &newkey->enc;
-	mac = &newkey->mac;
-	comp = &newkey->comp;
-
-	buffer_init(&b);
-	/* Enc structure */
-	buffer_put_cstring(&b, enc->name);
-	/* The cipher struct is constant and shared, you export pointer */
-	buffer_append(&b, &enc->cipher, sizeof(enc->cipher));
-	buffer_put_int(&b, enc->enabled);
-	buffer_put_int(&b, enc->block_size);
-	buffer_put_string(&b, enc->key, enc->key_len);
-	packet_get_keyiv(mode, enc->iv, enc->block_size);
-	buffer_put_string(&b, enc->iv, enc->block_size);
-
-	/* Mac structure */
-	buffer_put_cstring(&b, mac->name);
-	buffer_put_int(&b, mac->enabled);
-	buffer_put_string(&b, mac->key, mac->key_len);
-
-	/* Comp structure */
-	buffer_put_int(&b, comp->type);
-	buffer_put_int(&b, comp->enabled);
-	buffer_put_cstring(&b, comp->name);
-
-	len = buffer_len(&b);
-	if (lenp != NULL)
-		*lenp = len;
-	if (blobp != NULL) {
-		*blobp = xmalloc(len);
-		memcpy(*blobp, buffer_ptr(&b), len);
-	}
-	memset(buffer_ptr(&b), 0, len);
-	buffer_free(&b);
-	return len;
-}
-
-static void
-mm_send_kex(Buffer *m, Kex *kex)
-{
-	buffer_put_string(m, kex->session_id, kex->session_id_len);
-	buffer_put_int(m, kex->we_need);
-	buffer_put_int(m, kex->hostkey_type);
-	buffer_put_int(m, kex->kex_type);
-	buffer_put_string(m, buffer_ptr(&kex->my), buffer_len(&kex->my));
-	buffer_put_string(m, buffer_ptr(&kex->peer), buffer_len(&kex->peer));
-	buffer_put_int(m, kex->flags);
-	buffer_put_cstring(m, kex->client_version_string);
-	buffer_put_cstring(m, kex->server_version_string);
-}
-
-void
-mm_send_keystate(struct monitor *monitor)
-{
-	Buffer m;
-	u_char *blob, *p;
-	u_int bloblen, plen;
-	u_int32_t seqnr, packets;
-	u_int64_t blocks;
-
-	buffer_init(&m);
-
-	if (!compat20) {
-		u_char iv[24];
-		u_char *key;
-		u_int ivlen, keylen;
-
-		buffer_put_int(&m, packet_get_protocol_flags());
-
-		buffer_put_int(&m, packet_get_ssh1_cipher());
-
-		debug3("%s: Sending ssh1 KEY+IV", __func__);
-		keylen = packet_get_encryption_key(NULL);
-		key = xmalloc(keylen+1);	/* add 1 if keylen == 0 */
-		keylen = packet_get_encryption_key(key);
-		buffer_put_string(&m, key, keylen);
-		memset(key, 0, keylen);
-		xfree(key);
-
-		ivlen = packet_get_keyiv_len(MODE_OUT);
-		packet_get_keyiv(MODE_OUT, iv, ivlen);
-		buffer_put_string(&m, iv, ivlen);
-		ivlen = packet_get_keyiv_len(MODE_OUT);
-		packet_get_keyiv(MODE_IN, iv, ivlen);
-		buffer_put_string(&m, iv, ivlen);
-		goto skip;
-	} else {
-		/* Kex for rekeying */
-		mm_send_kex(&m, *monitor->m_pkex);
-	}
-
-	debug3("%s: Sending new keys: %p %p",
-	    __func__, newkeys[MODE_OUT], newkeys[MODE_IN]);
-
-	/* Keys from Kex */
-	if (!mm_newkeys_to_blob(MODE_OUT, &blob, &bloblen))
-		fatal("%s: conversion of newkeys failed", __func__);
-
-	buffer_put_string(&m, blob, bloblen);
-	xfree(blob);
-
-	if (!mm_newkeys_to_blob(MODE_IN, &blob, &bloblen))
-		fatal("%s: conversion of newkeys failed", __func__);
-
-	buffer_put_string(&m, blob, bloblen);
-	xfree(blob);
-
-	packet_get_state(MODE_OUT, &seqnr, &blocks, &packets);
-	buffer_put_int(&m, seqnr);
-	buffer_put_int64(&m, blocks);
-	buffer_put_int(&m, packets);
-	packet_get_state(MODE_IN, &seqnr, &blocks, &packets);
-	buffer_put_int(&m, seqnr);
-	buffer_put_int64(&m, blocks);
-	buffer_put_int(&m, packets);
-
-	debug3("%s: New keys have been sent", __func__);
- skip:
-	/* More key context */
-	plen = packet_get_keycontext(MODE_OUT, NULL);
-	p = xmalloc(plen+1);
-	packet_get_keycontext(MODE_OUT, p);
-	buffer_put_string(&m, p, plen);
-	xfree(p);
-
-	plen = packet_get_keycontext(MODE_IN, NULL);
-	p = xmalloc(plen+1);
-	packet_get_keycontext(MODE_IN, p);
-	buffer_put_string(&m, p, plen);
-	xfree(p);
-
-	/* Compression state */
-	debug3("%s: Sending compression state", __func__);
-	buffer_put_string(&m, &outgoing_stream, sizeof(outgoing_stream));
-	buffer_put_string(&m, &incoming_stream, sizeof(incoming_stream));
-
-	/* Network I/O buffers */
-	buffer_put_string(&m, buffer_ptr(&input), buffer_len(&input));
-	buffer_put_string(&m, buffer_ptr(&output), buffer_len(&output));
-
-	mm_request_send(monitor->m_recvfd, MONITOR_REQ_KEYEXPORT, &m);
-	debug3("%s: Finished sending state", __func__);
-
-	buffer_free(&m);
-}
-
-int
-mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen)
-{
-	Buffer m;
-	char *p, *msg;
-	int success = 0;
-
-	buffer_init(&m);
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTY, &m);
-
-	debug3("%s: waiting for MONITOR_ANS_PTY", __func__);
-	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PTY, &m);
-
-	success = buffer_get_int(&m);
-	if (success == 0) {
-		debug3("%s: pty alloc failed", __func__);
-		buffer_free(&m);
-		return (0);
-	}
-	p = buffer_get_string(&m, NULL);
-	msg = buffer_get_string(&m, NULL);
-	buffer_free(&m);
-
-	strlcpy(namebuf, p, namebuflen); /* Possible truncation */
-	xfree(p);
-
-	buffer_append(&loginmsg, msg, strlen(msg));
-	xfree(msg);
-
-	*ptyfd = mm_receive_fd(pmonitor->m_recvfd);
-	*ttyfd = mm_receive_fd(pmonitor->m_recvfd);
-
-	/* Success */
-	return (1);
-}
-
-void
-mm_session_pty_cleanup2(Session *s)
-{
-	Buffer m;
-
-	if (s->ttyfd == -1)
-		return;
-	buffer_init(&m);
-	buffer_put_cstring(&m, s->tty);
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTYCLEANUP, &m);
-	buffer_free(&m);
-
-	/* closed dup'ed master */
-	if (close(s->ptymaster) < 0)
-		error("close(s->ptymaster): %s", strerror(errno));
-
-	/* unlink pty from session */
-	s->ttyfd = -1;
-}
-
-#ifdef USE_PAM
-void
-mm_start_pam(Authctxt *authctxt)
-{
-	Buffer m;
-
-	debug3("%s entering", __func__);
-	if (!options.use_pam)
-		fatal("UsePAM=no, but ended up in %s anyway", __func__);
-
-	buffer_init(&m);
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_START, &m);
-
-	buffer_free(&m);
-}
-
-u_int
-mm_do_pam_account(void)
-{
-	Buffer m;
-	u_int ret;
-	char *msg;
-
-	debug3("%s entering", __func__);
-	if (!options.use_pam)
-		fatal("UsePAM=no, but ended up in %s anyway", __func__);
-
-	buffer_init(&m);
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_ACCOUNT, &m);
-
-	mm_request_receive_expect(pmonitor->m_recvfd,
-	    MONITOR_ANS_PAM_ACCOUNT, &m);
-	ret = buffer_get_int(&m);
-	msg = buffer_get_string(&m, NULL);
-	buffer_append(&loginmsg, msg, strlen(msg));
-	xfree(msg);
-
-	buffer_free(&m);
-
-	debug3("%s returning %d", __func__, ret);
-
-	return (ret);
-}
-
-void *
-mm_sshpam_init_ctx(Authctxt *authctxt)
-{
-	Buffer m;
-	int success;
-
-	debug3("%s", __func__);
-	buffer_init(&m);
-	buffer_put_cstring(&m, authctxt->user);
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
-	debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
-	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
-	success = buffer_get_int(&m);
-	if (success == 0) {
-		debug3("%s: pam_init_ctx failed", __func__);
-		buffer_free(&m);
-		return (NULL);
-	}
-	buffer_free(&m);
-	return (authctxt);
-}
-
-int
-mm_sshpam_query(void *ctx, char **name, char **info,
-    u_int *num, char ***prompts, u_int **echo_on)
-{
-	Buffer m;
-	u_int i;
-	int ret;
-
-	debug3("%s", __func__);
-	buffer_init(&m);
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_QUERY, &m);
-	debug3("%s: waiting for MONITOR_ANS_PAM_QUERY", __func__);
-	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_QUERY, &m);
-	ret = buffer_get_int(&m);
-	debug3("%s: pam_query returned %d", __func__, ret);
-	*name = buffer_get_string(&m, NULL);
-	*info = buffer_get_string(&m, NULL);
-	*num = buffer_get_int(&m);
-	if (*num > PAM_MAX_NUM_MSG)
-		fatal("%s: recieved %u PAM messages, expected <= %u",
-		    __func__, *num, PAM_MAX_NUM_MSG);
-	*prompts = xcalloc((*num + 1), sizeof(char *));
-	*echo_on = xcalloc((*num + 1), sizeof(u_int));
-	for (i = 0; i < *num; ++i) {
-		(*prompts)[i] = buffer_get_string(&m, NULL);
-		(*echo_on)[i] = buffer_get_int(&m);
-	}
-	buffer_free(&m);
-	return (ret);
-}
-
-int
-mm_sshpam_respond(void *ctx, u_int num, char **resp)
-{
-	Buffer m;
-	u_int i;
-	int ret;
-
-	debug3("%s", __func__);
-	buffer_init(&m);
-	buffer_put_int(&m, num);
-	for (i = 0; i < num; ++i)
-		buffer_put_cstring(&m, resp[i]);
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_RESPOND, &m);
-	debug3("%s: waiting for MONITOR_ANS_PAM_RESPOND", __func__);
-	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_RESPOND, &m);
-	ret = buffer_get_int(&m);
-	debug3("%s: pam_respond returned %d", __func__, ret);
-	buffer_free(&m);
-	return (ret);
-}
-
-void
-mm_sshpam_free_ctx(void *ctxtp)
-{
-	Buffer m;
-
-	debug3("%s", __func__);
-	buffer_init(&m);
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_FREE_CTX, &m);
-	debug3("%s: waiting for MONITOR_ANS_PAM_FREE_CTX", __func__);
-	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_FREE_CTX, &m);
-	buffer_free(&m);
-}
-#endif /* USE_PAM */
-
-/* Request process termination */
-
-void
-mm_terminate(void)
-{
-	Buffer m;
-
-	buffer_init(&m);
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_TERM, &m);
-	buffer_free(&m);
-}
-
-int
-mm_ssh1_session_key(BIGNUM *num)
-{
-	int rsafail;
-	Buffer m;
-
-	buffer_init(&m);
-	buffer_put_bignum2(&m, num);
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SESSKEY, &m);
-
-	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SESSKEY, &m);
-
-	rsafail = buffer_get_int(&m);
-	buffer_get_bignum2(&m, num);
-
-	buffer_free(&m);
-
-	return (rsafail);
-}
-
-static void
-mm_chall_setup(char **name, char **infotxt, u_int *numprompts,
-    char ***prompts, u_int **echo_on)
-{
-	*name = xstrdup("");
-	*infotxt = xstrdup("");
-	*numprompts = 1;
-	*prompts = xcalloc(*numprompts, sizeof(char *));
-	*echo_on = xcalloc(*numprompts, sizeof(u_int));
-	(*echo_on)[0] = 0;
-}
-
-int
-mm_bsdauth_query(void *ctx, char **name, char **infotxt,
-   u_int *numprompts, char ***prompts, u_int **echo_on)
-{
-	Buffer m;
-	u_int success;
-	char *challenge;
-
-	debug3("%s: entering", __func__);
-
-	buffer_init(&m);
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_BSDAUTHQUERY, &m);
-
-	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_BSDAUTHQUERY,
-	    &m);
-	success = buffer_get_int(&m);
-	if (success == 0) {
-		debug3("%s: no challenge", __func__);
-		buffer_free(&m);
-		return (-1);
-	}
-
-	/* Get the challenge, and format the response */
-	challenge  = buffer_get_string(&m, NULL);
-	buffer_free(&m);
-
-	mm_chall_setup(name, infotxt, numprompts, prompts, echo_on);
-	(*prompts)[0] = challenge;
-
-	debug3("%s: received challenge: %s", __func__, challenge);
-
-	return (0);
-}
-
-int
-mm_bsdauth_respond(void *ctx, u_int numresponses, char **responses)
-{
-	Buffer m;
-	int authok;
-
-	debug3("%s: entering", __func__);
-	if (numresponses != 1)
-		return (-1);
-
-	buffer_init(&m);
-	buffer_put_cstring(&m, responses[0]);
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_BSDAUTHRESPOND, &m);
-
-	mm_request_receive_expect(pmonitor->m_recvfd,
-	    MONITOR_ANS_BSDAUTHRESPOND, &m);
-
-	authok = buffer_get_int(&m);
-	buffer_free(&m);
-
-	return ((authok == 0) ? -1 : 0);
-}
-
-#ifdef SKEY
-int
-mm_skey_query(void *ctx, char **name, char **infotxt,
-   u_int *numprompts, char ***prompts, u_int **echo_on)
-{
-	Buffer m;
-	u_int success;
-	char *challenge;
-
-	debug3("%s: entering", __func__);
-
-	buffer_init(&m);
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SKEYQUERY, &m);
-
-	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SKEYQUERY,
-	    &m);
-	success = buffer_get_int(&m);
-	if (success == 0) {
-		debug3("%s: no challenge", __func__);
-		buffer_free(&m);
-		return (-1);
-	}
-
-	/* Get the challenge, and format the response */
-	challenge  = buffer_get_string(&m, NULL);
-	buffer_free(&m);
-
-	debug3("%s: received challenge: %s", __func__, challenge);
-
-	mm_chall_setup(name, infotxt, numprompts, prompts, echo_on);
-
-	xasprintf(*prompts, "%s%s", challenge, SKEY_PROMPT);
-	xfree(challenge);
-
-	return (0);
-}
-
-int
-mm_skey_respond(void *ctx, u_int numresponses, char **responses)
-{
-	Buffer m;
-	int authok;
-
-	debug3("%s: entering", __func__);
-	if (numresponses != 1)
-		return (-1);
-
-	buffer_init(&m);
-	buffer_put_cstring(&m, responses[0]);
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SKEYRESPOND, &m);
-
-	mm_request_receive_expect(pmonitor->m_recvfd,
-	    MONITOR_ANS_SKEYRESPOND, &m);
-
-	authok = buffer_get_int(&m);
-	buffer_free(&m);
-
-	return ((authok == 0) ? -1 : 0);
-}
-#endif /* SKEY */
-
-void
-mm_ssh1_session_id(u_char session_id[16])
-{
-	Buffer m;
-	int i;
-
-	debug3("%s entering", __func__);
-
-	buffer_init(&m);
-	for (i = 0; i < 16; i++)
-		buffer_put_char(&m, session_id[i]);
-
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SESSID, &m);
-	buffer_free(&m);
-}
-
-int
-mm_auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
-{
-	Buffer m;
-	Key *key;
-	u_char *blob;
-	u_int blen;
-	int allowed = 0, have_forced = 0;
-
-	debug3("%s entering", __func__);
-
-	buffer_init(&m);
-	buffer_put_bignum2(&m, client_n);
-
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSAKEYALLOWED, &m);
-	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSAKEYALLOWED, &m);
-
-	allowed = buffer_get_int(&m);
-
-	/* fake forced command */
-	auth_clear_options();
-	have_forced = buffer_get_int(&m);
-	forced_command = have_forced ? xstrdup("true") : NULL;
-
-	if (allowed && rkey != NULL) {
-		blob = buffer_get_string(&m, &blen);
-		if ((key = key_from_blob(blob, blen)) == NULL)
-			fatal("%s: key_from_blob failed", __func__);
-		*rkey = key;
-		xfree(blob);
-	}
-	mm_send_debug(&m);
-	buffer_free(&m);
-
-	return (allowed);
-}
-
-BIGNUM *
-mm_auth_rsa_generate_challenge(Key *key)
-{
-	Buffer m;
-	BIGNUM *challenge;
-	u_char *blob;
-	u_int blen;
-
-	debug3("%s entering", __func__);
-
-	if ((challenge = BN_new()) == NULL)
-		fatal("%s: BN_new failed", __func__);
-
-	key->type = KEY_RSA;    /* XXX cheat for key_to_blob */
-	if (key_to_blob(key, &blob, &blen) == 0)
-		fatal("%s: key_to_blob failed", __func__);
-	key->type = KEY_RSA1;
-
-	buffer_init(&m);
-	buffer_put_string(&m, blob, blen);
-	xfree(blob);
-
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSACHALLENGE, &m);
-	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSACHALLENGE, &m);
-
-	buffer_get_bignum2(&m, challenge);
-	buffer_free(&m);
-
-	return (challenge);
-}
-
-int
-mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16])
-{
-	Buffer m;
-	u_char *blob;
-	u_int blen;
-	int success = 0;
-
-	debug3("%s entering", __func__);
-
-	key->type = KEY_RSA;    /* XXX cheat for key_to_blob */
-	if (key_to_blob(key, &blob, &blen) == 0)
-		fatal("%s: key_to_blob failed", __func__);
-	key->type = KEY_RSA1;
-
-	buffer_init(&m);
-	buffer_put_string(&m, blob, blen);
-	buffer_put_string(&m, response, 16);
-	xfree(blob);
-
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSARESPONSE, &m);
-	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSARESPONSE, &m);
-
-	success = buffer_get_int(&m);
-	buffer_free(&m);
-
-	return (success);
-}
-
-#ifdef SSH_AUDIT_EVENTS
-void
-mm_audit_event(ssh_audit_event_t event)
-{
-	Buffer m;
-
-	debug3("%s entering", __func__);
-
-	buffer_init(&m);
-	buffer_put_int(&m, event);
-
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_EVENT, &m);
-	buffer_free(&m);
-}
-
-void
-mm_audit_run_command(const char *command)
-{
-	Buffer m;
-
-	debug3("%s entering command %s", __func__, command);
-
-	buffer_init(&m);
-	buffer_put_cstring(&m, command);
-
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m);
-	buffer_free(&m);
-}
-#endif /* SSH_AUDIT_EVENTS */
-
-#ifdef GSSAPI
-OM_uint32
-mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID goid)
-{
-	Buffer m;
-	OM_uint32 major;
-
-	/* Client doesn't get to see the context */
-	*ctx = NULL;
-
-	buffer_init(&m);
-	buffer_put_string(&m, goid->elements, goid->length);
-
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSETUP, &m);
-	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSETUP, &m);
-
-	major = buffer_get_int(&m);
-
-	buffer_free(&m);
-	return (major);
-}
-
-OM_uint32
-mm_ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *in,
-    gss_buffer_desc *out, OM_uint32 *flags)
-{
-	Buffer m;
-	OM_uint32 major;
-	u_int len;
-
-	buffer_init(&m);
-	buffer_put_string(&m, in->value, in->length);
-
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSTEP, &m);
-	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSTEP, &m);
-
-	major = buffer_get_int(&m);
-	out->value = buffer_get_string(&m, &len);
-	out->length = len;
-	if (flags)
-		*flags = buffer_get_int(&m);
-
-	buffer_free(&m);
-
-	return (major);
-}
-
-OM_uint32
-mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
-{
-	Buffer m;
-	OM_uint32 major;
-
-	buffer_init(&m);
-	buffer_put_string(&m, gssbuf->value, gssbuf->length);
-	buffer_put_string(&m, gssmic->value, gssmic->length);
-
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSCHECKMIC, &m);
-	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSCHECKMIC,
-	    &m);
-
-	major = buffer_get_int(&m);
-	buffer_free(&m);
-	return(major);
-}
-
-int
-mm_ssh_gssapi_userok(char *user)
-{
-	Buffer m;
-	int authenticated = 0;
-
-	buffer_init(&m);
-
-	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, &m);
-	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUSEROK,
-				  &m);
-
-	authenticated = buffer_get_int(&m);
-
-	buffer_free(&m);
-	debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
-	return (authenticated);
-}
-#endif /* GSSAPI */
diff --git a/crypto/openssh/monitor_wrap.h b/crypto/openssh/monitor_wrap.h
deleted file mode 100644
index 329189c..0000000
--- a/crypto/openssh/monitor_wrap.h
+++ /dev/null
@@ -1,110 +0,0 @@
-/* $OpenBSD: monitor_wrap.h,v 1.20 2006/08/03 03:34:42 deraadt Exp $ */
-
-/*
- * Copyright 2002 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef _MM_WRAP_H_
-#define _MM_WRAP_H_
-
-extern int use_privsep;
-#define PRIVSEP(x)	(use_privsep ? mm_##x : x)
-
-enum mm_keytype {MM_NOKEY, MM_HOSTKEY, MM_USERKEY, MM_RSAHOSTKEY, MM_RSAUSERKEY};
-
-struct monitor;
-struct mm_master;
-struct Authctxt;
-
-int mm_is_monitor(void);
-DH *mm_choose_dh(int, int, int);
-int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
-void mm_inform_authserv(char *, char *);
-struct passwd *mm_getpwnamallow(const char *);
-char *mm_auth2_read_banner(void);
-int mm_auth_password(struct Authctxt *, char *);
-int mm_key_allowed(enum mm_keytype, char *, char *, Key *);
-int mm_user_key_allowed(struct passwd *, Key *);
-int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *);
-int mm_auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
-int mm_key_verify(Key *, u_char *, u_int, u_char *, u_int);
-int mm_auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
-int mm_auth_rsa_verify_response(Key *, BIGNUM *, u_char *);
-BIGNUM *mm_auth_rsa_generate_challenge(Key *);
-
-#ifdef GSSAPI
-OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
-OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
-   gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
-int mm_ssh_gssapi_userok(char *user);
-OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
-#endif
-
-#ifdef USE_PAM
-void mm_start_pam(struct Authctxt *);
-u_int mm_do_pam_account(void);
-void *mm_sshpam_init_ctx(struct Authctxt *);
-int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **);
-int mm_sshpam_respond(void *, u_int, char **);
-void mm_sshpam_free_ctx(void *);
-#endif
-
-#ifdef SSH_AUDIT_EVENTS
-#include "audit.h"
-void mm_audit_event(ssh_audit_event_t);
-void mm_audit_run_command(const char *);
-#endif
-
-struct Session;
-void mm_terminate(void);
-int mm_pty_allocate(int *, int *, char *, size_t);
-void mm_session_pty_cleanup2(struct Session *);
-
-/* SSHv1 interfaces */
-void mm_ssh1_session_id(u_char *);
-int mm_ssh1_session_key(BIGNUM *);
-
-/* Key export functions */
-struct Newkeys *mm_newkeys_from_blob(u_char *, int);
-int mm_newkeys_to_blob(int, u_char **, u_int *);
-
-void monitor_apply_keystate(struct monitor *);
-void mm_get_keystate(struct monitor *);
-void mm_send_keystate(struct monitor*);
-
-/* bsdauth */
-int mm_bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
-int mm_bsdauth_respond(void *, u_int, char **);
-
-/* skey */
-int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
-int mm_skey_respond(void *, u_int, char **);
-
-/* zlib allocation hooks */
-
-void *mm_zalloc(struct mm_master *, u_int, u_int);
-void mm_zfree(struct mm_master *, void *);
-void mm_init_compression(struct mm_master *);
-
-#endif /* _MM_WRAP_H_ */
diff --git a/crypto/openssh/msg.c b/crypto/openssh/msg.c
deleted file mode 100644
index cd5f98c..0000000
--- a/crypto/openssh/msg.c
+++ /dev/null
@@ -1,89 +0,0 @@
-/* $OpenBSD: msg.c,v 1.15 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Copyright (c) 2002 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/uio.h>
-
-#include <errno.h>
-#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
-#include <stdarg.h>
-
-#include "buffer.h"
-#include "log.h"
-#include "atomicio.h"
-#include "msg.h"
-#include "misc.h"
-
-int
-ssh_msg_send(int fd, u_char type, Buffer *m)
-{
-	u_char buf[5];
-	u_int mlen = buffer_len(m);
-
-	debug3("ssh_msg_send: type %u", (unsigned int)type & 0xff);
-
-	put_u32(buf, mlen + 1);
-	buf[4] = type;		/* 1st byte of payload is mesg-type */
-	if (atomicio(vwrite, fd, buf, sizeof(buf)) != sizeof(buf)) {
-		error("ssh_msg_send: write");
-		return (-1);
-	}
-	if (atomicio(vwrite, fd, buffer_ptr(m), mlen) != mlen) {
-		error("ssh_msg_send: write");
-		return (-1);
-	}
-	return (0);
-}
-
-int
-ssh_msg_recv(int fd, Buffer *m)
-{
-	u_char buf[4];
-	u_int msg_len;
-
-	debug3("ssh_msg_recv entering");
-
-	if (atomicio(read, fd, buf, sizeof(buf)) != sizeof(buf)) {
-		if (errno != EPIPE)
-			error("ssh_msg_recv: read: header");
-		return (-1);
-	}
-	msg_len = get_u32(buf);
-	if (msg_len > 256 * 1024) {
-		error("ssh_msg_recv: read: bad msg_len %u", msg_len);
-		return (-1);
-	}
-	buffer_clear(m);
-	buffer_append_space(m, msg_len);
-	if (atomicio(read, fd, buffer_ptr(m), msg_len) != msg_len) {
-		error("ssh_msg_recv: read: %s", strerror(errno));
-		return (-1);
-	}
-	return (0);
-}
diff --git a/crypto/openssh/msg.h b/crypto/openssh/msg.h
deleted file mode 100644
index b0cb9b5..0000000
--- a/crypto/openssh/msg.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/* $OpenBSD: msg.h,v 1.4 2006/03/25 22:22:43 djm Exp $ */
-/*
- * Copyright (c) 2002 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-#ifndef SSH_MSG_H
-#define SSH_MSG_H
-
-int	 ssh_msg_send(int, u_char, Buffer *);
-int	 ssh_msg_recv(int, Buffer *);
-
-#endif
diff --git a/crypto/openssh/myproposal.h b/crypto/openssh/myproposal.h
deleted file mode 100644
index e246e0d..0000000
--- a/crypto/openssh/myproposal.h
+++ /dev/null
@@ -1,68 +0,0 @@
-/* $OpenBSD: myproposal.h,v 1.21 2006/03/25 22:22:43 djm Exp $ */
-
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include <openssl/opensslv.h>
-
-/* Old OpenSSL doesn't support what we need for DHGEX-sha256 */
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
-# define KEX_DEFAULT_KEX		\
-	"diffie-hellman-group-exchange-sha1," \
-	"diffie-hellman-group14-sha1," \
-	"diffie-hellman-group1-sha1"
-#else
-# define KEX_DEFAULT_KEX		\
-	"diffie-hellman-group-exchange-sha256," \
-	"diffie-hellman-group-exchange-sha1," \
-	"diffie-hellman-group14-sha1," \
-	"diffie-hellman-group1-sha1"
-#endif
-
-#define	KEX_DEFAULT_PK_ALG	"ssh-rsa,ssh-dss"
-#define	KEX_DEFAULT_ENCRYPT \
-	"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
-	"arcfour128,arcfour256,arcfour," \
-	"aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \
-	"aes128-ctr,aes192-ctr,aes256-ctr"
-#define	KEX_DEFAULT_MAC \
-	"hmac-md5,hmac-sha1,hmac-ripemd160," \
-	"hmac-ripemd160@openssh.com," \
-	"hmac-sha1-96,hmac-md5-96"
-#define	KEX_DEFAULT_COMP	"none,zlib@openssh.com,zlib"
-#define	KEX_DEFAULT_LANG	""
-
-
-static char *myproposal[PROPOSAL_MAX] = {
-	KEX_DEFAULT_KEX,
-	KEX_DEFAULT_PK_ALG,
-	KEX_DEFAULT_ENCRYPT,
-	KEX_DEFAULT_ENCRYPT,
-	KEX_DEFAULT_MAC,
-	KEX_DEFAULT_MAC,
-	KEX_DEFAULT_COMP,
-	KEX_DEFAULT_COMP,
-	KEX_DEFAULT_LANG,
-	KEX_DEFAULT_LANG
-};
diff --git a/crypto/openssh/nchan.c b/crypto/openssh/nchan.c
deleted file mode 100644
index ad461f4..0000000
--- a/crypto/openssh/nchan.c
+++ /dev/null
@@ -1,490 +0,0 @@
-/* $OpenBSD: nchan.c,v 1.57 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <errno.h>
-#include <string.h>
-#include <stdarg.h>
-
-#include "ssh1.h"
-#include "ssh2.h"
-#include "buffer.h"
-#include "packet.h"
-#include "channels.h"
-#include "compat.h"
-#include "log.h"
-
-/*
- * SSH Protocol 1.5 aka New Channel Protocol
- * Thanks to Martina, Axel and everyone who left Erlangen, leaving me bored.
- * Written by Markus Friedl in October 1999
- *
- * Protocol versions 1.3 and 1.5 differ in the handshake protocol used for the
- * tear down of channels:
- *
- * 1.3:	strict request-ack-protocol:
- *	CLOSE	->
- *		<-  CLOSE_CONFIRM
- *
- * 1.5:	uses variations of:
- *	IEOF	->
- *		<-  OCLOSE
- *		<-  IEOF
- *	OCLOSE	->
- *	i.e. both sides have to close the channel
- *
- * 2.0: the EOF messages are optional
- *
- * See the debugging output from 'ssh -v' and 'sshd -d' of
- * ssh-1.2.27 as an example.
- *
- */
-
-/* functions manipulating channel states */
-/*
- * EVENTS update channel input/output states execute ACTIONS
- */
-/*
- * ACTIONS: should never update the channel states
- */
-static void	chan_send_ieof1(Channel *);
-static void	chan_send_oclose1(Channel *);
-static void	chan_send_close2(Channel *);
-static void	chan_send_eof2(Channel *);
-
-/* helper */
-static void	chan_shutdown_write(Channel *);
-static void	chan_shutdown_read(Channel *);
-
-static char *ostates[] = { "open", "drain", "wait_ieof", "closed" };
-static char *istates[] = { "open", "drain", "wait_oclose", "closed" };
-
-static void
-chan_set_istate(Channel *c, u_int next)
-{
-	if (c->istate > CHAN_INPUT_CLOSED || next > CHAN_INPUT_CLOSED)
-		fatal("chan_set_istate: bad state %d -> %d", c->istate, next);
-	debug2("channel %d: input %s -> %s", c->self, istates[c->istate],
-	    istates[next]);
-	c->istate = next;
-}
-static void
-chan_set_ostate(Channel *c, u_int next)
-{
-	if (c->ostate > CHAN_OUTPUT_CLOSED || next > CHAN_OUTPUT_CLOSED)
-		fatal("chan_set_ostate: bad state %d -> %d", c->ostate, next);
-	debug2("channel %d: output %s -> %s", c->self, ostates[c->ostate],
-	    ostates[next]);
-	c->ostate = next;
-}
-
-/*
- * SSH1 specific implementation of event functions
- */
-
-static void
-chan_rcvd_oclose1(Channel *c)
-{
-	debug2("channel %d: rcvd oclose", c->self);
-	switch (c->istate) {
-	case CHAN_INPUT_WAIT_OCLOSE:
-		chan_set_istate(c, CHAN_INPUT_CLOSED);
-		break;
-	case CHAN_INPUT_OPEN:
-		chan_shutdown_read(c);
-		chan_send_ieof1(c);
-		chan_set_istate(c, CHAN_INPUT_CLOSED);
-		break;
-	case CHAN_INPUT_WAIT_DRAIN:
-		/* both local read_failed and remote write_failed  */
-		chan_send_ieof1(c);
-		chan_set_istate(c, CHAN_INPUT_CLOSED);
-		break;
-	default:
-		error("channel %d: protocol error: rcvd_oclose for istate %d",
-		    c->self, c->istate);
-		return;
-	}
-}
-void
-chan_read_failed(Channel *c)
-{
-	debug2("channel %d: read failed", c->self);
-	switch (c->istate) {
-	case CHAN_INPUT_OPEN:
-		chan_shutdown_read(c);
-		chan_set_istate(c, CHAN_INPUT_WAIT_DRAIN);
-		break;
-	default:
-		error("channel %d: chan_read_failed for istate %d",
-		    c->self, c->istate);
-		break;
-	}
-}
-void
-chan_ibuf_empty(Channel *c)
-{
-	debug2("channel %d: ibuf empty", c->self);
-	if (buffer_len(&c->input)) {
-		error("channel %d: chan_ibuf_empty for non empty buffer",
-		    c->self);
-		return;
-	}
-	switch (c->istate) {
-	case CHAN_INPUT_WAIT_DRAIN:
-		if (compat20) {
-			if (!(c->flags & CHAN_CLOSE_SENT))
-				chan_send_eof2(c);
-			chan_set_istate(c, CHAN_INPUT_CLOSED);
-		} else {
-			chan_send_ieof1(c);
-			chan_set_istate(c, CHAN_INPUT_WAIT_OCLOSE);
-		}
-		break;
-	default:
-		error("channel %d: chan_ibuf_empty for istate %d",
-		    c->self, c->istate);
-		break;
-	}
-}
-static void
-chan_rcvd_ieof1(Channel *c)
-{
-	debug2("channel %d: rcvd ieof", c->self);
-	switch (c->ostate) {
-	case CHAN_OUTPUT_OPEN:
-		chan_set_ostate(c, CHAN_OUTPUT_WAIT_DRAIN);
-		break;
-	case CHAN_OUTPUT_WAIT_IEOF:
-		chan_set_ostate(c, CHAN_OUTPUT_CLOSED);
-		break;
-	default:
-		error("channel %d: protocol error: rcvd_ieof for ostate %d",
-		    c->self, c->ostate);
-		break;
-	}
-}
-static void
-chan_write_failed1(Channel *c)
-{
-	debug2("channel %d: write failed", c->self);
-	switch (c->ostate) {
-	case CHAN_OUTPUT_OPEN:
-		chan_shutdown_write(c);
-		chan_send_oclose1(c);
-		chan_set_ostate(c, CHAN_OUTPUT_WAIT_IEOF);
-		break;
-	case CHAN_OUTPUT_WAIT_DRAIN:
-		chan_shutdown_write(c);
-		chan_send_oclose1(c);
-		chan_set_ostate(c, CHAN_OUTPUT_CLOSED);
-		break;
-	default:
-		error("channel %d: chan_write_failed for ostate %d",
-		    c->self, c->ostate);
-		break;
-	}
-}
-void
-chan_obuf_empty(Channel *c)
-{
-	debug2("channel %d: obuf empty", c->self);
-	if (buffer_len(&c->output)) {
-		error("channel %d: chan_obuf_empty for non empty buffer",
-		    c->self);
-		return;
-	}
-	switch (c->ostate) {
-	case CHAN_OUTPUT_WAIT_DRAIN:
-		chan_shutdown_write(c);
-		if (!compat20)
-			chan_send_oclose1(c);
-		chan_set_ostate(c, CHAN_OUTPUT_CLOSED);
-		break;
-	default:
-		error("channel %d: internal error: obuf_empty for ostate %d",
-		    c->self, c->ostate);
-		break;
-	}
-}
-static void
-chan_send_ieof1(Channel *c)
-{
-	debug2("channel %d: send ieof", c->self);
-	switch (c->istate) {
-	case CHAN_INPUT_OPEN:
-	case CHAN_INPUT_WAIT_DRAIN:
-		packet_start(SSH_MSG_CHANNEL_INPUT_EOF);
-		packet_put_int(c->remote_id);
-		packet_send();
-		break;
-	default:
-		error("channel %d: cannot send ieof for istate %d",
-		    c->self, c->istate);
-		break;
-	}
-}
-static void
-chan_send_oclose1(Channel *c)
-{
-	debug2("channel %d: send oclose", c->self);
-	switch (c->ostate) {
-	case CHAN_OUTPUT_OPEN:
-	case CHAN_OUTPUT_WAIT_DRAIN:
-		buffer_clear(&c->output);
-		packet_start(SSH_MSG_CHANNEL_OUTPUT_CLOSE);
-		packet_put_int(c->remote_id);
-		packet_send();
-		break;
-	default:
-		error("channel %d: cannot send oclose for ostate %d",
-		    c->self, c->ostate);
-		break;
-	}
-}
-
-/*
- * the same for SSH2
- */
-static void
-chan_rcvd_close2(Channel *c)
-{
-	debug2("channel %d: rcvd close", c->self);
-	if (c->flags & CHAN_CLOSE_RCVD)
-		error("channel %d: protocol error: close rcvd twice", c->self);
-	c->flags |= CHAN_CLOSE_RCVD;
-	if (c->type == SSH_CHANNEL_LARVAL) {
-		/* tear down larval channels immediately */
-		chan_set_ostate(c, CHAN_OUTPUT_CLOSED);
-		chan_set_istate(c, CHAN_INPUT_CLOSED);
-		return;
-	}
-	switch (c->ostate) {
-	case CHAN_OUTPUT_OPEN:
-		/*
-		 * wait until a data from the channel is consumed if a CLOSE
-		 * is received
-		 */
-		chan_set_ostate(c, CHAN_OUTPUT_WAIT_DRAIN);
-		break;
-	}
-	switch (c->istate) {
-	case CHAN_INPUT_OPEN:
-		chan_shutdown_read(c);
-		chan_set_istate(c, CHAN_INPUT_CLOSED);
-		break;
-	case CHAN_INPUT_WAIT_DRAIN:
-		chan_send_eof2(c);
-		chan_set_istate(c, CHAN_INPUT_CLOSED);
-		break;
-	}
-}
-static void
-chan_rcvd_eof2(Channel *c)
-{
-	debug2("channel %d: rcvd eof", c->self);
-	c->flags |= CHAN_EOF_RCVD;
-	if (c->ostate == CHAN_OUTPUT_OPEN)
-		chan_set_ostate(c, CHAN_OUTPUT_WAIT_DRAIN);
-}
-static void
-chan_write_failed2(Channel *c)
-{
-	debug2("channel %d: write failed", c->self);
-	switch (c->ostate) {
-	case CHAN_OUTPUT_OPEN:
-	case CHAN_OUTPUT_WAIT_DRAIN:
-		chan_shutdown_write(c);
-		chan_set_ostate(c, CHAN_OUTPUT_CLOSED);
-		break;
-	default:
-		error("channel %d: chan_write_failed for ostate %d",
-		    c->self, c->ostate);
-		break;
-	}
-}
-static void
-chan_send_eof2(Channel *c)
-{
-	debug2("channel %d: send eof", c->self);
-	switch (c->istate) {
-	case CHAN_INPUT_WAIT_DRAIN:
-		packet_start(SSH2_MSG_CHANNEL_EOF);
-		packet_put_int(c->remote_id);
-		packet_send();
-		c->flags |= CHAN_EOF_SENT;
-		break;
-	default:
-		error("channel %d: cannot send eof for istate %d",
-		    c->self, c->istate);
-		break;
-	}
-}
-static void
-chan_send_close2(Channel *c)
-{
-	debug2("channel %d: send close", c->self);
-	if (c->ostate != CHAN_OUTPUT_CLOSED ||
-	    c->istate != CHAN_INPUT_CLOSED) {
-		error("channel %d: cannot send close for istate/ostate %d/%d",
-		    c->self, c->istate, c->ostate);
-	} else if (c->flags & CHAN_CLOSE_SENT) {
-		error("channel %d: already sent close", c->self);
-	} else {
-		packet_start(SSH2_MSG_CHANNEL_CLOSE);
-		packet_put_int(c->remote_id);
-		packet_send();
-		c->flags |= CHAN_CLOSE_SENT;
-	}
-}
-
-/* shared */
-
-void
-chan_rcvd_ieof(Channel *c)
-{
-	if (compat20)
-		chan_rcvd_eof2(c);
-	else
-		chan_rcvd_ieof1(c);
-	if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN &&
-	    buffer_len(&c->output) == 0 &&
-	    !CHANNEL_EFD_OUTPUT_ACTIVE(c))
-		chan_obuf_empty(c);
-}
-void
-chan_rcvd_oclose(Channel *c)
-{
-	if (compat20)
-		chan_rcvd_close2(c);
-	else
-		chan_rcvd_oclose1(c);
-}
-void
-chan_write_failed(Channel *c)
-{
-	if (compat20)
-		chan_write_failed2(c);
-	else
-		chan_write_failed1(c);
-}
-
-void
-chan_mark_dead(Channel *c)
-{
-	c->type = SSH_CHANNEL_ZOMBIE;
-}
-
-int
-chan_is_dead(Channel *c, int do_send)
-{
-	if (c->type == SSH_CHANNEL_ZOMBIE) {
-		debug2("channel %d: zombie", c->self);
-		return 1;
-	}
-	if (c->istate != CHAN_INPUT_CLOSED || c->ostate != CHAN_OUTPUT_CLOSED)
-		return 0;
-	if (!compat20) {
-		debug2("channel %d: is dead", c->self);
-		return 1;
-	}
-	if ((datafellows & SSH_BUG_EXTEOF) &&
-	    c->extended_usage == CHAN_EXTENDED_WRITE &&
-	    c->efd != -1 &&
-	    buffer_len(&c->extended) > 0) {
-		debug2("channel %d: active efd: %d len %d",
-		    c->self, c->efd, buffer_len(&c->extended));
-		return 0;
-	}
-	if (!(c->flags & CHAN_CLOSE_SENT)) {
-		if (do_send) {
-			chan_send_close2(c);
-		} else {
-			/* channel would be dead if we sent a close */
-			if (c->flags & CHAN_CLOSE_RCVD) {
-				debug2("channel %d: almost dead",
-				    c->self);
-				return 1;
-			}
-		}
-	}
-	if ((c->flags & CHAN_CLOSE_SENT) &&
-	    (c->flags & CHAN_CLOSE_RCVD)) {
-		debug2("channel %d: is dead", c->self);
-		return 1;
-	}
-	return 0;
-}
-
-/* helper */
-static void
-chan_shutdown_write(Channel *c)
-{
-	buffer_clear(&c->output);
-	if (compat20 && c->type == SSH_CHANNEL_LARVAL)
-		return;
-	/* shutdown failure is allowed if write failed already */
-	debug2("channel %d: close_write", c->self);
-	if (c->sock != -1) {
-		if (shutdown(c->sock, SHUT_WR) < 0)
-			debug2("channel %d: chan_shutdown_write: "
-			    "shutdown() failed for fd%d: %.100s",
-			    c->self, c->sock, strerror(errno));
-	} else {
-		if (channel_close_fd(&c->wfd) < 0)
-			logit("channel %d: chan_shutdown_write: "
-			    "close() failed for fd%d: %.100s",
-			    c->self, c->wfd, strerror(errno));
-	}
-}
-static void
-chan_shutdown_read(Channel *c)
-{
-	if (compat20 && c->type == SSH_CHANNEL_LARVAL)
-		return;
-	debug2("channel %d: close_read", c->self);
-	if (c->sock != -1) {
-		/*
-		 * shutdown(sock, SHUT_READ) may return ENOTCONN if the
-		 * write side has been closed already. (bug on Linux)
-		 * HP-UX may return ENOTCONN also.
-		 */
-		if (shutdown(c->sock, SHUT_RD) < 0
-		    && errno != ENOTCONN)
-			error("channel %d: chan_shutdown_read: "
-			    "shutdown() failed for fd%d [i%d o%d]: %.100s",
-			    c->self, c->sock, c->istate, c->ostate,
-			    strerror(errno));
-	} else {
-		if (channel_close_fd(&c->rfd) < 0)
-			logit("channel %d: chan_shutdown_read: "
-			    "close() failed for fd%d: %.100s",
-			    c->self, c->rfd, strerror(errno));
-	}
-}
diff --git a/crypto/openssh/nchan.h b/crypto/openssh/nchan.h
deleted file mode 100644
index 623eccc..0000000
--- a/crypto/openssh/nchan.h
+++ /dev/null
@@ -1,91 +0,0 @@
-/*
- * Copyright (c) 1999 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/* RCSID("$OpenBSD: nchan.h,v 1.10 2001/02/28 08:54:55 markus Exp $"); */
-
-#ifndef NCHAN_H
-#define NCHAN_H
-
-/*
- * SSH Protocol 1.5 aka New Channel Protocol
- * Thanks to Martina, Axel and everyone who left Erlangen, leaving me bored.
- * Written by Markus Friedl in October 1999
- *
- * Protocol versions 1.3 and 1.5 differ in the handshake protocol used for the
- * tear down of channels:
- *
- * 1.3:	strict request-ack-protocol:
- * 	CLOSE	->
- * 		<-  CLOSE_CONFIRM
- *
- * 1.5:	uses variations of:
- * 	IEOF	->
- * 		<-  OCLOSE
- * 		<-  IEOF
- * 	OCLOSE	->
- * 	i.e. both sides have to close the channel
- *
- * See the debugging output from 'ssh -v' and 'sshd -d' of
- * ssh-1.2.27 as an example.
- *
- */
-
-/* ssh-proto-1.5 overloads prot-1.3-message-types */
-#define SSH_MSG_CHANNEL_INPUT_EOF	SSH_MSG_CHANNEL_CLOSE
-#define SSH_MSG_CHANNEL_OUTPUT_CLOSE	SSH_MSG_CHANNEL_CLOSE_CONFIRMATION
-
-/* possible input states */
-#define CHAN_INPUT_OPEN			0x01
-#define CHAN_INPUT_WAIT_DRAIN		0x02
-#define CHAN_INPUT_WAIT_OCLOSE		0x04
-#define CHAN_INPUT_CLOSED		0x08
-
-/* possible output states */
-#define CHAN_OUTPUT_OPEN		0x10
-#define CHAN_OUTPUT_WAIT_DRAIN		0x20
-#define CHAN_OUTPUT_WAIT_IEOF		0x40
-#define CHAN_OUTPUT_CLOSED		0x80
-
-#define CHAN_CLOSE_SENT			0x01
-#define CHAN_CLOSE_RCVD			0x02
-
-
-/* Channel EVENTS */
-typedef void    chan_event_fn(Channel * c);
-
-/* for the input state */
-extern chan_event_fn	*chan_rcvd_oclose;
-extern chan_event_fn	*chan_read_failed;
-extern chan_event_fn	*chan_ibuf_empty;
-
-/* for the output state */
-extern chan_event_fn	*chan_rcvd_ieof;
-extern chan_event_fn	*chan_write_failed;
-extern chan_event_fn	*chan_obuf_empty;
-
-int chan_is_dead(Channel * c);
-
-void    chan_init_iostates(Channel * c);
-void	chan_init(void);
-#endif
diff --git a/crypto/openssh/nchan.ms b/crypto/openssh/nchan.ms
deleted file mode 100644
index 5757601..0000000
--- a/crypto/openssh/nchan.ms
+++ /dev/null
@@ -1,99 +0,0 @@
-.\"	$OpenBSD: nchan.ms,v 1.8 2003/11/21 11:57:03 djm Exp $
-.\"
-.\"
-.\" Copyright (c) 1999 Markus Friedl.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in the
-.\"    documentation and/or other materials provided with the distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.TL
-OpenSSH Channel Close Protocol 1.5 Implementation
-.SH
-Channel Input State Diagram
-.PS
-reset
-l=1
-s=1.2
-ellipsewid=s*ellipsewid
-boxwid=s*boxwid
-ellipseht=s*ellipseht
-S1: ellipse "INPUT" "OPEN"
-move right 2*l from last ellipse.e
-S4: ellipse "INPUT" "CLOSED"
-move down l from last ellipse.s
-S3: ellipse "INPUT" "WAIT" "OCLOSED"
-move down l from 1st ellipse.s
-S2: ellipse "INPUT" "WAIT" "DRAIN"
-arrow "" "rcvd OCLOSE/" "shutdown_read" "send IEOF" from S1.e to S4.w
-arrow "ibuf_empty/" "send IEOF" from S2.e to S3.w
-arrow from S1.s to S2.n
-box invis "read_failed/" "shutdown_read" with .e at last arrow.c
-arrow  from S3.n to S4.s
-box invis "rcvd OCLOSE/" "-" with .w at last arrow.c
-ellipse wid .9*ellipsewid ht .9*ellipseht at S4
-arrow "start" "" from S1.w+(-0.5,0) to S1.w
-arrow from S2.ne to S4.sw
-box invis "rcvd OCLOSE/     " with .e at last arrow.c
-box invis " send IEOF" with .w at last arrow.c
-.PE
-.SH
-Channel Output State Diagram
-.PS
-S1: ellipse "OUTPUT" "OPEN"
-move right 2*l from last ellipse.e
-S3: ellipse "OUTPUT" "WAIT" "IEOF"
-move down l from last ellipse.s
-S4: ellipse "OUTPUT" "CLOSED"
-move down l from 1st ellipse.s
-S2: ellipse "OUTPUT" "WAIT" "DRAIN"
-arrow "" "write_failed/" "shutdown_write" "send OCLOSE" from S1.e to S3.w
-arrow "obuf_empty ||" "write_failed/" "shutdown_write" "send OCLOSE" from S2.e to S4.w
-arrow from S1.s to S2.n
-box invis "rcvd IEOF/" "-" with .e at last arrow.c
-arrow from S3.s to S4.n
-box invis "rcvd IEOF/" "-" with .w at last arrow.c
-ellipse wid .9*ellipsewid ht .9*ellipseht at S4
-arrow "start" "" from S1.w+(-0.5,0) to S1.w
-.PE
-.SH
-Notes
-.PP
-The input buffer is filled with data from the socket
-(the socket represents the local consumer/producer of the
-forwarded channel).
-The data is then sent over the INPUT-end (transmit-end) of the channel to the
-remote peer.
-Data sent by the peer is received on the OUTPUT-end (receive-end),
-saved in the output buffer and written to the socket.
-.PP
-If the local protocol instance has forwarded all data on the
-INPUT-end of the channel, it sends an IEOF message to the peer.
-If the peer receives the IEOF and has consumed all
-data he replies with an OCLOSE.
-When the local instance receives the OCLOSE
-he considers the INPUT-half of the channel closed.
-The peer has his OUTOUT-half closed.
-.PP
-A channel can be deallocated by a protocol instance
-if both the INPUT- and the OUTOUT-half on his
-side of the channel are closed.
-Note that when an instance is unable to consume the
-received data, he is permitted to send an OCLOSE
-before the matching IEOF is received.
diff --git a/crypto/openssh/nchan2.ms b/crypto/openssh/nchan2.ms
deleted file mode 100644
index a7a67b1..0000000
--- a/crypto/openssh/nchan2.ms
+++ /dev/null
@@ -1,88 +0,0 @@
-.\"	$OpenBSD: nchan2.ms,v 1.3 2003/11/21 11:57:03 djm Exp $
-.\"
-.\" Copyright (c) 2000 Markus Friedl.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in the
-.\"    documentation and/or other materials provided with the distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.TL
-OpenSSH Channel Close Protocol 2.0 Implementation
-.SH
-Channel Input State Diagram
-.PS
-reset
-l=1
-s=1.2
-ellipsewid=s*ellipsewid
-boxwid=s*boxwid
-ellipseht=s*ellipseht
-S1: ellipse "INPUT" "OPEN"
-move right 2*l from last ellipse.e
-S3: ellipse invis
-move down l from last ellipse.s
-S4: ellipse "INPUT" "CLOSED"
-move down l from 1st ellipse.s
-S2: ellipse "INPUT" "WAIT" "DRAIN"
-arrow from S1.e to S4.n
-box invis "rcvd CLOSE/" "shutdown_read" with .sw at last arrow.c
-arrow "ibuf_empty ||" "rcvd CLOSE/" "send EOF" "" from S2.e to S4.w
-arrow from S1.s to S2.n
-box invis "read_failed/" "shutdown_read" with .e at last arrow.c
-ellipse wid .9*ellipsewid ht .9*ellipseht at S4
-arrow "start" "" from S1.w+(-0.5,0) to S1.w
-.PE
-.SH
-Channel Output State Diagram
-.PS
-S1: ellipse "OUTPUT" "OPEN"
-move right 2*l from last ellipse.e
-S3: ellipse invis
-move down l from last ellipse.s
-S4: ellipse "OUTPUT" "CLOSED"
-move down l from 1st ellipse.s
-S2: ellipse "OUTPUT" "WAIT" "DRAIN"
-arrow from S1.e to S4.n
-box invis "write_failed/" "shutdown_write" with .sw at last arrow.c
-arrow "obuf_empty ||" "write_failed/" "shutdown_write" "" from S2.e to S4.w
-arrow from S1.s to S2.n
-box invis "rcvd EOF ||" "rcvd CLOSE/" "-" with .e at last arrow.c
-ellipse wid .9*ellipsewid ht .9*ellipseht at S4
-arrow "start" "" from S1.w+(-0.5,0) to S1.w
-.PE
-.SH
-Notes
-.PP
-The input buffer is filled with data from the socket
-(the socket represents the local consumer/producer of the
-forwarded channel).
-The data is then sent over the INPUT-end (transmit-end) of the channel to the
-remote peer.
-Data sent by the peer is received on the OUTPUT-end (receive-end),
-saved in the output buffer and written to the socket.
-.PP
-If the local protocol instance has forwarded all data on the
-INPUT-end of the channel, it sends an EOF message to the peer.
-.PP
-A CLOSE message is sent to the peer if
-both the INPUT- and the OUTOUT-half of the local
-end of the channel are closed.
-.PP
-The channel can be deallocated by a protocol instance
-if a CLOSE message he been both sent and received.
diff --git a/crypto/openssh/openbsd-compat/Makefile.in b/crypto/openssh/openbsd-compat/Makefile.in
deleted file mode 100644
index 9f06605..0000000
--- a/crypto/openssh/openbsd-compat/Makefile.in
+++ /dev/null
@@ -1,42 +0,0 @@
-# $Id: Makefile.in,v 1.40 2006/08/30 17:24:41 djm Exp $
-
-sysconfdir=@sysconfdir@
-piddir=@piddir@
-srcdir=@srcdir@
-top_srcdir=@top_srcdir@
-
-VPATH=@srcdir@
-CC=@CC@
-LD=@LD@
-CFLAGS=@CFLAGS@
-CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
-LIBS=@LIBS@
-AR=@AR@
-RANLIB=@RANLIB@
-INSTALL=@INSTALL@
-LDFLAGS=-L. @LDFLAGS@
-
-OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtonum.o strtoll.o strtoul.o vis.o
-
-COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
-
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
-
-.c.o:
-	$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
-
-all: libopenbsd-compat.a
-
-$(COMPAT): ../config.h
-$(OPENBSD): ../config.h
-$(PORTS): ../config.h
-
-libopenbsd-compat.a:  $(COMPAT) $(OPENBSD) $(PORTS)
-	$(AR) rv $@ $(COMPAT) $(OPENBSD) $(PORTS)
-	$(RANLIB) $@
-
-clean:
-	rm -f *.o *.a core 
-
-distclean: clean
-	rm -f Makefile *~
diff --git a/crypto/openssh/openbsd-compat/base64.c b/crypto/openssh/openbsd-compat/base64.c
deleted file mode 100644
index 9a60f58..0000000
--- a/crypto/openssh/openbsd-compat/base64.c
+++ /dev/null
@@ -1,325 +0,0 @@
-/*	$OpenBSD: base64.c,v 1.4 2002/01/02 23:00:10 deraadt Exp $	*/
-
-/*
- * Copyright (c) 1996 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
- * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-/*
- * Portions Copyright (c) 1995 by International Business Machines, Inc.
- *
- * International Business Machines, Inc. (hereinafter called IBM) grants
- * permission under its copyrights to use, copy, modify, and distribute this
- * Software with or without fee, provided that the above copyright notice and
- * all paragraphs of this notice appear in all copies, and that the name of IBM
- * not be used in connection with the marketing of any product incorporating
- * the Software or modifications thereof, without specific, written prior
- * permission.
- *
- * To the extent it has a right to do so, IBM grants an immunity from suit
- * under its patents, if any, for the use, sale or manufacture of products to
- * the extent that such products are used for performing Domain Name System
- * dynamic updates in TCP/IP networks by means of the Software.  No immunity is
- * granted for any product per se or for any other function of any product.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES,
- * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE.  IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL,
- * DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING
- * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN
- * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
- */
-
-/* OPENBSD ORIGINAL: lib/libc/net/base64.c */
-
-#include "includes.h"
-
-#if (!defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP)) || (!defined(HAVE_B64_PTON) && !defined(HAVE___B64_PTON))
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include <ctype.h>
-#include <stdio.h>
-
-#include <stdlib.h>
-#include <string.h>
-
-#include "base64.h"
-
-/* XXX abort illegal in library */
-#define Assert(Cond) if (!(Cond)) abort()
-
-static const char Base64[] =
-	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
-static const char Pad64 = '=';
-
-/* (From RFC1521 and draft-ietf-dnssec-secext-03.txt)
-   The following encoding technique is taken from RFC 1521 by Borenstein
-   and Freed.  It is reproduced here in a slightly edited form for
-   convenience.
-
-   A 65-character subset of US-ASCII is used, enabling 6 bits to be
-   represented per printable character. (The extra 65th character, "=",
-   is used to signify a special processing function.)
-
-   The encoding process represents 24-bit groups of input bits as output
-   strings of 4 encoded characters. Proceeding from left to right, a
-   24-bit input group is formed by concatenating 3 8-bit input groups.
-   These 24 bits are then treated as 4 concatenated 6-bit groups, each
-   of which is translated into a single digit in the base64 alphabet.
-
-   Each 6-bit group is used as an index into an array of 64 printable
-   characters. The character referenced by the index is placed in the
-   output string.
-
-                         Table 1: The Base64 Alphabet
-
-      Value Encoding  Value Encoding  Value Encoding  Value Encoding
-          0 A            17 R            34 i            51 z
-          1 B            18 S            35 j            52 0
-          2 C            19 T            36 k            53 1
-          3 D            20 U            37 l            54 2
-          4 E            21 V            38 m            55 3
-          5 F            22 W            39 n            56 4
-          6 G            23 X            40 o            57 5
-          7 H            24 Y            41 p            58 6
-          8 I            25 Z            42 q            59 7
-          9 J            26 a            43 r            60 8
-         10 K            27 b            44 s            61 9
-         11 L            28 c            45 t            62 +
-         12 M            29 d            46 u            63 /
-         13 N            30 e            47 v
-         14 O            31 f            48 w         (pad) =
-         15 P            32 g            49 x
-         16 Q            33 h            50 y
-
-   Special processing is performed if fewer than 24 bits are available
-   at the end of the data being encoded.  A full encoding quantum is
-   always completed at the end of a quantity.  When fewer than 24 input
-   bits are available in an input group, zero bits are added (on the
-   right) to form an integral number of 6-bit groups.  Padding at the
-   end of the data is performed using the '=' character.
-
-   Since all base64 input is an integral number of octets, only the
-         -------------------------------------------------                       
-   following cases can arise:
-   
-       (1) the final quantum of encoding input is an integral
-           multiple of 24 bits; here, the final unit of encoded
-	   output will be an integral multiple of 4 characters
-	   with no "=" padding,
-       (2) the final quantum of encoding input is exactly 8 bits;
-           here, the final unit of encoded output will be two
-	   characters followed by two "=" padding characters, or
-       (3) the final quantum of encoding input is exactly 16 bits;
-           here, the final unit of encoded output will be three
-	   characters followed by one "=" padding character.
-   */
-
-#if !defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP) 
-int
-b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize)
-{
-	size_t datalength = 0;
-	u_char input[3];
-	u_char output[4];
-	u_int i;
-
-	while (2 < srclength) {
-		input[0] = *src++;
-		input[1] = *src++;
-		input[2] = *src++;
-		srclength -= 3;
-
-		output[0] = input[0] >> 2;
-		output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4);
-		output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6);
-		output[3] = input[2] & 0x3f;
-		Assert(output[0] < 64);
-		Assert(output[1] < 64);
-		Assert(output[2] < 64);
-		Assert(output[3] < 64);
-
-		if (datalength + 4 > targsize)
-			return (-1);
-		target[datalength++] = Base64[output[0]];
-		target[datalength++] = Base64[output[1]];
-		target[datalength++] = Base64[output[2]];
-		target[datalength++] = Base64[output[3]];
-	}
-    
-	/* Now we worry about padding. */
-	if (0 != srclength) {
-		/* Get what's left. */
-		input[0] = input[1] = input[2] = '\0';
-		for (i = 0; i < srclength; i++)
-			input[i] = *src++;
-	
-		output[0] = input[0] >> 2;
-		output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4);
-		output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6);
-		Assert(output[0] < 64);
-		Assert(output[1] < 64);
-		Assert(output[2] < 64);
-
-		if (datalength + 4 > targsize)
-			return (-1);
-		target[datalength++] = Base64[output[0]];
-		target[datalength++] = Base64[output[1]];
-		if (srclength == 1)
-			target[datalength++] = Pad64;
-		else
-			target[datalength++] = Base64[output[2]];
-		target[datalength++] = Pad64;
-	}
-	if (datalength >= targsize)
-		return (-1);
-	target[datalength] = '\0';	/* Returned value doesn't count \0. */
-	return (datalength);
-}
-#endif /* !defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP) */
-
-#if !defined(HAVE_B64_PTON) && !defined(HAVE___B64_PTON)
-
-/* skips all whitespace anywhere.
-   converts characters, four at a time, starting at (or after)
-   src from base - 64 numbers into three 8 bit bytes in the target area.
-   it returns the number of data bytes stored at the target, or -1 on error.
- */
-
-int
-b64_pton(char const *src, u_char *target, size_t targsize)
-{
-	u_int tarindex, state;
-	int ch;
-	char *pos;
-
-	state = 0;
-	tarindex = 0;
-
-	while ((ch = *src++) != '\0') {
-		if (isspace(ch))	/* Skip whitespace anywhere. */
-			continue;
-
-		if (ch == Pad64)
-			break;
-
-		pos = strchr(Base64, ch);
-		if (pos == 0) 		/* A non-base64 character. */
-			return (-1);
-
-		switch (state) {
-		case 0:
-			if (target) {
-				if (tarindex >= targsize)
-					return (-1);
-				target[tarindex] = (pos - Base64) << 2;
-			}
-			state = 1;
-			break;
-		case 1:
-			if (target) {
-				if (tarindex + 1 >= targsize)
-					return (-1);
-				target[tarindex]   |=  (pos - Base64) >> 4;
-				target[tarindex+1]  = ((pos - Base64) & 0x0f)
-							<< 4 ;
-			}
-			tarindex++;
-			state = 2;
-			break;
-		case 2:
-			if (target) {
-				if (tarindex + 1 >= targsize)
-					return (-1);
-				target[tarindex]   |=  (pos - Base64) >> 2;
-				target[tarindex+1]  = ((pos - Base64) & 0x03)
-							<< 6;
-			}
-			tarindex++;
-			state = 3;
-			break;
-		case 3:
-			if (target) {
-				if (tarindex >= targsize)
-					return (-1);
-				target[tarindex] |= (pos - Base64);
-			}
-			tarindex++;
-			state = 0;
-			break;
-		}
-	}
-
-	/*
-	 * We are done decoding Base-64 chars.  Let's see if we ended
-	 * on a byte boundary, and/or with erroneous trailing characters.
-	 */
-
-	if (ch == Pad64) {		/* We got a pad char. */
-		ch = *src++;		/* Skip it, get next. */
-		switch (state) {
-		case 0:		/* Invalid = in first position */
-		case 1:		/* Invalid = in second position */
-			return (-1);
-
-		case 2:		/* Valid, means one byte of info */
-			/* Skip any number of spaces. */
-			for (; ch != '\0'; ch = *src++)
-				if (!isspace(ch))
-					break;
-			/* Make sure there is another trailing = sign. */
-			if (ch != Pad64)
-				return (-1);
-			ch = *src++;		/* Skip the = */
-			/* Fall through to "single trailing =" case. */
-			/* FALLTHROUGH */
-
-		case 3:		/* Valid, means two bytes of info */
-			/*
-			 * We know this char is an =.  Is there anything but
-			 * whitespace after it?
-			 */
-			for (; ch != '\0'; ch = *src++)
-				if (!isspace(ch))
-					return (-1);
-
-			/*
-			 * Now make sure for cases 2 and 3 that the "extra"
-			 * bits that slopped past the last full byte were
-			 * zeros.  If we don't check them, they become a
-			 * subliminal channel.
-			 */
-			if (target && target[tarindex] != 0)
-				return (-1);
-		}
-	} else {
-		/*
-		 * We ended by seeing the end of the string.  Make sure we
-		 * have no partial bytes lying around.
-		 */
-		if (state != 0)
-			return (-1);
-	}
-
-	return (tarindex);
-}
-
-#endif /* !defined(HAVE_B64_PTON) && !defined(HAVE___B64_PTON) */
-#endif 
diff --git a/crypto/openssh/openbsd-compat/base64.h b/crypto/openssh/openbsd-compat/base64.h
deleted file mode 100644
index 732c6b3..0000000
--- a/crypto/openssh/openbsd-compat/base64.h
+++ /dev/null
@@ -1,65 +0,0 @@
-/* $Id: base64.h,v 1.6 2003/08/29 16:59:52 mouring Exp $ */
-
-/*
- * Copyright (c) 1996 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
- * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-/*
- * Portions Copyright (c) 1995 by International Business Machines, Inc.
- *
- * International Business Machines, Inc. (hereinafter called IBM) grants
- * permission under its copyrights to use, copy, modify, and distribute this
- * Software with or without fee, provided that the above copyright notice and
- * all paragraphs of this notice appear in all copies, and that the name of IBM
- * not be used in connection with the marketing of any product incorporating
- * the Software or modifications thereof, without specific, written prior
- * permission.
- *
- * To the extent it has a right to do so, IBM grants an immunity from suit
- * under its patents, if any, for the use, sale or manufacture of products to
- * the extent that such products are used for performing Domain Name System
- * dynamic updates in TCP/IP networks by means of the Software.  No immunity is
- * granted for any product per se or for any other function of any product.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES,
- * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE.  IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL,
- * DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING
- * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN
- * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
- */
-
-#ifndef _BSD_BASE64_H
-#define _BSD_BASE64_H
-
-#include "includes.h"
-
-#ifndef HAVE___B64_NTOP
-# ifndef HAVE_B64_NTOP
-int b64_ntop(u_char const *src, size_t srclength, char *target, 
-    size_t targsize);
-# endif /* !HAVE_B64_NTOP */
-# define __b64_ntop(a,b,c,d) b64_ntop(a,b,c,d)
-#endif /* HAVE___B64_NTOP */
-
-#ifndef HAVE___B64_PTON
-# ifndef HAVE_B64_PTON
-int b64_pton(char const *src, u_char *target, size_t targsize);
-# endif /* !HAVE_B64_PTON */
-# define __b64_pton(a,b,c) b64_pton(a,b,c)
-#endif /* HAVE___B64_PTON */
-
-#endif /* _BSD_BASE64_H */
diff --git a/crypto/openssh/openbsd-compat/basename.c b/crypto/openssh/openbsd-compat/basename.c
deleted file mode 100644
index ffa5c89..0000000
--- a/crypto/openssh/openbsd-compat/basename.c
+++ /dev/null
@@ -1,67 +0,0 @@
-/*	$OpenBSD: basename.c,v 1.14 2005/08/08 08:05:33 espie Exp $	*/
-
-/*
- * Copyright (c) 1997, 2004 Todd C. Miller <Todd.Miller@courtesan.com>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* OPENBSD ORIGINAL: lib/libc/gen/basename.c */
-
-#include "includes.h"
-#ifndef HAVE_BASENAME
-#include <errno.h>
-#include <string.h>
-
-char *
-basename(const char *path)
-{
-	static char bname[MAXPATHLEN];
-	size_t len;
-	const char *endp, *startp;
-
-	/* Empty or NULL string gets treated as "." */
-	if (path == NULL || *path == '\0') {
-		bname[0] = '.';
-		bname[1] = '\0';
-		return (bname);
-	}
-
-	/* Strip any trailing slashes */
-	endp = path + strlen(path) - 1;
-	while (endp > path && *endp == '/')
-		endp--;
-
-	/* All slashes becomes "/" */
-	if (endp == path && *endp == '/') {
-		bname[0] = '/';
-		bname[1] = '\0';
-		return (bname);
-	}
-
-	/* Find the start of the base */
-	startp = endp;
-	while (startp > path && *(startp - 1) != '/')
-		startp--;
-
-	len = endp - startp + 1;
-	if (len >= sizeof(bname)) {
-		errno = ENAMETOOLONG;
-		return (NULL);
-	}
-	memcpy(bname, startp, len);
-	bname[len] = '\0';
-	return (bname);
-}
-
-#endif /* !defined(HAVE_BASENAME) */
diff --git a/crypto/openssh/openbsd-compat/bindresvport.c b/crypto/openssh/openbsd-compat/bindresvport.c
deleted file mode 100644
index 65afed1..0000000
--- a/crypto/openssh/openbsd-compat/bindresvport.c
+++ /dev/null
@@ -1,118 +0,0 @@
-/* This file has be substantially modified from the original OpenBSD source */
-
-/*	$OpenBSD: bindresvport.c,v 1.16 2005/04/01 07:44:03 otto Exp $	*/
-
-/*
- * Copyright 1996, Jason Downs.  All rights reserved.
- * Copyright 1998, Theo de Raadt.  All rights reserved.
- * Copyright 2000, Damien Miller.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/* OPENBSD ORIGINAL: lib/libc/rpc/bindresvport.c */
-
-#include "includes.h"
-
-#ifndef HAVE_BINDRESVPORT_SA
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include <errno.h>
-#include <string.h>
-
-#define STARTPORT 600
-#define ENDPORT (IPPORT_RESERVED - 1)
-#define NPORTS	(ENDPORT - STARTPORT + 1)
-
-/*
- * Bind a socket to a privileged IP port
- */
-int
-bindresvport_sa(int sd, struct sockaddr *sa)
-{
-	int error, af;
-	struct sockaddr_storage myaddr;
-	struct sockaddr_in *sin;
-	struct sockaddr_in6 *sin6;
-	u_int16_t *portp;
-	u_int16_t port;
-	socklen_t salen;
-	int i;
-
-	if (sa == NULL) {
-		memset(&myaddr, 0, sizeof(myaddr));
-		sa = (struct sockaddr *)&myaddr;
-
-		if (getsockname(sd, sa, &salen) == -1)
-			return -1;	/* errno is correctly set */
-
-		af = sa->sa_family;
-		memset(&myaddr, 0, salen);
-	} else
-		af = sa->sa_family;
-
-	if (af == AF_INET) {
-		sin = (struct sockaddr_in *)sa;
-		salen = sizeof(struct sockaddr_in);
-		portp = &sin->sin_port;
-	} else if (af == AF_INET6) {
-		sin6 = (struct sockaddr_in6 *)sa;
-		salen = sizeof(struct sockaddr_in6);
-		portp = &sin6->sin6_port;
-	} else {
-		errno = EPFNOSUPPORT;
-		return (-1);
-	}
-	sa->sa_family = af;
-
-	port = ntohs(*portp);
-	if (port == 0)
-		port = (arc4random() % NPORTS) + STARTPORT;
-
-	/* Avoid warning */
-	error = -1;
-
-	for(i = 0; i < NPORTS; i++) {
-		*portp = htons(port);
-		
-		error = bind(sd, sa, salen);
-
-		/* Terminate on success */
-		if (error == 0)
-			break;
-			
-		/* Terminate on errors, except "address already in use" */
-		if ((error < 0) && !((errno == EADDRINUSE) || (errno == EINVAL)))
-			break;
-			
-		port++;
-		if (port > ENDPORT)
-			port = STARTPORT;
-	}
-
-	return (error);
-}
-
-#endif /* HAVE_BINDRESVPORT_SA */
diff --git a/crypto/openssh/openbsd-compat/bsd-arc4random.c b/crypto/openssh/openbsd-compat/bsd-arc4random.c
deleted file mode 100644
index d45fb18..0000000
--- a/crypto/openssh/openbsd-compat/bsd-arc4random.c
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * Copyright (c) 1999,2000,2004 Damien Miller <djm@mindrot.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <string.h>
-#include <stdarg.h>
-
-#include "log.h"
-
-#ifndef HAVE_ARC4RANDOM
-
-#include <openssl/rand.h>
-#include <openssl/rc4.h>
-#include <openssl/err.h>
-
-/* Size of key to use */
-#define SEED_SIZE 20
-
-/* Number of bytes to reseed after */
-#define REKEY_BYTES	(1 << 24)
-
-static int rc4_ready = 0;
-static RC4_KEY rc4;
-
-unsigned int
-arc4random(void)
-{
-	unsigned int r = 0;
-	static int first_time = 1;
-
-	if (rc4_ready <= 0) {
-		if (first_time)
-			seed_rng();
-		first_time = 0;
-		arc4random_stir();
-	}
-
-	RC4(&rc4, sizeof(r), (unsigned char *)&r, (unsigned char *)&r);
-
-	rc4_ready -= sizeof(r);
-	
-	return(r);
-}
-
-void
-arc4random_stir(void)
-{
-	unsigned char rand_buf[SEED_SIZE];
-	int i;
-
-	memset(&rc4, 0, sizeof(rc4));
-	if (RAND_bytes(rand_buf, sizeof(rand_buf)) <= 0)
-		fatal("Couldn't obtain random bytes (error %ld)",
-		    ERR_get_error());
-	RC4_set_key(&rc4, sizeof(rand_buf), rand_buf);
-
-	/*
-	 * Discard early keystream, as per recommendations in:
-	 * http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps
-	 */
-	for(i = 0; i <= 256; i += sizeof(rand_buf))
-		RC4(&rc4, sizeof(rand_buf), rand_buf, rand_buf);
-
-	memset(rand_buf, 0, sizeof(rand_buf));
-
-	rc4_ready = REKEY_BYTES;
-}
-#endif /* !HAVE_ARC4RANDOM */
diff --git a/crypto/openssh/openbsd-compat/bsd-asprintf.c b/crypto/openssh/openbsd-compat/bsd-asprintf.c
deleted file mode 100644
index 6748013..0000000
--- a/crypto/openssh/openbsd-compat/bsd-asprintf.c
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
- * Copyright (c) 2004 Darren Tucker.
- *
- * Based originally on asprintf.c from OpenBSD:
- * Copyright (c) 1997 Todd C. Miller <Todd.Miller@courtesan.com>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "includes.h"
-
-#ifndef HAVE_VASPRINTF
-
-#include <errno.h>
-#include <stdarg.h>
-#include <stdlib.h>
-
-#ifndef VA_COPY
-# ifdef HAVE_VA_COPY
-#  define VA_COPY(dest, src) va_copy(dest, src)
-# else
-#  ifdef HAVE___VA_COPY
-#   define VA_COPY(dest, src) __va_copy(dest, src)
-#  else
-#   define VA_COPY(dest, src) (dest) = (src)
-#  endif
-# endif
-#endif
-
-#define INIT_SZ	128
-
-int vasprintf(char **str, const char *fmt, va_list ap)
-{
-	int ret = -1;
-	va_list ap2;
-	char *string, *newstr;
-	size_t len;
-
-	VA_COPY(ap2, ap);
-	if ((string = malloc(INIT_SZ)) == NULL)
-		goto fail;
-
-	ret = vsnprintf(string, INIT_SZ, fmt, ap2);
-	if (ret >= 0 && ret < INIT_SZ) { /* succeeded with initial alloc */
-		*str = string;
-	} else if (ret == INT_MAX) { /* shouldn't happen */
-		goto fail;
-	} else {	/* bigger than initial, realloc allowing for nul */
-		len = (size_t)ret + 1;
-		if ((newstr = realloc(string, len)) == NULL) {
-			free(string);
-			goto fail;
-		} else {
-			va_end(ap2);
-			VA_COPY(ap2, ap);
-			ret = vsnprintf(newstr, len, fmt, ap2);
-			if (ret >= 0 && (size_t)ret < len) {
-				*str = newstr;
-			} else { /* failed with realloc'ed string, give up */
-				free(newstr);
-				goto fail;
-			}
-		}
-	}
-	va_end(ap2);
-	return (ret);
-
-fail:
-	*str = NULL;
-	errno = ENOMEM;
-	va_end(ap2);
-	return (-1);
-}
-#endif
-
-#ifndef HAVE_ASPRINTF
-int asprintf(char **str, const char *fmt, ...)
-{
-	va_list ap;
-	int ret;
-	
-	*str = NULL;
-	va_start(ap, fmt);
-	ret = vasprintf(str, fmt, ap);
-	va_end(ap);
-
-	return ret;
-}
-#endif
diff --git a/crypto/openssh/openbsd-compat/bsd-closefrom.c b/crypto/openssh/openbsd-compat/bsd-closefrom.c
deleted file mode 100644
index 9380b33..0000000
--- a/crypto/openssh/openbsd-compat/bsd-closefrom.c
+++ /dev/null
@@ -1,109 +0,0 @@
-/*
- * Copyright (c) 2004-2005 Todd C. Miller <Todd.Miller@courtesan.com>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "includes.h"
-
-#ifndef HAVE_CLOSEFROM
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <unistd.h>
-#include <stdio.h>
-#ifdef HAVE_FCNTL_H
-# include <fcntl.h>
-#endif
-#include <limits.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <string.h>
-#include <unistd.h>
-#ifdef HAVE_DIRENT_H
-# include <dirent.h>
-# define NAMLEN(dirent) strlen((dirent)->d_name)
-#else
-# define dirent direct
-# define NAMLEN(dirent) (dirent)->d_namlen
-# ifdef HAVE_SYS_NDIR_H
-#  include <sys/ndir.h>
-# endif
-# ifdef HAVE_SYS_DIR_H
-#  include <sys/dir.h>
-# endif
-# ifdef HAVE_NDIR_H
-#  include <ndir.h>
-# endif
-#endif
-
-#ifndef OPEN_MAX
-# define OPEN_MAX	256
-#endif
-
-#if 0
-__unused static const char rcsid[] = "$Sudo: closefrom.c,v 1.11 2006/08/17 15:26:54 millert Exp $";
-#endif /* lint */
-
-/*
- * Close all file descriptors greater than or equal to lowfd.
- */
-#ifdef HAVE_FCNTL_CLOSEM
-void
-closefrom(int lowfd)
-{
-    (void) fcntl(lowfd, F_CLOSEM, 0);
-}
-#else
-void
-closefrom(int lowfd)
-{
-    long fd, maxfd;
-#if defined(HAVE_DIRFD) && defined(HAVE_PROC_PID)
-    char fdpath[PATH_MAX], *endp;
-    struct dirent *dent;
-    DIR *dirp;
-    int len;
-
-    /* Check for a /proc/$$/fd directory. */
-    len = snprintf(fdpath, sizeof(fdpath), "/proc/%ld/fd", (long)getpid());
-    if (len > 0 && (size_t)len <= sizeof(fdpath) && (dirp = opendir(fdpath))) {
-	while ((dent = readdir(dirp)) != NULL) {
-	    fd = strtol(dent->d_name, &endp, 10);
-	    if (dent->d_name != endp && *endp == '\0' &&
-		fd >= 0 && fd < INT_MAX && fd >= lowfd && fd != dirfd(dirp))
-		(void) close((int) fd);
-	}
-	(void) closedir(dirp);
-    } else
-#endif
-    {
-	/*
-	 * Fall back on sysconf() or getdtablesize().  We avoid checking
-	 * resource limits since it is possible to open a file descriptor
-	 * and then drop the rlimit such that it is below the open fd.
-	 */
-#ifdef HAVE_SYSCONF
-	maxfd = sysconf(_SC_OPEN_MAX);
-#else
-	maxfd = getdtablesize();
-#endif /* HAVE_SYSCONF */
-	if (maxfd < 0)
-	    maxfd = OPEN_MAX;
-
-	for (fd = lowfd; fd < maxfd; fd++)
-	    (void) close((int) fd);
-    }
-}
-#endif /* !HAVE_FCNTL_CLOSEM */
-#endif /* HAVE_CLOSEFROM */
diff --git a/crypto/openssh/openbsd-compat/bsd-cray.c b/crypto/openssh/openbsd-compat/bsd-cray.c
deleted file mode 100644
index 1532c99..0000000
--- a/crypto/openssh/openbsd-compat/bsd-cray.c
+++ /dev/null
@@ -1,819 +0,0 @@
-/* 
- * $Id: bsd-cray.c,v 1.16 2006/09/01 05:38:41 djm Exp $
- *
- * bsd-cray.c
- *
- * Copyright (c) 2002, Cray Inc.  (Wendy Palm <wendyp@cray.com>)
- * Significant portions provided by 
- *          Wayne Schroeder, SDSC <schroeder@sdsc.edu>
- *          William Jones, UTexas <jones@tacc.utexas.edu>
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- * Created: Apr 22 16.34:00 2002 wp
- *
- * This file contains functions required for proper execution
- * on UNICOS systems.
- *
- */
-#ifdef _UNICOS
-
-#include <udb.h>
-#include <tmpdir.h>
-#include <unistd.h>
-#include <sys/category.h>
-#include <utmp.h>
-#include <sys/jtab.h>
-#include <signal.h>
-#include <sys/priv.h>
-#include <sys/secparm.h>
-#include <sys/tfm.h>
-#include <sys/usrv.h>
-#include <sys/sysv.h>
-#include <sys/sectab.h>
-#include <sys/secstat.h>
-#include <sys/stat.h>
-#include <sys/session.h>
-#include <stdarg.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <pwd.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <ia.h>
-#include <urm.h>
-#include "ssh.h"
-
-#include "includes.h"
-#include "sys/types.h"
-
-#ifndef HAVE_STRUCT_SOCKADDR_STORAGE
-# define      _SS_MAXSIZE     128     /* Implementation specific max size */
-# define       _SS_PADSIZE     (_SS_MAXSIZE - sizeof (struct sockaddr))
-
-# define ss_family ss_sa.sa_family
-#endif /* !HAVE_STRUCT_SOCKADDR_STORAGE */
-
-#ifndef IN6_IS_ADDR_LOOPBACK
-# define IN6_IS_ADDR_LOOPBACK(a) \
-	(((u_int32_t *) (a))[0] == 0 && ((u_int32_t *) (a))[1] == 0 && \
-	 ((u_int32_t *) (a))[2] == 0 && ((u_int32_t *) (a))[3] == htonl (1))
-#endif /* !IN6_IS_ADDR_LOOPBACK */
-
-#ifndef AF_INET6
-/* Define it to something that should never appear */
-#define AF_INET6 AF_MAX
-#endif
-
-#include "log.h"
-#include "servconf.h"
-#include "bsd-cray.h"
-
-#define MAXACID 80
-
-extern ServerOptions options;
-
-char cray_tmpdir[TPATHSIZ + 1];		    /* job TMPDIR path */
-
-struct sysv sysv;	/* system security structure */
-struct usrv usrv;	/* user security structure */
-
-/*
- * Functions.
- */
-void cray_retain_utmp(struct utmp *, int);
-void cray_delete_tmpdir(char *, int, uid_t);
-void cray_init_job(struct passwd *);
-void cray_set_tmpdir(struct utmp *);
-void cray_login_failure(char *, int);
-int cray_setup(uid_t, char *, const char *);
-int cray_access_denied(char *);
-
-void
-cray_login_failure(char *username, int errcode)
-{
-	struct udb *ueptr;		/* UDB pointer for username */
-	ia_failure_t fsent;		/* ia_failure structure */
-	ia_failure_ret_t fret;		/* ia_failure return stuff */
-	struct jtab jtab;		/* job table structure */
-	int jid = 0;			/* job id */
-
-	if ((jid = getjtab(&jtab)) < 0)
-		debug("cray_login_failure(): getjtab error");
-
-	getsysudb();
-	if ((ueptr = getudbnam(username)) == UDB_NULL)
-		debug("cray_login_failure(): getudbname() returned NULL");
-	endudb();
-
-	memset(&fsent, '\0', sizeof(fsent));
-	fsent.revision = 0;
-	fsent.uname = username;
-	fsent.host = (char *)get_canonical_hostname(options.use_dns);
-	fsent.ttyn = "sshd";
-	fsent.caller = IA_SSHD;
-	fsent.flags = IA_INTERACTIVE;
-	fsent.ueptr = ueptr;
-	fsent.jid = jid;
-	fsent.errcode = errcode;
-	fsent.pwdp = NULL;
-	fsent.exitcode = 0;	/* dont exit in ia_failure() */
-
-	fret.revision = 0;
-	fret.normal = 0;
-
-	/*
-	 * Call ia_failure because of an login failure.
-	 */
-	ia_failure(&fsent, &fret);
-}
-
-/*
- *  Cray access denied
- */
-int
-cray_access_denied(char *username)
-{
-	struct udb *ueptr;		/* UDB pointer for username */
-	int errcode;			/* IA errorcode */
-
-	errcode = 0;
-	getsysudb();
-	if ((ueptr = getudbnam(username)) == UDB_NULL)
-		debug("cray_login_failure(): getudbname() returned NULL");
-	endudb();
-
-	if (ueptr != NULL && ueptr->ue_disabled)
-		errcode = IA_DISABLED;
-	if (errcode)
-		cray_login_failure(username, errcode);
-
-	return (errcode);
-}
-
-/*
- * record_failed_login: generic "login failed" interface function
- */
-void
-record_failed_login(const char *user, const char *hostname, const char *ttyname)
-{
-	cray_login_failure((char *)user, IA_UDBERR);
-}
-
-int
-cray_setup (uid_t uid, char *username, const char *command)
-{
-	extern struct udb *getudb();
-	extern char *setlimits();
-
-	int err;			/* error return */
-	time_t system_time;		/* current system clock */
-	time_t expiration_time;		/* password expiration time */
-	int maxattempts;		/* maximum no. of failed login attempts */
-	int SecureSys;			/* unicos security flag */
-	int minslevel = 0;		/* system minimum security level */
-	int i, j;
-	int valid_acct = -1;		/* flag for reading valid acct */
-	char acct_name[MAXACID] = { "" }; /* used to read acct name */
-	struct jtab jtab;		/* Job table struct */
-	struct udb ue;			/* udb entry for logging-in user */
-	struct udb *up;			/* pointer to UDB entry */
-	struct secstat secinfo;		/* file  security attributes */
-	struct servprov init_info;	/* used for sesscntl() call */
-	int jid;			/* job ID */
-	int pid;			/* process ID */
-	char *sr;			/* status return from setlimits() */
-	char *ttyn = NULL;		/* ttyname or command name*/
-	char hostname[MAXHOSTNAMELEN];
-	/* passwd stuff for ia_user */
-	passwd_t pwdacm, pwddialup, pwdudb, pwdwal, pwddce;
-	ia_user_ret_t uret;		/* stuff returned from ia_user */
-	ia_user_t usent;		/* ia_user main structure */
-	int ia_rcode;			/* ia_user return code */
-	ia_failure_t fsent;		/* ia_failure structure */
-	ia_failure_ret_t fret;		/* ia_failure return stuff */
-	ia_success_t ssent;		/* ia_success structure */
-	ia_success_ret_t sret;		/* ia_success return stuff */
-	int ia_mlsrcode;		/* ia_mlsuser return code */
-	int secstatrc;			/* [f]secstat return code */
-
-	if (SecureSys = (int)sysconf(_SC_CRAY_SECURE_SYS)) {
-		getsysv(&sysv, sizeof(struct sysv));
-		minslevel = sysv.sy_minlvl;
-		if (getusrv(&usrv) < 0)
-			fatal("getusrv() failed, errno = %d", errno);
-	}
-	hostname[0] = '\0';
-	strlcpy(hostname,
-	   (char *)get_canonical_hostname(options.use_dns),
-	   MAXHOSTNAMELEN);
-	/*
-	 *  Fetch user's UDB entry.
-	 */
-	getsysudb();
-	if ((up = getudbnam(username)) == UDB_NULL)
-		fatal("cannot fetch user's UDB entry");
-
-	/*
-	 *  Prevent any possible fudging so perform a data
-	 *  safety check and compare the supplied uid against
-	 *  the udb's uid.
-	 */
-	if (up->ue_uid != uid)
-		fatal("IA uid missmatch");
-	endudb();
-
-	if ((jid = getjtab(&jtab)) < 0) {
-		debug("getjtab");
-		return(-1);
-	}
-	pid = getpid();
-	ttyn = ttyname(0);
-	if (SecureSys) {
-		if (ttyn != NULL)
-			secstatrc = secstat(ttyn, &secinfo);
-		else
-			secstatrc = fsecstat(1, &secinfo);
-
-		if (secstatrc == 0)
-			debug("[f]secstat() successful");
-		else
-			fatal("[f]secstat() error, rc = %d", secstatrc);
-	}
-	if ((ttyn == NULL) && ((char *)command != NULL))
-		ttyn = (char *)command;
-	/*
-	 *  Initialize all structures to call ia_user
-	 */
-	usent.revision = 0;
-	usent.uname = username;
-	usent.host = hostname;
-	usent.ttyn = ttyn;
-	usent.caller = IA_SSHD; 
-	usent.pswdlist = &pwdacm;
-	usent.ueptr = &ue;
-	usent.flags = IA_INTERACTIVE | IA_FFLAG;
-	pwdacm.atype = IA_SECURID;
-	pwdacm.pwdp = NULL;
-	pwdacm.next = &pwdudb;
-
-	pwdudb.atype = IA_UDB;
-	pwdudb.pwdp = NULL;
-	pwdudb.next = &pwddce;
-
-	pwddce.atype = IA_DCE;
-	pwddce.pwdp = NULL;
-	pwddce.next = &pwddialup;
-
-	pwddialup.atype = IA_DIALUP;
-	pwddialup.pwdp = NULL;
-	/* pwddialup.next = &pwdwal; */
-	pwddialup.next = NULL;
-
-	pwdwal.atype = IA_WAL;
-	pwdwal.pwdp = NULL;
-	pwdwal.next = NULL;
-
-	uret.revision = 0;
-	uret.pswd = NULL;
-	uret.normal = 0;
-
-	ia_rcode = ia_user(&usent, &uret);
-	switch (ia_rcode) {
-	/*
-	 *  These are acceptable return codes from ia_user()
-	 */
-	case IA_UDBWEEK:        /* Password Expires in 1 week */
-		expiration_time = ue.ue_pwage.time + ue.ue_pwage.maxage;
-		printf ("WARNING - your current password will expire %s\n",
-		ctime((const time_t *)&expiration_time));
-		break;
-	case IA_UDBEXPIRED:
-		if (ttyname(0) != NULL) {
-			/* Force a password change */
-			printf("Your password has expired; Choose a new one.\n");
-			execl("/bin/passwd", "passwd", username, 0);
-			exit(9);
-			}
-		break;
-	case IA_NORMAL:         /* Normal Return Code */
-		break;
-	case IA_BACKDOOR:
-		/* XXX: can we memset it to zero here so save some of this */
-		strlcpy(ue.ue_name, "root", sizeof(ue.ue_name));
-		strlcpy(ue.ue_dir, "/", sizeof(ue.ue_dir));
-		strlcpy(ue.ue_shell, "/bin/sh", sizeof(ue.ue_shell));
-
-		ue.ue_passwd[0] = '\0';
-		ue.ue_age[0] = '\0';
-		ue.ue_comment[0] = '\0';
-		ue.ue_loghost[0] = '\0';
-		ue.ue_logline[0] = '\0';
-
-		ue.ue_uid = -1;
-		ue.ue_nice[UDBRC_INTER] = 0;
-
-		for (i = 0; i < MAXVIDS; i++)
-			ue.ue_gids[i] = 0;
-
-		ue.ue_logfails = 0;
-		ue.ue_minlvl = ue.ue_maxlvl = ue.ue_deflvl = minslevel;
-		ue.ue_defcomps = 0;
-		ue.ue_comparts = 0;
-		ue.ue_permits = 0;
-		ue.ue_trap = 0;
-		ue.ue_disabled = 0;
-		ue.ue_logtime = 0;
-		break;
-	case IA_CONSOLE:        /* Superuser not from Console */
-	case IA_TRUSTED:	/* Trusted user */
-		if (options.permit_root_login > PERMIT_NO)
-			break;	/* Accept root login */
-	default:
-	/*
-	 *  These are failed return codes from ia_user()
-	 */
-		switch (ia_rcode) 
-		{
-		case IA_BADAUTH:
-			printf("Bad authorization, access denied.\n");
-			break;
-		case IA_DISABLED:
-			printf("Your login has been disabled. Contact the system ");
-			printf("administrator for assistance.\n");
-			break;
-		case IA_GETSYSV:
-			printf("getsysv() failed - errno = %d\n", errno);
-			break;
-		case IA_MAXLOGS:
-			printf("Maximum number of failed login attempts exceeded.\n");
-			printf("Access denied.\n");
-			break;
-		case IA_UDBPWDNULL:
-			if (SecureSys)
-				printf("NULL Password not allowed on MLS systems.\n");
-			break;
-		default:
-			break;
-		}
-
-		/*
-		 *  Authentication failed.
-		 */
-		printf("sshd: Login incorrect, (0%o)\n",
-		    ia_rcode-IA_ERRORCODE);
-
-		/*
-		 *  Initialize structure for ia_failure
-		 *  which will exit.
-		 */
-		fsent.revision = 0;
-		fsent.uname = username;
-		fsent.host = hostname;
-		fsent.ttyn = ttyn;
-		fsent.caller = IA_SSHD;
-		fsent.flags = IA_INTERACTIVE;
-		fsent.ueptr = &ue;
-		fsent.jid = jid;
-		fsent.errcode = ia_rcode;
-		fsent.pwdp = uret.pswd;
-		fsent.exitcode = 1;
-
-		fret.revision = 0;
-		fret.normal = 0;
-
-		/*
-		*  Call ia_failure because of an IA failure.
-		*  There is no return because ia_failure exits.
-		*/
-		ia_failure(&fsent, &fret);
-
-		exit(1); 
-	}
-
-	ia_mlsrcode = IA_NORMAL;
-	if (SecureSys) {
-		debug("calling ia_mlsuser()");
-		ia_mlsrcode = ia_mlsuser(&ue, &secinfo, &usrv, NULL, 0);
-	}
-	if (ia_mlsrcode != IA_NORMAL) {
-		printf("sshd: Login incorrect, (0%o)\n",
-		    ia_mlsrcode-IA_ERRORCODE);
-		/*
-		 *  Initialize structure for ia_failure
-		 *  which will exit.
-		 */
-		fsent.revision = 0;
-		fsent.uname = username;
-		fsent.host = hostname;
-		fsent.ttyn = ttyn;
-		fsent.caller = IA_SSHD;
-		fsent.flags = IA_INTERACTIVE;
-		fsent.ueptr = &ue;
-		fsent.jid  = jid;
-		fsent.errcode = ia_mlsrcode;
-		fsent.pwdp = uret.pswd;
-		fsent.exitcode = 1;
-		fret.revision = 0;
-		fret.normal = 0;
-
-		/*
-		 *  Call ia_failure because of an IA failure.
-		 *  There is no return because ia_failure exits.
-		 */
-		ia_failure(&fsent,&fret);
-		exit(1); 
-	}
-
-	/* Provide login status information */
-	if (options.print_lastlog && ue.ue_logtime != 0) {
-		printf("Last successful login was : %.*s ", 19,
-		    (char *)ctime(&ue.ue_logtime));
-
-		if (*ue.ue_loghost != '\0') {
-			printf("from %.*s\n", sizeof(ue.ue_loghost),
-			    ue.ue_loghost);
-		} else {
-			printf("on %.*s\n", sizeof(ue.ue_logline),
-			    ue.ue_logline);
-		}
-
-		if (SecureSys && (ue.ue_logfails != 0)) {
-			printf("  followed by %d failed attempts\n",
-			    ue.ue_logfails);
-		}
-	}
-
-	/*
-	 * Call ia_success to process successful I/A.
-	 */
-	ssent.revision = 0;
-	ssent.uname = username;
-	ssent.host = hostname;
-	ssent.ttyn = ttyn;
-	ssent.caller = IA_SSHD;
-	ssent.flags = IA_INTERACTIVE;
-	ssent.ueptr = &ue;
-	ssent.jid = jid;
-	ssent.errcode = ia_rcode;
-	ssent.us = NULL;
-	ssent.time = 1;	/* Set ue_logtime */
-
-	sret.revision = 0;
-	sret.normal = 0;
-
-	ia_success(&ssent, &sret);
-
-	/*
-	 * Query for account, iff > 1 valid acid & askacid permbit
-	 */
-	if (((ue.ue_permbits & PERMBITS_ACCTID) ||
-	    (ue.ue_acids[0] >= 0) && (ue.ue_acids[1] >= 0)) &&
-	    ue.ue_permbits & PERMBITS_ASKACID) {
-		if (ttyname(0) != NULL) {
-			debug("cray_setup: ttyname true case, %.100s", ttyname);
-			while (valid_acct == -1) {
-				printf("Account (? for available accounts)"
-				    " [%s]: ", acid2nam(ue.ue_acids[0]));
-				fgets(acct_name, MAXACID, stdin);
-				switch (acct_name[0]) {
-				case EOF:
-					exit(0);
-					break;
-				case '\0':
-					valid_acct = ue.ue_acids[0];
-					strlcpy(acct_name, acid2nam(valid_acct), MAXACID);
-					break;
-				case '?':
-					/* Print the list 3 wide */
-					for (i = 0, j = 0; i < MAXVIDS; i++) {
-						if (ue.ue_acids[i] == -1) {
-							printf("\n");
-							break;
-						}
-						if (++j == 4) {
-							j = 1;
-							printf("\n");
-						}
-						printf(" %s",
-						    acid2nam(ue.ue_acids[i]));
-					}
-					if (ue.ue_permbits & PERMBITS_ACCTID) {
-						printf("\"acctid\" permbit also allows"
-						    " you to select any valid "
-						    "account name.\n");
-					}
-					printf("\n");
-					break;
-				default:
-					valid_acct = nam2acid(acct_name);
-					if (valid_acct == -1) 
-						printf(
-						    "Account id not found for"
-						    " account name \"%s\"\n\n",
-						    acct_name);
-					break;
-				}
-				/*
-				 * If an account was given, search the user's
-				 * acids array to verify they can use this account.
-				 */
-				if ((valid_acct != -1) &&
-				    !(ue.ue_permbits & PERMBITS_ACCTID)) {
-					for (i = 0; i < MAXVIDS; i++) {
-						if (ue.ue_acids[i] == -1)
-							break;
-						if (valid_acct == ue.ue_acids[i])
-							break;
-					}
-					if (i == MAXVIDS ||
-					    ue.ue_acids[i] == -1) {
-						fprintf(stderr, "Cannot set"
-						    " account name to "
-						    "\"%s\", permission "
-						    "denied\n\n", acct_name);
-						valid_acct = -1;
-					}
-				}
-			}
-		} else {
-			/*
-			 * The client isn't connected to a terminal and can't
-			 * respond to an acid prompt.  Use default acid.
-			 */
-			debug("cray_setup: ttyname false case, %.100s",
-			    ttyname);
-			valid_acct = ue.ue_acids[0];
-		}
-	} else {
-		/*
-		 * The user doesn't have the askacid permbit set or
-		 * only has one valid account to use.
-		 */
-		valid_acct = ue.ue_acids[0];
-	}
-	if (acctid(0, valid_acct) < 0) {
-		printf ("Bad account id: %d\n", valid_acct);
-		exit(1);
-	}
-
-	/* 
-	 * Now set shares, quotas, limits, including CPU time for the 
-	 * (interactive) job and process, and set up permissions 
-	 * (for chown etc), etc.
-	 */
-	if (setshares(ue.ue_uid, valid_acct, printf, 0, 0)) {
-		printf("Unable to give %d shares to <%s>(%d/%d)\n",
-		    ue.ue_shares, ue.ue_name, ue.ue_uid, valid_acct);
-		exit(1);
-	}
-
-	sr = setlimits(username, C_PROC, pid, UDBRC_INTER);
-	if (sr != NULL) {
-		debug("%.200s", sr);
-		exit(1);
-	}
-	sr = setlimits(username, C_JOB, jid, UDBRC_INTER);
-	if (sr != NULL) {
-		debug("%.200s", sr);
-		exit(1);
-	}
-	/*
-	 * Place the service provider information into
-	 * the session table (Unicos) or job table (Unicos/mk).
-	 * There exist double defines for the job/session table in
-	 * unicos/mk (jtab.h) so no need for a compile time switch.
-	 */
-	memset(&init_info, '\0', sizeof(init_info));
-	init_info.s_sessinit.si_id = URM_SPT_LOGIN;
-	init_info.s_sessinit.si_pid = getpid();
-	init_info.s_sessinit.si_sid = jid;
-	sesscntl(0, S_SETSERVPO, (int)&init_info);
-
-	/*
-	 * Set user and controlling tty security attributes.
-	 */
-	if (SecureSys) {
-		if (setusrv(&usrv) == -1) {
-			debug("setusrv() failed, errno = %d",errno);
-			exit(1);
-		}
-	}
-
-	return (0);
-}
-
-/*
- * The rc.* and /etc/sdaemon methods of starting a program on unicos/unicosmk
- * can have pal privileges that sshd can inherit which
- * could allow a user to su to root with out a password.
- * This subroutine clears all privileges.
- */
-void
-drop_cray_privs()
-{
-#if defined(_SC_CRAY_PRIV_SU)
-	priv_proc_t *privstate;
-	int result;
-	extern int priv_set_proc();
-	extern priv_proc_t *priv_init_proc();
-
-	/*
-	 * If ether of theses two flags are not set
-	 * then don't allow this version of ssh to run.
-	 */
-	if (!sysconf(_SC_CRAY_PRIV_SU))
-		fatal("Not PRIV_SU system.");
-	if (!sysconf(_SC_CRAY_POSIX_PRIV))
-		fatal("Not POSIX_PRIV.");
-
-	debug("Setting MLS labels.");;
-
-	if (sysconf(_SC_CRAY_SECURE_MAC)) {
-		usrv.sv_minlvl = SYSLOW;
-		usrv.sv_actlvl = SYSHIGH;
-		usrv.sv_maxlvl = SYSHIGH;
-	} else {
-		usrv.sv_minlvl = sysv.sy_minlvl;
-		usrv.sv_actlvl = sysv.sy_minlvl;
-		usrv.sv_maxlvl = sysv.sy_maxlvl;
-	}       
-	usrv.sv_actcmp = 0;
-	usrv.sv_valcmp = sysv.sy_valcmp;
-
-	usrv.sv_intcat = TFM_SYSTEM;
-	usrv.sv_valcat |= (TFM_SYSTEM | TFM_SYSFILE);
-
-	if (setusrv(&usrv) < 0) {
-		fatal("%s(%d): setusrv(): %s", __FILE__, __LINE__,
-		    strerror(errno));
-	}
-
-	if ((privstate = priv_init_proc()) != NULL) {
-		result = priv_set_proc(privstate);
-		if (result != 0 ) {
-			fatal("%s(%d): priv_set_proc(): %s",
-			    __FILE__, __LINE__, strerror(errno));
-		}
-		priv_free_proc(privstate);
-	}
-	debug ("Privileges should be cleared...");
-#else
-	/* XXX: do this differently */
-#	error Cray systems must be run with _SC_CRAY_PRIV_SU on!
-#endif
-}
-
-
-/*
- *  Retain utmp/wtmp information - used by cray accounting.
- */
-void
-cray_retain_utmp(struct utmp *ut, int pid)
-{
-	int fd;
-	struct utmp utmp;
-
-	if ((fd = open(UTMP_FILE, O_RDONLY)) != -1) {
-		/* XXX use atomicio */
-		while (read(fd, (char *)&utmp, sizeof(utmp)) == sizeof(utmp)) {
-			if (pid == utmp.ut_pid) {
-				ut->ut_jid = utmp.ut_jid;
-				strncpy(ut->ut_tpath, utmp.ut_tpath, sizeof(utmp.ut_tpath));
-				strncpy(ut->ut_host, utmp.ut_host, sizeof(utmp.ut_host));
-				strncpy(ut->ut_name, utmp.ut_name, sizeof(utmp.ut_name));
-				break;
-			}
-		}
-		close(fd);
-	} else
-		fatal("Unable to open utmp file");
-}
-
-/*
- * tmpdir support.
- */
-
-/*
- * find and delete jobs tmpdir.
- */
-void
-cray_delete_tmpdir(char *login, int jid, uid_t uid)
-{
-	static char jtmp[TPATHSIZ];
-	struct stat statbuf;
-	int child, c, wstat;
-
-	for (c = 'a'; c <= 'z'; c++) {
-		snprintf(jtmp, TPATHSIZ, "%s/jtmp.%06d%c", JTMPDIR, jid, c);
-		if (stat(jtmp, &statbuf) == 0 && statbuf.st_uid == uid)
-			break;
-	}
-
-	if (c > 'z')
-		return;
-
-	if ((child = fork()) == 0) {
-		execl(CLEANTMPCMD, CLEANTMPCMD, login, jtmp, (char *)NULL);
-		fatal("cray_delete_tmpdir: execl of CLEANTMPCMD failed");
-	}
-
-	while (waitpid(child, &wstat, 0) == -1 && errno == EINTR)
-		;
-}
-
-/*
- * Remove tmpdir on job termination.
- */
-void
-cray_job_termination_handler(int sig)
-{
-	int jid;
-	char *login = NULL;
-	struct jtab jtab;
-
-	debug("received signal %d",sig);
-
-	if ((jid = waitjob(&jtab)) == -1 ||
-	    (login = uid2nam(jtab.j_uid)) == NULL)
-		return;
-
-	cray_delete_tmpdir(login, jid, jtab.j_uid);
-}
-
-/*
- * Set job id and create tmpdir directory.
- */
-void
-cray_init_job(struct passwd *pw)
-{
-	int jid;
-	int c;
-
-	jid = setjob(pw->pw_uid, WJSIGNAL);
-	if (jid < 0)
-		fatal("System call setjob failure");
-
-	for (c = 'a'; c <= 'z'; c++) {
-		snprintf(cray_tmpdir, TPATHSIZ, "%s/jtmp.%06d%c", JTMPDIR, jid, c);
-		if (mkdir(cray_tmpdir, JTMPMODE) != 0)
-			continue;
-		if (chown(cray_tmpdir,	pw->pw_uid, pw->pw_gid) != 0) {
-			rmdir(cray_tmpdir);
-			continue;
-		}
-		break;
-	}
-
-	if (c > 'z')
-		cray_tmpdir[0] = '\0';
-}
-
-void
-cray_set_tmpdir(struct utmp *ut)
-{
-	int jid;
-	struct jtab jbuf;
-
-	if ((jid = getjtab(&jbuf)) < 0)
-		return;
-
-	/*
-	 * Set jid and tmpdir in utmp record.
-	 */
-	ut->ut_jid = jid;
-	strncpy(ut->ut_tpath, cray_tmpdir, TPATHSIZ);
-}
-#endif /* UNICOS */
-
-#ifdef _UNICOSMP
-#include <pwd.h>
-/*
- * Set job id and create tmpdir directory.
- */
-void
-cray_init_job(struct passwd *pw)
-{
-	initrm_silent(pw->pw_uid);
-	return;
-}
-#endif /* _UNICOSMP */
diff --git a/crypto/openssh/openbsd-compat/bsd-cray.h b/crypto/openssh/openbsd-compat/bsd-cray.h
deleted file mode 100644
index 774eceb..0000000
--- a/crypto/openssh/openbsd-compat/bsd-cray.h
+++ /dev/null
@@ -1,61 +0,0 @@
-/* $Id: bsd-cray.h,v 1.12 2005/02/02 06:10:11 dtucker Exp $ */
-
-/*
- * Copyright (c) 2002, Cray Inc.  (Wendy Palm <wendyp@cray.com>)
- * Significant portions provided by 
- *          Wayne Schroeder, SDSC <schroeder@sdsc.edu>
- *          William Jones, UTexas <jones@tacc.utexas.edu>
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- * Created: Apr 22 16.34:00 2002 wp
- *
- * This file contains functions required for proper execution
- * on UNICOS systems.
- *
- */
-
-#ifndef _BSD_CRAY_H
-#define _BSD_CRAY_H
-
-#ifdef _UNICOS
-
-void cray_init_job(struct passwd *);
-void cray_job_termination_handler(int);
-void cray_login_failure(char *, int );
-int cray_access_denied(char *);
-extern char cray_tmpdir[];
-
-#define CUSTOM_FAILED_LOGIN 1
-
-#ifndef IA_SSHD
-# define IA_SSHD IA_LOGIN
-#endif
-#ifndef MAXHOSTNAMELEN
-# define MAXHOSTNAMELEN  64
-#endif
-#ifndef _CRAYT3E
-# define TIOCGPGRP (tIOC|20)
-#endif
-
-#endif /* UNICOS */
-
-#endif /* _BSD_CRAY_H */
diff --git a/crypto/openssh/openbsd-compat/bsd-cygwin_util.c b/crypto/openssh/openbsd-compat/bsd-cygwin_util.c
deleted file mode 100644
index dbf8176..0000000
--- a/crypto/openssh/openbsd-compat/bsd-cygwin_util.c
+++ /dev/null
@@ -1,293 +0,0 @@
-/*
- * Copyright (c) 2000, 2001, Corinna Vinschen <vinschen@cygnus.com>
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- * Created: Sat Sep 02 12:17:00 2000 cv
- *
- * This file contains functions for forcing opened file descriptors to
- * binary mode on Windows systems.
- */
-
-#include "includes.h"
-
-#ifdef HAVE_CYGWIN
-
-#if defined(open) && open == binary_open
-# undef open
-#endif
-#if defined(pipe) && open == binary_pipe
-# undef pipe
-#endif
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/utsname.h>
-#include <sys/vfs.h>
-
-#include <fcntl.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <windows.h>
-
-#include "xmalloc.h"
-#define is_winnt       (GetVersion() < 0x80000000)
-
-#define ntsec_on(c)	((c) && strstr((c),"ntsec") && !strstr((c),"nontsec"))
-#define ntsec_off(c)	((c) && strstr((c),"nontsec"))
-#define ntea_on(c)	((c) && strstr((c),"ntea") && !strstr((c),"nontea"))
-
-int 
-binary_open(const char *filename, int flags, ...)
-{
-	va_list ap;
-	mode_t mode;
-	
-	va_start(ap, flags);
-	mode = va_arg(ap, mode_t);
-	va_end(ap);
-	return (open(filename, flags | O_BINARY, mode));
-}
-
-int 
-binary_pipe(int fd[2])
-{
-	int ret = pipe(fd);
-
-	if (!ret) {
-		setmode(fd[0], O_BINARY);
-		setmode(fd[1], O_BINARY);
-	}
-	return (ret);
-}
-
-#define HAS_CREATE_TOKEN 1
-#define HAS_NTSEC_BY_DEFAULT 2
-#define HAS_CREATE_TOKEN_WO_NTSEC 3
-
-static int 
-has_capability(int what)
-{
-	static int inited;
-	static int has_create_token;
-	static int has_ntsec_by_default;
-	static int has_create_token_wo_ntsec;
-
-	/* 
-	 * has_capability() basically calls uname() and checks if
-	 * specific capabilities of Cygwin can be evaluated from that.
-	 * This simplifies the calling functions which only have to ask
-	 * for a capability using has_capability() instead of having
-	 * to figure that out by themselves.
-	 */
-	if (!inited) {
-		struct utsname uts;
-		
-		if (!uname(&uts)) {
-			int major_high = 0, major_low = 0, minor = 0;
-			int api_major_version = 0, api_minor_version = 0;
-			char *c;
-
-			sscanf(uts.release, "%d.%d.%d", &major_high,
-			    &major_low, &minor);
-			if ((c = strchr(uts.release, '(')) != NULL) {
-				sscanf(c + 1, "%d.%d", &api_major_version,
-				    &api_minor_version);
-			}
-			if (major_high > 1 ||
-			    (major_high == 1 && (major_low > 3 ||
-			    (major_low == 3 && minor >= 2))))
-				has_create_token = 1;
-			if (api_major_version > 0 || api_minor_version >= 56)
-				has_ntsec_by_default = 1;
-			if (major_high > 1 ||
-			    (major_high == 1 && major_low >= 5))
-				has_create_token_wo_ntsec = 1;
-			inited = 1;
-		}
-	}
-	switch (what) {
-	case HAS_CREATE_TOKEN:
-		return (has_create_token);
-	case HAS_NTSEC_BY_DEFAULT:
-		return (has_ntsec_by_default);
-	case HAS_CREATE_TOKEN_WO_NTSEC:
-		return (has_create_token_wo_ntsec);
-	}
-	return (0);
-}
-
-int
-check_nt_auth(int pwd_authenticated, struct passwd *pw)
-{
-	/*
-	* The only authentication which is able to change the user
-	* context on NT systems is the password authentication. So
-	* we deny all requsts for changing the user context if another
-	* authentication method is used.
-	*
-	* This doesn't apply to Cygwin versions >= 1.3.2 anymore which
-	* uses the undocumented NtCreateToken() call to create a user
-	* token if the process has the appropriate privileges and if
-	* CYGWIN ntsec setting is on.
-	*/
-	static int has_create_token = -1;
-
-	if (pw == NULL)
-		return 0;
-	if (is_winnt) {
-		if (has_create_token < 0) {
-			char *cygwin = getenv("CYGWIN");
-
-			has_create_token = 0;
-			if (has_capability(HAS_CREATE_TOKEN) &&
-			    (ntsec_on(cygwin) ||
-			    (has_capability(HAS_NTSEC_BY_DEFAULT) &&
-			     !ntsec_off(cygwin)) ||
-			     has_capability(HAS_CREATE_TOKEN_WO_NTSEC)))
-				has_create_token = 1;
-		}
-		if (has_create_token < 1 &&
-		    !pwd_authenticated && geteuid() != pw->pw_uid)
-			return (0);
-	}
-	return (1);
-}
-
-int
-check_ntsec(const char *filename)
-{
-	char *cygwin;
-	int allow_ntea = 0, allow_ntsec = 0;
-	struct statfs fsstat;
-
-	/* Windows 95/98/ME don't support file system security at all. */
-	if (!is_winnt)
-		return (0);
-
-	/* Evaluate current CYGWIN settings. */
-	cygwin = getenv("CYGWIN");
-	allow_ntea = ntea_on(cygwin);
-	allow_ntsec = ntsec_on(cygwin) ||
-	    (has_capability(HAS_NTSEC_BY_DEFAULT) && !ntsec_off(cygwin));
-
-	/*
-	 * `ntea' is an emulation of POSIX attributes. It doesn't support
-	 * real file level security as ntsec on NTFS file systems does
-	 * but it supports FAT filesystems. `ntea' is minimum requirement
-	 * for security checks.
-	 */
-	if (allow_ntea)
-		return (1);
-
-	/*
-	 * Retrieve file system flags. In Cygwin, file system flags are
-	 * copied to f_type which has no meaning in Win32 itself.
-	 */
-	if (statfs(filename, &fsstat))
-		return (1);
-
-	/*
-	 * Only file systems supporting ACLs are able to set permissions.
-	 * `ntsec' is the setting in Cygwin which switches using of NTFS
-	 * ACLs to support POSIX permissions on files.
-	 */
-	if (fsstat.f_type & FS_PERSISTENT_ACLS)
-		return (allow_ntsec);
-
-	return (0);
-}
-
-void
-register_9x_service(void)
-{
-        HINSTANCE kerneldll;
-        DWORD (*RegisterServiceProcess)(DWORD, DWORD);
-
-	/* The service register mechanism in 9x/Me is pretty different from
-	 * NT/2K/XP.  In NT/2K/XP we're using a special service starter
-	 * application to register and control sshd as service.  This method
-	 * doesn't play nicely with 9x/Me.  For that reason we register here
-	 * as service when running under 9x/Me.  This function is only called
-	 * by the child sshd when it's going to daemonize.
-	 */
-	if (is_winnt)
-		return;
-	if (!(kerneldll = LoadLibrary("KERNEL32.DLL")))
-		return;
-	if (!(RegisterServiceProcess = (DWORD (*)(DWORD, DWORD))
-		GetProcAddress(kerneldll, "RegisterServiceProcess")))
-		return;
-	RegisterServiceProcess(0, 1);
-}
-
-#define NL(x) x, (sizeof (x) - 1)
-#define WENV_SIZ (sizeof (wenv_arr) / sizeof (wenv_arr[0]))
-
-static struct wenv {
-	const char *name;
-	size_t namelen;
-} wenv_arr[] = {
-	{ NL("ALLUSERSPROFILE=") },
-	{ NL("COMMONPROGRAMFILES=") },
-	{ NL("COMPUTERNAME=") },
-	{ NL("COMSPEC=") },
-	{ NL("CYGWIN=") },
-	{ NL("NUMBER_OF_PROCESSORS=") },
-	{ NL("OS=") },
-	{ NL("PATH=") },
-	{ NL("PATHEXT=") },
-	{ NL("PROCESSOR_ARCHITECTURE=") },
-	{ NL("PROCESSOR_IDENTIFIER=") },
-	{ NL("PROCESSOR_LEVEL=") },
-	{ NL("PROCESSOR_REVISION=") },
-	{ NL("PROGRAMFILES=") },
-	{ NL("SYSTEMDRIVE=") },
-	{ NL("SYSTEMROOT=") },
-	{ NL("TMP=") },
-	{ NL("TEMP=") },
-	{ NL("WINDIR=") }
-};
-
-char **
-fetch_windows_environment(void)
-{
-	char **e, **p;
-	unsigned int i, idx = 0;
-
-	p = xcalloc(WENV_SIZ + 1, sizeof(char *));
-	for (e = environ; *e != NULL; ++e) {
-		for (i = 0; i < WENV_SIZ; ++i) {
-			if (!strncmp(*e, wenv_arr[i].name, wenv_arr[i].namelen))
-				p[idx++] = *e;
-		}
-	}
-	p[idx] = NULL;
-	return p;
-}
-
-void
-free_windows_environment(char **p)
-{
-	xfree(p);
-}
-
-#endif /* HAVE_CYGWIN */
diff --git a/crypto/openssh/openbsd-compat/bsd-cygwin_util.h b/crypto/openssh/openbsd-compat/bsd-cygwin_util.h
deleted file mode 100644
index 6719b8a..0000000
--- a/crypto/openssh/openbsd-compat/bsd-cygwin_util.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/* $Id: bsd-cygwin_util.h,v 1.11 2004/08/30 10:42:08 dtucker Exp $ */
-
-/*
- * Copyright (c) 2000, 2001, Corinna Vinschen <vinschen@cygnus.com>
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- * Created: Sat Sep 02 12:17:00 2000 cv
- *
- * This file contains functions for forcing opened file descriptors to
- * binary mode on Windows systems.
- */
-
-#ifndef _BSD_CYGWIN_UTIL_H
-#define _BSD_CYGWIN_UTIL_H
-
-#ifdef HAVE_CYGWIN
-
-#undef ERROR
-#define is_winnt       (GetVersion() < 0x80000000)
-
-#include <windows.h>
-#include <sys/cygwin.h>
-#include <io.h>
-
-int binary_open(const char *, int , ...);
-int binary_pipe(int fd[2]);
-int check_nt_auth(int, struct passwd *);
-int check_ntsec(const char *);
-void register_9x_service(void);
-char **fetch_windows_environment(void);
-void free_windows_environment(char **);
-
-#define open binary_open
-#define pipe binary_pipe
-
-#endif /* HAVE_CYGWIN */
-
-#endif /* _BSD_CYGWIN_UTIL_H */
diff --git a/crypto/openssh/openbsd-compat/bsd-getpeereid.c b/crypto/openssh/openbsd-compat/bsd-getpeereid.c
deleted file mode 100644
index bdae8b6..0000000
--- a/crypto/openssh/openbsd-compat/bsd-getpeereid.c
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (c) 2002,2004 Damien Miller <djm@mindrot.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "includes.h"
-
-#if !defined(HAVE_GETPEEREID)
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <unistd.h>
-
-#if defined(SO_PEERCRED)
-int
-getpeereid(int s, uid_t *euid, gid_t *gid)
-{
-	struct ucred cred;
-	socklen_t len = sizeof(cred);
-
-	if (getsockopt(s, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0)
-		return (-1);
-	*euid = cred.uid;
-	*gid = cred.gid;
-
-	return (0);
-}
-#else
-int
-getpeereid(int s, uid_t *euid, gid_t *gid)
-{
-	*euid = geteuid();
-	*gid = getgid();
-
-	return (0);
-}
-#endif /* defined(SO_PEERCRED) */
-
-#endif /* !defined(HAVE_GETPEEREID) */
diff --git a/crypto/openssh/openbsd-compat/bsd-misc.c b/crypto/openssh/openbsd-compat/bsd-misc.c
deleted file mode 100644
index 17d731b..0000000
--- a/crypto/openssh/openbsd-compat/bsd-misc.c
+++ /dev/null
@@ -1,239 +0,0 @@
-
-/*
- * Copyright (c) 1999-2004 Damien Miller <djm@mindrot.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "includes.h"
-
-#ifdef HAVE_SYS_SELECT_H
-# include <sys/select.h>
-#endif
-#ifdef HAVE_SYS_TIME_H
-# include <sys/time.h>
-#endif
-
-#include <string.h>
-#include <signal.h>
-#include <stdlib.h>
-
-#include "xmalloc.h"
-
-#ifndef HAVE___PROGNAME
-char *__progname;
-#endif
-
-/*
- * NB. duplicate __progname in case it is an alias for argv[0]
- * Otherwise it may get clobbered by setproctitle()
- */
-char *ssh_get_progname(char *argv0)
-{
-#ifdef HAVE___PROGNAME
-	extern char *__progname;
-
-	return xstrdup(__progname);
-#else
-	char *p;
-
-	if (argv0 == NULL)
-		return ("unknown");	/* XXX */
-	p = strrchr(argv0, '/');
-	if (p == NULL)
-		p = argv0;
-	else
-		p++;
-
-	return (xstrdup(p));
-#endif
-}
-
-#ifndef HAVE_SETLOGIN
-int setlogin(const char *name)
-{
-	return (0);
-}
-#endif /* !HAVE_SETLOGIN */
-
-#ifndef HAVE_INNETGR
-int innetgr(const char *netgroup, const char *host, 
-            const char *user, const char *domain)
-{
-	return (0);
-}
-#endif /* HAVE_INNETGR */
-
-#if !defined(HAVE_SETEUID) && defined(HAVE_SETREUID)
-int seteuid(uid_t euid)
-{
-	return (setreuid(-1, euid));
-}
-#endif /* !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) */
-
-#if !defined(HAVE_SETEGID) && defined(HAVE_SETRESGID)
-int setegid(uid_t egid)
-{
-	return(setresgid(-1, egid, -1));
-}
-#endif /* !defined(HAVE_SETEGID) && defined(HAVE_SETRESGID) */
-
-#if !defined(HAVE_STRERROR) && defined(HAVE_SYS_ERRLIST) && defined(HAVE_SYS_NERR)
-const char *strerror(int e)
-{
-	extern int sys_nerr;
-	extern char *sys_errlist[];
-	
-	if ((e >= 0) && (e < sys_nerr))
-		return (sys_errlist[e]);
-
-	return ("unlisted error");
-}
-#endif
-
-#ifndef HAVE_UTIMES
-int utimes(char *filename, struct timeval *tvp)
-{
-	struct utimbuf ub;
-
-	ub.actime = tvp[0].tv_sec;
-	ub.modtime = tvp[1].tv_sec;
-	
-	return (utime(filename, &ub));
-}
-#endif 
-
-#ifndef HAVE_TRUNCATE
-int truncate(const char *path, off_t length)
-{
-	int fd, ret, saverrno;
-
-	fd = open(path, O_WRONLY);
-	if (fd < 0)
-		return (-1);
-
-	ret = ftruncate(fd, length);
-	saverrno = errno;
-	close(fd);
-	if (ret == -1)
-		errno = saverrno;
-
-	return(ret);
-}
-#endif /* HAVE_TRUNCATE */
-
-#if !defined(HAVE_NANOSLEEP) && !defined(HAVE_NSLEEP)
-int nanosleep(const struct timespec *req, struct timespec *rem)
-{
-	int rc, saverrno;
-	extern int errno;
-	struct timeval tstart, tstop, tremain, time2wait;
-
-	TIMESPEC_TO_TIMEVAL(&time2wait, req)
-	(void) gettimeofday(&tstart, NULL);
-	rc = select(0, NULL, NULL, NULL, &time2wait);
-	if (rc == -1) {
-		saverrno = errno;
-		(void) gettimeofday (&tstop, NULL);
-		errno = saverrno;
-		tremain.tv_sec = time2wait.tv_sec - 
-			(tstop.tv_sec - tstart.tv_sec);
-		tremain.tv_usec = time2wait.tv_usec - 
-			(tstop.tv_usec - tstart.tv_usec);
-		tremain.tv_sec += tremain.tv_usec / 1000000L;
-		tremain.tv_usec %= 1000000L;
-	} else {
-		tremain.tv_sec = 0;
-		tremain.tv_usec = 0;
-	}
-	TIMEVAL_TO_TIMESPEC(&tremain, rem)
-
-	return(rc);
-}
-#endif
-
-#ifndef HAVE_TCGETPGRP
-pid_t
-tcgetpgrp(int fd)
-{
-	int ctty_pgrp;
-
-	if (ioctl(fd, TIOCGPGRP, &ctty_pgrp) == -1)
-		return(-1);
-	else
-		return(ctty_pgrp);
-}
-#endif /* HAVE_TCGETPGRP */
-
-#ifndef HAVE_TCSENDBREAK
-int
-tcsendbreak(int fd, int duration)
-{
-# if defined(TIOCSBRK) && defined(TIOCCBRK)
-	struct timeval sleepytime;
-
-	sleepytime.tv_sec = 0;
-	sleepytime.tv_usec = 400000;
-	if (ioctl(fd, TIOCSBRK, 0) == -1)
-		return (-1);
-	(void)select(0, 0, 0, 0, &sleepytime);
-	if (ioctl(fd, TIOCCBRK, 0) == -1)
-		return (-1);
-	return (0);
-# else
-	return -1;
-# endif
-}
-#endif /* HAVE_TCSENDBREAK */
-
-mysig_t
-mysignal(int sig, mysig_t act)
-{
-#ifdef HAVE_SIGACTION
-	struct sigaction sa, osa;
-
-	if (sigaction(sig, NULL, &osa) == -1)
-		return (mysig_t) -1;
-	if (osa.sa_handler != act) {
-		memset(&sa, 0, sizeof(sa));
-		sigemptyset(&sa.sa_mask);
-		sa.sa_flags = 0;
-#ifdef SA_INTERRUPT
-		if (sig == SIGALRM)
-			sa.sa_flags |= SA_INTERRUPT;
-#endif
-		sa.sa_handler = act;
-		if (sigaction(sig, &sa, NULL) == -1)
-			return (mysig_t) -1;
-	}
-	return (osa.sa_handler);
-#else
-	#undef signal
-	return (signal(sig, act));
-#endif
-}
-
-#ifndef HAVE_STRDUP
-char *
-strdup(const char *str)
-{
-	size_t len;
-	char *cp;
-
-	len = strlen(str) + 1;
-	cp = malloc(len);
-	if (cp != NULL)
-		return(memcpy(cp, str, len));
-	return NULL;
-}
-#endif
diff --git a/crypto/openssh/openbsd-compat/bsd-misc.h b/crypto/openssh/openbsd-compat/bsd-misc.h
deleted file mode 100644
index b61ec42..0000000
--- a/crypto/openssh/openbsd-compat/bsd-misc.h
+++ /dev/null
@@ -1,98 +0,0 @@
-/* $Id: bsd-misc.h,v 1.18 2005/02/25 23:07:38 dtucker Exp $ */
-
-/*
- * Copyright (c) 1999-2004 Damien Miller <djm@mindrot.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef _BSD_MISC_H
-#define _BSD_MISC_H
-
-#include "includes.h"
-
-char *ssh_get_progname(char *);
-
-#ifndef HAVE_SETSID
-#define setsid() setpgrp(0, getpid())
-#endif /* !HAVE_SETSID */
-
-#ifndef HAVE_SETENV
-int setenv(const char *, const char *, int);
-#endif /* !HAVE_SETENV */
-
-#ifndef HAVE_SETLOGIN
-int setlogin(const char *);
-#endif /* !HAVE_SETLOGIN */
-
-#ifndef HAVE_INNETGR
-int innetgr(const char *, const char *, const char *, const char *);
-#endif /* HAVE_INNETGR */
-
-#if !defined(HAVE_SETEUID) && defined(HAVE_SETREUID)
-int seteuid(uid_t);
-#endif /* !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) */
-
-#if !defined(HAVE_SETEGID) && defined(HAVE_SETRESGID)
-int setegid(uid_t);
-#endif /* !defined(HAVE_SETEGID) && defined(HAVE_SETRESGID) */
-
-#if !defined(HAVE_STRERROR) && defined(HAVE_SYS_ERRLIST) && defined(HAVE_SYS_NERR)
-const char *strerror(int);
-#endif 
-
-
-#ifndef HAVE_UTIMES
-#ifndef HAVE_STRUCT_TIMEVAL
-struct timeval {
-	long tv_sec;
-	long tv_usec;
-}
-#endif /* HAVE_STRUCT_TIMEVAL */
-
-int utimes(char *, struct timeval *);
-#endif /* HAVE_UTIMES */
-
-#ifndef HAVE_TRUNCATE
-int truncate (const char *, off_t);
-#endif /* HAVE_TRUNCATE */
-
-#if !defined(HAVE_NANOSLEEP) && !defined(HAVE_NSLEEP)
-#ifndef HAVE_STRUCT_TIMESPEC
-struct timespec {
-	time_t	tv_sec;
-	long	tv_nsec;
-};
-#endif
-int nanosleep(const struct timespec *, struct timespec *);
-#endif
-
-#ifndef HAVE_TCGETPGRP
-pid_t tcgetpgrp(int);
-#endif
-
-#ifndef HAVE_TCSENDBREAK
-int tcsendbreak(int, int);
-#endif
-
-#ifndef HAVE_UNSETENV
-void unsetenv(const char *);
-#endif
-
-/* wrapper for signal interface */
-typedef void (*mysig_t)(int);
-mysig_t mysignal(int sig, mysig_t act);
-
-#define signal(a,b) mysignal(a,b)
-
-#endif /* _BSD_MISC_H */
diff --git a/crypto/openssh/openbsd-compat/bsd-nextstep.c b/crypto/openssh/openbsd-compat/bsd-nextstep.c
deleted file mode 100644
index 8195af8..0000000
--- a/crypto/openssh/openbsd-compat/bsd-nextstep.c
+++ /dev/null
@@ -1,103 +0,0 @@
-/*
- * Copyright (c) 2000,2001 Ben Lindstrom.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#ifdef HAVE_NEXT
-#include <errno.h>
-#include <sys/wait.h>
-#include "bsd-nextstep.h"
-
-pid_t 
-posix_wait(int *status)
-{
-	union wait statusp;
-	pid_t wait_pid;
-
-	#undef wait			/* Use NeXT's wait() function */
-	wait_pid = wait(&statusp);
-	if (status)
-		*status = (int) statusp.w_status;
-
-	return (wait_pid);
-}
-
-int
-tcgetattr(int fd, struct termios *t)
-{
-	return (ioctl(fd, TIOCGETA, t));
-}
-
-int
-tcsetattr(int fd, int opt, const struct termios *t)
-{
-	struct termios localterm;
-
-	if (opt & TCSASOFT) {
-		localterm = *t;
-		localterm.c_cflag |= CIGNORE;
-		t = &localterm;
-	}
-	switch (opt & ~TCSASOFT) {
-	case TCSANOW:
-		return (ioctl(fd, TIOCSETA, t));
-	case TCSADRAIN:
-		return (ioctl(fd, TIOCSETAW, t));
-	case TCSAFLUSH:
-		return (ioctl(fd, TIOCSETAF, t));
-	default:
-		errno = EINVAL;
-		return (-1);
-	}
-}
-
-int tcsetpgrp(int fd, pid_t pgrp)
-{
-	return (ioctl(fd, TIOCSPGRP, &pgrp));
-}
-
-speed_t cfgetospeed(const struct termios *t)
-{
-	return (t->c_ospeed);
-}
-
-speed_t cfgetispeed(const struct termios *t)
-{
-	return (t->c_ispeed);
-}
-
-int
-cfsetospeed(struct termios *t,int speed)
-{
-	t->c_ospeed = speed;
-	return (0);
-}
-
-int
-cfsetispeed(struct termios *t, int speed)
-{
-	t->c_ispeed = speed;
-	return (0);
-}
-#endif /* HAVE_NEXT */
diff --git a/crypto/openssh/openbsd-compat/bsd-nextstep.h b/crypto/openssh/openbsd-compat/bsd-nextstep.h
deleted file mode 100644
index ca5b4b5..0000000
--- a/crypto/openssh/openbsd-compat/bsd-nextstep.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/* $Id: bsd-nextstep.h,v 1.9 2003/08/29 16:59:52 mouring Exp $ */
-
-/*
- * Copyright (c) 2000,2001 Ben Lindstrom.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-#ifndef _NEXT_POSIX_H
-#define _NEXT_POSIX_H
-
-#ifdef HAVE_NEXT
-#include <sys/dir.h>
-
-/* NGROUPS_MAX is behind -lposix.  Use the BSD version which is NGROUPS */
-#undef NGROUPS_MAX
-#define NGROUPS_MAX NGROUPS
-
-/* NeXT's readdir() is BSD (struct direct) not POSIX (struct dirent) */
-#define dirent direct
-
-/* Swap out NeXT's BSD wait() for a more POSIX complient one */
-pid_t posix_wait(int *);
-#define wait(a) posix_wait(a)
-
-/* #ifdef wrapped functions that need defining for clean compiling */
-pid_t getppid(void);
-void vhangup(void);
-int innetgr(const char *, const char *, const char *, const char *);
-
-/* TERMCAP */
-int tcgetattr(int, struct termios *);
-int tcsetattr(int, int, const struct termios *);
-int tcsetpgrp(int, pid_t);
-speed_t cfgetospeed(const struct termios *);
-speed_t cfgetispeed(const struct termios *);
-int cfsetospeed(struct termios *, int);
-int cfsetispeed(struct termios *, int);
-#endif /* HAVE_NEXT */
-#endif /* _NEXT_POSIX_H */
diff --git a/crypto/openssh/openbsd-compat/bsd-openpty.c b/crypto/openssh/openbsd-compat/bsd-openpty.c
deleted file mode 100644
index 9777eb5..0000000
--- a/crypto/openssh/openbsd-compat/bsd-openpty.c
+++ /dev/null
@@ -1,220 +0,0 @@
-/*
- * Please note: this implementation of openpty() is far from complete.
- * it is just enough for portable OpenSSH's needs.
- */
-
-/*
- * Copyright (c) 2004 Damien Miller <djm@mindrot.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Allocating a pseudo-terminal, and making it the controlling tty.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include "includes.h"
-#if !defined(HAVE_OPENPTY)
-
-#include <sys/types.h>
-
-#include <stdlib.h>
-
-#ifdef HAVE_SYS_STAT_H
-# include <sys/stat.h>
-#endif
-#ifdef HAVE_SYS_IOCTL_H
-# include <sys/ioctl.h>
-#endif
-
-#ifdef HAVE_FCNTL_H
-# include <fcntl.h>
-#endif
-
-#ifdef HAVE_UTIL_H
-# include <util.h>
-#endif /* HAVE_UTIL_H */
-
-#ifdef HAVE_PTY_H
-# include <pty.h>
-#endif
-#if defined(HAVE_DEV_PTMX) && defined(HAVE_SYS_STROPTS_H)
-# include <sys/stropts.h>
-#endif
-
-#include <signal.h>
-#include <string.h>
-#include <unistd.h>
-
-#ifndef O_NOCTTY
-#define O_NOCTTY 0
-#endif
-
-int
-openpty(int *amaster, int *aslave, char *name, struct termios *termp,
-   struct winsize *winp)
-{
-#if defined(HAVE__GETPTY)
-	/*
-	 * _getpty(3) exists in SGI Irix 4.x, 5.x & 6.x -- it generates more
-	 * pty's automagically when needed
-	 */
-	char *slave;
-
-	if ((slave = _getpty(amaster, O_RDWR, 0622, 0)) == NULL)
-		return (-1);
-
-	/* Open the slave side. */
-	if ((*aslave = open(slave, O_RDWR | O_NOCTTY)) == -1) {
-		close(*amaster);
-		return (-1);
-	}
-	return (0);
-
-#elif defined(HAVE_DEV_PTMX)
-	/*
-	 * This code is used e.g. on Solaris 2.x.  (Note that Solaris 2.3
-	 * also has bsd-style ptys, but they simply do not work.)
-	 */
-	int ptm;
-	char *pts;
-	mysig_t old_signal;
-
-	if ((ptm = open("/dev/ptmx", O_RDWR | O_NOCTTY)) == -1)
-		return (-1);
-
-	/* XXX: need to close ptm on error? */
-	old_signal = signal(SIGCHLD, SIG_DFL);
-	if (grantpt(ptm) < 0)
-		return (-1);
-	signal(SIGCHLD, old_signal);
-
-	if (unlockpt(ptm) < 0)
-		return (-1);
-
-	if ((pts = ptsname(ptm)) == NULL)
-		return (-1);
-	*amaster = ptm;
-
-	/* Open the slave side. */
-	if ((*aslave = open(pts, O_RDWR | O_NOCTTY)) == -1) {
-		close(*amaster);
-		return (-1);
-	}
-
-	/*
-	 * Try to push the appropriate streams modules, as described 
-	 * in Solaris pts(7).
-	 */
-	ioctl(*aslave, I_PUSH, "ptem");
-	ioctl(*aslave, I_PUSH, "ldterm");
-# ifndef __hpux
-	ioctl(*aslave, I_PUSH, "ttcompat");
-# endif /* __hpux */
-
-	return (0);
-
-#elif defined(HAVE_DEV_PTS_AND_PTC)
-	/* AIX-style pty code. */
-	const char *ttname;
-
-	if ((*amaster = open("/dev/ptc", O_RDWR | O_NOCTTY)) == -1)
-		return (-1);
-	if ((ttname = ttyname(*amaster)) == NULL)
-		return (-1);
-	if ((*aslave = open(ttname, O_RDWR | O_NOCTTY)) == -1) {
-		close(*amaster);
-		return (-1);
-	}
-	return (0);
-
-#elif defined(_UNICOS)
-	char ptbuf[64], ttbuf[64];
-	int i;
-	int highpty;
-
-	highpty = 128;
-#ifdef _SC_CRAY_NPTY
-	if ((highpty = sysconf(_SC_CRAY_NPTY)) == -1)
-		highpty = 128;
-#endif /* _SC_CRAY_NPTY */
-
-	for (i = 0; i < highpty; i++) {
-		snprintf(ptbuf, sizeof(ptbuf), "/dev/pty/%03d", i);
-		snprintf(ttbuf, sizeof(ttbuf), "/dev/ttyp%03d", i);
-		if ((*amaster = open(ptbuf, O_RDWR|O_NOCTTY)) == -1)
-			continue;
-		/* Open the slave side. */
-		if ((*aslave = open(ttbuf, O_RDWR|O_NOCTTY)) == -1) {
-			close(*amaster);
-			return (-1);
-		}
-		return (0);
-	}
-	return (-1);
-
-#else
-	/* BSD-style pty code. */
-	char ptbuf[64], ttbuf[64];
-	int i;
-	const char *ptymajors = "pqrstuvwxyzabcdefghijklmno"
-	    "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
-	const char *ptyminors = "0123456789abcdef";
-	int num_minors = strlen(ptyminors);
-	int num_ptys = strlen(ptymajors) * num_minors;
-	struct termios tio;
-
-	for (i = 0; i < num_ptys; i++) {
-		snprintf(ptbuf, sizeof(ptbuf), "/dev/pty%c%c", 
-		    ptymajors[i / num_minors], ptyminors[i % num_minors]);
-		snprintf(ttbuf, sizeof(ttbuf), "/dev/tty%c%c",
-		    ptymajors[i / num_minors], ptyminors[i % num_minors]);
-
-		if ((*amaster = open(ptbuf, O_RDWR | O_NOCTTY)) == -1) {
-			/* Try SCO style naming */
-			snprintf(ptbuf, sizeof(ptbuf), "/dev/ptyp%d", i);
-			snprintf(ttbuf, sizeof(ttbuf), "/dev/ttyp%d", i);
-			if ((*amaster = open(ptbuf, O_RDWR | O_NOCTTY)) == -1)
-				continue;
-		}
-
-		/* Open the slave side. */
-		if ((*aslave = open(ttbuf, O_RDWR | O_NOCTTY)) == -1) {
-			close(*amaster);
-			return (-1);
-		}
-		/* set tty modes to a sane state for broken clients */
-		if (tcgetattr(*amaster, &tio) != -1) {
-			tio.c_lflag |= (ECHO | ISIG | ICANON);
-			tio.c_oflag |= (OPOST | ONLCR);
-			tio.c_iflag |= ICRNL;
-			tcsetattr(*amaster, TCSANOW, &tio);
-		}
-
-		return (0);
-	}
-	return (-1);
-#endif
-}
-
-#endif /* !defined(HAVE_OPENPTY) */
-
diff --git a/crypto/openssh/openbsd-compat/bsd-snprintf.c b/crypto/openssh/openbsd-compat/bsd-snprintf.c
deleted file mode 100644
index 04651e1..0000000
--- a/crypto/openssh/openbsd-compat/bsd-snprintf.c
+++ /dev/null
@@ -1,805 +0,0 @@
-/*
- * Copyright Patrick Powell 1995
- * This code is based on code written by Patrick Powell (papowell@astart.com)
- * It may be used for any purpose as long as this notice remains intact
- * on all source code distributions
- */
-
-/**************************************************************
- * Original:
- * Patrick Powell Tue Apr 11 09:48:21 PDT 1995
- * A bombproof version of doprnt (dopr) included.
- * Sigh.  This sort of thing is always nasty do deal with.  Note that
- * the version here does not include floating point...
- *
- * snprintf() is used instead of sprintf() as it does limit checks
- * for string length.  This covers a nasty loophole.
- *
- * The other functions are there to prevent NULL pointers from
- * causing nast effects.
- *
- * More Recently:
- *  Brandon Long <blong@fiction.net> 9/15/96 for mutt 0.43
- *  This was ugly.  It is still ugly.  I opted out of floating point
- *  numbers, but the formatter understands just about everything
- *  from the normal C string format, at least as far as I can tell from
- *  the Solaris 2.5 printf(3S) man page.
- *
- *  Brandon Long <blong@fiction.net> 10/22/97 for mutt 0.87.1
- *    Ok, added some minimal floating point support, which means this
- *    probably requires libm on most operating systems.  Don't yet
- *    support the exponent (e,E) and sigfig (g,G).  Also, fmtint()
- *    was pretty badly broken, it just wasn't being exercised in ways
- *    which showed it, so that's been fixed.  Also, formated the code
- *    to mutt conventions, and removed dead code left over from the
- *    original.  Also, there is now a builtin-test, just compile with:
- *           gcc -DTEST_SNPRINTF -o snprintf snprintf.c -lm
- *    and run snprintf for results.
- * 
- *  Thomas Roessler <roessler@guug.de> 01/27/98 for mutt 0.89i
- *    The PGP code was using unsigned hexadecimal formats. 
- *    Unfortunately, unsigned formats simply didn't work.
- *
- *  Michael Elkins <me@cs.hmc.edu> 03/05/98 for mutt 0.90.8
- *    The original code assumed that both snprintf() and vsnprintf() were
- *    missing.  Some systems only have snprintf() but not vsnprintf(), so
- *    the code is now broken down under HAVE_SNPRINTF and HAVE_VSNPRINTF.
- *
- *  Andrew Tridgell (tridge@samba.org) Oct 1998
- *    fixed handling of %.0f
- *    added test for HAVE_LONG_DOUBLE
- *
- * tridge@samba.org, idra@samba.org, April 2001
- *    got rid of fcvt code (twas buggy and made testing harder)
- *    added C99 semantics
- *
- * date: 2002/12/19 19:56:31;  author: herb;  state: Exp;  lines: +2 -0
- * actually print args for %g and %e
- * 
- * date: 2002/06/03 13:37:52;  author: jmcd;  state: Exp;  lines: +8 -0
- * Since includes.h isn't included here, VA_COPY has to be defined here.  I don't
- * see any include file that is guaranteed to be here, so I'm defining it
- * locally.  Fixes AIX and Solaris builds.
- * 
- * date: 2002/06/03 03:07:24;  author: tridge;  state: Exp;  lines: +5 -13
- * put the ifdef for HAVE_VA_COPY in one place rather than in lots of
- * functions
- * 
- * date: 2002/05/17 14:51:22;  author: jmcd;  state: Exp;  lines: +21 -4
- * Fix usage of va_list passed as an arg.  Use __va_copy before using it
- * when it exists.
- * 
- * date: 2002/04/16 22:38:04;  author: idra;  state: Exp;  lines: +20 -14
- * Fix incorrect zpadlen handling in fmtfp.
- * Thanks to Ollie Oldham <ollie.oldham@metro-optix.com> for spotting it.
- * few mods to make it easier to compile the tests.
- * addedd the "Ollie" test to the floating point ones.
- *
- * Martin Pool (mbp@samba.org) April 2003
- *    Remove NO_CONFIG_H so that the test case can be built within a source
- *    tree with less trouble.
- *    Remove unnecessary SAFE_FREE() definition.
- *
- * Martin Pool (mbp@samba.org) May 2003
- *    Put in a prototype for dummy_snprintf() to quiet compiler warnings.
- *
- *    Move #endif to make sure VA_COPY, LDOUBLE, etc are defined even
- *    if the C library has some snprintf functions already.
- **************************************************************/
-
-#include "includes.h"
-
-#if defined(BROKEN_SNPRINTF)		/* For those with broken snprintf() */
-# undef HAVE_SNPRINTF
-# undef HAVE_VSNPRINTF
-#endif
-
-#ifndef VA_COPY
-# ifdef HAVE_VA_COPY
-#  define VA_COPY(dest, src) va_copy(dest, src)
-# else
-#  ifdef HAVE___VA_COPY
-#   define VA_COPY(dest, src) __va_copy(dest, src)
-#  else
-#   define VA_COPY(dest, src) (dest) = (src)
-#  endif
-# endif
-#endif
-
-#if !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF)
-
-#include <ctype.h>
-#include <stdarg.h>
-#include <stdlib.h>
-#include <string.h>
-
-#ifdef HAVE_LONG_DOUBLE
-# define LDOUBLE long double
-#else
-# define LDOUBLE double
-#endif
-
-#ifdef HAVE_LONG_LONG
-# define LLONG long long
-#else
-# define LLONG long
-#endif
-
-/*
- * dopr(): poor man's version of doprintf
- */
-
-/* format read states */
-#define DP_S_DEFAULT 0
-#define DP_S_FLAGS   1
-#define DP_S_MIN     2
-#define DP_S_DOT     3
-#define DP_S_MAX     4
-#define DP_S_MOD     5
-#define DP_S_CONV    6
-#define DP_S_DONE    7
-
-/* format flags - Bits */
-#define DP_F_MINUS 	(1 << 0)
-#define DP_F_PLUS  	(1 << 1)
-#define DP_F_SPACE 	(1 << 2)
-#define DP_F_NUM   	(1 << 3)
-#define DP_F_ZERO  	(1 << 4)
-#define DP_F_UP    	(1 << 5)
-#define DP_F_UNSIGNED 	(1 << 6)
-
-/* Conversion Flags */
-#define DP_C_SHORT   1
-#define DP_C_LONG    2
-#define DP_C_LDOUBLE 3
-#define DP_C_LLONG   4
-
-#define char_to_int(p) ((p)- '0')
-#ifndef MAX
-# define MAX(p,q) (((p) >= (q)) ? (p) : (q))
-#endif
-
-static size_t dopr(char *buffer, size_t maxlen, const char *format, 
-		   va_list args_in);
-static void fmtstr(char *buffer, size_t *currlen, size_t maxlen,
-		    char *value, int flags, int min, int max);
-static void fmtint(char *buffer, size_t *currlen, size_t maxlen,
-		    LLONG value, int base, int min, int max, int flags);
-static void fmtfp(char *buffer, size_t *currlen, size_t maxlen,
-		   LDOUBLE fvalue, int min, int max, int flags);
-static void dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c);
-
-static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args_in)
-{
-	char ch;
-	LLONG value;
-	LDOUBLE fvalue;
-	char *strvalue;
-	int min;
-	int max;
-	int state;
-	int flags;
-	int cflags;
-	size_t currlen;
-	va_list args;
-
-	VA_COPY(args, args_in);
-	
-	state = DP_S_DEFAULT;
-	currlen = flags = cflags = min = 0;
-	max = -1;
-	ch = *format++;
-	
-	while (state != DP_S_DONE) {
-		if (ch == '\0') 
-			state = DP_S_DONE;
-
-		switch(state) {
-		case DP_S_DEFAULT:
-			if (ch == '%') 
-				state = DP_S_FLAGS;
-			else 
-				dopr_outch (buffer, &currlen, maxlen, ch);
-			ch = *format++;
-			break;
-		case DP_S_FLAGS:
-			switch (ch) {
-			case '-':
-				flags |= DP_F_MINUS;
-				ch = *format++;
-				break;
-			case '+':
-				flags |= DP_F_PLUS;
-				ch = *format++;
-				break;
-			case ' ':
-				flags |= DP_F_SPACE;
-				ch = *format++;
-				break;
-			case '#':
-				flags |= DP_F_NUM;
-				ch = *format++;
-				break;
-			case '0':
-				flags |= DP_F_ZERO;
-				ch = *format++;
-				break;
-			default:
-				state = DP_S_MIN;
-				break;
-			}
-			break;
-		case DP_S_MIN:
-			if (isdigit((unsigned char)ch)) {
-				min = 10*min + char_to_int (ch);
-				ch = *format++;
-			} else if (ch == '*') {
-				min = va_arg (args, int);
-				ch = *format++;
-				state = DP_S_DOT;
-			} else {
-				state = DP_S_DOT;
-			}
-			break;
-		case DP_S_DOT:
-			if (ch == '.') {
-				state = DP_S_MAX;
-				ch = *format++;
-			} else { 
-				state = DP_S_MOD;
-			}
-			break;
-		case DP_S_MAX:
-			if (isdigit((unsigned char)ch)) {
-				if (max < 0)
-					max = 0;
-				max = 10*max + char_to_int (ch);
-				ch = *format++;
-			} else if (ch == '*') {
-				max = va_arg (args, int);
-				ch = *format++;
-				state = DP_S_MOD;
-			} else {
-				state = DP_S_MOD;
-			}
-			break;
-		case DP_S_MOD:
-			switch (ch) {
-			case 'h':
-				cflags = DP_C_SHORT;
-				ch = *format++;
-				break;
-			case 'l':
-				cflags = DP_C_LONG;
-				ch = *format++;
-				if (ch == 'l') {	/* It's a long long */
-					cflags = DP_C_LLONG;
-					ch = *format++;
-				}
-				break;
-			case 'L':
-				cflags = DP_C_LDOUBLE;
-				ch = *format++;
-				break;
-			default:
-				break;
-			}
-			state = DP_S_CONV;
-			break;
-		case DP_S_CONV:
-			switch (ch) {
-			case 'd':
-			case 'i':
-				if (cflags == DP_C_SHORT) 
-					value = va_arg (args, int);
-				else if (cflags == DP_C_LONG)
-					value = va_arg (args, long int);
-				else if (cflags == DP_C_LLONG)
-					value = va_arg (args, LLONG);
-				else
-					value = va_arg (args, int);
-				fmtint (buffer, &currlen, maxlen, value, 10, min, max, flags);
-				break;
-			case 'o':
-				flags |= DP_F_UNSIGNED;
-				if (cflags == DP_C_SHORT)
-					value = va_arg (args, unsigned int);
-				else if (cflags == DP_C_LONG)
-					value = (long)va_arg (args, unsigned long int);
-				else if (cflags == DP_C_LLONG)
-					value = (long)va_arg (args, unsigned LLONG);
-				else
-					value = (long)va_arg (args, unsigned int);
-				fmtint (buffer, &currlen, maxlen, value, 8, min, max, flags);
-				break;
-			case 'u':
-				flags |= DP_F_UNSIGNED;
-				if (cflags == DP_C_SHORT)
-					value = va_arg (args, unsigned int);
-				else if (cflags == DP_C_LONG)
-					value = (long)va_arg (args, unsigned long int);
-				else if (cflags == DP_C_LLONG)
-					value = (LLONG)va_arg (args, unsigned LLONG);
-				else
-					value = (long)va_arg (args, unsigned int);
-				fmtint (buffer, &currlen, maxlen, value, 10, min, max, flags);
-				break;
-			case 'X':
-				flags |= DP_F_UP;
-			case 'x':
-				flags |= DP_F_UNSIGNED;
-				if (cflags == DP_C_SHORT)
-					value = va_arg (args, unsigned int);
-				else if (cflags == DP_C_LONG)
-					value = (long)va_arg (args, unsigned long int);
-				else if (cflags == DP_C_LLONG)
-					value = (LLONG)va_arg (args, unsigned LLONG);
-				else
-					value = (long)va_arg (args, unsigned int);
-				fmtint (buffer, &currlen, maxlen, value, 16, min, max, flags);
-				break;
-			case 'f':
-				if (cflags == DP_C_LDOUBLE)
-					fvalue = va_arg (args, LDOUBLE);
-				else
-					fvalue = va_arg (args, double);
-				/* um, floating point? */
-				fmtfp (buffer, &currlen, maxlen, fvalue, min, max, flags);
-				break;
-			case 'E':
-				flags |= DP_F_UP;
-			case 'e':
-				if (cflags == DP_C_LDOUBLE)
-					fvalue = va_arg (args, LDOUBLE);
-				else
-					fvalue = va_arg (args, double);
-				fmtfp (buffer, &currlen, maxlen, fvalue, min, max, flags);
-				break;
-			case 'G':
-				flags |= DP_F_UP;
-			case 'g':
-				if (cflags == DP_C_LDOUBLE)
-					fvalue = va_arg (args, LDOUBLE);
-				else
-					fvalue = va_arg (args, double);
-				fmtfp (buffer, &currlen, maxlen, fvalue, min, max, flags);
-				break;
-			case 'c':
-				dopr_outch (buffer, &currlen, maxlen, va_arg (args, int));
-				break;
-			case 's':
-				strvalue = va_arg (args, char *);
-				if (!strvalue) strvalue = "(NULL)";
-				if (max == -1) {
-					max = strlen(strvalue);
-				}
-				if (min > 0 && max >= 0 && min > max) max = min;
-				fmtstr (buffer, &currlen, maxlen, strvalue, flags, min, max);
-				break;
-			case 'p':
-				strvalue = va_arg (args, void *);
-				fmtint (buffer, &currlen, maxlen, (long) strvalue, 16, min, max, flags);
-				break;
-			case 'n':
-				if (cflags == DP_C_SHORT) {
-					short int *num;
-					num = va_arg (args, short int *);
-					*num = currlen;
-				} else if (cflags == DP_C_LONG) {
-					long int *num;
-					num = va_arg (args, long int *);
-					*num = (long int)currlen;
-				} else if (cflags == DP_C_LLONG) {
-					LLONG *num;
-					num = va_arg (args, LLONG *);
-					*num = (LLONG)currlen;
-				} else {
-					int *num;
-					num = va_arg (args, int *);
-					*num = currlen;
-				}
-				break;
-			case '%':
-				dopr_outch (buffer, &currlen, maxlen, ch);
-				break;
-			case 'w':
-				/* not supported yet, treat as next char */
-				ch = *format++;
-				break;
-			default:
-				/* Unknown, skip */
-				break;
-			}
-			ch = *format++;
-			state = DP_S_DEFAULT;
-			flags = cflags = min = 0;
-			max = -1;
-			break;
-		case DP_S_DONE:
-			break;
-		default:
-			/* hmm? */
-			break; /* some picky compilers need this */
-		}
-	}
-	if (maxlen != 0) {
-		if (currlen < maxlen - 1) 
-			buffer[currlen] = '\0';
-		else if (maxlen > 0) 
-			buffer[maxlen - 1] = '\0';
-	}
-	
-	return currlen;
-}
-
-static void fmtstr(char *buffer, size_t *currlen, size_t maxlen,
-		    char *value, int flags, int min, int max)
-{
-	int padlen, strln;     /* amount to pad */
-	int cnt = 0;
-
-#ifdef DEBUG_SNPRINTF
-	printf("fmtstr min=%d max=%d s=[%s]\n", min, max, value);
-#endif
-	if (value == 0) {
-		value = "<NULL>";
-	}
-
-	for (strln = 0; strln < max && value[strln]; ++strln); /* strlen */
-	padlen = min - strln;
-	if (padlen < 0) 
-		padlen = 0;
-	if (flags & DP_F_MINUS) 
-		padlen = -padlen; /* Left Justify */
-	
-	while ((padlen > 0) && (cnt < max)) {
-		dopr_outch (buffer, currlen, maxlen, ' ');
-		--padlen;
-		++cnt;
-	}
-	while (*value && (cnt < max)) {
-		dopr_outch (buffer, currlen, maxlen, *value++);
-		++cnt;
-	}
-	while ((padlen < 0) && (cnt < max)) {
-		dopr_outch (buffer, currlen, maxlen, ' ');
-		++padlen;
-		++cnt;
-	}
-}
-
-/* Have to handle DP_F_NUM (ie 0x and 0 alternates) */
-
-static void fmtint(char *buffer, size_t *currlen, size_t maxlen,
-		    LLONG value, int base, int min, int max, int flags)
-{
-	int signvalue = 0;
-	unsigned LLONG uvalue;
-	char convert[20];
-	int place = 0;
-	int spadlen = 0; /* amount to space pad */
-	int zpadlen = 0; /* amount to zero pad */
-	int caps = 0;
-	
-	if (max < 0)
-		max = 0;
-	
-	uvalue = value;
-	
-	if(!(flags & DP_F_UNSIGNED)) {
-		if( value < 0 ) {
-			signvalue = '-';
-			uvalue = -value;
-		} else {
-			if (flags & DP_F_PLUS)  /* Do a sign (+/i) */
-				signvalue = '+';
-			else if (flags & DP_F_SPACE)
-				signvalue = ' ';
-		}
-	}
-  
-	if (flags & DP_F_UP) caps = 1; /* Should characters be upper case? */
-
-	do {
-		convert[place++] =
-			(caps? "0123456789ABCDEF":"0123456789abcdef")
-			[uvalue % (unsigned)base  ];
-		uvalue = (uvalue / (unsigned)base );
-	} while(uvalue && (place < 20));
-	if (place == 20) place--;
-	convert[place] = 0;
-
-	zpadlen = max - place;
-	spadlen = min - MAX (max, place) - (signvalue ? 1 : 0);
-	if (zpadlen < 0) zpadlen = 0;
-	if (spadlen < 0) spadlen = 0;
-	if (flags & DP_F_ZERO) {
-		zpadlen = MAX(zpadlen, spadlen);
-		spadlen = 0;
-	}
-	if (flags & DP_F_MINUS) 
-		spadlen = -spadlen; /* Left Justifty */
-
-#ifdef DEBUG_SNPRINTF
-	printf("zpad: %d, spad: %d, min: %d, max: %d, place: %d\n",
-	       zpadlen, spadlen, min, max, place);
-#endif
-
-	/* Spaces */
-	while (spadlen > 0) {
-		dopr_outch (buffer, currlen, maxlen, ' ');
-		--spadlen;
-	}
-
-	/* Sign */
-	if (signvalue) 
-		dopr_outch (buffer, currlen, maxlen, signvalue);
-
-	/* Zeros */
-	if (zpadlen > 0) {
-		while (zpadlen > 0) {
-			dopr_outch (buffer, currlen, maxlen, '0');
-			--zpadlen;
-		}
-	}
-
-	/* Digits */
-	while (place > 0) 
-		dopr_outch (buffer, currlen, maxlen, convert[--place]);
-  
-	/* Left Justified spaces */
-	while (spadlen < 0) {
-		dopr_outch (buffer, currlen, maxlen, ' ');
-		++spadlen;
-	}
-}
-
-static LDOUBLE abs_val(LDOUBLE value)
-{
-	LDOUBLE result = value;
-
-	if (value < 0)
-		result = -value;
-	
-	return result;
-}
-
-static LDOUBLE POW10(int exp)
-{
-	LDOUBLE result = 1;
-	
-	while (exp) {
-		result *= 10;
-		exp--;
-	}
-  
-	return result;
-}
-
-static LLONG ROUND(LDOUBLE value)
-{
-	LLONG intpart;
-
-	intpart = (LLONG)value;
-	value = value - intpart;
-	if (value >= 0.5) intpart++;
-	
-	return intpart;
-}
-
-/* a replacement for modf that doesn't need the math library. Should
-   be portable, but slow */
-static double my_modf(double x0, double *iptr)
-{
-	int i;
-	long l;
-	double x = x0;
-	double f = 1.0;
-
-	for (i=0;i<100;i++) {
-		l = (long)x;
-		if (l <= (x+1) && l >= (x-1)) break;
-		x *= 0.1;
-		f *= 10.0;
-	}
-
-	if (i == 100) {
-		/* yikes! the number is beyond what we can handle. What do we do? */
-		(*iptr) = 0;
-		return 0;
-	}
-
-	if (i != 0) {
-		double i2;
-		double ret;
-
-		ret = my_modf(x0-l*f, &i2);
-		(*iptr) = l*f + i2;
-		return ret;
-	} 
-
-	(*iptr) = l;
-	return x - (*iptr);
-}
-
-
-static void fmtfp (char *buffer, size_t *currlen, size_t maxlen,
-		   LDOUBLE fvalue, int min, int max, int flags)
-{
-	int signvalue = 0;
-	double ufvalue;
-	char iconvert[311];
-	char fconvert[311];
-	int iplace = 0;
-	int fplace = 0;
-	int padlen = 0; /* amount to pad */
-	int zpadlen = 0; 
-	int caps = 0;
-	int idx;
-	double intpart;
-	double fracpart;
-	double temp;
-  
-	/* 
-	 * AIX manpage says the default is 0, but Solaris says the default
-	 * is 6, and sprintf on AIX defaults to 6
-	 */
-	if (max < 0)
-		max = 6;
-
-	ufvalue = abs_val (fvalue);
-
-	if (fvalue < 0) {
-		signvalue = '-';
-	} else {
-		if (flags & DP_F_PLUS) { /* Do a sign (+/i) */
-			signvalue = '+';
-		} else {
-			if (flags & DP_F_SPACE)
-				signvalue = ' ';
-		}
-	}
-
-#if 0
-	if (flags & DP_F_UP) caps = 1; /* Should characters be upper case? */
-#endif
-
-#if 0
-	 if (max == 0) ufvalue += 0.5; /* if max = 0 we must round */
-#endif
-
-	/* 
-	 * Sorry, we only support 16 digits past the decimal because of our 
-	 * conversion method
-	 */
-	if (max > 16)
-		max = 16;
-
-	/* We "cheat" by converting the fractional part to integer by
-	 * multiplying by a factor of 10
-	 */
-
-	temp = ufvalue;
-	my_modf(temp, &intpart);
-
-	fracpart = ROUND((POW10(max)) * (ufvalue - intpart));
-	
-	if (fracpart >= POW10(max)) {
-		intpart++;
-		fracpart -= POW10(max);
-	}
-
-	/* Convert integer part */
-	do {
-		temp = intpart*0.1;
-		my_modf(temp, &intpart);
-		idx = (int) ((temp -intpart +0.05)* 10.0);
-		/* idx = (int) (((double)(temp*0.1) -intpart +0.05) *10.0); */
-		/* printf ("%llf, %f, %x\n", temp, intpart, idx); */
-		iconvert[iplace++] =
-			(caps? "0123456789ABCDEF":"0123456789abcdef")[idx];
-	} while (intpart && (iplace < 311));
-	if (iplace == 311) iplace--;
-	iconvert[iplace] = 0;
-
-	/* Convert fractional part */
-	if (fracpart)
-	{
-		do {
-			temp = fracpart*0.1;
-			my_modf(temp, &fracpart);
-			idx = (int) ((temp -fracpart +0.05)* 10.0);
-			/* idx = (int) ((((temp/10) -fracpart) +0.05) *10); */
-			/* printf ("%lf, %lf, %ld\n", temp, fracpart, idx ); */
-			fconvert[fplace++] =
-			(caps? "0123456789ABCDEF":"0123456789abcdef")[idx];
-		} while(fracpart && (fplace < 311));
-		if (fplace == 311) fplace--;
-	}
-	fconvert[fplace] = 0;
-  
-	/* -1 for decimal point, another -1 if we are printing a sign */
-	padlen = min - iplace - max - 1 - ((signvalue) ? 1 : 0); 
-	zpadlen = max - fplace;
-	if (zpadlen < 0) zpadlen = 0;
-	if (padlen < 0) 
-		padlen = 0;
-	if (flags & DP_F_MINUS) 
-		padlen = -padlen; /* Left Justifty */
-	
-	if ((flags & DP_F_ZERO) && (padlen > 0)) {
-		if (signvalue) {
-			dopr_outch (buffer, currlen, maxlen, signvalue);
-			--padlen;
-			signvalue = 0;
-		}
-		while (padlen > 0) {
-			dopr_outch (buffer, currlen, maxlen, '0');
-			--padlen;
-		}
-	}
-	while (padlen > 0) {
-		dopr_outch (buffer, currlen, maxlen, ' ');
-		--padlen;
-	}
-	if (signvalue) 
-		dopr_outch (buffer, currlen, maxlen, signvalue);
-	
-	while (iplace > 0) 
-		dopr_outch (buffer, currlen, maxlen, iconvert[--iplace]);
-
-#ifdef DEBUG_SNPRINTF
-	printf("fmtfp: fplace=%d zpadlen=%d\n", fplace, zpadlen);
-#endif
-
-	/*
-	 * Decimal point.  This should probably use locale to find the correct
-	 * char to print out.
-	 */
-	if (max > 0) {
-		dopr_outch (buffer, currlen, maxlen, '.');
-		
-		while (zpadlen > 0) {
-			dopr_outch (buffer, currlen, maxlen, '0');
-			--zpadlen;
-		}
-
-		while (fplace > 0) 
-			dopr_outch (buffer, currlen, maxlen, fconvert[--fplace]);
-	}
-
-	while (padlen < 0) {
-		dopr_outch (buffer, currlen, maxlen, ' ');
-		++padlen;
-	}
-}
-
-static void dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c)
-{
-	if (*currlen < maxlen) {
-		buffer[(*currlen)] = c;
-	}
-	(*currlen)++;
-}
-#endif /* !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF) */
-
-#if !defined(HAVE_VSNPRINTF)
-int vsnprintf (char *str, size_t count, const char *fmt, va_list args)
-{
-	return dopr(str, count, fmt, args);
-}
-#endif
-
-#if !defined(HAVE_SNPRINTF)
-int snprintf(char *str, size_t count, SNPRINTF_CONST char *fmt, ...)
-{
-	size_t ret;
-	va_list ap;
-
-	va_start(ap, fmt);
-	ret = vsnprintf(str, count, fmt, ap);
-	va_end(ap);
-	return ret;
-}
-#endif
-
diff --git a/crypto/openssh/openbsd-compat/bsd-waitpid.c b/crypto/openssh/openbsd-compat/bsd-waitpid.c
deleted file mode 100644
index 40e6ffa..0000000
--- a/crypto/openssh/openbsd-compat/bsd-waitpid.c
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (c) 2000 Ben Lindstrom.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#ifndef HAVE_WAITPID 
-#include <errno.h>
-#include <sys/wait.h>
-#include "bsd-waitpid.h"
-
-pid_t
-waitpid(int pid, int *stat_loc, int options)
-{
-	union wait statusp;
-	pid_t wait_pid;
-
-	if (pid <= 0) {
-		if (pid != -1) {
-			errno = EINVAL;
-			return (-1);
-		}
-		/* wait4() wants pid=0 for indiscriminate wait. */
-		pid = 0;
-	}
-        wait_pid = wait4(pid, &statusp, options, NULL);
-	if (stat_loc)
-        	*stat_loc = (int) statusp.w_status;            
-
-        return (wait_pid);                               
-}
-
-#endif /* !HAVE_WAITPID */
diff --git a/crypto/openssh/openbsd-compat/bsd-waitpid.h b/crypto/openssh/openbsd-compat/bsd-waitpid.h
deleted file mode 100644
index 2d853db..0000000
--- a/crypto/openssh/openbsd-compat/bsd-waitpid.h
+++ /dev/null
@@ -1,51 +0,0 @@
-/* $Id: bsd-waitpid.h,v 1.5 2003/08/29 16:59:52 mouring Exp $ */
-
-/*
- * Copyright (c) 2000 Ben Lindstrom.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-#ifndef _BSD_WAITPID_H
-#define _BSD_WAITPID_H
-
-#ifndef HAVE_WAITPID
-/* Clean out any potental issues */
-#undef WIFEXITED
-#undef WIFSTOPPED
-#undef WIFSIGNALED
-
-/* Define required functions to mimic a POSIX look and feel */
-#define _W_INT(w)	(*(int*)&(w))	/* convert union wait to int */
-#define WIFEXITED(w)	(!((_W_INT(w)) & 0377))
-#define WIFSTOPPED(w)	((_W_INT(w)) & 0100)
-#define WIFSIGNALED(w)	(!WIFEXITED(w) && !WIFSTOPPED(w))
-#define WEXITSTATUS(w)	(int)(WIFEXITED(w) ? ((_W_INT(w) >> 8) & 0377) : -1)
-#define WTERMSIG(w)	(int)(WIFSIGNALED(w) ? (_W_INT(w) & 0177) : -1)
-#define WCOREFLAG	0x80
-#define WCOREDUMP(w) 	((_W_INT(w)) & WCOREFLAG)
-
-/* Prototype */
-pid_t waitpid(int, int *, int);
-
-#endif /* !HAVE_WAITPID */
-#endif /* _BSD_WAITPID_H */
diff --git a/crypto/openssh/openbsd-compat/daemon.c b/crypto/openssh/openbsd-compat/daemon.c
deleted file mode 100644
index e3a6886..0000000
--- a/crypto/openssh/openbsd-compat/daemon.c
+++ /dev/null
@@ -1,92 +0,0 @@
-/*	$OpenBSD: daemon.c,v 1.6 2005/08/08 08:05:33 espie Exp $ */
-/*-
- * Copyright (c) 1990, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* OPENBSD ORIGINAL: lib/libc/gen/daemon.c */
-
-#include "includes.h"
-
-#ifndef HAVE_DAEMON
-
-#include <sys/types.h>
-
-#ifdef HAVE_SYS_STAT_H
-# include <sys/stat.h>
-#endif
-
-#ifdef HAVE_FCNTL_H
-# include <fcntl.h>
-#endif
-
-#ifdef HAVE_UNISTD_H
-# include <unistd.h>
-#endif
-
-int
-daemon(int nochdir, int noclose)
-{
-	int fd;
-
-	switch (fork()) {
-	case -1:
-		return (-1);
-	case 0:
-#ifdef HAVE_CYGWIN
-		register_9x_service();
-#endif
-		break;
-	default:
-#ifdef HAVE_CYGWIN
-		/*
-		 * This sleep avoids a race condition which kills the
-		 * child process if parent is started by a NT/W2K service.
-		 */
-		sleep(1);
-#endif
-		_exit(0);
-	}
-
-	if (setsid() == -1)
-		return (-1);
-
-	if (!nochdir)
-		(void)chdir("/");
-
-	if (!noclose && (fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) {
-		(void)dup2(fd, STDIN_FILENO);
-		(void)dup2(fd, STDOUT_FILENO);
-		(void)dup2(fd, STDERR_FILENO);
-		if (fd > 2)
-			(void)close (fd);
-	}
-	return (0);
-}
-
-#endif /* !HAVE_DAEMON */
-
diff --git a/crypto/openssh/openbsd-compat/dirname.c b/crypto/openssh/openbsd-compat/dirname.c
deleted file mode 100644
index 30fcb49..0000000
--- a/crypto/openssh/openbsd-compat/dirname.c
+++ /dev/null
@@ -1,72 +0,0 @@
-/*	$OpenBSD: dirname.c,v 1.13 2005/08/08 08:05:33 espie Exp $	*/
-
-/*
- * Copyright (c) 1997, 2004 Todd C. Miller <Todd.Miller@courtesan.com>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* OPENBSD ORIGINAL: lib/libc/gen/dirname.c */
-
-#include "includes.h"
-#ifndef HAVE_DIRNAME
-
-#include <errno.h>
-#include <string.h>
-#include <sys/param.h>
-
-char *
-dirname(const char *path)
-{
-	static char dname[MAXPATHLEN];
-	size_t len;
-	const char *endp;
-
-	/* Empty or NULL string gets treated as "." */
-	if (path == NULL || *path == '\0') {
-		dname[0] = '.';
-		dname[1] = '\0';
-		return (dname);
-	}
-
-	/* Strip any trailing slashes */
-	endp = path + strlen(path) - 1;
-	while (endp > path && *endp == '/')
-		endp--;
-
-	/* Find the start of the dir */
-	while (endp > path && *endp != '/')
-		endp--;
-
-	/* Either the dir is "/" or there are no slashes */
-	if (endp == path) {
-		dname[0] = *endp == '/' ? '/' : '.';
-		dname[1] = '\0';
-		return (dname);
-	} else {
-		/* Move forward past the separating slashes */
-		do {
-			endp--;
-		} while (endp > path && *endp == '/');
-	}
-
-	len = endp - path + 1;
-	if (len >= sizeof(dname)) {
-		errno = ENAMETOOLONG;
-		return (NULL);
-	}
-	memcpy(dname, path, len);
-	dname[len] = '\0';
-	return (dname);
-}
-#endif
diff --git a/crypto/openssh/openbsd-compat/fake-queue.h b/crypto/openssh/openbsd-compat/fake-queue.h
deleted file mode 100644
index 176fe31..0000000
--- a/crypto/openssh/openbsd-compat/fake-queue.h
+++ /dev/null
@@ -1,584 +0,0 @@
-/*	$OpenBSD: queue.h,v 1.22 2001/06/23 04:39:35 angelos Exp $	*/
-/*	$NetBSD: queue.h,v 1.11 1996/05/16 05:17:14 mycroft Exp $	*/
-
-/*
- * Copyright (c) 1991, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- *	@(#)queue.h	8.5 (Berkeley) 8/20/94
- */
-
-#ifndef	_FAKE_QUEUE_H_
-#define	_FAKE_QUEUE_H_
-
-/*
- * Ignore all <sys/queue.h> since older platforms have broken/incomplete
- * <sys/queue.h> that are too hard to work around.
- */
-#undef SLIST_HEAD
-#undef SLIST_HEAD_INITIALIZER
-#undef SLIST_ENTRY
-#undef SLIST_FIRST
-#undef SLIST_END
-#undef SLIST_EMPTY
-#undef SLIST_NEXT
-#undef SLIST_FOREACH
-#undef SLIST_INIT
-#undef SLIST_INSERT_AFTER
-#undef SLIST_INSERT_HEAD
-#undef SLIST_REMOVE_HEAD
-#undef SLIST_REMOVE
-#undef LIST_HEAD
-#undef LIST_HEAD_INITIALIZER
-#undef LIST_ENTRY
-#undef LIST_FIRST
-#undef LIST_END
-#undef LIST_EMPTY
-#undef LIST_NEXT
-#undef LIST_FOREACH
-#undef LIST_INIT
-#undef LIST_INSERT_AFTER
-#undef LIST_INSERT_BEFORE
-#undef LIST_INSERT_HEAD
-#undef LIST_REMOVE
-#undef LIST_REPLACE
-#undef SIMPLEQ_HEAD
-#undef SIMPLEQ_HEAD_INITIALIZER
-#undef SIMPLEQ_ENTRY
-#undef SIMPLEQ_FIRST
-#undef SIMPLEQ_END
-#undef SIMPLEQ_EMPTY
-#undef SIMPLEQ_NEXT
-#undef SIMPLEQ_FOREACH
-#undef SIMPLEQ_INIT
-#undef SIMPLEQ_INSERT_HEAD
-#undef SIMPLEQ_INSERT_TAIL
-#undef SIMPLEQ_INSERT_AFTER
-#undef SIMPLEQ_REMOVE_HEAD
-#undef TAILQ_HEAD
-#undef TAILQ_HEAD_INITIALIZER
-#undef TAILQ_ENTRY
-#undef TAILQ_FIRST
-#undef TAILQ_END
-#undef TAILQ_NEXT
-#undef TAILQ_LAST
-#undef TAILQ_PREV
-#undef TAILQ_EMPTY
-#undef TAILQ_FOREACH
-#undef TAILQ_FOREACH_REVERSE
-#undef TAILQ_INIT
-#undef TAILQ_INSERT_HEAD
-#undef TAILQ_INSERT_TAIL
-#undef TAILQ_INSERT_AFTER
-#undef TAILQ_INSERT_BEFORE
-#undef TAILQ_REMOVE
-#undef TAILQ_REPLACE
-#undef CIRCLEQ_HEAD
-#undef CIRCLEQ_HEAD_INITIALIZER
-#undef CIRCLEQ_ENTRY
-#undef CIRCLEQ_FIRST
-#undef CIRCLEQ_LAST
-#undef CIRCLEQ_END
-#undef CIRCLEQ_NEXT
-#undef CIRCLEQ_PREV
-#undef CIRCLEQ_EMPTY
-#undef CIRCLEQ_FOREACH
-#undef CIRCLEQ_FOREACH_REVERSE
-#undef CIRCLEQ_INIT
-#undef CIRCLEQ_INSERT_AFTER
-#undef CIRCLEQ_INSERT_BEFORE
-#undef CIRCLEQ_INSERT_HEAD
-#undef CIRCLEQ_INSERT_TAIL
-#undef CIRCLEQ_REMOVE
-#undef CIRCLEQ_REPLACE
-
-/*
- * This file defines five types of data structures: singly-linked lists, 
- * lists, simple queues, tail queues, and circular queues.
- *
- *
- * A singly-linked list is headed by a single forward pointer. The elements
- * are singly linked for minimum space and pointer manipulation overhead at
- * the expense of O(n) removal for arbitrary elements. New elements can be
- * added to the list after an existing element or at the head of the list.
- * Elements being removed from the head of the list should use the explicit
- * macro for this purpose for optimum efficiency. A singly-linked list may
- * only be traversed in the forward direction.  Singly-linked lists are ideal
- * for applications with large datasets and few or no removals or for
- * implementing a LIFO queue.
- *
- * A list is headed by a single forward pointer (or an array of forward
- * pointers for a hash table header). The elements are doubly linked
- * so that an arbitrary element can be removed without a need to
- * traverse the list. New elements can be added to the list before
- * or after an existing element or at the head of the list. A list
- * may only be traversed in the forward direction.
- *
- * A simple queue is headed by a pair of pointers, one the head of the
- * list and the other to the tail of the list. The elements are singly
- * linked to save space, so elements can only be removed from the
- * head of the list. New elements can be added to the list before or after
- * an existing element, at the head of the list, or at the end of the
- * list. A simple queue may only be traversed in the forward direction.
- *
- * A tail queue is headed by a pair of pointers, one to the head of the
- * list and the other to the tail of the list. The elements are doubly
- * linked so that an arbitrary element can be removed without a need to
- * traverse the list. New elements can be added to the list before or
- * after an existing element, at the head of the list, or at the end of
- * the list. A tail queue may be traversed in either direction.
- *
- * A circle queue is headed by a pair of pointers, one to the head of the
- * list and the other to the tail of the list. The elements are doubly
- * linked so that an arbitrary element can be removed without a need to
- * traverse the list. New elements can be added to the list before or after
- * an existing element, at the head of the list, or at the end of the list.
- * A circle queue may be traversed in either direction, but has a more
- * complex end of list detection.
- *
- * For details on the use of these macros, see the queue(3) manual page.
- */
-
-/*
- * Singly-linked List definitions.
- */
-#define SLIST_HEAD(name, type)						\
-struct name {								\
-	struct type *slh_first;	/* first element */			\
-}
- 
-#define	SLIST_HEAD_INITIALIZER(head)					\
-	{ NULL }
- 
-#define SLIST_ENTRY(type)						\
-struct {								\
-	struct type *sle_next;	/* next element */			\
-}
- 
-/*
- * Singly-linked List access methods.
- */
-#define	SLIST_FIRST(head)	((head)->slh_first)
-#define	SLIST_END(head)		NULL
-#define	SLIST_EMPTY(head)	(SLIST_FIRST(head) == SLIST_END(head))
-#define	SLIST_NEXT(elm, field)	((elm)->field.sle_next)
-
-#define	SLIST_FOREACH(var, head, field)					\
-	for((var) = SLIST_FIRST(head);					\
-	    (var) != SLIST_END(head);					\
-	    (var) = SLIST_NEXT(var, field))
-
-/*
- * Singly-linked List functions.
- */
-#define	SLIST_INIT(head) {						\
-	SLIST_FIRST(head) = SLIST_END(head);				\
-}
-
-#define	SLIST_INSERT_AFTER(slistelm, elm, field) do {			\
-	(elm)->field.sle_next = (slistelm)->field.sle_next;		\
-	(slistelm)->field.sle_next = (elm);				\
-} while (0)
-
-#define	SLIST_INSERT_HEAD(head, elm, field) do {			\
-	(elm)->field.sle_next = (head)->slh_first;			\
-	(head)->slh_first = (elm);					\
-} while (0)
-
-#define	SLIST_REMOVE_HEAD(head, field) do {				\
-	(head)->slh_first = (head)->slh_first->field.sle_next;		\
-} while (0)
-
-#define SLIST_REMOVE(head, elm, type, field) do {			\
-	if ((head)->slh_first == (elm)) {				\
-		SLIST_REMOVE_HEAD((head), field);			\
-	}								\
-	else {								\
-		struct type *curelm = (head)->slh_first;		\
-		while( curelm->field.sle_next != (elm) )		\
-			curelm = curelm->field.sle_next;		\
-		curelm->field.sle_next =				\
-		    curelm->field.sle_next->field.sle_next;		\
-	}								\
-} while (0)
-
-/*
- * List definitions.
- */
-#define LIST_HEAD(name, type)						\
-struct name {								\
-	struct type *lh_first;	/* first element */			\
-}
-
-#define LIST_HEAD_INITIALIZER(head)					\
-	{ NULL }
-
-#define LIST_ENTRY(type)						\
-struct {								\
-	struct type *le_next;	/* next element */			\
-	struct type **le_prev;	/* address of previous next element */	\
-}
-
-/*
- * List access methods
- */
-#define	LIST_FIRST(head)		((head)->lh_first)
-#define	LIST_END(head)			NULL
-#define	LIST_EMPTY(head)		(LIST_FIRST(head) == LIST_END(head))
-#define	LIST_NEXT(elm, field)		((elm)->field.le_next)
-
-#define LIST_FOREACH(var, head, field)					\
-	for((var) = LIST_FIRST(head);					\
-	    (var)!= LIST_END(head);					\
-	    (var) = LIST_NEXT(var, field))
-
-/*
- * List functions.
- */
-#define	LIST_INIT(head) do {						\
-	LIST_FIRST(head) = LIST_END(head);				\
-} while (0)
-
-#define LIST_INSERT_AFTER(listelm, elm, field) do {			\
-	if (((elm)->field.le_next = (listelm)->field.le_next) != NULL)	\
-		(listelm)->field.le_next->field.le_prev =		\
-		    &(elm)->field.le_next;				\
-	(listelm)->field.le_next = (elm);				\
-	(elm)->field.le_prev = &(listelm)->field.le_next;		\
-} while (0)
-
-#define	LIST_INSERT_BEFORE(listelm, elm, field) do {			\
-	(elm)->field.le_prev = (listelm)->field.le_prev;		\
-	(elm)->field.le_next = (listelm);				\
-	*(listelm)->field.le_prev = (elm);				\
-	(listelm)->field.le_prev = &(elm)->field.le_next;		\
-} while (0)
-
-#define LIST_INSERT_HEAD(head, elm, field) do {				\
-	if (((elm)->field.le_next = (head)->lh_first) != NULL)		\
-		(head)->lh_first->field.le_prev = &(elm)->field.le_next;\
-	(head)->lh_first = (elm);					\
-	(elm)->field.le_prev = &(head)->lh_first;			\
-} while (0)
-
-#define LIST_REMOVE(elm, field) do {					\
-	if ((elm)->field.le_next != NULL)				\
-		(elm)->field.le_next->field.le_prev =			\
-		    (elm)->field.le_prev;				\
-	*(elm)->field.le_prev = (elm)->field.le_next;			\
-} while (0)
-
-#define LIST_REPLACE(elm, elm2, field) do {				\
-	if (((elm2)->field.le_next = (elm)->field.le_next) != NULL)	\
-		(elm2)->field.le_next->field.le_prev =			\
-		    &(elm2)->field.le_next;				\
-	(elm2)->field.le_prev = (elm)->field.le_prev;			\
-	*(elm2)->field.le_prev = (elm2);				\
-} while (0)
-
-/*
- * Simple queue definitions.
- */
-#define SIMPLEQ_HEAD(name, type)					\
-struct name {								\
-	struct type *sqh_first;	/* first element */			\
-	struct type **sqh_last;	/* addr of last next element */		\
-}
-
-#define SIMPLEQ_HEAD_INITIALIZER(head)					\
-	{ NULL, &(head).sqh_first }
-
-#define SIMPLEQ_ENTRY(type)						\
-struct {								\
-	struct type *sqe_next;	/* next element */			\
-}
-
-/*
- * Simple queue access methods.
- */
-#define	SIMPLEQ_FIRST(head)	    ((head)->sqh_first)
-#define	SIMPLEQ_END(head)	    NULL
-#define	SIMPLEQ_EMPTY(head)	    (SIMPLEQ_FIRST(head) == SIMPLEQ_END(head))
-#define	SIMPLEQ_NEXT(elm, field)    ((elm)->field.sqe_next)
-
-#define SIMPLEQ_FOREACH(var, head, field)				\
-	for((var) = SIMPLEQ_FIRST(head);				\
-	    (var) != SIMPLEQ_END(head);					\
-	    (var) = SIMPLEQ_NEXT(var, field))
-
-/*
- * Simple queue functions.
- */
-#define	SIMPLEQ_INIT(head) do {						\
-	(head)->sqh_first = NULL;					\
-	(head)->sqh_last = &(head)->sqh_first;				\
-} while (0)
-
-#define SIMPLEQ_INSERT_HEAD(head, elm, field) do {			\
-	if (((elm)->field.sqe_next = (head)->sqh_first) == NULL)	\
-		(head)->sqh_last = &(elm)->field.sqe_next;		\
-	(head)->sqh_first = (elm);					\
-} while (0)
-
-#define SIMPLEQ_INSERT_TAIL(head, elm, field) do {			\
-	(elm)->field.sqe_next = NULL;					\
-	*(head)->sqh_last = (elm);					\
-	(head)->sqh_last = &(elm)->field.sqe_next;			\
-} while (0)
-
-#define SIMPLEQ_INSERT_AFTER(head, listelm, elm, field) do {		\
-	if (((elm)->field.sqe_next = (listelm)->field.sqe_next) == NULL)\
-		(head)->sqh_last = &(elm)->field.sqe_next;		\
-	(listelm)->field.sqe_next = (elm);				\
-} while (0)
-
-#define SIMPLEQ_REMOVE_HEAD(head, elm, field) do {			\
-	if (((head)->sqh_first = (elm)->field.sqe_next) == NULL)	\
-		(head)->sqh_last = &(head)->sqh_first;			\
-} while (0)
-
-/*
- * Tail queue definitions.
- */
-#define TAILQ_HEAD(name, type)						\
-struct name {								\
-	struct type *tqh_first;	/* first element */			\
-	struct type **tqh_last;	/* addr of last next element */		\
-}
-
-#define TAILQ_HEAD_INITIALIZER(head)					\
-	{ NULL, &(head).tqh_first }
-
-#define TAILQ_ENTRY(type)						\
-struct {								\
-	struct type *tqe_next;	/* next element */			\
-	struct type **tqe_prev;	/* address of previous next element */	\
-}
-
-/* 
- * tail queue access methods 
- */
-#define	TAILQ_FIRST(head)		((head)->tqh_first)
-#define	TAILQ_END(head)			NULL
-#define	TAILQ_NEXT(elm, field)		((elm)->field.tqe_next)
-#define TAILQ_LAST(head, headname)					\
-	(*(((struct headname *)((head)->tqh_last))->tqh_last))
-/* XXX */
-#define TAILQ_PREV(elm, headname, field)				\
-	(*(((struct headname *)((elm)->field.tqe_prev))->tqh_last))
-#define	TAILQ_EMPTY(head)						\
-	(TAILQ_FIRST(head) == TAILQ_END(head))
-
-#define TAILQ_FOREACH(var, head, field)					\
-	for((var) = TAILQ_FIRST(head);					\
-	    (var) != TAILQ_END(head);					\
-	    (var) = TAILQ_NEXT(var, field))
-
-#define TAILQ_FOREACH_REVERSE(var, head, field, headname)		\
-	for((var) = TAILQ_LAST(head, headname);				\
-	    (var) != TAILQ_END(head);					\
-	    (var) = TAILQ_PREV(var, headname, field))
-
-/*
- * Tail queue functions.
- */
-#define	TAILQ_INIT(head) do {						\
-	(head)->tqh_first = NULL;					\
-	(head)->tqh_last = &(head)->tqh_first;				\
-} while (0)
-
-#define TAILQ_INSERT_HEAD(head, elm, field) do {			\
-	if (((elm)->field.tqe_next = (head)->tqh_first) != NULL)	\
-		(head)->tqh_first->field.tqe_prev =			\
-		    &(elm)->field.tqe_next;				\
-	else								\
-		(head)->tqh_last = &(elm)->field.tqe_next;		\
-	(head)->tqh_first = (elm);					\
-	(elm)->field.tqe_prev = &(head)->tqh_first;			\
-} while (0)
-
-#define TAILQ_INSERT_TAIL(head, elm, field) do {			\
-	(elm)->field.tqe_next = NULL;					\
-	(elm)->field.tqe_prev = (head)->tqh_last;			\
-	*(head)->tqh_last = (elm);					\
-	(head)->tqh_last = &(elm)->field.tqe_next;			\
-} while (0)
-
-#define TAILQ_INSERT_AFTER(head, listelm, elm, field) do {		\
-	if (((elm)->field.tqe_next = (listelm)->field.tqe_next) != NULL)\
-		(elm)->field.tqe_next->field.tqe_prev =			\
-		    &(elm)->field.tqe_next;				\
-	else								\
-		(head)->tqh_last = &(elm)->field.tqe_next;		\
-	(listelm)->field.tqe_next = (elm);				\
-	(elm)->field.tqe_prev = &(listelm)->field.tqe_next;		\
-} while (0)
-
-#define	TAILQ_INSERT_BEFORE(listelm, elm, field) do {			\
-	(elm)->field.tqe_prev = (listelm)->field.tqe_prev;		\
-	(elm)->field.tqe_next = (listelm);				\
-	*(listelm)->field.tqe_prev = (elm);				\
-	(listelm)->field.tqe_prev = &(elm)->field.tqe_next;		\
-} while (0)
-
-#define TAILQ_REMOVE(head, elm, field) do {				\
-	if (((elm)->field.tqe_next) != NULL)				\
-		(elm)->field.tqe_next->field.tqe_prev =			\
-		    (elm)->field.tqe_prev;				\
-	else								\
-		(head)->tqh_last = (elm)->field.tqe_prev;		\
-	*(elm)->field.tqe_prev = (elm)->field.tqe_next;			\
-} while (0)
-
-#define TAILQ_REPLACE(head, elm, elm2, field) do {			\
-	if (((elm2)->field.tqe_next = (elm)->field.tqe_next) != NULL)	\
-		(elm2)->field.tqe_next->field.tqe_prev =		\
-		    &(elm2)->field.tqe_next;				\
-	else								\
-		(head)->tqh_last = &(elm2)->field.tqe_next;		\
-	(elm2)->field.tqe_prev = (elm)->field.tqe_prev;			\
-	*(elm2)->field.tqe_prev = (elm2);				\
-} while (0)
-
-/*
- * Circular queue definitions.
- */
-#define CIRCLEQ_HEAD(name, type)					\
-struct name {								\
-	struct type *cqh_first;		/* first element */		\
-	struct type *cqh_last;		/* last element */		\
-}
-
-#define CIRCLEQ_HEAD_INITIALIZER(head)					\
-	{ CIRCLEQ_END(&head), CIRCLEQ_END(&head) }
-
-#define CIRCLEQ_ENTRY(type)						\
-struct {								\
-	struct type *cqe_next;		/* next element */		\
-	struct type *cqe_prev;		/* previous element */		\
-}
-
-/*
- * Circular queue access methods 
- */
-#define	CIRCLEQ_FIRST(head)		((head)->cqh_first)
-#define	CIRCLEQ_LAST(head)		((head)->cqh_last)
-#define	CIRCLEQ_END(head)		((void *)(head))
-#define	CIRCLEQ_NEXT(elm, field)	((elm)->field.cqe_next)
-#define	CIRCLEQ_PREV(elm, field)	((elm)->field.cqe_prev)
-#define	CIRCLEQ_EMPTY(head)						\
-	(CIRCLEQ_FIRST(head) == CIRCLEQ_END(head))
-
-#define CIRCLEQ_FOREACH(var, head, field)				\
-	for((var) = CIRCLEQ_FIRST(head);				\
-	    (var) != CIRCLEQ_END(head);					\
-	    (var) = CIRCLEQ_NEXT(var, field))
-
-#define CIRCLEQ_FOREACH_REVERSE(var, head, field)			\
-	for((var) = CIRCLEQ_LAST(head);					\
-	    (var) != CIRCLEQ_END(head);					\
-	    (var) = CIRCLEQ_PREV(var, field))
-
-/*
- * Circular queue functions.
- */
-#define	CIRCLEQ_INIT(head) do {						\
-	(head)->cqh_first = CIRCLEQ_END(head);				\
-	(head)->cqh_last = CIRCLEQ_END(head);				\
-} while (0)
-
-#define CIRCLEQ_INSERT_AFTER(head, listelm, elm, field) do {		\
-	(elm)->field.cqe_next = (listelm)->field.cqe_next;		\
-	(elm)->field.cqe_prev = (listelm);				\
-	if ((listelm)->field.cqe_next == CIRCLEQ_END(head))		\
-		(head)->cqh_last = (elm);				\
-	else								\
-		(listelm)->field.cqe_next->field.cqe_prev = (elm);	\
-	(listelm)->field.cqe_next = (elm);				\
-} while (0)
-
-#define CIRCLEQ_INSERT_BEFORE(head, listelm, elm, field) do {		\
-	(elm)->field.cqe_next = (listelm);				\
-	(elm)->field.cqe_prev = (listelm)->field.cqe_prev;		\
-	if ((listelm)->field.cqe_prev == CIRCLEQ_END(head))		\
-		(head)->cqh_first = (elm);				\
-	else								\
-		(listelm)->field.cqe_prev->field.cqe_next = (elm);	\
-	(listelm)->field.cqe_prev = (elm);				\
-} while (0)
-
-#define CIRCLEQ_INSERT_HEAD(head, elm, field) do {			\
-	(elm)->field.cqe_next = (head)->cqh_first;			\
-	(elm)->field.cqe_prev = CIRCLEQ_END(head);			\
-	if ((head)->cqh_last == CIRCLEQ_END(head))			\
-		(head)->cqh_last = (elm);				\
-	else								\
-		(head)->cqh_first->field.cqe_prev = (elm);		\
-	(head)->cqh_first = (elm);					\
-} while (0)
-
-#define CIRCLEQ_INSERT_TAIL(head, elm, field) do {			\
-	(elm)->field.cqe_next = CIRCLEQ_END(head);			\
-	(elm)->field.cqe_prev = (head)->cqh_last;			\
-	if ((head)->cqh_first == CIRCLEQ_END(head))			\
-		(head)->cqh_first = (elm);				\
-	else								\
-		(head)->cqh_last->field.cqe_next = (elm);		\
-	(head)->cqh_last = (elm);					\
-} while (0)
-
-#define	CIRCLEQ_REMOVE(head, elm, field) do {				\
-	if ((elm)->field.cqe_next == CIRCLEQ_END(head))			\
-		(head)->cqh_last = (elm)->field.cqe_prev;		\
-	else								\
-		(elm)->field.cqe_next->field.cqe_prev =			\
-		    (elm)->field.cqe_prev;				\
-	if ((elm)->field.cqe_prev == CIRCLEQ_END(head))			\
-		(head)->cqh_first = (elm)->field.cqe_next;		\
-	else								\
-		(elm)->field.cqe_prev->field.cqe_next =			\
-		    (elm)->field.cqe_next;				\
-} while (0)
-
-#define CIRCLEQ_REPLACE(head, elm, elm2, field) do {			\
-	if (((elm2)->field.cqe_next = (elm)->field.cqe_next) ==		\
-	    CIRCLEQ_END(head))						\
-		(head).cqh_last = (elm2);				\
-	else								\
-		(elm2)->field.cqe_next->field.cqe_prev = (elm2);	\
-	if (((elm2)->field.cqe_prev = (elm)->field.cqe_prev) ==		\
-	    CIRCLEQ_END(head))						\
-		(head).cqh_first = (elm2);				\
-	else								\
-		(elm2)->field.cqe_prev->field.cqe_next = (elm2);	\
-} while (0)
-
-#endif	/* !_FAKE_QUEUE_H_ */
diff --git a/crypto/openssh/openbsd-compat/fake-rfc2553.c b/crypto/openssh/openbsd-compat/fake-rfc2553.c
deleted file mode 100644
index b6ea3d2..0000000
--- a/crypto/openssh/openbsd-compat/fake-rfc2553.c
+++ /dev/null
@@ -1,228 +0,0 @@
-/*
- * Copyright (C) 2000-2003 Damien Miller.  All rights reserved.
- * Copyright (C) 1999 WIDE Project.  All rights reserved.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- * 
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Pseudo-implementation of RFC2553 name / address resolution functions
- *
- * But these functions are not implemented correctly. The minimum subset
- * is implemented for ssh use only. For example, this routine assumes
- * that ai_family is AF_INET. Don't use it for another purpose.
- */
-
-#include "includes.h"
-
-#include <stdlib.h>
-#include <string.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#ifndef HAVE_GETNAMEINFO
-int getnameinfo(const struct sockaddr *sa, size_t salen, char *host, 
-                size_t hostlen, char *serv, size_t servlen, int flags)
-{
-	struct sockaddr_in *sin = (struct sockaddr_in *)sa;
-	struct hostent *hp;
-	char tmpserv[16];
-
-	if (serv != NULL) {
-		snprintf(tmpserv, sizeof(tmpserv), "%d", ntohs(sin->sin_port));
-		if (strlcpy(serv, tmpserv, servlen) >= servlen)
-			return (EAI_MEMORY);
-	}
-
-	if (host != NULL) {
-		if (flags & NI_NUMERICHOST) {
-			if (strlcpy(host, inet_ntoa(sin->sin_addr),
-			    hostlen) >= hostlen)
-				return (EAI_MEMORY);
-			else
-				return (0);
-		} else {
-			hp = gethostbyaddr((char *)&sin->sin_addr, 
-			    sizeof(struct in_addr), AF_INET);
-			if (hp == NULL)
-				return (EAI_NODATA);
-			
-			if (strlcpy(host, hp->h_name, hostlen) >= hostlen)
-				return (EAI_MEMORY);
-			else
-				return (0);
-		}
-	}
-	return (0);
-}
-#endif /* !HAVE_GETNAMEINFO */
-
-#ifndef HAVE_GAI_STRERROR
-#ifdef HAVE_CONST_GAI_STRERROR_PROTO
-const char *
-#else
-char *
-#endif
-gai_strerror(int err)
-{
-	switch (err) {
-	case EAI_NODATA:
-		return ("no address associated with name");
-	case EAI_MEMORY:
-		return ("memory allocation failure.");
-	case EAI_NONAME:
-		return ("nodename nor servname provided, or not known");
-	default:
-		return ("unknown/invalid error.");
-	}
-}    
-#endif /* !HAVE_GAI_STRERROR */
-
-#ifndef HAVE_FREEADDRINFO
-void
-freeaddrinfo(struct addrinfo *ai)
-{
-	struct addrinfo *next;
-
-	for(; ai != NULL;) {
-		next = ai->ai_next;
-		free(ai);
-		ai = next;
-	}
-}
-#endif /* !HAVE_FREEADDRINFO */
-
-#ifndef HAVE_GETADDRINFO
-static struct
-addrinfo *malloc_ai(int port, u_long addr, const struct addrinfo *hints)
-{
-	struct addrinfo *ai;
-
-	ai = malloc(sizeof(*ai) + sizeof(struct sockaddr_in));
-	if (ai == NULL)
-		return (NULL);
-	
-	memset(ai, '\0', sizeof(*ai) + sizeof(struct sockaddr_in));
-	
-	ai->ai_addr = (struct sockaddr *)(ai + 1);
-	/* XXX -- ssh doesn't use sa_len */
-	ai->ai_addrlen = sizeof(struct sockaddr_in);
-	ai->ai_addr->sa_family = ai->ai_family = AF_INET;
-
-	((struct sockaddr_in *)(ai)->ai_addr)->sin_port = port;
-	((struct sockaddr_in *)(ai)->ai_addr)->sin_addr.s_addr = addr;
-	
-	/* XXX: the following is not generally correct, but does what we want */
-	if (hints->ai_socktype)
-		ai->ai_socktype = hints->ai_socktype;
-	else
-		ai->ai_socktype = SOCK_STREAM;
-
-	if (hints->ai_protocol)
-		ai->ai_protocol = hints->ai_protocol;
-
-	return (ai);
-}
-
-int
-getaddrinfo(const char *hostname, const char *servname, 
-    const struct addrinfo *hints, struct addrinfo **res)
-{
-	struct hostent *hp;
-	struct servent *sp;
-	struct in_addr in;
-	int i;
-	long int port;
-	u_long addr;
-
-	port = 0;
-	if (servname != NULL) {
-		char *cp;
-
-		port = strtol(servname, &cp, 10);
-		if (port > 0 && port <= 65535 && *cp == '\0')
-			port = htons(port);
-		else if ((sp = getservbyname(servname, NULL)) != NULL)
-			port = sp->s_port;
-		else
-			port = 0;
-	}
-
-	if (hints && hints->ai_flags & AI_PASSIVE) {
-		addr = htonl(0x00000000);
-		if (hostname && inet_aton(hostname, &in) != 0)
-			addr = in.s_addr;
-		*res = malloc_ai(port, addr, hints);
-		if (*res == NULL) 
-			return (EAI_MEMORY);
-		return (0);
-	}
-		
-	if (!hostname) {
-		*res = malloc_ai(port, htonl(0x7f000001), hints);
-		if (*res == NULL) 
-			return (EAI_MEMORY);
-		return (0);
-	}
-	
-	if (inet_aton(hostname, &in)) {
-		*res = malloc_ai(port, in.s_addr, hints);
-		if (*res == NULL) 
-			return (EAI_MEMORY);
-		return (0);
-	}
-	
-	/* Don't try DNS if AI_NUMERICHOST is set */
-	if (hints && hints->ai_flags & AI_NUMERICHOST)
-		return (EAI_NONAME);
-	
-	hp = gethostbyname(hostname);
-	if (hp && hp->h_name && hp->h_name[0] && hp->h_addr_list[0]) {
-		struct addrinfo *cur, *prev;
-
-		cur = prev = *res = NULL;
-		for (i = 0; hp->h_addr_list[i]; i++) {
-			struct in_addr *in = (struct in_addr *)hp->h_addr_list[i];
-
-			cur = malloc_ai(port, in->s_addr, hints);
-			if (cur == NULL) {
-				if (*res != NULL)
-					freeaddrinfo(*res);
-				return (EAI_MEMORY);
-			}
-			if (prev)
-				prev->ai_next = cur;
-			else
-				*res = cur;
-
-			prev = cur;
-		}
-		return (0);
-	}
-	
-	return (EAI_NODATA);
-}
-#endif /* !HAVE_GETADDRINFO */
diff --git a/crypto/openssh/openbsd-compat/fake-rfc2553.h b/crypto/openssh/openbsd-compat/fake-rfc2553.h
deleted file mode 100644
index 5c2ce5b..0000000
--- a/crypto/openssh/openbsd-compat/fake-rfc2553.h
+++ /dev/null
@@ -1,171 +0,0 @@
-/* $Id: fake-rfc2553.h,v 1.13 2006/07/24 03:51:52 djm Exp $ */
-
-/*
- * Copyright (C) 2000-2003 Damien Miller.  All rights reserved.
- * Copyright (C) 1999 WIDE Project.  All rights reserved.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- * 
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Pseudo-implementation of RFC2553 name / address resolution functions
- *
- * But these functions are not implemented correctly. The minimum subset
- * is implemented for ssh use only. For example, this routine assumes
- * that ai_family is AF_INET. Don't use it for another purpose.
- */
-
-#ifndef _FAKE_RFC2553_H
-#define _FAKE_RFC2553_H
-
-#include "includes.h"
-#include <sys/types.h>
-#if defined(HAVE_NETDB_H)
-# include <netdb.h>
-#endif
-
-/*
- * First, socket and INET6 related definitions 
- */
-#ifndef HAVE_STRUCT_SOCKADDR_STORAGE
-# define	_SS_MAXSIZE	128	/* Implementation specific max size */
-# define       _SS_PADSIZE     (_SS_MAXSIZE - sizeof (struct sockaddr))
-struct sockaddr_storage {
-	struct sockaddr	ss_sa;
-	char		__ss_pad2[_SS_PADSIZE];
-};
-# define ss_family ss_sa.sa_family
-#endif /* !HAVE_STRUCT_SOCKADDR_STORAGE */
-
-#ifndef IN6_IS_ADDR_LOOPBACK
-# define IN6_IS_ADDR_LOOPBACK(a) \
-	(((u_int32_t *)(a))[0] == 0 && ((u_int32_t *)(a))[1] == 0 && \
-	 ((u_int32_t *)(a))[2] == 0 && ((u_int32_t *)(a))[3] == htonl(1))
-#endif /* !IN6_IS_ADDR_LOOPBACK */
-
-#ifndef HAVE_STRUCT_IN6_ADDR
-struct in6_addr {
-	u_int8_t	s6_addr[16];
-};
-#endif /* !HAVE_STRUCT_IN6_ADDR */
-
-#ifndef HAVE_STRUCT_SOCKADDR_IN6
-struct sockaddr_in6 {
-	unsigned short	sin6_family;
-	u_int16_t	sin6_port;
-	u_int32_t	sin6_flowinfo;
-	struct in6_addr	sin6_addr;
-};
-#endif /* !HAVE_STRUCT_SOCKADDR_IN6 */
-
-#ifndef AF_INET6
-/* Define it to something that should never appear */
-#define AF_INET6 AF_MAX
-#endif
-
-/*
- * Next, RFC2553 name / address resolution API
- */
-
-#ifndef NI_NUMERICHOST
-# define NI_NUMERICHOST    (1)
-#endif
-#ifndef NI_NAMEREQD
-# define NI_NAMEREQD       (1<<1)
-#endif
-#ifndef NI_NUMERICSERV
-# define NI_NUMERICSERV    (1<<2)
-#endif
-
-#ifndef AI_PASSIVE
-# define AI_PASSIVE		(1)
-#endif
-#ifndef AI_CANONNAME
-# define AI_CANONNAME		(1<<1)
-#endif
-#ifndef AI_NUMERICHOST
-# define AI_NUMERICHOST		(1<<2)
-#endif
-
-#ifndef NI_MAXSERV
-# define NI_MAXSERV 32
-#endif /* !NI_MAXSERV */
-#ifndef NI_MAXHOST
-# define NI_MAXHOST 1025
-#endif /* !NI_MAXHOST */
-
-#ifndef EAI_NODATA
-# define EAI_NODATA	(INT_MAX - 1)
-#endif
-#ifndef EAI_MEMORY
-# define EAI_MEMORY	(INT_MAX - 2)
-#endif
-#ifndef EAI_NONAME
-# define EAI_NONAME	(INT_MAX - 3)
-#endif
-#ifndef EAI_SYSTEM
-# define EAI_SYSTEM	(INT_MAX - 4)
-#endif
-
-#ifndef HAVE_STRUCT_ADDRINFO
-struct addrinfo {
-	int	ai_flags;	/* AI_PASSIVE, AI_CANONNAME */
-	int	ai_family;	/* PF_xxx */
-	int	ai_socktype;	/* SOCK_xxx */
-	int	ai_protocol;	/* 0 or IPPROTO_xxx for IPv4 and IPv6 */
-	size_t	ai_addrlen;	/* length of ai_addr */
-	char	*ai_canonname;	/* canonical name for hostname */
-	struct sockaddr *ai_addr;	/* binary address */
-	struct addrinfo *ai_next;	/* next structure in linked list */
-};
-#endif /* !HAVE_STRUCT_ADDRINFO */
-
-#ifndef HAVE_GETADDRINFO
-#ifdef getaddrinfo
-# undef getaddrinfo
-#endif
-#define getaddrinfo(a,b,c,d)	(ssh_getaddrinfo(a,b,c,d))
-int getaddrinfo(const char *, const char *, 
-    const struct addrinfo *, struct addrinfo **);
-#endif /* !HAVE_GETADDRINFO */
-
-#if !defined(HAVE_GAI_STRERROR) && !defined(HAVE_CONST_GAI_STRERROR_PROTO)
-#define gai_strerror(a)		(ssh_gai_strerror(a))
-char *gai_strerror(int);
-#endif /* !HAVE_GAI_STRERROR */
-
-#ifndef HAVE_FREEADDRINFO
-#define freeaddrinfo(a)		(ssh_freeaddrinfo(a))
-void freeaddrinfo(struct addrinfo *);
-#endif /* !HAVE_FREEADDRINFO */
-
-#ifndef HAVE_GETNAMEINFO
-#define getnameinfo(a,b,c,d,e,f,g) (ssh_getnameinfo(a,b,c,d,e,f,g))
-int getnameinfo(const struct sockaddr *, size_t, char *, size_t, 
-    char *, size_t, int);
-#endif /* !HAVE_GETNAMEINFO */
-
-#endif /* !_FAKE_RFC2553_H */
-
diff --git a/crypto/openssh/openbsd-compat/getcwd.c b/crypto/openssh/openbsd-compat/getcwd.c
deleted file mode 100644
index 711cb9c..0000000
--- a/crypto/openssh/openbsd-compat/getcwd.c
+++ /dev/null
@@ -1,240 +0,0 @@
-/*	$OpenBSD: getcwd.c,v 1.14 2005/08/08 08:05:34 espie Exp $ */
-/*
- * Copyright (c) 1989, 1991, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* OPENBSD ORIGINAL: lib/libc/gen/getcwd.c */
-
-#include "includes.h"
-
-#if !defined(HAVE_GETCWD)
-
-#include <sys/param.h>
-#include <sys/stat.h>
-#include <errno.h>
-#include <dirent.h>
-#include <sys/dir.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include "includes.h"
-
-#define	ISDOT(dp) \
-	(dp->d_name[0] == '.' && (dp->d_name[1] == '\0' || \
-	    (dp->d_name[1] == '.' && dp->d_name[2] == '\0')))
-
-char *
-getcwd(char *pt, size_t size)
-{
-	struct dirent *dp;
-	DIR *dir = NULL;
-	dev_t dev;
-	ino_t ino;
-	int first;
-	char *bpt, *bup;
-	struct stat s;
-	dev_t root_dev;
-	ino_t root_ino;
-	size_t ptsize, upsize;
-	int save_errno;
-	char *ept, *eup, *up;
-
-	/*
-	 * If no buffer specified by the user, allocate one as necessary.
-	 * If a buffer is specified, the size has to be non-zero.  The path
-	 * is built from the end of the buffer backwards.
-	 */
-	if (pt) {
-		ptsize = 0;
-		if (!size) {
-			errno = EINVAL;
-			return (NULL);
-		}
-		ept = pt + size;
-	} else {
-		if ((pt = malloc(ptsize = MAXPATHLEN)) == NULL)
-			return (NULL);
-		ept = pt + ptsize;
-	}
-	bpt = ept - 1;
-	*bpt = '\0';
-
-	/*
-	 * Allocate bytes for the string of "../"'s.
-	 * Should always be enough (it's 340 levels).  If it's not, allocate
-	 * as necessary.  Special * case the first stat, it's ".", not "..".
-	 */
-	if ((up = malloc(upsize = MAXPATHLEN)) == NULL)
-		goto err;
-	eup = up + upsize;
-	bup = up;
-	up[0] = '.';
-	up[1] = '\0';
-
-	/* Save root values, so know when to stop. */
-	if (stat("/", &s))
-		goto err;
-	root_dev = s.st_dev;
-	root_ino = s.st_ino;
-
-	errno = 0;			/* XXX readdir has no error return. */
-
-	for (first = 1;; first = 0) {
-		/* Stat the current level. */
-		if (lstat(up, &s))
-			goto err;
-
-		/* Save current node values. */
-		ino = s.st_ino;
-		dev = s.st_dev;
-
-		/* Check for reaching root. */
-		if (root_dev == dev && root_ino == ino) {
-			*--bpt = '/';
-			/*
-			 * It's unclear that it's a requirement to copy the
-			 * path to the beginning of the buffer, but it's always
-			 * been that way and stuff would probably break.
-			 */
-			memmove(pt, bpt, ept - bpt);
-			free(up);
-			return (pt);
-		}
-
-		/*
-		 * Build pointer to the parent directory, allocating memory
-		 * as necessary.  Max length is 3 for "../", the largest
-		 * possible component name, plus a trailing NUL.
-		 */
-		if (bup + 3  + MAXNAMLEN + 1 >= eup) {
-			char *nup;
-
-			if ((nup = realloc(up, upsize *= 2)) == NULL)
-				goto err;
-			bup = nup + (bup - up);
-			up = nup;
-			eup = up + upsize;
-		}
-		*bup++ = '.';
-		*bup++ = '.';
-		*bup = '\0';
-
-		/* Open and stat parent directory. */
-		if (!(dir = opendir(up)) || fstat(dirfd(dir), &s))
-			goto err;
-
-		/* Add trailing slash for next directory. */
-		*bup++ = '/';
-
-		/*
-		 * If it's a mount point, have to stat each element because
-		 * the inode number in the directory is for the entry in the
-		 * parent directory, not the inode number of the mounted file.
-		 */
-		save_errno = 0;
-		if (s.st_dev == dev) {
-			for (;;) {
-				if (!(dp = readdir(dir)))
-					goto notfound;
-				if (dp->d_fileno == ino)
-					break;
-			}
-		} else
-			for (;;) {
-				if (!(dp = readdir(dir)))
-					goto notfound;
-				if (ISDOT(dp))
-					continue;
-				memcpy(bup, dp->d_name, dp->d_namlen + 1);
-
-				/* Save the first error for later. */
-				if (lstat(up, &s)) {
-					if (!save_errno)
-						save_errno = errno;
-					errno = 0;
-					continue;
-				}
-				if (s.st_dev == dev && s.st_ino == ino)
-					break;
-			}
-
-		/*
-		 * Check for length of the current name, preceding slash,
-		 * leading slash.
-		 */
-		if (bpt - pt < dp->d_namlen + (first ? 1 : 2)) {
-			size_t len;
-			char *npt;
-
-			if (!ptsize) {
-				errno = ERANGE;
-				goto err;
-			}
-			len = ept - bpt;
-			if ((npt = realloc(pt, ptsize *= 2)) == NULL)
-				goto err;
-			bpt = npt + (bpt - pt);
-			pt = npt;
-			ept = pt + ptsize;
-			memmove(ept - len, bpt, len);
-			bpt = ept - len;
-		}
-		if (!first)
-			*--bpt = '/';
-		bpt -= dp->d_namlen;
-		memcpy(bpt, dp->d_name, dp->d_namlen);
-		(void)closedir(dir);
-
-		/* Truncate any file name. */
-		*bup = '\0';
-	}
-
-notfound:
-	/*
-	 * If readdir set errno, use it, not any saved error; otherwise,
-	 * didn't find the current directory in its parent directory, set
-	 * errno to ENOENT.
-	 */
-	if (!errno)
-		errno = save_errno ? save_errno : ENOENT;
-	/* FALLTHROUGH */
-err:
-	save_errno = errno;
-
-	if (ptsize)
-		free(pt);
-	free(up);
-	if (dir)
-		(void)closedir(dir);
-
-	errno = save_errno;
-
-	return (NULL);
-}
-
-#endif /* !defined(HAVE_GETCWD) */
diff --git a/crypto/openssh/openbsd-compat/getgrouplist.c b/crypto/openssh/openbsd-compat/getgrouplist.c
deleted file mode 100644
index a57d7d3..0000000
--- a/crypto/openssh/openbsd-compat/getgrouplist.c
+++ /dev/null
@@ -1,95 +0,0 @@
-/*	$OpenBSD: getgrouplist.c,v 1.12 2005/08/08 08:05:34 espie Exp $ */
-/*
- * Copyright (c) 1991, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* OPENBSD ORIGINAL: lib/libc/gen/getgrouplist.c */
-
-#include "includes.h"
-
-#ifndef HAVE_GETGROUPLIST
-
-/*
- * get credential
- */
-#include <sys/types.h>
-#include <string.h>
-#include <unistd.h>
-#include <grp.h>
-
-int
-getgrouplist(const char *uname, gid_t agroup, gid_t *groups, int *grpcnt)
-{
-	struct group *grp;
-	int i, ngroups;
-	int ret, maxgroups;
-	int bail;
-
-	ret = 0;
-	ngroups = 0;
-	maxgroups = *grpcnt;
-
-	/*
-	 * install primary group
-	 */
-	if (ngroups >= maxgroups) {
-		*grpcnt = ngroups;
-		return (-1);
-	}
-	groups[ngroups++] = agroup;
-
-	/*
-	 * Scan the group file to find additional groups.
-	 */
-	setgrent();
-	while ((grp = getgrent())) {
-		if (grp->gr_gid == agroup)
-			continue;
-		for (bail = 0, i = 0; bail == 0 && i < ngroups; i++)
-			if (groups[i] == grp->gr_gid)
-				bail = 1;
-		if (bail)
-			continue;
-		for (i = 0; grp->gr_mem[i]; i++) {
-			if (!strcmp(grp->gr_mem[i], uname)) {
-				if (ngroups >= maxgroups) {
-					ret = -1;
-					goto out;
-				}
-				groups[ngroups++] = grp->gr_gid;
-				break;
-			}
-		}
-	}
-out:
-	endgrent();
-	*grpcnt = ngroups;
-	return (ret);
-}
-
-#endif /* HAVE_GETGROUPLIST */
diff --git a/crypto/openssh/openbsd-compat/getopt.c b/crypto/openssh/openbsd-compat/getopt.c
deleted file mode 100644
index 5450e43..0000000
--- a/crypto/openssh/openbsd-compat/getopt.c
+++ /dev/null
@@ -1,123 +0,0 @@
-/*
- * Copyright (c) 1987, 1993, 1994
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* OPENBSD ORIGINAL: lib/libc/stdlib/getopt.c */
-
-#include "includes.h"
-#if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET)
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static char *rcsid = "$OpenBSD: getopt.c,v 1.5 2003/06/02 20:18:37 millert Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-int	BSDopterr = 1,		/* if error message should be printed */
-	BSDoptind = 1,		/* index into parent argv vector */
-	BSDoptopt,		/* character checked for validity */
-	BSDoptreset;		/* reset getopt */
-char	*BSDoptarg;		/* argument associated with option */
-
-#define	BADCH	(int)'?'
-#define	BADARG	(int)':'
-#define	EMSG	""
-
-/*
- * getopt --
- *	Parse argc/argv argument vector.
- */
-int
-BSDgetopt(nargc, nargv, ostr)
-	int nargc;
-	char * const *nargv;
-	const char *ostr;
-{
-	extern char *__progname;
-	static char *place = EMSG;		/* option letter processing */
-	char *oli;				/* option letter list index */
-
-	if (ostr == NULL)
-		return (-1);
-
-	if (BSDoptreset || !*place) {		/* update scanning pointer */
-		BSDoptreset = 0;
-		if (BSDoptind >= nargc || *(place = nargv[BSDoptind]) != '-') {
-			place = EMSG;
-			return (-1);
-		}
-		if (place[1] && *++place == '-') {	/* found "--" */
-			++BSDoptind;
-			place = EMSG;
-			return (-1);
-		}
-	}					/* option letter okay? */
-	if ((BSDoptopt = (int)*place++) == (int)':' ||
-	    !(oli = strchr(ostr, BSDoptopt))) {
-		/*
-		 * if the user didn't specify '-' as an option,
-		 * assume it means -1.
-		 */
-		if (BSDoptopt == (int)'-')
-			return (-1);
-		if (!*place)
-			++BSDoptind;
-		if (BSDopterr && *ostr != ':')
-			(void)fprintf(stderr,
-			    "%s: illegal option -- %c\n", __progname, BSDoptopt);
-		return (BADCH);
-	}
-	if (*++oli != ':') {			/* don't need argument */
-		BSDoptarg = NULL;
-		if (!*place)
-			++BSDoptind;
-	}
-	else {					/* need an argument */
-		if (*place)			/* no white space */
-			BSDoptarg = place;
-		else if (nargc <= ++BSDoptind) {	/* no arg */
-			place = EMSG;
-			if (*ostr == ':')
-				return (BADARG);
-			if (BSDopterr)
-				(void)fprintf(stderr,
-				    "%s: option requires an argument -- %c\n",
-				    __progname, BSDoptopt);
-			return (BADCH);
-		}
-	 	else				/* white space */
-			BSDoptarg = nargv[BSDoptind];
-		place = EMSG;
-		++BSDoptind;
-	}
-	return (BSDoptopt);			/* dump back option letter */
-}
-
-#endif /* !defined(HAVE_GETOPT) || !defined(HAVE_OPTRESET) */
diff --git a/crypto/openssh/openbsd-compat/getrrsetbyname.c b/crypto/openssh/openbsd-compat/getrrsetbyname.c
deleted file mode 100644
index 6c86e02..0000000
--- a/crypto/openssh/openbsd-compat/getrrsetbyname.c
+++ /dev/null
@@ -1,612 +0,0 @@
-/* $OpenBSD: getrrsetbyname.c,v 1.10 2005/03/30 02:58:28 tedu Exp $ */
-
-/*
- * Copyright (c) 2001 Jakob Schlyter. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Portions Copyright (c) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* OPENBSD ORIGINAL: lib/libc/net/getrrsetbyname.c */
-
-#include "includes.h"
-
-#ifndef HAVE_GETRRSETBYNAME
-
-#include <stdlib.h>
-#include <string.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include "getrrsetbyname.h"
-
-#if defined(HAVE_DECL_H_ERRNO) && !HAVE_DECL_H_ERRNO
-extern int h_errno;
-#endif
-
-/* We don't need multithread support here */
-#ifdef _THREAD_PRIVATE
-# undef _THREAD_PRIVATE
-#endif
-#define _THREAD_PRIVATE(a,b,c) (c)
-
-/* to avoid conflicts where a platform already has _res */
-#ifdef _res
-# undef _res
-#endif
-#define _res	_compat_res
-
-struct __res_state _res;
-
-/* Necessary functions and macros */
-
-/*
- * Inline versions of get/put short/long.  Pointer is advanced.
- *
- * These macros demonstrate the property of C whereby it can be
- * portable or it can be elegant but rarely both.
- */
-
-#ifndef INT32SZ
-# define INT32SZ	4
-#endif
-#ifndef INT16SZ
-# define INT16SZ	2
-#endif
-
-#ifndef GETSHORT
-#define GETSHORT(s, cp) { \
-	register u_char *t_cp = (u_char *)(cp); \
-	(s) = ((u_int16_t)t_cp[0] << 8) \
-	    | ((u_int16_t)t_cp[1]) \
-	    ; \
-	(cp) += INT16SZ; \
-}
-#endif
-
-#ifndef GETLONG
-#define GETLONG(l, cp) { \
-	register u_char *t_cp = (u_char *)(cp); \
-	(l) = ((u_int32_t)t_cp[0] << 24) \
-	    | ((u_int32_t)t_cp[1] << 16) \
-	    | ((u_int32_t)t_cp[2] << 8) \
-	    | ((u_int32_t)t_cp[3]) \
-	    ; \
-	(cp) += INT32SZ; \
-}
-#endif
-
-/*
- * Routines to insert/extract short/long's.
- */
-
-#ifndef HAVE__GETSHORT
-static u_int16_t
-_getshort(msgp)
-	register const u_char *msgp;
-{
-	register u_int16_t u;
-
-	GETSHORT(u, msgp);
-	return (u);
-}
-#elif defined(HAVE_DECL__GETSHORT) && (HAVE_DECL__GETSHORT == 0)
-u_int16_t _getshort(register const u_char *);
-#endif
-
-#ifndef HAVE__GETLONG
-static u_int32_t
-_getlong(msgp)
-	register const u_char *msgp;
-{
-	register u_int32_t u;
-
-	GETLONG(u, msgp);
-	return (u);
-}
-#elif defined(HAVE_DECL__GETLONG) && (HAVE_DECL__GETLONG == 0)
-u_int32_t _getlong(register const u_char *);
-#endif
-
-/* ************** */
-
-#define ANSWER_BUFFER_SIZE 1024*64
-
-struct dns_query {
-	char			*name;
-	u_int16_t		type;
-	u_int16_t		class;
-	struct dns_query	*next;
-};
-
-struct dns_rr {
-	char			*name;
-	u_int16_t		type;
-	u_int16_t		class;
-	u_int16_t		ttl;
-	u_int16_t		size;
-	void			*rdata;
-	struct dns_rr		*next;
-};
-
-struct dns_response {
-	HEADER			header;
-	struct dns_query	*query;
-	struct dns_rr		*answer;
-	struct dns_rr		*authority;
-	struct dns_rr		*additional;
-};
-
-static struct dns_response *parse_dns_response(const u_char *, int);
-static struct dns_query *parse_dns_qsection(const u_char *, int,
-    const u_char **, int);
-static struct dns_rr *parse_dns_rrsection(const u_char *, int, const u_char **,
-    int);
-
-static void free_dns_query(struct dns_query *);
-static void free_dns_rr(struct dns_rr *);
-static void free_dns_response(struct dns_response *);
-
-static int count_dns_rr(struct dns_rr *, u_int16_t, u_int16_t);
-
-int
-getrrsetbyname(const char *hostname, unsigned int rdclass,
-    unsigned int rdtype, unsigned int flags,
-    struct rrsetinfo **res)
-{
-	struct __res_state *_resp = _THREAD_PRIVATE(_res, _res, &_res);
-	int result;
-	struct rrsetinfo *rrset = NULL;
-	struct dns_response *response = NULL;
-	struct dns_rr *rr;
-	struct rdatainfo *rdata;
-	int length;
-	unsigned int index_ans, index_sig;
-	u_char answer[ANSWER_BUFFER_SIZE];
-
-	/* check for invalid class and type */
-	if (rdclass > 0xffff || rdtype > 0xffff) {
-		result = ERRSET_INVAL;
-		goto fail;
-	}
-
-	/* don't allow queries of class or type ANY */
-	if (rdclass == 0xff || rdtype == 0xff) {
-		result = ERRSET_INVAL;
-		goto fail;
-	}
-
-	/* don't allow flags yet, unimplemented */
-	if (flags) {
-		result = ERRSET_INVAL;
-		goto fail;
-	}
-
-	/* initialize resolver */
-	if ((_resp->options & RES_INIT) == 0 && res_init() == -1) {
-		result = ERRSET_FAIL;
-		goto fail;
-	}
-
-#ifdef DEBUG
-	_resp->options |= RES_DEBUG;
-#endif /* DEBUG */
-
-#ifdef RES_USE_DNSSEC
-	/* turn on DNSSEC if EDNS0 is configured */
-	if (_resp->options & RES_USE_EDNS0)
-		_resp->options |= RES_USE_DNSSEC;
-#endif /* RES_USE_DNSEC */
-
-	/* make query */
-	length = res_query(hostname, (signed int) rdclass, (signed int) rdtype,
-	    answer, sizeof(answer));
-	if (length < 0) {
-		switch(h_errno) {
-		case HOST_NOT_FOUND:
-			result = ERRSET_NONAME;
-			goto fail;
-		case NO_DATA:
-			result = ERRSET_NODATA;
-			goto fail;
-		default:
-			result = ERRSET_FAIL;
-			goto fail;
-		}
-	}
-
-	/* parse result */
-	response = parse_dns_response(answer, length);
-	if (response == NULL) {
-		result = ERRSET_FAIL;
-		goto fail;
-	}
-
-	if (response->header.qdcount != 1) {
-		result = ERRSET_FAIL;
-		goto fail;
-	}
-
-	/* initialize rrset */
-	rrset = calloc(1, sizeof(struct rrsetinfo));
-	if (rrset == NULL) {
-		result = ERRSET_NOMEMORY;
-		goto fail;
-	}
-	rrset->rri_rdclass = response->query->class;
-	rrset->rri_rdtype = response->query->type;
-	rrset->rri_ttl = response->answer->ttl;
-	rrset->rri_nrdatas = response->header.ancount;
-
-#ifdef HAVE_HEADER_AD
-	/* check for authenticated data */
-	if (response->header.ad == 1)
-		rrset->rri_flags |= RRSET_VALIDATED;
-#endif
-
-	/* copy name from answer section */
-	rrset->rri_name = strdup(response->answer->name);
-	if (rrset->rri_name == NULL) {
-		result = ERRSET_NOMEMORY;
-		goto fail;
-	}
-
-	/* count answers */
-	rrset->rri_nrdatas = count_dns_rr(response->answer, rrset->rri_rdclass,
-	    rrset->rri_rdtype);
-	rrset->rri_nsigs = count_dns_rr(response->answer, rrset->rri_rdclass,
-	    T_SIG);
-
-	/* allocate memory for answers */
-	rrset->rri_rdatas = calloc(rrset->rri_nrdatas,
-	    sizeof(struct rdatainfo));
-	if (rrset->rri_rdatas == NULL) {
-		result = ERRSET_NOMEMORY;
-		goto fail;
-	}
-
-	/* allocate memory for signatures */
-	rrset->rri_sigs = calloc(rrset->rri_nsigs, sizeof(struct rdatainfo));
-	if (rrset->rri_sigs == NULL) {
-		result = ERRSET_NOMEMORY;
-		goto fail;
-	}
-
-	/* copy answers & signatures */
-	for (rr = response->answer, index_ans = 0, index_sig = 0;
-	    rr; rr = rr->next) {
-
-		rdata = NULL;
-
-		if (rr->class == rrset->rri_rdclass &&
-		    rr->type  == rrset->rri_rdtype)
-			rdata = &rrset->rri_rdatas[index_ans++];
-
-		if (rr->class == rrset->rri_rdclass &&
-		    rr->type  == T_SIG)
-			rdata = &rrset->rri_sigs[index_sig++];
-
-		if (rdata) {
-			rdata->rdi_length = rr->size;
-			rdata->rdi_data   = malloc(rr->size);
-
-			if (rdata->rdi_data == NULL) {
-				result = ERRSET_NOMEMORY;
-				goto fail;
-			}
-			memcpy(rdata->rdi_data, rr->rdata, rr->size);
-		}
-	}
-	free_dns_response(response);
-
-	*res = rrset;
-	return (ERRSET_SUCCESS);
-
-fail:
-	if (rrset != NULL)
-		freerrset(rrset);
-	if (response != NULL)
-		free_dns_response(response);
-	return (result);
-}
-
-void
-freerrset(struct rrsetinfo *rrset)
-{
-	u_int16_t i;
-
-	if (rrset == NULL)
-		return;
-
-	if (rrset->rri_rdatas) {
-		for (i = 0; i < rrset->rri_nrdatas; i++) {
-			if (rrset->rri_rdatas[i].rdi_data == NULL)
-				break;
-			free(rrset->rri_rdatas[i].rdi_data);
-		}
-		free(rrset->rri_rdatas);
-	}
-
-	if (rrset->rri_sigs) {
-		for (i = 0; i < rrset->rri_nsigs; i++) {
-			if (rrset->rri_sigs[i].rdi_data == NULL)
-				break;
-			free(rrset->rri_sigs[i].rdi_data);
-		}
-		free(rrset->rri_sigs);
-	}
-
-	if (rrset->rri_name)
-		free(rrset->rri_name);
-	free(rrset);
-}
-
-/*
- * DNS response parsing routines
- */
-static struct dns_response *
-parse_dns_response(const u_char *answer, int size)
-{
-	struct dns_response *resp;
-	const u_char *cp;
-
-	/* allocate memory for the response */
-	resp = calloc(1, sizeof(*resp));
-	if (resp == NULL)
-		return (NULL);
-
-	/* initialize current pointer */
-	cp = answer;
-
-	/* copy header */
-	memcpy(&resp->header, cp, HFIXEDSZ);
-	cp += HFIXEDSZ;
-
-	/* fix header byte order */
-	resp->header.qdcount = ntohs(resp->header.qdcount);
-	resp->header.ancount = ntohs(resp->header.ancount);
-	resp->header.nscount = ntohs(resp->header.nscount);
-	resp->header.arcount = ntohs(resp->header.arcount);
-
-	/* there must be at least one query */
-	if (resp->header.qdcount < 1) {
-		free_dns_response(resp);
-		return (NULL);
-	}
-
-	/* parse query section */
-	resp->query = parse_dns_qsection(answer, size, &cp,
-	    resp->header.qdcount);
-	if (resp->header.qdcount && resp->query == NULL) {
-		free_dns_response(resp);
-		return (NULL);
-	}
-
-	/* parse answer section */
-	resp->answer = parse_dns_rrsection(answer, size, &cp,
-	    resp->header.ancount);
-	if (resp->header.ancount && resp->answer == NULL) {
-		free_dns_response(resp);
-		return (NULL);
-	}
-
-	/* parse authority section */
-	resp->authority = parse_dns_rrsection(answer, size, &cp,
-	    resp->header.nscount);
-	if (resp->header.nscount && resp->authority == NULL) {
-		free_dns_response(resp);
-		return (NULL);
-	}
-
-	/* parse additional section */
-	resp->additional = parse_dns_rrsection(answer, size, &cp,
-	    resp->header.arcount);
-	if (resp->header.arcount && resp->additional == NULL) {
-		free_dns_response(resp);
-		return (NULL);
-	}
-
-	return (resp);
-}
-
-static struct dns_query *
-parse_dns_qsection(const u_char *answer, int size, const u_char **cp, int count)
-{
-	struct dns_query *head, *curr, *prev;
-	int i, length;
-	char name[MAXDNAME];
-
-	for (i = 1, head = NULL, prev = NULL; i <= count; i++, prev = curr) {
-
-		/* allocate and initialize struct */
-		curr = calloc(1, sizeof(struct dns_query));
-		if (curr == NULL) {
-			free_dns_query(head);
-			return (NULL);
-		}
-		if (head == NULL)
-			head = curr;
-		if (prev != NULL)
-			prev->next = curr;
-
-		/* name */
-		length = dn_expand(answer, answer + size, *cp, name,
-		    sizeof(name));
-		if (length < 0) {
-			free_dns_query(head);
-			return (NULL);
-		}
-		curr->name = strdup(name);
-		if (curr->name == NULL) {
-			free_dns_query(head);
-			return (NULL);
-		}
-		*cp += length;
-
-		/* type */
-		curr->type = _getshort(*cp);
-		*cp += INT16SZ;
-
-		/* class */
-		curr->class = _getshort(*cp);
-		*cp += INT16SZ;
-	}
-
-	return (head);
-}
-
-static struct dns_rr *
-parse_dns_rrsection(const u_char *answer, int size, const u_char **cp,
-    int count)
-{
-	struct dns_rr *head, *curr, *prev;
-	int i, length;
-	char name[MAXDNAME];
-
-	for (i = 1, head = NULL, prev = NULL; i <= count; i++, prev = curr) {
-
-		/* allocate and initialize struct */
-		curr = calloc(1, sizeof(struct dns_rr));
-		if (curr == NULL) {
-			free_dns_rr(head);
-			return (NULL);
-		}
-		if (head == NULL)
-			head = curr;
-		if (prev != NULL)
-			prev->next = curr;
-
-		/* name */
-		length = dn_expand(answer, answer + size, *cp, name,
-		    sizeof(name));
-		if (length < 0) {
-			free_dns_rr(head);
-			return (NULL);
-		}
-		curr->name = strdup(name);
-		if (curr->name == NULL) {
-			free_dns_rr(head);
-			return (NULL);
-		}
-		*cp += length;
-
-		/* type */
-		curr->type = _getshort(*cp);
-		*cp += INT16SZ;
-
-		/* class */
-		curr->class = _getshort(*cp);
-		*cp += INT16SZ;
-
-		/* ttl */
-		curr->ttl = _getlong(*cp);
-		*cp += INT32SZ;
-
-		/* rdata size */
-		curr->size = _getshort(*cp);
-		*cp += INT16SZ;
-
-		/* rdata itself */
-		curr->rdata = malloc(curr->size);
-		if (curr->rdata == NULL) {
-			free_dns_rr(head);
-			return (NULL);
-		}
-		memcpy(curr->rdata, *cp, curr->size);
-		*cp += curr->size;
-	}
-
-	return (head);
-}
-
-static void
-free_dns_query(struct dns_query *p)
-{
-	if (p == NULL)
-		return;
-
-	if (p->name)
-		free(p->name);
-	free_dns_query(p->next);
-	free(p);
-}
-
-static void
-free_dns_rr(struct dns_rr *p)
-{
-	if (p == NULL)
-		return;
-
-	if (p->name)
-		free(p->name);
-	if (p->rdata)
-		free(p->rdata);
-	free_dns_rr(p->next);
-	free(p);
-}
-
-static void
-free_dns_response(struct dns_response *p)
-{
-	if (p == NULL)
-		return;
-
-	free_dns_query(p->query);
-	free_dns_rr(p->answer);
-	free_dns_rr(p->authority);
-	free_dns_rr(p->additional);
-	free(p);
-}
-
-static int
-count_dns_rr(struct dns_rr *p, u_int16_t class, u_int16_t type)
-{
-	int n = 0;
-
-	while(p) {
-		if (p->class == class && p->type == type)
-			n++;
-		p = p->next;
-	}
-
-	return (n);
-}
-
-#endif /* !defined(HAVE_GETRRSETBYNAME) */
diff --git a/crypto/openssh/openbsd-compat/getrrsetbyname.h b/crypto/openssh/openbsd-compat/getrrsetbyname.h
deleted file mode 100644
index 39995b6..0000000
--- a/crypto/openssh/openbsd-compat/getrrsetbyname.h
+++ /dev/null
@@ -1,110 +0,0 @@
-/* OPENBSD BASED ON : include/netdb.h */
-
-/* $OpenBSD: getrrsetbyname.c,v 1.4 2001/08/16 18:16:43 ho Exp $ */
-
-/*
- * Copyright (c) 2001 Jakob Schlyter. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Portions Copyright (c) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef _GETRRSETBYNAME_H
-#define _GETRRSETBYNAME_H
-
-#include "includes.h"
-
-#ifndef HAVE_GETRRSETBYNAME
-
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <netdb.h>
-#include <resolv.h>
-
-#ifndef HFIXEDSZ
-#define HFIXEDSZ 12
-#endif
-
-#ifndef T_SIG
-#define T_SIG 24
-#endif
-
-/*
- * Flags for getrrsetbyname()
- */
-#ifndef RRSET_VALIDATED
-# define RRSET_VALIDATED	1
-#endif
-
-/*
- * Return codes for getrrsetbyname()
- */
-#ifndef ERRSET_SUCCESS
-# define ERRSET_SUCCESS		0
-# define ERRSET_NOMEMORY	1
-# define ERRSET_FAIL		2
-# define ERRSET_INVAL		3
-# define ERRSET_NONAME		4
-# define ERRSET_NODATA		5
-#endif
-
-struct rdatainfo {
-	unsigned int		rdi_length;	/* length of data */
-	unsigned char		*rdi_data;	/* record data */
-};
-
-struct rrsetinfo {
-	unsigned int		rri_flags;	/* RRSET_VALIDATED ... */
-	unsigned int		rri_rdclass;	/* class number */
-	unsigned int		rri_rdtype;	/* RR type number */
-	unsigned int		rri_ttl;	/* time to live */
-	unsigned int		rri_nrdatas;	/* size of rdatas array */
-	unsigned int		rri_nsigs;	/* size of sigs array */
-	char			*rri_name;	/* canonical name */
-	struct rdatainfo	*rri_rdatas;	/* individual records */
-	struct rdatainfo	*rri_sigs;	/* individual signatures */
-};
-
-int		getrrsetbyname(const char *, unsigned int, unsigned int, unsigned int, struct rrsetinfo **);
-void		freerrset(struct rrsetinfo *);
-
-#endif /* !defined(HAVE_GETRRSETBYNAME) */
-
-#endif /* _GETRRSETBYNAME_H */
diff --git a/crypto/openssh/openbsd-compat/glob.c b/crypto/openssh/openbsd-compat/glob.c
deleted file mode 100644
index b3dd2b1..0000000
--- a/crypto/openssh/openbsd-compat/glob.c
+++ /dev/null
@@ -1,873 +0,0 @@
-/*	$OpenBSD: glob.c,v 1.25 2005/08/08 08:05:34 espie Exp $ */
-/*
- * Copyright (c) 1989, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * This code is derived from software contributed to Berkeley by
- * Guido van Rossum.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* OPENBSD ORIGINAL: lib/libc/gen/glob.c */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/stat.h>
-
-#include <dirent.h>
-#include <ctype.h>
-#include <errno.h>
-#include <pwd.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#if !defined(HAVE_GLOB) || !defined(GLOB_HAS_ALTDIRFUNC) || \
-    !defined(GLOB_HAS_GL_MATCHC) || \
-    !defined(HAVE_DECL_GLOB_NOMATCH) || HAVE_DECL_GLOB_NOMATCH == 0
-
-static long
-get_arg_max(void)
-{
-#ifdef ARG_MAX
-	return(ARG_MAX);
-#elif defined(HAVE_SYSCONF) && defined(_SC_ARG_MAX)
-	return(sysconf(_SC_ARG_MAX));
-#else
-	return(256); /* XXX: arbitrary */
-#endif
-}
-
-/*
- * glob(3) -- a superset of the one defined in POSIX 1003.2.
- *
- * The [!...] convention to negate a range is supported (SysV, Posix, ksh).
- *
- * Optional extra services, controlled by flags not defined by POSIX:
- *
- * GLOB_QUOTE:
- *	Escaping convention: \ inhibits any special meaning the following
- *	character might have (except \ at end of string is retained).
- * GLOB_MAGCHAR:
- *	Set in gl_flags if pattern contained a globbing character.
- * GLOB_NOMAGIC:
- *	Same as GLOB_NOCHECK, but it will only append pattern if it did
- *	not contain any magic characters.  [Used in csh style globbing]
- * GLOB_ALTDIRFUNC:
- *	Use alternately specified directory access functions.
- * GLOB_TILDE:
- *	expand ~user/foo to the /home/dir/of/user/foo
- * GLOB_BRACE:
- *	expand {1,2}{a,b} to 1a 1b 2a 2b
- * gl_matchc:
- *	Number of matches in the current invocation of glob.
- */
-
-
-#define	DOLLAR		'$'
-#define	DOT		'.'
-#define	EOS		'\0'
-#define	LBRACKET	'['
-#define	NOT		'!'
-#define	QUESTION	'?'
-#define	QUOTE		'\\'
-#define	RANGE		'-'
-#define	RBRACKET	']'
-#define	SEP		'/'
-#define	STAR		'*'
-#undef TILDE			/* Some platforms may already define it */
-#define	TILDE		'~'
-#define	UNDERSCORE	'_'
-#define	LBRACE		'{'
-#define	RBRACE		'}'
-#define	SLASH		'/'
-#define	COMMA		','
-
-#ifndef DEBUG
-
-#define	M_QUOTE		0x8000
-#define	M_PROTECT	0x4000
-#define	M_MASK		0xffff
-#define	M_ASCII		0x00ff
-
-typedef u_short Char;
-
-#else
-
-#define	M_QUOTE		0x80
-#define	M_PROTECT	0x40
-#define	M_MASK		0xff
-#define	M_ASCII		0x7f
-
-typedef char Char;
-
-#endif
-
-
-#define	CHAR(c)		((Char)((c)&M_ASCII))
-#define	META(c)		((Char)((c)|M_QUOTE))
-#define	M_ALL		META('*')
-#define	M_END		META(']')
-#define	M_NOT		META('!')
-#define	M_ONE		META('?')
-#define	M_RNG		META('-')
-#define	M_SET		META('[')
-#define	ismeta(c)	(((c)&M_QUOTE) != 0)
-
-
-static int	 compare(const void *, const void *);
-static int	 g_Ctoc(const Char *, char *, u_int);
-static int	 g_lstat(Char *, struct stat *, glob_t *);
-static DIR	*g_opendir(Char *, glob_t *);
-static Char	*g_strchr(Char *, int);
-static int	 g_stat(Char *, struct stat *, glob_t *);
-static int	 glob0(const Char *, glob_t *);
-static int	 glob1(Char *, Char *, glob_t *, size_t *);
-static int	 glob2(Char *, Char *, Char *, Char *, Char *, Char *,
-		    glob_t *, size_t *);
-static int	 glob3(Char *, Char *, Char *, Char *, Char *, Char *,
-		    Char *, Char *, glob_t *, size_t *);
-static int	 globextend(const Char *, glob_t *, size_t *);
-static const Char *
-		 globtilde(const Char *, Char *, size_t, glob_t *);
-static int	 globexp1(const Char *, glob_t *);
-static int	 globexp2(const Char *, const Char *, glob_t *, int *);
-static int	 match(Char *, Char *, Char *);
-#ifdef DEBUG
-static void	 qprintf(const char *, Char *);
-#endif
-
-int
-glob(const char *pattern, int flags, int (*errfunc)(const char *, int),
-    glob_t *pglob)
-{
-	const u_char *patnext;
-	int c;
-	Char *bufnext, *bufend, patbuf[MAXPATHLEN];
-
-	patnext = (u_char *) pattern;
-	if (!(flags & GLOB_APPEND)) {
-		pglob->gl_pathc = 0;
-		pglob->gl_pathv = NULL;
-		if (!(flags & GLOB_DOOFFS))
-			pglob->gl_offs = 0;
-	}
-	pglob->gl_flags = flags & ~GLOB_MAGCHAR;
-	pglob->gl_errfunc = errfunc;
-	pglob->gl_matchc = 0;
-
-	bufnext = patbuf;
-	bufend = bufnext + MAXPATHLEN - 1;
-	if (flags & GLOB_NOESCAPE)
-		while (bufnext < bufend && (c = *patnext++) != EOS)
-			*bufnext++ = c;
-	else {
-		/* Protect the quoted characters. */
-		while (bufnext < bufend && (c = *patnext++) != EOS)
-			if (c == QUOTE) {
-				if ((c = *patnext++) == EOS) {
-					c = QUOTE;
-					--patnext;
-				}
-				*bufnext++ = c | M_PROTECT;
-			} else
-				*bufnext++ = c;
-	}
-	*bufnext = EOS;
-
-	if (flags & GLOB_BRACE)
-		return globexp1(patbuf, pglob);
-	else
-		return glob0(patbuf, pglob);
-}
-
-/*
- * Expand recursively a glob {} pattern. When there is no more expansion
- * invoke the standard globbing routine to glob the rest of the magic
- * characters
- */
-static int
-globexp1(const Char *pattern, glob_t *pglob)
-{
-	const Char* ptr = pattern;
-	int rv;
-
-	/* Protect a single {}, for find(1), like csh */
-	if (pattern[0] == LBRACE && pattern[1] == RBRACE && pattern[2] == EOS)
-		return glob0(pattern, pglob);
-
-	while ((ptr = (const Char *) g_strchr((Char *) ptr, LBRACE)) != NULL)
-		if (!globexp2(ptr, pattern, pglob, &rv))
-			return rv;
-
-	return glob0(pattern, pglob);
-}
-
-
-/*
- * Recursive brace globbing helper. Tries to expand a single brace.
- * If it succeeds then it invokes globexp1 with the new pattern.
- * If it fails then it tries to glob the rest of the pattern and returns.
- */
-static int
-globexp2(const Char *ptr, const Char *pattern, glob_t *pglob, int *rv)
-{
-	int     i;
-	Char   *lm, *ls;
-	const Char *pe, *pm, *pl;
-	Char    patbuf[MAXPATHLEN];
-
-	/* copy part up to the brace */
-	for (lm = patbuf, pm = pattern; pm != ptr; *lm++ = *pm++)
-		;
-	*lm = EOS;
-	ls = lm;
-
-	/* Find the balanced brace */
-	for (i = 0, pe = ++ptr; *pe; pe++)
-		if (*pe == LBRACKET) {
-			/* Ignore everything between [] */
-			for (pm = pe++; *pe != RBRACKET && *pe != EOS; pe++)
-				;
-			if (*pe == EOS) {
-				/*
-				 * We could not find a matching RBRACKET.
-				 * Ignore and just look for RBRACE
-				 */
-				pe = pm;
-			}
-		} else if (*pe == LBRACE)
-			i++;
-		else if (*pe == RBRACE) {
-			if (i == 0)
-				break;
-			i--;
-		}
-
-	/* Non matching braces; just glob the pattern */
-	if (i != 0 || *pe == EOS) {
-		*rv = glob0(patbuf, pglob);
-		return 0;
-	}
-
-	for (i = 0, pl = pm = ptr; pm <= pe; pm++) {
-		switch (*pm) {
-		case LBRACKET:
-			/* Ignore everything between [] */
-			for (pl = pm++; *pm != RBRACKET && *pm != EOS; pm++)
-				;
-			if (*pm == EOS) {
-				/*
-				 * We could not find a matching RBRACKET.
-				 * Ignore and just look for RBRACE
-				 */
-				pm = pl;
-			}
-			break;
-
-		case LBRACE:
-			i++;
-			break;
-
-		case RBRACE:
-			if (i) {
-				i--;
-				break;
-			}
-			/* FALLTHROUGH */
-		case COMMA:
-			if (i && *pm == COMMA)
-				break;
-			else {
-				/* Append the current string */
-				for (lm = ls; (pl < pm); *lm++ = *pl++)
-					;
-
-				/*
-				 * Append the rest of the pattern after the
-				 * closing brace
-				 */
-				for (pl = pe + 1; (*lm++ = *pl++) != EOS; )
-					;
-
-				/* Expand the current pattern */
-#ifdef DEBUG
-				qprintf("globexp2:", patbuf);
-#endif
-				*rv = globexp1(patbuf, pglob);
-
-				/* move after the comma, to the next string */
-				pl = pm + 1;
-			}
-			break;
-
-		default:
-			break;
-		}
-	}
-	*rv = 0;
-	return 0;
-}
-
-
-
-/*
- * expand tilde from the passwd file.
- */
-static const Char *
-globtilde(const Char *pattern, Char *patbuf, size_t patbuf_len, glob_t *pglob)
-{
-	struct passwd *pwd;
-	char *h;
-	const Char *p;
-	Char *b, *eb;
-
-	if (*pattern != TILDE || !(pglob->gl_flags & GLOB_TILDE))
-		return pattern;
-
-	/* Copy up to the end of the string or / */
-	eb = &patbuf[patbuf_len - 1];
-	for (p = pattern + 1, h = (char *) patbuf;
-	    h < (char *)eb && *p && *p != SLASH; *h++ = *p++)
-		;
-
-	*h = EOS;
-
-#if 0
-	if (h == (char *)eb)
-		return what;
-#endif
-
-	if (((char *) patbuf)[0] == EOS) {
-		/*
-		 * handle a plain ~ or ~/ by expanding $HOME
-		 * first and then trying the password file
-		 */
-#if 0
-		if (issetugid() != 0 || (h = getenv("HOME")) == NULL) {
-#endif
-		if ((getuid() != geteuid()) || (h = getenv("HOME")) == NULL) {
-			if ((pwd = getpwuid(getuid())) == NULL)
-				return pattern;
-			else
-				h = pwd->pw_dir;
-		}
-	} else {
-		/*
-		 * Expand a ~user
-		 */
-		if ((pwd = getpwnam((char*) patbuf)) == NULL)
-			return pattern;
-		else
-			h = pwd->pw_dir;
-	}
-
-	/* Copy the home directory */
-	for (b = patbuf; b < eb && *h; *b++ = *h++)
-		;
-
-	/* Append the rest of the pattern */
-	while (b < eb && (*b++ = *p++) != EOS)
-		;
-	*b = EOS;
-
-	return patbuf;
-}
-
-
-/*
- * The main glob() routine: compiles the pattern (optionally processing
- * quotes), calls glob1() to do the real pattern matching, and finally
- * sorts the list (unless unsorted operation is requested).  Returns 0
- * if things went well, nonzero if errors occurred.  It is not an error
- * to find no matches.
- */
-static int
-glob0(const Char *pattern, glob_t *pglob)
-{
-	const Char *qpatnext;
-	int c, err, oldpathc;
-	Char *bufnext, patbuf[MAXPATHLEN];
-	size_t limit = 0;
-
-	qpatnext = globtilde(pattern, patbuf, MAXPATHLEN, pglob);
-	oldpathc = pglob->gl_pathc;
-	bufnext = patbuf;
-
-	/* We don't need to check for buffer overflow any more. */
-	while ((c = *qpatnext++) != EOS) {
-		switch (c) {
-		case LBRACKET:
-			c = *qpatnext;
-			if (c == NOT)
-				++qpatnext;
-			if (*qpatnext == EOS ||
-			    g_strchr((Char *) qpatnext+1, RBRACKET) == NULL) {
-				*bufnext++ = LBRACKET;
-				if (c == NOT)
-					--qpatnext;
-				break;
-			}
-			*bufnext++ = M_SET;
-			if (c == NOT)
-				*bufnext++ = M_NOT;
-			c = *qpatnext++;
-			do {
-				*bufnext++ = CHAR(c);
-				if (*qpatnext == RANGE &&
-				    (c = qpatnext[1]) != RBRACKET) {
-					*bufnext++ = M_RNG;
-					*bufnext++ = CHAR(c);
-					qpatnext += 2;
-				}
-			} while ((c = *qpatnext++) != RBRACKET);
-			pglob->gl_flags |= GLOB_MAGCHAR;
-			*bufnext++ = M_END;
-			break;
-		case QUESTION:
-			pglob->gl_flags |= GLOB_MAGCHAR;
-			*bufnext++ = M_ONE;
-			break;
-		case STAR:
-			pglob->gl_flags |= GLOB_MAGCHAR;
-			/* collapse adjacent stars to one,
-			 * to avoid exponential behavior
-			 */
-			if (bufnext == patbuf || bufnext[-1] != M_ALL)
-				*bufnext++ = M_ALL;
-			break;
-		default:
-			*bufnext++ = CHAR(c);
-			break;
-		}
-	}
-	*bufnext = EOS;
-#ifdef DEBUG
-	qprintf("glob0:", patbuf);
-#endif
-
-	if ((err = glob1(patbuf, patbuf+MAXPATHLEN-1, pglob, &limit)) != 0)
-		return(err);
-
-	/*
-	 * If there was no match we are going to append the pattern
-	 * if GLOB_NOCHECK was specified or if GLOB_NOMAGIC was specified
-	 * and the pattern did not contain any magic characters
-	 * GLOB_NOMAGIC is there just for compatibility with csh.
-	 */
-	if (pglob->gl_pathc == oldpathc) {
-		if ((pglob->gl_flags & GLOB_NOCHECK) ||
-		    ((pglob->gl_flags & GLOB_NOMAGIC) &&
-		    !(pglob->gl_flags & GLOB_MAGCHAR)))
-			return(globextend(pattern, pglob, &limit));
-		else
-			return(GLOB_NOMATCH);
-	}
-	if (!(pglob->gl_flags & GLOB_NOSORT))
-		qsort(pglob->gl_pathv + pglob->gl_offs + oldpathc,
-		    pglob->gl_pathc - oldpathc, sizeof(char *), compare);
-	return(0);
-}
-
-static int
-compare(const void *p, const void *q)
-{
-	return(strcmp(*(char **)p, *(char **)q));
-}
-
-static int
-glob1(Char *pattern, Char *pattern_last, glob_t *pglob, size_t *limitp)
-{
-	Char pathbuf[MAXPATHLEN];
-
-	/* A null pathname is invalid -- POSIX 1003.1 sect. 2.4. */
-	if (*pattern == EOS)
-		return(0);
-	return(glob2(pathbuf, pathbuf+MAXPATHLEN-1,
-	    pathbuf, pathbuf+MAXPATHLEN-1,
-	    pattern, pattern_last, pglob, limitp));
-}
-
-/*
- * The functions glob2 and glob3 are mutually recursive; there is one level
- * of recursion for each segment in the pattern that contains one or more
- * meta characters.
- */
-static int
-glob2(Char *pathbuf, Char *pathbuf_last, Char *pathend, Char *pathend_last,
-    Char *pattern, Char *pattern_last, glob_t *pglob, size_t *limitp)
-{
-	struct stat sb;
-	Char *p, *q;
-	int anymeta;
-
-	/*
-	 * Loop over pattern segments until end of pattern or until
-	 * segment with meta character found.
-	 */
-	for (anymeta = 0;;) {
-		if (*pattern == EOS) {		/* End of pattern? */
-			*pathend = EOS;
-			if (g_lstat(pathbuf, &sb, pglob))
-				return(0);
-
-			if (((pglob->gl_flags & GLOB_MARK) &&
-			    pathend[-1] != SEP) && (S_ISDIR(sb.st_mode) ||
-			    (S_ISLNK(sb.st_mode) &&
-			    (g_stat(pathbuf, &sb, pglob) == 0) &&
-			    S_ISDIR(sb.st_mode)))) {
-				if (pathend+1 > pathend_last)
-					return (1);
-				*pathend++ = SEP;
-				*pathend = EOS;
-			}
-			++pglob->gl_matchc;
-			return(globextend(pathbuf, pglob, limitp));
-		}
-
-		/* Find end of next segment, copy tentatively to pathend. */
-		q = pathend;
-		p = pattern;
-		while (*p != EOS && *p != SEP) {
-			if (ismeta(*p))
-				anymeta = 1;
-			if (q+1 > pathend_last)
-				return (1);
-			*q++ = *p++;
-		}
-
-		if (!anymeta) {		/* No expansion, do next segment. */
-			pathend = q;
-			pattern = p;
-			while (*pattern == SEP) {
-				if (pathend+1 > pathend_last)
-					return (1);
-				*pathend++ = *pattern++;
-			}
-		} else
-			/* Need expansion, recurse. */
-			return(glob3(pathbuf, pathbuf_last, pathend,
-			    pathend_last, pattern, pattern_last,
-			    p, pattern_last, pglob, limitp));
-	}
-	/* NOTREACHED */
-}
-
-static int
-glob3(Char *pathbuf, Char *pathbuf_last, Char *pathend, Char *pathend_last,
-    Char *pattern, Char *pattern_last, Char *restpattern,
-    Char *restpattern_last, glob_t *pglob, size_t *limitp)
-{
-	struct dirent *dp;
-	DIR *dirp;
-	int err;
-	char buf[MAXPATHLEN];
-
-	/*
-	 * The readdirfunc declaration can't be prototyped, because it is
-	 * assigned, below, to two functions which are prototyped in glob.h
-	 * and dirent.h as taking pointers to differently typed opaque
-	 * structures.
-	 */
-	struct dirent *(*readdirfunc)(void *);
-
-	if (pathend > pathend_last)
-		return (1);
-	*pathend = EOS;
-	errno = 0;
-
-	if ((dirp = g_opendir(pathbuf, pglob)) == NULL) {
-		/* TODO: don't call for ENOENT or ENOTDIR? */
-		if (pglob->gl_errfunc) {
-			if (g_Ctoc(pathbuf, buf, sizeof(buf)))
-				return(GLOB_ABORTED);
-			if (pglob->gl_errfunc(buf, errno) ||
-			    pglob->gl_flags & GLOB_ERR)
-				return(GLOB_ABORTED);
-		}
-		return(0);
-	}
-
-	err = 0;
-
-	/* Search directory for matching names. */
-	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
-		readdirfunc = pglob->gl_readdir;
-	else
-		readdirfunc = (struct dirent *(*)(void *))readdir;
-	while ((dp = (*readdirfunc)(dirp))) {
-		u_char *sc;
-		Char *dc;
-
-		/* Initial DOT must be matched literally. */
-		if (dp->d_name[0] == DOT && *pattern != DOT)
-			continue;
-		dc = pathend;
-		sc = (u_char *) dp->d_name;
-		while (dc < pathend_last && (*dc++ = *sc++) != EOS)
-			;
-		if (dc >= pathend_last) {
-			*dc = EOS;
-			err = 1;
-			break;
-		}
-
-		if (!match(pathend, pattern, restpattern)) {
-			*pathend = EOS;
-			continue;
-		}
-		err = glob2(pathbuf, pathbuf_last, --dc, pathend_last,
-		    restpattern, restpattern_last, pglob, limitp);
-		if (err)
-			break;
-	}
-
-	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
-		(*pglob->gl_closedir)(dirp);
-	else
-		closedir(dirp);
-	return(err);
-}
-
-
-/*
- * Extend the gl_pathv member of a glob_t structure to accommodate a new item,
- * add the new item, and update gl_pathc.
- *
- * This assumes the BSD realloc, which only copies the block when its size
- * crosses a power-of-two boundary; for v7 realloc, this would cause quadratic
- * behavior.
- *
- * Return 0 if new item added, error code if memory couldn't be allocated.
- *
- * Invariant of the glob_t structure:
- *	Either gl_pathc is zero and gl_pathv is NULL; or gl_pathc > 0 and
- *	gl_pathv points to (gl_offs + gl_pathc + 1) items.
- */
-static int
-globextend(const Char *path, glob_t *pglob, size_t *limitp)
-{
-	char **pathv;
-	int i;
-	u_int newsize, len;
-	char *copy;
-	const Char *p;
-
-	newsize = sizeof(*pathv) * (2 + pglob->gl_pathc + pglob->gl_offs);
-	pathv = pglob->gl_pathv ? realloc((char *)pglob->gl_pathv, newsize) :
-	    malloc(newsize);
-	if (pathv == NULL) {
-		if (pglob->gl_pathv) {
-			free(pglob->gl_pathv);
-			pglob->gl_pathv = NULL;
-		}
-		return(GLOB_NOSPACE);
-	}
-
-	if (pglob->gl_pathv == NULL && pglob->gl_offs > 0) {
-		/* first time around -- clear initial gl_offs items */
-		pathv += pglob->gl_offs;
-		for (i = pglob->gl_offs; --i >= 0; )
-			*--pathv = NULL;
-	}
-	pglob->gl_pathv = pathv;
-
-	for (p = path; *p++;)
-		;
-	len = (size_t)(p - path);
-	*limitp += len;
-	if ((copy = malloc(len)) != NULL) {
-		if (g_Ctoc(path, copy, len)) {
-			free(copy);
-			return(GLOB_NOSPACE);
-		}
-		pathv[pglob->gl_offs + pglob->gl_pathc++] = copy;
-	}
-	pathv[pglob->gl_offs + pglob->gl_pathc] = NULL;
-
-	if ((pglob->gl_flags & GLOB_LIMIT) &&
-	    newsize + *limitp >= (u_int) get_arg_max()) {
-		errno = 0;
-		return(GLOB_NOSPACE);
-	}
-
-	return(copy == NULL ? GLOB_NOSPACE : 0);
-}
-
-
-/*
- * pattern matching function for filenames.  Each occurrence of the *
- * pattern causes a recursion level.
- */
-static int
-match(Char *name, Char *pat, Char *patend)
-{
-	int ok, negate_range;
-	Char c, k;
-
-	while (pat < patend) {
-		c = *pat++;
-		switch (c & M_MASK) {
-		case M_ALL:
-			if (pat == patend)
-				return(1);
-			do {
-			    if (match(name, pat, patend))
-				    return(1);
-			} while (*name++ != EOS);
-			return(0);
-		case M_ONE:
-			if (*name++ == EOS)
-				return(0);
-			break;
-		case M_SET:
-			ok = 0;
-			if ((k = *name++) == EOS)
-				return(0);
-			if ((negate_range = ((*pat & M_MASK) == M_NOT)) != EOS)
-				++pat;
-			while (((c = *pat++) & M_MASK) != M_END)
-				if ((*pat & M_MASK) == M_RNG) {
-					if (c <= k && k <= pat[1])
-						ok = 1;
-					pat += 2;
-				} else if (c == k)
-					ok = 1;
-			if (ok == negate_range)
-				return(0);
-			break;
-		default:
-			if (*name++ != c)
-				return(0);
-			break;
-		}
-	}
-	return(*name == EOS);
-}
-
-/* Free allocated data belonging to a glob_t structure. */
-void
-globfree(glob_t *pglob)
-{
-	int i;
-	char **pp;
-
-	if (pglob->gl_pathv != NULL) {
-		pp = pglob->gl_pathv + pglob->gl_offs;
-		for (i = pglob->gl_pathc; i--; ++pp)
-			if (*pp)
-				free(*pp);
-		free(pglob->gl_pathv);
-		pglob->gl_pathv = NULL;
-	}
-}
-
-static DIR *
-g_opendir(Char *str, glob_t *pglob)
-{
-	char buf[MAXPATHLEN];
-
-	if (!*str)
-		strlcpy(buf, ".", sizeof buf);
-	else {
-		if (g_Ctoc(str, buf, sizeof(buf)))
-			return(NULL);
-	}
-
-	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
-		return((*pglob->gl_opendir)(buf));
-
-	return(opendir(buf));
-}
-
-static int
-g_lstat(Char *fn, struct stat *sb, glob_t *pglob)
-{
-	char buf[MAXPATHLEN];
-
-	if (g_Ctoc(fn, buf, sizeof(buf)))
-		return(-1);
-	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
-		return((*pglob->gl_lstat)(buf, sb));
-	return(lstat(buf, sb));
-}
-
-static int
-g_stat(Char *fn, struct stat *sb, glob_t *pglob)
-{
-	char buf[MAXPATHLEN];
-
-	if (g_Ctoc(fn, buf, sizeof(buf)))
-		return(-1);
-	if (pglob->gl_flags & GLOB_ALTDIRFUNC)
-		return((*pglob->gl_stat)(buf, sb));
-	return(stat(buf, sb));
-}
-
-static Char *
-g_strchr(Char *str, int ch)
-{
-	do {
-		if (*str == ch)
-			return (str);
-	} while (*str++);
-	return (NULL);
-}
-
-static int
-g_Ctoc(const Char *str, char *buf, u_int len)
-{
-
-	while (len--) {
-		if ((*buf++ = *str++) == EOS)
-			return (0);
-	}
-	return (1);
-}
-
-#ifdef DEBUG
-static void
-qprintf(const char *str, Char *s)
-{
-	Char *p;
-
-	(void)printf("%s:\n", str);
-	for (p = s; *p; p++)
-		(void)printf("%c", CHAR(*p));
-	(void)printf("\n");
-	for (p = s; *p; p++)
-		(void)printf("%c", *p & M_PROTECT ? '"' : ' ');
-	(void)printf("\n");
-	for (p = s; *p; p++)
-		(void)printf("%c", ismeta(*p) ? '_' : ' ');
-	(void)printf("\n");
-}
-#endif
-
-#endif /* !defined(HAVE_GLOB) || !defined(GLOB_HAS_ALTDIRFUNC) ||
-          !defined(GLOB_HAS_GL_MATCHC) */
-
diff --git a/crypto/openssh/openbsd-compat/glob.h b/crypto/openssh/openbsd-compat/glob.h
deleted file mode 100644
index 9ba07f7..0000000
--- a/crypto/openssh/openbsd-compat/glob.h
+++ /dev/null
@@ -1,100 +0,0 @@
-/*	$OpenBSD: glob.h,v 1.9 2004/10/07 16:56:11 millert Exp $	*/
-/*	$NetBSD: glob.h,v 1.5 1994/10/26 00:55:56 cgd Exp $	*/
-
-/*
- * Copyright (c) 1989, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * This code is derived from software contributed to Berkeley by
- * Guido van Rossum.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- *	@(#)glob.h	8.1 (Berkeley) 6/2/93
- */
-
-/* OPENBSD ORIGINAL: include/glob.h */
-
-#if !defined(HAVE_GLOB_H) || !defined(GLOB_HAS_ALTDIRFUNC) || \
-    !defined(GLOB_HAS_GL_MATCHC) || \
-    !defined(HAVE_DECL_GLOB_NOMATCH) || HAVE_DECL_GLOB_NOMATCH == 0
-
-#ifndef _GLOB_H_
-#define	_GLOB_H_
-
-struct stat;
-typedef struct {
-	int gl_pathc;		/* Count of total paths so far. */
-	int gl_matchc;		/* Count of paths matching pattern. */
-	int gl_offs;		/* Reserved at beginning of gl_pathv. */
-	int gl_flags;		/* Copy of flags parameter to glob. */
-	char **gl_pathv;	/* List of paths matching pattern. */
-				/* Copy of errfunc parameter to glob. */
-	int (*gl_errfunc)(const char *, int);
-
-	/*
-	 * Alternate filesystem access methods for glob; replacement
-	 * versions of closedir(3), readdir(3), opendir(3), stat(2)
-	 * and lstat(2).
-	 */
-	void (*gl_closedir)(void *);
-	struct dirent *(*gl_readdir)(void *);	
-	void *(*gl_opendir)(const char *);
-	int (*gl_lstat)(const char *, struct stat *);
-	int (*gl_stat)(const char *, struct stat *);
-} glob_t;
-
-/* Flags */
-#define	GLOB_APPEND	0x0001	/* Append to output from previous call. */
-#define	GLOB_DOOFFS	0x0002	/* Use gl_offs. */
-#define	GLOB_ERR	0x0004	/* Return on error. */
-#define	GLOB_MARK	0x0008	/* Append / to matching directories. */
-#define	GLOB_NOCHECK	0x0010	/* Return pattern itself if nothing matches. */
-#define	GLOB_NOSORT	0x0020	/* Don't sort. */
-#define	GLOB_NOESCAPE	0x1000	/* Disable backslash escaping. */
-
-#define	GLOB_ALTDIRFUNC	0x0040	/* Use alternately specified directory funcs. */
-#define	GLOB_BRACE	0x0080	/* Expand braces ala csh. */
-#define	GLOB_MAGCHAR	0x0100	/* Pattern had globbing characters. */
-#define	GLOB_NOMAGIC	0x0200	/* GLOB_NOCHECK without magic chars (csh). */
-#define	GLOB_QUOTE	0x0400	/* Quote special chars with \. */
-#define	GLOB_TILDE	0x0800	/* Expand tilde names from the passwd file. */
-#define GLOB_LIMIT	0x2000	/* Limit pattern match output to ARG_MAX */
-
-/* Error values returned by glob(3) */
-#define	GLOB_NOSPACE	(-1)	/* Malloc call failed. */
-#define	GLOB_ABORTED	(-2)	/* Unignored error. */
-#define	GLOB_NOMATCH	(-3)	/* No match and GLOB_NOCHECK not set. */
-#define	GLOB_NOSYS	(-4)	/* Function not supported. */
-#define GLOB_ABEND	GLOB_ABORTED
-
-int	glob(const char *, int, int (*)(const char *, int), glob_t *);
-void	globfree(glob_t *);
-
-#endif /* !_GLOB_H_ */
-
-#endif /* !defined(HAVE_GLOB_H) || !defined(GLOB_HAS_ALTDIRFUNC)  ||
-	  !defined(GLOB_HAS_GL_MATCHC */
-
diff --git a/crypto/openssh/openbsd-compat/inet_aton.c b/crypto/openssh/openbsd-compat/inet_aton.c
deleted file mode 100644
index 130597e..0000000
--- a/crypto/openssh/openbsd-compat/inet_aton.c
+++ /dev/null
@@ -1,179 +0,0 @@
-/*	$OpenBSD: inet_addr.c,v 1.9 2005/08/06 20:30:03 espie Exp $	*/
-
-/*
- * Copyright (c) 1983, 1990, 1993
- *    The Regents of the University of California.  All rights reserved.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- * 
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * -
- * Portions Copyright (c) 1993 by Digital Equipment Corporation.
- * 
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies, and that
- * the name of Digital Equipment Corporation not be used in advertising or
- * publicity pertaining to distribution of the document or software without
- * specific, written prior permission.
- * 
- * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS.   IN NO EVENT SHALL DIGITAL EQUIPMENT
- * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- * -
- * --Copyright--
- */
-
-/* OPENBSD ORIGINAL: lib/libc/net/inet_addr.c */
-
-#include "includes.h"
-
-#if !defined(HAVE_INET_ATON)
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <ctype.h>
-
-#if 0
-/*
- * Ascii internet address interpretation routine.
- * The value returned is in network order.
- */
-in_addr_t
-inet_addr(const char *cp)
-{
-	struct in_addr val;
-
-	if (inet_aton(cp, &val))
-		return (val.s_addr);
-	return (INADDR_NONE);
-}
-#endif
-
-/* 
- * Check whether "cp" is a valid ascii representation
- * of an Internet address and convert to a binary address.
- * Returns 1 if the address is valid, 0 if not.
- * This replaces inet_addr, the return value from which
- * cannot distinguish between failure and a local broadcast address.
- */
-int
-inet_aton(const char *cp, struct in_addr *addr)
-{
-	u_int32_t val;
-	int base, n;
-	char c;
-	u_int parts[4];
-	u_int *pp = parts;
-
-	c = *cp;
-	for (;;) {
-		/*
-		 * Collect number up to ``.''.
-		 * Values are specified as for C:
-		 * 0x=hex, 0=octal, isdigit=decimal.
-		 */
-		if (!isdigit(c))
-			return (0);
-		val = 0; base = 10;
-		if (c == '0') {
-			c = *++cp;
-			if (c == 'x' || c == 'X')
-				base = 16, c = *++cp;
-			else
-				base = 8;
-		}
-		for (;;) {
-			if (isascii(c) && isdigit(c)) {
-				val = (val * base) + (c - '0');
-				c = *++cp;
-			} else if (base == 16 && isascii(c) && isxdigit(c)) {
-				val = (val << 4) |
-					(c + 10 - (islower(c) ? 'a' : 'A'));
-				c = *++cp;
-			} else
-				break;
-		}
-		if (c == '.') {
-			/*
-			 * Internet format:
-			 *	a.b.c.d
-			 *	a.b.c	(with c treated as 16 bits)
-			 *	a.b	(with b treated as 24 bits)
-			 */
-			if (pp >= parts + 3)
-				return (0);
-			*pp++ = val;
-			c = *++cp;
-		} else
-			break;
-	}
-	/*
-	 * Check for trailing characters.
-	 */
-	if (c != '\0' && (!isascii(c) || !isspace(c)))
-		return (0);
-	/*
-	 * Concoct the address according to
-	 * the number of parts specified.
-	 */
-	n = pp - parts + 1;
-	switch (n) {
-
-	case 0:
-		return (0);		/* initial nondigit */
-
-	case 1:				/* a -- 32 bits */
-		break;
-
-	case 2:				/* a.b -- 8.24 bits */
-		if ((val > 0xffffff) || (parts[0] > 0xff))
-			return (0);
-		val |= parts[0] << 24;
-		break;
-
-	case 3:				/* a.b.c -- 8.8.16 bits */
-		if ((val > 0xffff) || (parts[0] > 0xff) || (parts[1] > 0xff))
-			return (0);
-		val |= (parts[0] << 24) | (parts[1] << 16);
-		break;
-
-	case 4:				/* a.b.c.d -- 8.8.8.8 bits */
-		if ((val > 0xff) || (parts[0] > 0xff) || (parts[1] > 0xff) || (parts[2] > 0xff))
-			return (0);
-		val |= (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8);
-		break;
-	}
-	if (addr)
-		addr->s_addr = htonl(val);
-	return (1);
-}
-
-#endif /* !defined(HAVE_INET_ATON) */
diff --git a/crypto/openssh/openbsd-compat/inet_ntoa.c b/crypto/openssh/openbsd-compat/inet_ntoa.c
deleted file mode 100644
index 0eb7b3b..0000000
--- a/crypto/openssh/openbsd-compat/inet_ntoa.c
+++ /dev/null
@@ -1,59 +0,0 @@
-/*	$OpenBSD: inet_ntoa.c,v 1.6 2005/08/06 20:30:03 espie Exp $ */
-/*
- * Copyright (c) 1983, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* OPENBSD ORIGINAL: lib/libc/net/inet_ntoa.c */
-
-#include "includes.h"
-
-#if defined(BROKEN_INET_NTOA) || !defined(HAVE_INET_NTOA)
-
-/*
- * Convert network-format internet address
- * to base 256 d.d.d.d representation.
- */
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <stdio.h>
-
-char *
-inet_ntoa(struct in_addr in)
-{
-	static char b[18];
-	char *p;
-
-	p = (char *)&in;
-#define	UC(b)	(((int)b)&0xff)
-	(void)snprintf(b, sizeof(b),
-	    "%u.%u.%u.%u", UC(p[0]), UC(p[1]), UC(p[2]), UC(p[3]));
-	return (b);
-}
-
-#endif /* defined(BROKEN_INET_NTOA) || !defined(HAVE_INET_NTOA) */
diff --git a/crypto/openssh/openbsd-compat/inet_ntop.c b/crypto/openssh/openbsd-compat/inet_ntop.c
deleted file mode 100644
index e7ca4b7..0000000
--- a/crypto/openssh/openbsd-compat/inet_ntop.c
+++ /dev/null
@@ -1,211 +0,0 @@
-/*	$OpenBSD: inet_ntop.c,v 1.7 2005/08/06 20:30:03 espie Exp $	*/
-
-/* Copyright (c) 1996 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
- * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-/* OPENBSD ORIGINAL: lib/libc/net/inet_ntop.c */
-
-#include "includes.h"
-
-#ifndef HAVE_INET_NTOP
-
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-#include <string.h>
-#include <errno.h>
-#include <stdio.h>
-
-#ifndef IN6ADDRSZ
-#define IN6ADDRSZ   16   /* IPv6 T_AAAA */                 
-#endif
-
-#ifndef INT16SZ
-#define INT16SZ     2    /* for systems without 16-bit ints */
-#endif
-
-/*
- * WARNING: Don't even consider trying to compile this on a system where
- * sizeof(int) < 4.  sizeof(int) > 4 is fine; all the world's not a VAX.
- */
-
-static const char *inet_ntop4(const u_char *src, char *dst, size_t size);
-static const char *inet_ntop6(const u_char *src, char *dst, size_t size);
-
-/* char *
- * inet_ntop(af, src, dst, size)
- *	convert a network format address to presentation format.
- * return:
- *	pointer to presentation format address (`dst'), or NULL (see errno).
- * author:
- *	Paul Vixie, 1996.
- */
-const char *
-inet_ntop(int af, const void *src, char *dst, size_t size)
-{
-	switch (af) {
-	case AF_INET:
-		return (inet_ntop4(src, dst, size));
-	case AF_INET6:
-		return (inet_ntop6(src, dst, size));
-	default:
-		errno = EAFNOSUPPORT;
-		return (NULL);
-	}
-	/* NOTREACHED */
-}
-
-/* const char *
- * inet_ntop4(src, dst, size)
- *	format an IPv4 address, more or less like inet_ntoa()
- * return:
- *	`dst' (as a const)
- * notes:
- *	(1) uses no statics
- *	(2) takes a u_char* not an in_addr as input
- * author:
- *	Paul Vixie, 1996.
- */
-static const char *
-inet_ntop4(const u_char *src, char *dst, size_t size)
-{
-	static const char fmt[] = "%u.%u.%u.%u";
-	char tmp[sizeof "255.255.255.255"];
-	int l;
-
-	l = snprintf(tmp, size, fmt, src[0], src[1], src[2], src[3]);
-	if (l <= 0 || l >= size) {
-		errno = ENOSPC;
-		return (NULL);
-	}
-	strlcpy(dst, tmp, size);
-	return (dst);
-}
-
-/* const char *
- * inet_ntop6(src, dst, size)
- *	convert IPv6 binary address into presentation (printable) format
- * author:
- *	Paul Vixie, 1996.
- */
-static const char *
-inet_ntop6(const u_char *src, char *dst, size_t size)
-{
-	/*
-	 * Note that int32_t and int16_t need only be "at least" large enough
-	 * to contain a value of the specified size.  On some systems, like
-	 * Crays, there is no such thing as an integer variable with 16 bits.
-	 * Keep this in mind if you think this function should have been coded
-	 * to use pointer overlays.  All the world's not a VAX.
-	 */
-	char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255"];
-	char *tp, *ep;
-	struct { int base, len; } best, cur;
-	u_int words[IN6ADDRSZ / INT16SZ];
-	int i;
-	int advance;
-
-	/*
-	 * Preprocess:
-	 *	Copy the input (bytewise) array into a wordwise array.
-	 *	Find the longest run of 0x00's in src[] for :: shorthanding.
-	 */
-	memset(words, '\0', sizeof words);
-	for (i = 0; i < IN6ADDRSZ; i++)
-		words[i / 2] |= (src[i] << ((1 - (i % 2)) << 3));
-	best.base = -1;
-	cur.base = -1;
-	for (i = 0; i < (IN6ADDRSZ / INT16SZ); i++) {
-		if (words[i] == 0) {
-			if (cur.base == -1)
-				cur.base = i, cur.len = 1;
-			else
-				cur.len++;
-		} else {
-			if (cur.base != -1) {
-				if (best.base == -1 || cur.len > best.len)
-					best = cur;
-				cur.base = -1;
-			}
-		}
-	}
-	if (cur.base != -1) {
-		if (best.base == -1 || cur.len > best.len)
-			best = cur;
-	}
-	if (best.base != -1 && best.len < 2)
-		best.base = -1;
-
-	/*
-	 * Format the result.
-	 */
-	tp = tmp;
-	ep = tmp + sizeof(tmp);
-	for (i = 0; i < (IN6ADDRSZ / INT16SZ) && tp < ep; i++) {
-		/* Are we inside the best run of 0x00's? */
-		if (best.base != -1 && i >= best.base &&
-		    i < (best.base + best.len)) {
-			if (i == best.base) {
-				if (tp + 1 >= ep)
-					return (NULL);
-				*tp++ = ':';
-			}
-			continue;
-		}
-		/* Are we following an initial run of 0x00s or any real hex? */
-		if (i != 0) {
-			if (tp + 1 >= ep)
-				return (NULL);
-			*tp++ = ':';
-		}
-		/* Is this address an encapsulated IPv4? */
-		if (i == 6 && best.base == 0 &&
-		    (best.len == 6 || (best.len == 5 && words[5] == 0xffff))) {
-			if (!inet_ntop4(src+12, tp, (size_t)(ep - tp)))
-				return (NULL);
-			tp += strlen(tp);
-			break;
-		}
-		advance = snprintf(tp, ep - tp, "%x", words[i]);
-		if (advance <= 0 || advance >= ep - tp)
-			return (NULL);
-		tp += advance;
-	}
-	/* Was it a trailing run of 0x00's? */
-	if (best.base != -1 && (best.base + best.len) == (IN6ADDRSZ / INT16SZ)) {
-		if (tp + 1 >= ep)
-			return (NULL);
-		*tp++ = ':';
-	}
-	if (tp + 1 >= ep)
-		return (NULL);
-	*tp++ = '\0';
-
-	/*
-	 * Check for overflow, copy, and we're done.
-	 */
-	if ((size_t)(tp - tmp) > size) {
-		errno = ENOSPC;
-		return (NULL);
-	}
-	strlcpy(dst, tmp, size);
-	return (dst);
-}
-
-#endif /* !HAVE_INET_NTOP */
diff --git a/crypto/openssh/openbsd-compat/mktemp.c b/crypto/openssh/openbsd-compat/mktemp.c
deleted file mode 100644
index 2285c84..0000000
--- a/crypto/openssh/openbsd-compat/mktemp.c
+++ /dev/null
@@ -1,178 +0,0 @@
-/* THIS FILE HAS BEEN MODIFIED FROM THE ORIGINAL OPENBSD SOURCE */
-/* Changes: Removed mktemp */
-
-/*	$OpenBSD: mktemp.c,v 1.19 2005/08/08 08:05:36 espie Exp $ */
-/*
- * Copyright (c) 1987, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* OPENBSD ORIGINAL: lib/libc/stdio/mktemp.c */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/stat.h>
-
-#include <fcntl.h>
-#include <ctype.h>
-#include <errno.h>
-#include <unistd.h>
-
-#if !defined(HAVE_MKDTEMP) || defined(HAVE_STRICT_MKSTEMP)
-
-static int _gettemp(char *, int *, int, int);
-
-int
-mkstemps(char *path, int slen)
-{
-	int fd;
-
-	return (_gettemp(path, &fd, 0, slen) ? fd : -1);
-}
-
-int
-mkstemp(char *path)
-{
-	int fd;
-
-	return (_gettemp(path, &fd, 0, 0) ? fd : -1);
-}
-
-char *
-mkdtemp(char *path)
-{
-	return(_gettemp(path, (int *)NULL, 1, 0) ? path : (char *)NULL);
-}
-
-static int
-_gettemp(path, doopen, domkdir, slen)
-	char *path;
-	register int *doopen;
-	int domkdir;
-	int slen;
-{
-	register char *start, *trv, *suffp;
-	struct stat sbuf;
-	int rval;
-	pid_t pid;
-
-	if (doopen && domkdir) {
-		errno = EINVAL;
-		return(0);
-	}
-
-	for (trv = path; *trv; ++trv)
-		;
-	trv -= slen;
-	suffp = trv;
-	--trv;
-	if (trv < path) {
-		errno = EINVAL;
-		return (0);
-	}
-	pid = getpid();
-	while (trv >= path && *trv == 'X' && pid != 0) {
-		*trv-- = (pid % 10) + '0';
-		pid /= 10;
-	}
-	while (trv >= path && *trv == 'X') {
-		char c;
-
-		pid = (arc4random() & 0xffff) % (26+26);
-		if (pid < 26)
-			c = pid + 'A';
-		else
-			c = (pid - 26) + 'a';
-		*trv-- = c;
-	}
-	start = trv + 1;
-
-	/*
-	 * check the target directory; if you have six X's and it
-	 * doesn't exist this runs for a *very* long time.
-	 */
-	if (doopen || domkdir) {
-		for (;; --trv) {
-			if (trv <= path)
-				break;
-			if (*trv == '/') {
-				*trv = '\0';
-				rval = stat(path, &sbuf);
-				*trv = '/';
-				if (rval != 0)
-					return(0);
-				if (!S_ISDIR(sbuf.st_mode)) {
-					errno = ENOTDIR;
-					return(0);
-				}
-				break;
-			}
-		}
-	}
-
-	for (;;) {
-		if (doopen) {
-			if ((*doopen =
-			    open(path, O_CREAT|O_EXCL|O_RDWR, 0600)) >= 0)
-				return(1);
-			if (errno != EEXIST)
-				return(0);
-		} else if (domkdir) {
-			if (mkdir(path, 0700) == 0)
-				return(1);
-			if (errno != EEXIST)
-				return(0);
-		} else if (lstat(path, &sbuf))
-			return(errno == ENOENT ? 1 : 0);
-
-		/* tricky little algorithm for backward compatibility */
-		for (trv = start;;) {
-			if (!*trv)
-				return (0);
-			if (*trv == 'Z') {
-				if (trv == suffp)
-					return (0);
-				*trv++ = 'a';
-			} else {
-				if (isdigit(*trv))
-					*trv = 'a';
-				else if (*trv == 'z')	/* inc from z to A */
-					*trv = 'A';
-				else {
-					if (trv == suffp)
-						return (0);
-					++*trv;
-				}
-				break;
-			}
-		}
-	}
-	/*NOTREACHED*/
-}
-
-#endif /* !defined(HAVE_MKDTEMP) || defined(HAVE_STRICT_MKSTEMP) */
diff --git a/crypto/openssh/openbsd-compat/openbsd-compat.h b/crypto/openssh/openbsd-compat/openbsd-compat.h
deleted file mode 100644
index aac2e6c..0000000
--- a/crypto/openssh/openbsd-compat/openbsd-compat.h
+++ /dev/null
@@ -1,206 +0,0 @@
-/* $Id: openbsd-compat.h,v 1.42 2006/09/03 12:44:50 dtucker Exp $ */
-
-/*
- * Copyright (c) 1999-2003 Damien Miller.  All rights reserved.
- * Copyright (c) 2003 Ben Lindstrom. All rights reserved.
- * Copyright (c) 2002 Tim Rice.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef _OPENBSD_COMPAT_H
-#define _OPENBSD_COMPAT_H
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <pwd.h>
-
-#include <sys/socket.h>
-
-/* OpenBSD function replacements */
-#include "base64.h"
-#include "sigact.h"
-#include "glob.h"
-#include "readpassphrase.h"
-#include "vis.h"
-#include "getrrsetbyname.h"
-#include "sha2.h"
-
-#ifndef HAVE_BASENAME
-char *basename(const char *path);
-#endif
-
-#ifndef HAVE_BINDRESVPORT_SA
-int bindresvport_sa(int sd, struct sockaddr *sa);
-#endif
-
-#ifndef HAVE_CLOSEFROM
-void closefrom(int);
-#endif
-
-#ifndef HAVE_GETCWD
-char *getcwd(char *pt, size_t size);
-#endif 
-
-#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
-char *realpath(const char *path, char *resolved);
-#endif 
-
-#ifndef HAVE_RRESVPORT_AF
-int rresvport_af(int *alport, sa_family_t af);
-#endif
-
-#ifndef HAVE_STRLCPY
-/* #include <sys/types.h> XXX Still needed? */
-size_t strlcpy(char *dst, const char *src, size_t siz);
-#endif
-
-#ifndef HAVE_STRLCAT
-/* #include <sys/types.h> XXX Still needed? */
-size_t strlcat(char *dst, const char *src, size_t siz);
-#endif 
-
-#ifndef HAVE_SETENV
-int setenv(register const char *name, register const char *value, int rewrite);
-#endif
-
-#ifndef HAVE_STRMODE
-void strmode(int mode, char *p);
-#endif
-
-#if !defined(HAVE_MKDTEMP) || defined(HAVE_STRICT_MKSTEMP)
-int mkstemps(char *path, int slen);
-int mkstemp(char *path);
-char *mkdtemp(char *path);
-#endif 
-
-#ifndef HAVE_DAEMON
-int daemon(int nochdir, int noclose);
-#endif 
-
-#ifndef HAVE_DIRNAME
-char *dirname(const char *path);
-#endif
-
-#if defined(BROKEN_INET_NTOA) || !defined(HAVE_INET_NTOA)
-char *inet_ntoa(struct in_addr in);
-#endif
-
-#ifndef HAVE_INET_NTOP
-const char *inet_ntop(int af, const void *src, char *dst, size_t size);
-#endif
-
-#ifndef HAVE_INET_ATON
-int inet_aton(const char *cp, struct in_addr *addr);
-#endif 
-
-#ifndef HAVE_STRSEP
-char *strsep(char **stringp, const char *delim);
-#endif
-
-#ifndef HAVE_SETPROCTITLE
-void setproctitle(const char *fmt, ...);
-void compat_init_setproctitle(int argc, char *argv[]);
-#endif
-
-#ifndef HAVE_GETGROUPLIST
-/* #include <grp.h> XXXX Still needed ? */
-int getgrouplist(const char *, gid_t, gid_t *, int *);
-#endif
-
-#if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET)
-int BSDgetopt(int argc, char * const *argv, const char *opts);
-#endif
-
-#if defined(HAVE_DECL_WRITEV) && HAVE_DECL_WRITEV == 0
-# include <sys/types.h>
-# include <sys/uio.h>
-int writev(int, struct iovec *, int);
-#endif
-
-/* Home grown routines */
-#include "bsd-misc.h"
-#include "bsd-waitpid.h"
-
-#ifndef HAVE_GETPEEREID
-int getpeereid(int , uid_t *, gid_t *);
-#endif 
-
-#ifndef HAVE_ARC4RANDOM
-unsigned int arc4random(void);
-void arc4random_stir(void);
-#endif /* !HAVE_ARC4RANDOM */
-
-#ifndef HAVE_ASPRINTF
-int asprintf(char **, const char *, ...);
-#endif 
-
-#ifndef HAVE_OPENPTY
-# include <sys/ioctl.h>	/* for struct winsize */
-int openpty(int *, int *, char *, struct termios *, struct winsize *);
-#endif /* HAVE_OPENPTY */
-
-/* #include <sys/types.h> XXX needed? For size_t */
-
-#ifndef HAVE_SNPRINTF
-int snprintf(char *, size_t, SNPRINTF_CONST char *, ...);
-#endif 
-
-#ifndef HAVE_STRTOLL
-long long strtoll(const char *, char **, int);
-#endif
-
-#ifndef HAVE_STRTONUM
-long long strtonum(const char *, long long, long long, const char **);
-#endif
-
-#if !defined(HAVE_VASPRINTF) || !defined(HAVE_VSNPRINTF)
-# include <stdarg.h>
-#endif
-
-#ifndef HAVE_VASPRINTF
-int vasprintf(char **, const char *, va_list);
-#endif
-
-#ifndef HAVE_VSNPRINTF
-int vsnprintf(char *, size_t, const char *, va_list);
-#endif
-
-void *xmmap(size_t size);
-char *xcrypt(const char *password, const char *salt);
-char *shadow_pw(struct passwd *pw);
-
-/* rfc2553 socket API replacements */
-#include "fake-rfc2553.h"
-
-/* Routines for a single OS platform */
-#include "bsd-cray.h"
-#include "bsd-cygwin_util.h"
-
-#include "port-aix.h"
-#include "port-irix.h"
-#include "port-linux.h"
-#include "port-solaris.h"
-#include "port-tun.h"
-#include "port-uw.h"
-
-#endif /* _OPENBSD_COMPAT_H */
diff --git a/crypto/openssh/openbsd-compat/openssl-compat.c b/crypto/openssh/openbsd-compat/openssl-compat.c
deleted file mode 100644
index 45ebd3f..0000000
--- a/crypto/openssh/openbsd-compat/openssl-compat.c
+++ /dev/null
@@ -1,62 +0,0 @@
-/* $Id: openssl-compat.c,v 1.4 2006/02/22 11:24:47 dtucker Exp $ */
-
-/*
- * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER
- * IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
- * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "includes.h"
-
-#ifdef USE_OPENSSL_ENGINE
-# include <openssl/engine.h>
-#endif
-
-#define SSH_DONT_OVERLOAD_OPENSSL_FUNCS
-#include "openssl-compat.h"
-
-#ifdef SSH_OLD_EVP
-int
-ssh_EVP_CipherInit(EVP_CIPHER_CTX *evp, const EVP_CIPHER *type,
-    unsigned char *key, unsigned char *iv, int enc)
-{
-	EVP_CipherInit(evp, type, key, iv, enc);
-	return 1;
-}
-
-int
-ssh_EVP_Cipher(EVP_CIPHER_CTX *evp, char *dst, char *src, int len)
-{
-	EVP_Cipher(evp, dst, src, len);
-	return 1;
-}
-
-int
-ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *evp)
-{
-	EVP_CIPHER_CTX_cleanup(evp);
-	return 1;
-}
-#endif
-
-#ifdef	USE_OPENSSL_ENGINE
-void
-ssh_SSLeay_add_all_algorithms(void)
-{
-	SSLeay_add_all_algorithms();
-
-	/* Enable use of crypto hardware */
-	ENGINE_load_builtin_engines();
-	ENGINE_register_all_complete();
-}
-#endif
diff --git a/crypto/openssh/openbsd-compat/openssl-compat.h b/crypto/openssh/openbsd-compat/openssl-compat.h
deleted file mode 100644
index c582cd2..0000000
--- a/crypto/openssh/openbsd-compat/openssl-compat.h
+++ /dev/null
@@ -1,80 +0,0 @@
-/* $Id: openssl-compat.h,v 1.6 2006/02/22 11:24:47 dtucker Exp $ */
-
-/*
- * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER
- * IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
- * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "includes.h"
-#include <openssl/evp.h>
-
-#if OPENSSL_VERSION_NUMBER < 0x00906000L
-# define SSH_OLD_EVP
-# define EVP_CIPHER_CTX_get_app_data(e)		((e)->app_data)
-#endif
-
-#if (OPENSSL_VERSION_NUMBER < 0x00907000L) || defined(OPENSSL_LOBOTOMISED_AES)
-# define USE_BUILTIN_RIJNDAEL
-#endif
-
-#ifdef USE_BUILTIN_RIJNDAEL
-# define EVP_aes_128_cbc evp_rijndael
-# define EVP_aes_192_cbc evp_rijndael
-# define EVP_aes_256_cbc evp_rijndael
-extern const EVP_CIPHER *evp_rijndael(void);
-extern void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
-#endif
-
-#if !defined(EVP_CTRL_SET_ACSS_MODE)
-# if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
-#  define USE_CIPHER_ACSS 1
-extern const EVP_CIPHER *evp_acss(void);
-#  define EVP_acss evp_acss
-# else
-#  define EVP_acss NULL
-# endif
-#endif
-
-/*
- * We overload some of the OpenSSL crypto functions with ssh_* equivalents
- * which cater for older and/or less featureful OpenSSL version.
- *
- * In order for the compat library to call the real functions, it must
- * define SSH_DONT_OVERLOAD_OPENSSL_FUNCS before including this file and
- * implement the ssh_* equivalents.
- */
-#ifndef SSH_DONT_OVERLOAD_OPENSSL_FUNCS
-
-# ifdef SSH_OLD_EVP
-#  ifdef EVP_Cipher
-#   undef EVP_Cipher
-#  endif
-#  define EVP_CipherInit(a,b,c,d,e)	ssh_EVP_CipherInit((a),(b),(c),(d),(e))
-#  define EVP_Cipher(a,b,c,d)		ssh_EVP_Cipher((a),(b),(c),(d))
-#  define EVP_CIPHER_CTX_cleanup(a)	ssh_EVP_CIPHER_CTX_cleanup((a))
-# endif /* SSH_OLD_EVP */
-
-# ifdef USE_OPENSSL_ENGINE
-#  ifdef SSLeay_add_all_algorithms
-#   undef SSLeay_add_all_algorithms
-#  endif
-#  define SSLeay_add_all_algorithms()	ssh_SSLeay_add_all_algorithms()
-#endif
-
-int ssh_EVP_CipherInit(EVP_CIPHER_CTX *, const EVP_CIPHER *, unsigned char *,
-    unsigned char *, int);
-int ssh_EVP_Cipher(EVP_CIPHER_CTX *, char *, char *, int);
-int ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *);
-void ssh_SSLeay_add_all_algorithms(void);
-#endif	/* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */
diff --git a/crypto/openssh/openbsd-compat/port-aix.c b/crypto/openssh/openbsd-compat/port-aix.c
deleted file mode 100644
index b9fabf6..0000000
--- a/crypto/openssh/openbsd-compat/port-aix.c
+++ /dev/null
@@ -1,397 +0,0 @@
-/*
- *
- * Copyright (c) 2001 Gert Doering.  All rights reserved.
- * Copyright (c) 2003,2004,2005 Darren Tucker.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- */
-#include "includes.h"
-
-#include "xmalloc.h"
-#include "buffer.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "ssh.h"
-#include "log.h"
-
-#ifdef _AIX
-
-#include <errno.h>
-#if defined(HAVE_NETDB_H)
-# include <netdb.h>
-#endif
-#include <uinfo.h>
-#include <stdarg.h>
-#include <string.h>
-#include <unistd.h>
-#include <sys/socket.h>
-
-#ifdef WITH_AIXAUTHENTICATE
-# include <login.h>
-# include <userpw.h>
-# if defined(HAVE_SYS_AUDIT_H) && defined(AIX_LOGINFAILED_4ARG)
-#  include <sys/audit.h>
-# endif
-# include <usersec.h>
-#endif
-
-#include "port-aix.h"
-
-# ifdef HAVE_SETAUTHDB
-static char old_registry[REGISTRY_SIZE] = "";
-# endif
-
-/*
- * AIX has a "usrinfo" area where logname and other stuff is stored -
- * a few applications actually use this and die if it's not set
- *
- * NOTE: TTY= should be set, but since no one uses it and it's hard to
- * acquire due to privsep code.  We will just drop support.
- */
-void
-aix_usrinfo(struct passwd *pw)
-{
-	u_int i;
-	size_t len;
-	char *cp;
-
-	len = sizeof("LOGNAME= NAME= ") + (2 * strlen(pw->pw_name));
-	cp = xmalloc(len);
-
-	i = snprintf(cp, len, "LOGNAME=%s%cNAME=%s%c", pw->pw_name, '\0',
-	    pw->pw_name, '\0');
-	if (usrinfo(SETUINFO, cp, i) == -1)
-		fatal("Couldn't set usrinfo: %s", strerror(errno));
-	debug3("AIX/UsrInfo: set len %d", i);
-
-	xfree(cp);
-}
-
-# ifdef WITH_AIXAUTHENTICATE
-/*
- * Remove embedded newlines in string (if any).
- * Used before logging messages returned by AIX authentication functions
- * so the message is logged on one line.
- */
-void
-aix_remove_embedded_newlines(char *p)
-{
-	if (p == NULL)
-		return;
-
-	for (; *p; p++) {
-		if (*p == '\n')
-			*p = ' ';
-	}
-	/* Remove trailing whitespace */
-	if (*--p == ' ')
-		*p = '\0';
-}
-
-/*
- * Test specifically for the case where SYSTEM == NONE and AUTH1 contains
- * anything other than NONE or SYSTEM, which indicates that the admin has
- * configured the account for purely AUTH1-type authentication.
- *
- * Since authenticate() doesn't check AUTH1, and sshd can't sanely support
- * AUTH1 itself, in such a case authenticate() will allow access without
- * authentation, which is almost certainly not what the admin intends.
- *
- * (The native tools, eg login, will process the AUTH1 list in addition to
- * the SYSTEM list by using ckuserID(), however ckuserID() and AUTH1 methods
- * have been deprecated since AIX 4.2.x and would be very difficult for sshd
- * to support.
- *
- * Returns 0 if an unsupportable combination is found, 1 otherwise.
- */
-static int
-aix_valid_authentications(const char *user)
-{
-	char *auth1, *sys, *p;
-	int valid = 1;
-
-	if (getuserattr((char *)user, S_AUTHSYSTEM, &sys, SEC_CHAR) != 0) {
-		logit("Can't retrieve attribute SYSTEM for %s: %.100s",
-		    user, strerror(errno));
-		return 0;
-	}
-
-	debug3("AIX SYSTEM attribute %s", sys);
-	if (strcmp(sys, "NONE") != 0)
-		return 1;	/* not "NONE", so is OK */
-
-	if (getuserattr((char *)user, S_AUTH1, &auth1, SEC_LIST) != 0) {
-		logit("Can't retrieve attribute auth1 for %s: %.100s",
-		    user, strerror(errno));
-		return 0;
-	}
-
-	p = auth1;
-	/* A SEC_LIST is concatenated strings, ending with two NULs. */
-	while (p[0] != '\0' && p[1] != '\0') {
-		debug3("AIX auth1 attribute list member %s", p);
-		if (strcmp(p, "NONE") != 0 && strcmp(p, "SYSTEM")) {
-			logit("Account %s has unsupported auth1 value '%s'",
-			    user, p);
-			valid = 0;
-		}
-		p += strlen(p) + 1;
-	}
-
-	return (valid);
-}
-
-/*
- * Do authentication via AIX's authenticate routine.  We loop until the
- * reenter parameter is 0, but normally authenticate is called only once.
- *
- * Note: this function returns 1 on success, whereas AIX's authenticate()
- * returns 0.
- */
-int
-sys_auth_passwd(Authctxt *ctxt, const char *password)
-{
-	char *authmsg = NULL, *msg = NULL, *name = ctxt->pw->pw_name;
-	int authsuccess = 0, expired, reenter, result;
-
-	do {
-		result = authenticate((char *)name, (char *)password, &reenter,
-		    &authmsg);
-		aix_remove_embedded_newlines(authmsg);	
-		debug3("AIX/authenticate result %d, authmsg %.100s", result,
-		    authmsg);
-	} while (reenter);
-
-	if (!aix_valid_authentications(name))
-		result = -1;
-
-	if (result == 0) {
-		authsuccess = 1;
-
-		/*
-		 * Record successful login.  We don't have a pty yet, so just
-		 * label the line as "ssh"
-		 */
-		aix_setauthdb(name);
-
-		/*
-		 * Check if the user's password is expired.
-		 */
-		expired = passwdexpired(name, &msg);
-		if (msg && *msg) {
-			buffer_append(ctxt->loginmsg, msg, strlen(msg));
-			aix_remove_embedded_newlines(msg);
-		}
-		debug3("AIX/passwdexpired returned %d msg %.100s", expired, msg);
-
-		switch (expired) {
-		case 0: /* password not expired */
-			break;
-		case 1: /* expired, password change required */
-			ctxt->force_pwchange = 1;
-			break;
-		default: /* user can't change(2) or other error (-1) */
-			logit("Password can't be changed for user %s: %.100s",
-			    name, msg);
-			if (msg)
-				xfree(msg);
-			authsuccess = 0;
-		}
-
-		aix_restoreauthdb();
-	}
-
-	if (authmsg != NULL)
-		xfree(authmsg);
-
-	return authsuccess;
-}
-
-/*
- * Check if specified account is permitted to log in.
- * Returns 1 if login is allowed, 0 if not allowed.
- */
-int
-sys_auth_allowed_user(struct passwd *pw, Buffer *loginmsg)
-{
-	char *msg = NULL;
-	int result, permitted = 0;
-	struct stat st;
-
-	/*
-	 * Don't perform checks for root account (PermitRootLogin controls
-	 * logins via * ssh) or if running as non-root user (since
-	 * loginrestrictions will always fail due to insufficient privilege).
-	 */
-	if (pw->pw_uid == 0 || geteuid() != 0) {
-		debug3("%s: not checking", __func__);
-		return 1;
-	}
-
-	result = loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg);
-	if (result == 0)
-		permitted = 1;
-	/*
-	 * If restricted because /etc/nologin exists, the login will be denied
-	 * in session.c after the nologin message is sent, so allow for now
-	 * and do not append the returned message.
-	 */
-	if (result == -1 && errno == EPERM && stat(_PATH_NOLOGIN, &st) == 0)
-		permitted = 1;
-	else if (msg != NULL)
-		buffer_append(loginmsg, msg, strlen(msg));
-	if (msg == NULL)
-		msg = xstrdup("(none)");
-	aix_remove_embedded_newlines(msg);
-	debug3("AIX/loginrestrictions returned %d msg %.100s", result, msg);
-
-	if (!permitted)
-		logit("Login restricted for %s: %.100s", pw->pw_name, msg);
-	xfree(msg);
-	return permitted;
-}
-
-int
-sys_auth_record_login(const char *user, const char *host, const char *ttynm,
-    Buffer *loginmsg)
-{
-	char *msg = NULL;
-	static int msg_done = 0;
-	int success = 0;
-
-	aix_setauthdb(user);
-	if (loginsuccess((char *)user, (char *)host, (char *)ttynm, &msg) == 0) {
-		success = 1;
-		if (msg != NULL && loginmsg != NULL && !msg_done) {
-			debug("AIX/loginsuccess: msg %s", msg);
-			buffer_append(loginmsg, msg, strlen(msg));
-			xfree(msg);
-			msg_done = 1;
-		}
-	}
-	aix_restoreauthdb();
-	return (success);
-}
-
-#  ifdef CUSTOM_FAILED_LOGIN
-/*
- * record_failed_login: generic "login failed" interface function
- */
-void
-record_failed_login(const char *user, const char *hostname, const char *ttyname)
-{
-	if (geteuid() != 0)
-		return;
-
-	aix_setauthdb(user);
-#   ifdef AIX_LOGINFAILED_4ARG
-	loginfailed((char *)user, (char *)hostname, (char *)ttyname,
-	    AUDIT_FAIL_AUTH);
-#   else
-	loginfailed((char *)user, (char *)hostname, (char *)ttyname);
-#   endif
-	aix_restoreauthdb();
-}
-#  endif /* CUSTOM_FAILED_LOGIN */
-
-/*
- * If we have setauthdb, retrieve the password registry for the user's
- * account then feed it to setauthdb.  This will mean that subsequent AIX auth
- * functions will only use the specified loadable module.  If we don't have
- * setauthdb this is a no-op.
- */
-void
-aix_setauthdb(const char *user)
-{
-#  ifdef HAVE_SETAUTHDB
-	char *registry;
-
-	if (setuserdb(S_READ) == -1) {
-		debug3("%s: Could not open userdb to read", __func__);
-		return;
-	}
-	
-	if (getuserattr((char *)user, S_REGISTRY, &registry, SEC_CHAR) == 0) {
-		if (setauthdb(registry, old_registry) == 0)
-			debug3("AIX/setauthdb set registry '%s'", registry);
-		else 
-			debug3("AIX/setauthdb set registry '%s' failed: %s",
-			    registry, strerror(errno));
-	} else
-		debug3("%s: Could not read S_REGISTRY for user: %s", __func__,
-		    strerror(errno));
-	enduserdb();
-#  endif /* HAVE_SETAUTHDB */
-}
-
-/*
- * Restore the user's registry settings from old_registry.
- * Note that if the first aix_setauthdb fails, setauthdb("") is still safe
- * (it restores the system default behaviour).  If we don't have setauthdb,
- * this is a no-op.
- */
-void
-aix_restoreauthdb(void)
-{
-#  ifdef HAVE_SETAUTHDB
-	if (setauthdb(old_registry, NULL) == 0)
-		debug3("%s: restoring old registry '%s'", __func__,
-		    old_registry);
-	else
-		debug3("%s: failed to restore old registry %s", __func__,
-		    old_registry);
-#  endif /* HAVE_SETAUTHDB */
-}
-
-# endif /* WITH_AIXAUTHENTICATE */
-
-# if defined(AIX_GETNAMEINFO_HACK) && !defined(BROKEN_ADDRINFO)
-# undef getnameinfo
-/*
- * For some reason, AIX's getnameinfo will refuse to resolve the all-zeros
- * IPv6 address into its textual representation ("::"), so we wrap it
- * with a function that will.
- */
-int
-sshaix_getnameinfo(const struct sockaddr *sa, size_t salen, char *host,
-    size_t hostlen, char *serv, size_t servlen, int flags)
-{
-	struct sockaddr_in6 *sa6;
-	u_int32_t *a6;
-
-	if (flags & (NI_NUMERICHOST|NI_NUMERICSERV) &&
-	    sa->sa_family == AF_INET6) {
-		sa6 = (struct sockaddr_in6 *)sa;
-		a6 = sa6->sin6_addr.u6_addr.u6_addr32;
-
-		if (a6[0] == 0 && a6[1] == 0 && a6[2] == 0 && a6[3] == 0) {
-			strlcpy(host, "::", hostlen);
-			snprintf(serv, servlen, "%d", sa6->sin6_port);
-			return 0;
-		}
-	}
-	return getnameinfo(sa, salen, host, hostlen, serv, servlen, flags);
-}
-# endif /* AIX_GETNAMEINFO_HACK */
-
-#endif /* _AIX */
diff --git a/crypto/openssh/openbsd-compat/port-aix.h b/crypto/openssh/openbsd-compat/port-aix.h
deleted file mode 100644
index 5a04bed..0000000
--- a/crypto/openssh/openbsd-compat/port-aix.h
+++ /dev/null
@@ -1,106 +0,0 @@
-/* $Id: port-aix.h,v 1.27 2006/09/18 13:54:33 dtucker Exp $ */
-
-/*
- *
- * Copyright (c) 2001 Gert Doering.  All rights reserved.
- * Copyright (c) 2004, 2005 Darren Tucker.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifdef _AIX
-
-#ifdef HAVE_SYS_SOCKET_H
-# include <sys/socket.h>
-#endif
-
-#include "buffer.h"
-
-/* These should be in the system headers but are not. */
-int usrinfo(int, char *, int);
-#if defined(HAVE_DECL_SETAUTHDB) && (HAVE_DECL_SETAUTHDB == 0)
-int setauthdb(const char *, char *);
-#endif
-/* these may or may not be in the headers depending on the version */
-#if defined(HAVE_DECL_AUTHENTICATE) && (HAVE_DECL_AUTHENTICATE == 0)
-int authenticate(char *, char *, int *, char **);
-#endif
-#if defined(HAVE_DECL_LOGINFAILED) && (HAVE_DECL_LOGINFAILED == 0)
-int loginfailed(char *, char *, char *);
-#endif
-#if defined(HAVE_DECL_LOGINRESTRICTIONS) && (HAVE_DECL_LOGINRESTRICTIONS == 0)
-int loginrestrictions(char *, int, char *, char **);
-#endif
-#if defined(HAVE_DECL_LOGINSUCCESS) && (HAVE_DECL_LOGINSUCCESS == 0)
-int loginsuccess(char *, char *, char *, char **);
-#endif
-#if defined(HAVE_DECL_PASSWDEXPIRED) && (HAVE_DECL_PASSWDEXPIRED == 0)
-int passwdexpired(char *, char **);
-#endif
-
-/* Some versions define r_type in the above headers, which causes a conflict */
-#ifdef r_type
-# undef r_type
-#endif
-
-/* AIX 4.2.x doesn't have nanosleep but does have nsleep which is equivalent */
-#if !defined(HAVE_NANOSLEEP) && defined(HAVE_NSLEEP)
-# define nanosleep(a,b) nsleep(a,b)
-#endif
-
-/* For struct timespec on AIX 4.2.x */
-#ifdef HAVE_SYS_TIMERS_H
-# include <sys/timers.h>
-#endif
-
-/*
- * According to the setauthdb man page, AIX password registries must be 15
- * chars or less plus terminating NUL.
- */
-#ifdef HAVE_SETAUTHDB
-# define REGISTRY_SIZE	16
-#endif
-
-void aix_usrinfo(struct passwd *);
-
-#ifdef WITH_AIXAUTHENTICATE
-# define CUSTOM_SYS_AUTH_PASSWD 1
-# define CUSTOM_SYS_AUTH_ALLOWED_USER 1
-int sys_auth_allowed_user(struct passwd *, Buffer *);
-# define CUSTOM_SYS_AUTH_RECORD_LOGIN 1
-int sys_auth_record_login(const char *, const char *, const char *, Buffer *);
-# define CUSTOM_FAILED_LOGIN 1
-#endif
-
-void aix_setauthdb(const char *);
-void aix_restoreauthdb(void);
-void aix_remove_embedded_newlines(char *);
-
-#if defined(AIX_GETNAMEINFO_HACK) && !defined(BROKEN_GETADDRINFO)
-# ifdef getnameinfo
-#  undef getnameinfo
-# endif
-int sshaix_getnameinfo(const struct sockaddr *, size_t, char *, size_t,
-    char *, size_t, int);
-# define getnameinfo(a,b,c,d,e,f,g) (sshaix_getnameinfo(a,b,c,d,e,f,g))
-#endif
-
-#endif /* _AIX */
diff --git a/crypto/openssh/openbsd-compat/port-irix.c b/crypto/openssh/openbsd-compat/port-irix.c
deleted file mode 100644
index ba751a5..0000000
--- a/crypto/openssh/openbsd-compat/port-irix.c
+++ /dev/null
@@ -1,90 +0,0 @@
-/*
- * Copyright (c) 2000 Denis Parker.  All rights reserved.
- * Copyright (c) 2000 Michael Stone.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#if defined(WITH_IRIX_PROJECT) || \
-    defined(WITH_IRIX_JOBS) || \
-    defined(WITH_IRIX_ARRAY)
-
-#include <errno.h>
-#include <string.h>
-#include <unistd.h>
-
-#ifdef WITH_IRIX_PROJECT
-# include <proj.h>
-#endif /* WITH_IRIX_PROJECT */
-#ifdef WITH_IRIX_JOBS
-# include <sys/resource.h>
-#endif
-#ifdef WITH_IRIX_AUDIT
-# include <sat.h>
-#endif /* WITH_IRIX_AUDIT */
-
-void
-irix_setusercontext(struct passwd *pw)
-{
-#ifdef WITH_IRIX_PROJECT
-        prid_t projid;
-#endif
-#ifdef WITH_IRIX_JOBS
-        jid_t jid = 0;
-#elif defined(WITH_IRIX_ARRAY)
-        int jid = 0;
-#endif
-
-#ifdef WITH_IRIX_JOBS
-        jid = jlimit_startjob(pw->pw_name, pw->pw_uid, "interactive");
-        if (jid == -1)
-                fatal("Failed to create job container: %.100s",
-                    strerror(errno));
-#endif /* WITH_IRIX_JOBS */
-#ifdef WITH_IRIX_ARRAY
-        /* initialize array session */
-        if (jid == 0  && newarraysess() != 0)
-                fatal("Failed to set up new array session: %.100s",
-                    strerror(errno));
-#endif /* WITH_IRIX_ARRAY */
-#ifdef WITH_IRIX_PROJECT
-        /* initialize irix project info */
-        if ((projid = getdfltprojuser(pw->pw_name)) == -1) {
-                debug("Failed to get project id, using projid 0");
-                projid = 0;
-        }
-        if (setprid(projid))
-                fatal("Failed to initialize project %d for %s: %.100s",
-                    (int)projid, pw->pw_name, strerror(errno));
-#endif /* WITH_IRIX_PROJECT */
-#ifdef WITH_IRIX_AUDIT
-        if (sysconf(_SC_AUDIT)) {
-                debug("Setting sat id to %d", (int) pw->pw_uid);
-                if (satsetid(pw->pw_uid))
-                        debug("error setting satid: %.100s", strerror(errno));
-        }
-#endif /* WITH_IRIX_AUDIT */
-}
-
-
-#endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */
diff --git a/crypto/openssh/openbsd-compat/port-irix.h b/crypto/openssh/openbsd-compat/port-irix.h
deleted file mode 100644
index 67c4863..0000000
--- a/crypto/openssh/openbsd-compat/port-irix.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/* $Id: port-irix.h,v 1.4 2003/08/29 16:59:52 mouring Exp $ */
-
-/*
- * Copyright (c) 2000 Denis Parker.  All rights reserved.
- * Copyright (c) 2000 Michael Stone.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef _PORT_IRIX_H
-#define _PORT_IRIX_H
-
-#if defined(WITH_IRIX_PROJECT) || \
-    defined(WITH_IRIX_JOBS) || \
-    defined(WITH_IRIX_ARRAY)
-
-void irix_setusercontext(struct passwd *pw);
-
-#endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */
-
-#endif /* ! _PORT_IRIX_H */
diff --git a/crypto/openssh/openbsd-compat/port-linux.c b/crypto/openssh/openbsd-compat/port-linux.c
deleted file mode 100644
index 77f3a1c..0000000
--- a/crypto/openssh/openbsd-compat/port-linux.c
+++ /dev/null
@@ -1,169 +0,0 @@
-/* $Id: port-linux.c,v 1.3 2006/09/01 05:38:41 djm Exp $ */
-
-/*
- * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
- * Copyright (c) 2006 Damien Miller <djm@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Linux-specific portability code - just SELinux support at present
- */
-
-#include "includes.h"
-
-#include <errno.h>
-#include <stdarg.h>
-#include <string.h>
-
-#ifdef WITH_SELINUX
-#include "log.h"
-#include "port-linux.h"
-
-#include <selinux/selinux.h>
-#include <selinux/flask.h>
-#include <selinux/get_context_list.h>
-
-/* Wrapper around is_selinux_enabled() to log its return value once only */
-static int
-ssh_selinux_enabled(void)
-{
-	static int enabled = -1;
-
-	if (enabled == -1) {
-		enabled = is_selinux_enabled();
-		debug("SELinux support %s", enabled ? "enabled" : "disabled");
-	}
-
-	return (enabled);
-}
-
-/* Return the default security context for the given username */
-static security_context_t
-ssh_selinux_getctxbyname(char *pwname)
-{
-	security_context_t sc;
-	char *sename = NULL, *lvl = NULL;
-	int r;
-
-#ifdef HAVE_GETSEUSERBYNAME
-	if (getseuserbyname(pwname, &sename, &lvl) != 0)
-		return NULL;
-#else
-	sename = pwname;
-	lvl = NULL;
-#endif
-
-#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
-	r = get_default_context_with_level(sename, lvl, NULL, &sc);
-#else
-	r = get_default_context(sename, NULL, &sc);
-#endif
-
-	if (r != 0) {
-		switch (security_getenforce()) {
-		case -1:
-			fatal("%s: ssh_selinux_getctxbyname: "
-			    "security_getenforce() failed", __func__);
-		case 0:
-			error("%s: Failed to get default SELinux security "
-			    "context for %s", __func__, pwname);
-		default:
-			fatal("%s: Failed to get default SELinux security "
-			    "context for %s (in enforcing mode)",
-			    __func__, pwname);
-		}
-	}
-
-#ifdef HAVE_GETSEUSERBYNAME
-	if (sename != NULL)
-		xfree(sename);
-	if (lvl != NULL)
-		xfree(lvl);
-#endif
-
-	return (sc);
-}
-
-/* Set the execution context to the default for the specified user */
-void
-ssh_selinux_setup_exec_context(char *pwname)
-{
-	security_context_t user_ctx = NULL;
-
-	if (!ssh_selinux_enabled())
-		return;
-
-	debug3("%s: setting execution context", __func__);
-
-	user_ctx = ssh_selinux_getctxbyname(pwname);
-	if (setexeccon(user_ctx) != 0) {
-		switch (security_getenforce()) {
-		case -1:
-			fatal("%s: security_getenforce() failed", __func__);
-		case 0:
-			error("%s: Failed to set SELinux execution "
-			    "context for %s", __func__, pwname);
-		default:
-			fatal("%s: Failed to set SELinux execution context "
-			    "for %s (in enforcing mode)", __func__, pwname);
-		}
-	}
-	if (user_ctx != NULL)
-		freecon(user_ctx);
-
-	debug3("%s: done", __func__);
-}
-
-/* Set the TTY context for the specified user */
-void
-ssh_selinux_setup_pty(char *pwname, const char *tty)
-{
-	security_context_t new_tty_ctx = NULL;
-	security_context_t user_ctx = NULL;
-	security_context_t old_tty_ctx = NULL;
-
-	if (!ssh_selinux_enabled())
-		return;
-
-	debug3("%s: setting TTY context on %s", __func__, tty);
-
-	user_ctx = ssh_selinux_getctxbyname(pwname);
-
-	/* XXX: should these calls fatal() upon failure in enforcing mode? */
-
-	if (getfilecon(tty, &old_tty_ctx) == -1) {
-		error("%s: getfilecon: %s", __func__, strerror(errno));
-		goto out;
-	}
-
-	if (security_compute_relabel(user_ctx, old_tty_ctx,
-	    SECCLASS_CHR_FILE, &new_tty_ctx) != 0) {
-		error("%s: security_compute_relabel: %s",
-		    __func__, strerror(errno));
-		goto out;
-	}
-
-	if (setfilecon(tty, new_tty_ctx) != 0)
-		error("%s: setfilecon: %s", __func__, strerror(errno));
- out:
-	if (new_tty_ctx != NULL)
-		freecon(new_tty_ctx);
-	if (old_tty_ctx != NULL)
-		freecon(old_tty_ctx);
-	if (user_ctx != NULL)
-		freecon(user_ctx);
-	debug3("%s: done", __func__);
-}
-#endif /* WITH_SELINUX */
diff --git a/crypto/openssh/openbsd-compat/port-linux.h b/crypto/openssh/openbsd-compat/port-linux.h
deleted file mode 100644
index 05e520e..0000000
--- a/crypto/openssh/openbsd-compat/port-linux.h
+++ /dev/null
@@ -1,27 +0,0 @@
-/* $Id: port-linux.h,v 1.1 2006/04/22 11:26:08 djm Exp $ */
-
-/*
- * Copyright (c) 2006 Damien Miller <djm@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef _PORT_LINUX_H
-#define _PORT_LINUX_H
-
-#ifdef WITH_SELINUX
-void ssh_selinux_setup_pty(char *, const char *);
-void ssh_selinux_setup_exec_context(char *);
-#endif
-
-#endif /* ! _PORT_LINUX_H */
diff --git a/crypto/openssh/openbsd-compat/port-solaris.c b/crypto/openssh/openbsd-compat/port-solaris.c
deleted file mode 100644
index 2ab64d4..0000000
--- a/crypto/openssh/openbsd-compat/port-solaris.c
+++ /dev/null
@@ -1,199 +0,0 @@
-/* $Id: port-solaris.c,v 1.3 2006/10/31 23:28:49 dtucker Exp $ */
-
-/*
- * Copyright (c) 2006 Chad Mynhier.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "config.h"
-#include "includes.h"
-
-#ifdef USE_SOLARIS_PROCESS_CONTRACTS
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/param.h>
-
-#include <errno.h>
-#ifdef HAVE_FCNTL_H
-# include <fcntl.h>
-#endif
-#include <stdarg.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <libcontract.h>
-#include <sys/contract/process.h>
-#include <sys/ctfs.h>
-
-#include "log.h"
-
-#define CT_TEMPLATE	CTFS_ROOT "/process/template"
-#define CT_LATEST	CTFS_ROOT "/process/latest"
-
-static int tmpl_fd = -1;
-
-/* Lookup the latest process contract */
-static ctid_t
-get_active_process_contract_id(void)
-{
-	int stat_fd;
-	ctid_t ctid = -1;
-	ct_stathdl_t stathdl;
-
-	if ((stat_fd = open64(CT_LATEST, O_RDONLY)) == -1) {
-		error("%s: Error opening 'latest' process "
-		    "contract: %s", __func__, strerror(errno));
-		return -1;
-	}
-	if (ct_status_read(stat_fd, CTD_COMMON, &stathdl) != 0) {
-		error("%s: Error reading process contract "
-		    "status: %s", __func__, strerror(errno));
-		goto out;
-	}
-	if ((ctid = ct_status_get_id(stathdl)) < 0) {
-		error("%s: Error getting process contract id: %s",
-		    __func__, strerror(errno));
-		goto out;
-	}
-
-	ct_status_free(stathdl);
- out:
-	close(stat_fd);
-	return ctid;
-}
-
-void
-solaris_contract_pre_fork(void)
-{
-	if ((tmpl_fd = open64(CT_TEMPLATE, O_RDWR)) == -1) {
-		error("%s: open %s: %s", __func__,
-		    CT_TEMPLATE, strerror(errno));
-		return;
-	}
-
-	debug2("%s: setting up process contract template on fd %d",
-	    __func__, tmpl_fd);
-
-	/* First we set the template parameters and event sets. */
-	if (ct_pr_tmpl_set_param(tmpl_fd, CT_PR_PGRPONLY) != 0) {
-		error("%s: Error setting process contract parameter set "
-		    "(pgrponly): %s", __func__, strerror(errno));
-		goto fail;
-	}
-	if (ct_pr_tmpl_set_fatal(tmpl_fd, CT_PR_EV_HWERR) != 0) {
-		error("%s: Error setting process contract template "
-		    "fatal events: %s", __func__, strerror(errno));
-		goto fail;
-	}
-	if (ct_tmpl_set_critical(tmpl_fd, 0) != 0) {
-		error("%s: Error setting process contract template "
-		    "critical events: %s", __func__, strerror(errno));
-		goto fail;
-	}
-	if (ct_tmpl_set_informative(tmpl_fd, CT_PR_EV_HWERR) != 0) {
-		error("%s: Error setting process contract template "
-		    "informative events: %s", __func__, strerror(errno));
-		goto fail;
-	}
-
-	/* Now make this the active template for this process. */
-	if (ct_tmpl_activate(tmpl_fd) != 0) {
-		error("%s: Error activating process contract "
-		    "template: %s", __func__, strerror(errno));
-		goto fail;
-	}
-	return;
-
- fail:
-	if (tmpl_fd != -1) {
-		close(tmpl_fd);
-		tmpl_fd = -1;
-	}
-}
-
-void
-solaris_contract_post_fork_child()
-{
-	debug2("%s: clearing process contract template on fd %d",
-	    __func__, tmpl_fd);
-
-	/* Clear the active template. */
-	if (ct_tmpl_clear(tmpl_fd) != 0)
-		error("%s: Error clearing active process contract "
-		    "template: %s", __func__, strerror(errno));
-
-	close(tmpl_fd);
-	tmpl_fd = -1;
-}
-
-void
-solaris_contract_post_fork_parent(pid_t pid)
-{
-	ctid_t ctid;
-	char ctl_path[256];
-	int r, ctl_fd = -1, stat_fd = -1;
-
-	debug2("%s: clearing template (fd %d)", __func__, tmpl_fd);
-
-	if (tmpl_fd == -1)
-		return;
-
-	/* First clear the active template. */
-	if ((r = ct_tmpl_clear(tmpl_fd)) != 0)
-		error("%s: Error clearing active process contract "
-		    "template: %s", __func__, strerror(errno));
-
-	close(tmpl_fd);
-	tmpl_fd = -1;
-
-	/*
-	 * If either the fork didn't succeed (pid < 0), or clearing
-	 * th active contract failed (r != 0), then we have nothing
-	 * more do.
-	 */
-	if (r != 0 || pid <= 0)
-		return;
-
-	/* Now lookup and abandon the contract we've created. */
-	ctid = get_active_process_contract_id();
-
-	debug2("%s: abandoning contract id %ld", __func__, ctid);
-
-	snprintf(ctl_path, sizeof(ctl_path),
-	    CTFS_ROOT "/process/%ld/ctl", ctid);
-	if ((ctl_fd = open64(ctl_path, O_WRONLY)) < 0) {
-		error("%s: Error opening process contract "
-		    "ctl file: %s", __func__, strerror(errno));
-		goto fail;
-	}
-	if (ct_ctl_abandon(ctl_fd) < 0) {
-		error("%s: Error abandoning process contract: %s",
-		    __func__, strerror(errno));
-		goto fail;
-	}
-	close(ctl_fd);
-	return;
-
- fail:
-	if (tmpl_fd != -1) {
-		close(tmpl_fd);
-		tmpl_fd = -1;
-	}
-	if (stat_fd != -1)
-		close(stat_fd);
-	if (ctl_fd != -1)
-		close(ctl_fd);
-}
-#endif
diff --git a/crypto/openssh/openbsd-compat/port-solaris.h b/crypto/openssh/openbsd-compat/port-solaris.h
deleted file mode 100644
index 4c32487..0000000
--- a/crypto/openssh/openbsd-compat/port-solaris.h
+++ /dev/null
@@ -1,27 +0,0 @@
-/* $Id: port-solaris.h,v 1.1 2006/08/30 17:24:42 djm Exp $ */
-
-/*
- * Copyright (c) 2006 Chad Mynhier.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef _PORT_SOLARIS_H
-
-#include <sys/types.h>
-
-void solaris_contract_pre_fork(void);
-void solaris_contract_post_fork_child(void);
-void solaris_contract_post_fork_parent(pid_t pid);
-
-#endif
diff --git a/crypto/openssh/openbsd-compat/port-tun.c b/crypto/openssh/openbsd-compat/port-tun.c
deleted file mode 100644
index 276474d..0000000
--- a/crypto/openssh/openbsd-compat/port-tun.c
+++ /dev/null
@@ -1,270 +0,0 @@
-/*
- * Copyright (c) 2005 Reyk Floeter <reyk@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/ioctl.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netinet/ip.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#include <stdarg.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "log.h"
-#include "misc.h"
-#include "buffer.h"
-#include "channels.h"
-
-/*
- * This is the portable version of the SSH tunnel forwarding, it
- * uses some preprocessor definitions for various platform-specific
- * settings.
- *
- * SSH_TUN_LINUX	Use the (newer) Linux tun/tap device
- * SSH_TUN_FREEBSD	Use the FreeBSD tun/tap device
- * SSH_TUN_COMPAT_AF	Translate the OpenBSD address family
- * SSH_TUN_PREPEND_AF	Prepend/remove the address family
- */
-
-/*
- * System-specific tunnel open function
- */
-
-#if defined(SSH_TUN_LINUX)
-#include <linux/if.h>
-#include <linux/if_tun.h>
-
-int
-sys_tun_open(int tun, int mode)
-{
-	struct ifreq ifr;
-	int fd = -1;
-	const char *name = NULL;
-
-	if ((fd = open("/dev/net/tun", O_RDWR)) == -1) {
-		debug("%s: failed to open tunnel control interface: %s",
-		    __func__, strerror(errno));
-		return (-1);
-	}
-
-	bzero(&ifr, sizeof(ifr));	
-
-	if (mode == SSH_TUNMODE_ETHERNET) {
-		ifr.ifr_flags = IFF_TAP;
-		name = "tap%d";
-	} else {
-		ifr.ifr_flags = IFF_TUN;
-		name = "tun%d";
-	}
-	ifr.ifr_flags |= IFF_NO_PI;
-
-	if (tun != SSH_TUNID_ANY) {
-		if (tun > SSH_TUNID_MAX) {
-			debug("%s: invalid tunnel id %x: %s", __func__,
-			    tun, strerror(errno));
-			goto failed;
-		}
-		snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), name, tun);
-	}
-
-	if (ioctl(fd, TUNSETIFF, &ifr) == -1) {
-		debug("%s: failed to configure tunnel (mode %d): %s", __func__,
-		    mode, strerror(errno));
-		goto failed;
-	}
-
-	if (tun == SSH_TUNID_ANY)
-		debug("%s: tunnel mode %d fd %d", __func__, mode, fd);
-	else
-		debug("%s: %s mode %d fd %d", __func__, ifr.ifr_name, mode, fd);
-
-	return (fd);
-
- failed:
-	close(fd);
-	return (-1);
-}
-#endif /* SSH_TUN_LINUX */
-
-#ifdef SSH_TUN_FREEBSD
-#include <sys/socket.h>
-#include <net/if.h>
-
-#ifdef HAVE_NET_IF_TUN_H
-#include <net/if_tun.h>
-#endif
-
-int
-sys_tun_open(int tun, int mode)
-{
-	struct ifreq ifr;
-	char name[100];
-	int fd = -1, sock, flag;
-	const char *tunbase = "tun";
-
-	if (mode == SSH_TUNMODE_ETHERNET) {
-#ifdef SSH_TUN_NO_L2
-		debug("%s: no layer 2 tunnelling support", __func__);
-		return (-1);
-#else
-		tunbase = "tap";
-#endif
-	}
-
-	/* Open the tunnel device */
-	if (tun <= SSH_TUNID_MAX) {
-		snprintf(name, sizeof(name), "/dev/%s%d", tunbase, tun);
-		fd = open(name, O_RDWR);
-	} else if (tun == SSH_TUNID_ANY) {
-		for (tun = 100; tun >= 0; tun--) {
-			snprintf(name, sizeof(name), "/dev/%s%d",
-			    tunbase, tun);
-			if ((fd = open(name, O_RDWR)) >= 0)
-				break;
-		}
-	} else {
-		debug("%s: invalid tunnel %u\n", __func__, tun);
-		return (-1);
-	}
-
-	if (fd < 0) {
-		debug("%s: %s open failed: %s", __func__, name,
-		    strerror(errno));
-		return (-1);
-	}
-
-	/* Turn on tunnel headers */
-	flag = 1;
-#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
-	if (mode != SSH_TUNMODE_ETHERNET &&
-	    ioctl(fd, TUNSIFHEAD, &flag) == -1) {
-		debug("%s: ioctl(%d, TUNSIFHEAD, 1): %s", __func__, fd,
-		    strerror(errno));
-		close(fd);
-	}
-#endif
-
-	debug("%s: %s mode %d fd %d", __func__, name, mode, fd);
-
-	/* Set the tunnel device operation mode */
-	snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s%d", tunbase, tun);
-	if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) == -1)
-		goto failed;
-
-	if (ioctl(sock, SIOCGIFFLAGS, &ifr) == -1)
-		goto failed;
-	ifr.ifr_flags |= IFF_UP;
-	if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1)
-		goto failed;
-
-	close(sock);
-	return (fd);
-
- failed:
-	if (fd >= 0)
-		close(fd);
-	if (sock >= 0)
-		close(sock);
-	debug("%s: failed to set %s mode %d: %s", __func__, name,
-	    mode, strerror(errno));
-	return (-1);
-}
-#endif /* SSH_TUN_FREEBSD */
-
-/*
- * System-specific channel filters
- */
-
-#if defined(SSH_TUN_FILTER)
-#define OPENBSD_AF_INET		2
-#define OPENBSD_AF_INET6	24
-
-int
-sys_tun_infilter(struct Channel *c, char *buf, int len)
-{
-#if defined(SSH_TUN_PREPEND_AF)
-	char rbuf[CHAN_RBUF];
-	struct ip *iph;
-#endif
-	u_int32_t *af;
-	char *ptr = buf;
-
-#if defined(SSH_TUN_PREPEND_AF)
-	if (len <= 0 || len > (int)(sizeof(rbuf) - sizeof(*af)))
-		return (-1);
-	ptr = (char *)&rbuf[0];
-	bcopy(buf, ptr + sizeof(u_int32_t), len);
-	len += sizeof(u_int32_t);
-	af = (u_int32_t *)ptr;
-
-	iph = (struct ip *)(ptr + sizeof(u_int32_t));
-	switch (iph->ip_v) {
-	case 6:
-		*af = AF_INET6;
-		break;
-	case 4:
-	default:
-		*af = AF_INET;
-		break;
-	}
-#endif
-
-#if defined(SSH_TUN_COMPAT_AF)
-	if (len < (int)sizeof(u_int32_t))
-		return (-1);
-
-	af = (u_int32_t *)ptr;
-	if (*af == htonl(AF_INET6))
-		*af = htonl(OPENBSD_AF_INET6);
-	else
-		*af = htonl(OPENBSD_AF_INET);
-#endif
-
-	buffer_put_string(&c->input, ptr, len);
-	return (0);
-}
-
-u_char *
-sys_tun_outfilter(struct Channel *c, u_char **data, u_int *dlen)
-{
-	u_char *buf;
-	u_int32_t *af;
-
-	*data = buffer_get_string(&c->output, dlen);
-	if (*dlen < sizeof(*af))
-		return (NULL);
-	buf = *data;
-
-#if defined(SSH_TUN_PREPEND_AF)
-	*dlen -= sizeof(u_int32_t);
-	buf = *data + sizeof(u_int32_t);
-#elif defined(SSH_TUN_COMPAT_AF)
-	af = ntohl(*(u_int32_t *)buf);
-	if (*af == OPENBSD_AF_INET6)
-		*af = htonl(AF_INET6);
-	else
-		*af = htonl(AF_INET);
-#endif
-
-	return (buf);
-}
-#endif /* SSH_TUN_FILTER */
diff --git a/crypto/openssh/openbsd-compat/port-tun.h b/crypto/openssh/openbsd-compat/port-tun.h
deleted file mode 100644
index c53df01..0000000
--- a/crypto/openssh/openbsd-compat/port-tun.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright (c) 2005 Reyk Floeter <reyk@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef _PORT_TUN_H
-#define _PORT_TUN_H
-
-struct Channel;
-
-#if defined(SSH_TUN_LINUX) || defined(SSH_TUN_FREEBSD)
-# define CUSTOM_SYS_TUN_OPEN
-int	  sys_tun_open(int, int);
-#endif
-
-#if defined(SSH_TUN_COMPAT_AF) || defined(SSH_TUN_PREPEND_AF)
-# define SSH_TUN_FILTER
-int	 sys_tun_infilter(struct Channel *, char *, int);
-u_char	*sys_tun_outfilter(struct Channel *, u_char **, u_int *);
-#endif
-
-#endif
diff --git a/crypto/openssh/openbsd-compat/port-uw.c b/crypto/openssh/openbsd-compat/port-uw.c
deleted file mode 100644
index 6f35239..0000000
--- a/crypto/openssh/openbsd-compat/port-uw.c
+++ /dev/null
@@ -1,149 +0,0 @@
-/*
- * Copyright (c) 2005 The SCO Group. All rights reserved.
- * Copyright (c) 2005 Tim Rice. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#ifdef HAVE_LIBIAF
-#include <sys/types.h>
-#ifdef HAVE_CRYPT_H
-# include <crypt.h>
-#endif
-#include <pwd.h>
-#include <stdarg.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-
-#include "xmalloc.h"
-#include "packet.h"
-#include "buffer.h"
-#include "auth-options.h"
-#include "log.h"
-#include "servconf.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "ssh.h"
-
-int nischeck(char *);
-
-int
-sys_auth_passwd(Authctxt *authctxt, const char *password)
-{
-	struct passwd *pw = authctxt->pw;
-	char *salt;
-	int result;
-
-	/* Just use the supplied fake password if authctxt is invalid */
-	char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
-
-	/* Check for users with no password. */
-	if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
-		return (1);
-
-	/* Encrypt the candidate password using the proper salt. */
-	salt = (pw_password[0] && pw_password[1]) ? pw_password : "xx";
-
-	/*
-	 * Authentication is accepted if the encrypted passwords
-	 * are identical.
-	 */
-#ifdef UNIXWARE_LONG_PASSWORDS
-	if (!nischeck(pw->pw_name)) {
-		result = ((strcmp(bigcrypt(password, salt), pw_password) == 0)
-		||  (strcmp(osr5bigcrypt(password, salt), pw_password) == 0));
-	}
-	else
-#endif /* UNIXWARE_LONG_PASSWORDS */
-		result = (strcmp(xcrypt(password, salt), pw_password) == 0);
-
-#if !defined(BROKEN_LIBIAF)
-	if (authctxt->valid)
-		free(pw_password);
-#endif
-	return(result);
-}
-
-#ifdef UNIXWARE_LONG_PASSWORDS
-int
-nischeck(char *namep)
-{
-	char password_file[] = "/etc/passwd";
-	FILE *fd;
-	struct passwd *ent = NULL;
-
-	if ((fd = fopen (password_file, "r")) == NULL) {
-		/*
-		 * If the passwd file has dissapeared we are in a bad state.
-		 * However, returning 0 will send us back through the
-		 * authentication scheme that has checked the ia database for
-		 * passwords earlier.
-		 */
-		return(0);
-	}
-
-	/*
-	 * fgetpwent() only reads from password file, so we know for certain
-	 * that the user is local.
-	 */
-	while (ent = fgetpwent(fd)) {
-		if (strcmp (ent->pw_name, namep) == 0) {
-			/* Local user */
-			fclose (fd);
-			return(0);
-		}
-	}
-
-	fclose (fd);
-	return (1);
-}
-
-#endif /* UNIXWARE_LONG_PASSWORDS */
-
-/*
-	NOTE: ia_get_logpwd() allocates memory for arg 2
-	functions that call shadow_pw() will need to free
- */
-
-#if !defined(BROKEN_LIBIAF)
-char *
-get_iaf_password(struct passwd *pw)
-{
-	char *pw_password = NULL;
-
-	uinfo_t uinfo;
-	if (!ia_openinfo(pw->pw_name,&uinfo)) {
-		ia_get_logpwd(uinfo, &pw_password);
-		if (pw_password == NULL)
-			fatal("ia_get_logpwd: Unable to get the shadow passwd");
-		ia_closeinfo(uinfo);
-	 	return pw_password;
-	}
-	else
-		fatal("ia_openinfo: Unable to open the shadow passwd file");
-}
-#endif /* !BROKEN_LIBIAF */
-#endif /* HAVE_LIBIAF */
-
diff --git a/crypto/openssh/openbsd-compat/port-uw.h b/crypto/openssh/openbsd-compat/port-uw.h
deleted file mode 100644
index 3589b2e..0000000
--- a/crypto/openssh/openbsd-compat/port-uw.h
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright (c) 2005 Tim Rice.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
-char * get_iaf_password(struct passwd *pw);
-#endif
-
diff --git a/crypto/openssh/openbsd-compat/readpassphrase.c b/crypto/openssh/openbsd-compat/readpassphrase.c
deleted file mode 100644
index 11bd8f6..0000000
--- a/crypto/openssh/openbsd-compat/readpassphrase.c
+++ /dev/null
@@ -1,191 +0,0 @@
-/*	$OpenBSD: readpassphrase.c,v 1.18 2005/08/08 08:05:34 espie Exp $	*/
-
-/*
- * Copyright (c) 2000-2002 Todd C. Miller <Todd.Miller@courtesan.com>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Sponsored in part by the Defense Advanced Research Projects
- * Agency (DARPA) and Air Force Research Laboratory, Air Force
- * Materiel Command, USAF, under agreement number F39502-99-1-0512.
- */
-
-/* OPENBSD ORIGINAL: lib/libc/gen/readpassphrase.c */
-
-#include "includes.h"
-
-#ifndef HAVE_READPASSPHRASE
-
-#include <termios.h>
-#include <signal.h>
-#include <ctype.h>
-#include <fcntl.h>
-#include <readpassphrase.h>
-#include <errno.h>
-#include <string.h>
-#include <unistd.h>
-
-#ifdef TCSASOFT
-# define _T_FLUSH	(TCSAFLUSH|TCSASOFT)
-#else
-# define _T_FLUSH	(TCSAFLUSH)
-#endif
-
-/* SunOS 4.x which lacks _POSIX_VDISABLE, but has VDISABLE */
-#if !defined(_POSIX_VDISABLE) && defined(VDISABLE)
-#  define _POSIX_VDISABLE       VDISABLE
-#endif
-
-static volatile sig_atomic_t signo;
-
-static void handler(int);
-
-char *
-readpassphrase(const char *prompt, char *buf, size_t bufsiz, int flags)
-{
-	ssize_t nr;
-	int input, output, save_errno;
-	char ch, *p, *end;
-	struct termios term, oterm;
-	struct sigaction sa, savealrm, saveint, savehup, savequit, saveterm;
-	struct sigaction savetstp, savettin, savettou, savepipe;
-
-	/* I suppose we could alloc on demand in this case (XXX). */
-	if (bufsiz == 0) {
-		errno = EINVAL;
-		return(NULL);
-	}
-
-restart:
-	signo = 0;
-	/*
-	 * Read and write to /dev/tty if available.  If not, read from
-	 * stdin and write to stderr unless a tty is required.
-	 */
-	if ((flags & RPP_STDIN) ||
-	    (input = output = open(_PATH_TTY, O_RDWR)) == -1) {
-		if (flags & RPP_REQUIRE_TTY) {
-			errno = ENOTTY;
-			return(NULL);
-		}
-		input = STDIN_FILENO;
-		output = STDERR_FILENO;
-	}
-
-	/*
-	 * Catch signals that would otherwise cause the user to end
-	 * up with echo turned off in the shell.  Don't worry about
-	 * things like SIGXCPU and SIGVTALRM for now.
-	 */
-	sigemptyset(&sa.sa_mask);
-	sa.sa_flags = 0;		/* don't restart system calls */
-	sa.sa_handler = handler;
-	(void)sigaction(SIGALRM, &sa, &savealrm);
-	(void)sigaction(SIGHUP, &sa, &savehup);
-	(void)sigaction(SIGINT, &sa, &saveint);
-	(void)sigaction(SIGPIPE, &sa, &savepipe);
-	(void)sigaction(SIGQUIT, &sa, &savequit);
-	(void)sigaction(SIGTERM, &sa, &saveterm);
-	(void)sigaction(SIGTSTP, &sa, &savetstp);
-	(void)sigaction(SIGTTIN, &sa, &savettin);
-	(void)sigaction(SIGTTOU, &sa, &savettou);
-
-	/* Turn off echo if possible. */
-	if (input != STDIN_FILENO && tcgetattr(input, &oterm) == 0) {
-		memcpy(&term, &oterm, sizeof(term));
-		if (!(flags & RPP_ECHO_ON))
-			term.c_lflag &= ~(ECHO | ECHONL);
-#ifdef VSTATUS
-		if (term.c_cc[VSTATUS] != _POSIX_VDISABLE)
-			term.c_cc[VSTATUS] = _POSIX_VDISABLE;
-#endif
-		(void)tcsetattr(input, _T_FLUSH, &term);
-	} else {
-		memset(&term, 0, sizeof(term));
-		term.c_lflag |= ECHO;
-		memset(&oterm, 0, sizeof(oterm));
-		oterm.c_lflag |= ECHO;
-	}
-
-	if (!(flags & RPP_STDIN))
-		(void)write(output, prompt, strlen(prompt));
-	end = buf + bufsiz - 1;
-	for (p = buf; (nr = read(input, &ch, 1)) == 1 && ch != '\n' && ch != '\r';) {
-		if (p < end) {
-			if ((flags & RPP_SEVENBIT))
-				ch &= 0x7f;
-			if (isalpha(ch)) {
-				if ((flags & RPP_FORCELOWER))
-					ch = tolower(ch);
-				if ((flags & RPP_FORCEUPPER))
-					ch = toupper(ch);
-			}
-			*p++ = ch;
-		}
-	}
-	*p = '\0';
-	save_errno = errno;
-	if (!(term.c_lflag & ECHO))
-		(void)write(output, "\n", 1);
-
-	/* Restore old terminal settings and signals. */
-	if (memcmp(&term, &oterm, sizeof(term)) != 0) {
-		while (tcsetattr(input, _T_FLUSH, &oterm) == -1 &&
-		    errno == EINTR)
-			continue;
-	}
-	(void)sigaction(SIGALRM, &savealrm, NULL);
-	(void)sigaction(SIGHUP, &savehup, NULL);
-	(void)sigaction(SIGINT, &saveint, NULL);
-	(void)sigaction(SIGQUIT, &savequit, NULL);
-	(void)sigaction(SIGPIPE, &savepipe, NULL);
-	(void)sigaction(SIGTERM, &saveterm, NULL);
-	(void)sigaction(SIGTSTP, &savetstp, NULL);
-	(void)sigaction(SIGTTIN, &savettin, NULL);
-	if (input != STDIN_FILENO)
-		(void)close(input);
-
-	/*
-	 * If we were interrupted by a signal, resend it to ourselves
-	 * now that we have restored the signal handlers.
-	 */
-	if (signo) {
-		kill(getpid(), signo);
-		switch (signo) {
-		case SIGTSTP:
-		case SIGTTIN:
-		case SIGTTOU:
-			goto restart;
-		}
-	}
-
-	errno = save_errno;
-	return(nr == -1 ? NULL : buf);
-}
-  
-#if 0
-char *
-getpass(const char *prompt)
-{
-	static char buf[_PASSWORD_LEN + 1];
-
-	return(readpassphrase(prompt, buf, sizeof(buf), RPP_ECHO_OFF));
-}
-#endif
-
-static void handler(int s)
-{
-
-	signo = s;
-}
-#endif /* HAVE_READPASSPHRASE */
diff --git a/crypto/openssh/openbsd-compat/readpassphrase.h b/crypto/openssh/openbsd-compat/readpassphrase.h
deleted file mode 100644
index 5fd7c5d..0000000
--- a/crypto/openssh/openbsd-compat/readpassphrase.h
+++ /dev/null
@@ -1,44 +0,0 @@
-/*	$OpenBSD: readpassphrase.h,v 1.5 2003/06/17 21:56:23 millert Exp $	*/
-
-/*
- * Copyright (c) 2000, 2002 Todd C. Miller <Todd.Miller@courtesan.com>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * Sponsored in part by the Defense Advanced Research Projects
- * Agency (DARPA) and Air Force Research Laboratory, Air Force
- * Materiel Command, USAF, under agreement number F39502-99-1-0512.
- */
-
-/* OPENBSD ORIGINAL: include/readpassphrase.h */
-
-#ifndef _READPASSPHRASE_H_
-#define _READPASSPHRASE_H_
-
-#include "includes.h"
-
-#ifndef HAVE_READPASSPHRASE
-
-#define RPP_ECHO_OFF    0x00		/* Turn off echo (default). */
-#define RPP_ECHO_ON     0x01		/* Leave echo on. */
-#define RPP_REQUIRE_TTY 0x02		/* Fail if there is no tty. */
-#define RPP_FORCELOWER  0x04		/* Force input to lower case. */
-#define RPP_FORCEUPPER  0x08		/* Force input to upper case. */
-#define RPP_SEVENBIT    0x10		/* Strip the high bit from input. */
-#define RPP_STDIN       0x20		/* Read from stdin, not /dev/tty */
-
-char * readpassphrase(const char *, char *, size_t, int);
-
-#endif /* HAVE_READPASSPHRASE */
-
-#endif /* !_READPASSPHRASE_H_ */
diff --git a/crypto/openssh/openbsd-compat/realpath.c b/crypto/openssh/openbsd-compat/realpath.c
deleted file mode 100644
index b6120d0..0000000
--- a/crypto/openssh/openbsd-compat/realpath.c
+++ /dev/null
@@ -1,197 +0,0 @@
-/*	$OpenBSD: realpath.c,v 1.13 2005/08/08 08:05:37 espie Exp $ */
-/*
- * Copyright (c) 2003 Constantin S. Svintsoff <kostik@iclub.nsu.ru>
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. The names of the authors may not be used to endorse or promote
- *    products derived from this software without specific prior written
- *    permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* OPENBSD ORIGINAL: lib/libc/stdlib/realpath.c */
-
-#include "includes.h"
-
-#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
-
-#include <sys/param.h>
-#include <sys/stat.h>
-
-#include <errno.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-/*
- * char *realpath(const char *path, char resolved[PATH_MAX]);
- *
- * Find the real name of path, by removing all ".", ".." and symlink
- * components.  Returns (resolved) on success, or (NULL) on failure,
- * in which case the path which caused trouble is left in (resolved).
- */
-char *
-realpath(const char *path, char resolved[PATH_MAX])
-{
-	struct stat sb;
-	char *p, *q, *s;
-	size_t left_len, resolved_len;
-	unsigned symlinks;
-	int serrno, slen;
-	char left[PATH_MAX], next_token[PATH_MAX], symlink[PATH_MAX];
-
-	serrno = errno;
-	symlinks = 0;
-	if (path[0] == '/') {
-		resolved[0] = '/';
-		resolved[1] = '\0';
-		if (path[1] == '\0')
-			return (resolved);
-		resolved_len = 1;
-		left_len = strlcpy(left, path + 1, sizeof(left));
-	} else {
-		if (getcwd(resolved, PATH_MAX) == NULL) {
-			strlcpy(resolved, ".", PATH_MAX);
-			return (NULL);
-		}
-		resolved_len = strlen(resolved);
-		left_len = strlcpy(left, path, sizeof(left));
-	}
-	if (left_len >= sizeof(left) || resolved_len >= PATH_MAX) {
-		errno = ENAMETOOLONG;
-		return (NULL);
-	}
-
-	/*
-	 * Iterate over path components in `left'.
-	 */
-	while (left_len != 0) {
-		/*
-		 * Extract the next path component and adjust `left'
-		 * and its length.
-		 */
-		p = strchr(left, '/');
-		s = p ? p : left + left_len;
-		if (s - left >= sizeof(next_token)) {
-			errno = ENAMETOOLONG;
-			return (NULL);
-		}
-		memcpy(next_token, left, s - left);
-		next_token[s - left] = '\0';
-		left_len -= s - left;
-		if (p != NULL)
-			memmove(left, s + 1, left_len + 1);
-		if (resolved[resolved_len - 1] != '/') {
-			if (resolved_len + 1 >= PATH_MAX) {
-				errno = ENAMETOOLONG;
-				return (NULL);
-			}
-			resolved[resolved_len++] = '/';
-			resolved[resolved_len] = '\0';
-		}
-		if (next_token[0] == '\0')
-			continue;
-		else if (strcmp(next_token, ".") == 0)
-			continue;
-		else if (strcmp(next_token, "..") == 0) {
-			/*
-			 * Strip the last path component except when we have
-			 * single "/"
-			 */
-			if (resolved_len > 1) {
-				resolved[resolved_len - 1] = '\0';
-				q = strrchr(resolved, '/') + 1;
-				*q = '\0';
-				resolved_len = q - resolved;
-			}
-			continue;
-		}
-
-		/*
-		 * Append the next path component and lstat() it. If
-		 * lstat() fails we still can return successfully if
-		 * there are no more path components left.
-		 */
-		resolved_len = strlcat(resolved, next_token, PATH_MAX);
-		if (resolved_len >= PATH_MAX) {
-			errno = ENAMETOOLONG;
-			return (NULL);
-		}
-		if (lstat(resolved, &sb) != 0) {
-			if (errno == ENOENT && p == NULL) {
-				errno = serrno;
-				return (resolved);
-			}
-			return (NULL);
-		}
-		if (S_ISLNK(sb.st_mode)) {
-			if (symlinks++ > MAXSYMLINKS) {
-				errno = ELOOP;
-				return (NULL);
-			}
-			slen = readlink(resolved, symlink, sizeof(symlink) - 1);
-			if (slen < 0)
-				return (NULL);
-			symlink[slen] = '\0';
-			if (symlink[0] == '/') {
-				resolved[1] = 0;
-				resolved_len = 1;
-			} else if (resolved_len > 1) {
-				/* Strip the last path component. */
-				resolved[resolved_len - 1] = '\0';
-				q = strrchr(resolved, '/') + 1;
-				*q = '\0';
-				resolved_len = q - resolved;
-			}
-
-			/*
-			 * If there are any path components left, then
-			 * append them to symlink. The result is placed
-			 * in `left'.
-			 */
-			if (p != NULL) {
-				if (symlink[slen - 1] != '/') {
-					if (slen + 1 >= sizeof(symlink)) {
-						errno = ENAMETOOLONG;
-						return (NULL);
-					}
-					symlink[slen] = '/';
-					symlink[slen + 1] = 0;
-				}
-				left_len = strlcat(symlink, left, sizeof(left));
-				if (left_len >= sizeof(left)) {
-					errno = ENAMETOOLONG;
-					return (NULL);
-				}
-			}
-			left_len = strlcpy(left, symlink, sizeof(left));
-		}
-	}
-
-	/*
-	 * Remove trailing slash except when the resolved pathname
-	 * is a single "/".
-	 */
-	if (resolved_len > 1 && resolved[resolved_len - 1] == '/')
-		resolved[resolved_len - 1] = '\0';
-	return (resolved);
-}
-#endif /* !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH) */
diff --git a/crypto/openssh/openbsd-compat/regress/Makefile.in b/crypto/openssh/openbsd-compat/regress/Makefile.in
deleted file mode 100644
index bcf214b..0000000
--- a/crypto/openssh/openbsd-compat/regress/Makefile.in
+++ /dev/null
@@ -1,38 +0,0 @@
-# $Id: Makefile.in,v 1.4 2006/08/19 09:12:14 dtucker Exp $
-
-sysconfdir=@sysconfdir@
-piddir=@piddir@
-srcdir=@srcdir@
-top_srcdir=@top_srcdir@
-
-VPATH=@srcdir@
-CC=@CC@
-LD=@LD@
-CFLAGS=@CFLAGS@
-CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
-EXEEXT=@EXEEXT@
-LIBCOMPAT=../libopenbsd-compat.a
-LIBS=@LIBS@
-LDFLAGS=@LDFLAGS@ $(LIBCOMPAT)
-
-TESTPROGS=closefromtest$(EXEEXT) snprintftest$(EXEEXT) strduptest$(EXEEXT) \
-	strtonumtest$(EXEEXT)
-
-all:	t-exec ${OTHERTESTS}
-
-%$(EXEEXT):	%.c
-	$(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $@ $< $(LIBCOMPAT) $(LIBS)
-
-t-exec:	$(TESTPROGS)
-	@echo running compat regress tests
-	@for TEST in ""$?; do \
-		echo "run test $${TEST}" ... 1>&2; \
-		./$${TEST}$(EXEEXT) || exit $$? ; \
-	done
-	@echo finished compat regress tests
-
-clean:
-	rm -f *.o *.a core $(TESTPROGS) valid.out
-
-distclean: clean
-	rm -f Makefile *~
diff --git a/crypto/openssh/openbsd-compat/regress/closefromtest.c b/crypto/openssh/openbsd-compat/regress/closefromtest.c
deleted file mode 100644
index feb1b56..0000000
--- a/crypto/openssh/openbsd-compat/regress/closefromtest.c
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * Copyright (c) 2006 Darren Tucker
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <sys/types.h>
-#include <sys/stat.h>
-
-#include <fcntl.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-
-#define NUM_OPENS 10
-
-void
-fail(char *msg)
-{
-	fprintf(stderr, "closefrom: %s\n", msg);
-	exit(1);
-}
-
-int
-main(void)
-{
-	int i, max, fds[NUM_OPENS];
-	char buf[512];
-
-	for (i = 0; i < NUM_OPENS; i++)
-		if ((fds[i] = open("/dev/null", "r")) == -1)
-			exit(0);	/* can't test */
-	max = i - 1;
-
-	/* should close last fd only */
-	closefrom(fds[max]);
-	if (close(fds[max]) != -1)
-		fail("failed to close highest fd");
-
-	/* make sure we can still use remaining descriptors */
-	for (i = 0; i < max; i++)
-		if (read(fds[i], buf, sizeof(buf)) == -1)
-			fail("closed descriptors it should not have");
-
-	/* should close all fds */
-	closefrom(fds[0]);
-	for (i = 0; i < NUM_OPENS; i++)
-		if (close(fds[i]) != -1)
-			fail("failed to close from lowest fd");
-}
diff --git a/crypto/openssh/openbsd-compat/regress/snprintftest.c b/crypto/openssh/openbsd-compat/regress/snprintftest.c
deleted file mode 100644
index 4ca63e1..0000000
--- a/crypto/openssh/openbsd-compat/regress/snprintftest.c
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- * Copyright (c) 2005 Darren Tucker
- * Copyright (c) 2005 Damien Miller
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#define BUFSZ 2048
-
-#include <sys/types.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <stdarg.h>
-#include <string.h>
-
-static int failed = 0;
-
-static void
-fail(const char *m)
-{
-	fprintf(stderr, "snprintftest: %s\n", m);
-	failed = 1;
-}
-
-int x_snprintf(char *str, size_t count, const char *fmt, ...)
-{
-	size_t ret;
-	va_list ap;
-
-	va_start(ap, fmt);
-	ret = vsnprintf(str, count, fmt, ap);
-	va_end(ap);
-	return ret;
-}
-
-int
-main(void)
-{
-	char b[5];
-	char *src;
-
-	snprintf(b,5,"123456789");
-	if (b[4] != '\0')
-		fail("snprintf does not correctly terminate long strings");
-
-	/* check for read overrun on unterminated string */
-	if ((src = malloc(BUFSZ)) == NULL) {
-		fail("malloc failed");
-	} else {
-		memset(src, 'a', BUFSZ);
-		snprintf(b, sizeof(b), "%.*s", 1, src);
-		if (strcmp(b, "a") != 0)
-			fail("failed with length limit '%%.s'");
-	}
-
-	/* check that snprintf and vsnprintf return sane values */
-	if (snprintf(b, 1, "%s %d", "hello", 12345) != 11)
-		fail("snprintf does not return required length");
-	if (x_snprintf(b, 1, "%s %d", "hello", 12345) != 11)
-		fail("vsnprintf does not return required length");
-
-	return failed;
-}
diff --git a/crypto/openssh/openbsd-compat/regress/strduptest.c b/crypto/openssh/openbsd-compat/regress/strduptest.c
deleted file mode 100644
index 7f6d779..0000000
--- a/crypto/openssh/openbsd-compat/regress/strduptest.c
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright (c) 2005 Darren Tucker
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <stdlib.h>
-#include <string.h>
-
-static int fail = 0;
-
-void
-test(const char *a)
-{
-	char *b;
-
-	b = strdup(a);
-	if (b == 0) {
-		fail = 1;
-		return;
-	}
-	if (strcmp(a, b) != 0)
-		fail = 1;
-	free(b);
-}
-
-int
-main(void)
-{
-	test("");
-	test("a");
-	test("\0");
-	test("abcdefghijklmnopqrstuvwxyz");
-	return fail;
-}
diff --git a/crypto/openssh/openbsd-compat/regress/strtonumtest.c b/crypto/openssh/openbsd-compat/regress/strtonumtest.c
deleted file mode 100644
index cb85851..0000000
--- a/crypto/openssh/openbsd-compat/regress/strtonumtest.c
+++ /dev/null
@@ -1,66 +0,0 @@
-/*	$OpenBSD: strtonumtest.c,v 1.1 2004/08/03 20:38:36 otto Exp $	*/
-/*
- * Copyright (c) 2004 Otto Moerbeek <otto@drijf.net>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* OPENBSD ORIGINAL: regress/lib/libc/strtonum/strtonumtest.c */
-
-#include <limits.h>
-#include <stdio.h>
-#include <stdlib.h>
-
-int fail;
-
-void
-test(const char *p, long long lb, long long ub, int ok)
-{
-	long long val;
-	const char *q;
-
-	val = strtonum(p, lb, ub, &q);
-	if (ok && q != NULL) {
-		fprintf(stderr, "%s [%lld-%lld] ", p, lb, ub);
-		fprintf(stderr, "NUMBER NOT ACCEPTED %s\n", q);
-		fail = 1;
-	} else if (!ok && q == NULL) {
-		fprintf(stderr, "%s [%lld-%lld] %lld ", p, lb, ub, val);
-		fprintf(stderr, "NUMBER ACCEPTED\n");
-		fail = 1;
-	}
-}
-
-int main(int argc, char *argv[])
-{
-	test("1", 0, 10, 1);
-	test("0", -2, 5, 1);
-	test("0", 2, 5, 0);
-	test("0", 2, LLONG_MAX, 0);
-	test("-2", 0, LLONG_MAX, 0);
-	test("0", -5, LLONG_MAX, 1);
-	test("-3", -3, LLONG_MAX, 1);
-	test("-9223372036854775808", LLONG_MIN, LLONG_MAX, 1);
-	test("9223372036854775807", LLONG_MIN, LLONG_MAX, 1);
-	test("-9223372036854775809", LLONG_MIN, LLONG_MAX, 0);
-	test("9223372036854775808", LLONG_MIN, LLONG_MAX, 0);
-	test("1000000000000000000000000", LLONG_MIN, LLONG_MAX, 0);
-	test("-1000000000000000000000000", LLONG_MIN, LLONG_MAX, 0);
-	test("-2", 10, -1, 0);
-	test("-2", -10, -1, 1);
-	test("-20", -10, -1, 0);
-	test("20", -10, -1, 0);
-
-	return (fail);
-}
-
diff --git a/crypto/openssh/openbsd-compat/rresvport.c b/crypto/openssh/openbsd-compat/rresvport.c
deleted file mode 100644
index 5b0275c..0000000
--- a/crypto/openssh/openbsd-compat/rresvport.c
+++ /dev/null
@@ -1,107 +0,0 @@
-/* $OpenBSD: rresvport.c,v 1.9 2005/11/10 10:00:17 espie Exp $ */
-/*
- * Copyright (c) 1995, 1996, 1998 Theo de Raadt.  All rights reserved.
- * Copyright (c) 1983, 1993, 1994
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* OPENBSD ORIGINAL: lib/libc/net/rresvport.c */
-
-#include "includes.h"
-
-#ifndef HAVE_RRESVPORT_AF
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include <errno.h>
-#include <stdlib.h>
-#include <string.h>
-
-#if 0
-int
-rresvport(int *alport)
-{
-	return rresvport_af(alport, AF_INET);
-}
-#endif
-
-int
-rresvport_af(int *alport, sa_family_t af)
-{
-	struct sockaddr_storage ss;
-	struct sockaddr *sa;
-	u_int16_t *portp;
-	int s;
-	socklen_t salen;
-
-	memset(&ss, '\0', sizeof ss);
-	sa = (struct sockaddr *)&ss;
-
-	switch (af) {
-	case AF_INET:
-		salen = sizeof(struct sockaddr_in);
-		portp = &((struct sockaddr_in *)sa)->sin_port;
-		break;
-	case AF_INET6:
-		salen = sizeof(struct sockaddr_in6);
-		portp = &((struct sockaddr_in6 *)sa)->sin6_port;
-		break;
-	default:
-		errno = EPFNOSUPPORT;
-		return (-1);
-	}
-	sa->sa_family = af;
-	
-	s = socket(af, SOCK_STREAM, 0);
-	if (s < 0)
-		return (-1);
-
-	*portp = htons(*alport);
-	if (*alport < IPPORT_RESERVED - 1) {
-		if (bind(s, sa, salen) >= 0)
-			return (s);
-		if (errno != EADDRINUSE) {
-			(void)close(s);
-			return (-1);
-		}
-	}
-
-	*portp = 0;
-	sa->sa_family = af;
-	if (bindresvport_sa(s, sa) == -1) {
-		(void)close(s);
-		return (-1);
-	}
-	*alport = ntohs(*portp);
-	return (s);
-}
-
-#endif /* HAVE_RRESVPORT_AF */
diff --git a/crypto/openssh/openbsd-compat/setenv.c b/crypto/openssh/openbsd-compat/setenv.c
deleted file mode 100644
index b52a99c..0000000
--- a/crypto/openssh/openbsd-compat/setenv.c
+++ /dev/null
@@ -1,145 +0,0 @@
-/*	$OpenBSD: setenv.c,v 1.9 2005/08/08 08:05:37 espie Exp $ */
-/*
- * Copyright (c) 1987 Regents of the University of California.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* OPENBSD ORIGINAL: lib/libc/stdlib/setenv.c */
-
-#include "includes.h"
-#if !defined(HAVE_SETENV) || !defined(HAVE_UNSETENV)
-
-#include <stdlib.h>
-#include <string.h>
-
-extern char **environ;
-
-/* OpenSSH Portable: __findenv is from getenv.c rev 1.8, made static */
-/*
- * __findenv --
- *	Returns pointer to value associated with name, if any, else NULL.
- *	Sets offset to be the offset of the name/value combination in the
- *	environmental array, for use by setenv(3) and unsetenv(3).
- *	Explicitly removes '=' in argument name.
- */
-static char *
-__findenv(const char *name, int *offset)
-{
-	extern char **environ;
-	int len, i;
-	const char *np;
-	char **p, *cp;
-
-	if (name == NULL || environ == NULL)
-		return (NULL);
-	for (np = name; *np && *np != '='; ++np)
-		;
-	len = np - name;
-	for (p = environ; (cp = *p) != NULL; ++p) {
-		for (np = name, i = len; i && *cp; i--)
-			if (*cp++ != *np++)
-				break;
-		if (i == 0 && *cp++ == '=') {
-			*offset = p - environ;
-			return (cp);
-		}
-	}
-	return (NULL);
-}
-
-#ifndef HAVE_SETENV
-/*
- * setenv --
- *	Set the value of the environmental variable "name" to be
- *	"value".  If rewrite is set, replace any current value.
- */
-int
-setenv(const char *name, const char *value, int rewrite)
-{
-	static char **lastenv;			/* last value of environ */
-	char *C;
-	int l_value, offset;
-
-	if (*value == '=')			/* no `=' in value */
-		++value;
-	l_value = strlen(value);
-	if ((C = __findenv(name, &offset))) {	/* find if already exists */
-		if (!rewrite)
-			return (0);
-		if (strlen(C) >= l_value) {	/* old larger; copy over */
-			while ((*C++ = *value++))
-				;
-			return (0);
-		}
-	} else {					/* create new slot */
-		size_t cnt;
-		char **P;
-
-		for (P = environ; *P != NULL; P++)
-			;
-		cnt = P - environ;
-		P = (char **)realloc(lastenv, sizeof(char *) * (cnt + 2));
-		if (!P)
-			return (-1);
-		if (lastenv != environ)
-			memcpy(P, environ, cnt * sizeof(char *));
-		lastenv = environ = P;
-		offset = cnt;
-		environ[cnt + 1] = NULL;
-	}
-	for (C = (char *)name; *C && *C != '='; ++C)
-		;				/* no `=' in name */
-	if (!(environ[offset] =			/* name + `=' + value */
-	    malloc((size_t)((int)(C - name) + l_value + 2))))
-		return (-1);
-	for (C = environ[offset]; (*C = *name++) && *C != '='; ++C)
-		;
-	for (*C++ = '='; (*C++ = *value++); )
-		;
-	return (0);
-}
-#endif /* HAVE_SETENV */
-
-#ifndef HAVE_UNSETENV
-/*
- * unsetenv(name) --
- *	Delete environmental variable "name".
- */
-void
-unsetenv(const char *name)
-{
-	char **P;
-	int offset;
-
-	while (__findenv(name, &offset))	/* if set multiple times */
-		for (P = &environ[offset];; ++P)
-			if (!(*P = *(P + 1)))
-				break;
-}
-#endif /* HAVE_UNSETENV */
-
-#endif /* !defined(HAVE_SETENV) || !defined(HAVE_UNSETENV) */
diff --git a/crypto/openssh/openbsd-compat/setproctitle.c b/crypto/openssh/openbsd-compat/setproctitle.c
deleted file mode 100644
index b511f66..0000000
--- a/crypto/openssh/openbsd-compat/setproctitle.c
+++ /dev/null
@@ -1,160 +0,0 @@
-/* Based on conf.c from UCB sendmail 8.8.8 */
-
-/*
- * Copyright 2003 Damien Miller
- * Copyright (c) 1983, 1995-1997 Eric P. Allman
- * Copyright (c) 1988, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#ifndef HAVE_SETPROCTITLE
-
-#include <stdarg.h>
-#include <stdlib.h>
-#include <unistd.h>
-#ifdef HAVE_SYS_PSTAT_H
-#include <sys/pstat.h>
-#endif
-#include <string.h>
-
-#define SPT_NONE	0	/* don't use it at all */
-#define SPT_PSTAT	1	/* use pstat(PSTAT_SETCMD, ...) */
-#define SPT_REUSEARGV	2	/* cover argv with title information */
-
-#ifndef SPT_TYPE
-# define SPT_TYPE	SPT_NONE
-#endif
-
-#ifndef SPT_PADCHAR
-# define SPT_PADCHAR	'\0'
-#endif
-
-#if SPT_TYPE == SPT_REUSEARGV
-static char *argv_start = NULL;
-static size_t argv_env_len = 0;
-#endif
-
-#endif /* HAVE_SETPROCTITLE */
-
-void
-compat_init_setproctitle(int argc, char *argv[])
-{
-#if defined(SPT_TYPE) && SPT_TYPE == SPT_REUSEARGV
-	extern char **environ;
-	char *lastargv = NULL;
-	char **envp = environ;
-	int i;
-
-	/*
-	 * NB: This assumes that argv has already been copied out of the
-	 * way. This is true for sshd, but may not be true for other 
-	 * programs. Beware.
-	 */
-
-	if (argc == 0 || argv[0] == NULL)
-		return;
-
-	/* Fail if we can't allocate room for the new environment */
-	for (i = 0; envp[i] != NULL; i++)
-		;
-	if ((environ = calloc(i + 1, sizeof(*environ))) == NULL) {
-		environ = envp;	/* put it back */
-		return;
-	}
-
-	/*
-	 * Find the last argv string or environment variable within 
-	 * our process memory area.
-	 */
-	for (i = 0; i < argc; i++) {
-		if (lastargv == NULL || lastargv + 1 == argv[i])
-			lastargv = argv[i] + strlen(argv[i]);
-	}
-	for (i = 0; envp[i] != NULL; i++) {
-		if (lastargv + 1 == envp[i])
-			lastargv = envp[i] + strlen(envp[i]);
-	}
-
-	argv[1] = NULL;
-	argv_start = argv[0];
-	argv_env_len = lastargv - argv[0] - 1;
-
-	/* 
-	 * Copy environment 
-	 * XXX - will truncate env on strdup fail
-	 */
-	for (i = 0; envp[i] != NULL; i++)
-		environ[i] = strdup(envp[i]);
-	environ[i] = NULL;
-#endif /* SPT_REUSEARGV */
-}
-
-#ifndef HAVE_SETPROCTITLE
-void
-setproctitle(const char *fmt, ...)
-{
-#if SPT_TYPE != SPT_NONE
-	va_list ap;
-	char buf[1024];
-	size_t len;
-	extern char *__progname;
-#if SPT_TYPE == SPT_PSTAT
-	union pstun pst;
-#endif
-
-#if SPT_TYPE == SPT_REUSEARGV
-	if (argv_env_len <= 0)
-		return;
-#endif
-
-	strlcpy(buf, __progname, sizeof(buf));
-
-	va_start(ap, fmt);
-	if (fmt != NULL) {
-		len = strlcat(buf, ": ", sizeof(buf));
-		if (len < sizeof(buf))
-			vsnprintf(buf + len, sizeof(buf) - len , fmt, ap);
-	}
-	va_end(ap);
-
-#if SPT_TYPE == SPT_PSTAT
-	pst.pst_command = buf;
-	pstat(PSTAT_SETCMD, pst, strlen(buf), 0, 0);
-#elif SPT_TYPE == SPT_REUSEARGV
-/*	debug("setproctitle: copy \"%s\" into len %d", 
-	    buf, argv_env_len); */
-	len = strlcpy(argv_start, buf, argv_env_len);
-	for(; len < argv_env_len; len++)
-		argv_start[len] = SPT_PADCHAR;
-#endif
-
-#endif /* SPT_NONE */
-}
-
-#endif /* HAVE_SETPROCTITLE */
diff --git a/crypto/openssh/openbsd-compat/sha2.c b/crypto/openssh/openbsd-compat/sha2.c
deleted file mode 100755
index cf8e0ad6..0000000
--- a/crypto/openssh/openbsd-compat/sha2.c
+++ /dev/null
@@ -1,882 +0,0 @@
-/*	$OpenBSD: sha2.c,v 1.11 2005/08/08 08:05:35 espie Exp $	*/
-
-/*
- * FILE:	sha2.c
- * AUTHOR:	Aaron D. Gifford <me@aarongifford.com>
- * 
- * Copyright (c) 2000-2001, Aaron D. Gifford
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the copyright holder nor the names of contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- * 
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
- */
-
-/* OPENBSD ORIGINAL: lib/libc/hash/sha2.c */
-
-#include "includes.h"
-
-#include <openssl/opensslv.h>
-
-#if !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
-    (OPENSSL_VERSION_NUMBER >= 0x00907000L)
-#include <sys/types.h>
-#include <string.h>
-#include "sha2.h"
-
-/*
- * UNROLLED TRANSFORM LOOP NOTE:
- * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
- * loop version for the hash transform rounds (defined using macros
- * later in this file).  Either define on the command line, for example:
- *
- *   cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
- *
- * or define below:
- *
- *   #define SHA2_UNROLL_TRANSFORM
- *
- */
-
-/*** SHA-256/384/512 Machine Architecture Definitions *****************/
-/*
- * BYTE_ORDER NOTE:
- *
- * Please make sure that your system defines BYTE_ORDER.  If your
- * architecture is little-endian, make sure it also defines
- * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
- * equivilent.
- *
- * If your system does not define the above, then you can do so by
- * hand like this:
- *
- *   #define LITTLE_ENDIAN 1234
- *   #define BIG_ENDIAN    4321
- *
- * And for little-endian machines, add:
- *
- *   #define BYTE_ORDER LITTLE_ENDIAN 
- *
- * Or for big-endian machines:
- *
- *   #define BYTE_ORDER BIG_ENDIAN
- *
- * The FreeBSD machine this was written on defines BYTE_ORDER
- * appropriately by including <sys/types.h> (which in turn includes
- * <machine/endian.h> where the appropriate definitions are actually
- * made).
- */
-#if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
-#error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
-#endif
-
-
-/*** SHA-256/384/512 Various Length Definitions ***********************/
-/* NOTE: Most of these are in sha2.h */
-#define SHA256_SHORT_BLOCK_LENGTH	(SHA256_BLOCK_LENGTH - 8)
-#define SHA384_SHORT_BLOCK_LENGTH	(SHA384_BLOCK_LENGTH - 16)
-#define SHA512_SHORT_BLOCK_LENGTH	(SHA512_BLOCK_LENGTH - 16)
-
-/*** ENDIAN SPECIFIC COPY MACROS **************************************/
-#define BE_8_TO_32(dst, cp) do {					\
-	(dst) = (u_int32_t)(cp)[3] | ((u_int32_t)(cp)[2] << 8) |	\
-	    ((u_int32_t)(cp)[1] << 16) | ((u_int32_t)(cp)[0] << 24);	\
-} while(0)
-
-#define BE_8_TO_64(dst, cp) do {					\
-	(dst) = (u_int64_t)(cp)[7] | ((u_int64_t)(cp)[6] << 8) |	\
-	    ((u_int64_t)(cp)[5] << 16) | ((u_int64_t)(cp)[4] << 24) |	\
-	    ((u_int64_t)(cp)[3] << 32) | ((u_int64_t)(cp)[2] << 40) |	\
-	    ((u_int64_t)(cp)[1] << 48) | ((u_int64_t)(cp)[0] << 56);	\
-} while (0)
-
-#define BE_64_TO_8(cp, src) do {					\
-	(cp)[0] = (src) >> 56;						\
-        (cp)[1] = (src) >> 48;						\
-	(cp)[2] = (src) >> 40;						\
-	(cp)[3] = (src) >> 32;						\
-	(cp)[4] = (src) >> 24;						\
-	(cp)[5] = (src) >> 16;						\
-	(cp)[6] = (src) >> 8;						\
-	(cp)[7] = (src);						\
-} while (0)
-
-#define BE_32_TO_8(cp, src) do {					\
-	(cp)[0] = (src) >> 24;						\
-	(cp)[1] = (src) >> 16;						\
-	(cp)[2] = (src) >> 8;						\
-	(cp)[3] = (src);						\
-} while (0)
-
-/*
- * Macro for incrementally adding the unsigned 64-bit integer n to the
- * unsigned 128-bit integer (represented using a two-element array of
- * 64-bit words):
- */
-#define ADDINC128(w,n) do {						\
-	(w)[0] += (u_int64_t)(n);					\
-	if ((w)[0] < (n)) {						\
-		(w)[1]++;						\
-	}								\
-} while (0)
-
-/*** THE SIX LOGICAL FUNCTIONS ****************************************/
-/*
- * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
- *
- *   NOTE:  The naming of R and S appears backwards here (R is a SHIFT and
- *   S is a ROTATION) because the SHA-256/384/512 description document
- *   (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
- *   same "backwards" definition.
- */
-/* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
-#define R(b,x) 		((x) >> (b))
-/* 32-bit Rotate-right (used in SHA-256): */
-#define S32(b,x)	(((x) >> (b)) | ((x) << (32 - (b))))
-/* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
-#define S64(b,x)	(((x) >> (b)) | ((x) << (64 - (b))))
-
-/* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
-#define Ch(x,y,z)	(((x) & (y)) ^ ((~(x)) & (z)))
-#define Maj(x,y,z)	(((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
-
-/* Four of six logical functions used in SHA-256: */
-#define Sigma0_256(x)	(S32(2,  (x)) ^ S32(13, (x)) ^ S32(22, (x)))
-#define Sigma1_256(x)	(S32(6,  (x)) ^ S32(11, (x)) ^ S32(25, (x)))
-#define sigma0_256(x)	(S32(7,  (x)) ^ S32(18, (x)) ^ R(3 ,   (x)))
-#define sigma1_256(x)	(S32(17, (x)) ^ S32(19, (x)) ^ R(10,   (x)))
-
-/* Four of six logical functions used in SHA-384 and SHA-512: */
-#define Sigma0_512(x)	(S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
-#define Sigma1_512(x)	(S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
-#define sigma0_512(x)	(S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7,   (x)))
-#define sigma1_512(x)	(S64(19, (x)) ^ S64(61, (x)) ^ R( 6,   (x)))
-
-
-/*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
-/* Hash constant words K for SHA-256: */
-const static u_int32_t K256[64] = {
-	0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
-	0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
-	0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
-	0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
-	0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
-	0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
-	0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
-	0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
-	0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
-	0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
-	0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
-	0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
-	0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
-	0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
-	0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
-	0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
-};
-
-/* Initial hash value H for SHA-256: */
-const static u_int32_t sha256_initial_hash_value[8] = {
-	0x6a09e667UL,
-	0xbb67ae85UL,
-	0x3c6ef372UL,
-	0xa54ff53aUL,
-	0x510e527fUL,
-	0x9b05688cUL,
-	0x1f83d9abUL,
-	0x5be0cd19UL
-};
-
-/* Hash constant words K for SHA-384 and SHA-512: */
-const static u_int64_t K512[80] = {
-	0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
-	0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
-	0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
-	0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
-	0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
-	0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
-	0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
-	0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
-	0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
-	0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
-	0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
-	0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
-	0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
-	0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
-	0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
-	0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
-	0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
-	0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
-	0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
-	0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
-	0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
-	0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
-	0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
-	0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
-	0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
-	0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
-	0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
-	0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
-	0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
-	0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
-	0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
-	0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
-	0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
-	0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
-	0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
-	0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
-	0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
-	0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
-	0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
-	0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
-};
-
-/* Initial hash value H for SHA-384 */
-const static u_int64_t sha384_initial_hash_value[8] = {
-	0xcbbb9d5dc1059ed8ULL,
-	0x629a292a367cd507ULL,
-	0x9159015a3070dd17ULL,
-	0x152fecd8f70e5939ULL,
-	0x67332667ffc00b31ULL,
-	0x8eb44a8768581511ULL,
-	0xdb0c2e0d64f98fa7ULL,
-	0x47b5481dbefa4fa4ULL
-};
-
-/* Initial hash value H for SHA-512 */
-const static u_int64_t sha512_initial_hash_value[8] = {
-	0x6a09e667f3bcc908ULL,
-	0xbb67ae8584caa73bULL,
-	0x3c6ef372fe94f82bULL,
-	0xa54ff53a5f1d36f1ULL,
-	0x510e527fade682d1ULL,
-	0x9b05688c2b3e6c1fULL,
-	0x1f83d9abfb41bd6bULL,
-	0x5be0cd19137e2179ULL
-};
-
-
-/*** SHA-256: *********************************************************/
-void
-SHA256_Init(SHA256_CTX *context)
-{
-	if (context == NULL)
-		return;
-	memcpy(context->state, sha256_initial_hash_value,
-	    sizeof(sha256_initial_hash_value));
-	memset(context->buffer, 0, sizeof(context->buffer));
-	context->bitcount = 0;
-}
-
-#ifdef SHA2_UNROLL_TRANSFORM
-
-/* Unrolled SHA-256 round macros: */
-
-#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do {				    \
-	BE_8_TO_32(W256[j], data);					    \
-	data += 4;							    \
-	T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \
-	(d) += T1;							    \
-	(h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c));		    \
-	j++;								    \
-} while(0)
-
-#define ROUND256(a,b,c,d,e,f,g,h) do {					    \
-	s0 = W256[(j+1)&0x0f];						    \
-	s0 = sigma0_256(s0);						    \
-	s1 = W256[(j+14)&0x0f];						    \
-	s1 = sigma1_256(s1);						    \
-	T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] +	    \
-	     (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);		    \
-	(d) += T1;							    \
-	(h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c));		    \
-	j++;								    \
-} while(0)
-
-void
-SHA256_Transform(u_int32_t state[8], const u_int8_t data[SHA256_BLOCK_LENGTH])
-{
-	u_int32_t	a, b, c, d, e, f, g, h, s0, s1;
-	u_int32_t	T1, W256[16];
-	int		j;
-
-	/* Initialize registers with the prev. intermediate value */
-	a = state[0];
-	b = state[1];
-	c = state[2];
-	d = state[3];
-	e = state[4];
-	f = state[5];
-	g = state[6];
-	h = state[7];
-
-	j = 0;
-	do {
-		/* Rounds 0 to 15 (unrolled): */
-		ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
-		ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
-		ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
-		ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
-		ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
-		ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
-		ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
-		ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
-	} while (j < 16);
-
-	/* Now for the remaining rounds up to 63: */
-	do {
-		ROUND256(a,b,c,d,e,f,g,h);
-		ROUND256(h,a,b,c,d,e,f,g);
-		ROUND256(g,h,a,b,c,d,e,f);
-		ROUND256(f,g,h,a,b,c,d,e);
-		ROUND256(e,f,g,h,a,b,c,d);
-		ROUND256(d,e,f,g,h,a,b,c);
-		ROUND256(c,d,e,f,g,h,a,b);
-		ROUND256(b,c,d,e,f,g,h,a);
-	} while (j < 64);
-
-	/* Compute the current intermediate hash value */
-	state[0] += a;
-	state[1] += b;
-	state[2] += c;
-	state[3] += d;
-	state[4] += e;
-	state[5] += f;
-	state[6] += g;
-	state[7] += h;
-
-	/* Clean up */
-	a = b = c = d = e = f = g = h = T1 = 0;
-}
-
-#else /* SHA2_UNROLL_TRANSFORM */
-
-void
-SHA256_Transform(u_int32_t state[8], const u_int8_t data[SHA256_BLOCK_LENGTH])
-{
-	u_int32_t	a, b, c, d, e, f, g, h, s0, s1;
-	u_int32_t	T1, T2, W256[16];
-	int		j;
-
-	/* Initialize registers with the prev. intermediate value */
-	a = state[0];
-	b = state[1];
-	c = state[2];
-	d = state[3];
-	e = state[4];
-	f = state[5];
-	g = state[6];
-	h = state[7];
-
-	j = 0;
-	do {
-		BE_8_TO_32(W256[j], data);
-		data += 4;
-		/* Apply the SHA-256 compression function to update a..h */
-		T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
-		T2 = Sigma0_256(a) + Maj(a, b, c);
-		h = g;
-		g = f;
-		f = e;
-		e = d + T1;
-		d = c;
-		c = b;
-		b = a;
-		a = T1 + T2;
-
-		j++;
-	} while (j < 16);
-
-	do {
-		/* Part of the message block expansion: */
-		s0 = W256[(j+1)&0x0f];
-		s0 = sigma0_256(s0);
-		s1 = W256[(j+14)&0x0f];	
-		s1 = sigma1_256(s1);
-
-		/* Apply the SHA-256 compression function to update a..h */
-		T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + 
-		     (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
-		T2 = Sigma0_256(a) + Maj(a, b, c);
-		h = g;
-		g = f;
-		f = e;
-		e = d + T1;
-		d = c;
-		c = b;
-		b = a;
-		a = T1 + T2;
-
-		j++;
-	} while (j < 64);
-
-	/* Compute the current intermediate hash value */
-	state[0] += a;
-	state[1] += b;
-	state[2] += c;
-	state[3] += d;
-	state[4] += e;
-	state[5] += f;
-	state[6] += g;
-	state[7] += h;
-
-	/* Clean up */
-	a = b = c = d = e = f = g = h = T1 = T2 = 0;
-}
-
-#endif /* SHA2_UNROLL_TRANSFORM */
-
-void
-SHA256_Update(SHA256_CTX *context, const u_int8_t *data, size_t len)
-{
-	size_t	freespace, usedspace;
-
-	/* Calling with no data is valid (we do nothing) */
-	if (len == 0)
-		return;
-
-	usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
-	if (usedspace > 0) {
-		/* Calculate how much free space is available in the buffer */
-		freespace = SHA256_BLOCK_LENGTH - usedspace;
-
-		if (len >= freespace) {
-			/* Fill the buffer completely and process it */
-			memcpy(&context->buffer[usedspace], data, freespace);
-			context->bitcount += freespace << 3;
-			len -= freespace;
-			data += freespace;
-			SHA256_Transform(context->state, context->buffer);
-		} else {
-			/* The buffer is not yet full */
-			memcpy(&context->buffer[usedspace], data, len);
-			context->bitcount += len << 3;
-			/* Clean up: */
-			usedspace = freespace = 0;
-			return;
-		}
-	}
-	while (len >= SHA256_BLOCK_LENGTH) {
-		/* Process as many complete blocks as we can */
-		SHA256_Transform(context->state, data);
-		context->bitcount += SHA256_BLOCK_LENGTH << 3;
-		len -= SHA256_BLOCK_LENGTH;
-		data += SHA256_BLOCK_LENGTH;
-	}
-	if (len > 0) {
-		/* There's left-overs, so save 'em */
-		memcpy(context->buffer, data, len);
-		context->bitcount += len << 3;
-	}
-	/* Clean up: */
-	usedspace = freespace = 0;
-}
-
-void
-SHA256_Pad(SHA256_CTX *context)
-{
-	unsigned int	usedspace;
-
-	usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
-	if (usedspace > 0) {
-		/* Begin padding with a 1 bit: */
-		context->buffer[usedspace++] = 0x80;
-
-		if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
-			/* Set-up for the last transform: */
-			memset(&context->buffer[usedspace], 0,
-			    SHA256_SHORT_BLOCK_LENGTH - usedspace);
-		} else {
-			if (usedspace < SHA256_BLOCK_LENGTH) {
-				memset(&context->buffer[usedspace], 0,
-				    SHA256_BLOCK_LENGTH - usedspace);
-			}
-			/* Do second-to-last transform: */
-			SHA256_Transform(context->state, context->buffer);
-
-			/* Prepare for last transform: */
-			memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH);
-		}
-	} else {
-		/* Set-up for the last transform: */
-		memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH);
-
-		/* Begin padding with a 1 bit: */
-		*context->buffer = 0x80;
-	}
-	/* Store the length of input data (in bits) in big endian format: */
-	BE_64_TO_8(&context->buffer[SHA256_SHORT_BLOCK_LENGTH],
-	    context->bitcount);
-
-	/* Final transform: */
-	SHA256_Transform(context->state, context->buffer);
-
-	/* Clean up: */
-	usedspace = 0;
-}
-
-void
-SHA256_Final(u_int8_t digest[SHA256_DIGEST_LENGTH], SHA256_CTX *context)
-{
-	SHA256_Pad(context);
-
-	/* If no digest buffer is passed, we don't bother doing this: */
-	if (digest != NULL) {
-#if BYTE_ORDER == LITTLE_ENDIAN
-		int	i;
-
-		/* Convert TO host byte order */
-		for (i = 0; i < 8; i++)
-			BE_32_TO_8(digest + i * 4, context->state[i]);
-#else
-		memcpy(digest, context->state, SHA256_DIGEST_LENGTH);
-#endif
-		memset(context, 0, sizeof(*context));
-	}
-}
-
-
-/*** SHA-512: *********************************************************/
-void
-SHA512_Init(SHA512_CTX *context)
-{
-	if (context == NULL)
-		return;
-	memcpy(context->state, sha512_initial_hash_value,
-	    sizeof(sha512_initial_hash_value));
-	memset(context->buffer, 0, sizeof(context->buffer));
-	context->bitcount[0] = context->bitcount[1] =  0;
-}
-
-#ifdef SHA2_UNROLL_TRANSFORM
-
-/* Unrolled SHA-512 round macros: */
-
-#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do {				    \
-	BE_8_TO_64(W512[j], data);					    \
-	data += 8;							    \
-	T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \
-	(d) += T1;							    \
-	(h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c));		    \
-	j++;								    \
-} while(0)
-
-
-#define ROUND512(a,b,c,d,e,f,g,h) do {					    \
-	s0 = W512[(j+1)&0x0f];						    \
-	s0 = sigma0_512(s0);						    \
-	s1 = W512[(j+14)&0x0f];						    \
-	s1 = sigma1_512(s1);						    \
-	T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] +	    \
-             (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);		    \
-	(d) += T1;							    \
-	(h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c));		    \
-	j++;								    \
-} while(0)
-
-void
-SHA512_Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH])
-{
-	u_int64_t	a, b, c, d, e, f, g, h, s0, s1;
-	u_int64_t	T1, W512[16];
-	int		j;
-
-	/* Initialize registers with the prev. intermediate value */
-	a = state[0];
-	b = state[1];
-	c = state[2];
-	d = state[3];
-	e = state[4];
-	f = state[5];
-	g = state[6];
-	h = state[7];
-
-	j = 0;
-	do {
-		/* Rounds 0 to 15 (unrolled): */
-		ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
-		ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
-		ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
-		ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
-		ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
-		ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
-		ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
-		ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
-	} while (j < 16);
-
-	/* Now for the remaining rounds up to 79: */
-	do {
-		ROUND512(a,b,c,d,e,f,g,h);
-		ROUND512(h,a,b,c,d,e,f,g);
-		ROUND512(g,h,a,b,c,d,e,f);
-		ROUND512(f,g,h,a,b,c,d,e);
-		ROUND512(e,f,g,h,a,b,c,d);
-		ROUND512(d,e,f,g,h,a,b,c);
-		ROUND512(c,d,e,f,g,h,a,b);
-		ROUND512(b,c,d,e,f,g,h,a);
-	} while (j < 80);
-
-	/* Compute the current intermediate hash value */
-	state[0] += a;
-	state[1] += b;
-	state[2] += c;
-	state[3] += d;
-	state[4] += e;
-	state[5] += f;
-	state[6] += g;
-	state[7] += h;
-
-	/* Clean up */
-	a = b = c = d = e = f = g = h = T1 = 0;
-}
-
-#else /* SHA2_UNROLL_TRANSFORM */
-
-void
-SHA512_Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH])
-{
-	u_int64_t	a, b, c, d, e, f, g, h, s0, s1;
-	u_int64_t	T1, T2, W512[16];
-	int		j;
-
-	/* Initialize registers with the prev. intermediate value */
-	a = state[0];
-	b = state[1];
-	c = state[2];
-	d = state[3];
-	e = state[4];
-	f = state[5];
-	g = state[6];
-	h = state[7];
-
-	j = 0;
-	do {
-		BE_8_TO_64(W512[j], data);
-		data += 8;
-		/* Apply the SHA-512 compression function to update a..h */
-		T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
-		T2 = Sigma0_512(a) + Maj(a, b, c);
-		h = g;
-		g = f;
-		f = e;
-		e = d + T1;
-		d = c;
-		c = b;
-		b = a;
-		a = T1 + T2;
-
-		j++;
-	} while (j < 16);
-
-	do {
-		/* Part of the message block expansion: */
-		s0 = W512[(j+1)&0x0f];
-		s0 = sigma0_512(s0);
-		s1 = W512[(j+14)&0x0f];
-		s1 =  sigma1_512(s1);
-
-		/* Apply the SHA-512 compression function to update a..h */
-		T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
-		     (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
-		T2 = Sigma0_512(a) + Maj(a, b, c);
-		h = g;
-		g = f;
-		f = e;
-		e = d + T1;
-		d = c;
-		c = b;
-		b = a;
-		a = T1 + T2;
-
-		j++;
-	} while (j < 80);
-
-	/* Compute the current intermediate hash value */
-	state[0] += a;
-	state[1] += b;
-	state[2] += c;
-	state[3] += d;
-	state[4] += e;
-	state[5] += f;
-	state[6] += g;
-	state[7] += h;
-
-	/* Clean up */
-	a = b = c = d = e = f = g = h = T1 = T2 = 0;
-}
-
-#endif /* SHA2_UNROLL_TRANSFORM */
-
-void
-SHA512_Update(SHA512_CTX *context, const u_int8_t *data, size_t len)
-{
-	size_t	freespace, usedspace;
-
-	/* Calling with no data is valid (we do nothing) */
-	if (len == 0)
-		return;
-
-	usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
-	if (usedspace > 0) {
-		/* Calculate how much free space is available in the buffer */
-		freespace = SHA512_BLOCK_LENGTH - usedspace;
-
-		if (len >= freespace) {
-			/* Fill the buffer completely and process it */
-			memcpy(&context->buffer[usedspace], data, freespace);
-			ADDINC128(context->bitcount, freespace << 3);
-			len -= freespace;
-			data += freespace;
-			SHA512_Transform(context->state, context->buffer);
-		} else {
-			/* The buffer is not yet full */
-			memcpy(&context->buffer[usedspace], data, len);
-			ADDINC128(context->bitcount, len << 3);
-			/* Clean up: */
-			usedspace = freespace = 0;
-			return;
-		}
-	}
-	while (len >= SHA512_BLOCK_LENGTH) {
-		/* Process as many complete blocks as we can */
-		SHA512_Transform(context->state, data);
-		ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
-		len -= SHA512_BLOCK_LENGTH;
-		data += SHA512_BLOCK_LENGTH;
-	}
-	if (len > 0) {
-		/* There's left-overs, so save 'em */
-		memcpy(context->buffer, data, len);
-		ADDINC128(context->bitcount, len << 3);
-	}
-	/* Clean up: */
-	usedspace = freespace = 0;
-}
-
-void
-SHA512_Pad(SHA512_CTX *context)
-{
-	unsigned int	usedspace;
-
-	usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
-	if (usedspace > 0) {
-		/* Begin padding with a 1 bit: */
-		context->buffer[usedspace++] = 0x80;
-
-		if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
-			/* Set-up for the last transform: */
-			memset(&context->buffer[usedspace], 0, SHA512_SHORT_BLOCK_LENGTH - usedspace);
-		} else {
-			if (usedspace < SHA512_BLOCK_LENGTH) {
-				memset(&context->buffer[usedspace], 0, SHA512_BLOCK_LENGTH - usedspace);
-			}
-			/* Do second-to-last transform: */
-			SHA512_Transform(context->state, context->buffer);
-
-			/* And set-up for the last transform: */
-			memset(context->buffer, 0, SHA512_BLOCK_LENGTH - 2);
-		}
-	} else {
-		/* Prepare for final transform: */
-		memset(context->buffer, 0, SHA512_SHORT_BLOCK_LENGTH);
-
-		/* Begin padding with a 1 bit: */
-		*context->buffer = 0x80;
-	}
-	/* Store the length of input data (in bits) in big endian format: */
-	BE_64_TO_8(&context->buffer[SHA512_SHORT_BLOCK_LENGTH],
-	    context->bitcount[1]);
-	BE_64_TO_8(&context->buffer[SHA512_SHORT_BLOCK_LENGTH + 8],
-	    context->bitcount[0]);
-
-	/* Final transform: */
-	SHA512_Transform(context->state, context->buffer);
-
-	/* Clean up: */
-	usedspace = 0;
-}
-
-void
-SHA512_Final(u_int8_t digest[SHA512_DIGEST_LENGTH], SHA512_CTX *context)
-{
-	SHA512_Pad(context);
-
-	/* If no digest buffer is passed, we don't bother doing this: */
-	if (digest != NULL) {
-#if BYTE_ORDER == LITTLE_ENDIAN
-		int	i;
-
-		/* Convert TO host byte order */
-		for (i = 0; i < 8; i++)
-			BE_64_TO_8(digest + i * 8, context->state[i]);
-#else
-		memcpy(digest, context->state, SHA512_DIGEST_LENGTH);
-#endif
-		memset(context, 0, sizeof(*context));
-	}
-}
-
-
-#if 0
-/*** SHA-384: *********************************************************/
-void
-SHA384_Init(SHA384_CTX *context)
-{
-	if (context == NULL)
-		return;
-	memcpy(context->state, sha384_initial_hash_value,
-	    sizeof(sha384_initial_hash_value));
-	memset(context->buffer, 0, sizeof(context->buffer));
-	context->bitcount[0] = context->bitcount[1] = 0;
-}
-
-__weak_alias(SHA384_Transform, SHA512_Transform);
-__weak_alias(SHA384_Update, SHA512_Update);
-__weak_alias(SHA384_Pad, SHA512_Pad);
-
-void
-SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context)
-{
-	SHA384_Pad(context);
-
-	/* If no digest buffer is passed, we don't bother doing this: */
-	if (digest != NULL) {
-#if BYTE_ORDER == LITTLE_ENDIAN
-		int	i;
-
-		/* Convert TO host byte order */
-		for (i = 0; i < 6; i++)
-			BE_64_TO_8(digest + i * 8, context->state[i]);
-#else
-		memcpy(digest, context->state, SHA384_DIGEST_LENGTH);
-#endif
-	}
-
-	/* Zero out state data */
-	memset(context, 0, sizeof(*context));
-}
-#endif
-
-#endif /* !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
-    (OPENSSL_VERSION_NUMBER >= 0x00907000L) */
diff --git a/crypto/openssh/openbsd-compat/sha2.h b/crypto/openssh/openbsd-compat/sha2.h
deleted file mode 100755
index 821f2dd..0000000
--- a/crypto/openssh/openbsd-compat/sha2.h
+++ /dev/null
@@ -1,133 +0,0 @@
-/*	$OpenBSD: sha2.h,v 1.6 2004/06/22 01:57:30 jfb Exp $	*/
-
-/*
- * FILE:	sha2.h
- * AUTHOR:	Aaron D. Gifford <me@aarongifford.com>
- * 
- * Copyright (c) 2000-2001, Aaron D. Gifford
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the copyright holder nor the names of contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- * 
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * $From: sha2.h,v 1.1 2001/11/08 00:02:01 adg Exp adg $
- */
-
-/* OPENBSD ORIGINAL: include/sha2.h */
-
-#ifndef _SSHSHA2_H
-#define _SSHSHA2_H
-
-#include "includes.h"
-
-#include <openssl/opensslv.h>
-
-#if !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
-    (OPENSSL_VERSION_NUMBER >= 0x00907000L)
-
-/*** SHA-256/384/512 Various Length Definitions ***********************/
-#define SHA256_BLOCK_LENGTH		64
-#define SHA256_DIGEST_LENGTH		32
-#define SHA256_DIGEST_STRING_LENGTH	(SHA256_DIGEST_LENGTH * 2 + 1)
-#define SHA384_BLOCK_LENGTH		128
-#define SHA384_DIGEST_LENGTH		48
-#define SHA384_DIGEST_STRING_LENGTH	(SHA384_DIGEST_LENGTH * 2 + 1)
-#define SHA512_BLOCK_LENGTH		128
-#define SHA512_DIGEST_LENGTH		64
-#define SHA512_DIGEST_STRING_LENGTH	(SHA512_DIGEST_LENGTH * 2 + 1)
-
-
-/*** SHA-256/384/512 Context Structures *******************************/
-typedef struct _SHA256_CTX {
-	u_int32_t	state[8];
-	u_int64_t	bitcount;
-	u_int8_t	buffer[SHA256_BLOCK_LENGTH];
-} SHA256_CTX;
-typedef struct _SHA512_CTX {
-	u_int64_t	state[8];
-	u_int64_t	bitcount[2];
-	u_int8_t	buffer[SHA512_BLOCK_LENGTH];
-} SHA512_CTX;
-
-#if 0
-typedef SHA512_CTX SHA384_CTX;
-#endif
-
-void SHA256_Init(SHA256_CTX *);
-void SHA256_Transform(u_int32_t state[8], const u_int8_t [SHA256_BLOCK_LENGTH]);
-void SHA256_Update(SHA256_CTX *, const u_int8_t *, size_t)
-	__attribute__((__bounded__(__string__,2,3)));
-void SHA256_Pad(SHA256_CTX *);
-void SHA256_Final(u_int8_t [SHA256_DIGEST_LENGTH], SHA256_CTX *)
-	__attribute__((__bounded__(__minbytes__,1,SHA256_DIGEST_LENGTH)));
-char *SHA256_End(SHA256_CTX *, char *)
-	__attribute__((__bounded__(__minbytes__,2,SHA256_DIGEST_STRING_LENGTH)));
-char *SHA256_File(const char *, char *)
-	__attribute__((__bounded__(__minbytes__,2,SHA256_DIGEST_STRING_LENGTH)));
-char *SHA256_FileChunk(const char *, char *, off_t, off_t)
-	__attribute__((__bounded__(__minbytes__,2,SHA256_DIGEST_STRING_LENGTH)));
-char *SHA256_Data(const u_int8_t *, size_t, char *)
-	__attribute__((__bounded__(__string__,1,2)))
-	__attribute__((__bounded__(__minbytes__,3,SHA256_DIGEST_STRING_LENGTH)));
-
-#if 0
-void SHA384_Init(SHA384_CTX *);
-void SHA384_Transform(u_int64_t state[8], const u_int8_t [SHA384_BLOCK_LENGTH]);
-void SHA384_Update(SHA384_CTX *, const u_int8_t *, size_t)
-	__attribute__((__bounded__(__string__,2,3)));
-void SHA384_Pad(SHA384_CTX *);
-void SHA384_Final(u_int8_t [SHA384_DIGEST_LENGTH], SHA384_CTX *)
-	__attribute__((__bounded__(__minbytes__,1,SHA384_DIGEST_LENGTH)));
-char *SHA384_End(SHA384_CTX *, char *)
-	__attribute__((__bounded__(__minbytes__,2,SHA384_DIGEST_STRING_LENGTH)));
-char *SHA384_File(const char *, char *)
-	__attribute__((__bounded__(__minbytes__,2,SHA384_DIGEST_STRING_LENGTH)));
-char *SHA384_FileChunk(const char *, char *, off_t, off_t)
-	__attribute__((__bounded__(__minbytes__,2,SHA384_DIGEST_STRING_LENGTH)));
-char *SHA384_Data(const u_int8_t *, size_t, char *)
-	__attribute__((__bounded__(__string__,1,2)))
-	__attribute__((__bounded__(__minbytes__,3,SHA384_DIGEST_STRING_LENGTH)));
-#endif /* 0 */
-
-void SHA512_Init(SHA512_CTX *);
-void SHA512_Transform(u_int64_t state[8], const u_int8_t [SHA512_BLOCK_LENGTH]);
-void SHA512_Update(SHA512_CTX *, const u_int8_t *, size_t)
-	__attribute__((__bounded__(__string__,2,3)));
-void SHA512_Pad(SHA512_CTX *);
-void SHA512_Final(u_int8_t [SHA512_DIGEST_LENGTH], SHA512_CTX *)
-	__attribute__((__bounded__(__minbytes__,1,SHA512_DIGEST_LENGTH)));
-char *SHA512_End(SHA512_CTX *, char *)
-	__attribute__((__bounded__(__minbytes__,2,SHA512_DIGEST_STRING_LENGTH)));
-char *SHA512_File(const char *, char *)
-	__attribute__((__bounded__(__minbytes__,2,SHA512_DIGEST_STRING_LENGTH)));
-char *SHA512_FileChunk(const char *, char *, off_t, off_t)
-	__attribute__((__bounded__(__minbytes__,2,SHA512_DIGEST_STRING_LENGTH)));
-char *SHA512_Data(const u_int8_t *, size_t, char *)
-	__attribute__((__bounded__(__string__,1,2)))
-	__attribute__((__bounded__(__minbytes__,3,SHA512_DIGEST_STRING_LENGTH)));
-
-#endif /* !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
-    (OPENSSL_VERSION_NUMBER >= 0x00907000L) */
-
-#endif /* _SSHSHA2_H */
diff --git a/crypto/openssh/openbsd-compat/sigact.c b/crypto/openssh/openbsd-compat/sigact.c
deleted file mode 100644
index 8b8e4dd..0000000
--- a/crypto/openssh/openbsd-compat/sigact.c
+++ /dev/null
@@ -1,104 +0,0 @@
-/*	$OpenBSD: sigaction.c,v 1.4 2001/01/22 18:01:48 millert Exp $	*/
-
-/****************************************************************************
- * Copyright (c) 1998,2000 Free Software Foundation, Inc.                   *
- *                                                                          *
- * Permission is hereby granted, free of charge, to any person obtaining a  *
- * copy of this software and associated documentation files (the            *
- * "Software"), to deal in the Software without restriction, including      *
- * without limitation the rights to use, copy, modify, merge, publish,      *
- * distribute, distribute with modifications, sublicense, and/or sell       *
- * copies of the Software, and to permit persons to whom the Software is    *
- * furnished to do so, subject to the following conditions:                 *
- *                                                                          *
- * The above copyright notice and this permission notice shall be included  *
- * in all copies or substantial portions of the Software.                   *
- *                                                                          *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS  *
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF               *
- * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.   *
- * IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,   *
- * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR    *
- * OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR    *
- * THE USE OR OTHER DEALINGS IN THE SOFTWARE.                               *
- *                                                                          *
- * Except as contained in this notice, the name(s) of the above copyright   *
- * holders shall not be used in advertising or otherwise to promote the     *
- * sale, use or other dealings in this Software without prior written       *
- * authorization.                                                           *
- ****************************************************************************/
-
-/****************************************************************************
- *  Author: Zeyd M. Ben-Halim <zmbenhal@netcom.com> 1992,1995               *
- *     and: Eric S. Raymond <esr@snark.thyrsus.com>                         *
- ****************************************************************************/
-
-/* OPENBSD ORIGINAL: lib/libcurses/base/sigaction.c */
-
-#include "includes.h"
-#include <signal.h>
-#include "sigact.h"
-
-/* This file provides sigaction() emulation using sigvec() */
-/* Use only if this is non POSIX system */
-
-#if !HAVE_SIGACTION && HAVE_SIGVEC
-
-int
-sigaction(int sig, struct sigaction *sigact, struct sigaction *osigact)
-{
-	return sigvec(sig, &(sigact->sv), &(osigact->sv));
-}
-
-int
-sigemptyset (sigset_t * mask)
-{
-	*mask = 0;
-	return 0;
-}
-
-int
-sigprocmask (int mode, sigset_t * mask, sigset_t * omask)
-{
-	sigset_t current = sigsetmask(0);
-
-	if (omask) *omask = current;
-
-	if (mode==SIG_BLOCK)
-		current |= *mask;
-	else if (mode==SIG_UNBLOCK)
-		current &= ~*mask;
-	else if (mode==SIG_SETMASK)
-	current = *mask;
-
-	sigsetmask(current);
-	return 0;
-}
-
-int
-sigsuspend (sigset_t * mask)
-{
-	return sigpause(*mask);
-}
-
-int
-sigdelset (sigset_t * mask, int sig)
-{
-	*mask &= ~sigmask(sig);
-	return 0;
-}
-
-int
-sigaddset (sigset_t * mask, int sig)
-{
-	*mask |= sigmask(sig);
-	return 0;
-}
-
-int
-sigismember (sigset_t * mask, int sig)
-{
-	return (*mask & sigmask(sig)) != 0;
-}
-
-#endif
diff --git a/crypto/openssh/openbsd-compat/sigact.h b/crypto/openssh/openbsd-compat/sigact.h
deleted file mode 100644
index db96d0a..0000000
--- a/crypto/openssh/openbsd-compat/sigact.h
+++ /dev/null
@@ -1,90 +0,0 @@
-/*	$OpenBSD: SigAction.h,v 1.3 2001/01/22 18:01:32 millert Exp $	*/
-
-/****************************************************************************
- * Copyright (c) 1998,2000 Free Software Foundation, Inc.                   *
- *                                                                          *
- * Permission is hereby granted, free of charge, to any person obtaining a  *
- * copy of this software and associated documentation files (the            *
- * "Software"), to deal in the Software without restriction, including      *
- * without limitation the rights to use, copy, modify, merge, publish,      *
- * distribute, distribute with modifications, sublicense, and/or sell       *
- * copies of the Software, and to permit persons to whom the Software is    *
- * furnished to do so, subject to the following conditions:                 *
- *                                                                          *
- * The above copyright notice and this permission notice shall be included  *
- * in all copies or substantial portions of the Software.                   *
- *                                                                          *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS  *
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF               *
- * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.   *
- * IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,   *
- * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR    *
- * OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR    *
- * THE USE OR OTHER DEALINGS IN THE SOFTWARE.                               *
- *                                                                          *
- * Except as contained in this notice, the name(s) of the above copyright   *
- * holders shall not be used in advertising or otherwise to promote the     *
- * sale, use or other dealings in this Software without prior written       *
- * authorization.                                                           *
- ****************************************************************************/
-
-/****************************************************************************
- *  Author: Zeyd M. Ben-Halim <zmbenhal@netcom.com> 1992,1995               *
- *     and: Eric S. Raymond <esr@snark.thyrsus.com>                         *
- ****************************************************************************/
-
-/*
- * $From: SigAction.h,v 1.6 2000/12/10 02:36:10 tom Exp $
- *
- * This file exists to handle non-POSIX systems which don't have <unistd.h>,
- * and usually no sigaction() nor <termios.h>
- */
-
-/* OPENBSD ORIGINAL: lib/libcurses/SigAction.h */
-
-#ifndef _SIGACTION_H
-#define _SIGACTION_H
-
-#if !defined(HAVE_SIGACTION) && defined(HAVE_SIGVEC)
-
-#undef  SIG_BLOCK
-#define SIG_BLOCK       00
-
-#undef  SIG_UNBLOCK
-#define SIG_UNBLOCK     01
-
-#undef  SIG_SETMASK
-#define SIG_SETMASK     02
-
-/*
- * <bsd/signal.h> is in the Linux 1.2.8 + gcc 2.7.0 configuration,
- * and is useful for testing this header file.
- */
-#if HAVE_BSD_SIGNAL_H
-# include <bsd/signal.h>
-#endif
-
-struct sigaction
-{
-	struct sigvec sv;
-};
-
-typedef unsigned long sigset_t;
-
-#undef  sa_mask
-#define sa_mask sv.sv_mask
-#undef  sa_handler
-#define sa_handler sv.sv_handler
-#undef  sa_flags
-#define sa_flags sv.sv_flags
-
-int sigaction(int sig, struct sigaction *sigact, struct sigaction *osigact);
-int sigprocmask (int how, sigset_t *mask, sigset_t *omask);
-int sigemptyset (sigset_t *mask);
-int sigsuspend (sigset_t *mask);
-int sigdelset (sigset_t *mask, int sig);
-int sigaddset (sigset_t *mask, int sig);
-
-#endif /* !defined(HAVE_SIGACTION) && defined(HAVE_SIGVEC) */
-
-#endif /* !defined(_SIGACTION_H) */
diff --git a/crypto/openssh/openbsd-compat/strlcat.c b/crypto/openssh/openbsd-compat/strlcat.c
deleted file mode 100644
index bcc1b61..0000000
--- a/crypto/openssh/openbsd-compat/strlcat.c
+++ /dev/null
@@ -1,62 +0,0 @@
-/*	$OpenBSD: strlcat.c,v 1.13 2005/08/08 08:05:37 espie Exp $	*/
-
-/*
- * Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* OPENBSD ORIGINAL: lib/libc/string/strlcat.c */
-
-#include "includes.h"
-#ifndef HAVE_STRLCAT
-
-#include <sys/types.h>
-#include <string.h>
-
-/*
- * Appends src to string dst of size siz (unlike strncat, siz is the
- * full size of dst, not space left).  At most siz-1 characters
- * will be copied.  Always NUL terminates (unless siz <= strlen(dst)).
- * Returns strlen(src) + MIN(siz, strlen(initial dst)).
- * If retval >= siz, truncation occurred.
- */
-size_t
-strlcat(char *dst, const char *src, size_t siz)
-{
-	char *d = dst;
-	const char *s = src;
-	size_t n = siz;
-	size_t dlen;
-
-	/* Find the end of dst and adjust bytes left but don't go past end */
-	while (n-- != 0 && *d != '\0')
-		d++;
-	dlen = d - dst;
-	n = siz - dlen;
-
-	if (n == 0)
-		return(dlen + strlen(s));
-	while (*s != '\0') {
-		if (n != 1) {
-			*d++ = *s;
-			n--;
-		}
-		s++;
-	}
-	*d = '\0';
-
-	return(dlen + (s - src));	/* count does not include NUL */
-}
-
-#endif /* !HAVE_STRLCAT */
diff --git a/crypto/openssh/openbsd-compat/strlcpy.c b/crypto/openssh/openbsd-compat/strlcpy.c
deleted file mode 100644
index 679a5b2..0000000
--- a/crypto/openssh/openbsd-compat/strlcpy.c
+++ /dev/null
@@ -1,58 +0,0 @@
-/*	$OpenBSD: strlcpy.c,v 1.10 2005/08/08 08:05:37 espie Exp $	*/
-
-/*
- * Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* OPENBSD ORIGINAL: lib/libc/string/strlcpy.c */
-
-#include "includes.h"
-#ifndef HAVE_STRLCPY
-
-#include <sys/types.h>
-#include <string.h>
-
-/*
- * Copy src to string dst of size siz.  At most siz-1 characters
- * will be copied.  Always NUL terminates (unless siz == 0).
- * Returns strlen(src); if retval >= siz, truncation occurred.
- */
-size_t
-strlcpy(char *dst, const char *src, size_t siz)
-{
-	char *d = dst;
-	const char *s = src;
-	size_t n = siz;
-
-	/* Copy as many bytes as will fit */
-	if (n != 0 && --n != 0) {
-		do {
-			if ((*d++ = *s++) == 0)
-				break;
-		} while (--n != 0);
-	}
-
-	/* Not enough room in dst, add NUL and traverse rest of src */
-	if (n == 0) {
-		if (siz != 0)
-			*d = '\0';		/* NUL-terminate dst */
-		while (*s++)
-			;
-	}
-
-	return(s - src - 1);	/* count does not include NUL */
-}
-
-#endif /* !HAVE_STRLCPY */
diff --git a/crypto/openssh/openbsd-compat/strmode.c b/crypto/openssh/openbsd-compat/strmode.c
deleted file mode 100644
index 4a81614..0000000
--- a/crypto/openssh/openbsd-compat/strmode.c
+++ /dev/null
@@ -1,148 +0,0 @@
-/*	$OpenBSD: strmode.c,v 1.7 2005/08/08 08:05:37 espie Exp $ */
-/*-
- * Copyright (c) 1990 The Regents of the University of California.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* OPENBSD ORIGINAL: lib/libc/string/strmode.c */
-
-#include "includes.h"
-#ifndef HAVE_STRMODE
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <string.h>
-
-/* XXX mode should be mode_t */
-
-void
-strmode(int mode, char *p)
-{
-	 /* print type */
-	switch (mode & S_IFMT) {
-	case S_IFDIR:			/* directory */
-		*p++ = 'd';
-		break;
-	case S_IFCHR:			/* character special */
-		*p++ = 'c';
-		break;
-	case S_IFBLK:			/* block special */
-		*p++ = 'b';
-		break;
-	case S_IFREG:			/* regular */
-		*p++ = '-';
-		break;
-	case S_IFLNK:			/* symbolic link */
-		*p++ = 'l';
-		break;
-#ifdef S_IFSOCK
-	case S_IFSOCK:			/* socket */
-		*p++ = 's';
-		break;
-#endif
-#ifdef S_IFIFO
-	case S_IFIFO:			/* fifo */
-		*p++ = 'p';
-		break;
-#endif
-	default:			/* unknown */
-		*p++ = '?';
-		break;
-	}
-	/* usr */
-	if (mode & S_IRUSR)
-		*p++ = 'r';
-	else
-		*p++ = '-';
-	if (mode & S_IWUSR)
-		*p++ = 'w';
-	else
-		*p++ = '-';
-	switch (mode & (S_IXUSR | S_ISUID)) {
-	case 0:
-		*p++ = '-';
-		break;
-	case S_IXUSR:
-		*p++ = 'x';
-		break;
-	case S_ISUID:
-		*p++ = 'S';
-		break;
-	case S_IXUSR | S_ISUID:
-		*p++ = 's';
-		break;
-	}
-	/* group */
-	if (mode & S_IRGRP)
-		*p++ = 'r';
-	else
-		*p++ = '-';
-	if (mode & S_IWGRP)
-		*p++ = 'w';
-	else
-		*p++ = '-';
-	switch (mode & (S_IXGRP | S_ISGID)) {
-	case 0:
-		*p++ = '-';
-		break;
-	case S_IXGRP:
-		*p++ = 'x';
-		break;
-	case S_ISGID:
-		*p++ = 'S';
-		break;
-	case S_IXGRP | S_ISGID:
-		*p++ = 's';
-		break;
-	}
-	/* other */
-	if (mode & S_IROTH)
-		*p++ = 'r';
-	else
-		*p++ = '-';
-	if (mode & S_IWOTH)
-		*p++ = 'w';
-	else
-		*p++ = '-';
-	switch (mode & (S_IXOTH | S_ISVTX)) {
-	case 0:
-		*p++ = '-';
-		break;
-	case S_IXOTH:
-		*p++ = 'x';
-		break;
-	case S_ISVTX:
-		*p++ = 'T';
-		break;
-	case S_IXOTH | S_ISVTX:
-		*p++ = 't';
-		break;
-	}
-	*p++ = ' ';		/* will be a '+' if ACL's implemented */
-	*p = '\0';
-}
-#endif
diff --git a/crypto/openssh/openbsd-compat/strsep.c b/crypto/openssh/openbsd-compat/strsep.c
deleted file mode 100644
index b36eb8f..0000000
--- a/crypto/openssh/openbsd-compat/strsep.c
+++ /dev/null
@@ -1,79 +0,0 @@
-/*	$OpenBSD: strsep.c,v 1.6 2005/08/08 08:05:37 espie Exp $	*/
-
-/*-
- * Copyright (c) 1990, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* OPENBSD ORIGINAL: lib/libc/string/strsep.c */
-
-#include "includes.h"
-
-#if !defined(HAVE_STRSEP)
-
-#include <string.h>
-#include <stdio.h>
-
-/*
- * Get next token from string *stringp, where tokens are possibly-empty
- * strings separated by characters from delim.  
- *
- * Writes NULs into the string at *stringp to end tokens.
- * delim need not remain constant from call to call.
- * On return, *stringp points past the last NUL written (if there might
- * be further tokens), or is NULL (if there are definitely no more tokens).
- *
- * If *stringp is NULL, strsep returns NULL.
- */
-char *
-strsep(char **stringp, const char *delim)
-{
-	char *s;
-	const char *spanp;
-	int c, sc;
-	char *tok;
-
-	if ((s = *stringp) == NULL)
-		return (NULL);
-	for (tok = s;;) {
-		c = *s++;
-		spanp = delim;
-		do {
-			if ((sc = *spanp++) == c) {
-				if (c == 0)
-					s = NULL;
-				else
-					s[-1] = 0;
-				*stringp = s;
-				return (tok);
-			}
-		} while (sc != 0);
-	}
-	/* NOTREACHED */
-}
-
-#endif /* !defined(HAVE_STRSEP) */
diff --git a/crypto/openssh/openbsd-compat/strtoll.c b/crypto/openssh/openbsd-compat/strtoll.c
deleted file mode 100644
index f629303..0000000
--- a/crypto/openssh/openbsd-compat/strtoll.c
+++ /dev/null
@@ -1,148 +0,0 @@
-/* $OpenBSD: strtoll.c,v 1.6 2005/11/10 10:00:17 espie Exp $ */
-/*-
- * Copyright (c) 1992 The Regents of the University of California.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* OPENBSD ORIGINAL: lib/libc/stdlib/strtoll.c */
-
-#include "includes.h"
-#ifndef HAVE_STRTOLL
-
-#include <sys/types.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <limits.h>
-#include <stdlib.h>
-
-/*
- * Convert a string to a long long.
- *
- * Ignores `locale' stuff.  Assumes that the upper and lower case
- * alphabets and digits are each contiguous.
- */
-long long
-strtoll(const char *nptr, char **endptr, int base)
-{
-	const char *s;
-	long long acc, cutoff;
-	int c;
-	int neg, any, cutlim;
-
-	/*
-	 * Skip white space and pick up leading +/- sign if any.
-	 * If base is 0, allow 0x for hex and 0 for octal, else
-	 * assume decimal; if base is already 16, allow 0x.
-	 */
-	s = nptr;
-	do {
-		c = (unsigned char) *s++;
-	} while (isspace(c));
-	if (c == '-') {
-		neg = 1;
-		c = *s++;
-	} else {
-		neg = 0;
-		if (c == '+')
-			c = *s++;
-	}
-	if ((base == 0 || base == 16) &&
-	    c == '0' && (*s == 'x' || *s == 'X')) {
-		c = s[1];
-		s += 2;
-		base = 16;
-	}
-	if (base == 0)
-		base = c == '0' ? 8 : 10;
-
-	/*
-	 * Compute the cutoff value between legal numbers and illegal
-	 * numbers.  That is the largest legal value, divided by the
-	 * base.  An input number that is greater than this value, if
-	 * followed by a legal input character, is too big.  One that
-	 * is equal to this value may be valid or not; the limit
-	 * between valid and invalid numbers is then based on the last
-	 * digit.  For instance, if the range for long longs is
-	 * [-9223372036854775808..9223372036854775807] and the input base
-	 * is 10, cutoff will be set to 922337203685477580 and cutlim to
-	 * either 7 (neg==0) or 8 (neg==1), meaning that if we have
-	 * accumulated a value > 922337203685477580, or equal but the
-	 * next digit is > 7 (or 8), the number is too big, and we will
-	 * return a range error.
-	 *
-	 * Set any if any `digits' consumed; make it negative to indicate
-	 * overflow.
-	 */
-	cutoff = neg ? LLONG_MIN : LLONG_MAX;
-	cutlim = cutoff % base;
-	cutoff /= base;
-	if (neg) {
-		if (cutlim > 0) {
-			cutlim -= base;
-			cutoff += 1;
-		}
-		cutlim = -cutlim;
-	}
-	for (acc = 0, any = 0;; c = (unsigned char) *s++) {
-		if (isdigit(c))
-			c -= '0';
-		else if (isalpha(c))
-			c -= isupper(c) ? 'A' - 10 : 'a' - 10;
-		else
-			break;
-		if (c >= base)
-			break;
-		if (any < 0)
-			continue;
-		if (neg) {
-			if (acc < cutoff || (acc == cutoff && c > cutlim)) {
-				any = -1;
-				acc = LLONG_MIN;
-				errno = ERANGE;
-			} else {
-				any = 1;
-				acc *= base;
-				acc -= c;
-			}
-		} else {
-			if (acc > cutoff || (acc == cutoff && c > cutlim)) {
-				any = -1;
-				acc = LLONG_MAX;
-				errno = ERANGE;
-			} else {
-				any = 1;
-				acc *= base;
-				acc += c;
-			}
-		}
-	}
-	if (endptr != 0)
-		*endptr = (char *) (any ? s - 1 : nptr);
-	return (acc);
-}
-#endif /* HAVE_STRTOLL */
diff --git a/crypto/openssh/openbsd-compat/strtonum.c b/crypto/openssh/openbsd-compat/strtonum.c
deleted file mode 100644
index 87f2f24..0000000
--- a/crypto/openssh/openbsd-compat/strtonum.c
+++ /dev/null
@@ -1,72 +0,0 @@
-/*	$OpenBSD: strtonum.c,v 1.6 2004/08/03 19:38:01 millert Exp $	*/
-
-/*
- * Copyright (c) 2004 Ted Unangst and Todd Miller
- * All rights reserved.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* OPENBSD ORIGINAL: lib/libc/stdlib/strtonum.c */
-
-#include "includes.h"
-
-#ifndef HAVE_STRTONUM
-#include <stdlib.h>
-#include <limits.h>
-#include <errno.h>
-
-#define INVALID 	1
-#define TOOSMALL 	2
-#define TOOLARGE 	3
-
-long long
-strtonum(const char *numstr, long long minval, long long maxval,
-    const char **errstrp)
-{
-	long long ll = 0;
-	char *ep;
-	int error = 0;
-	struct errval {
-		const char *errstr;
-		int err;
-	} ev[4] = {
-		{ NULL,		0 },
-		{ "invalid",	EINVAL },
-		{ "too small",	ERANGE },
-		{ "too large",	ERANGE },
-	};
-
-	ev[0].err = errno;
-	errno = 0;
-	if (minval > maxval)
-		error = INVALID;
-	else {
-		ll = strtoll(numstr, &ep, 10);
-		if (numstr == ep || *ep != '\0')
-			error = INVALID;
-		else if ((ll == LLONG_MIN && errno == ERANGE) || ll < minval)
-			error = TOOSMALL;
-		else if ((ll == LLONG_MAX && errno == ERANGE) || ll > maxval)
-			error = TOOLARGE;
-	}
-	if (errstrp != NULL)
-		*errstrp = ev[error].errstr;
-	errno = ev[error].err;
-	if (error)
-		ll = 0;
-
-	return (ll);
-}
-
-#endif /* HAVE_STRTONUM */
diff --git a/crypto/openssh/openbsd-compat/strtoul.c b/crypto/openssh/openbsd-compat/strtoul.c
deleted file mode 100644
index 8219c83..0000000
--- a/crypto/openssh/openbsd-compat/strtoul.c
+++ /dev/null
@@ -1,108 +0,0 @@
-/*	$OpenBSD: strtoul.c,v 1.7 2005/08/08 08:05:37 espie Exp $ */
-/*
- * Copyright (c) 1990 Regents of the University of California.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* OPENBSD ORIGINAL: lib/libc/stdlib/strtoul.c */
-
-#include "includes.h"
-#ifndef HAVE_STRTOUL
-
-#include <ctype.h>
-#include <errno.h>
-#include <limits.h>
-#include <stdlib.h>
-
-/*
- * Convert a string to an unsigned long integer.
- *
- * Ignores `locale' stuff.  Assumes that the upper and lower case
- * alphabets and digits are each contiguous.
- */
-unsigned long
-strtoul(const char *nptr, char **endptr, int base)
-{
-	const char *s;
-	unsigned long acc, cutoff;
-	int c;
-	int neg, any, cutlim;
-
-	/*
-	 * See strtol for comments as to the logic used.
-	 */
-	s = nptr;
-	do {
-		c = (unsigned char) *s++;
-	} while (isspace(c));
-	if (c == '-') {
-		neg = 1;
-		c = *s++;
-	} else {
-		neg = 0;
-		if (c == '+')
-			c = *s++;
-	}
-	if ((base == 0 || base == 16) &&
-	    c == '0' && (*s == 'x' || *s == 'X')) {
-		c = s[1];
-		s += 2;
-		base = 16;
-	}
-	if (base == 0)
-		base = c == '0' ? 8 : 10;
-
-	cutoff = ULONG_MAX / (unsigned long)base;
-	cutlim = ULONG_MAX % (unsigned long)base;
-	for (acc = 0, any = 0;; c = (unsigned char) *s++) {
-		if (isdigit(c))
-			c -= '0';
-		else if (isalpha(c))
-			c -= isupper(c) ? 'A' - 10 : 'a' - 10;
-		else
-			break;
-		if (c >= base)
-			break;
-		if (any < 0)
-			continue;
-		if (acc > cutoff || acc == cutoff && c > cutlim) {
-			any = -1;
-			acc = ULONG_MAX;
-			errno = ERANGE;
-		} else {
-			any = 1;
-			acc *= (unsigned long)base;
-			acc += c;
-		}
-	}
-	if (neg && any > 0)
-		acc = -acc;
-	if (endptr != 0)
-		*endptr = (char *) (any ? s - 1 : nptr);
-	return (acc);
-}
-#endif /* !HAVE_STRTOUL */
diff --git a/crypto/openssh/openbsd-compat/sys-queue.h b/crypto/openssh/openbsd-compat/sys-queue.h
deleted file mode 100644
index 4023433..0000000
--- a/crypto/openssh/openbsd-compat/sys-queue.h
+++ /dev/null
@@ -1,593 +0,0 @@
-/*	$OpenBSD: queue.h,v 1.25 2004/04/08 16:08:21 henning Exp $	*/
-/*	$NetBSD: queue.h,v 1.11 1996/05/16 05:17:14 mycroft Exp $	*/
-
-/*
- * Copyright (c) 1991, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- *	@(#)queue.h	8.5 (Berkeley) 8/20/94
- */
-
-/* OPENBSD ORIGINAL: sys/sys/queue.h */
-
-#ifndef	_FAKE_QUEUE_H_
-#define	_FAKE_QUEUE_H_
-
-/*
- * Require for OS/X and other platforms that have old/broken/incomplete
- * <sys/queue.h>.
- */
-#undef SLIST_HEAD
-#undef SLIST_HEAD_INITIALIZER
-#undef SLIST_ENTRY
-#undef SLIST_FOREACH_PREVPTR
-#undef SLIST_FIRST
-#undef SLIST_END
-#undef SLIST_EMPTY
-#undef SLIST_NEXT
-#undef SLIST_FOREACH
-#undef SLIST_INIT
-#undef SLIST_INSERT_AFTER
-#undef SLIST_INSERT_HEAD
-#undef SLIST_REMOVE_HEAD
-#undef SLIST_REMOVE
-#undef SLIST_REMOVE_NEXT
-#undef LIST_HEAD
-#undef LIST_HEAD_INITIALIZER
-#undef LIST_ENTRY
-#undef LIST_FIRST
-#undef LIST_END
-#undef LIST_EMPTY
-#undef LIST_NEXT
-#undef LIST_FOREACH
-#undef LIST_INIT
-#undef LIST_INSERT_AFTER
-#undef LIST_INSERT_BEFORE
-#undef LIST_INSERT_HEAD
-#undef LIST_REMOVE
-#undef LIST_REPLACE
-#undef SIMPLEQ_HEAD
-#undef SIMPLEQ_HEAD_INITIALIZER
-#undef SIMPLEQ_ENTRY
-#undef SIMPLEQ_FIRST
-#undef SIMPLEQ_END
-#undef SIMPLEQ_EMPTY
-#undef SIMPLEQ_NEXT
-#undef SIMPLEQ_FOREACH
-#undef SIMPLEQ_INIT
-#undef SIMPLEQ_INSERT_HEAD
-#undef SIMPLEQ_INSERT_TAIL
-#undef SIMPLEQ_INSERT_AFTER
-#undef SIMPLEQ_REMOVE_HEAD
-#undef TAILQ_HEAD
-#undef TAILQ_HEAD_INITIALIZER
-#undef TAILQ_ENTRY
-#undef TAILQ_FIRST
-#undef TAILQ_END
-#undef TAILQ_NEXT
-#undef TAILQ_LAST
-#undef TAILQ_PREV
-#undef TAILQ_EMPTY
-#undef TAILQ_FOREACH
-#undef TAILQ_FOREACH_REVERSE
-#undef TAILQ_INIT
-#undef TAILQ_INSERT_HEAD
-#undef TAILQ_INSERT_TAIL
-#undef TAILQ_INSERT_AFTER
-#undef TAILQ_INSERT_BEFORE
-#undef TAILQ_REMOVE
-#undef TAILQ_REPLACE
-#undef CIRCLEQ_HEAD
-#undef CIRCLEQ_HEAD_INITIALIZER
-#undef CIRCLEQ_ENTRY
-#undef CIRCLEQ_FIRST
-#undef CIRCLEQ_LAST
-#undef CIRCLEQ_END
-#undef CIRCLEQ_NEXT
-#undef CIRCLEQ_PREV
-#undef CIRCLEQ_EMPTY
-#undef CIRCLEQ_FOREACH
-#undef CIRCLEQ_FOREACH_REVERSE
-#undef CIRCLEQ_INIT
-#undef CIRCLEQ_INSERT_AFTER
-#undef CIRCLEQ_INSERT_BEFORE
-#undef CIRCLEQ_INSERT_HEAD
-#undef CIRCLEQ_INSERT_TAIL
-#undef CIRCLEQ_REMOVE
-#undef CIRCLEQ_REPLACE
-
-/*
- * This file defines five types of data structures: singly-linked lists, 
- * lists, simple queues, tail queues, and circular queues.
- *
- *
- * A singly-linked list is headed by a single forward pointer. The elements
- * are singly linked for minimum space and pointer manipulation overhead at
- * the expense of O(n) removal for arbitrary elements. New elements can be
- * added to the list after an existing element or at the head of the list.
- * Elements being removed from the head of the list should use the explicit
- * macro for this purpose for optimum efficiency. A singly-linked list may
- * only be traversed in the forward direction.  Singly-linked lists are ideal
- * for applications with large datasets and few or no removals or for
- * implementing a LIFO queue.
- *
- * A list is headed by a single forward pointer (or an array of forward
- * pointers for a hash table header). The elements are doubly linked
- * so that an arbitrary element can be removed without a need to
- * traverse the list. New elements can be added to the list before
- * or after an existing element or at the head of the list. A list
- * may only be traversed in the forward direction.
- *
- * A simple queue is headed by a pair of pointers, one the head of the
- * list and the other to the tail of the list. The elements are singly
- * linked to save space, so elements can only be removed from the
- * head of the list. New elements can be added to the list before or after
- * an existing element, at the head of the list, or at the end of the
- * list. A simple queue may only be traversed in the forward direction.
- *
- * A tail queue is headed by a pair of pointers, one to the head of the
- * list and the other to the tail of the list. The elements are doubly
- * linked so that an arbitrary element can be removed without a need to
- * traverse the list. New elements can be added to the list before or
- * after an existing element, at the head of the list, or at the end of
- * the list. A tail queue may be traversed in either direction.
- *
- * A circle queue is headed by a pair of pointers, one to the head of the
- * list and the other to the tail of the list. The elements are doubly
- * linked so that an arbitrary element can be removed without a need to
- * traverse the list. New elements can be added to the list before or after
- * an existing element, at the head of the list, or at the end of the list.
- * A circle queue may be traversed in either direction, but has a more
- * complex end of list detection.
- *
- * For details on the use of these macros, see the queue(3) manual page.
- */
-
-/*
- * Singly-linked List definitions.
- */
-#define SLIST_HEAD(name, type)						\
-struct name {								\
-	struct type *slh_first;	/* first element */			\
-}
- 
-#define	SLIST_HEAD_INITIALIZER(head)					\
-	{ NULL }
- 
-#define SLIST_ENTRY(type)						\
-struct {								\
-	struct type *sle_next;	/* next element */			\
-}
- 
-/*
- * Singly-linked List access methods.
- */
-#define	SLIST_FIRST(head)	((head)->slh_first)
-#define	SLIST_END(head)		NULL
-#define	SLIST_EMPTY(head)	(SLIST_FIRST(head) == SLIST_END(head))
-#define	SLIST_NEXT(elm, field)	((elm)->field.sle_next)
-
-#define	SLIST_FOREACH(var, head, field)					\
-	for((var) = SLIST_FIRST(head);					\
-	    (var) != SLIST_END(head);					\
-	    (var) = SLIST_NEXT(var, field))
-
-#define	SLIST_FOREACH_PREVPTR(var, varp, head, field)			\
-	for ((varp) = &SLIST_FIRST((head));				\
-	    ((var) = *(varp)) != SLIST_END(head);			\
-	    (varp) = &SLIST_NEXT((var), field))
-
-/*
- * Singly-linked List functions.
- */
-#define	SLIST_INIT(head) {						\
-	SLIST_FIRST(head) = SLIST_END(head);				\
-}
-
-#define	SLIST_INSERT_AFTER(slistelm, elm, field) do {			\
-	(elm)->field.sle_next = (slistelm)->field.sle_next;		\
-	(slistelm)->field.sle_next = (elm);				\
-} while (0)
-
-#define	SLIST_INSERT_HEAD(head, elm, field) do {			\
-	(elm)->field.sle_next = (head)->slh_first;			\
-	(head)->slh_first = (elm);					\
-} while (0)
-
-#define	SLIST_REMOVE_NEXT(head, elm, field) do {			\
-	(elm)->field.sle_next = (elm)->field.sle_next->field.sle_next;	\
-} while (0)
-
-#define	SLIST_REMOVE_HEAD(head, field) do {				\
-	(head)->slh_first = (head)->slh_first->field.sle_next;		\
-} while (0)
-
-#define SLIST_REMOVE(head, elm, type, field) do {			\
-	if ((head)->slh_first == (elm)) {				\
-		SLIST_REMOVE_HEAD((head), field);			\
-	}								\
-	else {								\
-		struct type *curelm = (head)->slh_first;		\
-		while( curelm->field.sle_next != (elm) )		\
-			curelm = curelm->field.sle_next;		\
-		curelm->field.sle_next =				\
-		    curelm->field.sle_next->field.sle_next;		\
-	}								\
-} while (0)
-
-/*
- * List definitions.
- */
-#define LIST_HEAD(name, type)						\
-struct name {								\
-	struct type *lh_first;	/* first element */			\
-}
-
-#define LIST_HEAD_INITIALIZER(head)					\
-	{ NULL }
-
-#define LIST_ENTRY(type)						\
-struct {								\
-	struct type *le_next;	/* next element */			\
-	struct type **le_prev;	/* address of previous next element */	\
-}
-
-/*
- * List access methods
- */
-#define	LIST_FIRST(head)		((head)->lh_first)
-#define	LIST_END(head)			NULL
-#define	LIST_EMPTY(head)		(LIST_FIRST(head) == LIST_END(head))
-#define	LIST_NEXT(elm, field)		((elm)->field.le_next)
-
-#define LIST_FOREACH(var, head, field)					\
-	for((var) = LIST_FIRST(head);					\
-	    (var)!= LIST_END(head);					\
-	    (var) = LIST_NEXT(var, field))
-
-/*
- * List functions.
- */
-#define	LIST_INIT(head) do {						\
-	LIST_FIRST(head) = LIST_END(head);				\
-} while (0)
-
-#define LIST_INSERT_AFTER(listelm, elm, field) do {			\
-	if (((elm)->field.le_next = (listelm)->field.le_next) != NULL)	\
-		(listelm)->field.le_next->field.le_prev =		\
-		    &(elm)->field.le_next;				\
-	(listelm)->field.le_next = (elm);				\
-	(elm)->field.le_prev = &(listelm)->field.le_next;		\
-} while (0)
-
-#define	LIST_INSERT_BEFORE(listelm, elm, field) do {			\
-	(elm)->field.le_prev = (listelm)->field.le_prev;		\
-	(elm)->field.le_next = (listelm);				\
-	*(listelm)->field.le_prev = (elm);				\
-	(listelm)->field.le_prev = &(elm)->field.le_next;		\
-} while (0)
-
-#define LIST_INSERT_HEAD(head, elm, field) do {				\
-	if (((elm)->field.le_next = (head)->lh_first) != NULL)		\
-		(head)->lh_first->field.le_prev = &(elm)->field.le_next;\
-	(head)->lh_first = (elm);					\
-	(elm)->field.le_prev = &(head)->lh_first;			\
-} while (0)
-
-#define LIST_REMOVE(elm, field) do {					\
-	if ((elm)->field.le_next != NULL)				\
-		(elm)->field.le_next->field.le_prev =			\
-		    (elm)->field.le_prev;				\
-	*(elm)->field.le_prev = (elm)->field.le_next;			\
-} while (0)
-
-#define LIST_REPLACE(elm, elm2, field) do {				\
-	if (((elm2)->field.le_next = (elm)->field.le_next) != NULL)	\
-		(elm2)->field.le_next->field.le_prev =			\
-		    &(elm2)->field.le_next;				\
-	(elm2)->field.le_prev = (elm)->field.le_prev;			\
-	*(elm2)->field.le_prev = (elm2);				\
-} while (0)
-
-/*
- * Simple queue definitions.
- */
-#define SIMPLEQ_HEAD(name, type)					\
-struct name {								\
-	struct type *sqh_first;	/* first element */			\
-	struct type **sqh_last;	/* addr of last next element */		\
-}
-
-#define SIMPLEQ_HEAD_INITIALIZER(head)					\
-	{ NULL, &(head).sqh_first }
-
-#define SIMPLEQ_ENTRY(type)						\
-struct {								\
-	struct type *sqe_next;	/* next element */			\
-}
-
-/*
- * Simple queue access methods.
- */
-#define	SIMPLEQ_FIRST(head)	    ((head)->sqh_first)
-#define	SIMPLEQ_END(head)	    NULL
-#define	SIMPLEQ_EMPTY(head)	    (SIMPLEQ_FIRST(head) == SIMPLEQ_END(head))
-#define	SIMPLEQ_NEXT(elm, field)    ((elm)->field.sqe_next)
-
-#define SIMPLEQ_FOREACH(var, head, field)				\
-	for((var) = SIMPLEQ_FIRST(head);				\
-	    (var) != SIMPLEQ_END(head);					\
-	    (var) = SIMPLEQ_NEXT(var, field))
-
-/*
- * Simple queue functions.
- */
-#define	SIMPLEQ_INIT(head) do {						\
-	(head)->sqh_first = NULL;					\
-	(head)->sqh_last = &(head)->sqh_first;				\
-} while (0)
-
-#define SIMPLEQ_INSERT_HEAD(head, elm, field) do {			\
-	if (((elm)->field.sqe_next = (head)->sqh_first) == NULL)	\
-		(head)->sqh_last = &(elm)->field.sqe_next;		\
-	(head)->sqh_first = (elm);					\
-} while (0)
-
-#define SIMPLEQ_INSERT_TAIL(head, elm, field) do {			\
-	(elm)->field.sqe_next = NULL;					\
-	*(head)->sqh_last = (elm);					\
-	(head)->sqh_last = &(elm)->field.sqe_next;			\
-} while (0)
-
-#define SIMPLEQ_INSERT_AFTER(head, listelm, elm, field) do {		\
-	if (((elm)->field.sqe_next = (listelm)->field.sqe_next) == NULL)\
-		(head)->sqh_last = &(elm)->field.sqe_next;		\
-	(listelm)->field.sqe_next = (elm);				\
-} while (0)
-
-#define SIMPLEQ_REMOVE_HEAD(head, elm, field) do {			\
-	if (((head)->sqh_first = (elm)->field.sqe_next) == NULL)	\
-		(head)->sqh_last = &(head)->sqh_first;			\
-} while (0)
-
-/*
- * Tail queue definitions.
- */
-#define TAILQ_HEAD(name, type)						\
-struct name {								\
-	struct type *tqh_first;	/* first element */			\
-	struct type **tqh_last;	/* addr of last next element */		\
-}
-
-#define TAILQ_HEAD_INITIALIZER(head)					\
-	{ NULL, &(head).tqh_first }
-
-#define TAILQ_ENTRY(type)						\
-struct {								\
-	struct type *tqe_next;	/* next element */			\
-	struct type **tqe_prev;	/* address of previous next element */	\
-}
-
-/* 
- * tail queue access methods 
- */
-#define	TAILQ_FIRST(head)		((head)->tqh_first)
-#define	TAILQ_END(head)			NULL
-#define	TAILQ_NEXT(elm, field)		((elm)->field.tqe_next)
-#define TAILQ_LAST(head, headname)					\
-	(*(((struct headname *)((head)->tqh_last))->tqh_last))
-/* XXX */
-#define TAILQ_PREV(elm, headname, field)				\
-	(*(((struct headname *)((elm)->field.tqe_prev))->tqh_last))
-#define	TAILQ_EMPTY(head)						\
-	(TAILQ_FIRST(head) == TAILQ_END(head))
-
-#define TAILQ_FOREACH(var, head, field)					\
-	for((var) = TAILQ_FIRST(head);					\
-	    (var) != TAILQ_END(head);					\
-	    (var) = TAILQ_NEXT(var, field))
-
-#define TAILQ_FOREACH_REVERSE(var, head, headname, field)		\
-	for((var) = TAILQ_LAST(head, headname);				\
-	    (var) != TAILQ_END(head);					\
-	    (var) = TAILQ_PREV(var, headname, field))
-
-/*
- * Tail queue functions.
- */
-#define	TAILQ_INIT(head) do {						\
-	(head)->tqh_first = NULL;					\
-	(head)->tqh_last = &(head)->tqh_first;				\
-} while (0)
-
-#define TAILQ_INSERT_HEAD(head, elm, field) do {			\
-	if (((elm)->field.tqe_next = (head)->tqh_first) != NULL)	\
-		(head)->tqh_first->field.tqe_prev =			\
-		    &(elm)->field.tqe_next;				\
-	else								\
-		(head)->tqh_last = &(elm)->field.tqe_next;		\
-	(head)->tqh_first = (elm);					\
-	(elm)->field.tqe_prev = &(head)->tqh_first;			\
-} while (0)
-
-#define TAILQ_INSERT_TAIL(head, elm, field) do {			\
-	(elm)->field.tqe_next = NULL;					\
-	(elm)->field.tqe_prev = (head)->tqh_last;			\
-	*(head)->tqh_last = (elm);					\
-	(head)->tqh_last = &(elm)->field.tqe_next;			\
-} while (0)
-
-#define TAILQ_INSERT_AFTER(head, listelm, elm, field) do {		\
-	if (((elm)->field.tqe_next = (listelm)->field.tqe_next) != NULL)\
-		(elm)->field.tqe_next->field.tqe_prev =			\
-		    &(elm)->field.tqe_next;				\
-	else								\
-		(head)->tqh_last = &(elm)->field.tqe_next;		\
-	(listelm)->field.tqe_next = (elm);				\
-	(elm)->field.tqe_prev = &(listelm)->field.tqe_next;		\
-} while (0)
-
-#define	TAILQ_INSERT_BEFORE(listelm, elm, field) do {			\
-	(elm)->field.tqe_prev = (listelm)->field.tqe_prev;		\
-	(elm)->field.tqe_next = (listelm);				\
-	*(listelm)->field.tqe_prev = (elm);				\
-	(listelm)->field.tqe_prev = &(elm)->field.tqe_next;		\
-} while (0)
-
-#define TAILQ_REMOVE(head, elm, field) do {				\
-	if (((elm)->field.tqe_next) != NULL)				\
-		(elm)->field.tqe_next->field.tqe_prev =			\
-		    (elm)->field.tqe_prev;				\
-	else								\
-		(head)->tqh_last = (elm)->field.tqe_prev;		\
-	*(elm)->field.tqe_prev = (elm)->field.tqe_next;			\
-} while (0)
-
-#define TAILQ_REPLACE(head, elm, elm2, field) do {			\
-	if (((elm2)->field.tqe_next = (elm)->field.tqe_next) != NULL)	\
-		(elm2)->field.tqe_next->field.tqe_prev =		\
-		    &(elm2)->field.tqe_next;				\
-	else								\
-		(head)->tqh_last = &(elm2)->field.tqe_next;		\
-	(elm2)->field.tqe_prev = (elm)->field.tqe_prev;			\
-	*(elm2)->field.tqe_prev = (elm2);				\
-} while (0)
-
-/*
- * Circular queue definitions.
- */
-#define CIRCLEQ_HEAD(name, type)					\
-struct name {								\
-	struct type *cqh_first;		/* first element */		\
-	struct type *cqh_last;		/* last element */		\
-}
-
-#define CIRCLEQ_HEAD_INITIALIZER(head)					\
-	{ CIRCLEQ_END(&head), CIRCLEQ_END(&head) }
-
-#define CIRCLEQ_ENTRY(type)						\
-struct {								\
-	struct type *cqe_next;		/* next element */		\
-	struct type *cqe_prev;		/* previous element */		\
-}
-
-/*
- * Circular queue access methods 
- */
-#define	CIRCLEQ_FIRST(head)		((head)->cqh_first)
-#define	CIRCLEQ_LAST(head)		((head)->cqh_last)
-#define	CIRCLEQ_END(head)		((void *)(head))
-#define	CIRCLEQ_NEXT(elm, field)	((elm)->field.cqe_next)
-#define	CIRCLEQ_PREV(elm, field)	((elm)->field.cqe_prev)
-#define	CIRCLEQ_EMPTY(head)						\
-	(CIRCLEQ_FIRST(head) == CIRCLEQ_END(head))
-
-#define CIRCLEQ_FOREACH(var, head, field)				\
-	for((var) = CIRCLEQ_FIRST(head);				\
-	    (var) != CIRCLEQ_END(head);					\
-	    (var) = CIRCLEQ_NEXT(var, field))
-
-#define CIRCLEQ_FOREACH_REVERSE(var, head, field)			\
-	for((var) = CIRCLEQ_LAST(head);					\
-	    (var) != CIRCLEQ_END(head);					\
-	    (var) = CIRCLEQ_PREV(var, field))
-
-/*
- * Circular queue functions.
- */
-#define	CIRCLEQ_INIT(head) do {						\
-	(head)->cqh_first = CIRCLEQ_END(head);				\
-	(head)->cqh_last = CIRCLEQ_END(head);				\
-} while (0)
-
-#define CIRCLEQ_INSERT_AFTER(head, listelm, elm, field) do {		\
-	(elm)->field.cqe_next = (listelm)->field.cqe_next;		\
-	(elm)->field.cqe_prev = (listelm);				\
-	if ((listelm)->field.cqe_next == CIRCLEQ_END(head))		\
-		(head)->cqh_last = (elm);				\
-	else								\
-		(listelm)->field.cqe_next->field.cqe_prev = (elm);	\
-	(listelm)->field.cqe_next = (elm);				\
-} while (0)
-
-#define CIRCLEQ_INSERT_BEFORE(head, listelm, elm, field) do {		\
-	(elm)->field.cqe_next = (listelm);				\
-	(elm)->field.cqe_prev = (listelm)->field.cqe_prev;		\
-	if ((listelm)->field.cqe_prev == CIRCLEQ_END(head))		\
-		(head)->cqh_first = (elm);				\
-	else								\
-		(listelm)->field.cqe_prev->field.cqe_next = (elm);	\
-	(listelm)->field.cqe_prev = (elm);				\
-} while (0)
-
-#define CIRCLEQ_INSERT_HEAD(head, elm, field) do {			\
-	(elm)->field.cqe_next = (head)->cqh_first;			\
-	(elm)->field.cqe_prev = CIRCLEQ_END(head);			\
-	if ((head)->cqh_last == CIRCLEQ_END(head))			\
-		(head)->cqh_last = (elm);				\
-	else								\
-		(head)->cqh_first->field.cqe_prev = (elm);		\
-	(head)->cqh_first = (elm);					\
-} while (0)
-
-#define CIRCLEQ_INSERT_TAIL(head, elm, field) do {			\
-	(elm)->field.cqe_next = CIRCLEQ_END(head);			\
-	(elm)->field.cqe_prev = (head)->cqh_last;			\
-	if ((head)->cqh_first == CIRCLEQ_END(head))			\
-		(head)->cqh_first = (elm);				\
-	else								\
-		(head)->cqh_last->field.cqe_next = (elm);		\
-	(head)->cqh_last = (elm);					\
-} while (0)
-
-#define	CIRCLEQ_REMOVE(head, elm, field) do {				\
-	if ((elm)->field.cqe_next == CIRCLEQ_END(head))			\
-		(head)->cqh_last = (elm)->field.cqe_prev;		\
-	else								\
-		(elm)->field.cqe_next->field.cqe_prev =			\
-		    (elm)->field.cqe_prev;				\
-	if ((elm)->field.cqe_prev == CIRCLEQ_END(head))			\
-		(head)->cqh_first = (elm)->field.cqe_next;		\
-	else								\
-		(elm)->field.cqe_prev->field.cqe_next =			\
-		    (elm)->field.cqe_next;				\
-} while (0)
-
-#define CIRCLEQ_REPLACE(head, elm, elm2, field) do {			\
-	if (((elm2)->field.cqe_next = (elm)->field.cqe_next) ==		\
-	    CIRCLEQ_END(head))						\
-		(head).cqh_last = (elm2);				\
-	else								\
-		(elm2)->field.cqe_next->field.cqe_prev = (elm2);	\
-	if (((elm2)->field.cqe_prev = (elm)->field.cqe_prev) ==		\
-	    CIRCLEQ_END(head))						\
-		(head).cqh_first = (elm2);				\
-	else								\
-		(elm2)->field.cqe_prev->field.cqe_next = (elm2);	\
-} while (0)
-
-#endif	/* !_FAKE_QUEUE_H_ */
diff --git a/crypto/openssh/openbsd-compat/sys-tree.h b/crypto/openssh/openbsd-compat/sys-tree.h
deleted file mode 100644
index c80b90b2..0000000
--- a/crypto/openssh/openbsd-compat/sys-tree.h
+++ /dev/null
@@ -1,679 +0,0 @@
-/*	$OpenBSD: tree.h,v 1.7 2002/10/17 21:51:54 art Exp $	*/
-/*
- * Copyright 2002 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/* OPENBSD ORIGINAL: sys/sys/tree.h */
-
-#ifndef	_SYS_TREE_H_
-#define	_SYS_TREE_H_
-
-/*
- * This file defines data structures for different types of trees:
- * splay trees and red-black trees.
- *
- * A splay tree is a self-organizing data structure.  Every operation
- * on the tree causes a splay to happen.  The splay moves the requested
- * node to the root of the tree and partly rebalances it.
- *
- * This has the benefit that request locality causes faster lookups as
- * the requested nodes move to the top of the tree.  On the other hand,
- * every lookup causes memory writes.
- *
- * The Balance Theorem bounds the total access time for m operations
- * and n inserts on an initially empty tree as O((m + n)lg n).  The
- * amortized cost for a sequence of m accesses to a splay tree is O(lg n);
- *
- * A red-black tree is a binary search tree with the node color as an
- * extra attribute.  It fulfills a set of conditions:
- *	- every search path from the root to a leaf consists of the
- *	  same number of black nodes,
- *	- each red node (except for the root) has a black parent,
- *	- each leaf node is black.
- *
- * Every operation on a red-black tree is bounded as O(lg n).
- * The maximum height of a red-black tree is 2lg (n+1).
- */
-
-#define SPLAY_HEAD(name, type)						\
-struct name {								\
-	struct type *sph_root; /* root of the tree */			\
-}
-
-#define SPLAY_INITIALIZER(root)						\
-	{ NULL }
-
-#define SPLAY_INIT(root) do {						\
-	(root)->sph_root = NULL;					\
-} while (0)
-
-#define SPLAY_ENTRY(type)						\
-struct {								\
-	struct type *spe_left; /* left element */			\
-	struct type *spe_right; /* right element */			\
-}
-
-#define SPLAY_LEFT(elm, field)		(elm)->field.spe_left
-#define SPLAY_RIGHT(elm, field)		(elm)->field.spe_right
-#define SPLAY_ROOT(head)		(head)->sph_root
-#define SPLAY_EMPTY(head)		(SPLAY_ROOT(head) == NULL)
-
-/* SPLAY_ROTATE_{LEFT,RIGHT} expect that tmp hold SPLAY_{RIGHT,LEFT} */
-#define SPLAY_ROTATE_RIGHT(head, tmp, field) do {			\
-	SPLAY_LEFT((head)->sph_root, field) = SPLAY_RIGHT(tmp, field);	\
-	SPLAY_RIGHT(tmp, field) = (head)->sph_root;			\
-	(head)->sph_root = tmp;						\
-} while (0)
-	
-#define SPLAY_ROTATE_LEFT(head, tmp, field) do {			\
-	SPLAY_RIGHT((head)->sph_root, field) = SPLAY_LEFT(tmp, field);	\
-	SPLAY_LEFT(tmp, field) = (head)->sph_root;			\
-	(head)->sph_root = tmp;						\
-} while (0)
-
-#define SPLAY_LINKLEFT(head, tmp, field) do {				\
-	SPLAY_LEFT(tmp, field) = (head)->sph_root;			\
-	tmp = (head)->sph_root;						\
-	(head)->sph_root = SPLAY_LEFT((head)->sph_root, field);		\
-} while (0)
-
-#define SPLAY_LINKRIGHT(head, tmp, field) do {				\
-	SPLAY_RIGHT(tmp, field) = (head)->sph_root;			\
-	tmp = (head)->sph_root;						\
-	(head)->sph_root = SPLAY_RIGHT((head)->sph_root, field);	\
-} while (0)
-
-#define SPLAY_ASSEMBLE(head, node, left, right, field) do {		\
-	SPLAY_RIGHT(left, field) = SPLAY_LEFT((head)->sph_root, field);	\
-	SPLAY_LEFT(right, field) = SPLAY_RIGHT((head)->sph_root, field);\
-	SPLAY_LEFT((head)->sph_root, field) = SPLAY_RIGHT(node, field);	\
-	SPLAY_RIGHT((head)->sph_root, field) = SPLAY_LEFT(node, field);	\
-} while (0)
-
-/* Generates prototypes and inline functions */
-
-#define SPLAY_PROTOTYPE(name, type, field, cmp)				\
-void name##_SPLAY(struct name *, struct type *);			\
-void name##_SPLAY_MINMAX(struct name *, int);				\
-struct type *name##_SPLAY_INSERT(struct name *, struct type *);		\
-struct type *name##_SPLAY_REMOVE(struct name *, struct type *);		\
-									\
-/* Finds the node with the same key as elm */				\
-static __inline struct type *						\
-name##_SPLAY_FIND(struct name *head, struct type *elm)			\
-{									\
-	if (SPLAY_EMPTY(head))						\
-		return(NULL);						\
-	name##_SPLAY(head, elm);					\
-	if ((cmp)(elm, (head)->sph_root) == 0)				\
-		return (head->sph_root);				\
-	return (NULL);							\
-}									\
-									\
-static __inline struct type *						\
-name##_SPLAY_NEXT(struct name *head, struct type *elm)			\
-{									\
-	name##_SPLAY(head, elm);					\
-	if (SPLAY_RIGHT(elm, field) != NULL) {				\
-		elm = SPLAY_RIGHT(elm, field);				\
-		while (SPLAY_LEFT(elm, field) != NULL) {		\
-			elm = SPLAY_LEFT(elm, field);			\
-		}							\
-	} else								\
-		elm = NULL;						\
-	return (elm);							\
-}									\
-									\
-static __inline struct type *						\
-name##_SPLAY_MIN_MAX(struct name *head, int val)			\
-{									\
-	name##_SPLAY_MINMAX(head, val);					\
-        return (SPLAY_ROOT(head));					\
-}
-
-/* Main splay operation.
- * Moves node close to the key of elm to top
- */
-#define SPLAY_GENERATE(name, type, field, cmp)				\
-struct type *								\
-name##_SPLAY_INSERT(struct name *head, struct type *elm)		\
-{									\
-    if (SPLAY_EMPTY(head)) {						\
-	    SPLAY_LEFT(elm, field) = SPLAY_RIGHT(elm, field) = NULL;	\
-    } else {								\
-	    int __comp;							\
-	    name##_SPLAY(head, elm);					\
-	    __comp = (cmp)(elm, (head)->sph_root);			\
-	    if(__comp < 0) {						\
-		    SPLAY_LEFT(elm, field) = SPLAY_LEFT((head)->sph_root, field);\
-		    SPLAY_RIGHT(elm, field) = (head)->sph_root;		\
-		    SPLAY_LEFT((head)->sph_root, field) = NULL;		\
-	    } else if (__comp > 0) {					\
-		    SPLAY_RIGHT(elm, field) = SPLAY_RIGHT((head)->sph_root, field);\
-		    SPLAY_LEFT(elm, field) = (head)->sph_root;		\
-		    SPLAY_RIGHT((head)->sph_root, field) = NULL;	\
-	    } else							\
-		    return ((head)->sph_root);				\
-    }									\
-    (head)->sph_root = (elm);						\
-    return (NULL);							\
-}									\
-									\
-struct type *								\
-name##_SPLAY_REMOVE(struct name *head, struct type *elm)		\
-{									\
-	struct type *__tmp;						\
-	if (SPLAY_EMPTY(head))						\
-		return (NULL);						\
-	name##_SPLAY(head, elm);					\
-	if ((cmp)(elm, (head)->sph_root) == 0) {			\
-		if (SPLAY_LEFT((head)->sph_root, field) == NULL) {	\
-			(head)->sph_root = SPLAY_RIGHT((head)->sph_root, field);\
-		} else {						\
-			__tmp = SPLAY_RIGHT((head)->sph_root, field);	\
-			(head)->sph_root = SPLAY_LEFT((head)->sph_root, field);\
-			name##_SPLAY(head, elm);			\
-			SPLAY_RIGHT((head)->sph_root, field) = __tmp;	\
-		}							\
-		return (elm);						\
-	}								\
-	return (NULL);							\
-}									\
-									\
-void									\
-name##_SPLAY(struct name *head, struct type *elm)			\
-{									\
-	struct type __node, *__left, *__right, *__tmp;			\
-	int __comp;							\
-\
-	SPLAY_LEFT(&__node, field) = SPLAY_RIGHT(&__node, field) = NULL;\
-	__left = __right = &__node;					\
-\
-	while ((__comp = (cmp)(elm, (head)->sph_root))) {		\
-		if (__comp < 0) {					\
-			__tmp = SPLAY_LEFT((head)->sph_root, field);	\
-			if (__tmp == NULL)				\
-				break;					\
-			if ((cmp)(elm, __tmp) < 0){			\
-				SPLAY_ROTATE_RIGHT(head, __tmp, field);	\
-				if (SPLAY_LEFT((head)->sph_root, field) == NULL)\
-					break;				\
-			}						\
-			SPLAY_LINKLEFT(head, __right, field);		\
-		} else if (__comp > 0) {				\
-			__tmp = SPLAY_RIGHT((head)->sph_root, field);	\
-			if (__tmp == NULL)				\
-				break;					\
-			if ((cmp)(elm, __tmp) > 0){			\
-				SPLAY_ROTATE_LEFT(head, __tmp, field);	\
-				if (SPLAY_RIGHT((head)->sph_root, field) == NULL)\
-					break;				\
-			}						\
-			SPLAY_LINKRIGHT(head, __left, field);		\
-		}							\
-	}								\
-	SPLAY_ASSEMBLE(head, &__node, __left, __right, field);		\
-}									\
-									\
-/* Splay with either the minimum or the maximum element			\
- * Used to find minimum or maximum element in tree.			\
- */									\
-void name##_SPLAY_MINMAX(struct name *head, int __comp) \
-{									\
-	struct type __node, *__left, *__right, *__tmp;			\
-\
-	SPLAY_LEFT(&__node, field) = SPLAY_RIGHT(&__node, field) = NULL;\
-	__left = __right = &__node;					\
-\
-	while (1) {							\
-		if (__comp < 0) {					\
-			__tmp = SPLAY_LEFT((head)->sph_root, field);	\
-			if (__tmp == NULL)				\
-				break;					\
-			if (__comp < 0){				\
-				SPLAY_ROTATE_RIGHT(head, __tmp, field);	\
-				if (SPLAY_LEFT((head)->sph_root, field) == NULL)\
-					break;				\
-			}						\
-			SPLAY_LINKLEFT(head, __right, field);		\
-		} else if (__comp > 0) {				\
-			__tmp = SPLAY_RIGHT((head)->sph_root, field);	\
-			if (__tmp == NULL)				\
-				break;					\
-			if (__comp > 0) {				\
-				SPLAY_ROTATE_LEFT(head, __tmp, field);	\
-				if (SPLAY_RIGHT((head)->sph_root, field) == NULL)\
-					break;				\
-			}						\
-			SPLAY_LINKRIGHT(head, __left, field);		\
-		}							\
-	}								\
-	SPLAY_ASSEMBLE(head, &__node, __left, __right, field);		\
-}
-
-#define SPLAY_NEGINF	-1
-#define SPLAY_INF	1
-
-#define SPLAY_INSERT(name, x, y)	name##_SPLAY_INSERT(x, y)
-#define SPLAY_REMOVE(name, x, y)	name##_SPLAY_REMOVE(x, y)
-#define SPLAY_FIND(name, x, y)		name##_SPLAY_FIND(x, y)
-#define SPLAY_NEXT(name, x, y)		name##_SPLAY_NEXT(x, y)
-#define SPLAY_MIN(name, x)		(SPLAY_EMPTY(x) ? NULL	\
-					: name##_SPLAY_MIN_MAX(x, SPLAY_NEGINF))
-#define SPLAY_MAX(name, x)		(SPLAY_EMPTY(x) ? NULL	\
-					: name##_SPLAY_MIN_MAX(x, SPLAY_INF))
-
-#define SPLAY_FOREACH(x, name, head)					\
-	for ((x) = SPLAY_MIN(name, head);				\
-	     (x) != NULL;						\
-	     (x) = SPLAY_NEXT(name, head, x))
-
-/* Macros that define a red-back tree */
-#define RB_HEAD(name, type)						\
-struct name {								\
-	struct type *rbh_root; /* root of the tree */			\
-}
-
-#define RB_INITIALIZER(root)						\
-	{ NULL }
-
-#define RB_INIT(root) do {						\
-	(root)->rbh_root = NULL;					\
-} while (0)
-
-#define RB_BLACK	0
-#define RB_RED		1
-#define RB_ENTRY(type)							\
-struct {								\
-	struct type *rbe_left;		/* left element */		\
-	struct type *rbe_right;		/* right element */		\
-	struct type *rbe_parent;	/* parent element */		\
-	int rbe_color;			/* node color */		\
-}
-
-#define RB_LEFT(elm, field)		(elm)->field.rbe_left
-#define RB_RIGHT(elm, field)		(elm)->field.rbe_right
-#define RB_PARENT(elm, field)		(elm)->field.rbe_parent
-#define RB_COLOR(elm, field)		(elm)->field.rbe_color
-#define RB_ROOT(head)			(head)->rbh_root
-#define RB_EMPTY(head)			(RB_ROOT(head) == NULL)
-
-#define RB_SET(elm, parent, field) do {					\
-	RB_PARENT(elm, field) = parent;					\
-	RB_LEFT(elm, field) = RB_RIGHT(elm, field) = NULL;		\
-	RB_COLOR(elm, field) = RB_RED;					\
-} while (0)
-
-#define RB_SET_BLACKRED(black, red, field) do {				\
-	RB_COLOR(black, field) = RB_BLACK;				\
-	RB_COLOR(red, field) = RB_RED;					\
-} while (0)
-
-#ifndef RB_AUGMENT
-#define RB_AUGMENT(x)
-#endif
-
-#define RB_ROTATE_LEFT(head, elm, tmp, field) do {			\
-	(tmp) = RB_RIGHT(elm, field);					\
-	if ((RB_RIGHT(elm, field) = RB_LEFT(tmp, field))) {		\
-		RB_PARENT(RB_LEFT(tmp, field), field) = (elm);		\
-	}								\
-	RB_AUGMENT(elm);						\
-	if ((RB_PARENT(tmp, field) = RB_PARENT(elm, field))) {		\
-		if ((elm) == RB_LEFT(RB_PARENT(elm, field), field))	\
-			RB_LEFT(RB_PARENT(elm, field), field) = (tmp);	\
-		else							\
-			RB_RIGHT(RB_PARENT(elm, field), field) = (tmp);	\
-	} else								\
-		(head)->rbh_root = (tmp);				\
-	RB_LEFT(tmp, field) = (elm);					\
-	RB_PARENT(elm, field) = (tmp);					\
-	RB_AUGMENT(tmp);						\
-	if ((RB_PARENT(tmp, field)))					\
-		RB_AUGMENT(RB_PARENT(tmp, field));			\
-} while (0)
-
-#define RB_ROTATE_RIGHT(head, elm, tmp, field) do {			\
-	(tmp) = RB_LEFT(elm, field);					\
-	if ((RB_LEFT(elm, field) = RB_RIGHT(tmp, field))) {		\
-		RB_PARENT(RB_RIGHT(tmp, field), field) = (elm);		\
-	}								\
-	RB_AUGMENT(elm);						\
-	if ((RB_PARENT(tmp, field) = RB_PARENT(elm, field))) {		\
-		if ((elm) == RB_LEFT(RB_PARENT(elm, field), field))	\
-			RB_LEFT(RB_PARENT(elm, field), field) = (tmp);	\
-		else							\
-			RB_RIGHT(RB_PARENT(elm, field), field) = (tmp);	\
-	} else								\
-		(head)->rbh_root = (tmp);				\
-	RB_RIGHT(tmp, field) = (elm);					\
-	RB_PARENT(elm, field) = (tmp);					\
-	RB_AUGMENT(tmp);						\
-	if ((RB_PARENT(tmp, field)))					\
-		RB_AUGMENT(RB_PARENT(tmp, field));			\
-} while (0)
-
-/* Generates prototypes and inline functions */
-#define RB_PROTOTYPE(name, type, field, cmp)				\
-void name##_RB_INSERT_COLOR(struct name *, struct type *);	\
-void name##_RB_REMOVE_COLOR(struct name *, struct type *, struct type *);\
-struct type *name##_RB_REMOVE(struct name *, struct type *);		\
-struct type *name##_RB_INSERT(struct name *, struct type *);		\
-struct type *name##_RB_FIND(struct name *, struct type *);		\
-struct type *name##_RB_NEXT(struct name *, struct type *);		\
-struct type *name##_RB_MINMAX(struct name *, int);			\
-									\
-
-/* Main rb operation.
- * Moves node close to the key of elm to top
- */
-#define RB_GENERATE(name, type, field, cmp)				\
-void									\
-name##_RB_INSERT_COLOR(struct name *head, struct type *elm)		\
-{									\
-	struct type *parent, *gparent, *tmp;				\
-	while ((parent = RB_PARENT(elm, field)) &&			\
-	    RB_COLOR(parent, field) == RB_RED) {			\
-		gparent = RB_PARENT(parent, field);			\
-		if (parent == RB_LEFT(gparent, field)) {		\
-			tmp = RB_RIGHT(gparent, field);			\
-			if (tmp && RB_COLOR(tmp, field) == RB_RED) {	\
-				RB_COLOR(tmp, field) = RB_BLACK;	\
-				RB_SET_BLACKRED(parent, gparent, field);\
-				elm = gparent;				\
-				continue;				\
-			}						\
-			if (RB_RIGHT(parent, field) == elm) {		\
-				RB_ROTATE_LEFT(head, parent, tmp, field);\
-				tmp = parent;				\
-				parent = elm;				\
-				elm = tmp;				\
-			}						\
-			RB_SET_BLACKRED(parent, gparent, field);	\
-			RB_ROTATE_RIGHT(head, gparent, tmp, field);	\
-		} else {						\
-			tmp = RB_LEFT(gparent, field);			\
-			if (tmp && RB_COLOR(tmp, field) == RB_RED) {	\
-				RB_COLOR(tmp, field) = RB_BLACK;	\
-				RB_SET_BLACKRED(parent, gparent, field);\
-				elm = gparent;				\
-				continue;				\
-			}						\
-			if (RB_LEFT(parent, field) == elm) {		\
-				RB_ROTATE_RIGHT(head, parent, tmp, field);\
-				tmp = parent;				\
-				parent = elm;				\
-				elm = tmp;				\
-			}						\
-			RB_SET_BLACKRED(parent, gparent, field);	\
-			RB_ROTATE_LEFT(head, gparent, tmp, field);	\
-		}							\
-	}								\
-	RB_COLOR(head->rbh_root, field) = RB_BLACK;			\
-}									\
-									\
-void									\
-name##_RB_REMOVE_COLOR(struct name *head, struct type *parent, struct type *elm) \
-{									\
-	struct type *tmp;						\
-	while ((elm == NULL || RB_COLOR(elm, field) == RB_BLACK) &&	\
-	    elm != RB_ROOT(head)) {					\
-		if (RB_LEFT(parent, field) == elm) {			\
-			tmp = RB_RIGHT(parent, field);			\
-			if (RB_COLOR(tmp, field) == RB_RED) {		\
-				RB_SET_BLACKRED(tmp, parent, field);	\
-				RB_ROTATE_LEFT(head, parent, tmp, field);\
-				tmp = RB_RIGHT(parent, field);		\
-			}						\
-			if ((RB_LEFT(tmp, field) == NULL ||		\
-			    RB_COLOR(RB_LEFT(tmp, field), field) == RB_BLACK) &&\
-			    (RB_RIGHT(tmp, field) == NULL ||		\
-			    RB_COLOR(RB_RIGHT(tmp, field), field) == RB_BLACK)) {\
-				RB_COLOR(tmp, field) = RB_RED;		\
-				elm = parent;				\
-				parent = RB_PARENT(elm, field);		\
-			} else {					\
-				if (RB_RIGHT(tmp, field) == NULL ||	\
-				    RB_COLOR(RB_RIGHT(tmp, field), field) == RB_BLACK) {\
-					struct type *oleft;		\
-					if ((oleft = RB_LEFT(tmp, field)))\
-						RB_COLOR(oleft, field) = RB_BLACK;\
-					RB_COLOR(tmp, field) = RB_RED;	\
-					RB_ROTATE_RIGHT(head, tmp, oleft, field);\
-					tmp = RB_RIGHT(parent, field);	\
-				}					\
-				RB_COLOR(tmp, field) = RB_COLOR(parent, field);\
-				RB_COLOR(parent, field) = RB_BLACK;	\
-				if (RB_RIGHT(tmp, field))		\
-					RB_COLOR(RB_RIGHT(tmp, field), field) = RB_BLACK;\
-				RB_ROTATE_LEFT(head, parent, tmp, field);\
-				elm = RB_ROOT(head);			\
-				break;					\
-			}						\
-		} else {						\
-			tmp = RB_LEFT(parent, field);			\
-			if (RB_COLOR(tmp, field) == RB_RED) {		\
-				RB_SET_BLACKRED(tmp, parent, field);	\
-				RB_ROTATE_RIGHT(head, parent, tmp, field);\
-				tmp = RB_LEFT(parent, field);		\
-			}						\
-			if ((RB_LEFT(tmp, field) == NULL ||		\
-			    RB_COLOR(RB_LEFT(tmp, field), field) == RB_BLACK) &&\
-			    (RB_RIGHT(tmp, field) == NULL ||		\
-			    RB_COLOR(RB_RIGHT(tmp, field), field) == RB_BLACK)) {\
-				RB_COLOR(tmp, field) = RB_RED;		\
-				elm = parent;				\
-				parent = RB_PARENT(elm, field);		\
-			} else {					\
-				if (RB_LEFT(tmp, field) == NULL ||	\
-				    RB_COLOR(RB_LEFT(tmp, field), field) == RB_BLACK) {\
-					struct type *oright;		\
-					if ((oright = RB_RIGHT(tmp, field)))\
-						RB_COLOR(oright, field) = RB_BLACK;\
-					RB_COLOR(tmp, field) = RB_RED;	\
-					RB_ROTATE_LEFT(head, tmp, oright, field);\
-					tmp = RB_LEFT(parent, field);	\
-				}					\
-				RB_COLOR(tmp, field) = RB_COLOR(parent, field);\
-				RB_COLOR(parent, field) = RB_BLACK;	\
-				if (RB_LEFT(tmp, field))		\
-					RB_COLOR(RB_LEFT(tmp, field), field) = RB_BLACK;\
-				RB_ROTATE_RIGHT(head, parent, tmp, field);\
-				elm = RB_ROOT(head);			\
-				break;					\
-			}						\
-		}							\
-	}								\
-	if (elm)							\
-		RB_COLOR(elm, field) = RB_BLACK;			\
-}									\
-									\
-struct type *								\
-name##_RB_REMOVE(struct name *head, struct type *elm)			\
-{									\
-	struct type *child, *parent, *old = elm;			\
-	int color;							\
-	if (RB_LEFT(elm, field) == NULL)				\
-		child = RB_RIGHT(elm, field);				\
-	else if (RB_RIGHT(elm, field) == NULL)				\
-		child = RB_LEFT(elm, field);				\
-	else {								\
-		struct type *left;					\
-		elm = RB_RIGHT(elm, field);				\
-		while ((left = RB_LEFT(elm, field)))			\
-			elm = left;					\
-		child = RB_RIGHT(elm, field);				\
-		parent = RB_PARENT(elm, field);				\
-		color = RB_COLOR(elm, field);				\
-		if (child)						\
-			RB_PARENT(child, field) = parent;		\
-		if (parent) {						\
-			if (RB_LEFT(parent, field) == elm)		\
-				RB_LEFT(parent, field) = child;		\
-			else						\
-				RB_RIGHT(parent, field) = child;	\
-			RB_AUGMENT(parent);				\
-		} else							\
-			RB_ROOT(head) = child;				\
-		if (RB_PARENT(elm, field) == old)			\
-			parent = elm;					\
-		(elm)->field = (old)->field;				\
-		if (RB_PARENT(old, field)) {				\
-			if (RB_LEFT(RB_PARENT(old, field), field) == old)\
-				RB_LEFT(RB_PARENT(old, field), field) = elm;\
-			else						\
-				RB_RIGHT(RB_PARENT(old, field), field) = elm;\
-			RB_AUGMENT(RB_PARENT(old, field));		\
-		} else							\
-			RB_ROOT(head) = elm;				\
-		RB_PARENT(RB_LEFT(old, field), field) = elm;		\
-		if (RB_RIGHT(old, field))				\
-			RB_PARENT(RB_RIGHT(old, field), field) = elm;	\
-		if (parent) {						\
-			left = parent;					\
-			do {						\
-				RB_AUGMENT(left);			\
-			} while ((left = RB_PARENT(left, field)));	\
-		}							\
-		goto color;						\
-	}								\
-	parent = RB_PARENT(elm, field);					\
-	color = RB_COLOR(elm, field);					\
-	if (child)							\
-		RB_PARENT(child, field) = parent;			\
-	if (parent) {							\
-		if (RB_LEFT(parent, field) == elm)			\
-			RB_LEFT(parent, field) = child;			\
-		else							\
-			RB_RIGHT(parent, field) = child;		\
-		RB_AUGMENT(parent);					\
-	} else								\
-		RB_ROOT(head) = child;					\
-color:									\
-	if (color == RB_BLACK)						\
-		name##_RB_REMOVE_COLOR(head, parent, child);		\
-	return (old);							\
-}									\
-									\
-/* Inserts a node into the RB tree */					\
-struct type *								\
-name##_RB_INSERT(struct name *head, struct type *elm)			\
-{									\
-	struct type *tmp;						\
-	struct type *parent = NULL;					\
-	int comp = 0;							\
-	tmp = RB_ROOT(head);						\
-	while (tmp) {							\
-		parent = tmp;						\
-		comp = (cmp)(elm, parent);				\
-		if (comp < 0)						\
-			tmp = RB_LEFT(tmp, field);			\
-		else if (comp > 0)					\
-			tmp = RB_RIGHT(tmp, field);			\
-		else							\
-			return (tmp);					\
-	}								\
-	RB_SET(elm, parent, field);					\
-	if (parent != NULL) {						\
-		if (comp < 0)						\
-			RB_LEFT(parent, field) = elm;			\
-		else							\
-			RB_RIGHT(parent, field) = elm;			\
-		RB_AUGMENT(parent);					\
-	} else								\
-		RB_ROOT(head) = elm;					\
-	name##_RB_INSERT_COLOR(head, elm);				\
-	return (NULL);							\
-}									\
-									\
-/* Finds the node with the same key as elm */				\
-struct type *								\
-name##_RB_FIND(struct name *head, struct type *elm)			\
-{									\
-	struct type *tmp = RB_ROOT(head);				\
-	int comp;							\
-	while (tmp) {							\
-		comp = cmp(elm, tmp);					\
-		if (comp < 0)						\
-			tmp = RB_LEFT(tmp, field);			\
-		else if (comp > 0)					\
-			tmp = RB_RIGHT(tmp, field);			\
-		else							\
-			return (tmp);					\
-	}								\
-	return (NULL);							\
-}									\
-									\
-struct type *								\
-name##_RB_NEXT(struct name *head, struct type *elm)			\
-{									\
-	if (RB_RIGHT(elm, field)) {					\
-		elm = RB_RIGHT(elm, field);				\
-		while (RB_LEFT(elm, field))				\
-			elm = RB_LEFT(elm, field);			\
-	} else {							\
-		if (RB_PARENT(elm, field) &&				\
-		    (elm == RB_LEFT(RB_PARENT(elm, field), field)))	\
-			elm = RB_PARENT(elm, field);			\
-		else {							\
-			while (RB_PARENT(elm, field) &&			\
-			    (elm == RB_RIGHT(RB_PARENT(elm, field), field)))\
-				elm = RB_PARENT(elm, field);		\
-			elm = RB_PARENT(elm, field);			\
-		}							\
-	}								\
-	return (elm);							\
-}									\
-									\
-struct type *								\
-name##_RB_MINMAX(struct name *head, int val)				\
-{									\
-	struct type *tmp = RB_ROOT(head);				\
-	struct type *parent = NULL;					\
-	while (tmp) {							\
-		parent = tmp;						\
-		if (val < 0)						\
-			tmp = RB_LEFT(tmp, field);			\
-		else							\
-			tmp = RB_RIGHT(tmp, field);			\
-	}								\
-	return (parent);						\
-}
-
-#define RB_NEGINF	-1
-#define RB_INF	1
-
-#define RB_INSERT(name, x, y)	name##_RB_INSERT(x, y)
-#define RB_REMOVE(name, x, y)	name##_RB_REMOVE(x, y)
-#define RB_FIND(name, x, y)	name##_RB_FIND(x, y)
-#define RB_NEXT(name, x, y)	name##_RB_NEXT(x, y)
-#define RB_MIN(name, x)		name##_RB_MINMAX(x, RB_NEGINF)
-#define RB_MAX(name, x)		name##_RB_MINMAX(x, RB_INF)
-
-#define RB_FOREACH(x, name, head)					\
-	for ((x) = RB_MIN(name, head);					\
-	     (x) != NULL;						\
-	     (x) = name##_RB_NEXT(head, x))
-
-#endif	/* _SYS_TREE_H_ */
diff --git a/crypto/openssh/openbsd-compat/tree.h b/crypto/openssh/openbsd-compat/tree.h
deleted file mode 100644
index 30b4a85..0000000
--- a/crypto/openssh/openbsd-compat/tree.h
+++ /dev/null
@@ -1,667 +0,0 @@
-/*
- * Copyright 2002 Niels Provos <provos@citi.umich.edu>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef	_SYS_TREE_H_
-#define	_SYS_TREE_H_
-
-/*
- * This file defines data structures for different types of trees:
- * splay trees and red-black trees.
- *
- * A splay tree is a self-organizing data structure.  Every operation
- * on the tree causes a splay to happen.  The splay moves the requested
- * node to the root of the tree and partly rebalances it.
- *
- * This has the benefit that request locality causes faster lookups as
- * the requested nodes move to the top of the tree.  On the other hand,
- * every lookup causes memory writes.
- *
- * The Balance Theorem bounds the total access time for m operations
- * and n inserts on an initially empty tree as O((m + n)lg n).  The
- * amortized cost for a sequence of m accesses to a splay tree is O(lg n);
- *
- * A red-black tree is a binary search tree with the node color as an
- * extra attribute.  It fulfills a set of conditions:
- *	- every search path from the root to a leaf consists of the
- *	  same number of black nodes,
- *	- each red node (except for the root) has a black parent,
- *	- each leaf node is black.
- *
- * Every operation on a red-black tree is bounded as O(lg n).
- * The maximum height of a red-black tree is 2lg (n+1).
- */
-
-#define SPLAY_HEAD(name, type)						\
-struct name {								\
-	struct type *sph_root; /* root of the tree */			\
-}
-
-#define SPLAY_INITIALIZER(root)						\
-	{ NULL }
-
-#define SPLAY_INIT(root) do {						\
-	(root)->sph_root = NULL;					\
-} while (0)
-
-#define SPLAY_ENTRY(type)						\
-struct {								\
-	struct type *spe_left; /* left element */			\
-	struct type *spe_right; /* right element */			\
-}
-
-#define SPLAY_LEFT(elm, field)		(elm)->field.spe_left
-#define SPLAY_RIGHT(elm, field)		(elm)->field.spe_right
-#define SPLAY_ROOT(head)		(head)->sph_root
-#define SPLAY_EMPTY(head)		(SPLAY_ROOT(head) == NULL)
-
-/* SPLAY_ROTATE_{LEFT,RIGHT} expect that tmp hold SPLAY_{RIGHT,LEFT} */
-#define SPLAY_ROTATE_RIGHT(head, tmp, field) do {			\
-	SPLAY_LEFT((head)->sph_root, field) = SPLAY_RIGHT(tmp, field);	\
-	SPLAY_RIGHT(tmp, field) = (head)->sph_root;			\
-	(head)->sph_root = tmp;						\
-} while (0)
-	
-#define SPLAY_ROTATE_LEFT(head, tmp, field) do {			\
-	SPLAY_RIGHT((head)->sph_root, field) = SPLAY_LEFT(tmp, field);	\
-	SPLAY_LEFT(tmp, field) = (head)->sph_root;			\
-	(head)->sph_root = tmp;						\
-} while (0)
-
-#define SPLAY_LINKLEFT(head, tmp, field) do {				\
-	SPLAY_LEFT(tmp, field) = (head)->sph_root;			\
-	tmp = (head)->sph_root;						\
-	(head)->sph_root = SPLAY_LEFT((head)->sph_root, field);		\
-} while (0)
-
-#define SPLAY_LINKRIGHT(head, tmp, field) do {				\
-	SPLAY_RIGHT(tmp, field) = (head)->sph_root;			\
-	tmp = (head)->sph_root;						\
-	(head)->sph_root = SPLAY_RIGHT((head)->sph_root, field);	\
-} while (0)
-
-#define SPLAY_ASSEMBLE(head, node, left, right, field) do {		\
-	SPLAY_RIGHT(left, field) = SPLAY_LEFT((head)->sph_root, field);	\
-	SPLAY_LEFT(right, field) = SPLAY_RIGHT((head)->sph_root, field);\
-	SPLAY_LEFT((head)->sph_root, field) = SPLAY_RIGHT(node, field);	\
-	SPLAY_RIGHT((head)->sph_root, field) = SPLAY_LEFT(node, field);	\
-} while (0)
-
-/* Generates prototypes and inline functions */
-
-#define SPLAY_PROTOTYPE(name, type, field, cmp)				\
-void name##_SPLAY(struct name *, struct type *);			\
-void name##_SPLAY_MINMAX(struct name *, int);				\
-									\
-static __inline void							\
-name##_SPLAY_INSERT(struct name *head, struct type *elm)		\
-{									\
-    if (SPLAY_EMPTY(head)) {						\
-	    SPLAY_LEFT(elm, field) = SPLAY_RIGHT(elm, field) = NULL;	\
-    } else {								\
-	    int __comp;							\
-	    name##_SPLAY(head, elm);					\
-	    __comp = (cmp)(elm, (head)->sph_root);			\
-	    if(__comp < 0) {						\
-		    SPLAY_LEFT(elm, field) = SPLAY_LEFT((head)->sph_root, field);\
-		    SPLAY_RIGHT(elm, field) = (head)->sph_root;		\
-		    SPLAY_LEFT((head)->sph_root, field) = NULL;		\
-	    } else if (__comp > 0) {					\
-		    SPLAY_RIGHT(elm, field) = SPLAY_RIGHT((head)->sph_root, field);\
-		    SPLAY_LEFT(elm, field) = (head)->sph_root;		\
-		    SPLAY_RIGHT((head)->sph_root, field) = NULL;	\
-	    } else							\
-		    return;						\
-    }									\
-    (head)->sph_root = (elm);						\
-}									\
-									\
-static __inline void							\
-name##_SPLAY_REMOVE(struct name *head, struct type *elm)		\
-{									\
-	struct type *__tmp;						\
-	if (SPLAY_EMPTY(head))						\
-		return;							\
-	name##_SPLAY(head, elm);					\
-	if ((cmp)(elm, (head)->sph_root) == 0) {			\
-		if (SPLAY_LEFT((head)->sph_root, field) == NULL) {	\
-			(head)->sph_root = SPLAY_RIGHT((head)->sph_root, field);\
-		} else {						\
-			__tmp = SPLAY_RIGHT((head)->sph_root, field);	\
-			(head)->sph_root = SPLAY_LEFT((head)->sph_root, field);\
-			name##_SPLAY(head, elm);			\
-			SPLAY_RIGHT((head)->sph_root, field) = __tmp;	\
-		}							\
-	}								\
-}									\
-									\
-/* Finds the node with the same key as elm */				\
-static __inline struct type *						\
-name##_SPLAY_FIND(struct name *head, struct type *elm)			\
-{									\
-	if (SPLAY_EMPTY(head))						\
-		return(NULL);						\
-	name##_SPLAY(head, elm);					\
-	if ((cmp)(elm, (head)->sph_root) == 0)				\
-		return (head->sph_root);				\
-	return (NULL);							\
-}									\
-									\
-static __inline struct type *						\
-name##_SPLAY_NEXT(struct name *head, struct type *elm)			\
-{									\
-	name##_SPLAY(head, elm);					\
-	if (SPLAY_RIGHT(elm, field) != NULL) {				\
-		elm = SPLAY_RIGHT(elm, field);				\
-		while (SPLAY_LEFT(elm, field) != NULL) {		\
-			elm = SPLAY_LEFT(elm, field);			\
-		}							\
-	} else								\
-		elm = NULL;						\
-	return (elm);							\
-}									\
-									\
-static __inline struct type *						\
-name##_SPLAY_MIN_MAX(struct name *head, int val)			\
-{									\
-	name##_SPLAY_MINMAX(head, val);					\
-        return (SPLAY_ROOT(head));					\
-}
-
-/* Main splay operation.
- * Moves node close to the key of elm to top
- */
-#define SPLAY_GENERATE(name, type, field, cmp)				\
-void name##_SPLAY(struct name *head, struct type *elm)			\
-{									\
-	struct type __node, *__left, *__right, *__tmp;			\
-	int __comp;							\
-\
-	SPLAY_LEFT(&__node, field) = SPLAY_RIGHT(&__node, field) = NULL;\
-	__left = __right = &__node;					\
-\
-	while ((__comp = (cmp)(elm, (head)->sph_root))) {		\
-		if (__comp < 0) {					\
-			__tmp = SPLAY_LEFT((head)->sph_root, field);	\
-			if (__tmp == NULL)				\
-				break;					\
-			if ((cmp)(elm, __tmp) < 0){			\
-				SPLAY_ROTATE_RIGHT(head, __tmp, field);	\
-				if (SPLAY_LEFT((head)->sph_root, field) == NULL)\
-					break;				\
-			}						\
-			SPLAY_LINKLEFT(head, __right, field);		\
-		} else if (__comp > 0) {				\
-			__tmp = SPLAY_RIGHT((head)->sph_root, field);	\
-			if (__tmp == NULL)				\
-				break;					\
-			if ((cmp)(elm, __tmp) > 0){			\
-				SPLAY_ROTATE_LEFT(head, __tmp, field);	\
-				if (SPLAY_RIGHT((head)->sph_root, field) == NULL)\
-					break;				\
-			}						\
-			SPLAY_LINKRIGHT(head, __left, field);		\
-		}							\
-	}								\
-	SPLAY_ASSEMBLE(head, &__node, __left, __right, field);		\
-}									\
-									\
-/* Splay with either the minimum or the maximum element			\
- * Used to find minimum or maximum element in tree.			\
- */									\
-void name##_SPLAY_MINMAX(struct name *head, int __comp) \
-{									\
-	struct type __node, *__left, *__right, *__tmp;			\
-\
-	SPLAY_LEFT(&__node, field) = SPLAY_RIGHT(&__node, field) = NULL;\
-	__left = __right = &__node;					\
-\
-	while (1) {							\
-		if (__comp < 0) {					\
-			__tmp = SPLAY_LEFT((head)->sph_root, field);	\
-			if (__tmp == NULL)				\
-				break;					\
-			if (__comp < 0){				\
-				SPLAY_ROTATE_RIGHT(head, __tmp, field);	\
-				if (SPLAY_LEFT((head)->sph_root, field) == NULL)\
-					break;				\
-			}						\
-			SPLAY_LINKLEFT(head, __right, field);		\
-		} else if (__comp > 0) {				\
-			__tmp = SPLAY_RIGHT((head)->sph_root, field);	\
-			if (__tmp == NULL)				\
-				break;					\
-			if (__comp > 0) {				\
-				SPLAY_ROTATE_LEFT(head, __tmp, field);	\
-				if (SPLAY_RIGHT((head)->sph_root, field) == NULL)\
-					break;				\
-			}						\
-			SPLAY_LINKRIGHT(head, __left, field);		\
-		}							\
-	}								\
-	SPLAY_ASSEMBLE(head, &__node, __left, __right, field);		\
-}
-
-#define SPLAY_NEGINF	-1
-#define SPLAY_INF	1
-
-#define SPLAY_INSERT(name, x, y)	name##_SPLAY_INSERT(x, y)
-#define SPLAY_REMOVE(name, x, y)	name##_SPLAY_REMOVE(x, y)
-#define SPLAY_FIND(name, x, y)		name##_SPLAY_FIND(x, y)
-#define SPLAY_NEXT(name, x, y)		name##_SPLAY_NEXT(x, y)
-#define SPLAY_MIN(name, x)		(SPLAY_EMPTY(x) ? NULL	\
-					: name##_SPLAY_MIN_MAX(x, SPLAY_NEGINF))
-#define SPLAY_MAX(name, x)		(SPLAY_EMPTY(x) ? NULL	\
-					: name##_SPLAY_MIN_MAX(x, SPLAY_INF))
-
-#define SPLAY_FOREACH(x, name, head)					\
-	for ((x) = SPLAY_MIN(name, head);				\
-	     (x) != NULL;						\
-	     (x) = SPLAY_NEXT(name, head, x))
-
-/* Macros that define a red-back tree */
-#define RB_HEAD(name, type)						\
-struct name {								\
-	struct type *rbh_root; /* root of the tree */			\
-}
-
-#define RB_INITIALIZER(root)						\
-	{ NULL }
-
-#define RB_INIT(root) do {						\
-	(root)->rbh_root = NULL;					\
-} while (0)
-
-#define RB_BLACK	0
-#define RB_RED		1
-#define RB_ENTRY(type)							\
-struct {								\
-	struct type *rbe_left;		/* left element */		\
-	struct type *rbe_right;		/* right element */		\
-	struct type *rbe_parent;	/* parent element */		\
-	int rbe_color;			/* node color */		\
-}
-
-#define RB_LEFT(elm, field)		(elm)->field.rbe_left
-#define RB_RIGHT(elm, field)		(elm)->field.rbe_right
-#define RB_PARENT(elm, field)		(elm)->field.rbe_parent
-#define RB_COLOR(elm, field)		(elm)->field.rbe_color
-#define RB_ROOT(head)			(head)->rbh_root
-#define RB_EMPTY(head)			(RB_ROOT(head) == NULL)
-
-#define RB_SET(elm, parent, field) do {					\
-	RB_PARENT(elm, field) = parent;					\
-	RB_LEFT(elm, field) = RB_RIGHT(elm, field) = NULL;		\
-	RB_COLOR(elm, field) = RB_RED;					\
-} while (0)
-
-#define RB_SET_BLACKRED(black, red, field) do {				\
-	RB_COLOR(black, field) = RB_BLACK;				\
-	RB_COLOR(red, field) = RB_RED;					\
-} while (0)
-
-#ifndef RB_AUGMENT
-#define RB_AUGMENT(x)
-#endif
-
-#define RB_ROTATE_LEFT(head, elm, tmp, field) do {			\
-	(tmp) = RB_RIGHT(elm, field);					\
-	if ((RB_RIGHT(elm, field) = RB_LEFT(tmp, field))) {		\
-		RB_PARENT(RB_LEFT(tmp, field), field) = (elm);		\
-	}								\
-	RB_AUGMENT(elm);						\
-	if ((RB_PARENT(tmp, field) = RB_PARENT(elm, field))) {		\
-		if ((elm) == RB_LEFT(RB_PARENT(elm, field), field))	\
-			RB_LEFT(RB_PARENT(elm, field), field) = (tmp);	\
-		else							\
-			RB_RIGHT(RB_PARENT(elm, field), field) = (tmp);	\
-		RB_AUGMENT(RB_PARENT(elm, field));			\
-	} else								\
-		(head)->rbh_root = (tmp);				\
-	RB_LEFT(tmp, field) = (elm);					\
-	RB_PARENT(elm, field) = (tmp);					\
-	RB_AUGMENT(tmp);						\
-} while (0)
-
-#define RB_ROTATE_RIGHT(head, elm, tmp, field) do {			\
-	(tmp) = RB_LEFT(elm, field);					\
-	if ((RB_LEFT(elm, field) = RB_RIGHT(tmp, field))) {		\
-		RB_PARENT(RB_RIGHT(tmp, field), field) = (elm);		\
-	}								\
-	RB_AUGMENT(elm);						\
-	if ((RB_PARENT(tmp, field) = RB_PARENT(elm, field))) {		\
-		if ((elm) == RB_LEFT(RB_PARENT(elm, field), field))	\
-			RB_LEFT(RB_PARENT(elm, field), field) = (tmp);	\
-		else							\
-			RB_RIGHT(RB_PARENT(elm, field), field) = (tmp);	\
-		RB_AUGMENT(RB_PARENT(elm, field));			\
-	} else								\
-		(head)->rbh_root = (tmp);				\
-	RB_RIGHT(tmp, field) = (elm);					\
-	RB_PARENT(elm, field) = (tmp);					\
-	RB_AUGMENT(tmp);						\
-} while (0)
-
-/* Generates prototypes and inline functions */
-#define RB_PROTOTYPE(name, type, field, cmp)				\
-void name##_RB_INSERT_COLOR(struct name *, struct type *);	\
-void name##_RB_REMOVE_COLOR(struct name *, struct type *, struct type *);\
-void name##_RB_REMOVE(struct name *, struct type *);			\
-struct type *name##_RB_INSERT(struct name *, struct type *);		\
-struct type *name##_RB_FIND(struct name *, struct type *);		\
-struct type *name##_RB_NEXT(struct name *, struct type *);		\
-struct type *name##_RB_MINMAX(struct name *, int);			\
-									\
-
-/* Main rb operation.
- * Moves node close to the key of elm to top
- */
-#define RB_GENERATE(name, type, field, cmp)				\
-void									\
-name##_RB_INSERT_COLOR(struct name *head, struct type *elm)		\
-{									\
-	struct type *parent, *gparent, *tmp;				\
-	while ((parent = RB_PARENT(elm, field)) &&			\
-	    RB_COLOR(parent, field) == RB_RED) {			\
-		gparent = RB_PARENT(parent, field);			\
-		if (parent == RB_LEFT(gparent, field)) {		\
-			tmp = RB_RIGHT(gparent, field);			\
-			if (tmp && RB_COLOR(tmp, field) == RB_RED) {	\
-				RB_COLOR(tmp, field) = RB_BLACK;	\
-				RB_SET_BLACKRED(parent, gparent, field);\
-				elm = gparent;				\
-				continue;				\
-			}						\
-			if (RB_RIGHT(parent, field) == elm) {		\
-				RB_ROTATE_LEFT(head, parent, tmp, field);\
-				tmp = parent;				\
-				parent = elm;				\
-				elm = tmp;				\
-			}						\
-			RB_SET_BLACKRED(parent, gparent, field);	\
-			RB_ROTATE_RIGHT(head, gparent, tmp, field);	\
-		} else {						\
-			tmp = RB_LEFT(gparent, field);			\
-			if (tmp && RB_COLOR(tmp, field) == RB_RED) {	\
-				RB_COLOR(tmp, field) = RB_BLACK;	\
-				RB_SET_BLACKRED(parent, gparent, field);\
-				elm = gparent;				\
-				continue;				\
-			}						\
-			if (RB_LEFT(parent, field) == elm) {		\
-				RB_ROTATE_RIGHT(head, parent, tmp, field);\
-				tmp = parent;				\
-				parent = elm;				\
-				elm = tmp;				\
-			}						\
-			RB_SET_BLACKRED(parent, gparent, field);	\
-			RB_ROTATE_LEFT(head, gparent, tmp, field);	\
-		}							\
-	}								\
-	RB_COLOR(head->rbh_root, field) = RB_BLACK;			\
-}									\
-									\
-void									\
-name##_RB_REMOVE_COLOR(struct name *head, struct type *parent, struct type *elm) \
-{									\
-	struct type *tmp;						\
-	while ((elm == NULL || RB_COLOR(elm, field) == RB_BLACK) &&	\
-	    elm != RB_ROOT(head)) {					\
-		if (RB_LEFT(parent, field) == elm) {			\
-			tmp = RB_RIGHT(parent, field);			\
-			if (RB_COLOR(tmp, field) == RB_RED) {		\
-				RB_SET_BLACKRED(tmp, parent, field);	\
-				RB_ROTATE_LEFT(head, parent, tmp, field);\
-				tmp = RB_RIGHT(parent, field);		\
-			}						\
-			if ((RB_LEFT(tmp, field) == NULL ||		\
-			    RB_COLOR(RB_LEFT(tmp, field), field) == RB_BLACK) &&\
-			    (RB_RIGHT(tmp, field) == NULL ||		\
-			    RB_COLOR(RB_RIGHT(tmp, field), field) == RB_BLACK)) {\
-				RB_COLOR(tmp, field) = RB_RED;		\
-				elm = parent;				\
-				parent = RB_PARENT(elm, field);		\
-			} else {					\
-				if (RB_RIGHT(tmp, field) == NULL ||	\
-				    RB_COLOR(RB_RIGHT(tmp, field), field) == RB_BLACK) {\
-					struct type *oleft;		\
-					if ((oleft = RB_LEFT(tmp, field)))\
-						RB_COLOR(oleft, field) = RB_BLACK;\
-					RB_COLOR(tmp, field) = RB_RED;	\
-					RB_ROTATE_RIGHT(head, tmp, oleft, field);\
-					tmp = RB_RIGHT(parent, field);	\
-				}					\
-				RB_COLOR(tmp, field) = RB_COLOR(parent, field);\
-				RB_COLOR(parent, field) = RB_BLACK;	\
-				if (RB_RIGHT(tmp, field))		\
-					RB_COLOR(RB_RIGHT(tmp, field), field) = RB_BLACK;\
-				RB_ROTATE_LEFT(head, parent, tmp, field);\
-				elm = RB_ROOT(head);			\
-				break;					\
-			}						\
-		} else {						\
-			tmp = RB_LEFT(parent, field);			\
-			if (RB_COLOR(tmp, field) == RB_RED) {		\
-				RB_SET_BLACKRED(tmp, parent, field);	\
-				RB_ROTATE_RIGHT(head, parent, tmp, field);\
-				tmp = RB_LEFT(parent, field);		\
-			}						\
-			if ((RB_LEFT(tmp, field) == NULL ||		\
-			    RB_COLOR(RB_LEFT(tmp, field), field) == RB_BLACK) &&\
-			    (RB_RIGHT(tmp, field) == NULL ||		\
-			    RB_COLOR(RB_RIGHT(tmp, field), field) == RB_BLACK)) {\
-				RB_COLOR(tmp, field) = RB_RED;		\
-				elm = parent;				\
-				parent = RB_PARENT(elm, field);		\
-			} else {					\
-				if (RB_LEFT(tmp, field) == NULL ||	\
-				    RB_COLOR(RB_LEFT(tmp, field), field) == RB_BLACK) {\
-					struct type *oright;		\
-					if ((oright = RB_RIGHT(tmp, field)))\
-						RB_COLOR(oright, field) = RB_BLACK;\
-					RB_COLOR(tmp, field) = RB_RED;	\
-					RB_ROTATE_LEFT(head, tmp, oright, field);\
-					tmp = RB_LEFT(parent, field);	\
-				}					\
-				RB_COLOR(tmp, field) = RB_COLOR(parent, field);\
-				RB_COLOR(parent, field) = RB_BLACK;	\
-				if (RB_LEFT(tmp, field))		\
-					RB_COLOR(RB_LEFT(tmp, field), field) = RB_BLACK;\
-				RB_ROTATE_RIGHT(head, parent, tmp, field);\
-				elm = RB_ROOT(head);			\
-				break;					\
-			}						\
-		}							\
-	}								\
-	if (elm)							\
-		RB_COLOR(elm, field) = RB_BLACK;			\
-}									\
-									\
-void									\
-name##_RB_REMOVE(struct name *head, struct type *elm)			\
-{									\
-	struct type *child, *parent;					\
-	int color;							\
-	if (RB_LEFT(elm, field) == NULL)				\
-		child = RB_RIGHT(elm, field);				\
-	else if (RB_RIGHT(elm, field) == NULL)				\
-		child = RB_LEFT(elm, field);				\
-	else {								\
-		struct type *old = elm, *left;				\
-		elm = RB_RIGHT(elm, field);				\
-		while ((left = RB_LEFT(elm, field)))			\
-			elm = left;					\
-		child = RB_RIGHT(elm, field);				\
-		parent = RB_PARENT(elm, field);				\
-		color = RB_COLOR(elm, field);				\
-		if (child)						\
-			RB_PARENT(child, field) = parent;		\
-		if (parent) {						\
-			if (RB_LEFT(parent, field) == elm)		\
-				RB_LEFT(parent, field) = child;		\
-			else						\
-				RB_RIGHT(parent, field) = child;	\
-			RB_AUGMENT(parent);				\
-		} else							\
-			RB_ROOT(head) = child;				\
-		if (RB_PARENT(elm, field) == old)			\
-			parent = elm;					\
-		(elm)->field = (old)->field;				\
-		if (RB_PARENT(old, field)) {				\
-			if (RB_LEFT(RB_PARENT(old, field), field) == old)\
-				RB_LEFT(RB_PARENT(old, field), field) = elm;\
-			else						\
-				RB_RIGHT(RB_PARENT(old, field), field) = elm;\
-			RB_AUGMENT(RB_PARENT(old, field));		\
-		} else							\
-			RB_ROOT(head) = elm;				\
-		RB_PARENT(RB_LEFT(old, field), field) = elm;		\
-		if (RB_RIGHT(old, field))				\
-			RB_PARENT(RB_RIGHT(old, field), field) = elm;	\
-		if (parent) {						\
-			left = parent;					\
-			do {						\
-				RB_AUGMENT(left);			\
-			} while ((left = RB_PARENT(left, field)));	\
-		}							\
-		goto color;						\
-	}								\
-	parent = RB_PARENT(elm, field);					\
-	color = RB_COLOR(elm, field);					\
-	if (child)							\
-		RB_PARENT(child, field) = parent;			\
-	if (parent) {							\
-		if (RB_LEFT(parent, field) == elm)			\
-			RB_LEFT(parent, field) = child;			\
-		else							\
-			RB_RIGHT(parent, field) = child;		\
-		RB_AUGMENT(parent);					\
-	} else								\
-		RB_ROOT(head) = child;					\
-color:									\
-	if (color == RB_BLACK)						\
-		name##_RB_REMOVE_COLOR(head, parent, child);		\
-}									\
-									\
-/* Inserts a node into the RB tree */					\
-struct type *								\
-name##_RB_INSERT(struct name *head, struct type *elm)			\
-{									\
-	struct type *tmp;						\
-	struct type *parent = NULL;					\
-	int comp = 0;							\
-	tmp = RB_ROOT(head);						\
-	while (tmp) {							\
-		parent = tmp;						\
-		comp = (cmp)(elm, parent);				\
-		if (comp < 0)						\
-			tmp = RB_LEFT(tmp, field);			\
-		else if (comp > 0)					\
-			tmp = RB_RIGHT(tmp, field);			\
-		else							\
-			return (tmp);					\
-	}								\
-	RB_SET(elm, parent, field);					\
-	if (parent != NULL) {						\
-		if (comp < 0)						\
-			RB_LEFT(parent, field) = elm;			\
-		else							\
-			RB_RIGHT(parent, field) = elm;			\
-		RB_AUGMENT(parent);					\
-	} else								\
-		RB_ROOT(head) = elm;					\
-	name##_RB_INSERT_COLOR(head, elm);				\
-	return (NULL);							\
-}									\
-									\
-/* Finds the node with the same key as elm */				\
-struct type *								\
-name##_RB_FIND(struct name *head, struct type *elm)			\
-{									\
-	struct type *tmp = RB_ROOT(head);				\
-	int comp;							\
-	while (tmp) {							\
-		comp = cmp(elm, tmp);					\
-		if (comp < 0)						\
-			tmp = RB_LEFT(tmp, field);			\
-		else if (comp > 0)					\
-			tmp = RB_RIGHT(tmp, field);			\
-		else							\
-			return (tmp);					\
-	}								\
-	return (NULL);							\
-}									\
-									\
-struct type *								\
-name##_RB_NEXT(struct name *head, struct type *elm)			\
-{									\
-	if (RB_RIGHT(elm, field)) {					\
-		elm = RB_RIGHT(elm, field);				\
-		while (RB_LEFT(elm, field))				\
-			elm = RB_LEFT(elm, field);			\
-	} else {							\
-		if (RB_PARENT(elm, field) &&				\
-		    (elm == RB_LEFT(RB_PARENT(elm, field), field)))	\
-			elm = RB_PARENT(elm, field);			\
-		else {							\
-			while (RB_PARENT(elm, field) &&			\
-			    (elm == RB_RIGHT(RB_PARENT(elm, field), field)))\
-				elm = RB_PARENT(elm, field);		\
-			elm = RB_PARENT(elm, field);			\
-		}							\
-	}								\
-	return (elm);							\
-}									\
-									\
-struct type *								\
-name##_RB_MINMAX(struct name *head, int val)				\
-{									\
-	struct type *tmp = RB_ROOT(head);				\
-	struct type *parent = NULL;					\
-	while (tmp) {							\
-		parent = tmp;						\
-		if (val < 0)						\
-			tmp = RB_LEFT(tmp, field);			\
-		else							\
-			tmp = RB_RIGHT(tmp, field);			\
-	}								\
-	return (parent);						\
-}
-
-#define RB_NEGINF	-1
-#define RB_INF	1
-
-#define RB_INSERT(name, x, y)	name##_RB_INSERT(x, y)
-#define RB_REMOVE(name, x, y)	name##_RB_REMOVE(x, y)
-#define RB_FIND(name, x, y)	name##_RB_FIND(x, y)
-#define RB_NEXT(name, x, y)	name##_RB_NEXT(x, y)
-#define RB_MIN(name, x)		name##_RB_MINMAX(x, RB_NEGINF)
-#define RB_MAX(name, x)		name##_RB_MINMAX(x, RB_INF)
-
-#define RB_FOREACH(x, name, head)					\
-	for ((x) = RB_MIN(name, head);					\
-	     (x) != NULL;						\
-	     (x) = name##_RB_NEXT(head, x))
-
-#endif	/* _SYS_TREE_H_ */
diff --git a/crypto/openssh/openbsd-compat/vis.c b/crypto/openssh/openbsd-compat/vis.c
deleted file mode 100644
index 3a087b3..0000000
--- a/crypto/openssh/openbsd-compat/vis.c
+++ /dev/null
@@ -1,225 +0,0 @@
-/*	$OpenBSD: vis.c,v 1.19 2005/09/01 17:15:49 millert Exp $ */
-/*-
- * Copyright (c) 1989, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* OPENBSD ORIGINAL: lib/libc/gen/vis.c */
-
-#include "includes.h"
-#if !defined(HAVE_STRNVIS)
-
-#include <ctype.h>
-#include <string.h>
-
-#include "vis.h"
-
-#define	isoctal(c)	(((u_char)(c)) >= '0' && ((u_char)(c)) <= '7')
-#define	isvisible(c)							\
-	(((u_int)(c) <= UCHAR_MAX && isascii((u_char)(c)) &&		\
-	(((c) != '*' && (c) != '?' && (c) != '[' && (c) != '#') ||	\
-		(flag & VIS_GLOB) == 0) && isgraph((u_char)(c))) ||	\
-	((flag & VIS_SP) == 0 && (c) == ' ') ||				\
-	((flag & VIS_TAB) == 0 && (c) == '\t') ||			\
-	((flag & VIS_NL) == 0 && (c) == '\n') ||			\
-	((flag & VIS_SAFE) && ((c) == '\b' ||				\
-		(c) == '\007' || (c) == '\r' ||				\
-		isgraph((u_char)(c)))))
-
-/*
- * vis - visually encode characters
- */
-char *
-vis(char *dst, int c, int flag, int nextc)
-{
-	if (isvisible(c)) {
-		*dst++ = c;
-		if (c == '\\' && (flag & VIS_NOSLASH) == 0)
-			*dst++ = '\\';
-		*dst = '\0';
-		return (dst);
-	}
-
-	if (flag & VIS_CSTYLE) {
-		switch(c) {
-		case '\n':
-			*dst++ = '\\';
-			*dst++ = 'n';
-			goto done;
-		case '\r':
-			*dst++ = '\\';
-			*dst++ = 'r';
-			goto done;
-		case '\b':
-			*dst++ = '\\';
-			*dst++ = 'b';
-			goto done;
-		case '\a':
-			*dst++ = '\\';
-			*dst++ = 'a';
-			goto done;
-		case '\v':
-			*dst++ = '\\';
-			*dst++ = 'v';
-			goto done;
-		case '\t':
-			*dst++ = '\\';
-			*dst++ = 't';
-			goto done;
-		case '\f':
-			*dst++ = '\\';
-			*dst++ = 'f';
-			goto done;
-		case ' ':
-			*dst++ = '\\';
-			*dst++ = 's';
-			goto done;
-		case '\0':
-			*dst++ = '\\';
-			*dst++ = '0';
-			if (isoctal(nextc)) {
-				*dst++ = '0';
-				*dst++ = '0';
-			}
-			goto done;
-		}
-	}
-	if (((c & 0177) == ' ') || (flag & VIS_OCTAL) ||
-	    ((flag & VIS_GLOB) && (c == '*' || c == '?' || c == '[' || c == '#'))) {
-		*dst++ = '\\';
-		*dst++ = ((u_char)c >> 6 & 07) + '0';
-		*dst++ = ((u_char)c >> 3 & 07) + '0';
-		*dst++ = ((u_char)c & 07) + '0';
-		goto done;
-	}
-	if ((flag & VIS_NOSLASH) == 0)
-		*dst++ = '\\';
-	if (c & 0200) {
-		c &= 0177;
-		*dst++ = 'M';
-	}
-	if (iscntrl((u_char)c)) {
-		*dst++ = '^';
-		if (c == 0177)
-			*dst++ = '?';
-		else
-			*dst++ = c + '@';
-	} else {
-		*dst++ = '-';
-		*dst++ = c;
-	}
-done:
-	*dst = '\0';
-	return (dst);
-}
-
-/*
- * strvis, strnvis, strvisx - visually encode characters from src into dst
- *	
- *	Dst must be 4 times the size of src to account for possible
- *	expansion.  The length of dst, not including the trailing NULL,
- *	is returned. 
- *
- *	Strnvis will write no more than siz-1 bytes (and will NULL terminate).
- *	The number of bytes needed to fully encode the string is returned.
- *
- *	Strvisx encodes exactly len bytes from src into dst.
- *	This is useful for encoding a block of data.
- */
-int
-strvis(char *dst, const char *src, int flag)
-{
-	char c;
-	char *start;
-
-	for (start = dst; (c = *src);)
-		dst = vis(dst, c, flag, *++src);
-	*dst = '\0';
-	return (dst - start);
-}
-
-int
-strnvis(char *dst, const char *src, size_t siz, int flag)
-{
-	char *start, *end;
-	char tbuf[5];
-	int c, i;
-
-	i = 0;
-	for (start = dst, end = start + siz - 1; (c = *src) && dst < end; ) {
-		if (isvisible(c)) {
-			i = 1;
-			*dst++ = c;
-			if (c == '\\' && (flag & VIS_NOSLASH) == 0) {
-				/* need space for the extra '\\' */
-				if (dst < end)
-					*dst++ = '\\';
-				else {
-					dst--;
-					i = 2;
-					break;
-				}
-			}
-			src++;
-		} else {
-			i = vis(tbuf, c, flag, *++src) - tbuf;
-			if (dst + i <= end) {
-				memcpy(dst, tbuf, i);
-				dst += i;
-			} else {
-				src--;
-				break;
-			}
-		}
-	}
-	if (siz > 0)
-		*dst = '\0';
-	if (dst + i > end) {
-		/* adjust return value for truncation */
-		while ((c = *src))
-			dst += vis(tbuf, c, flag, *++src) - tbuf;
-	}
-	return (dst - start);
-}
-
-int
-strvisx(char *dst, const char *src, size_t len, int flag)
-{
-	char c;
-	char *start;
-
-	for (start = dst; len > 1; len--) {
-		c = *src;
-		dst = vis(dst, c, flag, *++src);
-	}
-	if (len)
-		dst = vis(dst, *src, flag, '\0');
-	*dst = '\0';
-	return (dst - start);
-}
-
-#endif
diff --git a/crypto/openssh/openbsd-compat/vis.h b/crypto/openssh/openbsd-compat/vis.h
deleted file mode 100644
index 3898a9e..0000000
--- a/crypto/openssh/openbsd-compat/vis.h
+++ /dev/null
@@ -1,95 +0,0 @@
-/*	$OpenBSD: vis.h,v 1.11 2005/08/09 19:38:31 millert Exp $	*/
-/*	$NetBSD: vis.h,v 1.4 1994/10/26 00:56:41 cgd Exp $	*/
-
-/*-
- * Copyright (c) 1990 The Regents of the University of California.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- *	@(#)vis.h	5.9 (Berkeley) 4/3/91
- */
-
-/* OPENBSD ORIGINAL: include/vis.h */
-
-#include "includes.h"
-#if !defined(HAVE_STRNVIS)
-
-#ifndef _VIS_H_
-#define	_VIS_H_
-
-#include <sys/types.h>
-#include <limits.h>
-
-/*
- * to select alternate encoding format
- */
-#define	VIS_OCTAL	0x01	/* use octal \ddd format */
-#define	VIS_CSTYLE	0x02	/* use \[nrft0..] where appropriate */
-
-/*
- * to alter set of characters encoded (default is to encode all
- * non-graphic except space, tab, and newline).
- */
-#define	VIS_SP		0x04	/* also encode space */
-#define	VIS_TAB		0x08	/* also encode tab */
-#define	VIS_NL		0x10	/* also encode newline */
-#define	VIS_WHITE	(VIS_SP | VIS_TAB | VIS_NL)
-#define	VIS_SAFE	0x20	/* only encode "unsafe" characters */
-
-/*
- * other
- */
-#define	VIS_NOSLASH	0x40	/* inhibit printing '\' */
-#define	VIS_GLOB	0x100	/* encode glob(3) magics and '#' */
-
-/*
- * unvis return codes
- */
-#define	UNVIS_VALID	 1	/* character valid */
-#define	UNVIS_VALIDPUSH	 2	/* character valid, push back passed char */
-#define	UNVIS_NOCHAR	 3	/* valid sequence, no character produced */
-#define	UNVIS_SYNBAD	-1	/* unrecognized escape sequence */
-#define	UNVIS_ERROR	-2	/* decoder in unknown state (unrecoverable) */
-
-/*
- * unvis flags
- */
-#define	UNVIS_END	1	/* no more characters */
-
-char	*vis(char *, int, int, int);
-int	strvis(char *, const char *, int);
-int	strnvis(char *, const char *, size_t, int)
-		__attribute__ ((__bounded__(__string__,1,3)));
-int	strvisx(char *, const char *, size_t, int)
-		__attribute__ ((__bounded__(__string__,1,3)));
-int	strunvis(char *, const char *);
-int	unvis(char *, char, int *, int);
-ssize_t strnunvis(char *, const char *, size_t)
-		__attribute__ ((__bounded__(__string__,1,3)));
-
-#endif /* !_VIS_H_ */
-
-#endif /* !HAVE_STRNVIS */
diff --git a/crypto/openssh/openbsd-compat/xcrypt.c b/crypto/openssh/openbsd-compat/xcrypt.c
deleted file mode 100644
index 1489932..0000000
--- a/crypto/openssh/openbsd-compat/xcrypt.c
+++ /dev/null
@@ -1,117 +0,0 @@
-/*
- * Copyright (c) 2003 Ben Lindstrom.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <unistd.h>
-#include <pwd.h>
-
-# ifdef HAVE_CRYPT_H
-#  include <crypt.h>
-# endif
-
-# ifdef __hpux
-#  include <hpsecurity.h>
-#  include <prot.h>
-# endif
-
-# ifdef HAVE_SECUREWARE
-#  include <sys/security.h>
-#  include <sys/audit.h>
-#  include <prot.h>
-# endif 
-
-# if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
-#  include <shadow.h>
-# endif
-
-# if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
-#  include <sys/label.h>
-#  include <sys/audit.h>
-#  include <pwdadj.h>
-# endif
-
-# if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
-#  include "md5crypt.h"
-# endif 
-
-char *
-xcrypt(const char *password, const char *salt)
-{
-	char *crypted;
-
-# ifdef HAVE_MD5_PASSWORDS
-        if (is_md5_salt(salt))
-                crypted = md5_crypt(password, salt);
-        else
-                crypted = crypt(password, salt);
-# elif defined(__hpux) && !defined(HAVE_SECUREWARE)
-	if (iscomsec())
-                crypted = bigcrypt(password, salt);
-        else
-                crypted = crypt(password, salt);
-# elif defined(HAVE_SECUREWARE)
-        crypted = bigcrypt(password, salt);
-# else
-        crypted = crypt(password, salt);
-# endif 
-
-	return crypted;
-}
-
-/*
- * Handle shadowed password systems in a cleaner way for portable
- * version.
- */
-
-char *
-shadow_pw(struct passwd *pw)
-{
-	char *pw_password = pw->pw_passwd;
-
-# if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
-	struct spwd *spw = getspnam(pw->pw_name);
-
-	if (spw != NULL)
-		pw_password = spw->sp_pwdp;
-# endif
-
-#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
-	return(get_iaf_password(pw));
-#endif
-
-# if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
-	struct passwd_adjunct *spw;
-	if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL)
-		pw_password = spw->pwa_passwd;
-# elif defined(HAVE_SECUREWARE)
-	struct pr_passwd *spw = getprpwnam(pw->pw_name);
-
-	if (spw != NULL)
-		pw_password = spw->ufld.fd_encrypt;
-# endif
-
-	return pw_password;
-}
diff --git a/crypto/openssh/openbsd-compat/xmmap.c b/crypto/openssh/openbsd-compat/xmmap.c
deleted file mode 100644
index 0fb2326..0000000
--- a/crypto/openssh/openbsd-compat/xmmap.c
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * Copyright (c) 2002 Tim Rice.  All rights reserved.
- * MAP_FAILED code by Solar Designer.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/* $Id: xmmap.c,v 1.12 2006/08/24 09:58:36 dtucker Exp $ */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#ifdef HAVE_SYS_MMAN_H
-#include <sys/mman.h>
-#endif
-#include <sys/stat.h>
-
-#ifdef HAVE_FCNTL_H
-# include <fcntl.h>
-#endif
-#include <errno.h>
-#include <stdarg.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "log.h"
-
-void *xmmap(size_t size)
-{
-#ifdef HAVE_MMAP
-	void *address;
-
-# ifdef MAP_ANON
-	address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED,
-	    -1, (off_t)0);
-# else
-	address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_SHARED,
-	    open("/dev/zero", O_RDWR), (off_t)0);
-# endif
-
-#define MM_SWAP_TEMPLATE "/var/run/sshd.mm.XXXXXXXX"
-	if (address == (void *)MAP_FAILED) {
-		char tmpname[sizeof(MM_SWAP_TEMPLATE)] = MM_SWAP_TEMPLATE;
-		int tmpfd;
-		mode_t old_umask;
-
-		old_umask = umask(0177);
-		tmpfd = mkstemp(tmpname);
-		umask(old_umask);
-		if (tmpfd == -1)
-			fatal("mkstemp(\"%s\"): %s",
-			    MM_SWAP_TEMPLATE, strerror(errno));
-		unlink(tmpname);
-		ftruncate(tmpfd, size);
-		address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_SHARED,
-		    tmpfd, (off_t)0);
-		close(tmpfd);
-	}
-
-	return (address);
-#else
-	fatal("%s: UsePrivilegeSeparation=yes and Compression=yes not supported",
-	    __func__);
-#endif /* HAVE_MMAP */
-
-}
-
diff --git a/crypto/openssh/openssh.xml.in b/crypto/openssh/openssh.xml.in
deleted file mode 100644
index 655ee5c..0000000
--- a/crypto/openssh/openssh.xml.in
+++ /dev/null
@@ -1,87 +0,0 @@
-<?xml version='1.0'?>
-<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
-<!--
-    Copyright (c) 2006 Chad Mynhier.
-
-    Permission to use, copy, modify, and distribute this software for any
-    purpose with or without fee is hereby granted, provided that the above
-    copyright notice and this permission notice appear in all copies.
-
-    THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-    WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-    MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-    ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-
-<service_bundle type='manifest' name='OpenSSH server'>
-
-    <service
-        name='site/openssh'
-        type='service'
-        version='1'>
-
-        <create_default_instance enabled='false'/>
-
-        <single_instance/>
-
-        <dependency
-            name='filesystem-local'
-            grouping='require_all'
-            restart_on='none'
-            type='service'>
-            <service_fmri value='svc:/system/filesystem/local'/>
-        </dependency>
-
-        <dependency
-            name='network'
-            grouping='require_all'
-            restart_on='none'
-            type='service'>
-            <service_fmri value='svc:/milestone/network'/>
-        </dependency>
-
-        <dependent
-            name='multi-user-server'
-            restart_on='none'
-            grouping='optional_all'>
-            <service_fmri value='svc:/milestone/multi-user-server'/>
-        </dependent>
-
-        <exec_method
-            name='start'
-            type='method'
-            exec='/lib/svc/method/site/opensshd start'
-            timeout_seconds='60'>
-            <method_context/>
-        </exec_method>
-
-        <exec_method
-            name='stop'
-            type='method'
-            exec=':kill'
-            timeout_seconds='60'>
-            <method_context/>
-        </exec_method>
-
-        <property_group
-            name='startd'
-            type='framework'>
-            <propval name='ignore_error' type='astring' value='core,signal'/>
-        </property_group>
-
-        <template>
-            <common_name>
-                <loctext xml:lang='C'>OpenSSH server</loctext>
-            </common_name>
-            <documentation>
-                <manpage
-                    title='sshd'
-                    section='1M'
-                    manpath='@prefix@/man'/>
-            </documentation>
-        </template>
-    </service>
-</service_bundle>
diff --git a/crypto/openssh/opensshd.init.in b/crypto/openssh/opensshd.init.in
deleted file mode 100755
index c36c5c8..0000000
--- a/crypto/openssh/opensshd.init.in
+++ /dev/null
@@ -1,82 +0,0 @@
-#!@STARTUP_SCRIPT_SHELL@
-# Donated code that was put under PD license.
-#
-# Stripped PRNGd out of it for the time being.
-
-umask 022
-
-CAT=@CAT@
-KILL=@KILL@
-
-prefix=@prefix@
-sysconfdir=@sysconfdir@
-piddir=@piddir@
-
-SSHD=$prefix/sbin/sshd
-PIDFILE=$piddir/sshd.pid
-SSH_KEYGEN=$prefix/bin/ssh-keygen
-HOST_KEY_RSA1=$sysconfdir/ssh_host_key
-HOST_KEY_DSA=$sysconfdir/ssh_host_dsa_key
-HOST_KEY_RSA=$sysconfdir/ssh_host_rsa_key
-
-
-checkkeys() {
-    if [ ! -f $HOST_KEY_RSA1 ]; then
-	${SSH_KEYGEN} -t rsa1 -f ${HOST_KEY_RSA1} -N ""
-    fi
-    if [ ! -f $HOST_KEY_DSA ]; then
-	${SSH_KEYGEN} -t dsa -f ${HOST_KEY_DSA} -N ""
-    fi
-    if [ ! -f $HOST_KEY_RSA ]; then
-	${SSH_KEYGEN} -t rsa -f ${HOST_KEY_RSA} -N ""
-    fi
-}
-
-stop_service() {
-    if [  -r $PIDFILE  -a  ! -z ${PIDFILE}  ]; then
-	PID=`${CAT} ${PIDFILE}`
-    fi
-    if [  ${PID:=0} -gt 1 -a  ! "X$PID" = "X "  ]; then
-	${KILL} ${PID}
-    else
-	echo "Unable to read PID file"
-    fi
-}
-
-start_service() {
-    # XXX We really should check if the service is already going, but
-    # XXX we will opt out at this time. - Bal
-
-    # Check to see if we have keys that need to be made
-    checkkeys
-
-    # Start SSHD
-    echo "starting $SSHD... \c"         ; $SSHD
-
-    sshd_rc=$?
-    if [ $sshd_rc -ne 0 ]; then
-	echo "$0: Error ${sshd_rc} starting ${SSHD}... bailing."
-	exit $sshd_rc
-    fi
-    echo done.
-}
-
-case $1 in
-
-'start')
-    start_service
-    ;;
-
-'stop')
-    stop_service
-    ;;
-
-'restart')
-    stop_service
-    start_service
-    ;;
-
-*)
-    echo "$0:  usage:  $0 {start|stop|restart}"
-    ;;
-esac
diff --git a/crypto/openssh/packet.c b/crypto/openssh/packet.c
deleted file mode 100644
index ab5a010..0000000
--- a/crypto/openssh/packet.c
+++ /dev/null
@@ -1,1609 +0,0 @@
-/* $OpenBSD: packet.c,v 1.145 2006/09/19 21:14:08 markus Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * This file contains code implementing the packet protocol and communication
- * with the other side.  This same code is used both on client and server side.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- *
- * SSH2 packet format added by Markus Friedl.
- * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
- 
-#include <sys/types.h>
-#include "openbsd-compat/sys-queue.h"
-#include <sys/param.h>
-#include <sys/socket.h>
-#ifdef HAVE_SYS_TIME_H
-# include <sys/time.h>
-#endif
-
-#include <netinet/in_systm.h>
-#include <netinet/in.h>
-#include <netinet/ip.h>
-#include <arpa/inet.h>
-
-#include <errno.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <signal.h>
-
-#include "xmalloc.h"
-#include "buffer.h"
-#include "packet.h"
-#include "crc32.h"
-#include "compress.h"
-#include "deattack.h"
-#include "channels.h"
-#include "compat.h"
-#include "ssh1.h"
-#include "ssh2.h"
-#include "cipher.h"
-#include "key.h"
-#include "kex.h"
-#include "mac.h"
-#include "log.h"
-#include "canohost.h"
-#include "misc.h"
-#include "ssh.h"
-
-#ifdef PACKET_DEBUG
-#define DBG(x) x
-#else
-#define DBG(x)
-#endif
-
-/*
- * This variable contains the file descriptors used for communicating with
- * the other side.  connection_in is used for reading; connection_out for
- * writing.  These can be the same descriptor, in which case it is assumed to
- * be a socket.
- */
-static int connection_in = -1;
-static int connection_out = -1;
-
-/* Protocol flags for the remote side. */
-static u_int remote_protocol_flags = 0;
-
-/* Encryption context for receiving data.  This is only used for decryption. */
-static CipherContext receive_context;
-
-/* Encryption context for sending data.  This is only used for encryption. */
-static CipherContext send_context;
-
-/* Buffer for raw input data from the socket. */
-Buffer input;
-
-/* Buffer for raw output data going to the socket. */
-Buffer output;
-
-/* Buffer for the partial outgoing packet being constructed. */
-static Buffer outgoing_packet;
-
-/* Buffer for the incoming packet currently being processed. */
-static Buffer incoming_packet;
-
-/* Scratch buffer for packet compression/decompression. */
-static Buffer compression_buffer;
-static int compression_buffer_ready = 0;
-
-/* Flag indicating whether packet compression/decompression is enabled. */
-static int packet_compression = 0;
-
-/* default maximum packet size */
-u_int max_packet_size = 32768;
-
-/* Flag indicating whether this module has been initialized. */
-static int initialized = 0;
-
-/* Set to true if the connection is interactive. */
-static int interactive_mode = 0;
-
-/* Set to true if we are the server side. */
-static int server_side = 0;
-
-/* Set to true if we are authenticated. */
-static int after_authentication = 0;
-
-/* Session key information for Encryption and MAC */
-Newkeys *newkeys[MODE_MAX];
-static struct packet_state {
-	u_int32_t seqnr;
-	u_int32_t packets;
-	u_int64_t blocks;
-} p_read, p_send;
-
-static u_int64_t max_blocks_in, max_blocks_out;
-static u_int32_t rekey_limit;
-
-/* Session key for protocol v1 */
-static u_char ssh1_key[SSH_SESSION_KEY_LENGTH];
-static u_int ssh1_keylen;
-
-/* roundup current message to extra_pad bytes */
-static u_char extra_pad = 0;
-
-struct packet {
-	TAILQ_ENTRY(packet) next;
-	u_char type;
-	Buffer payload;
-};
-TAILQ_HEAD(, packet) outgoing;
-
-/*
- * Sets the descriptors used for communication.  Disables encryption until
- * packet_set_encryption_key is called.
- */
-void
-packet_set_connection(int fd_in, int fd_out)
-{
-	Cipher *none = cipher_by_name("none");
-
-	if (none == NULL)
-		fatal("packet_set_connection: cannot load cipher 'none'");
-	connection_in = fd_in;
-	connection_out = fd_out;
-	cipher_init(&send_context, none, (const u_char *)"",
-	    0, NULL, 0, CIPHER_ENCRYPT);
-	cipher_init(&receive_context, none, (const u_char *)"",
-	    0, NULL, 0, CIPHER_DECRYPT);
-	newkeys[MODE_IN] = newkeys[MODE_OUT] = NULL;
-	if (!initialized) {
-		initialized = 1;
-		buffer_init(&input);
-		buffer_init(&output);
-		buffer_init(&outgoing_packet);
-		buffer_init(&incoming_packet);
-		TAILQ_INIT(&outgoing);
-	}
-}
-
-/* Returns 1 if remote host is connected via socket, 0 if not. */
-
-int
-packet_connection_is_on_socket(void)
-{
-	struct sockaddr_storage from, to;
-	socklen_t fromlen, tolen;
-
-	/* filedescriptors in and out are the same, so it's a socket */
-	if (connection_in == connection_out)
-		return 1;
-	fromlen = sizeof(from);
-	memset(&from, 0, sizeof(from));
-	if (getpeername(connection_in, (struct sockaddr *)&from, &fromlen) < 0)
-		return 0;
-	tolen = sizeof(to);
-	memset(&to, 0, sizeof(to));
-	if (getpeername(connection_out, (struct sockaddr *)&to, &tolen) < 0)
-		return 0;
-	if (fromlen != tolen || memcmp(&from, &to, fromlen) != 0)
-		return 0;
-	if (from.ss_family != AF_INET && from.ss_family != AF_INET6)
-		return 0;
-	return 1;
-}
-
-/*
- * Exports an IV from the CipherContext required to export the key
- * state back from the unprivileged child to the privileged parent
- * process.
- */
-
-void
-packet_get_keyiv(int mode, u_char *iv, u_int len)
-{
-	CipherContext *cc;
-
-	if (mode == MODE_OUT)
-		cc = &send_context;
-	else
-		cc = &receive_context;
-
-	cipher_get_keyiv(cc, iv, len);
-}
-
-int
-packet_get_keycontext(int mode, u_char *dat)
-{
-	CipherContext *cc;
-
-	if (mode == MODE_OUT)
-		cc = &send_context;
-	else
-		cc = &receive_context;
-
-	return (cipher_get_keycontext(cc, dat));
-}
-
-void
-packet_set_keycontext(int mode, u_char *dat)
-{
-	CipherContext *cc;
-
-	if (mode == MODE_OUT)
-		cc = &send_context;
-	else
-		cc = &receive_context;
-
-	cipher_set_keycontext(cc, dat);
-}
-
-int
-packet_get_keyiv_len(int mode)
-{
-	CipherContext *cc;
-
-	if (mode == MODE_OUT)
-		cc = &send_context;
-	else
-		cc = &receive_context;
-
-	return (cipher_get_keyiv_len(cc));
-}
-
-void
-packet_set_iv(int mode, u_char *dat)
-{
-	CipherContext *cc;
-
-	if (mode == MODE_OUT)
-		cc = &send_context;
-	else
-		cc = &receive_context;
-
-	cipher_set_keyiv(cc, dat);
-}
-
-int
-packet_get_ssh1_cipher(void)
-{
-	return (cipher_get_number(receive_context.cipher));
-}
-
-void
-packet_get_state(int mode, u_int32_t *seqnr, u_int64_t *blocks, u_int32_t *packets)
-{
-	struct packet_state *state;
-
-	state = (mode == MODE_IN) ? &p_read : &p_send;
-	*seqnr = state->seqnr;
-	*blocks = state->blocks;
-	*packets = state->packets;
-}
-
-void
-packet_set_state(int mode, u_int32_t seqnr, u_int64_t blocks, u_int32_t packets)
-{
-	struct packet_state *state;
-
-	state = (mode == MODE_IN) ? &p_read : &p_send;
-	state->seqnr = seqnr;
-	state->blocks = blocks;
-	state->packets = packets;
-}
-
-/* returns 1 if connection is via ipv4 */
-
-int
-packet_connection_is_ipv4(void)
-{
-	struct sockaddr_storage to;
-	socklen_t tolen = sizeof(to);
-
-	memset(&to, 0, sizeof(to));
-	if (getsockname(connection_out, (struct sockaddr *)&to, &tolen) < 0)
-		return 0;
-	if (to.ss_family == AF_INET)
-		return 1;
-#ifdef IPV4_IN_IPV6
-	if (to.ss_family == AF_INET6 &&
-	    IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)&to)->sin6_addr))
-		return 1;
-#endif
-	return 0;
-}
-
-/* Sets the connection into non-blocking mode. */
-
-void
-packet_set_nonblocking(void)
-{
-	/* Set the socket into non-blocking mode. */
-	set_nonblock(connection_in);
-
-	if (connection_out != connection_in)
-		set_nonblock(connection_out);
-}
-
-/* Returns the socket used for reading. */
-
-int
-packet_get_connection_in(void)
-{
-	return connection_in;
-}
-
-/* Returns the descriptor used for writing. */
-
-int
-packet_get_connection_out(void)
-{
-	return connection_out;
-}
-
-/* Closes the connection and clears and frees internal data structures. */
-
-void
-packet_close(void)
-{
-	if (!initialized)
-		return;
-	initialized = 0;
-	if (connection_in == connection_out) {
-		shutdown(connection_out, SHUT_RDWR);
-		close(connection_out);
-	} else {
-		close(connection_in);
-		close(connection_out);
-	}
-	buffer_free(&input);
-	buffer_free(&output);
-	buffer_free(&outgoing_packet);
-	buffer_free(&incoming_packet);
-	if (compression_buffer_ready) {
-		buffer_free(&compression_buffer);
-		buffer_compress_uninit();
-	}
-	cipher_cleanup(&send_context);
-	cipher_cleanup(&receive_context);
-}
-
-/* Sets remote side protocol flags. */
-
-void
-packet_set_protocol_flags(u_int protocol_flags)
-{
-	remote_protocol_flags = protocol_flags;
-}
-
-/* Returns the remote protocol flags set earlier by the above function. */
-
-u_int
-packet_get_protocol_flags(void)
-{
-	return remote_protocol_flags;
-}
-
-/*
- * Starts packet compression from the next packet on in both directions.
- * Level is compression level 1 (fastest) - 9 (slow, best) as in gzip.
- */
-
-static void
-packet_init_compression(void)
-{
-	if (compression_buffer_ready == 1)
-		return;
-	compression_buffer_ready = 1;
-	buffer_init(&compression_buffer);
-}
-
-void
-packet_start_compression(int level)
-{
-	if (packet_compression && !compat20)
-		fatal("Compression already enabled.");
-	packet_compression = 1;
-	packet_init_compression();
-	buffer_compress_init_send(level);
-	buffer_compress_init_recv();
-}
-
-/*
- * Causes any further packets to be encrypted using the given key.  The same
- * key is used for both sending and reception.  However, both directions are
- * encrypted independently of each other.
- */
-
-void
-packet_set_encryption_key(const u_char *key, u_int keylen,
-    int number)
-{
-	Cipher *cipher = cipher_by_number(number);
-
-	if (cipher == NULL)
-		fatal("packet_set_encryption_key: unknown cipher number %d", number);
-	if (keylen < 20)
-		fatal("packet_set_encryption_key: keylen too small: %d", keylen);
-	if (keylen > SSH_SESSION_KEY_LENGTH)
-		fatal("packet_set_encryption_key: keylen too big: %d", keylen);
-	memcpy(ssh1_key, key, keylen);
-	ssh1_keylen = keylen;
-	cipher_init(&send_context, cipher, key, keylen, NULL, 0, CIPHER_ENCRYPT);
-	cipher_init(&receive_context, cipher, key, keylen, NULL, 0, CIPHER_DECRYPT);
-}
-
-u_int
-packet_get_encryption_key(u_char *key)
-{
-	if (key == NULL)
-		return (ssh1_keylen);
-	memcpy(key, ssh1_key, ssh1_keylen);
-	return (ssh1_keylen);
-}
-
-/* Start constructing a packet to send. */
-void
-packet_start(u_char type)
-{
-	u_char buf[9];
-	int len;
-
-	DBG(debug("packet_start[%d]", type));
-	len = compat20 ? 6 : 9;
-	memset(buf, 0, len - 1);
-	buf[len - 1] = type;
-	buffer_clear(&outgoing_packet);
-	buffer_append(&outgoing_packet, buf, len);
-}
-
-/* Append payload. */
-void
-packet_put_char(int value)
-{
-	char ch = value;
-
-	buffer_append(&outgoing_packet, &ch, 1);
-}
-
-void
-packet_put_int(u_int value)
-{
-	buffer_put_int(&outgoing_packet, value);
-}
-
-void
-packet_put_string(const void *buf, u_int len)
-{
-	buffer_put_string(&outgoing_packet, buf, len);
-}
-
-void
-packet_put_cstring(const char *str)
-{
-	buffer_put_cstring(&outgoing_packet, str);
-}
-
-void
-packet_put_raw(const void *buf, u_int len)
-{
-	buffer_append(&outgoing_packet, buf, len);
-}
-
-void
-packet_put_bignum(BIGNUM * value)
-{
-	buffer_put_bignum(&outgoing_packet, value);
-}
-
-void
-packet_put_bignum2(BIGNUM * value)
-{
-	buffer_put_bignum2(&outgoing_packet, value);
-}
-
-/*
- * Finalizes and sends the packet.  If the encryption key has been set,
- * encrypts the packet before sending.
- */
-
-static void
-packet_send1(void)
-{
-	u_char buf[8], *cp;
-	int i, padding, len;
-	u_int checksum;
-	u_int32_t rnd = 0;
-
-	/*
-	 * If using packet compression, compress the payload of the outgoing
-	 * packet.
-	 */
-	if (packet_compression) {
-		buffer_clear(&compression_buffer);
-		/* Skip padding. */
-		buffer_consume(&outgoing_packet, 8);
-		/* padding */
-		buffer_append(&compression_buffer, "\0\0\0\0\0\0\0\0", 8);
-		buffer_compress(&outgoing_packet, &compression_buffer);
-		buffer_clear(&outgoing_packet);
-		buffer_append(&outgoing_packet, buffer_ptr(&compression_buffer),
-		    buffer_len(&compression_buffer));
-	}
-	/* Compute packet length without padding (add checksum, remove padding). */
-	len = buffer_len(&outgoing_packet) + 4 - 8;
-
-	/* Insert padding. Initialized to zero in packet_start1() */
-	padding = 8 - len % 8;
-	if (!send_context.plaintext) {
-		cp = buffer_ptr(&outgoing_packet);
-		for (i = 0; i < padding; i++) {
-			if (i % 4 == 0)
-				rnd = arc4random();
-			cp[7 - i] = rnd & 0xff;
-			rnd >>= 8;
-		}
-	}
-	buffer_consume(&outgoing_packet, 8 - padding);
-
-	/* Add check bytes. */
-	checksum = ssh_crc32(buffer_ptr(&outgoing_packet),
-	    buffer_len(&outgoing_packet));
-	put_u32(buf, checksum);
-	buffer_append(&outgoing_packet, buf, 4);
-
-#ifdef PACKET_DEBUG
-	fprintf(stderr, "packet_send plain: ");
-	buffer_dump(&outgoing_packet);
-#endif
-
-	/* Append to output. */
-	put_u32(buf, len);
-	buffer_append(&output, buf, 4);
-	cp = buffer_append_space(&output, buffer_len(&outgoing_packet));
-	cipher_crypt(&send_context, cp, buffer_ptr(&outgoing_packet),
-	    buffer_len(&outgoing_packet));
-
-#ifdef PACKET_DEBUG
-	fprintf(stderr, "encrypted: ");
-	buffer_dump(&output);
-#endif
-
-	buffer_clear(&outgoing_packet);
-
-	/*
-	 * Note that the packet is now only buffered in output.  It won't be
-	 * actually sent until packet_write_wait or packet_write_poll is
-	 * called.
-	 */
-}
-
-void
-set_newkeys(int mode)
-{
-	Enc *enc;
-	Mac *mac;
-	Comp *comp;
-	CipherContext *cc;
-	u_int64_t *max_blocks;
-	int crypt_type;
-
-	debug2("set_newkeys: mode %d", mode);
-
-	if (mode == MODE_OUT) {
-		cc = &send_context;
-		crypt_type = CIPHER_ENCRYPT;
-		p_send.packets = p_send.blocks = 0;
-		max_blocks = &max_blocks_out;
-	} else {
-		cc = &receive_context;
-		crypt_type = CIPHER_DECRYPT;
-		p_read.packets = p_read.blocks = 0;
-		max_blocks = &max_blocks_in;
-	}
-	if (newkeys[mode] != NULL) {
-		debug("set_newkeys: rekeying");
-		cipher_cleanup(cc);
-		enc  = &newkeys[mode]->enc;
-		mac  = &newkeys[mode]->mac;
-		comp = &newkeys[mode]->comp;
-		memset(mac->key, 0, mac->key_len);
-		xfree(enc->name);
-		xfree(enc->iv);
-		xfree(enc->key);
-		xfree(mac->name);
-		xfree(mac->key);
-		xfree(comp->name);
-		xfree(newkeys[mode]);
-	}
-	newkeys[mode] = kex_get_newkeys(mode);
-	if (newkeys[mode] == NULL)
-		fatal("newkeys: no keys for mode %d", mode);
-	enc  = &newkeys[mode]->enc;
-	mac  = &newkeys[mode]->mac;
-	comp = &newkeys[mode]->comp;
-	if (mac->md != NULL)
-		mac->enabled = 1;
-	DBG(debug("cipher_init_context: %d", mode));
-	cipher_init(cc, enc->cipher, enc->key, enc->key_len,
-	    enc->iv, enc->block_size, crypt_type);
-	/* Deleting the keys does not gain extra security */
-	/* memset(enc->iv,  0, enc->block_size);
-	   memset(enc->key, 0, enc->key_len); */
-	if ((comp->type == COMP_ZLIB ||
-	    (comp->type == COMP_DELAYED && after_authentication)) &&
-	    comp->enabled == 0) {
-		packet_init_compression();
-		if (mode == MODE_OUT)
-			buffer_compress_init_send(6);
-		else
-			buffer_compress_init_recv();
-		comp->enabled = 1;
-	}
-	/*
-	 * The 2^(blocksize*2) limit is too expensive for 3DES,
-	 * blowfish, etc, so enforce a 1GB limit for small blocksizes.
-	 */
-	if (enc->block_size >= 16)
-		*max_blocks = (u_int64_t)1 << (enc->block_size*2);
-	else
-		*max_blocks = ((u_int64_t)1 << 30) / enc->block_size;
-	if (rekey_limit)
-		*max_blocks = MIN(*max_blocks, rekey_limit / enc->block_size);
-}
-
-/*
- * Delayed compression for SSH2 is enabled after authentication:
- * This happens on the server side after a SSH2_MSG_USERAUTH_SUCCESS is sent,
- * and on the client side after a SSH2_MSG_USERAUTH_SUCCESS is received.
- */
-static void
-packet_enable_delayed_compress(void)
-{
-	Comp *comp = NULL;
-	int mode;
-
-	/*
-	 * Remember that we are past the authentication step, so rekeying
-	 * with COMP_DELAYED will turn on compression immediately.
-	 */
-	after_authentication = 1;
-	for (mode = 0; mode < MODE_MAX; mode++) {
-		/* protocol error: USERAUTH_SUCCESS received before NEWKEYS */
-		if (newkeys[mode] == NULL)
-			continue;
-		comp = &newkeys[mode]->comp;
-		if (comp && !comp->enabled && comp->type == COMP_DELAYED) {
-			packet_init_compression();
-			if (mode == MODE_OUT)
-				buffer_compress_init_send(6);
-			else
-				buffer_compress_init_recv();
-			comp->enabled = 1;
-		}
-	}
-}
-
-/*
- * Finalize packet in SSH2 format (compress, mac, encrypt, enqueue)
- */
-static void
-packet_send2_wrapped(void)
-{
-	u_char type, *cp, *macbuf = NULL;
-	u_char padlen, pad;
-	u_int packet_length = 0;
-	u_int i, len;
-	u_int32_t rnd = 0;
-	Enc *enc   = NULL;
-	Mac *mac   = NULL;
-	Comp *comp = NULL;
-	int block_size;
-
-	if (newkeys[MODE_OUT] != NULL) {
-		enc  = &newkeys[MODE_OUT]->enc;
-		mac  = &newkeys[MODE_OUT]->mac;
-		comp = &newkeys[MODE_OUT]->comp;
-	}
-	block_size = enc ? enc->block_size : 8;
-
-	cp = buffer_ptr(&outgoing_packet);
-	type = cp[5];
-
-#ifdef PACKET_DEBUG
-	fprintf(stderr, "plain:     ");
-	buffer_dump(&outgoing_packet);
-#endif
-
-	if (comp && comp->enabled) {
-		len = buffer_len(&outgoing_packet);
-		/* skip header, compress only payload */
-		buffer_consume(&outgoing_packet, 5);
-		buffer_clear(&compression_buffer);
-		buffer_compress(&outgoing_packet, &compression_buffer);
-		buffer_clear(&outgoing_packet);
-		buffer_append(&outgoing_packet, "\0\0\0\0\0", 5);
-		buffer_append(&outgoing_packet, buffer_ptr(&compression_buffer),
-		    buffer_len(&compression_buffer));
-		DBG(debug("compression: raw %d compressed %d", len,
-		    buffer_len(&outgoing_packet)));
-	}
-
-	/* sizeof (packet_len + pad_len + payload) */
-	len = buffer_len(&outgoing_packet);
-
-	/*
-	 * calc size of padding, alloc space, get random data,
-	 * minimum padding is 4 bytes
-	 */
-	padlen = block_size - (len % block_size);
-	if (padlen < 4)
-		padlen += block_size;
-	if (extra_pad) {
-		/* will wrap if extra_pad+padlen > 255 */
-		extra_pad  = roundup(extra_pad, block_size);
-		pad = extra_pad - ((len + padlen) % extra_pad);
-		debug3("packet_send2: adding %d (len %d padlen %d extra_pad %d)",
-		    pad, len, padlen, extra_pad);
-		padlen += pad;
-		extra_pad = 0;
-	}
-	cp = buffer_append_space(&outgoing_packet, padlen);
-	if (enc && !send_context.plaintext) {
-		/* random padding */
-		for (i = 0; i < padlen; i++) {
-			if (i % 4 == 0)
-				rnd = arc4random();
-			cp[i] = rnd & 0xff;
-			rnd >>= 8;
-		}
-	} else {
-		/* clear padding */
-		memset(cp, 0, padlen);
-	}
-	/* packet_length includes payload, padding and padding length field */
-	packet_length = buffer_len(&outgoing_packet) - 4;
-	cp = buffer_ptr(&outgoing_packet);
-	put_u32(cp, packet_length);
-	cp[4] = padlen;
-	DBG(debug("send: len %d (includes padlen %d)", packet_length+4, padlen));
-
-	/* compute MAC over seqnr and packet(length fields, payload, padding) */
-	if (mac && mac->enabled) {
-		macbuf = mac_compute(mac, p_send.seqnr,
-		    buffer_ptr(&outgoing_packet),
-		    buffer_len(&outgoing_packet));
-		DBG(debug("done calc MAC out #%d", p_send.seqnr));
-	}
-	/* encrypt packet and append to output buffer. */
-	cp = buffer_append_space(&output, buffer_len(&outgoing_packet));
-	cipher_crypt(&send_context, cp, buffer_ptr(&outgoing_packet),
-	    buffer_len(&outgoing_packet));
-	/* append unencrypted MAC */
-	if (mac && mac->enabled)
-		buffer_append(&output, macbuf, mac->mac_len);
-#ifdef PACKET_DEBUG
-	fprintf(stderr, "encrypted: ");
-	buffer_dump(&output);
-#endif
-	/* increment sequence number for outgoing packets */
-	if (++p_send.seqnr == 0)
-		logit("outgoing seqnr wraps around");
-	if (++p_send.packets == 0)
-		if (!(datafellows & SSH_BUG_NOREKEY))
-			fatal("XXX too many packets with same key");
-	p_send.blocks += (packet_length + 4) / block_size;
-	buffer_clear(&outgoing_packet);
-
-	if (type == SSH2_MSG_NEWKEYS)
-		set_newkeys(MODE_OUT);
-	else if (type == SSH2_MSG_USERAUTH_SUCCESS && server_side)
-		packet_enable_delayed_compress();
-}
-
-static void
-packet_send2(void)
-{
-	static int rekeying = 0;
-	struct packet *p;
-	u_char type, *cp;
-
-	cp = buffer_ptr(&outgoing_packet);
-	type = cp[5];
-
-	/* during rekeying we can only send key exchange messages */
-	if (rekeying) {
-		if (!((type >= SSH2_MSG_TRANSPORT_MIN) &&
-		    (type <= SSH2_MSG_TRANSPORT_MAX))) {
-			debug("enqueue packet: %u", type);
-			p = xmalloc(sizeof(*p));
-			p->type = type;
-			memcpy(&p->payload, &outgoing_packet, sizeof(Buffer));
-			buffer_init(&outgoing_packet);
-			TAILQ_INSERT_TAIL(&outgoing, p, next);
-			return;
-		}
-	}
-
-	/* rekeying starts with sending KEXINIT */
-	if (type == SSH2_MSG_KEXINIT)
-		rekeying = 1;
-
-	packet_send2_wrapped();
-
-	/* after a NEWKEYS message we can send the complete queue */
-	if (type == SSH2_MSG_NEWKEYS) {
-		rekeying = 0;
-		while ((p = TAILQ_FIRST(&outgoing))) {
-			type = p->type;
-			debug("dequeue packet: %u", type);
-			buffer_free(&outgoing_packet);
-			memcpy(&outgoing_packet, &p->payload,
-			    sizeof(Buffer));
-			TAILQ_REMOVE(&outgoing, p, next);
-			xfree(p);
-			packet_send2_wrapped();
-		}
-	}
-}
-
-void
-packet_send(void)
-{
-	if (compat20)
-		packet_send2();
-	else
-		packet_send1();
-	DBG(debug("packet_send done"));
-}
-
-/*
- * Waits until a packet has been received, and returns its type.  Note that
- * no other data is processed until this returns, so this function should not
- * be used during the interactive session.
- */
-
-int
-packet_read_seqnr(u_int32_t *seqnr_p)
-{
-	int type, len;
-	fd_set *setp;
-	char buf[8192];
-	DBG(debug("packet_read()"));
-
-	setp = (fd_set *)xcalloc(howmany(connection_in+1, NFDBITS),
-	    sizeof(fd_mask));
-
-	/* Since we are blocking, ensure that all written packets have been sent. */
-	packet_write_wait();
-
-	/* Stay in the loop until we have received a complete packet. */
-	for (;;) {
-		/* Try to read a packet from the buffer. */
-		type = packet_read_poll_seqnr(seqnr_p);
-		if (!compat20 && (
-		    type == SSH_SMSG_SUCCESS
-		    || type == SSH_SMSG_FAILURE
-		    || type == SSH_CMSG_EOF
-		    || type == SSH_CMSG_EXIT_CONFIRMATION))
-			packet_check_eom();
-		/* If we got a packet, return it. */
-		if (type != SSH_MSG_NONE) {
-			xfree(setp);
-			return type;
-		}
-		/*
-		 * Otherwise, wait for some data to arrive, add it to the
-		 * buffer, and try again.
-		 */
-		memset(setp, 0, howmany(connection_in + 1, NFDBITS) *
-		    sizeof(fd_mask));
-		FD_SET(connection_in, setp);
-
-		/* Wait for some data to arrive. */
-		while (select(connection_in + 1, setp, NULL, NULL, NULL) == -1 &&
-		    (errno == EAGAIN || errno == EINTR))
-			;
-
-		/* Read data from the socket. */
-		len = read(connection_in, buf, sizeof(buf));
-		if (len == 0) {
-			logit("Connection closed by %.200s", get_remote_ipaddr());
-			cleanup_exit(255);
-		}
-		if (len < 0)
-			fatal("Read from socket failed: %.100s", strerror(errno));
-		/* Append it to the buffer. */
-		packet_process_incoming(buf, len);
-	}
-	/* NOTREACHED */
-}
-
-int
-packet_read(void)
-{
-	return packet_read_seqnr(NULL);
-}
-
-/*
- * Waits until a packet has been received, verifies that its type matches
- * that given, and gives a fatal error and exits if there is a mismatch.
- */
-
-void
-packet_read_expect(int expected_type)
-{
-	int type;
-
-	type = packet_read();
-	if (type != expected_type)
-		packet_disconnect("Protocol error: expected packet type %d, got %d",
-		    expected_type, type);
-}
-
-/* Checks if a full packet is available in the data received so far via
- * packet_process_incoming.  If so, reads the packet; otherwise returns
- * SSH_MSG_NONE.  This does not wait for data from the connection.
- *
- * SSH_MSG_DISCONNECT is handled specially here.  Also,
- * SSH_MSG_IGNORE messages are skipped by this function and are never returned
- * to higher levels.
- */
-
-static int
-packet_read_poll1(void)
-{
-	u_int len, padded_len;
-	u_char *cp, type;
-	u_int checksum, stored_checksum;
-
-	/* Check if input size is less than minimum packet size. */
-	if (buffer_len(&input) < 4 + 8)
-		return SSH_MSG_NONE;
-	/* Get length of incoming packet. */
-	cp = buffer_ptr(&input);
-	len = get_u32(cp);
-	if (len < 1 + 2 + 2 || len > 256 * 1024)
-		packet_disconnect("Bad packet length %u.", len);
-	padded_len = (len + 8) & ~7;
-
-	/* Check if the packet has been entirely received. */
-	if (buffer_len(&input) < 4 + padded_len)
-		return SSH_MSG_NONE;
-
-	/* The entire packet is in buffer. */
-
-	/* Consume packet length. */
-	buffer_consume(&input, 4);
-
-	/*
-	 * Cryptographic attack detector for ssh
-	 * (C)1998 CORE-SDI, Buenos Aires Argentina
-	 * Ariel Futoransky(futo@core-sdi.com)
-	 */
-	if (!receive_context.plaintext) {
-		switch (detect_attack(buffer_ptr(&input), padded_len)) {
-		case DEATTACK_DETECTED:
-			packet_disconnect("crc32 compensation attack: "
-			    "network attack detected");
-		case DEATTACK_DOS_DETECTED:
-			packet_disconnect("deattack denial of "
-			    "service detected");
-		}
-	}
-
-	/* Decrypt data to incoming_packet. */
-	buffer_clear(&incoming_packet);
-	cp = buffer_append_space(&incoming_packet, padded_len);
-	cipher_crypt(&receive_context, cp, buffer_ptr(&input), padded_len);
-
-	buffer_consume(&input, padded_len);
-
-#ifdef PACKET_DEBUG
-	fprintf(stderr, "read_poll plain: ");
-	buffer_dump(&incoming_packet);
-#endif
-
-	/* Compute packet checksum. */
-	checksum = ssh_crc32(buffer_ptr(&incoming_packet),
-	    buffer_len(&incoming_packet) - 4);
-
-	/* Skip padding. */
-	buffer_consume(&incoming_packet, 8 - len % 8);
-
-	/* Test check bytes. */
-	if (len != buffer_len(&incoming_packet))
-		packet_disconnect("packet_read_poll1: len %d != buffer_len %d.",
-		    len, buffer_len(&incoming_packet));
-
-	cp = (u_char *)buffer_ptr(&incoming_packet) + len - 4;
-	stored_checksum = get_u32(cp);
-	if (checksum != stored_checksum)
-		packet_disconnect("Corrupted check bytes on input.");
-	buffer_consume_end(&incoming_packet, 4);
-
-	if (packet_compression) {
-		buffer_clear(&compression_buffer);
-		buffer_uncompress(&incoming_packet, &compression_buffer);
-		buffer_clear(&incoming_packet);
-		buffer_append(&incoming_packet, buffer_ptr(&compression_buffer),
-		    buffer_len(&compression_buffer));
-	}
-	type = buffer_get_char(&incoming_packet);
-	if (type < SSH_MSG_MIN || type > SSH_MSG_MAX)
-		packet_disconnect("Invalid ssh1 packet type: %d", type);
-	return type;
-}
-
-static int
-packet_read_poll2(u_int32_t *seqnr_p)
-{
-	static u_int packet_length = 0;
-	u_int padlen, need;
-	u_char *macbuf, *cp, type;
-	u_int maclen, block_size;
-	Enc *enc   = NULL;
-	Mac *mac   = NULL;
-	Comp *comp = NULL;
-
-	if (newkeys[MODE_IN] != NULL) {
-		enc  = &newkeys[MODE_IN]->enc;
-		mac  = &newkeys[MODE_IN]->mac;
-		comp = &newkeys[MODE_IN]->comp;
-	}
-	maclen = mac && mac->enabled ? mac->mac_len : 0;
-	block_size = enc ? enc->block_size : 8;
-
-	if (packet_length == 0) {
-		/*
-		 * check if input size is less than the cipher block size,
-		 * decrypt first block and extract length of incoming packet
-		 */
-		if (buffer_len(&input) < block_size)
-			return SSH_MSG_NONE;
-		buffer_clear(&incoming_packet);
-		cp = buffer_append_space(&incoming_packet, block_size);
-		cipher_crypt(&receive_context, cp, buffer_ptr(&input),
-		    block_size);
-		cp = buffer_ptr(&incoming_packet);
-		packet_length = get_u32(cp);
-		if (packet_length < 1 + 4 || packet_length > 256 * 1024) {
-#ifdef PACKET_DEBUG
-			buffer_dump(&incoming_packet);
-#endif
-			packet_disconnect("Bad packet length %u.", packet_length);
-		}
-		DBG(debug("input: packet len %u", packet_length+4));
-		buffer_consume(&input, block_size);
-	}
-	/* we have a partial packet of block_size bytes */
-	need = 4 + packet_length - block_size;
-	DBG(debug("partial packet %d, need %d, maclen %d", block_size,
-	    need, maclen));
-	if (need % block_size != 0)
-		fatal("padding error: need %d block %d mod %d",
-		    need, block_size, need % block_size);
-	/*
-	 * check if the entire packet has been received and
-	 * decrypt into incoming_packet
-	 */
-	if (buffer_len(&input) < need + maclen)
-		return SSH_MSG_NONE;
-#ifdef PACKET_DEBUG
-	fprintf(stderr, "read_poll enc/full: ");
-	buffer_dump(&input);
-#endif
-	cp = buffer_append_space(&incoming_packet, need);
-	cipher_crypt(&receive_context, cp, buffer_ptr(&input), need);
-	buffer_consume(&input, need);
-	/*
-	 * compute MAC over seqnr and packet,
-	 * increment sequence number for incoming packet
-	 */
-	if (mac && mac->enabled) {
-		macbuf = mac_compute(mac, p_read.seqnr,
-		    buffer_ptr(&incoming_packet),
-		    buffer_len(&incoming_packet));
-		if (memcmp(macbuf, buffer_ptr(&input), mac->mac_len) != 0)
-			packet_disconnect("Corrupted MAC on input.");
-		DBG(debug("MAC #%d ok", p_read.seqnr));
-		buffer_consume(&input, mac->mac_len);
-	}
-	if (seqnr_p != NULL)
-		*seqnr_p = p_read.seqnr;
-	if (++p_read.seqnr == 0)
-		logit("incoming seqnr wraps around");
-	if (++p_read.packets == 0)
-		if (!(datafellows & SSH_BUG_NOREKEY))
-			fatal("XXX too many packets with same key");
-	p_read.blocks += (packet_length + 4) / block_size;
-
-	/* get padlen */
-	cp = buffer_ptr(&incoming_packet);
-	padlen = cp[4];
-	DBG(debug("input: padlen %d", padlen));
-	if (padlen < 4)
-		packet_disconnect("Corrupted padlen %d on input.", padlen);
-
-	/* skip packet size + padlen, discard padding */
-	buffer_consume(&incoming_packet, 4 + 1);
-	buffer_consume_end(&incoming_packet, padlen);
-
-	DBG(debug("input: len before de-compress %d", buffer_len(&incoming_packet)));
-	if (comp && comp->enabled) {
-		buffer_clear(&compression_buffer);
-		buffer_uncompress(&incoming_packet, &compression_buffer);
-		buffer_clear(&incoming_packet);
-		buffer_append(&incoming_packet, buffer_ptr(&compression_buffer),
-		    buffer_len(&compression_buffer));
-		DBG(debug("input: len after de-compress %d",
-		    buffer_len(&incoming_packet)));
-	}
-	/*
-	 * get packet type, implies consume.
-	 * return length of payload (without type field)
-	 */
-	type = buffer_get_char(&incoming_packet);
-	if (type < SSH2_MSG_MIN || type >= SSH2_MSG_LOCAL_MIN)
-		packet_disconnect("Invalid ssh2 packet type: %d", type);
-	if (type == SSH2_MSG_NEWKEYS)
-		set_newkeys(MODE_IN);
-	else if (type == SSH2_MSG_USERAUTH_SUCCESS && !server_side)
-		packet_enable_delayed_compress();
-#ifdef PACKET_DEBUG
-	fprintf(stderr, "read/plain[%d]:\r\n", type);
-	buffer_dump(&incoming_packet);
-#endif
-	/* reset for next packet */
-	packet_length = 0;
-	return type;
-}
-
-int
-packet_read_poll_seqnr(u_int32_t *seqnr_p)
-{
-	u_int reason, seqnr;
-	u_char type;
-	char *msg;
-
-	for (;;) {
-		if (compat20) {
-			type = packet_read_poll2(seqnr_p);
-			if (type)
-				DBG(debug("received packet type %d", type));
-			switch (type) {
-			case SSH2_MSG_IGNORE:
-				break;
-			case SSH2_MSG_DEBUG:
-				packet_get_char();
-				msg = packet_get_string(NULL);
-				debug("Remote: %.900s", msg);
-				xfree(msg);
-				msg = packet_get_string(NULL);
-				xfree(msg);
-				break;
-			case SSH2_MSG_DISCONNECT:
-				reason = packet_get_int();
-				msg = packet_get_string(NULL);
-				logit("Received disconnect from %s: %u: %.400s",
-				    get_remote_ipaddr(), reason, msg);
-				xfree(msg);
-				cleanup_exit(255);
-				break;
-			case SSH2_MSG_UNIMPLEMENTED:
-				seqnr = packet_get_int();
-				debug("Received SSH2_MSG_UNIMPLEMENTED for %u",
-				    seqnr);
-				break;
-			default:
-				return type;
-			}
-		} else {
-			type = packet_read_poll1();
-			switch (type) {
-			case SSH_MSG_IGNORE:
-				break;
-			case SSH_MSG_DEBUG:
-				msg = packet_get_string(NULL);
-				debug("Remote: %.900s", msg);
-				xfree(msg);
-				break;
-			case SSH_MSG_DISCONNECT:
-				msg = packet_get_string(NULL);
-				logit("Received disconnect from %s: %.400s",
-				    get_remote_ipaddr(), msg);
-				cleanup_exit(255);
-				xfree(msg);
-				break;
-			default:
-				if (type)
-					DBG(debug("received packet type %d", type));
-				return type;
-			}
-		}
-	}
-}
-
-int
-packet_read_poll(void)
-{
-	return packet_read_poll_seqnr(NULL);
-}
-
-/*
- * Buffers the given amount of input characters.  This is intended to be used
- * together with packet_read_poll.
- */
-
-void
-packet_process_incoming(const char *buf, u_int len)
-{
-	buffer_append(&input, buf, len);
-}
-
-/* Returns a character from the packet. */
-
-u_int
-packet_get_char(void)
-{
-	char ch;
-
-	buffer_get(&incoming_packet, &ch, 1);
-	return (u_char) ch;
-}
-
-/* Returns an integer from the packet data. */
-
-u_int
-packet_get_int(void)
-{
-	return buffer_get_int(&incoming_packet);
-}
-
-/*
- * Returns an arbitrary precision integer from the packet data.  The integer
- * must have been initialized before this call.
- */
-
-void
-packet_get_bignum(BIGNUM * value)
-{
-	buffer_get_bignum(&incoming_packet, value);
-}
-
-void
-packet_get_bignum2(BIGNUM * value)
-{
-	buffer_get_bignum2(&incoming_packet, value);
-}
-
-void *
-packet_get_raw(u_int *length_ptr)
-{
-	u_int bytes = buffer_len(&incoming_packet);
-
-	if (length_ptr != NULL)
-		*length_ptr = bytes;
-	return buffer_ptr(&incoming_packet);
-}
-
-int
-packet_remaining(void)
-{
-	return buffer_len(&incoming_packet);
-}
-
-/*
- * Returns a string from the packet data.  The string is allocated using
- * xmalloc; it is the responsibility of the calling program to free it when
- * no longer needed.  The length_ptr argument may be NULL, or point to an
- * integer into which the length of the string is stored.
- */
-
-void *
-packet_get_string(u_int *length_ptr)
-{
-	return buffer_get_string(&incoming_packet, length_ptr);
-}
-
-/*
- * Sends a diagnostic message from the server to the client.  This message
- * can be sent at any time (but not while constructing another message). The
- * message is printed immediately, but only if the client is being executed
- * in verbose mode.  These messages are primarily intended to ease debugging
- * authentication problems.   The length of the formatted message must not
- * exceed 1024 bytes.  This will automatically call packet_write_wait.
- */
-
-void
-packet_send_debug(const char *fmt,...)
-{
-	char buf[1024];
-	va_list args;
-
-	if (compat20 && (datafellows & SSH_BUG_DEBUG))
-		return;
-
-	va_start(args, fmt);
-	vsnprintf(buf, sizeof(buf), fmt, args);
-	va_end(args);
-
-	if (compat20) {
-		packet_start(SSH2_MSG_DEBUG);
-		packet_put_char(0);	/* bool: always display */
-		packet_put_cstring(buf);
-		packet_put_cstring("");
-	} else {
-		packet_start(SSH_MSG_DEBUG);
-		packet_put_cstring(buf);
-	}
-	packet_send();
-	packet_write_wait();
-}
-
-/*
- * Logs the error plus constructs and sends a disconnect packet, closes the
- * connection, and exits.  This function never returns. The error message
- * should not contain a newline.  The length of the formatted message must
- * not exceed 1024 bytes.
- */
-
-void
-packet_disconnect(const char *fmt,...)
-{
-	char buf[1024];
-	va_list args;
-	static int disconnecting = 0;
-
-	if (disconnecting)	/* Guard against recursive invocations. */
-		fatal("packet_disconnect called recursively.");
-	disconnecting = 1;
-
-	/*
-	 * Format the message.  Note that the caller must make sure the
-	 * message is of limited size.
-	 */
-	va_start(args, fmt);
-	vsnprintf(buf, sizeof(buf), fmt, args);
-	va_end(args);
-
-	/* Display the error locally */
-	logit("Disconnecting: %.100s", buf);
-
-	/* Send the disconnect message to the other side, and wait for it to get sent. */
-	if (compat20) {
-		packet_start(SSH2_MSG_DISCONNECT);
-		packet_put_int(SSH2_DISCONNECT_PROTOCOL_ERROR);
-		packet_put_cstring(buf);
-		packet_put_cstring("");
-	} else {
-		packet_start(SSH_MSG_DISCONNECT);
-		packet_put_cstring(buf);
-	}
-	packet_send();
-	packet_write_wait();
-
-	/* Stop listening for connections. */
-	channel_close_all();
-
-	/* Close the connection. */
-	packet_close();
-	cleanup_exit(255);
-}
-
-/* Checks if there is any buffered output, and tries to write some of the output. */
-
-void
-packet_write_poll(void)
-{
-	int len = buffer_len(&output);
-
-	if (len > 0) {
-		len = write(connection_out, buffer_ptr(&output), len);
-		if (len <= 0) {
-			if (errno == EAGAIN)
-				return;
-			else
-				fatal("Write failed: %.100s", strerror(errno));
-		}
-		buffer_consume(&output, len);
-	}
-}
-
-/*
- * Calls packet_write_poll repeatedly until all pending output data has been
- * written.
- */
-
-void
-packet_write_wait(void)
-{
-	fd_set *setp;
-
-	setp = (fd_set *)xcalloc(howmany(connection_out + 1, NFDBITS),
-	    sizeof(fd_mask));
-	packet_write_poll();
-	while (packet_have_data_to_write()) {
-		memset(setp, 0, howmany(connection_out + 1, NFDBITS) *
-		    sizeof(fd_mask));
-		FD_SET(connection_out, setp);
-		while (select(connection_out + 1, NULL, setp, NULL, NULL) == -1 &&
-		    (errno == EAGAIN || errno == EINTR))
-			;
-		packet_write_poll();
-	}
-	xfree(setp);
-}
-
-/* Returns true if there is buffered data to write to the connection. */
-
-int
-packet_have_data_to_write(void)
-{
-	return buffer_len(&output) != 0;
-}
-
-/* Returns true if there is not too much data to write to the connection. */
-
-int
-packet_not_very_much_data_to_write(void)
-{
-	if (interactive_mode)
-		return buffer_len(&output) < 16384;
-	else
-		return buffer_len(&output) < 128 * 1024;
-}
-
-
-static void
-packet_set_tos(int interactive)
-{
-#if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN)
-	int tos = interactive ? IPTOS_LOWDELAY : IPTOS_THROUGHPUT;
-
-	if (!packet_connection_is_on_socket() ||
-	    !packet_connection_is_ipv4())
-		return;
-	if (setsockopt(connection_in, IPPROTO_IP, IP_TOS, &tos,
-	    sizeof(tos)) < 0)
-		error("setsockopt IP_TOS %d: %.100s:",
-		    tos, strerror(errno));
-#endif
-}
-
-/* Informs that the current session is interactive.  Sets IP flags for that. */
-
-void
-packet_set_interactive(int interactive)
-{
-	static int called = 0;
-
-	if (called)
-		return;
-	called = 1;
-
-	/* Record that we are in interactive mode. */
-	interactive_mode = interactive;
-
-	/* Only set socket options if using a socket.  */
-	if (!packet_connection_is_on_socket())
-		return;
-	set_nodelay(connection_in);
-	packet_set_tos(interactive);
-}
-
-/* Returns true if the current connection is interactive. */
-
-int
-packet_is_interactive(void)
-{
-	return interactive_mode;
-}
-
-int
-packet_set_maxsize(u_int s)
-{
-	static int called = 0;
-
-	if (called) {
-		logit("packet_set_maxsize: called twice: old %d new %d",
-		    max_packet_size, s);
-		return -1;
-	}
-	if (s < 4 * 1024 || s > 1024 * 1024) {
-		logit("packet_set_maxsize: bad size %d", s);
-		return -1;
-	}
-	called = 1;
-	debug("packet_set_maxsize: setting to %d", s);
-	max_packet_size = s;
-	return s;
-}
-
-/* roundup current message to pad bytes */
-void
-packet_add_padding(u_char pad)
-{
-	extra_pad = pad;
-}
-
-/*
- * 9.2.  Ignored Data Message
- *
- *   byte      SSH_MSG_IGNORE
- *   string    data
- *
- * All implementations MUST understand (and ignore) this message at any
- * time (after receiving the protocol version). No implementation is
- * required to send them. This message can be used as an additional
- * protection measure against advanced traffic analysis techniques.
- */
-void
-packet_send_ignore(int nbytes)
-{
-	u_int32_t rnd = 0;
-	int i;
-
-	packet_start(compat20 ? SSH2_MSG_IGNORE : SSH_MSG_IGNORE);
-	packet_put_int(nbytes);
-	for (i = 0; i < nbytes; i++) {
-		if (i % 4 == 0)
-			rnd = arc4random();
-		packet_put_char((u_char)rnd & 0xff);
-		rnd >>= 8;
-	}
-}
-
-#define MAX_PACKETS	(1U<<31)
-int
-packet_need_rekeying(void)
-{
-	if (datafellows & SSH_BUG_NOREKEY)
-		return 0;
-	return
-	    (p_send.packets > MAX_PACKETS) ||
-	    (p_read.packets > MAX_PACKETS) ||
-	    (max_blocks_out && (p_send.blocks > max_blocks_out)) ||
-	    (max_blocks_in  && (p_read.blocks > max_blocks_in));
-}
-
-void
-packet_set_rekey_limit(u_int32_t bytes)
-{
-	rekey_limit = bytes;
-}
-
-void
-packet_set_server(void)
-{
-	server_side = 1;
-}
-
-void
-packet_set_authenticated(void)
-{
-	after_authentication = 1;
-}
diff --git a/crypto/openssh/packet.h b/crypto/openssh/packet.h
deleted file mode 100644
index 21ff450..0000000
--- a/crypto/openssh/packet.h
+++ /dev/null
@@ -1,106 +0,0 @@
-/* $OpenBSD: packet.h,v 1.45 2006/03/25 22:22:43 djm Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Interface for the packet protocol functions.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#ifndef PACKET_H
-#define PACKET_H
-
-#include <termios.h>
-
-#include <openssl/bn.h>
-
-void     packet_set_connection(int, int);
-void     packet_set_nonblocking(void);
-int      packet_get_connection_in(void);
-int      packet_get_connection_out(void);
-void     packet_close(void);
-void	 packet_set_encryption_key(const u_char *, u_int, int);
-u_int	 packet_get_encryption_key(u_char *);
-void     packet_set_protocol_flags(u_int);
-u_int	 packet_get_protocol_flags(void);
-void     packet_start_compression(int);
-void     packet_set_interactive(int);
-int      packet_is_interactive(void);
-void     packet_set_server(void);
-void     packet_set_authenticated(void);
-
-void     packet_start(u_char);
-void     packet_put_char(int ch);
-void     packet_put_int(u_int value);
-void     packet_put_bignum(BIGNUM * value);
-void     packet_put_bignum2(BIGNUM * value);
-void     packet_put_string(const void *buf, u_int len);
-void     packet_put_cstring(const char *str);
-void     packet_put_raw(const void *buf, u_int len);
-void     packet_send(void);
-
-int      packet_read(void);
-void     packet_read_expect(int type);
-int      packet_read_poll(void);
-void     packet_process_incoming(const char *buf, u_int len);
-int      packet_read_seqnr(u_int32_t *seqnr_p);
-int      packet_read_poll_seqnr(u_int32_t *seqnr_p);
-
-u_int	 packet_get_char(void);
-u_int	 packet_get_int(void);
-void     packet_get_bignum(BIGNUM * value);
-void     packet_get_bignum2(BIGNUM * value);
-void	*packet_get_raw(u_int *length_ptr);
-void	*packet_get_string(u_int *length_ptr);
-void     packet_disconnect(const char *fmt,...) __attribute__((format(printf, 1, 2)));
-void     packet_send_debug(const char *fmt,...) __attribute__((format(printf, 1, 2)));
-
-void	 set_newkeys(int mode);
-int	 packet_get_keyiv_len(int);
-void	 packet_get_keyiv(int, u_char *, u_int);
-int	 packet_get_keycontext(int, u_char *);
-void	 packet_set_keycontext(int, u_char *);
-void	 packet_get_state(int, u_int32_t *, u_int64_t *, u_int32_t *);
-void	 packet_set_state(int, u_int32_t, u_int64_t, u_int32_t);
-int	 packet_get_ssh1_cipher(void);
-void	 packet_set_iv(int, u_char *);
-
-void     packet_write_poll(void);
-void     packet_write_wait(void);
-int      packet_have_data_to_write(void);
-int      packet_not_very_much_data_to_write(void);
-
-int	 packet_connection_is_on_socket(void);
-int	 packet_connection_is_ipv4(void);
-int	 packet_remaining(void);
-void	 packet_send_ignore(int);
-void	 packet_add_padding(u_char);
-
-void	 tty_make_modes(int, struct termios *);
-void	 tty_parse_modes(int, int *);
-
-extern u_int max_packet_size;
-int	 packet_set_maxsize(u_int);
-#define  packet_get_maxsize() max_packet_size
-
-/* don't allow remaining bytes after the end of the message */
-#define packet_check_eom() \
-do { \
-	int _len = packet_remaining(); \
-	if (_len > 0) { \
-		logit("Packet integrity error (%d bytes remaining) at %s:%d", \
-		    _len ,__FILE__, __LINE__); \
-		packet_disconnect("Packet integrity error."); \
-	} \
-} while (0)
-
-int	 packet_need_rekeying(void);
-void	 packet_set_rekey_limit(u_int32_t);
-
-#endif				/* PACKET_H */
diff --git a/crypto/openssh/pathnames.h b/crypto/openssh/pathnames.h
deleted file mode 100644
index f2571e2..0000000
--- a/crypto/openssh/pathnames.h
+++ /dev/null
@@ -1,174 +0,0 @@
-/* $OpenBSD: pathnames.h,v 1.16 2006/03/25 22:22:43 djm Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#define ETCDIR				"/etc"
-
-#ifndef SSHDIR
-#define SSHDIR				ETCDIR "/ssh"
-#endif
-
-#ifndef _PATH_SSH_PIDDIR
-#define _PATH_SSH_PIDDIR		"/var/run"
-#endif
-
-/*
- * System-wide file containing host keys of known hosts.  This file should be
- * world-readable.
- */
-#define _PATH_SSH_SYSTEM_HOSTFILE	SSHDIR "/ssh_known_hosts"
-/* backward compat for protocol 2 */
-#define _PATH_SSH_SYSTEM_HOSTFILE2	SSHDIR "/ssh_known_hosts2"
-
-/*
- * Of these, ssh_host_key must be readable only by root, whereas ssh_config
- * should be world-readable.
- */
-#define _PATH_SERVER_CONFIG_FILE	SSHDIR "/sshd_config"
-#define _PATH_HOST_CONFIG_FILE		SSHDIR "/ssh_config"
-#define _PATH_HOST_KEY_FILE		SSHDIR "/ssh_host_key"
-#define _PATH_HOST_DSA_KEY_FILE		SSHDIR "/ssh_host_dsa_key"
-#define _PATH_HOST_RSA_KEY_FILE		SSHDIR "/ssh_host_rsa_key"
-#define _PATH_DH_MODULI			SSHDIR "/moduli"
-/* Backwards compatibility */
-#define _PATH_DH_PRIMES			SSHDIR "/primes"
-
-#ifndef _PATH_SSH_PROGRAM
-#define _PATH_SSH_PROGRAM		"/usr/bin/ssh"
-#endif
-
-/*
- * The process id of the daemon listening for connections is saved here to
- * make it easier to kill the correct daemon when necessary.
- */
-#define _PATH_SSH_DAEMON_PID_FILE	_PATH_SSH_PIDDIR "/sshd.pid"
-
-/*
- * The directory in user\'s home directory in which the files reside. The
- * directory should be world-readable (though not all files are).
- */
-#define _PATH_SSH_USER_DIR		".ssh"
-
-/*
- * Per-user file containing host keys of known hosts.  This file need not be
- * readable by anyone except the user him/herself, though this does not
- * contain anything particularly secret.
- */
-#define _PATH_SSH_USER_HOSTFILE		"~/.ssh/known_hosts"
-/* backward compat for protocol 2 */
-#define _PATH_SSH_USER_HOSTFILE2	"~/.ssh/known_hosts2"
-
-/*
- * Name of the default file containing client-side authentication key. This
- * file should only be readable by the user him/herself.
- */
-#define _PATH_SSH_CLIENT_IDENTITY	".ssh/identity"
-#define _PATH_SSH_CLIENT_ID_DSA		".ssh/id_dsa"
-#define _PATH_SSH_CLIENT_ID_RSA		".ssh/id_rsa"
-
-/*
- * Configuration file in user\'s home directory.  This file need not be
- * readable by anyone but the user him/herself, but does not contain anything
- * particularly secret.  If the user\'s home directory resides on an NFS
- * volume where root is mapped to nobody, this may need to be world-readable.
- */
-#define _PATH_SSH_USER_CONFFILE		".ssh/config"
-
-/*
- * File containing a list of those rsa keys that permit logging in as this
- * user.  This file need not be readable by anyone but the user him/herself,
- * but does not contain anything particularly secret.  If the user\'s home
- * directory resides on an NFS volume where root is mapped to nobody, this
- * may need to be world-readable.  (This file is read by the daemon which is
- * running as root.)
- */
-#define _PATH_SSH_USER_PERMITTED_KEYS	".ssh/authorized_keys"
-
-/* backward compat for protocol v2 */
-#define _PATH_SSH_USER_PERMITTED_KEYS2	".ssh/authorized_keys2"
-
-/*
- * Per-user and system-wide ssh "rc" files.  These files are executed with
- * /bin/sh before starting the shell or command if they exist.  They will be
- * passed "proto cookie" as arguments if X11 forwarding with spoofing is in
- * use.  xauth will be run if neither of these exists.
- */
-#define _PATH_SSH_USER_RC		".ssh/rc"
-#define _PATH_SSH_SYSTEM_RC		SSHDIR "/sshrc"
-
-/*
- * Ssh-only version of /etc/hosts.equiv.  Additionally, the daemon may use
- * ~/.rhosts and /etc/hosts.equiv if rhosts authentication is enabled.
- */
-#define _PATH_SSH_HOSTS_EQUIV		SSHDIR "/shosts.equiv"
-#define _PATH_RHOSTS_EQUIV		"/etc/hosts.equiv"
-
-/*
- * Default location of askpass
- */
-#ifndef _PATH_SSH_ASKPASS_DEFAULT
-#define _PATH_SSH_ASKPASS_DEFAULT	"/usr/X11R6/bin/ssh-askpass"
-#endif
-
-/* Location of ssh-keysign for hostbased authentication */
-#ifndef _PATH_SSH_KEY_SIGN
-#define _PATH_SSH_KEY_SIGN		"/usr/libexec/ssh-keysign"
-#endif
-
-/* xauth for X11 forwarding */
-#ifndef _PATH_XAUTH
-#define _PATH_XAUTH			"/usr/X11R6/bin/xauth"
-#endif
-
-/* UNIX domain socket for X11 server; displaynum will replace %u */
-#ifndef _PATH_UNIX_X
-#define _PATH_UNIX_X "/tmp/.X11-unix/X%u"
-#endif
-
-/* for scp */
-#ifndef _PATH_CP
-#define _PATH_CP			"cp"
-#endif
-
-/* for sftp */
-#ifndef _PATH_SFTP_SERVER
-#define _PATH_SFTP_SERVER		"/usr/libexec/sftp-server"
-#endif
-
-/* chroot directory for unprivileged user when UsePrivilegeSeparation=yes */
-#ifndef _PATH_PRIVSEP_CHROOT_DIR
-#define _PATH_PRIVSEP_CHROOT_DIR	"/var/empty"
-#endif
-
-/* for passwd change */
-#ifndef _PATH_PASSWD_PROG
-#define _PATH_PASSWD_PROG             "/usr/bin/passwd"
-#endif
-
-#ifndef _PATH_LS
-#define _PATH_LS			"ls"
-#endif
-
-/* path to login program */
-#ifndef LOGIN_PROGRAM
-# ifdef LOGIN_PROGRAM_FALLBACK
-#  define LOGIN_PROGRAM         LOGIN_PROGRAM_FALLBACK
-# else
-#  define LOGIN_PROGRAM         "/usr/bin/login"
-# endif
-#endif /* LOGIN_PROGRAM */
-
-/* Askpass program define */
-#ifndef ASKPASS_PROGRAM
-#define ASKPASS_PROGRAM         "/usr/lib/ssh/ssh-askpass"
-#endif /* ASKPASS_PROGRAM */
diff --git a/crypto/openssh/platform.c b/crypto/openssh/platform.c
deleted file mode 100644
index aee4b01..0000000
--- a/crypto/openssh/platform.c
+++ /dev/null
@@ -1,46 +0,0 @@
-/* $Id: platform.c,v 1.1 2006/08/30 17:24:41 djm Exp $ */
-
-/*
- * Copyright (c) 2006 Darren Tucker.  All rights reserved.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "config.h"
-#include "platform.h"
-
-#include "openbsd-compat/openbsd-compat.h"
-
-void
-platform_pre_fork(void)
-{
-#ifdef USE_SOLARIS_PROCESS_CONTRACTS
-	solaris_contract_pre_fork();
-#endif
-}
-
-void
-platform_post_fork_parent(pid_t child_pid)
-{
-#ifdef USE_SOLARIS_PROCESS_CONTRACTS
-	solaris_contract_post_fork_parent(child_pid);
-#endif
-}
-
-void
-platform_post_fork_child(void)
-{
-#ifdef USE_SOLARIS_PROCESS_CONTRACTS
-	solaris_contract_post_fork_child();
-#endif
-}
diff --git a/crypto/openssh/platform.h b/crypto/openssh/platform.h
deleted file mode 100644
index cf93bc5..0000000
--- a/crypto/openssh/platform.h
+++ /dev/null
@@ -1,23 +0,0 @@
-/* $Id: platform.h,v 1.1 2006/08/30 17:24:41 djm Exp $ */
-
-/*
- * Copyright (c) 2006 Darren Tucker.  All rights reserved.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <sys/types.h>
-
-void platform_pre_fork(void);
-void platform_post_fork_parent(pid_t child_pid);
-void platform_post_fork_child(void);
diff --git a/crypto/openssh/progressmeter.c b/crypto/openssh/progressmeter.c
deleted file mode 100644
index 0f95222..0000000
--- a/crypto/openssh/progressmeter.c
+++ /dev/null
@@ -1,305 +0,0 @@
-/* $OpenBSD: progressmeter.c,v 1.37 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Copyright (c) 2003 Nils Nordman.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/ioctl.h>
-#include <sys/uio.h>
-
-#include <errno.h>
-#include <signal.h>
-#include <stdio.h>
-#include <string.h>
-#include <time.h>
-#include <unistd.h>
-
-#include "progressmeter.h"
-#include "atomicio.h"
-#include "misc.h"
-
-#define DEFAULT_WINSIZE 80
-#define MAX_WINSIZE 512
-#define PADDING 1		/* padding between the progress indicators */
-#define UPDATE_INTERVAL 1	/* update the progress meter every second */
-#define STALL_TIME 5		/* we're stalled after this many seconds */
-
-/* determines whether we can output to the terminal */
-static int can_output(void);
-
-/* formats and inserts the specified size into the given buffer */
-static void format_size(char *, int, off_t);
-static void format_rate(char *, int, off_t);
-
-/* window resizing */
-static void sig_winch(int);
-static void setscreensize(void);
-
-/* updates the progressmeter to reflect the current state of the transfer */
-void refresh_progress_meter(void);
-
-/* signal handler for updating the progress meter */
-static void update_progress_meter(int);
-
-static time_t start;		/* start progress */
-static time_t last_update;	/* last progress update */
-static char *file;		/* name of the file being transferred */
-static off_t end_pos;		/* ending position of transfer */
-static off_t cur_pos;		/* transfer position as of last refresh */
-static volatile off_t *counter;	/* progress counter */
-static long stalled;		/* how long we have been stalled */
-static int bytes_per_second;	/* current speed in bytes per second */
-static int win_size;		/* terminal window size */
-static volatile sig_atomic_t win_resized; /* for window resizing */
-
-/* units for format_size */
-static const char unit[] = " KMGT";
-
-static int
-can_output(void)
-{
-	return (getpgrp() == tcgetpgrp(STDOUT_FILENO));
-}
-
-static void
-format_rate(char *buf, int size, off_t bytes)
-{
-	int i;
-
-	bytes *= 100;
-	for (i = 0; bytes >= 100*1000 && unit[i] != 'T'; i++)
-		bytes = (bytes + 512) / 1024;
-	if (i == 0) {
-		i++;
-		bytes = (bytes + 512) / 1024;
-	}
-	snprintf(buf, size, "%3lld.%1lld%c%s",
-	    (long long) (bytes + 5) / 100,
-	    (long long) (bytes + 5) / 10 % 10,
-	    unit[i],
-	    i ? "B" : " ");
-}
-
-static void
-format_size(char *buf, int size, off_t bytes)
-{
-	int i;
-
-	for (i = 0; bytes >= 10000 && unit[i] != 'T'; i++)
-		bytes = (bytes + 512) / 1024;
-	snprintf(buf, size, "%4lld%c%s",
-	    (long long) bytes,
-	    unit[i],
-	    i ? "B" : " ");
-}
-
-void
-refresh_progress_meter(void)
-{
-	char buf[MAX_WINSIZE + 1];
-	time_t now;
-	off_t transferred;
-	double elapsed;
-	int percent;
-	off_t bytes_left;
-	int cur_speed;
-	int hours, minutes, seconds;
-	int i, len;
-	int file_len;
-
-	transferred = *counter - cur_pos;
-	cur_pos = *counter;
-	now = time(NULL);
-	bytes_left = end_pos - cur_pos;
-
-	if (bytes_left > 0)
-		elapsed = now - last_update;
-	else {
-		elapsed = now - start;
-		/* Calculate true total speed when done */
-		transferred = end_pos;
-		bytes_per_second = 0;
-	}
-
-	/* calculate speed */
-	if (elapsed != 0)
-		cur_speed = (transferred / elapsed);
-	else
-		cur_speed = transferred;
-
-#define AGE_FACTOR 0.9
-	if (bytes_per_second != 0) {
-		bytes_per_second = (bytes_per_second * AGE_FACTOR) +
-		    (cur_speed * (1.0 - AGE_FACTOR));
-	} else
-		bytes_per_second = cur_speed;
-
-	/* filename */
-	buf[0] = '\0';
-	file_len = win_size - 35;
-	if (file_len > 0) {
-		len = snprintf(buf, file_len + 1, "\r%s", file);
-		if (len < 0)
-			len = 0;
-		if (len >= file_len + 1)
-			len = file_len;
-		for (i = len; i < file_len; i++)
-			buf[i] = ' ';
-		buf[file_len] = '\0';
-	}
-
-	/* percent of transfer done */
-	if (end_pos != 0)
-		percent = ((float)cur_pos / end_pos) * 100;
-	else
-		percent = 100;
-	snprintf(buf + strlen(buf), win_size - strlen(buf),
-	    " %3d%% ", percent);
-
-	/* amount transferred */
-	format_size(buf + strlen(buf), win_size - strlen(buf),
-	    cur_pos);
-	strlcat(buf, " ", win_size);
-
-	/* bandwidth usage */
-	format_rate(buf + strlen(buf), win_size - strlen(buf),
-	    (off_t)bytes_per_second);
-	strlcat(buf, "/s ", win_size);
-
-	/* ETA */
-	if (!transferred)
-		stalled += elapsed;
-	else
-		stalled = 0;
-
-	if (stalled >= STALL_TIME)
-		strlcat(buf, "- stalled -", win_size);
-	else if (bytes_per_second == 0 && bytes_left)
-		strlcat(buf, "  --:-- ETA", win_size);
-	else {
-		if (bytes_left > 0)
-			seconds = bytes_left / bytes_per_second;
-		else
-			seconds = elapsed;
-
-		hours = seconds / 3600;
-		seconds -= hours * 3600;
-		minutes = seconds / 60;
-		seconds -= minutes * 60;
-
-		if (hours != 0)
-			snprintf(buf + strlen(buf), win_size - strlen(buf),
-			    "%d:%02d:%02d", hours, minutes, seconds);
-		else
-			snprintf(buf + strlen(buf), win_size - strlen(buf),
-			    "  %02d:%02d", minutes, seconds);
-
-		if (bytes_left > 0)
-			strlcat(buf, " ETA", win_size);
-		else
-			strlcat(buf, "    ", win_size);
-	}
-
-	atomicio(vwrite, STDOUT_FILENO, buf, win_size - 1);
-	last_update = now;
-}
-
-/*ARGSUSED*/
-static void
-update_progress_meter(int ignore)
-{
-	int save_errno;
-
-	save_errno = errno;
-
-	if (win_resized) {
-		setscreensize();
-		win_resized = 0;
-	}
-	if (can_output())
-		refresh_progress_meter();
-
-	signal(SIGALRM, update_progress_meter);
-	alarm(UPDATE_INTERVAL);
-	errno = save_errno;
-}
-
-void
-start_progress_meter(char *f, off_t filesize, off_t *ctr)
-{
-	start = last_update = time(NULL);
-	file = f;
-	end_pos = filesize;
-	cur_pos = 0;
-	counter = ctr;
-	stalled = 0;
-	bytes_per_second = 0;
-
-	setscreensize();
-	if (can_output())
-		refresh_progress_meter();
-
-	signal(SIGALRM, update_progress_meter);
-	signal(SIGWINCH, sig_winch);
-	alarm(UPDATE_INTERVAL);
-}
-
-void
-stop_progress_meter(void)
-{
-	alarm(0);
-
-	if (!can_output())
-		return;
-
-	/* Ensure we complete the progress */
-	if (cur_pos != end_pos)
-		refresh_progress_meter();
-
-	atomicio(vwrite, STDOUT_FILENO, "\n", 1);
-}
-
-/*ARGSUSED*/
-static void
-sig_winch(int sig)
-{
-	win_resized = 1;
-}
-
-static void
-setscreensize(void)
-{
-	struct winsize winsize;
-
-	if (ioctl(STDOUT_FILENO, TIOCGWINSZ, &winsize) != -1 &&
-	    winsize.ws_col != 0) {
-		if (winsize.ws_col > MAX_WINSIZE)
-			win_size = MAX_WINSIZE;
-		else
-			win_size = winsize.ws_col;
-	} else
-		win_size = DEFAULT_WINSIZE;
-	win_size += 1;					/* trailing \0 */
-}
diff --git a/crypto/openssh/progressmeter.h b/crypto/openssh/progressmeter.h
deleted file mode 100644
index 10bab99..0000000
--- a/crypto/openssh/progressmeter.h
+++ /dev/null
@@ -1,27 +0,0 @@
-/* $OpenBSD: progressmeter.h,v 1.2 2006/03/25 22:22:43 djm Exp $ */
-/*
- * Copyright (c) 2002 Nils Nordman.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-void	start_progress_meter(char *, off_t, off_t *);
-void	stop_progress_meter(void);
diff --git a/crypto/openssh/pty.c b/crypto/openssh/pty.c
deleted file mode 100644
index 9300bd5..0000000
--- a/crypto/openssh/pty.c
+++ /dev/null
@@ -1,275 +0,0 @@
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Allocating a pseudo-terminal, and making it the controlling tty.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: pty.c,v 1.16 2000/09/07 21:13:37 markus Exp $");
-
-#include <util.h>
-#include "pty.h"
-#include "ssh.h"
-
-/* Pty allocated with _getpty gets broken if we do I_PUSH:es to it. */
-#if defined(HAVE__GETPTY) || defined(HAVE_OPENPTY)
-#undef HAVE_DEV_PTMX
-#endif
-
-#ifndef O_NOCTTY
-#define O_NOCTTY 0
-#endif
-
-/*
- * Allocates and opens a pty.  Returns 0 if no pty could be allocated, or
- * nonzero if a pty was successfully allocated.  On success, open file
- * descriptors for the pty and tty sides and the name of the tty side are
- * returned (the buffer must be able to hold at least 64 characters).
- */
-
-int
-pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen)
-{
-#if defined(HAVE_OPENPTY) || defined(BSD4_4)
-	/* openpty(3) exists in OSF/1 and some other os'es */
-	char buf[64];
-	int i;
-
-	i = openpty(ptyfd, ttyfd, buf, NULL, NULL);
-	if (i < 0) {
-		error("openpty: %.100s", strerror(errno));
-		return 0;
-	}
-	strlcpy(namebuf, buf, namebuflen);	/* possible truncation */
-	return 1;
-#else /* HAVE_OPENPTY */
-#ifdef HAVE__GETPTY
-	/*
-	 * _getpty(3) exists in SGI Irix 4.x, 5.x & 6.x -- it generates more
-	 * pty's automagically when needed
-	 */
-	char *slave;
-
-	slave = _getpty(ptyfd, O_RDWR, 0622, 0);
-	if (slave == NULL) {
-		error("_getpty: %.100s", strerror(errno));
-		return 0;
-	}
-	strlcpy(namebuf, slave, namebuflen);
-	/* Open the slave side. */
-	*ttyfd = open(namebuf, O_RDWR | O_NOCTTY);
-	if (*ttyfd < 0) {
-		error("%.200s: %.100s", namebuf, strerror(errno));
-		close(*ptyfd);
-		return 0;
-	}
-	return 1;
-#else /* HAVE__GETPTY */
-#ifdef HAVE_DEV_PTMX
-	/*
-	 * This code is used e.g. on Solaris 2.x.  (Note that Solaris 2.3
-	 * also has bsd-style ptys, but they simply do not work.)
-	 */
-	int ptm;
-	char *pts;
-
-	ptm = open("/dev/ptmx", O_RDWR | O_NOCTTY);
-	if (ptm < 0) {
-		error("/dev/ptmx: %.100s", strerror(errno));
-		return 0;
-	}
-	if (grantpt(ptm) < 0) {
-		error("grantpt: %.100s", strerror(errno));
-		return 0;
-	}
-	if (unlockpt(ptm) < 0) {
-		error("unlockpt: %.100s", strerror(errno));
-		return 0;
-	}
-	pts = ptsname(ptm);
-	if (pts == NULL)
-		error("Slave pty side name could not be obtained.");
-	strlcpy(namebuf, pts, namebuflen);
-	*ptyfd = ptm;
-
-	/* Open the slave side. */
-	*ttyfd = open(namebuf, O_RDWR | O_NOCTTY);
-	if (*ttyfd < 0) {
-		error("%.100s: %.100s", namebuf, strerror(errno));
-		close(*ptyfd);
-		return 0;
-	}
-	/* Push the appropriate streams modules, as described in Solaris pts(7). */
-	if (ioctl(*ttyfd, I_PUSH, "ptem") < 0)
-		error("ioctl I_PUSH ptem: %.100s", strerror(errno));
-	if (ioctl(*ttyfd, I_PUSH, "ldterm") < 0)
-		error("ioctl I_PUSH ldterm: %.100s", strerror(errno));
-	if (ioctl(*ttyfd, I_PUSH, "ttcompat") < 0)
-		error("ioctl I_PUSH ttcompat: %.100s", strerror(errno));
-	return 1;
-#else /* HAVE_DEV_PTMX */
-#ifdef HAVE_DEV_PTS_AND_PTC
-	/* AIX-style pty code. */
-	const char *name;
-
-	*ptyfd = open("/dev/ptc", O_RDWR | O_NOCTTY);
-	if (*ptyfd < 0) {
-		error("Could not open /dev/ptc: %.100s", strerror(errno));
-		return 0;
-	}
-	name = ttyname(*ptyfd);
-	if (!name)
-		fatal("Open of /dev/ptc returns device for which ttyname fails.");
-	strlcpy(namebuf, name, namebuflen);
-	*ttyfd = open(name, O_RDWR | O_NOCTTY);
-	if (*ttyfd < 0) {
-		error("Could not open pty slave side %.100s: %.100s",
-		      name, strerror(errno));
-		close(*ptyfd);
-		return 0;
-	}
-	return 1;
-#else /* HAVE_DEV_PTS_AND_PTC */
-	/* BSD-style pty code. */
-	char buf[64];
-	int i;
-	const char *ptymajors = "pqrstuvwxyzabcdefghijklmnoABCDEFGHIJKLMNOPQRSTUVWXYZ";
-	const char *ptyminors = "0123456789abcdef";
-	int num_minors = strlen(ptyminors);
-	int num_ptys = strlen(ptymajors) * num_minors;
-
-	for (i = 0; i < num_ptys; i++) {
-		snprintf(buf, sizeof buf, "/dev/pty%c%c", ptymajors[i / num_minors],
-			 ptyminors[i % num_minors]);
-		*ptyfd = open(buf, O_RDWR | O_NOCTTY);
-		if (*ptyfd < 0)
-			continue;
-		snprintf(namebuf, namebuflen, "/dev/tty%c%c",
-		    ptymajors[i / num_minors], ptyminors[i % num_minors]);
-
-		/* Open the slave side. */
-		*ttyfd = open(namebuf, O_RDWR | O_NOCTTY);
-		if (*ttyfd < 0) {
-			error("%.100s: %.100s", namebuf, strerror(errno));
-			close(*ptyfd);
-			return 0;
-		}
-		return 1;
-	}
-	return 0;
-#endif /* HAVE_DEV_PTS_AND_PTC */
-#endif /* HAVE_DEV_PTMX */
-#endif /* HAVE__GETPTY */
-#endif /* HAVE_OPENPTY */
-}
-
-/* Releases the tty.  Its ownership is returned to root, and permissions to 0666. */
-
-void
-pty_release(const char *ttyname)
-{
-	if (chown(ttyname, (uid_t) 0, (gid_t) 0) < 0)
-		error("chown %.100s 0 0 failed: %.100s", ttyname, strerror(errno));
-	if (chmod(ttyname, (mode_t) 0666) < 0)
-		error("chmod %.100s 0666 failed: %.100s", ttyname, strerror(errno));
-}
-
-/* Makes the tty the processes controlling tty and sets it to sane modes. */
-
-void
-pty_make_controlling_tty(int *ttyfd, const char *ttyname)
-{
-	int fd;
-
-	/* First disconnect from the old controlling tty. */
-#ifdef TIOCNOTTY
-	fd = open("/dev/tty", O_RDWR | O_NOCTTY);
-	if (fd >= 0) {
-		(void) ioctl(fd, TIOCNOTTY, NULL);
-		close(fd);
-	}
-#endif /* TIOCNOTTY */
-	if (setsid() < 0)
-		error("setsid: %.100s", strerror(errno));
-
-	/*
-	 * Verify that we are successfully disconnected from the controlling
-	 * tty.
-	 */
-	fd = open("/dev/tty", O_RDWR | O_NOCTTY);
-	if (fd >= 0) {
-		error("Failed to disconnect from controlling tty.");
-		close(fd);
-	}
-	/* Make it our controlling tty. */
-#ifdef TIOCSCTTY
-	debug("Setting controlling tty using TIOCSCTTY.");
-	/*
-	 * We ignore errors from this, because HPSUX defines TIOCSCTTY, but
-	 * returns EINVAL with these arguments, and there is absolutely no
-	 * documentation.
-	 */
-	ioctl(*ttyfd, TIOCSCTTY, NULL);
-#endif /* TIOCSCTTY */
-	fd = open(ttyname, O_RDWR);
-	if (fd < 0)
-		error("%.100s: %.100s", ttyname, strerror(errno));
-	else
-		close(fd);
-
-	/* Verify that we now have a controlling tty. */
-	fd = open("/dev/tty", O_WRONLY);
-	if (fd < 0)
-		error("open /dev/tty failed - could not set controlling tty: %.100s",
-		      strerror(errno));
-	else {
-		close(fd);
-	}
-}
-
-/* Changes the window size associated with the pty. */
-
-void
-pty_change_window_size(int ptyfd, int row, int col,
-		       int xpixel, int ypixel)
-{
-	struct winsize w;
-	w.ws_row = row;
-	w.ws_col = col;
-	w.ws_xpixel = xpixel;
-	w.ws_ypixel = ypixel;
-	(void) ioctl(ptyfd, TIOCSWINSZ, &w);
-}
-
-void
-pty_setowner(struct passwd *pw, const char *ttyname)
-{
-	struct group *grp;
-	gid_t gid;
-	mode_t mode;
-
-	/* Determine the group to make the owner of the tty. */
-	grp = getgrnam("tty");
-	if (grp) {
-		gid = grp->gr_gid;
-		mode = S_IRUSR | S_IWUSR | S_IWGRP;
-	} else {
-		gid = pw->pw_gid;
-		mode = S_IRUSR | S_IWUSR | S_IWGRP | S_IWOTH;
-	}
-
-	/* Change ownership of the tty. */
-	if (chown(ttyname, pw->pw_uid, gid) < 0)
-		fatal("chown(%.100s, %d, %d) failed: %.100s",
-		    ttyname, pw->pw_uid, gid, strerror(errno));
-	if (chmod(ttyname, mode) < 0)
-		fatal("chmod(%.100s, 0%o) failed: %.100s",
-		    ttyname, mode, strerror(errno));
-}
diff --git a/crypto/openssh/pty.h b/crypto/openssh/pty.h
deleted file mode 100644
index 13d8e60..0000000
--- a/crypto/openssh/pty.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Functions for allocating a pseudo-terminal and making it the controlling
- * tty.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-/* RCSID("$OpenBSD: pty.h,v 1.8 2000/09/07 20:27:52 deraadt Exp $"); */
-
-#ifndef PTY_H
-#define PTY_H
-
-/*
- * Allocates and opens a pty.  Returns 0 if no pty could be allocated, or
- * nonzero if a pty was successfully allocated.  On success, open file
- * descriptors for the pty and tty sides and the name of the tty side are
- * returned (the buffer must be able to hold at least 64 characters).
- */
-int     pty_allocate(int *ptyfd, int *ttyfd, char *ttyname, int ttynamelen);
-
-/*
- * Releases the tty.  Its ownership is returned to root, and permissions to
- * 0666.
- */
-void    pty_release(const char *ttyname);
-
-/*
- * Makes the tty the processes controlling tty and sets it to sane modes.
- * This may need to reopen the tty to get rid of possible eavesdroppers.
- */
-void    pty_make_controlling_tty(int *ttyfd, const char *ttyname);
-
-/* Changes the window size associated with the pty. */
-void
-pty_change_window_size(int ptyfd, int row, int col,
-    int xpixel, int ypixel);
-
-void	pty_setowner(struct passwd *pw, const char *ttyname);
-
-#endif				/* PTY_H */
diff --git a/crypto/openssh/readconf.c b/crypto/openssh/readconf.c
deleted file mode 100644
index 4cacf60..0000000
--- a/crypto/openssh/readconf.c
+++ /dev/null
@@ -1,1273 +0,0 @@
-/* $OpenBSD: readconf.c,v 1.159 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Functions for reading the configuration files.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <netdb.h>
-#include <signal.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "xmalloc.h"
-#include "ssh.h"
-#include "compat.h"
-#include "cipher.h"
-#include "pathnames.h"
-#include "log.h"
-#include "key.h"
-#include "readconf.h"
-#include "match.h"
-#include "misc.h"
-#include "buffer.h"
-#include "kex.h"
-#include "mac.h"
-
-/* Format of the configuration file:
-
-   # Configuration data is parsed as follows:
-   #  1. command line options
-   #  2. user-specific file
-   #  3. system-wide file
-   # Any configuration value is only changed the first time it is set.
-   # Thus, host-specific definitions should be at the beginning of the
-   # configuration file, and defaults at the end.
-
-   # Host-specific declarations.  These may override anything above.  A single
-   # host may match multiple declarations; these are processed in the order
-   # that they are given in.
-
-   Host *.ngs.fi ngs.fi
-     User foo
-
-   Host fake.com
-     HostName another.host.name.real.org
-     User blaah
-     Port 34289
-     ForwardX11 no
-     ForwardAgent no
-
-   Host books.com
-     RemoteForward 9999 shadows.cs.hut.fi:9999
-     Cipher 3des
-
-   Host fascist.blob.com
-     Port 23123
-     User tylonen
-     PasswordAuthentication no
-
-   Host puukko.hut.fi
-     User t35124p
-     ProxyCommand ssh-proxy %h %p
-
-   Host *.fr
-     PublicKeyAuthentication no
-
-   Host *.su
-     Cipher none
-     PasswordAuthentication no
-
-   Host vpn.fake.com
-     Tunnel yes
-     TunnelDevice 3
-
-   # Defaults for various options
-   Host *
-     ForwardAgent no
-     ForwardX11 no
-     PasswordAuthentication yes
-     RSAAuthentication yes
-     RhostsRSAAuthentication yes
-     StrictHostKeyChecking yes
-     TcpKeepAlive no
-     IdentityFile ~/.ssh/identity
-     Port 22
-     EscapeChar ~
-
-*/
-
-/* Keyword tokens. */
-
-typedef enum {
-	oBadOption,
-	oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
-	oExitOnForwardFailure,
-	oPasswordAuthentication, oRSAAuthentication,
-	oChallengeResponseAuthentication, oXAuthLocation,
-	oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
-	oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
-	oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
-	oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
-	oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
-	oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
-	oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
-	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
-	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
-	oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
-	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
-	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
-	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
-	oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
-	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
-	oDeprecated, oUnsupported
-} OpCodes;
-
-/* Textual representations of the tokens. */
-
-static struct {
-	const char *name;
-	OpCodes opcode;
-} keywords[] = {
-	{ "forwardagent", oForwardAgent },
-	{ "forwardx11", oForwardX11 },
-	{ "forwardx11trusted", oForwardX11Trusted },
-	{ "exitonforwardfailure", oExitOnForwardFailure },
-	{ "xauthlocation", oXAuthLocation },
-	{ "gatewayports", oGatewayPorts },
-	{ "useprivilegedport", oUsePrivilegedPort },
-	{ "rhostsauthentication", oDeprecated },
-	{ "passwordauthentication", oPasswordAuthentication },
-	{ "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
-	{ "kbdinteractivedevices", oKbdInteractiveDevices },
-	{ "rsaauthentication", oRSAAuthentication },
-	{ "pubkeyauthentication", oPubkeyAuthentication },
-	{ "dsaauthentication", oPubkeyAuthentication },		    /* alias */
-	{ "rhostsrsaauthentication", oRhostsRSAAuthentication },
-	{ "hostbasedauthentication", oHostbasedAuthentication },
-	{ "challengeresponseauthentication", oChallengeResponseAuthentication },
-	{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
-	{ "tisauthentication", oChallengeResponseAuthentication },  /* alias */
-	{ "kerberosauthentication", oUnsupported },
-	{ "kerberostgtpassing", oUnsupported },
-	{ "afstokenpassing", oUnsupported },
-#if defined(GSSAPI)
-	{ "gssapiauthentication", oGssAuthentication },
-	{ "gssapidelegatecredentials", oGssDelegateCreds },
-#else
-	{ "gssapiauthentication", oUnsupported },
-	{ "gssapidelegatecredentials", oUnsupported },
-#endif
-	{ "fallbacktorsh", oDeprecated },
-	{ "usersh", oDeprecated },
-	{ "identityfile", oIdentityFile },
-	{ "identityfile2", oIdentityFile },			/* alias */
-	{ "identitiesonly", oIdentitiesOnly },
-	{ "hostname", oHostName },
-	{ "hostkeyalias", oHostKeyAlias },
-	{ "proxycommand", oProxyCommand },
-	{ "port", oPort },
-	{ "cipher", oCipher },
-	{ "ciphers", oCiphers },
-	{ "macs", oMacs },
-	{ "protocol", oProtocol },
-	{ "remoteforward", oRemoteForward },
-	{ "localforward", oLocalForward },
-	{ "user", oUser },
-	{ "host", oHost },
-	{ "escapechar", oEscapeChar },
-	{ "globalknownhostsfile", oGlobalKnownHostsFile },
-	{ "userknownhostsfile", oUserKnownHostsFile },		/* obsolete */
-	{ "globalknownhostsfile2", oGlobalKnownHostsFile2 },
-	{ "userknownhostsfile2", oUserKnownHostsFile2 },	/* obsolete */
-	{ "connectionattempts", oConnectionAttempts },
-	{ "batchmode", oBatchMode },
-	{ "checkhostip", oCheckHostIP },
-	{ "stricthostkeychecking", oStrictHostKeyChecking },
-	{ "compression", oCompression },
-	{ "compressionlevel", oCompressionLevel },
-	{ "tcpkeepalive", oTCPKeepAlive },
-	{ "keepalive", oTCPKeepAlive },				/* obsolete */
-	{ "numberofpasswordprompts", oNumberOfPasswordPrompts },
-	{ "loglevel", oLogLevel },
-	{ "dynamicforward", oDynamicForward },
-	{ "preferredauthentications", oPreferredAuthentications },
-	{ "hostkeyalgorithms", oHostKeyAlgorithms },
-	{ "bindaddress", oBindAddress },
-#ifdef SMARTCARD
-	{ "smartcarddevice", oSmartcardDevice },
-#else
-	{ "smartcarddevice", oUnsupported },
-#endif
-	{ "clearallforwardings", oClearAllForwardings },
-	{ "enablesshkeysign", oEnableSSHKeysign },
-	{ "verifyhostkeydns", oVerifyHostKeyDNS },
-	{ "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
-	{ "rekeylimit", oRekeyLimit },
-	{ "connecttimeout", oConnectTimeout },
-	{ "addressfamily", oAddressFamily },
-	{ "serveraliveinterval", oServerAliveInterval },
-	{ "serveralivecountmax", oServerAliveCountMax },
-	{ "sendenv", oSendEnv },
-	{ "controlpath", oControlPath },
-	{ "controlmaster", oControlMaster },
-	{ "hashknownhosts", oHashKnownHosts },
-	{ "tunnel", oTunnel },
-	{ "tunneldevice", oTunnelDevice },
-	{ "localcommand", oLocalCommand },
-	{ "permitlocalcommand", oPermitLocalCommand },
-	{ NULL, oBadOption }
-};
-
-/*
- * Adds a local TCP/IP port forward to options.  Never returns if there is an
- * error.
- */
-
-void
-add_local_forward(Options *options, const Forward *newfwd)
-{
-	Forward *fwd;
-#ifndef NO_IPPORT_RESERVED_CONCEPT
-	extern uid_t original_real_uid;
-	if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0)
-		fatal("Privileged ports can only be forwarded by root.");
-#endif
-	if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
-		fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);
-	fwd = &options->local_forwards[options->num_local_forwards++];
-
-	fwd->listen_host = (newfwd->listen_host == NULL) ?
-	    NULL : xstrdup(newfwd->listen_host);
-	fwd->listen_port = newfwd->listen_port;
-	fwd->connect_host = xstrdup(newfwd->connect_host);
-	fwd->connect_port = newfwd->connect_port;
-}
-
-/*
- * Adds a remote TCP/IP port forward to options.  Never returns if there is
- * an error.
- */
-
-void
-add_remote_forward(Options *options, const Forward *newfwd)
-{
-	Forward *fwd;
-	if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
-		fatal("Too many remote forwards (max %d).",
-		    SSH_MAX_FORWARDS_PER_DIRECTION);
-	fwd = &options->remote_forwards[options->num_remote_forwards++];
-
-	fwd->listen_host = (newfwd->listen_host == NULL) ?
-	    NULL : xstrdup(newfwd->listen_host);
-	fwd->listen_port = newfwd->listen_port;
-	fwd->connect_host = xstrdup(newfwd->connect_host);
-	fwd->connect_port = newfwd->connect_port;
-}
-
-static void
-clear_forwardings(Options *options)
-{
-	int i;
-
-	for (i = 0; i < options->num_local_forwards; i++) {
-		if (options->local_forwards[i].listen_host != NULL)
-			xfree(options->local_forwards[i].listen_host);
-		xfree(options->local_forwards[i].connect_host);
-	}
-	options->num_local_forwards = 0;
-	for (i = 0; i < options->num_remote_forwards; i++) {
-		if (options->remote_forwards[i].listen_host != NULL)
-			xfree(options->remote_forwards[i].listen_host);
-		xfree(options->remote_forwards[i].connect_host);
-	}
-	options->num_remote_forwards = 0;
-	options->tun_open = SSH_TUNMODE_NO;
-}
-
-/*
- * Returns the number of the token pointed to by cp or oBadOption.
- */
-
-static OpCodes
-parse_token(const char *cp, const char *filename, int linenum)
-{
-	u_int i;
-
-	for (i = 0; keywords[i].name; i++)
-		if (strcasecmp(cp, keywords[i].name) == 0)
-			return keywords[i].opcode;
-
-	error("%s: line %d: Bad configuration option: %s",
-	    filename, linenum, cp);
-	return oBadOption;
-}
-
-/*
- * Processes a single option line as used in the configuration files. This
- * only sets those values that have not already been set.
- */
-#define WHITESPACE " \t\r\n"
-
-int
-process_config_line(Options *options, const char *host,
-		    char *line, const char *filename, int linenum,
-		    int *activep)
-{
-	char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
-	int opcode, *intptr, value, value2, scale;
-	long long orig, val64;
-	size_t len;
-	Forward fwd;
-
-	/* Strip trailing whitespace */
-	for (len = strlen(line) - 1; len > 0; len--) {
-		if (strchr(WHITESPACE, line[len]) == NULL)
-			break;
-		line[len] = '\0';
-	}
-
-	s = line;
-	/* Get the keyword. (Each line is supposed to begin with a keyword). */
-	if ((keyword = strdelim(&s)) == NULL)
-		return 0;
-	/* Ignore leading whitespace. */
-	if (*keyword == '\0')
-		keyword = strdelim(&s);
-	if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
-		return 0;
-
-	opcode = parse_token(keyword, filename, linenum);
-
-	switch (opcode) {
-	case oBadOption:
-		/* don't panic, but count bad options */
-		return -1;
-		/* NOTREACHED */
-	case oConnectTimeout:
-		intptr = &options->connection_timeout;
-parse_time:
-		arg = strdelim(&s);
-		if (!arg || *arg == '\0')
-			fatal("%s line %d: missing time value.",
-			    filename, linenum);
-		if ((value = convtime(arg)) == -1)
-			fatal("%s line %d: invalid time value.",
-			    filename, linenum);
-		if (*intptr == -1)
-			*intptr = value;
-		break;
-
-	case oForwardAgent:
-		intptr = &options->forward_agent;
-parse_flag:
-		arg = strdelim(&s);
-		if (!arg || *arg == '\0')
-			fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
-		value = 0;	/* To avoid compiler warning... */
-		if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
-			value = 1;
-		else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
-			value = 0;
-		else
-			fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
-		if (*activep && *intptr == -1)
-			*intptr = value;
-		break;
-
-	case oForwardX11:
-		intptr = &options->forward_x11;
-		goto parse_flag;
-
-	case oForwardX11Trusted:
-		intptr = &options->forward_x11_trusted;
-		goto parse_flag;
-
-	case oGatewayPorts:
-		intptr = &options->gateway_ports;
-		goto parse_flag;
-
-	case oExitOnForwardFailure:
-		intptr = &options->exit_on_forward_failure;
-		goto parse_flag;
-
-	case oUsePrivilegedPort:
-		intptr = &options->use_privileged_port;
-		goto parse_flag;
-
-	case oPasswordAuthentication:
-		intptr = &options->password_authentication;
-		goto parse_flag;
-
-	case oKbdInteractiveAuthentication:
-		intptr = &options->kbd_interactive_authentication;
-		goto parse_flag;
-
-	case oKbdInteractiveDevices:
-		charptr = &options->kbd_interactive_devices;
-		goto parse_string;
-
-	case oPubkeyAuthentication:
-		intptr = &options->pubkey_authentication;
-		goto parse_flag;
-
-	case oRSAAuthentication:
-		intptr = &options->rsa_authentication;
-		goto parse_flag;
-
-	case oRhostsRSAAuthentication:
-		intptr = &options->rhosts_rsa_authentication;
-		goto parse_flag;
-
-	case oHostbasedAuthentication:
-		intptr = &options->hostbased_authentication;
-		goto parse_flag;
-
-	case oChallengeResponseAuthentication:
-		intptr = &options->challenge_response_authentication;
-		goto parse_flag;
-
-	case oGssAuthentication:
-		intptr = &options->gss_authentication;
-		goto parse_flag;
-
-	case oGssDelegateCreds:
-		intptr = &options->gss_deleg_creds;
-		goto parse_flag;
-
-	case oBatchMode:
-		intptr = &options->batch_mode;
-		goto parse_flag;
-
-	case oCheckHostIP:
-		intptr = &options->check_host_ip;
-		goto parse_flag;
-
-	case oVerifyHostKeyDNS:
-		intptr = &options->verify_host_key_dns;
-		goto parse_yesnoask;
-
-	case oStrictHostKeyChecking:
-		intptr = &options->strict_host_key_checking;
-parse_yesnoask:
-		arg = strdelim(&s);
-		if (!arg || *arg == '\0')
-			fatal("%.200s line %d: Missing yes/no/ask argument.",
-			    filename, linenum);
-		value = 0;	/* To avoid compiler warning... */
-		if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
-			value = 1;
-		else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
-			value = 0;
-		else if (strcmp(arg, "ask") == 0)
-			value = 2;
-		else
-			fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
-		if (*activep && *intptr == -1)
-			*intptr = value;
-		break;
-
-	case oCompression:
-		intptr = &options->compression;
-		goto parse_flag;
-
-	case oTCPKeepAlive:
-		intptr = &options->tcp_keep_alive;
-		goto parse_flag;
-
-	case oNoHostAuthenticationForLocalhost:
-		intptr = &options->no_host_authentication_for_localhost;
-		goto parse_flag;
-
-	case oNumberOfPasswordPrompts:
-		intptr = &options->number_of_password_prompts;
-		goto parse_int;
-
-	case oCompressionLevel:
-		intptr = &options->compression_level;
-		goto parse_int;
-
-	case oRekeyLimit:
-		intptr = &options->rekey_limit;
-		arg = strdelim(&s);
-		if (!arg || *arg == '\0')
-			fatal("%.200s line %d: Missing argument.", filename, linenum);
-		if (arg[0] < '0' || arg[0] > '9')
-			fatal("%.200s line %d: Bad number.", filename, linenum);
-		orig = val64 = strtoll(arg, &endofnumber, 10);
-		if (arg == endofnumber)
-			fatal("%.200s line %d: Bad number.", filename, linenum);
-		switch (toupper(*endofnumber)) {
-		case '\0':
-			scale = 1;
-			break;
-		case 'K':
-			scale = 1<<10;
-			break;
-		case 'M':
-			scale = 1<<20;
-			break;
-		case 'G':
-			scale = 1<<30;
-			break;
-		default:
-			fatal("%.200s line %d: Invalid RekeyLimit suffix",
-			    filename, linenum);
-		}
-		val64 *= scale;
-		/* detect integer wrap and too-large limits */
-		if ((val64 / scale) != orig || val64 > INT_MAX)
-			fatal("%.200s line %d: RekeyLimit too large",
-			    filename, linenum);
-		if (val64 < 16)
-			fatal("%.200s line %d: RekeyLimit too small",
-			    filename, linenum);
-		if (*activep && *intptr == -1)
-			*intptr = (int)val64;
-		break;
-
-	case oIdentityFile:
-		arg = strdelim(&s);
-		if (!arg || *arg == '\0')
-			fatal("%.200s line %d: Missing argument.", filename, linenum);
-		if (*activep) {
-			intptr = &options->num_identity_files;
-			if (*intptr >= SSH_MAX_IDENTITY_FILES)
-				fatal("%.200s line %d: Too many identity files specified (max %d).",
-				    filename, linenum, SSH_MAX_IDENTITY_FILES);
-			charptr =  &options->identity_files[*intptr];
-			*charptr = xstrdup(arg);
-			*intptr = *intptr + 1;
-		}
-		break;
-
-	case oXAuthLocation:
-		charptr=&options->xauth_location;
-		goto parse_string;
-
-	case oUser:
-		charptr = &options->user;
-parse_string:
-		arg = strdelim(&s);
-		if (!arg || *arg == '\0')
-			fatal("%.200s line %d: Missing argument.", filename, linenum);
-		if (*activep && *charptr == NULL)
-			*charptr = xstrdup(arg);
-		break;
-
-	case oGlobalKnownHostsFile:
-		charptr = &options->system_hostfile;
-		goto parse_string;
-
-	case oUserKnownHostsFile:
-		charptr = &options->user_hostfile;
-		goto parse_string;
-
-	case oGlobalKnownHostsFile2:
-		charptr = &options->system_hostfile2;
-		goto parse_string;
-
-	case oUserKnownHostsFile2:
-		charptr = &options->user_hostfile2;
-		goto parse_string;
-
-	case oHostName:
-		charptr = &options->hostname;
-		goto parse_string;
-
-	case oHostKeyAlias:
-		charptr = &options->host_key_alias;
-		goto parse_string;
-
-	case oPreferredAuthentications:
-		charptr = &options->preferred_authentications;
-		goto parse_string;
-
-	case oBindAddress:
-		charptr = &options->bind_address;
-		goto parse_string;
-
-	case oSmartcardDevice:
-		charptr = &options->smartcard_device;
-		goto parse_string;
-
-	case oProxyCommand:
-		charptr = &options->proxy_command;
-parse_command:
-		if (s == NULL)
-			fatal("%.200s line %d: Missing argument.", filename, linenum);
-		len = strspn(s, WHITESPACE "=");
-		if (*activep && *charptr == NULL)
-			*charptr = xstrdup(s + len);
-		return 0;
-
-	case oPort:
-		intptr = &options->port;
-parse_int:
-		arg = strdelim(&s);
-		if (!arg || *arg == '\0')
-			fatal("%.200s line %d: Missing argument.", filename, linenum);
-		if (arg[0] < '0' || arg[0] > '9')
-			fatal("%.200s line %d: Bad number.", filename, linenum);
-
-		/* Octal, decimal, or hex format? */
-		value = strtol(arg, &endofnumber, 0);
-		if (arg == endofnumber)
-			fatal("%.200s line %d: Bad number.", filename, linenum);
-		if (*activep && *intptr == -1)
-			*intptr = value;
-		break;
-
-	case oConnectionAttempts:
-		intptr = &options->connection_attempts;
-		goto parse_int;
-
-	case oCipher:
-		intptr = &options->cipher;
-		arg = strdelim(&s);
-		if (!arg || *arg == '\0')
-			fatal("%.200s line %d: Missing argument.", filename, linenum);
-		value = cipher_number(arg);
-		if (value == -1)
-			fatal("%.200s line %d: Bad cipher '%s'.",
-			    filename, linenum, arg ? arg : "<NONE>");
-		if (*activep && *intptr == -1)
-			*intptr = value;
-		break;
-
-	case oCiphers:
-		arg = strdelim(&s);
-		if (!arg || *arg == '\0')
-			fatal("%.200s line %d: Missing argument.", filename, linenum);
-		if (!ciphers_valid(arg))
-			fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
-			    filename, linenum, arg ? arg : "<NONE>");
-		if (*activep && options->ciphers == NULL)
-			options->ciphers = xstrdup(arg);
-		break;
-
-	case oMacs:
-		arg = strdelim(&s);
-		if (!arg || *arg == '\0')
-			fatal("%.200s line %d: Missing argument.", filename, linenum);
-		if (!mac_valid(arg))
-			fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
-			    filename, linenum, arg ? arg : "<NONE>");
-		if (*activep && options->macs == NULL)
-			options->macs = xstrdup(arg);
-		break;
-
-	case oHostKeyAlgorithms:
-		arg = strdelim(&s);
-		if (!arg || *arg == '\0')
-			fatal("%.200s line %d: Missing argument.", filename, linenum);
-		if (!key_names_valid2(arg))
-			fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
-			    filename, linenum, arg ? arg : "<NONE>");
-		if (*activep && options->hostkeyalgorithms == NULL)
-			options->hostkeyalgorithms = xstrdup(arg);
-		break;
-
-	case oProtocol:
-		intptr = &options->protocol;
-		arg = strdelim(&s);
-		if (!arg || *arg == '\0')
-			fatal("%.200s line %d: Missing argument.", filename, linenum);
-		value = proto_spec(arg);
-		if (value == SSH_PROTO_UNKNOWN)
-			fatal("%.200s line %d: Bad protocol spec '%s'.",
-			    filename, linenum, arg ? arg : "<NONE>");
-		if (*activep && *intptr == SSH_PROTO_UNKNOWN)
-			*intptr = value;
-		break;
-
-	case oLogLevel:
-		intptr = (int *) &options->log_level;
-		arg = strdelim(&s);
-		value = log_level_number(arg);
-		if (value == SYSLOG_LEVEL_NOT_SET)
-			fatal("%.200s line %d: unsupported log level '%s'",
-			    filename, linenum, arg ? arg : "<NONE>");
-		if (*activep && (LogLevel) *intptr == SYSLOG_LEVEL_NOT_SET)
-			*intptr = (LogLevel) value;
-		break;
-
-	case oLocalForward:
-	case oRemoteForward:
-		arg = strdelim(&s);
-		if (arg == NULL || *arg == '\0')
-			fatal("%.200s line %d: Missing port argument.",
-			    filename, linenum);
-		arg2 = strdelim(&s);
-		if (arg2 == NULL || *arg2 == '\0')
-			fatal("%.200s line %d: Missing target argument.",
-			    filename, linenum);
-
-		/* construct a string for parse_forward */
-		snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
-
-		if (parse_forward(&fwd, fwdarg) == 0)
-			fatal("%.200s line %d: Bad forwarding specification.",
-			    filename, linenum);
-
-		if (*activep) {
-			if (opcode == oLocalForward)
-				add_local_forward(options, &fwd);
-			else if (opcode == oRemoteForward)
-				add_remote_forward(options, &fwd);
-		}
-		break;
-
-	case oDynamicForward:
-		arg = strdelim(&s);
-		if (!arg || *arg == '\0')
-			fatal("%.200s line %d: Missing port argument.",
-			    filename, linenum);
-		memset(&fwd, '\0', sizeof(fwd));
-		fwd.connect_host = "socks";
-		fwd.listen_host = hpdelim(&arg);
-		if (fwd.listen_host == NULL ||
-		    strlen(fwd.listen_host) >= NI_MAXHOST)
-			fatal("%.200s line %d: Bad forwarding specification.",
-			    filename, linenum);
-		if (arg) {
-			fwd.listen_port = a2port(arg);
-			fwd.listen_host = cleanhostname(fwd.listen_host);
-		} else {
-			fwd.listen_port = a2port(fwd.listen_host);
-			fwd.listen_host = NULL;
-		}
-		if (fwd.listen_port == 0)
-			fatal("%.200s line %d: Badly formatted port number.",
-			    filename, linenum);
-		if (*activep)
-			add_local_forward(options, &fwd);
-		break;
-
-	case oClearAllForwardings:
-		intptr = &options->clear_forwardings;
-		goto parse_flag;
-
-	case oHost:
-		*activep = 0;
-		while ((arg = strdelim(&s)) != NULL && *arg != '\0')
-			if (match_pattern(host, arg)) {
-				debug("Applying options for %.100s", arg);
-				*activep = 1;
-				break;
-			}
-		/* Avoid garbage check below, as strdelim is done. */
-		return 0;
-
-	case oEscapeChar:
-		intptr = &options->escape_char;
-		arg = strdelim(&s);
-		if (!arg || *arg == '\0')
-			fatal("%.200s line %d: Missing argument.", filename, linenum);
-		if (arg[0] == '^' && arg[2] == 0 &&
-		    (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
-			value = (u_char) arg[1] & 31;
-		else if (strlen(arg) == 1)
-			value = (u_char) arg[0];
-		else if (strcmp(arg, "none") == 0)
-			value = SSH_ESCAPECHAR_NONE;
-		else {
-			fatal("%.200s line %d: Bad escape character.",
-			    filename, linenum);
-			/* NOTREACHED */
-			value = 0;	/* Avoid compiler warning. */
-		}
-		if (*activep && *intptr == -1)
-			*intptr = value;
-		break;
-
-	case oAddressFamily:
-		arg = strdelim(&s);
-		if (!arg || *arg == '\0')
-			fatal("%s line %d: missing address family.",
-			    filename, linenum);
-		intptr = &options->address_family;
-		if (strcasecmp(arg, "inet") == 0)
-			value = AF_INET;
-		else if (strcasecmp(arg, "inet6") == 0)
-			value = AF_INET6;
-		else if (strcasecmp(arg, "any") == 0)
-			value = AF_UNSPEC;
-		else
-			fatal("Unsupported AddressFamily \"%s\"", arg);
-		if (*activep && *intptr == -1)
-			*intptr = value;
-		break;
-
-	case oEnableSSHKeysign:
-		intptr = &options->enable_ssh_keysign;
-		goto parse_flag;
-
-	case oIdentitiesOnly:
-		intptr = &options->identities_only;
-		goto parse_flag;
-
-	case oServerAliveInterval:
-		intptr = &options->server_alive_interval;
-		goto parse_time;
-
-	case oServerAliveCountMax:
-		intptr = &options->server_alive_count_max;
-		goto parse_int;
-
-	case oSendEnv:
-		while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
-			if (strchr(arg, '=') != NULL)
-				fatal("%s line %d: Invalid environment name.",
-				    filename, linenum);
-			if (!*activep)
-				continue;
-			if (options->num_send_env >= MAX_SEND_ENV)
-				fatal("%s line %d: too many send env.",
-				    filename, linenum);
-			options->send_env[options->num_send_env++] =
-			    xstrdup(arg);
-		}
-		break;
-
-	case oControlPath:
-		charptr = &options->control_path;
-		goto parse_string;
-
-	case oControlMaster:
-		intptr = &options->control_master;
-		arg = strdelim(&s);
-		if (!arg || *arg == '\0')
-			fatal("%.200s line %d: Missing ControlMaster argument.",
-			    filename, linenum);
-		value = 0;	/* To avoid compiler warning... */
-		if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
-			value = SSHCTL_MASTER_YES;
-		else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
-			value = SSHCTL_MASTER_NO;
-		else if (strcmp(arg, "auto") == 0)
-			value = SSHCTL_MASTER_AUTO;
-		else if (strcmp(arg, "ask") == 0)
-			value = SSHCTL_MASTER_ASK;
-		else if (strcmp(arg, "autoask") == 0)
-			value = SSHCTL_MASTER_AUTO_ASK;
-		else
-			fatal("%.200s line %d: Bad ControlMaster argument.",
-			    filename, linenum);
-		if (*activep && *intptr == -1)
-			*intptr = value;
-		break;
-
-	case oHashKnownHosts:
-		intptr = &options->hash_known_hosts;
-		goto parse_flag;
-
-	case oTunnel:
-		intptr = &options->tun_open;
-		arg = strdelim(&s);
-		if (!arg || *arg == '\0')
-			fatal("%s line %d: Missing yes/point-to-point/"
-			    "ethernet/no argument.", filename, linenum);
-		value = 0;	/* silence compiler */
-		if (strcasecmp(arg, "ethernet") == 0)
-			value = SSH_TUNMODE_ETHERNET;
-		else if (strcasecmp(arg, "point-to-point") == 0)
-			value = SSH_TUNMODE_POINTOPOINT;
-		else if (strcasecmp(arg, "yes") == 0)
-			value = SSH_TUNMODE_DEFAULT;
-		else if (strcasecmp(arg, "no") == 0)
-			value = SSH_TUNMODE_NO;
-		else
-			fatal("%s line %d: Bad yes/point-to-point/ethernet/"
-			    "no argument: %s", filename, linenum, arg);
-		if (*activep)
-			*intptr = value;
-		break;
-
-	case oTunnelDevice:
-		arg = strdelim(&s);
-		if (!arg || *arg == '\0')
-			fatal("%.200s line %d: Missing argument.", filename, linenum);
-		value = a2tun(arg, &value2);
-		if (value == SSH_TUNID_ERR)
-			fatal("%.200s line %d: Bad tun device.", filename, linenum);
-		if (*activep) {
-			options->tun_local = value;
-			options->tun_remote = value2;
-		}
-		break;
-
-	case oLocalCommand:
-		charptr = &options->local_command;
-		goto parse_command;
-
-	case oPermitLocalCommand:
-		intptr = &options->permit_local_command;
-		goto parse_flag;
-
-	case oDeprecated:
-		debug("%s line %d: Deprecated option \"%s\"",
-		    filename, linenum, keyword);
-		return 0;
-
-	case oUnsupported:
-		error("%s line %d: Unsupported option \"%s\"",
-		    filename, linenum, keyword);
-		return 0;
-
-	default:
-		fatal("process_config_line: Unimplemented opcode %d", opcode);
-	}
-
-	/* Check that there is no garbage at end of line. */
-	if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
-		fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
-		    filename, linenum, arg);
-	}
-	return 0;
-}
-
-
-/*
- * Reads the config file and modifies the options accordingly.  Options
- * should already be initialized before this call.  This never returns if
- * there is an error.  If the file does not exist, this returns 0.
- */
-
-int
-read_config_file(const char *filename, const char *host, Options *options,
-    int checkperm)
-{
-	FILE *f;
-	char line[1024];
-	int active, linenum;
-	int bad_options = 0;
-
-	/* Open the file. */
-	if ((f = fopen(filename, "r")) == NULL)
-		return 0;
-
-	if (checkperm) {
-		struct stat sb;
-
-		if (fstat(fileno(f), &sb) == -1)
-			fatal("fstat %s: %s", filename, strerror(errno));
-		if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
-		    (sb.st_mode & 022) != 0))
-			fatal("Bad owner or permissions on %s", filename);
-	}
-
-	debug("Reading configuration data %.200s", filename);
-
-	/*
-	 * Mark that we are now processing the options.  This flag is turned
-	 * on/off by Host specifications.
-	 */
-	active = 1;
-	linenum = 0;
-	while (fgets(line, sizeof(line), f)) {
-		/* Update line number counter. */
-		linenum++;
-		if (process_config_line(options, host, line, filename, linenum, &active) != 0)
-			bad_options++;
-	}
-	fclose(f);
-	if (bad_options > 0)
-		fatal("%s: terminating, %d bad configuration options",
-		    filename, bad_options);
-	return 1;
-}
-
-/*
- * Initializes options to special values that indicate that they have not yet
- * been set.  Read_config_file will only set options with this value. Options
- * are processed in the following order: command line, user config file,
- * system config file.  Last, fill_default_options is called.
- */
-
-void
-initialize_options(Options * options)
-{
-	memset(options, 'X', sizeof(*options));
-	options->forward_agent = -1;
-	options->forward_x11 = -1;
-	options->forward_x11_trusted = -1;
-	options->exit_on_forward_failure = -1;
-	options->xauth_location = NULL;
-	options->gateway_ports = -1;
-	options->use_privileged_port = -1;
-	options->rsa_authentication = -1;
-	options->pubkey_authentication = -1;
-	options->challenge_response_authentication = -1;
-	options->gss_authentication = -1;
-	options->gss_deleg_creds = -1;
-	options->password_authentication = -1;
-	options->kbd_interactive_authentication = -1;
-	options->kbd_interactive_devices = NULL;
-	options->rhosts_rsa_authentication = -1;
-	options->hostbased_authentication = -1;
-	options->batch_mode = -1;
-	options->check_host_ip = -1;
-	options->strict_host_key_checking = -1;
-	options->compression = -1;
-	options->tcp_keep_alive = -1;
-	options->compression_level = -1;
-	options->port = -1;
-	options->address_family = -1;
-	options->connection_attempts = -1;
-	options->connection_timeout = -1;
-	options->number_of_password_prompts = -1;
-	options->cipher = -1;
-	options->ciphers = NULL;
-	options->macs = NULL;
-	options->hostkeyalgorithms = NULL;
-	options->protocol = SSH_PROTO_UNKNOWN;
-	options->num_identity_files = 0;
-	options->hostname = NULL;
-	options->host_key_alias = NULL;
-	options->proxy_command = NULL;
-	options->user = NULL;
-	options->escape_char = -1;
-	options->system_hostfile = NULL;
-	options->user_hostfile = NULL;
-	options->system_hostfile2 = NULL;
-	options->user_hostfile2 = NULL;
-	options->num_local_forwards = 0;
-	options->num_remote_forwards = 0;
-	options->clear_forwardings = -1;
-	options->log_level = SYSLOG_LEVEL_NOT_SET;
-	options->preferred_authentications = NULL;
-	options->bind_address = NULL;
-	options->smartcard_device = NULL;
-	options->enable_ssh_keysign = - 1;
-	options->no_host_authentication_for_localhost = - 1;
-	options->identities_only = - 1;
-	options->rekey_limit = - 1;
-	options->verify_host_key_dns = -1;
-	options->server_alive_interval = -1;
-	options->server_alive_count_max = -1;
-	options->num_send_env = 0;
-	options->control_path = NULL;
-	options->control_master = -1;
-	options->hash_known_hosts = -1;
-	options->tun_open = -1;
-	options->tun_local = -1;
-	options->tun_remote = -1;
-	options->local_command = NULL;
-	options->permit_local_command = -1;
-}
-
-/*
- * Called after processing other sources of option data, this fills those
- * options for which no value has been specified with their default values.
- */
-
-void
-fill_default_options(Options * options)
-{
-	int len;
-
-	if (options->forward_agent == -1)
-		options->forward_agent = 0;
-	if (options->forward_x11 == -1)
-		options->forward_x11 = 0;
-	if (options->forward_x11_trusted == -1)
-		options->forward_x11_trusted = 0;
-	if (options->exit_on_forward_failure == -1)
-		options->exit_on_forward_failure = 0;
-	if (options->xauth_location == NULL)
-		options->xauth_location = _PATH_XAUTH;
-	if (options->gateway_ports == -1)
-		options->gateway_ports = 0;
-	if (options->use_privileged_port == -1)
-		options->use_privileged_port = 0;
-	if (options->rsa_authentication == -1)
-		options->rsa_authentication = 1;
-	if (options->pubkey_authentication == -1)
-		options->pubkey_authentication = 1;
-	if (options->challenge_response_authentication == -1)
-		options->challenge_response_authentication = 1;
-	if (options->gss_authentication == -1)
-		options->gss_authentication = 0;
-	if (options->gss_deleg_creds == -1)
-		options->gss_deleg_creds = 0;
-	if (options->password_authentication == -1)
-		options->password_authentication = 1;
-	if (options->kbd_interactive_authentication == -1)
-		options->kbd_interactive_authentication = 1;
-	if (options->rhosts_rsa_authentication == -1)
-		options->rhosts_rsa_authentication = 0;
-	if (options->hostbased_authentication == -1)
-		options->hostbased_authentication = 0;
-	if (options->batch_mode == -1)
-		options->batch_mode = 0;
-	if (options->check_host_ip == -1)
-		options->check_host_ip = 1;
-	if (options->strict_host_key_checking == -1)
-		options->strict_host_key_checking = 2;	/* 2 is default */
-	if (options->compression == -1)
-		options->compression = 0;
-	if (options->tcp_keep_alive == -1)
-		options->tcp_keep_alive = 1;
-	if (options->compression_level == -1)
-		options->compression_level = 6;
-	if (options->port == -1)
-		options->port = 0;	/* Filled in ssh_connect. */
-	if (options->address_family == -1)
-		options->address_family = AF_UNSPEC;
-	if (options->connection_attempts == -1)
-		options->connection_attempts = 1;
-	if (options->number_of_password_prompts == -1)
-		options->number_of_password_prompts = 3;
-	/* Selected in ssh_login(). */
-	if (options->cipher == -1)
-		options->cipher = SSH_CIPHER_NOT_SET;
-	/* options->ciphers, default set in myproposals.h */
-	/* options->macs, default set in myproposals.h */
-	/* options->hostkeyalgorithms, default set in myproposals.h */
-	if (options->protocol == SSH_PROTO_UNKNOWN)
-		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
-	if (options->num_identity_files == 0) {
-		if (options->protocol & SSH_PROTO_1) {
-			len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
-			options->identity_files[options->num_identity_files] =
-			    xmalloc(len);
-			snprintf(options->identity_files[options->num_identity_files++],
-			    len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
-		}
-		if (options->protocol & SSH_PROTO_2) {
-			len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
-			options->identity_files[options->num_identity_files] =
-			    xmalloc(len);
-			snprintf(options->identity_files[options->num_identity_files++],
-			    len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
-
-			len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
-			options->identity_files[options->num_identity_files] =
-			    xmalloc(len);
-			snprintf(options->identity_files[options->num_identity_files++],
-			    len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
-		}
-	}
-	if (options->escape_char == -1)
-		options->escape_char = '~';
-	if (options->system_hostfile == NULL)
-		options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
-	if (options->user_hostfile == NULL)
-		options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
-	if (options->system_hostfile2 == NULL)
-		options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
-	if (options->user_hostfile2 == NULL)
-		options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
-	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
-		options->log_level = SYSLOG_LEVEL_INFO;
-	if (options->clear_forwardings == 1)
-		clear_forwardings(options);
-	if (options->no_host_authentication_for_localhost == - 1)
-		options->no_host_authentication_for_localhost = 0;
-	if (options->identities_only == -1)
-		options->identities_only = 0;
-	if (options->enable_ssh_keysign == -1)
-		options->enable_ssh_keysign = 0;
-	if (options->rekey_limit == -1)
-		options->rekey_limit = 0;
-	if (options->verify_host_key_dns == -1)
-		options->verify_host_key_dns = 0;
-	if (options->server_alive_interval == -1)
-		options->server_alive_interval = 0;
-	if (options->server_alive_count_max == -1)
-		options->server_alive_count_max = 3;
-	if (options->control_master == -1)
-		options->control_master = 0;
-	if (options->hash_known_hosts == -1)
-		options->hash_known_hosts = 0;
-	if (options->tun_open == -1)
-		options->tun_open = SSH_TUNMODE_NO;
-	if (options->tun_local == -1)
-		options->tun_local = SSH_TUNID_ANY;
-	if (options->tun_remote == -1)
-		options->tun_remote = SSH_TUNID_ANY;
-	if (options->permit_local_command == -1)
-		options->permit_local_command = 0;
-	/* options->local_command should not be set by default */
-	/* options->proxy_command should not be set by default */
-	/* options->user will be set in the main program if appropriate */
-	/* options->hostname will be set in the main program if appropriate */
-	/* options->host_key_alias should not be set by default */
-	/* options->preferred_authentications will be set in ssh */
-}
-
-/*
- * parse_forward
- * parses a string containing a port forwarding specification of the form:
- *	[listenhost:]listenport:connecthost:connectport
- * returns number of arguments parsed or zero on error
- */
-int
-parse_forward(Forward *fwd, const char *fwdspec)
-{
-	int i;
-	char *p, *cp, *fwdarg[4];
-
-	memset(fwd, '\0', sizeof(*fwd));
-
-	cp = p = xstrdup(fwdspec);
-
-	/* skip leading spaces */
-	while (*cp && isspace(*cp))
-		cp++;
-
-	for (i = 0; i < 4; ++i)
-		if ((fwdarg[i] = hpdelim(&cp)) == NULL)
-			break;
-
-	/* Check for trailing garbage in 4-arg case*/
-	if (cp != NULL)
-		i = 0;	/* failure */
-
-	switch (i) {
-	case 3:
-		fwd->listen_host = NULL;
-		fwd->listen_port = a2port(fwdarg[0]);
-		fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
-		fwd->connect_port = a2port(fwdarg[2]);
-		break;
-
-	case 4:
-		fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
-		fwd->listen_port = a2port(fwdarg[1]);
-		fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
-		fwd->connect_port = a2port(fwdarg[3]);
-		break;
-	default:
-		i = 0; /* failure */
-	}
-
-	xfree(p);
-
-	if (fwd->listen_port == 0 && fwd->connect_port == 0)
-		goto fail_free;
-
-	if (fwd->connect_host != NULL &&
-	    strlen(fwd->connect_host) >= NI_MAXHOST)
-		goto fail_free;
-
-	return (i);
-
- fail_free:
-	if (fwd->connect_host != NULL)
-		xfree(fwd->connect_host);
-	if (fwd->listen_host != NULL)
-		xfree(fwd->listen_host);
-	return (0);
-}
diff --git a/crypto/openssh/readconf.h b/crypto/openssh/readconf.h
deleted file mode 100644
index d484f25..0000000
--- a/crypto/openssh/readconf.h
+++ /dev/null
@@ -1,143 +0,0 @@
-/* $OpenBSD: readconf.h,v 1.71 2006/08/03 03:34:42 deraadt Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Functions for reading the configuration file.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#ifndef READCONF_H
-#define READCONF_H
-
-/* Data structure for representing a forwarding request. */
-
-typedef struct {
-	char	 *listen_host;		/* Host (address) to listen on. */
-	u_short	  listen_port;		/* Port to forward. */
-	char	 *connect_host;		/* Host to connect. */
-	u_short	  connect_port;		/* Port to connect on connect_host. */
-}       Forward;
-/* Data structure for representing option data. */
-
-#define MAX_SEND_ENV	256
-
-typedef struct {
-	int     forward_agent;	/* Forward authentication agent. */
-	int     forward_x11;	/* Forward X11 display. */
-	int     forward_x11_trusted;	/* Trust Forward X11 display. */
-	int     exit_on_forward_failure;	/* Exit if bind(2) fails for -L/-R */
-	char   *xauth_location;	/* Location for xauth program */
-	int     gateway_ports;	/* Allow remote connects to forwarded ports. */
-	int     use_privileged_port;	/* Don't use privileged port if false. */
-	int     rhosts_rsa_authentication;	/* Try rhosts with RSA
-						 * authentication. */
-	int     rsa_authentication;	/* Try RSA authentication. */
-	int     pubkey_authentication;	/* Try ssh2 pubkey authentication. */
-	int     hostbased_authentication;	/* ssh2's rhosts_rsa */
-	int     challenge_response_authentication;
-					/* Try S/Key or TIS, authentication. */
-	int     gss_authentication;	/* Try GSS authentication */
-	int     gss_deleg_creds;	/* Delegate GSS credentials */
-	int     password_authentication;	/* Try password
-						 * authentication. */
-	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-	char	*kbd_interactive_devices; /* Keyboard-interactive auth devices. */
-	int     batch_mode;	/* Batch mode: do not ask for passwords. */
-	int     check_host_ip;	/* Also keep track of keys for IP address */
-	int     strict_host_key_checking;	/* Strict host key checking. */
-	int     compression;	/* Compress packets in both directions. */
-	int     compression_level;	/* Compression level 1 (fast) to 9
-					 * (best). */
-	int     tcp_keep_alive;	/* Set SO_KEEPALIVE. */
-	LogLevel log_level;	/* Level for logging. */
-
-	int     port;		/* Port to connect. */
-	int     address_family;
-	int     connection_attempts;	/* Max attempts (seconds) before
-					 * giving up */
-	int     connection_timeout;	/* Max time (seconds) before
-					 * aborting connection attempt */
-	int     number_of_password_prompts;	/* Max number of password
-						 * prompts. */
-	int     cipher;		/* Cipher to use. */
-	char   *ciphers;	/* SSH2 ciphers in order of preference. */
-	char   *macs;		/* SSH2 macs in order of preference. */
-	char   *hostkeyalgorithms;	/* SSH2 server key types in order of preference. */
-	int	protocol;	/* Protocol in order of preference. */
-	char   *hostname;	/* Real host to connect. */
-	char   *host_key_alias;	/* hostname alias for .ssh/known_hosts */
-	char   *proxy_command;	/* Proxy command for connecting the host. */
-	char   *user;		/* User to log in as. */
-	int     escape_char;	/* Escape character; -2 = none */
-
-	char   *system_hostfile;/* Path for /etc/ssh/ssh_known_hosts. */
-	char   *user_hostfile;	/* Path for $HOME/.ssh/known_hosts. */
-	char   *system_hostfile2;
-	char   *user_hostfile2;
-	char   *preferred_authentications;
-	char   *bind_address;	/* local socket address for connection to sshd */
-	char   *smartcard_device; /* Smartcard reader device */
-	int	verify_host_key_dns;	/* Verify host key using DNS */
-
-	int     num_identity_files;	/* Number of files for RSA/DSA identities. */
-	char   *identity_files[SSH_MAX_IDENTITY_FILES];
-	Key    *identity_keys[SSH_MAX_IDENTITY_FILES];
-
-	/* Local TCP/IP forward requests. */
-	int     num_local_forwards;
-	Forward local_forwards[SSH_MAX_FORWARDS_PER_DIRECTION];
-
-	/* Remote TCP/IP forward requests. */
-	int     num_remote_forwards;
-	Forward remote_forwards[SSH_MAX_FORWARDS_PER_DIRECTION];
-	int	clear_forwardings;
-
-	int	enable_ssh_keysign;
-	int	rekey_limit;
-	int	no_host_authentication_for_localhost;
-	int	identities_only;
-	int	server_alive_interval;
-	int	server_alive_count_max;
-
-	int     num_send_env;
-	char   *send_env[MAX_SEND_ENV];
-
-	char	*control_path;
-	int	control_master;
-
-	int	hash_known_hosts;
-
-	int	tun_open;	/* tun(4) */
-	int     tun_local;	/* force tun device (optional) */
-	int     tun_remote;	/* force tun device (optional) */
-
-	char	*local_command;
-	int	permit_local_command;
-
-}       Options;
-
-#define SSHCTL_MASTER_NO	0
-#define SSHCTL_MASTER_YES	1
-#define SSHCTL_MASTER_AUTO	2
-#define SSHCTL_MASTER_ASK	3
-#define SSHCTL_MASTER_AUTO_ASK	4
-
-void     initialize_options(Options *);
-void     fill_default_options(Options *);
-int	 read_config_file(const char *, const char *, Options *, int);
-int	 parse_forward(Forward *, const char *);
-
-int
-process_config_line(Options *, const char *, char *, const char *, int, int *);
-
-void	 add_local_forward(Options *, const Forward *);
-void	 add_remote_forward(Options *, const Forward *);
-
-#endif				/* READCONF_H */
diff --git a/crypto/openssh/readpass.c b/crypto/openssh/readpass.c
deleted file mode 100644
index bd144c2..0000000
--- a/crypto/openssh/readpass.c
+++ /dev/null
@@ -1,188 +0,0 @@
-/* $OpenBSD: readpass.c,v 1.47 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/wait.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#ifdef HAVE_PATHS_H
-# include <paths.h>
-#endif
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "xmalloc.h"
-#include "misc.h"
-#include "pathnames.h"
-#include "log.h"
-#include "ssh.h"
-#include "uidswap.h"
-
-static char *
-ssh_askpass(char *askpass, const char *msg)
-{
-	pid_t pid;
-	size_t len;
-	char *pass;
-	int p[2], status, ret;
-	char buf[1024];
-
-	if (fflush(stdout) != 0)
-		error("ssh_askpass: fflush: %s", strerror(errno));
-	if (askpass == NULL)
-		fatal("internal error: askpass undefined");
-	if (pipe(p) < 0) {
-		error("ssh_askpass: pipe: %s", strerror(errno));
-		return NULL;
-	}
-	if ((pid = fork()) < 0) {
-		error("ssh_askpass: fork: %s", strerror(errno));
-		return NULL;
-	}
-	if (pid == 0) {
-		permanently_drop_suid(getuid());
-		close(p[0]);
-		if (dup2(p[1], STDOUT_FILENO) < 0)
-			fatal("ssh_askpass: dup2: %s", strerror(errno));
-		execlp(askpass, askpass, msg, (char *) 0);
-		fatal("ssh_askpass: exec(%s): %s", askpass, strerror(errno));
-	}
-	close(p[1]);
-
-	len = ret = 0;
-	do {
-		ret = read(p[0], buf + len, sizeof(buf) - 1 - len);
-		if (ret == -1 && errno == EINTR)
-			continue;
-		if (ret <= 0)
-			break;
-		len += ret;
-	} while (sizeof(buf) - 1 - len > 0);
-	buf[len] = '\0';
-
-	close(p[0]);
-	while (waitpid(pid, &status, 0) < 0)
-		if (errno != EINTR)
-			break;
-
-	if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
-		memset(buf, 0, sizeof(buf));
-		return NULL;
-	}
-
-	buf[strcspn(buf, "\r\n")] = '\0';
-	pass = xstrdup(buf);
-	memset(buf, 0, sizeof(buf));
-	return pass;
-}
-
-/*
- * Reads a passphrase from /dev/tty with echo turned off/on.  Returns the
- * passphrase (allocated with xmalloc).  Exits if EOF is encountered. If
- * RP_ALLOW_STDIN is set, the passphrase will be read from stdin if no
- * tty is available
- */
-char *
-read_passphrase(const char *prompt, int flags)
-{
-	char *askpass = NULL, *ret, buf[1024];
-	int rppflags, use_askpass = 0, ttyfd;
-
-	rppflags = (flags & RP_ECHO) ? RPP_ECHO_ON : RPP_ECHO_OFF;
-	if (flags & RP_USE_ASKPASS)
-		use_askpass = 1;
-	else if (flags & RP_ALLOW_STDIN) {
-		if (!isatty(STDIN_FILENO)) {
-			debug("read_passphrase: stdin is not a tty");
-			use_askpass = 1;
-		}
-	} else {
-		rppflags |= RPP_REQUIRE_TTY;
-		ttyfd = open(_PATH_TTY, O_RDWR);
-		if (ttyfd >= 0)
-			close(ttyfd);
-		else {
-			debug("read_passphrase: can't open %s: %s", _PATH_TTY,
-			    strerror(errno));
-			use_askpass = 1;
-		}
-	}
-
-	if ((flags & RP_USE_ASKPASS) && getenv("DISPLAY") == NULL)
-		return (flags & RP_ALLOW_EOF) ? NULL : xstrdup("");
-
-	if (use_askpass && getenv("DISPLAY")) {
-		if (getenv(SSH_ASKPASS_ENV))
-			askpass = getenv(SSH_ASKPASS_ENV);
-		else
-			askpass = _PATH_SSH_ASKPASS_DEFAULT;
-		if ((ret = ssh_askpass(askpass, prompt)) == NULL)
-			if (!(flags & RP_ALLOW_EOF))
-				return xstrdup("");
-		return ret;
-	}
-
-	if (readpassphrase(prompt, buf, sizeof buf, rppflags) == NULL) {
-		if (flags & RP_ALLOW_EOF)
-			return NULL;
-		return xstrdup("");
-	}
-
-	ret = xstrdup(buf);
-	memset(buf, 'x', sizeof buf);
-	return ret;
-}
-
-int
-ask_permission(const char *fmt, ...)
-{
-	va_list args;
-	char *p, prompt[1024];
-	int allowed = 0;
-
-	va_start(args, fmt);
-	vsnprintf(prompt, sizeof(prompt), fmt, args);
-	va_end(args);
-
-	p = read_passphrase(prompt, RP_USE_ASKPASS|RP_ALLOW_EOF);
-	if (p != NULL) {
-		/*
-		 * Accept empty responses and responses consisting
-		 * of the word "yes" as affirmative.
-		 */
-		if (*p == '\0' || *p == '\n' ||
-		    strcasecmp(p, "yes") == 0)
-			allowed = 1;
-		xfree(p);
-	}
-
-	return (allowed);
-}
diff --git a/crypto/openssh/regress/Makefile b/crypto/openssh/regress/Makefile
deleted file mode 100644
index 5399563..0000000
--- a/crypto/openssh/regress/Makefile
+++ /dev/null
@@ -1,98 +0,0 @@
-#	$OpenBSD: Makefile,v 1.42 2006/07/19 13:34:52 dtucker Exp $
-
-REGRESS_TARGETS=	t1 t2 t3 t4 t5 t6 t7 t-exec
-tests:		$(REGRESS_TARGETS)
-
-clean:
-	for F in $(CLEANFILES); do rm -f $(OBJ)$$F; done
-distclean:	clean
-
-LTESTS= 	connect \
-		proxy-connect \
-		connect-privsep \
-		proto-version \
-		proto-mismatch \
-		exit-status \
-		envpass \
-		transfer \
-		banner \
-		rekey \
-		stderr-data \
-		stderr-after-eof \
-		broken-pipe \
-		try-ciphers \
-		yes-head \
-		login-timeout \
-		agent \
-		agent-getpeereid \
-		agent-timeout \
-		agent-ptrace \
-		keyscan \
-		keygen-change \
-		scp \
-		sftp \
-		sftp-cmds \
-		sftp-badcmds \
-		sftp-batch \
-		sftp-glob \
-		reconfigure \
-		dynamic-forward \
-		forwarding \
-		multiplex \
-		reexec \
-		brokenkeys \
-		cfgmatch \
-		forcecommand
-
-USER!=		id -un
-CLEANFILES=	t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
-		authorized_keys_${USER} known_hosts pidfile \
-		ssh_config sshd_config.orig ssh_proxy sshd_config sshd_proxy \
-		rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \
-		rsa-agent rsa-agent.pub rsa1-agent rsa1-agent.pub \
-		ls.copy banner.in banner.out empty.in \
-		scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \
-		sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv
-
-#LTESTS +=	ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
-
-t1:
-	ssh-keygen -if ${.CURDIR}/rsa_ssh2.prv | diff - ${.CURDIR}/rsa_openssh.prv
-
-t2:
-	cat ${.CURDIR}/rsa_openssh.prv > $(OBJ)/t2.out
-	chmod 600 $(OBJ)/t2.out
-	ssh-keygen -yf $(OBJ)/t2.out | diff - ${.CURDIR}/rsa_openssh.pub
-
-t3:
-	ssh-keygen -ef ${.CURDIR}/rsa_openssh.pub >$(OBJ)/rsa_secsh.pub
-	ssh-keygen -if $(OBJ)/rsa_secsh.pub | diff - ${.CURDIR}/rsa_openssh.pub
-	rm -f ${.CURDIR}/rsa_secsh.pub
-
-t4:
-	ssh-keygen -lf ${.CURDIR}/rsa_openssh.pub |\
-		awk '{print $$2}' | diff - ${.CURDIR}/t4.ok
-
-t5:
-	ssh-keygen -Bf ${.CURDIR}/rsa_openssh.pub |\
-		awk '{print $$2}' | diff - ${.CURDIR}/t5.ok
-
-t6:
-	ssh-keygen -if ${.CURDIR}/dsa_ssh2.prv > $(OBJ)/t6.out1
-	ssh-keygen -if ${.CURDIR}/dsa_ssh2.pub > $(OBJ)/t6.out2
-	chmod 600 $(OBJ)/t6.out1
-	ssh-keygen -yf $(OBJ)/t6.out1 | diff - $(OBJ)/t6.out2
-
-$(OBJ)/t7.out:
-	ssh-keygen -q -t rsa -N '' -f $@
-
-t7: $(OBJ)/t7.out
-	ssh-keygen -lf $(OBJ)/t7.out > /dev/null
-	ssh-keygen -Bf $(OBJ)/t7.out > /dev/null
-
-t-exec:	${LTESTS:=.sh}
-	@if [ "x$?" = "x" ]; then exit 0; fi; \
-	for TEST in ""$?; do \
-		echo "run test $${TEST}" ... 1>&2; \
-		(env SUDO=${SUDO} sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \
-	done
diff --git a/crypto/openssh/regress/README.regress b/crypto/openssh/regress/README.regress
deleted file mode 100644
index 5aaf734..0000000
--- a/crypto/openssh/regress/README.regress
+++ /dev/null
@@ -1,108 +0,0 @@
-Overview.
-
-$ ./configure && make tests
-
-You'll see some progress info. A failure will cause either the make to
-abort or the driver script to report a "FATAL" failure.
-
-The test consists of 2 parts. The first is the file-based tests which is
-driven by the Makefile, and the second is a set of network or proxycommand
-based tests, which are driven by a driver script (test-exec.sh) which is
-called multiple times by the Makefile.
-
-Failures in the first part will cause the Makefile to return an error.
-Failures in the second part will print a "FATAL" message for the failed
-test and continue.
-
-OpenBSD has a system-wide regression test suite. OpenSSH Portable's test
-suite is based on OpenBSD's with modifications.
-
-
-Environment variables.
-
-SUDO: path to sudo command, if desired. Note that some systems (notably
-	systems using PAM) require sudo to execute some tests.
-TEST_SSH_TRACE: set to "yes" for verbose output from tests 
-TEST_SSH_QUIET: set to "yes" to suppress non-fatal output.
-TEST_SSH_x: path to "ssh" command under test, where x=SSH,SSHD,SSHAGENT,SSHADD
-	SSHKEYGEN,SSHKEYSCAN,SFTP,SFTPSERVER
-OBJ: used by test scripts to access build dir.
-TEST_SHELL: shell used for running the test scripts.
-TEST_SSH_PORT: TCP port to be used for the listening tests.
-TEST_SSH_SSH_CONFOTPS: Configuration directives to be added to ssh_config
-	before running each test.
-TEST_SSH_SSHD_CONFOTPS: Configuration directives to be added to sshd_config
-	before running each test.
-
-
-Individual tests.
-
-You can run an individual test from the top-level Makefile, eg:
-$ make tests LTESTS=agent-timeout
-
-If you need to manipulate the environment more you can invoke test-exec.sh
-directly if you set up the path to find the binaries under test and the
-test scripts themselves, for example:
-
-$ cd regress
-$ PATH=`pwd`/..:$PATH:. TEST_SHELL=/bin/sh sh test-exec.sh `pwd` \
-    agent-timeout.sh
-ok agent timeout test
-
-
-Files.
-
-test-exec.sh: the main test driver. Sets environment, creates config files
-and keys and runs the specified test.
-
-At the time of writing, the individual tests are:
-agent-timeout.sh:	agent timeout test
-agent.sh:		simple agent test
-broken-pipe.sh:		broken pipe test
-connect-privsep.sh:	proxy connect with privsep
-connect.sh:		simple connect
-exit-status.sh:		remote exit status
-forwarding.sh:		local and remote forwarding
-keygen-change.sh:	change passphrase for key
-keyscan.sh:		keyscan
-proto-mismatch.sh:	protocol version mismatch
-proto-version.sh:	sshd version with different protocol combinations
-proxy-connect.sh:	proxy connect
-sftp.sh:		basic sftp put/get
-ssh-com-client.sh:	connect with ssh.com client
-ssh-com-keygen.sh:	ssh.com key import
-ssh-com-sftp.sh:	basic sftp put/get with ssh.com server
-ssh-com.sh:		connect to ssh.com server
-stderr-after-eof.sh:	stderr data after eof
-stderr-data.sh:		stderr data transfer
-transfer.sh:		transfer data
-try-ciphers.sh:		try ciphers
-yes-head.sh:		yes pipe head
-
-
-Problems?
-
-Run the failing test with shell tracing (-x) turned on:
-$ PATH=`pwd`/..:$PATH:. sh -x test-exec.sh `pwd` agent-timeout.sh
-
-Failed tests can be difficult to diagnose. Suggestions:
-- run the individual test via ./test-exec.sh `pwd` [testname]
-- set LogLevel to VERBOSE in test-exec.sh and enable syslogging of
-  auth.debug (eg to /var/log/authlog).
-
-
-Known Issues.
-
-- If your build requires ssh-rand-helper regress tests will fail
-  unless ssh-rand-helper is in pre-installed (the path to
-  ssh-rand-helper is hard coded).
-
-- Similarly, if you do not have "scp" in your system's $PATH then the
-  multiplex scp tests will fail (since the system's shell startup scripts
-  will determine where the shell started by sshd will look for scp).
-
-- Recent GNU coreutils deprecate "head -[n]": this will cause the yes-head
-  test to fail.  The old behaviour can be restored by setting (and
-  exporting) _POSIX2_VERSION=199209 before running the tests.
-
-$Id: README.regress,v 1.10 2005/10/03 10:14:18 dtucker Exp $
diff --git a/crypto/openssh/regress/agent-getpeereid.sh b/crypto/openssh/regress/agent-getpeereid.sh
deleted file mode 100644
index e5fcedd..0000000
--- a/crypto/openssh/regress/agent-getpeereid.sh
+++ /dev/null
@@ -1,45 +0,0 @@
-#	$OpenBSD: agent-getpeereid.sh,v 1.3 2006/07/06 12:01:53 grunk Exp $
-#	Placed in the Public Domain.
-
-tid="disallow agent attach from other uid"
-
-UNPRIV=nobody
-ASOCK=${OBJ}/agent
-SSH_AUTH_SOCK=/nonexistant
-
-if grep "#undef.*HAVE_GETPEEREID" ${BUILDDIR}/config.h >/dev/null 2>&1
-then
-	echo "skipped (not supported on this platform)"
-	exit 0
-fi
-if [ -z "$SUDO" ]; then
-	echo "skipped: need SUDO to switch to uid $UNPRIV"
-	exit 0
-fi
-
-
-trace "start agent"
-eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null
-r=$?
-if [ $r -ne 0 ]; then
-	fail "could not start ssh-agent: exit code $r"
-else
-	chmod 644 ${SSH_AUTH_SOCK}
-
-	ssh-add -l > /dev/null 2>&1
-	r=$?
-	if [ $r -ne 1 ]; then
-		fail "ssh-add failed with $r != 1"
-	fi
-
-	< /dev/null ${SUDO} -S -u ${UNPRIV} ssh-add -l > /dev/null 2>&1
-	r=$?
-	if [ $r -lt 2 ]; then
-		fail "ssh-add did not fail for ${UNPRIV}: $r < 2"
-	fi
-
-	trace "kill agent"
-	${SSHAGENT} -k > /dev/null
-fi
-
-rm -f ${OBJ}/agent
diff --git a/crypto/openssh/regress/agent-ptrace.sh b/crypto/openssh/regress/agent-ptrace.sh
deleted file mode 100644
index 4de2638..0000000
--- a/crypto/openssh/regress/agent-ptrace.sh
+++ /dev/null
@@ -1,53 +0,0 @@
-#	$OpenBSD: agent-ptrace.sh,v 1.1 2002/12/09 15:38:30 markus Exp $
-#	Placed in the Public Domain.
-
-tid="disallow agent ptrace attach"
-
-if have_prog uname ; then
-	case `uname` in
-	AIX|CYGWIN*|OSF1)
-		echo "skipped (not supported on this platform)"
-		exit 0
-		;;
-	esac
-fi
-
-if have_prog gdb ; then
-	: ok
-else
-	echo "skipped (gdb not found)"
-	exit 0
-fi
-
-if test -z "$SUDO" ; then
-	echo "skipped (SUDO not set)"
-	exit 0
-else
-	$SUDO chown 0 ${SSHAGENT}
-	$SUDO chgrp 0 ${SSHAGENT}
-	$SUDO chmod 2755 ${SSHAGENT}
-fi
-
-trace "start agent"
-eval `${SSHAGENT} -s` > /dev/null
-r=$?
-if [ $r -ne 0 ]; then
-	fail "could not start ssh-agent: exit code $r"
-else
-	# ls -l ${SSH_AUTH_SOCK}
-	gdb ${SSHAGENT} ${SSH_AGENT_PID} > ${OBJ}/gdb.out 2>&1 << EOF
-		quit
-EOF
-	if [ $? -ne 0 ]; then
-		fail "gdb failed: exit code $?"
-	fi
-	egrep 'ptrace: Operation not permitted.|procfs:.*Permission denied.|ttrace attach: Permission denied.|procfs:.*: Invalid argument.' >/dev/null ${OBJ}/gdb.out
-	r=$?
-	rm -f ${OBJ}/gdb.out
-	if [ $r -ne 0 ]; then
-		fail "ptrace succeeded?: exit code $r"
-	fi
-
-	trace "kill agent"
-	${SSHAGENT} -k > /dev/null
-fi
diff --git a/crypto/openssh/regress/agent-timeout.sh b/crypto/openssh/regress/agent-timeout.sh
deleted file mode 100644
index 3a40e7a..0000000
--- a/crypto/openssh/regress/agent-timeout.sh
+++ /dev/null
@@ -1,36 +0,0 @@
-#	$OpenBSD: agent-timeout.sh,v 1.1 2002/06/06 00:38:40 markus Exp $
-#	Placed in the Public Domain.
-
-tid="agent timeout test"
-
-SSHAGENT_TIMEOUT=10
-
-trace "start agent"
-eval `${SSHAGENT} -s` > /dev/null
-r=$?
-if [ $r -ne 0 ]; then
-	fail "could not start ssh-agent: exit code $r"
-else
-	trace "add keys with timeout"
-	for t in rsa rsa1; do
-		${SSHADD} -t ${SSHAGENT_TIMEOUT} $OBJ/$t > /dev/null 2>&1
-		if [ $? -ne 0 ]; then
-			fail "ssh-add did succeed exit code 0"
-		fi
-	done
-	n=`${SSHADD} -l 2> /dev/null | wc -l`
-	trace "agent has $n keys"
-	if [ $n -ne 2 ]; then
-		fail "ssh-add -l did not return 2 keys: $n"
-	fi
-	trace "sleeping 2*${SSHAGENT_TIMEOUT} seconds"
-	sleep ${SSHAGENT_TIMEOUT}
-	sleep ${SSHAGENT_TIMEOUT}
-	${SSHADD} -l 2> /dev/null | grep 'The agent has no identities.' >/dev/null
-	if [ $? -ne 0 ]; then
-		fail "ssh-add -l still returns keys after timeout"
-	fi
-
-	trace "kill agent"
-	${SSHAGENT} -k > /dev/null
-fi
diff --git a/crypto/openssh/regress/agent.sh b/crypto/openssh/regress/agent.sh
deleted file mode 100644
index b344877..0000000
--- a/crypto/openssh/regress/agent.sh
+++ /dev/null
@@ -1,75 +0,0 @@
-#	$OpenBSD: agent.sh,v 1.6 2002/03/15 13:08:56 markus Exp $
-#	Placed in the Public Domain.
-
-tid="simple agent test"
-
-SSH_AUTH_SOCK=/nonexistant ${SSHADD} -l > /dev/null 2>&1
-if [ $? -ne 2 ]; then
-	fail "ssh-add -l did not fail with exit code 2"
-fi
-
-trace "start agent"
-eval `${SSHAGENT} -s` > /dev/null
-r=$?
-if [ $r -ne 0 ]; then
-	fail "could not start ssh-agent: exit code $r"
-else
-	${SSHADD} -l > /dev/null 2>&1
-	if [ $? -ne 1 ]; then
-		fail "ssh-add -l did not fail with exit code 1"
-	fi
-	trace "overwrite authorized keys"
-	echon > $OBJ/authorized_keys_$USER
-	for t in rsa rsa1; do
-		# generate user key for agent
-		rm -f $OBJ/$t-agent
-		${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t-agent ||\
-			 fail "ssh-keygen for $t-agent failed"
-		# add to authorized keys
-		cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER
-		# add privat key to agent
-		${SSHADD} $OBJ/$t-agent > /dev/null 2>&1
-		if [ $? -ne 0 ]; then
-			fail "ssh-add did succeed exit code 0"
-		fi
-	done
-	${SSHADD} -l > /dev/null 2>&1
-	if [ $? -ne 0 ]; then
-		fail "ssh-add -l failed: exit code $?"
-	fi
-	# the same for full pubkey output
-	${SSHADD} -L > /dev/null 2>&1
-	if [ $? -ne 0 ]; then
-		fail "ssh-add -L failed: exit code $?"
-	fi
-
-	trace "simple connect via agent"
-	for p in 1 2; do
-		${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p
-		if [ $? -ne 5$p ]; then
-			fail "ssh connect with protocol $p failed (exit code $?)"
-		fi
-	done
-
-	trace "agent forwarding"
-	for p in 1 2; do
-		${SSH} -A -$p -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
-		if [ $? -ne 0 ]; then
-			fail "ssh-add -l via agent fwd proto $p failed (exit code $?)"
-		fi
-		${SSH} -A -$p -F $OBJ/ssh_proxy somehost \
-			"${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p"
-		if [ $? -ne 5$p ]; then
-			fail "agent fwd proto $p failed (exit code $?)"
-		fi
-	done
-
-	trace "delete all agent keys"
-	${SSHADD} -D > /dev/null 2>&1
-	if [ $? -ne 0 ]; then
-		fail "ssh-add -D failed: exit code $?"
-	fi
-
-	trace "kill agent"
-	${SSHAGENT} -k > /dev/null
-fi
diff --git a/crypto/openssh/regress/banner.sh b/crypto/openssh/regress/banner.sh
deleted file mode 100644
index 0b9c950..0000000
--- a/crypto/openssh/regress/banner.sh
+++ /dev/null
@@ -1,44 +0,0 @@
-#	$OpenBSD: banner.sh,v 1.2 2003/10/11 11:49:49 dtucker Exp $
-#	Placed in the Public Domain.
-
-tid="banner"
-echo "Banner $OBJ/banner.in" >> $OBJ/sshd_proxy
-
-rm -f $OBJ/banner.out $OBJ/banner.in $OBJ/empty.in
-touch $OBJ/empty.in
-
-trace "test missing banner file"
-verbose "test $tid: missing banner file"
-( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
-	cmp $OBJ/empty.in $OBJ/banner.out ) || \
-	fail "missing banner file"
-
-for s in 0 10 100 1000 10000 100000 ; do
-	if [ "$s" = "0" ]; then
-		# create empty banner
-		touch $OBJ/banner.in
-	elif [ "$s" = "10" ]; then
-		# create 10-byte banner file
-		echo "abcdefghi" >$OBJ/banner.in
-	else
-		# increase size 10x
-		cp $OBJ/banner.in $OBJ/banner.out
-		for i in 0 1 2 3 4 5 6 7 8 ; do
-			cat $OBJ/banner.out >> $OBJ/banner.in
-		done
-	fi
-
-	trace "test banner size $s"
-	verbose "test $tid: size $s"
-	( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
-		cmp $OBJ/banner.in $OBJ/banner.out ) || \
-		fail "banner size $s mismatch"
-done
-
-trace "test suppress banner (-q)"
-verbose "test $tid: suppress banner (-q)"
-( ${SSH} -q -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
-	cmp $OBJ/empty.in $OBJ/banner.out ) || \
-	fail "suppress banner (-q)"
-
-rm -f $OBJ/banner.out $OBJ/banner.in $OBJ/empty.in
diff --git a/crypto/openssh/regress/broken-pipe.sh b/crypto/openssh/regress/broken-pipe.sh
deleted file mode 100644
index c08c849..0000000
--- a/crypto/openssh/regress/broken-pipe.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#	$OpenBSD: broken-pipe.sh,v 1.4 2002/03/15 13:08:56 markus Exp $
-#	Placed in the Public Domain.
-
-tid="broken pipe test"
-
-for p in 1 2; do
-	trace "protocol $p"
-	for i in 1 2 3 4; do
-		${SSH} -$p -F $OBJ/ssh_config_config nexthost echo $i 2> /dev/null | true
-		r=$?
-		if [ $r -ne 0 ]; then
-			fail "broken pipe returns $r for protocol $p"
-		fi
-	done
-done
diff --git a/crypto/openssh/regress/brokenkeys.sh b/crypto/openssh/regress/brokenkeys.sh
deleted file mode 100644
index 3e70c34..0000000
--- a/crypto/openssh/regress/brokenkeys.sh
+++ /dev/null
@@ -1,23 +0,0 @@
-#	$OpenBSD: brokenkeys.sh,v 1.1 2004/10/29 23:59:22 djm Exp $
-#	Placed in the Public Domain.
-
-tid="broken keys"
-
-KEYS="$OBJ/authorized_keys_${USER}"
-
-start_sshd
-
-mv ${KEYS} ${KEYS}.bak
-
-# Truncated key
-echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEABTM= bad key" > $KEYS
-cat ${KEYS}.bak >> ${KEYS}
-cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
-
-${SSH} -2 -F $OBJ/ssh_config somehost true
-if [ $? -ne 0 ]; then
-	fail "ssh connect with protocol $p failed"
-fi
-
-mv ${KEYS}.bak ${KEYS}
-
diff --git a/crypto/openssh/regress/bsd.regress.mk b/crypto/openssh/regress/bsd.regress.mk
deleted file mode 100644
index 9b8011a..0000000
--- a/crypto/openssh/regress/bsd.regress.mk
+++ /dev/null
@@ -1,79 +0,0 @@
-#	$OpenBSD: bsd.regress.mk,v 1.9 2002/02/17 01:10:15 marc Exp $
-# No man pages for regression tests.
-NOMAN=
-
-# No installation.
-install:
-
-# If REGRESSTARGETS is defined and PROG is not defined, set NOPROG
-.if defined(REGRESSTARGETS) && !defined(PROG)
-NOPROG=
-.endif
-
-.include <bsd.prog.mk>
-
-.MAIN: all
-all: regress
-
-# XXX - Need full path to REGRESSLOG, otherwise there will be much pain.
-
-REGRESSLOG?=/dev/null
-REGRESSNAME=${.CURDIR:S/${BSDSRCDIR}\/regress\///}
-
-.if defined(PROG) && !empty(PROG)
-run-regress-${PROG}: ${PROG}
-	./${PROG}
-.endif
-
-.if !defined(REGRESSTARGETS)
-REGRESSTARGETS=run-regress-${PROG}
-.  if defined(REGRESSSKIP)
-REGRESSSKIPTARGETS=run-regress-${PROG}
-.  endif
-.endif
-
-REGRESSSKIPSLOW?=no
-
-#.if (${REGRESSSKIPSLOW:L} == "yes") && defined(REGRESSSLOWTARGETS)
-
-.if (${REGRESSSKIPSLOW} == "yes") && defined(REGRESSSLOWTARGETS)
-REGRESSSKIPTARGETS+=${REGRESSSLOWTARGETS}
-.endif
-
-.if defined(REGRESSROOTTARGETS)
-ROOTUSER!=id -g
-SUDO?=
-. if (${ROOTUSER} != 0) && empty(SUDO)
-REGRESSSKIPTARGETS+=${REGRESSROOTTARGETS}
-. endif
-.endif
-
-REGRESSSKIPTARGETS?=
-
-regress:
-.for RT in ${REGRESSTARGETS} 
-.  if ${REGRESSSKIPTARGETS:M${RT}}
-	@echo -n "SKIP " >> ${REGRESSLOG}
-.  else
-# XXX - we need a better method to see if a test fails due to timeout or just
-#       normal failure.
-.   if !defined(REGRESSMAXTIME)
-	@if cd ${.CURDIR} && ${MAKE} ${RT}; then \
-	    echo -n "SUCCESS " >> ${REGRESSLOG} ; \
-	else \
-	    echo -n "FAIL " >> ${REGRESSLOG} ; \
-	    echo FAILED ; \
-	fi
-.   else
-	@if cd ${.CURDIR} && (ulimit -t ${REGRESSMAXTIME} ; ${MAKE} ${RT}); then \
-	    echo -n "SUCCESS " >> ${REGRESSLOG} ; \
-	else \
-	    echo -n "FAIL (possible timeout) " >> ${REGRESSLOG} ; \
-	    echo FAILED ; \
-	fi
-.   endif
-.  endif
-	@echo ${REGRESSNAME}/${RT:S/^run-regress-//} >> ${REGRESSLOG}
-.endfor
-
-.PHONY: regress
diff --git a/crypto/openssh/regress/cfgmatch.sh b/crypto/openssh/regress/cfgmatch.sh
deleted file mode 100644
index d987dcb..0000000
--- a/crypto/openssh/regress/cfgmatch.sh
+++ /dev/null
@@ -1,106 +0,0 @@
-#	$OpenBSD: cfgmatch.sh,v 1.2 2006/07/22 01:50:00 dtucker Exp $
-#	Placed in the Public Domain.
-
-tid="sshd_config match"
-
-pidfile=$OBJ/remote_pid
-fwdport=3301
-fwd="-L $fwdport:127.0.0.1:$PORT"
-
-stop_client()
-{
-	pid=`cat $pidfile`
-	if [ ! -z "$pid" ]; then
-		kill $pid
-		sleep 1
-	fi
-}
-
-cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
-
-echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config
-echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
-echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config
-
-echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy
-echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
-echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
-
-start_sshd
-
-#set -x
-
-# Test Match + PermitOpen in sshd_config.  This should be permitted
-for p in 1 2; do
-	rm -f $pidfile
-	trace "match permitopen localhost proto $p"
-	${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \
-	    "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
-	    fail "match permitopen proto $p sshd failed"
-	sleep 1;
-	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
-	    fail "match permitopen permit proto $p"
-	stop_client
-done
-
-# Same but from different source.  This should not be permitted
-for p in 1 2; do
-	rm -f $pidfile
-	trace "match permitopen proxy proto $p"
-	${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
-	    "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
-	    fail "match permitopen proxy proto $p sshd failed"
-	sleep 1;
-	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
-	    fail "match permitopen deny proto $p"
-	stop_client
-done
-
-# Retry previous with key option, should also be denied.
-echo -n 'permitopen="127.0.0.1:'$PORT'" ' >$OBJ/authorized_keys_$USER
-cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
-echo -n 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER
-cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
-for p in 1 2; do
-	rm -f $pidfile
-	trace "match permitopen proxy w/key opts proto $p"
-	${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
-	    "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
-	    fail "match permitopen w/key opt proto $p sshd failed"
-	sleep 1;
-	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
-	    fail "match permitopen deny w/key opt proto $p"
-	stop_client
-done
-
-# Test both sshd_config and key options permitting the same dst/port pair.
-# Should be permitted.
-for p in 1 2; do
-	rm -f $pidfile
-	trace "match permitopen localhost proto $p"
-	${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \
-	    "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
-	    fail "match permitopen proto $p sshd failed"
-	sleep 1;
-	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
-	    fail "match permitopen permit proto $p"
-	stop_client
-done
-
-cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
-echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
-echo "Match User $USER" >>$OBJ/sshd_proxy
-echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
-
-# Test that a Match overrides a PermitOpen in the global section
-for p in 1 2; do
-	rm -f $pidfile
-	trace "match permitopen proxy w/key opts proto $p"
-	${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
-	    "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
-	    fail "match override permitopen proto $p sshd failed"
-	sleep 1;
-	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
-	    fail "match override permitopen proto $p"
-	stop_client
-done
diff --git a/crypto/openssh/regress/cipher-speed.sh b/crypto/openssh/regress/cipher-speed.sh
deleted file mode 100644
index 5925111..0000000
--- a/crypto/openssh/regress/cipher-speed.sh
+++ /dev/null
@@ -1,47 +0,0 @@
-#	$OpenBSD: cipher-speed.sh,v 1.2 2005/05/24 04:09:54 djm Exp $
-#	Placed in the Public Domain.
-
-tid="cipher speed"
-
-getbytes ()
-{
-	sed -n '/transferred/s/.*secs (\(.* bytes.sec\).*/\1/p'
-}
-
-tries="1 2"
-DATA=/bin/ls
-DATA=/bsd
-
-macs="hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96"
-ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc 
-	arcfour128 arcfour256 arcfour aes192-cbc aes256-cbc aes128-ctr"
-
-for c in $ciphers; do for m in $macs; do
-	trace "proto 2 cipher $c mac $m"
-	for x in $tries; do
-		echo -n "$c/$m:\t"
-		( ${SSH} -o 'compression no' \
-			-F $OBJ/ssh_proxy -2 -m $m -c $c somehost \
-			exec sh -c \'"dd of=/dev/null obs=32k"\' \
-		< ${DATA} ) 2>&1 | getbytes
-
-		if [ $? -ne 0 ]; then
-			fail "ssh -2 failed with mac $m cipher $c"
-		fi
-	done
-done; done
-
-ciphers="3des blowfish"
-for c in $ciphers; do
-	trace "proto 1 cipher $c"
-	for x in $tries; do
-		echo -n "$c:\t"
-		( ${SSH} -o 'compression no' \
-			-F $OBJ/ssh_proxy -1 -c $c somehost \
-			exec sh -c \'"dd of=/dev/null obs=32k"\' \
-		< ${DATA} ) 2>&1 | getbytes
-		if [ $? -ne 0 ]; then
-			fail "ssh -1 failed with cipher $c"
-		fi
-	done
-done
diff --git a/crypto/openssh/regress/connect-privsep.sh b/crypto/openssh/regress/connect-privsep.sh
deleted file mode 100644
index d23cadb..0000000
--- a/crypto/openssh/regress/connect-privsep.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#	$OpenBSD: connect-privsep.sh,v 1.1 2002/03/21 21:45:07 markus Exp $
-#	Placed in the Public Domain.
-
-tid="proxy connect with privsep"
-
-echo 'UsePrivilegeSeparation yes' >> $OBJ/sshd_proxy
-
-for p in 1 2; do
-	${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
-	if [ $? -ne 0 ]; then
-		fail "ssh privsep+proxyconnect protocol $p failed"
-	fi
-done
diff --git a/crypto/openssh/regress/connect.sh b/crypto/openssh/regress/connect.sh
deleted file mode 100644
index 2186fa6..0000000
--- a/crypto/openssh/regress/connect.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#	$OpenBSD: connect.sh,v 1.4 2002/03/15 13:08:56 markus Exp $
-#	Placed in the Public Domain.
-
-tid="simple connect"
-
-start_sshd
-
-for p in 1 2; do
-	${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true
-	if [ $? -ne 0 ]; then
-		fail "ssh connect with protocol $p failed"
-	fi
-done
diff --git a/crypto/openssh/regress/copy.1 b/crypto/openssh/regress/copy.1
deleted file mode 100755
index 92d4d20..0000000
--- a/crypto/openssh/regress/copy.1
+++ /dev/null
diff --git a/crypto/openssh/regress/copy.2 b/crypto/openssh/regress/copy.2
deleted file mode 100755
index 92d4d20..0000000
--- a/crypto/openssh/regress/copy.2
+++ /dev/null
diff --git a/crypto/openssh/regress/dsa_ssh2.prv b/crypto/openssh/regress/dsa_ssh2.prv
deleted file mode 100644
index c93b403..0000000
--- a/crypto/openssh/regress/dsa_ssh2.prv
+++ /dev/null
@@ -1,14 +0,0 @@
----- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
-Subject: ssh-keygen test
-Comment: "1024-bit dsa, Tue Jan 08 2002 22:00:23 +0100"
-P2/56wAAAgIAAAAmZGwtbW9kcHtzaWdue2RzYS1uaXN0LXNoYTF9LGRoe3BsYWlufX0AAA
-AEbm9uZQAAAcQAAAHAAAAAAAAABACwUfm3AxZTut3icBmwCcD48nY64HzuELlQ+vEqjIcR
-Lo49es/DQTeLNQ+kdKRCfouosGNv0WqxRtF0tUsWdXxS37oHGa4QPugBdHRd7YlZGZv8kg
-x7FsoepY7v7E683/97dv2zxL3AGagTEzWr7fl0yPexAaZoDvtQrrjX44BLmwAABACWQkvv
-MxnD8eFkS1konFfMJ1CkuRfTN34CBZ6dY7VTSGemy4QwtFdMKmoufD0eKgy3p5WOeWCYKt
-F4FhjHKZk/aaxFjjIbtkrnlvXg64QI11dSZyBN6/ViQkHPSkUDF+A6AAEhrNbQbAFSvao1
-kTvNtPCtL0AkUIduEMzGQfLCTAAAAKDeC043YVo9Zo0zAEeIA4uZh4LBCQAAA/9aj7Y5ik
-ehygJ4qTDSlVypsPuV+n59tMS0e2pfrSG87yf5r94AKBmJeho5OO6wYaXCxsVB7AFbSUD6
-75AK8mHF4v1/+7SWKk5f8xlMCMSPZ9K0+j/W1d/q2qkhnnDZolOHDomLA+U00i5ya/jnTV
-zyDPWLFpWK8u3xGBPAYX324gAAAKDHFvooRnaXdZbeWGTTqmgHB1GU9A==
----- END SSH2 ENCRYPTED PRIVATE KEY ----
diff --git a/crypto/openssh/regress/dsa_ssh2.pub b/crypto/openssh/regress/dsa_ssh2.pub
deleted file mode 100644
index 215d73ba..0000000
--- a/crypto/openssh/regress/dsa_ssh2.pub
+++ /dev/null
@@ -1,13 +0,0 @@
----- BEGIN SSH2 PUBLIC KEY ----
-Subject: ssh-keygen test
-Comment: "1024-bit dsa, Tue Jan 08 2002 22:00:23 +0100"
-AAAAB3NzaC1kc3MAAACBALBR+bcDFlO63eJwGbAJwPjydjrgfO4QuVD68SqMhxEujj16z8
-NBN4s1D6R0pEJ+i6iwY2/RarFG0XS1SxZ1fFLfugcZrhA+6AF0dF3tiVkZm/ySDHsWyh6l
-ju/sTrzf/3t2/bPEvcAZqBMTNavt+XTI97EBpmgO+1CuuNfjgEubAAAAFQDeC043YVo9Zo
-0zAEeIA4uZh4LBCQAAAIEAlkJL7zMZw/HhZEtZKJxXzCdQpLkX0zd+AgWenWO1U0hnpsuE
-MLRXTCpqLnw9HioMt6eVjnlgmCrReBYYxymZP2msRY4yG7ZK55b14OuECNdXUmcgTev1Yk
-JBz0pFAxfgOgABIazW0GwBUr2qNZE7zbTwrS9AJFCHbhDMxkHywkwAAACAWo+2OYpHocoC
-eKkw0pVcqbD7lfp+fbTEtHtqX60hvO8n+a/eACgZiXoaOTjusGGlwsbFQewBW0lA+u+QCv
-JhxeL9f/u0lipOX/MZTAjEj2fStPo/1tXf6tqpIZ5w2aJThw6JiwPlNNIucmv4501c8gz1
-ixaVivLt8RgTwGF99uI=
----- END SSH2 PUBLIC KEY ----
diff --git a/crypto/openssh/regress/dynamic-forward.sh b/crypto/openssh/regress/dynamic-forward.sh
deleted file mode 100644
index 4674a7b..0000000
--- a/crypto/openssh/regress/dynamic-forward.sh
+++ /dev/null
@@ -1,50 +0,0 @@
-#	$OpenBSD: dynamic-forward.sh,v 1.4 2004/06/22 22:55:56 dtucker Exp $
-#	Placed in the Public Domain.
-
-tid="dynamic forwarding"
-
-FWDPORT=`expr $PORT + 1`
-
-DATA=/bin/ls${EXEEXT}
-
-if have_prog nc && nc -h 2>&1 | grep "proxy address" >/dev/null; then
-	proxycmd="nc -x 127.0.0.1:$FWDPORT -X"
-elif have_prog connect; then
-	proxycmd="connect -S 127.0.0.1:$FWDPORT -"
-else
-	echo "skipped (no suitable ProxyCommand found)"
-	exit 0
-fi
-trace "will use ProxyCommand $proxycmd"
-
-start_sshd
-
-for p in 1 2; do
-	trace "start dynamic forwarding, fork to background"
-	${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q somehost \
-		exec sh -c \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\'
-
-	for s in 4 5; do
-	    for h in 127.0.0.1 localhost; do
-		trace "testing ssh protocol $p socks version $s host $h"
-		${SSH} -F $OBJ/ssh_config \
-			-o "ProxyCommand ${proxycmd}${s} $h $PORT" \
-			somehost cat $DATA > $OBJ/ls.copy
-		test -f $OBJ/ls.copy	 || fail "failed copy $DATA"
-		cmp $DATA $OBJ/ls.copy || fail "corrupted copy of $DATA"
-	    done
-	done
-
-	if [ -f $OBJ/remote_pid ]; then
-		remote=`cat $OBJ/remote_pid`
-		trace "terminate remote shell, pid $remote"
-		if [ $remote -gt 1 ]; then
-			kill -HUP $remote
-		fi
-	else
-		fail "no pid file: $OBJ/remote_pid"
-	fi
-
-	# Must allow time for connection tear-down
-	sleep 2
-done
diff --git a/crypto/openssh/regress/envpass.sh b/crypto/openssh/regress/envpass.sh
deleted file mode 100644
index af7eafe..0000000
--- a/crypto/openssh/regress/envpass.sh
+++ /dev/null
@@ -1,60 +0,0 @@
-#	$OpenBSD: envpass.sh,v 1.4 2005/03/04 08:48:46 djm Exp $
-#	Placed in the Public Domain.
-
-tid="environment passing"
-
-# NB accepted env vars are in test-exec.sh (_XXX_TEST_* and _XXX_TEST)
-
-# Prepare a custom config to test for a configuration parsing bug fixed in 4.0
-cat << EOF > $OBJ/ssh_proxy_envpass
-Host test-sendenv-confparse-bug
-	SendEnv *
-EOF
-cat $OBJ/ssh_proxy >> $OBJ/ssh_proxy_envpass
-
-trace "pass env, don't accept"
-verbose "test $tid: pass env, don't accept"
-_TEST_ENV=blah ${SSH} -oSendEnv="*" -F $OBJ/ssh_proxy_envpass otherhost \
-	sh << 'EOF'
-	test -z "$_TEST_ENV"
-EOF
-r=$?
-if [ $r -ne 0 ]; then
-	fail "environment found"
-fi
-
-trace "don't pass env, accept"
-verbose "test $tid: don't pass env, accept"
-_XXX_TEST_A=1 _XXX_TEST_B=2 ${SSH} -F $OBJ/ssh_proxy_envpass otherhost \
-	sh << 'EOF'
-	test -z "$_XXX_TEST_A" && test -z "$_XXX_TEST_B"
-EOF
-r=$?
-if [ $r -ne 0 ]; then
-	fail "environment found"
-fi
-
-trace "pass single env, accept single env"
-verbose "test $tid: pass single env, accept single env"
-_XXX_TEST=blah ${SSH} -oSendEnv="_XXX_TEST" -F $OBJ/ssh_proxy_envpass \
-    otherhost sh << 'EOF'
-	test X"$_XXX_TEST" = X"blah"
-EOF
-r=$?
-if [ $r -ne 0 ]; then
-	fail "environment not found"
-fi
-
-trace "pass multiple env, accept multiple env"
-verbose "test $tid: pass multiple env, accept multiple env"
-_XXX_TEST_A=1 _XXX_TEST_B=2 ${SSH} -oSendEnv="_XXX_TEST_*" \
-    -F $OBJ/ssh_proxy_envpass otherhost \
-	sh << 'EOF'
-	test X"$_XXX_TEST_A" = X"1" -a X"$_XXX_TEST_B" = X"2"
-EOF
-r=$?
-if [ $r -ne 0 ]; then
-	fail "environment not found"
-fi
-
-rm -f $OBJ/ssh_proxy_envpass
diff --git a/crypto/openssh/regress/exit-status.sh b/crypto/openssh/regress/exit-status.sh
deleted file mode 100644
index 56b78a6..0000000
--- a/crypto/openssh/regress/exit-status.sh
+++ /dev/null
@@ -1,24 +0,0 @@
-#	$OpenBSD: exit-status.sh,v 1.6 2002/03/15 13:08:56 markus Exp $
-#	Placed in the Public Domain.
-
-tid="remote exit status"
-
-for p in 1 2; do
-	for s in 0 1 4 5 44; do
-		trace "proto $p status $s"
-		verbose "test $tid: proto $p status $s"
-		${SSH} -$p -F $OBJ/ssh_proxy otherhost exit $s
-		r=$?
-		if [ $r -ne $s ]; then
-			fail "exit code mismatch for protocol $p: $r != $s"
-		fi
-
-		# same with early close of stdout/err
-		${SSH} -$p -F $OBJ/ssh_proxy -n otherhost \
-                	exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\'
-		r=$?
-		if [ $r -ne $s ]; then
-			fail "exit code (with sleep) mismatch for protocol $p: $r != $s"
-		fi
-	done
-done
diff --git a/crypto/openssh/regress/forcecommand.sh b/crypto/openssh/regress/forcecommand.sh
deleted file mode 100644
index 99e51a6..0000000
--- a/crypto/openssh/regress/forcecommand.sh
+++ /dev/null
@@ -1,42 +0,0 @@
-#	$OpenBSD: forcecommand.sh,v 1.1 2006/07/19 13:09:28 dtucker Exp $
-#	Placed in the Public Domain.
-
-tid="forced command"
-
-cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
-
-echon 'command="true" ' >$OBJ/authorized_keys_$USER
-cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
-echon 'command="true" ' >>$OBJ/authorized_keys_$USER
-cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
-
-for p in 1 2; do
-	trace "forced command in key option proto $p"
-	${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
-	    fail "forced command in key proto $p"
-done
-
-echon 'command="false" ' >$OBJ/authorized_keys_$USER
-cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
-echon 'command="false" ' >>$OBJ/authorized_keys_$USER
-cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
-
-cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
-echo "ForceCommand true" >> $OBJ/sshd_proxy
-
-for p in 1 2; do
-	trace "forced command in sshd_config overrides key option proto $p"
-	${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
-	    fail "forced command in key proto $p"
-done
-
-cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
-echo "ForceCommand false" >> $OBJ/sshd_proxy
-echo "Match User $USER" >> $OBJ/sshd_proxy
-echo "    ForceCommand true" >> $OBJ/sshd_proxy
-
-for p in 1 2; do
-	trace "forced command with match proto $p"
-	${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
-	    fail "forced command in key proto $p"
-done
diff --git a/crypto/openssh/regress/forwarding.sh b/crypto/openssh/regress/forwarding.sh
deleted file mode 100644
index 9ffbb3d..0000000
--- a/crypto/openssh/regress/forwarding.sh
+++ /dev/null
@@ -1,95 +0,0 @@
-#	$OpenBSD: forwarding.sh,v 1.6 2006/07/11 18:51:21 markus Exp $
-#	Placed in the Public Domain.
-
-tid="local and remote forwarding"
-DATA=/bin/ls${EXEEXT}
-
-start_sshd
-
-base=33
-last=$PORT
-fwd=""
-for j in 0 1 2; do
-	for i in 0 1 2; do
-		a=$base$j$i
-		b=`expr $a + 50`
-		c=$last
-		# fwd chain: $a -> $b -> $c
-		fwd="$fwd -L$a:127.0.0.1:$b -R$b:127.0.0.1:$c"
-		last=$a
-	done
-done
-for p in 1 2; do
-	q=`expr 3 - $p`
-	trace "start forwarding, fork to background"
-	${SSH} -$p -F $OBJ/ssh_config -f $fwd somehost sleep 10
-
-	trace "transfer over forwarded channels and check result"
-	${SSH} -$q -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \
-		somehost cat $DATA > $OBJ/ls.copy
-	test -f $OBJ/ls.copy			|| fail "failed copy $DATA"
-	cmp $DATA $OBJ/ls.copy			|| fail "corrupted copy of $DATA"
-
-	sleep 10
-done
-
-for p in 1 2; do
-for d in L R; do
-	trace "exit on -$d forward failure, proto $p"
-
-	# this one should succeed
-	${SSH} -$p -F $OBJ/ssh_config \
-	    -$d ${base}01:127.0.0.1:$PORT \
-	    -$d ${base}02:127.0.0.1:$PORT \
-	    -$d ${base}03:127.0.0.1:$PORT \
-	    -$d ${base}04:127.0.0.1:$PORT \
-	    -oExitOnForwardFailure=yes somehost true
-	if [ $? != 0 ]; then
-		fail "connection failed, should not"
-	else
-		# this one should fail
-		${SSH} -q -$p -F $OBJ/ssh_config \
-		    -$d ${base}01:127.0.0.1:$PORT \
-		    -$d ${base}02:127.0.0.1:$PORT \
-		    -$d ${base}03:127.0.0.1:$PORT \
-		    -$d ${base}01:127.0.0.1:$PORT \
-		    -$d ${base}04:127.0.0.1:$PORT \
-		    -oExitOnForwardFailure=yes somehost true
-		r=$?
-		if [ $r != 255 ]; then
-			fail "connection not termintated, but should ($r)"
-		fi
-	fi
-done
-done
-
-for p in 1 2; do
-	trace "simple clear forwarding proto $p"
-	${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true
-
-	trace "clear local forward proto $p"
-	${SSH} -$p -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \
-	    -oClearAllForwardings=yes somehost sleep 10
-	if [ $? != 0 ]; then
-		fail "connection failed with cleared local forwarding"
-	else
-		# this one should fail
-		${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \
-		     2>${TEST_SSH_LOGFILE} && \
-			fail "local forwarding not cleared"
-	fi
-	sleep 10
-	
-	trace "clear remote forward proto $p"
-	${SSH} -$p -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \
-	    -oClearAllForwardings=yes somehost sleep 10
-	if [ $? != 0 ]; then
-		fail "connection failed with cleared remote forwarding"
-	else
-		# this one should fail
-		${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \
-		     2>${TEST_SSH_LOGFILE} && \
-			fail "remote forwarding not cleared"
-	fi
-	sleep 10
-done
diff --git a/crypto/openssh/regress/keygen-change.sh b/crypto/openssh/regress/keygen-change.sh
deleted file mode 100644
index 08d3590..0000000
--- a/crypto/openssh/regress/keygen-change.sh
+++ /dev/null
@@ -1,23 +0,0 @@
-#	$OpenBSD: keygen-change.sh,v 1.2 2002/07/16 09:15:55 markus Exp $
-#	Placed in the Public Domain.
-
-tid="change passphrase for key"
-
-S1="secret1"
-S2="2secret"
-
-for t in rsa dsa rsa1; do
-	# generate user key for agent
-	trace "generating $t key"
-	rm -f $OBJ/$t-key
-	${SSHKEYGEN} -q -N ${S1} -t $t -f $OBJ/$t-key
-	if [ $? -eq 0 ]; then
-		${SSHKEYGEN} -p -P ${S1} -N ${S2} -f $OBJ/$t-key > /dev/null
-		if [ $? -ne 0 ]; then
-			fail "ssh-keygen -p failed for $t-key"
-		fi
-	else
-		fail "ssh-keygen for $t-key failed"
-	fi
-	rm -f $OBJ/$t-key $OBJ/$t-key.pub
-done
diff --git a/crypto/openssh/regress/keyscan.sh b/crypto/openssh/regress/keyscan.sh
deleted file mode 100644
index 33f14f0..0000000
--- a/crypto/openssh/regress/keyscan.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#	$OpenBSD: keyscan.sh,v 1.3 2002/03/15 13:08:56 markus Exp $
-#	Placed in the Public Domain.
-
-tid="keyscan"
-
-# remove DSA hostkey
-rm -f ${OBJ}/host.dsa
-
-start_sshd
-
-for t in rsa1 rsa dsa; do
-	trace "keyscan type $t"
-	${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \
-		> /dev/null 2>&1
-	r=$?
-	if [ $r -ne 0 ]; then
-		fail "ssh-keyscan -t $t failed with: $r"
-	fi
-done
diff --git a/crypto/openssh/regress/login-timeout.sh b/crypto/openssh/regress/login-timeout.sh
deleted file mode 100644
index 15a887f..0000000
--- a/crypto/openssh/regress/login-timeout.sh
+++ /dev/null
@@ -1,29 +0,0 @@
-#	$OpenBSD: login-timeout.sh,v 1.4 2005/02/27 23:13:36 djm Exp $
-#	Placed in the Public Domain.
-
-tid="connect after login grace timeout"
-
-trace "test login grace with privsep"
-echo "LoginGraceTime 10s" >> $OBJ/sshd_config
-echo "MaxStartups 1" >> $OBJ/sshd_config
-start_sshd
-
-(echo SSH-2.0-fake; sleep 60) | telnet 127.0.0.1 ${PORT} >/dev/null 2>&1 & 
-sleep 15
-${SSH} -F $OBJ/ssh_config somehost true
-if [ $? -ne 0 ]; then
-	fail "ssh connect after login grace timeout failed with privsep"
-fi
-
-$SUDO kill `cat $PIDFILE`
-
-trace "test login grace without privsep"
-echo "UsePrivilegeSeparation no" >> $OBJ/sshd_config
-start_sshd
-
-(echo SSH-2.0-fake; sleep 60) | telnet 127.0.0.1 ${PORT} >/dev/null 2>&1 & 
-sleep 15
-${SSH} -F $OBJ/ssh_config somehost true
-if [ $? -ne 0 ]; then
-	fail "ssh connect after login grace timeout failed without privsep"
-fi
diff --git a/crypto/openssh/regress/multiplex.sh b/crypto/openssh/regress/multiplex.sh
deleted file mode 100644
index 4fba7b5..0000000
--- a/crypto/openssh/regress/multiplex.sh
+++ /dev/null
@@ -1,92 +0,0 @@
-#	$OpenBSD: multiplex.sh,v 1.11 2005/04/25 09:54:09 dtucker Exp $
-#	Placed in the Public Domain.
-
-CTL=/tmp/openssh.regress.ctl-sock.$$
-
-tid="connection multiplexing"
-
-if grep "#define.*DISABLE_FD_PASSING" ${BUILDDIR}/config.h >/dev/null 2>&1
-then
-	echo "skipped (not supported on this platform)"
-	exit 0
-fi
-
-DATA=/bin/ls${EXEEXT}
-COPY=$OBJ/ls.copy
-LOG=$TEST_SSH_LOGFILE
-
-start_sshd
-
-trace "start master, fork to background"
-${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost &
-MASTER_PID=$!
-
-# Wait for master to start and authenticate
-sleep 5
-
-verbose "test $tid: envpass"
-trace "env passing over multiplexed connection"
-_XXX_TEST=blah ${SSH} -oSendEnv="_XXX_TEST" -S$CTL otherhost sh << 'EOF'
-	test X"$_XXX_TEST" = X"blah"
-EOF
-if [ $? -ne 0 ]; then
-	fail "environment not found"
-fi
-
-verbose "test $tid: transfer"
-rm -f ${COPY}
-trace "ssh transfer over multiplexed connection and check result"
-${SSH} -S$CTL otherhost cat ${DATA} > ${COPY}
-test -f ${COPY}			|| fail "ssh -Sctl: failed copy ${DATA}" 
-cmp ${DATA} ${COPY}		|| fail "ssh -Sctl: corrupted copy of ${DATA}"
-
-rm -f ${COPY}
-trace "ssh transfer over multiplexed connection and check result"
-${SSH} -S $CTL otherhost cat ${DATA} > ${COPY}
-test -f ${COPY}			|| fail "ssh -S ctl: failed copy ${DATA}" 
-cmp ${DATA} ${COPY}		|| fail "ssh -S ctl: corrupted copy of ${DATA}"
-
-rm -f ${COPY}
-trace "sftp transfer over multiplexed connection and check result"
-echo "get ${DATA} ${COPY}" | \
-	${SFTP} -S ${SSH} -oControlPath=$CTL otherhost >$LOG 2>&1
-test -f ${COPY}			|| fail "sftp: failed copy ${DATA}" 
-cmp ${DATA} ${COPY}		|| fail "sftp: corrupted copy of ${DATA}"
-
-rm -f ${COPY}
-trace "scp transfer over multiplexed connection and check result"
-${SCP} -S ${SSH} -oControlPath=$CTL otherhost:${DATA} ${COPY} >$LOG 2>&1
-test -f ${COPY}			|| fail "scp: failed copy ${DATA}" 
-cmp ${DATA} ${COPY}		|| fail "scp: corrupted copy of ${DATA}"
-
-rm -f ${COPY}
-
-for s in 0 1 4 5 44; do
-	trace "exit status $s over multiplexed connection"
-	verbose "test $tid: status $s"
-	${SSH} -S $CTL otherhost exit $s
-	r=$?
-	if [ $r -ne $s ]; then
-		fail "exit code mismatch for protocol $p: $r != $s"
-	fi
-
-	# same with early close of stdout/err
-	trace "exit status $s with early close over multiplexed connection"
-	${SSH} -S $CTL -n otherhost \
-                exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\'
-	r=$?
-	if [ $r -ne $s ]; then
-		fail "exit code (with sleep) mismatch for protocol $p: $r != $s"
-	fi
-done
-
-trace "test check command"
-${SSH} -S $CTL -Ocheck otherhost || fail "check command failed" 
-
-trace "test exit command"
-${SSH} -S $CTL -Oexit otherhost || fail "send exit command failed" 
-
-# Wait for master to exit
-sleep 2
-
-kill -0 $MASTER_PID >/dev/null 2>&1 && fail "exit command failed" 
diff --git a/crypto/openssh/regress/proto-mismatch.sh b/crypto/openssh/regress/proto-mismatch.sh
deleted file mode 100644
index fb521f2..0000000
--- a/crypto/openssh/regress/proto-mismatch.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#	$OpenBSD: proto-mismatch.sh,v 1.3 2002/03/15 13:08:56 markus Exp $
-#	Placed in the Public Domain.
-
-tid="protocol version mismatch"
-
-mismatch ()
-{
-	server=$1
-	client=$2
-	banner=`echo ${client} | ${SSHD} -o "Protocol=${server}" -i -f ${OBJ}/sshd_proxy`
-	r=$?
-	trace "sshd prints ${banner}"
-	if [ $r -ne 255 ]; then
-		fail "sshd prints ${banner} and accepts connect with version ${client}"
-	fi
-}
-
-mismatch	2	SSH-1.5-HALLO
-mismatch	1	SSH-2.0-HALLO
diff --git a/crypto/openssh/regress/proto-version.sh b/crypto/openssh/regress/proto-version.sh
deleted file mode 100644
index 1651a69..0000000
--- a/crypto/openssh/regress/proto-version.sh
+++ /dev/null
@@ -1,34 +0,0 @@
-#	$OpenBSD: proto-version.sh,v 1.3 2002/03/15 13:08:56 markus Exp $
-#	Placed in the Public Domain.
-
-tid="sshd version with different protocol combinations"
-
-# we just start sshd in inetd mode and check the banner
-check_version ()
-{
-	version=$1
-	expect=$2
-	banner=`echon | ${SSHD} -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy`
-	case ${banner} in
-	SSH-1.99-*)
-		proto=199
-		;;
-	SSH-2.0-*)
-		proto=20
-		;;
-	SSH-1.5-*)
-		proto=15
-		;;
-	*)
-		proto=0
-		;;
-	esac
-	if [ ${expect} -ne ${proto} ]; then
-		fail "wrong protocol version ${banner} for ${version}"
-	fi
-}
-
-check_version	2,1	199
-check_version	1,2	199
-check_version	2	20
-check_version	1	15
diff --git a/crypto/openssh/regress/proxy-connect.sh b/crypto/openssh/regress/proxy-connect.sh
deleted file mode 100644
index 6a36b25..0000000
--- a/crypto/openssh/regress/proxy-connect.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#	$OpenBSD: proxy-connect.sh,v 1.5 2002/12/09 15:28:46 markus Exp $
-#	Placed in the Public Domain.
-
-tid="proxy connect"
-
-for p in 1 2; do
-	${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
-	if [ $? -ne 0 ]; then
-		fail "ssh proxyconnect protocol $p failed"
-	fi
-	SSH_CONNECTION=`${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 'echo $SSH_CONNECTION'`
-	if [ $? -ne 0 ]; then
-		fail "ssh proxyconnect protocol $p failed"
-	fi
-	if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
-		fail "bad SSH_CONNECTION"
-	fi
-done
diff --git a/crypto/openssh/regress/reconfigure.sh b/crypto/openssh/regress/reconfigure.sh
deleted file mode 100644
index 1daf29f..0000000
--- a/crypto/openssh/regress/reconfigure.sh
+++ /dev/null
@@ -1,36 +0,0 @@
-#	$OpenBSD: reconfigure.sh,v 1.2 2003/06/21 09:14:05 markus Exp $
-#	Placed in the Public Domain.
-
-tid="simple connect after reconfigure"
-
-# we need the full path to sshd for -HUP
-case $SSHD in
-/*)
-	# full path is OK 
-	;;
-*)
-	# otherwise make fully qualified
-	SSHD=$OBJ/$SSHD
-esac
-
-start_sshd
-
-PID=`cat $PIDFILE`
-rm -f $PIDFILE
-$SUDO kill -HUP $PID
-
-trace "wait for sshd to restart"
-i=0;
-while [ ! -f $PIDFILE -a $i -lt 10 ]; do
-	i=`expr $i + 1`
-	sleep $i
-done
-
-test -f $PIDFILE || fatal "sshd did not restart"
-
-for p in 1 2; do
-	${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true
-	if [ $? -ne 0 ]; then
-		fail "ssh connect with protocol $p failed after reconfigure"
-	fi
-done
diff --git a/crypto/openssh/regress/reexec.sh b/crypto/openssh/regress/reexec.sh
deleted file mode 100644
index 4f824a3..0000000
--- a/crypto/openssh/regress/reexec.sh
+++ /dev/null
@@ -1,72 +0,0 @@
-#	$OpenBSD: reexec.sh,v 1.5 2004/10/08 02:01:50 djm Exp $
-#	Placed in the Public Domain.
-
-tid="reexec tests"
-
-DATA=/bin/ls${EXEEXT}
-COPY=${OBJ}/copy
-SSHD_ORIG=$SSHD${EXEEXT}
-SSHD_COPY=$OBJ/sshd${EXEEXT}
-
-# Start a sshd and then delete it
-start_sshd_copy ()
-{
-	cp $SSHD_ORIG $SSHD_COPY
-	SSHD=$SSHD_COPY
-	start_sshd
-	SSHD=$SSHD_ORIG
-}
-
-# Do basic copy tests
-copy_tests ()
-{
-	rm -f ${COPY}
-	for p in 1 2; do
-		verbose "$tid: proto $p"
-		${SSH} -nqo "Protocol=$p" -F $OBJ/ssh_config somehost \
-		    cat ${DATA} > ${COPY}
-		if [ $? -ne 0 ]; then
-			fail "ssh cat $DATA failed"
-		fi
-		cmp ${DATA} ${COPY}		|| fail "corrupted copy"
-		rm -f ${COPY}
-	done
-}
-
-verbose "test config passing"
-
-cp $OBJ/sshd_config $OBJ/sshd_config.orig
-start_sshd
-echo "InvalidXXX=no" >> $OBJ/sshd_config
-
-copy_tests
-
-$SUDO kill `cat $PIDFILE`
-rm -f $PIDFILE
-
-cp $OBJ/sshd_config.orig $OBJ/sshd_config
-
-verbose "test reexec fallback"
-
-start_sshd_copy
-rm -f $SSHD_COPY
-
-copy_tests
-
-$SUDO kill `cat $PIDFILE`
-rm -f $PIDFILE
-
-verbose "test reexec fallback without privsep"
-
-cp $OBJ/sshd_config.orig $OBJ/sshd_config
-echo "UsePrivilegeSeparation=no" >> $OBJ/sshd_config
-
-start_sshd_copy
-rm -f $SSHD_COPY
-
-copy_tests
-
-$SUDO kill `cat $PIDFILE`
-rm -f $PIDFILE
-
-
diff --git a/crypto/openssh/regress/rekey.sh b/crypto/openssh/regress/rekey.sh
deleted file mode 100644
index 3c5f266..0000000
--- a/crypto/openssh/regress/rekey.sh
+++ /dev/null
@@ -1,32 +0,0 @@
-#	$OpenBSD: rekey.sh,v 1.1 2003/03/28 13:58:28 markus Exp $
-#	Placed in the Public Domain.
-
-tid="rekey during transfer data"
-
-DATA=${OBJ}/data
-COPY=${OBJ}/copy
-LOG=${OBJ}/log
-
-rm -f ${COPY} ${LOG} ${DATA}
-touch ${DATA}
-dd if=/bin/ls${EXEEXT} of=${DATA} bs=1k seek=511 count=1 > /dev/null 2>&1
-
-for s in 16 1k 128k 256k; do
-	trace "rekeylimit ${s}"
-	rm -f ${COPY}
-	cat $DATA | \
-		${SSH} -oCompression=no -oRekeyLimit=$s \
-			-v -F $OBJ/ssh_proxy somehost "cat > ${COPY}" \
-		2> ${LOG}
-	if [ $? -ne 0 ]; then
-		fail "ssh failed"
-	fi
-	cmp $DATA ${COPY}		|| fail "corrupted copy"
-	n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
-	n=`expr $n - 1`
-	trace "$n rekeying(s)"
-	if [ $n -lt 1 ]; then
-		fail "no rekeying occured"
-	fi
-done
-rm -f ${COPY} ${LOG} ${DATA}
diff --git a/crypto/openssh/regress/rsa_openssh.prv b/crypto/openssh/regress/rsa_openssh.prv
deleted file mode 100644
index 2675555..0000000
--- a/crypto/openssh/regress/rsa_openssh.prv
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICWgIBAAKBgQDsilwKcaKN6wSMNd1WgQ9+HRqQEkD0kCTVttrazGu0OhBU3Uko
-+dFD1Ip0CxdXmN25JQWxOYF7h/Ocu8P3jzv3RTX87xKR0YzlXTLX+SLtF/ySebS3
-xWPrlfRUDhh03hR5V+8xxvvy9widPYKw/oItwGSueOsEq1LTczCDv2dAjQIDAQAB
-An8nH5VzvHkMbSqJ6eOYDsVwomRvYbH5IEaYl1x6VATITNvAu9kUdQ4NsSpuMc+7
-Jj9gKZvmO1y2YCKc0P/iO+i/eV0L+yQh1Rw18jQZll+12T+LZrKRav03YNvMx0gN
-wqWY48Kt6hv2/N/ebQzKRe79+D0t2cTh92hT7xENFLIBAkEBGnoGKFjAUkJCwO1V
-mzpUqMHpRZVOrqP9hUmPjzNJ5oBPFGe4+h1hoSRFOAzaNuZt8ssbqaLCkzB8bfzj
-qhZqAQJBANZekuUpp8iBLeLSagw5FkcPwPzq6zfExbhvsZXb8Bo/4SflNs4JHXwI
-7SD9Z8aJLvM4uQ/5M70lblDMQ40i3o0CQQDIJvBYBFL5tlOgakq/O7yi+wt0L5BZ
-9H79w5rCSAA0IHRoK/qI1urHiHC3f3vbbLk5UStfrqEaND/mm0shyNIBAkBLsYdC
-/ctt5Bc0wUGK4Vl5bBmj9LtrrMJ4FpBpLwj/69BwCuKoK9XKZ0h73p6XHveCEGRg
-PIlFX4MtaoLrwgU9AkBV2k4dgIws+X8YX65EsyyFjnlDqX4x0nSOjQB1msIKfHBr
-dh5XLDBTTCxnKhMJ0Yx/opgOvf09XHBFwaQntR5i
------END RSA PRIVATE KEY-----
diff --git a/crypto/openssh/regress/rsa_openssh.pub b/crypto/openssh/regress/rsa_openssh.pub
deleted file mode 100644
index b504730..0000000
--- a/crypto/openssh/regress/rsa_openssh.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDsilwKcaKN6wSMNd1WgQ9+HRqQEkD0kCTVttrazGu0OhBU3Uko+dFD1Ip0CxdXmN25JQWxOYF7h/Ocu8P3jzv3RTX87xKR0YzlXTLX+SLtF/ySebS3xWPrlfRUDhh03hR5V+8xxvvy9widPYKw/oItwGSueOsEq1LTczCDv2dAjQ==
diff --git a/crypto/openssh/regress/rsa_ssh2.prv b/crypto/openssh/regress/rsa_ssh2.prv
deleted file mode 100644
index 1ece3d7..0000000
--- a/crypto/openssh/regress/rsa_ssh2.prv
+++ /dev/null
@@ -1,16 +0,0 @@
----- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
-Subject: ssh-keygen test
-Comment: "1024-bit rsa, Sat Jun 23 2001 12:21:26 -0400"
-P2/56wAAAi4AAAA3aWYtbW9kbntzaWdue3JzYS1wa2NzMS1zaGExfSxlbmNyeXB0e3JzYS
-1wa2NzMXYyLW9hZXB9fQAAAARub25lAAAB3wAAAdsAAAARAQABAAAD9icflXO8eQxtKonp
-45gOxXCiZG9hsfkgRpiXXHpUBMhM28C72RR1Dg2xKm4xz7smP2Apm+Y7XLZgIpzQ/+I76L
-95XQv7JCHVHDXyNBmWX7XZP4tmspFq/Tdg28zHSA3CpZjjwq3qG/b8395tDMpF7v34PS3Z
-xOH3aFPvEQ0UsgEAAAQA7IpcCnGijesEjDXdVoEPfh0akBJA9JAk1bba2sxrtDoQVN1JKP
-nRQ9SKdAsXV5jduSUFsTmBe4fznLvD948790U1/O8SkdGM5V0y1/ki7Rf8knm0t8Vj65X0
-VA4YdN4UeVfvMcb78vcInT2CsP6CLcBkrnjrBKtS03Mwg79nQI0AAAH/VdpOHYCMLPl/GF
-+uRLMshY55Q6l+MdJ0jo0AdZrCCnxwa3YeVywwU0wsZyoTCdGMf6KYDr39PVxwRcGkJ7Ue
-YgAAAgDWXpLlKafIgS3i0moMORZHD8D86us3xMW4b7GV2/AaP+En5TbOCR18CO0g/WfGiS
-7zOLkP+TO9JW5QzEONIt6NAAACAQEaegYoWMBSQkLA7VWbOlSowelFlU6uo/2FSY+PM0nm
-gE8UZ7j6HWGhJEU4DNo25m3yyxuposKTMHxt/OOqFmoB
----- END SSH2 ENCRYPTED PRIVATE KEY ----
----
diff --git a/crypto/openssh/regress/runtests.sh b/crypto/openssh/regress/runtests.sh
deleted file mode 100755
index 9808eb8..0000000
--- a/crypto/openssh/regress/runtests.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/sh
-
-TEST_SSH_SSH=../ssh
-TEST_SSH_SSHD=../sshd
-TEST_SSH_SSHAGENT=../ssh-agent
-TEST_SSH_SSHADD=../ssh-add
-TEST_SSH_SSHKEYGEN=../ssh-keygen
-TEST_SSH_SSHKEYSCAN=../ssh-keyscan
-TEST_SSH_SFTP=../sftp
-TEST_SSH_SFTPSERVER=../sftp-server
-
-pmake
-
diff --git a/crypto/openssh/regress/scp-ssh-wrapper.sh b/crypto/openssh/regress/scp-ssh-wrapper.sh
deleted file mode 100644
index d1005a9..0000000
--- a/crypto/openssh/regress/scp-ssh-wrapper.sh
+++ /dev/null
@@ -1,57 +0,0 @@
-#!/bin/sh
-#       $OpenBSD: scp-ssh-wrapper.sh,v 1.2 2005/12/14 04:36:39 dtucker Exp $
-#       Placed in the Public Domain.
-
-printname () {
-	NAME=$1
-	save_IFS=$IFS
-	IFS=/
-	set -- `echo "$NAME"`
-	IFS="$save_IFS"
-	while [ $# -ge 1 ] ; do
-		if [ "x$1" != "x" ]; then
-			echo "D0755 0 $1"
-		fi
-		shift;
-	done
-}
-
-# Discard all but last argument.  We use arg later.
-while test "$1" != ""; do
-	arg="$1"
-	shift
-done
-
-BAD="../../../../../../../../../../../../../${DIR}/dotpathdir"
-
-case "$SCPTESTMODE" in
-badserver_0)
-	echo "D0755 0 /${DIR}/rootpathdir"
-	echo "C755 2 rootpathfile"
-	echo "X"
-	;;
-badserver_1)
-	echo "D0755 0 $BAD"
-	echo "C755 2 file"
-	echo "X"
-	;;
-badserver_2)
-	echo "D0755 0 $BAD"
-	echo "C755 2 file"
-	echo "X"
-	;;
-badserver_3)
-	printname $BAD
-	echo "C755 2 file"
-	echo "X"
-	;;
-badserver_4)
-	printname $BAD
-	echo "D0755 0 .."
-	echo "C755 2 file"
-	echo "X"
-	;;
-*)
-	exec $arg
-	;;
-esac
diff --git a/crypto/openssh/regress/scp.sh b/crypto/openssh/regress/scp.sh
deleted file mode 100644
index c5d412d..0000000
--- a/crypto/openssh/regress/scp.sh
+++ /dev/null
@@ -1,127 +0,0 @@
-#	$OpenBSD: scp.sh,v 1.7 2006/01/31 10:36:33 djm Exp $
-#	Placed in the Public Domain.
-
-tid="scp"
-
-#set -x
-
-# Figure out if diff understands "-N"
-if diff -N ${SRC}/scp.sh ${SRC}/scp.sh 2>/dev/null; then
-	DIFFOPT="-rN"
-else
-	DIFFOPT="-r"
-fi
-
-DATA=/bin/ls${EXEEXT}
-COPY=${OBJ}/copy
-COPY2=${OBJ}/copy2
-DIR=${COPY}.dd
-DIR2=${COPY}.dd2
-
-SRC=`dirname ${SCRIPT}`
-cp ${SRC}/scp-ssh-wrapper.sh ${OBJ}/scp-ssh-wrapper.scp
-chmod 755 ${OBJ}/scp-ssh-wrapper.scp
-scpopts="-q -S ${OBJ}/scp-ssh-wrapper.scp"
-
-scpclean() {
-	rm -rf ${COPY} ${COPY2} ${DIR} ${DIR2}
-	mkdir ${DIR} ${DIR2}
-}
-
-verbose "$tid: simple copy local file to local file"
-scpclean
-$SCP $scpopts ${DATA} ${COPY} || fail "copy failed"
-cmp ${DATA} ${COPY} || fail "corrupted copy"
-
-verbose "$tid: simple copy local file to remote file"
-scpclean
-$SCP $scpopts ${DATA} somehost:${COPY} || fail "copy failed"
-cmp ${DATA} ${COPY} || fail "corrupted copy"
-
-verbose "$tid: simple copy remote file to local file"
-scpclean
-$SCP $scpopts somehost:${DATA} ${COPY} || fail "copy failed"
-cmp ${DATA} ${COPY} || fail "corrupted copy"
-
-verbose "$tid: simple copy local file to remote dir"
-scpclean
-cp ${DATA} ${COPY}
-$SCP $scpopts ${COPY} somehost:${DIR} || fail "copy failed"
-cmp ${COPY} ${DIR}/copy || fail "corrupted copy"
-
-verbose "$tid: simple copy local file to local dir"
-scpclean
-cp ${DATA} ${COPY}
-$SCP $scpopts ${COPY} ${DIR} || fail "copy failed"
-cmp ${COPY} ${DIR}/copy || fail "corrupted copy"
-
-verbose "$tid: simple copy remote file to local dir"
-scpclean
-cp ${DATA} ${COPY}
-$SCP $scpopts somehost:${COPY} ${DIR} || fail "copy failed"
-cmp ${COPY} ${DIR}/copy || fail "corrupted copy"
-
-verbose "$tid: recursive local dir to remote dir"
-scpclean
-rm -rf ${DIR2}
-cp ${DATA} ${DIR}/copy
-$SCP $scpopts -r ${DIR} somehost:${DIR2} || fail "copy failed"
-diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy"
-
-verbose "$tid: recursive local dir to local dir"
-scpclean
-rm -rf ${DIR2}
-cp ${DATA} ${DIR}/copy
-$SCP $scpopts -r ${DIR} ${DIR2} || fail "copy failed"
-diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy"
-
-verbose "$tid: recursive remote dir to local dir"
-scpclean
-rm -rf ${DIR2}
-cp ${DATA} ${DIR}/copy
-$SCP $scpopts -r somehost:${DIR} ${DIR2} || fail "copy failed"
-diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy"
-
-verbose "$tid: shell metacharacters"
-scpclean
-(cd ${DIR} && \
-touch '`touch metachartest`' && \
-$SCP $scpopts *metachar* ${DIR2} 2>/dev/null; \
-[ ! -f metachartest ] ) || fail "shell metacharacters"
-
-if [ ! -z "$SUDO" ]; then
-	verbose "$tid: skipped file after scp -p with failed chown+utimes"
-	scpclean
-	cp -p ${DATA} ${DIR}/copy
-	cp -p ${DATA} ${DIR}/copy2
-	cp ${DATA} ${DIR2}/copy
-	chmod 660 ${DIR2}/copy
-	$SUDO chown root ${DIR2}/copy
-	$SCP -p $scpopts somehost:${DIR}/\* ${DIR2} >/dev/null 2>&1
-	$SUDO diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy"
-	$SUDO rm ${DIR2}/copy
-fi
-
-for i in 0 1 2 3 4; do
-	verbose "$tid: disallow bad server #$i"
-	SCPTESTMODE=badserver_$i
-	export DIR SCPTESTMODE
-	scpclean
-	$SCP $scpopts somehost:${DATA} ${DIR} >/dev/null 2>/dev/null
-	[ -d {$DIR}/rootpathdir ] && fail "allows dir relative to root dir"
-	[ -d ${DIR}/dotpathdir ] && fail "allows dir creation in non-recursive mode"
-
-	scpclean
-	$SCP -r $scpopts somehost:${DATA} ${DIR2} >/dev/null 2>/dev/null
-	[ -d ${DIR}/dotpathdir ] && fail "allows dir creation outside of subdir"
-done
-
-verbose "$tid: detect non-directory target"
-scpclean
-echo a > ${COPY}
-echo b > ${COPY2}
-$SCP $scpopts ${DATA} ${COPY} ${COPY2}
-cmp ${COPY} ${COPY2} >/dev/null && fail "corrupt target"
-
-scpclean
-rm -f ${OBJ}/scp-ssh-wrapper.scp
diff --git a/crypto/openssh/regress/sftp-badcmds.sh b/crypto/openssh/regress/sftp-badcmds.sh
deleted file mode 100644
index eac189a..0000000
--- a/crypto/openssh/regress/sftp-badcmds.sh
+++ /dev/null
@@ -1,78 +0,0 @@
-#	$OpenBSD: sftp-badcmds.sh,v 1.2 2003/05/15 04:07:12 mouring Exp $
-#	Placed in the Public Domain.
-
-tid="sftp invalid commands"
-
-DATA=/bin/ls${EXEEXT}
-DATA2=/bin/sh${EXEEXT}
-NONEXIST=/NONEXIST.$$
-COPY=${OBJ}/copy
-GLOBFILES=`(cd /bin;echo l*)`
-
-rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd
-
-rm -f ${COPY}
-verbose "$tid: get nonexistent"
-echo "get $NONEXIST $COPY" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-	|| fail "get nonexistent failed"
-test -f ${COPY} && fail "existing copy after get nonexistent"
-
-rm -f ${COPY}.dd/*
-verbose "$tid: glob get to nonexistent directory"
-echo "get /bin/l* $NONEXIST" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-        || fail "get nonexistent failed"
-for x in $GLOBFILES; do
-        test -f ${COPY}.dd/$x && fail "existing copy after get nonexistent"
-done
-
-rm -f ${COPY}
-verbose "$tid: put nonexistent"
-echo "put $NONEXIST $COPY" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-	|| fail "put nonexistent failed"
-test -f ${COPY} && fail "existing copy after put nonexistent"
-
-rm -f ${COPY}.dd/*
-verbose "$tid: glob put to nonexistent directory"
-echo "put /bin/l* ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-        || fail "put nonexistent failed"
-for x in $GLOBFILES; do
-        test -f ${COPY}.dd/$x && fail "existing copy after nonexistent"
-done
-
-rm -f ${COPY}
-verbose "$tid: rename nonexistent"
-echo "rename $NONEXIST ${COPY}.1" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-	|| fail "rename nonexist failed"
-test -f ${COPY}.1 && fail "file exists after rename nonexistent"
-
-rm -f ${COPY} ${COPY}.1
-cp $DATA $COPY
-cp $DATA2 ${COPY}.1
-verbose "$tid: rename target exists"
-echo "rename $COPY ${COPY}.1" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-	|| fail "rename target exists failed"
-test -f ${COPY} || fail "oldname missing after rename target exists"
-test -f ${COPY}.1 || fail "newname missing after rename target exists"
-cmp $DATA ${COPY} >/dev/null 2>&1 || fail "corrupted oldname after rename target exists"
-cmp $DATA2 ${COPY}.1 >/dev/null 2>&1 || fail "corrupted newname after rename target exists"
-
-rm -rf ${COPY} ${COPY}.dd
-cp $DATA $COPY
-mkdir ${COPY}.dd
-verbose "$tid: rename target exists (directory)"
-echo "rename $COPY ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-	|| fail "rename target exists (directory) failed"
-test -f ${COPY} || fail "oldname missing after rename target exists (directory)"
-test -d ${COPY}.dd || fail "newname missing after rename target exists (directory)"
-cmp $DATA ${COPY} >/dev/null 2>&1 || fail "corrupted oldname after rename target exists (directory)"
-
-rm -f ${COPY}.dd/*
-rm -rf ${COPY}
-cp ${DATA2} ${COPY}
-verbose "$tid: glob put files to local file"
-echo "put /bin/l* $COPY" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 
-cmp ${DATA2} ${COPY} || fail "put successed when it should have failed"
-
-rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd
-
-
diff --git a/crypto/openssh/regress/sftp-batch.sh b/crypto/openssh/regress/sftp-batch.sh
deleted file mode 100644
index 365c47c..0000000
--- a/crypto/openssh/regress/sftp-batch.sh
+++ /dev/null
@@ -1,57 +0,0 @@
-#     $OpenBSD: sftp-batch.sh,v 1.3 2004/01/13 09:49:06 djm Exp $
-#	Placed in the Public Domain.
-
-tid="sftp batchfile"
-
-DATA=/bin/ls${EXEEXT}
-COPY=${OBJ}/copy
-BATCH=${OBJ}/sftp.bb
-
-rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${BATCH}.*
-
-cat << EOF > ${BATCH}.pass.1
-	get $DATA $COPY
-	put ${COPY} ${COPY}.1
-	rm ${COPY}
-	-put ${COPY} ${COPY}.2
-EOF
-
-cat << EOF > ${BATCH}.pass.2
-	# This is a comment
-
-	# That was a blank line
-	ls
-EOF
-
-cat << EOF > ${BATCH}.fail.1
-	get $DATA $COPY
-	put ${COPY} ${COPY}.3
-	rm ${COPY}.*
-	# The next command should fail
-	put ${COPY}.3 ${COPY}.4
-EOF
-
-cat << EOF > ${BATCH}.fail.2
-	# The next command should fail
-	jajajajaja
-EOF
-
-verbose "$tid: good commands"
-${SFTP} -b ${BATCH}.pass.1 -P ${SFTPSERVER} >/dev/null 2>&1 \
-	|| fail "good commands failed"
-
-verbose "$tid: bad commands"
-${SFTP} -b ${BATCH}.fail.1 -P ${SFTPSERVER} >/dev/null 2>&1 \
-	&& fail "bad commands succeeded"
-
-verbose "$tid: comments and blanks"
-${SFTP} -b ${BATCH}.pass.2 -P ${SFTPSERVER} >/dev/null 2>&1 \
-	|| fail "comments & blanks failed"
-
-verbose "$tid: junk command"
-${SFTP} -b ${BATCH}.fail.2 -P ${SFTPSERVER} >/dev/null 2>&1 \
-	&& fail "junk command succeeded"
-
-rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${BATCH}.*
-
-
diff --git a/crypto/openssh/regress/sftp-cmds.sh b/crypto/openssh/regress/sftp-cmds.sh
deleted file mode 100644
index 31b21d1..0000000
--- a/crypto/openssh/regress/sftp-cmds.sh
+++ /dev/null
@@ -1,211 +0,0 @@
-#	$OpenBSD: sftp-cmds.sh,v 1.6 2003/10/07 07:04:52 djm Exp $
-#	Placed in the Public Domain.
-
-# XXX - TODO: 
-# - chmod / chown / chgrp
-# - -p flag for get & put
-
-tid="sftp commands"
-
-DATA=/bin/ls${EXEEXT}
-COPY=${OBJ}/copy
-# test that these files are readable!
-for i in `(cd /bin;echo l*)`
-do
-	if [ -r $i ]; then
-		GLOBFILES="$GLOBFILES $i"
-	fi
-done
-
-if have_prog uname
-then
-	case `uname` in
-	CYGWIN*)
-		os=cygwin
-		;;
-	*)
-		os=`uname`
-		;;
-	esac
-else
-	os="unknown"
-fi
-
-# Path with embedded quote
-QUOTECOPY=${COPY}".\"blah\""
-QUOTECOPY_ARG=${COPY}'.\"blah\"'
-
-rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${COPY}.dd2
-mkdir ${COPY}.dd
-
-verbose "$tid: lls"
-echo "lls ${OBJ}" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-	|| fail "lls failed"
-# XXX always successful
-
-verbose "$tid: ls"
-echo "ls ${OBJ}" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-	|| fail "ls failed"
-# XXX always successful
-
-verbose "$tid: shell"
-echo "!echo hi there" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-	|| fail "shell failed"
-# XXX always successful
-
-verbose "$tid: pwd"
-echo "pwd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-	|| fail "pwd failed"
-# XXX always successful
-
-verbose "$tid: lpwd"
-echo "lpwd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-	|| fail "lpwd failed"
-# XXX always successful
-
-verbose "$tid: quit"
-echo "quit" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-	|| fail "quit failed"
-# XXX always successful
-
-verbose "$tid: help"
-echo "help" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-	|| fail "help failed"
-# XXX always successful
-
-rm -f ${COPY}
-verbose "$tid: get"
-echo "get $DATA $COPY" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-	|| fail "get failed"
-cmp $DATA ${COPY} || fail "corrupted copy after get"
-
-rm -f ${COPY}
-verbose "$tid: get quoted"
-echo "get \"$DATA\" $COPY" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-	|| fail "get failed"
-cmp $DATA ${COPY} || fail "corrupted copy after get"
-
-if [ "$os" != "cygwin" ]; then
-rm -f ${QUOTECOPY}
-cp $DATA ${QUOTECOPY}
-verbose "$tid: get filename with quotes"
-echo "get \"$QUOTECOPY_ARG\" ${COPY}" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-	|| fail "put failed"
-cmp ${COPY} ${QUOTECOPY} || fail "corrupted copy after get with quotes"
-rm -f ${QUOTECOPY} ${COPY}
-fi
-
-rm -f ${COPY}.dd/*
-verbose "$tid: get to directory"
-echo "get $DATA ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-        || fail "get failed"
-cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after get"
-
-rm -f ${COPY}.dd/*
-verbose "$tid: glob get to directory"
-echo "get /bin/l* ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-        || fail "get failed"
-for x in $GLOBFILES; do
-        cmp /bin/$x ${COPY}.dd/$x || fail "corrupted copy after get"
-done
-
-rm -f ${COPY}.dd/*
-verbose "$tid: get to local dir"
-(echo "lcd ${COPY}.dd"; echo "get $DATA" ) | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-        || fail "get failed"
-cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after get"
-
-rm -f ${COPY}.dd/*
-verbose "$tid: glob get to local dir"
-(echo "lcd ${COPY}.dd"; echo "get /bin/l*") | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-        || fail "get failed"
-for x in $GLOBFILES; do
-        cmp /bin/$x ${COPY}.dd/$x || fail "corrupted copy after get"
-done
-
-rm -f ${COPY}
-verbose "$tid: put"
-echo "put $DATA $COPY" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-	|| fail "put failed"
-cmp $DATA ${COPY} || fail "corrupted copy after put"
-
-if [ "$os" != "cygwin" ]; then
-rm -f ${QUOTECOPY}
-verbose "$tid: put filename with quotes"
-echo "put $DATA \"$QUOTECOPY_ARG\"" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-	|| fail "put failed"
-cmp $DATA ${QUOTECOPY} || fail "corrupted copy after put with quotes"
-fi
-
-rm -f ${COPY}.dd/*
-verbose "$tid: put to directory"
-echo "put $DATA ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-	|| fail "put failed"
-cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after put"
-
-rm -f ${COPY}.dd/*
-verbose "$tid: glob put to directory"
-echo "put /bin/l* ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-	|| fail "put failed"
-for x in $GLOBFILES; do
-	cmp /bin/$x ${COPY}.dd/$x || fail "corrupted copy after put"
-done
-
-rm -f ${COPY}.dd/*
-verbose "$tid: put to local dir"
-(echo "cd ${COPY}.dd"; echo "put $DATA") | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-	|| fail "put failed"
-cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after put"
-
-rm -f ${COPY}.dd/*
-verbose "$tid: glob put to local dir"
-(echo "cd ${COPY}.dd"; echo "put /bin/l*") | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-	|| fail "put failed"
-for x in $GLOBFILES; do
-        cmp /bin/$x ${COPY}.dd/$x || fail "corrupted copy after put"
-done
-
-verbose "$tid: rename"
-echo "rename $COPY ${COPY}.1" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-	|| fail "rename failed"
-test -f ${COPY}.1 || fail "missing file after rename"
-cmp $DATA ${COPY}.1 >/dev/null 2>&1 || fail "corrupted copy after rename"
-
-verbose "$tid: rename directory"
-echo "rename ${COPY}.dd ${COPY}.dd2" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-	|| fail "rename directory failed"
-test -d ${COPY}.dd && fail "oldname exists after rename directory"
-test -d ${COPY}.dd2 || fail "missing newname after rename directory"
-
-verbose "$tid: ln"
-echo "ln ${COPY}.1 ${COPY}.2" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 || fail "ln failed"
-test -h ${COPY}.2 || fail "missing file after ln"
-
-verbose "$tid: mkdir"
-echo "mkdir ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-	|| fail "mkdir failed"
-test -d ${COPY}.dd || fail "missing directory after mkdir"
-
-# XXX do more here
-verbose "$tid: chdir"
-echo "chdir ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-	|| fail "chdir failed"
-
-verbose "$tid: rmdir"
-echo "rmdir ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-	|| fail "rmdir failed"
-test -d ${COPY}.1 && fail "present directory after rmdir"
-
-verbose "$tid: lmkdir"
-echo "lmkdir ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-	|| fail "lmkdir failed"
-test -d ${COPY}.dd || fail "missing directory after lmkdir"
-
-# XXX do more here
-verbose "$tid: lchdir"
-echo "lchdir ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
-	|| fail "lchdir failed"
-
-rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${COPY}.dd2
-
-
diff --git a/crypto/openssh/regress/sftp-glob.sh b/crypto/openssh/regress/sftp-glob.sh
deleted file mode 100644
index e238356..0000000
--- a/crypto/openssh/regress/sftp-glob.sh
+++ /dev/null
@@ -1,28 +0,0 @@
-#	$OpenBSD: sftp-glob.sh,v 1.1 2004/12/10 01:31:30 fgsch Exp $
-#	Placed in the Public Domain.
-
-tid="sftp glob"
-
-BASE=${OBJ}/glob
-DIR=${BASE}/dir
-DATA=${DIR}/file
-
-rm -rf ${BASE}
-mkdir -p ${DIR}
-touch ${DATA}
-
-verbose "$tid: ls file"
-echo "ls -l ${DIR}/fil*" | ${SFTP} -P ${SFTPSERVER} 2>/dev/null | \
-	grep ${DATA} >/dev/null 2>&1
-if [ $? -ne 0 ]; then
-	fail "globbed ls file failed"
-fi
-
-verbose "$tid: ls dir"
-echo "ls -l ${BASE}/d*" | ${SFTP} -P ${SFTPSERVER} 2>/dev/null | \
-	grep file >/dev/null 2>&1
-if [ $? -ne 0 ]; then
-	fail "globbed ls dir failed"
-fi
-
-rm -rf ${BASE}
diff --git a/crypto/openssh/regress/sftp.sh b/crypto/openssh/regress/sftp.sh
deleted file mode 100644
index 0e22f8f..0000000
--- a/crypto/openssh/regress/sftp.sh
+++ /dev/null
@@ -1,35 +0,0 @@
-#	$OpenBSD: sftp.sh,v 1.2 2002/03/27 22:39:52 markus Exp $
-#	Placed in the Public Domain.
-
-tid="basic sftp put/get"
-
-DATA=/bin/ls${EXEEXT}
-COPY=${OBJ}/copy
-
-SFTPCMDFILE=${OBJ}/batch
-cat >$SFTPCMDFILE <<EOF
-version
-get $DATA ${COPY}.1
-put $DATA ${COPY}.2
-EOF
-
-BUFFERSIZE="5 1000 32000 64000"
-REQUESTS="1 2 10"
-
-for B in ${BUFFERSIZE}; do
-	for R in ${REQUESTS}; do
-                verbose "test $tid: buffer_size $B num_requests $R"
-		rm -f ${COPY}.1 ${COPY}.2                
-		${SFTP} -P ${SFTPSERVER} -B $B -R $R -b $SFTPCMDFILE \
-		> /dev/null 2>&1
-		r=$?
-		if [ $r -ne 0 ]; then
-			fail "sftp failed with $r"
-		else 
-			cmp $DATA ${COPY}.1 || fail "corrupted copy after get"
-			cmp $DATA ${COPY}.2 || fail "corrupted copy after put"
-		fi
-	done
-done
-rm -f ${COPY}.1 ${COPY}.2                
-rm -f $SFTPCMDFILE
diff --git a/crypto/openssh/regress/ssh-com-client.sh b/crypto/openssh/regress/ssh-com-client.sh
deleted file mode 100644
index 324a0a7..0000000
--- a/crypto/openssh/regress/ssh-com-client.sh
+++ /dev/null
@@ -1,134 +0,0 @@
-#	$OpenBSD: ssh-com-client.sh,v 1.6 2004/02/24 17:06:52 markus Exp $
-#	Placed in the Public Domain.
-
-tid="connect with ssh.com client"
-
-#TEST_COMBASE=/path/to/ssh/com/binaries
-if [ "X${TEST_COMBASE}" = "X" ]; then
-	fatal '$TEST_COMBASE is not set'
-fi
-
-VERSIONS="
-	2.1.0
-	2.2.0
-	2.3.0
-	2.3.1
-	2.4.0
-	3.0.0
-	3.1.0
-	3.2.0
-	3.2.2
-	3.2.3
-	3.2.5
-	3.2.9
-	3.2.9.1
-	3.3.0"
-
-# 2.0.10 2.0.12 2.0.13 don't like the test setup
-
-# setup authorized keys
-SRC=`dirname ${SCRIPT}`
-cp ${SRC}/dsa_ssh2.prv ${OBJ}/id.com
-chmod 600 ${OBJ}/id.com
-${SSHKEYGEN} -i -f ${OBJ}/id.com	> $OBJ/id.openssh
-chmod 600 ${OBJ}/id.openssh
-${SSHKEYGEN} -y -f ${OBJ}/id.openssh	> $OBJ/authorized_keys_$USER
-${SSHKEYGEN} -e -f ${OBJ}/id.openssh	> $OBJ/id.com.pub
-echo IdKey ${OBJ}/id.com > ${OBJ}/id.list
-
-# we need a DSA host key
-t=dsa
-rm -f                             ${OBJ}/$t ${OBJ}/$t.pub
-${SSHKEYGEN} -q -N '' -t $t -f	  ${OBJ}/$t
-$SUDO cp $OBJ/$t $OBJ/host.$t
-echo HostKey $OBJ/host.$t >> $OBJ/sshd_config
-
-# add hostkeys to known hosts
-mkdir -p ${OBJ}/${USER}/hostkeys
-HK=${OBJ}/${USER}/hostkeys/key_${PORT}_127.0.0.1
-${SSHKEYGEN} -e -f ${OBJ}/rsa.pub > ${HK}.ssh-rsa.pub
-${SSHKEYGEN} -e -f ${OBJ}/dsa.pub > ${HK}.ssh-dss.pub
-
-cat > ${OBJ}/ssh2_config << EOF
-*:
-	QuietMode			yes
-	StrictHostKeyChecking		yes
-	Port				${PORT}
-	User				${USER}
-	Host				127.0.0.1
-	IdentityFile			${OBJ}/id.list
-	RandomSeedFile			${OBJ}/random_seed
-        UserConfigDirectory             ${OBJ}/%U
-	AuthenticationSuccessMsg	no
-	BatchMode			yes
-	ForwardX11			no
-EOF
-
-# we need a real server (no ProxyConnect option)
-start_sshd
-
-DATA=/bin/ls${EXEEXT}
-COPY=${OBJ}/copy
-rm -f ${COPY}
-
-# go for it
-for v in ${VERSIONS}; do
-	ssh2=${TEST_COMBASE}/${v}/ssh2
-	if [ ! -x ${ssh2} ]; then
-		continue
-	fi
-	verbose "ssh2 ${v}"
-	key=ssh-dss
-	skipcat=0
-        case $v in
-        2.1.*|2.3.0)
-                skipcat=1
-                ;;
-        3.0.*)
-                key=ssh-rsa
-                ;;
-        esac
-	cp ${HK}.$key.pub ${HK}.pub
-
-	# check exit status
-	${ssh2} -q -F ${OBJ}/ssh2_config somehost exit 42
-	r=$?
-        if [ $r -ne 42 ]; then
-                fail "ssh2 ${v} exit code test failed (got $r, expected 42)"
-        fi
-
-	# data transfer
-	rm -f ${COPY}
-	${ssh2} -F ${OBJ}/ssh2_config somehost cat ${DATA} > ${COPY}
-        if [ $? -ne 0 ]; then
-                fail "ssh2 ${v} cat test (receive) failed"
-        fi
-	cmp ${DATA} ${COPY}	|| fail "ssh2 ${v} cat test (receive) data mismatch"
-
-	# data transfer, again
-	if [ $skipcat -eq 0 ]; then
-		rm -f ${COPY}
-		cat ${DATA} | \
-			${ssh2} -F ${OBJ}/ssh2_config host "cat > ${COPY}"
-		if [ $? -ne 0 ]; then
-			fail "ssh2 ${v} cat test (send) failed"
-		fi
-		cmp ${DATA} ${COPY}	|| \
-			fail "ssh2 ${v} cat test (send) data mismatch"
-	fi
-
-	# no stderr after eof
-	rm -f ${COPY}
-	${ssh2} -F ${OBJ}/ssh2_config somehost \
-		exec sh -c \'"exec > /dev/null; sleep 1; echo bla 1>&2; exit 0"\' \
-		2> /dev/null
-        if [ $? -ne 0 ]; then
-                fail "ssh2 ${v} stderr test failed"
-        fi
-done
-
-rm -rf ${OBJ}/${USER}
-for i in ssh2_config random_seed dsa.pub dsa host.dsa \
-    id.list id.com id.com.pub id.openssh; do
-	rm -f ${OBJ}/$i
-done
diff --git a/crypto/openssh/regress/ssh-com-keygen.sh b/crypto/openssh/regress/ssh-com-keygen.sh
deleted file mode 100644
index 29b02d9..0000000
--- a/crypto/openssh/regress/ssh-com-keygen.sh
+++ /dev/null
@@ -1,74 +0,0 @@
-#	$OpenBSD: ssh-com-keygen.sh,v 1.4 2004/02/24 17:06:52 markus Exp $
-#	Placed in the Public Domain.
-
-tid="ssh.com key import"
-
-#TEST_COMBASE=/path/to/ssh/com/binaries
-if [ "X${TEST_COMBASE}" = "X" ]; then
-	fatal '$TEST_COMBASE is not set'
-fi
-
-VERSIONS="
-	2.0.10
-	2.0.12
-	2.0.13
-	2.1.0
-	2.2.0
-	2.3.0
-	2.3.1
-	2.4.0
-	3.0.0
-	3.1.0
-	3.2.0
-	3.2.2
-	3.2.3
-	3.2.5
-	3.2.9
-	3.2.9.1
-	3.3.0"
-
-COMPRV=${OBJ}/comkey
-COMPUB=${COMPRV}.pub
-OPENSSHPRV=${OBJ}/opensshkey
-OPENSSHPUB=${OPENSSHPRV}.pub
-
-# go for it
-for v in ${VERSIONS}; do
-	keygen=${TEST_COMBASE}/${v}/ssh-keygen2
-	if [ ! -x ${keygen} ]; then
-		continue
-	fi
-	types="dss"
-        case $v in
-        2.3.1|3.*)
-                types="$types rsa"
-                ;;
-        esac
-	for t in $types; do
-		verbose "ssh-keygen $v/$t"
-		rm -f $COMPRV $COMPUB $OPENSSHPRV $OPENSSHPUB
-		${keygen} -q -P -t $t ${COMPRV} > /dev/null 2>&1
-		if [ $? -ne 0 ]; then
-			fail "${keygen} -t $t failed"
-			continue
-		fi
-		${SSHKEYGEN} -if ${COMPUB} > ${OPENSSHPUB}
-		if [ $? -ne 0 ]; then
-			fail "import public key ($v/$t) failed"
-			continue
-		fi
-		${SSHKEYGEN} -if ${COMPRV} > ${OPENSSHPRV}
-		if [ $? -ne 0 ]; then
-			fail "import private key ($v/$t) failed"
-			continue
-		fi
-		chmod 600 ${OPENSSHPRV}
-		${SSHKEYGEN} -yf ${OPENSSHPRV} |\
-			diff - ${OPENSSHPUB}
-		if [ $? -ne 0 ]; then
-			fail "public keys ($v/$t) differ"
-		fi
-	done
-done
-
-rm -f $COMPRV $COMPUB $OPENSSHPRV $OPENSSHPUB
diff --git a/crypto/openssh/regress/ssh-com-sftp.sh b/crypto/openssh/regress/ssh-com-sftp.sh
deleted file mode 100644
index 936b4cc..0000000
--- a/crypto/openssh/regress/ssh-com-sftp.sh
+++ /dev/null
@@ -1,67 +0,0 @@
-#	$OpenBSD: ssh-com-sftp.sh,v 1.5 2004/02/24 17:06:52 markus Exp $
-#	Placed in the Public Domain.
-
-tid="basic sftp put/get with ssh.com server"
-
-DATA=/bin/ls${EXEEXT}
-COPY=${OBJ}/copy
-SFTPCMDFILE=${OBJ}/batch
-
-cat >$SFTPCMDFILE <<EOF
-version
-get $DATA ${COPY}.1
-put $DATA ${COPY}.2
-EOF
-
-BUFFERSIZE="5 1000 32000 64000"
-REQUESTS="1 2 10"
-
-#TEST_COMBASE=/path/to/ssh/com/binaries
-if [ "X${TEST_COMBASE}" = "X" ]; then
-	fatal '$TEST_COMBASE is not set'
-fi
-
-VERSIONS="
-	2.0.10
-	2.0.12
-	2.0.13
-	2.1.0
-	2.2.0
-	2.3.0
-	2.3.1
-	2.4.0
-	3.0.0
-	3.1.0
-	3.2.0
-	3.2.2
-	3.2.3
-	3.2.5
-	3.2.9
-	3.2.9.1
-	3.3.0"
-
-# go for it
-for v in ${VERSIONS}; do
-	server=${TEST_COMBASE}/${v}/sftp-server2
-	if [ ! -x ${server} ]; then
-		continue
-	fi
-	verbose "sftp-server $v"
-	for B in ${BUFFERSIZE}; do
-		for R in ${REQUESTS}; do
-			verbose "test $tid: buffer_size $B num_requests $R"
-			rm -f ${COPY}.1 ${COPY}.2
-			${SFTP} -P ${server} -B $B -R $R -b $SFTPCMDFILE \
-			> /dev/null 2>&1
-			r=$?
-			if [ $r -ne 0 ]; then
-				fail "sftp failed with $r"
-			else                                
-				cmp $DATA ${COPY}.1 || fail "corrupted copy after get"
-				cmp $DATA ${COPY}.2 || fail "corrupted copy after put"
-			fi
-		done
-	done
-done
-rm -f ${COPY}.1 ${COPY}.2                
-rm -f $SFTPCMDFILE
diff --git a/crypto/openssh/regress/ssh-com.sh b/crypto/openssh/regress/ssh-com.sh
deleted file mode 100644
index 7bcd85b..0000000
--- a/crypto/openssh/regress/ssh-com.sh
+++ /dev/null
@@ -1,119 +0,0 @@
-#	$OpenBSD: ssh-com.sh,v 1.7 2004/02/24 17:06:52 markus Exp $
-#	Placed in the Public Domain.
-
-tid="connect to ssh.com server"
-
-#TEST_COMBASE=/path/to/ssh/com/binaries
-if [ "X${TEST_COMBASE}" = "X" ]; then
-	fatal '$TEST_COMBASE is not set'
-fi
-
-VERSIONS="
-	2.0.12
-	2.0.13
-	2.1.0
-	2.2.0
-	2.3.0
-	2.4.0
-	3.0.0
-	3.1.0
-	3.2.0
-	3.2.2
-	3.2.3
-	3.2.5
-	3.2.9
-	3.2.9.1
-	3.3.0"
-# 2.0.10 does not support UserConfigDirectory
-# 2.3.1 requires a config in $HOME/.ssh2
-
-SRC=`dirname ${SCRIPT}`
-
-# ssh.com
-cat << EOF > $OBJ/sshd2_config
-#*:
-	# Port and ListenAddress are not used.
-	QuietMode			yes
-	Port				4343
-	ListenAddress			127.0.0.1
-	UserConfigDirectory		${OBJ}/%U
-	Ciphers				AnyCipher
-	PubKeyAuthentication		yes
-	#AllowedAuthentications		publickey
-	AuthorizationFile		authorization
-	HostKeyFile			${SRC}/dsa_ssh2.prv
-	PublicHostKeyFile		${SRC}/dsa_ssh2.pub
-	RandomSeedFile			${OBJ}/random_seed
-	MaxConnections			0 
-	PermitRootLogin			yes
-	VerboseMode			no
-	CheckMail			no
-	Ssh1Compatibility		no
-EOF
-
-# create client config 
-sed "s/HostKeyAlias.*/HostKeyAlias ssh2-localhost-with-alias/" \
-	< $OBJ/ssh_config > $OBJ/ssh_config_com
-
-# we need a DSA key for
-rm -f                             ${OBJ}/dsa ${OBJ}/dsa.pub
-${SSHKEYGEN} -q -N '' -t dsa -f	  ${OBJ}/dsa
-
-# setup userdir, try rsa first
-mkdir -p ${OBJ}/${USER}
-cp /dev/null ${OBJ}/${USER}/authorization
-for t in rsa dsa; do
-	${SSHKEYGEN} -e -f ${OBJ}/$t.pub	>  ${OBJ}/${USER}/$t.com
-	echo Key $t.com			>> ${OBJ}/${USER}/authorization
-	echo IdentityFile ${OBJ}/$t	>> ${OBJ}/ssh_config_com
-done
-
-# convert and append DSA hostkey
-(
-	echon 'ssh2-localhost-with-alias,127.0.0.1,::1 '
-	${SSHKEYGEN} -if ${SRC}/dsa_ssh2.pub
-) >> $OBJ/known_hosts
-
-# go for it
-for v in ${VERSIONS}; do
-	sshd2=${TEST_COMBASE}/${v}/sshd2
-	if [ ! -x ${sshd2} ]; then
-		continue
-	fi
-	trace "sshd2 ${v}"
-	PROXY="proxycommand ${sshd2} -qif ${OBJ}/sshd2_config 2> /dev/null"
-	${SSH} -qF ${OBJ}/ssh_config_com -o "${PROXY}" dummy exit 0
-        if [ $? -ne 0 ]; then
-                fail "ssh connect to sshd2 ${v} failed"
-        fi
-
-	ciphers="3des-cbc blowfish-cbc arcfour"
-	macs="hmac-md5"
-	case $v in
-	2.4.*)
-		ciphers="$ciphers cast128-cbc"
-		macs="$macs hmac-sha1 hmac-sha1-96 hmac-md5-96"
-		;;
-	3.*)
-		ciphers="$ciphers aes128-cbc cast128-cbc"
-		macs="$macs hmac-sha1 hmac-sha1-96 hmac-md5-96"
-		;;
-	esac
-	#ciphers="3des-cbc"
-	for m in $macs; do
-	for c in $ciphers; do
-		trace "sshd2 ${v} cipher $c mac $m"
-		verbose "test ${tid}: sshd2 ${v} cipher $c mac $m"
-		${SSH} -c $c -m $m -qF ${OBJ}/ssh_config_com -o "${PROXY}" dummy exit 0
-		if [ $? -ne 0 ]; then
-			fail "ssh connect to sshd2 ${v} with $c/$m failed"
-		fi
-	done
-	done
-done
-
-rm -rf ${OBJ}/${USER}
-for i in sshd_config_proxy ssh_config_proxy random_seed \
-	sshd2_config dsa.pub dsa ssh_config_com; do
-	rm -f ${OBJ}/$i
-done
diff --git a/crypto/openssh/regress/sshd-log-wrapper.sh b/crypto/openssh/regress/sshd-log-wrapper.sh
deleted file mode 100644
index c7a5ef3..0000000
--- a/crypto/openssh/regress/sshd-log-wrapper.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/sh
-#       $OpenBSD: sshd-log-wrapper.sh,v 1.2 2005/02/27 11:40:30 dtucker Exp $
-#       Placed in the Public Domain.
-#
-# simple wrapper for sshd proxy mode to catch stderr output
-# sh sshd-log-wrapper.sh /path/to/sshd /path/to/logfile
-
-sshd=$1
-log=$2
-shift
-shift
-
-exec $sshd $@ -e 2>>$log
diff --git a/crypto/openssh/regress/stderr-after-eof.sh b/crypto/openssh/regress/stderr-after-eof.sh
deleted file mode 100644
index 05a5ea5..0000000
--- a/crypto/openssh/regress/stderr-after-eof.sh
+++ /dev/null
@@ -1,40 +0,0 @@
-#	$OpenBSD: stderr-after-eof.sh,v 1.1 2002/03/23 16:38:09 markus Exp $
-#	Placed in the Public Domain.
-
-tid="stderr data after eof"
-
-DATA=/etc/motd
-DATA=${OBJ}/data
-COPY=${OBJ}/copy
-
-if have_prog md5sum; then
-	CHECKSUM=md5sum
-elif have_prog openssl; then
-	CHECKSUM="openssl md5"
-elif have_prog cksum; then
-	CHECKSUM=cksum
-elif have_prog sum; then
-	CHECKSUM=sum
-else
-	fatal "No checksum program available, aborting $tid test"
-fi
-
-# setup data
-rm -f ${DATA} ${COPY}
-cp /dev/null ${DATA}
-for i in 1 2 3 4 5 6; do
-	(date;echo $i) | $CHECKSUM >> ${DATA}
-done
-
-${SSH} -2 -F $OBJ/ssh_proxy otherhost \
-	exec sh -c \'"exec > /dev/null; sleep 2; cat ${DATA} 1>&2 $s"\' \
-	2> ${COPY}
-r=$?
-if [ $r -ne 0 ]; then
-	fail "ssh failed with exit code $r"
-fi
-egrep 'Disconnecting: Received extended_data after EOF' ${COPY} &&
-	fail "ext data received after eof"
-cmp ${DATA} ${COPY}	|| fail "stderr corrupt"
-
-rm -f ${DATA} ${COPY}
diff --git a/crypto/openssh/regress/stderr-data.sh b/crypto/openssh/regress/stderr-data.sh
deleted file mode 100644
index 1daf79b..0000000
--- a/crypto/openssh/regress/stderr-data.sh
+++ /dev/null
@@ -1,33 +0,0 @@
-#	$OpenBSD: stderr-data.sh,v 1.2 2002/03/27 22:39:52 markus Exp $
-#	Placed in the Public Domain.
-
-tid="stderr data transfer"
-
-DATA=/bin/ls${EXEEXT}
-COPY=${OBJ}/copy
-rm -f ${COPY}
-
-for n in '' -n; do
-for p in 1 2; do
-	verbose "test $tid: proto $p ($n)"
-	${SSH} $n -$p -F $OBJ/ssh_proxy otherhost \
-		exec sh -c \'"exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \
-		2> ${COPY}
-	r=$?
-	if [ $r -ne 0 ]; then
-		fail "ssh failed with exit code $r"
-	fi
-	cmp ${DATA} ${COPY}	|| fail "stderr corrupt"
-	rm -f ${COPY}
-
-	${SSH} $n -$p -F $OBJ/ssh_proxy otherhost \
-		exec sh -c \'"echo a; exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \
-		> /dev/null 2> ${COPY}
-	r=$?
-	if [ $r -ne 0 ]; then
-		fail "ssh failed with exit code $r"
-	fi
-	cmp ${DATA} ${COPY}	|| fail "stderr corrupt"
-	rm -f ${COPY}
-done
-done
diff --git a/crypto/openssh/regress/t4.ok b/crypto/openssh/regress/t4.ok
deleted file mode 100644
index 8c4942b..0000000
--- a/crypto/openssh/regress/t4.ok
+++ /dev/null
@@ -1 +0,0 @@
-3b:dd:44:e9:49:18:84:95:f1:e7:33:6b:9d:93:b1:36
diff --git a/crypto/openssh/regress/t5.ok b/crypto/openssh/regress/t5.ok
deleted file mode 100644
index bd622f3..0000000
--- a/crypto/openssh/regress/t5.ok
+++ /dev/null
@@ -1 +0,0 @@
-xokes-lylis-byleh-zebib-kalus-bihas-tevah-haroz-suhar-foved-noxex
diff --git a/crypto/openssh/regress/test-exec.sh b/crypto/openssh/regress/test-exec.sh
deleted file mode 100644
index 59ae33c..0000000
--- a/crypto/openssh/regress/test-exec.sh
+++ /dev/null
@@ -1,307 +0,0 @@
-#	$OpenBSD: test-exec.sh,v 1.28 2005/05/20 23:14:15 djm Exp $
-#	Placed in the Public Domain.
-
-#SUDO=sudo
-
-# Unbreak GNU head(1)
-_POSIX2_VERSION=199209
-export _POSIX2_VERSION
-
-case `uname -s 2>/dev/null` in
-OSF1*)
-	BIN_SH=xpg4
-	export BIN_SH
-	;;
-esac
-
-if [ ! -z "$TEST_SSH_PORT" ]; then
-	PORT="$TEST_SSH_PORT"
-else
-	PORT=4242
-fi
-
-if [ -x /usr/ucb/whoami ]; then
-	USER=`/usr/ucb/whoami`
-elif whoami >/dev/null 2>&1; then
-	USER=`whoami`
-elif logname >/dev/null 2>&1; then
-	USER=`logname`
-else
-	USER=`id -un`
-fi
-
-OBJ=$1
-if [ "x$OBJ" = "x" ]; then
-	echo '$OBJ not defined'
-	exit 2
-fi
-if [ ! -d $OBJ ]; then
-	echo "not a directory: $OBJ"
-	exit 2
-fi
-SCRIPT=$2
-if [ "x$SCRIPT" = "x" ]; then
-	echo '$SCRIPT not defined'
-	exit 2
-fi
-if [ ! -f $SCRIPT ]; then
-	echo "not a file: $SCRIPT"
-	exit 2
-fi
-if $TEST_SHELL -n $SCRIPT; then
-	true
-else
-	echo "syntax error in $SCRIPT"
-	exit 2
-fi
-unset SSH_AUTH_SOCK
-
-SRC=`dirname ${SCRIPT}`
-
-# defaults
-SSH=ssh
-SSHD=sshd
-SSHAGENT=ssh-agent
-SSHADD=ssh-add
-SSHKEYGEN=ssh-keygen
-SSHKEYSCAN=ssh-keyscan
-SFTP=sftp
-SFTPSERVER=/usr/libexec/openssh/sftp-server
-SCP=scp
-
-if [ "x$TEST_SSH_SSH" != "x" ]; then
-	SSH="${TEST_SSH_SSH}"
-fi
-if [ "x$TEST_SSH_SSHD" != "x" ]; then
-	SSHD="${TEST_SSH_SSHD}"
-fi
-if [ "x$TEST_SSH_SSHAGENT" != "x" ]; then
-	SSHAGENT="${TEST_SSH_SSHAGENT}"
-fi
-if [ "x$TEST_SSH_SSHADD" != "x" ]; then
-	SSHADD="${TEST_SSH_SSHADD}"
-fi
-if [ "x$TEST_SSH_SSHKEYGEN" != "x" ]; then
-	SSHKEYGEN="${TEST_SSH_SSHKEYGEN}"
-fi
-if [ "x$TEST_SSH_SSHKEYSCAN" != "x" ]; then
-	SSHKEYSCAN="${TEST_SSH_SSHKEYSCAN}"
-fi
-if [ "x$TEST_SSH_SFTP" != "x" ]; then
-	SFTP="${TEST_SSH_SFTP}"
-fi
-if [ "x$TEST_SSH_SFTPSERVER" != "x" ]; then
-	SFTPSERVER="${TEST_SSH_SFTPSERVER}"
-fi
-if [ "x$TEST_SSH_SCP" != "x" ]; then
-	SCP="${TEST_SSH_SCP}"
-fi
-
-# Path to sshd must be absolute for rexec
-case "$SSHD" in
-/*) ;;
-*) SSHD=`which sshd` ;;
-esac
-
-if [ "x$TEST_SSH_LOGFILE" = "x" ]; then
-	TEST_SSH_LOGFILE=/dev/null
-fi
-
-# these should be used in tests
-export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP
-#echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP
-
-# helper
-echon()
-{
-       if [ "x`echo -n`" = "x" ]; then
-               echo -n "$@"
-       elif [ "x`echo '\c'`" = "x" ]; then
-               echo "$@\c"
-       else
-               fatal "Don't know how to echo without newline."
-       fi
-}
-
-have_prog()
-{
-	saved_IFS="$IFS"
-	IFS=":"
-	for i in $PATH
-	do
-		if [ -x $i/$1 ]; then
-			IFS="$saved_IFS"
-			return 0
-		fi
-	done
-	IFS="$saved_IFS"
-	return 1
-}
-
-cleanup ()
-{
-	if [ -f $PIDFILE ]; then
-		pid=`cat $PIDFILE`
-		if [ "X$pid" = "X" ]; then
-			echo no sshd running
-		else
-			if [ $pid -lt 2 ]; then
-				echo bad pid for ssd: $pid
-			else
-				$SUDO kill $pid
-			fi
-		fi
-	fi
-}
-
-trace ()
-{
-	echo "trace: $@" >>$TEST_SSH_LOGFILE
-	if [ "X$TEST_SSH_TRACE" = "Xyes" ]; then
-		echo "$@"
-	fi
-}
-
-verbose ()
-{
-	echo "verbose: $@" >>$TEST_SSH_LOGFILE
-	if [ "X$TEST_SSH_QUIET" != "Xyes" ]; then
-		echo "$@"
-	fi
-}
-
-
-fail ()
-{
-	echo "FAIL: $@" >>$TEST_SSH_LOGFILE
-	RESULT=1
-	echo "$@"
-}
-
-fatal ()
-{
-	echo "FATAL: $@" >>$TEST_SSH_LOGFILE
-	echon "FATAL: "
-	fail "$@"
-	cleanup
-	exit $RESULT
-}
-
-RESULT=0
-PIDFILE=$OBJ/pidfile
-
-trap fatal 3 2
-
-# create server config
-cat << EOF > $OBJ/sshd_config
-	StrictModes		no
-	Port			$PORT
-	AddressFamily		inet
-	ListenAddress		127.0.0.1
-	#ListenAddress		::1
-	PidFile			$PIDFILE
-	AuthorizedKeysFile	$OBJ/authorized_keys_%u
-	LogLevel		VERBOSE
-	AcceptEnv		_XXX_TEST_*
-	AcceptEnv		_XXX_TEST
-	Subsystem	sftp	$SFTPSERVER
-EOF
-
-if [ ! -z "$TEST_SSH_SSHD_CONFOPTS" ]; then
-	trace "adding sshd_config option $TEST_SSH_SSHD_CONFOPTS"
-	echo "$TEST_SSH_SSHD_CONFOPTS" >> $OBJ/sshd_config
-fi
-
-# server config for proxy connects
-cp $OBJ/sshd_config $OBJ/sshd_proxy
-
-# allow group-writable directories in proxy-mode
-echo 'StrictModes no' >> $OBJ/sshd_proxy
-
-# create client config
-cat << EOF > $OBJ/ssh_config
-Host *
-	Hostname		127.0.0.1
-	HostKeyAlias		localhost-with-alias
-	Port			$PORT
-	User			$USER
-	GlobalKnownHostsFile	$OBJ/known_hosts
-	UserKnownHostsFile	$OBJ/known_hosts
-	RSAAuthentication	yes
-	PubkeyAuthentication	yes
-	ChallengeResponseAuthentication	no
-	HostbasedAuthentication	no
-	PasswordAuthentication	no
-	BatchMode		yes
-	StrictHostKeyChecking	yes
-EOF
-
-if [ ! -z "$TEST_SSH_SSH_CONFOPTS" ]; then
-	trace "adding ssh_config option $TEST_SSH_SSHD_CONFOPTS"
-	echo "$TEST_SSH_SSH_CONFOPTS" >> $OBJ/ssh_config
-fi
-
-rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER
-
-trace "generate keys"
-for t in rsa rsa1; do
-	# generate user key
-	rm -f $OBJ/$t
-	${SSHKEYGEN} -b 1024 -q -N '' -t $t  -f $OBJ/$t ||\
-		fail "ssh-keygen for $t failed"
-
-	# known hosts file for client
-	(
-		echon 'localhost-with-alias,127.0.0.1,::1 '
-		cat $OBJ/$t.pub
-	) >> $OBJ/known_hosts
-
-	# setup authorized keys
-	cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
-	echo IdentityFile $OBJ/$t >> $OBJ/ssh_config
-
-	# use key as host key, too
-	$SUDO cp $OBJ/$t $OBJ/host.$t
-	echo HostKey $OBJ/host.$t >> $OBJ/sshd_config
-
-	# don't use SUDO for proxy connect
-	echo HostKey $OBJ/$t >> $OBJ/sshd_proxy
-done
-chmod 644 $OBJ/authorized_keys_$USER
-
-# create a proxy version of the client config
-(
-	cat $OBJ/ssh_config
-	echo proxycommand ${SUDO} sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy
-) > $OBJ/ssh_proxy
-
-# check proxy config
-${SSHD} -t -f $OBJ/sshd_proxy	|| fatal "sshd_proxy broken"
-
-start_sshd ()
-{
-	# start sshd
-	$SUDO ${SSHD} -f $OBJ/sshd_config -t	|| fatal "sshd_config broken"
-	$SUDO ${SSHD} -f $OBJ/sshd_config -e >>$TEST_SSH_LOGFILE 2>&1
-
-	trace "wait for sshd"
-	i=0;
-	while [ ! -f $PIDFILE -a $i -lt 10 ]; do
-		i=`expr $i + 1`
-		sleep $i
-	done
-
-	test -f $PIDFILE || fatal "no sshd running on port $PORT"
-}
-
-# source test body
-. $SCRIPT
-
-# kill sshd
-cleanup
-if [ $RESULT -eq 0 ]; then
-	verbose ok $tid
-else
-	echo failed $tid
-fi
-exit $RESULT
diff --git a/crypto/openssh/regress/transfer.sh b/crypto/openssh/regress/transfer.sh
deleted file mode 100644
index 13ea367..0000000
--- a/crypto/openssh/regress/transfer.sh
+++ /dev/null
@@ -1,29 +0,0 @@
-#	$OpenBSD: transfer.sh,v 1.1 2002/03/27 00:03:37 markus Exp $
-#	Placed in the Public Domain.
-
-tid="transfer data"
-
-DATA=/bin/ls${EXEEXT}
-COPY=${OBJ}/copy
-
-for p in 1 2; do
-	verbose "$tid: proto $p"
-	rm -f ${COPY}
-	${SSH} -n -q -$p -F $OBJ/ssh_proxy somehost cat ${DATA} > ${COPY}
-	if [ $? -ne 0 ]; then
-		fail "ssh cat $DATA failed"
-	fi
-	cmp ${DATA} ${COPY}		|| fail "corrupted copy"
-
-	for s in 10 100 1k 32k 64k 128k 256k; do
-		trace "proto $p dd-size ${s}"
-		rm -f ${COPY}
-		dd if=$DATA obs=${s} 2> /dev/null | \
-			${SSH} -q -$p -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
-		if [ $? -ne 0 ]; then
-			fail "ssh cat $DATA failed"
-		fi
-		cmp $DATA ${COPY}		|| fail "corrupted copy"
-	done
-done
-rm -f ${COPY}
diff --git a/crypto/openssh/regress/try-ciphers.sh b/crypto/openssh/regress/try-ciphers.sh
deleted file mode 100644
index 379fe35..0000000
--- a/crypto/openssh/regress/try-ciphers.sh
+++ /dev/null
@@ -1,49 +0,0 @@
-#	$OpenBSD: try-ciphers.sh,v 1.10 2005/05/24 04:10:54 djm Exp $
-#	Placed in the Public Domain.
-
-tid="try ciphers"
-
-ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc 
-	arcfour128 arcfour256 arcfour 
-	aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
-	aes128-ctr aes192-ctr aes256-ctr"
-macs="hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96"
-
-for c in $ciphers; do
-	for m in $macs; do
-		trace "proto 2 cipher $c mac $m"
-		verbose "test $tid: proto 2 cipher $c mac $m"
-		${SSH} -F $OBJ/ssh_proxy -2 -m $m -c $c somehost true
-		if [ $? -ne 0 ]; then
-			fail "ssh -2 failed with mac $m cipher $c"
-		fi
-	done
-done
-
-ciphers="3des blowfish"
-for c in $ciphers; do
-	trace "proto 1 cipher $c"
-	verbose "test $tid: proto 1 cipher $c"
-	${SSH} -F $OBJ/ssh_proxy -1 -c $c somehost true
-	if [ $? -ne 0 ]; then
-		fail "ssh -1 failed with cipher $c"
-	fi
-done
-
-if ${SSH} -oCiphers=acss@openssh.org 2>&1 | grep "Bad SSH2 cipher" >/dev/null
-then
-	:
-else
-
-echo "Ciphers acss@openssh.org" >> $OBJ/sshd_proxy
-c=acss@openssh.org
-for m in $macs; do
-	trace "proto 2 $c mac $m"
-	verbose "test $tid: proto 2 cipher $c mac $m"
-	${SSH} -F $OBJ/ssh_proxy -2 -m $m -c $c somehost true
-	if [ $? -ne 0 ]; then
-		fail "ssh -2 failed with mac $m cipher $c"
-	fi
-done
-
-fi
diff --git a/crypto/openssh/regress/yes-head.sh b/crypto/openssh/regress/yes-head.sh
deleted file mode 100644
index a8e6bc8..0000000
--- a/crypto/openssh/regress/yes-head.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#	$OpenBSD: yes-head.sh,v 1.4 2002/03/15 13:08:56 markus Exp $
-#	Placed in the Public Domain.
-
-tid="yes pipe head"
-
-for p in 1 2; do
-	lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)`
-	if [ $? -ne 0 ]; then
-		fail "yes|head test failed"
-		lines = 0;
-	fi
-	if [ $lines -ne 2000 ]; then
-		fail "yes|head returns $lines lines instead of 2000"
-	fi
-done
diff --git a/crypto/openssh/rijndael.c b/crypto/openssh/rijndael.c
deleted file mode 100644
index 7432ea2..0000000
--- a/crypto/openssh/rijndael.c
+++ /dev/null
@@ -1,1244 +0,0 @@
-/*	$OpenBSD: rijndael.c,v 1.16 2004/06/23 00:39:38 mouring Exp $ */
-
-/**
- * rijndael-alg-fst.c
- *
- * @version 3.0 (December 2000)
- *
- * Optimised ANSI C code for the Rijndael cipher (now AES)
- *
- * @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
- * @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
- * @author Paulo Barreto <paulo.barreto@terra.com.br>
- *
- * This code is hereby placed in the public domain.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
- * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
- * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
- * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
- * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-#include "includes.h"
-
-#include <stdlib.h>
-#include <string.h>
-
-#include "rijndael.h"
-
-#define FULL_UNROLL
-
-/*
-Te0[x] = S [x].[02, 01, 01, 03];
-Te1[x] = S [x].[03, 02, 01, 01];
-Te2[x] = S [x].[01, 03, 02, 01];
-Te3[x] = S [x].[01, 01, 03, 02];
-Te4[x] = S [x].[01, 01, 01, 01];
-
-Td0[x] = Si[x].[0e, 09, 0d, 0b];
-Td1[x] = Si[x].[0b, 0e, 09, 0d];
-Td2[x] = Si[x].[0d, 0b, 0e, 09];
-Td3[x] = Si[x].[09, 0d, 0b, 0e];
-Td4[x] = Si[x].[01, 01, 01, 01];
-*/
-
-static const u32 Te0[256] = {
-    0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU,
-    0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U,
-    0x60303050U, 0x02010103U, 0xce6767a9U, 0x562b2b7dU,
-    0xe7fefe19U, 0xb5d7d762U, 0x4dababe6U, 0xec76769aU,
-    0x8fcaca45U, 0x1f82829dU, 0x89c9c940U, 0xfa7d7d87U,
-    0xeffafa15U, 0xb25959ebU, 0x8e4747c9U, 0xfbf0f00bU,
-    0x41adadecU, 0xb3d4d467U, 0x5fa2a2fdU, 0x45afafeaU,
-    0x239c9cbfU, 0x53a4a4f7U, 0xe4727296U, 0x9bc0c05bU,
-    0x75b7b7c2U, 0xe1fdfd1cU, 0x3d9393aeU, 0x4c26266aU,
-    0x6c36365aU, 0x7e3f3f41U, 0xf5f7f702U, 0x83cccc4fU,
-    0x6834345cU, 0x51a5a5f4U, 0xd1e5e534U, 0xf9f1f108U,
-    0xe2717193U, 0xabd8d873U, 0x62313153U, 0x2a15153fU,
-    0x0804040cU, 0x95c7c752U, 0x46232365U, 0x9dc3c35eU,
-    0x30181828U, 0x379696a1U, 0x0a05050fU, 0x2f9a9ab5U,
-    0x0e070709U, 0x24121236U, 0x1b80809bU, 0xdfe2e23dU,
-    0xcdebeb26U, 0x4e272769U, 0x7fb2b2cdU, 0xea75759fU,
-    0x1209091bU, 0x1d83839eU, 0x582c2c74U, 0x341a1a2eU,
-    0x361b1b2dU, 0xdc6e6eb2U, 0xb45a5aeeU, 0x5ba0a0fbU,
-    0xa45252f6U, 0x763b3b4dU, 0xb7d6d661U, 0x7db3b3ceU,
-    0x5229297bU, 0xdde3e33eU, 0x5e2f2f71U, 0x13848497U,
-    0xa65353f5U, 0xb9d1d168U, 0x00000000U, 0xc1eded2cU,
-    0x40202060U, 0xe3fcfc1fU, 0x79b1b1c8U, 0xb65b5bedU,
-    0xd46a6abeU, 0x8dcbcb46U, 0x67bebed9U, 0x7239394bU,
-    0x944a4adeU, 0x984c4cd4U, 0xb05858e8U, 0x85cfcf4aU,
-    0xbbd0d06bU, 0xc5efef2aU, 0x4faaaae5U, 0xedfbfb16U,
-    0x864343c5U, 0x9a4d4dd7U, 0x66333355U, 0x11858594U,
-    0x8a4545cfU, 0xe9f9f910U, 0x04020206U, 0xfe7f7f81U,
-    0xa05050f0U, 0x783c3c44U, 0x259f9fbaU, 0x4ba8a8e3U,
-    0xa25151f3U, 0x5da3a3feU, 0x804040c0U, 0x058f8f8aU,
-    0x3f9292adU, 0x219d9dbcU, 0x70383848U, 0xf1f5f504U,
-    0x63bcbcdfU, 0x77b6b6c1U, 0xafdada75U, 0x42212163U,
-    0x20101030U, 0xe5ffff1aU, 0xfdf3f30eU, 0xbfd2d26dU,
-    0x81cdcd4cU, 0x180c0c14U, 0x26131335U, 0xc3ecec2fU,
-    0xbe5f5fe1U, 0x359797a2U, 0x884444ccU, 0x2e171739U,
-    0x93c4c457U, 0x55a7a7f2U, 0xfc7e7e82U, 0x7a3d3d47U,
-    0xc86464acU, 0xba5d5de7U, 0x3219192bU, 0xe6737395U,
-    0xc06060a0U, 0x19818198U, 0x9e4f4fd1U, 0xa3dcdc7fU,
-    0x44222266U, 0x542a2a7eU, 0x3b9090abU, 0x0b888883U,
-    0x8c4646caU, 0xc7eeee29U, 0x6bb8b8d3U, 0x2814143cU,
-    0xa7dede79U, 0xbc5e5ee2U, 0x160b0b1dU, 0xaddbdb76U,
-    0xdbe0e03bU, 0x64323256U, 0x743a3a4eU, 0x140a0a1eU,
-    0x924949dbU, 0x0c06060aU, 0x4824246cU, 0xb85c5ce4U,
-    0x9fc2c25dU, 0xbdd3d36eU, 0x43acacefU, 0xc46262a6U,
-    0x399191a8U, 0x319595a4U, 0xd3e4e437U, 0xf279798bU,
-    0xd5e7e732U, 0x8bc8c843U, 0x6e373759U, 0xda6d6db7U,
-    0x018d8d8cU, 0xb1d5d564U, 0x9c4e4ed2U, 0x49a9a9e0U,
-    0xd86c6cb4U, 0xac5656faU, 0xf3f4f407U, 0xcfeaea25U,
-    0xca6565afU, 0xf47a7a8eU, 0x47aeaee9U, 0x10080818U,
-    0x6fbabad5U, 0xf0787888U, 0x4a25256fU, 0x5c2e2e72U,
-    0x381c1c24U, 0x57a6a6f1U, 0x73b4b4c7U, 0x97c6c651U,
-    0xcbe8e823U, 0xa1dddd7cU, 0xe874749cU, 0x3e1f1f21U,
-    0x964b4bddU, 0x61bdbddcU, 0x0d8b8b86U, 0x0f8a8a85U,
-    0xe0707090U, 0x7c3e3e42U, 0x71b5b5c4U, 0xcc6666aaU,
-    0x904848d8U, 0x06030305U, 0xf7f6f601U, 0x1c0e0e12U,
-    0xc26161a3U, 0x6a35355fU, 0xae5757f9U, 0x69b9b9d0U,
-    0x17868691U, 0x99c1c158U, 0x3a1d1d27U, 0x279e9eb9U,
-    0xd9e1e138U, 0xebf8f813U, 0x2b9898b3U, 0x22111133U,
-    0xd26969bbU, 0xa9d9d970U, 0x078e8e89U, 0x339494a7U,
-    0x2d9b9bb6U, 0x3c1e1e22U, 0x15878792U, 0xc9e9e920U,
-    0x87cece49U, 0xaa5555ffU, 0x50282878U, 0xa5dfdf7aU,
-    0x038c8c8fU, 0x59a1a1f8U, 0x09898980U, 0x1a0d0d17U,
-    0x65bfbfdaU, 0xd7e6e631U, 0x844242c6U, 0xd06868b8U,
-    0x824141c3U, 0x299999b0U, 0x5a2d2d77U, 0x1e0f0f11U,
-    0x7bb0b0cbU, 0xa85454fcU, 0x6dbbbbd6U, 0x2c16163aU,
-};
-static const u32 Te1[256] = {
-    0xa5c66363U, 0x84f87c7cU, 0x99ee7777U, 0x8df67b7bU,
-    0x0dfff2f2U, 0xbdd66b6bU, 0xb1de6f6fU, 0x5491c5c5U,
-    0x50603030U, 0x03020101U, 0xa9ce6767U, 0x7d562b2bU,
-    0x19e7fefeU, 0x62b5d7d7U, 0xe64dababU, 0x9aec7676U,
-    0x458fcacaU, 0x9d1f8282U, 0x4089c9c9U, 0x87fa7d7dU,
-    0x15effafaU, 0xebb25959U, 0xc98e4747U, 0x0bfbf0f0U,
-    0xec41adadU, 0x67b3d4d4U, 0xfd5fa2a2U, 0xea45afafU,
-    0xbf239c9cU, 0xf753a4a4U, 0x96e47272U, 0x5b9bc0c0U,
-    0xc275b7b7U, 0x1ce1fdfdU, 0xae3d9393U, 0x6a4c2626U,
-    0x5a6c3636U, 0x417e3f3fU, 0x02f5f7f7U, 0x4f83ccccU,
-    0x5c683434U, 0xf451a5a5U, 0x34d1e5e5U, 0x08f9f1f1U,
-    0x93e27171U, 0x73abd8d8U, 0x53623131U, 0x3f2a1515U,
-    0x0c080404U, 0x5295c7c7U, 0x65462323U, 0x5e9dc3c3U,
-    0x28301818U, 0xa1379696U, 0x0f0a0505U, 0xb52f9a9aU,
-    0x090e0707U, 0x36241212U, 0x9b1b8080U, 0x3ddfe2e2U,
-    0x26cdebebU, 0x694e2727U, 0xcd7fb2b2U, 0x9fea7575U,
-    0x1b120909U, 0x9e1d8383U, 0x74582c2cU, 0x2e341a1aU,
-    0x2d361b1bU, 0xb2dc6e6eU, 0xeeb45a5aU, 0xfb5ba0a0U,
-    0xf6a45252U, 0x4d763b3bU, 0x61b7d6d6U, 0xce7db3b3U,
-    0x7b522929U, 0x3edde3e3U, 0x715e2f2fU, 0x97138484U,
-    0xf5a65353U, 0x68b9d1d1U, 0x00000000U, 0x2cc1ededU,
-    0x60402020U, 0x1fe3fcfcU, 0xc879b1b1U, 0xedb65b5bU,
-    0xbed46a6aU, 0x468dcbcbU, 0xd967bebeU, 0x4b723939U,
-    0xde944a4aU, 0xd4984c4cU, 0xe8b05858U, 0x4a85cfcfU,
-    0x6bbbd0d0U, 0x2ac5efefU, 0xe54faaaaU, 0x16edfbfbU,
-    0xc5864343U, 0xd79a4d4dU, 0x55663333U, 0x94118585U,
-    0xcf8a4545U, 0x10e9f9f9U, 0x06040202U, 0x81fe7f7fU,
-    0xf0a05050U, 0x44783c3cU, 0xba259f9fU, 0xe34ba8a8U,
-    0xf3a25151U, 0xfe5da3a3U, 0xc0804040U, 0x8a058f8fU,
-    0xad3f9292U, 0xbc219d9dU, 0x48703838U, 0x04f1f5f5U,
-    0xdf63bcbcU, 0xc177b6b6U, 0x75afdadaU, 0x63422121U,
-    0x30201010U, 0x1ae5ffffU, 0x0efdf3f3U, 0x6dbfd2d2U,
-    0x4c81cdcdU, 0x14180c0cU, 0x35261313U, 0x2fc3ececU,
-    0xe1be5f5fU, 0xa2359797U, 0xcc884444U, 0x392e1717U,
-    0x5793c4c4U, 0xf255a7a7U, 0x82fc7e7eU, 0x477a3d3dU,
-    0xacc86464U, 0xe7ba5d5dU, 0x2b321919U, 0x95e67373U,
-    0xa0c06060U, 0x98198181U, 0xd19e4f4fU, 0x7fa3dcdcU,
-    0x66442222U, 0x7e542a2aU, 0xab3b9090U, 0x830b8888U,
-    0xca8c4646U, 0x29c7eeeeU, 0xd36bb8b8U, 0x3c281414U,
-    0x79a7dedeU, 0xe2bc5e5eU, 0x1d160b0bU, 0x76addbdbU,
-    0x3bdbe0e0U, 0x56643232U, 0x4e743a3aU, 0x1e140a0aU,
-    0xdb924949U, 0x0a0c0606U, 0x6c482424U, 0xe4b85c5cU,
-    0x5d9fc2c2U, 0x6ebdd3d3U, 0xef43acacU, 0xa6c46262U,
-    0xa8399191U, 0xa4319595U, 0x37d3e4e4U, 0x8bf27979U,
-    0x32d5e7e7U, 0x438bc8c8U, 0x596e3737U, 0xb7da6d6dU,
-    0x8c018d8dU, 0x64b1d5d5U, 0xd29c4e4eU, 0xe049a9a9U,
-    0xb4d86c6cU, 0xfaac5656U, 0x07f3f4f4U, 0x25cfeaeaU,
-    0xafca6565U, 0x8ef47a7aU, 0xe947aeaeU, 0x18100808U,
-    0xd56fbabaU, 0x88f07878U, 0x6f4a2525U, 0x725c2e2eU,
-    0x24381c1cU, 0xf157a6a6U, 0xc773b4b4U, 0x5197c6c6U,
-    0x23cbe8e8U, 0x7ca1ddddU, 0x9ce87474U, 0x213e1f1fU,
-    0xdd964b4bU, 0xdc61bdbdU, 0x860d8b8bU, 0x850f8a8aU,
-    0x90e07070U, 0x427c3e3eU, 0xc471b5b5U, 0xaacc6666U,
-    0xd8904848U, 0x05060303U, 0x01f7f6f6U, 0x121c0e0eU,
-    0xa3c26161U, 0x5f6a3535U, 0xf9ae5757U, 0xd069b9b9U,
-    0x91178686U, 0x5899c1c1U, 0x273a1d1dU, 0xb9279e9eU,
-    0x38d9e1e1U, 0x13ebf8f8U, 0xb32b9898U, 0x33221111U,
-    0xbbd26969U, 0x70a9d9d9U, 0x89078e8eU, 0xa7339494U,
-    0xb62d9b9bU, 0x223c1e1eU, 0x92158787U, 0x20c9e9e9U,
-    0x4987ceceU, 0xffaa5555U, 0x78502828U, 0x7aa5dfdfU,
-    0x8f038c8cU, 0xf859a1a1U, 0x80098989U, 0x171a0d0dU,
-    0xda65bfbfU, 0x31d7e6e6U, 0xc6844242U, 0xb8d06868U,
-    0xc3824141U, 0xb0299999U, 0x775a2d2dU, 0x111e0f0fU,
-    0xcb7bb0b0U, 0xfca85454U, 0xd66dbbbbU, 0x3a2c1616U,
-};
-static const u32 Te2[256] = {
-    0x63a5c663U, 0x7c84f87cU, 0x7799ee77U, 0x7b8df67bU,
-    0xf20dfff2U, 0x6bbdd66bU, 0x6fb1de6fU, 0xc55491c5U,
-    0x30506030U, 0x01030201U, 0x67a9ce67U, 0x2b7d562bU,
-    0xfe19e7feU, 0xd762b5d7U, 0xabe64dabU, 0x769aec76U,
-    0xca458fcaU, 0x829d1f82U, 0xc94089c9U, 0x7d87fa7dU,
-    0xfa15effaU, 0x59ebb259U, 0x47c98e47U, 0xf00bfbf0U,
-    0xadec41adU, 0xd467b3d4U, 0xa2fd5fa2U, 0xafea45afU,
-    0x9cbf239cU, 0xa4f753a4U, 0x7296e472U, 0xc05b9bc0U,
-    0xb7c275b7U, 0xfd1ce1fdU, 0x93ae3d93U, 0x266a4c26U,
-    0x365a6c36U, 0x3f417e3fU, 0xf702f5f7U, 0xcc4f83ccU,
-    0x345c6834U, 0xa5f451a5U, 0xe534d1e5U, 0xf108f9f1U,
-    0x7193e271U, 0xd873abd8U, 0x31536231U, 0x153f2a15U,
-    0x040c0804U, 0xc75295c7U, 0x23654623U, 0xc35e9dc3U,
-    0x18283018U, 0x96a13796U, 0x050f0a05U, 0x9ab52f9aU,
-    0x07090e07U, 0x12362412U, 0x809b1b80U, 0xe23ddfe2U,
-    0xeb26cdebU, 0x27694e27U, 0xb2cd7fb2U, 0x759fea75U,
-    0x091b1209U, 0x839e1d83U, 0x2c74582cU, 0x1a2e341aU,
-    0x1b2d361bU, 0x6eb2dc6eU, 0x5aeeb45aU, 0xa0fb5ba0U,
-    0x52f6a452U, 0x3b4d763bU, 0xd661b7d6U, 0xb3ce7db3U,
-    0x297b5229U, 0xe33edde3U, 0x2f715e2fU, 0x84971384U,
-    0x53f5a653U, 0xd168b9d1U, 0x00000000U, 0xed2cc1edU,
-    0x20604020U, 0xfc1fe3fcU, 0xb1c879b1U, 0x5bedb65bU,
-    0x6abed46aU, 0xcb468dcbU, 0xbed967beU, 0x394b7239U,
-    0x4ade944aU, 0x4cd4984cU, 0x58e8b058U, 0xcf4a85cfU,
-    0xd06bbbd0U, 0xef2ac5efU, 0xaae54faaU, 0xfb16edfbU,
-    0x43c58643U, 0x4dd79a4dU, 0x33556633U, 0x85941185U,
-    0x45cf8a45U, 0xf910e9f9U, 0x02060402U, 0x7f81fe7fU,
-    0x50f0a050U, 0x3c44783cU, 0x9fba259fU, 0xa8e34ba8U,
-    0x51f3a251U, 0xa3fe5da3U, 0x40c08040U, 0x8f8a058fU,
-    0x92ad3f92U, 0x9dbc219dU, 0x38487038U, 0xf504f1f5U,
-    0xbcdf63bcU, 0xb6c177b6U, 0xda75afdaU, 0x21634221U,
-    0x10302010U, 0xff1ae5ffU, 0xf30efdf3U, 0xd26dbfd2U,
-    0xcd4c81cdU, 0x0c14180cU, 0x13352613U, 0xec2fc3ecU,
-    0x5fe1be5fU, 0x97a23597U, 0x44cc8844U, 0x17392e17U,
-    0xc45793c4U, 0xa7f255a7U, 0x7e82fc7eU, 0x3d477a3dU,
-    0x64acc864U, 0x5de7ba5dU, 0x192b3219U, 0x7395e673U,
-    0x60a0c060U, 0x81981981U, 0x4fd19e4fU, 0xdc7fa3dcU,
-    0x22664422U, 0x2a7e542aU, 0x90ab3b90U, 0x88830b88U,
-    0x46ca8c46U, 0xee29c7eeU, 0xb8d36bb8U, 0x143c2814U,
-    0xde79a7deU, 0x5ee2bc5eU, 0x0b1d160bU, 0xdb76addbU,
-    0xe03bdbe0U, 0x32566432U, 0x3a4e743aU, 0x0a1e140aU,
-    0x49db9249U, 0x060a0c06U, 0x246c4824U, 0x5ce4b85cU,
-    0xc25d9fc2U, 0xd36ebdd3U, 0xacef43acU, 0x62a6c462U,
-    0x91a83991U, 0x95a43195U, 0xe437d3e4U, 0x798bf279U,
-    0xe732d5e7U, 0xc8438bc8U, 0x37596e37U, 0x6db7da6dU,
-    0x8d8c018dU, 0xd564b1d5U, 0x4ed29c4eU, 0xa9e049a9U,
-    0x6cb4d86cU, 0x56faac56U, 0xf407f3f4U, 0xea25cfeaU,
-    0x65afca65U, 0x7a8ef47aU, 0xaee947aeU, 0x08181008U,
-    0xbad56fbaU, 0x7888f078U, 0x256f4a25U, 0x2e725c2eU,
-    0x1c24381cU, 0xa6f157a6U, 0xb4c773b4U, 0xc65197c6U,
-    0xe823cbe8U, 0xdd7ca1ddU, 0x749ce874U, 0x1f213e1fU,
-    0x4bdd964bU, 0xbddc61bdU, 0x8b860d8bU, 0x8a850f8aU,
-    0x7090e070U, 0x3e427c3eU, 0xb5c471b5U, 0x66aacc66U,
-    0x48d89048U, 0x03050603U, 0xf601f7f6U, 0x0e121c0eU,
-    0x61a3c261U, 0x355f6a35U, 0x57f9ae57U, 0xb9d069b9U,
-    0x86911786U, 0xc15899c1U, 0x1d273a1dU, 0x9eb9279eU,
-    0xe138d9e1U, 0xf813ebf8U, 0x98b32b98U, 0x11332211U,
-    0x69bbd269U, 0xd970a9d9U, 0x8e89078eU, 0x94a73394U,
-    0x9bb62d9bU, 0x1e223c1eU, 0x87921587U, 0xe920c9e9U,
-    0xce4987ceU, 0x55ffaa55U, 0x28785028U, 0xdf7aa5dfU,
-    0x8c8f038cU, 0xa1f859a1U, 0x89800989U, 0x0d171a0dU,
-    0xbfda65bfU, 0xe631d7e6U, 0x42c68442U, 0x68b8d068U,
-    0x41c38241U, 0x99b02999U, 0x2d775a2dU, 0x0f111e0fU,
-    0xb0cb7bb0U, 0x54fca854U, 0xbbd66dbbU, 0x163a2c16U,
-};
-static const u32 Te3[256] = {
-
-    0x6363a5c6U, 0x7c7c84f8U, 0x777799eeU, 0x7b7b8df6U,
-    0xf2f20dffU, 0x6b6bbdd6U, 0x6f6fb1deU, 0xc5c55491U,
-    0x30305060U, 0x01010302U, 0x6767a9ceU, 0x2b2b7d56U,
-    0xfefe19e7U, 0xd7d762b5U, 0xababe64dU, 0x76769aecU,
-    0xcaca458fU, 0x82829d1fU, 0xc9c94089U, 0x7d7d87faU,
-    0xfafa15efU, 0x5959ebb2U, 0x4747c98eU, 0xf0f00bfbU,
-    0xadadec41U, 0xd4d467b3U, 0xa2a2fd5fU, 0xafafea45U,
-    0x9c9cbf23U, 0xa4a4f753U, 0x727296e4U, 0xc0c05b9bU,
-    0xb7b7c275U, 0xfdfd1ce1U, 0x9393ae3dU, 0x26266a4cU,
-    0x36365a6cU, 0x3f3f417eU, 0xf7f702f5U, 0xcccc4f83U,
-    0x34345c68U, 0xa5a5f451U, 0xe5e534d1U, 0xf1f108f9U,
-    0x717193e2U, 0xd8d873abU, 0x31315362U, 0x15153f2aU,
-    0x04040c08U, 0xc7c75295U, 0x23236546U, 0xc3c35e9dU,
-    0x18182830U, 0x9696a137U, 0x05050f0aU, 0x9a9ab52fU,
-    0x0707090eU, 0x12123624U, 0x80809b1bU, 0xe2e23ddfU,
-    0xebeb26cdU, 0x2727694eU, 0xb2b2cd7fU, 0x75759feaU,
-    0x09091b12U, 0x83839e1dU, 0x2c2c7458U, 0x1a1a2e34U,
-    0x1b1b2d36U, 0x6e6eb2dcU, 0x5a5aeeb4U, 0xa0a0fb5bU,
-    0x5252f6a4U, 0x3b3b4d76U, 0xd6d661b7U, 0xb3b3ce7dU,
-    0x29297b52U, 0xe3e33eddU, 0x2f2f715eU, 0x84849713U,
-    0x5353f5a6U, 0xd1d168b9U, 0x00000000U, 0xeded2cc1U,
-    0x20206040U, 0xfcfc1fe3U, 0xb1b1c879U, 0x5b5bedb6U,
-    0x6a6abed4U, 0xcbcb468dU, 0xbebed967U, 0x39394b72U,
-    0x4a4ade94U, 0x4c4cd498U, 0x5858e8b0U, 0xcfcf4a85U,
-    0xd0d06bbbU, 0xefef2ac5U, 0xaaaae54fU, 0xfbfb16edU,
-    0x4343c586U, 0x4d4dd79aU, 0x33335566U, 0x85859411U,
-    0x4545cf8aU, 0xf9f910e9U, 0x02020604U, 0x7f7f81feU,
-    0x5050f0a0U, 0x3c3c4478U, 0x9f9fba25U, 0xa8a8e34bU,
-    0x5151f3a2U, 0xa3a3fe5dU, 0x4040c080U, 0x8f8f8a05U,
-    0x9292ad3fU, 0x9d9dbc21U, 0x38384870U, 0xf5f504f1U,
-    0xbcbcdf63U, 0xb6b6c177U, 0xdada75afU, 0x21216342U,
-    0x10103020U, 0xffff1ae5U, 0xf3f30efdU, 0xd2d26dbfU,
-    0xcdcd4c81U, 0x0c0c1418U, 0x13133526U, 0xecec2fc3U,
-    0x5f5fe1beU, 0x9797a235U, 0x4444cc88U, 0x1717392eU,
-    0xc4c45793U, 0xa7a7f255U, 0x7e7e82fcU, 0x3d3d477aU,
-    0x6464acc8U, 0x5d5de7baU, 0x19192b32U, 0x737395e6U,
-    0x6060a0c0U, 0x81819819U, 0x4f4fd19eU, 0xdcdc7fa3U,
-    0x22226644U, 0x2a2a7e54U, 0x9090ab3bU, 0x8888830bU,
-    0x4646ca8cU, 0xeeee29c7U, 0xb8b8d36bU, 0x14143c28U,
-    0xdede79a7U, 0x5e5ee2bcU, 0x0b0b1d16U, 0xdbdb76adU,
-    0xe0e03bdbU, 0x32325664U, 0x3a3a4e74U, 0x0a0a1e14U,
-    0x4949db92U, 0x06060a0cU, 0x24246c48U, 0x5c5ce4b8U,
-    0xc2c25d9fU, 0xd3d36ebdU, 0xacacef43U, 0x6262a6c4U,
-    0x9191a839U, 0x9595a431U, 0xe4e437d3U, 0x79798bf2U,
-    0xe7e732d5U, 0xc8c8438bU, 0x3737596eU, 0x6d6db7daU,
-    0x8d8d8c01U, 0xd5d564b1U, 0x4e4ed29cU, 0xa9a9e049U,
-    0x6c6cb4d8U, 0x5656faacU, 0xf4f407f3U, 0xeaea25cfU,
-    0x6565afcaU, 0x7a7a8ef4U, 0xaeaee947U, 0x08081810U,
-    0xbabad56fU, 0x787888f0U, 0x25256f4aU, 0x2e2e725cU,
-    0x1c1c2438U, 0xa6a6f157U, 0xb4b4c773U, 0xc6c65197U,
-    0xe8e823cbU, 0xdddd7ca1U, 0x74749ce8U, 0x1f1f213eU,
-    0x4b4bdd96U, 0xbdbddc61U, 0x8b8b860dU, 0x8a8a850fU,
-    0x707090e0U, 0x3e3e427cU, 0xb5b5c471U, 0x6666aaccU,
-    0x4848d890U, 0x03030506U, 0xf6f601f7U, 0x0e0e121cU,
-    0x6161a3c2U, 0x35355f6aU, 0x5757f9aeU, 0xb9b9d069U,
-    0x86869117U, 0xc1c15899U, 0x1d1d273aU, 0x9e9eb927U,
-    0xe1e138d9U, 0xf8f813ebU, 0x9898b32bU, 0x11113322U,
-    0x6969bbd2U, 0xd9d970a9U, 0x8e8e8907U, 0x9494a733U,
-    0x9b9bb62dU, 0x1e1e223cU, 0x87879215U, 0xe9e920c9U,
-    0xcece4987U, 0x5555ffaaU, 0x28287850U, 0xdfdf7aa5U,
-    0x8c8c8f03U, 0xa1a1f859U, 0x89898009U, 0x0d0d171aU,
-    0xbfbfda65U, 0xe6e631d7U, 0x4242c684U, 0x6868b8d0U,
-    0x4141c382U, 0x9999b029U, 0x2d2d775aU, 0x0f0f111eU,
-    0xb0b0cb7bU, 0x5454fca8U, 0xbbbbd66dU, 0x16163a2cU,
-};
-static const u32 Te4[256] = {
-    0x63636363U, 0x7c7c7c7cU, 0x77777777U, 0x7b7b7b7bU,
-    0xf2f2f2f2U, 0x6b6b6b6bU, 0x6f6f6f6fU, 0xc5c5c5c5U,
-    0x30303030U, 0x01010101U, 0x67676767U, 0x2b2b2b2bU,
-    0xfefefefeU, 0xd7d7d7d7U, 0xababababU, 0x76767676U,
-    0xcacacacaU, 0x82828282U, 0xc9c9c9c9U, 0x7d7d7d7dU,
-    0xfafafafaU, 0x59595959U, 0x47474747U, 0xf0f0f0f0U,
-    0xadadadadU, 0xd4d4d4d4U, 0xa2a2a2a2U, 0xafafafafU,
-    0x9c9c9c9cU, 0xa4a4a4a4U, 0x72727272U, 0xc0c0c0c0U,
-    0xb7b7b7b7U, 0xfdfdfdfdU, 0x93939393U, 0x26262626U,
-    0x36363636U, 0x3f3f3f3fU, 0xf7f7f7f7U, 0xccccccccU,
-    0x34343434U, 0xa5a5a5a5U, 0xe5e5e5e5U, 0xf1f1f1f1U,
-    0x71717171U, 0xd8d8d8d8U, 0x31313131U, 0x15151515U,
-    0x04040404U, 0xc7c7c7c7U, 0x23232323U, 0xc3c3c3c3U,
-    0x18181818U, 0x96969696U, 0x05050505U, 0x9a9a9a9aU,
-    0x07070707U, 0x12121212U, 0x80808080U, 0xe2e2e2e2U,
-    0xebebebebU, 0x27272727U, 0xb2b2b2b2U, 0x75757575U,
-    0x09090909U, 0x83838383U, 0x2c2c2c2cU, 0x1a1a1a1aU,
-    0x1b1b1b1bU, 0x6e6e6e6eU, 0x5a5a5a5aU, 0xa0a0a0a0U,
-    0x52525252U, 0x3b3b3b3bU, 0xd6d6d6d6U, 0xb3b3b3b3U,
-    0x29292929U, 0xe3e3e3e3U, 0x2f2f2f2fU, 0x84848484U,
-    0x53535353U, 0xd1d1d1d1U, 0x00000000U, 0xededededU,
-    0x20202020U, 0xfcfcfcfcU, 0xb1b1b1b1U, 0x5b5b5b5bU,
-    0x6a6a6a6aU, 0xcbcbcbcbU, 0xbebebebeU, 0x39393939U,
-    0x4a4a4a4aU, 0x4c4c4c4cU, 0x58585858U, 0xcfcfcfcfU,
-    0xd0d0d0d0U, 0xefefefefU, 0xaaaaaaaaU, 0xfbfbfbfbU,
-    0x43434343U, 0x4d4d4d4dU, 0x33333333U, 0x85858585U,
-    0x45454545U, 0xf9f9f9f9U, 0x02020202U, 0x7f7f7f7fU,
-    0x50505050U, 0x3c3c3c3cU, 0x9f9f9f9fU, 0xa8a8a8a8U,
-    0x51515151U, 0xa3a3a3a3U, 0x40404040U, 0x8f8f8f8fU,
-    0x92929292U, 0x9d9d9d9dU, 0x38383838U, 0xf5f5f5f5U,
-    0xbcbcbcbcU, 0xb6b6b6b6U, 0xdadadadaU, 0x21212121U,
-    0x10101010U, 0xffffffffU, 0xf3f3f3f3U, 0xd2d2d2d2U,
-    0xcdcdcdcdU, 0x0c0c0c0cU, 0x13131313U, 0xececececU,
-    0x5f5f5f5fU, 0x97979797U, 0x44444444U, 0x17171717U,
-    0xc4c4c4c4U, 0xa7a7a7a7U, 0x7e7e7e7eU, 0x3d3d3d3dU,
-    0x64646464U, 0x5d5d5d5dU, 0x19191919U, 0x73737373U,
-    0x60606060U, 0x81818181U, 0x4f4f4f4fU, 0xdcdcdcdcU,
-    0x22222222U, 0x2a2a2a2aU, 0x90909090U, 0x88888888U,
-    0x46464646U, 0xeeeeeeeeU, 0xb8b8b8b8U, 0x14141414U,
-    0xdedededeU, 0x5e5e5e5eU, 0x0b0b0b0bU, 0xdbdbdbdbU,
-    0xe0e0e0e0U, 0x32323232U, 0x3a3a3a3aU, 0x0a0a0a0aU,
-    0x49494949U, 0x06060606U, 0x24242424U, 0x5c5c5c5cU,
-    0xc2c2c2c2U, 0xd3d3d3d3U, 0xacacacacU, 0x62626262U,
-    0x91919191U, 0x95959595U, 0xe4e4e4e4U, 0x79797979U,
-    0xe7e7e7e7U, 0xc8c8c8c8U, 0x37373737U, 0x6d6d6d6dU,
-    0x8d8d8d8dU, 0xd5d5d5d5U, 0x4e4e4e4eU, 0xa9a9a9a9U,
-    0x6c6c6c6cU, 0x56565656U, 0xf4f4f4f4U, 0xeaeaeaeaU,
-    0x65656565U, 0x7a7a7a7aU, 0xaeaeaeaeU, 0x08080808U,
-    0xbabababaU, 0x78787878U, 0x25252525U, 0x2e2e2e2eU,
-    0x1c1c1c1cU, 0xa6a6a6a6U, 0xb4b4b4b4U, 0xc6c6c6c6U,
-    0xe8e8e8e8U, 0xddddddddU, 0x74747474U, 0x1f1f1f1fU,
-    0x4b4b4b4bU, 0xbdbdbdbdU, 0x8b8b8b8bU, 0x8a8a8a8aU,
-    0x70707070U, 0x3e3e3e3eU, 0xb5b5b5b5U, 0x66666666U,
-    0x48484848U, 0x03030303U, 0xf6f6f6f6U, 0x0e0e0e0eU,
-    0x61616161U, 0x35353535U, 0x57575757U, 0xb9b9b9b9U,
-    0x86868686U, 0xc1c1c1c1U, 0x1d1d1d1dU, 0x9e9e9e9eU,
-    0xe1e1e1e1U, 0xf8f8f8f8U, 0x98989898U, 0x11111111U,
-    0x69696969U, 0xd9d9d9d9U, 0x8e8e8e8eU, 0x94949494U,
-    0x9b9b9b9bU, 0x1e1e1e1eU, 0x87878787U, 0xe9e9e9e9U,
-    0xcecececeU, 0x55555555U, 0x28282828U, 0xdfdfdfdfU,
-    0x8c8c8c8cU, 0xa1a1a1a1U, 0x89898989U, 0x0d0d0d0dU,
-    0xbfbfbfbfU, 0xe6e6e6e6U, 0x42424242U, 0x68686868U,
-    0x41414141U, 0x99999999U, 0x2d2d2d2dU, 0x0f0f0f0fU,
-    0xb0b0b0b0U, 0x54545454U, 0xbbbbbbbbU, 0x16161616U,
-};
-static const u32 Td0[256] = {
-    0x51f4a750U, 0x7e416553U, 0x1a17a4c3U, 0x3a275e96U,
-    0x3bab6bcbU, 0x1f9d45f1U, 0xacfa58abU, 0x4be30393U,
-    0x2030fa55U, 0xad766df6U, 0x88cc7691U, 0xf5024c25U,
-    0x4fe5d7fcU, 0xc52acbd7U, 0x26354480U, 0xb562a38fU,
-    0xdeb15a49U, 0x25ba1b67U, 0x45ea0e98U, 0x5dfec0e1U,
-    0xc32f7502U, 0x814cf012U, 0x8d4697a3U, 0x6bd3f9c6U,
-    0x038f5fe7U, 0x15929c95U, 0xbf6d7aebU, 0x955259daU,
-    0xd4be832dU, 0x587421d3U, 0x49e06929U, 0x8ec9c844U,
-    0x75c2896aU, 0xf48e7978U, 0x99583e6bU, 0x27b971ddU,
-    0xbee14fb6U, 0xf088ad17U, 0xc920ac66U, 0x7dce3ab4U,
-    0x63df4a18U, 0xe51a3182U, 0x97513360U, 0x62537f45U,
-    0xb16477e0U, 0xbb6bae84U, 0xfe81a01cU, 0xf9082b94U,
-    0x70486858U, 0x8f45fd19U, 0x94de6c87U, 0x527bf8b7U,
-    0xab73d323U, 0x724b02e2U, 0xe31f8f57U, 0x6655ab2aU,
-    0xb2eb2807U, 0x2fb5c203U, 0x86c57b9aU, 0xd33708a5U,
-    0x302887f2U, 0x23bfa5b2U, 0x02036abaU, 0xed16825cU,
-    0x8acf1c2bU, 0xa779b492U, 0xf307f2f0U, 0x4e69e2a1U,
-    0x65daf4cdU, 0x0605bed5U, 0xd134621fU, 0xc4a6fe8aU,
-    0x342e539dU, 0xa2f355a0U, 0x058ae132U, 0xa4f6eb75U,
-    0x0b83ec39U, 0x4060efaaU, 0x5e719f06U, 0xbd6e1051U,
-    0x3e218af9U, 0x96dd063dU, 0xdd3e05aeU, 0x4de6bd46U,
-    0x91548db5U, 0x71c45d05U, 0x0406d46fU, 0x605015ffU,
-    0x1998fb24U, 0xd6bde997U, 0x894043ccU, 0x67d99e77U,
-    0xb0e842bdU, 0x07898b88U, 0xe7195b38U, 0x79c8eedbU,
-    0xa17c0a47U, 0x7c420fe9U, 0xf8841ec9U, 0x00000000U,
-    0x09808683U, 0x322bed48U, 0x1e1170acU, 0x6c5a724eU,
-    0xfd0efffbU, 0x0f853856U, 0x3daed51eU, 0x362d3927U,
-    0x0a0fd964U, 0x685ca621U, 0x9b5b54d1U, 0x24362e3aU,
-    0x0c0a67b1U, 0x9357e70fU, 0xb4ee96d2U, 0x1b9b919eU,
-    0x80c0c54fU, 0x61dc20a2U, 0x5a774b69U, 0x1c121a16U,
-    0xe293ba0aU, 0xc0a02ae5U, 0x3c22e043U, 0x121b171dU,
-    0x0e090d0bU, 0xf28bc7adU, 0x2db6a8b9U, 0x141ea9c8U,
-    0x57f11985U, 0xaf75074cU, 0xee99ddbbU, 0xa37f60fdU,
-    0xf701269fU, 0x5c72f5bcU, 0x44663bc5U, 0x5bfb7e34U,
-    0x8b432976U, 0xcb23c6dcU, 0xb6edfc68U, 0xb8e4f163U,
-    0xd731dccaU, 0x42638510U, 0x13972240U, 0x84c61120U,
-    0x854a247dU, 0xd2bb3df8U, 0xaef93211U, 0xc729a16dU,
-    0x1d9e2f4bU, 0xdcb230f3U, 0x0d8652ecU, 0x77c1e3d0U,
-    0x2bb3166cU, 0xa970b999U, 0x119448faU, 0x47e96422U,
-    0xa8fc8cc4U, 0xa0f03f1aU, 0x567d2cd8U, 0x223390efU,
-    0x87494ec7U, 0xd938d1c1U, 0x8ccaa2feU, 0x98d40b36U,
-    0xa6f581cfU, 0xa57ade28U, 0xdab78e26U, 0x3fadbfa4U,
-    0x2c3a9de4U, 0x5078920dU, 0x6a5fcc9bU, 0x547e4662U,
-    0xf68d13c2U, 0x90d8b8e8U, 0x2e39f75eU, 0x82c3aff5U,
-    0x9f5d80beU, 0x69d0937cU, 0x6fd52da9U, 0xcf2512b3U,
-    0xc8ac993bU, 0x10187da7U, 0xe89c636eU, 0xdb3bbb7bU,
-    0xcd267809U, 0x6e5918f4U, 0xec9ab701U, 0x834f9aa8U,
-    0xe6956e65U, 0xaaffe67eU, 0x21bccf08U, 0xef15e8e6U,
-    0xbae79bd9U, 0x4a6f36ceU, 0xea9f09d4U, 0x29b07cd6U,
-    0x31a4b2afU, 0x2a3f2331U, 0xc6a59430U, 0x35a266c0U,
-    0x744ebc37U, 0xfc82caa6U, 0xe090d0b0U, 0x33a7d815U,
-    0xf104984aU, 0x41ecdaf7U, 0x7fcd500eU, 0x1791f62fU,
-    0x764dd68dU, 0x43efb04dU, 0xccaa4d54U, 0xe49604dfU,
-    0x9ed1b5e3U, 0x4c6a881bU, 0xc12c1fb8U, 0x4665517fU,
-    0x9d5eea04U, 0x018c355dU, 0xfa877473U, 0xfb0b412eU,
-    0xb3671d5aU, 0x92dbd252U, 0xe9105633U, 0x6dd64713U,
-    0x9ad7618cU, 0x37a10c7aU, 0x59f8148eU, 0xeb133c89U,
-    0xcea927eeU, 0xb761c935U, 0xe11ce5edU, 0x7a47b13cU,
-    0x9cd2df59U, 0x55f2733fU, 0x1814ce79U, 0x73c737bfU,
-    0x53f7cdeaU, 0x5ffdaa5bU, 0xdf3d6f14U, 0x7844db86U,
-    0xcaaff381U, 0xb968c43eU, 0x3824342cU, 0xc2a3405fU,
-    0x161dc372U, 0xbce2250cU, 0x283c498bU, 0xff0d9541U,
-    0x39a80171U, 0x080cb3deU, 0xd8b4e49cU, 0x6456c190U,
-    0x7bcb8461U, 0xd532b670U, 0x486c5c74U, 0xd0b85742U,
-};
-static const u32 Td1[256] = {
-    0x5051f4a7U, 0x537e4165U, 0xc31a17a4U, 0x963a275eU,
-    0xcb3bab6bU, 0xf11f9d45U, 0xabacfa58U, 0x934be303U,
-    0x552030faU, 0xf6ad766dU, 0x9188cc76U, 0x25f5024cU,
-    0xfc4fe5d7U, 0xd7c52acbU, 0x80263544U, 0x8fb562a3U,
-    0x49deb15aU, 0x6725ba1bU, 0x9845ea0eU, 0xe15dfec0U,
-    0x02c32f75U, 0x12814cf0U, 0xa38d4697U, 0xc66bd3f9U,
-    0xe7038f5fU, 0x9515929cU, 0xebbf6d7aU, 0xda955259U,
-    0x2dd4be83U, 0xd3587421U, 0x2949e069U, 0x448ec9c8U,
-    0x6a75c289U, 0x78f48e79U, 0x6b99583eU, 0xdd27b971U,
-    0xb6bee14fU, 0x17f088adU, 0x66c920acU, 0xb47dce3aU,
-    0x1863df4aU, 0x82e51a31U, 0x60975133U, 0x4562537fU,
-    0xe0b16477U, 0x84bb6baeU, 0x1cfe81a0U, 0x94f9082bU,
-    0x58704868U, 0x198f45fdU, 0x8794de6cU, 0xb7527bf8U,
-    0x23ab73d3U, 0xe2724b02U, 0x57e31f8fU, 0x2a6655abU,
-    0x07b2eb28U, 0x032fb5c2U, 0x9a86c57bU, 0xa5d33708U,
-    0xf2302887U, 0xb223bfa5U, 0xba02036aU, 0x5ced1682U,
-    0x2b8acf1cU, 0x92a779b4U, 0xf0f307f2U, 0xa14e69e2U,
-    0xcd65daf4U, 0xd50605beU, 0x1fd13462U, 0x8ac4a6feU,
-    0x9d342e53U, 0xa0a2f355U, 0x32058ae1U, 0x75a4f6ebU,
-    0x390b83ecU, 0xaa4060efU, 0x065e719fU, 0x51bd6e10U,
-    0xf93e218aU, 0x3d96dd06U, 0xaedd3e05U, 0x464de6bdU,
-    0xb591548dU, 0x0571c45dU, 0x6f0406d4U, 0xff605015U,
-    0x241998fbU, 0x97d6bde9U, 0xcc894043U, 0x7767d99eU,
-    0xbdb0e842U, 0x8807898bU, 0x38e7195bU, 0xdb79c8eeU,
-    0x47a17c0aU, 0xe97c420fU, 0xc9f8841eU, 0x00000000U,
-    0x83098086U, 0x48322bedU, 0xac1e1170U, 0x4e6c5a72U,
-    0xfbfd0effU, 0x560f8538U, 0x1e3daed5U, 0x27362d39U,
-    0x640a0fd9U, 0x21685ca6U, 0xd19b5b54U, 0x3a24362eU,
-    0xb10c0a67U, 0x0f9357e7U, 0xd2b4ee96U, 0x9e1b9b91U,
-    0x4f80c0c5U, 0xa261dc20U, 0x695a774bU, 0x161c121aU,
-    0x0ae293baU, 0xe5c0a02aU, 0x433c22e0U, 0x1d121b17U,
-    0x0b0e090dU, 0xadf28bc7U, 0xb92db6a8U, 0xc8141ea9U,
-    0x8557f119U, 0x4caf7507U, 0xbbee99ddU, 0xfda37f60U,
-    0x9ff70126U, 0xbc5c72f5U, 0xc544663bU, 0x345bfb7eU,
-    0x768b4329U, 0xdccb23c6U, 0x68b6edfcU, 0x63b8e4f1U,
-    0xcad731dcU, 0x10426385U, 0x40139722U, 0x2084c611U,
-    0x7d854a24U, 0xf8d2bb3dU, 0x11aef932U, 0x6dc729a1U,
-    0x4b1d9e2fU, 0xf3dcb230U, 0xec0d8652U, 0xd077c1e3U,
-    0x6c2bb316U, 0x99a970b9U, 0xfa119448U, 0x2247e964U,
-    0xc4a8fc8cU, 0x1aa0f03fU, 0xd8567d2cU, 0xef223390U,
-    0xc787494eU, 0xc1d938d1U, 0xfe8ccaa2U, 0x3698d40bU,
-    0xcfa6f581U, 0x28a57adeU, 0x26dab78eU, 0xa43fadbfU,
-    0xe42c3a9dU, 0x0d507892U, 0x9b6a5fccU, 0x62547e46U,
-    0xc2f68d13U, 0xe890d8b8U, 0x5e2e39f7U, 0xf582c3afU,
-    0xbe9f5d80U, 0x7c69d093U, 0xa96fd52dU, 0xb3cf2512U,
-    0x3bc8ac99U, 0xa710187dU, 0x6ee89c63U, 0x7bdb3bbbU,
-    0x09cd2678U, 0xf46e5918U, 0x01ec9ab7U, 0xa8834f9aU,
-    0x65e6956eU, 0x7eaaffe6U, 0x0821bccfU, 0xe6ef15e8U,
-    0xd9bae79bU, 0xce4a6f36U, 0xd4ea9f09U, 0xd629b07cU,
-    0xaf31a4b2U, 0x312a3f23U, 0x30c6a594U, 0xc035a266U,
-    0x37744ebcU, 0xa6fc82caU, 0xb0e090d0U, 0x1533a7d8U,
-    0x4af10498U, 0xf741ecdaU, 0x0e7fcd50U, 0x2f1791f6U,
-    0x8d764dd6U, 0x4d43efb0U, 0x54ccaa4dU, 0xdfe49604U,
-    0xe39ed1b5U, 0x1b4c6a88U, 0xb8c12c1fU, 0x7f466551U,
-    0x049d5eeaU, 0x5d018c35U, 0x73fa8774U, 0x2efb0b41U,
-    0x5ab3671dU, 0x5292dbd2U, 0x33e91056U, 0x136dd647U,
-    0x8c9ad761U, 0x7a37a10cU, 0x8e59f814U, 0x89eb133cU,
-    0xeecea927U, 0x35b761c9U, 0xede11ce5U, 0x3c7a47b1U,
-    0x599cd2dfU, 0x3f55f273U, 0x791814ceU, 0xbf73c737U,
-    0xea53f7cdU, 0x5b5ffdaaU, 0x14df3d6fU, 0x867844dbU,
-    0x81caaff3U, 0x3eb968c4U, 0x2c382434U, 0x5fc2a340U,
-    0x72161dc3U, 0x0cbce225U, 0x8b283c49U, 0x41ff0d95U,
-    0x7139a801U, 0xde080cb3U, 0x9cd8b4e4U, 0x906456c1U,
-    0x617bcb84U, 0x70d532b6U, 0x74486c5cU, 0x42d0b857U,
-};
-static const u32 Td2[256] = {
-    0xa75051f4U, 0x65537e41U, 0xa4c31a17U, 0x5e963a27U,
-    0x6bcb3babU, 0x45f11f9dU, 0x58abacfaU, 0x03934be3U,
-    0xfa552030U, 0x6df6ad76U, 0x769188ccU, 0x4c25f502U,
-    0xd7fc4fe5U, 0xcbd7c52aU, 0x44802635U, 0xa38fb562U,
-    0x5a49deb1U, 0x1b6725baU, 0x0e9845eaU, 0xc0e15dfeU,
-    0x7502c32fU, 0xf012814cU, 0x97a38d46U, 0xf9c66bd3U,
-    0x5fe7038fU, 0x9c951592U, 0x7aebbf6dU, 0x59da9552U,
-    0x832dd4beU, 0x21d35874U, 0x692949e0U, 0xc8448ec9U,
-    0x896a75c2U, 0x7978f48eU, 0x3e6b9958U, 0x71dd27b9U,
-    0x4fb6bee1U, 0xad17f088U, 0xac66c920U, 0x3ab47dceU,
-    0x4a1863dfU, 0x3182e51aU, 0x33609751U, 0x7f456253U,
-    0x77e0b164U, 0xae84bb6bU, 0xa01cfe81U, 0x2b94f908U,
-    0x68587048U, 0xfd198f45U, 0x6c8794deU, 0xf8b7527bU,
-    0xd323ab73U, 0x02e2724bU, 0x8f57e31fU, 0xab2a6655U,
-    0x2807b2ebU, 0xc2032fb5U, 0x7b9a86c5U, 0x08a5d337U,
-    0x87f23028U, 0xa5b223bfU, 0x6aba0203U, 0x825ced16U,
-    0x1c2b8acfU, 0xb492a779U, 0xf2f0f307U, 0xe2a14e69U,
-    0xf4cd65daU, 0xbed50605U, 0x621fd134U, 0xfe8ac4a6U,
-    0x539d342eU, 0x55a0a2f3U, 0xe132058aU, 0xeb75a4f6U,
-    0xec390b83U, 0xefaa4060U, 0x9f065e71U, 0x1051bd6eU,
-
-    0x8af93e21U, 0x063d96ddU, 0x05aedd3eU, 0xbd464de6U,
-    0x8db59154U, 0x5d0571c4U, 0xd46f0406U, 0x15ff6050U,
-    0xfb241998U, 0xe997d6bdU, 0x43cc8940U, 0x9e7767d9U,
-    0x42bdb0e8U, 0x8b880789U, 0x5b38e719U, 0xeedb79c8U,
-    0x0a47a17cU, 0x0fe97c42U, 0x1ec9f884U, 0x00000000U,
-    0x86830980U, 0xed48322bU, 0x70ac1e11U, 0x724e6c5aU,
-    0xfffbfd0eU, 0x38560f85U, 0xd51e3daeU, 0x3927362dU,
-    0xd9640a0fU, 0xa621685cU, 0x54d19b5bU, 0x2e3a2436U,
-    0x67b10c0aU, 0xe70f9357U, 0x96d2b4eeU, 0x919e1b9bU,
-    0xc54f80c0U, 0x20a261dcU, 0x4b695a77U, 0x1a161c12U,
-    0xba0ae293U, 0x2ae5c0a0U, 0xe0433c22U, 0x171d121bU,
-    0x0d0b0e09U, 0xc7adf28bU, 0xa8b92db6U, 0xa9c8141eU,
-    0x198557f1U, 0x074caf75U, 0xddbbee99U, 0x60fda37fU,
-    0x269ff701U, 0xf5bc5c72U, 0x3bc54466U, 0x7e345bfbU,
-    0x29768b43U, 0xc6dccb23U, 0xfc68b6edU, 0xf163b8e4U,
-    0xdccad731U, 0x85104263U, 0x22401397U, 0x112084c6U,
-    0x247d854aU, 0x3df8d2bbU, 0x3211aef9U, 0xa16dc729U,
-    0x2f4b1d9eU, 0x30f3dcb2U, 0x52ec0d86U, 0xe3d077c1U,
-    0x166c2bb3U, 0xb999a970U, 0x48fa1194U, 0x642247e9U,
-    0x8cc4a8fcU, 0x3f1aa0f0U, 0x2cd8567dU, 0x90ef2233U,
-    0x4ec78749U, 0xd1c1d938U, 0xa2fe8ccaU, 0x0b3698d4U,
-    0x81cfa6f5U, 0xde28a57aU, 0x8e26dab7U, 0xbfa43fadU,
-    0x9de42c3aU, 0x920d5078U, 0xcc9b6a5fU, 0x4662547eU,
-    0x13c2f68dU, 0xb8e890d8U, 0xf75e2e39U, 0xaff582c3U,
-    0x80be9f5dU, 0x937c69d0U, 0x2da96fd5U, 0x12b3cf25U,
-    0x993bc8acU, 0x7da71018U, 0x636ee89cU, 0xbb7bdb3bU,
-    0x7809cd26U, 0x18f46e59U, 0xb701ec9aU, 0x9aa8834fU,
-    0x6e65e695U, 0xe67eaaffU, 0xcf0821bcU, 0xe8e6ef15U,
-    0x9bd9bae7U, 0x36ce4a6fU, 0x09d4ea9fU, 0x7cd629b0U,
-    0xb2af31a4U, 0x23312a3fU, 0x9430c6a5U, 0x66c035a2U,
-    0xbc37744eU, 0xcaa6fc82U, 0xd0b0e090U, 0xd81533a7U,
-    0x984af104U, 0xdaf741ecU, 0x500e7fcdU, 0xf62f1791U,
-    0xd68d764dU, 0xb04d43efU, 0x4d54ccaaU, 0x04dfe496U,
-    0xb5e39ed1U, 0x881b4c6aU, 0x1fb8c12cU, 0x517f4665U,
-    0xea049d5eU, 0x355d018cU, 0x7473fa87U, 0x412efb0bU,
-    0x1d5ab367U, 0xd25292dbU, 0x5633e910U, 0x47136dd6U,
-    0x618c9ad7U, 0x0c7a37a1U, 0x148e59f8U, 0x3c89eb13U,
-    0x27eecea9U, 0xc935b761U, 0xe5ede11cU, 0xb13c7a47U,
-    0xdf599cd2U, 0x733f55f2U, 0xce791814U, 0x37bf73c7U,
-    0xcdea53f7U, 0xaa5b5ffdU, 0x6f14df3dU, 0xdb867844U,
-    0xf381caafU, 0xc43eb968U, 0x342c3824U, 0x405fc2a3U,
-    0xc372161dU, 0x250cbce2U, 0x498b283cU, 0x9541ff0dU,
-    0x017139a8U, 0xb3de080cU, 0xe49cd8b4U, 0xc1906456U,
-    0x84617bcbU, 0xb670d532U, 0x5c74486cU, 0x5742d0b8U,
-};
-static const u32 Td3[256] = {
-    0xf4a75051U, 0x4165537eU, 0x17a4c31aU, 0x275e963aU,
-    0xab6bcb3bU, 0x9d45f11fU, 0xfa58abacU, 0xe303934bU,
-    0x30fa5520U, 0x766df6adU, 0xcc769188U, 0x024c25f5U,
-    0xe5d7fc4fU, 0x2acbd7c5U, 0x35448026U, 0x62a38fb5U,
-    0xb15a49deU, 0xba1b6725U, 0xea0e9845U, 0xfec0e15dU,
-    0x2f7502c3U, 0x4cf01281U, 0x4697a38dU, 0xd3f9c66bU,
-    0x8f5fe703U, 0x929c9515U, 0x6d7aebbfU, 0x5259da95U,
-    0xbe832dd4U, 0x7421d358U, 0xe0692949U, 0xc9c8448eU,
-    0xc2896a75U, 0x8e7978f4U, 0x583e6b99U, 0xb971dd27U,
-    0xe14fb6beU, 0x88ad17f0U, 0x20ac66c9U, 0xce3ab47dU,
-    0xdf4a1863U, 0x1a3182e5U, 0x51336097U, 0x537f4562U,
-    0x6477e0b1U, 0x6bae84bbU, 0x81a01cfeU, 0x082b94f9U,
-    0x48685870U, 0x45fd198fU, 0xde6c8794U, 0x7bf8b752U,
-    0x73d323abU, 0x4b02e272U, 0x1f8f57e3U, 0x55ab2a66U,
-    0xeb2807b2U, 0xb5c2032fU, 0xc57b9a86U, 0x3708a5d3U,
-    0x2887f230U, 0xbfa5b223U, 0x036aba02U, 0x16825cedU,
-    0xcf1c2b8aU, 0x79b492a7U, 0x07f2f0f3U, 0x69e2a14eU,
-    0xdaf4cd65U, 0x05bed506U, 0x34621fd1U, 0xa6fe8ac4U,
-    0x2e539d34U, 0xf355a0a2U, 0x8ae13205U, 0xf6eb75a4U,
-    0x83ec390bU, 0x60efaa40U, 0x719f065eU, 0x6e1051bdU,
-    0x218af93eU, 0xdd063d96U, 0x3e05aeddU, 0xe6bd464dU,
-    0x548db591U, 0xc45d0571U, 0x06d46f04U, 0x5015ff60U,
-    0x98fb2419U, 0xbde997d6U, 0x4043cc89U, 0xd99e7767U,
-    0xe842bdb0U, 0x898b8807U, 0x195b38e7U, 0xc8eedb79U,
-    0x7c0a47a1U, 0x420fe97cU, 0x841ec9f8U, 0x00000000U,
-    0x80868309U, 0x2bed4832U, 0x1170ac1eU, 0x5a724e6cU,
-    0x0efffbfdU, 0x8538560fU, 0xaed51e3dU, 0x2d392736U,
-    0x0fd9640aU, 0x5ca62168U, 0x5b54d19bU, 0x362e3a24U,
-    0x0a67b10cU, 0x57e70f93U, 0xee96d2b4U, 0x9b919e1bU,
-    0xc0c54f80U, 0xdc20a261U, 0x774b695aU, 0x121a161cU,
-    0x93ba0ae2U, 0xa02ae5c0U, 0x22e0433cU, 0x1b171d12U,
-    0x090d0b0eU, 0x8bc7adf2U, 0xb6a8b92dU, 0x1ea9c814U,
-    0xf1198557U, 0x75074cafU, 0x99ddbbeeU, 0x7f60fda3U,
-    0x01269ff7U, 0x72f5bc5cU, 0x663bc544U, 0xfb7e345bU,
-    0x4329768bU, 0x23c6dccbU, 0xedfc68b6U, 0xe4f163b8U,
-    0x31dccad7U, 0x63851042U, 0x97224013U, 0xc6112084U,
-    0x4a247d85U, 0xbb3df8d2U, 0xf93211aeU, 0x29a16dc7U,
-    0x9e2f4b1dU, 0xb230f3dcU, 0x8652ec0dU, 0xc1e3d077U,
-    0xb3166c2bU, 0x70b999a9U, 0x9448fa11U, 0xe9642247U,
-    0xfc8cc4a8U, 0xf03f1aa0U, 0x7d2cd856U, 0x3390ef22U,
-    0x494ec787U, 0x38d1c1d9U, 0xcaa2fe8cU, 0xd40b3698U,
-    0xf581cfa6U, 0x7ade28a5U, 0xb78e26daU, 0xadbfa43fU,
-    0x3a9de42cU, 0x78920d50U, 0x5fcc9b6aU, 0x7e466254U,
-    0x8d13c2f6U, 0xd8b8e890U, 0x39f75e2eU, 0xc3aff582U,
-    0x5d80be9fU, 0xd0937c69U, 0xd52da96fU, 0x2512b3cfU,
-    0xac993bc8U, 0x187da710U, 0x9c636ee8U, 0x3bbb7bdbU,
-    0x267809cdU, 0x5918f46eU, 0x9ab701ecU, 0x4f9aa883U,
-    0x956e65e6U, 0xffe67eaaU, 0xbccf0821U, 0x15e8e6efU,
-    0xe79bd9baU, 0x6f36ce4aU, 0x9f09d4eaU, 0xb07cd629U,
-    0xa4b2af31U, 0x3f23312aU, 0xa59430c6U, 0xa266c035U,
-    0x4ebc3774U, 0x82caa6fcU, 0x90d0b0e0U, 0xa7d81533U,
-    0x04984af1U, 0xecdaf741U, 0xcd500e7fU, 0x91f62f17U,
-    0x4dd68d76U, 0xefb04d43U, 0xaa4d54ccU, 0x9604dfe4U,
-    0xd1b5e39eU, 0x6a881b4cU, 0x2c1fb8c1U, 0x65517f46U,
-    0x5eea049dU, 0x8c355d01U, 0x877473faU, 0x0b412efbU,
-    0x671d5ab3U, 0xdbd25292U, 0x105633e9U, 0xd647136dU,
-    0xd7618c9aU, 0xa10c7a37U, 0xf8148e59U, 0x133c89ebU,
-    0xa927eeceU, 0x61c935b7U, 0x1ce5ede1U, 0x47b13c7aU,
-    0xd2df599cU, 0xf2733f55U, 0x14ce7918U, 0xc737bf73U,
-    0xf7cdea53U, 0xfdaa5b5fU, 0x3d6f14dfU, 0x44db8678U,
-    0xaff381caU, 0x68c43eb9U, 0x24342c38U, 0xa3405fc2U,
-    0x1dc37216U, 0xe2250cbcU, 0x3c498b28U, 0x0d9541ffU,
-    0xa8017139U, 0x0cb3de08U, 0xb4e49cd8U, 0x56c19064U,
-    0xcb84617bU, 0x32b670d5U, 0x6c5c7448U, 0xb85742d0U,
-};
-static const u32 Td4[256] = {
-    0x52525252U, 0x09090909U, 0x6a6a6a6aU, 0xd5d5d5d5U,
-    0x30303030U, 0x36363636U, 0xa5a5a5a5U, 0x38383838U,
-    0xbfbfbfbfU, 0x40404040U, 0xa3a3a3a3U, 0x9e9e9e9eU,
-    0x81818181U, 0xf3f3f3f3U, 0xd7d7d7d7U, 0xfbfbfbfbU,
-    0x7c7c7c7cU, 0xe3e3e3e3U, 0x39393939U, 0x82828282U,
-    0x9b9b9b9bU, 0x2f2f2f2fU, 0xffffffffU, 0x87878787U,
-    0x34343434U, 0x8e8e8e8eU, 0x43434343U, 0x44444444U,
-    0xc4c4c4c4U, 0xdedededeU, 0xe9e9e9e9U, 0xcbcbcbcbU,
-    0x54545454U, 0x7b7b7b7bU, 0x94949494U, 0x32323232U,
-    0xa6a6a6a6U, 0xc2c2c2c2U, 0x23232323U, 0x3d3d3d3dU,
-    0xeeeeeeeeU, 0x4c4c4c4cU, 0x95959595U, 0x0b0b0b0bU,
-    0x42424242U, 0xfafafafaU, 0xc3c3c3c3U, 0x4e4e4e4eU,
-    0x08080808U, 0x2e2e2e2eU, 0xa1a1a1a1U, 0x66666666U,
-    0x28282828U, 0xd9d9d9d9U, 0x24242424U, 0xb2b2b2b2U,
-    0x76767676U, 0x5b5b5b5bU, 0xa2a2a2a2U, 0x49494949U,
-    0x6d6d6d6dU, 0x8b8b8b8bU, 0xd1d1d1d1U, 0x25252525U,
-    0x72727272U, 0xf8f8f8f8U, 0xf6f6f6f6U, 0x64646464U,
-    0x86868686U, 0x68686868U, 0x98989898U, 0x16161616U,
-    0xd4d4d4d4U, 0xa4a4a4a4U, 0x5c5c5c5cU, 0xccccccccU,
-    0x5d5d5d5dU, 0x65656565U, 0xb6b6b6b6U, 0x92929292U,
-    0x6c6c6c6cU, 0x70707070U, 0x48484848U, 0x50505050U,
-    0xfdfdfdfdU, 0xededededU, 0xb9b9b9b9U, 0xdadadadaU,
-    0x5e5e5e5eU, 0x15151515U, 0x46464646U, 0x57575757U,
-    0xa7a7a7a7U, 0x8d8d8d8dU, 0x9d9d9d9dU, 0x84848484U,
-    0x90909090U, 0xd8d8d8d8U, 0xababababU, 0x00000000U,
-    0x8c8c8c8cU, 0xbcbcbcbcU, 0xd3d3d3d3U, 0x0a0a0a0aU,
-    0xf7f7f7f7U, 0xe4e4e4e4U, 0x58585858U, 0x05050505U,
-    0xb8b8b8b8U, 0xb3b3b3b3U, 0x45454545U, 0x06060606U,
-    0xd0d0d0d0U, 0x2c2c2c2cU, 0x1e1e1e1eU, 0x8f8f8f8fU,
-    0xcacacacaU, 0x3f3f3f3fU, 0x0f0f0f0fU, 0x02020202U,
-    0xc1c1c1c1U, 0xafafafafU, 0xbdbdbdbdU, 0x03030303U,
-    0x01010101U, 0x13131313U, 0x8a8a8a8aU, 0x6b6b6b6bU,
-    0x3a3a3a3aU, 0x91919191U, 0x11111111U, 0x41414141U,
-    0x4f4f4f4fU, 0x67676767U, 0xdcdcdcdcU, 0xeaeaeaeaU,
-    0x97979797U, 0xf2f2f2f2U, 0xcfcfcfcfU, 0xcecececeU,
-    0xf0f0f0f0U, 0xb4b4b4b4U, 0xe6e6e6e6U, 0x73737373U,
-    0x96969696U, 0xacacacacU, 0x74747474U, 0x22222222U,
-    0xe7e7e7e7U, 0xadadadadU, 0x35353535U, 0x85858585U,
-    0xe2e2e2e2U, 0xf9f9f9f9U, 0x37373737U, 0xe8e8e8e8U,
-    0x1c1c1c1cU, 0x75757575U, 0xdfdfdfdfU, 0x6e6e6e6eU,
-    0x47474747U, 0xf1f1f1f1U, 0x1a1a1a1aU, 0x71717171U,
-    0x1d1d1d1dU, 0x29292929U, 0xc5c5c5c5U, 0x89898989U,
-    0x6f6f6f6fU, 0xb7b7b7b7U, 0x62626262U, 0x0e0e0e0eU,
-    0xaaaaaaaaU, 0x18181818U, 0xbebebebeU, 0x1b1b1b1bU,
-    0xfcfcfcfcU, 0x56565656U, 0x3e3e3e3eU, 0x4b4b4b4bU,
-    0xc6c6c6c6U, 0xd2d2d2d2U, 0x79797979U, 0x20202020U,
-    0x9a9a9a9aU, 0xdbdbdbdbU, 0xc0c0c0c0U, 0xfefefefeU,
-    0x78787878U, 0xcdcdcdcdU, 0x5a5a5a5aU, 0xf4f4f4f4U,
-    0x1f1f1f1fU, 0xddddddddU, 0xa8a8a8a8U, 0x33333333U,
-    0x88888888U, 0x07070707U, 0xc7c7c7c7U, 0x31313131U,
-    0xb1b1b1b1U, 0x12121212U, 0x10101010U, 0x59595959U,
-    0x27272727U, 0x80808080U, 0xececececU, 0x5f5f5f5fU,
-    0x60606060U, 0x51515151U, 0x7f7f7f7fU, 0xa9a9a9a9U,
-    0x19191919U, 0xb5b5b5b5U, 0x4a4a4a4aU, 0x0d0d0d0dU,
-    0x2d2d2d2dU, 0xe5e5e5e5U, 0x7a7a7a7aU, 0x9f9f9f9fU,
-    0x93939393U, 0xc9c9c9c9U, 0x9c9c9c9cU, 0xefefefefU,
-    0xa0a0a0a0U, 0xe0e0e0e0U, 0x3b3b3b3bU, 0x4d4d4d4dU,
-    0xaeaeaeaeU, 0x2a2a2a2aU, 0xf5f5f5f5U, 0xb0b0b0b0U,
-    0xc8c8c8c8U, 0xebebebebU, 0xbbbbbbbbU, 0x3c3c3c3cU,
-    0x83838383U, 0x53535353U, 0x99999999U, 0x61616161U,
-    0x17171717U, 0x2b2b2b2bU, 0x04040404U, 0x7e7e7e7eU,
-    0xbabababaU, 0x77777777U, 0xd6d6d6d6U, 0x26262626U,
-    0xe1e1e1e1U, 0x69696969U, 0x14141414U, 0x63636363U,
-    0x55555555U, 0x21212121U, 0x0c0c0c0cU, 0x7d7d7d7dU,
-};
-static const u32 rcon[] = {
-	0x01000000, 0x02000000, 0x04000000, 0x08000000,
-	0x10000000, 0x20000000, 0x40000000, 0x80000000,
-	0x1B000000, 0x36000000, /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */
-};
-
-#define GETU32(pt) (((u32)(pt)[0] << 24) ^ ((u32)(pt)[1] << 16) ^ ((u32)(pt)[2] <<  8) ^ ((u32)(pt)[3]))
-#define PUTU32(ct, st) { (ct)[0] = (u8)((st) >> 24); (ct)[1] = (u8)((st) >> 16); (ct)[2] = (u8)((st) >>  8); (ct)[3] = (u8)(st); }
-
-/**
- * Expand the cipher key into the encryption key schedule.
- *
- * @return	the number of rounds for the given cipher key size.
- */
-static int rijndaelKeySetupEnc(u32 rk[/*4*(Nr + 1)*/], const u8 cipherKey[], int keyBits) {
-	int i = 0;
-	u32 temp;
-
-	rk[0] = GETU32(cipherKey     );
-	rk[1] = GETU32(cipherKey +  4);
-	rk[2] = GETU32(cipherKey +  8);
-	rk[3] = GETU32(cipherKey + 12);
-	if (keyBits == 128) {
-		for (;;) {
-			temp  = rk[3];
-			rk[4] = rk[0] ^
-				(Te4[(temp >> 16) & 0xff] & 0xff000000) ^
-				(Te4[(temp >>  8) & 0xff] & 0x00ff0000) ^
-				(Te4[(temp      ) & 0xff] & 0x0000ff00) ^
-				(Te4[(temp >> 24)       ] & 0x000000ff) ^
-				rcon[i];
-			rk[5] = rk[1] ^ rk[4];
-			rk[6] = rk[2] ^ rk[5];
-			rk[7] = rk[3] ^ rk[6];
-			if (++i == 10) {
-				return 10;
-			}
-			rk += 4;
-		}
-	}
-	rk[4] = GETU32(cipherKey + 16);
-	rk[5] = GETU32(cipherKey + 20);
-	if (keyBits == 192) {
-		for (;;) {
-			temp = rk[ 5];
-			rk[ 6] = rk[ 0] ^
-				(Te4[(temp >> 16) & 0xff] & 0xff000000) ^
-				(Te4[(temp >>  8) & 0xff] & 0x00ff0000) ^
-				(Te4[(temp      ) & 0xff] & 0x0000ff00) ^
-				(Te4[(temp >> 24)       ] & 0x000000ff) ^
-				rcon[i];
-			rk[ 7] = rk[ 1] ^ rk[ 6];
-			rk[ 8] = rk[ 2] ^ rk[ 7];
-			rk[ 9] = rk[ 3] ^ rk[ 8];
-			if (++i == 8) {
-				return 12;
-			}
-			rk[10] = rk[ 4] ^ rk[ 9];
-			rk[11] = rk[ 5] ^ rk[10];
-			rk += 6;
-		}
-	}
-	rk[6] = GETU32(cipherKey + 24);
-	rk[7] = GETU32(cipherKey + 28);
-	if (keyBits == 256) {
-		for (;;) {
-			temp = rk[ 7];
-			rk[ 8] = rk[ 0] ^
-				(Te4[(temp >> 16) & 0xff] & 0xff000000) ^
-				(Te4[(temp >>  8) & 0xff] & 0x00ff0000) ^
-				(Te4[(temp      ) & 0xff] & 0x0000ff00) ^
-				(Te4[(temp >> 24)       ] & 0x000000ff) ^
-				rcon[i];
-			rk[ 9] = rk[ 1] ^ rk[ 8];
-			rk[10] = rk[ 2] ^ rk[ 9];
-			rk[11] = rk[ 3] ^ rk[10];
-				if (++i == 7) {
-					return 14;
-				}
-			temp = rk[11];
-			rk[12] = rk[ 4] ^
-				(Te4[(temp >> 24)       ] & 0xff000000) ^
-				(Te4[(temp >> 16) & 0xff] & 0x00ff0000) ^
-				(Te4[(temp >>  8) & 0xff] & 0x0000ff00) ^
-				(Te4[(temp      ) & 0xff] & 0x000000ff);
-			rk[13] = rk[ 5] ^ rk[12];
-			rk[14] = rk[ 6] ^ rk[13];
-			rk[15] = rk[ 7] ^ rk[14];
-			rk += 8;
-		}
-	}
-	return 0;
-}
-
-/**
- * Expand the cipher key into the decryption key schedule.
- *
- * @return	the number of rounds for the given cipher key size.
- */
-static int
-rijndaelKeySetupDec(u32 rk[/*4*(Nr + 1)*/], const u8 cipherKey[], int keyBits,
-    int have_encrypt) {
-	int Nr, i, j;
-	u32 temp;
-
-	if (have_encrypt) {
-		Nr = have_encrypt;
-	} else {
-		/* expand the cipher key: */
-		Nr = rijndaelKeySetupEnc(rk, cipherKey, keyBits);
-	}
-	/* invert the order of the round keys: */
-	for (i = 0, j = 4*Nr; i < j; i += 4, j -= 4) {
-		temp = rk[i    ]; rk[i    ] = rk[j    ]; rk[j    ] = temp;
-		temp = rk[i + 1]; rk[i + 1] = rk[j + 1]; rk[j + 1] = temp;
-		temp = rk[i + 2]; rk[i + 2] = rk[j + 2]; rk[j + 2] = temp;
-		temp = rk[i + 3]; rk[i + 3] = rk[j + 3]; rk[j + 3] = temp;
-	}
-	/* apply the inverse MixColumn transform to all round keys but the first and the last: */
-	for (i = 1; i < Nr; i++) {
-		rk += 4;
-		rk[0] =
-			Td0[Te4[(rk[0] >> 24)       ] & 0xff] ^
-			Td1[Te4[(rk[0] >> 16) & 0xff] & 0xff] ^
-			Td2[Te4[(rk[0] >>  8) & 0xff] & 0xff] ^
-			Td3[Te4[(rk[0]      ) & 0xff] & 0xff];
-		rk[1] =
-			Td0[Te4[(rk[1] >> 24)       ] & 0xff] ^
-			Td1[Te4[(rk[1] >> 16) & 0xff] & 0xff] ^
-			Td2[Te4[(rk[1] >>  8) & 0xff] & 0xff] ^
-			Td3[Te4[(rk[1]      ) & 0xff] & 0xff];
-		rk[2] =
-			Td0[Te4[(rk[2] >> 24)       ] & 0xff] ^
-			Td1[Te4[(rk[2] >> 16) & 0xff] & 0xff] ^
-			Td2[Te4[(rk[2] >>  8) & 0xff] & 0xff] ^
-			Td3[Te4[(rk[2]      ) & 0xff] & 0xff];
-		rk[3] =
-			Td0[Te4[(rk[3] >> 24)       ] & 0xff] ^
-			Td1[Te4[(rk[3] >> 16) & 0xff] & 0xff] ^
-			Td2[Te4[(rk[3] >>  8) & 0xff] & 0xff] ^
-			Td3[Te4[(rk[3]      ) & 0xff] & 0xff];
-	}
-	return Nr;
-}
-
-static void rijndaelEncrypt(const u32 rk[/*4*(Nr + 1)*/], int Nr, const u8 pt[16], u8 ct[16]) {
-	u32 s0, s1, s2, s3, t0, t1, t2, t3;
-#ifndef FULL_UNROLL
-    int r;
-#endif /* ?FULL_UNROLL */
-
-    /*
-	 * map byte array block to cipher state
-	 * and add initial round key:
-	 */
-	s0 = GETU32(pt     ) ^ rk[0];
-	s1 = GETU32(pt +  4) ^ rk[1];
-	s2 = GETU32(pt +  8) ^ rk[2];
-	s3 = GETU32(pt + 12) ^ rk[3];
-#ifdef FULL_UNROLL
-    /* round 1: */
-	t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[ 4];
-	t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[ 5];
-	t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[ 6];
-	t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[ 7];
-	/* round 2: */
-	s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[ 8];
-	s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[ 9];
-	s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[10];
-	s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[11];
-    /* round 3: */
-	t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[12];
-	t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[13];
-	t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[14];
-	t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[15];
-	/* round 4: */
-	s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[16];
-	s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[17];
-	s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[18];
-	s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[19];
-    /* round 5: */
-	t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[20];
-	t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[21];
-	t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[22];
-	t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[23];
-	/* round 6: */
-	s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[24];
-	s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[25];
-	s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[26];
-	s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[27];
-    /* round 7: */
-	t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[28];
-	t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[29];
-	t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[30];
-	t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[31];
-	/* round 8: */
-	s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[32];
-	s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[33];
-	s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[34];
-	s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[35];
-    /* round 9: */
-	t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[36];
-	t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[37];
-	t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[38];
-	t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[39];
-    if (Nr > 10) {
-	/* round 10: */
-	s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[40];
-	s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[41];
-	s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[42];
-	s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[43];
-	/* round 11: */
-	t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[44];
-	t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[45];
-	t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[46];
-	t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[47];
-	if (Nr > 12) {
-	    /* round 12: */
-	    s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[48];
-	    s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[49];
-	    s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[50];
-	    s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[51];
-	    /* round 13: */
-	    t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[52];
-	    t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[53];
-	    t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[54];
-	    t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[55];
-	}
-    }
-    rk += Nr << 2;
-#else  /* !FULL_UNROLL */
-    /*
-	 * Nr - 1 full rounds:
-	 */
-    r = Nr >> 1;
-    for (;;) {
-	t0 =
-	    Te0[(s0 >> 24)       ] ^
-	    Te1[(s1 >> 16) & 0xff] ^
-	    Te2[(s2 >>  8) & 0xff] ^
-	    Te3[(s3      ) & 0xff] ^
-	    rk[4];
-	t1 =
-	    Te0[(s1 >> 24)       ] ^
-	    Te1[(s2 >> 16) & 0xff] ^
-	    Te2[(s3 >>  8) & 0xff] ^
-	    Te3[(s0      ) & 0xff] ^
-	    rk[5];
-	t2 =
-	    Te0[(s2 >> 24)       ] ^
-	    Te1[(s3 >> 16) & 0xff] ^
-	    Te2[(s0 >>  8) & 0xff] ^
-	    Te3[(s1      ) & 0xff] ^
-	    rk[6];
-	t3 =
-	    Te0[(s3 >> 24)       ] ^
-	    Te1[(s0 >> 16) & 0xff] ^
-	    Te2[(s1 >>  8) & 0xff] ^
-	    Te3[(s2      ) & 0xff] ^
-	    rk[7];
-
-	rk += 8;
-	if (--r == 0) {
-	    break;
-	}
-
-	s0 =
-	    Te0[(t0 >> 24)       ] ^
-	    Te1[(t1 >> 16) & 0xff] ^
-	    Te2[(t2 >>  8) & 0xff] ^
-	    Te3[(t3      ) & 0xff] ^
-	    rk[0];
-	s1 =
-	    Te0[(t1 >> 24)       ] ^
-	    Te1[(t2 >> 16) & 0xff] ^
-	    Te2[(t3 >>  8) & 0xff] ^
-	    Te3[(t0      ) & 0xff] ^
-	    rk[1];
-	s2 =
-	    Te0[(t2 >> 24)       ] ^
-	    Te1[(t3 >> 16) & 0xff] ^
-	    Te2[(t0 >>  8) & 0xff] ^
-	    Te3[(t1      ) & 0xff] ^
-	    rk[2];
-	s3 =
-	    Te0[(t3 >> 24)       ] ^
-	    Te1[(t0 >> 16) & 0xff] ^
-	    Te2[(t1 >>  8) & 0xff] ^
-	    Te3[(t2      ) & 0xff] ^
-	    rk[3];
-    }
-#endif /* ?FULL_UNROLL */
-    /*
-	 * apply last round and
-	 * map cipher state to byte array block:
-	 */
-	s0 =
-		(Te4[(t0 >> 24)       ] & 0xff000000) ^
-		(Te4[(t1 >> 16) & 0xff] & 0x00ff0000) ^
-		(Te4[(t2 >>  8) & 0xff] & 0x0000ff00) ^
-		(Te4[(t3      ) & 0xff] & 0x000000ff) ^
-		rk[0];
-	PUTU32(ct     , s0);
-	s1 =
-		(Te4[(t1 >> 24)       ] & 0xff000000) ^
-		(Te4[(t2 >> 16) & 0xff] & 0x00ff0000) ^
-		(Te4[(t3 >>  8) & 0xff] & 0x0000ff00) ^
-		(Te4[(t0      ) & 0xff] & 0x000000ff) ^
-		rk[1];
-	PUTU32(ct +  4, s1);
-	s2 =
-		(Te4[(t2 >> 24)       ] & 0xff000000) ^
-		(Te4[(t3 >> 16) & 0xff] & 0x00ff0000) ^
-		(Te4[(t0 >>  8) & 0xff] & 0x0000ff00) ^
-		(Te4[(t1      ) & 0xff] & 0x000000ff) ^
-		rk[2];
-	PUTU32(ct +  8, s2);
-	s3 =
-		(Te4[(t3 >> 24)       ] & 0xff000000) ^
-		(Te4[(t0 >> 16) & 0xff] & 0x00ff0000) ^
-		(Te4[(t1 >>  8) & 0xff] & 0x0000ff00) ^
-		(Te4[(t2      ) & 0xff] & 0x000000ff) ^
-		rk[3];
-	PUTU32(ct + 12, s3);
-}
-
-static void rijndaelDecrypt(const u32 rk[/*4*(Nr + 1)*/], int Nr, const u8 ct[16], u8 pt[16]) {
-	u32 s0, s1, s2, s3, t0, t1, t2, t3;
-#ifndef FULL_UNROLL
-    int r;
-#endif /* ?FULL_UNROLL */
-
-    /*
-	 * map byte array block to cipher state
-	 * and add initial round key:
-	 */
-    s0 = GETU32(ct     ) ^ rk[0];
-    s1 = GETU32(ct +  4) ^ rk[1];
-    s2 = GETU32(ct +  8) ^ rk[2];
-    s3 = GETU32(ct + 12) ^ rk[3];
-#ifdef FULL_UNROLL
-    /* round 1: */
-    t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[ 4];
-    t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[ 5];
-    t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[ 6];
-    t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[ 7];
-    /* round 2: */
-    s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[ 8];
-    s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[ 9];
-    s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[10];
-    s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[11];
-    /* round 3: */
-    t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[12];
-    t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[13];
-    t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[14];
-    t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[15];
-    /* round 4: */
-    s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[16];
-    s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[17];
-    s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[18];
-    s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[19];
-    /* round 5: */
-    t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[20];
-    t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[21];
-    t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[22];
-    t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[23];
-    /* round 6: */
-    s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[24];
-    s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[25];
-    s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[26];
-    s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[27];
-    /* round 7: */
-    t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[28];
-    t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[29];
-    t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[30];
-    t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[31];
-    /* round 8: */
-    s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[32];
-    s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[33];
-    s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[34];
-    s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[35];
-    /* round 9: */
-    t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[36];
-    t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[37];
-    t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[38];
-    t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[39];
-    if (Nr > 10) {
-	/* round 10: */
-	s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[40];
-	s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[41];
-	s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[42];
-	s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[43];
-	/* round 11: */
-	t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[44];
-	t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[45];
-	t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[46];
-	t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[47];
-	if (Nr > 12) {
-	    /* round 12: */
-	    s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[48];
-	    s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[49];
-	    s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[50];
-	    s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[51];
-	    /* round 13: */
-	    t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[52];
-	    t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[53];
-	    t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[54];
-	    t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[55];
-	}
-    }
-	rk += Nr << 2;
-#else  /* !FULL_UNROLL */
-    /*
-     * Nr - 1 full rounds:
-     */
-    r = Nr >> 1;
-    for (;;) {
-	t0 =
-	    Td0[(s0 >> 24)       ] ^
-	    Td1[(s3 >> 16) & 0xff] ^
-	    Td2[(s2 >>  8) & 0xff] ^
-	    Td3[(s1      ) & 0xff] ^
-	    rk[4];
-	t1 =
-	    Td0[(s1 >> 24)       ] ^
-	    Td1[(s0 >> 16) & 0xff] ^
-	    Td2[(s3 >>  8) & 0xff] ^
-	    Td3[(s2      ) & 0xff] ^
-	    rk[5];
-	t2 =
-	    Td0[(s2 >> 24)       ] ^
-	    Td1[(s1 >> 16) & 0xff] ^
-	    Td2[(s0 >>  8) & 0xff] ^
-	    Td3[(s3      ) & 0xff] ^
-	    rk[6];
-	t3 =
-	    Td0[(s3 >> 24)       ] ^
-	    Td1[(s2 >> 16) & 0xff] ^
-	    Td2[(s1 >>  8) & 0xff] ^
-	    Td3[(s0      ) & 0xff] ^
-	    rk[7];
-
-	rk += 8;
-	if (--r == 0) {
-	    break;
-	}
-
-	s0 =
-	    Td0[(t0 >> 24)       ] ^
-	    Td1[(t3 >> 16) & 0xff] ^
-	    Td2[(t2 >>  8) & 0xff] ^
-	    Td3[(t1      ) & 0xff] ^
-	    rk[0];
-	s1 =
-	    Td0[(t1 >> 24)       ] ^
-	    Td1[(t0 >> 16) & 0xff] ^
-	    Td2[(t3 >>  8) & 0xff] ^
-	    Td3[(t2      ) & 0xff] ^
-	    rk[1];
-	s2 =
-	    Td0[(t2 >> 24)       ] ^
-	    Td1[(t1 >> 16) & 0xff] ^
-	    Td2[(t0 >>  8) & 0xff] ^
-	    Td3[(t3      ) & 0xff] ^
-	    rk[2];
-	s3 =
-	    Td0[(t3 >> 24)       ] ^
-	    Td1[(t2 >> 16) & 0xff] ^
-	    Td2[(t1 >>  8) & 0xff] ^
-	    Td3[(t0      ) & 0xff] ^
-	    rk[3];
-    }
-#endif /* ?FULL_UNROLL */
-    /*
-	 * apply last round and
-	 * map cipher state to byte array block:
-	 */
-	s0 =
-		(Td4[(t0 >> 24)       ] & 0xff000000) ^
-		(Td4[(t3 >> 16) & 0xff] & 0x00ff0000) ^
-		(Td4[(t2 >>  8) & 0xff] & 0x0000ff00) ^
-		(Td4[(t1      ) & 0xff] & 0x000000ff) ^
-		rk[0];
-	PUTU32(pt     , s0);
-	s1 =
-		(Td4[(t1 >> 24)       ] & 0xff000000) ^
-		(Td4[(t0 >> 16) & 0xff] & 0x00ff0000) ^
-		(Td4[(t3 >>  8) & 0xff] & 0x0000ff00) ^
-		(Td4[(t2      ) & 0xff] & 0x000000ff) ^
-		rk[1];
-	PUTU32(pt +  4, s1);
-	s2 =
-		(Td4[(t2 >> 24)       ] & 0xff000000) ^
-		(Td4[(t1 >> 16) & 0xff] & 0x00ff0000) ^
-		(Td4[(t0 >>  8) & 0xff] & 0x0000ff00) ^
-		(Td4[(t3      ) & 0xff] & 0x000000ff) ^
-		rk[2];
-	PUTU32(pt +  8, s2);
-	s3 =
-		(Td4[(t3 >> 24)       ] & 0xff000000) ^
-		(Td4[(t2 >> 16) & 0xff] & 0x00ff0000) ^
-		(Td4[(t1 >>  8) & 0xff] & 0x0000ff00) ^
-		(Td4[(t0      ) & 0xff] & 0x000000ff) ^
-		rk[3];
-	PUTU32(pt + 12, s3);
-}
-
-void
-rijndael_set_key(rijndael_ctx *ctx, u_char *key, int bits, int do_encrypt)
-{
-	ctx->Nr = rijndaelKeySetupEnc(ctx->ek, key, bits);
-	if (do_encrypt) {
-		ctx->decrypt = 0;
-		memset(ctx->dk, 0, sizeof(ctx->dk));
-	} else {
-		ctx->decrypt = 1;
-		memcpy(ctx->dk, ctx->ek, sizeof(ctx->dk));
-		rijndaelKeySetupDec(ctx->dk, key, bits, ctx->Nr);
-	}
-}
-
-void
-rijndael_decrypt(rijndael_ctx *ctx, u_char *src, u_char *dst)
-{
-	rijndaelDecrypt(ctx->dk, ctx->Nr, src, dst);
-}
-
-void
-rijndael_encrypt(rijndael_ctx *ctx, u_char *src, u_char *dst)
-{
-	rijndaelEncrypt(ctx->ek, ctx->Nr, src, dst);
-}
diff --git a/crypto/openssh/rijndael.h b/crypto/openssh/rijndael.h
deleted file mode 100644
index c614bb1..0000000
--- a/crypto/openssh/rijndael.h
+++ /dev/null
@@ -1,51 +0,0 @@
-/*	$OpenBSD: rijndael.h,v 1.12 2001/12/19 07:18:56 deraadt Exp $ */
-
-/**
- * rijndael-alg-fst.h
- *
- * @version 3.0 (December 2000)
- *
- * Optimised ANSI C code for the Rijndael cipher (now AES)
- *
- * @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
- * @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
- * @author Paulo Barreto <paulo.barreto@terra.com.br>
- *
- * This code is hereby placed in the public domain.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
- * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
- * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
- * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
- * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-#ifndef __RIJNDAEL_H
-#define __RIJNDAEL_H
-
-#define MAXKC	(256/32)
-#define MAXKB	(256/8)
-#define MAXNR	14
-
-typedef unsigned char	u8;
-typedef unsigned short	u16;
-typedef unsigned int	u32;
-
-/*  The structure for key information */
-typedef struct {
-	int	decrypt;
-	int	Nr;			/* key-length-dependent number of rounds */
-	u32	ek[4*(MAXNR + 1)];	/* encrypt key schedule */
-	u32	dk[4*(MAXNR + 1)];	/* decrypt key schedule */
-} rijndael_ctx;
-
-void	 rijndael_set_key(rijndael_ctx *, u_char *, int, int);
-void	 rijndael_decrypt(rijndael_ctx *, u_char *, u_char *);
-void	 rijndael_encrypt(rijndael_ctx *, u_char *, u_char *);
-
-#endif /* __RIJNDAEL_H */
diff --git a/crypto/openssh/rsa.c b/crypto/openssh/rsa.c
deleted file mode 100644
index bec1d19..0000000
--- a/crypto/openssh/rsa.c
+++ /dev/null
@@ -1,151 +0,0 @@
-/* $OpenBSD: rsa.c,v 1.29 2006/11/06 21:25:28 markus Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- *
- * Copyright (c) 1999 Niels Provos.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- *
- * Description of the RSA algorithm can be found e.g. from the following
- * sources:
- *
- *   Bruce Schneier: Applied Cryptography.  John Wiley & Sons, 1994.
- *
- *   Jennifer Seberry and Josed Pieprzyk: Cryptography: An Introduction to
- *   Computer Security.  Prentice-Hall, 1989.
- *
- *   Man Young Rhee: Cryptography and Secure Data Communications.  McGraw-Hill,
- *   1994.
- *
- *   R. Rivest, A. Shamir, and L. M. Adleman: Cryptographic Communications
- *   System and Method.  US Patent 4,405,829, 1983.
- *
- *   Hans Riesel: Prime Numbers and Computer Methods for Factorization.
- *   Birkhauser, 1994.
- *
- *   The RSA Frequently Asked Questions document by RSA Data Security,
- *   Inc., 1995.
- *
- *   RSA in 3 lines of perl by Adam Back <aba@atlax.ex.ac.uk>, 1995, as
- * included below:
- *
- *     [gone - had to be deleted - what a pity]
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <stdarg.h>
-#include <string.h>
-
-#include "xmalloc.h"
-#include "rsa.h"
-#include "log.h"
-
-void
-rsa_public_encrypt(BIGNUM *out, BIGNUM *in, RSA *key)
-{
-	u_char *inbuf, *outbuf;
-	int len, ilen, olen;
-
-	if (BN_num_bits(key->e) < 2 || !BN_is_odd(key->e))
-		fatal("rsa_public_encrypt() exponent too small or not odd");
-
-	olen = BN_num_bytes(key->n);
-	outbuf = xmalloc(olen);
-
-	ilen = BN_num_bytes(in);
-	inbuf = xmalloc(ilen);
-	BN_bn2bin(in, inbuf);
-
-	if ((len = RSA_public_encrypt(ilen, inbuf, outbuf, key,
-	    RSA_PKCS1_PADDING)) <= 0)
-		fatal("rsa_public_encrypt() failed");
-
-	if (BN_bin2bn(outbuf, len, out) == NULL)
-		fatal("rsa_public_encrypt: BN_bin2bn failed");
-
-	memset(outbuf, 0, olen);
-	memset(inbuf, 0, ilen);
-	xfree(outbuf);
-	xfree(inbuf);
-}
-
-int
-rsa_private_decrypt(BIGNUM *out, BIGNUM *in, RSA *key)
-{
-	u_char *inbuf, *outbuf;
-	int len, ilen, olen;
-
-	olen = BN_num_bytes(key->n);
-	outbuf = xmalloc(olen);
-
-	ilen = BN_num_bytes(in);
-	inbuf = xmalloc(ilen);
-	BN_bn2bin(in, inbuf);
-
-	if ((len = RSA_private_decrypt(ilen, inbuf, outbuf, key,
-	    RSA_PKCS1_PADDING)) <= 0) {
-		error("rsa_private_decrypt() failed");
-	} else {
-		if (BN_bin2bn(outbuf, len, out) == NULL)
-			fatal("rsa_private_decrypt: BN_bin2bn failed");
-	}
-	memset(outbuf, 0, olen);
-	memset(inbuf, 0, ilen);
-	xfree(outbuf);
-	xfree(inbuf);
-	return len;
-}
-
-/* calculate p-1 and q-1 */
-void
-rsa_generate_additional_parameters(RSA *rsa)
-{
-	BIGNUM *aux;
-	BN_CTX *ctx;
-
-	if ((aux = BN_new()) == NULL)
-		fatal("rsa_generate_additional_parameters: BN_new failed");
-	if ((ctx = BN_CTX_new()) == NULL)
-		fatal("rsa_generate_additional_parameters: BN_CTX_new failed");
-
-	if ((BN_sub(aux, rsa->q, BN_value_one()) == 0) ||
-	    (BN_mod(rsa->dmq1, rsa->d, aux, ctx) == 0) ||
-	    (BN_sub(aux, rsa->p, BN_value_one()) == 0) ||
-	    (BN_mod(rsa->dmp1, rsa->d, aux, ctx) == 0))
-		fatal("rsa_generate_additional_parameters: BN_sub/mod failed");
-
-	BN_clear_free(aux);
-	BN_CTX_free(ctx);
-}
-
diff --git a/crypto/openssh/rsa.h b/crypto/openssh/rsa.h
deleted file mode 100644
index b841ea4..0000000
--- a/crypto/openssh/rsa.h
+++ /dev/null
@@ -1,26 +0,0 @@
-/* $OpenBSD: rsa.h,v 1.16 2006/03/25 22:22:43 djm Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * RSA key generation, encryption and decryption.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#ifndef RSA_H
-#define RSA_H
-
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-
-void	 rsa_public_encrypt(BIGNUM *, BIGNUM *, RSA *);
-int	 rsa_private_decrypt(BIGNUM *, BIGNUM *, RSA *);
-void	 rsa_generate_additional_parameters(RSA *);
-
-#endif				/* RSA_H */
diff --git a/crypto/openssh/scard-opensc.c b/crypto/openssh/scard-opensc.c
deleted file mode 100644
index 4751ea2..0000000
--- a/crypto/openssh/scard-opensc.c
+++ /dev/null
@@ -1,531 +0,0 @@
-/*
- * Copyright (c) 2002 Juha Yrjölä.  All rights reserved.
- * Copyright (c) 2001 Markus Friedl.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-#if defined(SMARTCARD) && defined(USE_OPENSC)
-
-#include <sys/types.h>
-
-#include <openssl/evp.h>
-#include <openssl/x509.h>
-
-#include <stdarg.h>
-
-#include <opensc/opensc.h>
-#include <opensc/pkcs15.h>
-
-#include "key.h"
-#include "log.h"
-#include "xmalloc.h"
-#include "misc.h"
-#include "scard.h"
-
-#if OPENSSL_VERSION_NUMBER < 0x00907000L && defined(CRYPTO_LOCK_ENGINE)
-#define USE_ENGINE
-#define RSA_get_default_method RSA_get_default_openssl_method
-#else
-#endif
-
-#ifdef USE_ENGINE
-#include <openssl/engine.h>
-#define sc_get_rsa sc_get_engine
-#else
-#define sc_get_rsa sc_get_rsa_method
-#endif
-
-static int sc_reader_id;
-static sc_context_t *ctx = NULL;
-static sc_card_t *card = NULL;
-static sc_pkcs15_card_t *p15card = NULL;
-
-static char *sc_pin = NULL;
-
-struct sc_priv_data
-{
-	struct sc_pkcs15_id cert_id;
-	int ref_count;
-};
-
-void
-sc_close(void)
-{
-	if (p15card) {
-		sc_pkcs15_unbind(p15card);
-		p15card = NULL;
-	}
-	if (card) {
-		sc_disconnect_card(card, 0);
-		card = NULL;
-	}
-	if (ctx) {
-		sc_release_context(ctx);
-		ctx = NULL;
-	}
-}
-
-static int
-sc_init(void)
-{
-	int r;
-
-	r = sc_establish_context(&ctx, "openssh");
-	if (r)
-		goto err;
-	if (sc_reader_id >= ctx->reader_count) {
-		r = SC_ERROR_NO_READERS_FOUND;
-		error("Illegal reader number %d (max %d)", sc_reader_id,
-		    ctx->reader_count -1);
-		goto err;
-	}
-	r = sc_connect_card(ctx->reader[sc_reader_id], 0, &card);
-	if (r)
-		goto err;
-	r = sc_pkcs15_bind(card, &p15card);
-	if (r)
-		goto err;
-	return 0;
-err:
-	sc_close();
-	return r;
-}
-
-/* private key operations */
-
-static int
-sc_prkey_op_init(RSA *rsa, struct sc_pkcs15_object **key_obj_out,
-	unsigned int usage)
-{
-	int r;
-	struct sc_priv_data *priv;
-	struct sc_pkcs15_object *key_obj;
-	struct sc_pkcs15_prkey_info *key;
-	struct sc_pkcs15_object *pin_obj;
-	struct sc_pkcs15_pin_info *pin;
-
-	priv = (struct sc_priv_data *) RSA_get_app_data(rsa);
-	if (priv == NULL)
-		return -1;
-	if (p15card == NULL) {
-		sc_close();
-		r = sc_init();
-		if (r) {
-			error("SmartCard init failed: %s", sc_strerror(r));
-			goto err;
-		}
-	}
-	r = sc_pkcs15_find_prkey_by_id_usage(p15card, &priv->cert_id,
-		usage, &key_obj);
-	if (r) {
-		error("Unable to find private key from SmartCard: %s",
-		      sc_strerror(r));
-		goto err;
-	}
-	key = key_obj->data;
-	r = sc_pkcs15_find_pin_by_auth_id(p15card, &key_obj->auth_id,
-					  &pin_obj);
-	if (r == SC_ERROR_OBJECT_NOT_FOUND) {
-		/* no pin required */
-		r = sc_lock(card);
-		if (r) {
-			error("Unable to lock smartcard: %s", sc_strerror(r));
-			goto err;
-		}
-		*key_obj_out = key_obj;
-		return 0;
-	} else if (r) {
-		error("Unable to find PIN object from SmartCard: %s",
-		      sc_strerror(r));
-		goto err;
-	}
-	pin = pin_obj->data;
-	r = sc_lock(card);
-	if (r) {
-		error("Unable to lock smartcard: %s", sc_strerror(r));
-		goto err;
-	}
-	if (sc_pin != NULL) {
-		r = sc_pkcs15_verify_pin(p15card, pin, sc_pin,
-					 strlen(sc_pin));
-		if (r) {
-			sc_unlock(card);
-			error("PIN code verification failed: %s",
-			      sc_strerror(r));
-			goto err;
-		}
-	}
-	*key_obj_out = key_obj;
-	return 0;
-err:
-	sc_close();
-	return -1;
-}
-
-#define SC_USAGE_DECRYPT	SC_PKCS15_PRKEY_USAGE_DECRYPT | \
-				SC_PKCS15_PRKEY_USAGE_UNWRAP
-
-static int
-sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa,
-    int padding)
-{
-	struct sc_pkcs15_object *key_obj;
-	int r;
-
-	if (padding != RSA_PKCS1_PADDING)
-		return -1;
-	r = sc_prkey_op_init(rsa, &key_obj, SC_USAGE_DECRYPT);
-	if (r)
-		return -1;
-	r = sc_pkcs15_decipher(p15card, key_obj, SC_ALGORITHM_RSA_PAD_PKCS1,
-	    from, flen, to, flen);
-	sc_unlock(card);
-	if (r < 0) {
-		error("sc_pkcs15_decipher() failed: %s", sc_strerror(r));
-		goto err;
-	}
-	return r;
-err:
-	sc_close();
-	return -1;
-}
-
-#define SC_USAGE_SIGN 		SC_PKCS15_PRKEY_USAGE_SIGN | \
-				SC_PKCS15_PRKEY_USAGE_SIGNRECOVER
-
-static int
-sc_sign(int type, u_char *m, unsigned int m_len,
-	unsigned char *sigret, unsigned int *siglen, RSA *rsa)
-{
-	struct sc_pkcs15_object *key_obj;
-	int r;
-	unsigned long flags = 0;
-
-	/* XXX: sc_prkey_op_init will search for a pkcs15 private
-	 * key object with the sign or signrecover usage flag set.
-	 * If the signing key has only the non-repudiation flag set
-	 * the key will be rejected as using a non-repudiation key
-	 * for authentication is not recommended. Note: This does not
-	 * prevent the use of a non-repudiation key for authentication
-	 * if the sign or signrecover flag is set as well.
-	 */
-	r = sc_prkey_op_init(rsa, &key_obj, SC_USAGE_SIGN);
-	if (r)
-		return -1;
-	/* FIXME: length of sigret correct? */
-	/* FIXME: check 'type' and modify flags accordingly */
-	flags = SC_ALGORITHM_RSA_PAD_PKCS1 | SC_ALGORITHM_RSA_HASH_SHA1;
-	r = sc_pkcs15_compute_signature(p15card, key_obj, flags,
-					m, m_len, sigret, RSA_size(rsa));
-	sc_unlock(card);
-	if (r < 0) {
-		error("sc_pkcs15_compute_signature() failed: %s",
-		      sc_strerror(r));
-		goto err;
-	}
-	*siglen = r;
-	return 1;
-err:
-	sc_close();
-	return 0;
-}
-
-static int
-sc_private_encrypt(int flen, u_char *from, u_char *to, RSA *rsa,
-    int padding)
-{
-	error("Private key encryption not supported");
-	return -1;
-}
-
-/* called on free */
-
-static int (*orig_finish)(RSA *rsa) = NULL;
-
-static int
-sc_finish(RSA *rsa)
-{
-	struct sc_priv_data *priv;
-
-	priv = RSA_get_app_data(rsa);
-	priv->ref_count--;
-	if (priv->ref_count == 0) {
-		free(priv);
-		sc_close();
-	}
-	if (orig_finish)
-		orig_finish(rsa);
-	return 1;
-}
-
-/* engine for overloading private key operations */
-
-static RSA_METHOD *
-sc_get_rsa_method(void)
-{
-	static RSA_METHOD smart_rsa;
-	const RSA_METHOD *def = RSA_get_default_method();
-
-	/* use the OpenSSL version */
-	memcpy(&smart_rsa, def, sizeof(smart_rsa));
-
-	smart_rsa.name		= "opensc";
-
-	/* overload */
-	smart_rsa.rsa_priv_enc	= sc_private_encrypt;
-	smart_rsa.rsa_priv_dec	= sc_private_decrypt;
-	smart_rsa.rsa_sign	= sc_sign;
-
-	/* save original */
-	orig_finish		= def->finish;
-	smart_rsa.finish	= sc_finish;
-
-	return &smart_rsa;
-}
-
-#ifdef USE_ENGINE
-static ENGINE *
-sc_get_engine(void)
-{
-	static ENGINE *smart_engine = NULL;
-
-	if ((smart_engine = ENGINE_new()) == NULL)
-		fatal("ENGINE_new failed");
-
-	ENGINE_set_id(smart_engine, "opensc");
-	ENGINE_set_name(smart_engine, "OpenSC");
-
-	ENGINE_set_RSA(smart_engine, sc_get_rsa_method());
-	ENGINE_set_DSA(smart_engine, DSA_get_default_openssl_method());
-	ENGINE_set_DH(smart_engine, DH_get_default_openssl_method());
-	ENGINE_set_RAND(smart_engine, RAND_SSLeay());
-	ENGINE_set_BN_mod_exp(smart_engine, BN_mod_exp);
-
-	return smart_engine;
-}
-#endif
-
-static void
-convert_rsa_to_rsa1(Key * in, Key * out)
-{
-	struct sc_priv_data *priv;
-
-	out->rsa->flags = in->rsa->flags;
-	out->flags = in->flags;
-	RSA_set_method(out->rsa, RSA_get_method(in->rsa));
-	BN_copy(out->rsa->n, in->rsa->n);
-	BN_copy(out->rsa->e, in->rsa->e);
-	priv = RSA_get_app_data(in->rsa);
-	priv->ref_count++;
-	RSA_set_app_data(out->rsa, priv);
-	return;
-}
-
-static int
-sc_read_pubkey(Key * k, const struct sc_pkcs15_object *cert_obj)
-{
-	int r;
-	sc_pkcs15_cert_t *cert = NULL;
-	struct sc_priv_data *priv = NULL;
-	sc_pkcs15_cert_info_t *cinfo = cert_obj->data;
-
-	X509 *x509 = NULL;
-	EVP_PKEY *pubkey = NULL;
-	u8 *p;
-	char *tmp;
-
-	debug("sc_read_pubkey() with cert id %02X", cinfo->id.value[0]);
-	r = sc_pkcs15_read_certificate(p15card, cinfo, &cert);
-	if (r) {
-		logit("Certificate read failed: %s", sc_strerror(r));
-		goto err;
-	}
-	x509 = X509_new();
-	if (x509 == NULL) {
-		r = -1;
-		goto err;
-	}
-	p = cert->data;
-	if (!d2i_X509(&x509, &p, cert->data_len)) {
-		logit("Unable to parse X.509 certificate");
-		r = -1;
-		goto err;
-	}
-	sc_pkcs15_free_certificate(cert);
-	cert = NULL;
-	pubkey = X509_get_pubkey(x509);
-	X509_free(x509);
-	x509 = NULL;
-	if (pubkey->type != EVP_PKEY_RSA) {
-		logit("Public key is of unknown type");
-		r = -1;
-		goto err;
-	}
-	k->rsa = EVP_PKEY_get1_RSA(pubkey);
-	EVP_PKEY_free(pubkey);
-
-	k->rsa->flags |= RSA_FLAG_SIGN_VER;
-	RSA_set_method(k->rsa, sc_get_rsa_method());
-	priv = xmalloc(sizeof(struct sc_priv_data));
-	priv->cert_id = cinfo->id;
-	priv->ref_count = 1;
-	RSA_set_app_data(k->rsa, priv);
-
-	k->flags = KEY_FLAG_EXT;
-	tmp = key_fingerprint(k, SSH_FP_MD5, SSH_FP_HEX);
-	debug("fingerprint %d %s", key_size(k), tmp);
-	xfree(tmp);
-
-	return 0;
-err:
-	if (cert)
-		sc_pkcs15_free_certificate(cert);
-	if (pubkey)
-		EVP_PKEY_free(pubkey);
-	if (x509)
-		X509_free(x509);
-	return r;
-}
-
-Key **
-sc_get_keys(const char *id, const char *pin)
-{
-	Key *k, **keys;
-	int i, r, real_count = 0, key_count;
-	sc_pkcs15_id_t cert_id;
-	sc_pkcs15_object_t *certs[32];
-	char *buf = xstrdup(id), *p;
-
-	debug("sc_get_keys called: id = %s", id);
-
-	if (sc_pin != NULL)
-		xfree(sc_pin);
-	sc_pin = (pin == NULL) ? NULL : xstrdup(pin);
-
-	cert_id.len = 0;
-	if ((p = strchr(buf, ':')) != NULL) {
-		*p = 0;
-		p++;
-		sc_pkcs15_hex_string_to_id(p, &cert_id);
-	}
-	r = sscanf(buf, "%d", &sc_reader_id);
-	xfree(buf);
-	if (r != 1)
-		goto err;
-	if (p15card == NULL) {
-		sc_close();
-		r = sc_init();
-		if (r) {
-			error("Smartcard init failed: %s", sc_strerror(r));
-			goto err;
-		}
-	}
-	if (cert_id.len) {
-		r = sc_pkcs15_find_cert_by_id(p15card, &cert_id, &certs[0]);
-		if (r < 0)
-			goto err;
-		key_count = 1;
-	} else {
-		r = sc_pkcs15_get_objects(p15card, SC_PKCS15_TYPE_CERT_X509,
-					  certs, 32);
-		if (r == 0) {
-			logit("No certificates found on smartcard");
-			r = -1;
-			goto err;
-		} else if (r < 0) {
-			error("Certificate enumeration failed: %s",
-			      sc_strerror(r));
-			goto err;
-		}
-		key_count = r;
-	}
-	if (key_count > 1024)
-		fatal("Too many keys (%u), expected <= 1024", key_count);
-	keys = xcalloc(key_count * 2 + 1, sizeof(Key *));
-	for (i = 0; i < key_count; i++) {
-		sc_pkcs15_object_t *tmp_obj = NULL;
-		cert_id = ((sc_pkcs15_cert_info_t *)(certs[i]->data))->id;
-		if (sc_pkcs15_find_prkey_by_id(p15card, &cert_id, &tmp_obj))
-			/* skip the public key (certificate) if no
-			 * corresponding private key is present */
-			continue;
-		k = key_new(KEY_RSA);
-		if (k == NULL)
-			break;
-		r = sc_read_pubkey(k, certs[i]);
-		if (r) {
-			error("sc_read_pubkey failed: %s", sc_strerror(r));
-			key_free(k);
-			continue;
-		}
-		keys[real_count] = k;
-		real_count++;
-		k = key_new(KEY_RSA1);
-		if (k == NULL)
-			break;
-		convert_rsa_to_rsa1(keys[real_count-1], k);
-		keys[real_count] = k;
-		real_count++;
-	}
-	keys[real_count] = NULL;
-
-	return keys;
-err:
-	sc_close();
-	return NULL;
-}
-
-int
-sc_put_key(Key *prv, const char *id)
-{
-	error("key uploading not yet supported");
-	return -1;
-}
-
-char *
-sc_get_key_label(Key *key)
-{
-	int r;
-	const struct sc_priv_data *priv;
-	struct sc_pkcs15_object *key_obj;
-
-	priv = (const struct sc_priv_data *) RSA_get_app_data(key->rsa);
-	if (priv == NULL || p15card == NULL) {
-		logit("SmartCard key not loaded");
-		/* internal error => return default label */
-		return xstrdup("smartcard key");
-	}
-	r = sc_pkcs15_find_prkey_by_id(p15card, &priv->cert_id, &key_obj);
-	if (r) {
-		logit("Unable to find private key from SmartCard: %s",
-		      sc_strerror(r));
-		return xstrdup("smartcard key");
-	}
-	if (key_obj == NULL || key_obj->label == NULL)
-		/* the optional PKCS#15 label does not exists
-		 * => return the default label */
-		return xstrdup("smartcard key");
-	return xstrdup(key_obj->label);
-}
-
-#endif /* SMARTCARD */
diff --git a/crypto/openssh/scard.c b/crypto/openssh/scard.c
deleted file mode 100644
index 9fd3ca1..0000000
--- a/crypto/openssh/scard.c
+++ /dev/null
@@ -1,571 +0,0 @@
-/* $OpenBSD: scard.c,v 1.36 2006/11/06 21:25:28 markus Exp $ */
-/*
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-#if defined(SMARTCARD) && defined(USE_SECTOK)
-
-#include <sys/types.h>
-
-#include <sectok.h>
-#include <stdarg.h>
-#include <string.h>
-
-#include <openssl/evp.h>
-
-#include "xmalloc.h"
-#include "key.h"
-#include "log.h"
-#include "misc.h"
-#include "scard.h"
-
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
-#define USE_ENGINE
-#define RSA_get_default_method RSA_get_default_openssl_method
-#else
-#endif
-
-#ifdef USE_ENGINE
-#include <openssl/engine.h>
-#define sc_get_rsa sc_get_engine
-#else
-#define sc_get_rsa sc_get_rsa_method
-#endif
-
-#define CLA_SSH 0x05
-#define INS_DECRYPT 0x10
-#define INS_GET_KEYLENGTH 0x20
-#define INS_GET_PUBKEY 0x30
-#define INS_GET_RESPONSE 0xc0
-
-#define MAX_BUF_SIZE 256
-
-u_char DEFAUT0[] = {0xad, 0x9f, 0x61, 0xfe, 0xfa, 0x20, 0xce, 0x63};
-
-static int sc_fd = -1;
-static char *sc_reader_id = NULL;
-static char *sc_pin = NULL;
-static int cla = 0x00;	/* class */
-
-static void sc_mk_digest(const char *pin, u_char *digest);
-static int get_AUT0(u_char *aut0);
-static int try_AUT0(void);
-
-/* interface to libsectok */
-
-static int
-sc_open(void)
-{
-	int sw;
-
-	if (sc_fd >= 0)
-		return sc_fd;
-
-	sc_fd = sectok_friendly_open(sc_reader_id, STONOWAIT, &sw);
-	if (sc_fd < 0) {
-		error("sectok_open failed: %s", sectok_get_sw(sw));
-		return SCARD_ERROR_FAIL;
-	}
-	if (! sectok_cardpresent(sc_fd)) {
-		debug("smartcard in reader %s not present, skipping",
-		    sc_reader_id);
-		sc_close();
-		return SCARD_ERROR_NOCARD;
-	}
-	if (sectok_reset(sc_fd, 0, NULL, &sw) <= 0) {
-		error("sectok_reset failed: %s", sectok_get_sw(sw));
-		sc_fd = -1;
-		return SCARD_ERROR_FAIL;
-	}
-	if ((cla = cyberflex_inq_class(sc_fd)) < 0)
-		cla = 0;
-
-	debug("sc_open ok %d", sc_fd);
-	return sc_fd;
-}
-
-static int
-sc_enable_applet(void)
-{
-	static u_char aid[] = {0xfc, 0x53, 0x73, 0x68, 0x2e, 0x62, 0x69, 0x6e};
-	int sw = 0;
-
-	/* select applet id */
-	sectok_apdu(sc_fd, cla, 0xa4, 0x04, 0, sizeof aid, aid, 0, NULL, &sw);
-	if (!sectok_swOK(sw)) {
-		error("sectok_apdu failed: %s", sectok_get_sw(sw));
-		sc_close();
-		return -1;
-	}
-	return 0;
-}
-
-static int
-sc_init(void)
-{
-	int status;
-
-	status = sc_open();
-	if (status == SCARD_ERROR_NOCARD) {
-		return SCARD_ERROR_NOCARD;
-	}
-	if (status < 0) {
-		error("sc_open failed");
-		return status;
-	}
-	if (sc_enable_applet() < 0) {
-		error("sc_enable_applet failed");
-		return SCARD_ERROR_APPLET;
-	}
-	return 0;
-}
-
-static int
-sc_read_pubkey(Key * k)
-{
-	u_char buf[2], *n;
-	char *p;
-	int len, sw, status = -1;
-
-	len = sw = 0;
-	n = NULL;
-
-	if (sc_fd < 0) {
-		if (sc_init() < 0)
-			goto err;
-	}
-
-	/* get key size */
-	sectok_apdu(sc_fd, CLA_SSH, INS_GET_KEYLENGTH, 0, 0, 0, NULL,
-	    sizeof(buf), buf, &sw);
-	if (!sectok_swOK(sw)) {
-		error("could not obtain key length: %s", sectok_get_sw(sw));
-		goto err;
-	}
-	len = (buf[0] << 8) | buf[1];
-	len /= 8;
-	debug("INS_GET_KEYLENGTH: len %d sw %s", len, sectok_get_sw(sw));
-
-	n = xmalloc(len);
-	/* get n */
-	sectok_apdu(sc_fd, CLA_SSH, INS_GET_PUBKEY, 0, 0, 0, NULL, len, n, &sw);
-
-	if (sw == 0x6982) {
-		if (try_AUT0() < 0)
-			goto err;
-		sectok_apdu(sc_fd, CLA_SSH, INS_GET_PUBKEY, 0, 0, 0, NULL, len, n, &sw);
-	}
-	if (!sectok_swOK(sw)) {
-		error("could not obtain public key: %s", sectok_get_sw(sw));
-		goto err;
-	}
-
-	debug("INS_GET_KEYLENGTH: sw %s", sectok_get_sw(sw));
-
-	if (BN_bin2bn(n, len, k->rsa->n) == NULL) {
-		error("c_read_pubkey: BN_bin2bn failed");
-		goto err;
-	}
-
-	/* currently the java applet just stores 'n' */
-	if (!BN_set_word(k->rsa->e, 35)) {
-		error("c_read_pubkey: BN_set_word(e, 35) failed");
-		goto err;
-	}
-
-	status = 0;
-	p = key_fingerprint(k, SSH_FP_MD5, SSH_FP_HEX);
-	debug("fingerprint %u %s", key_size(k), p);
-	xfree(p);
-
-err:
-	if (n != NULL)
-		xfree(n);
-	sc_close();
-	return status;
-}
-
-/* private key operations */
-
-static int
-sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa,
-    int padding)
-{
-	u_char *padded = NULL;
-	int sw, len, olen, status = -1;
-
-	debug("sc_private_decrypt called");
-
-	olen = len = sw = 0;
-	if (sc_fd < 0) {
-		status = sc_init();
-		if (status < 0)
-			goto err;
-	}
-	if (padding != RSA_PKCS1_PADDING)
-		goto err;
-
-	len = BN_num_bytes(rsa->n);
-	padded = xmalloc(len);
-
-	sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, from, len, padded, &sw);
-
-	if (sw == 0x6982) {
-		if (try_AUT0() < 0)
-			goto err;
-		sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, from, len, padded, &sw);
-	}
-	if (!sectok_swOK(sw)) {
-		error("sc_private_decrypt: INS_DECRYPT failed: %s",
-		    sectok_get_sw(sw));
-		goto err;
-	}
-	olen = RSA_padding_check_PKCS1_type_2(to, len, padded + 1, len - 1,
-	    len);
-err:
-	if (padded)
-		xfree(padded);
-	sc_close();
-	return (olen >= 0 ? olen : status);
-}
-
-static int
-sc_private_encrypt(int flen, u_char *from, u_char *to, RSA *rsa,
-    int padding)
-{
-	u_char *padded = NULL;
-	int sw, len, status = -1;
-
-	len = sw = 0;
-	if (sc_fd < 0) {
-		status = sc_init();
-		if (status < 0)
-			goto err;
-	}
-	if (padding != RSA_PKCS1_PADDING)
-		goto err;
-
-	debug("sc_private_encrypt called");
-	len = BN_num_bytes(rsa->n);
-	padded = xmalloc(len);
-
-	if (RSA_padding_add_PKCS1_type_1(padded, len, (u_char *)from, flen) <= 0) {
-		error("RSA_padding_add_PKCS1_type_1 failed");
-		goto err;
-	}
-	sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, padded, len, to, &sw);
-	if (sw == 0x6982) {
-		if (try_AUT0() < 0)
-			goto err;
-		sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, padded, len, to, &sw);
-	}
-	if (!sectok_swOK(sw)) {
-		error("sc_private_encrypt: INS_DECRYPT failed: %s",
-		    sectok_get_sw(sw));
-		goto err;
-	}
-err:
-	if (padded)
-		xfree(padded);
-	sc_close();
-	return (len >= 0 ? len : status);
-}
-
-/* called on free */
-
-static int (*orig_finish)(RSA *rsa) = NULL;
-
-static int
-sc_finish(RSA *rsa)
-{
-	if (orig_finish)
-		orig_finish(rsa);
-	sc_close();
-	return 1;
-}
-
-/* engine for overloading private key operations */
-
-static RSA_METHOD *
-sc_get_rsa_method(void)
-{
-	static RSA_METHOD smart_rsa;
-	const RSA_METHOD *def = RSA_get_default_method();
-
-	/* use the OpenSSL version */
-	memcpy(&smart_rsa, def, sizeof(smart_rsa));
-
-	smart_rsa.name		= "sectok";
-
-	/* overload */
-	smart_rsa.rsa_priv_enc	= sc_private_encrypt;
-	smart_rsa.rsa_priv_dec	= sc_private_decrypt;
-
-	/* save original */
-	orig_finish		= def->finish;
-	smart_rsa.finish	= sc_finish;
-
-	return &smart_rsa;
-}
-
-#ifdef USE_ENGINE
-static ENGINE *
-sc_get_engine(void)
-{
-	static ENGINE *smart_engine = NULL;
-
-	if ((smart_engine = ENGINE_new()) == NULL)
-		fatal("ENGINE_new failed");
-
-	ENGINE_set_id(smart_engine, "sectok");
-	ENGINE_set_name(smart_engine, "libsectok");
-
-	ENGINE_set_RSA(smart_engine, sc_get_rsa_method());
-	ENGINE_set_DSA(smart_engine, DSA_get_default_openssl_method());
-	ENGINE_set_DH(smart_engine, DH_get_default_openssl_method());
-	ENGINE_set_RAND(smart_engine, RAND_SSLeay());
-	ENGINE_set_BN_mod_exp(smart_engine, BN_mod_exp);
-
-	return smart_engine;
-}
-#endif
-
-void
-sc_close(void)
-{
-	if (sc_fd >= 0) {
-		sectok_close(sc_fd);
-		sc_fd = -1;
-	}
-}
-
-Key **
-sc_get_keys(const char *id, const char *pin)
-{
-	Key *k, *n, **keys;
-	int status, nkeys = 2;
-
-	if (sc_reader_id != NULL)
-		xfree(sc_reader_id);
-	sc_reader_id = xstrdup(id);
-
-	if (sc_pin != NULL)
-		xfree(sc_pin);
-	sc_pin = (pin == NULL) ? NULL : xstrdup(pin);
-
-	k = key_new(KEY_RSA);
-	if (k == NULL) {
-		return NULL;
-	}
-	status = sc_read_pubkey(k);
-	if (status == SCARD_ERROR_NOCARD) {
-		key_free(k);
-		return NULL;
-	}
-	if (status < 0) {
-		error("sc_read_pubkey failed");
-		key_free(k);
-		return NULL;
-	}
-	keys = xcalloc((nkeys+1), sizeof(Key *));
-
-	n = key_new(KEY_RSA1);
-	if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) ||
-	    (BN_copy(n->rsa->e, k->rsa->e) == NULL))
-		fatal("sc_get_keys: BN_copy failed");
-	RSA_set_method(n->rsa, sc_get_rsa());
-	n->flags |= KEY_FLAG_EXT;
-	keys[0] = n;
-
-	n = key_new(KEY_RSA);
-	if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) ||
-	    (BN_copy(n->rsa->e, k->rsa->e) == NULL))
-		fatal("sc_get_keys: BN_copy failed");
-	RSA_set_method(n->rsa, sc_get_rsa());
-	n->flags |= KEY_FLAG_EXT;
-	keys[1] = n;
-
-	keys[2] = NULL;
-
-	key_free(k);
-	return keys;
-}
-
-#define NUM_RSA_KEY_ELEMENTS 5+1
-#define COPY_RSA_KEY(x, i) \
-	do { \
-		len = BN_num_bytes(prv->rsa->x); \
-		elements[i] = xmalloc(len); \
-		debug("#bytes %d", len); \
-		if (BN_bn2bin(prv->rsa->x, elements[i]) < 0) \
-			goto done; \
-	} while (0)
-
-static void
-sc_mk_digest(const char *pin, u_char *digest)
-{
-	const EVP_MD *evp_md = EVP_sha1();
-	EVP_MD_CTX md;
-
-	EVP_DigestInit(&md, evp_md);
-	EVP_DigestUpdate(&md, pin, strlen(pin));
-	EVP_DigestFinal(&md, digest, NULL);
-}
-
-static int
-get_AUT0(u_char *aut0)
-{
-	char *pass;
-
-	pass = read_passphrase("Enter passphrase for smartcard: ", RP_ALLOW_STDIN);
-	if (pass == NULL)
-		return -1;
-	if (!strcmp(pass, "-")) {
-		memcpy(aut0, DEFAUT0, sizeof DEFAUT0);
-		return 0;
-	}
-	sc_mk_digest(pass, aut0);
-	memset(pass, 0, strlen(pass));
-	xfree(pass);
-	return 0;
-}
-
-static int
-try_AUT0(void)
-{
-	u_char aut0[EVP_MAX_MD_SIZE];
-
-	/* permission denied; try PIN if provided */
-	if (sc_pin && strlen(sc_pin) > 0) {
-		sc_mk_digest(sc_pin, aut0);
-		if (cyberflex_verify_AUT0(sc_fd, cla, aut0, 8) < 0) {
-			error("smartcard passphrase incorrect");
-			return (-1);
-		}
-	} else {
-		/* try default AUT0 key */
-		if (cyberflex_verify_AUT0(sc_fd, cla, DEFAUT0, 8) < 0) {
-			/* default AUT0 key failed; prompt for passphrase */
-			if (get_AUT0(aut0) < 0 ||
-			    cyberflex_verify_AUT0(sc_fd, cla, aut0, 8) < 0) {
-				error("smartcard passphrase incorrect");
-				return (-1);
-			}
-		}
-	}
-	return (0);
-}
-
-int
-sc_put_key(Key *prv, const char *id)
-{
-	u_char *elements[NUM_RSA_KEY_ELEMENTS];
-	u_char key_fid[2];
-	u_char AUT0[EVP_MAX_MD_SIZE];
-	int len, status = -1, i, fd = -1, ret;
-	int sw = 0, cla = 0x00;
-
-	for (i = 0; i < NUM_RSA_KEY_ELEMENTS; i++)
-		elements[i] = NULL;
-
-	COPY_RSA_KEY(q, 0);
-	COPY_RSA_KEY(p, 1);
-	COPY_RSA_KEY(iqmp, 2);
-	COPY_RSA_KEY(dmq1, 3);
-	COPY_RSA_KEY(dmp1, 4);
-	COPY_RSA_KEY(n, 5);
-	len = BN_num_bytes(prv->rsa->n);
-	fd = sectok_friendly_open(id, STONOWAIT, &sw);
-	if (fd < 0) {
-		error("sectok_open failed: %s", sectok_get_sw(sw));
-		goto done;
-	}
-	if (! sectok_cardpresent(fd)) {
-		error("smartcard in reader %s not present", id);
-		goto done;
-	}
-	ret = sectok_reset(fd, 0, NULL, &sw);
-	if (ret <= 0) {
-		error("sectok_reset failed: %s", sectok_get_sw(sw));
-		goto done;
-	}
-	if ((cla = cyberflex_inq_class(fd)) < 0) {
-		error("cyberflex_inq_class failed");
-		goto done;
-	}
-	memcpy(AUT0, DEFAUT0, sizeof(DEFAUT0));
-	if (cyberflex_verify_AUT0(fd, cla, AUT0, sizeof(DEFAUT0)) < 0) {
-		if (get_AUT0(AUT0) < 0 ||
-		    cyberflex_verify_AUT0(fd, cla, AUT0, sizeof(DEFAUT0)) < 0) {
-			memset(AUT0, 0, sizeof(DEFAUT0));
-			error("smartcard passphrase incorrect");
-			goto done;
-		}
-	}
-	memset(AUT0, 0, sizeof(DEFAUT0));
-	key_fid[0] = 0x00;
-	key_fid[1] = 0x12;
-	if (cyberflex_load_rsa_priv(fd, cla, key_fid, 5, 8*len, elements,
-	    &sw) < 0) {
-		error("cyberflex_load_rsa_priv failed: %s", sectok_get_sw(sw));
-		goto done;
-	}
-	if (!sectok_swOK(sw))
-		goto done;
-	logit("cyberflex_load_rsa_priv done");
-	key_fid[0] = 0x73;
-	key_fid[1] = 0x68;
-	if (cyberflex_load_rsa_pub(fd, cla, key_fid, len, elements[5],
-	    &sw) < 0) {
-		error("cyberflex_load_rsa_pub failed: %s", sectok_get_sw(sw));
-		goto done;
-	}
-	if (!sectok_swOK(sw))
-		goto done;
-	logit("cyberflex_load_rsa_pub done");
-	status = 0;
-
-done:
-	memset(elements[0], '\0', BN_num_bytes(prv->rsa->q));
-	memset(elements[1], '\0', BN_num_bytes(prv->rsa->p));
-	memset(elements[2], '\0', BN_num_bytes(prv->rsa->iqmp));
-	memset(elements[3], '\0', BN_num_bytes(prv->rsa->dmq1));
-	memset(elements[4], '\0', BN_num_bytes(prv->rsa->dmp1));
-	memset(elements[5], '\0', BN_num_bytes(prv->rsa->n));
-
-	for (i = 0; i < NUM_RSA_KEY_ELEMENTS; i++)
-		if (elements[i])
-			xfree(elements[i]);
-	if (fd != -1)
-		sectok_close(fd);
-	return (status);
-}
-
-char *
-sc_get_key_label(Key *key)
-{
-	return xstrdup("smartcard key");
-}
-
-#endif /* SMARTCARD && USE_SECTOK */
diff --git a/crypto/openssh/scard.h b/crypto/openssh/scard.h
deleted file mode 100644
index 82efe48..0000000
--- a/crypto/openssh/scard.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/* $OpenBSD: scard.h,v 1.14 2006/08/03 03:34:42 deraadt Exp $ */
-
-/*
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef SCARD_H
-#define SCARD_H
-
-#define SCARD_ERROR_FAIL	-1
-#define SCARD_ERROR_NOCARD	-2
-#define SCARD_ERROR_APPLET	-3
-
-Key	**sc_get_keys(const char *, const char *);
-void	 sc_close(void);
-int	 sc_put_key(Key *, const char *);
-char	*sc_get_key_label(Key *);
-
-#endif
diff --git a/crypto/openssh/scard/Makefile b/crypto/openssh/scard/Makefile
deleted file mode 100644
index 1cf7bbd..0000000
--- a/crypto/openssh/scard/Makefile
+++ /dev/null
@@ -1,20 +0,0 @@
-#	$OpenBSD: Makefile,v 1.2 2001/06/29 07:02:09 markus Exp $
-
-.PATH:		${.CURDIR}/..
-
-CARDLET=	Ssh.bin
-DATADIR=	/usr/libdata/ssh
-
-all: ${CARDLET}
-
-clean:
-	rm -f ${CARDLET}
-
-install: ${CARDLET}
-	install -c -m ${LIBMODE} -o ${LIBOWN} -g ${LIBGRP} \
-	    ${CARDLET} ${DESTDIR}${DATADIR}
-
-Ssh.bin: ${.CURDIR}/Ssh.bin.uu
-	uudecode ${.CURDIR}/$@.uu
-
-.include <bsd.prog.mk>
diff --git a/crypto/openssh/scard/Makefile.in b/crypto/openssh/scard/Makefile.in
deleted file mode 100644
index 8519e20..0000000
--- a/crypto/openssh/scard/Makefile.in
+++ /dev/null
@@ -1,29 +0,0 @@
-# $Id: Makefile.in,v 1.5 2006/10/23 21:44:47 tim Exp $
-
-prefix=@prefix@
-datadir=@datadir@
-datarootdir=@datarootdir@
-srcdir=@srcdir@
-top_srcdir=@top_srcdir@
-
-INSTALL=@INSTALL@
-
-VPATH=@srcdir@
-
-all:
-
-#Ssh.bin:  Ssh.bin.uu
-#	uudecode Ssh.bin.uu
-
-clean:
-#	rm -rf Ssh.bin
-
-distprep:
-	uudecode Ssh.bin.uu
-
-distclean: clean
-	rm -f Makefile *~
-
-install: $(srcdir)/Ssh.bin
-	$(top_srcdir)/mkinstalldirs $(DESTDIR)$(datadir)
-	$(INSTALL) -m 0644 $(srcdir)/Ssh.bin $(DESTDIR)$(datadir)/Ssh.bin
diff --git a/crypto/openssh/scard/Ssh.bin b/crypto/openssh/scard/Ssh.bin
deleted file mode 100644
index edbadc6..0000000
--- a/crypto/openssh/scard/Ssh.bin
+++ /dev/null
diff --git a/crypto/openssh/scard/Ssh.bin.uu b/crypto/openssh/scard/Ssh.bin.uu
deleted file mode 100644
index ea3986a..0000000
--- a/crypto/openssh/scard/Ssh.bin.uu
+++ /dev/null
@@ -1,17 +0,0 @@
-begin 644 Ssh.bin
-M`P)!&P`801X`>``!`E@"`/Y@\`4`_J'P!0!!&T$=`?Z@\`4`01M!'`'^>/,!
-M`4$;01X!_G#S%P'^0],1`?Y@\!0`_G/S'0#^<]4``D$;L`4`_F'3``#^8=,%
-M`/ZAT`$!_J#0)P'^H],*`?ZCTPD`_G/5"P7^8=,'`OZAT`H`_J#0$@3^:-,@
-M`T$;`P`%`/Y@`<P``$$<\@\``$$=\B$``$$>\A```/`0__(%`@8!`0H``&``
-M0205!!D)I$L`"0J0`&``*!4$&58``````.P````%____P````.D````0````
-M,P```"````#'````,````(T````R````V!4#&0A*``D*;@!@`"@5!QD*`/\]
-M(6``1A)*``D*9P!@`"@*/P!@`$LK"1)@`$LK!6``4!P$#00#2@`.#01@`%5@
-M`%I@`"@37``>%0@2%0A>`%\($F``9%(`:`H_`&``2RL*<VA@`$LK8`!I"1`U
-M(14#`Q)@`&X<!`T$`TL`"P,28`!D4@`.#01@`%5@`%I@`"A2`"X5`PH$`&``
-M<RL#!6``9%(`'14#"@$"8`!S*P,%8`!D4@`,4@`)"FT`8``H60``\`+_\@$!
-M`0D`"```"I``8``H60#P$__R`0$""0`,``!B01LM7P`\*UD```#P$O_V`0$#
-M`0`8```37``>7@`R10`/$UP`'@H`R`D07@`W!%>P!?_R`0$$`@`\```37P``
-M$V+^H2U?``5=``H38OZ@+5\`#UT`%!-B_G@M"@0`7P`970`>"@0`8``C10`)
-/"F<`8``H$UX`+5D`````
-`
-end
diff --git a/crypto/openssh/scard/Ssh.java b/crypto/openssh/scard/Ssh.java
deleted file mode 100644
index 6418957..0000000
--- a/crypto/openssh/scard/Ssh.java
+++ /dev/null
@@ -1,164 +0,0 @@
-// $Id: Ssh.java,v 1.3 2002/05/22 04:24:02 djm Exp $
-//
-// Ssh.java
-// SSH / smartcard integration project, smartcard side
-//
-// Tomoko Fukuzawa, created, Feb., 2000
-//
-// Naomaru Itoi, modified, Apr., 2000
-//
-
-// copyright 2000
-// the regents of the university of michigan
-// all rights reserved
-//
-// permission is granted to use, copy, create derivative works
-// and redistribute this software and such derivative works
-// for any purpose, so long as the name of the university of
-// michigan is not used in any advertising or publicity
-// pertaining to the use or distribution of this software
-// without specific, written prior authorization.  if the
-// above copyright notice or any other identification of the
-// university of michigan is included in any copy of any
-// portion of this software, then the disclaimer below must
-// also be included.
-//
-// this software is provided as is, without representation
-// from the university of michigan as to its fitness for any
-// purpose, and without warranty by the university of
-// michigan of any kind, either express or implied, including
-// without limitation the implied warranties of
-// merchantability and fitness for a particular purpose. the
-// regents of the university of michigan shall not be liable
-// for any damages, including special, indirect, incidental, or
-// consequential damages, with respect to any claim arising
-// out of or in connection with the use of the software, even
-// if it has been or is hereafter advised of the possibility of
-// such damages.
-
-import javacard.framework.*;
-import javacardx.framework.*;
-import javacardx.crypto.*;
-
-public class Ssh extends javacard.framework.Applet
-{
-    // Change this when the applet changes; hi byte is major, low byte is minor
-    static final short applet_version = (short)0x0102;
-
-    /* constants declaration */
-    // code of CLA byte in the command APDU header
-    static final byte Ssh_CLA =(byte)0x05;
-
-    // codes of INS byte in the command APDU header
-    static final byte DECRYPT = (byte) 0x10;
-    static final byte GET_KEYLENGTH = (byte) 0x20;
-    static final byte GET_PUBKEY = (byte) 0x30;
-    static final byte GET_VERSION = (byte) 0x32;
-    static final byte GET_RESPONSE = (byte) 0xc0;
-
-    static final short keysize = 1024;
-    static final short root_fid = (short)0x3f00;
-    static final short privkey_fid = (short)0x0012;
-    static final short pubkey_fid = (short)(('s'<<8)|'h');
-
-    /* instance variables declaration */
-    AsymKey rsakey;
-    CyberflexFile file;
-    CyberflexOS os;
-
-    private Ssh()
-    {
-	file = new CyberflexFile();
-	os = new CyberflexOS();
-
-	rsakey = new RSA_CRT_PrivateKey (keysize);
-
-	if ( ! rsakey.isSupportedLength (keysize) )
-	    ISOException.throwIt (ISO.SW_WRONG_LENGTH);
-
-	register();
-    } // end of the constructor
-
-    public boolean select() {
-	if (!rsakey.isInitialized())
-	    rsakey.setKeyInstance ((short)0xc8, (short)0x10);
-
-	return true;
-    }
-
-    public static void install(APDU apdu)
-    {
-	new Ssh();	// create a Ssh applet instance (card)
-    } // end of install method
-
-    public static void main(String args[]) {
-	ISOException.throwIt((short) 0x9000);
-    }
-
-    public void process(APDU apdu)
-    {
-	// APDU object carries a byte array (buffer) to
-	// transfer incoming and outgoing APDU header
-	// and data bytes between card and CAD
-	byte buffer[] = apdu.getBuffer();
-	short size, st;
-
-	// verify that if the applet can accept this
-	// APDU message
-	// NI: change suggested by Wayne Dyksen, Purdue
-	if (buffer[ISO.OFFSET_INS] == ISO.INS_SELECT)
-	    ISOException.throwIt(ISO.SW_NO_ERROR);
-
-	switch (buffer[ISO.OFFSET_INS]) {
-	case DECRYPT:
-	    if (buffer[ISO.OFFSET_CLA] != Ssh_CLA)
-		ISOException.throwIt(ISO.SW_CLA_NOT_SUPPORTED);
-	    //decrypt (apdu);
-	    size = (short) (buffer[ISO.OFFSET_LC] & 0x00FF);
-
-	    if (apdu.setIncomingAndReceive() != size)
-		ISOException.throwIt (ISO.SW_WRONG_LENGTH);
-
-	    // check access; depends on bit 2 (x/a)
-	    file.selectFile(root_fid);
-	    file.selectFile(privkey_fid);
-	    st = os.checkAccess(ACL.EXECUTE);
-	    if (st != ST.ACCESS_CLEARED) {
-		CyberflexAPDU.prepareSW1SW2(st);
-		ISOException.throwIt(CyberflexAPDU.getSW1SW2());
-	    }
-
-	    rsakey.cryptoUpdate (buffer, (short) ISO.OFFSET_CDATA, size,
-				 buffer, (short) ISO.OFFSET_CDATA);
-
-	    apdu.setOutgoingAndSend ((short) ISO.OFFSET_CDATA, size);
-	    break;
-	case GET_PUBKEY:
-	    file.selectFile(root_fid); // select root
-	    file.selectFile(pubkey_fid); // select public key file
-	    size = (short)(file.getFileSize() - 16);
-	    st = os.readBinaryFile(buffer, (short)0, (short)0, size);
-	    if (st == ST.SUCCESS)
-		apdu.setOutgoingAndSend((short)0, size);
-	    else {
-		CyberflexAPDU.prepareSW1SW2(st);
-		ISOException.throwIt(CyberflexAPDU.getSW1SW2());
-	    }
-	    break;
-	case GET_KEYLENGTH:
-	    Util.setShort(buffer, (short)0, keysize);
-	    apdu.setOutgoingAndSend ((short)0, (short)2);
-	    break;
-	case GET_VERSION:
-	    Util.setShort(buffer, (short)0, applet_version);
-	    apdu.setOutgoingAndSend ((short)0, (short)2);
-	    break;
-	case GET_RESPONSE:
-	    break;
-	default:
-	    ISOException.throwIt (ISO.SW_INS_NOT_SUPPORTED);
-	}
-
-    } // end of process method
-
-} // end of class Ssh
diff --git a/crypto/openssh/scp-common.c b/crypto/openssh/scp-common.c
deleted file mode 100644
index 7e5f09c..0000000
--- a/crypto/openssh/scp-common.c
+++ /dev/null
@@ -1,98 +0,0 @@
-/*
- * Copyright (c) 1999 Theo de Raadt.  All rights reserved.
- * Copyright (c) 1999 Aaron Campbell.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Parts from:
- *
- * Copyright (c) 1983, 1990, 1992, 1993, 1995
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: scp-common.c,v 1.1 2001/04/16 02:31:43 mouring Exp $");
-
-char *
-cleanhostname(host)
-	char *host;
-{
-	if (*host == '[' && host[strlen(host) - 1] == ']') {
-		host[strlen(host) - 1] = '\0';
-		return (host + 1);
-	} else
-		return host;
-}
-
-char *
-colon(cp)
-	char *cp;
-{
-	int flag = 0;
-
-	if (*cp == ':')		/* Leading colon is part of file name. */
-		return (0);
-	if (*cp == '[')
-		flag = 1;
-
-	for (; *cp; ++cp) {
-		if (*cp == '@' && *(cp+1) == '[')
-			flag = 1;
-		if (*cp == ']' && *(cp+1) == ':' && flag)
-			return (cp+1);
-		if (*cp == ':' && !flag)
-			return (cp);
-		if (*cp == '/')
-			return (0);
-	}
-	return (0);
-}
diff --git a/crypto/openssh/scp-common.h b/crypto/openssh/scp-common.h
deleted file mode 100644
index e0ab6ec..0000000
--- a/crypto/openssh/scp-common.h
+++ /dev/null
@@ -1,64 +0,0 @@
-/* $OpenBSD: scp-common.h,v 1.1 2001/04/16 02:31:43 mouring Exp $ */
-/*
- * Copyright (c) 1999 Theo de Raadt.  All rights reserved.
- * Copyright (c) 1999 Aaron Campbell.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Parts from:
- *
- * Copyright (c) 1983, 1990, 1992, 1993, 1995
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- */
-
-char *cleanhostname(char *host);
-char *colon(char *cp);
diff --git a/crypto/openssh/scp.1 b/crypto/openssh/scp.1
deleted file mode 100644
index 43662ab..0000000
--- a/crypto/openssh/scp.1
+++ /dev/null
@@ -1,220 +0,0 @@
-.\"  -*- nroff -*-
-.\"
-.\" scp.1
-.\"
-.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
-.\"
-.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
-.\"                    All rights reserved
-.\"
-.\" Created: Sun May  7 00:14:37 1995 ylo
-.\"
-.\" $OpenBSD: scp.1,v 1.40 2006/07/18 07:56:28 jmc Exp $
-.\"
-.Dd September 25, 1999
-.Dt SCP 1
-.Os
-.Sh NAME
-.Nm scp
-.Nd secure copy (remote file copy program)
-.Sh SYNOPSIS
-.Nm scp
-.Bk -words
-.Op Fl 1246BCpqrv
-.Op Fl c Ar cipher
-.Op Fl F Ar ssh_config
-.Op Fl i Ar identity_file
-.Op Fl l Ar limit
-.Op Fl o Ar ssh_option
-.Op Fl P Ar port
-.Op Fl S Ar program
-.Sm off
-.Oo
-.Op Ar user No @
-.Ar host1 No :
-.Oc Ns Ar file1
-.Sm on
-.Op Ar ...
-.Sm off
-.Oo
-.Op Ar user No @
-.Ar host2 No :
-.Oc Ar file2
-.Sm on
-.Ek
-.Sh DESCRIPTION
-.Nm
-copies files between hosts on a network.
-It uses
-.Xr ssh 1
-for data transfer, and uses the same authentication and provides the
-same security as
-.Xr ssh 1 .
-Unlike
-.Xr rcp 1 ,
-.Nm
-will ask for passwords or passphrases if they are needed for
-authentication.
-.Pp
-Any file name may contain a host and user specification to indicate
-that the file is to be copied to/from that host.
-Copies between two remote hosts are permitted.
-.Pp
-The options are as follows:
-.Bl -tag -width Ds
-.It Fl 1
-Forces
-.Nm
-to use protocol 1.
-.It Fl 2
-Forces
-.Nm
-to use protocol 2.
-.It Fl 4
-Forces
-.Nm
-to use IPv4 addresses only.
-.It Fl 6
-Forces
-.Nm
-to use IPv6 addresses only.
-.It Fl B
-Selects batch mode (prevents asking for passwords or passphrases).
-.It Fl C
-Compression enable.
-Passes the
-.Fl C
-flag to
-.Xr ssh 1
-to enable compression.
-.It Fl c Ar cipher
-Selects the cipher to use for encrypting the data transfer.
-This option is directly passed to
-.Xr ssh 1 .
-.It Fl F Ar ssh_config
-Specifies an alternative
-per-user configuration file for
-.Nm ssh .
-This option is directly passed to
-.Xr ssh 1 .
-.It Fl i Ar identity_file
-Selects the file from which the identity (private key) for RSA
-authentication is read.
-This option is directly passed to
-.Xr ssh 1 .
-.It Fl l Ar limit
-Limits the used bandwidth, specified in Kbit/s.
-.It Fl o Ar ssh_option
-Can be used to pass options to
-.Nm ssh
-in the format used in
-.Xr ssh_config 5 .
-This is useful for specifying options
-for which there is no separate
-.Nm scp
-command-line flag.
-For full details of the options listed below, and their possible values, see
-.Xr ssh_config 5 .
-.Pp
-.Bl -tag -width Ds -offset indent -compact
-.It AddressFamily
-.It BatchMode
-.It BindAddress
-.It ChallengeResponseAuthentication
-.It CheckHostIP
-.It Cipher
-.It Ciphers
-.It Compression
-.It CompressionLevel
-.It ConnectionAttempts
-.It ConnectTimeout
-.It ControlMaster
-.It ControlPath
-.It GlobalKnownHostsFile
-.It GSSAPIAuthentication
-.It GSSAPIDelegateCredentials
-.It HashKnownHosts
-.It Host
-.It HostbasedAuthentication
-.It HostKeyAlgorithms
-.It HostKeyAlias
-.It HostName
-.It IdentityFile
-.It IdentitiesOnly
-.It KbdInteractiveDevices
-.It LogLevel
-.It MACs
-.It NoHostAuthenticationForLocalhost
-.It NumberOfPasswordPrompts
-.It PasswordAuthentication
-.It Port
-.It PreferredAuthentications
-.It Protocol
-.It ProxyCommand
-.It PubkeyAuthentication
-.It RekeyLimit
-.It RhostsRSAAuthentication
-.It RSAAuthentication
-.It SendEnv
-.It ServerAliveInterval
-.It ServerAliveCountMax
-.It SmartcardDevice
-.It StrictHostKeyChecking
-.It TCPKeepAlive
-.It UsePrivilegedPort
-.It User
-.It UserKnownHostsFile
-.It VerifyHostKeyDNS
-.El
-.It Fl P Ar port
-Specifies the port to connect to on the remote host.
-Note that this option is written with a capital
-.Sq P ,
-because
-.Fl p
-is already reserved for preserving the times and modes of the file in
-.Xr rcp 1 .
-.It Fl p
-Preserves modification times, access times, and modes from the
-original file.
-.It Fl q
-Disables the progress meter.
-.It Fl r
-Recursively copy entire directories.
-.It Fl S Ar program
-Name of
-.Ar program
-to use for the encrypted connection.
-The program must understand
-.Xr ssh 1
-options.
-.It Fl v
-Verbose mode.
-Causes
-.Nm
-and
-.Xr ssh 1
-to print debugging messages about their progress.
-This is helpful in
-debugging connection, authentication, and configuration problems.
-.El
-.Pp
-.Ex -std scp
-.Sh SEE ALSO
-.Xr rcp 1 ,
-.Xr sftp 1 ,
-.Xr ssh 1 ,
-.Xr ssh-add 1 ,
-.Xr ssh-agent 1 ,
-.Xr ssh-keygen 1 ,
-.Xr ssh_config 5 ,
-.Xr sshd 8
-.Sh HISTORY
-.Nm
-is based on the
-.Xr rcp 1
-program in BSD source code from the Regents of the University of
-California.
-.Sh AUTHORS
-.An Timo Rinne Aq tri@iki.fi
-.An Tatu Ylonen Aq ylo@cs.hut.fi
diff --git a/crypto/openssh/scp.c b/crypto/openssh/scp.c
deleted file mode 100644
index 56a3e79..0000000
--- a/crypto/openssh/scp.c
+++ /dev/null
@@ -1,1229 +0,0 @@
-/* $OpenBSD: scp.c,v 1.155 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * scp - secure remote copy.  This is basically patched BSD rcp which
- * uses ssh to do the data transfer (instead of using rcmd).
- *
- * NOTE: This version should NOT be suid root.  (This uses ssh to
- * do the transfer and ssh has the necessary privileges.)
- *
- * 1995 Timo Rinne <tri@iki.fi>, Tatu Ylonen <ylo@cs.hut.fi>
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-/*
- * Copyright (c) 1999 Theo de Raadt.  All rights reserved.
- * Copyright (c) 1999 Aaron Campbell.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Parts from:
- *
- * Copyright (c) 1983, 1990, 1992, 1993, 1995
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#ifdef HAVE_SYS_STAT_H
-# include <sys/stat.h>
-#endif
-#ifdef HAVE_SYS_TIME_H
-# include <sys/time.h>
-#endif
-#include <sys/wait.h>
-#include <sys/uio.h>
-
-#include <ctype.h>
-#include <dirent.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <pwd.h>
-#include <signal.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-#include <unistd.h>
-
-#include "xmalloc.h"
-#include "atomicio.h"
-#include "pathnames.h"
-#include "log.h"
-#include "misc.h"
-#include "progressmeter.h"
-
-extern char *__progname;
-
-int do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout);
-
-void bwlimit(int);
-
-/* Struct for addargs */
-arglist args;
-
-/* Bandwidth limit */
-off_t limit_rate = 0;
-
-/* Name of current file being transferred. */
-char *curfile;
-
-/* This is set to non-zero to enable verbose mode. */
-int verbose_mode = 0;
-
-/* This is set to zero if the progressmeter is not desired. */
-int showprogress = 1;
-
-/* This is the program to execute for the secured connection. ("ssh" or -S) */
-char *ssh_program = _PATH_SSH_PROGRAM;
-
-/* This is used to store the pid of ssh_program */
-pid_t do_cmd_pid = -1;
-
-static void
-killchild(int signo)
-{
-	if (do_cmd_pid > 1) {
-		kill(do_cmd_pid, signo ? signo : SIGTERM);
-		waitpid(do_cmd_pid, NULL, 0);
-	}
-
-	if (signo)
-		_exit(1);
-	exit(1);
-}
-
-static int
-do_local_cmd(arglist *a)
-{
-	u_int i;
-	int status;
-	pid_t pid;
-
-	if (a->num == 0)
-		fatal("do_local_cmd: no arguments");
-
-	if (verbose_mode) {
-		fprintf(stderr, "Executing:");
-		for (i = 0; i < a->num; i++)
-			fprintf(stderr, " %s", a->list[i]);
-		fprintf(stderr, "\n");
-	}
-	if ((pid = fork()) == -1)
-		fatal("do_local_cmd: fork: %s", strerror(errno));
-
-	if (pid == 0) {
-		execvp(a->list[0], a->list);
-		perror(a->list[0]);
-		exit(1);
-	}
-
-	do_cmd_pid = pid;
-	signal(SIGTERM, killchild);
-	signal(SIGINT, killchild);
-	signal(SIGHUP, killchild);
-
-	while (waitpid(pid, &status, 0) == -1)
-		if (errno != EINTR)
-			fatal("do_local_cmd: waitpid: %s", strerror(errno));
-
-	do_cmd_pid = -1;
-
-	if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
-		return (-1);
-
-	return (0);
-}
-
-/*
- * This function executes the given command as the specified user on the
- * given host.  This returns < 0 if execution fails, and >= 0 otherwise. This
- * assigns the input and output file descriptors on success.
- */
-
-int
-do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout)
-{
-	int pin[2], pout[2], reserved[2];
-
-	if (verbose_mode)
-		fprintf(stderr,
-		    "Executing: program %s host %s, user %s, command %s\n",
-		    ssh_program, host,
-		    remuser ? remuser : "(unspecified)", cmd);
-
-	/*
-	 * Reserve two descriptors so that the real pipes won't get
-	 * descriptors 0 and 1 because that will screw up dup2 below.
-	 */
-	if (pipe(reserved) < 0)
-		fatal("pipe: %s", strerror(errno));
-
-	/* Create a socket pair for communicating with ssh. */
-	if (pipe(pin) < 0)
-		fatal("pipe: %s", strerror(errno));
-	if (pipe(pout) < 0)
-		fatal("pipe: %s", strerror(errno));
-
-	/* Free the reserved descriptors. */
-	close(reserved[0]);
-	close(reserved[1]);
-
-	/* Fork a child to execute the command on the remote host using ssh. */
-	do_cmd_pid = fork();
-	if (do_cmd_pid == 0) {
-		/* Child. */
-		close(pin[1]);
-		close(pout[0]);
-		dup2(pin[0], 0);
-		dup2(pout[1], 1);
-		close(pin[0]);
-		close(pout[1]);
-
-		replacearg(&args, 0, "%s", ssh_program);
-		if (remuser != NULL)
-			addargs(&args, "-l%s", remuser);
-		addargs(&args, "%s", host);
-		addargs(&args, "%s", cmd);
-
-		execvp(ssh_program, args.list);
-		perror(ssh_program);
-		exit(1);
-	} else if (do_cmd_pid == -1) {
-		fatal("fork: %s", strerror(errno));
-	}
-	/* Parent.  Close the other side, and return the local side. */
-	close(pin[0]);
-	*fdout = pin[1];
-	close(pout[1]);
-	*fdin = pout[0];
-	signal(SIGTERM, killchild);
-	signal(SIGINT, killchild);
-	signal(SIGHUP, killchild);
-	return 0;
-}
-
-typedef struct {
-	size_t cnt;
-	char *buf;
-} BUF;
-
-BUF *allocbuf(BUF *, int, int);
-void lostconn(int);
-int okname(char *);
-void run_err(const char *,...);
-void verifydir(char *);
-
-struct passwd *pwd;
-uid_t userid;
-int errs, remin, remout;
-int pflag, iamremote, iamrecursive, targetshouldbedirectory;
-
-#define	CMDNEEDS	64
-char cmd[CMDNEEDS];		/* must hold "rcp -r -p -d\0" */
-
-int response(void);
-void rsource(char *, struct stat *);
-void sink(int, char *[]);
-void source(int, char *[]);
-void tolocal(int, char *[]);
-void toremote(char *, int, char *[]);
-void usage(void);
-
-int
-main(int argc, char **argv)
-{
-	int ch, fflag, tflag, status, n;
-	double speed;
-	char *targ, *endp, **newargv;
-	extern char *optarg;
-	extern int optind;
-
-	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
-	sanitise_stdfd();
-
-	/* Copy argv, because we modify it */
-	newargv = xcalloc(MAX(argc + 1, 1), sizeof(*newargv));
-	for (n = 0; n < argc; n++)
-		newargv[n] = xstrdup(argv[n]);
-	argv = newargv;
-
-	__progname = ssh_get_progname(argv[0]);
-
-	memset(&args, '\0', sizeof(args));
-	args.list = NULL;
-	addargs(&args, "%s", ssh_program);
-	addargs(&args, "-x");
-	addargs(&args, "-oForwardAgent no");
-	addargs(&args, "-oPermitLocalCommand no");
-	addargs(&args, "-oClearAllForwardings yes");
-
-	fflag = tflag = 0;
-	while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q1246S:o:F:")) != -1)
-		switch (ch) {
-		/* User-visible flags. */
-		case '1':
-		case '2':
-		case '4':
-		case '6':
-		case 'C':
-			addargs(&args, "-%c", ch);
-			break;
-		case 'o':
-		case 'c':
-		case 'i':
-		case 'F':
-			addargs(&args, "-%c%s", ch, optarg);
-			break;
-		case 'P':
-			addargs(&args, "-p%s", optarg);
-			break;
-		case 'B':
-			addargs(&args, "-oBatchmode yes");
-			break;
-		case 'l':
-			speed = strtod(optarg, &endp);
-			if (speed <= 0 || *endp != '\0')
-				usage();
-			limit_rate = speed * 1024;
-			break;
-		case 'p':
-			pflag = 1;
-			break;
-		case 'r':
-			iamrecursive = 1;
-			break;
-		case 'S':
-			ssh_program = xstrdup(optarg);
-			break;
-		case 'v':
-			addargs(&args, "-v");
-			verbose_mode = 1;
-			break;
-		case 'q':
-			addargs(&args, "-q");
-			showprogress = 0;
-			break;
-
-		/* Server options. */
-		case 'd':
-			targetshouldbedirectory = 1;
-			break;
-		case 'f':	/* "from" */
-			iamremote = 1;
-			fflag = 1;
-			break;
-		case 't':	/* "to" */
-			iamremote = 1;
-			tflag = 1;
-#ifdef HAVE_CYGWIN
-			setmode(0, O_BINARY);
-#endif
-			break;
-		default:
-			usage();
-		}
-	argc -= optind;
-	argv += optind;
-
-	if ((pwd = getpwuid(userid = getuid())) == NULL)
-		fatal("unknown user %u", (u_int) userid);
-
-	if (!isatty(STDERR_FILENO))
-		showprogress = 0;
-
-	remin = STDIN_FILENO;
-	remout = STDOUT_FILENO;
-
-	if (fflag) {
-		/* Follow "protocol", send data. */
-		(void) response();
-		source(argc, argv);
-		exit(errs != 0);
-	}
-	if (tflag) {
-		/* Receive data. */
-		sink(argc, argv);
-		exit(errs != 0);
-	}
-	if (argc < 2)
-		usage();
-	if (argc > 2)
-		targetshouldbedirectory = 1;
-
-	remin = remout = -1;
-	do_cmd_pid = -1;
-	/* Command to be executed on remote system using "ssh". */
-	(void) snprintf(cmd, sizeof cmd, "scp%s%s%s%s",
-	    verbose_mode ? " -v" : "",
-	    iamrecursive ? " -r" : "", pflag ? " -p" : "",
-	    targetshouldbedirectory ? " -d" : "");
-
-	(void) signal(SIGPIPE, lostconn);
-
-	if ((targ = colon(argv[argc - 1])))	/* Dest is remote host. */
-		toremote(targ, argc, argv);
-	else {
-		if (targetshouldbedirectory)
-			verifydir(argv[argc - 1]);
-		tolocal(argc, argv);	/* Dest is local host. */
-	}
-	/*
-	 * Finally check the exit status of the ssh process, if one was forked
-	 * and no error has occured yet
-	 */
-	if (do_cmd_pid != -1 && errs == 0) {
-		if (remin != -1)
-		    (void) close(remin);
-		if (remout != -1)
-		    (void) close(remout);
-		if (waitpid(do_cmd_pid, &status, 0) == -1)
-			errs = 1;
-		else {
-			if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
-				errs = 1;
-		}
-	}
-	exit(errs != 0);
-}
-
-void
-toremote(char *targ, int argc, char **argv)
-{
-	char *bp, *host, *src, *suser, *thost, *tuser, *arg;
-	arglist alist;
-	int i;
-
-	memset(&alist, '\0', sizeof(alist));
-	alist.list = NULL;
-
-	*targ++ = 0;
-	if (*targ == 0)
-		targ = ".";
-
-	arg = xstrdup(argv[argc - 1]);
-	if ((thost = strrchr(arg, '@'))) {
-		/* user@host */
-		*thost++ = 0;
-		tuser = arg;
-		if (*tuser == '\0')
-			tuser = NULL;
-	} else {
-		thost = arg;
-		tuser = NULL;
-	}
-
-	if (tuser != NULL && !okname(tuser)) {
-		xfree(arg);
-		return;
-	}
-
-	for (i = 0; i < argc - 1; i++) {
-		src = colon(argv[i]);
-		if (src) {	/* remote to remote */
-			freeargs(&alist);
-			addargs(&alist, "%s", ssh_program);
-			if (verbose_mode)
-				addargs(&alist, "-v");
-			addargs(&alist, "-x");
-			addargs(&alist, "-oClearAllForwardings yes");
-			addargs(&alist, "-n");
-
-			*src++ = 0;
-			if (*src == 0)
-				src = ".";
-			host = strrchr(argv[i], '@');
-
-			if (host) {
-				*host++ = 0;
-				host = cleanhostname(host);
-				suser = argv[i];
-				if (*suser == '\0')
-					suser = pwd->pw_name;
-				else if (!okname(suser))
-					continue;
-				addargs(&alist, "-l");
-				addargs(&alist, "%s", suser);
-			} else {
-				host = cleanhostname(argv[i]);
-			}
-			addargs(&alist, "%s", host);
-			addargs(&alist, "%s", cmd);
-			addargs(&alist, "%s", src);
-			addargs(&alist, "%s%s%s:%s",
-			    tuser ? tuser : "", tuser ? "@" : "",
-			    thost, targ);
-			if (do_local_cmd(&alist) != 0)
-				errs = 1;
-		} else {	/* local to remote */
-			if (remin == -1) {
-				xasprintf(&bp, "%s -t %s", cmd, targ);
-				host = cleanhostname(thost);
-				if (do_cmd(host, tuser, bp, &remin,
-				    &remout) < 0)
-					exit(1);
-				if (response() < 0)
-					exit(1);
-				(void) xfree(bp);
-			}
-			source(1, argv + i);
-		}
-	}
-	xfree(arg);
-}
-
-void
-tolocal(int argc, char **argv)
-{
-	char *bp, *host, *src, *suser;
-	arglist alist;
-	int i;
-
-	memset(&alist, '\0', sizeof(alist));
-	alist.list = NULL;
-
-	for (i = 0; i < argc - 1; i++) {
-		if (!(src = colon(argv[i]))) {	/* Local to local. */
-			freeargs(&alist);
-			addargs(&alist, "%s", _PATH_CP);
-			if (iamrecursive)
-				addargs(&alist, "-r");
-			if (pflag)
-				addargs(&alist, "-p");
-			addargs(&alist, "%s", argv[i]);
-			addargs(&alist, "%s", argv[argc-1]);
-			if (do_local_cmd(&alist))
-				++errs;
-			continue;
-		}
-		*src++ = 0;
-		if (*src == 0)
-			src = ".";
-		if ((host = strrchr(argv[i], '@')) == NULL) {
-			host = argv[i];
-			suser = NULL;
-		} else {
-			*host++ = 0;
-			suser = argv[i];
-			if (*suser == '\0')
-				suser = pwd->pw_name;
-		}
-		host = cleanhostname(host);
-		xasprintf(&bp, "%s -f %s", cmd, src);
-		if (do_cmd(host, suser, bp, &remin, &remout) < 0) {
-			(void) xfree(bp);
-			++errs;
-			continue;
-		}
-		xfree(bp);
-		sink(1, argv + argc - 1);
-		(void) close(remin);
-		remin = remout = -1;
-	}
-}
-
-void
-source(int argc, char **argv)
-{
-	struct stat stb;
-	static BUF buffer;
-	BUF *bp;
-	off_t i, amt, statbytes;
-	size_t result;
-	int fd = -1, haderr, indx;
-	char *last, *name, buf[2048];
-	int len;
-
-	for (indx = 0; indx < argc; ++indx) {
-		name = argv[indx];
-		statbytes = 0;
-		len = strlen(name);
-		while (len > 1 && name[len-1] == '/')
-			name[--len] = '\0';
-		if (strchr(name, '\n') != NULL) {
-			run_err("%s: skipping, filename contains a newline",
-			    name);
-			goto next;
-		}
-		if ((fd = open(name, O_RDONLY, 0)) < 0)
-			goto syserr;
-		if (fstat(fd, &stb) < 0) {
-syserr:			run_err("%s: %s", name, strerror(errno));
-			goto next;
-		}
-		switch (stb.st_mode & S_IFMT) {
-		case S_IFREG:
-			break;
-		case S_IFDIR:
-			if (iamrecursive) {
-				rsource(name, &stb);
-				goto next;
-			}
-			/* FALLTHROUGH */
-		default:
-			run_err("%s: not a regular file", name);
-			goto next;
-		}
-		if ((last = strrchr(name, '/')) == NULL)
-			last = name;
-		else
-			++last;
-		curfile = last;
-		if (pflag) {
-			/*
-			 * Make it compatible with possible future
-			 * versions expecting microseconds.
-			 */
-			(void) snprintf(buf, sizeof buf, "T%lu 0 %lu 0\n",
-			    (u_long) stb.st_mtime,
-			    (u_long) stb.st_atime);
-			(void) atomicio(vwrite, remout, buf, strlen(buf));
-			if (response() < 0)
-				goto next;
-		}
-#define	FILEMODEMASK	(S_ISUID|S_ISGID|S_IRWXU|S_IRWXG|S_IRWXO)
-		snprintf(buf, sizeof buf, "C%04o %lld %s\n",
-		    (u_int) (stb.st_mode & FILEMODEMASK),
-		    (long long)stb.st_size, last);
-		if (verbose_mode) {
-			fprintf(stderr, "Sending file modes: %s", buf);
-		}
-		(void) atomicio(vwrite, remout, buf, strlen(buf));
-		if (response() < 0)
-			goto next;
-		if ((bp = allocbuf(&buffer, fd, 2048)) == NULL) {
-next:			if (fd != -1) {
-				(void) close(fd);
-				fd = -1;
-			}
-			continue;
-		}
-		if (showprogress)
-			start_progress_meter(curfile, stb.st_size, &statbytes);
-		/* Keep writing after an error so that we stay sync'd up. */
-		for (haderr = i = 0; i < stb.st_size; i += bp->cnt) {
-			amt = bp->cnt;
-			if (i + amt > stb.st_size)
-				amt = stb.st_size - i;
-			if (!haderr) {
-				result = atomicio(read, fd, bp->buf, amt);
-				if (result != amt)
-					haderr = errno;
-			}
-			if (haderr)
-				(void) atomicio(vwrite, remout, bp->buf, amt);
-			else {
-				result = atomicio(vwrite, remout, bp->buf, amt);
-				if (result != amt)
-					haderr = errno;
-				statbytes += result;
-			}
-			if (limit_rate)
-				bwlimit(amt);
-		}
-		if (showprogress)
-			stop_progress_meter();
-
-		if (fd != -1) {
-			if (close(fd) < 0 && !haderr)
-				haderr = errno;
-			fd = -1;
-		}
-		if (!haderr)
-			(void) atomicio(vwrite, remout, "", 1);
-		else
-			run_err("%s: %s", name, strerror(haderr));
-		(void) response();
-	}
-}
-
-void
-rsource(char *name, struct stat *statp)
-{
-	DIR *dirp;
-	struct dirent *dp;
-	char *last, *vect[1], path[1100];
-
-	if (!(dirp = opendir(name))) {
-		run_err("%s: %s", name, strerror(errno));
-		return;
-	}
-	last = strrchr(name, '/');
-	if (last == 0)
-		last = name;
-	else
-		last++;
-	if (pflag) {
-		(void) snprintf(path, sizeof(path), "T%lu 0 %lu 0\n",
-		    (u_long) statp->st_mtime,
-		    (u_long) statp->st_atime);
-		(void) atomicio(vwrite, remout, path, strlen(path));
-		if (response() < 0) {
-			closedir(dirp);
-			return;
-		}
-	}
-	(void) snprintf(path, sizeof path, "D%04o %d %.1024s\n",
-	    (u_int) (statp->st_mode & FILEMODEMASK), 0, last);
-	if (verbose_mode)
-		fprintf(stderr, "Entering directory: %s", path);
-	(void) atomicio(vwrite, remout, path, strlen(path));
-	if (response() < 0) {
-		closedir(dirp);
-		return;
-	}
-	while ((dp = readdir(dirp)) != NULL) {
-		if (dp->d_ino == 0)
-			continue;
-		if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, ".."))
-			continue;
-		if (strlen(name) + 1 + strlen(dp->d_name) >= sizeof(path) - 1) {
-			run_err("%s/%s: name too long", name, dp->d_name);
-			continue;
-		}
-		(void) snprintf(path, sizeof path, "%s/%s", name, dp->d_name);
-		vect[0] = path;
-		source(1, vect);
-	}
-	(void) closedir(dirp);
-	(void) atomicio(vwrite, remout, "E\n", 2);
-	(void) response();
-}
-
-void
-bwlimit(int amount)
-{
-	static struct timeval bwstart, bwend;
-	static int lamt, thresh = 16384;
-	u_int64_t waitlen;
-	struct timespec ts, rm;
-
-	if (!timerisset(&bwstart)) {
-		gettimeofday(&bwstart, NULL);
-		return;
-	}
-
-	lamt += amount;
-	if (lamt < thresh)
-		return;
-
-	gettimeofday(&bwend, NULL);
-	timersub(&bwend, &bwstart, &bwend);
-	if (!timerisset(&bwend))
-		return;
-
-	lamt *= 8;
-	waitlen = (double)1000000L * lamt / limit_rate;
-
-	bwstart.tv_sec = waitlen / 1000000L;
-	bwstart.tv_usec = waitlen % 1000000L;
-
-	if (timercmp(&bwstart, &bwend, >)) {
-		timersub(&bwstart, &bwend, &bwend);
-
-		/* Adjust the wait time */
-		if (bwend.tv_sec) {
-			thresh /= 2;
-			if (thresh < 2048)
-				thresh = 2048;
-		} else if (bwend.tv_usec < 100) {
-			thresh *= 2;
-			if (thresh > 32768)
-				thresh = 32768;
-		}
-
-		TIMEVAL_TO_TIMESPEC(&bwend, &ts);
-		while (nanosleep(&ts, &rm) == -1) {
-			if (errno != EINTR)
-				break;
-			ts = rm;
-		}
-	}
-
-	lamt = 0;
-	gettimeofday(&bwstart, NULL);
-}
-
-void
-sink(int argc, char **argv)
-{
-	static BUF buffer;
-	struct stat stb;
-	enum {
-		YES, NO, DISPLAYED
-	} wrerr;
-	BUF *bp;
-	off_t i;
-	size_t j, count;
-	int amt, exists, first, ofd;
-	mode_t mode, omode, mask;
-	off_t size, statbytes;
-	int setimes, targisdir, wrerrno = 0;
-	char ch, *cp, *np, *targ, *why, *vect[1], buf[2048];
-	struct timeval tv[2];
-
-#define	atime	tv[0]
-#define	mtime	tv[1]
-#define	SCREWUP(str)	{ why = str; goto screwup; }
-
-	setimes = targisdir = 0;
-	mask = umask(0);
-	if (!pflag)
-		(void) umask(mask);
-	if (argc != 1) {
-		run_err("ambiguous target");
-		exit(1);
-	}
-	targ = *argv;
-	if (targetshouldbedirectory)
-		verifydir(targ);
-
-	(void) atomicio(vwrite, remout, "", 1);
-	if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode))
-		targisdir = 1;
-	for (first = 1;; first = 0) {
-		cp = buf;
-		if (atomicio(read, remin, cp, 1) != 1)
-			return;
-		if (*cp++ == '\n')
-			SCREWUP("unexpected <newline>");
-		do {
-			if (atomicio(read, remin, &ch, sizeof(ch)) != sizeof(ch))
-				SCREWUP("lost connection");
-			*cp++ = ch;
-		} while (cp < &buf[sizeof(buf) - 1] && ch != '\n');
-		*cp = 0;
-		if (verbose_mode)
-			fprintf(stderr, "Sink: %s", buf);
-
-		if (buf[0] == '\01' || buf[0] == '\02') {
-			if (iamremote == 0)
-				(void) atomicio(vwrite, STDERR_FILENO,
-				    buf + 1, strlen(buf + 1));
-			if (buf[0] == '\02')
-				exit(1);
-			++errs;
-			continue;
-		}
-		if (buf[0] == 'E') {
-			(void) atomicio(vwrite, remout, "", 1);
-			return;
-		}
-		if (ch == '\n')
-			*--cp = 0;
-
-		cp = buf;
-		if (*cp == 'T') {
-			setimes++;
-			cp++;
-			mtime.tv_sec = strtol(cp, &cp, 10);
-			if (!cp || *cp++ != ' ')
-				SCREWUP("mtime.sec not delimited");
-			mtime.tv_usec = strtol(cp, &cp, 10);
-			if (!cp || *cp++ != ' ')
-				SCREWUP("mtime.usec not delimited");
-			atime.tv_sec = strtol(cp, &cp, 10);
-			if (!cp || *cp++ != ' ')
-				SCREWUP("atime.sec not delimited");
-			atime.tv_usec = strtol(cp, &cp, 10);
-			if (!cp || *cp++ != '\0')
-				SCREWUP("atime.usec not delimited");
-			(void) atomicio(vwrite, remout, "", 1);
-			continue;
-		}
-		if (*cp != 'C' && *cp != 'D') {
-			/*
-			 * Check for the case "rcp remote:foo\* local:bar".
-			 * In this case, the line "No match." can be returned
-			 * by the shell before the rcp command on the remote is
-			 * executed so the ^Aerror_message convention isn't
-			 * followed.
-			 */
-			if (first) {
-				run_err("%s", cp);
-				exit(1);
-			}
-			SCREWUP("expected control record");
-		}
-		mode = 0;
-		for (++cp; cp < buf + 5; cp++) {
-			if (*cp < '0' || *cp > '7')
-				SCREWUP("bad mode");
-			mode = (mode << 3) | (*cp - '0');
-		}
-		if (*cp++ != ' ')
-			SCREWUP("mode not delimited");
-
-		for (size = 0; isdigit(*cp);)
-			size = size * 10 + (*cp++ - '0');
-		if (*cp++ != ' ')
-			SCREWUP("size not delimited");
-		if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
-			run_err("error: unexpected filename: %s", cp);
-			exit(1);
-		}
-		if (targisdir) {
-			static char *namebuf;
-			static size_t cursize;
-			size_t need;
-
-			need = strlen(targ) + strlen(cp) + 250;
-			if (need > cursize) {
-				if (namebuf)
-					xfree(namebuf);
-				namebuf = xmalloc(need);
-				cursize = need;
-			}
-			(void) snprintf(namebuf, need, "%s%s%s", targ,
-			    strcmp(targ, "/") ? "/" : "", cp);
-			np = namebuf;
-		} else
-			np = targ;
-		curfile = cp;
-		exists = stat(np, &stb) == 0;
-		if (buf[0] == 'D') {
-			int mod_flag = pflag;
-			if (!iamrecursive)
-				SCREWUP("received directory without -r");
-			if (exists) {
-				if (!S_ISDIR(stb.st_mode)) {
-					errno = ENOTDIR;
-					goto bad;
-				}
-				if (pflag)
-					(void) chmod(np, mode);
-			} else {
-				/* Handle copying from a read-only
-				   directory */
-				mod_flag = 1;
-				if (mkdir(np, mode | S_IRWXU) < 0)
-					goto bad;
-			}
-			vect[0] = xstrdup(np);
-			sink(1, vect);
-			if (setimes) {
-				setimes = 0;
-				if (utimes(vect[0], tv) < 0)
-					run_err("%s: set times: %s",
-					    vect[0], strerror(errno));
-			}
-			if (mod_flag)
-				(void) chmod(vect[0], mode);
-			if (vect[0])
-				xfree(vect[0]);
-			continue;
-		}
-		omode = mode;
-		mode |= S_IWRITE;
-		if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) < 0) {
-bad:			run_err("%s: %s", np, strerror(errno));
-			continue;
-		}
-		(void) atomicio(vwrite, remout, "", 1);
-		if ((bp = allocbuf(&buffer, ofd, 4096)) == NULL) {
-			(void) close(ofd);
-			continue;
-		}
-		cp = bp->buf;
-		wrerr = NO;
-
-		statbytes = 0;
-		if (showprogress)
-			start_progress_meter(curfile, size, &statbytes);
-		for (count = i = 0; i < size; i += 4096) {
-			amt = 4096;
-			if (i + amt > size)
-				amt = size - i;
-			count += amt;
-			do {
-				j = atomicio(read, remin, cp, amt);
-				if (j == 0) {
-					run_err("%s", j ? strerror(errno) :
-					    "dropped connection");
-					exit(1);
-				}
-				amt -= j;
-				cp += j;
-				statbytes += j;
-			} while (amt > 0);
-
-			if (limit_rate)
-				bwlimit(4096);
-
-			if (count == bp->cnt) {
-				/* Keep reading so we stay sync'd up. */
-				if (wrerr == NO) {
-					if (atomicio(vwrite, ofd, bp->buf,
-					    count) != count) {
-						wrerr = YES;
-						wrerrno = errno;
-					}
-				}
-				count = 0;
-				cp = bp->buf;
-			}
-		}
-		if (showprogress)
-			stop_progress_meter();
-		if (count != 0 && wrerr == NO &&
-		    atomicio(vwrite, ofd, bp->buf, count) != count) {
-			wrerr = YES;
-			wrerrno = errno;
-		}
-		if (wrerr == NO && ftruncate(ofd, size) != 0) {
-			run_err("%s: truncate: %s", np, strerror(errno));
-			wrerr = DISPLAYED;
-		}
-		if (pflag) {
-			if (exists || omode != mode)
-#ifdef HAVE_FCHMOD
-				if (fchmod(ofd, omode)) {
-#else /* HAVE_FCHMOD */
-				if (chmod(np, omode)) {
-#endif /* HAVE_FCHMOD */
-					run_err("%s: set mode: %s",
-					    np, strerror(errno));
-					wrerr = DISPLAYED;
-				}
-		} else {
-			if (!exists && omode != mode)
-#ifdef HAVE_FCHMOD
-				if (fchmod(ofd, omode & ~mask)) {
-#else /* HAVE_FCHMOD */
-				if (chmod(np, omode & ~mask)) {
-#endif /* HAVE_FCHMOD */
-					run_err("%s: set mode: %s",
-					    np, strerror(errno));
-					wrerr = DISPLAYED;
-				}
-		}
-		if (close(ofd) == -1) {
-			wrerr = YES;
-			wrerrno = errno;
-		}
-		(void) response();
-		if (setimes && wrerr == NO) {
-			setimes = 0;
-			if (utimes(np, tv) < 0) {
-				run_err("%s: set times: %s",
-				    np, strerror(errno));
-				wrerr = DISPLAYED;
-			}
-		}
-		switch (wrerr) {
-		case YES:
-			run_err("%s: %s", np, strerror(wrerrno));
-			break;
-		case NO:
-			(void) atomicio(vwrite, remout, "", 1);
-			break;
-		case DISPLAYED:
-			break;
-		}
-	}
-screwup:
-	run_err("protocol error: %s", why);
-	exit(1);
-}
-
-int
-response(void)
-{
-	char ch, *cp, resp, rbuf[2048];
-
-	if (atomicio(read, remin, &resp, sizeof(resp)) != sizeof(resp))
-		lostconn(0);
-
-	cp = rbuf;
-	switch (resp) {
-	case 0:		/* ok */
-		return (0);
-	default:
-		*cp++ = resp;
-		/* FALLTHROUGH */
-	case 1:		/* error, followed by error msg */
-	case 2:		/* fatal error, "" */
-		do {
-			if (atomicio(read, remin, &ch, sizeof(ch)) != sizeof(ch))
-				lostconn(0);
-			*cp++ = ch;
-		} while (cp < &rbuf[sizeof(rbuf) - 1] && ch != '\n');
-
-		if (!iamremote)
-			(void) atomicio(vwrite, STDERR_FILENO, rbuf, cp - rbuf);
-		++errs;
-		if (resp == 1)
-			return (-1);
-		exit(1);
-	}
-	/* NOTREACHED */
-}
-
-void
-usage(void)
-{
-	(void) fprintf(stderr,
-	    "usage: scp [-1246BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]\n"
-	    "           [-l limit] [-o ssh_option] [-P port] [-S program]\n"
-	    "           [[user@]host1:]file1 [...] [[user@]host2:]file2\n");
-	exit(1);
-}
-
-void
-run_err(const char *fmt,...)
-{
-	static FILE *fp;
-	va_list ap;
-
-	++errs;
-	if (fp != NULL || (remout != -1 && (fp = fdopen(remout, "w")))) {
-		(void) fprintf(fp, "%c", 0x01);
-		(void) fprintf(fp, "scp: ");
-		va_start(ap, fmt);
-		(void) vfprintf(fp, fmt, ap);
-		va_end(ap);
-		(void) fprintf(fp, "\n");
-		(void) fflush(fp);
-	}
-
-	if (!iamremote) {
-		va_start(ap, fmt);
-		vfprintf(stderr, fmt, ap);
-		va_end(ap);
-		fprintf(stderr, "\n");
-	}
-}
-
-void
-verifydir(char *cp)
-{
-	struct stat stb;
-
-	if (!stat(cp, &stb)) {
-		if (S_ISDIR(stb.st_mode))
-			return;
-		errno = ENOTDIR;
-	}
-	run_err("%s: %s", cp, strerror(errno));
-	killchild(0);
-}
-
-int
-okname(char *cp0)
-{
-	int c;
-	char *cp;
-
-	cp = cp0;
-	do {
-		c = (int)*cp;
-		if (c & 0200)
-			goto bad;
-		if (!isalpha(c) && !isdigit(c)) {
-			switch (c) {
-			case '\'':
-			case '"':
-			case '`':
-			case ' ':
-			case '#':
-				goto bad;
-			default:
-				break;
-			}
-		}
-	} while (*++cp);
-	return (1);
-
-bad:	fprintf(stderr, "%s: invalid user name\n", cp0);
-	return (0);
-}
-
-BUF *
-allocbuf(BUF *bp, int fd, int blksize)
-{
-	size_t size;
-#ifdef HAVE_STRUCT_STAT_ST_BLKSIZE
-	struct stat stb;
-
-	if (fstat(fd, &stb) < 0) {
-		run_err("fstat: %s", strerror(errno));
-		return (0);
-	}
-	size = roundup(stb.st_blksize, blksize);
-	if (size == 0)
-		size = blksize;
-#else /* HAVE_STRUCT_STAT_ST_BLKSIZE */
-	size = blksize;
-#endif /* HAVE_STRUCT_STAT_ST_BLKSIZE */
-	if (bp->cnt >= size)
-		return (bp);
-	if (bp->buf == NULL)
-		bp->buf = xmalloc(size);
-	else
-		bp->buf = xrealloc(bp->buf, 1, size);
-	memset(bp->buf, 0, size);
-	bp->cnt = size;
-	return (bp);
-}
-
-void
-lostconn(int signo)
-{
-	if (!iamremote)
-		write(STDERR_FILENO, "lost connection\n", 16);
-	if (signo)
-		_exit(1);
-	else
-		exit(1);
-}
diff --git a/crypto/openssh/scp/Makefile b/crypto/openssh/scp/Makefile
deleted file mode 100644
index c8959bb..0000000
--- a/crypto/openssh/scp/Makefile
+++ /dev/null
@@ -1,15 +0,0 @@
-#	$OpenBSD: Makefile,v 1.13 2001/05/03 23:09:55 mouring Exp $
-
-.PATH:		${.CURDIR}/..
-
-PROG=	scp
-BINOWN=	root
-
-BINMODE?=555
-
-BINDIR=	/usr/bin
-MAN=	scp.1
-
-SRCS=	scp.c misc.c
-
-.include <bsd.prog.mk>
diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c
deleted file mode 100644
index 1f80de2..0000000
--- a/crypto/openssh/servconf.c
+++ /dev/null
@@ -1,1364 +0,0 @@
-/* $OpenBSD: servconf.c,v 1.165 2006/08/14 12:40:25 dtucker Exp $ */
-/*
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <netdb.h>
-#include <pwd.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <signal.h>
-#include <unistd.h>
-#include <stdarg.h>
-
-#include "xmalloc.h"
-#include "ssh.h"
-#include "log.h"
-#include "buffer.h"
-#include "servconf.h"
-#include "compat.h"
-#include "pathnames.h"
-#include "misc.h"
-#include "cipher.h"
-#include "key.h"
-#include "kex.h"
-#include "mac.h"
-#include "match.h"
-#include "channels.h"
-#include "groupaccess.h"
-
-static void add_listen_addr(ServerOptions *, char *, u_short);
-static void add_one_listen_addr(ServerOptions *, char *, u_short);
-
-/* Use of privilege separation or not */
-extern int use_privsep;
-extern Buffer cfg;
-
-/* Initializes the server options to their default values. */
-
-void
-initialize_server_options(ServerOptions *options)
-{
-	memset(options, 0, sizeof(*options));
-
-	/* Portable-specific options */
-	options->use_pam = -1;
-
-	/* Standard Options */
-	options->num_ports = 0;
-	options->ports_from_cmdline = 0;
-	options->listen_addrs = NULL;
-	options->address_family = -1;
-	options->num_host_key_files = 0;
-	options->pid_file = NULL;
-	options->server_key_bits = -1;
-	options->login_grace_time = -1;
-	options->key_regeneration_time = -1;
-	options->permit_root_login = PERMIT_NOT_SET;
-	options->ignore_rhosts = -1;
-	options->ignore_user_known_hosts = -1;
-	options->print_motd = -1;
-	options->print_lastlog = -1;
-	options->x11_forwarding = -1;
-	options->x11_display_offset = -1;
-	options->x11_use_localhost = -1;
-	options->xauth_location = NULL;
-	options->strict_modes = -1;
-	options->tcp_keep_alive = -1;
-	options->log_facility = SYSLOG_FACILITY_NOT_SET;
-	options->log_level = SYSLOG_LEVEL_NOT_SET;
-	options->rhosts_rsa_authentication = -1;
-	options->hostbased_authentication = -1;
-	options->hostbased_uses_name_from_packet_only = -1;
-	options->rsa_authentication = -1;
-	options->pubkey_authentication = -1;
-	options->kerberos_authentication = -1;
-	options->kerberos_or_local_passwd = -1;
-	options->kerberos_ticket_cleanup = -1;
-	options->kerberos_get_afs_token = -1;
-	options->gss_authentication=-1;
-	options->gss_cleanup_creds = -1;
-	options->password_authentication = -1;
-	options->kbd_interactive_authentication = -1;
-	options->challenge_response_authentication = -1;
-	options->permit_empty_passwd = -1;
-	options->permit_user_env = -1;
-	options->use_login = -1;
-	options->compression = -1;
-	options->allow_tcp_forwarding = -1;
-	options->num_allow_users = 0;
-	options->num_deny_users = 0;
-	options->num_allow_groups = 0;
-	options->num_deny_groups = 0;
-	options->ciphers = NULL;
-	options->macs = NULL;
-	options->protocol = SSH_PROTO_UNKNOWN;
-	options->gateway_ports = -1;
-	options->num_subsystems = 0;
-	options->max_startups_begin = -1;
-	options->max_startups_rate = -1;
-	options->max_startups = -1;
-	options->max_authtries = -1;
-	options->banner = NULL;
-	options->use_dns = -1;
-	options->client_alive_interval = -1;
-	options->client_alive_count_max = -1;
-	options->authorized_keys_file = NULL;
-	options->authorized_keys_file2 = NULL;
-	options->num_accept_env = 0;
-	options->permit_tun = -1;
-	options->num_permitted_opens = -1;
-	options->adm_forced_command = NULL;
-}
-
-void
-fill_default_server_options(ServerOptions *options)
-{
-	/* Portable-specific options */
-	if (options->use_pam == -1)
-		options->use_pam = 0;
-
-	/* Standard Options */
-	if (options->protocol == SSH_PROTO_UNKNOWN)
-		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
-	if (options->num_host_key_files == 0) {
-		/* fill default hostkeys for protocols */
-		if (options->protocol & SSH_PROTO_1)
-			options->host_key_files[options->num_host_key_files++] =
-			    _PATH_HOST_KEY_FILE;
-		if (options->protocol & SSH_PROTO_2) {
-			options->host_key_files[options->num_host_key_files++] =
-			    _PATH_HOST_RSA_KEY_FILE;
-			options->host_key_files[options->num_host_key_files++] =
-			    _PATH_HOST_DSA_KEY_FILE;
-		}
-	}
-	if (options->num_ports == 0)
-		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
-	if (options->listen_addrs == NULL)
-		add_listen_addr(options, NULL, 0);
-	if (options->pid_file == NULL)
-		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
-	if (options->server_key_bits == -1)
-		options->server_key_bits = 768;
-	if (options->login_grace_time == -1)
-		options->login_grace_time = 120;
-	if (options->key_regeneration_time == -1)
-		options->key_regeneration_time = 3600;
-	if (options->permit_root_login == PERMIT_NOT_SET)
-		options->permit_root_login = PERMIT_YES;
-	if (options->ignore_rhosts == -1)
-		options->ignore_rhosts = 1;
-	if (options->ignore_user_known_hosts == -1)
-		options->ignore_user_known_hosts = 0;
-	if (options->print_motd == -1)
-		options->print_motd = 1;
-	if (options->print_lastlog == -1)
-		options->print_lastlog = 1;
-	if (options->x11_forwarding == -1)
-		options->x11_forwarding = 0;
-	if (options->x11_display_offset == -1)
-		options->x11_display_offset = 10;
-	if (options->x11_use_localhost == -1)
-		options->x11_use_localhost = 1;
-	if (options->xauth_location == NULL)
-		options->xauth_location = _PATH_XAUTH;
-	if (options->strict_modes == -1)
-		options->strict_modes = 1;
-	if (options->tcp_keep_alive == -1)
-		options->tcp_keep_alive = 1;
-	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
-		options->log_facility = SYSLOG_FACILITY_AUTH;
-	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
-		options->log_level = SYSLOG_LEVEL_INFO;
-	if (options->rhosts_rsa_authentication == -1)
-		options->rhosts_rsa_authentication = 0;
-	if (options->hostbased_authentication == -1)
-		options->hostbased_authentication = 0;
-	if (options->hostbased_uses_name_from_packet_only == -1)
-		options->hostbased_uses_name_from_packet_only = 0;
-	if (options->rsa_authentication == -1)
-		options->rsa_authentication = 1;
-	if (options->pubkey_authentication == -1)
-		options->pubkey_authentication = 1;
-	if (options->kerberos_authentication == -1)
-		options->kerberos_authentication = 0;
-	if (options->kerberos_or_local_passwd == -1)
-		options->kerberos_or_local_passwd = 1;
-	if (options->kerberos_ticket_cleanup == -1)
-		options->kerberos_ticket_cleanup = 1;
-	if (options->kerberos_get_afs_token == -1)
-		options->kerberos_get_afs_token = 0;
-	if (options->gss_authentication == -1)
-		options->gss_authentication = 0;
-	if (options->gss_cleanup_creds == -1)
-		options->gss_cleanup_creds = 1;
-	if (options->password_authentication == -1)
-		options->password_authentication = 1;
-	if (options->kbd_interactive_authentication == -1)
-		options->kbd_interactive_authentication = 0;
-	if (options->challenge_response_authentication == -1)
-		options->challenge_response_authentication = 1;
-	if (options->permit_empty_passwd == -1)
-		options->permit_empty_passwd = 0;
-	if (options->permit_user_env == -1)
-		options->permit_user_env = 0;
-	if (options->use_login == -1)
-		options->use_login = 0;
-	if (options->compression == -1)
-		options->compression = COMP_DELAYED;
-	if (options->allow_tcp_forwarding == -1)
-		options->allow_tcp_forwarding = 1;
-	if (options->gateway_ports == -1)
-		options->gateway_ports = 0;
-	if (options->max_startups == -1)
-		options->max_startups = 10;
-	if (options->max_startups_rate == -1)
-		options->max_startups_rate = 100;		/* 100% */
-	if (options->max_startups_begin == -1)
-		options->max_startups_begin = options->max_startups;
-	if (options->max_authtries == -1)
-		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
-	if (options->use_dns == -1)
-		options->use_dns = 1;
-	if (options->client_alive_interval == -1)
-		options->client_alive_interval = 0;
-	if (options->client_alive_count_max == -1)
-		options->client_alive_count_max = 3;
-	if (options->authorized_keys_file2 == NULL) {
-		/* authorized_keys_file2 falls back to authorized_keys_file */
-		if (options->authorized_keys_file != NULL)
-			options->authorized_keys_file2 = options->authorized_keys_file;
-		else
-			options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
-	}
-	if (options->authorized_keys_file == NULL)
-		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
-	if (options->permit_tun == -1)
-		options->permit_tun = SSH_TUNMODE_NO;
-
-	/* Turn privilege separation on by default */
-	if (use_privsep == -1)
-		use_privsep = 1;
-
-#ifndef HAVE_MMAP
-	if (use_privsep && options->compression == 1) {
-		error("This platform does not support both privilege "
-		    "separation and compression");
-		error("Compression disabled");
-		options->compression = 0;
-	}
-#endif
-
-}
-
-/* Keyword tokens. */
-typedef enum {
-	sBadOption,		/* == unknown option */
-	/* Portable-specific options */
-	sUsePAM,
-	/* Standard Options */
-	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
-	sPermitRootLogin, sLogFacility, sLogLevel,
-	sRhostsRSAAuthentication, sRSAAuthentication,
-	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
-	sKerberosGetAFSToken,
-	sKerberosTgtPassing, sChallengeResponseAuthentication,
-	sPasswordAuthentication, sKbdInteractiveAuthentication,
-	sListenAddress, sAddressFamily,
-	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
-	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
-	sStrictModes, sEmptyPasswd, sTCPKeepAlive,
-	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
-	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
-	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
-	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
-	sMaxStartups, sMaxAuthTries,
-	sBanner, sUseDNS, sHostbasedAuthentication,
-	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
-	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
-	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
-	sMatch, sPermitOpen, sForceCommand,
-	sUsePrivilegeSeparation,
-	sDeprecated, sUnsupported
-} ServerOpCodes;
-
-#define SSHCFG_GLOBAL	0x01	/* allowed in main section of sshd_config */
-#define SSHCFG_MATCH	0x02	/* allowed inside a Match section */
-#define SSHCFG_ALL	(SSHCFG_GLOBAL|SSHCFG_MATCH)
-
-/* Textual representation of the tokens. */
-static struct {
-	const char *name;
-	ServerOpCodes opcode;
-	u_int flags;
-} keywords[] = {
-	/* Portable-specific options */
-#ifdef USE_PAM
-	{ "usepam", sUsePAM, SSHCFG_GLOBAL },
-#else
-	{ "usepam", sUnsupported, SSHCFG_GLOBAL },
-#endif
-	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
-	/* Standard Options */
-	{ "port", sPort, SSHCFG_GLOBAL },
-	{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
-	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },		/* alias */
-	{ "pidfile", sPidFile, SSHCFG_GLOBAL },
-	{ "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
-	{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
-	{ "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
-	{ "permitrootlogin", sPermitRootLogin, SSHCFG_GLOBAL },
-	{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
-	{ "loglevel", sLogLevel, SSHCFG_GLOBAL },
-	{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
-	{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_GLOBAL },
-	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_GLOBAL },
-	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
-	{ "rsaauthentication", sRSAAuthentication, SSHCFG_GLOBAL },
-	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL },
-	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL },	/* alias */
-#ifdef KRB5
-	{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_GLOBAL },
-	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
-	{ "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
-#ifdef USE_AFS
-	{ "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
-#else
-	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
-#endif
-#else
-	{ "kerberosauthentication", sUnsupported, SSHCFG_GLOBAL },
-	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
-	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
-	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
-#endif
-	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
-	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
-#ifdef GSSAPI
-	{ "gssapiauthentication", sGssAuthentication, SSHCFG_GLOBAL },
-	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
-#else
-	{ "gssapiauthentication", sUnsupported, SSHCFG_GLOBAL },
-	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
-#endif
-	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_GLOBAL },
-	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_GLOBAL },
-	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-	{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
-	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
-	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
-	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
-	{ "printmotd", sPrintMotd, SSHCFG_GLOBAL },
-	{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
-	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
-	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
-	{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
-	{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
-	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
-	{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
-	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
-	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_GLOBAL },
-	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
-	{ "uselogin", sUseLogin, SSHCFG_GLOBAL },
-	{ "compression", sCompression, SSHCFG_GLOBAL },
-	{ "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
-	{ "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL },	/* obsolete alias */
-	{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
-	{ "allowusers", sAllowUsers, SSHCFG_GLOBAL },
-	{ "denyusers", sDenyUsers, SSHCFG_GLOBAL },
-	{ "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
-	{ "denygroups", sDenyGroups, SSHCFG_GLOBAL },
-	{ "ciphers", sCiphers, SSHCFG_GLOBAL },
-	{ "macs", sMacs, SSHCFG_GLOBAL },
-	{ "protocol", sProtocol, SSHCFG_GLOBAL },
-	{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
-	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
-	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
-	{ "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL },
-	{ "banner", sBanner, SSHCFG_GLOBAL },
-	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
-	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
-	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
-	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
-	{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
-	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
-	{ "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
-	{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
-	{ "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
-	{ "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
- 	{ "match", sMatch, SSHCFG_ALL },
-	{ "permitopen", sPermitOpen, SSHCFG_ALL },
-	{ "forcecommand", sForceCommand, SSHCFG_ALL },
-	{ NULL, sBadOption, 0 }
-};
-
-/*
- * Returns the number of the token pointed to by cp or sBadOption.
- */
-
-static ServerOpCodes
-parse_token(const char *cp, const char *filename,
-	    int linenum, u_int *flags)
-{
-	u_int i;
-
-	for (i = 0; keywords[i].name; i++)
-		if (strcasecmp(cp, keywords[i].name) == 0) {
-			*flags = keywords[i].flags;
-			return keywords[i].opcode;
-		}
-
-	error("%s: line %d: Bad configuration option: %s",
-	    filename, linenum, cp);
-	return sBadOption;
-}
-
-static void
-add_listen_addr(ServerOptions *options, char *addr, u_short port)
-{
-	u_int i;
-
-	if (options->num_ports == 0)
-		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
-	if (options->address_family == -1)
-		options->address_family = AF_UNSPEC;
-	if (port == 0)
-		for (i = 0; i < options->num_ports; i++)
-			add_one_listen_addr(options, addr, options->ports[i]);
-	else
-		add_one_listen_addr(options, addr, port);
-}
-
-static void
-add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
-{
-	struct addrinfo hints, *ai, *aitop;
-	char strport[NI_MAXSERV];
-	int gaierr;
-
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_family = options->address_family;
-	hints.ai_socktype = SOCK_STREAM;
-	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
-	snprintf(strport, sizeof strport, "%u", port);
-	if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
-		fatal("bad addr or host: %s (%s)",
-		    addr ? addr : "<NULL>",
-		    gai_strerror(gaierr));
-	for (ai = aitop; ai->ai_next; ai = ai->ai_next)
-		;
-	ai->ai_next = options->listen_addrs;
-	options->listen_addrs = aitop;
-}
-
-/*
- * The strategy for the Match blocks is that the config file is parsed twice.
- *
- * The first time is at startup.  activep is initialized to 1 and the
- * directives in the global context are processed and acted on.  Hitting a
- * Match directive unsets activep and the directives inside the block are
- * checked for syntax only.
- *
- * The second time is after a connection has been established but before
- * authentication.  activep is initialized to 2 and global config directives
- * are ignored since they have already been processed.  If the criteria in a
- * Match block is met, activep is set and the subsequent directives
- * processed and actioned until EOF or another Match block unsets it.  Any
- * options set are copied into the main server config.
- *
- * Potential additions/improvements:
- *  - Add Match support for pre-kex directives, eg Protocol, Ciphers.
- *
- *  - Add a Tag directive (idea from David Leonard) ala pf, eg:
- *	Match Address 192.168.0.*
- *		Tag trusted
- *	Match Group wheel
- *		Tag trusted
- *	Match Tag trusted
- *		AllowTcpForwarding yes
- *		GatewayPorts clientspecified
- *		[...]
- *
- *  - Add a PermittedChannelRequests directive
- *	Match Group shell
- *		PermittedChannelRequests session,forwarded-tcpip
- */
-
-static int
-match_cfg_line_group(const char *grps, int line, const char *user)
-{
-	int result = 0;
-	u_int ngrps = 0;
-	char *arg, *p, *cp, *grplist[MAX_MATCH_GROUPS];
-	struct passwd *pw;
-
-	/*
-	 * Even if we do not have a user yet, we still need to check for
-	 * valid syntax.
-	 */
-	arg = cp = xstrdup(grps);
-	while ((p = strsep(&cp, ",")) != NULL && *p != '\0') {
-		if (ngrps >= MAX_MATCH_GROUPS) {
-			error("line %d: too many groups in Match Group", line);
-			result = -1;
-			goto out;
-		}
-		grplist[ngrps++] = p;
-	}
-
-	if (user == NULL)
-		goto out;
-
-	if ((pw = getpwnam(user)) == NULL) {
-		debug("Can't match group at line %d because user %.100s does "
-		    "not exist", line, user);
-	} else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
-		debug("Can't Match group because user %.100s not in any group "
-		    "at line %d", user, line);
-	} else if (ga_match(grplist, ngrps) != 1) {
-		debug("user %.100s does not match group %.100s at line %d",
-		    user, arg, line);
-	} else {
-		debug("user %.100s matched group %.100s at line %d", user,
-		    arg, line);
-		result = 1;
-	}
-out:
-	ga_free();
-	xfree(arg);
-	return result;
-}
-
-static int
-match_cfg_line(char **condition, int line, const char *user, const char *host,
-    const char *address)
-{
-	int result = 1;
-	char *arg, *attrib, *cp = *condition;
-	size_t len;
-
-	if (user == NULL)
-		debug3("checking syntax for 'Match %s'", cp);
-	else
-		debug3("checking match for '%s' user %s host %s addr %s", cp,
-		    user ? user : "(null)", host ? host : "(null)",
-		    address ? address : "(null)");
-
-	while ((attrib = strdelim(&cp)) && *attrib != '\0') {
-		if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
-			error("Missing Match criteria for %s", attrib);
-			return -1;
-		}
-		len = strlen(arg);
-		if (strcasecmp(attrib, "user") == 0) {
-			if (!user) {
-				result = 0;
-				continue;
-			}
-			if (match_pattern_list(user, arg, len, 0) != 1)
-				result = 0;
-			else
-				debug("user %.100s matched 'User %.100s' at "
-				    "line %d", user, arg, line);
-		} else if (strcasecmp(attrib, "group") == 0) {
-			switch (match_cfg_line_group(arg, line, user)) {
-			case -1:
-				return -1;
-			case 0:
-				result = 0;
-			}
-		} else if (strcasecmp(attrib, "host") == 0) {
-			if (!host) {
-				result = 0;
-				continue;
-			}
-			if (match_hostname(host, arg, len) != 1)
-				result = 0;
-			else
-				debug("connection from %.100s matched 'Host "
-				    "%.100s' at line %d", host, arg, line);
-		} else if (strcasecmp(attrib, "address") == 0) {
-			debug("address '%s' arg '%s'", address, arg);
-			if (!address) {
-				result = 0;
-				continue;
-			}
-			if (match_hostname(address, arg, len) != 1)
-				result = 0;
-			else
-				debug("connection from %.100s matched 'Address "
-				    "%.100s' at line %d", address, arg, line);
-		} else {
-			error("Unsupported Match attribute %s", attrib);
-			return -1;
-		}
-	}
-	if (user != NULL)
-		debug3("match %sfound", result ? "" : "not ");
-	*condition = cp;
-	return result;
-}
-
-#define WHITESPACE " \t\r\n"
-
-int
-process_server_config_line(ServerOptions *options, char *line,
-    const char *filename, int linenum, int *activep, const char *user,
-    const char *host, const char *address)
-{
-	char *cp, **charptr, *arg, *p;
-	int cmdline = 0, *intptr, value, n;
-	ServerOpCodes opcode;
-	u_short port;
-	u_int i, flags = 0;
-	size_t len;
-
-	cp = line;
-	if ((arg = strdelim(&cp)) == NULL)
-		return 0;
-	/* Ignore leading whitespace */
-	if (*arg == '\0')
-		arg = strdelim(&cp);
-	if (!arg || !*arg || *arg == '#')
-		return 0;
-	intptr = NULL;
-	charptr = NULL;
-	opcode = parse_token(arg, filename, linenum, &flags);
-
-	if (activep == NULL) { /* We are processing a command line directive */
-		cmdline = 1;
-		activep = &cmdline;
-	}
-	if (*activep && opcode != sMatch)
-		debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
-	if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
-		if (user == NULL) {
-			fatal("%s line %d: Directive '%s' is not allowed "
-			    "within a Match block", filename, linenum, arg);
-		} else { /* this is a directive we have already processed */
-			while (arg)
-				arg = strdelim(&cp);
-			return 0;
-		}
-	}
-
-	switch (opcode) {
-	/* Portable-specific options */
-	case sUsePAM:
-		intptr = &options->use_pam;
-		goto parse_flag;
-
-	/* Standard Options */
-	case sBadOption:
-		return -1;
-	case sPort:
-		/* ignore ports from configfile if cmdline specifies ports */
-		if (options->ports_from_cmdline)
-			return 0;
-		if (options->listen_addrs != NULL)
-			fatal("%s line %d: ports must be specified before "
-			    "ListenAddress.", filename, linenum);
-		if (options->num_ports >= MAX_PORTS)
-			fatal("%s line %d: too many ports.",
-			    filename, linenum);
-		arg = strdelim(&cp);
-		if (!arg || *arg == '\0')
-			fatal("%s line %d: missing port number.",
-			    filename, linenum);
-		options->ports[options->num_ports++] = a2port(arg);
-		if (options->ports[options->num_ports-1] == 0)
-			fatal("%s line %d: Badly formatted port number.",
-			    filename, linenum);
-		break;
-
-	case sServerKeyBits:
-		intptr = &options->server_key_bits;
-parse_int:
-		arg = strdelim(&cp);
-		if (!arg || *arg == '\0')
-			fatal("%s line %d: missing integer value.",
-			    filename, linenum);
-		value = atoi(arg);
-		if (*activep && *intptr == -1)
-			*intptr = value;
-		break;
-
-	case sLoginGraceTime:
-		intptr = &options->login_grace_time;
-parse_time:
-		arg = strdelim(&cp);
-		if (!arg || *arg == '\0')
-			fatal("%s line %d: missing time value.",
-			    filename, linenum);
-		if ((value = convtime(arg)) == -1)
-			fatal("%s line %d: invalid time value.",
-			    filename, linenum);
-		if (*intptr == -1)
-			*intptr = value;
-		break;
-
-	case sKeyRegenerationTime:
-		intptr = &options->key_regeneration_time;
-		goto parse_time;
-
-	case sListenAddress:
-		arg = strdelim(&cp);
-		if (arg == NULL || *arg == '\0')
-			fatal("%s line %d: missing address",
-			    filename, linenum);
-		/* check for bare IPv6 address: no "[]" and 2 or more ":" */
-		if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
-		    && strchr(p+1, ':') != NULL) {
-			add_listen_addr(options, arg, 0);
-			break;
-		}
-		p = hpdelim(&arg);
-		if (p == NULL)
-			fatal("%s line %d: bad address:port usage",
-			    filename, linenum);
-		p = cleanhostname(p);
-		if (arg == NULL)
-			port = 0;
-		else if ((port = a2port(arg)) == 0)
-			fatal("%s line %d: bad port number", filename, linenum);
-
-		add_listen_addr(options, p, port);
-
-		break;
-
-	case sAddressFamily:
-		arg = strdelim(&cp);
-		if (!arg || *arg == '\0')
-			fatal("%s line %d: missing address family.",
-			    filename, linenum);
-		intptr = &options->address_family;
-		if (options->listen_addrs != NULL)
-			fatal("%s line %d: address family must be specified before "
-			    "ListenAddress.", filename, linenum);
-		if (strcasecmp(arg, "inet") == 0)
-			value = AF_INET;
-		else if (strcasecmp(arg, "inet6") == 0)
-			value = AF_INET6;
-		else if (strcasecmp(arg, "any") == 0)
-			value = AF_UNSPEC;
-		else
-			fatal("%s line %d: unsupported address family \"%s\".",
-			    filename, linenum, arg);
-		if (*intptr == -1)
-			*intptr = value;
-		break;
-
-	case sHostKeyFile:
-		intptr = &options->num_host_key_files;
-		if (*intptr >= MAX_HOSTKEYS)
-			fatal("%s line %d: too many host keys specified (max %d).",
-			    filename, linenum, MAX_HOSTKEYS);
-		charptr = &options->host_key_files[*intptr];
-parse_filename:
-		arg = strdelim(&cp);
-		if (!arg || *arg == '\0')
-			fatal("%s line %d: missing file name.",
-			    filename, linenum);
-		if (*activep && *charptr == NULL) {
-			*charptr = tilde_expand_filename(arg, getuid());
-			/* increase optional counter */
-			if (intptr != NULL)
-				*intptr = *intptr + 1;
-		}
-		break;
-
-	case sPidFile:
-		charptr = &options->pid_file;
-		goto parse_filename;
-
-	case sPermitRootLogin:
-		intptr = &options->permit_root_login;
-		arg = strdelim(&cp);
-		if (!arg || *arg == '\0')
-			fatal("%s line %d: missing yes/"
-			    "without-password/forced-commands-only/no "
-			    "argument.", filename, linenum);
-		value = 0;	/* silence compiler */
-		if (strcmp(arg, "without-password") == 0)
-			value = PERMIT_NO_PASSWD;
-		else if (strcmp(arg, "forced-commands-only") == 0)
-			value = PERMIT_FORCED_ONLY;
-		else if (strcmp(arg, "yes") == 0)
-			value = PERMIT_YES;
-		else if (strcmp(arg, "no") == 0)
-			value = PERMIT_NO;
-		else
-			fatal("%s line %d: Bad yes/"
-			    "without-password/forced-commands-only/no "
-			    "argument: %s", filename, linenum, arg);
-		if (*intptr == -1)
-			*intptr = value;
-		break;
-
-	case sIgnoreRhosts:
-		intptr = &options->ignore_rhosts;
-parse_flag:
-		arg = strdelim(&cp);
-		if (!arg || *arg == '\0')
-			fatal("%s line %d: missing yes/no argument.",
-			    filename, linenum);
-		value = 0;	/* silence compiler */
-		if (strcmp(arg, "yes") == 0)
-			value = 1;
-		else if (strcmp(arg, "no") == 0)
-			value = 0;
-		else
-			fatal("%s line %d: Bad yes/no argument: %s",
-				filename, linenum, arg);
-		if (*activep && *intptr == -1)
-			*intptr = value;
-		break;
-
-	case sIgnoreUserKnownHosts:
-		intptr = &options->ignore_user_known_hosts;
-		goto parse_flag;
-
-	case sRhostsRSAAuthentication:
-		intptr = &options->rhosts_rsa_authentication;
-		goto parse_flag;
-
-	case sHostbasedAuthentication:
-		intptr = &options->hostbased_authentication;
-		goto parse_flag;
-
-	case sHostbasedUsesNameFromPacketOnly:
-		intptr = &options->hostbased_uses_name_from_packet_only;
-		goto parse_flag;
-
-	case sRSAAuthentication:
-		intptr = &options->rsa_authentication;
-		goto parse_flag;
-
-	case sPubkeyAuthentication:
-		intptr = &options->pubkey_authentication;
-		goto parse_flag;
-
-	case sKerberosAuthentication:
-		intptr = &options->kerberos_authentication;
-		goto parse_flag;
-
-	case sKerberosOrLocalPasswd:
-		intptr = &options->kerberos_or_local_passwd;
-		goto parse_flag;
-
-	case sKerberosTicketCleanup:
-		intptr = &options->kerberos_ticket_cleanup;
-		goto parse_flag;
-
-	case sKerberosGetAFSToken:
-		intptr = &options->kerberos_get_afs_token;
-		goto parse_flag;
-
-	case sGssAuthentication:
-		intptr = &options->gss_authentication;
-		goto parse_flag;
-
-	case sGssCleanupCreds:
-		intptr = &options->gss_cleanup_creds;
-		goto parse_flag;
-
-	case sPasswordAuthentication:
-		intptr = &options->password_authentication;
-		goto parse_flag;
-
-	case sKbdInteractiveAuthentication:
-		intptr = &options->kbd_interactive_authentication;
-		goto parse_flag;
-
-	case sChallengeResponseAuthentication:
-		intptr = &options->challenge_response_authentication;
-		goto parse_flag;
-
-	case sPrintMotd:
-		intptr = &options->print_motd;
-		goto parse_flag;
-
-	case sPrintLastLog:
-		intptr = &options->print_lastlog;
-		goto parse_flag;
-
-	case sX11Forwarding:
-		intptr = &options->x11_forwarding;
-		goto parse_flag;
-
-	case sX11DisplayOffset:
-		intptr = &options->x11_display_offset;
-		goto parse_int;
-
-	case sX11UseLocalhost:
-		intptr = &options->x11_use_localhost;
-		goto parse_flag;
-
-	case sXAuthLocation:
-		charptr = &options->xauth_location;
-		goto parse_filename;
-
-	case sStrictModes:
-		intptr = &options->strict_modes;
-		goto parse_flag;
-
-	case sTCPKeepAlive:
-		intptr = &options->tcp_keep_alive;
-		goto parse_flag;
-
-	case sEmptyPasswd:
-		intptr = &options->permit_empty_passwd;
-		goto parse_flag;
-
-	case sPermitUserEnvironment:
-		intptr = &options->permit_user_env;
-		goto parse_flag;
-
-	case sUseLogin:
-		intptr = &options->use_login;
-		goto parse_flag;
-
-	case sCompression:
-		intptr = &options->compression;
-		arg = strdelim(&cp);
-		if (!arg || *arg == '\0')
-			fatal("%s line %d: missing yes/no/delayed "
-			    "argument.", filename, linenum);
-		value = 0;	/* silence compiler */
-		if (strcmp(arg, "delayed") == 0)
-			value = COMP_DELAYED;
-		else if (strcmp(arg, "yes") == 0)
-			value = COMP_ZLIB;
-		else if (strcmp(arg, "no") == 0)
-			value = COMP_NONE;
-		else
-			fatal("%s line %d: Bad yes/no/delayed "
-			    "argument: %s", filename, linenum, arg);
-		if (*intptr == -1)
-			*intptr = value;
-		break;
-
-	case sGatewayPorts:
-		intptr = &options->gateway_ports;
-		arg = strdelim(&cp);
-		if (!arg || *arg == '\0')
-			fatal("%s line %d: missing yes/no/clientspecified "
-			    "argument.", filename, linenum);
-		value = 0;	/* silence compiler */
-		if (strcmp(arg, "clientspecified") == 0)
-			value = 2;
-		else if (strcmp(arg, "yes") == 0)
-			value = 1;
-		else if (strcmp(arg, "no") == 0)
-			value = 0;
-		else
-			fatal("%s line %d: Bad yes/no/clientspecified "
-			    "argument: %s", filename, linenum, arg);
-		if (*intptr == -1)
-			*intptr = value;
-		break;
-
-	case sUseDNS:
-		intptr = &options->use_dns;
-		goto parse_flag;
-
-	case sLogFacility:
-		intptr = (int *) &options->log_facility;
-		arg = strdelim(&cp);
-		value = log_facility_number(arg);
-		if (value == SYSLOG_FACILITY_NOT_SET)
-			fatal("%.200s line %d: unsupported log facility '%s'",
-			    filename, linenum, arg ? arg : "<NONE>");
-		if (*intptr == -1)
-			*intptr = (SyslogFacility) value;
-		break;
-
-	case sLogLevel:
-		intptr = (int *) &options->log_level;
-		arg = strdelim(&cp);
-		value = log_level_number(arg);
-		if (value == SYSLOG_LEVEL_NOT_SET)
-			fatal("%.200s line %d: unsupported log level '%s'",
-			    filename, linenum, arg ? arg : "<NONE>");
-		if (*intptr == -1)
-			*intptr = (LogLevel) value;
-		break;
-
-	case sAllowTcpForwarding:
-		intptr = &options->allow_tcp_forwarding;
-		goto parse_flag;
-
-	case sUsePrivilegeSeparation:
-		intptr = &use_privsep;
-		goto parse_flag;
-
-	case sAllowUsers:
-		while ((arg = strdelim(&cp)) && *arg != '\0') {
-			if (options->num_allow_users >= MAX_ALLOW_USERS)
-				fatal("%s line %d: too many allow users.",
-				    filename, linenum);
-			options->allow_users[options->num_allow_users++] =
-			    xstrdup(arg);
-		}
-		break;
-
-	case sDenyUsers:
-		while ((arg = strdelim(&cp)) && *arg != '\0') {
-			if (options->num_deny_users >= MAX_DENY_USERS)
-				fatal("%s line %d: too many deny users.",
-				    filename, linenum);
-			options->deny_users[options->num_deny_users++] =
-			    xstrdup(arg);
-		}
-		break;
-
-	case sAllowGroups:
-		while ((arg = strdelim(&cp)) && *arg != '\0') {
-			if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
-				fatal("%s line %d: too many allow groups.",
-				    filename, linenum);
-			options->allow_groups[options->num_allow_groups++] =
-			    xstrdup(arg);
-		}
-		break;
-
-	case sDenyGroups:
-		while ((arg = strdelim(&cp)) && *arg != '\0') {
-			if (options->num_deny_groups >= MAX_DENY_GROUPS)
-				fatal("%s line %d: too many deny groups.",
-				    filename, linenum);
-			options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
-		}
-		break;
-
-	case sCiphers:
-		arg = strdelim(&cp);
-		if (!arg || *arg == '\0')
-			fatal("%s line %d: Missing argument.", filename, linenum);
-		if (!ciphers_valid(arg))
-			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
-			    filename, linenum, arg ? arg : "<NONE>");
-		if (options->ciphers == NULL)
-			options->ciphers = xstrdup(arg);
-		break;
-
-	case sMacs:
-		arg = strdelim(&cp);
-		if (!arg || *arg == '\0')
-			fatal("%s line %d: Missing argument.", filename, linenum);
-		if (!mac_valid(arg))
-			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
-			    filename, linenum, arg ? arg : "<NONE>");
-		if (options->macs == NULL)
-			options->macs = xstrdup(arg);
-		break;
-
-	case sProtocol:
-		intptr = &options->protocol;
-		arg = strdelim(&cp);
-		if (!arg || *arg == '\0')
-			fatal("%s line %d: Missing argument.", filename, linenum);
-		value = proto_spec(arg);
-		if (value == SSH_PROTO_UNKNOWN)
-			fatal("%s line %d: Bad protocol spec '%s'.",
-			    filename, linenum, arg ? arg : "<NONE>");
-		if (*intptr == SSH_PROTO_UNKNOWN)
-			*intptr = value;
-		break;
-
-	case sSubsystem:
-		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
-			fatal("%s line %d: too many subsystems defined.",
-			    filename, linenum);
-		}
-		arg = strdelim(&cp);
-		if (!arg || *arg == '\0')
-			fatal("%s line %d: Missing subsystem name.",
-			    filename, linenum);
-		if (!*activep) {
-			arg = strdelim(&cp);
-			break;
-		}
-		for (i = 0; i < options->num_subsystems; i++)
-			if (strcmp(arg, options->subsystem_name[i]) == 0)
-				fatal("%s line %d: Subsystem '%s' already defined.",
-				    filename, linenum, arg);
-		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
-		arg = strdelim(&cp);
-		if (!arg || *arg == '\0')
-			fatal("%s line %d: Missing subsystem command.",
-			    filename, linenum);
-		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
-
-		/* Collect arguments (separate to executable) */
-		p = xstrdup(arg);
-		len = strlen(p) + 1;
-		while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
-			len += 1 + strlen(arg);
-			p = xrealloc(p, 1, len);
-			strlcat(p, " ", len);
-			strlcat(p, arg, len);
-		}
-		options->subsystem_args[options->num_subsystems] = p;
-		options->num_subsystems++;
-		break;
-
-	case sMaxStartups:
-		arg = strdelim(&cp);
-		if (!arg || *arg == '\0')
-			fatal("%s line %d: Missing MaxStartups spec.",
-			    filename, linenum);
-		if ((n = sscanf(arg, "%d:%d:%d",
-		    &options->max_startups_begin,
-		    &options->max_startups_rate,
-		    &options->max_startups)) == 3) {
-			if (options->max_startups_begin >
-			    options->max_startups ||
-			    options->max_startups_rate > 100 ||
-			    options->max_startups_rate < 1)
-				fatal("%s line %d: Illegal MaxStartups spec.",
-				    filename, linenum);
-		} else if (n != 1)
-			fatal("%s line %d: Illegal MaxStartups spec.",
-			    filename, linenum);
-		else
-			options->max_startups = options->max_startups_begin;
-		break;
-
-	case sMaxAuthTries:
-		intptr = &options->max_authtries;
-		goto parse_int;
-
-	case sBanner:
-		charptr = &options->banner;
-		goto parse_filename;
-	/*
-	 * These options can contain %X options expanded at
-	 * connect time, so that you can specify paths like:
-	 *
-	 * AuthorizedKeysFile	/etc/ssh_keys/%u
-	 */
-	case sAuthorizedKeysFile:
-	case sAuthorizedKeysFile2:
-		charptr = (opcode == sAuthorizedKeysFile) ?
-		    &options->authorized_keys_file :
-		    &options->authorized_keys_file2;
-		goto parse_filename;
-
-	case sClientAliveInterval:
-		intptr = &options->client_alive_interval;
-		goto parse_time;
-
-	case sClientAliveCountMax:
-		intptr = &options->client_alive_count_max;
-		goto parse_int;
-
-	case sAcceptEnv:
-		while ((arg = strdelim(&cp)) && *arg != '\0') {
-			if (strchr(arg, '=') != NULL)
-				fatal("%s line %d: Invalid environment name.",
-				    filename, linenum);
-			if (options->num_accept_env >= MAX_ACCEPT_ENV)
-				fatal("%s line %d: too many allow env.",
-				    filename, linenum);
-			if (!*activep)
-				break;
-			options->accept_env[options->num_accept_env++] =
-			    xstrdup(arg);
-		}
-		break;
-
-	case sPermitTunnel:
-		intptr = &options->permit_tun;
-		arg = strdelim(&cp);
-		if (!arg || *arg == '\0')
-			fatal("%s line %d: Missing yes/point-to-point/"
-			    "ethernet/no argument.", filename, linenum);
-		value = 0;	/* silence compiler */
-		if (strcasecmp(arg, "ethernet") == 0)
-			value = SSH_TUNMODE_ETHERNET;
-		else if (strcasecmp(arg, "point-to-point") == 0)
-			value = SSH_TUNMODE_POINTOPOINT;
-		else if (strcasecmp(arg, "yes") == 0)
-			value = SSH_TUNMODE_YES;
-		else if (strcasecmp(arg, "no") == 0)
-			value = SSH_TUNMODE_NO;
-		else
-			fatal("%s line %d: Bad yes/point-to-point/ethernet/"
-			    "no argument: %s", filename, linenum, arg);
-		if (*intptr == -1)
-			*intptr = value;
-		break;
-
-	case sMatch:
-		if (cmdline)
-			fatal("Match directive not supported as a command-line "
-			   "option");
-		value = match_cfg_line(&cp, linenum, user, host, address);
-		if (value < 0)
-			fatal("%s line %d: Bad Match condition", filename,
-			    linenum);
-		*activep = value;
-		break;
-
-	case sPermitOpen:
-		arg = strdelim(&cp);
-		if (!arg || *arg == '\0')
-			fatal("%s line %d: missing PermitOpen specification",
-			    filename, linenum);
-		if (strcmp(arg, "any") == 0) {
-			if (*activep) {
-				channel_clear_adm_permitted_opens();
-				options->num_permitted_opens = 0;
-			}
-			break;
-		}
-		for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
-			p = hpdelim(&arg);
-			if (p == NULL)
-				fatal("%s line %d: missing host in PermitOpen",
-				    filename, linenum);
-			p = cleanhostname(p);
-			if (arg == NULL || (port = a2port(arg)) == 0)
-				fatal("%s line %d: bad port number in "
-				    "PermitOpen", filename, linenum);
-			if (*activep && options->num_permitted_opens == -1) {
-				channel_clear_adm_permitted_opens();
-				options->num_permitted_opens =
-				    channel_add_adm_permitted_opens(p, port);
-			}
-		}
-		break;
-
-	case sForceCommand:
-		if (cp == NULL)
-			fatal("%.200s line %d: Missing argument.", filename,
-			    linenum);
-		len = strspn(cp, WHITESPACE);
-		if (*activep && options->adm_forced_command == NULL)
-			options->adm_forced_command = xstrdup(cp + len);
-		return 0;
-
-	case sDeprecated:
-		logit("%s line %d: Deprecated option %s",
-		    filename, linenum, arg);
-		while (arg)
-		    arg = strdelim(&cp);
-		break;
-
-	case sUnsupported:
-		logit("%s line %d: Unsupported option %s",
-		    filename, linenum, arg);
-		while (arg)
-		    arg = strdelim(&cp);
-		break;
-
-	default:
-		fatal("%s line %d: Missing handler for opcode %s (%d)",
-		    filename, linenum, arg, opcode);
-	}
-	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
-		fatal("%s line %d: garbage at end of line; \"%.200s\".",
-		    filename, linenum, arg);
-	return 0;
-}
-
-/* Reads the server configuration file. */
-
-void
-load_server_config(const char *filename, Buffer *conf)
-{
-	char line[1024], *cp;
-	FILE *f;
-
-	debug2("%s: filename %s", __func__, filename);
-	if ((f = fopen(filename, "r")) == NULL) {
-		perror(filename);
-		exit(1);
-	}
-	buffer_clear(conf);
-	while (fgets(line, sizeof(line), f)) {
-		/*
-		 * Trim out comments and strip whitespace
-		 * NB - preserve newlines, they are needed to reproduce
-		 * line numbers later for error messages
-		 */
-		if ((cp = strchr(line, '#')) != NULL)
-			memcpy(cp, "\n", 2);
-		cp = line + strspn(line, " \t\r");
-
-		buffer_append(conf, cp, strlen(cp));
-	}
-	buffer_append(conf, "\0", 1);
-	fclose(f);
-	debug2("%s: done config len = %d", __func__, buffer_len(conf));
-}
-
-void
-parse_server_match_config(ServerOptions *options, const char *user,
-    const char *host, const char *address)
-{
-	ServerOptions mo;
-
-	initialize_server_options(&mo);
-	parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
-	copy_set_server_options(options, &mo);
-}
-
-/* Copy any (supported) values that are set */
-void
-copy_set_server_options(ServerOptions *dst, ServerOptions *src)
-{
-	if (src->allow_tcp_forwarding != -1)
-		dst->allow_tcp_forwarding = src->allow_tcp_forwarding;
-	if (src->gateway_ports != -1)
-		dst->gateway_ports = src->gateway_ports;
-	if (src->adm_forced_command != NULL) {
-		if (dst->adm_forced_command != NULL)
-			xfree(dst->adm_forced_command);
-		dst->adm_forced_command = src->adm_forced_command;
-	}
-	if (src->x11_display_offset != -1)
-		dst->x11_display_offset = src->x11_display_offset;
-	if (src->x11_forwarding != -1)
-		dst->x11_forwarding = src->x11_forwarding;
-	if (src->x11_use_localhost != -1)
-		dst->x11_use_localhost = src->x11_use_localhost;
-}
-
-void
-parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
-    const char *user, const char *host, const char *address)
-{
-	int active, linenum, bad_options = 0;
-	char *cp, *obuf, *cbuf;
-
-	debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
-
-	obuf = cbuf = xstrdup(buffer_ptr(conf));
-	active = user ? 0 : 1;
-	linenum = 1;
-	while ((cp = strsep(&cbuf, "\n")) != NULL) {
-		if (process_server_config_line(options, cp, filename,
-		    linenum++, &active, user, host, address) != 0)
-			bad_options++;
-	}
-	xfree(obuf);
-	if (bad_options > 0)
-		fatal("%s: terminating, %d bad configuration options",
-		    filename, bad_options);
-}
diff --git a/crypto/openssh/servconf.h b/crypto/openssh/servconf.h
deleted file mode 100644
index ad496f6..0000000
--- a/crypto/openssh/servconf.h
+++ /dev/null
@@ -1,157 +0,0 @@
-/* $OpenBSD: servconf.h,v 1.79 2006/08/14 12:40:25 dtucker Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Definitions for server configuration data and for the functions reading it.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#ifndef SERVCONF_H
-#define SERVCONF_H
-
-#define MAX_PORTS		256	/* Max # ports. */
-
-#define MAX_ALLOW_USERS		256	/* Max # users on allow list. */
-#define MAX_DENY_USERS		256	/* Max # users on deny list. */
-#define MAX_ALLOW_GROUPS	256	/* Max # groups on allow list. */
-#define MAX_DENY_GROUPS		256	/* Max # groups on deny list. */
-#define MAX_SUBSYSTEMS		256	/* Max # subsystems. */
-#define MAX_HOSTKEYS		256	/* Max # hostkeys. */
-#define MAX_ACCEPT_ENV		256	/* Max # of env vars. */
-#define MAX_MATCH_GROUPS	256	/* Max # of groups for Match. */
-
-/* permit_root_login */
-#define	PERMIT_NOT_SET		-1
-#define	PERMIT_NO		0
-#define	PERMIT_FORCED_ONLY	1
-#define	PERMIT_NO_PASSWD	2
-#define	PERMIT_YES		3
-
-#define DEFAULT_AUTH_FAIL_MAX	6	/* Default for MaxAuthTries */
-
-typedef struct {
-	u_int num_ports;
-	u_int ports_from_cmdline;
-	u_short ports[MAX_PORTS];	/* Port number to listen on. */
-	char   *listen_addr;		/* Address on which the server listens. */
-	struct addrinfo *listen_addrs;	/* Addresses on which the server listens. */
-	int     address_family;		/* Address family used by the server. */
-	char   *host_key_files[MAX_HOSTKEYS];	/* Files containing host keys. */
-	int     num_host_key_files;     /* Number of files for host keys. */
-	char   *pid_file;	/* Where to put our pid */
-	int     server_key_bits;/* Size of the server key. */
-	int     login_grace_time;	/* Disconnect if no auth in this time
-					 * (sec). */
-	int     key_regeneration_time;	/* Server key lifetime (seconds). */
-	int     permit_root_login;	/* PERMIT_*, see above */
-	int     ignore_rhosts;	/* Ignore .rhosts and .shosts. */
-	int     ignore_user_known_hosts;	/* Ignore ~/.ssh/known_hosts
-						 * for RhostsRsaAuth */
-	int     print_motd;	/* If true, print /etc/motd. */
-	int	print_lastlog;	/* If true, print lastlog */
-	int     x11_forwarding;	/* If true, permit inet (spoofing) X11 fwd. */
-	int     x11_display_offset;	/* What DISPLAY number to start
-					 * searching at */
-	int     x11_use_localhost;	/* If true, use localhost for fake X11 server. */
-	char   *xauth_location;	/* Location of xauth program */
-	int     strict_modes;	/* If true, require string home dir modes. */
-	int     tcp_keep_alive;	/* If true, set SO_KEEPALIVE. */
-	char   *ciphers;	/* Supported SSH2 ciphers. */
-	char   *macs;		/* Supported SSH2 macs. */
-	int	protocol;	/* Supported protocol versions. */
-	int     gateway_ports;	/* If true, allow remote connects to forwarded ports. */
-	SyslogFacility log_facility;	/* Facility for system logging. */
-	LogLevel log_level;	/* Level for system logging. */
-	int     rhosts_rsa_authentication;	/* If true, permit rhosts RSA
-						 * authentication. */
-	int     hostbased_authentication;	/* If true, permit ssh2 hostbased auth */
-	int     hostbased_uses_name_from_packet_only; /* experimental */
-	int     rsa_authentication;	/* If true, permit RSA authentication. */
-	int     pubkey_authentication;	/* If true, permit ssh2 pubkey authentication. */
-	int     kerberos_authentication;	/* If true, permit Kerberos
-						 * authentication. */
-	int     kerberos_or_local_passwd;	/* If true, permit kerberos
-						 * and any other password
-						 * authentication mechanism,
-						 * such as SecurID or
-						 * /etc/passwd */
-	int     kerberos_ticket_cleanup;	/* If true, destroy ticket
-						 * file on logout. */
-	int     kerberos_get_afs_token;		/* If true, try to get AFS token if
-						 * authenticated with Kerberos. */
-	int     gss_authentication;	/* If true, permit GSSAPI authentication */
-	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
-	int     password_authentication;	/* If true, permit password
-						 * authentication. */
-	int     kbd_interactive_authentication;	/* If true, permit */
-	int     challenge_response_authentication;
-	int     permit_empty_passwd;	/* If false, do not permit empty
-					 * passwords. */
-	int     permit_user_env;	/* If true, read ~/.ssh/environment */
-	int     use_login;	/* If true, login(1) is used */
-	int     compression;	/* If true, compression is allowed */
-	int	allow_tcp_forwarding;
-	u_int num_allow_users;
-	char   *allow_users[MAX_ALLOW_USERS];
-	u_int num_deny_users;
-	char   *deny_users[MAX_DENY_USERS];
-	u_int num_allow_groups;
-	char   *allow_groups[MAX_ALLOW_GROUPS];
-	u_int num_deny_groups;
-	char   *deny_groups[MAX_DENY_GROUPS];
-
-	u_int num_subsystems;
-	char   *subsystem_name[MAX_SUBSYSTEMS];
-	char   *subsystem_command[MAX_SUBSYSTEMS];
-	char   *subsystem_args[MAX_SUBSYSTEMS];
-
-	u_int num_accept_env;
-	char   *accept_env[MAX_ACCEPT_ENV];
-
-	int	max_startups_begin;
-	int	max_startups_rate;
-	int	max_startups;
-	int	max_authtries;
-	char   *banner;			/* SSH-2 banner message */
-	int	use_dns;
-	int	client_alive_interval;	/*
-					 * poke the client this often to
-					 * see if it's still there
-					 */
-	int	client_alive_count_max;	/*
-					 * If the client is unresponsive
-					 * for this many intervals above,
-					 * disconnect the session
-					 */
-
-	char   *authorized_keys_file;	/* File containing public keys */
-	char   *authorized_keys_file2;
-
-	char   *adm_forced_command;
-
-	int	use_pam;		/* Enable auth via PAM */
-
-	int	permit_tun;
-
-	int	num_permitted_opens;
-}       ServerOptions;
-
-void	 initialize_server_options(ServerOptions *);
-void	 fill_default_server_options(ServerOptions *);
-int	 process_server_config_line(ServerOptions *, char *, const char *, int,
-	     int *, const char *, const char *, const char *);
-void	 load_server_config(const char *, Buffer *);
-void	 parse_server_config(ServerOptions *, const char *, Buffer *,
-	     const char *, const char *, const char *);
-void	 parse_server_match_config(ServerOptions *, const char *, const char *,
-	     const char *);
-void	 copy_set_server_options(ServerOptions *, ServerOptions *);
-
-#endif				/* SERVCONF_H */
diff --git a/crypto/openssh/serverloop.c b/crypto/openssh/serverloop.c
deleted file mode 100644
index 69304b5..0000000
--- a/crypto/openssh/serverloop.c
+++ /dev/null
@@ -1,1219 +0,0 @@
-/* $OpenBSD: serverloop.c,v 1.145 2006/10/11 12:38:03 markus Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Server main loop for handling the interactive session.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- * SSH2 support by Markus Friedl.
- * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/wait.h>
-#include <sys/socket.h>
-#ifdef HAVE_SYS_TIME_H
-# include <sys/time.h>
-#endif
-
-#include <netinet/in.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#include <pwd.h>
-#include <signal.h>
-#include <string.h>
-#include <termios.h>
-#include <unistd.h>
-#include <stdarg.h>
-
-#include "xmalloc.h"
-#include "packet.h"
-#include "buffer.h"
-#include "log.h"
-#include "servconf.h"
-#include "canohost.h"
-#include "sshpty.h"
-#include "channels.h"
-#include "compat.h"
-#include "ssh1.h"
-#include "ssh2.h"
-#include "key.h"
-#include "cipher.h"
-#include "kex.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "session.h"
-#include "dispatch.h"
-#include "auth-options.h"
-#include "serverloop.h"
-#include "misc.h"
-
-extern ServerOptions options;
-
-/* XXX */
-extern Kex *xxx_kex;
-extern Authctxt *the_authctxt;
-extern int use_privsep;
-
-static Buffer stdin_buffer;	/* Buffer for stdin data. */
-static Buffer stdout_buffer;	/* Buffer for stdout data. */
-static Buffer stderr_buffer;	/* Buffer for stderr data. */
-static int fdin;		/* Descriptor for stdin (for writing) */
-static int fdout;		/* Descriptor for stdout (for reading);
-				   May be same number as fdin. */
-static int fderr;		/* Descriptor for stderr.  May be -1. */
-static long stdin_bytes = 0;	/* Number of bytes written to stdin. */
-static long stdout_bytes = 0;	/* Number of stdout bytes sent to client. */
-static long stderr_bytes = 0;	/* Number of stderr bytes sent to client. */
-static long fdout_bytes = 0;	/* Number of stdout bytes read from program. */
-static int stdin_eof = 0;	/* EOF message received from client. */
-static int fdout_eof = 0;	/* EOF encountered reading from fdout. */
-static int fderr_eof = 0;	/* EOF encountered readung from fderr. */
-static int fdin_is_tty = 0;	/* fdin points to a tty. */
-static int connection_in;	/* Connection to client (input). */
-static int connection_out;	/* Connection to client (output). */
-static int connection_closed = 0;	/* Connection to client closed. */
-static u_int buffer_high;	/* "Soft" max buffer size. */
-static int client_alive_timeouts = 0;
-
-/*
- * This SIGCHLD kludge is used to detect when the child exits.  The server
- * will exit after that, as soon as forwarded connections have terminated.
- */
-
-static volatile sig_atomic_t child_terminated = 0;	/* The child has terminated. */
-
-/* Cleanup on signals (!use_privsep case only) */
-static volatile sig_atomic_t received_sigterm = 0;
-
-/* prototypes */
-static void server_init_dispatch(void);
-
-/*
- * we write to this pipe if a SIGCHLD is caught in order to avoid
- * the race between select() and child_terminated
- */
-static int notify_pipe[2];
-static void
-notify_setup(void)
-{
-	if (pipe(notify_pipe) < 0) {
-		error("pipe(notify_pipe) failed %s", strerror(errno));
-	} else if ((fcntl(notify_pipe[0], F_SETFD, 1) == -1) ||
-	    (fcntl(notify_pipe[1], F_SETFD, 1) == -1)) {
-		error("fcntl(notify_pipe, F_SETFD) failed %s", strerror(errno));
-		close(notify_pipe[0]);
-		close(notify_pipe[1]);
-	} else {
-		set_nonblock(notify_pipe[0]);
-		set_nonblock(notify_pipe[1]);
-		return;
-	}
-	notify_pipe[0] = -1;	/* read end */
-	notify_pipe[1] = -1;	/* write end */
-}
-static void
-notify_parent(void)
-{
-	if (notify_pipe[1] != -1)
-		write(notify_pipe[1], "", 1);
-}
-static void
-notify_prepare(fd_set *readset)
-{
-	if (notify_pipe[0] != -1)
-		FD_SET(notify_pipe[0], readset);
-}
-static void
-notify_done(fd_set *readset)
-{
-	char c;
-
-	if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset))
-		while (read(notify_pipe[0], &c, 1) != -1)
-			debug2("notify_done: reading");
-}
-
-/*ARGSUSED*/
-static void
-sigchld_handler(int sig)
-{
-	int save_errno = errno;
-	child_terminated = 1;
-#ifndef _UNICOS
-	mysignal(SIGCHLD, sigchld_handler);
-#endif
-	notify_parent();
-	errno = save_errno;
-}
-
-/*ARGSUSED*/
-static void
-sigterm_handler(int sig)
-{
-	received_sigterm = sig;
-}
-
-/*
- * Make packets from buffered stderr data, and buffer it for sending
- * to the client.
- */
-static void
-make_packets_from_stderr_data(void)
-{
-	u_int len;
-
-	/* Send buffered stderr data to the client. */
-	while (buffer_len(&stderr_buffer) > 0 &&
-	    packet_not_very_much_data_to_write()) {
-		len = buffer_len(&stderr_buffer);
-		if (packet_is_interactive()) {
-			if (len > 512)
-				len = 512;
-		} else {
-			/* Keep the packets at reasonable size. */
-			if (len > packet_get_maxsize())
-				len = packet_get_maxsize();
-		}
-		packet_start(SSH_SMSG_STDERR_DATA);
-		packet_put_string(buffer_ptr(&stderr_buffer), len);
-		packet_send();
-		buffer_consume(&stderr_buffer, len);
-		stderr_bytes += len;
-	}
-}
-
-/*
- * Make packets from buffered stdout data, and buffer it for sending to the
- * client.
- */
-static void
-make_packets_from_stdout_data(void)
-{
-	u_int len;
-
-	/* Send buffered stdout data to the client. */
-	while (buffer_len(&stdout_buffer) > 0 &&
-	    packet_not_very_much_data_to_write()) {
-		len = buffer_len(&stdout_buffer);
-		if (packet_is_interactive()) {
-			if (len > 512)
-				len = 512;
-		} else {
-			/* Keep the packets at reasonable size. */
-			if (len > packet_get_maxsize())
-				len = packet_get_maxsize();
-		}
-		packet_start(SSH_SMSG_STDOUT_DATA);
-		packet_put_string(buffer_ptr(&stdout_buffer), len);
-		packet_send();
-		buffer_consume(&stdout_buffer, len);
-		stdout_bytes += len;
-	}
-}
-
-static void
-client_alive_check(void)
-{
-	int channel_id;
-
-	/* timeout, check to see how many we have had */
-	if (++client_alive_timeouts > options.client_alive_count_max) {
-		logit("Timeout, client not responding.");
-		cleanup_exit(255);
-	}
-
-	/*
-	 * send a bogus global/channel request with "wantreply",
-	 * we should get back a failure
-	 */
-	if ((channel_id = channel_find_open()) == -1) {
-		packet_start(SSH2_MSG_GLOBAL_REQUEST);
-		packet_put_cstring("keepalive@openssh.com");
-		packet_put_char(1);	/* boolean: want reply */
-	} else {
-		channel_request_start(channel_id, "keepalive@openssh.com", 1);
-	}
-	packet_send();
-}
-
-/*
- * Sleep in select() until we can do something.  This will initialize the
- * select masks.  Upon return, the masks will indicate which descriptors
- * have data or can accept data.  Optionally, a maximum time can be specified
- * for the duration of the wait (0 = infinite).
- */
-static void
-wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
-    u_int *nallocp, u_int max_time_milliseconds)
-{
-	struct timeval tv, *tvp;
-	int ret;
-	int client_alive_scheduled = 0;
-
-	/*
-	 * if using client_alive, set the max timeout accordingly,
-	 * and indicate that this particular timeout was for client
-	 * alive by setting the client_alive_scheduled flag.
-	 *
-	 * this could be randomized somewhat to make traffic
-	 * analysis more difficult, but we're not doing it yet.
-	 */
-	if (compat20 &&
-	    max_time_milliseconds == 0 && options.client_alive_interval) {
-		client_alive_scheduled = 1;
-		max_time_milliseconds = options.client_alive_interval * 1000;
-	}
-
-	/* Allocate and update select() masks for channel descriptors. */
-	channel_prepare_select(readsetp, writesetp, maxfdp, nallocp, 0);
-
-	if (compat20) {
-#if 0
-		/* wrong: bad condition XXX */
-		if (channel_not_very_much_buffered_data())
-#endif
-		FD_SET(connection_in, *readsetp);
-	} else {
-		/*
-		 * Read packets from the client unless we have too much
-		 * buffered stdin or channel data.
-		 */
-		if (buffer_len(&stdin_buffer) < buffer_high &&
-		    channel_not_very_much_buffered_data())
-			FD_SET(connection_in, *readsetp);
-		/*
-		 * If there is not too much data already buffered going to
-		 * the client, try to get some more data from the program.
-		 */
-		if (packet_not_very_much_data_to_write()) {
-			if (!fdout_eof)
-				FD_SET(fdout, *readsetp);
-			if (!fderr_eof)
-				FD_SET(fderr, *readsetp);
-		}
-		/*
-		 * If we have buffered data, try to write some of that data
-		 * to the program.
-		 */
-		if (fdin != -1 && buffer_len(&stdin_buffer) > 0)
-			FD_SET(fdin, *writesetp);
-	}
-	notify_prepare(*readsetp);
-
-	/*
-	 * If we have buffered packet data going to the client, mark that
-	 * descriptor.
-	 */
-	if (packet_have_data_to_write())
-		FD_SET(connection_out, *writesetp);
-
-	/*
-	 * If child has terminated and there is enough buffer space to read
-	 * from it, then read as much as is available and exit.
-	 */
-	if (child_terminated && packet_not_very_much_data_to_write())
-		if (max_time_milliseconds == 0 || client_alive_scheduled)
-			max_time_milliseconds = 100;
-
-	if (max_time_milliseconds == 0)
-		tvp = NULL;
-	else {
-		tv.tv_sec = max_time_milliseconds / 1000;
-		tv.tv_usec = 1000 * (max_time_milliseconds % 1000);
-		tvp = &tv;
-	}
-
-	/* Wait for something to happen, or the timeout to expire. */
-	ret = select((*maxfdp)+1, *readsetp, *writesetp, NULL, tvp);
-
-	if (ret == -1) {
-		memset(*readsetp, 0, *nallocp);
-		memset(*writesetp, 0, *nallocp);
-		if (errno != EINTR)
-			error("select: %.100s", strerror(errno));
-	} else if (ret == 0 && client_alive_scheduled)
-		client_alive_check();
-
-	notify_done(*readsetp);
-}
-
-/*
- * Processes input from the client and the program.  Input data is stored
- * in buffers and processed later.
- */
-static void
-process_input(fd_set *readset)
-{
-	int len;
-	char buf[16384];
-
-	/* Read and buffer any input data from the client. */
-	if (FD_ISSET(connection_in, readset)) {
-		len = read(connection_in, buf, sizeof(buf));
-		if (len == 0) {
-			verbose("Connection closed by %.100s",
-			    get_remote_ipaddr());
-			connection_closed = 1;
-			if (compat20)
-				return;
-			cleanup_exit(255);
-		} else if (len < 0) {
-			if (errno != EINTR && errno != EAGAIN) {
-				verbose("Read error from remote host "
-				    "%.100s: %.100s",
-				    get_remote_ipaddr(), strerror(errno));
-				cleanup_exit(255);
-			}
-		} else {
-			/* Buffer any received data. */
-			packet_process_incoming(buf, len);
-		}
-	}
-	if (compat20)
-		return;
-
-	/* Read and buffer any available stdout data from the program. */
-	if (!fdout_eof && FD_ISSET(fdout, readset)) {
-		errno = 0;
-		len = read(fdout, buf, sizeof(buf));
-		if (len < 0 && (errno == EINTR || errno == EAGAIN)) {
-			/* do nothing */
-#ifndef PTY_ZEROREAD
-		} else if (len <= 0) {
-#else
-		} else if ((!isatty(fdout) && len <= 0) ||
-		    (isatty(fdout) && (len < 0 || (len == 0 && errno != 0)))) {
-#endif
-			fdout_eof = 1;
-		} else {
-			buffer_append(&stdout_buffer, buf, len);
-			fdout_bytes += len;
-		}
-	}
-	/* Read and buffer any available stderr data from the program. */
-	if (!fderr_eof && FD_ISSET(fderr, readset)) {
-		errno = 0;
-		len = read(fderr, buf, sizeof(buf));
-		if (len < 0 && (errno == EINTR || errno == EAGAIN)) {
-			/* do nothing */
-#ifndef PTY_ZEROREAD
-		} else if (len <= 0) {
-#else
-		} else if ((!isatty(fderr) && len <= 0) ||
-		    (isatty(fderr) && (len < 0 || (len == 0 && errno != 0)))) {
-#endif
-			fderr_eof = 1;
-		} else {
-			buffer_append(&stderr_buffer, buf, len);
-		}
-	}
-}
-
-/*
- * Sends data from internal buffers to client program stdin.
- */
-static void
-process_output(fd_set *writeset)
-{
-	struct termios tio;
-	u_char *data;
-	u_int dlen;
-	int len;
-
-	/* Write buffered data to program stdin. */
-	if (!compat20 && fdin != -1 && FD_ISSET(fdin, writeset)) {
-		data = buffer_ptr(&stdin_buffer);
-		dlen = buffer_len(&stdin_buffer);
-		len = write(fdin, data, dlen);
-		if (len < 0 && (errno == EINTR || errno == EAGAIN)) {
-			/* do nothing */
-		} else if (len <= 0) {
-			if (fdin != fdout)
-				close(fdin);
-			else
-				shutdown(fdin, SHUT_WR); /* We will no longer send. */
-			fdin = -1;
-		} else {
-			/* Successful write. */
-			if (fdin_is_tty && dlen >= 1 && data[0] != '\r' &&
-			    tcgetattr(fdin, &tio) == 0 &&
-			    !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) {
-				/*
-				 * Simulate echo to reduce the impact of
-				 * traffic analysis
-				 */
-				packet_send_ignore(len);
-				packet_send();
-			}
-			/* Consume the data from the buffer. */
-			buffer_consume(&stdin_buffer, len);
-			/* Update the count of bytes written to the program. */
-			stdin_bytes += len;
-		}
-	}
-	/* Send any buffered packet data to the client. */
-	if (FD_ISSET(connection_out, writeset))
-		packet_write_poll();
-}
-
-/*
- * Wait until all buffered output has been sent to the client.
- * This is used when the program terminates.
- */
-static void
-drain_output(void)
-{
-	/* Send any buffered stdout data to the client. */
-	if (buffer_len(&stdout_buffer) > 0) {
-		packet_start(SSH_SMSG_STDOUT_DATA);
-		packet_put_string(buffer_ptr(&stdout_buffer),
-				  buffer_len(&stdout_buffer));
-		packet_send();
-		/* Update the count of sent bytes. */
-		stdout_bytes += buffer_len(&stdout_buffer);
-	}
-	/* Send any buffered stderr data to the client. */
-	if (buffer_len(&stderr_buffer) > 0) {
-		packet_start(SSH_SMSG_STDERR_DATA);
-		packet_put_string(buffer_ptr(&stderr_buffer),
-				  buffer_len(&stderr_buffer));
-		packet_send();
-		/* Update the count of sent bytes. */
-		stderr_bytes += buffer_len(&stderr_buffer);
-	}
-	/* Wait until all buffered data has been written to the client. */
-	packet_write_wait();
-}
-
-static void
-process_buffered_input_packets(void)
-{
-	dispatch_run(DISPATCH_NONBLOCK, NULL, compat20 ? xxx_kex : NULL);
-}
-
-/*
- * Performs the interactive session.  This handles data transmission between
- * the client and the program.  Note that the notion of stdin, stdout, and
- * stderr in this function is sort of reversed: this function writes to
- * stdin (of the child program), and reads from stdout and stderr (of the
- * child program).
- */
-void
-server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
-{
-	fd_set *readset = NULL, *writeset = NULL;
-	int max_fd = 0;
-	u_int nalloc = 0;
-	int wait_status;	/* Status returned by wait(). */
-	pid_t wait_pid;		/* pid returned by wait(). */
-	int waiting_termination = 0;	/* Have displayed waiting close message. */
-	u_int max_time_milliseconds;
-	u_int previous_stdout_buffer_bytes;
-	u_int stdout_buffer_bytes;
-	int type;
-
-	debug("Entering interactive session.");
-
-	/* Initialize the SIGCHLD kludge. */
-	child_terminated = 0;
-	mysignal(SIGCHLD, sigchld_handler);
-
-	if (!use_privsep) {
-		signal(SIGTERM, sigterm_handler);
-		signal(SIGINT, sigterm_handler);
-		signal(SIGQUIT, sigterm_handler);
-	}
-
-	/* Initialize our global variables. */
-	fdin = fdin_arg;
-	fdout = fdout_arg;
-	fderr = fderr_arg;
-
-	/* nonblocking IO */
-	set_nonblock(fdin);
-	set_nonblock(fdout);
-	/* we don't have stderr for interactive terminal sessions, see below */
-	if (fderr != -1)
-		set_nonblock(fderr);
-
-	if (!(datafellows & SSH_BUG_IGNOREMSG) && isatty(fdin))
-		fdin_is_tty = 1;
-
-	connection_in = packet_get_connection_in();
-	connection_out = packet_get_connection_out();
-
-	notify_setup();
-
-	previous_stdout_buffer_bytes = 0;
-
-	/* Set approximate I/O buffer size. */
-	if (packet_is_interactive())
-		buffer_high = 4096;
-	else
-		buffer_high = 64 * 1024;
-
-#if 0
-	/* Initialize max_fd to the maximum of the known file descriptors. */
-	max_fd = MAX(connection_in, connection_out);
-	max_fd = MAX(max_fd, fdin);
-	max_fd = MAX(max_fd, fdout);
-	if (fderr != -1)
-		max_fd = MAX(max_fd, fderr);
-#endif
-
-	/* Initialize Initialize buffers. */
-	buffer_init(&stdin_buffer);
-	buffer_init(&stdout_buffer);
-	buffer_init(&stderr_buffer);
-
-	/*
-	 * If we have no separate fderr (which is the case when we have a pty
-	 * - there we cannot make difference between data sent to stdout and
-	 * stderr), indicate that we have seen an EOF from stderr.  This way
-	 * we don't need to check the descriptor everywhere.
-	 */
-	if (fderr == -1)
-		fderr_eof = 1;
-
-	server_init_dispatch();
-
-	/* Main loop of the server for the interactive session mode. */
-	for (;;) {
-
-		/* Process buffered packets from the client. */
-		process_buffered_input_packets();
-
-		/*
-		 * If we have received eof, and there is no more pending
-		 * input data, cause a real eof by closing fdin.
-		 */
-		if (stdin_eof && fdin != -1 && buffer_len(&stdin_buffer) == 0) {
-			if (fdin != fdout)
-				close(fdin);
-			else
-				shutdown(fdin, SHUT_WR); /* We will no longer send. */
-			fdin = -1;
-		}
-		/* Make packets from buffered stderr data to send to the client. */
-		make_packets_from_stderr_data();
-
-		/*
-		 * Make packets from buffered stdout data to send to the
-		 * client. If there is very little to send, this arranges to
-		 * not send them now, but to wait a short while to see if we
-		 * are getting more data. This is necessary, as some systems
-		 * wake up readers from a pty after each separate character.
-		 */
-		max_time_milliseconds = 0;
-		stdout_buffer_bytes = buffer_len(&stdout_buffer);
-		if (stdout_buffer_bytes != 0 && stdout_buffer_bytes < 256 &&
-		    stdout_buffer_bytes != previous_stdout_buffer_bytes) {
-			/* try again after a while */
-			max_time_milliseconds = 10;
-		} else {
-			/* Send it now. */
-			make_packets_from_stdout_data();
-		}
-		previous_stdout_buffer_bytes = buffer_len(&stdout_buffer);
-
-		/* Send channel data to the client. */
-		if (packet_not_very_much_data_to_write())
-			channel_output_poll();
-
-		/*
-		 * Bail out of the loop if the program has closed its output
-		 * descriptors, and we have no more data to send to the
-		 * client, and there is no pending buffered data.
-		 */
-		if (fdout_eof && fderr_eof && !packet_have_data_to_write() &&
-		    buffer_len(&stdout_buffer) == 0 && buffer_len(&stderr_buffer) == 0) {
-			if (!channel_still_open())
-				break;
-			if (!waiting_termination) {
-				const char *s = "Waiting for forwarded connections to terminate...\r\n";
-				char *cp;
-				waiting_termination = 1;
-				buffer_append(&stderr_buffer, s, strlen(s));
-
-				/* Display list of open channels. */
-				cp = channel_open_message();
-				buffer_append(&stderr_buffer, cp, strlen(cp));
-				xfree(cp);
-			}
-		}
-		max_fd = MAX(connection_in, connection_out);
-		max_fd = MAX(max_fd, fdin);
-		max_fd = MAX(max_fd, fdout);
-		max_fd = MAX(max_fd, fderr);
-		max_fd = MAX(max_fd, notify_pipe[0]);
-
-		/* Sleep in select() until we can do something. */
-		wait_until_can_do_something(&readset, &writeset, &max_fd,
-		    &nalloc, max_time_milliseconds);
-
-		if (received_sigterm) {
-			logit("Exiting on signal %d", received_sigterm);
-			/* Clean up sessions, utmp, etc. */
-			cleanup_exit(255);
-		}
-
-		/* Process any channel events. */
-		channel_after_select(readset, writeset);
-
-		/* Process input from the client and from program stdout/stderr. */
-		process_input(readset);
-
-		/* Process output to the client and to program stdin. */
-		process_output(writeset);
-	}
-	if (readset)
-		xfree(readset);
-	if (writeset)
-		xfree(writeset);
-
-	/* Cleanup and termination code. */
-
-	/* Wait until all output has been sent to the client. */
-	drain_output();
-
-	debug("End of interactive session; stdin %ld, stdout (read %ld, sent %ld), stderr %ld bytes.",
-	    stdin_bytes, fdout_bytes, stdout_bytes, stderr_bytes);
-
-	/* Free and clear the buffers. */
-	buffer_free(&stdin_buffer);
-	buffer_free(&stdout_buffer);
-	buffer_free(&stderr_buffer);
-
-	/* Close the file descriptors. */
-	if (fdout != -1)
-		close(fdout);
-	fdout = -1;
-	fdout_eof = 1;
-	if (fderr != -1)
-		close(fderr);
-	fderr = -1;
-	fderr_eof = 1;
-	if (fdin != -1)
-		close(fdin);
-	fdin = -1;
-
-	channel_free_all();
-
-	/* We no longer want our SIGCHLD handler to be called. */
-	mysignal(SIGCHLD, SIG_DFL);
-
-	while ((wait_pid = waitpid(-1, &wait_status, 0)) < 0)
-		if (errno != EINTR)
-			packet_disconnect("wait: %.100s", strerror(errno));
-	if (wait_pid != pid)
-		error("Strange, wait returned pid %ld, expected %ld",
-		    (long)wait_pid, (long)pid);
-
-	/* Check if it exited normally. */
-	if (WIFEXITED(wait_status)) {
-		/* Yes, normal exit.  Get exit status and send it to the client. */
-		debug("Command exited with status %d.", WEXITSTATUS(wait_status));
-		packet_start(SSH_SMSG_EXITSTATUS);
-		packet_put_int(WEXITSTATUS(wait_status));
-		packet_send();
-		packet_write_wait();
-
-		/*
-		 * Wait for exit confirmation.  Note that there might be
-		 * other packets coming before it; however, the program has
-		 * already died so we just ignore them.  The client is
-		 * supposed to respond with the confirmation when it receives
-		 * the exit status.
-		 */
-		do {
-			type = packet_read();
-		}
-		while (type != SSH_CMSG_EXIT_CONFIRMATION);
-
-		debug("Received exit confirmation.");
-		return;
-	}
-	/* Check if the program terminated due to a signal. */
-	if (WIFSIGNALED(wait_status))
-		packet_disconnect("Command terminated on signal %d.",
-				  WTERMSIG(wait_status));
-
-	/* Some weird exit cause.  Just exit. */
-	packet_disconnect("wait returned status %04x.", wait_status);
-	/* NOTREACHED */
-}
-
-static void
-collect_children(void)
-{
-	pid_t pid;
-	sigset_t oset, nset;
-	int status;
-
-	/* block SIGCHLD while we check for dead children */
-	sigemptyset(&nset);
-	sigaddset(&nset, SIGCHLD);
-	sigprocmask(SIG_BLOCK, &nset, &oset);
-	if (child_terminated) {
-		debug("Received SIGCHLD.");
-		while ((pid = waitpid(-1, &status, WNOHANG)) > 0 ||
-		    (pid < 0 && errno == EINTR))
-			if (pid > 0)
-				session_close_by_pid(pid, status);
-		child_terminated = 0;
-	}
-	sigprocmask(SIG_SETMASK, &oset, NULL);
-}
-
-void
-server_loop2(Authctxt *authctxt)
-{
-	fd_set *readset = NULL, *writeset = NULL;
-	int rekeying = 0, max_fd, nalloc = 0;
-
-	debug("Entering interactive session for SSH2.");
-
-	mysignal(SIGCHLD, sigchld_handler);
-	child_terminated = 0;
-	connection_in = packet_get_connection_in();
-	connection_out = packet_get_connection_out();
-
-	if (!use_privsep) {
-		signal(SIGTERM, sigterm_handler);
-		signal(SIGINT, sigterm_handler);
-		signal(SIGQUIT, sigterm_handler);
-	}
-
-	notify_setup();
-
-	max_fd = MAX(connection_in, connection_out);
-	max_fd = MAX(max_fd, notify_pipe[0]);
-
-	server_init_dispatch();
-
-	for (;;) {
-		process_buffered_input_packets();
-
-		rekeying = (xxx_kex != NULL && !xxx_kex->done);
-
-		if (!rekeying && packet_not_very_much_data_to_write())
-			channel_output_poll();
-		wait_until_can_do_something(&readset, &writeset, &max_fd,
-		    &nalloc, 0);
-
-		if (received_sigterm) {
-			logit("Exiting on signal %d", received_sigterm);
-			/* Clean up sessions, utmp, etc. */
-			cleanup_exit(255);
-		}
-
-		collect_children();
-		if (!rekeying) {
-			channel_after_select(readset, writeset);
-			if (packet_need_rekeying()) {
-				debug("need rekeying");
-				xxx_kex->done = 0;
-				kex_send_kexinit(xxx_kex);
-			}
-		}
-		process_input(readset);
-		if (connection_closed)
-			break;
-		process_output(writeset);
-	}
-	collect_children();
-
-	if (readset)
-		xfree(readset);
-	if (writeset)
-		xfree(writeset);
-
-	/* free all channels, no more reads and writes */
-	channel_free_all();
-
-	/* free remaining sessions, e.g. remove wtmp entries */
-	session_destroy_all(NULL);
-}
-
-static void
-server_input_keep_alive(int type, u_int32_t seq, void *ctxt)
-{
-	debug("Got %d/%u for keepalive", type, seq);
-	/*
-	 * reset timeout, since we got a sane answer from the client.
-	 * even if this was generated by something other than
-	 * the bogus CHANNEL_REQUEST we send for keepalives.
-	 */
-	client_alive_timeouts = 0;
-}
-
-static void
-server_input_stdin_data(int type, u_int32_t seq, void *ctxt)
-{
-	char *data;
-	u_int data_len;
-
-	/* Stdin data from the client.  Append it to the buffer. */
-	/* Ignore any data if the client has closed stdin. */
-	if (fdin == -1)
-		return;
-	data = packet_get_string(&data_len);
-	packet_check_eom();
-	buffer_append(&stdin_buffer, data, data_len);
-	memset(data, 0, data_len);
-	xfree(data);
-}
-
-static void
-server_input_eof(int type, u_int32_t seq, void *ctxt)
-{
-	/*
-	 * Eof from the client.  The stdin descriptor to the
-	 * program will be closed when all buffered data has
-	 * drained.
-	 */
-	debug("EOF received for stdin.");
-	packet_check_eom();
-	stdin_eof = 1;
-}
-
-static void
-server_input_window_size(int type, u_int32_t seq, void *ctxt)
-{
-	u_int row = packet_get_int();
-	u_int col = packet_get_int();
-	u_int xpixel = packet_get_int();
-	u_int ypixel = packet_get_int();
-
-	debug("Window change received.");
-	packet_check_eom();
-	if (fdin != -1)
-		pty_change_window_size(fdin, row, col, xpixel, ypixel);
-}
-
-static Channel *
-server_request_direct_tcpip(void)
-{
-	Channel *c;
-	int sock;
-	char *target, *originator;
-	int target_port, originator_port;
-
-	target = packet_get_string(NULL);
-	target_port = packet_get_int();
-	originator = packet_get_string(NULL);
-	originator_port = packet_get_int();
-	packet_check_eom();
-
-	debug("server_request_direct_tcpip: originator %s port %d, target %s port %d",
-	    originator, originator_port, target, target_port);
-
-	/* XXX check permission */
-	sock = channel_connect_to(target, target_port);
-	xfree(target);
-	xfree(originator);
-	if (sock < 0)
-		return NULL;
-	c = channel_new("direct-tcpip", SSH_CHANNEL_CONNECTING,
-	    sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT,
-	    CHAN_TCP_PACKET_DEFAULT, 0, "direct-tcpip", 1);
-	return c;
-}
-
-static Channel *
-server_request_tun(void)
-{
-	Channel *c = NULL;
-	int mode, tun;
-	int sock;
-
-	mode = packet_get_int();
-	switch (mode) {
-	case SSH_TUNMODE_POINTOPOINT:
-	case SSH_TUNMODE_ETHERNET:
-		break;
-	default:
-		packet_send_debug("Unsupported tunnel device mode.");
-		return NULL;
-	}
-	if ((options.permit_tun & mode) == 0) {
-		packet_send_debug("Server has rejected tunnel device "
-		    "forwarding");
-		return NULL;
-	}
-
-	tun = packet_get_int();
-	if (forced_tun_device != -1) {
-		if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
-			goto done;
-		tun = forced_tun_device;
-	}
-	sock = tun_open(tun, mode);
-	if (sock < 0)
-		goto done;
-	c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
-	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
-	c->datagram = 1;
-#if defined(SSH_TUN_FILTER)
-	if (mode == SSH_TUNMODE_POINTOPOINT)
-		channel_register_filter(c->self, sys_tun_infilter,
-		    sys_tun_outfilter);
-#endif
-
- done:
-	if (c == NULL)
-		packet_send_debug("Failed to open the tunnel device.");
-	return c;
-}
-
-static Channel *
-server_request_session(void)
-{
-	Channel *c;
-
-	debug("input_session_request");
-	packet_check_eom();
-	/*
-	 * A server session has no fd to read or write until a
-	 * CHANNEL_REQUEST for a shell is made, so we set the type to
-	 * SSH_CHANNEL_LARVAL.  Additionally, a callback for handling all
-	 * CHANNEL_REQUEST messages is registered.
-	 */
-	c = channel_new("session", SSH_CHANNEL_LARVAL,
-	    -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
-	    0, "server-session", 1);
-	if (session_open(the_authctxt, c->self) != 1) {
-		debug("session open failed, free channel %d", c->self);
-		channel_free(c);
-		return NULL;
-	}
-	channel_register_cleanup(c->self, session_close_by_channel, 0);
-	return c;
-}
-
-static void
-server_input_channel_open(int type, u_int32_t seq, void *ctxt)
-{
-	Channel *c = NULL;
-	char *ctype;
-	int rchan;
-	u_int rmaxpack, rwindow, len;
-
-	ctype = packet_get_string(&len);
-	rchan = packet_get_int();
-	rwindow = packet_get_int();
-	rmaxpack = packet_get_int();
-
-	debug("server_input_channel_open: ctype %s rchan %d win %d max %d",
-	    ctype, rchan, rwindow, rmaxpack);
-
-	if (strcmp(ctype, "session") == 0) {
-		c = server_request_session();
-	} else if (strcmp(ctype, "direct-tcpip") == 0) {
-		c = server_request_direct_tcpip();
-	} else if (strcmp(ctype, "tun@openssh.com") == 0) {
-		c = server_request_tun();
-	}
-	if (c != NULL) {
-		debug("server_input_channel_open: confirm %s", ctype);
-		c->remote_id = rchan;
-		c->remote_window = rwindow;
-		c->remote_maxpacket = rmaxpack;
-		if (c->type != SSH_CHANNEL_CONNECTING) {
-			packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);
-			packet_put_int(c->remote_id);
-			packet_put_int(c->self);
-			packet_put_int(c->local_window);
-			packet_put_int(c->local_maxpacket);
-			packet_send();
-		}
-	} else {
-		debug("server_input_channel_open: failure %s", ctype);
-		packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE);
-		packet_put_int(rchan);
-		packet_put_int(SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED);
-		if (!(datafellows & SSH_BUG_OPENFAILURE)) {
-			packet_put_cstring("open failed");
-			packet_put_cstring("");
-		}
-		packet_send();
-	}
-	xfree(ctype);
-}
-
-static void
-server_input_global_request(int type, u_int32_t seq, void *ctxt)
-{
-	char *rtype;
-	int want_reply;
-	int success = 0;
-
-	rtype = packet_get_string(NULL);
-	want_reply = packet_get_char();
-	debug("server_input_global_request: rtype %s want_reply %d", rtype, want_reply);
-
-	/* -R style forwarding */
-	if (strcmp(rtype, "tcpip-forward") == 0) {
-		struct passwd *pw;
-		char *listen_address;
-		u_short listen_port;
-
-		pw = the_authctxt->pw;
-		if (pw == NULL || !the_authctxt->valid)
-			fatal("server_input_global_request: no/invalid user");
-		listen_address = packet_get_string(NULL);
-		listen_port = (u_short)packet_get_int();
-		debug("server_input_global_request: tcpip-forward listen %s port %d",
-		    listen_address, listen_port);
-
-		/* check permissions */
-		if (!options.allow_tcp_forwarding ||
-		    no_port_forwarding_flag
-#ifndef NO_IPPORT_RESERVED_CONCEPT
-		    || (listen_port < IPPORT_RESERVED && pw->pw_uid != 0)
-#endif
-		    ) {
-			success = 0;
-			packet_send_debug("Server has disabled port forwarding.");
-		} else {
-			/* Start listening on the port */
-			success = channel_setup_remote_fwd_listener(
-			    listen_address, listen_port, options.gateway_ports);
-		}
-		xfree(listen_address);
-	} else if (strcmp(rtype, "cancel-tcpip-forward") == 0) {
-		char *cancel_address;
-		u_short cancel_port;
-
-		cancel_address = packet_get_string(NULL);
-		cancel_port = (u_short)packet_get_int();
-		debug("%s: cancel-tcpip-forward addr %s port %d", __func__,
-		    cancel_address, cancel_port);
-
-		success = channel_cancel_rport_listener(cancel_address,
-		    cancel_port);
-		xfree(cancel_address);
-	}
-	if (want_reply) {
-		packet_start(success ?
-		    SSH2_MSG_REQUEST_SUCCESS : SSH2_MSG_REQUEST_FAILURE);
-		packet_send();
-		packet_write_wait();
-	}
-	xfree(rtype);
-}
-
-static void
-server_input_channel_req(int type, u_int32_t seq, void *ctxt)
-{
-	Channel *c;
-	int id, reply, success = 0;
-	char *rtype;
-
-	id = packet_get_int();
-	rtype = packet_get_string(NULL);
-	reply = packet_get_char();
-
-	debug("server_input_channel_req: channel %d request %s reply %d",
-	    id, rtype, reply);
-
-	if ((c = channel_lookup(id)) == NULL)
-		packet_disconnect("server_input_channel_req: "
-		    "unknown channel %d", id);
-	if (c->type == SSH_CHANNEL_LARVAL || c->type == SSH_CHANNEL_OPEN)
-		success = session_input_channel_req(c, rtype);
-	if (reply) {
-		packet_start(success ?
-		    SSH2_MSG_CHANNEL_SUCCESS : SSH2_MSG_CHANNEL_FAILURE);
-		packet_put_int(c->remote_id);
-		packet_send();
-	}
-	xfree(rtype);
-}
-
-static void
-server_init_dispatch_20(void)
-{
-	debug("server_init_dispatch_20");
-	dispatch_init(&dispatch_protocol_error);
-	dispatch_set(SSH2_MSG_CHANNEL_CLOSE, &channel_input_oclose);
-	dispatch_set(SSH2_MSG_CHANNEL_DATA, &channel_input_data);
-	dispatch_set(SSH2_MSG_CHANNEL_EOF, &channel_input_ieof);
-	dispatch_set(SSH2_MSG_CHANNEL_EXTENDED_DATA, &channel_input_extended_data);
-	dispatch_set(SSH2_MSG_CHANNEL_OPEN, &server_input_channel_open);
-	dispatch_set(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation);
-	dispatch_set(SSH2_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure);
-	dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &server_input_channel_req);
-	dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust);
-	dispatch_set(SSH2_MSG_GLOBAL_REQUEST, &server_input_global_request);
-	/* client_alive */
-	dispatch_set(SSH2_MSG_CHANNEL_FAILURE, &server_input_keep_alive);
-	dispatch_set(SSH2_MSG_REQUEST_SUCCESS, &server_input_keep_alive);
-	dispatch_set(SSH2_MSG_REQUEST_FAILURE, &server_input_keep_alive);
-	/* rekeying */
-	dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit);
-}
-static void
-server_init_dispatch_13(void)
-{
-	debug("server_init_dispatch_13");
-	dispatch_init(NULL);
-	dispatch_set(SSH_CMSG_EOF, &server_input_eof);
-	dispatch_set(SSH_CMSG_STDIN_DATA, &server_input_stdin_data);
-	dispatch_set(SSH_CMSG_WINDOW_SIZE, &server_input_window_size);
-	dispatch_set(SSH_MSG_CHANNEL_CLOSE, &channel_input_close);
-	dispatch_set(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION, &channel_input_close_confirmation);
-	dispatch_set(SSH_MSG_CHANNEL_DATA, &channel_input_data);
-	dispatch_set(SSH_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation);
-	dispatch_set(SSH_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure);
-	dispatch_set(SSH_MSG_PORT_OPEN, &channel_input_port_open);
-}
-static void
-server_init_dispatch_15(void)
-{
-	server_init_dispatch_13();
-	debug("server_init_dispatch_15");
-	dispatch_set(SSH_MSG_CHANNEL_CLOSE, &channel_input_ieof);
-	dispatch_set(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION, &channel_input_oclose);
-}
-static void
-server_init_dispatch(void)
-{
-	if (compat20)
-		server_init_dispatch_20();
-	else if (compat13)
-		server_init_dispatch_13();
-	else
-		server_init_dispatch_15();
-}
diff --git a/crypto/openssh/serverloop.h b/crypto/openssh/serverloop.h
deleted file mode 100644
index 7311558..0000000
--- a/crypto/openssh/serverloop.h
+++ /dev/null
@@ -1,27 +0,0 @@
-/* $OpenBSD: serverloop.h,v 1.6 2006/03/25 22:22:43 djm Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-/*
- * Performs the interactive session.  This handles data transmission between
- * the client and the program.  Note that the notion of stdin, stdout, and
- * stderr in this function is sort of reversed: this function writes to stdin
- * (of the child program), and reads from stdout and stderr (of the child
- * program).
- */
-#ifndef SERVERLOOP_H
-#define SERVERLOOP_H
-
-void    server_loop(pid_t, int, int, int);
-void    server_loop2(Authctxt *);
-
-#endif
diff --git a/crypto/openssh/session.c b/crypto/openssh/session.c
deleted file mode 100644
index 69153ad..0000000
--- a/crypto/openssh/session.c
+++ /dev/null
@@ -1,2510 +0,0 @@
-/* $OpenBSD: session.c,v 1.220 2006/10/09 23:36:11 djm Exp $ */
-/*
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- * SSH2 support by Markus Friedl.
- * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#ifdef HAVE_SYS_STAT_H
-# include <sys/stat.h>
-#endif
-#include <sys/socket.h>
-#include <sys/un.h>
-#include <sys/wait.h>
-
-#include <arpa/inet.h>
-
-#include <errno.h>
-#include <grp.h>
-#ifdef HAVE_PATHS_H
-#include <paths.h>
-#endif
-#include <pwd.h>
-#include <signal.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "xmalloc.h"
-#include "ssh.h"
-#include "ssh1.h"
-#include "ssh2.h"
-#include "sshpty.h"
-#include "packet.h"
-#include "buffer.h"
-#include "match.h"
-#include "uidswap.h"
-#include "compat.h"
-#include "channels.h"
-#include "key.h"
-#include "cipher.h"
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-#include "hostfile.h"
-#include "auth.h"
-#include "auth-options.h"
-#include "pathnames.h"
-#include "log.h"
-#include "servconf.h"
-#include "sshlogin.h"
-#include "serverloop.h"
-#include "canohost.h"
-#include "session.h"
-#include "kex.h"
-#include "monitor_wrap.h"
-
-#if defined(KRB5) && defined(USE_AFS)
-#include <kafs.h>
-#endif
-
-/* func */
-
-Session *session_new(void);
-void	session_set_fds(Session *, int, int, int);
-void	session_pty_cleanup(Session *);
-void	session_proctitle(Session *);
-int	session_setup_x11fwd(Session *);
-void	do_exec_pty(Session *, const char *);
-void	do_exec_no_pty(Session *, const char *);
-void	do_exec(Session *, const char *);
-void	do_login(Session *, const char *);
-#ifdef LOGIN_NEEDS_UTMPX
-static void	do_pre_login(Session *s);
-#endif
-void	do_child(Session *, const char *);
-void	do_motd(void);
-int	check_quietlogin(Session *, const char *);
-
-static void do_authenticated1(Authctxt *);
-static void do_authenticated2(Authctxt *);
-
-static int session_pty_req(Session *);
-
-/* import */
-extern ServerOptions options;
-extern char *__progname;
-extern int log_stderr;
-extern int debug_flag;
-extern u_int utmp_len;
-extern int startup_pipe;
-extern void destroy_sensitive_data(void);
-extern Buffer loginmsg;
-
-/* original command from peer. */
-const char *original_command = NULL;
-
-/* data */
-#define MAX_SESSIONS 10
-Session	sessions[MAX_SESSIONS];
-
-#ifdef HAVE_LOGIN_CAP
-login_cap_t *lc;
-#endif
-
-static int is_child = 0;
-
-/* Name and directory of socket for authentication agent forwarding. */
-static char *auth_sock_name = NULL;
-static char *auth_sock_dir = NULL;
-
-/* removes the agent forwarding socket */
-
-static void
-auth_sock_cleanup_proc(struct passwd *pw)
-{
-	if (auth_sock_name != NULL) {
-		temporarily_use_uid(pw);
-		unlink(auth_sock_name);
-		rmdir(auth_sock_dir);
-		auth_sock_name = NULL;
-		restore_uid();
-	}
-}
-
-static int
-auth_input_request_forwarding(struct passwd * pw)
-{
-	Channel *nc;
-	int sock;
-	struct sockaddr_un sunaddr;
-
-	if (auth_sock_name != NULL) {
-		error("authentication forwarding requested twice.");
-		return 0;
-	}
-
-	/* Temporarily drop privileged uid for mkdir/bind. */
-	temporarily_use_uid(pw);
-
-	/* Allocate a buffer for the socket name, and format the name. */
-	auth_sock_name = xmalloc(MAXPATHLEN);
-	auth_sock_dir = xmalloc(MAXPATHLEN);
-	strlcpy(auth_sock_dir, "/tmp/ssh-XXXXXXXXXX", MAXPATHLEN);
-
-	/* Create private directory for socket */
-	if (mkdtemp(auth_sock_dir) == NULL) {
-		packet_send_debug("Agent forwarding disabled: "
-		    "mkdtemp() failed: %.100s", strerror(errno));
-		restore_uid();
-		xfree(auth_sock_name);
-		xfree(auth_sock_dir);
-		auth_sock_name = NULL;
-		auth_sock_dir = NULL;
-		return 0;
-	}
-	snprintf(auth_sock_name, MAXPATHLEN, "%s/agent.%ld",
-		 auth_sock_dir, (long) getpid());
-
-	/* Create the socket. */
-	sock = socket(AF_UNIX, SOCK_STREAM, 0);
-	if (sock < 0)
-		packet_disconnect("socket: %.100s", strerror(errno));
-
-	/* Bind it to the name. */
-	memset(&sunaddr, 0, sizeof(sunaddr));
-	sunaddr.sun_family = AF_UNIX;
-	strlcpy(sunaddr.sun_path, auth_sock_name, sizeof(sunaddr.sun_path));
-
-	if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0)
-		packet_disconnect("bind: %.100s", strerror(errno));
-
-	/* Restore the privileged uid. */
-	restore_uid();
-
-	/* Start listening on the socket. */
-	if (listen(sock, SSH_LISTEN_BACKLOG) < 0)
-		packet_disconnect("listen: %.100s", strerror(errno));
-
-	/* Allocate a channel for the authentication agent socket. */
-	nc = channel_new("auth socket",
-	    SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1,
-	    CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
-	    0, "auth socket", 1);
-	strlcpy(nc->path, auth_sock_name, sizeof(nc->path));
-	return 1;
-}
-
-static void
-display_loginmsg(void)
-{
-	if (buffer_len(&loginmsg) > 0) {
-		buffer_append(&loginmsg, "\0", 1);
-		printf("%s", (char *)buffer_ptr(&loginmsg));
-		buffer_clear(&loginmsg);
-	}
-}
-
-void
-do_authenticated(Authctxt *authctxt)
-{
-	setproctitle("%s", authctxt->pw->pw_name);
-
-	/* setup the channel layer */
-	if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
-		channel_permit_all_opens();
-
-	if (compat20)
-		do_authenticated2(authctxt);
-	else
-		do_authenticated1(authctxt);
-
-	do_cleanup(authctxt);
-}
-
-/*
- * Prepares for an interactive session.  This is called after the user has
- * been successfully authenticated.  During this message exchange, pseudo
- * terminals are allocated, X11, TCP/IP, and authentication agent forwardings
- * are requested, etc.
- */
-static void
-do_authenticated1(Authctxt *authctxt)
-{
-	Session *s;
-	char *command;
-	int success, type, screen_flag;
-	int enable_compression_after_reply = 0;
-	u_int proto_len, data_len, dlen, compression_level = 0;
-
-	s = session_new();
-	if (s == NULL) {
-		error("no more sessions");
-		return;
-	}
-	s->authctxt = authctxt;
-	s->pw = authctxt->pw;
-
-	/*
-	 * We stay in this loop until the client requests to execute a shell
-	 * or a command.
-	 */
-	for (;;) {
-		success = 0;
-
-		/* Get a packet from the client. */
-		type = packet_read();
-
-		/* Process the packet. */
-		switch (type) {
-		case SSH_CMSG_REQUEST_COMPRESSION:
-			compression_level = packet_get_int();
-			packet_check_eom();
-			if (compression_level < 1 || compression_level > 9) {
-				packet_send_debug("Received invalid compression level %d.",
-				    compression_level);
-				break;
-			}
-			if (options.compression == COMP_NONE) {
-				debug2("compression disabled");
-				break;
-			}
-			/* Enable compression after we have responded with SUCCESS. */
-			enable_compression_after_reply = 1;
-			success = 1;
-			break;
-
-		case SSH_CMSG_REQUEST_PTY:
-			success = session_pty_req(s);
-			break;
-
-		case SSH_CMSG_X11_REQUEST_FORWARDING:
-			s->auth_proto = packet_get_string(&proto_len);
-			s->auth_data = packet_get_string(&data_len);
-
-			screen_flag = packet_get_protocol_flags() &
-			    SSH_PROTOFLAG_SCREEN_NUMBER;
-			debug2("SSH_PROTOFLAG_SCREEN_NUMBER: %d", screen_flag);
-
-			if (packet_remaining() == 4) {
-				if (!screen_flag)
-					debug2("Buggy client: "
-					    "X11 screen flag missing");
-				s->screen = packet_get_int();
-			} else {
-				s->screen = 0;
-			}
-			packet_check_eom();
-			success = session_setup_x11fwd(s);
-			if (!success) {
-				xfree(s->auth_proto);
-				xfree(s->auth_data);
-				s->auth_proto = NULL;
-				s->auth_data = NULL;
-			}
-			break;
-
-		case SSH_CMSG_AGENT_REQUEST_FORWARDING:
-			if (no_agent_forwarding_flag || compat13) {
-				debug("Authentication agent forwarding not permitted for this authentication.");
-				break;
-			}
-			debug("Received authentication agent forwarding request.");
-			success = auth_input_request_forwarding(s->pw);
-			break;
-
-		case SSH_CMSG_PORT_FORWARD_REQUEST:
-			if (no_port_forwarding_flag) {
-				debug("Port forwarding not permitted for this authentication.");
-				break;
-			}
-			if (!options.allow_tcp_forwarding) {
-				debug("Port forwarding not permitted.");
-				break;
-			}
-			debug("Received TCP/IP port forwarding request.");
-			if (channel_input_port_forward_request(s->pw->pw_uid == 0,
-			    options.gateway_ports) < 0) {
-				debug("Port forwarding failed.");
-				break;
-			}
-			success = 1;
-			break;
-
-		case SSH_CMSG_MAX_PACKET_SIZE:
-			if (packet_set_maxsize(packet_get_int()) > 0)
-				success = 1;
-			break;
-
-		case SSH_CMSG_EXEC_SHELL:
-		case SSH_CMSG_EXEC_CMD:
-			if (type == SSH_CMSG_EXEC_CMD) {
-				command = packet_get_string(&dlen);
-				debug("Exec command '%.500s'", command);
-				do_exec(s, command);
-				xfree(command);
-			} else {
-				do_exec(s, NULL);
-			}
-			packet_check_eom();
-			session_close(s);
-			return;
-
-		default:
-			/*
-			 * Any unknown messages in this phase are ignored,
-			 * and a failure message is returned.
-			 */
-			logit("Unknown packet type received after authentication: %d", type);
-		}
-		packet_start(success ? SSH_SMSG_SUCCESS : SSH_SMSG_FAILURE);
-		packet_send();
-		packet_write_wait();
-
-		/* Enable compression now that we have replied if appropriate. */
-		if (enable_compression_after_reply) {
-			enable_compression_after_reply = 0;
-			packet_start_compression(compression_level);
-		}
-	}
-}
-
-/*
- * This is called to fork and execute a command when we have no tty.  This
- * will call do_child from the child, and server_loop from the parent after
- * setting up file descriptors and such.
- */
-void
-do_exec_no_pty(Session *s, const char *command)
-{
-	pid_t pid;
-
-#ifdef USE_PIPES
-	int pin[2], pout[2], perr[2];
-	/* Allocate pipes for communicating with the program. */
-	if (pipe(pin) < 0 || pipe(pout) < 0 || pipe(perr) < 0)
-		packet_disconnect("Could not create pipes: %.100s",
-				  strerror(errno));
-#else /* USE_PIPES */
-	int inout[2], err[2];
-	/* Uses socket pairs to communicate with the program. */
-	if (socketpair(AF_UNIX, SOCK_STREAM, 0, inout) < 0 ||
-	    socketpair(AF_UNIX, SOCK_STREAM, 0, err) < 0)
-		packet_disconnect("Could not create socket pairs: %.100s",
-				  strerror(errno));
-#endif /* USE_PIPES */
-	if (s == NULL)
-		fatal("do_exec_no_pty: no session");
-
-	session_proctitle(s);
-
-#if defined(USE_PAM)
-	if (options.use_pam && !use_privsep)
-		do_pam_setcred(1);
-#endif /* USE_PAM */
-
-	/* Fork the child. */
-	if ((pid = fork()) == 0) {
-		is_child = 1;
-
-		/* Child.  Reinitialize the log since the pid has changed. */
-		log_init(__progname, options.log_level, options.log_facility, log_stderr);
-
-		/*
-		 * Create a new session and process group since the 4.4BSD
-		 * setlogin() affects the entire process group.
-		 */
-		if (setsid() < 0)
-			error("setsid failed: %.100s", strerror(errno));
-
-#ifdef USE_PIPES
-		/*
-		 * Redirect stdin.  We close the parent side of the socket
-		 * pair, and make the child side the standard input.
-		 */
-		close(pin[1]);
-		if (dup2(pin[0], 0) < 0)
-			perror("dup2 stdin");
-		close(pin[0]);
-
-		/* Redirect stdout. */
-		close(pout[0]);
-		if (dup2(pout[1], 1) < 0)
-			perror("dup2 stdout");
-		close(pout[1]);
-
-		/* Redirect stderr. */
-		close(perr[0]);
-		if (dup2(perr[1], 2) < 0)
-			perror("dup2 stderr");
-		close(perr[1]);
-#else /* USE_PIPES */
-		/*
-		 * Redirect stdin, stdout, and stderr.  Stdin and stdout will
-		 * use the same socket, as some programs (particularly rdist)
-		 * seem to depend on it.
-		 */
-		close(inout[1]);
-		close(err[1]);
-		if (dup2(inout[0], 0) < 0)	/* stdin */
-			perror("dup2 stdin");
-		if (dup2(inout[0], 1) < 0)	/* stdout.  Note: same socket as stdin. */
-			perror("dup2 stdout");
-		if (dup2(err[0], 2) < 0)	/* stderr */
-			perror("dup2 stderr");
-#endif /* USE_PIPES */
-
-#ifdef _UNICOS
-		cray_init_job(s->pw); /* set up cray jid and tmpdir */
-#endif
-
-		/* Do processing for the child (exec command etc). */
-		do_child(s, command);
-		/* NOTREACHED */
-	}
-#ifdef _UNICOS
-	signal(WJSIGNAL, cray_job_termination_handler);
-#endif /* _UNICOS */
-#ifdef HAVE_CYGWIN
-	if (is_winnt)
-		cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
-#endif
-	if (pid < 0)
-		packet_disconnect("fork failed: %.100s", strerror(errno));
-	s->pid = pid;
-	/* Set interactive/non-interactive mode. */
-	packet_set_interactive(s->display != NULL);
-#ifdef USE_PIPES
-	/* We are the parent.  Close the child sides of the pipes. */
-	close(pin[0]);
-	close(pout[1]);
-	close(perr[1]);
-
-	if (compat20) {
-		if (s->is_subsystem) {
-			close(perr[0]);
-			perr[0] = -1;
-		}
-		session_set_fds(s, pin[1], pout[0], perr[0]);
-	} else {
-		/* Enter the interactive session. */
-		server_loop(pid, pin[1], pout[0], perr[0]);
-		/* server_loop has closed pin[1], pout[0], and perr[0]. */
-	}
-#else /* USE_PIPES */
-	/* We are the parent.  Close the child sides of the socket pairs. */
-	close(inout[0]);
-	close(err[0]);
-
-	/*
-	 * Clear loginmsg, since it's the child's responsibility to display
-	 * it to the user, otherwise multiple sessions may accumulate
-	 * multiple copies of the login messages.
-	 */
-	buffer_clear(&loginmsg);
-
-	/*
-	 * Enter the interactive session.  Note: server_loop must be able to
-	 * handle the case that fdin and fdout are the same.
-	 */
-	if (compat20) {
-		session_set_fds(s, inout[1], inout[1], s->is_subsystem ? -1 : err[1]);
-	} else {
-		server_loop(pid, inout[1], inout[1], err[1]);
-		/* server_loop has closed inout[1] and err[1]. */
-	}
-#endif /* USE_PIPES */
-}
-
-/*
- * This is called to fork and execute a command when we have a tty.  This
- * will call do_child from the child, and server_loop from the parent after
- * setting up file descriptors, controlling tty, updating wtmp, utmp,
- * lastlog, and other such operations.
- */
-void
-do_exec_pty(Session *s, const char *command)
-{
-	int fdout, ptyfd, ttyfd, ptymaster;
-	pid_t pid;
-
-	if (s == NULL)
-		fatal("do_exec_pty: no session");
-	ptyfd = s->ptyfd;
-	ttyfd = s->ttyfd;
-
-#if defined(USE_PAM)
-	if (options.use_pam) {
-		do_pam_set_tty(s->tty);
-		if (!use_privsep)
-			do_pam_setcred(1);
-	}
-#endif
-
-	/* Fork the child. */
-	if ((pid = fork()) == 0) {
-		is_child = 1;
-
-		/* Child.  Reinitialize the log because the pid has changed. */
-		log_init(__progname, options.log_level, options.log_facility, log_stderr);
-		/* Close the master side of the pseudo tty. */
-		close(ptyfd);
-
-		/* Make the pseudo tty our controlling tty. */
-		pty_make_controlling_tty(&ttyfd, s->tty);
-
-		/* Redirect stdin/stdout/stderr from the pseudo tty. */
-		if (dup2(ttyfd, 0) < 0)
-			error("dup2 stdin: %s", strerror(errno));
-		if (dup2(ttyfd, 1) < 0)
-			error("dup2 stdout: %s", strerror(errno));
-		if (dup2(ttyfd, 2) < 0)
-			error("dup2 stderr: %s", strerror(errno));
-
-		/* Close the extra descriptor for the pseudo tty. */
-		close(ttyfd);
-
-		/* record login, etc. similar to login(1) */
-#ifndef HAVE_OSF_SIA
-		if (!(options.use_login && command == NULL)) {
-#ifdef _UNICOS
-			cray_init_job(s->pw); /* set up cray jid and tmpdir */
-#endif /* _UNICOS */
-			do_login(s, command);
-		}
-# ifdef LOGIN_NEEDS_UTMPX
-		else
-			do_pre_login(s);
-# endif
-#endif
-
-		/* Do common processing for the child, such as execing the command. */
-		do_child(s, command);
-		/* NOTREACHED */
-	}
-#ifdef _UNICOS
-	signal(WJSIGNAL, cray_job_termination_handler);
-#endif /* _UNICOS */
-#ifdef HAVE_CYGWIN
-	if (is_winnt)
-		cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
-#endif
-	if (pid < 0)
-		packet_disconnect("fork failed: %.100s", strerror(errno));
-	s->pid = pid;
-
-	/* Parent.  Close the slave side of the pseudo tty. */
-	close(ttyfd);
-
-	/*
-	 * Create another descriptor of the pty master side for use as the
-	 * standard input.  We could use the original descriptor, but this
-	 * simplifies code in server_loop.  The descriptor is bidirectional.
-	 */
-	fdout = dup(ptyfd);
-	if (fdout < 0)
-		packet_disconnect("dup #1 failed: %.100s", strerror(errno));
-
-	/* we keep a reference to the pty master */
-	ptymaster = dup(ptyfd);
-	if (ptymaster < 0)
-		packet_disconnect("dup #2 failed: %.100s", strerror(errno));
-	s->ptymaster = ptymaster;
-
-	/* Enter interactive session. */
-	packet_set_interactive(1);
-	if (compat20) {
-		session_set_fds(s, ptyfd, fdout, -1);
-	} else {
-		server_loop(pid, ptyfd, fdout, -1);
-		/* server_loop _has_ closed ptyfd and fdout. */
-	}
-}
-
-#ifdef LOGIN_NEEDS_UTMPX
-static void
-do_pre_login(Session *s)
-{
-	socklen_t fromlen;
-	struct sockaddr_storage from;
-	pid_t pid = getpid();
-
-	/*
-	 * Get IP address of client. If the connection is not a socket, let
-	 * the address be 0.0.0.0.
-	 */
-	memset(&from, 0, sizeof(from));
-	fromlen = sizeof(from);
-	if (packet_connection_is_on_socket()) {
-		if (getpeername(packet_get_connection_in(),
-		    (struct sockaddr *)&from, &fromlen) < 0) {
-			debug("getpeername: %.100s", strerror(errno));
-			cleanup_exit(255);
-		}
-	}
-
-	record_utmp_only(pid, s->tty, s->pw->pw_name,
-	    get_remote_name_or_ip(utmp_len, options.use_dns),
-	    (struct sockaddr *)&from, fromlen);
-}
-#endif
-
-/*
- * This is called to fork and execute a command.  If another command is
- * to be forced, execute that instead.
- */
-void
-do_exec(Session *s, const char *command)
-{
-	if (options.adm_forced_command) {
-		original_command = command;
-		command = options.adm_forced_command;
-		debug("Forced command (config) '%.900s'", command);
-	} else if (forced_command) {
-		original_command = command;
-		command = forced_command;
-		debug("Forced command (key option) '%.900s'", command);
-	}
-
-#ifdef SSH_AUDIT_EVENTS
-	if (command != NULL)
-		PRIVSEP(audit_run_command(command));
-	else if (s->ttyfd == -1) {
-		char *shell = s->pw->pw_shell;
-
-		if (shell[0] == '\0')	/* empty shell means /bin/sh */
-			shell =_PATH_BSHELL;
-		PRIVSEP(audit_run_command(shell));
-	}
-#endif
-
-	if (s->ttyfd != -1)
-		do_exec_pty(s, command);
-	else
-		do_exec_no_pty(s, command);
-
-	original_command = NULL;
-
-	/*
-	 * Clear loginmsg: it's the child's responsibility to display
-	 * it to the user, otherwise multiple sessions may accumulate
-	 * multiple copies of the login messages.
-	 */
-	buffer_clear(&loginmsg);
-}
-
-/* administrative, login(1)-like work */
-void
-do_login(Session *s, const char *command)
-{
-	socklen_t fromlen;
-	struct sockaddr_storage from;
-	struct passwd * pw = s->pw;
-	pid_t pid = getpid();
-
-	/*
-	 * Get IP address of client. If the connection is not a socket, let
-	 * the address be 0.0.0.0.
-	 */
-	memset(&from, 0, sizeof(from));
-	fromlen = sizeof(from);
-	if (packet_connection_is_on_socket()) {
-		if (getpeername(packet_get_connection_in(),
-		    (struct sockaddr *) & from, &fromlen) < 0) {
-			debug("getpeername: %.100s", strerror(errno));
-			cleanup_exit(255);
-		}
-	}
-
-	/* Record that there was a login on that tty from the remote host. */
-	if (!use_privsep)
-		record_login(pid, s->tty, pw->pw_name, pw->pw_uid,
-		    get_remote_name_or_ip(utmp_len,
-		    options.use_dns),
-		    (struct sockaddr *)&from, fromlen);
-
-#ifdef USE_PAM
-	/*
-	 * If password change is needed, do it now.
-	 * This needs to occur before the ~/.hushlogin check.
-	 */
-	if (options.use_pam && !use_privsep && s->authctxt->force_pwchange) {
-		display_loginmsg();
-		do_pam_chauthtok();
-		s->authctxt->force_pwchange = 0;
-		/* XXX - signal [net] parent to enable forwardings */
-	}
-#endif
-
-	if (check_quietlogin(s, command))
-		return;
-
-	display_loginmsg();
-
-	do_motd();
-}
-
-/*
- * Display the message of the day.
- */
-void
-do_motd(void)
-{
-	FILE *f;
-	char buf[256];
-
-	if (options.print_motd) {
-#ifdef HAVE_LOGIN_CAP
-		f = fopen(login_getcapstr(lc, "welcome", "/etc/motd",
-		    "/etc/motd"), "r");
-#else
-		f = fopen("/etc/motd", "r");
-#endif
-		if (f) {
-			while (fgets(buf, sizeof(buf), f))
-				fputs(buf, stdout);
-			fclose(f);
-		}
-	}
-}
-
-
-/*
- * Check for quiet login, either .hushlogin or command given.
- */
-int
-check_quietlogin(Session *s, const char *command)
-{
-	char buf[256];
-	struct passwd *pw = s->pw;
-	struct stat st;
-
-	/* Return 1 if .hushlogin exists or a command given. */
-	if (command != NULL)
-		return 1;
-	snprintf(buf, sizeof(buf), "%.200s/.hushlogin", pw->pw_dir);
-#ifdef HAVE_LOGIN_CAP
-	if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0)
-		return 1;
-#else
-	if (stat(buf, &st) >= 0)
-		return 1;
-#endif
-	return 0;
-}
-
-/*
- * Sets the value of the given variable in the environment.  If the variable
- * already exists, its value is overriden.
- */
-void
-child_set_env(char ***envp, u_int *envsizep, const char *name,
-	const char *value)
-{
-	char **env;
-	u_int envsize;
-	u_int i, namelen;
-
-	/*
-	 * If we're passed an uninitialized list, allocate a single null
-	 * entry before continuing.
-	 */
-	if (*envp == NULL && *envsizep == 0) {
-		*envp = xmalloc(sizeof(char *));
-		*envp[0] = NULL;
-		*envsizep = 1;
-	}
-
-	/*
-	 * Find the slot where the value should be stored.  If the variable
-	 * already exists, we reuse the slot; otherwise we append a new slot
-	 * at the end of the array, expanding if necessary.
-	 */
-	env = *envp;
-	namelen = strlen(name);
-	for (i = 0; env[i]; i++)
-		if (strncmp(env[i], name, namelen) == 0 && env[i][namelen] == '=')
-			break;
-	if (env[i]) {
-		/* Reuse the slot. */
-		xfree(env[i]);
-	} else {
-		/* New variable.  Expand if necessary. */
-		envsize = *envsizep;
-		if (i >= envsize - 1) {
-			if (envsize >= 1000)
-				fatal("child_set_env: too many env vars");
-			envsize += 50;
-			env = (*envp) = xrealloc(env, envsize, sizeof(char *));
-			*envsizep = envsize;
-		}
-		/* Need to set the NULL pointer at end of array beyond the new slot. */
-		env[i + 1] = NULL;
-	}
-
-	/* Allocate space and format the variable in the appropriate slot. */
-	env[i] = xmalloc(strlen(name) + 1 + strlen(value) + 1);
-	snprintf(env[i], strlen(name) + 1 + strlen(value) + 1, "%s=%s", name, value);
-}
-
-/*
- * Reads environment variables from the given file and adds/overrides them
- * into the environment.  If the file does not exist, this does nothing.
- * Otherwise, it must consist of empty lines, comments (line starts with '#')
- * and assignments of the form name=value.  No other forms are allowed.
- */
-static void
-read_environment_file(char ***env, u_int *envsize,
-	const char *filename)
-{
-	FILE *f;
-	char buf[4096];
-	char *cp, *value;
-	u_int lineno = 0;
-
-	f = fopen(filename, "r");
-	if (!f)
-		return;
-
-	while (fgets(buf, sizeof(buf), f)) {
-		if (++lineno > 1000)
-			fatal("Too many lines in environment file %s", filename);
-		for (cp = buf; *cp == ' ' || *cp == '\t'; cp++)
-			;
-		if (!*cp || *cp == '#' || *cp == '\n')
-			continue;
-		if (strchr(cp, '\n'))
-			*strchr(cp, '\n') = '\0';
-		value = strchr(cp, '=');
-		if (value == NULL) {
-			fprintf(stderr, "Bad line %u in %.100s\n", lineno,
-			    filename);
-			continue;
-		}
-		/*
-		 * Replace the equals sign by nul, and advance value to
-		 * the value string.
-		 */
-		*value = '\0';
-		value++;
-		child_set_env(env, envsize, cp, value);
-	}
-	fclose(f);
-}
-
-#ifdef HAVE_ETC_DEFAULT_LOGIN
-/*
- * Return named variable from specified environment, or NULL if not present.
- */
-static char *
-child_get_env(char **env, const char *name)
-{
-	int i;
-	size_t len;
-
-	len = strlen(name);
-	for (i=0; env[i] != NULL; i++)
-		if (strncmp(name, env[i], len) == 0 && env[i][len] == '=')
-			return(env[i] + len + 1);
-	return NULL;
-}
-
-/*
- * Read /etc/default/login.
- * We pick up the PATH (or SUPATH for root) and UMASK.
- */
-static void
-read_etc_default_login(char ***env, u_int *envsize, uid_t uid)
-{
-	char **tmpenv = NULL, *var;
-	u_int i, tmpenvsize = 0;
-	u_long mask;
-
-	/*
-	 * We don't want to copy the whole file to the child's environment,
-	 * so we use a temporary environment and copy the variables we're
-	 * interested in.
-	 */
-	read_environment_file(&tmpenv, &tmpenvsize, "/etc/default/login");
-
-	if (tmpenv == NULL)
-		return;
-
-	if (uid == 0)
-		var = child_get_env(tmpenv, "SUPATH");
-	else
-		var = child_get_env(tmpenv, "PATH");
-	if (var != NULL)
-		child_set_env(env, envsize, "PATH", var);
-
-	if ((var = child_get_env(tmpenv, "UMASK")) != NULL)
-		if (sscanf(var, "%5lo", &mask) == 1)
-			umask((mode_t)mask);
-
-	for (i = 0; tmpenv[i] != NULL; i++)
-		xfree(tmpenv[i]);
-	xfree(tmpenv);
-}
-#endif /* HAVE_ETC_DEFAULT_LOGIN */
-
-void
-copy_environment(char **source, char ***env, u_int *envsize)
-{
-	char *var_name, *var_val;
-	int i;
-
-	if (source == NULL)
-		return;
-
-	for(i = 0; source[i] != NULL; i++) {
-		var_name = xstrdup(source[i]);
-		if ((var_val = strstr(var_name, "=")) == NULL) {
-			xfree(var_name);
-			continue;
-		}
-		*var_val++ = '\0';
-
-		debug3("Copy environment: %s=%s", var_name, var_val);
-		child_set_env(env, envsize, var_name, var_val);
-
-		xfree(var_name);
-	}
-}
-
-static char **
-do_setup_env(Session *s, const char *shell)
-{
-	char buf[256];
-	u_int i, envsize;
-	char **env, *laddr;
-	struct passwd *pw = s->pw;
-#ifndef HAVE_LOGIN_CAP
-	char *path = NULL;
-#endif
-
-	/* Initialize the environment. */
-	envsize = 100;
-	env = xcalloc(envsize, sizeof(char *));
-	env[0] = NULL;
-
-#ifdef HAVE_CYGWIN
-	/*
-	 * The Windows environment contains some setting which are
-	 * important for a running system. They must not be dropped.
-	 */
-	{
-		char **p;
-
-		p = fetch_windows_environment();
-		copy_environment(p, &env, &envsize);
-		free_windows_environment(p);
-	}
-#endif
-
-#ifdef GSSAPI
-	/* Allow any GSSAPI methods that we've used to alter
-	 * the childs environment as they see fit
-	 */
-	ssh_gssapi_do_child(&env, &envsize);
-#endif
-
-	if (!options.use_login) {
-		/* Set basic environment. */
-		for (i = 0; i < s->num_env; i++)
-			child_set_env(&env, &envsize, s->env[i].name,
-			    s->env[i].val);
-
-		child_set_env(&env, &envsize, "USER", pw->pw_name);
-		child_set_env(&env, &envsize, "LOGNAME", pw->pw_name);
-#ifdef _AIX
-		child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
-#endif
-		child_set_env(&env, &envsize, "HOME", pw->pw_dir);
-#ifdef HAVE_LOGIN_CAP
-		if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0)
-			child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
-		else
-			child_set_env(&env, &envsize, "PATH", getenv("PATH"));
-#else /* HAVE_LOGIN_CAP */
-# ifndef HAVE_CYGWIN
-		/*
-		 * There's no standard path on Windows. The path contains
-		 * important components pointing to the system directories,
-		 * needed for loading shared libraries. So the path better
-		 * remains intact here.
-		 */
-#  ifdef HAVE_ETC_DEFAULT_LOGIN
-		read_etc_default_login(&env, &envsize, pw->pw_uid);
-		path = child_get_env(env, "PATH");
-#  endif /* HAVE_ETC_DEFAULT_LOGIN */
-		if (path == NULL || *path == '\0') {
-			child_set_env(&env, &envsize, "PATH",
-			    s->pw->pw_uid == 0 ?
-				SUPERUSER_PATH : _PATH_STDPATH);
-		}
-# endif /* HAVE_CYGWIN */
-#endif /* HAVE_LOGIN_CAP */
-
-		snprintf(buf, sizeof buf, "%.200s/%.50s",
-			 _PATH_MAILDIR, pw->pw_name);
-		child_set_env(&env, &envsize, "MAIL", buf);
-
-		/* Normal systems set SHELL by default. */
-		child_set_env(&env, &envsize, "SHELL", shell);
-	}
-	if (getenv("TZ"))
-		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
-
-	/* Set custom environment options from RSA authentication. */
-	if (!options.use_login) {
-		while (custom_environment) {
-			struct envstring *ce = custom_environment;
-			char *str = ce->s;
-
-			for (i = 0; str[i] != '=' && str[i]; i++)
-				;
-			if (str[i] == '=') {
-				str[i] = 0;
-				child_set_env(&env, &envsize, str, str + i + 1);
-			}
-			custom_environment = ce->next;
-			xfree(ce->s);
-			xfree(ce);
-		}
-	}
-
-	/* SSH_CLIENT deprecated */
-	snprintf(buf, sizeof buf, "%.50s %d %d",
-	    get_remote_ipaddr(), get_remote_port(), get_local_port());
-	child_set_env(&env, &envsize, "SSH_CLIENT", buf);
-
-	laddr = get_local_ipaddr(packet_get_connection_in());
-	snprintf(buf, sizeof buf, "%.50s %d %.50s %d",
-	    get_remote_ipaddr(), get_remote_port(), laddr, get_local_port());
-	xfree(laddr);
-	child_set_env(&env, &envsize, "SSH_CONNECTION", buf);
-
-	if (s->ttyfd != -1)
-		child_set_env(&env, &envsize, "SSH_TTY", s->tty);
-	if (s->term)
-		child_set_env(&env, &envsize, "TERM", s->term);
-	if (s->display)
-		child_set_env(&env, &envsize, "DISPLAY", s->display);
-	if (original_command)
-		child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
-		    original_command);
-
-#ifdef _UNICOS
-	if (cray_tmpdir[0] != '\0')
-		child_set_env(&env, &envsize, "TMPDIR", cray_tmpdir);
-#endif /* _UNICOS */
-
-	/*
-	 * Since we clear KRB5CCNAME at startup, if it's set now then it
-	 * must have been set by a native authentication method (eg AIX or
-	 * SIA), so copy it to the child.
-	 */
-	{
-		char *cp;
-
-		if ((cp = getenv("KRB5CCNAME")) != NULL)
-			child_set_env(&env, &envsize, "KRB5CCNAME", cp);
-	}
-
-#ifdef _AIX
-	{
-		char *cp;
-
-		if ((cp = getenv("AUTHSTATE")) != NULL)
-			child_set_env(&env, &envsize, "AUTHSTATE", cp);
-		read_environment_file(&env, &envsize, "/etc/environment");
-	}
-#endif
-#ifdef KRB5
-	if (s->authctxt->krb5_ccname)
-		child_set_env(&env, &envsize, "KRB5CCNAME",
-		    s->authctxt->krb5_ccname);
-#endif
-#ifdef USE_PAM
-	/*
-	 * Pull in any environment variables that may have
-	 * been set by PAM.
-	 */
-	if (options.use_pam) {
-		char **p;
-
-		p = fetch_pam_child_environment();
-		copy_environment(p, &env, &envsize);
-		free_pam_environment(p);
-
-		p = fetch_pam_environment();
-		copy_environment(p, &env, &envsize);
-		free_pam_environment(p);
-	}
-#endif /* USE_PAM */
-
-	if (auth_sock_name != NULL)
-		child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
-		    auth_sock_name);
-
-	/* read $HOME/.ssh/environment. */
-	if (options.permit_user_env && !options.use_login) {
-		snprintf(buf, sizeof buf, "%.200s/.ssh/environment",
-		    strcmp(pw->pw_dir, "/") ? pw->pw_dir : "");
-		read_environment_file(&env, &envsize, buf);
-	}
-	if (debug_flag) {
-		/* dump the environment */
-		fprintf(stderr, "Environment:\n");
-		for (i = 0; env[i]; i++)
-			fprintf(stderr, "  %.200s\n", env[i]);
-	}
-	return env;
-}
-
-/*
- * Run $HOME/.ssh/rc, /etc/ssh/sshrc, or xauth (whichever is found
- * first in this order).
- */
-static void
-do_rc_files(Session *s, const char *shell)
-{
-	FILE *f = NULL;
-	char cmd[1024];
-	int do_xauth;
-	struct stat st;
-
-	do_xauth =
-	    s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
-
-	/* ignore _PATH_SSH_USER_RC for subsystems */
-	if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
-		snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
-		    shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
-		if (debug_flag)
-			fprintf(stderr, "Running %s\n", cmd);
-		f = popen(cmd, "w");
-		if (f) {
-			if (do_xauth)
-				fprintf(f, "%s %s\n", s->auth_proto,
-				    s->auth_data);
-			pclose(f);
-		} else
-			fprintf(stderr, "Could not run %s\n",
-			    _PATH_SSH_USER_RC);
-	} else if (stat(_PATH_SSH_SYSTEM_RC, &st) >= 0) {
-		if (debug_flag)
-			fprintf(stderr, "Running %s %s\n", _PATH_BSHELL,
-			    _PATH_SSH_SYSTEM_RC);
-		f = popen(_PATH_BSHELL " " _PATH_SSH_SYSTEM_RC, "w");
-		if (f) {
-			if (do_xauth)
-				fprintf(f, "%s %s\n", s->auth_proto,
-				    s->auth_data);
-			pclose(f);
-		} else
-			fprintf(stderr, "Could not run %s\n",
-			    _PATH_SSH_SYSTEM_RC);
-	} else if (do_xauth && options.xauth_location != NULL) {
-		/* Add authority data to .Xauthority if appropriate. */
-		if (debug_flag) {
-			fprintf(stderr,
-			    "Running %.500s remove %.100s\n",
-			    options.xauth_location, s->auth_display);
-			fprintf(stderr,
-			    "%.500s add %.100s %.100s %.100s\n",
-			    options.xauth_location, s->auth_display,
-			    s->auth_proto, s->auth_data);
-		}
-		snprintf(cmd, sizeof cmd, "%s -q -",
-		    options.xauth_location);
-		f = popen(cmd, "w");
-		if (f) {
-			fprintf(f, "remove %s\n",
-			    s->auth_display);
-			fprintf(f, "add %s %s %s\n",
-			    s->auth_display, s->auth_proto,
-			    s->auth_data);
-			pclose(f);
-		} else {
-			fprintf(stderr, "Could not run %s\n",
-			    cmd);
-		}
-	}
-}
-
-static void
-do_nologin(struct passwd *pw)
-{
-	FILE *f = NULL;
-	char buf[1024];
-
-#ifdef HAVE_LOGIN_CAP
-	if (!login_getcapbool(lc, "ignorenologin", 0) && pw->pw_uid)
-		f = fopen(login_getcapstr(lc, "nologin", _PATH_NOLOGIN,
-		    _PATH_NOLOGIN), "r");
-#else
-	if (pw->pw_uid)
-		f = fopen(_PATH_NOLOGIN, "r");
-#endif
-	if (f) {
-		/* /etc/nologin exists.  Print its contents and exit. */
-		logit("User %.100s not allowed because %s exists",
-		    pw->pw_name, _PATH_NOLOGIN);
-		while (fgets(buf, sizeof(buf), f))
-			fputs(buf, stderr);
-		fclose(f);
-		fflush(NULL);
-		exit(254);
-	}
-}
-
-/* Set login name, uid, gid, and groups. */
-void
-do_setusercontext(struct passwd *pw)
-{
-#ifndef HAVE_CYGWIN
-	if (getuid() == 0 || geteuid() == 0)
-#endif /* HAVE_CYGWIN */
-	{
-
-#ifdef HAVE_SETPCRED
-		if (setpcred(pw->pw_name, (char **)NULL) == -1)
-			fatal("Failed to set process credentials");
-#endif /* HAVE_SETPCRED */
-#ifdef HAVE_LOGIN_CAP
-# ifdef __bsdi__
-		setpgid(0, 0);
-# endif
-#ifdef GSSAPI
-		if (options.gss_authentication) {
-			temporarily_use_uid(pw);
-			ssh_gssapi_storecreds();
-			restore_uid();
-		}
-#endif
-# ifdef USE_PAM
-		if (options.use_pam) {
-			do_pam_session();
-			do_pam_setcred(0);
-		}
-# endif /* USE_PAM */
-		if (setusercontext(lc, pw, pw->pw_uid,
-		    (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) {
-			perror("unable to set user context");
-			exit(1);
-		}
-#else
-# if defined(HAVE_GETLUID) && defined(HAVE_SETLUID)
-		/* Sets login uid for accounting */
-		if (getluid() == -1 && setluid(pw->pw_uid) == -1)
-			error("setluid: %s", strerror(errno));
-# endif /* defined(HAVE_GETLUID) && defined(HAVE_SETLUID) */
-
-		if (setlogin(pw->pw_name) < 0)
-			error("setlogin failed: %s", strerror(errno));
-		if (setgid(pw->pw_gid) < 0) {
-			perror("setgid");
-			exit(1);
-		}
-		/* Initialize the group list. */
-		if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
-			perror("initgroups");
-			exit(1);
-		}
-		endgrent();
-#ifdef GSSAPI
-		if (options.gss_authentication) {
-			temporarily_use_uid(pw);
-			ssh_gssapi_storecreds();
-			restore_uid();
-		}
-#endif
-# ifdef USE_PAM
-		/*
-		 * PAM credentials may take the form of supplementary groups.
-		 * These will have been wiped by the above initgroups() call.
-		 * Reestablish them here.
-		 */
-		if (options.use_pam) {
-			do_pam_session();
-			do_pam_setcred(0);
-		}
-# endif /* USE_PAM */
-# if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY)
-		irix_setusercontext(pw);
-#  endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */
-# ifdef _AIX
-		aix_usrinfo(pw);
-# endif /* _AIX */
-#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
-		if (set_id(pw->pw_name) != 0) {
-			exit(1);
-		}
-#endif /* HAVE_LIBIAF  && !BROKEN_LIBIAF */
-		/* Permanently switch to the desired uid. */
-		permanently_set_uid(pw);
-#endif
-	}
-
-#ifdef HAVE_CYGWIN
-	if (is_winnt)
-#endif
-	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
-		fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
-
-#ifdef WITH_SELINUX
-	ssh_selinux_setup_exec_context(pw->pw_name);
-#endif
-}
-
-static void
-do_pwchange(Session *s)
-{
-	fflush(NULL);
-	fprintf(stderr, "WARNING: Your password has expired.\n");
-	if (s->ttyfd != -1) {
-		fprintf(stderr,
-		    "You must change your password now and login again!\n");
-#ifdef PASSWD_NEEDS_USERNAME
-		execl(_PATH_PASSWD_PROG, "passwd", s->pw->pw_name,
-		    (char *)NULL);
-#else
-		execl(_PATH_PASSWD_PROG, "passwd", (char *)NULL);
-#endif
-		perror("passwd");
-	} else {
-		fprintf(stderr,
-		    "Password change required but no TTY available.\n");
-	}
-	exit(1);
-}
-
-static void
-launch_login(struct passwd *pw, const char *hostname)
-{
-	/* Launch login(1). */
-
-	execl(LOGIN_PROGRAM, "login", "-h", hostname,
-#ifdef xxxLOGIN_NEEDS_TERM
-		    (s->term ? s->term : "unknown"),
-#endif /* LOGIN_NEEDS_TERM */
-#ifdef LOGIN_NO_ENDOPT
-	    "-p", "-f", pw->pw_name, (char *)NULL);
-#else
-	    "-p", "-f", "--", pw->pw_name, (char *)NULL);
-#endif
-
-	/* Login couldn't be executed, die. */
-
-	perror("login");
-	exit(1);
-}
-
-static void
-child_close_fds(void)
-{
-	int i;
-
-	if (packet_get_connection_in() == packet_get_connection_out())
-		close(packet_get_connection_in());
-	else {
-		close(packet_get_connection_in());
-		close(packet_get_connection_out());
-	}
-	/*
-	 * Close all descriptors related to channels.  They will still remain
-	 * open in the parent.
-	 */
-	/* XXX better use close-on-exec? -markus */
-	channel_close_all();
-
-	/*
-	 * Close any extra file descriptors.  Note that there may still be
-	 * descriptors left by system functions.  They will be closed later.
-	 */
-	endpwent();
-
-	/*
-	 * Close any extra open file descriptors so that we don't have them
-	 * hanging around in clients.  Note that we want to do this after
-	 * initgroups, because at least on Solaris 2.3 it leaves file
-	 * descriptors open.
-	 */
-	for (i = 3; i < 64; i++)
-		close(i);
-}
-
-/*
- * Performs common processing for the child, such as setting up the
- * environment, closing extra file descriptors, setting the user and group
- * ids, and executing the command or shell.
- */
-void
-do_child(Session *s, const char *command)
-{
-	extern char **environ;
-	char **env;
-	char *argv[10];
-	const char *shell, *shell0, *hostname = NULL;
-	struct passwd *pw = s->pw;
-
-	/* remove hostkey from the child's memory */
-	destroy_sensitive_data();
-
-	/* Force a password change */
-	if (s->authctxt->force_pwchange) {
-		do_setusercontext(pw);
-		child_close_fds();
-		do_pwchange(s);
-		exit(1);
-	}
-
-	/* login(1) is only called if we execute the login shell */
-	if (options.use_login && command != NULL)
-		options.use_login = 0;
-
-#ifdef _UNICOS
-	cray_setup(pw->pw_uid, pw->pw_name, command);
-#endif /* _UNICOS */
-
-	/*
-	 * Login(1) does this as well, and it needs uid 0 for the "-h"
-	 * switch, so we let login(1) to this for us.
-	 */
-	if (!options.use_login) {
-#ifdef HAVE_OSF_SIA
-		session_setup_sia(pw, s->ttyfd == -1 ? NULL : s->tty);
-		if (!check_quietlogin(s, command))
-			do_motd();
-#else /* HAVE_OSF_SIA */
-		/* When PAM is enabled we rely on it to do the nologin check */
-		if (!options.use_pam)
-			do_nologin(pw);
-		do_setusercontext(pw);
-		/*
-		 * PAM session modules in do_setusercontext may have
-		 * generated messages, so if this in an interactive
-		 * login then display them too.
-		 */
-		if (!check_quietlogin(s, command))
-			display_loginmsg();
-#endif /* HAVE_OSF_SIA */
-	}
-
-#ifdef USE_PAM
-	if (options.use_pam && !options.use_login && !is_pam_session_open()) {
-		debug3("PAM session not opened, exiting");
-		display_loginmsg();
-		exit(254);
-	}
-#endif
-
-	/*
-	 * Get the shell from the password data.  An empty shell field is
-	 * legal, and means /bin/sh.
-	 */
-	shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
-
-	/*
-	 * Make sure $SHELL points to the shell from the password file,
-	 * even if shell is overridden from login.conf
-	 */
-	env = do_setup_env(s, shell);
-
-#ifdef HAVE_LOGIN_CAP
-	shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
-#endif
-
-	/* we have to stash the hostname before we close our socket. */
-	if (options.use_login)
-		hostname = get_remote_name_or_ip(utmp_len,
-		    options.use_dns);
-	/*
-	 * Close the connection descriptors; note that this is the child, and
-	 * the server will still have the socket open, and it is important
-	 * that we do not shutdown it.  Note that the descriptors cannot be
-	 * closed before building the environment, as we call
-	 * get_remote_ipaddr there.
-	 */
-	child_close_fds();
-
-	/*
-	 * Must take new environment into use so that .ssh/rc,
-	 * /etc/ssh/sshrc and xauth are run in the proper environment.
-	 */
-	environ = env;
-
-#if defined(KRB5) && defined(USE_AFS)
-	/*
-	 * At this point, we check to see if AFS is active and if we have
-	 * a valid Kerberos 5 TGT. If so, it seems like a good idea to see
-	 * if we can (and need to) extend the ticket into an AFS token. If
-	 * we don't do this, we run into potential problems if the user's
-	 * home directory is in AFS and it's not world-readable.
-	 */
-
-	if (options.kerberos_get_afs_token && k_hasafs() &&
-	    (s->authctxt->krb5_ctx != NULL)) {
-		char cell[64];
-
-		debug("Getting AFS token");
-
-		k_setpag();
-
-		if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0)
-			krb5_afslog(s->authctxt->krb5_ctx,
-			    s->authctxt->krb5_fwd_ccache, cell, NULL);
-
-		krb5_afslog_home(s->authctxt->krb5_ctx,
-		    s->authctxt->krb5_fwd_ccache, NULL, NULL, pw->pw_dir);
-	}
-#endif
-
-	/* Change current directory to the user's home directory. */
-	if (chdir(pw->pw_dir) < 0) {
-		fprintf(stderr, "Could not chdir to home directory %s: %s\n",
-		    pw->pw_dir, strerror(errno));
-#ifdef HAVE_LOGIN_CAP
-		if (login_getcapbool(lc, "requirehome", 0))
-			exit(1);
-#endif
-	}
-
-	if (!options.use_login)
-		do_rc_files(s, shell);
-
-	/* restore SIGPIPE for child */
-	signal(SIGPIPE, SIG_DFL);
-
-	if (options.use_login) {
-		launch_login(pw, hostname);
-		/* NEVERREACHED */
-	}
-
-	/* Get the last component of the shell name. */
-	if ((shell0 = strrchr(shell, '/')) != NULL)
-		shell0++;
-	else
-		shell0 = shell;
-
-	/*
-	 * If we have no command, execute the shell.  In this case, the shell
-	 * name to be passed in argv[0] is preceded by '-' to indicate that
-	 * this is a login shell.
-	 */
-	if (!command) {
-		char argv0[256];
-
-		/* Start the shell.  Set initial character to '-'. */
-		argv0[0] = '-';
-
-		if (strlcpy(argv0 + 1, shell0, sizeof(argv0) - 1)
-		    >= sizeof(argv0) - 1) {
-			errno = EINVAL;
-			perror(shell);
-			exit(1);
-		}
-
-		/* Execute the shell. */
-		argv[0] = argv0;
-		argv[1] = NULL;
-		execve(shell, argv, env);
-
-		/* Executing the shell failed. */
-		perror(shell);
-		exit(1);
-	}
-	/*
-	 * Execute the command using the user's shell.  This uses the -c
-	 * option to execute the command.
-	 */
-	argv[0] = (char *) shell0;
-	argv[1] = "-c";
-	argv[2] = (char *) command;
-	argv[3] = NULL;
-	execve(shell, argv, env);
-	perror(shell);
-	exit(1);
-}
-
-Session *
-session_new(void)
-{
-	int i;
-	static int did_init = 0;
-	if (!did_init) {
-		debug("session_new: init");
-		for (i = 0; i < MAX_SESSIONS; i++) {
-			sessions[i].used = 0;
-		}
-		did_init = 1;
-	}
-	for (i = 0; i < MAX_SESSIONS; i++) {
-		Session *s = &sessions[i];
-		if (! s->used) {
-			memset(s, 0, sizeof(*s));
-			s->chanid = -1;
-			s->ptyfd = -1;
-			s->ttyfd = -1;
-			s->used = 1;
-			s->self = i;
-			s->x11_chanids = NULL;
-			debug("session_new: session %d", i);
-			return s;
-		}
-	}
-	return NULL;
-}
-
-static void
-session_dump(void)
-{
-	int i;
-	for (i = 0; i < MAX_SESSIONS; i++) {
-		Session *s = &sessions[i];
-		debug("dump: used %d session %d %p channel %d pid %ld",
-		    s->used,
-		    s->self,
-		    s,
-		    s->chanid,
-		    (long)s->pid);
-	}
-}
-
-int
-session_open(Authctxt *authctxt, int chanid)
-{
-	Session *s = session_new();
-	debug("session_open: channel %d", chanid);
-	if (s == NULL) {
-		error("no more sessions");
-		return 0;
-	}
-	s->authctxt = authctxt;
-	s->pw = authctxt->pw;
-	if (s->pw == NULL || !authctxt->valid)
-		fatal("no user for session %d", s->self);
-	debug("session_open: session %d: link with channel %d", s->self, chanid);
-	s->chanid = chanid;
-	return 1;
-}
-
-Session *
-session_by_tty(char *tty)
-{
-	int i;
-	for (i = 0; i < MAX_SESSIONS; i++) {
-		Session *s = &sessions[i];
-		if (s->used && s->ttyfd != -1 && strcmp(s->tty, tty) == 0) {
-			debug("session_by_tty: session %d tty %s", i, tty);
-			return s;
-		}
-	}
-	debug("session_by_tty: unknown tty %.100s", tty);
-	session_dump();
-	return NULL;
-}
-
-static Session *
-session_by_channel(int id)
-{
-	int i;
-	for (i = 0; i < MAX_SESSIONS; i++) {
-		Session *s = &sessions[i];
-		if (s->used && s->chanid == id) {
-			debug("session_by_channel: session %d channel %d", i, id);
-			return s;
-		}
-	}
-	debug("session_by_channel: unknown channel %d", id);
-	session_dump();
-	return NULL;
-}
-
-static Session *
-session_by_x11_channel(int id)
-{
-	int i, j;
-
-	for (i = 0; i < MAX_SESSIONS; i++) {
-		Session *s = &sessions[i];
-
-		if (s->x11_chanids == NULL || !s->used)
-			continue;
-		for (j = 0; s->x11_chanids[j] != -1; j++) {
-			if (s->x11_chanids[j] == id) {
-				debug("session_by_x11_channel: session %d "
-				    "channel %d", s->self, id);
-				return s;
-			}
-		}
-	}
-	debug("session_by_x11_channel: unknown channel %d", id);
-	session_dump();
-	return NULL;
-}
-
-static Session *
-session_by_pid(pid_t pid)
-{
-	int i;
-	debug("session_by_pid: pid %ld", (long)pid);
-	for (i = 0; i < MAX_SESSIONS; i++) {
-		Session *s = &sessions[i];
-		if (s->used && s->pid == pid)
-			return s;
-	}
-	error("session_by_pid: unknown pid %ld", (long)pid);
-	session_dump();
-	return NULL;
-}
-
-static int
-session_window_change_req(Session *s)
-{
-	s->col = packet_get_int();
-	s->row = packet_get_int();
-	s->xpixel = packet_get_int();
-	s->ypixel = packet_get_int();
-	packet_check_eom();
-	pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
-	return 1;
-}
-
-static int
-session_pty_req(Session *s)
-{
-	u_int len;
-	int n_bytes;
-
-	if (no_pty_flag) {
-		debug("Allocating a pty not permitted for this authentication.");
-		return 0;
-	}
-	if (s->ttyfd != -1) {
-		packet_disconnect("Protocol error: you already have a pty.");
-		return 0;
-	}
-
-	s->term = packet_get_string(&len);
-
-	if (compat20) {
-		s->col = packet_get_int();
-		s->row = packet_get_int();
-	} else {
-		s->row = packet_get_int();
-		s->col = packet_get_int();
-	}
-	s->xpixel = packet_get_int();
-	s->ypixel = packet_get_int();
-
-	if (strcmp(s->term, "") == 0) {
-		xfree(s->term);
-		s->term = NULL;
-	}
-
-	/* Allocate a pty and open it. */
-	debug("Allocating pty.");
-	if (!PRIVSEP(pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)))) {
-		if (s->term)
-			xfree(s->term);
-		s->term = NULL;
-		s->ptyfd = -1;
-		s->ttyfd = -1;
-		error("session_pty_req: session %d alloc failed", s->self);
-		return 0;
-	}
-	debug("session_pty_req: session %d alloc %s", s->self, s->tty);
-
-	/* for SSH1 the tty modes length is not given */
-	if (!compat20)
-		n_bytes = packet_remaining();
-	tty_parse_modes(s->ttyfd, &n_bytes);
-
-	if (!use_privsep)
-		pty_setowner(s->pw, s->tty);
-
-	/* Set window size from the packet. */
-	pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
-
-	packet_check_eom();
-	session_proctitle(s);
-	return 1;
-}
-
-static int
-session_subsystem_req(Session *s)
-{
-	struct stat st;
-	u_int len;
-	int success = 0;
-	char *prog, *cmd, *subsys = packet_get_string(&len);
-	u_int i;
-
-	packet_check_eom();
-	logit("subsystem request for %.100s", subsys);
-
-	for (i = 0; i < options.num_subsystems; i++) {
-		if (strcmp(subsys, options.subsystem_name[i]) == 0) {
-			prog = options.subsystem_command[i];
-			cmd = options.subsystem_args[i];
-			if (stat(prog, &st) < 0) {
-				error("subsystem: cannot stat %s: %s", prog,
-				    strerror(errno));
-				break;
-			}
-			debug("subsystem: exec() %s", cmd);
-			s->is_subsystem = 1;
-			do_exec(s, cmd);
-			success = 1;
-			break;
-		}
-	}
-
-	if (!success)
-		logit("subsystem request for %.100s failed, subsystem not found",
-		    subsys);
-
-	xfree(subsys);
-	return success;
-}
-
-static int
-session_x11_req(Session *s)
-{
-	int success;
-
-	if (s->auth_proto != NULL || s->auth_data != NULL) {
-		error("session_x11_req: session %d: "
-		    "x11 forwarding already active", s->self);
-		return 0;
-	}
-	s->single_connection = packet_get_char();
-	s->auth_proto = packet_get_string(NULL);
-	s->auth_data = packet_get_string(NULL);
-	s->screen = packet_get_int();
-	packet_check_eom();
-
-	success = session_setup_x11fwd(s);
-	if (!success) {
-		xfree(s->auth_proto);
-		xfree(s->auth_data);
-		s->auth_proto = NULL;
-		s->auth_data = NULL;
-	}
-	return success;
-}
-
-static int
-session_shell_req(Session *s)
-{
-	packet_check_eom();
-	do_exec(s, NULL);
-	return 1;
-}
-
-static int
-session_exec_req(Session *s)
-{
-	u_int len;
-	char *command = packet_get_string(&len);
-	packet_check_eom();
-	do_exec(s, command);
-	xfree(command);
-	return 1;
-}
-
-static int
-session_break_req(Session *s)
-{
-
-	packet_get_int();	/* ignored */
-	packet_check_eom();
-
-	if (s->ttyfd == -1 ||
-	    tcsendbreak(s->ttyfd, 0) < 0)
-		return 0;
-	return 1;
-}
-
-static int
-session_env_req(Session *s)
-{
-	char *name, *val;
-	u_int name_len, val_len, i;
-
-	name = packet_get_string(&name_len);
-	val = packet_get_string(&val_len);
-	packet_check_eom();
-
-	/* Don't set too many environment variables */
-	if (s->num_env > 128) {
-		debug2("Ignoring env request %s: too many env vars", name);
-		goto fail;
-	}
-
-	for (i = 0; i < options.num_accept_env; i++) {
-		if (match_pattern(name, options.accept_env[i])) {
-			debug2("Setting env %d: %s=%s", s->num_env, name, val);
-			s->env = xrealloc(s->env, s->num_env + 1,
-			    sizeof(*s->env));
-			s->env[s->num_env].name = name;
-			s->env[s->num_env].val = val;
-			s->num_env++;
-			return (1);
-		}
-	}
-	debug2("Ignoring env request %s: disallowed name", name);
-
- fail:
-	xfree(name);
-	xfree(val);
-	return (0);
-}
-
-static int
-session_auth_agent_req(Session *s)
-{
-	static int called = 0;
-	packet_check_eom();
-	if (no_agent_forwarding_flag) {
-		debug("session_auth_agent_req: no_agent_forwarding_flag");
-		return 0;
-	}
-	if (called) {
-		return 0;
-	} else {
-		called = 1;
-		return auth_input_request_forwarding(s->pw);
-	}
-}
-
-int
-session_input_channel_req(Channel *c, const char *rtype)
-{
-	int success = 0;
-	Session *s;
-
-	if ((s = session_by_channel(c->self)) == NULL) {
-		logit("session_input_channel_req: no session %d req %.100s",
-		    c->self, rtype);
-		return 0;
-	}
-	debug("session_input_channel_req: session %d req %s", s->self, rtype);
-
-	/*
-	 * a session is in LARVAL state until a shell, a command
-	 * or a subsystem is executed
-	 */
-	if (c->type == SSH_CHANNEL_LARVAL) {
-		if (strcmp(rtype, "shell") == 0) {
-			success = session_shell_req(s);
-		} else if (strcmp(rtype, "exec") == 0) {
-			success = session_exec_req(s);
-		} else if (strcmp(rtype, "pty-req") == 0) {
-			success =  session_pty_req(s);
-		} else if (strcmp(rtype, "x11-req") == 0) {
-			success = session_x11_req(s);
-		} else if (strcmp(rtype, "auth-agent-req@openssh.com") == 0) {
-			success = session_auth_agent_req(s);
-		} else if (strcmp(rtype, "subsystem") == 0) {
-			success = session_subsystem_req(s);
-		} else if (strcmp(rtype, "env") == 0) {
-			success = session_env_req(s);
-		}
-	}
-	if (strcmp(rtype, "window-change") == 0) {
-		success = session_window_change_req(s);
-	} else if (strcmp(rtype, "break") == 0) {
-		success = session_break_req(s);
-	}
-
-	return success;
-}
-
-void
-session_set_fds(Session *s, int fdin, int fdout, int fderr)
-{
-	if (!compat20)
-		fatal("session_set_fds: called for proto != 2.0");
-	/*
-	 * now that have a child and a pipe to the child,
-	 * we can activate our channel and register the fd's
-	 */
-	if (s->chanid == -1)
-		fatal("no channel for session %d", s->self);
-	channel_set_fds(s->chanid,
-	    fdout, fdin, fderr,
-	    fderr == -1 ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
-	    1,
-	    CHAN_SES_WINDOW_DEFAULT);
-}
-
-/*
- * Function to perform pty cleanup. Also called if we get aborted abnormally
- * (e.g., due to a dropped connection).
- */
-void
-session_pty_cleanup2(Session *s)
-{
-	if (s == NULL) {
-		error("session_pty_cleanup: no session");
-		return;
-	}
-	if (s->ttyfd == -1)
-		return;
-
-	debug("session_pty_cleanup: session %d release %s", s->self, s->tty);
-
-	/* Record that the user has logged out. */
-	if (s->pid != 0)
-		record_logout(s->pid, s->tty, s->pw->pw_name);
-
-	/* Release the pseudo-tty. */
-	if (getuid() == 0)
-		pty_release(s->tty);
-
-	/*
-	 * Close the server side of the socket pairs.  We must do this after
-	 * the pty cleanup, so that another process doesn't get this pty
-	 * while we're still cleaning up.
-	 */
-	if (close(s->ptymaster) < 0)
-		error("close(s->ptymaster/%d): %s", s->ptymaster, strerror(errno));
-
-	/* unlink pty from session */
-	s->ttyfd = -1;
-}
-
-void
-session_pty_cleanup(Session *s)
-{
-	PRIVSEP(session_pty_cleanup2(s));
-}
-
-static char *
-sig2name(int sig)
-{
-#define SSH_SIG(x) if (sig == SIG ## x) return #x
-	SSH_SIG(ABRT);
-	SSH_SIG(ALRM);
-	SSH_SIG(FPE);
-	SSH_SIG(HUP);
-	SSH_SIG(ILL);
-	SSH_SIG(INT);
-	SSH_SIG(KILL);
-	SSH_SIG(PIPE);
-	SSH_SIG(QUIT);
-	SSH_SIG(SEGV);
-	SSH_SIG(TERM);
-	SSH_SIG(USR1);
-	SSH_SIG(USR2);
-#undef	SSH_SIG
-	return "SIG@openssh.com";
-}
-
-static void
-session_close_x11(int id)
-{
-	Channel *c;
-
-	if ((c = channel_by_id(id)) == NULL) {
-		debug("session_close_x11: x11 channel %d missing", id);
-	} else {
-		/* Detach X11 listener */
-		debug("session_close_x11: detach x11 channel %d", id);
-		channel_cancel_cleanup(id);
-		if (c->ostate != CHAN_OUTPUT_CLOSED)
-			chan_mark_dead(c);
-	}
-}
-
-static void
-session_close_single_x11(int id, void *arg)
-{
-	Session *s;
-	u_int i;
-
-	debug3("session_close_single_x11: channel %d", id);
-	channel_cancel_cleanup(id);
-	if ((s  = session_by_x11_channel(id)) == NULL)
-		fatal("session_close_single_x11: no x11 channel %d", id);
-	for (i = 0; s->x11_chanids[i] != -1; i++) {
-		debug("session_close_single_x11: session %d: "
-		    "closing channel %d", s->self, s->x11_chanids[i]);
-		/*
-		 * The channel "id" is already closing, but make sure we
-		 * close all of its siblings.
-		 */
-		if (s->x11_chanids[i] != id)
-			session_close_x11(s->x11_chanids[i]);
-	}
-	xfree(s->x11_chanids);
-	s->x11_chanids = NULL;
-	if (s->display) {
-		xfree(s->display);
-		s->display = NULL;
-	}
-	if (s->auth_proto) {
-		xfree(s->auth_proto);
-		s->auth_proto = NULL;
-	}
-	if (s->auth_data) {
-		xfree(s->auth_data);
-		s->auth_data = NULL;
-	}
-	if (s->auth_display) {
-		xfree(s->auth_display);
-		s->auth_display = NULL;
-	}
-}
-
-static void
-session_exit_message(Session *s, int status)
-{
-	Channel *c;
-
-	if ((c = channel_lookup(s->chanid)) == NULL)
-		fatal("session_exit_message: session %d: no channel %d",
-		    s->self, s->chanid);
-	debug("session_exit_message: session %d channel %d pid %ld",
-	    s->self, s->chanid, (long)s->pid);
-
-	if (WIFEXITED(status)) {
-		channel_request_start(s->chanid, "exit-status", 0);
-		packet_put_int(WEXITSTATUS(status));
-		packet_send();
-	} else if (WIFSIGNALED(status)) {
-		channel_request_start(s->chanid, "exit-signal", 0);
-		packet_put_cstring(sig2name(WTERMSIG(status)));
-#ifdef WCOREDUMP
-		packet_put_char(WCOREDUMP(status));
-#else /* WCOREDUMP */
-		packet_put_char(0);
-#endif /* WCOREDUMP */
-		packet_put_cstring("");
-		packet_put_cstring("");
-		packet_send();
-	} else {
-		/* Some weird exit cause.  Just exit. */
-		packet_disconnect("wait returned status %04x.", status);
-	}
-
-	/* disconnect channel */
-	debug("session_exit_message: release channel %d", s->chanid);
-
-	/*
-	 * Adjust cleanup callback attachment to send close messages when
-	 * the channel gets EOF. The session will be then be closed
-	 * by session_close_by_channel when the childs close their fds.
-	 */
-	channel_register_cleanup(c->self, session_close_by_channel, 1);
-
-	/*
-	 * emulate a write failure with 'chan_write_failed', nobody will be
-	 * interested in data we write.
-	 * Note that we must not call 'chan_read_failed', since there could
-	 * be some more data waiting in the pipe.
-	 */
-	if (c->ostate != CHAN_OUTPUT_CLOSED)
-		chan_write_failed(c);
-}
-
-void
-session_close(Session *s)
-{
-	u_int i;
-
-	debug("session_close: session %d pid %ld", s->self, (long)s->pid);
-	if (s->ttyfd != -1)
-		session_pty_cleanup(s);
-	if (s->term)
-		xfree(s->term);
-	if (s->display)
-		xfree(s->display);
-	if (s->x11_chanids)
-		xfree(s->x11_chanids);
-	if (s->auth_display)
-		xfree(s->auth_display);
-	if (s->auth_data)
-		xfree(s->auth_data);
-	if (s->auth_proto)
-		xfree(s->auth_proto);
-	s->used = 0;
-	if (s->env != NULL) {
-		for (i = 0; i < s->num_env; i++) {
-			xfree(s->env[i].name);
-			xfree(s->env[i].val);
-		}
-		xfree(s->env);
-	}
-	session_proctitle(s);
-}
-
-void
-session_close_by_pid(pid_t pid, int status)
-{
-	Session *s = session_by_pid(pid);
-	if (s == NULL) {
-		debug("session_close_by_pid: no session for pid %ld",
-		    (long)pid);
-		return;
-	}
-	if (s->chanid != -1)
-		session_exit_message(s, status);
-	if (s->ttyfd != -1)
-		session_pty_cleanup(s);
-	s->pid = 0;
-}
-
-/*
- * this is called when a channel dies before
- * the session 'child' itself dies
- */
-void
-session_close_by_channel(int id, void *arg)
-{
-	Session *s = session_by_channel(id);
-	u_int i;
-
-	if (s == NULL) {
-		debug("session_close_by_channel: no session for id %d", id);
-		return;
-	}
-	debug("session_close_by_channel: channel %d child %ld",
-	    id, (long)s->pid);
-	if (s->pid != 0) {
-		debug("session_close_by_channel: channel %d: has child", id);
-		/*
-		 * delay detach of session, but release pty, since
-		 * the fd's to the child are already closed
-		 */
-		if (s->ttyfd != -1)
-			session_pty_cleanup(s);
-		return;
-	}
-	/* detach by removing callback */
-	channel_cancel_cleanup(s->chanid);
-
-	/* Close any X11 listeners associated with this session */
-	if (s->x11_chanids != NULL) {
-		for (i = 0; s->x11_chanids[i] != -1; i++) {
-			session_close_x11(s->x11_chanids[i]);
-			s->x11_chanids[i] = -1;
-		}
-	}
-
-	s->chanid = -1;
-	session_close(s);
-}
-
-void
-session_destroy_all(void (*closefunc)(Session *))
-{
-	int i;
-	for (i = 0; i < MAX_SESSIONS; i++) {
-		Session *s = &sessions[i];
-		if (s->used) {
-			if (closefunc != NULL)
-				closefunc(s);
-			else
-				session_close(s);
-		}
-	}
-}
-
-static char *
-session_tty_list(void)
-{
-	static char buf[1024];
-	int i;
-	char *cp;
-
-	buf[0] = '\0';
-	for (i = 0; i < MAX_SESSIONS; i++) {
-		Session *s = &sessions[i];
-		if (s->used && s->ttyfd != -1) {
-
-			if (strncmp(s->tty, "/dev/", 5) != 0) {
-				cp = strrchr(s->tty, '/');
-				cp = (cp == NULL) ? s->tty : cp + 1;
-			} else
-				cp = s->tty + 5;
-
-			if (buf[0] != '\0')
-				strlcat(buf, ",", sizeof buf);
-			strlcat(buf, cp, sizeof buf);
-		}
-	}
-	if (buf[0] == '\0')
-		strlcpy(buf, "notty", sizeof buf);
-	return buf;
-}
-
-void
-session_proctitle(Session *s)
-{
-	if (s->pw == NULL)
-		error("no user for session %d", s->self);
-	else
-		setproctitle("%s@%s", s->pw->pw_name, session_tty_list());
-}
-
-int
-session_setup_x11fwd(Session *s)
-{
-	struct stat st;
-	char display[512], auth_display[512];
-	char hostname[MAXHOSTNAMELEN];
-	u_int i;
-
-	if (no_x11_forwarding_flag) {
-		packet_send_debug("X11 forwarding disabled in user configuration file.");
-		return 0;
-	}
-	if (!options.x11_forwarding) {
-		debug("X11 forwarding disabled in server configuration file.");
-		return 0;
-	}
-	if (!options.xauth_location ||
-	    (stat(options.xauth_location, &st) == -1)) {
-		packet_send_debug("No xauth program; cannot forward with spoofing.");
-		return 0;
-	}
-	if (options.use_login) {
-		packet_send_debug("X11 forwarding disabled; "
-		    "not compatible with UseLogin=yes.");
-		return 0;
-	}
-	if (s->display != NULL) {
-		debug("X11 display already set.");
-		return 0;
-	}
-	if (x11_create_display_inet(options.x11_display_offset,
-	    options.x11_use_localhost, s->single_connection,
-	    &s->display_number, &s->x11_chanids) == -1) {
-		debug("x11_create_display_inet failed.");
-		return 0;
-	}
-	for (i = 0; s->x11_chanids[i] != -1; i++) {
-		channel_register_cleanup(s->x11_chanids[i],
-		    session_close_single_x11, 0);
-	}
-
-	/* Set up a suitable value for the DISPLAY variable. */
-	if (gethostname(hostname, sizeof(hostname)) < 0)
-		fatal("gethostname: %.100s", strerror(errno));
-	/*
-	 * auth_display must be used as the displayname when the
-	 * authorization entry is added with xauth(1).  This will be
-	 * different than the DISPLAY string for localhost displays.
-	 */
-	if (options.x11_use_localhost) {
-		snprintf(display, sizeof display, "localhost:%u.%u",
-		    s->display_number, s->screen);
-		snprintf(auth_display, sizeof auth_display, "unix:%u.%u",
-		    s->display_number, s->screen);
-		s->display = xstrdup(display);
-		s->auth_display = xstrdup(auth_display);
-	} else {
-#ifdef IPADDR_IN_DISPLAY
-		struct hostent *he;
-		struct in_addr my_addr;
-
-		he = gethostbyname(hostname);
-		if (he == NULL) {
-			error("Can't get IP address for X11 DISPLAY.");
-			packet_send_debug("Can't get IP address for X11 DISPLAY.");
-			return 0;
-		}
-		memcpy(&my_addr, he->h_addr_list[0], sizeof(struct in_addr));
-		snprintf(display, sizeof display, "%.50s:%u.%u", inet_ntoa(my_addr),
-		    s->display_number, s->screen);
-#else
-		snprintf(display, sizeof display, "%.400s:%u.%u", hostname,
-		    s->display_number, s->screen);
-#endif
-		s->display = xstrdup(display);
-		s->auth_display = xstrdup(display);
-	}
-
-	return 1;
-}
-
-static void
-do_authenticated2(Authctxt *authctxt)
-{
-	server_loop2(authctxt);
-}
-
-void
-do_cleanup(Authctxt *authctxt)
-{
-	static int called = 0;
-
-	debug("do_cleanup");
-
-	/* no cleanup if we're in the child for login shell */
-	if (is_child)
-		return;
-
-	/* avoid double cleanup */
-	if (called)
-		return;
-	called = 1;
-
-	if (authctxt == NULL || !authctxt->authenticated)
-		return;
-#ifdef KRB5
-	if (options.kerberos_ticket_cleanup &&
-	    authctxt->krb5_ctx)
-		krb5_cleanup_proc(authctxt);
-#endif
-
-#ifdef GSSAPI
-	if (compat20 && options.gss_cleanup_creds)
-		ssh_gssapi_cleanup_creds();
-#endif
-
-#ifdef USE_PAM
-	if (options.use_pam) {
-		sshpam_cleanup();
-		sshpam_thread_cleanup();
-	}
-#endif
-
-	/* remove agent socket */
-	auth_sock_cleanup_proc(authctxt->pw);
-
-	/*
-	 * Cleanup ptys/utmp only if privsep is disabled,
-	 * or if running in monitor.
-	 */
-	if (!use_privsep || mm_is_monitor())
-		session_destroy_all(session_pty_cleanup2);
-}
diff --git a/crypto/openssh/session.h b/crypto/openssh/session.h
deleted file mode 100644
index ee9338e..0000000
--- a/crypto/openssh/session.h
+++ /dev/null
@@ -1,81 +0,0 @@
-/* $OpenBSD: session.h,v 1.29 2006/08/03 03:34:42 deraadt Exp $ */
-
-/*
- * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-#ifndef SESSION_H
-#define SESSION_H
-
-#define TTYSZ 64
-typedef struct Session Session;
-struct Session {
-	int	used;
-	int	self;
-	struct passwd *pw;
-	Authctxt *authctxt;
-	pid_t	pid;
-
-	/* tty */
-	char	*term;
-	int	ptyfd, ttyfd, ptymaster;
-	u_int	row, col, xpixel, ypixel;
-	char	tty[TTYSZ];
-
-	/* X11 */
-	u_int	display_number;
-	char	*display;
-	u_int	screen;
-	char	*auth_display;
-	char	*auth_proto;
-	char	*auth_data;
-	int	single_connection;
-
-	/* proto 2 */
-	int	chanid;
-	int	*x11_chanids;
-	int	is_subsystem;
-	u_int	num_env;
-	struct {
-		char	*name;
-		char	*val;
-	} *env;
-};
-
-void	 do_authenticated(Authctxt *);
-void	 do_cleanup(Authctxt *);
-
-int	 session_open(Authctxt *, int);
-int	 session_input_channel_req(Channel *, const char *);
-void	 session_close_by_pid(pid_t, int);
-void	 session_close_by_channel(int, void *);
-void	 session_destroy_all(void (*)(Session *));
-void	 session_pty_cleanup2(Session *);
-
-Session	*session_new(void);
-Session	*session_by_tty(char *);
-void	 session_close(Session *);
-void	 do_setusercontext(struct passwd *);
-void	 child_set_env(char ***envp, u_int *envsizep, const char *name,
-		       const char *value);
-
-#endif
diff --git a/crypto/openssh/sftp-client.c b/crypto/openssh/sftp-client.c
deleted file mode 100644
index 42eb2b4..0000000
--- a/crypto/openssh/sftp-client.c
+++ /dev/null
@@ -1,1174 +0,0 @@
-/* $OpenBSD: sftp-client.c,v 1.75 2006/10/22 02:25:50 djm Exp $ */
-/*
- * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* XXX: memleaks */
-/* XXX: signed vs unsigned */
-/* XXX: remove all logging, only return status codes */
-/* XXX: copy between two remote sites */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include "openbsd-compat/sys-queue.h"
-#ifdef HAVE_SYS_STAT_H
-# include <sys/stat.h>
-#endif
-#ifdef HAVE_SYS_TIME_H
-# include <sys/time.h>
-#endif
-#include <sys/uio.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#include <signal.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "xmalloc.h"
-#include "buffer.h"
-#include "log.h"
-#include "atomicio.h"
-#include "progressmeter.h"
-#include "misc.h"
-
-#include "sftp.h"
-#include "sftp-common.h"
-#include "sftp-client.h"
-
-extern volatile sig_atomic_t interrupted;
-extern int showprogress;
-
-/* Minimum amount of data to read at a time */
-#define MIN_READ_SIZE	512
-
-struct sftp_conn {
-	int fd_in;
-	int fd_out;
-	u_int transfer_buflen;
-	u_int num_requests;
-	u_int version;
-	u_int msg_id;
-};
-
-static void
-send_msg(int fd, Buffer *m)
-{
-	u_char mlen[4];
-	struct iovec iov[2];
-
-	if (buffer_len(m) > SFTP_MAX_MSG_LENGTH)
-		fatal("Outbound message too long %u", buffer_len(m));
-
-	/* Send length first */
-	put_u32(mlen, buffer_len(m));
-	iov[0].iov_base = mlen;
-	iov[0].iov_len = sizeof(mlen);
-	iov[1].iov_base = buffer_ptr(m);
-	iov[1].iov_len = buffer_len(m);
-
-	if (atomiciov(writev, fd, iov, 2) != buffer_len(m) + sizeof(mlen))
-		fatal("Couldn't send packet: %s", strerror(errno));
-
-	buffer_clear(m);
-}
-
-static void
-get_msg(int fd, Buffer *m)
-{
-	u_int msg_len;
-
-	buffer_append_space(m, 4);
-	if (atomicio(read, fd, buffer_ptr(m), 4) != 4) {
-		if (errno == EPIPE)
-			fatal("Connection closed");
-		else
-			fatal("Couldn't read packet: %s", strerror(errno));
-	}
-
-	msg_len = buffer_get_int(m);
-	if (msg_len > SFTP_MAX_MSG_LENGTH)
-		fatal("Received message too long %u", msg_len);
-
-	buffer_append_space(m, msg_len);
-	if (atomicio(read, fd, buffer_ptr(m), msg_len) != msg_len) {
-		if (errno == EPIPE)
-			fatal("Connection closed");
-		else
-			fatal("Read packet: %s", strerror(errno));
-	}
-}
-
-static void
-send_string_request(int fd, u_int id, u_int code, char *s,
-    u_int len)
-{
-	Buffer msg;
-
-	buffer_init(&msg);
-	buffer_put_char(&msg, code);
-	buffer_put_int(&msg, id);
-	buffer_put_string(&msg, s, len);
-	send_msg(fd, &msg);
-	debug3("Sent message fd %d T:%u I:%u", fd, code, id);
-	buffer_free(&msg);
-}
-
-static void
-send_string_attrs_request(int fd, u_int id, u_int code, char *s,
-    u_int len, Attrib *a)
-{
-	Buffer msg;
-
-	buffer_init(&msg);
-	buffer_put_char(&msg, code);
-	buffer_put_int(&msg, id);
-	buffer_put_string(&msg, s, len);
-	encode_attrib(&msg, a);
-	send_msg(fd, &msg);
-	debug3("Sent message fd %d T:%u I:%u", fd, code, id);
-	buffer_free(&msg);
-}
-
-static u_int
-get_status(int fd, u_int expected_id)
-{
-	Buffer msg;
-	u_int type, id, status;
-
-	buffer_init(&msg);
-	get_msg(fd, &msg);
-	type = buffer_get_char(&msg);
-	id = buffer_get_int(&msg);
-
-	if (id != expected_id)
-		fatal("ID mismatch (%u != %u)", id, expected_id);
-	if (type != SSH2_FXP_STATUS)
-		fatal("Expected SSH2_FXP_STATUS(%u) packet, got %u",
-		    SSH2_FXP_STATUS, type);
-
-	status = buffer_get_int(&msg);
-	buffer_free(&msg);
-
-	debug3("SSH2_FXP_STATUS %u", status);
-
-	return(status);
-}
-
-static char *
-get_handle(int fd, u_int expected_id, u_int *len)
-{
-	Buffer msg;
-	u_int type, id;
-	char *handle;
-
-	buffer_init(&msg);
-	get_msg(fd, &msg);
-	type = buffer_get_char(&msg);
-	id = buffer_get_int(&msg);
-
-	if (id != expected_id)
-		fatal("ID mismatch (%u != %u)", id, expected_id);
-	if (type == SSH2_FXP_STATUS) {
-		int status = buffer_get_int(&msg);
-
-		error("Couldn't get handle: %s", fx2txt(status));
-		buffer_free(&msg);
-		return(NULL);
-	} else if (type != SSH2_FXP_HANDLE)
-		fatal("Expected SSH2_FXP_HANDLE(%u) packet, got %u",
-		    SSH2_FXP_HANDLE, type);
-
-	handle = buffer_get_string(&msg, len);
-	buffer_free(&msg);
-
-	return(handle);
-}
-
-static Attrib *
-get_decode_stat(int fd, u_int expected_id, int quiet)
-{
-	Buffer msg;
-	u_int type, id;
-	Attrib *a;
-
-	buffer_init(&msg);
-	get_msg(fd, &msg);
-
-	type = buffer_get_char(&msg);
-	id = buffer_get_int(&msg);
-
-	debug3("Received stat reply T:%u I:%u", type, id);
-	if (id != expected_id)
-		fatal("ID mismatch (%u != %u)", id, expected_id);
-	if (type == SSH2_FXP_STATUS) {
-		int status = buffer_get_int(&msg);
-
-		if (quiet)
-			debug("Couldn't stat remote file: %s", fx2txt(status));
-		else
-			error("Couldn't stat remote file: %s", fx2txt(status));
-		buffer_free(&msg);
-		return(NULL);
-	} else if (type != SSH2_FXP_ATTRS) {
-		fatal("Expected SSH2_FXP_ATTRS(%u) packet, got %u",
-		    SSH2_FXP_ATTRS, type);
-	}
-	a = decode_attrib(&msg);
-	buffer_free(&msg);
-
-	return(a);
-}
-
-struct sftp_conn *
-do_init(int fd_in, int fd_out, u_int transfer_buflen, u_int num_requests)
-{
-	u_int type;
-	int version;
-	Buffer msg;
-	struct sftp_conn *ret;
-
-	buffer_init(&msg);
-	buffer_put_char(&msg, SSH2_FXP_INIT);
-	buffer_put_int(&msg, SSH2_FILEXFER_VERSION);
-	send_msg(fd_out, &msg);
-
-	buffer_clear(&msg);
-
-	get_msg(fd_in, &msg);
-
-	/* Expecting a VERSION reply */
-	if ((type = buffer_get_char(&msg)) != SSH2_FXP_VERSION) {
-		error("Invalid packet back from SSH2_FXP_INIT (type %u)",
-		    type);
-		buffer_free(&msg);
-		return(NULL);
-	}
-	version = buffer_get_int(&msg);
-
-	debug2("Remote version: %d", version);
-
-	/* Check for extensions */
-	while (buffer_len(&msg) > 0) {
-		char *name = buffer_get_string(&msg, NULL);
-		char *value = buffer_get_string(&msg, NULL);
-
-		debug2("Init extension: \"%s\"", name);
-		xfree(name);
-		xfree(value);
-	}
-
-	buffer_free(&msg);
-
-	ret = xmalloc(sizeof(*ret));
-	ret->fd_in = fd_in;
-	ret->fd_out = fd_out;
-	ret->transfer_buflen = transfer_buflen;
-	ret->num_requests = num_requests;
-	ret->version = version;
-	ret->msg_id = 1;
-
-	/* Some filexfer v.0 servers don't support large packets */
-	if (version == 0)
-		ret->transfer_buflen = MIN(ret->transfer_buflen, 20480);
-
-	return(ret);
-}
-
-u_int
-sftp_proto_version(struct sftp_conn *conn)
-{
-	return(conn->version);
-}
-
-int
-do_close(struct sftp_conn *conn, char *handle, u_int handle_len)
-{
-	u_int id, status;
-	Buffer msg;
-
-	buffer_init(&msg);
-
-	id = conn->msg_id++;
-	buffer_put_char(&msg, SSH2_FXP_CLOSE);
-	buffer_put_int(&msg, id);
-	buffer_put_string(&msg, handle, handle_len);
-	send_msg(conn->fd_out, &msg);
-	debug3("Sent message SSH2_FXP_CLOSE I:%u", id);
-
-	status = get_status(conn->fd_in, id);
-	if (status != SSH2_FX_OK)
-		error("Couldn't close file: %s", fx2txt(status));
-
-	buffer_free(&msg);
-
-	return(status);
-}
-
-
-static int
-do_lsreaddir(struct sftp_conn *conn, char *path, int printflag,
-    SFTP_DIRENT ***dir)
-{
-	Buffer msg;
-	u_int count, type, id, handle_len, i, expected_id, ents = 0;
-	char *handle;
-
-	id = conn->msg_id++;
-
-	buffer_init(&msg);
-	buffer_put_char(&msg, SSH2_FXP_OPENDIR);
-	buffer_put_int(&msg, id);
-	buffer_put_cstring(&msg, path);
-	send_msg(conn->fd_out, &msg);
-
-	buffer_clear(&msg);
-
-	handle = get_handle(conn->fd_in, id, &handle_len);
-	if (handle == NULL)
-		return(-1);
-
-	if (dir) {
-		ents = 0;
-		*dir = xmalloc(sizeof(**dir));
-		(*dir)[0] = NULL;
-	}
-
-	for (; !interrupted;) {
-		id = expected_id = conn->msg_id++;
-
-		debug3("Sending SSH2_FXP_READDIR I:%u", id);
-
-		buffer_clear(&msg);
-		buffer_put_char(&msg, SSH2_FXP_READDIR);
-		buffer_put_int(&msg, id);
-		buffer_put_string(&msg, handle, handle_len);
-		send_msg(conn->fd_out, &msg);
-
-		buffer_clear(&msg);
-
-		get_msg(conn->fd_in, &msg);
-
-		type = buffer_get_char(&msg);
-		id = buffer_get_int(&msg);
-
-		debug3("Received reply T:%u I:%u", type, id);
-
-		if (id != expected_id)
-			fatal("ID mismatch (%u != %u)", id, expected_id);
-
-		if (type == SSH2_FXP_STATUS) {
-			int status = buffer_get_int(&msg);
-
-			debug3("Received SSH2_FXP_STATUS %d", status);
-
-			if (status == SSH2_FX_EOF) {
-				break;
-			} else {
-				error("Couldn't read directory: %s",
-				    fx2txt(status));
-				do_close(conn, handle, handle_len);
-				xfree(handle);
-				return(status);
-			}
-		} else if (type != SSH2_FXP_NAME)
-			fatal("Expected SSH2_FXP_NAME(%u) packet, got %u",
-			    SSH2_FXP_NAME, type);
-
-		count = buffer_get_int(&msg);
-		if (count == 0)
-			break;
-		debug3("Received %d SSH2_FXP_NAME responses", count);
-		for (i = 0; i < count; i++) {
-			char *filename, *longname;
-			Attrib *a;
-
-			filename = buffer_get_string(&msg, NULL);
-			longname = buffer_get_string(&msg, NULL);
-			a = decode_attrib(&msg);
-
-			if (printflag)
-				printf("%s\n", longname);
-
-			if (dir) {
-				*dir = xrealloc(*dir, ents + 2, sizeof(**dir));
-				(*dir)[ents] = xmalloc(sizeof(***dir));
-				(*dir)[ents]->filename = xstrdup(filename);
-				(*dir)[ents]->longname = xstrdup(longname);
-				memcpy(&(*dir)[ents]->a, a, sizeof(*a));
-				(*dir)[++ents] = NULL;
-			}
-
-			xfree(filename);
-			xfree(longname);
-		}
-	}
-
-	buffer_free(&msg);
-	do_close(conn, handle, handle_len);
-	xfree(handle);
-
-	/* Don't return partial matches on interrupt */
-	if (interrupted && dir != NULL && *dir != NULL) {
-		free_sftp_dirents(*dir);
-		*dir = xmalloc(sizeof(**dir));
-		**dir = NULL;
-	}
-
-	return(0);
-}
-
-int
-do_readdir(struct sftp_conn *conn, char *path, SFTP_DIRENT ***dir)
-{
-	return(do_lsreaddir(conn, path, 0, dir));
-}
-
-void free_sftp_dirents(SFTP_DIRENT **s)
-{
-	int i;
-
-	for (i = 0; s[i]; i++) {
-		xfree(s[i]->filename);
-		xfree(s[i]->longname);
-		xfree(s[i]);
-	}
-	xfree(s);
-}
-
-int
-do_rm(struct sftp_conn *conn, char *path)
-{
-	u_int status, id;
-
-	debug2("Sending SSH2_FXP_REMOVE \"%s\"", path);
-
-	id = conn->msg_id++;
-	send_string_request(conn->fd_out, id, SSH2_FXP_REMOVE, path,
-	    strlen(path));
-	status = get_status(conn->fd_in, id);
-	if (status != SSH2_FX_OK)
-		error("Couldn't delete file: %s", fx2txt(status));
-	return(status);
-}
-
-int
-do_mkdir(struct sftp_conn *conn, char *path, Attrib *a)
-{
-	u_int status, id;
-
-	id = conn->msg_id++;
-	send_string_attrs_request(conn->fd_out, id, SSH2_FXP_MKDIR, path,
-	    strlen(path), a);
-
-	status = get_status(conn->fd_in, id);
-	if (status != SSH2_FX_OK)
-		error("Couldn't create directory: %s", fx2txt(status));
-
-	return(status);
-}
-
-int
-do_rmdir(struct sftp_conn *conn, char *path)
-{
-	u_int status, id;
-
-	id = conn->msg_id++;
-	send_string_request(conn->fd_out, id, SSH2_FXP_RMDIR, path,
-	    strlen(path));
-
-	status = get_status(conn->fd_in, id);
-	if (status != SSH2_FX_OK)
-		error("Couldn't remove directory: %s", fx2txt(status));
-
-	return(status);
-}
-
-Attrib *
-do_stat(struct sftp_conn *conn, char *path, int quiet)
-{
-	u_int id;
-
-	id = conn->msg_id++;
-
-	send_string_request(conn->fd_out, id,
-	    conn->version == 0 ? SSH2_FXP_STAT_VERSION_0 : SSH2_FXP_STAT,
-	    path, strlen(path));
-
-	return(get_decode_stat(conn->fd_in, id, quiet));
-}
-
-Attrib *
-do_lstat(struct sftp_conn *conn, char *path, int quiet)
-{
-	u_int id;
-
-	if (conn->version == 0) {
-		if (quiet)
-			debug("Server version does not support lstat operation");
-		else
-			logit("Server version does not support lstat operation");
-		return(do_stat(conn, path, quiet));
-	}
-
-	id = conn->msg_id++;
-	send_string_request(conn->fd_out, id, SSH2_FXP_LSTAT, path,
-	    strlen(path));
-
-	return(get_decode_stat(conn->fd_in, id, quiet));
-}
-
-Attrib *
-do_fstat(struct sftp_conn *conn, char *handle, u_int handle_len, int quiet)
-{
-	u_int id;
-
-	id = conn->msg_id++;
-	send_string_request(conn->fd_out, id, SSH2_FXP_FSTAT, handle,
-	    handle_len);
-
-	return(get_decode_stat(conn->fd_in, id, quiet));
-}
-
-int
-do_setstat(struct sftp_conn *conn, char *path, Attrib *a)
-{
-	u_int status, id;
-
-	id = conn->msg_id++;
-	send_string_attrs_request(conn->fd_out, id, SSH2_FXP_SETSTAT, path,
-	    strlen(path), a);
-
-	status = get_status(conn->fd_in, id);
-	if (status != SSH2_FX_OK)
-		error("Couldn't setstat on \"%s\": %s", path,
-		    fx2txt(status));
-
-	return(status);
-}
-
-int
-do_fsetstat(struct sftp_conn *conn, char *handle, u_int handle_len,
-    Attrib *a)
-{
-	u_int status, id;
-
-	id = conn->msg_id++;
-	send_string_attrs_request(conn->fd_out, id, SSH2_FXP_FSETSTAT, handle,
-	    handle_len, a);
-
-	status = get_status(conn->fd_in, id);
-	if (status != SSH2_FX_OK)
-		error("Couldn't fsetstat: %s", fx2txt(status));
-
-	return(status);
-}
-
-char *
-do_realpath(struct sftp_conn *conn, char *path)
-{
-	Buffer msg;
-	u_int type, expected_id, count, id;
-	char *filename, *longname;
-	Attrib *a;
-
-	expected_id = id = conn->msg_id++;
-	send_string_request(conn->fd_out, id, SSH2_FXP_REALPATH, path,
-	    strlen(path));
-
-	buffer_init(&msg);
-
-	get_msg(conn->fd_in, &msg);
-	type = buffer_get_char(&msg);
-	id = buffer_get_int(&msg);
-
-	if (id != expected_id)
-		fatal("ID mismatch (%u != %u)", id, expected_id);
-
-	if (type == SSH2_FXP_STATUS) {
-		u_int status = buffer_get_int(&msg);
-
-		error("Couldn't canonicalise: %s", fx2txt(status));
-		return(NULL);
-	} else if (type != SSH2_FXP_NAME)
-		fatal("Expected SSH2_FXP_NAME(%u) packet, got %u",
-		    SSH2_FXP_NAME, type);
-
-	count = buffer_get_int(&msg);
-	if (count != 1)
-		fatal("Got multiple names (%d) from SSH_FXP_REALPATH", count);
-
-	filename = buffer_get_string(&msg, NULL);
-	longname = buffer_get_string(&msg, NULL);
-	a = decode_attrib(&msg);
-
-	debug3("SSH_FXP_REALPATH %s -> %s", path, filename);
-
-	xfree(longname);
-
-	buffer_free(&msg);
-
-	return(filename);
-}
-
-int
-do_rename(struct sftp_conn *conn, char *oldpath, char *newpath)
-{
-	Buffer msg;
-	u_int status, id;
-
-	buffer_init(&msg);
-
-	/* Send rename request */
-	id = conn->msg_id++;
-	buffer_put_char(&msg, SSH2_FXP_RENAME);
-	buffer_put_int(&msg, id);
-	buffer_put_cstring(&msg, oldpath);
-	buffer_put_cstring(&msg, newpath);
-	send_msg(conn->fd_out, &msg);
-	debug3("Sent message SSH2_FXP_RENAME \"%s\" -> \"%s\"", oldpath,
-	    newpath);
-	buffer_free(&msg);
-
-	status = get_status(conn->fd_in, id);
-	if (status != SSH2_FX_OK)
-		error("Couldn't rename file \"%s\" to \"%s\": %s", oldpath,
-		    newpath, fx2txt(status));
-
-	return(status);
-}
-
-int
-do_symlink(struct sftp_conn *conn, char *oldpath, char *newpath)
-{
-	Buffer msg;
-	u_int status, id;
-
-	if (conn->version < 3) {
-		error("This server does not support the symlink operation");
-		return(SSH2_FX_OP_UNSUPPORTED);
-	}
-
-	buffer_init(&msg);
-
-	/* Send symlink request */
-	id = conn->msg_id++;
-	buffer_put_char(&msg, SSH2_FXP_SYMLINK);
-	buffer_put_int(&msg, id);
-	buffer_put_cstring(&msg, oldpath);
-	buffer_put_cstring(&msg, newpath);
-	send_msg(conn->fd_out, &msg);
-	debug3("Sent message SSH2_FXP_SYMLINK \"%s\" -> \"%s\"", oldpath,
-	    newpath);
-	buffer_free(&msg);
-
-	status = get_status(conn->fd_in, id);
-	if (status != SSH2_FX_OK)
-		error("Couldn't symlink file \"%s\" to \"%s\": %s", oldpath,
-		    newpath, fx2txt(status));
-
-	return(status);
-}
-
-char *
-do_readlink(struct sftp_conn *conn, char *path)
-{
-	Buffer msg;
-	u_int type, expected_id, count, id;
-	char *filename, *longname;
-	Attrib *a;
-
-	expected_id = id = conn->msg_id++;
-	send_string_request(conn->fd_out, id, SSH2_FXP_READLINK, path,
-	    strlen(path));
-
-	buffer_init(&msg);
-
-	get_msg(conn->fd_in, &msg);
-	type = buffer_get_char(&msg);
-	id = buffer_get_int(&msg);
-
-	if (id != expected_id)
-		fatal("ID mismatch (%u != %u)", id, expected_id);
-
-	if (type == SSH2_FXP_STATUS) {
-		u_int status = buffer_get_int(&msg);
-
-		error("Couldn't readlink: %s", fx2txt(status));
-		return(NULL);
-	} else if (type != SSH2_FXP_NAME)
-		fatal("Expected SSH2_FXP_NAME(%u) packet, got %u",
-		    SSH2_FXP_NAME, type);
-
-	count = buffer_get_int(&msg);
-	if (count != 1)
-		fatal("Got multiple names (%d) from SSH_FXP_READLINK", count);
-
-	filename = buffer_get_string(&msg, NULL);
-	longname = buffer_get_string(&msg, NULL);
-	a = decode_attrib(&msg);
-
-	debug3("SSH_FXP_READLINK %s -> %s", path, filename);
-
-	xfree(longname);
-
-	buffer_free(&msg);
-
-	return(filename);
-}
-
-static void
-send_read_request(int fd_out, u_int id, u_int64_t offset, u_int len,
-    char *handle, u_int handle_len)
-{
-	Buffer msg;
-
-	buffer_init(&msg);
-	buffer_clear(&msg);
-	buffer_put_char(&msg, SSH2_FXP_READ);
-	buffer_put_int(&msg, id);
-	buffer_put_string(&msg, handle, handle_len);
-	buffer_put_int64(&msg, offset);
-	buffer_put_int(&msg, len);
-	send_msg(fd_out, &msg);
-	buffer_free(&msg);
-}
-
-int
-do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
-    int pflag)
-{
-	Attrib junk, *a;
-	Buffer msg;
-	char *handle;
-	int local_fd, status = 0, write_error;
-	int read_error, write_errno;
-	u_int64_t offset, size;
-	u_int handle_len, mode, type, id, buflen, num_req, max_req;
-	off_t progress_counter;
-	struct request {
-		u_int id;
-		u_int len;
-		u_int64_t offset;
-		TAILQ_ENTRY(request) tq;
-	};
-	TAILQ_HEAD(reqhead, request) requests;
-	struct request *req;
-
-	TAILQ_INIT(&requests);
-
-	a = do_stat(conn, remote_path, 0);
-	if (a == NULL)
-		return(-1);
-
-	/* XXX: should we preserve set[ug]id? */
-	if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS)
-		mode = a->perm & 0777;
-	else
-		mode = 0666;
-
-	if ((a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) &&
-	    (!S_ISREG(a->perm))) {
-		error("Cannot download non-regular file: %s", remote_path);
-		return(-1);
-	}
-
-	if (a->flags & SSH2_FILEXFER_ATTR_SIZE)
-		size = a->size;
-	else
-		size = 0;
-
-	buflen = conn->transfer_buflen;
-	buffer_init(&msg);
-
-	/* Send open request */
-	id = conn->msg_id++;
-	buffer_put_char(&msg, SSH2_FXP_OPEN);
-	buffer_put_int(&msg, id);
-	buffer_put_cstring(&msg, remote_path);
-	buffer_put_int(&msg, SSH2_FXF_READ);
-	attrib_clear(&junk); /* Send empty attributes */
-	encode_attrib(&msg, &junk);
-	send_msg(conn->fd_out, &msg);
-	debug3("Sent message SSH2_FXP_OPEN I:%u P:%s", id, remote_path);
-
-	handle = get_handle(conn->fd_in, id, &handle_len);
-	if (handle == NULL) {
-		buffer_free(&msg);
-		return(-1);
-	}
-
-	local_fd = open(local_path, O_WRONLY | O_CREAT | O_TRUNC,
-	    mode | S_IWRITE);
-	if (local_fd == -1) {
-		error("Couldn't open local file \"%s\" for writing: %s",
-		    local_path, strerror(errno));
-		buffer_free(&msg);
-		xfree(handle);
-		return(-1);
-	}
-
-	/* Read from remote and write to local */
-	write_error = read_error = write_errno = num_req = offset = 0;
-	max_req = 1;
-	progress_counter = 0;
-
-	if (showprogress && size != 0)
-		start_progress_meter(remote_path, size, &progress_counter);
-
-	while (num_req > 0 || max_req > 0) {
-		char *data;
-		u_int len;
-
-		/*
-		 * Simulate EOF on interrupt: stop sending new requests and
-		 * allow outstanding requests to drain gracefully
-		 */
-		if (interrupted) {
-			if (num_req == 0) /* If we haven't started yet... */
-				break;
-			max_req = 0;
-		}
-
-		/* Send some more requests */
-		while (num_req < max_req) {
-			debug3("Request range %llu -> %llu (%d/%d)",
-			    (unsigned long long)offset,
-			    (unsigned long long)offset + buflen - 1,
-			    num_req, max_req);
-			req = xmalloc(sizeof(*req));
-			req->id = conn->msg_id++;
-			req->len = buflen;
-			req->offset = offset;
-			offset += buflen;
-			num_req++;
-			TAILQ_INSERT_TAIL(&requests, req, tq);
-			send_read_request(conn->fd_out, req->id, req->offset,
-			    req->len, handle, handle_len);
-		}
-
-		buffer_clear(&msg);
-		get_msg(conn->fd_in, &msg);
-		type = buffer_get_char(&msg);
-		id = buffer_get_int(&msg);
-		debug3("Received reply T:%u I:%u R:%d", type, id, max_req);
-
-		/* Find the request in our queue */
-		for (req = TAILQ_FIRST(&requests);
-		    req != NULL && req->id != id;
-		    req = TAILQ_NEXT(req, tq))
-			;
-		if (req == NULL)
-			fatal("Unexpected reply %u", id);
-
-		switch (type) {
-		case SSH2_FXP_STATUS:
-			status = buffer_get_int(&msg);
-			if (status != SSH2_FX_EOF)
-				read_error = 1;
-			max_req = 0;
-			TAILQ_REMOVE(&requests, req, tq);
-			xfree(req);
-			num_req--;
-			break;
-		case SSH2_FXP_DATA:
-			data = buffer_get_string(&msg, &len);
-			debug3("Received data %llu -> %llu",
-			    (unsigned long long)req->offset,
-			    (unsigned long long)req->offset + len - 1);
-			if (len > req->len)
-				fatal("Received more data than asked for "
-				    "%u > %u", len, req->len);
-			if ((lseek(local_fd, req->offset, SEEK_SET) == -1 ||
-			    atomicio(vwrite, local_fd, data, len) != len) &&
-			    !write_error) {
-				write_errno = errno;
-				write_error = 1;
-				max_req = 0;
-			}
-			progress_counter += len;
-			xfree(data);
-
-			if (len == req->len) {
-				TAILQ_REMOVE(&requests, req, tq);
-				xfree(req);
-				num_req--;
-			} else {
-				/* Resend the request for the missing data */
-				debug3("Short data block, re-requesting "
-				    "%llu -> %llu (%2d)",
-				    (unsigned long long)req->offset + len,
-				    (unsigned long long)req->offset +
-				    req->len - 1, num_req);
-				req->id = conn->msg_id++;
-				req->len -= len;
-				req->offset += len;
-				send_read_request(conn->fd_out, req->id,
-				    req->offset, req->len, handle, handle_len);
-				/* Reduce the request size */
-				if (len < buflen)
-					buflen = MAX(MIN_READ_SIZE, len);
-			}
-			if (max_req > 0) { /* max_req = 0 iff EOF received */
-				if (size > 0 && offset > size) {
-					/* Only one request at a time
-					 * after the expected EOF */
-					debug3("Finish at %llu (%2d)",
-					    (unsigned long long)offset,
-					    num_req);
-					max_req = 1;
-				} else if (max_req <= conn->num_requests) {
-					++max_req;
-				}
-			}
-			break;
-		default:
-			fatal("Expected SSH2_FXP_DATA(%u) packet, got %u",
-			    SSH2_FXP_DATA, type);
-		}
-	}
-
-	if (showprogress && size)
-		stop_progress_meter();
-
-	/* Sanity check */
-	if (TAILQ_FIRST(&requests) != NULL)
-		fatal("Transfer complete, but requests still in queue");
-
-	if (read_error) {
-		error("Couldn't read from remote file \"%s\" : %s",
-		    remote_path, fx2txt(status));
-		do_close(conn, handle, handle_len);
-	} else if (write_error) {
-		error("Couldn't write to \"%s\": %s", local_path,
-		    strerror(write_errno));
-		status = -1;
-		do_close(conn, handle, handle_len);
-	} else {
-		status = do_close(conn, handle, handle_len);
-
-		/* Override umask and utimes if asked */
-#ifdef HAVE_FCHMOD
-		if (pflag && fchmod(local_fd, mode) == -1)
-#else
-		if (pflag && chmod(local_path, mode) == -1)
-#endif /* HAVE_FCHMOD */
-			error("Couldn't set mode on \"%s\": %s", local_path,
-			    strerror(errno));
-		if (pflag && (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME)) {
-			struct timeval tv[2];
-			tv[0].tv_sec = a->atime;
-			tv[1].tv_sec = a->mtime;
-			tv[0].tv_usec = tv[1].tv_usec = 0;
-			if (utimes(local_path, tv) == -1)
-				error("Can't set times on \"%s\": %s",
-				    local_path, strerror(errno));
-		}
-	}
-	close(local_fd);
-	buffer_free(&msg);
-	xfree(handle);
-
-	return(status);
-}
-
-int
-do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
-    int pflag)
-{
-	int local_fd, status;
-	u_int handle_len, id, type;
-	u_int64_t offset;
-	char *handle, *data;
-	Buffer msg;
-	struct stat sb;
-	Attrib a;
-	u_int32_t startid;
-	u_int32_t ackid;
-	struct outstanding_ack {
-		u_int id;
-		u_int len;
-		u_int64_t offset;
-		TAILQ_ENTRY(outstanding_ack) tq;
-	};
-	TAILQ_HEAD(ackhead, outstanding_ack) acks;
-	struct outstanding_ack *ack = NULL;
-
-	TAILQ_INIT(&acks);
-
-	if ((local_fd = open(local_path, O_RDONLY, 0)) == -1) {
-		error("Couldn't open local file \"%s\" for reading: %s",
-		    local_path, strerror(errno));
-		return(-1);
-	}
-	if (fstat(local_fd, &sb) == -1) {
-		error("Couldn't fstat local file \"%s\": %s",
-		    local_path, strerror(errno));
-		close(local_fd);
-		return(-1);
-	}
-	if (!S_ISREG(sb.st_mode)) {
-		error("%s is not a regular file", local_path);
-		close(local_fd);
-		return(-1);
-	}
-	stat_to_attrib(&sb, &a);
-
-	a.flags &= ~SSH2_FILEXFER_ATTR_SIZE;
-	a.flags &= ~SSH2_FILEXFER_ATTR_UIDGID;
-	a.perm &= 0777;
-	if (!pflag)
-		a.flags &= ~SSH2_FILEXFER_ATTR_ACMODTIME;
-
-	buffer_init(&msg);
-
-	/* Send open request */
-	id = conn->msg_id++;
-	buffer_put_char(&msg, SSH2_FXP_OPEN);
-	buffer_put_int(&msg, id);
-	buffer_put_cstring(&msg, remote_path);
-	buffer_put_int(&msg, SSH2_FXF_WRITE|SSH2_FXF_CREAT|SSH2_FXF_TRUNC);
-	encode_attrib(&msg, &a);
-	send_msg(conn->fd_out, &msg);
-	debug3("Sent message SSH2_FXP_OPEN I:%u P:%s", id, remote_path);
-
-	buffer_clear(&msg);
-
-	handle = get_handle(conn->fd_in, id, &handle_len);
-	if (handle == NULL) {
-		close(local_fd);
-		buffer_free(&msg);
-		return(-1);
-	}
-
-	startid = ackid = id + 1;
-	data = xmalloc(conn->transfer_buflen);
-
-	/* Read from local and write to remote */
-	offset = 0;
-	if (showprogress)
-		start_progress_meter(local_path, sb.st_size, &offset);
-
-	for (;;) {
-		int len;
-
-		/*
-		 * Can't use atomicio here because it returns 0 on EOF,
-		 * thus losing the last block of the file.
-		 * Simulate an EOF on interrupt, allowing ACKs from the
-		 * server to drain.
-		 */
-		if (interrupted)
-			len = 0;
-		else do
-			len = read(local_fd, data, conn->transfer_buflen);
-		while ((len == -1) && (errno == EINTR || errno == EAGAIN));
-
-		if (len == -1)
-			fatal("Couldn't read from \"%s\": %s", local_path,
-			    strerror(errno));
-
-		if (len != 0) {
-			ack = xmalloc(sizeof(*ack));
-			ack->id = ++id;
-			ack->offset = offset;
-			ack->len = len;
-			TAILQ_INSERT_TAIL(&acks, ack, tq);
-
-			buffer_clear(&msg);
-			buffer_put_char(&msg, SSH2_FXP_WRITE);
-			buffer_put_int(&msg, ack->id);
-			buffer_put_string(&msg, handle, handle_len);
-			buffer_put_int64(&msg, offset);
-			buffer_put_string(&msg, data, len);
-			send_msg(conn->fd_out, &msg);
-			debug3("Sent message SSH2_FXP_WRITE I:%u O:%llu S:%u",
-			    id, (unsigned long long)offset, len);
-		} else if (TAILQ_FIRST(&acks) == NULL)
-			break;
-
-		if (ack == NULL)
-			fatal("Unexpected ACK %u", id);
-
-		if (id == startid || len == 0 ||
-		    id - ackid >= conn->num_requests) {
-			u_int r_id;
-
-			buffer_clear(&msg);
-			get_msg(conn->fd_in, &msg);
-			type = buffer_get_char(&msg);
-			r_id = buffer_get_int(&msg);
-
-			if (type != SSH2_FXP_STATUS)
-				fatal("Expected SSH2_FXP_STATUS(%d) packet, "
-				    "got %d", SSH2_FXP_STATUS, type);
-
-			status = buffer_get_int(&msg);
-			debug3("SSH2_FXP_STATUS %d", status);
-
-			/* Find the request in our queue */
-			for (ack = TAILQ_FIRST(&acks);
-			    ack != NULL && ack->id != r_id;
-			    ack = TAILQ_NEXT(ack, tq))
-				;
-			if (ack == NULL)
-				fatal("Can't find request for ID %u", r_id);
-			TAILQ_REMOVE(&acks, ack, tq);
-
-			if (status != SSH2_FX_OK) {
-				error("Couldn't write to remote file \"%s\": %s",
-				    remote_path, fx2txt(status));
-				if (showprogress)
-					stop_progress_meter();
-				do_close(conn, handle, handle_len);
-				close(local_fd);
-				xfree(data);
-				xfree(ack);
-				goto done;
-			}
-			debug3("In write loop, ack for %u %u bytes at %llu",
-			    ack->id, ack->len, (unsigned long long)ack->offset);
-			++ackid;
-			xfree(ack);
-		}
-		offset += len;
-	}
-	if (showprogress)
-		stop_progress_meter();
-	xfree(data);
-
-	if (close(local_fd) == -1) {
-		error("Couldn't close local file \"%s\": %s", local_path,
-		    strerror(errno));
-		do_close(conn, handle, handle_len);
-		status = -1;
-		goto done;
-	}
-
-	/* Override umask and utimes if asked */
-	if (pflag)
-		do_fsetstat(conn, handle, handle_len, &a);
-
-	status = do_close(conn, handle, handle_len);
-
-done:
-	xfree(handle);
-	buffer_free(&msg);
-	return(status);
-}
diff --git a/crypto/openssh/sftp-client.h b/crypto/openssh/sftp-client.h
deleted file mode 100644
index c8a41f3..0000000
--- a/crypto/openssh/sftp-client.h
+++ /dev/null
@@ -1,99 +0,0 @@
-/* $OpenBSD: sftp-client.h,v 1.14 2005/04/26 12:59:02 jmc Exp $ */
-
-/*
- * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* Client side of SSH2 filexfer protocol */
-
-#ifndef _SFTP_CLIENT_H
-#define _SFTP_CLIENT_H
-
-typedef struct SFTP_DIRENT SFTP_DIRENT;
-
-struct SFTP_DIRENT {
-	char *filename;
-	char *longname;
-	Attrib a;
-};
-
-/*
- * Initialise a SSH filexfer connection. Returns NULL on error or
- * a pointer to a initialized sftp_conn struct on success.
- */
-struct sftp_conn *do_init(int, int, u_int, u_int);
-
-u_int sftp_proto_version(struct sftp_conn *);
-
-/* Close file referred to by 'handle' */
-int do_close(struct sftp_conn *, char *, u_int);
-
-/* Read contents of 'path' to NULL-terminated array 'dir' */
-int do_readdir(struct sftp_conn *, char *, SFTP_DIRENT ***);
-
-/* Frees a NULL-terminated array of SFTP_DIRENTs (eg. from do_readdir) */
-void free_sftp_dirents(SFTP_DIRENT **);
-
-/* Delete file 'path' */
-int do_rm(struct sftp_conn *, char *);
-
-/* Create directory 'path' */
-int do_mkdir(struct sftp_conn *, char *, Attrib *);
-
-/* Remove directory 'path' */
-int do_rmdir(struct sftp_conn *, char *);
-
-/* Get file attributes of 'path' (follows symlinks) */
-Attrib *do_stat(struct sftp_conn *, char *, int);
-
-/* Get file attributes of 'path' (does not follow symlinks) */
-Attrib *do_lstat(struct sftp_conn *, char *, int);
-
-/* Get file attributes of open file 'handle' */
-Attrib *do_fstat(struct sftp_conn *, char *, u_int, int);
-
-/* Set file attributes of 'path' */
-int do_setstat(struct sftp_conn *, char *, Attrib *);
-
-/* Set file attributes of open file 'handle' */
-int do_fsetstat(struct sftp_conn *, char *, u_int, Attrib *);
-
-/* Canonicalise 'path' - caller must free result */
-char *do_realpath(struct sftp_conn *, char *);
-
-/* Rename 'oldpath' to 'newpath' */
-int do_rename(struct sftp_conn *, char *, char *);
-
-/* Rename 'oldpath' to 'newpath' */
-int do_symlink(struct sftp_conn *, char *, char *);
-
-/* Return target of symlink 'path' - caller must free result */
-char *do_readlink(struct sftp_conn *, char *);
-
-/* XXX: add callbacks to do_download/do_upload so we can do progress meter */
-
-/*
- * Download 'remote_path' to 'local_path'. Preserve permissions and times
- * if 'pflag' is set
- */
-int do_download(struct sftp_conn *, char *, char *, int);
-
-/*
- * Upload 'local_path' to 'remote_path'. Preserve permissions and times
- * if 'pflag' is set
- */
-int do_upload(struct sftp_conn *, char *, char *, int);
-
-#endif
diff --git a/crypto/openssh/sftp-common.c b/crypto/openssh/sftp-common.c
deleted file mode 100644
index 7ebadcc..0000000
--- a/crypto/openssh/sftp-common.c
+++ /dev/null
@@ -1,223 +0,0 @@
-/* $OpenBSD: sftp-common.c,v 1.20 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
- * Copyright (c) 2001 Damien Miller.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/param.h>
-
-#include <grp.h>
-#include <pwd.h>
-#include <stdio.h>
-#include <string.h>
-#include <time.h>
-#include <stdarg.h>
-
-#include "xmalloc.h"
-#include "buffer.h"
-#include "log.h"
-
-#include "sftp.h"
-#include "sftp-common.h"
-
-/* Clear contents of attributes structure */
-void
-attrib_clear(Attrib *a)
-{
-	a->flags = 0;
-	a->size = 0;
-	a->uid = 0;
-	a->gid = 0;
-	a->perm = 0;
-	a->atime = 0;
-	a->mtime = 0;
-}
-
-/* Convert from struct stat to filexfer attribs */
-void
-stat_to_attrib(const struct stat *st, Attrib *a)
-{
-	attrib_clear(a);
-	a->flags = 0;
-	a->flags |= SSH2_FILEXFER_ATTR_SIZE;
-	a->size = st->st_size;
-	a->flags |= SSH2_FILEXFER_ATTR_UIDGID;
-	a->uid = st->st_uid;
-	a->gid = st->st_gid;
-	a->flags |= SSH2_FILEXFER_ATTR_PERMISSIONS;
-	a->perm = st->st_mode;
-	a->flags |= SSH2_FILEXFER_ATTR_ACMODTIME;
-	a->atime = st->st_atime;
-	a->mtime = st->st_mtime;
-}
-
-/* Convert from filexfer attribs to struct stat */
-void
-attrib_to_stat(const Attrib *a, struct stat *st)
-{
-	memset(st, 0, sizeof(*st));
-
-	if (a->flags & SSH2_FILEXFER_ATTR_SIZE)
-		st->st_size = a->size;
-	if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) {
-		st->st_uid = a->uid;
-		st->st_gid = a->gid;
-	}
-	if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS)
-		st->st_mode = a->perm;
-	if (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME) {
-		st->st_atime = a->atime;
-		st->st_mtime = a->mtime;
-	}
-}
-
-/* Decode attributes in buffer */
-Attrib *
-decode_attrib(Buffer *b)
-{
-	static Attrib a;
-
-	attrib_clear(&a);
-	a.flags = buffer_get_int(b);
-	if (a.flags & SSH2_FILEXFER_ATTR_SIZE)
-		a.size = buffer_get_int64(b);
-	if (a.flags & SSH2_FILEXFER_ATTR_UIDGID) {
-		a.uid = buffer_get_int(b);
-		a.gid = buffer_get_int(b);
-	}
-	if (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS)
-		a.perm = buffer_get_int(b);
-	if (a.flags & SSH2_FILEXFER_ATTR_ACMODTIME) {
-		a.atime = buffer_get_int(b);
-		a.mtime = buffer_get_int(b);
-	}
-	/* vendor-specific extensions */
-	if (a.flags & SSH2_FILEXFER_ATTR_EXTENDED) {
-		char *type, *data;
-		int i, count;
-
-		count = buffer_get_int(b);
-		for (i = 0; i < count; i++) {
-			type = buffer_get_string(b, NULL);
-			data = buffer_get_string(b, NULL);
-			debug3("Got file attribute \"%s\"", type);
-			xfree(type);
-			xfree(data);
-		}
-	}
-	return &a;
-}
-
-/* Encode attributes to buffer */
-void
-encode_attrib(Buffer *b, const Attrib *a)
-{
-	buffer_put_int(b, a->flags);
-	if (a->flags & SSH2_FILEXFER_ATTR_SIZE)
-		buffer_put_int64(b, a->size);
-	if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) {
-		buffer_put_int(b, a->uid);
-		buffer_put_int(b, a->gid);
-	}
-	if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS)
-		buffer_put_int(b, a->perm);
-	if (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME) {
-		buffer_put_int(b, a->atime);
-		buffer_put_int(b, a->mtime);
-	}
-}
-
-/* Convert from SSH2_FX_ status to text error message */
-const char *
-fx2txt(int status)
-{
-	switch (status) {
-	case SSH2_FX_OK:
-		return("No error");
-	case SSH2_FX_EOF:
-		return("End of file");
-	case SSH2_FX_NO_SUCH_FILE:
-		return("No such file or directory");
-	case SSH2_FX_PERMISSION_DENIED:
-		return("Permission denied");
-	case SSH2_FX_FAILURE:
-		return("Failure");
-	case SSH2_FX_BAD_MESSAGE:
-		return("Bad message");
-	case SSH2_FX_NO_CONNECTION:
-		return("No connection");
-	case SSH2_FX_CONNECTION_LOST:
-		return("Connection lost");
-	case SSH2_FX_OP_UNSUPPORTED:
-		return("Operation unsupported");
-	default:
-		return("Unknown status");
-	}
-	/* NOTREACHED */
-}
-
-/*
- * drwxr-xr-x    5 markus   markus       1024 Jan 13 18:39 .ssh
- */
-char *
-ls_file(const char *name, const struct stat *st, int remote)
-{
-	int ulen, glen, sz = 0;
-	struct passwd *pw;
-	struct group *gr;
-	struct tm *ltime = localtime(&st->st_mtime);
-	char *user, *group;
-	char buf[1024], mode[11+1], tbuf[12+1], ubuf[11+1], gbuf[11+1];
-
-	strmode(st->st_mode, mode);
-	if (!remote && (pw = getpwuid(st->st_uid)) != NULL) {
-		user = pw->pw_name;
-	} else {
-		snprintf(ubuf, sizeof ubuf, "%u", (u_int)st->st_uid);
-		user = ubuf;
-	}
-	if (!remote && (gr = getgrgid(st->st_gid)) != NULL) {
-		group = gr->gr_name;
-	} else {
-		snprintf(gbuf, sizeof gbuf, "%u", (u_int)st->st_gid);
-		group = gbuf;
-	}
-	if (ltime != NULL) {
-		if (time(NULL) - st->st_mtime < (365*24*60*60)/2)
-			sz = strftime(tbuf, sizeof tbuf, "%b %e %H:%M", ltime);
-		else
-			sz = strftime(tbuf, sizeof tbuf, "%b %e  %Y", ltime);
-	}
-	if (sz == 0)
-		tbuf[0] = '\0';
-	ulen = MAX(strlen(user), 8);
-	glen = MAX(strlen(group), 8);
-	snprintf(buf, sizeof buf, "%s %3u %-*s %-*s %8llu %s %s", mode,
-	    (u_int)st->st_nlink, ulen, user, glen, group,
-	    (unsigned long long)st->st_size, tbuf, name);
-	return xstrdup(buf);
-}
diff --git a/crypto/openssh/sftp-common.h b/crypto/openssh/sftp-common.h
deleted file mode 100644
index 9b58484..0000000
--- a/crypto/openssh/sftp-common.h
+++ /dev/null
@@ -1,51 +0,0 @@
-/* $OpenBSD: sftp-common.h,v 1.10 2006/08/03 03:34:42 deraadt Exp $ */
-
-/*
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
- * Copyright (c) 2001 Damien Miller.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/* Maximum packet that we are willing to send/accept */
-#define SFTP_MAX_MSG_LENGTH	(256 * 1024)
-
-typedef struct Attrib Attrib;
-
-/* File attributes */
-struct Attrib {
-	u_int32_t	flags;
-	u_int64_t	size;
-	u_int32_t	uid;
-	u_int32_t	gid;
-	u_int32_t	perm;
-	u_int32_t	atime;
-	u_int32_t	mtime;
-};
-
-void	 attrib_clear(Attrib *);
-void	 stat_to_attrib(const struct stat *, Attrib *);
-void	 attrib_to_stat(const Attrib *, struct stat *);
-Attrib	*decode_attrib(Buffer *);
-void	 encode_attrib(Buffer *, const Attrib *);
-char	*ls_file(const char *, const struct stat *, int);
-
-const char *fx2txt(int);
diff --git a/crypto/openssh/sftp-glob.c b/crypto/openssh/sftp-glob.c
deleted file mode 100644
index cdc2708..0000000
--- a/crypto/openssh/sftp-glob.c
+++ /dev/null
@@ -1,149 +0,0 @@
-/* $OpenBSD: sftp-glob.c,v 1.22 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#ifdef HAVE_SYS_STAT_H
-# include <sys/stat.h>
-#endif
-
-#include <dirent.h>
-#include <string.h>
-
-#include "xmalloc.h"
-#include "sftp.h"
-#include "buffer.h"
-#include "sftp-common.h"
-#include "sftp-client.h"
-
-int remote_glob(struct sftp_conn *, const char *, int,
-    int (*)(const char *, int), glob_t *);
-
-struct SFTP_OPENDIR {
-	SFTP_DIRENT **dir;
-	int offset;
-};
-
-static struct {
-	struct sftp_conn *conn;
-} cur;
-
-static void *
-fudge_opendir(const char *path)
-{
-	struct SFTP_OPENDIR *r;
-
-	r = xmalloc(sizeof(*r));
-
-	if (do_readdir(cur.conn, (char *)path, &r->dir)) {
-		xfree(r);
-		return(NULL);
-	}
-
-	r->offset = 0;
-
-	return((void *)r);
-}
-
-static struct dirent *
-fudge_readdir(struct SFTP_OPENDIR *od)
-{
-	/* Solaris needs sizeof(dirent) + path length (see below) */
-	static char buf[sizeof(struct dirent) + MAXPATHLEN];
-	struct dirent *ret = (struct dirent *)buf;
-#ifdef __GNU_LIBRARY__
-	static int inum = 1;
-#endif /* __GNU_LIBRARY__ */
-
-	if (od->dir[od->offset] == NULL)
-		return(NULL);
-
-	memset(buf, 0, sizeof(buf));
-
-	/*
-	 * Solaris defines dirent->d_name as a one byte array and expects
-	 * you to hack around it.
-	 */
-#ifdef BROKEN_ONE_BYTE_DIRENT_D_NAME
-	strlcpy(ret->d_name, od->dir[od->offset++]->filename, MAXPATHLEN);
-#else
-	strlcpy(ret->d_name, od->dir[od->offset++]->filename,
-	    sizeof(ret->d_name));
-#endif
-#ifdef __GNU_LIBRARY__
-	/*
-	 * Idiot glibc uses extensions to struct dirent for readdir with
-	 * ALTDIRFUNCs. Not that this is documented anywhere but the
-	 * source... Fake an inode number to appease it.
-	 */
-	ret->d_ino = inum++;
-	if (!inum)
-		inum = 1;
-#endif /* __GNU_LIBRARY__ */
-
-	return(ret);
-}
-
-static void
-fudge_closedir(struct SFTP_OPENDIR *od)
-{
-	free_sftp_dirents(od->dir);
-	xfree(od);
-}
-
-static int
-fudge_lstat(const char *path, struct stat *st)
-{
-	Attrib *a;
-
-	if (!(a = do_lstat(cur.conn, (char *)path, 0)))
-		return(-1);
-
-	attrib_to_stat(a, st);
-
-	return(0);
-}
-
-static int
-fudge_stat(const char *path, struct stat *st)
-{
-	Attrib *a;
-
-	if (!(a = do_stat(cur.conn, (char *)path, 0)))
-		return(-1);
-
-	attrib_to_stat(a, st);
-
-	return(0);
-}
-
-int
-remote_glob(struct sftp_conn *conn, const char *pattern, int flags,
-    int (*errfunc)(const char *, int), glob_t *pglob)
-{
-	pglob->gl_opendir = fudge_opendir;
-	pglob->gl_readdir = (struct dirent *(*)(void *))fudge_readdir;
-	pglob->gl_closedir = (void (*)(void *))fudge_closedir;
-	pglob->gl_lstat = fudge_lstat;
-	pglob->gl_stat = fudge_stat;
-
-	memset(&cur, 0, sizeof(cur));
-	cur.conn = conn;
-
-	return(glob(pattern, flags | GLOB_ALTDIRFUNC, errfunc, pglob));
-}
diff --git a/crypto/openssh/sftp-server.8 b/crypto/openssh/sftp-server.8
deleted file mode 100644
index 199c4f3..0000000
--- a/crypto/openssh/sftp-server.8
+++ /dev/null
@@ -1,93 +0,0 @@
-.\" $OpenBSD: sftp-server.8,v 1.11 2006/07/06 10:47:57 djm Exp $
-.\"
-.\" Copyright (c) 2000 Markus Friedl.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in the
-.\"    documentation and/or other materials provided with the distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd August 30, 2000
-.Dt SFTP-SERVER 8
-.Os
-.Sh NAME
-.Nm sftp-server
-.Nd SFTP server subsystem
-.Sh SYNOPSIS
-.Nm sftp-server
-.Op Fl f Ar log_facility
-.Op Fl l Ar log_level
-.Sh DESCRIPTION
-.Nm
-is a program that speaks the server side of SFTP protocol
-to stdout and expects client requests from stdin.
-.Nm
-is not intended to be called directly, but from
-.Xr sshd 8
-using the
-.Cm Subsystem
-option.
-.Pp
-Command-line flags to
-.Nm
-should be specified in the
-.Cm Subsystem
-declaration.
-See
-.Xr sshd_config 5
-for more information.
-.Pp
-Valid options are:
-.Bl -tag -width Ds
-.It Fl f Ar log_facility
-Specifies the facility code that is used when logging messages from
-.Nm .
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
-LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
-The default is AUTH.
-.It Fl l Ar log_level
-Specifies which messages will be logged by
-.Nm .
-The possible values are:
-QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
-INFO and VERBOSE log transactions that
-.Nm
-performs on behalf of the client.
-DEBUG and DEBUG1 are equivalent.
-DEBUG2 and DEBUG3 each specify higher levels of debugging output.
-The default is ERROR.
-.El
-.Sh SEE ALSO
-.Xr sftp 1 ,
-.Xr ssh 1 ,
-.Xr sshd_config 5 ,
-.Xr sshd 8
-.Rs
-.%A T. Ylonen
-.%A S. Lehtinen
-.%T "SSH File Transfer Protocol"
-.%N draft-ietf-secsh-filexfer-00.txt
-.%D January 2001
-.%O work in progress material
-.Re
-.Sh HISTORY
-.Nm
-first appeared in
-.Ox 2.8 .
-.Sh AUTHORS
-.An Markus Friedl Aq markus@openbsd.org
diff --git a/crypto/openssh/sftp-server.c b/crypto/openssh/sftp-server.c
deleted file mode 100644
index c57958b..0000000
--- a/crypto/openssh/sftp-server.c
+++ /dev/null
@@ -1,1337 +0,0 @@
-/* $OpenBSD: sftp-server.c,v 1.70 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Copyright (c) 2000-2004 Markus Friedl.  All rights reserved.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/stat.h>
-#ifdef HAVE_SYS_TIME_H
-# include <sys/time.h>
-#endif
-
-#include <dirent.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <pwd.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <pwd.h>
-#include <time.h>
-#include <unistd.h>
-#include <stdarg.h>
-
-#include "xmalloc.h"
-#include "buffer.h"
-#include "log.h"
-#include "misc.h"
-#include "uidswap.h"
-
-#include "sftp.h"
-#include "sftp-common.h"
-
-/* helper */
-#define get_int64()			buffer_get_int64(&iqueue);
-#define get_int()			buffer_get_int(&iqueue);
-#define get_string(lenp)		buffer_get_string(&iqueue, lenp);
-
-/* Our verbosity */
-LogLevel log_level = SYSLOG_LEVEL_ERROR;
-
-/* Our client */
-struct passwd *pw = NULL;
-char *client_addr = NULL;
-
-/* input and output queue */
-Buffer iqueue;
-Buffer oqueue;
-
-/* Version of client */
-int version;
-
-/* portable attributes, etc. */
-
-typedef struct Stat Stat;
-
-struct Stat {
-	char *name;
-	char *long_name;
-	Attrib attrib;
-};
-
-static int
-errno_to_portable(int unixerrno)
-{
-	int ret = 0;
-
-	switch (unixerrno) {
-	case 0:
-		ret = SSH2_FX_OK;
-		break;
-	case ENOENT:
-	case ENOTDIR:
-	case EBADF:
-	case ELOOP:
-		ret = SSH2_FX_NO_SUCH_FILE;
-		break;
-	case EPERM:
-	case EACCES:
-	case EFAULT:
-		ret = SSH2_FX_PERMISSION_DENIED;
-		break;
-	case ENAMETOOLONG:
-	case EINVAL:
-		ret = SSH2_FX_BAD_MESSAGE;
-		break;
-	default:
-		ret = SSH2_FX_FAILURE;
-		break;
-	}
-	return ret;
-}
-
-static int
-flags_from_portable(int pflags)
-{
-	int flags = 0;
-
-	if ((pflags & SSH2_FXF_READ) &&
-	    (pflags & SSH2_FXF_WRITE)) {
-		flags = O_RDWR;
-	} else if (pflags & SSH2_FXF_READ) {
-		flags = O_RDONLY;
-	} else if (pflags & SSH2_FXF_WRITE) {
-		flags = O_WRONLY;
-	}
-	if (pflags & SSH2_FXF_CREAT)
-		flags |= O_CREAT;
-	if (pflags & SSH2_FXF_TRUNC)
-		flags |= O_TRUNC;
-	if (pflags & SSH2_FXF_EXCL)
-		flags |= O_EXCL;
-	return flags;
-}
-
-static const char *
-string_from_portable(int pflags)
-{
-	static char ret[128];
-
-	*ret = '\0';
-
-#define PAPPEND(str)	{				\
-		if (*ret != '\0')			\
-			strlcat(ret, ",", sizeof(ret));	\
-		strlcat(ret, str, sizeof(ret));		\
-	}
-
-	if (pflags & SSH2_FXF_READ)
-		PAPPEND("READ")
-	if (pflags & SSH2_FXF_WRITE)
-		PAPPEND("WRITE")
-	if (pflags & SSH2_FXF_CREAT)
-		PAPPEND("CREATE")
-	if (pflags & SSH2_FXF_TRUNC)
-		PAPPEND("TRUNCATE")
-	if (pflags & SSH2_FXF_EXCL)
-		PAPPEND("EXCL")
-
-	return ret;
-}
-
-static Attrib *
-get_attrib(void)
-{
-	return decode_attrib(&iqueue);
-}
-
-/* handle handles */
-
-typedef struct Handle Handle;
-struct Handle {
-	int use;
-	DIR *dirp;
-	int fd;
-	char *name;
-	u_int64_t bytes_read, bytes_write;
-};
-
-enum {
-	HANDLE_UNUSED,
-	HANDLE_DIR,
-	HANDLE_FILE
-};
-
-Handle	handles[100];
-
-static void
-handle_init(void)
-{
-	u_int i;
-
-	for (i = 0; i < sizeof(handles)/sizeof(Handle); i++)
-		handles[i].use = HANDLE_UNUSED;
-}
-
-static int
-handle_new(int use, const char *name, int fd, DIR *dirp)
-{
-	u_int i;
-
-	for (i = 0; i < sizeof(handles)/sizeof(Handle); i++) {
-		if (handles[i].use == HANDLE_UNUSED) {
-			handles[i].use = use;
-			handles[i].dirp = dirp;
-			handles[i].fd = fd;
-			handles[i].name = xstrdup(name);
-			handles[i].bytes_read = handles[i].bytes_write = 0;
-			return i;
-		}
-	}
-	return -1;
-}
-
-static int
-handle_is_ok(int i, int type)
-{
-	return i >= 0 && (u_int)i < sizeof(handles)/sizeof(Handle) &&
-	    handles[i].use == type;
-}
-
-static int
-handle_to_string(int handle, char **stringp, int *hlenp)
-{
-	if (stringp == NULL || hlenp == NULL)
-		return -1;
-	*stringp = xmalloc(sizeof(int32_t));
-	put_u32(*stringp, handle);
-	*hlenp = sizeof(int32_t);
-	return 0;
-}
-
-static int
-handle_from_string(const char *handle, u_int hlen)
-{
-	int val;
-
-	if (hlen != sizeof(int32_t))
-		return -1;
-	val = get_u32(handle);
-	if (handle_is_ok(val, HANDLE_FILE) ||
-	    handle_is_ok(val, HANDLE_DIR))
-		return val;
-	return -1;
-}
-
-static char *
-handle_to_name(int handle)
-{
-	if (handle_is_ok(handle, HANDLE_DIR)||
-	    handle_is_ok(handle, HANDLE_FILE))
-		return handles[handle].name;
-	return NULL;
-}
-
-static DIR *
-handle_to_dir(int handle)
-{
-	if (handle_is_ok(handle, HANDLE_DIR))
-		return handles[handle].dirp;
-	return NULL;
-}
-
-static int
-handle_to_fd(int handle)
-{
-	if (handle_is_ok(handle, HANDLE_FILE))
-		return handles[handle].fd;
-	return -1;
-}
-
-static void
-handle_update_read(int handle, ssize_t bytes)
-{
-	if (handle_is_ok(handle, HANDLE_FILE) && bytes > 0)
-		handles[handle].bytes_read += bytes;
-}
-
-static void
-handle_update_write(int handle, ssize_t bytes)
-{
-	if (handle_is_ok(handle, HANDLE_FILE) && bytes > 0)
-		handles[handle].bytes_write += bytes;
-}
-
-static u_int64_t
-handle_bytes_read(int handle)
-{
-	if (handle_is_ok(handle, HANDLE_FILE))
-		return (handles[handle].bytes_read);
-	return 0;
-}
-
-static u_int64_t
-handle_bytes_write(int handle)
-{
-	if (handle_is_ok(handle, HANDLE_FILE))
-		return (handles[handle].bytes_write);
-	return 0;
-}
-
-static int
-handle_close(int handle)
-{
-	int ret = -1;
-
-	if (handle_is_ok(handle, HANDLE_FILE)) {
-		ret = close(handles[handle].fd);
-		handles[handle].use = HANDLE_UNUSED;
-		xfree(handles[handle].name);
-	} else if (handle_is_ok(handle, HANDLE_DIR)) {
-		ret = closedir(handles[handle].dirp);
-		handles[handle].use = HANDLE_UNUSED;
-		xfree(handles[handle].name);
-	} else {
-		errno = ENOENT;
-	}
-	return ret;
-}
-
-static void
-handle_log_close(int handle, char *emsg)
-{
-	if (handle_is_ok(handle, HANDLE_FILE)) {
-		logit("%s%sclose \"%s\" bytes read %llu written %llu",
-		    emsg == NULL ? "" : emsg, emsg == NULL ? "" : " ",
-		    handle_to_name(handle),
-		    handle_bytes_read(handle), handle_bytes_write(handle));
-	} else {
-		logit("%s%sclosedir \"%s\"",
-		    emsg == NULL ? "" : emsg, emsg == NULL ? "" : " ",
-		    handle_to_name(handle));
-	}
-}
-
-static void
-handle_log_exit(void)
-{
-	u_int i;
-
-	for (i = 0; i < sizeof(handles)/sizeof(Handle); i++)
-		if (handles[i].use != HANDLE_UNUSED)
-			handle_log_close(i, "forced");
-}
-
-static int
-get_handle(void)
-{
-	char *handle;
-	int val = -1;
-	u_int hlen;
-
-	handle = get_string(&hlen);
-	if (hlen < 256)
-		val = handle_from_string(handle, hlen);
-	xfree(handle);
-	return val;
-}
-
-/* send replies */
-
-static void
-send_msg(Buffer *m)
-{
-	int mlen = buffer_len(m);
-
-	buffer_put_int(&oqueue, mlen);
-	buffer_append(&oqueue, buffer_ptr(m), mlen);
-	buffer_consume(m, mlen);
-}
-
-static const char *
-status_to_message(u_int32_t status)
-{
-	const char *status_messages[] = {
-		"Success",			/* SSH_FX_OK */
-		"End of file",			/* SSH_FX_EOF */
-		"No such file",			/* SSH_FX_NO_SUCH_FILE */
-		"Permission denied",		/* SSH_FX_PERMISSION_DENIED */
-		"Failure",			/* SSH_FX_FAILURE */
-		"Bad message",			/* SSH_FX_BAD_MESSAGE */
-		"No connection",		/* SSH_FX_NO_CONNECTION */
-		"Connection lost",		/* SSH_FX_CONNECTION_LOST */
-		"Operation unsupported",	/* SSH_FX_OP_UNSUPPORTED */
-		"Unknown error"			/* Others */
-	};
-	return (status_messages[MIN(status,SSH2_FX_MAX)]);
-}
-
-static void
-send_status(u_int32_t id, u_int32_t status)
-{
-	Buffer msg;
-
-	debug3("request %u: sent status %u", id, status);
-	if (log_level > SYSLOG_LEVEL_VERBOSE ||
-	    (status != SSH2_FX_OK && status != SSH2_FX_EOF))
-		logit("sent status %s", status_to_message(status));
-	buffer_init(&msg);
-	buffer_put_char(&msg, SSH2_FXP_STATUS);
-	buffer_put_int(&msg, id);
-	buffer_put_int(&msg, status);
-	if (version >= 3) {
-		buffer_put_cstring(&msg, status_to_message(status));
-		buffer_put_cstring(&msg, "");
-	}
-	send_msg(&msg);
-	buffer_free(&msg);
-}
-static void
-send_data_or_handle(char type, u_int32_t id, const char *data, int dlen)
-{
-	Buffer msg;
-
-	buffer_init(&msg);
-	buffer_put_char(&msg, type);
-	buffer_put_int(&msg, id);
-	buffer_put_string(&msg, data, dlen);
-	send_msg(&msg);
-	buffer_free(&msg);
-}
-
-static void
-send_data(u_int32_t id, const char *data, int dlen)
-{
-	debug("request %u: sent data len %d", id, dlen);
-	send_data_or_handle(SSH2_FXP_DATA, id, data, dlen);
-}
-
-static void
-send_handle(u_int32_t id, int handle)
-{
-	char *string;
-	int hlen;
-
-	handle_to_string(handle, &string, &hlen);
-	debug("request %u: sent handle handle %d", id, handle);
-	send_data_or_handle(SSH2_FXP_HANDLE, id, string, hlen);
-	xfree(string);
-}
-
-static void
-send_names(u_int32_t id, int count, const Stat *stats)
-{
-	Buffer msg;
-	int i;
-
-	buffer_init(&msg);
-	buffer_put_char(&msg, SSH2_FXP_NAME);
-	buffer_put_int(&msg, id);
-	buffer_put_int(&msg, count);
-	debug("request %u: sent names count %d", id, count);
-	for (i = 0; i < count; i++) {
-		buffer_put_cstring(&msg, stats[i].name);
-		buffer_put_cstring(&msg, stats[i].long_name);
-		encode_attrib(&msg, &stats[i].attrib);
-	}
-	send_msg(&msg);
-	buffer_free(&msg);
-}
-
-static void
-send_attrib(u_int32_t id, const Attrib *a)
-{
-	Buffer msg;
-
-	debug("request %u: sent attrib have 0x%x", id, a->flags);
-	buffer_init(&msg);
-	buffer_put_char(&msg, SSH2_FXP_ATTRS);
-	buffer_put_int(&msg, id);
-	encode_attrib(&msg, a);
-	send_msg(&msg);
-	buffer_free(&msg);
-}
-
-/* parse incoming */
-
-static void
-process_init(void)
-{
-	Buffer msg;
-
-	version = get_int();
-	verbose("received client version %d", version);
-	buffer_init(&msg);
-	buffer_put_char(&msg, SSH2_FXP_VERSION);
-	buffer_put_int(&msg, SSH2_FILEXFER_VERSION);
-	send_msg(&msg);
-	buffer_free(&msg);
-}
-
-static void
-process_open(void)
-{
-	u_int32_t id, pflags;
-	Attrib *a;
-	char *name;
-	int handle, fd, flags, mode, status = SSH2_FX_FAILURE;
-
-	id = get_int();
-	name = get_string(NULL);
-	pflags = get_int();		/* portable flags */
-	debug3("request %u: open flags %d", id, pflags);
-	a = get_attrib();
-	flags = flags_from_portable(pflags);
-	mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a->perm : 0666;
-	logit("open \"%s\" flags %s mode 0%o",
-	    name, string_from_portable(pflags), mode);
-	fd = open(name, flags, mode);
-	if (fd < 0) {
-		status = errno_to_portable(errno);
-	} else {
-		handle = handle_new(HANDLE_FILE, name, fd, NULL);
-		if (handle < 0) {
-			close(fd);
-		} else {
-			send_handle(id, handle);
-			status = SSH2_FX_OK;
-		}
-	}
-	if (status != SSH2_FX_OK)
-		send_status(id, status);
-	xfree(name);
-}
-
-static void
-process_close(void)
-{
-	u_int32_t id;
-	int handle, ret, status = SSH2_FX_FAILURE;
-
-	id = get_int();
-	handle = get_handle();
-	debug3("request %u: close handle %u", id, handle);
-	handle_log_close(handle, NULL);
-	ret = handle_close(handle);
-	status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
-	send_status(id, status);
-}
-
-static void
-process_read(void)
-{
-	char buf[64*1024];
-	u_int32_t id, len;
-	int handle, fd, ret, status = SSH2_FX_FAILURE;
-	u_int64_t off;
-
-	id = get_int();
-	handle = get_handle();
-	off = get_int64();
-	len = get_int();
-
-	debug("request %u: read \"%s\" (handle %d) off %llu len %d",
-	    id, handle_to_name(handle), handle, (unsigned long long)off, len);
-	if (len > sizeof buf) {
-		len = sizeof buf;
-		debug2("read change len %d", len);
-	}
-	fd = handle_to_fd(handle);
-	if (fd >= 0) {
-		if (lseek(fd, off, SEEK_SET) < 0) {
-			error("process_read: seek failed");
-			status = errno_to_portable(errno);
-		} else {
-			ret = read(fd, buf, len);
-			if (ret < 0) {
-				status = errno_to_portable(errno);
-			} else if (ret == 0) {
-				status = SSH2_FX_EOF;
-			} else {
-				send_data(id, buf, ret);
-				status = SSH2_FX_OK;
-				handle_update_read(handle, ret);
-			}
-		}
-	}
-	if (status != SSH2_FX_OK)
-		send_status(id, status);
-}
-
-static void
-process_write(void)
-{
-	u_int32_t id;
-	u_int64_t off;
-	u_int len;
-	int handle, fd, ret, status = SSH2_FX_FAILURE;
-	char *data;
-
-	id = get_int();
-	handle = get_handle();
-	off = get_int64();
-	data = get_string(&len);
-
-	debug("request %u: write \"%s\" (handle %d) off %llu len %d",
-	    id, handle_to_name(handle), handle, (unsigned long long)off, len);
-	fd = handle_to_fd(handle);
-	if (fd >= 0) {
-		if (lseek(fd, off, SEEK_SET) < 0) {
-			status = errno_to_portable(errno);
-			error("process_write: seek failed");
-		} else {
-/* XXX ATOMICIO ? */
-			ret = write(fd, data, len);
-			if (ret < 0) {
-				error("process_write: write failed");
-				status = errno_to_portable(errno);
-			} else if ((size_t)ret == len) {
-				status = SSH2_FX_OK;
-				handle_update_write(handle, ret);
-			} else {
-				debug2("nothing at all written");
-			}
-		}
-	}
-	send_status(id, status);
-	xfree(data);
-}
-
-static void
-process_do_stat(int do_lstat)
-{
-	Attrib a;
-	struct stat st;
-	u_int32_t id;
-	char *name;
-	int ret, status = SSH2_FX_FAILURE;
-
-	id = get_int();
-	name = get_string(NULL);
-	debug3("request %u: %sstat", id, do_lstat ? "l" : "");
-	verbose("%sstat name \"%s\"", do_lstat ? "l" : "", name);
-	ret = do_lstat ? lstat(name, &st) : stat(name, &st);
-	if (ret < 0) {
-		status = errno_to_portable(errno);
-	} else {
-		stat_to_attrib(&st, &a);
-		send_attrib(id, &a);
-		status = SSH2_FX_OK;
-	}
-	if (status != SSH2_FX_OK)
-		send_status(id, status);
-	xfree(name);
-}
-
-static void
-process_stat(void)
-{
-	process_do_stat(0);
-}
-
-static void
-process_lstat(void)
-{
-	process_do_stat(1);
-}
-
-static void
-process_fstat(void)
-{
-	Attrib a;
-	struct stat st;
-	u_int32_t id;
-	int fd, ret, handle, status = SSH2_FX_FAILURE;
-
-	id = get_int();
-	handle = get_handle();
-	debug("request %u: fstat \"%s\" (handle %u)",
-	    id, handle_to_name(handle), handle);
-	fd = handle_to_fd(handle);
-	if (fd  >= 0) {
-		ret = fstat(fd, &st);
-		if (ret < 0) {
-			status = errno_to_portable(errno);
-		} else {
-			stat_to_attrib(&st, &a);
-			send_attrib(id, &a);
-			status = SSH2_FX_OK;
-		}
-	}
-	if (status != SSH2_FX_OK)
-		send_status(id, status);
-}
-
-static struct timeval *
-attrib_to_tv(const Attrib *a)
-{
-	static struct timeval tv[2];
-
-	tv[0].tv_sec = a->atime;
-	tv[0].tv_usec = 0;
-	tv[1].tv_sec = a->mtime;
-	tv[1].tv_usec = 0;
-	return tv;
-}
-
-static void
-process_setstat(void)
-{
-	Attrib *a;
-	u_int32_t id;
-	char *name;
-	int status = SSH2_FX_OK, ret;
-
-	id = get_int();
-	name = get_string(NULL);
-	a = get_attrib();
-	debug("request %u: setstat name \"%s\"", id, name);
-	if (a->flags & SSH2_FILEXFER_ATTR_SIZE) {
-		logit("set \"%s\" size %llu", name, a->size);
-		ret = truncate(name, a->size);
-		if (ret == -1)
-			status = errno_to_portable(errno);
-	}
-	if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) {
-		logit("set \"%s\" mode %04o", name, a->perm);
-		ret = chmod(name, a->perm & 0777);
-		if (ret == -1)
-			status = errno_to_portable(errno);
-	}
-	if (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME) {
-		char buf[64];
-		time_t t = a->mtime;
-
-		strftime(buf, sizeof(buf), "%Y%m%d-%H:%M:%S",
-		    localtime(&t));
-		logit("set \"%s\" modtime %s", name, buf);
-		ret = utimes(name, attrib_to_tv(a));
-		if (ret == -1)
-			status = errno_to_portable(errno);
-	}
-	if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) {
-		logit("set \"%s\" owner %lu group %lu", name,
-		    (u_long)a->uid, (u_long)a->gid);
-		ret = chown(name, a->uid, a->gid);
-		if (ret == -1)
-			status = errno_to_portable(errno);
-	}
-	send_status(id, status);
-	xfree(name);
-}
-
-static void
-process_fsetstat(void)
-{
-	Attrib *a;
-	u_int32_t id;
-	int handle, fd, ret;
-	int status = SSH2_FX_OK;
-
-	id = get_int();
-	handle = get_handle();
-	a = get_attrib();
-	debug("request %u: fsetstat handle %d", id, handle);
-	fd = handle_to_fd(handle);
-	if (fd < 0) {
-		status = SSH2_FX_FAILURE;
-	} else {
-		char *name = handle_to_name(handle);
-
-		if (a->flags & SSH2_FILEXFER_ATTR_SIZE) {
-			logit("set \"%s\" size %llu", name, a->size);
-			ret = ftruncate(fd, a->size);
-			if (ret == -1)
-				status = errno_to_portable(errno);
-		}
-		if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) {
-			logit("set \"%s\" mode %04o", name, a->perm);
-#ifdef HAVE_FCHMOD
-			ret = fchmod(fd, a->perm & 0777);
-#else
-			ret = chmod(name, a->perm & 0777);
-#endif
-			if (ret == -1)
-				status = errno_to_portable(errno);
-		}
-		if (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME) {
-			char buf[64];
-			time_t t = a->mtime;
-
-			strftime(buf, sizeof(buf), "%Y%m%d-%H:%M:%S",
-			    localtime(&t));
-			logit("set \"%s\" modtime %s", name, buf);
-#ifdef HAVE_FUTIMES
-			ret = futimes(fd, attrib_to_tv(a));
-#else
-			ret = utimes(name, attrib_to_tv(a));
-#endif
-			if (ret == -1)
-				status = errno_to_portable(errno);
-		}
-		if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) {
-			logit("set \"%s\" owner %lu group %lu", name,
-			    (u_long)a->uid, (u_long)a->gid);
-#ifdef HAVE_FCHOWN
-			ret = fchown(fd, a->uid, a->gid);
-#else
-			ret = chown(name, a->uid, a->gid);
-#endif
-			if (ret == -1)
-				status = errno_to_portable(errno);
-		}
-	}
-	send_status(id, status);
-}
-
-static void
-process_opendir(void)
-{
-	DIR *dirp = NULL;
-	char *path;
-	int handle, status = SSH2_FX_FAILURE;
-	u_int32_t id;
-
-	id = get_int();
-	path = get_string(NULL);
-	debug3("request %u: opendir", id);
-	logit("opendir \"%s\"", path);
-	dirp = opendir(path);
-	if (dirp == NULL) {
-		status = errno_to_portable(errno);
-	} else {
-		handle = handle_new(HANDLE_DIR, path, 0, dirp);
-		if (handle < 0) {
-			closedir(dirp);
-		} else {
-			send_handle(id, handle);
-			status = SSH2_FX_OK;
-		}
-
-	}
-	if (status != SSH2_FX_OK)
-		send_status(id, status);
-	xfree(path);
-}
-
-static void
-process_readdir(void)
-{
-	DIR *dirp;
-	struct dirent *dp;
-	char *path;
-	int handle;
-	u_int32_t id;
-
-	id = get_int();
-	handle = get_handle();
-	debug("request %u: readdir \"%s\" (handle %d)", id,
-	    handle_to_name(handle), handle);
-	dirp = handle_to_dir(handle);
-	path = handle_to_name(handle);
-	if (dirp == NULL || path == NULL) {
-		send_status(id, SSH2_FX_FAILURE);
-	} else {
-		struct stat st;
-		char pathname[MAXPATHLEN];
-		Stat *stats;
-		int nstats = 10, count = 0, i;
-
-		stats = xcalloc(nstats, sizeof(Stat));
-		while ((dp = readdir(dirp)) != NULL) {
-			if (count >= nstats) {
-				nstats *= 2;
-				stats = xrealloc(stats, nstats, sizeof(Stat));
-			}
-/* XXX OVERFLOW ? */
-			snprintf(pathname, sizeof pathname, "%s%s%s", path,
-			    strcmp(path, "/") ? "/" : "", dp->d_name);
-			if (lstat(pathname, &st) < 0)
-				continue;
-			stat_to_attrib(&st, &(stats[count].attrib));
-			stats[count].name = xstrdup(dp->d_name);
-			stats[count].long_name = ls_file(dp->d_name, &st, 0);
-			count++;
-			/* send up to 100 entries in one message */
-			/* XXX check packet size instead */
-			if (count == 100)
-				break;
-		}
-		if (count > 0) {
-			send_names(id, count, stats);
-			for (i = 0; i < count; i++) {
-				xfree(stats[i].name);
-				xfree(stats[i].long_name);
-			}
-		} else {
-			send_status(id, SSH2_FX_EOF);
-		}
-		xfree(stats);
-	}
-}
-
-static void
-process_remove(void)
-{
-	char *name;
-	u_int32_t id;
-	int status = SSH2_FX_FAILURE;
-	int ret;
-
-	id = get_int();
-	name = get_string(NULL);
-	debug3("request %u: remove", id);
-	logit("remove name \"%s\"", name);
-	ret = unlink(name);
-	status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
-	send_status(id, status);
-	xfree(name);
-}
-
-static void
-process_mkdir(void)
-{
-	Attrib *a;
-	u_int32_t id;
-	char *name;
-	int ret, mode, status = SSH2_FX_FAILURE;
-
-	id = get_int();
-	name = get_string(NULL);
-	a = get_attrib();
-	mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ?
-	    a->perm & 0777 : 0777;
-	debug3("request %u: mkdir", id);
-	logit("mkdir name \"%s\" mode 0%o", name, mode);
-	ret = mkdir(name, mode);
-	status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
-	send_status(id, status);
-	xfree(name);
-}
-
-static void
-process_rmdir(void)
-{
-	u_int32_t id;
-	char *name;
-	int ret, status;
-
-	id = get_int();
-	name = get_string(NULL);
-	debug3("request %u: rmdir", id);
-	logit("rmdir name \"%s\"", name);
-	ret = rmdir(name);
-	status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
-	send_status(id, status);
-	xfree(name);
-}
-
-static void
-process_realpath(void)
-{
-	char resolvedname[MAXPATHLEN];
-	u_int32_t id;
-	char *path;
-
-	id = get_int();
-	path = get_string(NULL);
-	if (path[0] == '\0') {
-		xfree(path);
-		path = xstrdup(".");
-	}
-	debug3("request %u: realpath", id);
-	verbose("realpath \"%s\"", path);
-	if (realpath(path, resolvedname) == NULL) {
-		send_status(id, errno_to_portable(errno));
-	} else {
-		Stat s;
-		attrib_clear(&s.attrib);
-		s.name = s.long_name = resolvedname;
-		send_names(id, 1, &s);
-	}
-	xfree(path);
-}
-
-static void
-process_rename(void)
-{
-	u_int32_t id;
-	char *oldpath, *newpath;
-	int status;
-	struct stat sb;
-
-	id = get_int();
-	oldpath = get_string(NULL);
-	newpath = get_string(NULL);
-	debug3("request %u: rename", id);
-	logit("rename old \"%s\" new \"%s\"", oldpath, newpath);
-	status = SSH2_FX_FAILURE;
-	if (lstat(oldpath, &sb) == -1)
-		status = errno_to_portable(errno);
-	else if (S_ISREG(sb.st_mode)) {
-		/* Race-free rename of regular files */
-		if (link(oldpath, newpath) == -1) {
-			if (errno == EOPNOTSUPP
-#ifdef LINK_OPNOTSUPP_ERRNO
-			    || errno == LINK_OPNOTSUPP_ERRNO
-#endif
-			    ) {
-				struct stat st;
-
-				/*
-				 * fs doesn't support links, so fall back to
-				 * stat+rename.  This is racy.
-				 */
-				if (stat(newpath, &st) == -1) {
-					if (rename(oldpath, newpath) == -1)
-						status =
-						    errno_to_portable(errno);
-					else
-						status = SSH2_FX_OK;
-				}
-			} else {
-				status = errno_to_portable(errno);
-			}
-		} else if (unlink(oldpath) == -1) {
-			status = errno_to_portable(errno);
-			/* clean spare link */
-			unlink(newpath);
-		} else
-			status = SSH2_FX_OK;
-	} else if (stat(newpath, &sb) == -1) {
-		if (rename(oldpath, newpath) == -1)
-			status = errno_to_portable(errno);
-		else
-			status = SSH2_FX_OK;
-	}
-	send_status(id, status);
-	xfree(oldpath);
-	xfree(newpath);
-}
-
-static void
-process_readlink(void)
-{
-	u_int32_t id;
-	int len;
-	char buf[MAXPATHLEN];
-	char *path;
-
-	id = get_int();
-	path = get_string(NULL);
-	debug3("request %u: readlink", id);
-	verbose("readlink \"%s\"", path);
-	if ((len = readlink(path, buf, sizeof(buf) - 1)) == -1)
-		send_status(id, errno_to_portable(errno));
-	else {
-		Stat s;
-
-		buf[len] = '\0';
-		attrib_clear(&s.attrib);
-		s.name = s.long_name = buf;
-		send_names(id, 1, &s);
-	}
-	xfree(path);
-}
-
-static void
-process_symlink(void)
-{
-	u_int32_t id;
-	char *oldpath, *newpath;
-	int ret, status;
-
-	id = get_int();
-	oldpath = get_string(NULL);
-	newpath = get_string(NULL);
-	debug3("request %u: symlink", id);
-	logit("symlink old \"%s\" new \"%s\"", oldpath, newpath);
-	/* this will fail if 'newpath' exists */
-	ret = symlink(oldpath, newpath);
-	status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
-	send_status(id, status);
-	xfree(oldpath);
-	xfree(newpath);
-}
-
-static void
-process_extended(void)
-{
-	u_int32_t id;
-	char *request;
-
-	id = get_int();
-	request = get_string(NULL);
-	send_status(id, SSH2_FX_OP_UNSUPPORTED);		/* MUST */
-	xfree(request);
-}
-
-/* stolen from ssh-agent */
-
-static void
-process(void)
-{
-	u_int msg_len;
-	u_int buf_len;
-	u_int consumed;
-	u_int type;
-	u_char *cp;
-
-	buf_len = buffer_len(&iqueue);
-	if (buf_len < 5)
-		return;		/* Incomplete message. */
-	cp = buffer_ptr(&iqueue);
-	msg_len = get_u32(cp);
-	if (msg_len > SFTP_MAX_MSG_LENGTH) {
-		error("bad message from %s local user %s",
-		    client_addr, pw->pw_name);
-		cleanup_exit(11);
-	}
-	if (buf_len < msg_len + 4)
-		return;
-	buffer_consume(&iqueue, 4);
-	buf_len -= 4;
-	type = buffer_get_char(&iqueue);
-	switch (type) {
-	case SSH2_FXP_INIT:
-		process_init();
-		break;
-	case SSH2_FXP_OPEN:
-		process_open();
-		break;
-	case SSH2_FXP_CLOSE:
-		process_close();
-		break;
-	case SSH2_FXP_READ:
-		process_read();
-		break;
-	case SSH2_FXP_WRITE:
-		process_write();
-		break;
-	case SSH2_FXP_LSTAT:
-		process_lstat();
-		break;
-	case SSH2_FXP_FSTAT:
-		process_fstat();
-		break;
-	case SSH2_FXP_SETSTAT:
-		process_setstat();
-		break;
-	case SSH2_FXP_FSETSTAT:
-		process_fsetstat();
-		break;
-	case SSH2_FXP_OPENDIR:
-		process_opendir();
-		break;
-	case SSH2_FXP_READDIR:
-		process_readdir();
-		break;
-	case SSH2_FXP_REMOVE:
-		process_remove();
-		break;
-	case SSH2_FXP_MKDIR:
-		process_mkdir();
-		break;
-	case SSH2_FXP_RMDIR:
-		process_rmdir();
-		break;
-	case SSH2_FXP_REALPATH:
-		process_realpath();
-		break;
-	case SSH2_FXP_STAT:
-		process_stat();
-		break;
-	case SSH2_FXP_RENAME:
-		process_rename();
-		break;
-	case SSH2_FXP_READLINK:
-		process_readlink();
-		break;
-	case SSH2_FXP_SYMLINK:
-		process_symlink();
-		break;
-	case SSH2_FXP_EXTENDED:
-		process_extended();
-		break;
-	default:
-		error("Unknown message %d", type);
-		break;
-	}
-	/* discard the remaining bytes from the current packet */
-	if (buf_len < buffer_len(&iqueue))
-		fatal("iqueue grew unexpectedly");
-	consumed = buf_len - buffer_len(&iqueue);
-	if (msg_len < consumed)
-		fatal("msg_len %d < consumed %d", msg_len, consumed);
-	if (msg_len > consumed)
-		buffer_consume(&iqueue, msg_len - consumed);
-}
-
-/* Cleanup handler that logs active handles upon normal exit */
-void
-cleanup_exit(int i)
-{
-	if (pw != NULL && client_addr != NULL) {
-		handle_log_exit();
-		logit("session closed for local user %s from [%s]",
-		    pw->pw_name, client_addr);
-	}
-	_exit(i);
-}
-
-static void
-usage(void)
-{
-	extern char *__progname;
-
-	fprintf(stderr,
-	    "usage: %s [-he] [-l log_level] [-f log_facility]\n", __progname);
-	exit(1);
-}
-
-int
-main(int argc, char **argv)
-{
-	fd_set *rset, *wset;
-	int in, out, max, ch, skipargs = 0, log_stderr = 0;
-	ssize_t len, olen, set_size;
-	SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
-	char *cp;
-
-	extern char *optarg;
-	extern char *__progname;
-
-	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
-	sanitise_stdfd();
-
-	__progname = ssh_get_progname(argv[0]);
-	log_init(__progname, log_level, log_facility, log_stderr);
-
-	while (!skipargs && (ch = getopt(argc, argv, "C:f:l:che")) != -1) {
-		switch (ch) {
-		case 'c':
-			/*
-			 * Ignore all arguments if we are invoked as a
-			 * shell using "sftp-server -c command"
-			 */
-			skipargs = 1;
-			break;
-		case 'e':
-			log_stderr = 1;
-			break;
-		case 'l':
-			log_level = log_level_number(optarg);
-			if (log_level == SYSLOG_LEVEL_NOT_SET)
-				error("Invalid log level \"%s\"", optarg);
-			break;
-		case 'f':
-			log_facility = log_facility_number(optarg);
-			if (log_level == SYSLOG_FACILITY_NOT_SET)
-				error("Invalid log facility \"%s\"", optarg);
-			break;
-		case 'h':
-		default:
-			usage();
-		}
-	}
-
-	log_init(__progname, log_level, log_facility, log_stderr);
-
-	if ((cp = getenv("SSH_CONNECTION")) != NULL) {
-		client_addr = xstrdup(cp);
-		if ((cp = strchr(client_addr, ' ')) == NULL)
-			fatal("Malformed SSH_CONNECTION variable: \"%s\"",
-			    getenv("SSH_CONNECTION"));
-		*cp = '\0';
-	} else
-		client_addr = xstrdup("UNKNOWN");
-
-	if ((pw = getpwuid(getuid())) == NULL)
-		fatal("No user found for uid %lu", (u_long)getuid());
-	pw = pwcopy(pw);
-
-	logit("session opened for local user %s from [%s]",
-	    pw->pw_name, client_addr);
-
-	handle_init();
-
-	in = dup(STDIN_FILENO);
-	out = dup(STDOUT_FILENO);
-
-#ifdef HAVE_CYGWIN
-	setmode(in, O_BINARY);
-	setmode(out, O_BINARY);
-#endif
-
-	max = 0;
-	if (in > max)
-		max = in;
-	if (out > max)
-		max = out;
-
-	buffer_init(&iqueue);
-	buffer_init(&oqueue);
-
-	set_size = howmany(max + 1, NFDBITS) * sizeof(fd_mask);
-	rset = (fd_set *)xmalloc(set_size);
-	wset = (fd_set *)xmalloc(set_size);
-
-	for (;;) {
-		memset(rset, 0, set_size);
-		memset(wset, 0, set_size);
-
-		FD_SET(in, rset);
-		olen = buffer_len(&oqueue);
-		if (olen > 0)
-			FD_SET(out, wset);
-
-		if (select(max+1, rset, wset, NULL, NULL) < 0) {
-			if (errno == EINTR)
-				continue;
-			error("select: %s", strerror(errno));
-			cleanup_exit(2);
-		}
-
-		/* copy stdin to iqueue */
-		if (FD_ISSET(in, rset)) {
-			char buf[4*4096];
-			len = read(in, buf, sizeof buf);
-			if (len == 0) {
-				debug("read eof");
-				cleanup_exit(0);
-			} else if (len < 0) {
-				error("read: %s", strerror(errno));
-				cleanup_exit(1);
-			} else {
-				buffer_append(&iqueue, buf, len);
-			}
-		}
-		/* send oqueue to stdout */
-		if (FD_ISSET(out, wset)) {
-			len = write(out, buffer_ptr(&oqueue), olen);
-			if (len < 0) {
-				error("write: %s", strerror(errno));
-				cleanup_exit(1);
-			} else {
-				buffer_consume(&oqueue, len);
-			}
-		}
-		/* process requests from client */
-		process();
-	}
-}
diff --git a/crypto/openssh/sftp-server/Makefile b/crypto/openssh/sftp-server/Makefile
deleted file mode 100644
index e068239..0000000
--- a/crypto/openssh/sftp-server/Makefile
+++ /dev/null
@@ -1,18 +0,0 @@
-#	$OpenBSD: Makefile,v 1.5 2001/03/03 23:59:36 markus Exp $
-
-.PATH:		${.CURDIR}/..
-
-PROG=	sftp-server
-BINOWN=	root
-
-BINMODE?=555
-
-BINDIR=	/usr/libexec
-MAN=	sftp-server.8
-
-SRCS=	sftp-server.c sftp-common.c
-
-.include <bsd.prog.mk>
-
-LDADD+=	-lcrypto
-DPADD+=	${LIBCRYPTO}
diff --git a/crypto/openssh/sftp.1 b/crypto/openssh/sftp.1
deleted file mode 100644
index 47aafa8..0000000
--- a/crypto/openssh/sftp.1
+++ /dev/null
@@ -1,453 +0,0 @@
-.\" $OpenBSD: sftp.1,v 1.63 2006/01/20 00:14:55 dtucker Exp $
-.\"
-.\" Copyright (c) 2001 Damien Miller.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in the
-.\"    documentation and/or other materials provided with the distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd February 4, 2001
-.Dt SFTP 1
-.Os
-.Sh NAME
-.Nm sftp
-.Nd secure file transfer program
-.Sh SYNOPSIS
-.Nm sftp
-.Bk -words
-.Op Fl 1Cv
-.Op Fl B Ar buffer_size
-.Op Fl b Ar batchfile
-.Op Fl F Ar ssh_config
-.Op Fl o Ar ssh_option
-.Op Fl P Ar sftp_server_path
-.Op Fl R Ar num_requests
-.Op Fl S Ar program
-.Op Fl s Ar subsystem | sftp_server
-.Ar host
-.Ek
-.Nm sftp
-.Oo Oo Ar user Ns @ Oc Ns
-.Ar host Ns Oo : Ns Ar file Oo
-.Ar file Oc Oc Oc
-.Nm sftp
-.Oo Oo Ar user Ns @ Oc Ns
-.Ar host Ns Oo : Ns Ar dir Ns
-.Oo Ar / Oc Oc Oc
-.Nm sftp
-.Fl b Ar batchfile
-.Oo Ar user Ns @ Oc Ns Ar host
-.Sh DESCRIPTION
-.Nm
-is an interactive file transfer program, similar to
-.Xr ftp 1 ,
-which performs all operations over an encrypted
-.Xr ssh 1
-transport.
-It may also use many features of ssh, such as public key authentication and
-compression.
-.Nm
-connects and logs into the specified
-.Ar host ,
-then enters an interactive command mode.
-.Pp
-The second usage format will retrieve files automatically if a non-interactive
-authentication method is used; otherwise it will do so after
-successful interactive authentication.
-.Pp
-The third usage format allows
-.Nm
-to start in a remote directory.
-.Pp
-The final usage format allows for automated sessions using the
-.Fl b
-option.
-In such cases, it is necessary to configure non-interactive authentication
-to obviate the need to enter a password at connection time (see
-.Xr sshd 8
-and
-.Xr ssh-keygen 1
-for details).
-The options are as follows:
-.Bl -tag -width Ds
-.It Fl 1
-Specify the use of protocol version 1.
-.It Fl B Ar buffer_size
-Specify the size of the buffer that
-.Nm
-uses when transferring files.
-Larger buffers require fewer round trips at the cost of higher
-memory consumption.
-The default is 32768 bytes.
-.It Fl b Ar batchfile
-Batch mode reads a series of commands from an input
-.Ar batchfile
-instead of
-.Em stdin .
-Since it lacks user interaction it should be used in conjunction with
-non-interactive authentication.
-A
-.Ar batchfile
-of
-.Sq \-
-may be used to indicate standard input.
-.Nm
-will abort if any of the following
-commands fail:
-.Ic get , put , rename , ln ,
-.Ic rm , mkdir , chdir , ls ,
-.Ic lchdir , chmod , chown , chgrp , lpwd
-and
-.Ic lmkdir .
-Termination on error can be suppressed on a command by command basis by
-prefixing the command with a
-.Sq \-
-character (for example,
-.Ic -rm /tmp/blah* ) .
-.It Fl C
-Enables compression (via ssh's
-.Fl C
-flag).
-.It Fl F Ar ssh_config
-Specifies an alternative
-per-user configuration file for
-.Xr ssh 1 .
-This option is directly passed to
-.Xr ssh 1 .
-.It Fl o Ar ssh_option
-Can be used to pass options to
-.Nm ssh
-in the format used in
-.Xr ssh_config 5 .
-This is useful for specifying options
-for which there is no separate
-.Nm sftp
-command-line flag.
-For example, to specify an alternate port use:
-.Ic sftp -oPort=24 .
-For full details of the options listed below, and their possible values, see
-.Xr ssh_config 5 .
-.Pp
-.Bl -tag -width Ds -offset indent -compact
-.It AddressFamily
-.It BatchMode
-.It BindAddress
-.It ChallengeResponseAuthentication
-.It CheckHostIP
-.It Cipher
-.It Ciphers
-.It Compression
-.It CompressionLevel
-.It ConnectionAttempts
-.It ConnectTimeout
-.It ControlMaster
-.It ControlPath
-.It GlobalKnownHostsFile
-.It GSSAPIAuthentication
-.It GSSAPIDelegateCredentials
-.It HashKnownHosts
-.It Host
-.It HostbasedAuthentication
-.It HostKeyAlgorithms
-.It HostKeyAlias
-.It HostName
-.It IdentityFile
-.It IdentitiesOnly
-.It KbdInteractiveDevices
-.It LogLevel
-.It MACs
-.It NoHostAuthenticationForLocalhost
-.It NumberOfPasswordPrompts
-.It PasswordAuthentication
-.It Port
-.It PreferredAuthentications
-.It Protocol
-.It ProxyCommand
-.It PubkeyAuthentication
-.It RekeyLimit
-.It RhostsRSAAuthentication
-.It RSAAuthentication
-.It SendEnv
-.It ServerAliveInterval
-.It ServerAliveCountMax
-.It SmartcardDevice
-.It StrictHostKeyChecking
-.It TCPKeepAlive
-.It UsePrivilegedPort
-.It User
-.It UserKnownHostsFile
-.It VerifyHostKeyDNS
-.El
-.It Fl P Ar sftp_server_path
-Connect directly to a local sftp server
-(rather than via
-.Xr ssh 1 ) .
-This option may be useful in debugging the client and server.
-.It Fl R Ar num_requests
-Specify how many requests may be outstanding at any one time.
-Increasing this may slightly improve file transfer speed
-but will increase memory usage.
-The default is 16 outstanding requests.
-.It Fl S Ar program
-Name of the
-.Ar program
-to use for the encrypted connection.
-The program must understand
-.Xr ssh 1
-options.
-.It Fl s Ar subsystem | sftp_server
-Specifies the SSH2 subsystem or the path for an sftp server
-on the remote host.
-A path is useful for using
-.Nm
-over protocol version 1, or when the remote
-.Xr sshd 8
-does not have an sftp subsystem configured.
-.It Fl v
-Raise logging level.
-This option is also passed to ssh.
-.El
-.Sh INTERACTIVE COMMANDS
-Once in interactive mode,
-.Nm
-understands a set of commands similar to those of
-.Xr ftp 1 .
-Commands are case insensitive.
-Pathnames that contain spaces must be enclosed in quotes.
-Any special characters contained within pathnames that are recognized by
-.Xr glob 3
-must be escaped with backslashes
-.Pq Sq \e .
-.Bl -tag -width Ds
-.It Ic bye
-Quit
-.Nm sftp .
-.It Ic cd Ar path
-Change remote directory to
-.Ar path .
-.It Ic chgrp Ar grp Ar path
-Change group of file
-.Ar path
-to
-.Ar grp .
-.Ar path
-may contain
-.Xr glob 3
-characters and may match multiple files.
-.Ar grp
-must be a numeric GID.
-.It Ic chmod Ar mode Ar path
-Change permissions of file
-.Ar path
-to
-.Ar mode .
-.Ar path
-may contain
-.Xr glob 3
-characters and may match multiple files.
-.It Ic chown Ar own Ar path
-Change owner of file
-.Ar path
-to
-.Ar own .
-.Ar path
-may contain
-.Xr glob 3
-characters and may match multiple files.
-.Ar own
-must be a numeric UID.
-.It Ic exit
-Quit
-.Nm sftp .
-.It Xo Ic get
-.Op Fl P
-.Ar remote-path
-.Op Ar local-path
-.Xc
-Retrieve the
-.Ar remote-path
-and store it on the local machine.
-If the local
-path name is not specified, it is given the same name it has on the
-remote machine.
-.Ar remote-path
-may contain
-.Xr glob 3
-characters and may match multiple files.
-If it does and
-.Ar local-path
-is specified, then
-.Ar local-path
-must specify a directory.
-If the
-.Fl P
-flag is specified, then full file permissions and access times are
-copied too.
-.It Ic help
-Display help text.
-.It Ic lcd Ar path
-Change local directory to
-.Ar path .
-.It Ic lls Op Ar ls-options Op Ar path
-Display local directory listing of either
-.Ar path
-or current directory if
-.Ar path
-is not specified.
-.Ar ls-options
-may contain any flags supported by the local system's
-.Xr ls 1
-command.
-.Ar path
-may contain
-.Xr glob 3
-characters and may match multiple files.
-.It Ic lmkdir Ar path
-Create local directory specified by
-.Ar path .
-.It Ic ln Ar oldpath Ar newpath
-Create a symbolic link from
-.Ar oldpath
-to
-.Ar newpath .
-.It Ic lpwd
-Print local working directory.
-.It Xo Ic ls
-.Op Fl 1aflnrSt
-.Op Ar path
-.Xc
-Display a remote directory listing of either
-.Ar path
-or the current directory if
-.Ar path
-is not specified.
-.Ar path
-may contain
-.Xr glob 3
-characters and may match multiple files.
-.Pp
-The following flags are recognized and alter the behaviour of
-.Ic ls
-accordingly:
-.Bl -tag -width Ds
-.It Fl 1
-Produce single columnar output.
-.It Fl a
-List files beginning with a dot
-.Pq Sq \&. .
-.It Fl f
-Do not sort the listing.
-The default sort order is lexicographical.
-.It Fl l
-Display additional details including permissions
-and ownership information.
-.It Fl n
-Produce a long listing with user and group information presented
-numerically.
-.It Fl r
-Reverse the sort order of the listing.
-.It Fl S
-Sort the listing by file size.
-.It Fl t
-Sort the listing by last modification time.
-.El
-.It Ic lumask Ar umask
-Set local umask to
-.Ar umask .
-.It Ic mkdir Ar path
-Create remote directory specified by
-.Ar path .
-.It Ic progress
-Toggle display of progress meter.
-.It Xo Ic put
-.Op Fl P
-.Ar local-path
-.Op Ar remote-path
-.Xc
-Upload
-.Ar local-path
-and store it on the remote machine.
-If the remote path name is not specified, it is given the same name it has
-on the local machine.
-.Ar local-path
-may contain
-.Xr glob 3
-characters and may match multiple files.
-If it does and
-.Ar remote-path
-is specified, then
-.Ar remote-path
-must specify a directory.
-If the
-.Fl P
-flag is specified, then the file's full permission and access time are
-copied too.
-.It Ic pwd
-Display remote working directory.
-.It Ic quit
-Quit
-.Nm sftp .
-.It Ic rename Ar oldpath Ar newpath
-Rename remote file from
-.Ar oldpath
-to
-.Ar newpath .
-.It Ic rm Ar path
-Delete remote file specified by
-.Ar path .
-.It Ic rmdir Ar path
-Remove remote directory specified by
-.Ar path .
-.It Ic symlink Ar oldpath Ar newpath
-Create a symbolic link from
-.Ar oldpath
-to
-.Ar newpath .
-.It Ic version
-Display the
-.Nm
-protocol version.
-.It Ic \&! Ar command
-Execute
-.Ar command
-in local shell.
-.It Ic \&!
-Escape to local shell.
-.It Ic \&?
-Synonym for help.
-.El
-.Sh SEE ALSO
-.Xr ftp 1 ,
-.Xr ls 1 ,
-.Xr scp 1 ,
-.Xr ssh 1 ,
-.Xr ssh-add 1 ,
-.Xr ssh-keygen 1 ,
-.Xr glob 3 ,
-.Xr ssh_config 5 ,
-.Xr sftp-server 8 ,
-.Xr sshd 8
-.Rs
-.%A T. Ylonen
-.%A S. Lehtinen
-.%T "SSH File Transfer Protocol"
-.%N draft-ietf-secsh-filexfer-00.txt
-.%D January 2001
-.%O work in progress material
-.Re
diff --git a/crypto/openssh/sftp.c b/crypto/openssh/sftp.c
deleted file mode 100644
index a39c782..0000000
--- a/crypto/openssh/sftp.c
+++ /dev/null
@@ -1,1624 +0,0 @@
-/* $OpenBSD: sftp.c,v 1.93 2006/09/30 17:48:22 ray Exp $ */
-/*
- * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/ioctl.h>
-#ifdef HAVE_SYS_STAT_H
-# include <sys/stat.h>
-#endif
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/wait.h>
-
-#include <errno.h>
-
-#ifdef HAVE_PATHS_H
-# include <paths.h>
-#endif
-#ifdef USE_LIBEDIT
-#include <histedit.h>
-#else
-typedef void EditLine;
-#endif
-#include <signal.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
-#include <stdarg.h>
-
-#include "xmalloc.h"
-#include "log.h"
-#include "pathnames.h"
-#include "misc.h"
-
-#include "sftp.h"
-#include "buffer.h"
-#include "sftp-common.h"
-#include "sftp-client.h"
-
-/* File to read commands from */
-FILE* infile;
-
-/* Are we in batchfile mode? */
-int batchmode = 0;
-
-/* Size of buffer used when copying files */
-size_t copy_buffer_len = 32768;
-
-/* Number of concurrent outstanding requests */
-size_t num_requests = 16;
-
-/* PID of ssh transport process */
-static pid_t sshpid = -1;
-
-/* This is set to 0 if the progressmeter is not desired. */
-int showprogress = 1;
-
-/* SIGINT received during command processing */
-volatile sig_atomic_t interrupted = 0;
-
-/* I wish qsort() took a separate ctx for the comparison function...*/
-int sort_flag;
-
-int remote_glob(struct sftp_conn *, const char *, int,
-    int (*)(const char *, int), glob_t *); /* proto for sftp-glob.c */
-
-extern char *__progname;
-
-/* Separators for interactive commands */
-#define WHITESPACE " \t\r\n"
-
-/* ls flags */
-#define LS_LONG_VIEW	0x01	/* Full view ala ls -l */
-#define LS_SHORT_VIEW	0x02	/* Single row view ala ls -1 */
-#define LS_NUMERIC_VIEW	0x04	/* Long view with numeric uid/gid */
-#define LS_NAME_SORT	0x08	/* Sort by name (default) */
-#define LS_TIME_SORT	0x10	/* Sort by mtime */
-#define LS_SIZE_SORT	0x20	/* Sort by file size */
-#define LS_REVERSE_SORT	0x40	/* Reverse sort order */
-#define LS_SHOW_ALL	0x80	/* Don't skip filenames starting with '.' */
-
-#define VIEW_FLAGS	(LS_LONG_VIEW|LS_SHORT_VIEW|LS_NUMERIC_VIEW)
-#define SORT_FLAGS	(LS_NAME_SORT|LS_TIME_SORT|LS_SIZE_SORT)
-
-/* Commands for interactive mode */
-#define I_CHDIR		1
-#define I_CHGRP		2
-#define I_CHMOD		3
-#define I_CHOWN		4
-#define I_GET		5
-#define I_HELP		6
-#define I_LCHDIR	7
-#define I_LLS		8
-#define I_LMKDIR	9
-#define I_LPWD		10
-#define I_LS		11
-#define I_LUMASK	12
-#define I_MKDIR		13
-#define I_PUT		14
-#define I_PWD		15
-#define I_QUIT		16
-#define I_RENAME	17
-#define I_RM		18
-#define I_RMDIR		19
-#define I_SHELL		20
-#define I_SYMLINK	21
-#define I_VERSION	22
-#define I_PROGRESS	23
-
-struct CMD {
-	const char *c;
-	const int n;
-};
-
-static const struct CMD cmds[] = {
-	{ "bye",	I_QUIT },
-	{ "cd",		I_CHDIR },
-	{ "chdir",	I_CHDIR },
-	{ "chgrp",	I_CHGRP },
-	{ "chmod",	I_CHMOD },
-	{ "chown",	I_CHOWN },
-	{ "dir",	I_LS },
-	{ "exit",	I_QUIT },
-	{ "get",	I_GET },
-	{ "mget",	I_GET },
-	{ "help",	I_HELP },
-	{ "lcd",	I_LCHDIR },
-	{ "lchdir",	I_LCHDIR },
-	{ "lls",	I_LLS },
-	{ "lmkdir",	I_LMKDIR },
-	{ "ln",		I_SYMLINK },
-	{ "lpwd",	I_LPWD },
-	{ "ls",		I_LS },
-	{ "lumask",	I_LUMASK },
-	{ "mkdir",	I_MKDIR },
-	{ "progress",	I_PROGRESS },
-	{ "put",	I_PUT },
-	{ "mput",	I_PUT },
-	{ "pwd",	I_PWD },
-	{ "quit",	I_QUIT },
-	{ "rename",	I_RENAME },
-	{ "rm",		I_RM },
-	{ "rmdir",	I_RMDIR },
-	{ "symlink",	I_SYMLINK },
-	{ "version",	I_VERSION },
-	{ "!",		I_SHELL },
-	{ "?",		I_HELP },
-	{ NULL,			-1}
-};
-
-int interactive_loop(int fd_in, int fd_out, char *file1, char *file2);
-
-static void
-killchild(int signo)
-{
-	if (sshpid > 1) {
-		kill(sshpid, SIGTERM);
-		waitpid(sshpid, NULL, 0);
-	}
-
-	_exit(1);
-}
-
-static void
-cmd_interrupt(int signo)
-{
-	const char msg[] = "\rInterrupt  \n";
-	int olderrno = errno;
-
-	write(STDERR_FILENO, msg, sizeof(msg) - 1);
-	interrupted = 1;
-	errno = olderrno;
-}
-
-static void
-help(void)
-{
-	printf("Available commands:\n");
-	printf("cd path                       Change remote directory to 'path'\n");
-	printf("lcd path                      Change local directory to 'path'\n");
-	printf("chgrp grp path                Change group of file 'path' to 'grp'\n");
-	printf("chmod mode path               Change permissions of file 'path' to 'mode'\n");
-	printf("chown own path                Change owner of file 'path' to 'own'\n");
-	printf("help                          Display this help text\n");
-	printf("get remote-path [local-path]  Download file\n");
-	printf("lls [ls-options [path]]       Display local directory listing\n");
-	printf("ln oldpath newpath            Symlink remote file\n");
-	printf("lmkdir path                   Create local directory\n");
-	printf("lpwd                          Print local working directory\n");
-	printf("ls [path]                     Display remote directory listing\n");
-	printf("lumask umask                  Set local umask to 'umask'\n");
-	printf("mkdir path                    Create remote directory\n");
-	printf("progress                      Toggle display of progress meter\n");
-	printf("put local-path [remote-path]  Upload file\n");
-	printf("pwd                           Display remote working directory\n");
-	printf("exit                          Quit sftp\n");
-	printf("quit                          Quit sftp\n");
-	printf("rename oldpath newpath        Rename remote file\n");
-	printf("rmdir path                    Remove remote directory\n");
-	printf("rm path                       Delete remote file\n");
-	printf("symlink oldpath newpath       Symlink remote file\n");
-	printf("version                       Show SFTP version\n");
-	printf("!command                      Execute 'command' in local shell\n");
-	printf("!                             Escape to local shell\n");
-	printf("?                             Synonym for help\n");
-}
-
-static void
-local_do_shell(const char *args)
-{
-	int status;
-	char *shell;
-	pid_t pid;
-
-	if (!*args)
-		args = NULL;
-
-	if ((shell = getenv("SHELL")) == NULL)
-		shell = _PATH_BSHELL;
-
-	if ((pid = fork()) == -1)
-		fatal("Couldn't fork: %s", strerror(errno));
-
-	if (pid == 0) {
-		/* XXX: child has pipe fds to ssh subproc open - issue? */
-		if (args) {
-			debug3("Executing %s -c \"%s\"", shell, args);
-			execl(shell, shell, "-c", args, (char *)NULL);
-		} else {
-			debug3("Executing %s", shell);
-			execl(shell, shell, (char *)NULL);
-		}
-		fprintf(stderr, "Couldn't execute \"%s\": %s\n", shell,
-		    strerror(errno));
-		_exit(1);
-	}
-	while (waitpid(pid, &status, 0) == -1)
-		if (errno != EINTR)
-			fatal("Couldn't wait for child: %s", strerror(errno));
-	if (!WIFEXITED(status))
-		error("Shell exited abnormally");
-	else if (WEXITSTATUS(status))
-		error("Shell exited with status %d", WEXITSTATUS(status));
-}
-
-static void
-local_do_ls(const char *args)
-{
-	if (!args || !*args)
-		local_do_shell(_PATH_LS);
-	else {
-		int len = strlen(_PATH_LS " ") + strlen(args) + 1;
-		char *buf = xmalloc(len);
-
-		/* XXX: quoting - rip quoting code from ftp? */
-		snprintf(buf, len, _PATH_LS " %s", args);
-		local_do_shell(buf);
-		xfree(buf);
-	}
-}
-
-/* Strip one path (usually the pwd) from the start of another */
-static char *
-path_strip(char *path, char *strip)
-{
-	size_t len;
-
-	if (strip == NULL)
-		return (xstrdup(path));
-
-	len = strlen(strip);
-	if (strncmp(path, strip, len) == 0) {
-		if (strip[len - 1] != '/' && path[len] == '/')
-			len++;
-		return (xstrdup(path + len));
-	}
-
-	return (xstrdup(path));
-}
-
-static char *
-path_append(char *p1, char *p2)
-{
-	char *ret;
-	int len = strlen(p1) + strlen(p2) + 2;
-
-	ret = xmalloc(len);
-	strlcpy(ret, p1, len);
-	if (p1[strlen(p1) - 1] != '/')
-		strlcat(ret, "/", len);
-	strlcat(ret, p2, len);
-
-	return(ret);
-}
-
-static char *
-make_absolute(char *p, char *pwd)
-{
-	char *abs_str;
-
-	/* Derelativise */
-	if (p && p[0] != '/') {
-		abs_str = path_append(pwd, p);
-		xfree(p);
-		return(abs_str);
-	} else
-		return(p);
-}
-
-static int
-infer_path(const char *p, char **ifp)
-{
-	char *cp;
-
-	cp = strrchr(p, '/');
-	if (cp == NULL) {
-		*ifp = xstrdup(p);
-		return(0);
-	}
-
-	if (!cp[1]) {
-		error("Invalid path");
-		return(-1);
-	}
-
-	*ifp = xstrdup(cp + 1);
-	return(0);
-}
-
-static int
-parse_getput_flags(const char **cpp, int *pflag)
-{
-	const char *cp = *cpp;
-
-	/* Check for flags */
-	if (cp[0] == '-' && cp[1] && strchr(WHITESPACE, cp[2])) {
-		switch (cp[1]) {
-		case 'p':
-		case 'P':
-			*pflag = 1;
-			break;
-		default:
-			error("Invalid flag -%c", cp[1]);
-			return(-1);
-		}
-		cp += 2;
-		*cpp = cp + strspn(cp, WHITESPACE);
-	}
-
-	return(0);
-}
-
-static int
-parse_ls_flags(const char **cpp, int *lflag)
-{
-	const char *cp = *cpp;
-
-	/* Defaults */
-	*lflag = LS_NAME_SORT;
-
-	/* Check for flags */
-	if (cp++[0] == '-') {
-		for (; strchr(WHITESPACE, *cp) == NULL; cp++) {
-			switch (*cp) {
-			case 'l':
-				*lflag &= ~VIEW_FLAGS;
-				*lflag |= LS_LONG_VIEW;
-				break;
-			case '1':
-				*lflag &= ~VIEW_FLAGS;
-				*lflag |= LS_SHORT_VIEW;
-				break;
-			case 'n':
-				*lflag &= ~VIEW_FLAGS;
-				*lflag |= LS_NUMERIC_VIEW|LS_LONG_VIEW;
-				break;
-			case 'S':
-				*lflag &= ~SORT_FLAGS;
-				*lflag |= LS_SIZE_SORT;
-				break;
-			case 't':
-				*lflag &= ~SORT_FLAGS;
-				*lflag |= LS_TIME_SORT;
-				break;
-			case 'r':
-				*lflag |= LS_REVERSE_SORT;
-				break;
-			case 'f':
-				*lflag &= ~SORT_FLAGS;
-				break;
-			case 'a':
-				*lflag |= LS_SHOW_ALL;
-				break;
-			default:
-				error("Invalid flag -%c", *cp);
-				return(-1);
-			}
-		}
-		*cpp = cp + strspn(cp, WHITESPACE);
-	}
-
-	return(0);
-}
-
-static int
-get_pathname(const char **cpp, char **path)
-{
-	const char *cp = *cpp, *end;
-	char quot;
-	u_int i, j;
-
-	cp += strspn(cp, WHITESPACE);
-	if (!*cp) {
-		*cpp = cp;
-		*path = NULL;
-		return (0);
-	}
-
-	*path = xmalloc(strlen(cp) + 1);
-
-	/* Check for quoted filenames */
-	if (*cp == '\"' || *cp == '\'') {
-		quot = *cp++;
-
-		/* Search for terminating quote, unescape some chars */
-		for (i = j = 0; i <= strlen(cp); i++) {
-			if (cp[i] == quot) {	/* Found quote */
-				i++;
-				(*path)[j] = '\0';
-				break;
-			}
-			if (cp[i] == '\0') {	/* End of string */
-				error("Unterminated quote");
-				goto fail;
-			}
-			if (cp[i] == '\\') {	/* Escaped characters */
-				i++;
-				if (cp[i] != '\'' && cp[i] != '\"' &&
-				    cp[i] != '\\') {
-					error("Bad escaped character '\\%c'",
-					    cp[i]);
-					goto fail;
-				}
-			}
-			(*path)[j++] = cp[i];
-		}
-
-		if (j == 0) {
-			error("Empty quotes");
-			goto fail;
-		}
-		*cpp = cp + i + strspn(cp + i, WHITESPACE);
-	} else {
-		/* Read to end of filename */
-		end = strpbrk(cp, WHITESPACE);
-		if (end == NULL)
-			end = strchr(cp, '\0');
-		*cpp = end + strspn(end, WHITESPACE);
-
-		memcpy(*path, cp, end - cp);
-		(*path)[end - cp] = '\0';
-	}
-	return (0);
-
- fail:
-	xfree(*path);
-	*path = NULL;
-	return (-1);
-}
-
-static int
-is_dir(char *path)
-{
-	struct stat sb;
-
-	/* XXX: report errors? */
-	if (stat(path, &sb) == -1)
-		return(0);
-
-	return(S_ISDIR(sb.st_mode));
-}
-
-static int
-is_reg(char *path)
-{
-	struct stat sb;
-
-	if (stat(path, &sb) == -1)
-		fatal("stat %s: %s", path, strerror(errno));
-
-	return(S_ISREG(sb.st_mode));
-}
-
-static int
-remote_is_dir(struct sftp_conn *conn, char *path)
-{
-	Attrib *a;
-
-	/* XXX: report errors? */
-	if ((a = do_stat(conn, path, 1)) == NULL)
-		return(0);
-	if (!(a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS))
-		return(0);
-	return(S_ISDIR(a->perm));
-}
-
-static int
-process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, int pflag)
-{
-	char *abs_src = NULL;
-	char *abs_dst = NULL;
-	char *tmp;
-	glob_t g;
-	int err = 0;
-	int i;
-
-	abs_src = xstrdup(src);
-	abs_src = make_absolute(abs_src, pwd);
-
-	memset(&g, 0, sizeof(g));
-	debug3("Looking up %s", abs_src);
-	if (remote_glob(conn, abs_src, 0, NULL, &g)) {
-		error("File \"%s\" not found.", abs_src);
-		err = -1;
-		goto out;
-	}
-
-	/* If multiple matches, dst must be a directory or unspecified */
-	if (g.gl_matchc > 1 && dst && !is_dir(dst)) {
-		error("Multiple files match, but \"%s\" is not a directory",
-		    dst);
-		err = -1;
-		goto out;
-	}
-
-	for (i = 0; g.gl_pathv[i] && !interrupted; i++) {
-		if (infer_path(g.gl_pathv[i], &tmp)) {
-			err = -1;
-			goto out;
-		}
-
-		if (g.gl_matchc == 1 && dst) {
-			/* If directory specified, append filename */
-			xfree(tmp);
-			if (is_dir(dst)) {
-				if (infer_path(g.gl_pathv[0], &tmp)) {
-					err = 1;
-					goto out;
-				}
-				abs_dst = path_append(dst, tmp);
-				xfree(tmp);
-			} else
-				abs_dst = xstrdup(dst);
-		} else if (dst) {
-			abs_dst = path_append(dst, tmp);
-			xfree(tmp);
-		} else
-			abs_dst = tmp;
-
-		printf("Fetching %s to %s\n", g.gl_pathv[i], abs_dst);
-		if (do_download(conn, g.gl_pathv[i], abs_dst, pflag) == -1)
-			err = -1;
-		xfree(abs_dst);
-		abs_dst = NULL;
-	}
-
-out:
-	xfree(abs_src);
-	globfree(&g);
-	return(err);
-}
-
-static int
-process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd, int pflag)
-{
-	char *tmp_dst = NULL;
-	char *abs_dst = NULL;
-	char *tmp;
-	glob_t g;
-	int err = 0;
-	int i;
-
-	if (dst) {
-		tmp_dst = xstrdup(dst);
-		tmp_dst = make_absolute(tmp_dst, pwd);
-	}
-
-	memset(&g, 0, sizeof(g));
-	debug3("Looking up %s", src);
-	if (glob(src, 0, NULL, &g)) {
-		error("File \"%s\" not found.", src);
-		err = -1;
-		goto out;
-	}
-
-	/* If multiple matches, dst may be directory or unspecified */
-	if (g.gl_matchc > 1 && tmp_dst && !remote_is_dir(conn, tmp_dst)) {
-		error("Multiple files match, but \"%s\" is not a directory",
-		    tmp_dst);
-		err = -1;
-		goto out;
-	}
-
-	for (i = 0; g.gl_pathv[i] && !interrupted; i++) {
-		if (!is_reg(g.gl_pathv[i])) {
-			error("skipping non-regular file %s",
-			    g.gl_pathv[i]);
-			continue;
-		}
-		if (infer_path(g.gl_pathv[i], &tmp)) {
-			err = -1;
-			goto out;
-		}
-
-		if (g.gl_matchc == 1 && tmp_dst) {
-			/* If directory specified, append filename */
-			if (remote_is_dir(conn, tmp_dst)) {
-				if (infer_path(g.gl_pathv[0], &tmp)) {
-					err = 1;
-					goto out;
-				}
-				abs_dst = path_append(tmp_dst, tmp);
-				xfree(tmp);
-			} else
-				abs_dst = xstrdup(tmp_dst);
-
-		} else if (tmp_dst) {
-			abs_dst = path_append(tmp_dst, tmp);
-			xfree(tmp);
-		} else
-			abs_dst = make_absolute(tmp, pwd);
-
-		printf("Uploading %s to %s\n", g.gl_pathv[i], abs_dst);
-		if (do_upload(conn, g.gl_pathv[i], abs_dst, pflag) == -1)
-			err = -1;
-	}
-
-out:
-	if (abs_dst)
-		xfree(abs_dst);
-	if (tmp_dst)
-		xfree(tmp_dst);
-	globfree(&g);
-	return(err);
-}
-
-static int
-sdirent_comp(const void *aa, const void *bb)
-{
-	SFTP_DIRENT *a = *(SFTP_DIRENT **)aa;
-	SFTP_DIRENT *b = *(SFTP_DIRENT **)bb;
-	int rmul = sort_flag & LS_REVERSE_SORT ? -1 : 1;
-
-#define NCMP(a,b) (a == b ? 0 : (a < b ? 1 : -1))
-	if (sort_flag & LS_NAME_SORT)
-		return (rmul * strcmp(a->filename, b->filename));
-	else if (sort_flag & LS_TIME_SORT)
-		return (rmul * NCMP(a->a.mtime, b->a.mtime));
-	else if (sort_flag & LS_SIZE_SORT)
-		return (rmul * NCMP(a->a.size, b->a.size));
-
-	fatal("Unknown ls sort type");
-}
-
-/* sftp ls.1 replacement for directories */
-static int
-do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
-{
-	int n;
-	u_int c = 1, colspace = 0, columns = 1;
-	SFTP_DIRENT **d;
-
-	if ((n = do_readdir(conn, path, &d)) != 0)
-		return (n);
-
-	if (!(lflag & LS_SHORT_VIEW)) {
-		u_int m = 0, width = 80;
-		struct winsize ws;
-		char *tmp;
-
-		/* Count entries for sort and find longest filename */
-		for (n = 0; d[n] != NULL; n++) {
-			if (d[n]->filename[0] != '.' || (lflag & LS_SHOW_ALL))
-				m = MAX(m, strlen(d[n]->filename));
-		}
-
-		/* Add any subpath that also needs to be counted */
-		tmp = path_strip(path, strip_path);
-		m += strlen(tmp);
-		xfree(tmp);
-
-		if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) != -1)
-			width = ws.ws_col;
-
-		columns = width / (m + 2);
-		columns = MAX(columns, 1);
-		colspace = width / columns;
-		colspace = MIN(colspace, width);
-	}
-
-	if (lflag & SORT_FLAGS) {
-		for (n = 0; d[n] != NULL; n++)
-			;	/* count entries */
-		sort_flag = lflag & (SORT_FLAGS|LS_REVERSE_SORT);
-		qsort(d, n, sizeof(*d), sdirent_comp);
-	}
-
-	for (n = 0; d[n] != NULL && !interrupted; n++) {
-		char *tmp, *fname;
-
-		if (d[n]->filename[0] == '.' && !(lflag & LS_SHOW_ALL))
-			continue;
-
-		tmp = path_append(path, d[n]->filename);
-		fname = path_strip(tmp, strip_path);
-		xfree(tmp);
-
-		if (lflag & LS_LONG_VIEW) {
-			if (lflag & LS_NUMERIC_VIEW) {
-				char *lname;
-				struct stat sb;
-
-				memset(&sb, 0, sizeof(sb));
-				attrib_to_stat(&d[n]->a, &sb);
-				lname = ls_file(fname, &sb, 1);
-				printf("%s\n", lname);
-				xfree(lname);
-			} else
-				printf("%s\n", d[n]->longname);
-		} else {
-			printf("%-*s", colspace, fname);
-			if (c >= columns) {
-				printf("\n");
-				c = 1;
-			} else
-				c++;
-		}
-
-		xfree(fname);
-	}
-
-	if (!(lflag & LS_LONG_VIEW) && (c != 1))
-		printf("\n");
-
-	free_sftp_dirents(d);
-	return (0);
-}
-
-/* sftp ls.1 replacement which handles path globs */
-static int
-do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
-    int lflag)
-{
-	glob_t g;
-	u_int i, c = 1, colspace = 0, columns = 1;
-	Attrib *a = NULL;
-
-	memset(&g, 0, sizeof(g));
-
-	if (remote_glob(conn, path, GLOB_MARK|GLOB_NOCHECK|GLOB_BRACE,
-	    NULL, &g) || (g.gl_pathc && !g.gl_matchc)) {
-		if (g.gl_pathc)
-			globfree(&g);
-		error("Can't ls: \"%s\" not found", path);
-		return (-1);
-	}
-
-	if (interrupted)
-		goto out;
-
-	/*
-	 * If the glob returns a single match and it is a directory,
-	 * then just list its contents.
-	 */
-	if (g.gl_matchc == 1) {
-		if ((a = do_lstat(conn, g.gl_pathv[0], 1)) == NULL) {
-			globfree(&g);
-			return (-1);
-		}
-		if ((a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) &&
-		    S_ISDIR(a->perm)) {
-			int err;
-
-			err = do_ls_dir(conn, g.gl_pathv[0], strip_path, lflag);
-			globfree(&g);
-			return (err);
-		}
-	}
-
-	if (!(lflag & LS_SHORT_VIEW)) {
-		u_int m = 0, width = 80;
-		struct winsize ws;
-
-		/* Count entries for sort and find longest filename */
-		for (i = 0; g.gl_pathv[i]; i++)
-			m = MAX(m, strlen(g.gl_pathv[i]));
-
-		if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) != -1)
-			width = ws.ws_col;
-
-		columns = width / (m + 2);
-		columns = MAX(columns, 1);
-		colspace = width / columns;
-	}
-
-	for (i = 0; g.gl_pathv[i] && !interrupted; i++, a = NULL) {
-		char *fname;
-
-		fname = path_strip(g.gl_pathv[i], strip_path);
-
-		if (lflag & LS_LONG_VIEW) {
-			char *lname;
-			struct stat sb;
-
-			/*
-			 * XXX: this is slow - 1 roundtrip per path
-			 * A solution to this is to fork glob() and
-			 * build a sftp specific version which keeps the
-			 * attribs (which currently get thrown away)
-			 * that the server returns as well as the filenames.
-			 */
-			memset(&sb, 0, sizeof(sb));
-			if (a == NULL)
-				a = do_lstat(conn, g.gl_pathv[i], 1);
-			if (a != NULL)
-				attrib_to_stat(a, &sb);
-			lname = ls_file(fname, &sb, 1);
-			printf("%s\n", lname);
-			xfree(lname);
-		} else {
-			printf("%-*s", colspace, fname);
-			if (c >= columns) {
-				printf("\n");
-				c = 1;
-			} else
-				c++;
-		}
-		xfree(fname);
-	}
-
-	if (!(lflag & LS_LONG_VIEW) && (c != 1))
-		printf("\n");
-
- out:
-	if (g.gl_pathc)
-		globfree(&g);
-
-	return (0);
-}
-
-static int
-parse_args(const char **cpp, int *pflag, int *lflag, int *iflag,
-    unsigned long *n_arg, char **path1, char **path2)
-{
-	const char *cmd, *cp = *cpp;
-	char *cp2;
-	int base = 0;
-	long l;
-	int i, cmdnum;
-
-	/* Skip leading whitespace */
-	cp = cp + strspn(cp, WHITESPACE);
-
-	/* Ignore blank lines and lines which begin with comment '#' char */
-	if (*cp == '\0' || *cp == '#')
-		return (0);
-
-	/* Check for leading '-' (disable error processing) */
-	*iflag = 0;
-	if (*cp == '-') {
-		*iflag = 1;
-		cp++;
-	}
-
-	/* Figure out which command we have */
-	for (i = 0; cmds[i].c; i++) {
-		int cmdlen = strlen(cmds[i].c);
-
-		/* Check for command followed by whitespace */
-		if (!strncasecmp(cp, cmds[i].c, cmdlen) &&
-		    strchr(WHITESPACE, cp[cmdlen])) {
-			cp += cmdlen;
-			cp = cp + strspn(cp, WHITESPACE);
-			break;
-		}
-	}
-	cmdnum = cmds[i].n;
-	cmd = cmds[i].c;
-
-	/* Special case */
-	if (*cp == '!') {
-		cp++;
-		cmdnum = I_SHELL;
-	} else if (cmdnum == -1) {
-		error("Invalid command.");
-		return (-1);
-	}
-
-	/* Get arguments and parse flags */
-	*lflag = *pflag = *n_arg = 0;
-	*path1 = *path2 = NULL;
-	switch (cmdnum) {
-	case I_GET:
-	case I_PUT:
-		if (parse_getput_flags(&cp, pflag))
-			return(-1);
-		/* Get first pathname (mandatory) */
-		if (get_pathname(&cp, path1))
-			return(-1);
-		if (*path1 == NULL) {
-			error("You must specify at least one path after a "
-			    "%s command.", cmd);
-			return(-1);
-		}
-		/* Try to get second pathname (optional) */
-		if (get_pathname(&cp, path2))
-			return(-1);
-		break;
-	case I_RENAME:
-	case I_SYMLINK:
-		if (get_pathname(&cp, path1))
-			return(-1);
-		if (get_pathname(&cp, path2))
-			return(-1);
-		if (!*path1 || !*path2) {
-			error("You must specify two paths after a %s "
-			    "command.", cmd);
-			return(-1);
-		}
-		break;
-	case I_RM:
-	case I_MKDIR:
-	case I_RMDIR:
-	case I_CHDIR:
-	case I_LCHDIR:
-	case I_LMKDIR:
-		/* Get pathname (mandatory) */
-		if (get_pathname(&cp, path1))
-			return(-1);
-		if (*path1 == NULL) {
-			error("You must specify a path after a %s command.",
-			    cmd);
-			return(-1);
-		}
-		break;
-	case I_LS:
-		if (parse_ls_flags(&cp, lflag))
-			return(-1);
-		/* Path is optional */
-		if (get_pathname(&cp, path1))
-			return(-1);
-		break;
-	case I_LLS:
-	case I_SHELL:
-		/* Uses the rest of the line */
-		break;
-	case I_LUMASK:
-		base = 8;
-	case I_CHMOD:
-		base = 8;
-	case I_CHOWN:
-	case I_CHGRP:
-		/* Get numeric arg (mandatory) */
-		errno = 0;
-		l = strtol(cp, &cp2, base);
-		if (cp2 == cp || ((l == LONG_MIN || l == LONG_MAX) &&
-		    errno == ERANGE) || l < 0) {
-			error("You must supply a numeric argument "
-			    "to the %s command.", cmd);
-			return(-1);
-		}
-		cp = cp2;
-		*n_arg = l;
-		if (cmdnum == I_LUMASK && strchr(WHITESPACE, *cp))
-			break;
-		if (cmdnum == I_LUMASK || !strchr(WHITESPACE, *cp)) {
-			error("You must supply a numeric argument "
-			    "to the %s command.", cmd);
-			return(-1);
-		}
-		cp += strspn(cp, WHITESPACE);
-
-		/* Get pathname (mandatory) */
-		if (get_pathname(&cp, path1))
-			return(-1);
-		if (*path1 == NULL) {
-			error("You must specify a path after a %s command.",
-			    cmd);
-			return(-1);
-		}
-		break;
-	case I_QUIT:
-	case I_PWD:
-	case I_LPWD:
-	case I_HELP:
-	case I_VERSION:
-	case I_PROGRESS:
-		break;
-	default:
-		fatal("Command not implemented");
-	}
-
-	*cpp = cp;
-	return(cmdnum);
-}
-
-static int
-parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd,
-    int err_abort)
-{
-	char *path1, *path2, *tmp;
-	int pflag, lflag, iflag, cmdnum, i;
-	unsigned long n_arg;
-	Attrib a, *aa;
-	char path_buf[MAXPATHLEN];
-	int err = 0;
-	glob_t g;
-
-	path1 = path2 = NULL;
-	cmdnum = parse_args(&cmd, &pflag, &lflag, &iflag, &n_arg,
-	    &path1, &path2);
-
-	if (iflag != 0)
-		err_abort = 0;
-
-	memset(&g, 0, sizeof(g));
-
-	/* Perform command */
-	switch (cmdnum) {
-	case 0:
-		/* Blank line */
-		break;
-	case -1:
-		/* Unrecognized command */
-		err = -1;
-		break;
-	case I_GET:
-		err = process_get(conn, path1, path2, *pwd, pflag);
-		break;
-	case I_PUT:
-		err = process_put(conn, path1, path2, *pwd, pflag);
-		break;
-	case I_RENAME:
-		path1 = make_absolute(path1, *pwd);
-		path2 = make_absolute(path2, *pwd);
-		err = do_rename(conn, path1, path2);
-		break;
-	case I_SYMLINK:
-		path2 = make_absolute(path2, *pwd);
-		err = do_symlink(conn, path1, path2);
-		break;
-	case I_RM:
-		path1 = make_absolute(path1, *pwd);
-		remote_glob(conn, path1, GLOB_NOCHECK, NULL, &g);
-		for (i = 0; g.gl_pathv[i] && !interrupted; i++) {
-			printf("Removing %s\n", g.gl_pathv[i]);
-			err = do_rm(conn, g.gl_pathv[i]);
-			if (err != 0 && err_abort)
-				break;
-		}
-		break;
-	case I_MKDIR:
-		path1 = make_absolute(path1, *pwd);
-		attrib_clear(&a);
-		a.flags |= SSH2_FILEXFER_ATTR_PERMISSIONS;
-		a.perm = 0777;
-		err = do_mkdir(conn, path1, &a);
-		break;
-	case I_RMDIR:
-		path1 = make_absolute(path1, *pwd);
-		err = do_rmdir(conn, path1);
-		break;
-	case I_CHDIR:
-		path1 = make_absolute(path1, *pwd);
-		if ((tmp = do_realpath(conn, path1)) == NULL) {
-			err = 1;
-			break;
-		}
-		if ((aa = do_stat(conn, tmp, 0)) == NULL) {
-			xfree(tmp);
-			err = 1;
-			break;
-		}
-		if (!(aa->flags & SSH2_FILEXFER_ATTR_PERMISSIONS)) {
-			error("Can't change directory: Can't check target");
-			xfree(tmp);
-			err = 1;
-			break;
-		}
-		if (!S_ISDIR(aa->perm)) {
-			error("Can't change directory: \"%s\" is not "
-			    "a directory", tmp);
-			xfree(tmp);
-			err = 1;
-			break;
-		}
-		xfree(*pwd);
-		*pwd = tmp;
-		break;
-	case I_LS:
-		if (!path1) {
-			do_globbed_ls(conn, *pwd, *pwd, lflag);
-			break;
-		}
-
-		/* Strip pwd off beginning of non-absolute paths */
-		tmp = NULL;
-		if (*path1 != '/')
-			tmp = *pwd;
-
-		path1 = make_absolute(path1, *pwd);
-		err = do_globbed_ls(conn, path1, tmp, lflag);
-		break;
-	case I_LCHDIR:
-		if (chdir(path1) == -1) {
-			error("Couldn't change local directory to "
-			    "\"%s\": %s", path1, strerror(errno));
-			err = 1;
-		}
-		break;
-	case I_LMKDIR:
-		if (mkdir(path1, 0777) == -1) {
-			error("Couldn't create local directory "
-			    "\"%s\": %s", path1, strerror(errno));
-			err = 1;
-		}
-		break;
-	case I_LLS:
-		local_do_ls(cmd);
-		break;
-	case I_SHELL:
-		local_do_shell(cmd);
-		break;
-	case I_LUMASK:
-		umask(n_arg);
-		printf("Local umask: %03lo\n", n_arg);
-		break;
-	case I_CHMOD:
-		path1 = make_absolute(path1, *pwd);
-		attrib_clear(&a);
-		a.flags |= SSH2_FILEXFER_ATTR_PERMISSIONS;
-		a.perm = n_arg;
-		remote_glob(conn, path1, GLOB_NOCHECK, NULL, &g);
-		for (i = 0; g.gl_pathv[i] && !interrupted; i++) {
-			printf("Changing mode on %s\n", g.gl_pathv[i]);
-			err = do_setstat(conn, g.gl_pathv[i], &a);
-			if (err != 0 && err_abort)
-				break;
-		}
-		break;
-	case I_CHOWN:
-	case I_CHGRP:
-		path1 = make_absolute(path1, *pwd);
-		remote_glob(conn, path1, GLOB_NOCHECK, NULL, &g);
-		for (i = 0; g.gl_pathv[i] && !interrupted; i++) {
-			if (!(aa = do_stat(conn, g.gl_pathv[i], 0))) {
-				if (err != 0 && err_abort)
-					break;
-				else
-					continue;
-			}
-			if (!(aa->flags & SSH2_FILEXFER_ATTR_UIDGID)) {
-				error("Can't get current ownership of "
-				    "remote file \"%s\"", g.gl_pathv[i]);
-				if (err != 0 && err_abort)
-					break;
-				else
-					continue;
-			}
-			aa->flags &= SSH2_FILEXFER_ATTR_UIDGID;
-			if (cmdnum == I_CHOWN) {
-				printf("Changing owner on %s\n", g.gl_pathv[i]);
-				aa->uid = n_arg;
-			} else {
-				printf("Changing group on %s\n", g.gl_pathv[i]);
-				aa->gid = n_arg;
-			}
-			err = do_setstat(conn, g.gl_pathv[i], aa);
-			if (err != 0 && err_abort)
-				break;
-		}
-		break;
-	case I_PWD:
-		printf("Remote working directory: %s\n", *pwd);
-		break;
-	case I_LPWD:
-		if (!getcwd(path_buf, sizeof(path_buf))) {
-			error("Couldn't get local cwd: %s", strerror(errno));
-			err = -1;
-			break;
-		}
-		printf("Local working directory: %s\n", path_buf);
-		break;
-	case I_QUIT:
-		/* Processed below */
-		break;
-	case I_HELP:
-		help();
-		break;
-	case I_VERSION:
-		printf("SFTP protocol version %u\n", sftp_proto_version(conn));
-		break;
-	case I_PROGRESS:
-		showprogress = !showprogress;
-		if (showprogress)
-			printf("Progress meter enabled\n");
-		else
-			printf("Progress meter disabled\n");
-		break;
-	default:
-		fatal("%d is not implemented", cmdnum);
-	}
-
-	if (g.gl_pathc)
-		globfree(&g);
-	if (path1)
-		xfree(path1);
-	if (path2)
-		xfree(path2);
-
-	/* If an unignored error occurs in batch mode we should abort. */
-	if (err_abort && err != 0)
-		return (-1);
-	else if (cmdnum == I_QUIT)
-		return (1);
-
-	return (0);
-}
-
-#ifdef USE_LIBEDIT
-static char *
-prompt(EditLine *el)
-{
-	return ("sftp> ");
-}
-#endif
-
-int
-interactive_loop(int fd_in, int fd_out, char *file1, char *file2)
-{
-	char *pwd;
-	char *dir = NULL;
-	char cmd[2048];
-	struct sftp_conn *conn;
-	int err, interactive;
-	EditLine *el = NULL;
-#ifdef USE_LIBEDIT
-	History *hl = NULL;
-	HistEvent hev;
-	extern char *__progname;
-
-	if (!batchmode && isatty(STDIN_FILENO)) {
-		if ((el = el_init(__progname, stdin, stdout, stderr)) == NULL)
-			fatal("Couldn't initialise editline");
-		if ((hl = history_init()) == NULL)
-			fatal("Couldn't initialise editline history");
-		history(hl, &hev, H_SETSIZE, 100);
-		el_set(el, EL_HIST, history, hl);
-
-		el_set(el, EL_PROMPT, prompt);
-		el_set(el, EL_EDITOR, "emacs");
-		el_set(el, EL_TERMINAL, NULL);
-		el_set(el, EL_SIGNAL, 1);
-		el_source(el, NULL);
-	}
-#endif /* USE_LIBEDIT */
-
-	conn = do_init(fd_in, fd_out, copy_buffer_len, num_requests);
-	if (conn == NULL)
-		fatal("Couldn't initialise connection to server");
-
-	pwd = do_realpath(conn, ".");
-	if (pwd == NULL)
-		fatal("Need cwd");
-
-	if (file1 != NULL) {
-		dir = xstrdup(file1);
-		dir = make_absolute(dir, pwd);
-
-		if (remote_is_dir(conn, dir) && file2 == NULL) {
-			printf("Changing to: %s\n", dir);
-			snprintf(cmd, sizeof cmd, "cd \"%s\"", dir);
-			if (parse_dispatch_command(conn, cmd, &pwd, 1) != 0) {
-				xfree(dir);
-				xfree(pwd);
-				xfree(conn);
-				return (-1);
-			}
-		} else {
-			if (file2 == NULL)
-				snprintf(cmd, sizeof cmd, "get %s", dir);
-			else
-				snprintf(cmd, sizeof cmd, "get %s %s", dir,
-				    file2);
-
-			err = parse_dispatch_command(conn, cmd, &pwd, 1);
-			xfree(dir);
-			xfree(pwd);
-			xfree(conn);
-			return (err);
-		}
-		xfree(dir);
-	}
-
-#if defined(HAVE_SETVBUF) && !defined(BROKEN_SETVBUF)
-	setvbuf(stdout, NULL, _IOLBF, 0);
-	setvbuf(infile, NULL, _IOLBF, 0);
-#else
-	setlinebuf(stdout);
-	setlinebuf(infile);
-#endif
-
-	interactive = !batchmode && isatty(STDIN_FILENO);
-	err = 0;
-	for (;;) {
-		char *cp;
-
-		signal(SIGINT, SIG_IGN);
-
-		if (el == NULL) {
-			if (interactive)
-				printf("sftp> ");
-			if (fgets(cmd, sizeof(cmd), infile) == NULL) {
-				if (interactive)
-					printf("\n");
-				break;
-			}
-			if (!interactive) { /* Echo command */
-				printf("sftp> %s", cmd);
-				if (strlen(cmd) > 0 &&
-				    cmd[strlen(cmd) - 1] != '\n')
-					printf("\n");
-			}
-		} else {
-#ifdef USE_LIBEDIT
-			const char *line;
-			int count = 0;
-
-			if ((line = el_gets(el, &count)) == NULL || count <= 0) {
-				printf("\n");
- 				break;
-			}
-			history(hl, &hev, H_ENTER, line);
-			if (strlcpy(cmd, line, sizeof(cmd)) >= sizeof(cmd)) {
-				fprintf(stderr, "Error: input line too long\n");
-				continue;
-			}
-#endif /* USE_LIBEDIT */
-		}
-
-		cp = strrchr(cmd, '\n');
-		if (cp)
-			*cp = '\0';
-
-		/* Handle user interrupts gracefully during commands */
-		interrupted = 0;
-		signal(SIGINT, cmd_interrupt);
-
-		err = parse_dispatch_command(conn, cmd, &pwd, batchmode);
-		if (err != 0)
-			break;
-	}
-	xfree(pwd);
-	xfree(conn);
-
-#ifdef USE_LIBEDIT
-	if (el != NULL)
-		el_end(el);
-#endif /* USE_LIBEDIT */
-
-	/* err == 1 signifies normal "quit" exit */
-	return (err >= 0 ? 0 : -1);
-}
-
-static void
-connect_to_server(char *path, char **args, int *in, int *out)
-{
-	int c_in, c_out;
-
-#ifdef USE_PIPES
-	int pin[2], pout[2];
-
-	if ((pipe(pin) == -1) || (pipe(pout) == -1))
-		fatal("pipe: %s", strerror(errno));
-	*in = pin[0];
-	*out = pout[1];
-	c_in = pout[0];
-	c_out = pin[1];
-#else /* USE_PIPES */
-	int inout[2];
-
-	if (socketpair(AF_UNIX, SOCK_STREAM, 0, inout) == -1)
-		fatal("socketpair: %s", strerror(errno));
-	*in = *out = inout[0];
-	c_in = c_out = inout[1];
-#endif /* USE_PIPES */
-
-	if ((sshpid = fork()) == -1)
-		fatal("fork: %s", strerror(errno));
-	else if (sshpid == 0) {
-		if ((dup2(c_in, STDIN_FILENO) == -1) ||
-		    (dup2(c_out, STDOUT_FILENO) == -1)) {
-			fprintf(stderr, "dup2: %s\n", strerror(errno));
-			_exit(1);
-		}
-		close(*in);
-		close(*out);
-		close(c_in);
-		close(c_out);
-
-		/*
-		 * The underlying ssh is in the same process group, so we must
-		 * ignore SIGINT if we want to gracefully abort commands,
-		 * otherwise the signal will make it to the ssh process and
-		 * kill it too
-		 */
-		signal(SIGINT, SIG_IGN);
-		execvp(path, args);
-		fprintf(stderr, "exec: %s: %s\n", path, strerror(errno));
-		_exit(1);
-	}
-
-	signal(SIGTERM, killchild);
-	signal(SIGINT, killchild);
-	signal(SIGHUP, killchild);
-	close(c_in);
-	close(c_out);
-}
-
-static void
-usage(void)
-{
-	extern char *__progname;
-
-	fprintf(stderr,
-	    "usage: %s [-1Cv] [-B buffer_size] [-b batchfile] [-F ssh_config]\n"
-	    "            [-o ssh_option] [-P sftp_server_path] [-R num_requests]\n"
-	    "            [-S program] [-s subsystem | sftp_server] host\n"
-	    "       %s [[user@]host[:file [file]]]\n"
-	    "       %s [[user@]host[:dir[/]]]\n"
-	    "       %s -b batchfile [user@]host\n", __progname, __progname, __progname, __progname);
-	exit(1);
-}
-
-int
-main(int argc, char **argv)
-{
-	int in, out, ch, err;
-	char *host, *userhost, *cp, *file2 = NULL;
-	int debug_level = 0, sshver = 2;
-	char *file1 = NULL, *sftp_server = NULL;
-	char *ssh_program = _PATH_SSH_PROGRAM, *sftp_direct = NULL;
-	LogLevel ll = SYSLOG_LEVEL_INFO;
-	arglist args;
-	extern int optind;
-	extern char *optarg;
-
-	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
-	sanitise_stdfd();
-
-	__progname = ssh_get_progname(argv[0]);
-	memset(&args, '\0', sizeof(args));
-	args.list = NULL;
-	addargs(&args, "%s", ssh_program);
-	addargs(&args, "-oForwardX11 no");
-	addargs(&args, "-oForwardAgent no");
-	addargs(&args, "-oPermitLocalCommand no");
-	addargs(&args, "-oClearAllForwardings yes");
-
-	ll = SYSLOG_LEVEL_INFO;
-	infile = stdin;
-
-	while ((ch = getopt(argc, argv, "1hvCo:s:S:b:B:F:P:R:")) != -1) {
-		switch (ch) {
-		case 'C':
-			addargs(&args, "-C");
-			break;
-		case 'v':
-			if (debug_level < 3) {
-				addargs(&args, "-v");
-				ll = SYSLOG_LEVEL_DEBUG1 + debug_level;
-			}
-			debug_level++;
-			break;
-		case 'F':
-		case 'o':
-			addargs(&args, "-%c%s", ch, optarg);
-			break;
-		case '1':
-			sshver = 1;
-			if (sftp_server == NULL)
-				sftp_server = _PATH_SFTP_SERVER;
-			break;
-		case 's':
-			sftp_server = optarg;
-			break;
-		case 'S':
-			ssh_program = optarg;
-			replacearg(&args, 0, "%s", ssh_program);
-			break;
-		case 'b':
-			if (batchmode)
-				fatal("Batch file already specified.");
-
-			/* Allow "-" as stdin */
-			if (strcmp(optarg, "-") != 0 &&
-			    (infile = fopen(optarg, "r")) == NULL)
-				fatal("%s (%s).", strerror(errno), optarg);
-			showprogress = 0;
-			batchmode = 1;
-			addargs(&args, "-obatchmode yes");
-			break;
-		case 'P':
-			sftp_direct = optarg;
-			break;
-		case 'B':
-			copy_buffer_len = strtol(optarg, &cp, 10);
-			if (copy_buffer_len == 0 || *cp != '\0')
-				fatal("Invalid buffer size \"%s\"", optarg);
-			break;
-		case 'R':
-			num_requests = strtol(optarg, &cp, 10);
-			if (num_requests == 0 || *cp != '\0')
-				fatal("Invalid number of requests \"%s\"",
-				    optarg);
-			break;
-		case 'h':
-		default:
-			usage();
-		}
-	}
-
-	if (!isatty(STDERR_FILENO))
-		showprogress = 0;
-
-	log_init(argv[0], ll, SYSLOG_FACILITY_USER, 1);
-
-	if (sftp_direct == NULL) {
-		if (optind == argc || argc > (optind + 2))
-			usage();
-
-		userhost = xstrdup(argv[optind]);
-		file2 = argv[optind+1];
-
-		if ((host = strrchr(userhost, '@')) == NULL)
-			host = userhost;
-		else {
-			*host++ = '\0';
-			if (!userhost[0]) {
-				fprintf(stderr, "Missing username\n");
-				usage();
-			}
-			addargs(&args, "-l%s",userhost);
-		}
-
-		if ((cp = colon(host)) != NULL) {
-			*cp++ = '\0';
-			file1 = cp;
-		}
-
-		host = cleanhostname(host);
-		if (!*host) {
-			fprintf(stderr, "Missing hostname\n");
-			usage();
-		}
-
-		addargs(&args, "-oProtocol %d", sshver);
-
-		/* no subsystem if the server-spec contains a '/' */
-		if (sftp_server == NULL || strchr(sftp_server, '/') == NULL)
-			addargs(&args, "-s");
-
-		addargs(&args, "%s", host);
-		addargs(&args, "%s", (sftp_server != NULL ?
-		    sftp_server : "sftp"));
-
-		if (!batchmode)
-			fprintf(stderr, "Connecting to %s...\n", host);
-		connect_to_server(ssh_program, args.list, &in, &out);
-	} else {
-		args.list = NULL;
-		addargs(&args, "sftp-server");
-
-		if (!batchmode)
-			fprintf(stderr, "Attaching to %s...\n", sftp_direct);
-		connect_to_server(sftp_direct, args.list, &in, &out);
-	}
-	freeargs(&args);
-
-	err = interactive_loop(in, out, file1, file2);
-
-#if !defined(USE_PIPES)
-	shutdown(in, SHUT_RDWR);
-	shutdown(out, SHUT_RDWR);
-#endif
-
-	close(in);
-	close(out);
-	if (batchmode)
-		fclose(infile);
-
-	while (waitpid(sshpid, NULL, 0) == -1)
-		if (errno != EINTR)
-			fatal("Couldn't wait for ssh process: %s",
-			    strerror(errno));
-
-	exit(err == 0 ? 0 : 1);
-}
diff --git a/crypto/openssh/sftp.h b/crypto/openssh/sftp.h
deleted file mode 100644
index 610c0b7..0000000
--- a/crypto/openssh/sftp.h
+++ /dev/null
@@ -1,92 +0,0 @@
-/* $OpenBSD: sftp.h,v 1.5 2006/03/25 22:22:43 djm Exp $ */
-
-/*
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * draft-ietf-secsh-filexfer-01.txt
- */
-
-/* version */
-#define	SSH2_FILEXFER_VERSION		3
-
-/* client to server */
-#define SSH2_FXP_INIT			1
-#define SSH2_FXP_OPEN			3
-#define SSH2_FXP_CLOSE			4
-#define SSH2_FXP_READ			5
-#define SSH2_FXP_WRITE			6
-#define SSH2_FXP_LSTAT			7
-#define SSH2_FXP_STAT_VERSION_0		7
-#define SSH2_FXP_FSTAT			8
-#define SSH2_FXP_SETSTAT		9
-#define SSH2_FXP_FSETSTAT		10
-#define SSH2_FXP_OPENDIR		11
-#define SSH2_FXP_READDIR		12
-#define SSH2_FXP_REMOVE			13
-#define SSH2_FXP_MKDIR			14
-#define SSH2_FXP_RMDIR			15
-#define SSH2_FXP_REALPATH		16
-#define SSH2_FXP_STAT			17
-#define SSH2_FXP_RENAME			18
-#define SSH2_FXP_READLINK		19
-#define SSH2_FXP_SYMLINK		20
-
-/* server to client */
-#define SSH2_FXP_VERSION		2
-#define SSH2_FXP_STATUS			101
-#define SSH2_FXP_HANDLE			102
-#define SSH2_FXP_DATA			103
-#define SSH2_FXP_NAME			104
-#define SSH2_FXP_ATTRS			105
-
-#define SSH2_FXP_EXTENDED		200
-#define SSH2_FXP_EXTENDED_REPLY		201
-
-/* attributes */
-#define SSH2_FILEXFER_ATTR_SIZE		0x00000001
-#define SSH2_FILEXFER_ATTR_UIDGID	0x00000002
-#define SSH2_FILEXFER_ATTR_PERMISSIONS	0x00000004
-#define SSH2_FILEXFER_ATTR_ACMODTIME	0x00000008
-#define SSH2_FILEXFER_ATTR_EXTENDED	0x80000000
-
-/* portable open modes */
-#define SSH2_FXF_READ			0x00000001
-#define SSH2_FXF_WRITE			0x00000002
-#define SSH2_FXF_APPEND			0x00000004
-#define SSH2_FXF_CREAT			0x00000008
-#define SSH2_FXF_TRUNC			0x00000010
-#define SSH2_FXF_EXCL			0x00000020
-
-/* status messages */
-#define SSH2_FX_OK			0
-#define SSH2_FX_EOF			1
-#define SSH2_FX_NO_SUCH_FILE		2
-#define SSH2_FX_PERMISSION_DENIED	3
-#define SSH2_FX_FAILURE			4
-#define SSH2_FX_BAD_MESSAGE		5
-#define SSH2_FX_NO_CONNECTION		6
-#define SSH2_FX_CONNECTION_LOST		7
-#define SSH2_FX_OP_UNSUPPORTED		8
-#define SSH2_FX_MAX			8
diff --git a/crypto/openssh/sftp/Makefile b/crypto/openssh/sftp/Makefile
deleted file mode 100644
index 3f5d866..0000000
--- a/crypto/openssh/sftp/Makefile
+++ /dev/null
@@ -1,19 +0,0 @@
-#	$OpenBSD: Makefile,v 1.5 2001/05/03 23:09:57 mouring Exp $
-
-.PATH:		${.CURDIR}/..
-
-PROG=	sftp
-BINOWN=	root
-
-BINMODE?=555
-
-BINDIR=	/usr/bin
-MAN=	sftp.1
-
-SRCS=	sftp.c sftp-client.c sftp-int.c sftp-common.c sftp-glob.c misc.c
-
-.include <bsd.prog.mk>
-
-LDADD+=	-lcrypto
-DPADD+=	${LIBCRYPTO}
-
diff --git a/crypto/openssh/ssh-add.1 b/crypto/openssh/ssh-add.1
deleted file mode 100644
index 327fcdd..0000000
--- a/crypto/openssh/ssh-add.1
+++ /dev/null
@@ -1,175 +0,0 @@
-.\"	$OpenBSD: ssh-add.1,v 1.43 2005/04/21 06:17:50 djm Exp $
-.\"
-.\"  -*- nroff -*-
-.\"
-.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
-.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
-.\"                    All rights reserved
-.\"
-.\" As far as I am concerned, the code I have written for this software
-.\" can be used freely for any purpose.  Any derived versions of this
-.\" software must be clearly marked as such, and if the derived work is
-.\" incompatible with the protocol description in the RFC file, it must be
-.\" called by a name other than "ssh" or "Secure Shell".
-.\"
-.\"
-.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
-.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
-.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in the
-.\"    documentation and/or other materials provided with the distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd September 25, 1999
-.Dt SSH-ADD 1
-.Os
-.Sh NAME
-.Nm ssh-add
-.Nd adds RSA or DSA identities to the authentication agent
-.Sh SYNOPSIS
-.Nm ssh-add
-.Op Fl cDdLlXx
-.Op Fl t Ar life
-.Op Ar
-.Nm ssh-add
-.Fl s Ar reader
-.Nm ssh-add
-.Fl e Ar reader
-.Sh DESCRIPTION
-.Nm
-adds RSA or DSA identities to the authentication agent,
-.Xr ssh-agent 1 .
-When run without arguments, it adds the files
-.Pa ~/.ssh/id_rsa ,
-.Pa ~/.ssh/id_dsa
-and
-.Pa ~/.ssh/identity .
-Alternative file names can be given on the command line.
-If any file requires a passphrase,
-.Nm
-asks for the passphrase from the user.
-The passphrase is read from the user's tty.
-.Nm
-retries the last passphrase if multiple identity files are given.
-.Pp
-The authentication agent must be running and the
-.Ev SSH_AUTH_SOCK
-environment variable must contain the name of its socket for
-.Nm
-to work.
-.Pp
-The options are as follows:
-.Bl -tag -width Ds
-.It Fl c
-Indicates that added identities should be subject to confirmation before
-being used for authentication.
-Confirmation is performed by the
-.Ev SSH_ASKPASS
-program mentioned below.
-Successful confirmation is signaled by a zero exit status from the
-.Ev SSH_ASKPASS
-program, rather than text entered into the requester.
-.It Fl D
-Deletes all identities from the agent.
-.It Fl d
-Instead of adding the identity, removes the identity from the agent.
-.It Fl e Ar reader
-Remove key in smartcard
-.Ar reader .
-.It Fl L
-Lists public key parameters of all identities currently represented
-by the agent.
-.It Fl l
-Lists fingerprints of all identities currently represented by the agent.
-.It Fl s Ar reader
-Add key in smartcard
-.Ar reader .
-.It Fl t Ar life
-Set a maximum lifetime when adding identities to an agent.
-The lifetime may be specified in seconds or in a time format
-specified in
-.Xr sshd_config 5 .
-.It Fl X
-Unlock the agent.
-.It Fl x
-Lock the agent with a password.
-.El
-.Sh ENVIRONMENT
-.Bl -tag -width Ds
-.It Ev "DISPLAY" and "SSH_ASKPASS"
-If
-.Nm
-needs a passphrase, it will read the passphrase from the current
-terminal if it was run from a terminal.
-If
-.Nm
-does not have a terminal associated with it but
-.Ev DISPLAY
-and
-.Ev SSH_ASKPASS
-are set, it will execute the program specified by
-.Ev SSH_ASKPASS
-and open an X11 window to read the passphrase.
-This is particularly useful when calling
-.Nm
-from a
-.Pa .xsession
-or related script.
-(Note that on some machines it
-may be necessary to redirect the input from
-.Pa /dev/null
-to make this work.)
-.It Ev SSH_AUTH_SOCK
-Identifies the path of a unix-domain socket used to communicate with the
-agent.
-.El
-.Sh FILES
-.Bl -tag -width Ds
-.It Pa ~/.ssh/identity
-Contains the protocol version 1 RSA authentication identity of the user.
-.It Pa ~/.ssh/id_dsa
-Contains the protocol version 2 DSA authentication identity of the user.
-.It Pa ~/.ssh/id_rsa
-Contains the protocol version 2 RSA authentication identity of the user.
-.El
-.Pp
-Identity files should not be readable by anyone but the user.
-Note that
-.Nm
-ignores identity files if they are accessible by others.
-.Sh DIAGNOSTICS
-Exit status is 0 on success, 1 if the specified command fails,
-and 2 if
-.Nm
-is unable to contact the authentication agent.
-.Sh SEE ALSO
-.Xr ssh 1 ,
-.Xr ssh-agent 1 ,
-.Xr ssh-keygen 1 ,
-.Xr sshd 8
-.Sh AUTHORS
-OpenSSH is a derivative of the original and free
-ssh 1.2.12 release by Tatu Ylonen.
-Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
-Theo de Raadt and Dug Song
-removed many bugs, re-added newer features and
-created OpenSSH.
-Markus Friedl contributed the support for SSH
-protocol versions 1.5 and 2.0.
diff --git a/crypto/openssh/ssh-add.c b/crypto/openssh/ssh-add.c
deleted file mode 100644
index 4dc46f6..0000000
--- a/crypto/openssh/ssh-add.c
+++ /dev/null
@@ -1,438 +0,0 @@
-/* $OpenBSD: ssh-add.c,v 1.89 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Adds an identity to the authentication server, or removes an identity.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- * SSH2 implementation,
- * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/param.h>
-
-#include <openssl/evp.h>
-
-#include <fcntl.h>
-#include <pwd.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "xmalloc.h"
-#include "ssh.h"
-#include "rsa.h"
-#include "log.h"
-#include "key.h"
-#include "buffer.h"
-#include "authfd.h"
-#include "authfile.h"
-#include "pathnames.h"
-#include "misc.h"
-
-/* argv0 */
-extern char *__progname;
-
-/* Default files to add */
-static char *default_files[] = {
-	_PATH_SSH_CLIENT_ID_RSA,
-	_PATH_SSH_CLIENT_ID_DSA,
-	_PATH_SSH_CLIENT_IDENTITY,
-	NULL
-};
-
-/* Default lifetime (0 == forever) */
-static int lifetime = 0;
-
-/* User has to confirm key use */
-static int confirm = 0;
-
-/* we keep a cache of one passphrases */
-static char *pass = NULL;
-static void
-clear_pass(void)
-{
-	if (pass) {
-		memset(pass, 0, strlen(pass));
-		xfree(pass);
-		pass = NULL;
-	}
-}
-
-static int
-delete_file(AuthenticationConnection *ac, const char *filename)
-{
-	Key *public;
-	char *comment = NULL;
-	int ret = -1;
-
-	public = key_load_public(filename, &comment);
-	if (public == NULL) {
-		printf("Bad key file %s\n", filename);
-		return -1;
-	}
-	if (ssh_remove_identity(ac, public)) {
-		fprintf(stderr, "Identity removed: %s (%s)\n", filename, comment);
-		ret = 0;
-	} else
-		fprintf(stderr, "Could not remove identity: %s\n", filename);
-
-	key_free(public);
-	xfree(comment);
-
-	return ret;
-}
-
-/* Send a request to remove all identities. */
-static int
-delete_all(AuthenticationConnection *ac)
-{
-	int ret = -1;
-
-	if (ssh_remove_all_identities(ac, 1))
-		ret = 0;
-	/* ignore error-code for ssh2 */
-	ssh_remove_all_identities(ac, 2);
-
-	if (ret == 0)
-		fprintf(stderr, "All identities removed.\n");
-	else
-		fprintf(stderr, "Failed to remove all identities.\n");
-
-	return ret;
-}
-
-static int
-add_file(AuthenticationConnection *ac, const char *filename)
-{
-	Key *private;
-	char *comment = NULL;
-	char msg[1024];
-	int fd, perms_ok, ret = -1;
-
-	if ((fd = open(filename, O_RDONLY)) < 0) {
-		perror(filename);
-		return -1;
-	}
-
-	/*
-	 * Since we'll try to load a keyfile multiple times, permission errors
-	 * will occur multiple times, so check perms first and bail if wrong.
-	 */
-	perms_ok = key_perm_ok(fd, filename);
-	close(fd);
-	if (!perms_ok)
-		return -1;
-
-	/* At first, try empty passphrase */
-	private = key_load_private(filename, "", &comment);
-	if (comment == NULL)
-		comment = xstrdup(filename);
-	/* try last */
-	if (private == NULL && pass != NULL)
-		private = key_load_private(filename, pass, NULL);
-	if (private == NULL) {
-		/* clear passphrase since it did not work */
-		clear_pass();
-		snprintf(msg, sizeof msg, "Enter passphrase for %.200s: ",
-		    comment);
-		for (;;) {
-			pass = read_passphrase(msg, RP_ALLOW_STDIN);
-			if (strcmp(pass, "") == 0) {
-				clear_pass();
-				xfree(comment);
-				return -1;
-			}
-			private = key_load_private(filename, pass, &comment);
-			if (private != NULL)
-				break;
-			clear_pass();
-			snprintf(msg, sizeof msg,
-			    "Bad passphrase, try again for %.200s: ", comment);
-		}
-	}
-
-	if (ssh_add_identity_constrained(ac, private, comment, lifetime,
-	    confirm)) {
-		fprintf(stderr, "Identity added: %s (%s)\n", filename, comment);
-		ret = 0;
-		if (lifetime != 0)
-			fprintf(stderr,
-			    "Lifetime set to %d seconds\n", lifetime);
-		if (confirm != 0)
-			fprintf(stderr,
-			    "The user has to confirm each use of the key\n");
-	} else if (ssh_add_identity(ac, private, comment)) {
-		fprintf(stderr, "Identity added: %s (%s)\n", filename, comment);
-		ret = 0;
-	} else {
-		fprintf(stderr, "Could not add identity: %s\n", filename);
-	}
-
-	xfree(comment);
-	key_free(private);
-
-	return ret;
-}
-
-static int
-update_card(AuthenticationConnection *ac, int add, const char *id)
-{
-	char *pin;
-	int ret = -1;
-
-	pin = read_passphrase("Enter passphrase for smartcard: ", RP_ALLOW_STDIN);
-	if (pin == NULL)
-		return -1;
-
-	if (ssh_update_card(ac, add, id, pin, lifetime, confirm)) {
-		fprintf(stderr, "Card %s: %s\n",
-		    add ? "added" : "removed", id);
-		ret = 0;
-	} else {
-		fprintf(stderr, "Could not %s card: %s\n",
-		    add ? "add" : "remove", id);
-		ret = -1;
-	}
-	xfree(pin);
-	return ret;
-}
-
-static int
-list_identities(AuthenticationConnection *ac, int do_fp)
-{
-	Key *key;
-	char *comment, *fp;
-	int had_identities = 0;
-	int version;
-
-	for (version = 1; version <= 2; version++) {
-		for (key = ssh_get_first_identity(ac, &comment, version);
-		    key != NULL;
-		    key = ssh_get_next_identity(ac, &comment, version)) {
-			had_identities = 1;
-			if (do_fp) {
-				fp = key_fingerprint(key, SSH_FP_MD5,
-				    SSH_FP_HEX);
-				printf("%d %s %s (%s)\n",
-				    key_size(key), fp, comment, key_type(key));
-				xfree(fp);
-			} else {
-				if (!key_write(key, stdout))
-					fprintf(stderr, "key_write failed");
-				fprintf(stdout, " %s\n", comment);
-			}
-			key_free(key);
-			xfree(comment);
-		}
-	}
-	if (!had_identities) {
-		printf("The agent has no identities.\n");
-		return -1;
-	}
-	return 0;
-}
-
-static int
-lock_agent(AuthenticationConnection *ac, int lock)
-{
-	char prompt[100], *p1, *p2;
-	int passok = 1, ret = -1;
-
-	strlcpy(prompt, "Enter lock password: ", sizeof(prompt));
-	p1 = read_passphrase(prompt, RP_ALLOW_STDIN);
-	if (lock) {
-		strlcpy(prompt, "Again: ", sizeof prompt);
-		p2 = read_passphrase(prompt, RP_ALLOW_STDIN);
-		if (strcmp(p1, p2) != 0) {
-			fprintf(stderr, "Passwords do not match.\n");
-			passok = 0;
-		}
-		memset(p2, 0, strlen(p2));
-		xfree(p2);
-	}
-	if (passok && ssh_lock_agent(ac, lock, p1)) {
-		fprintf(stderr, "Agent %slocked.\n", lock ? "" : "un");
-		ret = 0;
-	} else
-		fprintf(stderr, "Failed to %slock agent.\n", lock ? "" : "un");
-	memset(p1, 0, strlen(p1));
-	xfree(p1);
-	return (ret);
-}
-
-static int
-do_file(AuthenticationConnection *ac, int deleting, char *file)
-{
-	if (deleting) {
-		if (delete_file(ac, file) == -1)
-			return -1;
-	} else {
-		if (add_file(ac, file) == -1)
-			return -1;
-	}
-	return 0;
-}
-
-static void
-usage(void)
-{
-	fprintf(stderr, "Usage: %s [options] [file ...]\n", __progname);
-	fprintf(stderr, "Options:\n");
-	fprintf(stderr, "  -l          List fingerprints of all identities.\n");
-	fprintf(stderr, "  -L          List public key parameters of all identities.\n");
-	fprintf(stderr, "  -d          Delete identity.\n");
-	fprintf(stderr, "  -D          Delete all identities.\n");
-	fprintf(stderr, "  -x          Lock agent.\n");
-	fprintf(stderr, "  -X          Unlock agent.\n");
-	fprintf(stderr, "  -t life     Set lifetime (in seconds) when adding identities.\n");
-	fprintf(stderr, "  -c          Require confirmation to sign using identities\n");
-#ifdef SMARTCARD
-	fprintf(stderr, "  -s reader   Add key in smartcard reader.\n");
-	fprintf(stderr, "  -e reader   Remove key in smartcard reader.\n");
-#endif
-}
-
-int
-main(int argc, char **argv)
-{
-	extern char *optarg;
-	extern int optind;
-	AuthenticationConnection *ac = NULL;
-	char *sc_reader_id = NULL;
-	int i, ch, deleting = 0, ret = 0;
-
-	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
-	sanitise_stdfd();
-
-	__progname = ssh_get_progname(argv[0]);
-	init_rng();
-	seed_rng();
-
-	SSLeay_add_all_algorithms();
-
-	/* At first, get a connection to the authentication agent. */
-	ac = ssh_get_authentication_connection();
-	if (ac == NULL) {
-		fprintf(stderr,
-		    "Could not open a connection to your authentication agent.\n");
-		exit(2);
-	}
-	while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:")) != -1) {
-		switch (ch) {
-		case 'l':
-		case 'L':
-			if (list_identities(ac, ch == 'l' ? 1 : 0) == -1)
-				ret = 1;
-			goto done;
-		case 'x':
-		case 'X':
-			if (lock_agent(ac, ch == 'x' ? 1 : 0) == -1)
-				ret = 1;
-			goto done;
-		case 'c':
-			confirm = 1;
-			break;
-		case 'd':
-			deleting = 1;
-			break;
-		case 'D':
-			if (delete_all(ac) == -1)
-				ret = 1;
-			goto done;
-		case 's':
-			sc_reader_id = optarg;
-			break;
-		case 'e':
-			deleting = 1;
-			sc_reader_id = optarg;
-			break;
-		case 't':
-			if ((lifetime = convtime(optarg)) == -1) {
-				fprintf(stderr, "Invalid lifetime\n");
-				ret = 1;
-				goto done;
-			}
-			break;
-		default:
-			usage();
-			ret = 1;
-			goto done;
-		}
-	}
-	argc -= optind;
-	argv += optind;
-	if (sc_reader_id != NULL) {
-		if (update_card(ac, !deleting, sc_reader_id) == -1)
-			ret = 1;
-		goto done;
-	}
-	if (argc == 0) {
-		char buf[MAXPATHLEN];
-		struct passwd *pw;
-		struct stat st;
-		int count = 0;
-
-		if ((pw = getpwuid(getuid())) == NULL) {
-			fprintf(stderr, "No user found with uid %u\n",
-			    (u_int)getuid());
-			ret = 1;
-			goto done;
-		}
-
-		for (i = 0; default_files[i]; i++) {
-			snprintf(buf, sizeof(buf), "%s/%s", pw->pw_dir,
-			    default_files[i]);
-			if (stat(buf, &st) < 0)
-				continue;
-			if (do_file(ac, deleting, buf) == -1)
-				ret = 1;
-			else
-				count++;
-		}
-		if (count == 0)
-			ret = 1;
-	} else {
-		for (i = 0; i < argc; i++) {
-			if (do_file(ac, deleting, argv[i]) == -1)
-				ret = 1;
-		}
-	}
-	clear_pass();
-
-done:
-	ssh_close_authentication_connection(ac);
-	return ret;
-}
diff --git a/crypto/openssh/ssh-add/Makefile b/crypto/openssh/ssh-add/Makefile
deleted file mode 100644
index 2f7bf42..0000000
--- a/crypto/openssh/ssh-add/Makefile
+++ /dev/null
@@ -1,18 +0,0 @@
-#	$OpenBSD: Makefile,v 1.20 2001/03/04 00:51:25 markus Exp $
-
-.PATH:		${.CURDIR}/..
-
-PROG=	ssh-add
-BINOWN=	root
-
-BINMODE?=555
-
-BINDIR=	/usr/bin
-MAN=	ssh-add.1
-
-SRCS=	ssh-add.c
-
-.include <bsd.prog.mk>
-
-LDADD+=	-lcrypto
-DPADD+= ${LIBCRYPTO}
diff --git a/crypto/openssh/ssh-agent.1 b/crypto/openssh/ssh-agent.1
deleted file mode 100644
index f1b8777..0000000
--- a/crypto/openssh/ssh-agent.1
+++ /dev/null
@@ -1,207 +0,0 @@
-.\" $OpenBSD: ssh-agent.1,v 1.44 2006/07/18 08:03:09 jmc Exp $
-.\"
-.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
-.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
-.\"                    All rights reserved
-.\"
-.\" As far as I am concerned, the code I have written for this software
-.\" can be used freely for any purpose.  Any derived versions of this
-.\" software must be clearly marked as such, and if the derived work is
-.\" incompatible with the protocol description in the RFC file, it must be
-.\" called by a name other than "ssh" or "Secure Shell".
-.\"
-.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
-.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
-.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in the
-.\"    documentation and/or other materials provided with the distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd September 25, 1999
-.Dt SSH-AGENT 1
-.Os
-.Sh NAME
-.Nm ssh-agent
-.Nd authentication agent
-.Sh SYNOPSIS
-.Nm ssh-agent
-.Op Fl a Ar bind_address
-.Op Fl c Li | Fl s
-.Op Fl t Ar life
-.Op Fl d
-.Op Ar command Op Ar args ...
-.Nm ssh-agent
-.Op Fl c Li | Fl s
-.Fl k
-.Sh DESCRIPTION
-.Nm
-is a program to hold private keys used for public key authentication
-(RSA, DSA).
-The idea is that
-.Nm
-is started in the beginning of an X-session or a login session, and
-all other windows or programs are started as clients to the ssh-agent
-program.
-Through use of environment variables the agent can be located
-and automatically used for authentication when logging in to other
-machines using
-.Xr ssh 1 .
-.Pp
-The options are as follows:
-.Bl -tag -width Ds
-.It Fl a Ar bind_address
-Bind the agent to the unix-domain socket
-.Ar bind_address .
-The default is
-.Pa /tmp/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt .
-.It Fl c
-Generate C-shell commands on
-.Dv stdout .
-This is the default if
-.Ev SHELL
-looks like it's a csh style of shell.
-.It Fl s
-Generate Bourne shell commands on
-.Dv stdout .
-This is the default if
-.Ev SHELL
-does not look like it's a csh style of shell.
-.It Fl k
-Kill the current agent (given by the
-.Ev SSH_AGENT_PID
-environment variable).
-.It Fl t Ar life
-Set a default value for the maximum lifetime of identities added to the agent.
-The lifetime may be specified in seconds or in a time format specified in
-.Xr sshd_config 5 .
-A lifetime specified for an identity with
-.Xr ssh-add 1
-overrides this value.
-Without this option the default maximum lifetime is forever.
-.It Fl d
-Debug mode.
-When this option is specified
-.Nm
-will not fork.
-.El
-.Pp
-If a commandline is given, this is executed as a subprocess of the agent.
-When the command dies, so does the agent.
-.Pp
-The agent initially does not have any private keys.
-Keys are added using
-.Xr ssh-add 1 .
-When executed without arguments,
-.Xr ssh-add 1
-adds the files
-.Pa ~/.ssh/id_rsa ,
-.Pa ~/.ssh/id_dsa
-and
-.Pa ~/.ssh/identity .
-If the identity has a passphrase,
-.Xr ssh-add 1
-asks for the passphrase (using a small X11 application if running
-under X11, or from the terminal if running without X).
-It then sends the identity to the agent.
-Several identities can be stored in the
-agent; the agent can automatically use any of these identities.
-.Ic ssh-add -l
-displays the identities currently held by the agent.
-.Pp
-The idea is that the agent is run in the user's local PC, laptop, or
-terminal.
-Authentication data need not be stored on any other
-machine, and authentication passphrases never go over the network.
-However, the connection to the agent is forwarded over SSH
-remote logins, and the user can thus use the privileges given by the
-identities anywhere in the network in a secure way.
-.Pp
-There are two main ways to get an agent set up:
-The first is that the agent starts a new subcommand into which some environment
-variables are exported, eg
-.Cm ssh-agent xterm & .
-The second is that the agent prints the needed shell commands (either
-.Xr sh 1
-or
-.Xr csh 1
-syntax can be generated) which can be evalled in the calling shell, eg
-.Cm eval `ssh-agent -s`
-for Bourne-type shells such as
-.Xr sh 1
-or
-.Xr ksh 1
-and
-.Cm eval `ssh-agent -c`
-for
-.Xr csh 1
-and derivatives.
-.Pp
-Later
-.Xr ssh 1
-looks at these variables and uses them to establish a connection to the agent.
-.Pp
-The agent will never send a private key over its request channel.
-Instead, operations that require a private key will be performed
-by the agent, and the result will be returned to the requester.
-This way, private keys are not exposed to clients using the agent.
-.Pp
-A unix-domain socket is created
-and the name of this socket is stored in the
-.Ev SSH_AUTH_SOCK
-environment
-variable.
-The socket is made accessible only to the current user.
-This method is easily abused by root or another instance of the same
-user.
-.Pp
-The
-.Ev SSH_AGENT_PID
-environment variable holds the agent's process ID.
-.Pp
-The agent exits automatically when the command given on the command
-line terminates.
-.Sh FILES
-.Bl -tag -width Ds
-.It Pa ~/.ssh/identity
-Contains the protocol version 1 RSA authentication identity of the user.
-.It Pa ~/.ssh/id_dsa
-Contains the protocol version 2 DSA authentication identity of the user.
-.It Pa ~/.ssh/id_rsa
-Contains the protocol version 2 RSA authentication identity of the user.
-.It Pa /tmp/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt
-Unix-domain sockets used to contain the connection to the
-authentication agent.
-These sockets should only be readable by the owner.
-The sockets should get automatically removed when the agent exits.
-.El
-.Sh SEE ALSO
-.Xr ssh 1 ,
-.Xr ssh-add 1 ,
-.Xr ssh-keygen 1 ,
-.Xr sshd 8
-.Sh AUTHORS
-OpenSSH is a derivative of the original and free
-ssh 1.2.12 release by Tatu Ylonen.
-Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
-Theo de Raadt and Dug Song
-removed many bugs, re-added newer features and
-created OpenSSH.
-Markus Friedl contributed the support for SSH
-protocol versions 1.5 and 2.0.
diff --git a/crypto/openssh/ssh-agent.c b/crypto/openssh/ssh-agent.c
deleted file mode 100644
index ef95eb8..0000000
--- a/crypto/openssh/ssh-agent.c
+++ /dev/null
@@ -1,1254 +0,0 @@
-/* $OpenBSD: ssh-agent.c,v 1.153 2006/10/06 02:29:19 djm Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * The authentication agent program.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/resource.h>
-#include <sys/stat.h>
-#include <sys/socket.h>
-#ifdef HAVE_SYS_TIME_H
-# include <sys/time.h>
-#endif
-#ifdef HAVE_SYS_UN_H
-# include <sys/un.h>
-#endif
-#include "openbsd-compat/sys-queue.h"
-
-#include <openssl/evp.h>
-#include <openssl/md5.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#ifdef HAVE_PATHS_H
-# include <paths.h>
-#endif
-#include <signal.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <time.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "xmalloc.h"
-#include "ssh.h"
-#include "rsa.h"
-#include "buffer.h"
-#include "key.h"
-#include "authfd.h"
-#include "compat.h"
-#include "log.h"
-#include "misc.h"
-
-#ifdef SMARTCARD
-#include "scard.h"
-#endif
-
-#if defined(HAVE_SYS_PRCTL_H)
-#include <sys/prctl.h>	/* For prctl() and PR_SET_DUMPABLE */
-#endif
-
-typedef enum {
-	AUTH_UNUSED,
-	AUTH_SOCKET,
-	AUTH_CONNECTION
-} sock_type;
-
-typedef struct {
-	int fd;
-	sock_type type;
-	Buffer input;
-	Buffer output;
-	Buffer request;
-} SocketEntry;
-
-u_int sockets_alloc = 0;
-SocketEntry *sockets = NULL;
-
-typedef struct identity {
-	TAILQ_ENTRY(identity) next;
-	Key *key;
-	char *comment;
-	u_int death;
-	u_int confirm;
-} Identity;
-
-typedef struct {
-	int nentries;
-	TAILQ_HEAD(idqueue, identity) idlist;
-} Idtab;
-
-/* private key table, one per protocol version */
-Idtab idtable[3];
-
-int max_fd = 0;
-
-/* pid of shell == parent of agent */
-pid_t parent_pid = -1;
-
-/* pathname and directory for AUTH_SOCKET */
-char socket_name[MAXPATHLEN];
-char socket_dir[MAXPATHLEN];
-
-/* locking */
-int locked = 0;
-char *lock_passwd = NULL;
-
-extern char *__progname;
-
-/* Default lifetime (0 == forever) */
-static int lifetime = 0;
-
-static void
-close_socket(SocketEntry *e)
-{
-	close(e->fd);
-	e->fd = -1;
-	e->type = AUTH_UNUSED;
-	buffer_free(&e->input);
-	buffer_free(&e->output);
-	buffer_free(&e->request);
-}
-
-static void
-idtab_init(void)
-{
-	int i;
-
-	for (i = 0; i <=2; i++) {
-		TAILQ_INIT(&idtable[i].idlist);
-		idtable[i].nentries = 0;
-	}
-}
-
-/* return private key table for requested protocol version */
-static Idtab *
-idtab_lookup(int version)
-{
-	if (version < 1 || version > 2)
-		fatal("internal error, bad protocol version %d", version);
-	return &idtable[version];
-}
-
-static void
-free_identity(Identity *id)
-{
-	key_free(id->key);
-	xfree(id->comment);
-	xfree(id);
-}
-
-/* return matching private key for given public key */
-static Identity *
-lookup_identity(Key *key, int version)
-{
-	Identity *id;
-
-	Idtab *tab = idtab_lookup(version);
-	TAILQ_FOREACH(id, &tab->idlist, next) {
-		if (key_equal(key, id->key))
-			return (id);
-	}
-	return (NULL);
-}
-
-/* Check confirmation of keysign request */
-static int
-confirm_key(Identity *id)
-{
-	char *p;
-	int ret = -1;
-
-	p = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
-	if (ask_permission("Allow use of key %s?\nKey fingerprint %s.",
-	    id->comment, p))
-		ret = 0;
-	xfree(p);
-
-	return (ret);
-}
-
-/* send list of supported public keys to 'client' */
-static void
-process_request_identities(SocketEntry *e, int version)
-{
-	Idtab *tab = idtab_lookup(version);
-	Identity *id;
-	Buffer msg;
-
-	buffer_init(&msg);
-	buffer_put_char(&msg, (version == 1) ?
-	    SSH_AGENT_RSA_IDENTITIES_ANSWER : SSH2_AGENT_IDENTITIES_ANSWER);
-	buffer_put_int(&msg, tab->nentries);
-	TAILQ_FOREACH(id, &tab->idlist, next) {
-		if (id->key->type == KEY_RSA1) {
-			buffer_put_int(&msg, BN_num_bits(id->key->rsa->n));
-			buffer_put_bignum(&msg, id->key->rsa->e);
-			buffer_put_bignum(&msg, id->key->rsa->n);
-		} else {
-			u_char *blob;
-			u_int blen;
-			key_to_blob(id->key, &blob, &blen);
-			buffer_put_string(&msg, blob, blen);
-			xfree(blob);
-		}
-		buffer_put_cstring(&msg, id->comment);
-	}
-	buffer_put_int(&e->output, buffer_len(&msg));
-	buffer_append(&e->output, buffer_ptr(&msg), buffer_len(&msg));
-	buffer_free(&msg);
-}
-
-/* ssh1 only */
-static void
-process_authentication_challenge1(SocketEntry *e)
-{
-	u_char buf[32], mdbuf[16], session_id[16];
-	u_int response_type;
-	BIGNUM *challenge;
-	Identity *id;
-	int i, len;
-	Buffer msg;
-	MD5_CTX md;
-	Key *key;
-
-	buffer_init(&msg);
-	key = key_new(KEY_RSA1);
-	if ((challenge = BN_new()) == NULL)
-		fatal("process_authentication_challenge1: BN_new failed");
-
-	(void) buffer_get_int(&e->request);			/* ignored */
-	buffer_get_bignum(&e->request, key->rsa->e);
-	buffer_get_bignum(&e->request, key->rsa->n);
-	buffer_get_bignum(&e->request, challenge);
-
-	/* Only protocol 1.1 is supported */
-	if (buffer_len(&e->request) == 0)
-		goto failure;
-	buffer_get(&e->request, session_id, 16);
-	response_type = buffer_get_int(&e->request);
-	if (response_type != 1)
-		goto failure;
-
-	id = lookup_identity(key, 1);
-	if (id != NULL && (!id->confirm || confirm_key(id) == 0)) {
-		Key *private = id->key;
-		/* Decrypt the challenge using the private key. */
-		if (rsa_private_decrypt(challenge, challenge, private->rsa) <= 0)
-			goto failure;
-
-		/* The response is MD5 of decrypted challenge plus session id. */
-		len = BN_num_bytes(challenge);
-		if (len <= 0 || len > 32) {
-			logit("process_authentication_challenge: bad challenge length %d", len);
-			goto failure;
-		}
-		memset(buf, 0, 32);
-		BN_bn2bin(challenge, buf + 32 - len);
-		MD5_Init(&md);
-		MD5_Update(&md, buf, 32);
-		MD5_Update(&md, session_id, 16);
-		MD5_Final(mdbuf, &md);
-
-		/* Send the response. */
-		buffer_put_char(&msg, SSH_AGENT_RSA_RESPONSE);
-		for (i = 0; i < 16; i++)
-			buffer_put_char(&msg, mdbuf[i]);
-		goto send;
-	}
-
-failure:
-	/* Unknown identity or protocol error.  Send failure. */
-	buffer_put_char(&msg, SSH_AGENT_FAILURE);
-send:
-	buffer_put_int(&e->output, buffer_len(&msg));
-	buffer_append(&e->output, buffer_ptr(&msg), buffer_len(&msg));
-	key_free(key);
-	BN_clear_free(challenge);
-	buffer_free(&msg);
-}
-
-/* ssh2 only */
-static void
-process_sign_request2(SocketEntry *e)
-{
-	u_char *blob, *data, *signature = NULL;
-	u_int blen, dlen, slen = 0;
-	extern int datafellows;
-	int ok = -1, flags;
-	Buffer msg;
-	Key *key;
-
-	datafellows = 0;
-
-	blob = buffer_get_string(&e->request, &blen);
-	data = buffer_get_string(&e->request, &dlen);
-
-	flags = buffer_get_int(&e->request);
-	if (flags & SSH_AGENT_OLD_SIGNATURE)
-		datafellows = SSH_BUG_SIGBLOB;
-
-	key = key_from_blob(blob, blen);
-	if (key != NULL) {
-		Identity *id = lookup_identity(key, 2);
-		if (id != NULL && (!id->confirm || confirm_key(id) == 0))
-			ok = key_sign(id->key, &signature, &slen, data, dlen);
-		key_free(key);
-	}
-	buffer_init(&msg);
-	if (ok == 0) {
-		buffer_put_char(&msg, SSH2_AGENT_SIGN_RESPONSE);
-		buffer_put_string(&msg, signature, slen);
-	} else {
-		buffer_put_char(&msg, SSH_AGENT_FAILURE);
-	}
-	buffer_put_int(&e->output, buffer_len(&msg));
-	buffer_append(&e->output, buffer_ptr(&msg),
-	    buffer_len(&msg));
-	buffer_free(&msg);
-	xfree(data);
-	xfree(blob);
-	if (signature != NULL)
-		xfree(signature);
-}
-
-/* shared */
-static void
-process_remove_identity(SocketEntry *e, int version)
-{
-	u_int blen, bits;
-	int success = 0;
-	Key *key = NULL;
-	u_char *blob;
-
-	switch (version) {
-	case 1:
-		key = key_new(KEY_RSA1);
-		bits = buffer_get_int(&e->request);
-		buffer_get_bignum(&e->request, key->rsa->e);
-		buffer_get_bignum(&e->request, key->rsa->n);
-
-		if (bits != key_size(key))
-			logit("Warning: identity keysize mismatch: actual %u, announced %u",
-			    key_size(key), bits);
-		break;
-	case 2:
-		blob = buffer_get_string(&e->request, &blen);
-		key = key_from_blob(blob, blen);
-		xfree(blob);
-		break;
-	}
-	if (key != NULL) {
-		Identity *id = lookup_identity(key, version);
-		if (id != NULL) {
-			/*
-			 * We have this key.  Free the old key.  Since we
-			 * don't want to leave empty slots in the middle of
-			 * the array, we actually free the key there and move
-			 * all the entries between the empty slot and the end
-			 * of the array.
-			 */
-			Idtab *tab = idtab_lookup(version);
-			if (tab->nentries < 1)
-				fatal("process_remove_identity: "
-				    "internal error: tab->nentries %d",
-				    tab->nentries);
-			TAILQ_REMOVE(&tab->idlist, id, next);
-			free_identity(id);
-			tab->nentries--;
-			success = 1;
-		}
-		key_free(key);
-	}
-	buffer_put_int(&e->output, 1);
-	buffer_put_char(&e->output,
-	    success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
-}
-
-static void
-process_remove_all_identities(SocketEntry *e, int version)
-{
-	Idtab *tab = idtab_lookup(version);
-	Identity *id;
-
-	/* Loop over all identities and clear the keys. */
-	for (id = TAILQ_FIRST(&tab->idlist); id;
-	    id = TAILQ_FIRST(&tab->idlist)) {
-		TAILQ_REMOVE(&tab->idlist, id, next);
-		free_identity(id);
-	}
-
-	/* Mark that there are no identities. */
-	tab->nentries = 0;
-
-	/* Send success. */
-	buffer_put_int(&e->output, 1);
-	buffer_put_char(&e->output, SSH_AGENT_SUCCESS);
-}
-
-static void
-reaper(void)
-{
-	u_int now = time(NULL);
-	Identity *id, *nxt;
-	int version;
-	Idtab *tab;
-
-	for (version = 1; version < 3; version++) {
-		tab = idtab_lookup(version);
-		for (id = TAILQ_FIRST(&tab->idlist); id; id = nxt) {
-			nxt = TAILQ_NEXT(id, next);
-			if (id->death != 0 && now >= id->death) {
-				TAILQ_REMOVE(&tab->idlist, id, next);
-				free_identity(id);
-				tab->nentries--;
-			}
-		}
-	}
-}
-
-static void
-process_add_identity(SocketEntry *e, int version)
-{
-	Idtab *tab = idtab_lookup(version);
-	int type, success = 0, death = 0, confirm = 0;
-	char *type_name, *comment;
-	Key *k = NULL;
-
-	switch (version) {
-	case 1:
-		k = key_new_private(KEY_RSA1);
-		(void) buffer_get_int(&e->request);		/* ignored */
-		buffer_get_bignum(&e->request, k->rsa->n);
-		buffer_get_bignum(&e->request, k->rsa->e);
-		buffer_get_bignum(&e->request, k->rsa->d);
-		buffer_get_bignum(&e->request, k->rsa->iqmp);
-
-		/* SSH and SSL have p and q swapped */
-		buffer_get_bignum(&e->request, k->rsa->q);	/* p */
-		buffer_get_bignum(&e->request, k->rsa->p);	/* q */
-
-		/* Generate additional parameters */
-		rsa_generate_additional_parameters(k->rsa);
-		break;
-	case 2:
-		type_name = buffer_get_string(&e->request, NULL);
-		type = key_type_from_name(type_name);
-		xfree(type_name);
-		switch (type) {
-		case KEY_DSA:
-			k = key_new_private(type);
-			buffer_get_bignum2(&e->request, k->dsa->p);
-			buffer_get_bignum2(&e->request, k->dsa->q);
-			buffer_get_bignum2(&e->request, k->dsa->g);
-			buffer_get_bignum2(&e->request, k->dsa->pub_key);
-			buffer_get_bignum2(&e->request, k->dsa->priv_key);
-			break;
-		case KEY_RSA:
-			k = key_new_private(type);
-			buffer_get_bignum2(&e->request, k->rsa->n);
-			buffer_get_bignum2(&e->request, k->rsa->e);
-			buffer_get_bignum2(&e->request, k->rsa->d);
-			buffer_get_bignum2(&e->request, k->rsa->iqmp);
-			buffer_get_bignum2(&e->request, k->rsa->p);
-			buffer_get_bignum2(&e->request, k->rsa->q);
-
-			/* Generate additional parameters */
-			rsa_generate_additional_parameters(k->rsa);
-			break;
-		default:
-			buffer_clear(&e->request);
-			goto send;
-		}
-		break;
-	}
-	/* enable blinding */
-	switch (k->type) {
-	case KEY_RSA:
-	case KEY_RSA1:
-		if (RSA_blinding_on(k->rsa, NULL) != 1) {
-			error("process_add_identity: RSA_blinding_on failed");
-			key_free(k);
-			goto send;
-		}
-		break;
-	}
-	comment = buffer_get_string(&e->request, NULL);
-	if (k == NULL) {
-		xfree(comment);
-		goto send;
-	}
-	success = 1;
-	while (buffer_len(&e->request)) {
-		switch (buffer_get_char(&e->request)) {
-		case SSH_AGENT_CONSTRAIN_LIFETIME:
-			death = time(NULL) + buffer_get_int(&e->request);
-			break;
-		case SSH_AGENT_CONSTRAIN_CONFIRM:
-			confirm = 1;
-			break;
-		default:
-			break;
-		}
-	}
-	if (lifetime && !death)
-		death = time(NULL) + lifetime;
-	if (lookup_identity(k, version) == NULL) {
-		Identity *id = xmalloc(sizeof(Identity));
-		id->key = k;
-		id->comment = comment;
-		id->death = death;
-		id->confirm = confirm;
-		TAILQ_INSERT_TAIL(&tab->idlist, id, next);
-		/* Increment the number of identities. */
-		tab->nentries++;
-	} else {
-		key_free(k);
-		xfree(comment);
-	}
-send:
-	buffer_put_int(&e->output, 1);
-	buffer_put_char(&e->output,
-	    success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
-}
-
-/* XXX todo: encrypt sensitive data with passphrase */
-static void
-process_lock_agent(SocketEntry *e, int lock)
-{
-	int success = 0;
-	char *passwd;
-
-	passwd = buffer_get_string(&e->request, NULL);
-	if (locked && !lock && strcmp(passwd, lock_passwd) == 0) {
-		locked = 0;
-		memset(lock_passwd, 0, strlen(lock_passwd));
-		xfree(lock_passwd);
-		lock_passwd = NULL;
-		success = 1;
-	} else if (!locked && lock) {
-		locked = 1;
-		lock_passwd = xstrdup(passwd);
-		success = 1;
-	}
-	memset(passwd, 0, strlen(passwd));
-	xfree(passwd);
-
-	buffer_put_int(&e->output, 1);
-	buffer_put_char(&e->output,
-	    success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
-}
-
-static void
-no_identities(SocketEntry *e, u_int type)
-{
-	Buffer msg;
-
-	buffer_init(&msg);
-	buffer_put_char(&msg,
-	    (type == SSH_AGENTC_REQUEST_RSA_IDENTITIES) ?
-	    SSH_AGENT_RSA_IDENTITIES_ANSWER : SSH2_AGENT_IDENTITIES_ANSWER);
-	buffer_put_int(&msg, 0);
-	buffer_put_int(&e->output, buffer_len(&msg));
-	buffer_append(&e->output, buffer_ptr(&msg), buffer_len(&msg));
-	buffer_free(&msg);
-}
-
-#ifdef SMARTCARD
-static void
-process_add_smartcard_key (SocketEntry *e)
-{
-	char *sc_reader_id = NULL, *pin;
-	int i, version, success = 0, death = 0, confirm = 0;
-	Key **keys, *k;
-	Identity *id;
-	Idtab *tab;
-
-	sc_reader_id = buffer_get_string(&e->request, NULL);
-	pin = buffer_get_string(&e->request, NULL);
-
-	while (buffer_len(&e->request)) {
-		switch (buffer_get_char(&e->request)) {
-		case SSH_AGENT_CONSTRAIN_LIFETIME:
-			death = time(NULL) + buffer_get_int(&e->request);
-			break;
-		case SSH_AGENT_CONSTRAIN_CONFIRM:
-			confirm = 1;
-			break;
-		default:
-			break;
-		}
-	}
-	if (lifetime && !death)
-		death = time(NULL) + lifetime;
-
-	keys = sc_get_keys(sc_reader_id, pin);
-	xfree(sc_reader_id);
-	xfree(pin);
-
-	if (keys == NULL || keys[0] == NULL) {
-		error("sc_get_keys failed");
-		goto send;
-	}
-	for (i = 0; keys[i] != NULL; i++) {
-		k = keys[i];
-		version = k->type == KEY_RSA1 ? 1 : 2;
-		tab = idtab_lookup(version);
-		if (lookup_identity(k, version) == NULL) {
-			id = xmalloc(sizeof(Identity));
-			id->key = k;
-			id->comment = sc_get_key_label(k);
-			id->death = death;
-			id->confirm = confirm;
-			TAILQ_INSERT_TAIL(&tab->idlist, id, next);
-			tab->nentries++;
-			success = 1;
-		} else {
-			key_free(k);
-		}
-		keys[i] = NULL;
-	}
-	xfree(keys);
-send:
-	buffer_put_int(&e->output, 1);
-	buffer_put_char(&e->output,
-	    success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
-}
-
-static void
-process_remove_smartcard_key(SocketEntry *e)
-{
-	char *sc_reader_id = NULL, *pin;
-	int i, version, success = 0;
-	Key **keys, *k = NULL;
-	Identity *id;
-	Idtab *tab;
-
-	sc_reader_id = buffer_get_string(&e->request, NULL);
-	pin = buffer_get_string(&e->request, NULL);
-	keys = sc_get_keys(sc_reader_id, pin);
-	xfree(sc_reader_id);
-	xfree(pin);
-
-	if (keys == NULL || keys[0] == NULL) {
-		error("sc_get_keys failed");
-		goto send;
-	}
-	for (i = 0; keys[i] != NULL; i++) {
-		k = keys[i];
-		version = k->type == KEY_RSA1 ? 1 : 2;
-		if ((id = lookup_identity(k, version)) != NULL) {
-			tab = idtab_lookup(version);
-			TAILQ_REMOVE(&tab->idlist, id, next);
-			tab->nentries--;
-			free_identity(id);
-			success = 1;
-		}
-		key_free(k);
-		keys[i] = NULL;
-	}
-	xfree(keys);
-send:
-	buffer_put_int(&e->output, 1);
-	buffer_put_char(&e->output,
-	    success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
-}
-#endif /* SMARTCARD */
-
-/* dispatch incoming messages */
-
-static void
-process_message(SocketEntry *e)
-{
-	u_int msg_len, type;
-	u_char *cp;
-
-	/* kill dead keys */
-	reaper();
-
-	if (buffer_len(&e->input) < 5)
-		return;		/* Incomplete message. */
-	cp = buffer_ptr(&e->input);
-	msg_len = get_u32(cp);
-	if (msg_len > 256 * 1024) {
-		close_socket(e);
-		return;
-	}
-	if (buffer_len(&e->input) < msg_len + 4)
-		return;
-
-	/* move the current input to e->request */
-	buffer_consume(&e->input, 4);
-	buffer_clear(&e->request);
-	buffer_append(&e->request, buffer_ptr(&e->input), msg_len);
-	buffer_consume(&e->input, msg_len);
-	type = buffer_get_char(&e->request);
-
-	/* check wheter agent is locked */
-	if (locked && type != SSH_AGENTC_UNLOCK) {
-		buffer_clear(&e->request);
-		switch (type) {
-		case SSH_AGENTC_REQUEST_RSA_IDENTITIES:
-		case SSH2_AGENTC_REQUEST_IDENTITIES:
-			/* send empty lists */
-			no_identities(e, type);
-			break;
-		default:
-			/* send a fail message for all other request types */
-			buffer_put_int(&e->output, 1);
-			buffer_put_char(&e->output, SSH_AGENT_FAILURE);
-		}
-		return;
-	}
-
-	debug("type %d", type);
-	switch (type) {
-	case SSH_AGENTC_LOCK:
-	case SSH_AGENTC_UNLOCK:
-		process_lock_agent(e, type == SSH_AGENTC_LOCK);
-		break;
-	/* ssh1 */
-	case SSH_AGENTC_RSA_CHALLENGE:
-		process_authentication_challenge1(e);
-		break;
-	case SSH_AGENTC_REQUEST_RSA_IDENTITIES:
-		process_request_identities(e, 1);
-		break;
-	case SSH_AGENTC_ADD_RSA_IDENTITY:
-	case SSH_AGENTC_ADD_RSA_ID_CONSTRAINED:
-		process_add_identity(e, 1);
-		break;
-	case SSH_AGENTC_REMOVE_RSA_IDENTITY:
-		process_remove_identity(e, 1);
-		break;
-	case SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES:
-		process_remove_all_identities(e, 1);
-		break;
-	/* ssh2 */
-	case SSH2_AGENTC_SIGN_REQUEST:
-		process_sign_request2(e);
-		break;
-	case SSH2_AGENTC_REQUEST_IDENTITIES:
-		process_request_identities(e, 2);
-		break;
-	case SSH2_AGENTC_ADD_IDENTITY:
-	case SSH2_AGENTC_ADD_ID_CONSTRAINED:
-		process_add_identity(e, 2);
-		break;
-	case SSH2_AGENTC_REMOVE_IDENTITY:
-		process_remove_identity(e, 2);
-		break;
-	case SSH2_AGENTC_REMOVE_ALL_IDENTITIES:
-		process_remove_all_identities(e, 2);
-		break;
-#ifdef SMARTCARD
-	case SSH_AGENTC_ADD_SMARTCARD_KEY:
-	case SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED:
-		process_add_smartcard_key(e);
-		break;
-	case SSH_AGENTC_REMOVE_SMARTCARD_KEY:
-		process_remove_smartcard_key(e);
-		break;
-#endif /* SMARTCARD */
-	default:
-		/* Unknown message.  Respond with failure. */
-		error("Unknown message %d", type);
-		buffer_clear(&e->request);
-		buffer_put_int(&e->output, 1);
-		buffer_put_char(&e->output, SSH_AGENT_FAILURE);
-		break;
-	}
-}
-
-static void
-new_socket(sock_type type, int fd)
-{
-	u_int i, old_alloc, new_alloc;
-
-	set_nonblock(fd);
-
-	if (fd > max_fd)
-		max_fd = fd;
-
-	for (i = 0; i < sockets_alloc; i++)
-		if (sockets[i].type == AUTH_UNUSED) {
-			sockets[i].fd = fd;
-			buffer_init(&sockets[i].input);
-			buffer_init(&sockets[i].output);
-			buffer_init(&sockets[i].request);
-			sockets[i].type = type;
-			return;
-		}
-	old_alloc = sockets_alloc;
-	new_alloc = sockets_alloc + 10;
-	sockets = xrealloc(sockets, new_alloc, sizeof(sockets[0]));
-	for (i = old_alloc; i < new_alloc; i++)
-		sockets[i].type = AUTH_UNUSED;
-	sockets_alloc = new_alloc;
-	sockets[old_alloc].fd = fd;
-	buffer_init(&sockets[old_alloc].input);
-	buffer_init(&sockets[old_alloc].output);
-	buffer_init(&sockets[old_alloc].request);
-	sockets[old_alloc].type = type;
-}
-
-static int
-prepare_select(fd_set **fdrp, fd_set **fdwp, int *fdl, u_int *nallocp)
-{
-	u_int i, sz;
-	int n = 0;
-
-	for (i = 0; i < sockets_alloc; i++) {
-		switch (sockets[i].type) {
-		case AUTH_SOCKET:
-		case AUTH_CONNECTION:
-			n = MAX(n, sockets[i].fd);
-			break;
-		case AUTH_UNUSED:
-			break;
-		default:
-			fatal("Unknown socket type %d", sockets[i].type);
-			break;
-		}
-	}
-
-	sz = howmany(n+1, NFDBITS) * sizeof(fd_mask);
-	if (*fdrp == NULL || sz > *nallocp) {
-		if (*fdrp)
-			xfree(*fdrp);
-		if (*fdwp)
-			xfree(*fdwp);
-		*fdrp = xmalloc(sz);
-		*fdwp = xmalloc(sz);
-		*nallocp = sz;
-	}
-	if (n < *fdl)
-		debug("XXX shrink: %d < %d", n, *fdl);
-	*fdl = n;
-	memset(*fdrp, 0, sz);
-	memset(*fdwp, 0, sz);
-
-	for (i = 0; i < sockets_alloc; i++) {
-		switch (sockets[i].type) {
-		case AUTH_SOCKET:
-		case AUTH_CONNECTION:
-			FD_SET(sockets[i].fd, *fdrp);
-			if (buffer_len(&sockets[i].output) > 0)
-				FD_SET(sockets[i].fd, *fdwp);
-			break;
-		default:
-			break;
-		}
-	}
-	return (1);
-}
-
-static void
-after_select(fd_set *readset, fd_set *writeset)
-{
-	struct sockaddr_un sunaddr;
-	socklen_t slen;
-	char buf[1024];
-	int len, sock;
-	u_int i;
-	uid_t euid;
-	gid_t egid;
-
-	for (i = 0; i < sockets_alloc; i++)
-		switch (sockets[i].type) {
-		case AUTH_UNUSED:
-			break;
-		case AUTH_SOCKET:
-			if (FD_ISSET(sockets[i].fd, readset)) {
-				slen = sizeof(sunaddr);
-				sock = accept(sockets[i].fd,
-				    (struct sockaddr *)&sunaddr, &slen);
-				if (sock < 0) {
-					error("accept from AUTH_SOCKET: %s",
-					    strerror(errno));
-					break;
-				}
-				if (getpeereid(sock, &euid, &egid) < 0) {
-					error("getpeereid %d failed: %s",
-					    sock, strerror(errno));
-					close(sock);
-					break;
-				}
-				if ((euid != 0) && (getuid() != euid)) {
-					error("uid mismatch: "
-					    "peer euid %u != uid %u",
-					    (u_int) euid, (u_int) getuid());
-					close(sock);
-					break;
-				}
-				new_socket(AUTH_CONNECTION, sock);
-			}
-			break;
-		case AUTH_CONNECTION:
-			if (buffer_len(&sockets[i].output) > 0 &&
-			    FD_ISSET(sockets[i].fd, writeset)) {
-				do {
-					len = write(sockets[i].fd,
-					    buffer_ptr(&sockets[i].output),
-					    buffer_len(&sockets[i].output));
-					if (len == -1 && (errno == EAGAIN ||
-					    errno == EINTR))
-						continue;
-					break;
-				} while (1);
-				if (len <= 0) {
-					close_socket(&sockets[i]);
-					break;
-				}
-				buffer_consume(&sockets[i].output, len);
-			}
-			if (FD_ISSET(sockets[i].fd, readset)) {
-				do {
-					len = read(sockets[i].fd, buf, sizeof(buf));
-					if (len == -1 && (errno == EAGAIN ||
-					    errno == EINTR))
-						continue;
-					break;
-				} while (1);
-				if (len <= 0) {
-					close_socket(&sockets[i]);
-					break;
-				}
-				buffer_append(&sockets[i].input, buf, len);
-				process_message(&sockets[i]);
-			}
-			break;
-		default:
-			fatal("Unknown type %d", sockets[i].type);
-		}
-}
-
-static void
-cleanup_socket(void)
-{
-	if (socket_name[0])
-		unlink(socket_name);
-	if (socket_dir[0])
-		rmdir(socket_dir);
-}
-
-void
-cleanup_exit(int i)
-{
-	cleanup_socket();
-	_exit(i);
-}
-
-/*ARGSUSED*/
-static void
-cleanup_handler(int sig)
-{
-	cleanup_socket();
-	_exit(2);
-}
-
-/*ARGSUSED*/
-static void
-check_parent_exists(int sig)
-{
-	int save_errno = errno;
-
-	if (parent_pid != -1 && kill(parent_pid, 0) < 0) {
-		/* printf("Parent has died - Authentication agent exiting.\n"); */
-		cleanup_handler(sig); /* safe */
-	}
-	mysignal(SIGALRM, check_parent_exists);
-	alarm(10);
-	errno = save_errno;
-}
-
-static void
-usage(void)
-{
-	fprintf(stderr, "Usage: %s [options] [command [args ...]]\n",
-	    __progname);
-	fprintf(stderr, "Options:\n");
-	fprintf(stderr, "  -c          Generate C-shell commands on stdout.\n");
-	fprintf(stderr, "  -s          Generate Bourne shell commands on stdout.\n");
-	fprintf(stderr, "  -k          Kill the current agent.\n");
-	fprintf(stderr, "  -d          Debug mode.\n");
-	fprintf(stderr, "  -a socket   Bind agent socket to given name.\n");
-	fprintf(stderr, "  -t life     Default identity lifetime (seconds).\n");
-	exit(1);
-}
-
-int
-main(int ac, char **av)
-{
-	int c_flag = 0, d_flag = 0, k_flag = 0, s_flag = 0;
-	int sock, fd, ch;
-	u_int nalloc;
-	char *shell, *format, *pidstr, *agentsocket = NULL;
-	fd_set *readsetp = NULL, *writesetp = NULL;
-	struct sockaddr_un sunaddr;
-#ifdef HAVE_SETRLIMIT
-	struct rlimit rlim;
-#endif
-	int prev_mask;
-	extern int optind;
-	extern char *optarg;
-	pid_t pid;
-	char pidstrbuf[1 + 3 * sizeof pid];
-
-	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
-	sanitise_stdfd();
-
-	/* drop */
-	setegid(getgid());
-	setgid(getgid());
-
-#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
-	/* Disable ptrace on Linux without sgid bit */
-	prctl(PR_SET_DUMPABLE, 0);
-#endif
-
-	SSLeay_add_all_algorithms();
-
-	__progname = ssh_get_progname(av[0]);
-	init_rng();
-	seed_rng();
-
-	while ((ch = getopt(ac, av, "cdksa:t:")) != -1) {
-		switch (ch) {
-		case 'c':
-			if (s_flag)
-				usage();
-			c_flag++;
-			break;
-		case 'k':
-			k_flag++;
-			break;
-		case 's':
-			if (c_flag)
-				usage();
-			s_flag++;
-			break;
-		case 'd':
-			if (d_flag)
-				usage();
-			d_flag++;
-			break;
-		case 'a':
-			agentsocket = optarg;
-			break;
-		case 't':
-			if ((lifetime = convtime(optarg)) == -1) {
-				fprintf(stderr, "Invalid lifetime\n");
-				usage();
-			}
-			break;
-		default:
-			usage();
-		}
-	}
-	ac -= optind;
-	av += optind;
-
-	if (ac > 0 && (c_flag || k_flag || s_flag || d_flag))
-		usage();
-
-	if (ac == 0 && !c_flag && !s_flag) {
-		shell = getenv("SHELL");
-		if (shell != NULL &&
-		    strncmp(shell + strlen(shell) - 3, "csh", 3) == 0)
-			c_flag = 1;
-	}
-	if (k_flag) {
-		const char *errstr = NULL;
-
-		pidstr = getenv(SSH_AGENTPID_ENV_NAME);
-		if (pidstr == NULL) {
-			fprintf(stderr, "%s not set, cannot kill agent\n",
-			    SSH_AGENTPID_ENV_NAME);
-			exit(1);
-		}
-		pid = (int)strtonum(pidstr, 2, INT_MAX, &errstr);
-		if (errstr) {
-			fprintf(stderr,
-			    "%s=\"%s\", which is not a good PID: %s\n",
-			    SSH_AGENTPID_ENV_NAME, pidstr, errstr);
-			exit(1);
-		}
-		if (kill(pid, SIGTERM) == -1) {
-			perror("kill");
-			exit(1);
-		}
-		format = c_flag ? "unsetenv %s;\n" : "unset %s;\n";
-		printf(format, SSH_AUTHSOCKET_ENV_NAME);
-		printf(format, SSH_AGENTPID_ENV_NAME);
-		printf("echo Agent pid %ld killed;\n", (long)pid);
-		exit(0);
-	}
-	parent_pid = getpid();
-
-	if (agentsocket == NULL) {
-		/* Create private directory for agent socket */
-		strlcpy(socket_dir, "/tmp/ssh-XXXXXXXXXX", sizeof socket_dir);
-		if (mkdtemp(socket_dir) == NULL) {
-			perror("mkdtemp: private socket dir");
-			exit(1);
-		}
-		snprintf(socket_name, sizeof socket_name, "%s/agent.%ld", socket_dir,
-		    (long)parent_pid);
-	} else {
-		/* Try to use specified agent socket */
-		socket_dir[0] = '\0';
-		strlcpy(socket_name, agentsocket, sizeof socket_name);
-	}
-
-	/*
-	 * Create socket early so it will exist before command gets run from
-	 * the parent.
-	 */
-	sock = socket(AF_UNIX, SOCK_STREAM, 0);
-	if (sock < 0) {
-		perror("socket");
-		*socket_name = '\0'; /* Don't unlink any existing file */
-		cleanup_exit(1);
-	}
-	memset(&sunaddr, 0, sizeof(sunaddr));
-	sunaddr.sun_family = AF_UNIX;
-	strlcpy(sunaddr.sun_path, socket_name, sizeof(sunaddr.sun_path));
-	prev_mask = umask(0177);
-	if (bind(sock, (struct sockaddr *) &sunaddr, sizeof(sunaddr)) < 0) {
-		perror("bind");
-		*socket_name = '\0'; /* Don't unlink any existing file */
-		umask(prev_mask);
-		cleanup_exit(1);
-	}
-	umask(prev_mask);
-	if (listen(sock, SSH_LISTEN_BACKLOG) < 0) {
-		perror("listen");
-		cleanup_exit(1);
-	}
-
-	/*
-	 * Fork, and have the parent execute the command, if any, or present
-	 * the socket data.  The child continues as the authentication agent.
-	 */
-	if (d_flag) {
-		log_init(__progname, SYSLOG_LEVEL_DEBUG1, SYSLOG_FACILITY_AUTH, 1);
-		format = c_flag ? "setenv %s %s;\n" : "%s=%s; export %s;\n";
-		printf(format, SSH_AUTHSOCKET_ENV_NAME, socket_name,
-		    SSH_AUTHSOCKET_ENV_NAME);
-		printf("echo Agent pid %ld;\n", (long)parent_pid);
-		goto skip;
-	}
-	pid = fork();
-	if (pid == -1) {
-		perror("fork");
-		cleanup_exit(1);
-	}
-	if (pid != 0) {		/* Parent - execute the given command. */
-		close(sock);
-		snprintf(pidstrbuf, sizeof pidstrbuf, "%ld", (long)pid);
-		if (ac == 0) {
-			format = c_flag ? "setenv %s %s;\n" : "%s=%s; export %s;\n";
-			printf(format, SSH_AUTHSOCKET_ENV_NAME, socket_name,
-			    SSH_AUTHSOCKET_ENV_NAME);
-			printf(format, SSH_AGENTPID_ENV_NAME, pidstrbuf,
-			    SSH_AGENTPID_ENV_NAME);
-			printf("echo Agent pid %ld;\n", (long)pid);
-			exit(0);
-		}
-		if (setenv(SSH_AUTHSOCKET_ENV_NAME, socket_name, 1) == -1 ||
-		    setenv(SSH_AGENTPID_ENV_NAME, pidstrbuf, 1) == -1) {
-			perror("setenv");
-			exit(1);
-		}
-		execvp(av[0], av);
-		perror(av[0]);
-		exit(1);
-	}
-	/* child */
-	log_init(__progname, SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_AUTH, 0);
-
-	if (setsid() == -1) {
-		error("setsid: %s", strerror(errno));
-		cleanup_exit(1);
-	}
-
-	(void)chdir("/");
-	if ((fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) {
-		/* XXX might close listen socket */
-		(void)dup2(fd, STDIN_FILENO);
-		(void)dup2(fd, STDOUT_FILENO);
-		(void)dup2(fd, STDERR_FILENO);
-		if (fd > 2)
-			close(fd);
-	}
-
-#ifdef HAVE_SETRLIMIT
-	/* deny core dumps, since memory contains unencrypted private keys */
-	rlim.rlim_cur = rlim.rlim_max = 0;
-	if (setrlimit(RLIMIT_CORE, &rlim) < 0) {
-		error("setrlimit RLIMIT_CORE: %s", strerror(errno));
-		cleanup_exit(1);
-	}
-#endif
-
-skip:
-	new_socket(AUTH_SOCKET, sock);
-	if (ac > 0) {
-		mysignal(SIGALRM, check_parent_exists);
-		alarm(10);
-	}
-	idtab_init();
-	if (!d_flag)
-		signal(SIGINT, SIG_IGN);
-	signal(SIGPIPE, SIG_IGN);
-	signal(SIGHUP, cleanup_handler);
-	signal(SIGTERM, cleanup_handler);
-	nalloc = 0;
-
-	while (1) {
-		prepare_select(&readsetp, &writesetp, &max_fd, &nalloc);
-		if (select(max_fd + 1, readsetp, writesetp, NULL, NULL) < 0) {
-			if (errno == EINTR)
-				continue;
-			fatal("select: %s", strerror(errno));
-		}
-		after_select(readsetp, writesetp);
-	}
-	/* NOTREACHED */
-}
diff --git a/crypto/openssh/ssh-agent/Makefile b/crypto/openssh/ssh-agent/Makefile
deleted file mode 100644
index c252dbd..0000000
--- a/crypto/openssh/ssh-agent/Makefile
+++ /dev/null
@@ -1,18 +0,0 @@
-#	$OpenBSD: Makefile,v 1.21 2001/06/27 19:29:16 markus Exp $
-
-.PATH:		${.CURDIR}/..
-
-PROG=	ssh-agent
-BINOWN=	root
-
-BINMODE?=555
-
-BINDIR=	/usr/bin
-MAN=	ssh-agent.1
-
-SRCS=	ssh-agent.c
-
-.include <bsd.prog.mk>
-
-LDADD+=	-lcrypto
-DPADD+=	${LIBCRYPTO}
diff --git a/crypto/openssh/ssh-dss.c b/crypto/openssh/ssh-dss.c
deleted file mode 100644
index 51a06e9..0000000
--- a/crypto/openssh/ssh-dss.c
+++ /dev/null
@@ -1,185 +0,0 @@
-/* $OpenBSD: ssh-dss.c,v 1.24 2006/11/06 21:25:28 markus Exp $ */
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <openssl/bn.h>
-#include <openssl/evp.h>
-
-#include <stdarg.h>
-#include <string.h>
-
-#include "xmalloc.h"
-#include "buffer.h"
-#include "compat.h"
-#include "log.h"
-#include "key.h"
-
-#define INTBLOB_LEN	20
-#define SIGBLOB_LEN	(2*INTBLOB_LEN)
-
-int
-ssh_dss_sign(const Key *key, u_char **sigp, u_int *lenp,
-    const u_char *data, u_int datalen)
-{
-	DSA_SIG *sig;
-	const EVP_MD *evp_md = EVP_sha1();
-	EVP_MD_CTX md;
-	u_char digest[EVP_MAX_MD_SIZE], sigblob[SIGBLOB_LEN];
-	u_int rlen, slen, len, dlen;
-	Buffer b;
-
-	if (key == NULL || key->type != KEY_DSA || key->dsa == NULL) {
-		error("ssh_dss_sign: no DSA key");
-		return -1;
-	}
-	EVP_DigestInit(&md, evp_md);
-	EVP_DigestUpdate(&md, data, datalen);
-	EVP_DigestFinal(&md, digest, &dlen);
-
-	sig = DSA_do_sign(digest, dlen, key->dsa);
-	memset(digest, 'd', sizeof(digest));
-
-	if (sig == NULL) {
-		error("ssh_dss_sign: sign failed");
-		return -1;
-	}
-
-	rlen = BN_num_bytes(sig->r);
-	slen = BN_num_bytes(sig->s);
-	if (rlen > INTBLOB_LEN || slen > INTBLOB_LEN) {
-		error("bad sig size %u %u", rlen, slen);
-		DSA_SIG_free(sig);
-		return -1;
-	}
-	memset(sigblob, 0, SIGBLOB_LEN);
-	BN_bn2bin(sig->r, sigblob+ SIGBLOB_LEN - INTBLOB_LEN - rlen);
-	BN_bn2bin(sig->s, sigblob+ SIGBLOB_LEN - slen);
-	DSA_SIG_free(sig);
-
-	if (datafellows & SSH_BUG_SIGBLOB) {
-		if (lenp != NULL)
-			*lenp = SIGBLOB_LEN;
-		if (sigp != NULL) {
-			*sigp = xmalloc(SIGBLOB_LEN);
-			memcpy(*sigp, sigblob, SIGBLOB_LEN);
-		}
-	} else {
-		/* ietf-drafts */
-		buffer_init(&b);
-		buffer_put_cstring(&b, "ssh-dss");
-		buffer_put_string(&b, sigblob, SIGBLOB_LEN);
-		len = buffer_len(&b);
-		if (lenp != NULL)
-			*lenp = len;
-		if (sigp != NULL) {
-			*sigp = xmalloc(len);
-			memcpy(*sigp, buffer_ptr(&b), len);
-		}
-		buffer_free(&b);
-	}
-	return 0;
-}
-int
-ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen,
-    const u_char *data, u_int datalen)
-{
-	DSA_SIG *sig;
-	const EVP_MD *evp_md = EVP_sha1();
-	EVP_MD_CTX md;
-	u_char digest[EVP_MAX_MD_SIZE], *sigblob;
-	u_int len, dlen;
-	int rlen, ret;
-	Buffer b;
-
-	if (key == NULL || key->type != KEY_DSA || key->dsa == NULL) {
-		error("ssh_dss_verify: no DSA key");
-		return -1;
-	}
-
-	/* fetch signature */
-	if (datafellows & SSH_BUG_SIGBLOB) {
-		sigblob = xmalloc(signaturelen);
-		memcpy(sigblob, signature, signaturelen);
-		len = signaturelen;
-	} else {
-		/* ietf-drafts */
-		char *ktype;
-		buffer_init(&b);
-		buffer_append(&b, signature, signaturelen);
-		ktype = buffer_get_string(&b, NULL);
-		if (strcmp("ssh-dss", ktype) != 0) {
-			error("ssh_dss_verify: cannot handle type %s", ktype);
-			buffer_free(&b);
-			xfree(ktype);
-			return -1;
-		}
-		xfree(ktype);
-		sigblob = buffer_get_string(&b, &len);
-		rlen = buffer_len(&b);
-		buffer_free(&b);
-		if (rlen != 0) {
-			error("ssh_dss_verify: "
-			    "remaining bytes in signature %d", rlen);
-			xfree(sigblob);
-			return -1;
-		}
-	}
-
-	if (len != SIGBLOB_LEN) {
-		fatal("bad sigbloblen %u != SIGBLOB_LEN", len);
-	}
-
-	/* parse signature */
-	if ((sig = DSA_SIG_new()) == NULL)
-		fatal("ssh_dss_verify: DSA_SIG_new failed");
-	if ((sig->r = BN_new()) == NULL)
-		fatal("ssh_dss_verify: BN_new failed");
-	if ((sig->s = BN_new()) == NULL)
-		fatal("ssh_dss_verify: BN_new failed");
-	if ((BN_bin2bn(sigblob, INTBLOB_LEN, sig->r) == NULL) ||
-	    (BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s) == NULL))
-		fatal("ssh_dss_verify: BN_bin2bn failed");
-
-	/* clean up */
-	memset(sigblob, 0, len);
-	xfree(sigblob);
-
-	/* sha1 the data */
-	EVP_DigestInit(&md, evp_md);
-	EVP_DigestUpdate(&md, data, datalen);
-	EVP_DigestFinal(&md, digest, &dlen);
-
-	ret = DSA_do_verify(digest, dlen, sig, key->dsa);
-	memset(digest, 'd', sizeof(digest));
-
-	DSA_SIG_free(sig);
-
-	debug("ssh_dss_verify: signature %s",
-	    ret == 1 ? "correct" : ret == 0 ? "incorrect" : "error");
-	return ret;
-}
diff --git a/crypto/openssh/ssh-gss.h b/crypto/openssh/ssh-gss.h
deleted file mode 100644
index 1ef66e4..0000000
--- a/crypto/openssh/ssh-gss.h
+++ /dev/null
@@ -1,132 +0,0 @@
-/* $OpenBSD: ssh-gss.h,v 1.9 2006/08/18 14:40:34 djm Exp $ */
-/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef _SSH_GSS_H
-#define _SSH_GSS_H
-
-#ifdef GSSAPI
-
-#ifdef HAVE_GSSAPI_H
-#include <gssapi.h>
-#elif defined(HAVE_GSSAPI_GSSAPI_H)
-#include <gssapi/gssapi.h>
-#endif
-
-#ifdef KRB5
-# ifndef HEIMDAL
-#  ifdef HAVE_GSSAPI_GENERIC_H
-#   include <gssapi_generic.h>
-#  elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H)
-#   include <gssapi/gssapi_generic.h>
-#  endif
-
-/* MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */
-
-#ifndef GSS_C_NT_HOSTBASED_SERVICE
-#define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
-#endif /* GSS_C_NT_... */
-#endif /* !HEIMDAL */
-#endif /* KRB5 */
-
-/* draft-ietf-secsh-gsskeyex-06 */
-#define SSH2_MSG_USERAUTH_GSSAPI_RESPONSE		60
-#define SSH2_MSG_USERAUTH_GSSAPI_TOKEN			61
-#define SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE	63
-#define SSH2_MSG_USERAUTH_GSSAPI_ERROR			64
-#define SSH2_MSG_USERAUTH_GSSAPI_ERRTOK			65
-#define SSH2_MSG_USERAUTH_GSSAPI_MIC			66
-
-#define SSH_GSS_OIDTYPE 0x06
-
-typedef struct {
-	char *filename;
-	char *envvar;
-	char *envval;
-	void *data;
-} ssh_gssapi_ccache;
-
-typedef struct {
-	gss_buffer_desc displayname;
-	gss_buffer_desc exportedname;
-	gss_cred_id_t creds;
-	struct ssh_gssapi_mech_struct *mech;
-	ssh_gssapi_ccache store;
-} ssh_gssapi_client;
-
-typedef struct ssh_gssapi_mech_struct {
-	char *enc_name;
-	char *name;
-	gss_OID_desc oid;
-	int (*dochild) (ssh_gssapi_client *);
-	int (*userok) (ssh_gssapi_client *, char *);
-	int (*localname) (ssh_gssapi_client *, char **);
-	void (*storecreds) (ssh_gssapi_client *);
-} ssh_gssapi_mech;
-
-typedef struct {
-	OM_uint32	major; /* both */
-	OM_uint32	minor; /* both */
-	gss_ctx_id_t	context; /* both */
-	gss_name_t	name; /* both */
-	gss_OID		oid; /* client */
-	gss_cred_id_t	creds; /* server */
-	gss_name_t	client; /* server */
-	gss_cred_id_t	client_creds; /* server */
-} Gssctxt;
-
-extern ssh_gssapi_mech *supported_mechs[];
-
-int  ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
-void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
-void ssh_gssapi_set_oid(Gssctxt *, gss_OID);
-void ssh_gssapi_supported_oids(gss_OID_set *);
-ssh_gssapi_mech *ssh_gssapi_get_ctype(Gssctxt *);
-
-OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *);
-OM_uint32 ssh_gssapi_acquire_cred(Gssctxt *);
-OM_uint32 ssh_gssapi_init_ctx(Gssctxt *, int,
-    gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
-OM_uint32 ssh_gssapi_accept_ctx(Gssctxt *,
-    gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
-OM_uint32 ssh_gssapi_getclient(Gssctxt *, ssh_gssapi_client *);
-void ssh_gssapi_error(Gssctxt *);
-char *ssh_gssapi_last_error(Gssctxt *, OM_uint32 *, OM_uint32 *);
-void ssh_gssapi_build_ctx(Gssctxt **);
-void ssh_gssapi_delete_ctx(Gssctxt **);
-OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
-OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
-void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
-int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
-
-/* In the server */
-int ssh_gssapi_userok(char *name);
-OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
-void ssh_gssapi_do_child(char ***, u_int *);
-void ssh_gssapi_cleanup_creds(void);
-void ssh_gssapi_storecreds(void);
-
-#endif /* GSSAPI */
-
-#endif /* _SSH_GSS_H */
diff --git a/crypto/openssh/ssh-keygen.1 b/crypto/openssh/ssh-keygen.1
deleted file mode 100644
index ab16bcd..0000000
--- a/crypto/openssh/ssh-keygen.1
+++ /dev/null
@@ -1,468 +0,0 @@
-.\"	$OpenBSD: ssh-keygen.1,v 1.72 2005/11/28 05:16:53 dtucker Exp $
-.\"
-.\"  -*- nroff -*-
-.\"
-.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
-.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
-.\"                    All rights reserved
-.\"
-.\" As far as I am concerned, the code I have written for this software
-.\" can be used freely for any purpose.  Any derived versions of this
-.\" software must be clearly marked as such, and if the derived work is
-.\" incompatible with the protocol description in the RFC file, it must be
-.\" called by a name other than "ssh" or "Secure Shell".
-.\"
-.\"
-.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
-.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
-.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in the
-.\"    documentation and/or other materials provided with the distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd September 25, 1999
-.Dt SSH-KEYGEN 1
-.Os
-.Sh NAME
-.Nm ssh-keygen
-.Nd authentication key generation, management and conversion
-.Sh SYNOPSIS
-.Nm ssh-keygen
-.Bk -words
-.Op Fl q
-.Op Fl b Ar bits
-.Fl t Ar type
-.Op Fl N Ar new_passphrase
-.Op Fl C Ar comment
-.Op Fl f Ar output_keyfile
-.Ek
-.Nm ssh-keygen
-.Fl p
-.Op Fl P Ar old_passphrase
-.Op Fl N Ar new_passphrase
-.Op Fl f Ar keyfile
-.Nm ssh-keygen
-.Fl i
-.Op Fl f Ar input_keyfile
-.Nm ssh-keygen
-.Fl e
-.Op Fl f Ar input_keyfile
-.Nm ssh-keygen
-.Fl y
-.Op Fl f Ar input_keyfile
-.Nm ssh-keygen
-.Fl c
-.Op Fl P Ar passphrase
-.Op Fl C Ar comment
-.Op Fl f Ar keyfile
-.Nm ssh-keygen
-.Fl l
-.Op Fl f Ar input_keyfile
-.Nm ssh-keygen
-.Fl B
-.Op Fl f Ar input_keyfile
-.Nm ssh-keygen
-.Fl D Ar reader
-.Nm ssh-keygen
-.Fl F Ar hostname
-.Op Fl f Ar known_hosts_file
-.Nm ssh-keygen
-.Fl H
-.Op Fl f Ar known_hosts_file
-.Nm ssh-keygen
-.Fl R Ar hostname
-.Op Fl f Ar known_hosts_file
-.Nm ssh-keygen
-.Fl U Ar reader
-.Op Fl f Ar input_keyfile
-.Nm ssh-keygen
-.Fl r Ar hostname
-.Op Fl f Ar input_keyfile
-.Op Fl g
-.Nm ssh-keygen
-.Fl G Ar output_file
-.Op Fl v
-.Op Fl b Ar bits
-.Op Fl M Ar memory
-.Op Fl S Ar start_point
-.Nm ssh-keygen
-.Fl T Ar output_file
-.Fl f Ar input_file
-.Op Fl v
-.Op Fl a Ar num_trials
-.Op Fl W Ar generator
-.Sh DESCRIPTION
-.Nm
-generates, manages and converts authentication keys for
-.Xr ssh 1 .
-.Nm
-can create RSA keys for use by SSH protocol version 1 and RSA or DSA
-keys for use by SSH protocol version 2.
-The type of key to be generated is specified with the
-.Fl t
-option.
-If invoked without any arguments,
-.Nm
-will generate an RSA key for use in SSH protocol 2 connections.
-.Pp
-.Nm
-is also used to generate groups for use in Diffie-Hellman group
-exchange (DH-GEX).
-See the
-.Sx MODULI GENERATION
-section for details.
-.Pp
-Normally each user wishing to use SSH
-with RSA or DSA authentication runs this once to create the authentication
-key in
-.Pa ~/.ssh/identity ,
-.Pa ~/.ssh/id_dsa
-or
-.Pa ~/.ssh/id_rsa .
-Additionally, the system administrator may use this to generate host keys,
-as seen in
-.Pa /etc/rc .
-.Pp
-Normally this program generates the key and asks for a file in which
-to store the private key.
-The public key is stored in a file with the same name but
-.Dq .pub
-appended.
-The program also asks for a passphrase.
-The passphrase may be empty to indicate no passphrase
-(host keys must have an empty passphrase), or it may be a string of
-arbitrary length.
-A passphrase is similar to a password, except it can be a phrase with a
-series of words, punctuation, numbers, whitespace, or any string of
-characters you want.
-Good passphrases are 10-30 characters long, are
-not simple sentences or otherwise easily guessable (English
-prose has only 1-2 bits of entropy per character, and provides very bad
-passphrases), and contain a mix of upper and lowercase letters,
-numbers, and non-alphanumeric characters.
-The passphrase can be changed later by using the
-.Fl p
-option.
-.Pp
-There is no way to recover a lost passphrase.
-If the passphrase is
-lost or forgotten, a new key must be generated and copied to the
-corresponding public key to other machines.
-.Pp
-For RSA1 keys,
-there is also a comment field in the key file that is only for
-convenience to the user to help identify the key.
-The comment can tell what the key is for, or whatever is useful.
-The comment is initialized to
-.Dq user@host
-when the key is created, but can be changed using the
-.Fl c
-option.
-.Pp
-After a key is generated, instructions below detail where the keys
-should be placed to be activated.
-.Pp
-The options are as follows:
-.Bl -tag -width Ds
-.It Fl a Ar trials
-Specifies the number of primality tests to perform when screening DH-GEX
-candidates using the
-.Fl T
-command.
-.It Fl B
-Show the bubblebabble digest of specified private or public key file.
-.It Fl b Ar bits
-Specifies the number of bits in the key to create.
-For RSA keys, the minimum size is 768 bits and the default is 2048 bits.
-Generally, 2048 bits is considered sufficient.
-DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
-.It Fl C Ar comment
-Provides a new comment.
-.It Fl c
-Requests changing the comment in the private and public key files.
-This operation is only supported for RSA1 keys.
-The program will prompt for the file containing the private keys, for
-the passphrase if the key has one, and for the new comment.
-.It Fl D Ar reader
-Download the RSA public key stored in the smartcard in
-.Ar reader .
-.It Fl e
-This option will read a private or public OpenSSH key file and
-print the key in a
-.Sq SECSH Public Key File Format
-to stdout.
-This option allows exporting keys for use by several commercial
-SSH implementations.
-.It Fl F Ar hostname
-Search for the specified
-.Ar hostname
-in a
-.Pa known_hosts
-file, listing any occurrences found.
-This option is useful to find hashed host names or addresses and may also be
-used in conjunction with the
-.Fl H
-option to print found keys in a hashed format.
-.It Fl f Ar filename
-Specifies the filename of the key file.
-.It Fl G Ar output_file
-Generate candidate primes for DH-GEX.
-These primes must be screened for
-safety (using the
-.Fl T
-option) before use.
-.It Fl g
-Use generic DNS format when printing fingerprint resource records using the
-.Fl r
-command.
-.It Fl H
-Hash a
-.Pa known_hosts
-file.
-This replaces all hostnames and addresses with hashed representations
-within the specified file; the original content is moved to a file with
-a .old suffix.
-These hashes may be used normally by
-.Nm ssh
-and
-.Nm sshd ,
-but they do not reveal identifying information should the file's contents
-be disclosed.
-This option will not modify existing hashed hostnames and is therefore safe
-to use on files that mix hashed and non-hashed names.
-.It Fl i
-This option will read an unencrypted private (or public) key file
-in SSH2-compatible format and print an OpenSSH compatible private
-(or public) key to stdout.
-.Nm
-also reads the
-.Sq SECSH Public Key File Format .
-This option allows importing keys from several commercial
-SSH implementations.
-.It Fl l
-Show fingerprint of specified public key file.
-Private RSA1 keys are also supported.
-For RSA and DSA keys
-.Nm
-tries to find the matching public key file and prints its fingerprint.
-.It Fl M Ar memory
-Specify the amount of memory to use (in megabytes) when generating
-candidate moduli for DH-GEX.
-.It Fl N Ar new_passphrase
-Provides the new passphrase.
-.It Fl P Ar passphrase
-Provides the (old) passphrase.
-.It Fl p
-Requests changing the passphrase of a private key file instead of
-creating a new private key.
-The program will prompt for the file
-containing the private key, for the old passphrase, and twice for the
-new passphrase.
-.It Fl q
-Silence
-.Nm ssh-keygen .
-Used by
-.Pa /etc/rc
-when creating a new key.
-.It Fl R Ar hostname
-Removes all keys belonging to
-.Ar hostname
-from a
-.Pa known_hosts
-file.
-This option is useful to delete hashed hosts (see the
-.Fl H
-option above).
-.It Fl r Ar hostname
-Print the SSHFP fingerprint resource record named
-.Ar hostname
-for the specified public key file.
-.It Fl S Ar start
-Specify start point (in hex) when generating candidate moduli for DH-GEX.
-.It Fl T Ar output_file
-Test DH group exchange candidate primes (generated using the
-.Fl G
-option) for safety.
-.It Fl t Ar type
-Specifies the type of key to create.
-The possible values are
-.Dq rsa1
-for protocol version 1 and
-.Dq rsa
-or
-.Dq dsa
-for protocol version 2.
-.It Fl U Ar reader
-Upload an existing RSA private key into the smartcard in
-.Ar reader .
-.It Fl v
-Verbose mode.
-Causes
-.Nm
-to print debugging messages about its progress.
-This is helpful for debugging moduli generation.
-Multiple
-.Fl v
-options increase the verbosity.
-The maximum is 3.
-.It Fl W Ar generator
-Specify desired generator when testing candidate moduli for DH-GEX.
-.It Fl y
-This option will read a private
-OpenSSH format file and print an OpenSSH public key to stdout.
-.El
-.Sh MODULI GENERATION
-.Nm
-may be used to generate groups for the Diffie-Hellman Group Exchange
-(DH-GEX) protocol.
-Generating these groups is a two-step process: first, candidate
-primes are generated using a fast, but memory intensive process.
-These candidate primes are then tested for suitability (a CPU-intensive
-process).
-.Pp
-Generation of primes is performed using the
-.Fl G
-option.
-The desired length of the primes may be specified by the
-.Fl b
-option.
-For example:
-.Pp
-.Dl # ssh-keygen -G moduli-2048.candidates -b 2048
-.Pp
-By default, the search for primes begins at a random point in the
-desired length range.
-This may be overridden using the
-.Fl S
-option, which specifies a different start point (in hex).
-.Pp
-Once a set of candidates have been generated, they must be tested for
-suitability.
-This may be performed using the
-.Fl T
-option.
-In this mode
-.Nm
-will read candidates from standard input (or a file specified using the
-.Fl f
-option).
-For example:
-.Pp
-.Dl # ssh-keygen -T moduli-2048 -f moduli-2048.candidates
-.Pp
-By default, each candidate will be subjected to 100 primality tests.
-This may be overridden using the
-.Fl a
-option.
-The DH generator value will be chosen automatically for the
-prime under consideration.
-If a specific generator is desired, it may be requested using the
-.Fl W
-option.
-Valid generator values are 2, 3, and 5.
-.Pp
-Screened DH groups may be installed in
-.Pa /etc/moduli .
-It is important that this file contains moduli of a range of bit lengths and
-that both ends of a connection share common moduli.
-.Sh FILES
-.Bl -tag -width Ds
-.It Pa ~/.ssh/identity
-Contains the protocol version 1 RSA authentication identity of the user.
-This file should not be readable by anyone but the user.
-It is possible to
-specify a passphrase when generating the key; that passphrase will be
-used to encrypt the private part of this file using 3DES.
-This file is not automatically accessed by
-.Nm
-but it is offered as the default file for the private key.
-.Xr ssh 1
-will read this file when a login attempt is made.
-.It Pa ~/.ssh/identity.pub
-Contains the protocol version 1 RSA public key for authentication.
-The contents of this file should be added to
-.Pa ~/.ssh/authorized_keys
-on all machines
-where the user wishes to log in using RSA authentication.
-There is no need to keep the contents of this file secret.
-.It Pa ~/.ssh/id_dsa
-Contains the protocol version 2 DSA authentication identity of the user.
-This file should not be readable by anyone but the user.
-It is possible to
-specify a passphrase when generating the key; that passphrase will be
-used to encrypt the private part of this file using 3DES.
-This file is not automatically accessed by
-.Nm
-but it is offered as the default file for the private key.
-.Xr ssh 1
-will read this file when a login attempt is made.
-.It Pa ~/.ssh/id_dsa.pub
-Contains the protocol version 2 DSA public key for authentication.
-The contents of this file should be added to
-.Pa ~/.ssh/authorized_keys
-on all machines
-where the user wishes to log in using public key authentication.
-There is no need to keep the contents of this file secret.
-.It Pa ~/.ssh/id_rsa
-Contains the protocol version 2 RSA authentication identity of the user.
-This file should not be readable by anyone but the user.
-It is possible to
-specify a passphrase when generating the key; that passphrase will be
-used to encrypt the private part of this file using 3DES.
-This file is not automatically accessed by
-.Nm
-but it is offered as the default file for the private key.
-.Xr ssh 1
-will read this file when a login attempt is made.
-.It Pa ~/.ssh/id_rsa.pub
-Contains the protocol version 2 RSA public key for authentication.
-The contents of this file should be added to
-.Pa ~/.ssh/authorized_keys
-on all machines
-where the user wishes to log in using public key authentication.
-There is no need to keep the contents of this file secret.
-.It Pa /etc/moduli
-Contains Diffie-Hellman groups used for DH-GEX.
-The file format is described in
-.Xr moduli 5 .
-.El
-.Sh SEE ALSO
-.Xr ssh 1 ,
-.Xr ssh-add 1 ,
-.Xr ssh-agent 1 ,
-.Xr moduli 5 ,
-.Xr sshd 8
-.Rs
-.%A J. Galbraith
-.%A R. Thayer
-.%T "SECSH Public Key File Format"
-.%N draft-ietf-secsh-publickeyfile-01.txt
-.%D March 2001
-.%O work in progress material
-.Re
-.Sh AUTHORS
-OpenSSH is a derivative of the original and free
-ssh 1.2.12 release by Tatu Ylonen.
-Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
-Theo de Raadt and Dug Song
-removed many bugs, re-added newer features and
-created OpenSSH.
-Markus Friedl contributed the support for SSH
-protocol versions 1.5 and 2.0.
diff --git a/crypto/openssh/ssh-keygen.c b/crypto/openssh/ssh-keygen.c
deleted file mode 100644
index 1f42b93..0000000
--- a/crypto/openssh/ssh-keygen.c
+++ /dev/null
@@ -1,1449 +0,0 @@
-/* $OpenBSD: ssh-keygen.c,v 1.155 2006/11/06 21:25:28 markus Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Identity and host key generation and maintenance.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/stat.h>
-#include <sys/param.h>
-
-#include <openssl/evp.h>
-#include <openssl/pem.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#include <netdb.h>
-#ifdef HAVE_PATHS_H
-# include <paths.h>
-#endif
-#include <pwd.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "xmalloc.h"
-#include "key.h"
-#include "rsa.h"
-#include "authfile.h"
-#include "uuencode.h"
-#include "buffer.h"
-#include "pathnames.h"
-#include "log.h"
-#include "misc.h"
-#include "match.h"
-#include "hostfile.h"
-#include "dns.h"
-
-#ifdef SMARTCARD
-#include "scard.h"
-#endif
-
-/* Number of bits in the RSA/DSA key.  This value can be set on the command line. */
-#define DEFAULT_BITS		2048
-#define DEFAULT_BITS_DSA	1024
-u_int32_t bits = 0;
-
-/*
- * Flag indicating that we just want to change the passphrase.  This can be
- * set on the command line.
- */
-int change_passphrase = 0;
-
-/*
- * Flag indicating that we just want to change the comment.  This can be set
- * on the command line.
- */
-int change_comment = 0;
-
-int quiet = 0;
-
-/* Flag indicating that we want to hash a known_hosts file */
-int hash_hosts = 0;
-/* Flag indicating that we want lookup a host in known_hosts file */
-int find_host = 0;
-/* Flag indicating that we want to delete a host from a known_hosts file */
-int delete_host = 0;
-
-/* Flag indicating that we just want to see the key fingerprint */
-int print_fingerprint = 0;
-int print_bubblebabble = 0;
-
-/* The identity file name, given on the command line or entered by the user. */
-char identity_file[1024];
-int have_identity = 0;
-
-/* This is set to the passphrase if given on the command line. */
-char *identity_passphrase = NULL;
-
-/* This is set to the new passphrase if given on the command line. */
-char *identity_new_passphrase = NULL;
-
-/* This is set to the new comment if given on the command line. */
-char *identity_comment = NULL;
-
-/* Dump public key file in format used by real and the original SSH 2 */
-int convert_to_ssh2 = 0;
-int convert_from_ssh2 = 0;
-int print_public = 0;
-int print_generic = 0;
-
-char *key_type_name = NULL;
-
-/* argv0 */
-extern char *__progname;
-
-char hostname[MAXHOSTNAMELEN];
-
-/* moduli.c */
-int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);
-int prime_test(FILE *, FILE *, u_int32_t, u_int32_t);
-
-static void
-ask_filename(struct passwd *pw, const char *prompt)
-{
-	char buf[1024];
-	char *name = NULL;
-
-	if (key_type_name == NULL)
-		name = _PATH_SSH_CLIENT_ID_RSA;
-	else {
-		switch (key_type_from_name(key_type_name)) {
-		case KEY_RSA1:
-			name = _PATH_SSH_CLIENT_IDENTITY;
-			break;
-		case KEY_DSA:
-			name = _PATH_SSH_CLIENT_ID_DSA;
-			break;
-		case KEY_RSA:
-			name = _PATH_SSH_CLIENT_ID_RSA;
-			break;
-		default:
-			fprintf(stderr, "bad key type");
-			exit(1);
-			break;
-		}
-	}
-	snprintf(identity_file, sizeof(identity_file), "%s/%s", pw->pw_dir, name);
-	fprintf(stderr, "%s (%s): ", prompt, identity_file);
-	if (fgets(buf, sizeof(buf), stdin) == NULL)
-		exit(1);
-	if (strchr(buf, '\n'))
-		*strchr(buf, '\n') = 0;
-	if (strcmp(buf, "") != 0)
-		strlcpy(identity_file, buf, sizeof(identity_file));
-	have_identity = 1;
-}
-
-static Key *
-load_identity(char *filename)
-{
-	char *pass;
-	Key *prv;
-
-	prv = key_load_private(filename, "", NULL);
-	if (prv == NULL) {
-		if (identity_passphrase)
-			pass = xstrdup(identity_passphrase);
-		else
-			pass = read_passphrase("Enter passphrase: ",
-			    RP_ALLOW_STDIN);
-		prv = key_load_private(filename, pass, NULL);
-		memset(pass, 0, strlen(pass));
-		xfree(pass);
-	}
-	return prv;
-}
-
-#define SSH_COM_PUBLIC_BEGIN		"---- BEGIN SSH2 PUBLIC KEY ----"
-#define SSH_COM_PUBLIC_END		"---- END SSH2 PUBLIC KEY ----"
-#define SSH_COM_PRIVATE_BEGIN		"---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----"
-#define	SSH_COM_PRIVATE_KEY_MAGIC	0x3f6ff9eb
-
-static void
-do_convert_to_ssh2(struct passwd *pw)
-{
-	Key *k;
-	u_int len;
-	u_char *blob;
-	struct stat st;
-
-	if (!have_identity)
-		ask_filename(pw, "Enter file in which the key is");
-	if (stat(identity_file, &st) < 0) {
-		perror(identity_file);
-		exit(1);
-	}
-	if ((k = key_load_public(identity_file, NULL)) == NULL) {
-		if ((k = load_identity(identity_file)) == NULL) {
-			fprintf(stderr, "load failed\n");
-			exit(1);
-		}
-	}
-	if (k->type == KEY_RSA1) {
-		fprintf(stderr, "version 1 keys are not supported\n");
-		exit(1);
-	}
-	if (key_to_blob(k, &blob, &len) <= 0) {
-		fprintf(stderr, "key_to_blob failed\n");
-		exit(1);
-	}
-	fprintf(stdout, "%s\n", SSH_COM_PUBLIC_BEGIN);
-	fprintf(stdout,
-	    "Comment: \"%u-bit %s, converted from OpenSSH by %s@%s\"\n",
-	    key_size(k), key_type(k),
-	    pw->pw_name, hostname);
-	dump_base64(stdout, blob, len);
-	fprintf(stdout, "%s\n", SSH_COM_PUBLIC_END);
-	key_free(k);
-	xfree(blob);
-	exit(0);
-}
-
-static void
-buffer_get_bignum_bits(Buffer *b, BIGNUM *value)
-{
-	u_int bignum_bits = buffer_get_int(b);
-	u_int bytes = (bignum_bits + 7) / 8;
-
-	if (buffer_len(b) < bytes)
-		fatal("buffer_get_bignum_bits: input buffer too small: "
-		    "need %d have %d", bytes, buffer_len(b));
-	if (BN_bin2bn(buffer_ptr(b), bytes, value) == NULL)
-		fatal("buffer_get_bignum_bits: BN_bin2bn failed");
-	buffer_consume(b, bytes);
-}
-
-static Key *
-do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)
-{
-	Buffer b;
-	Key *key = NULL;
-	char *type, *cipher;
-	u_char *sig, data[] = "abcde12345";
-	int magic, rlen, ktype, i1, i2, i3, i4;
-	u_int slen;
-	u_long e;
-
-	buffer_init(&b);
-	buffer_append(&b, blob, blen);
-
-	magic  = buffer_get_int(&b);
-	if (magic != SSH_COM_PRIVATE_KEY_MAGIC) {
-		error("bad magic 0x%x != 0x%x", magic, SSH_COM_PRIVATE_KEY_MAGIC);
-		buffer_free(&b);
-		return NULL;
-	}
-	i1 = buffer_get_int(&b);
-	type   = buffer_get_string(&b, NULL);
-	cipher = buffer_get_string(&b, NULL);
-	i2 = buffer_get_int(&b);
-	i3 = buffer_get_int(&b);
-	i4 = buffer_get_int(&b);
-	debug("ignore (%d %d %d %d)", i1,i2,i3,i4);
-	if (strcmp(cipher, "none") != 0) {
-		error("unsupported cipher %s", cipher);
-		xfree(cipher);
-		buffer_free(&b);
-		xfree(type);
-		return NULL;
-	}
-	xfree(cipher);
-
-	if (strstr(type, "dsa")) {
-		ktype = KEY_DSA;
-	} else if (strstr(type, "rsa")) {
-		ktype = KEY_RSA;
-	} else {
-		buffer_free(&b);
-		xfree(type);
-		return NULL;
-	}
-	key = key_new_private(ktype);
-	xfree(type);
-
-	switch (key->type) {
-	case KEY_DSA:
-		buffer_get_bignum_bits(&b, key->dsa->p);
-		buffer_get_bignum_bits(&b, key->dsa->g);
-		buffer_get_bignum_bits(&b, key->dsa->q);
-		buffer_get_bignum_bits(&b, key->dsa->pub_key);
-		buffer_get_bignum_bits(&b, key->dsa->priv_key);
-		break;
-	case KEY_RSA:
-		e  = buffer_get_char(&b);
-		debug("e %lx", e);
-		if (e < 30) {
-			e <<= 8;
-			e += buffer_get_char(&b);
-			debug("e %lx", e);
-			e <<= 8;
-			e += buffer_get_char(&b);
-			debug("e %lx", e);
-		}
-		if (!BN_set_word(key->rsa->e, e)) {
-			buffer_free(&b);
-			key_free(key);
-			return NULL;
-		}
-		buffer_get_bignum_bits(&b, key->rsa->d);
-		buffer_get_bignum_bits(&b, key->rsa->n);
-		buffer_get_bignum_bits(&b, key->rsa->iqmp);
-		buffer_get_bignum_bits(&b, key->rsa->q);
-		buffer_get_bignum_bits(&b, key->rsa->p);
-		rsa_generate_additional_parameters(key->rsa);
-		break;
-	}
-	rlen = buffer_len(&b);
-	if (rlen != 0)
-		error("do_convert_private_ssh2_from_blob: "
-		    "remaining bytes in key blob %d", rlen);
-	buffer_free(&b);
-
-	/* try the key */
-	key_sign(key, &sig, &slen, data, sizeof(data));
-	key_verify(key, sig, slen, data, sizeof(data));
-	xfree(sig);
-	return key;
-}
-
-static int
-get_line(FILE *fp, char *line, size_t len)
-{
-	int c;
-	size_t pos = 0;
-
-	line[0] = '\0';
-	while ((c = fgetc(fp)) != EOF) {
-		if (pos >= len - 1) {
-			fprintf(stderr, "input line too long.\n");
-			exit(1);
-		}
-		switch (c) {
-		case '\r':
-			c = fgetc(fp);
-			if (c != EOF && c != '\n' && ungetc(c, fp) == EOF) {
-				fprintf(stderr, "unget: %s\n", strerror(errno));
-				exit(1);
-			}
-			return pos;
-		case '\n':
-			return pos;
-		}
-		line[pos++] = c;
-		line[pos] = '\0';
-	}
-	if (c == EOF)
-		return -1;
-	return pos;
-}
-
-static void
-do_convert_from_ssh2(struct passwd *pw)
-{
-	Key *k;
-	int blen;
-	u_int len;
-	char line[1024];
-	u_char blob[8096];
-	char encoded[8096];
-	struct stat st;
-	int escaped = 0, private = 0, ok;
-	FILE *fp;
-
-	if (!have_identity)
-		ask_filename(pw, "Enter file in which the key is");
-	if (stat(identity_file, &st) < 0) {
-		perror(identity_file);
-		exit(1);
-	}
-	fp = fopen(identity_file, "r");
-	if (fp == NULL) {
-		perror(identity_file);
-		exit(1);
-	}
-	encoded[0] = '\0';
-	while ((blen = get_line(fp, line, sizeof(line))) != -1) {
-		if (line[blen - 1] == '\\')
-			escaped++;
-		if (strncmp(line, "----", 4) == 0 ||
-		    strstr(line, ": ") != NULL) {
-			if (strstr(line, SSH_COM_PRIVATE_BEGIN) != NULL)
-				private = 1;
-			if (strstr(line, " END ") != NULL) {
-				break;
-			}
-			/* fprintf(stderr, "ignore: %s", line); */
-			continue;
-		}
-		if (escaped) {
-			escaped--;
-			/* fprintf(stderr, "escaped: %s", line); */
-			continue;
-		}
-		strlcat(encoded, line, sizeof(encoded));
-	}
-	len = strlen(encoded);
-	if (((len % 4) == 3) &&
-	    (encoded[len-1] == '=') &&
-	    (encoded[len-2] == '=') &&
-	    (encoded[len-3] == '='))
-		encoded[len-3] = '\0';
-	blen = uudecode(encoded, blob, sizeof(blob));
-	if (blen < 0) {
-		fprintf(stderr, "uudecode failed.\n");
-		exit(1);
-	}
-	k = private ?
-	    do_convert_private_ssh2_from_blob(blob, blen) :
-	    key_from_blob(blob, blen);
-	if (k == NULL) {
-		fprintf(stderr, "decode blob failed.\n");
-		exit(1);
-	}
-	ok = private ?
-	    (k->type == KEY_DSA ?
-		 PEM_write_DSAPrivateKey(stdout, k->dsa, NULL, NULL, 0, NULL, NULL) :
-		 PEM_write_RSAPrivateKey(stdout, k->rsa, NULL, NULL, 0, NULL, NULL)) :
-	    key_write(k, stdout);
-	if (!ok) {
-		fprintf(stderr, "key write failed");
-		exit(1);
-	}
-	key_free(k);
-	if (!private)
-		fprintf(stdout, "\n");
-	fclose(fp);
-	exit(0);
-}
-
-static void
-do_print_public(struct passwd *pw)
-{
-	Key *prv;
-	struct stat st;
-
-	if (!have_identity)
-		ask_filename(pw, "Enter file in which the key is");
-	if (stat(identity_file, &st) < 0) {
-		perror(identity_file);
-		exit(1);
-	}
-	prv = load_identity(identity_file);
-	if (prv == NULL) {
-		fprintf(stderr, "load failed\n");
-		exit(1);
-	}
-	if (!key_write(prv, stdout))
-		fprintf(stderr, "key_write failed");
-	key_free(prv);
-	fprintf(stdout, "\n");
-	exit(0);
-}
-
-#ifdef SMARTCARD
-static void
-do_upload(struct passwd *pw, const char *sc_reader_id)
-{
-	Key *prv = NULL;
-	struct stat st;
-	int ret;
-
-	if (!have_identity)
-		ask_filename(pw, "Enter file in which the key is");
-	if (stat(identity_file, &st) < 0) {
-		perror(identity_file);
-		exit(1);
-	}
-	prv = load_identity(identity_file);
-	if (prv == NULL) {
-		error("load failed");
-		exit(1);
-	}
-	ret = sc_put_key(prv, sc_reader_id);
-	key_free(prv);
-	if (ret < 0)
-		exit(1);
-	logit("loading key done");
-	exit(0);
-}
-
-static void
-do_download(struct passwd *pw, const char *sc_reader_id)
-{
-	Key **keys = NULL;
-	int i;
-
-	keys = sc_get_keys(sc_reader_id, NULL);
-	if (keys == NULL)
-		fatal("cannot read public key from smartcard");
-	for (i = 0; keys[i]; i++) {
-		key_write(keys[i], stdout);
-		key_free(keys[i]);
-		fprintf(stdout, "\n");
-	}
-	xfree(keys);
-	exit(0);
-}
-#endif /* SMARTCARD */
-
-static void
-do_fingerprint(struct passwd *pw)
-{
-	FILE *f;
-	Key *public;
-	char *comment = NULL, *cp, *ep, line[16*1024], *fp;
-	int i, skip = 0, num = 1, invalid = 1;
-	enum fp_rep rep;
-	enum fp_type fptype;
-	struct stat st;
-
-	fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
-	rep =    print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
-
-	if (!have_identity)
-		ask_filename(pw, "Enter file in which the key is");
-	if (stat(identity_file, &st) < 0) {
-		perror(identity_file);
-		exit(1);
-	}
-	public = key_load_public(identity_file, &comment);
-	if (public != NULL) {
-		fp = key_fingerprint(public, fptype, rep);
-		printf("%u %s %s\n", key_size(public), fp, comment);
-		key_free(public);
-		xfree(comment);
-		xfree(fp);
-		exit(0);
-	}
-	if (comment) {
-		xfree(comment);
-		comment = NULL;
-	}
-
-	f = fopen(identity_file, "r");
-	if (f != NULL) {
-		while (fgets(line, sizeof(line), f)) {
-			i = strlen(line) - 1;
-			if (line[i] != '\n') {
-				error("line %d too long: %.40s...", num, line);
-				skip = 1;
-				continue;
-			}
-			num++;
-			if (skip) {
-				skip = 0;
-				continue;
-			}
-			line[i] = '\0';
-
-			/* Skip leading whitespace, empty and comment lines. */
-			for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
-				;
-			if (!*cp || *cp == '\n' || *cp == '#')
-				continue ;
-			i = strtol(cp, &ep, 10);
-			if (i == 0 || ep == NULL || (*ep != ' ' && *ep != '\t')) {
-				int quoted = 0;
-				comment = cp;
-				for (; *cp && (quoted || (*cp != ' ' &&
-				    *cp != '\t')); cp++) {
-					if (*cp == '\\' && cp[1] == '"')
-						cp++;	/* Skip both */
-					else if (*cp == '"')
-						quoted = !quoted;
-				}
-				if (!*cp)
-					continue;
-				*cp++ = '\0';
-			}
-			ep = cp;
-			public = key_new(KEY_RSA1);
-			if (key_read(public, &cp) != 1) {
-				cp = ep;
-				key_free(public);
-				public = key_new(KEY_UNSPEC);
-				if (key_read(public, &cp) != 1) {
-					key_free(public);
-					continue;
-				}
-			}
-			comment = *cp ? cp : comment;
-			fp = key_fingerprint(public, fptype, rep);
-			printf("%u %s %s\n", key_size(public), fp,
-			    comment ? comment : "no comment");
-			xfree(fp);
-			key_free(public);
-			invalid = 0;
-		}
-		fclose(f);
-	}
-	if (invalid) {
-		printf("%s is not a public key file.\n", identity_file);
-		exit(1);
-	}
-	exit(0);
-}
-
-static void
-print_host(FILE *f, char *name, Key *public, int hash)
-{
-	if (hash && (name = host_hash(name, NULL, 0)) == NULL)
-		fatal("hash_host failed");
-	fprintf(f, "%s ", name);
-	if (!key_write(public, f))
-		fatal("key_write failed");
-	fprintf(f, "\n");
-}
-
-static void
-do_known_hosts(struct passwd *pw, const char *name)
-{
-	FILE *in, *out = stdout;
-	Key *public;
-	char *cp, *cp2, *kp, *kp2;
-	char line[16*1024], tmp[MAXPATHLEN], old[MAXPATHLEN];
-	int c, i, skip = 0, inplace = 0, num = 0, invalid = 0, has_unhashed = 0;
-
-	if (!have_identity) {
-		cp = tilde_expand_filename(_PATH_SSH_USER_HOSTFILE, pw->pw_uid);
-		if (strlcpy(identity_file, cp, sizeof(identity_file)) >=
-		    sizeof(identity_file))
-			fatal("Specified known hosts path too long");
-		xfree(cp);
-		have_identity = 1;
-	}
-	if ((in = fopen(identity_file, "r")) == NULL)
-		fatal("fopen: %s", strerror(errno));
-
-	/*
-	 * Find hosts goes to stdout, hash and deletions happen in-place
-	 * A corner case is ssh-keygen -HF foo, which should go to stdout
-	 */
-	if (!find_host && (hash_hosts || delete_host)) {
-		if (strlcpy(tmp, identity_file, sizeof(tmp)) >= sizeof(tmp) ||
-		    strlcat(tmp, ".XXXXXXXXXX", sizeof(tmp)) >= sizeof(tmp) ||
-		    strlcpy(old, identity_file, sizeof(old)) >= sizeof(old) ||
-		    strlcat(old, ".old", sizeof(old)) >= sizeof(old))
-			fatal("known_hosts path too long");
-		umask(077);
-		if ((c = mkstemp(tmp)) == -1)
-			fatal("mkstemp: %s", strerror(errno));
-		if ((out = fdopen(c, "w")) == NULL) {
-			c = errno;
-			unlink(tmp);
-			fatal("fdopen: %s", strerror(c));
-		}
-		inplace = 1;
-	}
-
-	while (fgets(line, sizeof(line), in)) {
-		num++;
-		i = strlen(line) - 1;
-		if (line[i] != '\n') {
-			error("line %d too long: %.40s...", num, line);
-			skip = 1;
-			invalid = 1;
-			continue;
-		}
-		if (skip) {
-			skip = 0;
-			continue;
-		}
-		line[i] = '\0';
-
-		/* Skip leading whitespace, empty and comment lines. */
-		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
-			;
-		if (!*cp || *cp == '\n' || *cp == '#') {
-			if (inplace)
-				fprintf(out, "%s\n", cp);
-			continue;
-		}
-		/* Find the end of the host name portion. */
-		for (kp = cp; *kp && *kp != ' ' && *kp != '\t'; kp++)
-			;
-		if (*kp == '\0' || *(kp + 1) == '\0') {
-			error("line %d missing key: %.40s...",
-			    num, line);
-			invalid = 1;
-			continue;
-		}
-		*kp++ = '\0';
-		kp2 = kp;
-
-		public = key_new(KEY_RSA1);
-		if (key_read(public, &kp) != 1) {
-			kp = kp2;
-			key_free(public);
-			public = key_new(KEY_UNSPEC);
-			if (key_read(public, &kp) != 1) {
-				error("line %d invalid key: %.40s...",
-				    num, line);
-				key_free(public);
-				invalid = 1;
-				continue;
-			}
-		}
-
-		if (*cp == HASH_DELIM) {
-			if (find_host || delete_host) {
-				cp2 = host_hash(name, cp, strlen(cp));
-				if (cp2 == NULL) {
-					error("line %d: invalid hashed "
-					    "name: %.64s...", num, line);
-					invalid = 1;
-					continue;
-				}
-				c = (strcmp(cp2, cp) == 0);
-				if (find_host && c) {
-					printf("# Host %s found: "
-					    "line %d type %s\n", name,
-					    num, key_type(public));
-					print_host(out, cp, public, 0);
-				}
-				if (delete_host && !c)
-					print_host(out, cp, public, 0);
-			} else if (hash_hosts)
-				print_host(out, cp, public, 0);
-		} else {
-			if (find_host || delete_host) {
-				c = (match_hostname(name, cp,
-				    strlen(cp)) == 1);
-				if (find_host && c) {
-					printf("# Host %s found: "
-					    "line %d type %s\n", name,
-					    num, key_type(public));
-					print_host(out, cp, public, hash_hosts);
-				}
-				if (delete_host && !c)
-					print_host(out, cp, public, 0);
-			} else if (hash_hosts) {
-				for (cp2 = strsep(&cp, ",");
-				    cp2 != NULL && *cp2 != '\0';
-				    cp2 = strsep(&cp, ",")) {
-					if (strcspn(cp2, "*?!") != strlen(cp2))
-						fprintf(stderr, "Warning: "
-						    "ignoring host name with "
-						    "metacharacters: %.64s\n",
-						    cp2);
-					else
-						print_host(out, cp2, public, 1);
-				}
-				has_unhashed = 1;
-			}
-		}
-		key_free(public);
-	}
-	fclose(in);
-
-	if (invalid) {
-		fprintf(stderr, "%s is not a valid known_host file.\n",
-		    identity_file);
-		if (inplace) {
-			fprintf(stderr, "Not replacing existing known_hosts "
-			    "file because of errors\n");
-			fclose(out);
-			unlink(tmp);
-		}
-		exit(1);
-	}
-
-	if (inplace) {
-		fclose(out);
-
-		/* Backup existing file */
-		if (unlink(old) == -1 && errno != ENOENT)
-			fatal("unlink %.100s: %s", old, strerror(errno));
-		if (link(identity_file, old) == -1)
-			fatal("link %.100s to %.100s: %s", identity_file, old,
-			    strerror(errno));
-		/* Move new one into place */
-		if (rename(tmp, identity_file) == -1) {
-			error("rename\"%s\" to \"%s\": %s", tmp, identity_file,
-			    strerror(errno));
-			unlink(tmp);
-			unlink(old);
-			exit(1);
-		}
-
-		fprintf(stderr, "%s updated.\n", identity_file);
-		fprintf(stderr, "Original contents retained as %s\n", old);
-		if (has_unhashed) {
-			fprintf(stderr, "WARNING: %s contains unhashed "
-			    "entries\n", old);
-			fprintf(stderr, "Delete this file to ensure privacy "
-			    "of hostnames\n");
-		}
-	}
-
-	exit(0);
-}
-
-/*
- * Perform changing a passphrase.  The argument is the passwd structure
- * for the current user.
- */
-static void
-do_change_passphrase(struct passwd *pw)
-{
-	char *comment;
-	char *old_passphrase, *passphrase1, *passphrase2;
-	struct stat st;
-	Key *private;
-
-	if (!have_identity)
-		ask_filename(pw, "Enter file in which the key is");
-	if (stat(identity_file, &st) < 0) {
-		perror(identity_file);
-		exit(1);
-	}
-	/* Try to load the file with empty passphrase. */
-	private = key_load_private(identity_file, "", &comment);
-	if (private == NULL) {
-		if (identity_passphrase)
-			old_passphrase = xstrdup(identity_passphrase);
-		else
-			old_passphrase =
-			    read_passphrase("Enter old passphrase: ",
-			    RP_ALLOW_STDIN);
-		private = key_load_private(identity_file, old_passphrase,
-		    &comment);
-		memset(old_passphrase, 0, strlen(old_passphrase));
-		xfree(old_passphrase);
-		if (private == NULL) {
-			printf("Bad passphrase.\n");
-			exit(1);
-		}
-	}
-	printf("Key has comment '%s'\n", comment);
-
-	/* Ask the new passphrase (twice). */
-	if (identity_new_passphrase) {
-		passphrase1 = xstrdup(identity_new_passphrase);
-		passphrase2 = NULL;
-	} else {
-		passphrase1 =
-			read_passphrase("Enter new passphrase (empty for no "
-			    "passphrase): ", RP_ALLOW_STDIN);
-		passphrase2 = read_passphrase("Enter same passphrase again: ",
-		    RP_ALLOW_STDIN);
-
-		/* Verify that they are the same. */
-		if (strcmp(passphrase1, passphrase2) != 0) {
-			memset(passphrase1, 0, strlen(passphrase1));
-			memset(passphrase2, 0, strlen(passphrase2));
-			xfree(passphrase1);
-			xfree(passphrase2);
-			printf("Pass phrases do not match.  Try again.\n");
-			exit(1);
-		}
-		/* Destroy the other copy. */
-		memset(passphrase2, 0, strlen(passphrase2));
-		xfree(passphrase2);
-	}
-
-	/* Save the file using the new passphrase. */
-	if (!key_save_private(private, identity_file, passphrase1, comment)) {
-		printf("Saving the key failed: %s.\n", identity_file);
-		memset(passphrase1, 0, strlen(passphrase1));
-		xfree(passphrase1);
-		key_free(private);
-		xfree(comment);
-		exit(1);
-	}
-	/* Destroy the passphrase and the copy of the key in memory. */
-	memset(passphrase1, 0, strlen(passphrase1));
-	xfree(passphrase1);
-	key_free(private);		 /* Destroys contents */
-	xfree(comment);
-
-	printf("Your identification has been saved with the new passphrase.\n");
-	exit(0);
-}
-
-/*
- * Print the SSHFP RR.
- */
-static int
-do_print_resource_record(struct passwd *pw, char *fname, char *hname)
-{
-	Key *public;
-	char *comment = NULL;
-	struct stat st;
-
-	if (fname == NULL)
-		ask_filename(pw, "Enter file in which the key is");
-	if (stat(fname, &st) < 0) {
-		if (errno == ENOENT)
-			return 0;
-		perror(fname);
-		exit(1);
-	}
-	public = key_load_public(fname, &comment);
-	if (public != NULL) {
-		export_dns_rr(hname, public, stdout, print_generic);
-		key_free(public);
-		xfree(comment);
-		return 1;
-	}
-	if (comment)
-		xfree(comment);
-
-	printf("failed to read v2 public key from %s.\n", fname);
-	exit(1);
-}
-
-/*
- * Change the comment of a private key file.
- */
-static void
-do_change_comment(struct passwd *pw)
-{
-	char new_comment[1024], *comment, *passphrase;
-	Key *private;
-	Key *public;
-	struct stat st;
-	FILE *f;
-	int fd;
-
-	if (!have_identity)
-		ask_filename(pw, "Enter file in which the key is");
-	if (stat(identity_file, &st) < 0) {
-		perror(identity_file);
-		exit(1);
-	}
-	private = key_load_private(identity_file, "", &comment);
-	if (private == NULL) {
-		if (identity_passphrase)
-			passphrase = xstrdup(identity_passphrase);
-		else if (identity_new_passphrase)
-			passphrase = xstrdup(identity_new_passphrase);
-		else
-			passphrase = read_passphrase("Enter passphrase: ",
-			    RP_ALLOW_STDIN);
-		/* Try to load using the passphrase. */
-		private = key_load_private(identity_file, passphrase, &comment);
-		if (private == NULL) {
-			memset(passphrase, 0, strlen(passphrase));
-			xfree(passphrase);
-			printf("Bad passphrase.\n");
-			exit(1);
-		}
-	} else {
-		passphrase = xstrdup("");
-	}
-	if (private->type != KEY_RSA1) {
-		fprintf(stderr, "Comments are only supported for RSA1 keys.\n");
-		key_free(private);
-		exit(1);
-	}
-	printf("Key now has comment '%s'\n", comment);
-
-	if (identity_comment) {
-		strlcpy(new_comment, identity_comment, sizeof(new_comment));
-	} else {
-		printf("Enter new comment: ");
-		fflush(stdout);
-		if (!fgets(new_comment, sizeof(new_comment), stdin)) {
-			memset(passphrase, 0, strlen(passphrase));
-			key_free(private);
-			exit(1);
-		}
-		if (strchr(new_comment, '\n'))
-			*strchr(new_comment, '\n') = 0;
-	}
-
-	/* Save the file using the new passphrase. */
-	if (!key_save_private(private, identity_file, passphrase, new_comment)) {
-		printf("Saving the key failed: %s.\n", identity_file);
-		memset(passphrase, 0, strlen(passphrase));
-		xfree(passphrase);
-		key_free(private);
-		xfree(comment);
-		exit(1);
-	}
-	memset(passphrase, 0, strlen(passphrase));
-	xfree(passphrase);
-	public = key_from_private(private);
-	key_free(private);
-
-	strlcat(identity_file, ".pub", sizeof(identity_file));
-	fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644);
-	if (fd == -1) {
-		printf("Could not save your public key in %s\n", identity_file);
-		exit(1);
-	}
-	f = fdopen(fd, "w");
-	if (f == NULL) {
-		printf("fdopen %s failed", identity_file);
-		exit(1);
-	}
-	if (!key_write(public, f))
-		fprintf(stderr, "write key failed");
-	key_free(public);
-	fprintf(f, " %s\n", new_comment);
-	fclose(f);
-
-	xfree(comment);
-
-	printf("The comment in your key file has been changed.\n");
-	exit(0);
-}
-
-static void
-usage(void)
-{
-	fprintf(stderr, "Usage: %s [options]\n", __progname);
-	fprintf(stderr, "Options:\n");
-	fprintf(stderr, "  -a trials   Number of trials for screening DH-GEX moduli.\n");
-	fprintf(stderr, "  -B          Show bubblebabble digest of key file.\n");
-	fprintf(stderr, "  -b bits     Number of bits in the key to create.\n");
-	fprintf(stderr, "  -C comment  Provide new comment.\n");
-	fprintf(stderr, "  -c          Change comment in private and public key files.\n");
-#ifdef SMARTCARD
-	fprintf(stderr, "  -D reader   Download public key from smartcard.\n");
-#endif /* SMARTCARD */
-	fprintf(stderr, "  -e          Convert OpenSSH to IETF SECSH key file.\n");
-	fprintf(stderr, "  -F hostname Find hostname in known hosts file.\n");
-	fprintf(stderr, "  -f filename Filename of the key file.\n");
-	fprintf(stderr, "  -G file     Generate candidates for DH-GEX moduli.\n");
-	fprintf(stderr, "  -g          Use generic DNS resource record format.\n");
-	fprintf(stderr, "  -H          Hash names in known_hosts file.\n");
-	fprintf(stderr, "  -i          Convert IETF SECSH to OpenSSH key file.\n");
-	fprintf(stderr, "  -l          Show fingerprint of key file.\n");
-	fprintf(stderr, "  -M memory   Amount of memory (MB) to use for generating DH-GEX moduli.\n");
-	fprintf(stderr, "  -N phrase   Provide new passphrase.\n");
-	fprintf(stderr, "  -P phrase   Provide old passphrase.\n");
-	fprintf(stderr, "  -p          Change passphrase of private key file.\n");
-	fprintf(stderr, "  -q          Quiet.\n");
-	fprintf(stderr, "  -R hostname Remove host from known_hosts file.\n");
-	fprintf(stderr, "  -r hostname Print DNS resource record.\n");
-	fprintf(stderr, "  -S start    Start point (hex) for generating DH-GEX moduli.\n");
-	fprintf(stderr, "  -T file     Screen candidates for DH-GEX moduli.\n");
-	fprintf(stderr, "  -t type     Specify type of key to create.\n");
-#ifdef SMARTCARD
-	fprintf(stderr, "  -U reader   Upload private key to smartcard.\n");
-#endif /* SMARTCARD */
-	fprintf(stderr, "  -v          Verbose.\n");
-	fprintf(stderr, "  -W gen      Generator to use for generating DH-GEX moduli.\n");
-	fprintf(stderr, "  -y          Read private key file and print public key.\n");
-
-	exit(1);
-}
-
-/*
- * Main program for key management.
- */
-int
-main(int ac, char **av)
-{
-	char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2;
-	char out_file[MAXPATHLEN], *reader_id = NULL;
-	char *rr_hostname = NULL;
-	Key *private, *public;
-	struct passwd *pw;
-	struct stat st;
-	int opt, type, fd, download = 0;
-	u_int32_t memory = 0, generator_wanted = 0, trials = 100;
-	int do_gen_candidates = 0, do_screen_candidates = 0;
-	int log_level = SYSLOG_LEVEL_INFO;
-	BIGNUM *start = NULL;
-	FILE *f;
-	const char *errstr;
-
-	extern int optind;
-	extern char *optarg;
-
-	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
-	sanitise_stdfd();
-
-	__progname = ssh_get_progname(av[0]);
-
-	SSLeay_add_all_algorithms();
-	log_init(av[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
-
-	init_rng();
-	seed_rng();
-
-	/* we need this for the home * directory.  */
-	pw = getpwuid(getuid());
-	if (!pw) {
-		printf("You don't exist, go away!\n");
-		exit(1);
-	}
-	if (gethostname(hostname, sizeof(hostname)) < 0) {
-		perror("gethostname");
-		exit(1);
-	}
-
-	while ((opt = getopt(ac, av,
-	    "degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) {
-		switch (opt) {
-		case 'b':
-			bits = (u_int32_t)strtonum(optarg, 768, 32768, &errstr);
-			if (errstr)
-				fatal("Bits has bad value %s (%s)",
-					optarg, errstr);
-			break;
-		case 'F':
-			find_host = 1;
-			rr_hostname = optarg;
-			break;
-		case 'H':
-			hash_hosts = 1;
-			break;
-		case 'R':
-			delete_host = 1;
-			rr_hostname = optarg;
-			break;
-		case 'l':
-			print_fingerprint = 1;
-			break;
-		case 'B':
-			print_bubblebabble = 1;
-			break;
-		case 'p':
-			change_passphrase = 1;
-			break;
-		case 'c':
-			change_comment = 1;
-			break;
-		case 'f':
-			if (strlcpy(identity_file, optarg, sizeof(identity_file)) >=
-			    sizeof(identity_file))
-				fatal("Identity filename too long");
-			have_identity = 1;
-			break;
-		case 'g':
-			print_generic = 1;
-			break;
-		case 'P':
-			identity_passphrase = optarg;
-			break;
-		case 'N':
-			identity_new_passphrase = optarg;
-			break;
-		case 'C':
-			identity_comment = optarg;
-			break;
-		case 'q':
-			quiet = 1;
-			break;
-		case 'e':
-		case 'x':
-			/* export key */
-			convert_to_ssh2 = 1;
-			break;
-		case 'i':
-		case 'X':
-			/* import key */
-			convert_from_ssh2 = 1;
-			break;
-		case 'y':
-			print_public = 1;
-			break;
-		case 'd':
-			key_type_name = "dsa";
-			break;
-		case 't':
-			key_type_name = optarg;
-			break;
-		case 'D':
-			download = 1;
-			/*FALLTHROUGH*/
-		case 'U':
-			reader_id = optarg;
-			break;
-		case 'v':
-			if (log_level == SYSLOG_LEVEL_INFO)
-				log_level = SYSLOG_LEVEL_DEBUG1;
-			else {
-				if (log_level >= SYSLOG_LEVEL_DEBUG1 &&
-				    log_level < SYSLOG_LEVEL_DEBUG3)
-					log_level++;
-			}
-			break;
-		case 'r':
-			rr_hostname = optarg;
-			break;
-		case 'W':
-			generator_wanted = (u_int32_t)strtonum(optarg, 1,
-			    UINT_MAX, &errstr);
-			if (errstr)
-				fatal("Desired generator has bad value: %s (%s)",
-					optarg, errstr);
-			break;
-		case 'a':
-			trials = (u_int32_t)strtonum(optarg, 1, UINT_MAX, &errstr);
-			if (errstr)
-				fatal("Invalid number of trials: %s (%s)",
-					optarg, errstr);
-			break;
-		case 'M':
-			memory = (u_int32_t)strtonum(optarg, 1, UINT_MAX, &errstr);
-			if (errstr) {
-				fatal("Memory limit is %s: %s", errstr, optarg);
-			}
-			break;
-		case 'G':
-			do_gen_candidates = 1;
-			if (strlcpy(out_file, optarg, sizeof(out_file)) >=
-			    sizeof(out_file))
-				fatal("Output filename too long");
-			break;
-		case 'T':
-			do_screen_candidates = 1;
-			if (strlcpy(out_file, optarg, sizeof(out_file)) >=
-			    sizeof(out_file))
-				fatal("Output filename too long");
-			break;
-		case 'S':
-			/* XXX - also compare length against bits */
-			if (BN_hex2bn(&start, optarg) == 0)
-				fatal("Invalid start point.");
-			break;
-		case '?':
-		default:
-			usage();
-		}
-	}
-
-	/* reinit */
-	log_init(av[0], log_level, SYSLOG_FACILITY_USER, 1);
-
-	if (optind < ac) {
-		printf("Too many arguments.\n");
-		usage();
-	}
-	if (change_passphrase && change_comment) {
-		printf("Can only have one of -p and -c.\n");
-		usage();
-	}
-	if (delete_host || hash_hosts || find_host)
-		do_known_hosts(pw, rr_hostname);
-	if (print_fingerprint || print_bubblebabble)
-		do_fingerprint(pw);
-	if (change_passphrase)
-		do_change_passphrase(pw);
-	if (change_comment)
-		do_change_comment(pw);
-	if (convert_to_ssh2)
-		do_convert_to_ssh2(pw);
-	if (convert_from_ssh2)
-		do_convert_from_ssh2(pw);
-	if (print_public)
-		do_print_public(pw);
-	if (rr_hostname != NULL) {
-		unsigned int n = 0;
-
-		if (have_identity) {
-			n = do_print_resource_record(pw,
-			    identity_file, rr_hostname);
-			if (n == 0) {
-				perror(identity_file);
-				exit(1);
-			}
-			exit(0);
-		} else {
-
-			n += do_print_resource_record(pw,
-			    _PATH_HOST_RSA_KEY_FILE, rr_hostname);
-			n += do_print_resource_record(pw,
-			    _PATH_HOST_DSA_KEY_FILE, rr_hostname);
-
-			if (n == 0)
-				fatal("no keys found.");
-			exit(0);
-		}
-	}
-	if (reader_id != NULL) {
-#ifdef SMARTCARD
-		if (download)
-			do_download(pw, reader_id);
-		else
-			do_upload(pw, reader_id);
-#else /* SMARTCARD */
-		fatal("no support for smartcards.");
-#endif /* SMARTCARD */
-	}
-
-	if (do_gen_candidates) {
-		FILE *out = fopen(out_file, "w");
-
-		if (out == NULL) {
-			error("Couldn't open modulus candidate file \"%s\": %s",
-			    out_file, strerror(errno));
-			return (1);
-		}
-		if (bits == 0)
-			bits = DEFAULT_BITS;
-		if (gen_candidates(out, memory, bits, start) != 0)
-			fatal("modulus candidate generation failed");
-
-		return (0);
-	}
-
-	if (do_screen_candidates) {
-		FILE *in;
-		FILE *out = fopen(out_file, "w");
-
-		if (have_identity && strcmp(identity_file, "-") != 0) {
-			if ((in = fopen(identity_file, "r")) == NULL) {
-				fatal("Couldn't open modulus candidate "
-				    "file \"%s\": %s", identity_file,
-				    strerror(errno));
-			}
-		} else
-			in = stdin;
-
-		if (out == NULL) {
-			fatal("Couldn't open moduli file \"%s\": %s",
-			    out_file, strerror(errno));
-		}
-		if (prime_test(in, out, trials, generator_wanted) != 0)
-			fatal("modulus screening failed");
-		return (0);
-	}
-
-	arc4random_stir();
-
-	if (key_type_name == NULL)
-		key_type_name = "rsa";
-
-	type = key_type_from_name(key_type_name);
-	if (type == KEY_UNSPEC) {
-		fprintf(stderr, "unknown key type %s\n", key_type_name);
-		exit(1);
-	}
-	if (bits == 0)
-		bits = (type == KEY_DSA) ? DEFAULT_BITS_DSA : DEFAULT_BITS;
-	if (type == KEY_DSA && bits != 1024)
-		fatal("DSA keys must be 1024 bits");
-	if (!quiet)
-		printf("Generating public/private %s key pair.\n", key_type_name);
-	private = key_generate(type, bits);
-	if (private == NULL) {
-		fprintf(stderr, "key_generate failed");
-		exit(1);
-	}
-	public  = key_from_private(private);
-
-	if (!have_identity)
-		ask_filename(pw, "Enter file in which to save the key");
-
-	/* Create ~/.ssh directory if it doesn't already exist. */
-	snprintf(dotsshdir, sizeof dotsshdir, "%s/%s", pw->pw_dir, _PATH_SSH_USER_DIR);
-	if (strstr(identity_file, dotsshdir) != NULL &&
-	    stat(dotsshdir, &st) < 0) {
-		if (mkdir(dotsshdir, 0700) < 0)
-			error("Could not create directory '%s'.", dotsshdir);
-		else if (!quiet)
-			printf("Created directory '%s'.\n", dotsshdir);
-	}
-	/* If the file already exists, ask the user to confirm. */
-	if (stat(identity_file, &st) >= 0) {
-		char yesno[3];
-		printf("%s already exists.\n", identity_file);
-		printf("Overwrite (y/n)? ");
-		fflush(stdout);
-		if (fgets(yesno, sizeof(yesno), stdin) == NULL)
-			exit(1);
-		if (yesno[0] != 'y' && yesno[0] != 'Y')
-			exit(1);
-	}
-	/* Ask for a passphrase (twice). */
-	if (identity_passphrase)
-		passphrase1 = xstrdup(identity_passphrase);
-	else if (identity_new_passphrase)
-		passphrase1 = xstrdup(identity_new_passphrase);
-	else {
-passphrase_again:
-		passphrase1 =
-			read_passphrase("Enter passphrase (empty for no "
-			    "passphrase): ", RP_ALLOW_STDIN);
-		passphrase2 = read_passphrase("Enter same passphrase again: ",
-		    RP_ALLOW_STDIN);
-		if (strcmp(passphrase1, passphrase2) != 0) {
-			/*
-			 * The passphrases do not match.  Clear them and
-			 * retry.
-			 */
-			memset(passphrase1, 0, strlen(passphrase1));
-			memset(passphrase2, 0, strlen(passphrase2));
-			xfree(passphrase1);
-			xfree(passphrase2);
-			printf("Passphrases do not match.  Try again.\n");
-			goto passphrase_again;
-		}
-		/* Clear the other copy of the passphrase. */
-		memset(passphrase2, 0, strlen(passphrase2));
-		xfree(passphrase2);
-	}
-
-	if (identity_comment) {
-		strlcpy(comment, identity_comment, sizeof(comment));
-	} else {
-		/* Create default commend field for the passphrase. */
-		snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, hostname);
-	}
-
-	/* Save the key with the given passphrase and comment. */
-	if (!key_save_private(private, identity_file, passphrase1, comment)) {
-		printf("Saving the key failed: %s.\n", identity_file);
-		memset(passphrase1, 0, strlen(passphrase1));
-		xfree(passphrase1);
-		exit(1);
-	}
-	/* Clear the passphrase. */
-	memset(passphrase1, 0, strlen(passphrase1));
-	xfree(passphrase1);
-
-	/* Clear the private key and the random number generator. */
-	key_free(private);
-	arc4random_stir();
-
-	if (!quiet)
-		printf("Your identification has been saved in %s.\n", identity_file);
-
-	strlcat(identity_file, ".pub", sizeof(identity_file));
-	fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644);
-	if (fd == -1) {
-		printf("Could not save your public key in %s\n", identity_file);
-		exit(1);
-	}
-	f = fdopen(fd, "w");
-	if (f == NULL) {
-		printf("fdopen %s failed", identity_file);
-		exit(1);
-	}
-	if (!key_write(public, f))
-		fprintf(stderr, "write key failed");
-	fprintf(f, " %s\n", comment);
-	fclose(f);
-
-	if (!quiet) {
-		char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX);
-		printf("Your public key has been saved in %s.\n",
-		    identity_file);
-		printf("The key fingerprint is:\n");
-		printf("%s %s\n", fp, comment);
-		xfree(fp);
-	}
-
-	key_free(public);
-	exit(0);
-}
diff --git a/crypto/openssh/ssh-keygen/Makefile b/crypto/openssh/ssh-keygen/Makefile
deleted file mode 100644
index d175813..0000000
--- a/crypto/openssh/ssh-keygen/Makefile
+++ /dev/null
@@ -1,18 +0,0 @@
-#	$OpenBSD: Makefile,v 1.21 2001/06/27 19:29:16 markus Exp $
-
-.PATH:		${.CURDIR}/..
-
-PROG=	ssh-keygen
-BINOWN=	root
-
-BINMODE?=555
-
-BINDIR=	/usr/bin
-MAN=	ssh-keygen.1
-
-SRCS=	ssh-keygen.c
-
-.include <bsd.prog.mk>
-
-LDADD+=	-lcrypto
-DPADD+=	${LIBCRYPTO}
diff --git a/crypto/openssh/ssh-keyscan.1 b/crypto/openssh/ssh-keyscan.1
deleted file mode 100644
index a3656fc..0000000
--- a/crypto/openssh/ssh-keyscan.1
+++ /dev/null
@@ -1,168 +0,0 @@
-.\"	$OpenBSD: ssh-keyscan.1,v 1.22 2006/09/25 04:55:38 ray Exp $
-.\"
-.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
-.\"
-.\" Modification and redistribution in source and binary forms is
-.\" permitted provided that due credit is given to the author and the
-.\" OpenBSD project by leaving this copyright notice intact.
-.\"
-.Dd January 1, 1996
-.Dt SSH-KEYSCAN 1
-.Os
-.Sh NAME
-.Nm ssh-keyscan
-.Nd gather ssh public keys
-.Sh SYNOPSIS
-.Nm ssh-keyscan
-.Bk -words
-.Op Fl 46Hv
-.Op Fl f Ar file
-.Op Fl p Ar port
-.Op Fl T Ar timeout
-.Op Fl t Ar type
-.Op Ar host | addrlist namelist
-.Op Ar ...
-.Ek
-.Sh DESCRIPTION
-.Nm
-is a utility for gathering the public ssh host keys of a number of
-hosts.
-It was designed to aid in building and verifying
-.Pa ssh_known_hosts
-files.
-.Nm
-provides a minimal interface suitable for use by shell and perl
-scripts.
-.Pp
-.Nm
-uses non-blocking socket I/O to contact as many hosts as possible in
-parallel, so it is very efficient.
-The keys from a domain of 1,000
-hosts can be collected in tens of seconds, even when some of those
-hosts are down or do not run ssh.
-For scanning, one does not need
-login access to the machines that are being scanned, nor does the
-scanning process involve any encryption.
-.Pp
-The options are as follows:
-.Bl -tag -width Ds
-.It Fl 4
-Forces
-.Nm
-to use IPv4 addresses only.
-.It Fl 6
-Forces
-.Nm
-to use IPv6 addresses only.
-.It Fl f Ar file
-Read hosts or
-.Pa addrlist namelist
-pairs from this file, one per line.
-If
-.Pa -
-is supplied instead of a filename,
-.Nm
-will read hosts or
-.Pa addrlist namelist
-pairs from the standard input.
-.It Fl H
-Hash all hostnames and addresses in the output.
-Hashed names may be used normally by
-.Nm ssh
-and
-.Nm sshd ,
-but they do not reveal identifying information should the file's contents
-be disclosed.
-.It Fl p Ar port
-Port to connect to on the remote host.
-.It Fl T Ar timeout
-Set the timeout for connection attempts.
-If
-.Pa timeout
-seconds have elapsed since a connection was initiated to a host or since the
-last time anything was read from that host, then the connection is
-closed and the host in question considered unavailable.
-Default is 5 seconds.
-.It Fl t Ar type
-Specifies the type of the key to fetch from the scanned hosts.
-The possible values are
-.Dq rsa1
-for protocol version 1 and
-.Dq rsa
-or
-.Dq dsa
-for protocol version 2.
-Multiple values may be specified by separating them with commas.
-The default is
-.Dq rsa1 .
-.It Fl v
-Verbose mode.
-Causes
-.Nm
-to print debugging messages about its progress.
-.El
-.Sh SECURITY
-If an ssh_known_hosts file is constructed using
-.Nm
-without verifying the keys, users will be vulnerable to
-.Em man in the middle
-attacks.
-On the other hand, if the security model allows such a risk,
-.Nm
-can help in the detection of tampered keyfiles or man in the middle
-attacks which have begun after the ssh_known_hosts file was created.
-.Sh FILES
-.Pa Input format:
-.Bd -literal
-1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
-.Ed
-.Pp
-.Pa Output format for rsa1 keys:
-.Bd -literal
-host-or-namelist bits exponent modulus
-.Ed
-.Pp
-.Pa Output format for rsa and dsa keys:
-.Bd -literal
-host-or-namelist keytype base64-encoded-key
-.Ed
-.Pp
-Where
-.Pa keytype
-is either
-.Dq ssh-rsa
-or
-.Dq ssh-dss .
-.Pp
-.Pa /etc/ssh/ssh_known_hosts
-.Sh EXAMPLES
-Print the
-.Pa rsa1
-host key for machine
-.Pa hostname :
-.Bd -literal
-$ ssh-keyscan hostname
-.Ed
-.Pp
-Find all hosts from the file
-.Pa ssh_hosts
-which have new or different keys from those in the sorted file
-.Pa ssh_known_hosts :
-.Bd -literal
-$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e
-	sort -u - ssh_known_hosts | diff ssh_known_hosts -
-.Ed
-.Sh SEE ALSO
-.Xr ssh 1 ,
-.Xr sshd 8
-.Sh AUTHORS
-.An -nosplit
-.An David Mazieres Aq dm@lcs.mit.edu
-wrote the initial version, and
-.An Wayne Davison Aq wayned@users.sourceforge.net
-added support for protocol version 2.
-.Sh BUGS
-It generates "Connection closed by remote host" messages on the consoles
-of all the machines it scans if the server is older than version 2.9.
-This is because it opens a connection to the ssh port, reads the public
-key, and drops the connection as soon as it gets the key.
diff --git a/crypto/openssh/ssh-keyscan.c b/crypto/openssh/ssh-keyscan.c
deleted file mode 100644
index b198640..0000000
--- a/crypto/openssh/ssh-keyscan.c
+++ /dev/null
@@ -1,850 +0,0 @@
-/* $OpenBSD: ssh-keyscan.c,v 1.74 2006/10/06 02:29:19 djm Exp $ */
-/*
- * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
- *
- * Modification and redistribution in source and binary forms is
- * permitted provided that due credit is given to the author and the
- * OpenBSD project by leaving this copyright notice intact.
- */
-
-#include "includes.h"
- 
-#include "openbsd-compat/sys-queue.h"
-#include <sys/resource.h>
-#ifdef HAVE_SYS_TIME_H
-# include <sys/time.h>
-#endif
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include <openssl/bn.h>
-
-#include <netdb.h>
-#include <errno.h>
-#include <setjmp.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <signal.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "xmalloc.h"
-#include "ssh.h"
-#include "ssh1.h"
-#include "buffer.h"
-#include "key.h"
-#include "cipher.h"
-#include "kex.h"
-#include "compat.h"
-#include "myproposal.h"
-#include "packet.h"
-#include "dispatch.h"
-#include "log.h"
-#include "atomicio.h"
-#include "misc.h"
-#include "hostfile.h"
-
-/* Flag indicating whether IPv4 or IPv6.  This can be set on the command line.
-   Default value is AF_UNSPEC means both IPv4 and IPv6. */
-int IPv4or6 = AF_UNSPEC;
-
-int ssh_port = SSH_DEFAULT_PORT;
-
-#define KT_RSA1	1
-#define KT_DSA	2
-#define KT_RSA	4
-
-int get_keytypes = KT_RSA1;	/* Get only RSA1 keys by default */
-
-int hash_hosts = 0;		/* Hash hostname on output */
-
-#define MAXMAXFD 256
-
-/* The number of seconds after which to give up on a TCP connection */
-int timeout = 5;
-
-int maxfd;
-#define MAXCON (maxfd - 10)
-
-extern char *__progname;
-fd_set *read_wait;
-size_t read_wait_nfdset;
-int ncon;
-int nonfatal_fatal = 0;
-jmp_buf kexjmp;
-Key *kexjmp_key;
-
-/*
- * Keep a connection structure for each file descriptor.  The state
- * associated with file descriptor n is held in fdcon[n].
- */
-typedef struct Connection {
-	u_char c_status;	/* State of connection on this file desc. */
-#define CS_UNUSED 0		/* File descriptor unused */
-#define CS_CON 1		/* Waiting to connect/read greeting */
-#define CS_SIZE 2		/* Waiting to read initial packet size */
-#define CS_KEYS 3		/* Waiting to read public key packet */
-	int c_fd;		/* Quick lookup: c->c_fd == c - fdcon */
-	int c_plen;		/* Packet length field for ssh packet */
-	int c_len;		/* Total bytes which must be read. */
-	int c_off;		/* Length of data read so far. */
-	int c_keytype;		/* Only one of KT_RSA1, KT_DSA, or KT_RSA */
-	char *c_namebase;	/* Address to free for c_name and c_namelist */
-	char *c_name;		/* Hostname of connection for errors */
-	char *c_namelist;	/* Pointer to other possible addresses */
-	char *c_output_name;	/* Hostname of connection for output */
-	char *c_data;		/* Data read from this fd */
-	Kex *c_kex;		/* The key-exchange struct for ssh2 */
-	struct timeval c_tv;	/* Time at which connection gets aborted */
-	TAILQ_ENTRY(Connection) c_link;	/* List of connections in timeout order. */
-} con;
-
-TAILQ_HEAD(conlist, Connection) tq;	/* Timeout Queue */
-con *fdcon;
-
-/*
- *  This is just a wrapper around fgets() to make it usable.
- */
-
-/* Stress-test.  Increase this later. */
-#define LINEBUF_SIZE 16
-
-typedef struct {
-	char *buf;
-	u_int size;
-	int lineno;
-	const char *filename;
-	FILE *stream;
-	void (*errfun) (const char *,...);
-} Linebuf;
-
-static Linebuf *
-Linebuf_alloc(const char *filename, void (*errfun) (const char *,...))
-{
-	Linebuf *lb;
-
-	if (!(lb = malloc(sizeof(*lb)))) {
-		if (errfun)
-			(*errfun) ("linebuf (%s): malloc failed\n",
-			    filename ? filename : "(stdin)");
-		return (NULL);
-	}
-	if (filename) {
-		lb->filename = filename;
-		if (!(lb->stream = fopen(filename, "r"))) {
-			xfree(lb);
-			if (errfun)
-				(*errfun) ("%s: %s\n", filename, strerror(errno));
-			return (NULL);
-		}
-	} else {
-		lb->filename = "(stdin)";
-		lb->stream = stdin;
-	}
-
-	if (!(lb->buf = malloc((lb->size = LINEBUF_SIZE)))) {
-		if (errfun)
-			(*errfun) ("linebuf (%s): malloc failed\n", lb->filename);
-		xfree(lb);
-		return (NULL);
-	}
-	lb->errfun = errfun;
-	lb->lineno = 0;
-	return (lb);
-}
-
-static void
-Linebuf_free(Linebuf * lb)
-{
-	fclose(lb->stream);
-	xfree(lb->buf);
-	xfree(lb);
-}
-
-#if 0
-static void
-Linebuf_restart(Linebuf * lb)
-{
-	clearerr(lb->stream);
-	rewind(lb->stream);
-	lb->lineno = 0;
-}
-
-static int
-Linebuf_lineno(Linebuf * lb)
-{
-	return (lb->lineno);
-}
-#endif
-
-static char *
-Linebuf_getline(Linebuf * lb)
-{
-	size_t n = 0;
-	void *p;
-
-	lb->lineno++;
-	for (;;) {
-		/* Read a line */
-		if (!fgets(&lb->buf[n], lb->size - n, lb->stream)) {
-			if (ferror(lb->stream) && lb->errfun)
-				(*lb->errfun)("%s: %s\n", lb->filename,
-				    strerror(errno));
-			return (NULL);
-		}
-		n = strlen(lb->buf);
-
-		/* Return it or an error if it fits */
-		if (n > 0 && lb->buf[n - 1] == '\n') {
-			lb->buf[n - 1] = '\0';
-			return (lb->buf);
-		}
-		if (n != lb->size - 1) {
-			if (lb->errfun)
-				(*lb->errfun)("%s: skipping incomplete last line\n",
-				    lb->filename);
-			return (NULL);
-		}
-		/* Double the buffer if we need more space */
-		lb->size *= 2;
-		if ((p = realloc(lb->buf, lb->size)) == NULL) {
-			lb->size /= 2;
-			if (lb->errfun)
-				(*lb->errfun)("linebuf (%s): realloc failed\n",
-				    lb->filename);
-			return (NULL);
-		}
-		lb->buf = p;
-	}
-}
-
-static int
-fdlim_get(int hard)
-{
-#if defined(HAVE_GETRLIMIT) && defined(RLIMIT_NOFILE)
-	struct rlimit rlfd;
-
-	if (getrlimit(RLIMIT_NOFILE, &rlfd) < 0)
-		return (-1);
-	if ((hard ? rlfd.rlim_max : rlfd.rlim_cur) == RLIM_INFINITY)
-		return SSH_SYSFDMAX;
-	else
-		return hard ? rlfd.rlim_max : rlfd.rlim_cur;
-#else
-	return SSH_SYSFDMAX;
-#endif
-}
-
-static int
-fdlim_set(int lim)
-{
-#if defined(HAVE_SETRLIMIT) && defined(RLIMIT_NOFILE)
-	struct rlimit rlfd;
-#endif
-
-	if (lim <= 0)
-		return (-1);
-#if defined(HAVE_SETRLIMIT) && defined(RLIMIT_NOFILE)
-	if (getrlimit(RLIMIT_NOFILE, &rlfd) < 0)
-		return (-1);
-	rlfd.rlim_cur = lim;
-	if (setrlimit(RLIMIT_NOFILE, &rlfd) < 0)
-		return (-1);
-#elif defined (HAVE_SETDTABLESIZE)
-	setdtablesize(lim);
-#endif
-	return (0);
-}
-
-/*
- * This is an strsep function that returns a null field for adjacent
- * separators.  This is the same as the 4.4BSD strsep, but different from the
- * one in the GNU libc.
- */
-static char *
-xstrsep(char **str, const char *delim)
-{
-	char *s, *e;
-
-	if (!**str)
-		return (NULL);
-
-	s = *str;
-	e = s + strcspn(s, delim);
-
-	if (*e != '\0')
-		*e++ = '\0';
-	*str = e;
-
-	return (s);
-}
-
-/*
- * Get the next non-null token (like GNU strsep).  Strsep() will return a
- * null token for two adjacent separators, so we may have to loop.
- */
-static char *
-strnnsep(char **stringp, char *delim)
-{
-	char *tok;
-
-	do {
-		tok = xstrsep(stringp, delim);
-	} while (tok && *tok == '\0');
-	return (tok);
-}
-
-static Key *
-keygrab_ssh1(con *c)
-{
-	static Key *rsa;
-	static Buffer msg;
-
-	if (rsa == NULL) {
-		buffer_init(&msg);
-		rsa = key_new(KEY_RSA1);
-	}
-	buffer_append(&msg, c->c_data, c->c_plen);
-	buffer_consume(&msg, 8 - (c->c_plen & 7));	/* padding */
-	if (buffer_get_char(&msg) != (int) SSH_SMSG_PUBLIC_KEY) {
-		error("%s: invalid packet type", c->c_name);
-		buffer_clear(&msg);
-		return NULL;
-	}
-	buffer_consume(&msg, 8);		/* cookie */
-
-	/* server key */
-	(void) buffer_get_int(&msg);
-	buffer_get_bignum(&msg, rsa->rsa->e);
-	buffer_get_bignum(&msg, rsa->rsa->n);
-
-	/* host key */
-	(void) buffer_get_int(&msg);
-	buffer_get_bignum(&msg, rsa->rsa->e);
-	buffer_get_bignum(&msg, rsa->rsa->n);
-
-	buffer_clear(&msg);
-
-	return (rsa);
-}
-
-static int
-hostjump(Key *hostkey)
-{
-	kexjmp_key = hostkey;
-	longjmp(kexjmp, 1);
-}
-
-static int
-ssh2_capable(int remote_major, int remote_minor)
-{
-	switch (remote_major) {
-	case 1:
-		if (remote_minor == 99)
-			return 1;
-		break;
-	case 2:
-		return 1;
-	default:
-		break;
-	}
-	return 0;
-}
-
-static Key *
-keygrab_ssh2(con *c)
-{
-	int j;
-
-	packet_set_connection(c->c_fd, c->c_fd);
-	enable_compat20();
-	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = c->c_keytype == KT_DSA?
-	    "ssh-dss": "ssh-rsa";
-	c->c_kex = kex_setup(myproposal);
-	c->c_kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
-	c->c_kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
-	c->c_kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
-	c->c_kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
-	c->c_kex->verify_host_key = hostjump;
-
-	if (!(j = setjmp(kexjmp))) {
-		nonfatal_fatal = 1;
-		dispatch_run(DISPATCH_BLOCK, &c->c_kex->done, c->c_kex);
-		fprintf(stderr, "Impossible! dispatch_run() returned!\n");
-		exit(1);
-	}
-	nonfatal_fatal = 0;
-	xfree(c->c_kex);
-	c->c_kex = NULL;
-	packet_close();
-
-	return j < 0? NULL : kexjmp_key;
-}
-
-static void
-keyprint(con *c, Key *key)
-{
-	char *host = c->c_output_name ? c->c_output_name : c->c_name;
-
-	if (!key)
-		return;
-	if (hash_hosts && (host = host_hash(host, NULL, 0)) == NULL)
-		fatal("host_hash failed");
-
-	fprintf(stdout, "%s ", host);
-	key_write(key, stdout);
-	fputs("\n", stdout);
-}
-
-static int
-tcpconnect(char *host)
-{
-	struct addrinfo hints, *ai, *aitop;
-	char strport[NI_MAXSERV];
-	int gaierr, s = -1;
-
-	snprintf(strport, sizeof strport, "%d", ssh_port);
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_family = IPv4or6;
-	hints.ai_socktype = SOCK_STREAM;
-	if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
-		fatal("getaddrinfo %s: %s", host, gai_strerror(gaierr));
-	for (ai = aitop; ai; ai = ai->ai_next) {
-		s = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
-		if (s < 0) {
-			error("socket: %s", strerror(errno));
-			continue;
-		}
-		if (set_nonblock(s) == -1)
-			fatal("%s: set_nonblock(%d)", __func__, s);
-		if (connect(s, ai->ai_addr, ai->ai_addrlen) < 0 &&
-		    errno != EINPROGRESS)
-			error("connect (`%s'): %s", host, strerror(errno));
-		else
-			break;
-		close(s);
-		s = -1;
-	}
-	freeaddrinfo(aitop);
-	return s;
-}
-
-static int
-conalloc(char *iname, char *oname, int keytype)
-{
-	char *namebase, *name, *namelist;
-	int s;
-
-	namebase = namelist = xstrdup(iname);
-
-	do {
-		name = xstrsep(&namelist, ",");
-		if (!name) {
-			xfree(namebase);
-			return (-1);
-		}
-	} while ((s = tcpconnect(name)) < 0);
-
-	if (s >= maxfd)
-		fatal("conalloc: fdno %d too high", s);
-	if (fdcon[s].c_status)
-		fatal("conalloc: attempt to reuse fdno %d", s);
-
-	fdcon[s].c_fd = s;
-	fdcon[s].c_status = CS_CON;
-	fdcon[s].c_namebase = namebase;
-	fdcon[s].c_name = name;
-	fdcon[s].c_namelist = namelist;
-	fdcon[s].c_output_name = xstrdup(oname);
-	fdcon[s].c_data = (char *) &fdcon[s].c_plen;
-	fdcon[s].c_len = 4;
-	fdcon[s].c_off = 0;
-	fdcon[s].c_keytype = keytype;
-	gettimeofday(&fdcon[s].c_tv, NULL);
-	fdcon[s].c_tv.tv_sec += timeout;
-	TAILQ_INSERT_TAIL(&tq, &fdcon[s], c_link);
-	FD_SET(s, read_wait);
-	ncon++;
-	return (s);
-}
-
-static void
-confree(int s)
-{
-	if (s >= maxfd || fdcon[s].c_status == CS_UNUSED)
-		fatal("confree: attempt to free bad fdno %d", s);
-	close(s);
-	xfree(fdcon[s].c_namebase);
-	xfree(fdcon[s].c_output_name);
-	if (fdcon[s].c_status == CS_KEYS)
-		xfree(fdcon[s].c_data);
-	fdcon[s].c_status = CS_UNUSED;
-	fdcon[s].c_keytype = 0;
-	TAILQ_REMOVE(&tq, &fdcon[s], c_link);
-	FD_CLR(s, read_wait);
-	ncon--;
-}
-
-static void
-contouch(int s)
-{
-	TAILQ_REMOVE(&tq, &fdcon[s], c_link);
-	gettimeofday(&fdcon[s].c_tv, NULL);
-	fdcon[s].c_tv.tv_sec += timeout;
-	TAILQ_INSERT_TAIL(&tq, &fdcon[s], c_link);
-}
-
-static int
-conrecycle(int s)
-{
-	con *c = &fdcon[s];
-	int ret;
-
-	ret = conalloc(c->c_namelist, c->c_output_name, c->c_keytype);
-	confree(s);
-	return (ret);
-}
-
-static void
-congreet(int s)
-{
-	int n = 0, remote_major = 0, remote_minor = 0;
-	char buf[256], *cp;
-	char remote_version[sizeof buf];
-	size_t bufsiz;
-	con *c = &fdcon[s];
-
-	for (;;) {
-		memset(buf, '\0', sizeof(buf));
-		bufsiz = sizeof(buf);
-		cp = buf;
-		while (bufsiz-- &&
-		    (n = atomicio(read, s, cp, 1)) == 1 && *cp != '\n') {
-			if (*cp == '\r')
-				*cp = '\n';
-			cp++;
-		}
-		if (n != 1 || strncmp(buf, "SSH-", 4) == 0)
-			break;
-	}
-	if (n == 0) {
-		switch (errno) {
-		case EPIPE:
-			error("%s: Connection closed by remote host", c->c_name);
-			break;
-		case ECONNREFUSED:
-			break;
-		default:
-			error("read (%s): %s", c->c_name, strerror(errno));
-			break;
-		}
-		conrecycle(s);
-		return;
-	}
-	if (*cp != '\n' && *cp != '\r') {
-		error("%s: bad greeting", c->c_name);
-		confree(s);
-		return;
-	}
-	*cp = '\0';
-	if (sscanf(buf, "SSH-%d.%d-%[^\n]\n",
-	    &remote_major, &remote_minor, remote_version) == 3)
-		compat_datafellows(remote_version);
-	else
-		datafellows = 0;
-	if (c->c_keytype != KT_RSA1) {
-		if (!ssh2_capable(remote_major, remote_minor)) {
-			debug("%s doesn't support ssh2", c->c_name);
-			confree(s);
-			return;
-		}
-	} else if (remote_major != 1) {
-		debug("%s doesn't support ssh1", c->c_name);
-		confree(s);
-		return;
-	}
-	fprintf(stderr, "# %s %s\n", c->c_name, chop(buf));
-	n = snprintf(buf, sizeof buf, "SSH-%d.%d-OpenSSH-keyscan\r\n",
-	    c->c_keytype == KT_RSA1? PROTOCOL_MAJOR_1 : PROTOCOL_MAJOR_2,
-	    c->c_keytype == KT_RSA1? PROTOCOL_MINOR_1 : PROTOCOL_MINOR_2);
-	if (n < 0 || (size_t)n >= sizeof(buf)) {
-		error("snprintf: buffer too small");
-		confree(s);
-		return;
-	}
-	if (atomicio(vwrite, s, buf, n) != (size_t)n) {
-		error("write (%s): %s", c->c_name, strerror(errno));
-		confree(s);
-		return;
-	}
-	if (c->c_keytype != KT_RSA1) {
-		keyprint(c, keygrab_ssh2(c));
-		confree(s);
-		return;
-	}
-	c->c_status = CS_SIZE;
-	contouch(s);
-}
-
-static void
-conread(int s)
-{
-	con *c = &fdcon[s];
-	size_t n;
-
-	if (c->c_status == CS_CON) {
-		congreet(s);
-		return;
-	}
-	n = atomicio(read, s, c->c_data + c->c_off, c->c_len - c->c_off);
-	if (n == 0) {
-		error("read (%s): %s", c->c_name, strerror(errno));
-		confree(s);
-		return;
-	}
-	c->c_off += n;
-
-	if (c->c_off == c->c_len)
-		switch (c->c_status) {
-		case CS_SIZE:
-			c->c_plen = htonl(c->c_plen);
-			c->c_len = c->c_plen + 8 - (c->c_plen & 7);
-			c->c_off = 0;
-			c->c_data = xmalloc(c->c_len);
-			c->c_status = CS_KEYS;
-			break;
-		case CS_KEYS:
-			keyprint(c, keygrab_ssh1(c));
-			confree(s);
-			return;
-		default:
-			fatal("conread: invalid status %d", c->c_status);
-			break;
-		}
-
-	contouch(s);
-}
-
-static void
-conloop(void)
-{
-	struct timeval seltime, now;
-	fd_set *r, *e;
-	con *c;
-	int i;
-
-	gettimeofday(&now, NULL);
-	c = TAILQ_FIRST(&tq);
-
-	if (c && (c->c_tv.tv_sec > now.tv_sec ||
-	    (c->c_tv.tv_sec == now.tv_sec && c->c_tv.tv_usec > now.tv_usec))) {
-		seltime = c->c_tv;
-		seltime.tv_sec -= now.tv_sec;
-		seltime.tv_usec -= now.tv_usec;
-		if (seltime.tv_usec < 0) {
-			seltime.tv_usec += 1000000;
-			seltime.tv_sec--;
-		}
-	} else
-		seltime.tv_sec = seltime.tv_usec = 0;
-
-	r = xcalloc(read_wait_nfdset, sizeof(fd_mask));
-	e = xcalloc(read_wait_nfdset, sizeof(fd_mask));
-	memcpy(r, read_wait, read_wait_nfdset * sizeof(fd_mask));
-	memcpy(e, read_wait, read_wait_nfdset * sizeof(fd_mask));
-
-	while (select(maxfd, r, NULL, e, &seltime) == -1 &&
-	    (errno == EAGAIN || errno == EINTR))
-		;
-
-	for (i = 0; i < maxfd; i++) {
-		if (FD_ISSET(i, e)) {
-			error("%s: exception!", fdcon[i].c_name);
-			confree(i);
-		} else if (FD_ISSET(i, r))
-			conread(i);
-	}
-	xfree(r);
-	xfree(e);
-
-	c = TAILQ_FIRST(&tq);
-	while (c && (c->c_tv.tv_sec < now.tv_sec ||
-	    (c->c_tv.tv_sec == now.tv_sec && c->c_tv.tv_usec < now.tv_usec))) {
-		int s = c->c_fd;
-
-		c = TAILQ_NEXT(c, c_link);
-		conrecycle(s);
-	}
-}
-
-static void
-do_host(char *host)
-{
-	char *name = strnnsep(&host, " \t\n");
-	int j;
-
-	if (name == NULL)
-		return;
-	for (j = KT_RSA1; j <= KT_RSA; j *= 2) {
-		if (get_keytypes & j) {
-			while (ncon >= MAXCON)
-				conloop();
-			conalloc(name, *host ? host : name, j);
-		}
-	}
-}
-
-void
-fatal(const char *fmt,...)
-{
-	va_list args;
-
-	va_start(args, fmt);
-	do_log(SYSLOG_LEVEL_FATAL, fmt, args);
-	va_end(args);
-	if (nonfatal_fatal)
-		longjmp(kexjmp, -1);
-	else
-		exit(255);
-}
-
-static void
-usage(void)
-{
-	fprintf(stderr, "usage: %s [-46Hv] [-f file] [-p port] [-T timeout] [-t type]\n"
-	    "\t\t   [host | addrlist namelist] [...]\n",
-	    __progname);
-	exit(1);
-}
-
-int
-main(int argc, char **argv)
-{
-	int debug_flag = 0, log_level = SYSLOG_LEVEL_INFO;
-	int opt, fopt_count = 0;
-	char *tname;
-
-	extern int optind;
-	extern char *optarg;
-
-	__progname = ssh_get_progname(argv[0]);
-	init_rng();
-	seed_rng();
-	TAILQ_INIT(&tq);
-
-	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
-	sanitise_stdfd();
-
-	if (argc <= 1)
-		usage();
-
-	while ((opt = getopt(argc, argv, "Hv46p:T:t:f:")) != -1) {
-		switch (opt) {
-		case 'H':
-			hash_hosts = 1;
-			break;
-		case 'p':
-			ssh_port = a2port(optarg);
-			if (ssh_port == 0) {
-				fprintf(stderr, "Bad port '%s'\n", optarg);
-				exit(1);
-			}
-			break;
-		case 'T':
-			timeout = convtime(optarg);
-			if (timeout == -1 || timeout == 0) {
-				fprintf(stderr, "Bad timeout '%s'\n", optarg);
-				usage();
-			}
-			break;
-		case 'v':
-			if (!debug_flag) {
-				debug_flag = 1;
-				log_level = SYSLOG_LEVEL_DEBUG1;
-			}
-			else if (log_level < SYSLOG_LEVEL_DEBUG3)
-				log_level++;
-			else
-				fatal("Too high debugging level.");
-			break;
-		case 'f':
-			if (strcmp(optarg, "-") == 0)
-				optarg = NULL;
-			argv[fopt_count++] = optarg;
-			break;
-		case 't':
-			get_keytypes = 0;
-			tname = strtok(optarg, ",");
-			while (tname) {
-				int type = key_type_from_name(tname);
-				switch (type) {
-				case KEY_RSA1:
-					get_keytypes |= KT_RSA1;
-					break;
-				case KEY_DSA:
-					get_keytypes |= KT_DSA;
-					break;
-				case KEY_RSA:
-					get_keytypes |= KT_RSA;
-					break;
-				case KEY_UNSPEC:
-					fatal("unknown key type %s", tname);
-				}
-				tname = strtok(NULL, ",");
-			}
-			break;
-		case '4':
-			IPv4or6 = AF_INET;
-			break;
-		case '6':
-			IPv4or6 = AF_INET6;
-			break;
-		case '?':
-		default:
-			usage();
-		}
-	}
-	if (optind == argc && !fopt_count)
-		usage();
-
-	log_init("ssh-keyscan", log_level, SYSLOG_FACILITY_USER, 1);
-
-	maxfd = fdlim_get(1);
-	if (maxfd < 0)
-		fatal("%s: fdlim_get: bad value", __progname);
-	if (maxfd > MAXMAXFD)
-		maxfd = MAXMAXFD;
-	if (MAXCON <= 0)
-		fatal("%s: not enough file descriptors", __progname);
-	if (maxfd > fdlim_get(0))
-		fdlim_set(maxfd);
-	fdcon = xcalloc(maxfd, sizeof(con));
-
-	read_wait_nfdset = howmany(maxfd, NFDBITS);
-	read_wait = xcalloc(read_wait_nfdset, sizeof(fd_mask));
-
-	if (fopt_count) {
-		Linebuf *lb;
-		char *line;
-		int j;
-
-		for (j = 0; j < fopt_count; j++) {
-			lb = Linebuf_alloc(argv[j], error);
-			if (!lb)
-				continue;
-			while ((line = Linebuf_getline(lb)) != NULL)
-				do_host(line);
-			Linebuf_free(lb);
-		}
-	}
-
-	while (optind < argc)
-		do_host(argv[optind++]);
-
-	while (ncon > 0)
-		conloop();
-
-	return (0);
-}
diff --git a/crypto/openssh/ssh-keyscan/Makefile b/crypto/openssh/ssh-keyscan/Makefile
deleted file mode 100644
index 2ea5c23..0000000
--- a/crypto/openssh/ssh-keyscan/Makefile
+++ /dev/null
@@ -1,18 +0,0 @@
-#	$OpenBSD: Makefile,v 1.4 2001/08/05 23:18:20 markus Exp $
-
-.PATH:		${.CURDIR}/..
-
-PROG=	ssh-keyscan
-BINOWN=	root
-
-BINMODE?=555
-
-BINDIR=	/usr/bin
-MAN=	ssh-keyscan.1
-
-SRCS=	ssh-keyscan.c
-
-.include <bsd.prog.mk>
-
-LDADD+= -lcrypto -lz
-DPADD+= ${LIBCRYPTO} ${LIBZ}
diff --git a/crypto/openssh/ssh-keysign.8 b/crypto/openssh/ssh-keysign.8
deleted file mode 100644
index 4cdcb7a..0000000
--- a/crypto/openssh/ssh-keysign.8
+++ /dev/null
@@ -1,82 +0,0 @@
-.\" $OpenBSD: ssh-keysign.8,v 1.8 2006/02/24 20:22:16 jmc Exp $
-.\"
-.\" Copyright (c) 2002 Markus Friedl.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in the
-.\"    documentation and/or other materials provided with the distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd May 24, 2002
-.Dt SSH-KEYSIGN 8
-.Os
-.Sh NAME
-.Nm ssh-keysign
-.Nd ssh helper program for host-based authentication
-.Sh SYNOPSIS
-.Nm
-.Sh DESCRIPTION
-.Nm
-is used by
-.Xr ssh 1
-to access the local host keys and generate the digital signature
-required during host-based authentication with SSH protocol version 2.
-.Pp
-.Nm
-is disabled by default and can only be enabled in the
-global client configuration file
-.Pa /etc/ssh/ssh_config
-by setting
-.Cm EnableSSHKeysign
-to
-.Dq yes .
-.Pp
-.Nm
-is not intended to be invoked by the user, but from
-.Xr ssh 1 .
-See
-.Xr ssh 1
-and
-.Xr sshd 8
-for more information about host-based authentication.
-.Sh FILES
-.Bl -tag -width Ds
-.It Pa /etc/ssh/ssh_config
-Controls whether
-.Nm
-is enabled.
-.It Pa /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key
-These files contain the private parts of the host keys used to
-generate the digital signature.
-They should be owned by root, readable only by root, and not
-accessible to others.
-Since they are readable only by root,
-.Nm
-must be set-uid root if host-based authentication is used.
-.El
-.Sh SEE ALSO
-.Xr ssh 1 ,
-.Xr ssh-keygen 1 ,
-.Xr ssh_config 5 ,
-.Xr sshd 8
-.Sh HISTORY
-.Nm
-first appeared in
-.Ox 3.2 .
-.Sh AUTHORS
-.An Markus Friedl Aq markus@openbsd.org
diff --git a/crypto/openssh/ssh-keysign.c b/crypto/openssh/ssh-keysign.c
deleted file mode 100644
index c4bc7e5..0000000
--- a/crypto/openssh/ssh-keysign.c
+++ /dev/null
@@ -1,254 +0,0 @@
-/* $OpenBSD: ssh-keysign.c,v 1.29 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Copyright (c) 2002 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <fcntl.h>
-#ifdef HAVE_PATHS_H
-#include <paths.h>
-#endif
-#include <pwd.h>
-#include <stdarg.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <openssl/evp.h>
-#include <openssl/rand.h>
-#include <openssl/rsa.h>
-
-#include "xmalloc.h"
-#include "log.h"
-#include "key.h"
-#include "ssh.h"
-#include "ssh2.h"
-#include "misc.h"
-#include "buffer.h"
-#include "authfile.h"
-#include "msg.h"
-#include "canohost.h"
-#include "pathnames.h"
-#include "readconf.h"
-#include "uidswap.h"
-
-/* XXX readconf.c needs these */
-uid_t original_real_uid;
-
-extern char *__progname;
-
-static int
-valid_request(struct passwd *pw, char *host, Key **ret, u_char *data,
-    u_int datalen)
-{
-	Buffer b;
-	Key *key = NULL;
-	u_char *pkblob;
-	u_int blen, len;
-	char *pkalg, *p;
-	int pktype, fail;
-
-	fail = 0;
-
-	buffer_init(&b);
-	buffer_append(&b, data, datalen);
-
-	/* session id, currently limited to SHA1 (20 bytes) or SHA256 (32) */
-	p = buffer_get_string(&b, &len);
-	if (len != 20 && len != 32)
-		fail++;
-	xfree(p);
-
-	if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
-		fail++;
-
-	/* server user */
-	buffer_skip_string(&b);
-
-	/* service */
-	p = buffer_get_string(&b, NULL);
-	if (strcmp("ssh-connection", p) != 0)
-		fail++;
-	xfree(p);
-
-	/* method */
-	p = buffer_get_string(&b, NULL);
-	if (strcmp("hostbased", p) != 0)
-		fail++;
-	xfree(p);
-
-	/* pubkey */
-	pkalg = buffer_get_string(&b, NULL);
-	pkblob = buffer_get_string(&b, &blen);
-
-	pktype = key_type_from_name(pkalg);
-	if (pktype == KEY_UNSPEC)
-		fail++;
-	else if ((key = key_from_blob(pkblob, blen)) == NULL)
-		fail++;
-	else if (key->type != pktype)
-		fail++;
-	xfree(pkalg);
-	xfree(pkblob);
-
-	/* client host name, handle trailing dot */
-	p = buffer_get_string(&b, &len);
-	debug2("valid_request: check expect chost %s got %s", host, p);
-	if (strlen(host) != len - 1)
-		fail++;
-	else if (p[len - 1] != '.')
-		fail++;
-	else if (strncasecmp(host, p, len - 1) != 0)
-		fail++;
-	xfree(p);
-
-	/* local user */
-	p = buffer_get_string(&b, NULL);
-
-	if (strcmp(pw->pw_name, p) != 0)
-		fail++;
-	xfree(p);
-
-	/* end of message */
-	if (buffer_len(&b) != 0)
-		fail++;
-	buffer_free(&b);
-
-	debug3("valid_request: fail %d", fail);
-
-	if (fail && key != NULL)
-		key_free(key);
-	else
-		*ret = key;
-
-	return (fail ? -1 : 0);
-}
-
-int
-main(int argc, char **argv)
-{
-	Buffer b;
-	Options options;
-	Key *keys[2], *key = NULL;
-	struct passwd *pw;
-	int key_fd[2], i, found, version = 2, fd;
-	u_char *signature, *data;
-	char *host;
-	u_int slen, dlen;
-	u_int32_t rnd[256];
-
-	/* Ensure that stdin and stdout are connected */
-	if ((fd = open(_PATH_DEVNULL, O_RDWR)) < 2)
-		exit(1);
-	/* Leave /dev/null fd iff it is attached to stderr */
-	if (fd > 2)
-		close(fd);
-
-	key_fd[0] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
-	key_fd[1] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
-
-	original_real_uid = getuid();	/* XXX readconf.c needs this */
-	if ((pw = getpwuid(original_real_uid)) == NULL)
-		fatal("getpwuid failed");
-	pw = pwcopy(pw);
-
-	permanently_set_uid(pw);
-
-	init_rng();
-	seed_rng();
-	arc4random_stir();
-
-#ifdef DEBUG_SSH_KEYSIGN
-	log_init("ssh-keysign", SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
-#endif
-
-	/* verify that ssh-keysign is enabled by the admin */
-	initialize_options(&options);
-	(void)read_config_file(_PATH_HOST_CONFIG_FILE, "", &options, 0);
-	fill_default_options(&options);
-	if (options.enable_ssh_keysign != 1)
-		fatal("ssh-keysign not enabled in %s",
-		    _PATH_HOST_CONFIG_FILE);
-
-	if (key_fd[0] == -1 && key_fd[1] == -1)
-		fatal("could not open any host key");
-
-	SSLeay_add_all_algorithms();
-	for (i = 0; i < 256; i++)
-		rnd[i] = arc4random();
-	RAND_seed(rnd, sizeof(rnd));
-
-	found = 0;
-	for (i = 0; i < 2; i++) {
-		keys[i] = NULL;
-		if (key_fd[i] == -1)
-			continue;
-		keys[i] = key_load_private_pem(key_fd[i], KEY_UNSPEC,
-		    NULL, NULL);
-		close(key_fd[i]);
-		if (keys[i] != NULL)
-			found = 1;
-	}
-	if (!found)
-		fatal("no hostkey found");
-
-	buffer_init(&b);
-	if (ssh_msg_recv(STDIN_FILENO, &b) < 0)
-		fatal("ssh_msg_recv failed");
-	if (buffer_get_char(&b) != version)
-		fatal("bad version");
-	fd = buffer_get_int(&b);
-	if ((fd == STDIN_FILENO) || (fd == STDOUT_FILENO))
-		fatal("bad fd");
-	if ((host = get_local_name(fd)) == NULL)
-		fatal("cannot get sockname for fd");
-
-	data = buffer_get_string(&b, &dlen);
-	if (valid_request(pw, host, &key, data, dlen) < 0)
-		fatal("not a valid request");
-	xfree(host);
-
-	found = 0;
-	for (i = 0; i < 2; i++) {
-		if (keys[i] != NULL &&
-		    key_equal(key, keys[i])) {
-			found = 1;
-			break;
-		}
-	}
-	if (!found)
-		fatal("no matching hostkey found");
-
-	if (key_sign(keys[i], &signature, &slen, data, dlen) != 0)
-		fatal("key_sign failed");
-	xfree(data);
-
-	/* send reply */
-	buffer_clear(&b);
-	buffer_put_string(&b, signature, slen);
-	if (ssh_msg_send(STDOUT_FILENO, version, &b) == -1)
-		fatal("ssh_msg_send failed");
-
-	return (0);
-}
diff --git a/crypto/openssh/ssh-keysign/Makefile b/crypto/openssh/ssh-keysign/Makefile
deleted file mode 100644
index 1a13d9e..0000000
--- a/crypto/openssh/ssh-keysign/Makefile
+++ /dev/null
@@ -1,18 +0,0 @@
-#	$OpenBSD: Makefile,v 1.3 2002/05/31 10:30:33 markus Exp $
-
-.PATH:		${.CURDIR}/..
-
-PROG=	ssh-keysign
-BINOWN=	root
-
-BINMODE?=4555
-
-BINDIR=	/usr/libexec
-MAN=	ssh-keysign.8
-
-SRCS=	ssh-keysign.c
-
-.include <bsd.prog.mk>
-
-LDADD+=	-lcrypto -lz
-DPADD+=	${LIBCRYPTO} ${LIBZ}
diff --git a/crypto/openssh/ssh-rand-helper.8 b/crypto/openssh/ssh-rand-helper.8
deleted file mode 100644
index df559d3..0000000
--- a/crypto/openssh/ssh-rand-helper.8
+++ /dev/null
@@ -1,94 +0,0 @@
-.\" $Id: ssh-rand-helper.8,v 1.2 2003/11/21 12:48:56 djm Exp $
-.\"
-.\" Copyright (c) 2002 Damien Miller.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in the
-.\"    documentation and/or other materials provided with the distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd April 14, 2002
-.Dt SSH-RAND-HELPER 8
-.Os
-.Sh NAME
-.Nm ssh-rand-helper
-.Nd Random number gatherer for OpenSSH
-.Sh SYNOPSIS
-.Nm ssh-rand-hlper
-.Op Fl vxXh
-.Op Fl b Ar bytes
-.Sh DESCRIPTION
-.Nm
-is a small helper program used by
-.Xr ssh 1 ,
-.Xr ssh-add 1 ,
-.Xr ssh-agent 1 ,
-.Xr ssh-keygen 1 ,
-.Xr ssh-keyscan 1
-and
-.Xr sshd 8
-to gather random numbers of cryptographic quality if the
-.Xr openssl 4
-library has not been configured to provide them itself.
-.Pp
-Normally
-.Nm
-will generate a strong random seed and provide it to the calling
-program via standard output. If standard output is a tty,
-.Nm
-will instead print the seed in hexidecimal format unless told otherwise.
-.Pp
-.Nm
-will by default gather random numbers from the system commands listed
-in
-.Pa /etc/ssh/ssh_prng_cmds .
-The output of each of the commands listed will be hashed and used to
-generate a random seed for the calling program.
-.Nm
-will also store seed files in
-.Pa ~/.ssh/prng_seed
-between executions.
-.Pp
-Alternately,
-.Nm
-may be configured at build time to collect random numbers from a
-EGD/PRNGd server via a unix domain or localhost tcp socket.
-.Pp
-This program is not intended to be run by the end-user, so the few
-commandline options are for debugging purposes only.
-.Bl -tag -width Ds
-.It Fl b Ar bytes
-Specify the number of random bytes to include in the output.
-.It Fl x
-Output a hexidecimal instead of a binary seed.
-.It Fl X
-Force output of a binary seed, even if standard output is a tty
-.It Fl v
-Turn on debugging message. Multiple
-.Fl v
-options will increase the debugging level.
-.Fl h
-Display a summary of options.
-.El
-.Sh AUTHORS
-Damien Miller <djm@mindrot.org>
-.Sh SEE ALSO
-.Xr ssh 1 ,
-.Xr ssh-add 1 ,
-.Xr ssh-keygen 1 ,
-.Xr sshd 8
diff --git a/crypto/openssh/ssh-rand-helper.c b/crypto/openssh/ssh-rand-helper.c
deleted file mode 100644
index 8520c3a..0000000
--- a/crypto/openssh/ssh-rand-helper.c
+++ /dev/null
@@ -1,924 +0,0 @@
-/*
- * Copyright (c) 2001-2002 Damien Miller.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/resource.h>
-#include <sys/stat.h>
-#include <sys/wait.h>
-#include <sys/socket.h>
-
-#include <stdarg.h>
-#include <stddef.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#ifdef HAVE_SYS_UN_H
-# include <sys/un.h>
-#endif
-
-#include <errno.h>
-#include <fcntl.h>
-#include <pwd.h>
-#include <signal.h>
-#include <time.h>
-#include <unistd.h>
-
-#include <openssl/rand.h>
-#include <openssl/sha.h>
-#include <openssl/crypto.h>
-
-/* SunOS 4.4.4 needs this */
-#ifdef HAVE_FLOATINGPOINT_H
-# include <floatingpoint.h>
-#endif /* HAVE_FLOATINGPOINT_H */
-
-#include "misc.h"
-#include "xmalloc.h"
-#include "atomicio.h"
-#include "pathnames.h"
-#include "log.h"
-
-/* Number of bytes we write out */
-#define OUTPUT_SEED_SIZE	48
-
-/* Length of on-disk seedfiles */
-#define SEED_FILE_SIZE		1024
-
-/* Maximum number of command-line arguments to read from file */
-#define NUM_ARGS		10
-
-/* Minimum number of usable commands to be considered sufficient */
-#define MIN_ENTROPY_SOURCES	16
-
-/* Path to on-disk seed file (relative to user's home directory */
-#ifndef SSH_PRNG_SEED_FILE
-# define SSH_PRNG_SEED_FILE      _PATH_SSH_USER_DIR"/prng_seed"
-#endif
-
-/* Path to PRNG commands list */
-#ifndef SSH_PRNG_COMMAND_FILE
-# define SSH_PRNG_COMMAND_FILE   SSHDIR "/ssh_prng_cmds"
-#endif
-
-extern char *__progname;
-
-#define WHITESPACE " \t\n"
-
-#ifndef RUSAGE_SELF
-# define RUSAGE_SELF 0
-#endif
-#ifndef RUSAGE_CHILDREN
-# define RUSAGE_CHILDREN 0
-#endif
-
-#if !defined(PRNGD_SOCKET) && !defined(PRNGD_PORT)
-# define USE_SEED_FILES
-#endif
-
-typedef struct {
-	/* Proportion of data that is entropy */
-	double rate;
-	/* Counter goes positive if this command times out */
-	unsigned int badness;
-	/* Increases by factor of two each timeout */
-	unsigned int sticky_badness;
-	/* Path to executable */
-	char *path;
-	/* argv to pass to executable */
-	char *args[NUM_ARGS]; /* XXX: arbitrary limit */
-	/* full command string (debug) */
-	char *cmdstring;
-} entropy_cmd_t;
-
-/* slow command timeouts (all in milliseconds) */
-/* static int entropy_timeout_default = ENTROPY_TIMEOUT_MSEC; */
-static int entropy_timeout_current = ENTROPY_TIMEOUT_MSEC;
-
-/* this is initialised from a file, by prng_read_commands() */
-static entropy_cmd_t *entropy_cmds = NULL;
-
-/* Prototypes */
-double stir_from_system(void);
-double stir_from_programs(void);
-double stir_gettimeofday(double entropy_estimate);
-double stir_clock(double entropy_estimate);
-double stir_rusage(int who, double entropy_estimate);
-double hash_command_output(entropy_cmd_t *src, unsigned char *hash);
-int get_random_bytes_prngd(unsigned char *buf, int len,
-    unsigned short tcp_port, char *socket_path);
-
-/*
- * Collect 'len' bytes of entropy into 'buf' from PRNGD/EGD daemon
- * listening either on 'tcp_port', or via Unix domain socket at *
- * 'socket_path'.
- * Either a non-zero tcp_port or a non-null socket_path must be
- * supplied.
- * Returns 0 on success, -1 on error
- */
-int
-get_random_bytes_prngd(unsigned char *buf, int len,
-    unsigned short tcp_port, char *socket_path)
-{
-	int fd, addr_len, rval, errors;
-	u_char msg[2];
-	struct sockaddr_storage addr;
-	struct sockaddr_in *addr_in = (struct sockaddr_in *)&addr;
-	struct sockaddr_un *addr_un = (struct sockaddr_un *)&addr;
-	mysig_t old_sigpipe;
-
-	/* Sanity checks */
-	if (socket_path == NULL && tcp_port == 0)
-		fatal("You must specify a port or a socket");
-	if (socket_path != NULL &&
-	    strlen(socket_path) >= sizeof(addr_un->sun_path))
-		fatal("Random pool path is too long");
-	if (len <= 0 || len > 255)
-		fatal("Too many bytes (%d) to read from PRNGD", len);
-
-	memset(&addr, '\0', sizeof(addr));
-
-	if (tcp_port != 0) {
-		addr_in->sin_family = AF_INET;
-		addr_in->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
-		addr_in->sin_port = htons(tcp_port);
-		addr_len = sizeof(*addr_in);
-	} else {
-		addr_un->sun_family = AF_UNIX;
-		strlcpy(addr_un->sun_path, socket_path,
-		    sizeof(addr_un->sun_path));
-		addr_len = offsetof(struct sockaddr_un, sun_path) +
-		    strlen(socket_path) + 1;
-	}
-
-	old_sigpipe = mysignal(SIGPIPE, SIG_IGN);
-
-	errors = 0;
-	rval = -1;
-reopen:
-	fd = socket(addr.ss_family, SOCK_STREAM, 0);
-	if (fd == -1) {
-		error("Couldn't create socket: %s", strerror(errno));
-		goto done;
-	}
-
-	if (connect(fd, (struct sockaddr*)&addr, addr_len) == -1) {
-		if (tcp_port != 0) {
-			error("Couldn't connect to PRNGD port %d: %s",
-			    tcp_port, strerror(errno));
-		} else {
-			error("Couldn't connect to PRNGD socket \"%s\": %s",
-			    addr_un->sun_path, strerror(errno));
-		}
-		goto done;
-	}
-
-	/* Send blocking read request to PRNGD */
-	msg[0] = 0x02;
-	msg[1] = len;
-
-	if (atomicio(vwrite, fd, msg, sizeof(msg)) != sizeof(msg)) {
-		if (errno == EPIPE && errors < 10) {
-			close(fd);
-			errors++;
-			goto reopen;
-		}
-		error("Couldn't write to PRNGD socket: %s",
-		    strerror(errno));
-		goto done;
-	}
-
-	if (atomicio(read, fd, buf, len) != (size_t)len) {
-		if (errno == EPIPE && errors < 10) {
-			close(fd);
-			errors++;
-			goto reopen;
-		}
-		error("Couldn't read from PRNGD socket: %s",
-		    strerror(errno));
-		goto done;
-	}
-
-	rval = 0;
-done:
-	mysignal(SIGPIPE, old_sigpipe);
-	if (fd != -1)
-		close(fd);
-	return rval;
-}
-
-static int
-seed_from_prngd(unsigned char *buf, size_t bytes)
-{
-#ifdef PRNGD_PORT
-	debug("trying egd/prngd port %d", PRNGD_PORT);
-	if (get_random_bytes_prngd(buf, bytes, PRNGD_PORT, NULL) == 0)
-		return 0;
-#endif
-#ifdef PRNGD_SOCKET
-	debug("trying egd/prngd socket %s", PRNGD_SOCKET);
-	if (get_random_bytes_prngd(buf, bytes, 0, PRNGD_SOCKET) == 0)
-		return 0;
-#endif
-	return -1;
-}
-
-double
-stir_gettimeofday(double entropy_estimate)
-{
-	struct timeval tv;
-
-	if (gettimeofday(&tv, NULL) == -1)
-		fatal("Couldn't gettimeofday: %s", strerror(errno));
-
-	RAND_add(&tv, sizeof(tv), entropy_estimate);
-
-	return entropy_estimate;
-}
-
-double
-stir_clock(double entropy_estimate)
-{
-#ifdef HAVE_CLOCK
-	clock_t c;
-
-	c = clock();
-	RAND_add(&c, sizeof(c), entropy_estimate);
-
-	return entropy_estimate;
-#else /* _HAVE_CLOCK */
-	return 0;
-#endif /* _HAVE_CLOCK */
-}
-
-double
-stir_rusage(int who, double entropy_estimate)
-{
-#ifdef HAVE_GETRUSAGE
-	struct rusage ru;
-
-	if (getrusage(who, &ru) == -1)
-		return 0;
-
-	RAND_add(&ru, sizeof(ru), entropy_estimate);
-
-	return entropy_estimate;
-#else /* _HAVE_GETRUSAGE */
-	return 0;
-#endif /* _HAVE_GETRUSAGE */
-}
-
-static int
-timeval_diff(struct timeval *t1, struct timeval *t2)
-{
-	int secdiff, usecdiff;
-
-	secdiff = t2->tv_sec - t1->tv_sec;
-	usecdiff = (secdiff*1000000) + (t2->tv_usec - t1->tv_usec);
-	return (int)(usecdiff / 1000);
-}
-
-double
-hash_command_output(entropy_cmd_t *src, unsigned char *hash)
-{
-	char buf[8192];
-	fd_set rdset;
-	int bytes_read, cmd_eof, error_abort, msec_elapsed, p[2];
-	int status, total_bytes_read;
-	static int devnull = -1;
-	pid_t pid;
-	SHA_CTX sha;
-	struct timeval tv_start, tv_current;
-
-	debug3("Reading output from \'%s\'", src->cmdstring);
-
-	if (devnull == -1) {
-		devnull = open("/dev/null", O_RDWR);
-		if (devnull == -1)
-			fatal("Couldn't open /dev/null: %s",
-			    strerror(errno));
-	}
-
-	if (pipe(p) == -1)
-		fatal("Couldn't open pipe: %s", strerror(errno));
-
-	(void)gettimeofday(&tv_start, NULL); /* record start time */
-
-	switch (pid = fork()) {
-		case -1: /* Error */
-			close(p[0]);
-			close(p[1]);
-			fatal("Couldn't fork: %s", strerror(errno));
-			/* NOTREACHED */
-		case 0: /* Child */
-			dup2(devnull, STDIN_FILENO);
-			dup2(p[1], STDOUT_FILENO);
-			dup2(p[1], STDERR_FILENO);
-			close(p[0]);
-			close(p[1]);
-			close(devnull);
-
-			execv(src->path, (char**)(src->args));
-
-			debug("(child) Couldn't exec '%s': %s",
-			    src->cmdstring, strerror(errno));
-			_exit(-1);
-		default: /* Parent */
-			break;
-	}
-
-	RAND_add(&pid, sizeof(&pid), 0.0);
-
-	close(p[1]);
-
-	/* Hash output from child */
-	SHA1_Init(&sha);
-
-	cmd_eof = error_abort = msec_elapsed = total_bytes_read = 0;
-	while (!error_abort && !cmd_eof) {
-		int ret;
-		struct timeval tv;
-		int msec_remaining;
-
-		(void) gettimeofday(&tv_current, 0);
-		msec_elapsed = timeval_diff(&tv_start, &tv_current);
-		if (msec_elapsed >= entropy_timeout_current) {
-			error_abort=1;
-			continue;
-		}
-		msec_remaining = entropy_timeout_current - msec_elapsed;
-
-		FD_ZERO(&rdset);
-		FD_SET(p[0], &rdset);
-		tv.tv_sec = msec_remaining / 1000;
-		tv.tv_usec = (msec_remaining % 1000) * 1000;
-
-		ret = select(p[0] + 1, &rdset, NULL, NULL, &tv);
-
-		RAND_add(&tv, sizeof(tv), 0.0);
-
-		switch (ret) {
-		case 0:
-			/* timer expired */
-			error_abort = 1;
-			kill(pid, SIGINT);
-			break;
-		case 1:
-			/* command input */
-			do {
-				bytes_read = read(p[0], buf, sizeof(buf));
-			} while (bytes_read == -1 && errno == EINTR);
-			RAND_add(&bytes_read, sizeof(&bytes_read), 0.0);
-			if (bytes_read == -1) {
-				error_abort = 1;
-				break;
-			} else if (bytes_read) {
-				SHA1_Update(&sha, buf, bytes_read);
-				total_bytes_read += bytes_read;
-			} else {
-				cmd_eof = 1;
-			}
-			break;
-		case -1:
-		default:
-			/* error */
-			debug("Command '%s': select() failed: %s",
-			    src->cmdstring, strerror(errno));
-			error_abort = 1;
-			break;
-		}
-	}
-
-	SHA1_Final(hash, &sha);
-
-	close(p[0]);
-
-	debug3("Time elapsed: %d msec", msec_elapsed);
-
-	if (waitpid(pid, &status, 0) == -1) {
-		error("Couldn't wait for child '%s' completion: %s",
-		    src->cmdstring, strerror(errno));
-		return 0.0;
-	}
-
-	RAND_add(&status, sizeof(&status), 0.0);
-
-	if (error_abort) {
-		/*
-		 * Closing p[0] on timeout causes the entropy command to
-		 * SIGPIPE. Take whatever output we got, and mark this
-		 * command as slow
-		 */
-		debug2("Command '%s' timed out", src->cmdstring);
-		src->sticky_badness *= 2;
-		src->badness = src->sticky_badness;
-		return total_bytes_read;
-	}
-
-	if (WIFEXITED(status)) {
-		if (WEXITSTATUS(status) == 0) {
-			return total_bytes_read;
-		} else {
-			debug2("Command '%s' exit status was %d",
-			    src->cmdstring, WEXITSTATUS(status));
-			src->badness = src->sticky_badness = 128;
-			return 0.0;
-		}
-	} else if (WIFSIGNALED(status)) {
-		debug2("Command '%s' returned on uncaught signal %d !",
-		    src->cmdstring, status);
-		src->badness = src->sticky_badness = 128;
-		return 0.0;
-	} else
-		return 0.0;
-}
-
-double
-stir_from_system(void)
-{
-	double total_entropy_estimate;
-	long int i;
-
-	total_entropy_estimate = 0;
-
-	i = getpid();
-	RAND_add(&i, sizeof(i), 0.5);
-	total_entropy_estimate += 0.1;
-
-	i = getppid();
-	RAND_add(&i, sizeof(i), 0.5);
-	total_entropy_estimate += 0.1;
-
-	i = getuid();
-	RAND_add(&i, sizeof(i), 0.0);
-	i = getgid();
-	RAND_add(&i, sizeof(i), 0.0);
-
-	total_entropy_estimate += stir_gettimeofday(1.0);
-	total_entropy_estimate += stir_clock(0.5);
-	total_entropy_estimate += stir_rusage(RUSAGE_SELF, 2.0);
-
-	return total_entropy_estimate;
-}
-
-double
-stir_from_programs(void)
-{
-	int c;
-	double entropy, total_entropy;
-	unsigned char hash[SHA_DIGEST_LENGTH];
-
-	total_entropy = 0;
-	for(c = 0; entropy_cmds[c].path != NULL; c++) {
-		if (!entropy_cmds[c].badness) {
-			/* Hash output from command */
-			entropy = hash_command_output(&entropy_cmds[c],
-			    hash);
-
-			/* Scale back estimate by command's rate */
-			entropy *= entropy_cmds[c].rate;
-
-			/* Upper bound of entropy is SHA_DIGEST_LENGTH */
-			if (entropy > SHA_DIGEST_LENGTH)
-				entropy = SHA_DIGEST_LENGTH;
-
-			/* Stir it in */
-			RAND_add(hash, sizeof(hash), entropy);
-
-			debug3("Got %0.2f bytes of entropy from '%s'",
-			    entropy, entropy_cmds[c].cmdstring);
-
-			total_entropy += entropy;
-
-			/* Execution time should be a bit unpredictable */
-			total_entropy += stir_gettimeofday(0.05);
-			total_entropy += stir_clock(0.05);
-			total_entropy += stir_rusage(RUSAGE_SELF, 0.1);
-			total_entropy += stir_rusage(RUSAGE_CHILDREN, 0.1);
-		} else {
-			debug2("Command '%s' disabled (badness %d)",
-			    entropy_cmds[c].cmdstring,
-			    entropy_cmds[c].badness);
-
-			if (entropy_cmds[c].badness > 0)
-				entropy_cmds[c].badness--;
-		}
-	}
-
-	return total_entropy;
-}
-
-/*
- * prng seedfile functions
- */
-int
-prng_check_seedfile(char *filename)
-{
-	struct stat st;
-
-	/*
-	 * XXX raceable: eg replace seed between this stat and subsequent
-	 * open. Not such a problem because we don't really trust the
-	 * seed file anyway.
-	 * XXX: use secure path checking as elsewhere in OpenSSH
-	 */
-	if (lstat(filename, &st) == -1) {
-		/* Give up on hard errors */
-		if (errno != ENOENT)
-			debug("WARNING: Couldn't stat random seed file "
-			    "\"%.100s\": %s", filename, strerror(errno));
-		return 0;
-	}
-
-	/* regular file? */
-	if (!S_ISREG(st.st_mode))
-		fatal("PRNG seedfile %.100s is not a regular file",
-		    filename);
-
-	/* mode 0600, owned by root or the current user? */
-	if (((st.st_mode & 0177) != 0) || !(st.st_uid == getuid())) {
-		debug("WARNING: PRNG seedfile %.100s must be mode 0600, "
-		    "owned by uid %li", filename, (long int)getuid());
-		return 0;
-	}
-
-	return 1;
-}
-
-void
-prng_write_seedfile(void)
-{
-	int fd, save_errno;
-	unsigned char seed[SEED_FILE_SIZE];
-	char filename[MAXPATHLEN], tmpseed[MAXPATHLEN];
-	struct passwd *pw;
-	mode_t old_umask;
-
-	pw = getpwuid(getuid());
-	if (pw == NULL)
-		fatal("Couldn't get password entry for current user "
-		    "(%li): %s", (long int)getuid(), strerror(errno));
-
-	/* Try to ensure that the parent directory is there */
-	snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir,
-	    _PATH_SSH_USER_DIR);
-	if (mkdir(filename, 0700) < 0 && errno != EEXIST)
-		fatal("mkdir %.200s: %s", filename, strerror(errno));
-
-	snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir,
-	    SSH_PRNG_SEED_FILE);
-
-	strlcpy(tmpseed, filename, sizeof(tmpseed));
-	if (strlcat(tmpseed, ".XXXXXXXXXX", sizeof(tmpseed)) >=
-	    sizeof(tmpseed))
-		fatal("PRNG seed filename too long");
-
-	if (RAND_bytes(seed, sizeof(seed)) <= 0)
-		fatal("PRNG seed extraction failed");
-
-	/* Don't care if the seed doesn't exist */
-	prng_check_seedfile(filename);
-
-	old_umask = umask(0177);
-
-	if ((fd = mkstemp(tmpseed)) == -1) {
-		debug("WARNING: couldn't make temporary PRNG seedfile %.100s "
-		    "(%.100s)", tmpseed, strerror(errno));
-	} else {
-		debug("writing PRNG seed to file %.100s", tmpseed);
-		if (atomicio(vwrite, fd, &seed, sizeof(seed)) < sizeof(seed)) {
-			save_errno = errno;
-			close(fd);
-			unlink(tmpseed);
-			fatal("problem writing PRNG seedfile %.100s "
-			    "(%.100s)", filename, strerror(save_errno));
-		}
-		close(fd);
-		debug("moving temporary PRNG seed to file %.100s", filename);
-		if (rename(tmpseed, filename) == -1) {
-			save_errno = errno;
-			unlink(tmpseed);
-			fatal("problem renaming PRNG seedfile from %.100s "
-			    "to %.100s (%.100s)", tmpseed, filename,
-			    strerror(save_errno));
-		}
-	}
-	umask(old_umask);
-}
-
-void
-prng_read_seedfile(void)
-{
-	int fd;
-	char seed[SEED_FILE_SIZE], filename[MAXPATHLEN];
-	struct passwd *pw;
-
-	pw = getpwuid(getuid());
-	if (pw == NULL)
-		fatal("Couldn't get password entry for current user "
-		    "(%li): %s", (long int)getuid(), strerror(errno));
-
-	snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir,
-		SSH_PRNG_SEED_FILE);
-
-	debug("loading PRNG seed from file %.100s", filename);
-
-	if (!prng_check_seedfile(filename)) {
-		verbose("Random seed file not found or invalid, ignoring.");
-		return;
-	}
-
-	/* open the file and read in the seed */
-	fd = open(filename, O_RDONLY);
-	if (fd == -1)
-		fatal("could not open PRNG seedfile %.100s (%.100s)",
-		    filename, strerror(errno));
-
-	if (atomicio(read, fd, &seed, sizeof(seed)) < sizeof(seed)) {
-		verbose("invalid or short read from PRNG seedfile "
-		    "%.100s - ignoring", filename);
-		memset(seed, '\0', sizeof(seed));
-	}
-	close(fd);
-
-	/* stir in the seed, with estimated entropy zero */
-	RAND_add(&seed, sizeof(seed), 0.0);
-}
-
-
-/*
- * entropy command initialisation functions
- */
-int
-prng_read_commands(char *cmdfilename)
-{
-	char cmd[SEED_FILE_SIZE], *cp, line[1024], path[SEED_FILE_SIZE];
-	double est;
-	entropy_cmd_t *entcmd;
-	FILE *f;
-	int cur_cmd, linenum, num_cmds, arg;
-
-	if ((f = fopen(cmdfilename, "r")) == NULL) {
-		fatal("couldn't read entropy commands file %.100s: %.100s",
-		    cmdfilename, strerror(errno));
-	}
-
-	num_cmds = 64;
-	entcmd = xcalloc(num_cmds, sizeof(entropy_cmd_t));
-
-	/* Read in file */
-	cur_cmd = linenum = 0;
-	while (fgets(line, sizeof(line), f)) {
-		linenum++;
-
-		/* Skip leading whitespace, blank lines and comments */
-		cp = line + strspn(line, WHITESPACE);
-		if ((*cp == 0) || (*cp == '#'))
-			continue; /* done with this line */
-
-		/*
-		 * The first non-whitespace char should be a double quote
-		 * delimiting the commandline
-		 */
-		if (*cp != '"') {
-			error("bad entropy command, %.100s line %d",
-			    cmdfilename, linenum);
-			continue;
-		}
-
-		/*
-		 * First token, command args (incl. argv[0]) in double
-		 * quotes
-		 */
-		cp = strtok(cp, "\"");
-		if (cp == NULL) {
-			error("missing or bad command string, %.100s "
-			    "line %d -- ignored", cmdfilename, linenum);
-			continue;
-		}
-		strlcpy(cmd, cp, sizeof(cmd));
-
-		/* Second token, full command path */
-		if ((cp = strtok(NULL, WHITESPACE)) == NULL) {
-			error("missing command path, %.100s "
-			    "line %d -- ignored", cmdfilename, linenum);
-			continue;
-		}
-
-		/* Did configure mark this as dead? */
-		if (strncmp("undef", cp, 5) == 0)
-			continue;
-
-		strlcpy(path, cp, sizeof(path));
-
-		/* Third token, entropy rate estimate for this command */
-		if ((cp = strtok(NULL, WHITESPACE)) == NULL) {
-			error("missing entropy estimate, %.100s "
-			    "line %d -- ignored", cmdfilename, linenum);
-			continue;
-		}
-		est = strtod(cp, NULL);
-
-		/* end of line */
-		if ((cp = strtok(NULL, WHITESPACE)) != NULL) {
-			error("garbage at end of line %d in %.100s "
-			    "-- ignored", linenum, cmdfilename);
-			continue;
-		}
-
-		/* save the command for debug messages */
-		entcmd[cur_cmd].cmdstring = xstrdup(cmd);
-
-		/* split the command args */
-		cp = strtok(cmd, WHITESPACE);
-		arg = 0;
-		do {
-			entcmd[cur_cmd].args[arg] = xstrdup(cp);
-			arg++;
-		} while(arg < NUM_ARGS && (cp = strtok(NULL, WHITESPACE)));
-
-		if (strtok(NULL, WHITESPACE))
-			error("ignored extra commands (max %d), %.100s "
-			    "line %d", NUM_ARGS, cmdfilename, linenum);
-
-		/* Copy the command path and rate estimate */
-		entcmd[cur_cmd].path = xstrdup(path);
-		entcmd[cur_cmd].rate = est;
-
-		/* Initialise other values */
-		entcmd[cur_cmd].sticky_badness = 1;
-
-		cur_cmd++;
-
-		/*
-		 * If we've filled the array, reallocate it twice the size
-		 * Do this now because even if this we're on the last
-		 * command we need another slot to mark the last entry
-		 */
-		if (cur_cmd == num_cmds) {
-			num_cmds *= 2;
-			entcmd = xrealloc(entcmd, num_cmds,
-			    sizeof(entropy_cmd_t));
-		}
-	}
-
-	/* zero the last entry */
-	memset(&entcmd[cur_cmd], '\0', sizeof(entropy_cmd_t));
-
-	/* trim to size */
-	entropy_cmds = xrealloc(entcmd, (cur_cmd + 1),
-	    sizeof(entropy_cmd_t));
-
-	debug("Loaded %d entropy commands from %.100s", cur_cmd,
-	    cmdfilename);
-
-	fclose(f);
-	return cur_cmd < MIN_ENTROPY_SOURCES ? -1 : 0;
-}
-
-void
-usage(void)
-{
-	fprintf(stderr, "Usage: %s [options]\n", __progname);
-	fprintf(stderr, "  -v          Verbose; display verbose debugging messages.\n");
-	fprintf(stderr, "              Multiple -v increases verbosity.\n");
-	fprintf(stderr, "  -x          Force output in hexadecimal (for debugging)\n");
-	fprintf(stderr, "  -X          Force output in binary\n");
-	fprintf(stderr, "  -b bytes    Number of bytes to output (default %d)\n",
-	    OUTPUT_SEED_SIZE);
-}
-
-int
-main(int argc, char **argv)
-{
-	unsigned char *buf;
-	int ret, ch, debug_level, output_hex, bytes;
-	extern char *optarg;
-	LogLevel ll;
-
-	__progname = ssh_get_progname(argv[0]);
-	log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
-
-	ll = SYSLOG_LEVEL_INFO;
-	debug_level = output_hex = 0;
-	bytes = OUTPUT_SEED_SIZE;
-
-	/* Don't write binary data to a tty, unless we are forced to */
-	if (isatty(STDOUT_FILENO))
-		output_hex = 1;
-
-	while ((ch = getopt(argc, argv, "vxXhb:")) != -1) {
-		switch (ch) {
-		case 'v':
-			if (debug_level < 3)
-				ll = SYSLOG_LEVEL_DEBUG1 + debug_level++;
-			break;
-		case 'x':
-			output_hex = 1;
-			break;
-		case 'X':
-			output_hex = 0;
-			break;
-		case 'b':
-			if ((bytes = atoi(optarg)) <= 0)
-				fatal("Invalid number of output bytes");
-			break;
-		case 'h':
-			usage();
-			exit(0);
-		default:
-			error("Invalid commandline option");
-			usage();
-		}
-	}
-
-	log_init(argv[0], ll, SYSLOG_FACILITY_USER, 1);
-
-#ifdef USE_SEED_FILES
-	prng_read_seedfile();
-#endif
-
-	buf = xmalloc(bytes);
-
-	/*
-	 * Seed the RNG from wherever we can
-	 */
-
-	/* Take whatever is on the stack, but don't credit it */
-	RAND_add(buf, bytes, 0);
-
-	debug("Seeded RNG with %i bytes from system calls",
-	    (int)stir_from_system());
-
-	/* try prngd, fall back to commands if prngd fails or not configured */
-	if (seed_from_prngd(buf, bytes) == 0) {
-		RAND_add(buf, bytes, bytes);
-	} else {
-		/* Read in collection commands */
-		if (prng_read_commands(SSH_PRNG_COMMAND_FILE) == -1)
-			fatal("PRNG initialisation failed -- exiting.");
-		debug("Seeded RNG with %i bytes from programs",
-		    (int)stir_from_programs());
-	}
-
-#ifdef USE_SEED_FILES
-	prng_write_seedfile();
-#endif
-
-	/*
-	 * Write the seed to stdout
-	 */
-
-	if (!RAND_status())
-		fatal("Not enough entropy in RNG");
-
-	if (RAND_bytes(buf, bytes) <= 0)
-		fatal("Couldn't extract entropy from PRNG");
-
-	if (output_hex) {
-		for(ret = 0; ret < bytes; ret++)
-			printf("%02x", (unsigned char)(buf[ret]));
-		printf("\n");
-	} else
-		ret = atomicio(vwrite, STDOUT_FILENO, buf, bytes);
-
-	memset(buf, '\0', bytes);
-	xfree(buf);
-
-	return ret == bytes ? 0 : 1;
-}
-
-/*
- * We may attempt to re-seed during mkstemp if we are using the one in the
- * compat library (via mkstemp -> _gettemp -> arc4random -> seed_rng) so we
- * need our own seed_rng().  We must also check that we have enough entropy.
- */
-void
-seed_rng(void)
-{
-	if (!RAND_status())
-		fatal("Not enough entropy in RNG");
-}
diff --git a/crypto/openssh/ssh-rsa.c b/crypto/openssh/ssh-rsa.c
deleted file mode 100644
index 0e16ff8..0000000
--- a/crypto/openssh/ssh-rsa.c
+++ /dev/null
@@ -1,263 +0,0 @@
-/* $OpenBSD: ssh-rsa.c,v 1.39 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Copyright (c) 2000, 2003 Markus Friedl <markus@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <openssl/evp.h>
-#include <openssl/err.h>
-
-#include <stdarg.h>
-#include <string.h>
-
-#include "xmalloc.h"
-#include "log.h"
-#include "buffer.h"
-#include "key.h"
-#include "compat.h"
-#include "ssh.h"
-
-static int openssh_RSA_verify(int, u_char *, u_int, u_char *, u_int, RSA *);
-
-/* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */
-int
-ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp,
-    const u_char *data, u_int datalen)
-{
-	const EVP_MD *evp_md;
-	EVP_MD_CTX md;
-	u_char digest[EVP_MAX_MD_SIZE], *sig;
-	u_int slen, dlen, len;
-	int ok, nid;
-	Buffer b;
-
-	if (key == NULL || key->type != KEY_RSA || key->rsa == NULL) {
-		error("ssh_rsa_sign: no RSA key");
-		return -1;
-	}
-	nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1;
-	if ((evp_md = EVP_get_digestbynid(nid)) == NULL) {
-		error("ssh_rsa_sign: EVP_get_digestbynid %d failed", nid);
-		return -1;
-	}
-	EVP_DigestInit(&md, evp_md);
-	EVP_DigestUpdate(&md, data, datalen);
-	EVP_DigestFinal(&md, digest, &dlen);
-
-	slen = RSA_size(key->rsa);
-	sig = xmalloc(slen);
-
-	ok = RSA_sign(nid, digest, dlen, sig, &len, key->rsa);
-	memset(digest, 'd', sizeof(digest));
-
-	if (ok != 1) {
-		int ecode = ERR_get_error();
-
-		error("ssh_rsa_sign: RSA_sign failed: %s",
-		    ERR_error_string(ecode, NULL));
-		xfree(sig);
-		return -1;
-	}
-	if (len < slen) {
-		u_int diff = slen - len;
-		debug("slen %u > len %u", slen, len);
-		memmove(sig + diff, sig, len);
-		memset(sig, 0, diff);
-	} else if (len > slen) {
-		error("ssh_rsa_sign: slen %u slen2 %u", slen, len);
-		xfree(sig);
-		return -1;
-	}
-	/* encode signature */
-	buffer_init(&b);
-	buffer_put_cstring(&b, "ssh-rsa");
-	buffer_put_string(&b, sig, slen);
-	len = buffer_len(&b);
-	if (lenp != NULL)
-		*lenp = len;
-	if (sigp != NULL) {
-		*sigp = xmalloc(len);
-		memcpy(*sigp, buffer_ptr(&b), len);
-	}
-	buffer_free(&b);
-	memset(sig, 's', slen);
-	xfree(sig);
-
-	return 0;
-}
-
-int
-ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
-    const u_char *data, u_int datalen)
-{
-	Buffer b;
-	const EVP_MD *evp_md;
-	EVP_MD_CTX md;
-	char *ktype;
-	u_char digest[EVP_MAX_MD_SIZE], *sigblob;
-	u_int len, dlen, modlen;
-	int rlen, ret, nid;
-
-	if (key == NULL || key->type != KEY_RSA || key->rsa == NULL) {
-		error("ssh_rsa_verify: no RSA key");
-		return -1;
-	}
-	if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
-		error("ssh_rsa_verify: RSA modulus too small: %d < minimum %d bits",
-		    BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
-		return -1;
-	}
-	buffer_init(&b);
-	buffer_append(&b, signature, signaturelen);
-	ktype = buffer_get_string(&b, NULL);
-	if (strcmp("ssh-rsa", ktype) != 0) {
-		error("ssh_rsa_verify: cannot handle type %s", ktype);
-		buffer_free(&b);
-		xfree(ktype);
-		return -1;
-	}
-	xfree(ktype);
-	sigblob = buffer_get_string(&b, &len);
-	rlen = buffer_len(&b);
-	buffer_free(&b);
-	if (rlen != 0) {
-		error("ssh_rsa_verify: remaining bytes in signature %d", rlen);
-		xfree(sigblob);
-		return -1;
-	}
-	/* RSA_verify expects a signature of RSA_size */
-	modlen = RSA_size(key->rsa);
-	if (len > modlen) {
-		error("ssh_rsa_verify: len %u > modlen %u", len, modlen);
-		xfree(sigblob);
-		return -1;
-	} else if (len < modlen) {
-		u_int diff = modlen - len;
-		debug("ssh_rsa_verify: add padding: modlen %u > len %u",
-		    modlen, len);
-		sigblob = xrealloc(sigblob, 1, modlen);
-		memmove(sigblob + diff, sigblob, len);
-		memset(sigblob, 0, diff);
-		len = modlen;
-	}
-	nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1;
-	if ((evp_md = EVP_get_digestbynid(nid)) == NULL) {
-		error("ssh_rsa_verify: EVP_get_digestbynid %d failed", nid);
-		xfree(sigblob);
-		return -1;
-	}
-	EVP_DigestInit(&md, evp_md);
-	EVP_DigestUpdate(&md, data, datalen);
-	EVP_DigestFinal(&md, digest, &dlen);
-
-	ret = openssh_RSA_verify(nid, digest, dlen, sigblob, len, key->rsa);
-	memset(digest, 'd', sizeof(digest));
-	memset(sigblob, 's', len);
-	xfree(sigblob);
-	debug("ssh_rsa_verify: signature %scorrect", (ret==0) ? "in" : "");
-	return ret;
-}
-
-/*
- * See:
- * http://www.rsasecurity.com/rsalabs/pkcs/pkcs-1/
- * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.asn
- */
-/*
- * id-sha1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
- *	oiw(14) secsig(3) algorithms(2) 26 }
- */
-static const u_char id_sha1[] = {
-	0x30, 0x21, /* type Sequence, length 0x21 (33) */
-	0x30, 0x09, /* type Sequence, length 0x09 */
-	0x06, 0x05, /* type OID, length 0x05 */
-	0x2b, 0x0e, 0x03, 0x02, 0x1a, /* id-sha1 OID */
-	0x05, 0x00, /* NULL */
-	0x04, 0x14  /* Octet string, length 0x14 (20), followed by sha1 hash */
-};
-/*
- * id-md5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
- *	rsadsi(113549) digestAlgorithm(2) 5 }
- */
-static const u_char id_md5[] = {
-	0x30, 0x20, /* type Sequence, length 0x20 (32) */
-	0x30, 0x0c, /* type Sequence, length 0x09 */
-	0x06, 0x08, /* type OID, length 0x05 */
-	0x2a, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, /* id-md5 */
-	0x05, 0x00, /* NULL */
-	0x04, 0x10  /* Octet string, length 0x10 (16), followed by md5 hash */
-};
-
-static int
-openssh_RSA_verify(int type, u_char *hash, u_int hashlen,
-    u_char *sigbuf, u_int siglen, RSA *rsa)
-{
-	u_int ret, rsasize, oidlen = 0, hlen = 0;
-	int len;
-	const u_char *oid = NULL;
-	u_char *decrypted = NULL;
-
-	ret = 0;
-	switch (type) {
-	case NID_sha1:
-		oid = id_sha1;
-		oidlen = sizeof(id_sha1);
-		hlen = 20;
-		break;
-	case NID_md5:
-		oid = id_md5;
-		oidlen = sizeof(id_md5);
-		hlen = 16;
-		break;
-	default:
-		goto done;
-	}
-	if (hashlen != hlen) {
-		error("bad hashlen");
-		goto done;
-	}
-	rsasize = RSA_size(rsa);
-	if (siglen == 0 || siglen > rsasize) {
-		error("bad siglen");
-		goto done;
-	}
-	decrypted = xmalloc(rsasize);
-	if ((len = RSA_public_decrypt(siglen, sigbuf, decrypted, rsa,
-	    RSA_PKCS1_PADDING)) < 0) {
-		error("RSA_public_decrypt failed: %s",
-		    ERR_error_string(ERR_get_error(), NULL));
-		goto done;
-	}
-	if (len < 0 || (u_int)len != hlen + oidlen) {
-		error("bad decrypted len: %d != %d + %d", len, hlen, oidlen);
-		goto done;
-	}
-	if (memcmp(decrypted, oid, oidlen) != 0) {
-		error("oid mismatch");
-		goto done;
-	}
-	if (memcmp(decrypted + oidlen, hash, hlen) != 0) {
-		error("hash mismatch");
-		goto done;
-	}
-	ret = 1;
-done:
-	if (decrypted)
-		xfree(decrypted);
-	return ret;
-}
diff --git a/crypto/openssh/ssh.1 b/crypto/openssh/ssh.1
deleted file mode 100644
index 93be52f..0000000
--- a/crypto/openssh/ssh.1
+++ /dev/null
@@ -1,1429 +0,0 @@
-.\"  -*- nroff -*-
-.\"
-.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
-.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
-.\"                    All rights reserved
-.\"
-.\" As far as I am concerned, the code I have written for this software
-.\" can be used freely for any purpose.  Any derived versions of this
-.\" software must be clearly marked as such, and if the derived work is
-.\" incompatible with the protocol description in the RFC file, it must be
-.\" called by a name other than "ssh" or "Secure Shell".
-.\"
-.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
-.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
-.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in the
-.\"    documentation and/or other materials provided with the distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" $OpenBSD: ssh.1,v 1.265 2006/10/28 18:08:10 otto Exp $
-.Dd September 25, 1999
-.Dt SSH 1
-.Os
-.Sh NAME
-.Nm ssh
-.Nd OpenSSH SSH client (remote login program)
-.Sh SYNOPSIS
-.Nm ssh
-.Op Fl 1246AaCfgkMNnqsTtVvXxY
-.Op Fl b Ar bind_address
-.Op Fl c Ar cipher_spec
-.Oo Fl D\ \&
-.Sm off
-.Oo Ar bind_address : Oc
-.Ar port
-.Sm on
-.Oc
-.Op Fl e Ar escape_char
-.Op Fl F Ar configfile
-.Bk -words
-.Op Fl i Ar identity_file
-.Ek
-.Oo Fl L\ \&
-.Sm off
-.Oo Ar bind_address : Oc
-.Ar port : host : hostport
-.Sm on
-.Oc
-.Bk -words
-.Op Fl l Ar login_name
-.Ek
-.Op Fl m Ar mac_spec
-.Op Fl O Ar ctl_cmd
-.Op Fl o Ar option
-.Op Fl p Ar port
-.Oo Fl R\ \&
-.Sm off
-.Oo Ar bind_address : Oc
-.Ar port : host : hostport
-.Sm on
-.Oc
-.Op Fl S Ar ctl_path
-.Bk -words
-.Oo Fl w Ar local_tun Ns
-.Op : Ns Ar remote_tun Oc
-.Oo Ar user Ns @ Oc Ns Ar hostname
-.Op Ar command
-.Ek
-.Sh DESCRIPTION
-.Nm
-(SSH client) is a program for logging into a remote machine and for
-executing commands on a remote machine.
-It is intended to replace rlogin and rsh,
-and provide secure encrypted communications between
-two untrusted hosts over an insecure network.
-X11 connections and arbitrary TCP ports
-can also be forwarded over the secure channel.
-.Pp
-.Nm
-connects and logs into the specified
-.Ar hostname
-(with optional
-.Ar user
-name).
-The user must prove
-his/her identity to the remote machine using one of several methods
-depending on the protocol version used (see below).
-.Pp
-If
-.Ar command
-is specified,
-it is executed on the remote host instead of a login shell.
-.Pp
-The options are as follows:
-.Bl -tag -width Ds
-.It Fl 1
-Forces
-.Nm
-to try protocol version 1 only.
-.It Fl 2
-Forces
-.Nm
-to try protocol version 2 only.
-.It Fl 4
-Forces
-.Nm
-to use IPv4 addresses only.
-.It Fl 6
-Forces
-.Nm
-to use IPv6 addresses only.
-.It Fl A
-Enables forwarding of the authentication agent connection.
-This can also be specified on a per-host basis in a configuration file.
-.Pp
-Agent forwarding should be enabled with caution.
-Users with the ability to bypass file permissions on the remote host
-(for the agent's Unix-domain socket)
-can access the local agent through the forwarded connection.
-An attacker cannot obtain key material from the agent,
-however they can perform operations on the keys that enable them to
-authenticate using the identities loaded into the agent.
-.It Fl a
-Disables forwarding of the authentication agent connection.
-.It Fl b Ar bind_address
-Use
-.Ar bind_address
-on the local machine as the source address
-of the connection.
-Only useful on systems with more than one address.
-.It Fl C
-Requests compression of all data (including stdin, stdout, stderr, and
-data for forwarded X11 and TCP connections).
-The compression algorithm is the same used by
-.Xr gzip 1 ,
-and the
-.Dq level
-can be controlled by the
-.Cm CompressionLevel
-option for protocol version 1.
-Compression is desirable on modem lines and other
-slow connections, but will only slow down things on fast networks.
-The default value can be set on a host-by-host basis in the
-configuration files; see the
-.Cm Compression
-option.
-.It Fl c Ar cipher_spec
-Selects the cipher specification for encrypting the session.
-.Pp
-Protocol version 1 allows specification of a single cipher.
-The supported values are
-.Dq 3des ,
-.Dq blowfish ,
-and
-.Dq des .
-.Ar 3des
-(triple-des) is an encrypt-decrypt-encrypt triple with three different keys.
-It is believed to be secure.
-.Ar blowfish
-is a fast block cipher; it appears very secure and is much faster than
-.Ar 3des .
-.Ar des
-is only supported in the
-.Nm
-client for interoperability with legacy protocol 1 implementations
-that do not support the
-.Ar 3des
-cipher.
-Its use is strongly discouraged due to cryptographic weaknesses.
-The default is
-.Dq 3des .
-.Pp
-For protocol version 2,
-.Ar cipher_spec
-is a comma-separated list of ciphers
-listed in order of preference.
-The supported ciphers are:
-3des-cbc,
-aes128-cbc,
-aes192-cbc,
-aes256-cbc,
-aes128-ctr,
-aes192-ctr,
-aes256-ctr,
-arcfour128,
-arcfour256,
-arcfour,
-blowfish-cbc,
-and
-cast128-cbc.
-The default is:
-.Bd -literal -offset indent
-aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
-arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
-aes192-ctr,aes256-ctr
-.Ed
-.It Fl D Xo
-.Sm off
-.Oo Ar bind_address : Oc
-.Ar port
-.Sm on
-.Xc
-Specifies a local
-.Dq dynamic
-application-level port forwarding.
-This works by allocating a socket to listen to
-.Ar port
-on the local side, optionally bound to the specified
-.Ar bind_address .
-Whenever a connection is made to this port, the
-connection is forwarded over the secure channel, and the application
-protocol is then used to determine where to connect to from the
-remote machine.
-Currently the SOCKS4 and SOCKS5 protocols are supported, and
-.Nm
-will act as a SOCKS server.
-Only root can forward privileged ports.
-Dynamic port forwardings can also be specified in the configuration file.
-.Pp
-IPv6 addresses can be specified with an alternative syntax:
-.Sm off
-.Xo
-.Op Ar bind_address No /
-.Ar port
-.Xc
-.Sm on
-or by enclosing the address in square brackets.
-Only the superuser can forward privileged ports.
-By default, the local port is bound in accordance with the
-.Cm GatewayPorts
-setting.
-However, an explicit
-.Ar bind_address
-may be used to bind the connection to a specific address.
-The
-.Ar bind_address
-of
-.Dq localhost
-indicates that the listening port be bound for local use only, while an
-empty address or
-.Sq *
-indicates that the port should be available from all interfaces.
-.It Fl e Ar escape_char
-Sets the escape character for sessions with a pty (default:
-.Ql ~ ) .
-The escape character is only recognized at the beginning of a line.
-The escape character followed by a dot
-.Pq Ql \&.
-closes the connection;
-followed by control-Z suspends the connection;
-and followed by itself sends the escape character once.
-Setting the character to
-.Dq none
-disables any escapes and makes the session fully transparent.
-.It Fl F Ar configfile
-Specifies an alternative per-user configuration file.
-If a configuration file is given on the command line,
-the system-wide configuration file
-.Pq Pa /etc/ssh/ssh_config
-will be ignored.
-The default for the per-user configuration file is
-.Pa ~/.ssh/config .
-.It Fl f
-Requests
-.Nm
-to go to background just before command execution.
-This is useful if
-.Nm
-is going to ask for passwords or passphrases, but the user
-wants it in the background.
-This implies
-.Fl n .
-The recommended way to start X11 programs at a remote site is with
-something like
-.Ic ssh -f host xterm .
-.It Fl g
-Allows remote hosts to connect to local forwarded ports.
-.It Fl I Ar smartcard_device
-Specify the device
-.Nm
-should use to communicate with a smartcard used for storing the user's
-private RSA key.
-This option is only available if support for smartcard devices
-is compiled in (default is no support).
-.It Fl i Ar identity_file
-Selects a file from which the identity (private key) for
-RSA or DSA authentication is read.
-The default is
-.Pa ~/.ssh/identity
-for protocol version 1, and
-.Pa ~/.ssh/id_rsa
-and
-.Pa ~/.ssh/id_dsa
-for protocol version 2.
-Identity files may also be specified on
-a per-host basis in the configuration file.
-It is possible to have multiple
-.Fl i
-options (and multiple identities specified in
-configuration files).
-.It Fl k
-Disables forwarding (delegation) of GSSAPI credentials to the server.
-.It Fl L Xo
-.Sm off
-.Oo Ar bind_address : Oc
-.Ar port : host : hostport
-.Sm on
-.Xc
-Specifies that the given port on the local (client) host is to be
-forwarded to the given host and port on the remote side.
-This works by allocating a socket to listen to
-.Ar port
-on the local side, optionally bound to the specified
-.Ar bind_address .
-Whenever a connection is made to this port, the
-connection is forwarded over the secure channel, and a connection is
-made to
-.Ar host
-port
-.Ar hostport
-from the remote machine.
-Port forwardings can also be specified in the configuration file.
-IPv6 addresses can be specified with an alternative syntax:
-.Sm off
-.Xo
-.Op Ar bind_address No /
-.Ar port No / Ar host No /
-.Ar hostport
-.Xc
-.Sm on
-or by enclosing the address in square brackets.
-Only the superuser can forward privileged ports.
-By default, the local port is bound in accordance with the
-.Cm GatewayPorts
-setting.
-However, an explicit
-.Ar bind_address
-may be used to bind the connection to a specific address.
-The
-.Ar bind_address
-of
-.Dq localhost
-indicates that the listening port be bound for local use only, while an
-empty address or
-.Sq *
-indicates that the port should be available from all interfaces.
-.It Fl l Ar login_name
-Specifies the user to log in as on the remote machine.
-This also may be specified on a per-host basis in the configuration file.
-.It Fl M
-Places the
-.Nm
-client into
-.Dq master
-mode for connection sharing.
-Multiple
-.Fl M
-options places
-.Nm
-into
-.Dq master
-mode with confirmation required before slave connections are accepted.
-Refer to the description of
-.Cm ControlMaster
-in
-.Xr ssh_config 5
-for details.
-.It Fl m Ar mac_spec
-Additionally, for protocol version 2 a comma-separated list of MAC
-(message authentication code) algorithms can
-be specified in order of preference.
-See the
-.Cm MACs
-keyword for more information.
-.It Fl N
-Do not execute a remote command.
-This is useful for just forwarding ports
-(protocol version 2 only).
-.It Fl n
-Redirects stdin from
-.Pa /dev/null
-(actually, prevents reading from stdin).
-This must be used when
-.Nm
-is run in the background.
-A common trick is to use this to run X11 programs on a remote machine.
-For example,
-.Ic ssh -n shadows.cs.hut.fi emacs &
-will start an emacs on shadows.cs.hut.fi, and the X11
-connection will be automatically forwarded over an encrypted channel.
-The
-.Nm
-program will be put in the background.
-(This does not work if
-.Nm
-needs to ask for a password or passphrase; see also the
-.Fl f
-option.)
-.It Fl O Ar ctl_cmd
-Control an active connection multiplexing master process.
-When the
-.Fl O
-option is specified, the
-.Ar ctl_cmd
-argument is interpreted and passed to the master process.
-Valid commands are:
-.Dq check
-(check that the master process is running) and
-.Dq exit
-(request the master to exit).
-.It Fl o Ar option
-Can be used to give options in the format used in the configuration file.
-This is useful for specifying options for which there is no separate
-command-line flag.
-For full details of the options listed below, and their possible values, see
-.Xr ssh_config 5 .
-.Pp
-.Bl -tag -width Ds -offset indent -compact
-.It AddressFamily
-.It BatchMode
-.It BindAddress
-.It ChallengeResponseAuthentication
-.It CheckHostIP
-.It Cipher
-.It Ciphers
-.It ClearAllForwardings
-.It Compression
-.It CompressionLevel
-.It ConnectionAttempts
-.It ConnectTimeout
-.It ControlMaster
-.It ControlPath
-.It DynamicForward
-.It EscapeChar
-.It ExitOnForwardFailure
-.It ForwardAgent
-.It ForwardX11
-.It ForwardX11Trusted
-.It GatewayPorts
-.It GlobalKnownHostsFile
-.It GSSAPIAuthentication
-.It GSSAPIDelegateCredentials
-.It HashKnownHosts
-.It Host
-.It HostbasedAuthentication
-.It HostKeyAlgorithms
-.It HostKeyAlias
-.It HostName
-.It IdentityFile
-.It IdentitiesOnly
-.It KbdInteractiveDevices
-.It LocalCommand
-.It LocalForward
-.It LogLevel
-.It MACs
-.It NoHostAuthenticationForLocalhost
-.It NumberOfPasswordPrompts
-.It PasswordAuthentication
-.It PermitLocalCommand
-.It Port
-.It PreferredAuthentications
-.It Protocol
-.It ProxyCommand
-.It PubkeyAuthentication
-.It RekeyLimit
-.It RemoteForward
-.It RhostsRSAAuthentication
-.It RSAAuthentication
-.It SendEnv
-.It ServerAliveInterval
-.It ServerAliveCountMax
-.It SmartcardDevice
-.It StrictHostKeyChecking
-.It TCPKeepAlive
-.It Tunnel
-.It TunnelDevice
-.It UsePrivilegedPort
-.It User
-.It UserKnownHostsFile
-.It VerifyHostKeyDNS
-.It XAuthLocation
-.El
-.It Fl p Ar port
-Port to connect to on the remote host.
-This can be specified on a
-per-host basis in the configuration file.
-.It Fl q
-Quiet mode.
-Causes all warning and diagnostic messages to be suppressed.
-.It Fl R Xo
-.Sm off
-.Oo Ar bind_address : Oc
-.Ar port : host : hostport
-.Sm on
-.Xc
-Specifies that the given port on the remote (server) host is to be
-forwarded to the given host and port on the local side.
-This works by allocating a socket to listen to
-.Ar port
-on the remote side, and whenever a connection is made to this port, the
-connection is forwarded over the secure channel, and a connection is
-made to
-.Ar host
-port
-.Ar hostport
-from the local machine.
-.Pp
-Port forwardings can also be specified in the configuration file.
-Privileged ports can be forwarded only when
-logging in as root on the remote machine.
-IPv6 addresses can be specified by enclosing the address in square braces or
-using an alternative syntax:
-.Sm off
-.Xo
-.Op Ar bind_address No /
-.Ar host No / Ar port No /
-.Ar hostport
-.Xc .
-.Sm on
-.Pp
-By default, the listening socket on the server will be bound to the loopback
-interface only.
-This may be overriden by specifying a
-.Ar bind_address .
-An empty
-.Ar bind_address ,
-or the address
-.Ql * ,
-indicates that the remote socket should listen on all interfaces.
-Specifying a remote
-.Ar bind_address
-will only succeed if the server's
-.Cm GatewayPorts
-option is enabled (see
-.Xr sshd_config 5 ) .
-.It Fl S Ar ctl_path
-Specifies the location of a control socket for connection sharing.
-Refer to the description of
-.Cm ControlPath
-and
-.Cm ControlMaster
-in
-.Xr ssh_config 5
-for details.
-.It Fl s
-May be used to request invocation of a subsystem on the remote system.
-Subsystems are a feature of the SSH2 protocol which facilitate the use
-of SSH as a secure transport for other applications (eg.\&
-.Xr sftp 1 ) .
-The subsystem is specified as the remote command.
-.It Fl T
-Disable pseudo-tty allocation.
-.It Fl t
-Force pseudo-tty allocation.
-This can be used to execute arbitrary
-screen-based programs on a remote machine, which can be very useful,
-e.g. when implementing menu services.
-Multiple
-.Fl t
-options force tty allocation, even if
-.Nm
-has no local tty.
-.It Fl V
-Display the version number and exit.
-.It Fl v
-Verbose mode.
-Causes
-.Nm
-to print debugging messages about its progress.
-This is helpful in
-debugging connection, authentication, and configuration problems.
-Multiple
-.Fl v
-options increase the verbosity.
-The maximum is 3.
-.It Fl w Xo
-.Ar local_tun Ns Op : Ns Ar remote_tun
-.Xc
-Requests
-tunnel
-device forwarding with the specified
-.Xr tun 4
-devices between the client
-.Pq Ar local_tun
-and the server
-.Pq Ar remote_tun .
-.Pp
-The devices may be specified by numerical ID or the keyword
-.Dq any ,
-which uses the next available tunnel device.
-If
-.Ar remote_tun
-is not specified, it defaults to
-.Dq any .
-See also the
-.Cm Tunnel
-and
-.Cm TunnelDevice
-directives in
-.Xr ssh_config 5 .
-If the
-.Cm Tunnel
-directive is unset, it is set to the default tunnel mode, which is
-.Dq point-to-point .
-.It Fl X
-Enables X11 forwarding.
-This can also be specified on a per-host basis in a configuration file.
-.Pp
-X11 forwarding should be enabled with caution.
-Users with the ability to bypass file permissions on the remote host
-(for the user's X authorization database)
-can access the local X11 display through the forwarded connection.
-An attacker may then be able to perform activities such as keystroke monitoring.
-.Pp
-For this reason, X11 forwarding is subjected to X11 SECURITY extension
-restrictions by default.
-Please refer to the
-.Nm
-.Fl Y
-option and the
-.Cm ForwardX11Trusted
-directive in
-.Xr ssh_config 5
-for more information.
-.It Fl x
-Disables X11 forwarding.
-.It Fl Y
-Enables trusted X11 forwarding.
-Trusted X11 forwardings are not subjected to the X11 SECURITY extension
-controls.
-.El
-.Pp
-.Nm
-may additionally obtain configuration data from
-a per-user configuration file and a system-wide configuration file.
-The file format and configuration options are described in
-.Xr ssh_config 5 .
-.Pp
-.Nm
-exits with the exit status of the remote command or with 255
-if an error occurred.
-.Sh AUTHENTICATION
-The OpenSSH SSH client supports SSH protocols 1 and 2.
-Protocol 2 is the default, with
-.Nm
-falling back to protocol 1 if it detects protocol 2 is unsupported.
-These settings may be altered using the
-.Cm Protocol
-option in
-.Xr ssh_config 5 ,
-or enforced using the
-.Fl 1
-and
-.Fl 2
-options (see above).
-Both protocols support similar authentication methods,
-but protocol 2 is preferred since
-it provides additional mechanisms for confidentiality
-(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)
-and integrity (hmac-md5, hmac-sha1, hmac-ripemd160).
-Protocol 1 lacks a strong mechanism for ensuring the
-integrity of the connection.
-.Pp
-The methods available for authentication are:
-GSSAPI-based authentication,
-host-based authentication,
-public key authentication,
-challenge-response authentication,
-and password authentication.
-Authentication methods are tried in the order specified above,
-though protocol 2 has a configuration option to change the default order:
-.Cm PreferredAuthentications .
-.Pp
-Host-based authentication works as follows:
-If the machine the user logs in from is listed in
-.Pa /etc/hosts.equiv
-or
-.Pa /etc/shosts.equiv
-on the remote machine, and the user names are
-the same on both sides, or if the files
-.Pa ~/.rhosts
-or
-.Pa ~/.shosts
-exist in the user's home directory on the
-remote machine and contain a line containing the name of the client
-machine and the name of the user on that machine, the user is
-considered for login.
-Additionally, the server
-.Em must
-be able to verify the client's
-host key (see the description of
-.Pa /etc/ssh/ssh_known_hosts
-and
-.Pa ~/.ssh/known_hosts ,
-below)
-for login to be permitted.
-This authentication method closes security holes due to IP
-spoofing, DNS spoofing, and routing spoofing.
-[Note to the administrator:
-.Pa /etc/hosts.equiv ,
-.Pa ~/.rhosts ,
-and the rlogin/rsh protocol in general, are inherently insecure and should be
-disabled if security is desired.]
-.Pp
-Public key authentication works as follows:
-The scheme is based on public-key cryptography,
-using cryptosystems
-where encryption and decryption are done using separate keys,
-and it is unfeasible to derive the decryption key from the encryption key.
-The idea is that each user creates a public/private
-key pair for authentication purposes.
-The server knows the public key, and only the user knows the private key.
-.Nm
-implements public key authentication protocol automatically,
-using either the RSA or DSA algorithms.
-Protocol 1 is restricted to using only RSA keys,
-but protocol 2 may use either.
-The
-.Sx HISTORY
-section of
-.Xr ssl 8
-contains a brief discussion of the two algorithms.
-.Pp
-The file
-.Pa ~/.ssh/authorized_keys
-lists the public keys that are permitted for logging in.
-When the user logs in, the
-.Nm
-program tells the server which key pair it would like to use for
-authentication.
-The client proves that it has access to the private key
-and the server checks that the corresponding public key
-is authorized to accept the account.
-.Pp
-The user creates his/her key pair by running
-.Xr ssh-keygen 1 .
-This stores the private key in
-.Pa ~/.ssh/identity
-(protocol 1),
-.Pa ~/.ssh/id_dsa
-(protocol 2 DSA),
-or
-.Pa ~/.ssh/id_rsa
-(protocol 2 RSA)
-and stores the public key in
-.Pa ~/.ssh/identity.pub
-(protocol 1),
-.Pa ~/.ssh/id_dsa.pub
-(protocol 2 DSA),
-or
-.Pa ~/.ssh/id_rsa.pub
-(protocol 2 RSA)
-in the user's home directory.
-The user should then copy the public key
-to
-.Pa ~/.ssh/authorized_keys
-in his/her home directory on the remote machine.
-The
-.Pa authorized_keys
-file corresponds to the conventional
-.Pa ~/.rhosts
-file, and has one key
-per line, though the lines can be very long.
-After this, the user can log in without giving the password.
-.Pp
-The most convenient way to use public key authentication may be with an
-authentication agent.
-See
-.Xr ssh-agent 1
-for more information.
-.Pp
-Challenge-response authentication works as follows:
-The server sends an arbitrary
-.Qq challenge
-text, and prompts for a response.
-Protocol 2 allows multiple challenges and responses;
-protocol 1 is restricted to just one challenge/response.
-Examples of challenge-response authentication include
-BSD Authentication (see
-.Xr login.conf 5 )
-and PAM (some non-OpenBSD systems).
-.Pp
-Finally, if other authentication methods fail,
-.Nm
-prompts the user for a password.
-The password is sent to the remote
-host for checking; however, since all communications are encrypted,
-the password cannot be seen by someone listening on the network.
-.Pp
-.Nm
-automatically maintains and checks a database containing
-identification for all hosts it has ever been used with.
-Host keys are stored in
-.Pa ~/.ssh/known_hosts
-in the user's home directory.
-Additionally, the file
-.Pa /etc/ssh/ssh_known_hosts
-is automatically checked for known hosts.
-Any new hosts are automatically added to the user's file.
-If a host's identification ever changes,
-.Nm
-warns about this and disables password authentication to prevent
-server spoofing or man-in-the-middle attacks,
-which could otherwise be used to circumvent the encryption.
-The
-.Cm StrictHostKeyChecking
-option can be used to control logins to machines whose
-host key is not known or has changed.
-.Pp
-When the user's identity has been accepted by the server, the server
-either executes the given command, or logs into the machine and gives
-the user a normal shell on the remote machine.
-All communication with
-the remote command or shell will be automatically encrypted.
-.Pp
-If a pseudo-terminal has been allocated (normal login session), the
-user may use the escape characters noted below.
-.Pp
-If no pseudo-tty has been allocated,
-the session is transparent and can be used to reliably transfer binary data.
-On most systems, setting the escape character to
-.Dq none
-will also make the session transparent even if a tty is used.
-.Pp
-The session terminates when the command or shell on the remote
-machine exits and all X11 and TCP connections have been closed.
-.Sh ESCAPE CHARACTERS
-When a pseudo-terminal has been requested,
-.Nm
-supports a number of functions through the use of an escape character.
-.Pp
-A single tilde character can be sent as
-.Ic ~~
-or by following the tilde by a character other than those described below.
-The escape character must always follow a newline to be interpreted as
-special.
-The escape character can be changed in configuration files using the
-.Cm EscapeChar
-configuration directive or on the command line by the
-.Fl e
-option.
-.Pp
-The supported escapes (assuming the default
-.Ql ~ )
-are:
-.Bl -tag -width Ds
-.It Cm ~.
-Disconnect.
-.It Cm ~^Z
-Background
-.Nm .
-.It Cm ~#
-List forwarded connections.
-.It Cm ~&
-Background
-.Nm
-at logout when waiting for forwarded connection / X11 sessions to terminate.
-.It Cm ~?
-Display a list of escape characters.
-.It Cm ~B
-Send a BREAK to the remote system
-(only useful for SSH protocol version 2 and if the peer supports it).
-.It Cm ~C
-Open command line.
-Currently this allows the addition of port forwardings using the
-.Fl L
-and
-.Fl R
-options (see above).
-It also allows the cancellation of existing remote port-forwardings
-using
-.Sm off
-.Fl KR Oo Ar bind_address : Oc Ar port .
-.Sm on
-.Ic !\& Ns Ar command
-allows the user to execute a local command if the
-.Ic PermitLocalCommand
-option is enabled in
-.Xr ssh_config 5 .
-Basic help is available, using the
-.Fl h
-option.
-.It Cm ~R
-Request rekeying of the connection
-(only useful for SSH protocol version 2 and if the peer supports it).
-.El
-.Sh TCP FORWARDING
-Forwarding of arbitrary TCP connections over the secure channel can
-be specified either on the command line or in a configuration file.
-One possible application of TCP forwarding is a secure connection to a
-mail server; another is going through firewalls.
-.Pp
-In the example below, we look at encrypting communication between
-an IRC client and server, even though the IRC server does not directly
-support encrypted communications.
-This works as follows:
-the user connects to the remote host using
-.Nm ,
-specifying a port to be used to forward connections
-to the remote server.
-After that it is possible to start the service which is to be encrypted
-on the client machine,
-connecting to the same local port,
-and
-.Nm
-will encrypt and forward the connection.
-.Pp
-The following example tunnels an IRC session from client machine
-.Dq 127.0.0.1
-(localhost)
-to remote server
-.Dq server.example.com :
-.Bd -literal -offset 4n
-$ ssh -f -L 1234:localhost:6667 server.example.com sleep 10
-$ irc -c '#users' -p 1234 pinky 127.0.0.1
-.Ed
-.Pp
-This tunnels a connection to IRC server
-.Dq server.example.com ,
-joining channel
-.Dq #users ,
-nickname
-.Dq pinky ,
-using port 1234.
-It doesn't matter which port is used,
-as long as it's greater than 1023
-(remember, only root can open sockets on privileged ports)
-and doesn't conflict with any ports already in use.
-The connection is forwarded to port 6667 on the remote server,
-since that's the standard port for IRC services.
-.Pp
-The
-.Fl f
-option backgrounds
-.Nm
-and the remote command
-.Dq sleep 10
-is specified to allow an amount of time
-(10 seconds, in the example)
-to start the service which is to be tunnelled.
-If no connections are made within the time specified,
-.Nm
-will exit.
-.Sh X11 FORWARDING
-If the
-.Cm ForwardX11
-variable is set to
-.Dq yes
-(or see the description of the
-.Fl X ,
-.Fl x ,
-and
-.Fl Y
-options above)
-and the user is using X11 (the
-.Ev DISPLAY
-environment variable is set), the connection to the X11 display is
-automatically forwarded to the remote side in such a way that any X11
-programs started from the shell (or command) will go through the
-encrypted channel, and the connection to the real X server will be made
-from the local machine.
-The user should not manually set
-.Ev DISPLAY .
-Forwarding of X11 connections can be
-configured on the command line or in configuration files.
-.Pp
-The
-.Ev DISPLAY
-value set by
-.Nm
-will point to the server machine, but with a display number greater than zero.
-This is normal, and happens because
-.Nm
-creates a
-.Dq proxy
-X server on the server machine for forwarding the
-connections over the encrypted channel.
-.Pp
-.Nm
-will also automatically set up Xauthority data on the server machine.
-For this purpose, it will generate a random authorization cookie,
-store it in Xauthority on the server, and verify that any forwarded
-connections carry this cookie and replace it by the real cookie when
-the connection is opened.
-The real authentication cookie is never
-sent to the server machine (and no cookies are sent in the plain).
-.Pp
-If the
-.Cm ForwardAgent
-variable is set to
-.Dq yes
-(or see the description of the
-.Fl A
-and
-.Fl a
-options above) and
-the user is using an authentication agent, the connection to the agent
-is automatically forwarded to the remote side.
-.Sh VERIFYING HOST KEYS
-When connecting to a server for the first time,
-a fingerprint of the server's public key is presented to the user
-(unless the option
-.Cm StrictHostKeyChecking
-has been disabled).
-Fingerprints can be determined using
-.Xr ssh-keygen 1 :
-.Pp
-.Dl $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
-.Pp
-If the fingerprint is already known,
-it can be matched and verified,
-and the key can be accepted.
-If the fingerprint is unknown,
-an alternative method of verification is available:
-SSH fingerprints verified by DNS.
-An additional resource record (RR),
-SSHFP,
-is added to a zonefile
-and the connecting client is able to match the fingerprint
-with that of the key presented.
-.Pp
-In this example, we are connecting a client to a server,
-.Dq host.example.com .
-The SSHFP resource records should first be added to the zonefile for
-host.example.com:
-.Bd -literal -offset indent
-$ ssh-keygen -r host.example.com.
-.Ed
-.Pp
-The output lines will have to be added to the zonefile.
-To check that the zone is answering fingerprint queries:
-.Pp
-.Dl $ dig -t SSHFP host.example.com
-.Pp
-Finally the client connects:
-.Bd -literal -offset indent
-$ ssh -o "VerifyHostKeyDNS ask" host.example.com
-[...]
-Matching host key fingerprint found in DNS.
-Are you sure you want to continue connecting (yes/no)?
-.Ed
-.Pp
-See the
-.Cm VerifyHostKeyDNS
-option in
-.Xr ssh_config 5
-for more information.
-.Sh SSH-BASED VIRTUAL PRIVATE NETWORKS
-.Nm
-contains support for Virtual Private Network (VPN) tunnelling
-using the
-.Xr tun 4
-network pseudo-device,
-allowing two networks to be joined securely.
-The
-.Xr sshd_config 5
-configuration option
-.Cm PermitTunnel
-controls whether the server supports this,
-and at what level (layer 2 or 3 traffic).
-.Pp
-The following example would connect client network 10.0.50.0/24
-with remote network 10.0.99.0/24 using a point-to-point connection
-from 10.1.1.1 to 10.1.1.2,
-provided that the SSH server running on the gateway to the remote network,
-at 192.168.1.15, allows it.
-.Pp
-On the client:
-.Bd -literal -offset indent
-# ssh -f -w 0:1 192.168.1.15 true
-# ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252
-# route add 10.0.99.0/24 10.1.1.2
-.Ed
-.Pp
-On the server:
-.Bd -literal -offset indent
-# ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252
-# route add 10.0.50.0/24 10.1.1.1
-.Ed
-.Pp
-Client access may be more finely tuned via the
-.Pa /root/.ssh/authorized_keys
-file (see below) and the
-.Cm PermitRootLogin
-server option.
-The following entry would permit connections on
-.Xr tun 4
-device 1 from user
-.Dq jane
-and on tun device 2 from user
-.Dq john ,
-if
-.Cm PermitRootLogin
-is set to
-.Dq forced-commands-only :
-.Bd -literal -offset 2n
-tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... jane
-tunnel="2",command="sh /etc/netstart tun2" ssh-rsa ... john
-.Ed
-.Pp
-Since an SSH-based setup entails a fair amount of overhead,
-it may be more suited to temporary setups,
-such as for wireless VPNs.
-More permanent VPNs are better provided by tools such as
-.Xr ipsecctl 8
-and
-.Xr isakmpd 8 .
-.Sh ENVIRONMENT
-.Nm
-will normally set the following environment variables:
-.Bl -tag -width "SSH_ORIGINAL_COMMAND"
-.It Ev DISPLAY
-The
-.Ev DISPLAY
-variable indicates the location of the X11 server.
-It is automatically set by
-.Nm
-to point to a value of the form
-.Dq hostname:n ,
-where
-.Dq hostname
-indicates the host where the shell runs, and
-.Sq n
-is an integer \*(Ge 1.
-.Nm
-uses this special value to forward X11 connections over the secure
-channel.
-The user should normally not set
-.Ev DISPLAY
-explicitly, as that
-will render the X11 connection insecure (and will require the user to
-manually copy any required authorization cookies).
-.It Ev HOME
-Set to the path of the user's home directory.
-.It Ev LOGNAME
-Synonym for
-.Ev USER ;
-set for compatibility with systems that use this variable.
-.It Ev MAIL
-Set to the path of the user's mailbox.
-.It Ev PATH
-Set to the default
-.Ev PATH ,
-as specified when compiling
-.Nm .
-.It Ev SSH_ASKPASS
-If
-.Nm
-needs a passphrase, it will read the passphrase from the current
-terminal if it was run from a terminal.
-If
-.Nm
-does not have a terminal associated with it but
-.Ev DISPLAY
-and
-.Ev SSH_ASKPASS
-are set, it will execute the program specified by
-.Ev SSH_ASKPASS
-and open an X11 window to read the passphrase.
-This is particularly useful when calling
-.Nm
-from a
-.Pa .xsession
-or related script.
-(Note that on some machines it
-may be necessary to redirect the input from
-.Pa /dev/null
-to make this work.)
-.It Ev SSH_AUTH_SOCK
-Identifies the path of a
-.Ux Ns -domain
-socket used to communicate with the agent.
-.It Ev SSH_CONNECTION
-Identifies the client and server ends of the connection.
-The variable contains
-four space-separated values: client IP address, client port number,
-server IP address, and server port number.
-.It Ev SSH_ORIGINAL_COMMAND
-This variable contains the original command line if a forced command
-is executed.
-It can be used to extract the original arguments.
-.It Ev SSH_TTY
-This is set to the name of the tty (path to the device) associated
-with the current shell or command.
-If the current session has no tty,
-this variable is not set.
-.It Ev TZ
-This variable is set to indicate the present time zone if it
-was set when the daemon was started (i.e. the daemon passes the value
-on to new connections).
-.It Ev USER
-Set to the name of the user logging in.
-.El
-.Pp
-Additionally,
-.Nm
-reads
-.Pa ~/.ssh/environment ,
-and adds lines of the format
-.Dq VARNAME=value
-to the environment if the file exists and users are allowed to
-change their environment.
-For more information, see the
-.Cm PermitUserEnvironment
-option in
-.Xr sshd_config 5 .
-.Sh FILES
-.Bl -tag -width Ds -compact
-.It ~/.rhosts
-This file is used for host-based authentication (see above).
-On some machines this file may need to be
-world-readable if the user's home directory is on an NFS partition,
-because
-.Xr sshd 8
-reads it as root.
-Additionally, this file must be owned by the user,
-and must not have write permissions for anyone else.
-The recommended
-permission for most machines is read/write for the user, and not
-accessible by others.
-.Pp
-.It ~/.shosts
-This file is used in exactly the same way as
-.Pa .rhosts ,
-but allows host-based authentication without permitting login with
-rlogin/rsh.
-.Pp
-.It ~/.ssh/authorized_keys
-Lists the public keys (RSA/DSA) that can be used for logging in as this user.
-The format of this file is described in the
-.Xr sshd 8
-manual page.
-This file is not highly sensitive, but the recommended
-permissions are read/write for the user, and not accessible by others.
-.Pp
-.It ~/.ssh/config
-This is the per-user configuration file.
-The file format and configuration options are described in
-.Xr ssh_config 5 .
-Because of the potential for abuse, this file must have strict permissions:
-read/write for the user, and not accessible by others.
-.Pp
-.It ~/.ssh/environment
-Contains additional definitions for environment variables; see
-.Sx ENVIRONMENT ,
-above.
-.Pp
-.It ~/.ssh/identity
-.It ~/.ssh/id_dsa
-.It ~/.ssh/id_rsa
-Contains the private key for authentication.
-These files
-contain sensitive data and should be readable by the user but not
-accessible by others (read/write/execute).
-.Nm
-will simply ignore a private key file if it is accessible by others.
-It is possible to specify a passphrase when
-generating the key which will be used to encrypt the
-sensitive part of this file using 3DES.
-.Pp
-.It ~/.ssh/identity.pub
-.It ~/.ssh/id_dsa.pub
-.It ~/.ssh/id_rsa.pub
-Contains the public key for authentication.
-These files are not
-sensitive and can (but need not) be readable by anyone.
-.Pp
-.It ~/.ssh/known_hosts
-Contains a list of host keys for all hosts the user has logged into
-that are not already in the systemwide list of known host keys.
-See
-.Xr sshd 8
-for further details of the format of this file.
-.Pp
-.It ~/.ssh/rc
-Commands in this file are executed by
-.Nm
-when the user logs in, just before the user's shell (or command) is
-started.
-See the
-.Xr sshd 8
-manual page for more information.
-.Pp
-.It /etc/hosts.equiv
-This file is for host-based authentication (see above).
-It should only be writable by root.
-.Pp
-.It /etc/shosts.equiv
-This file is used in exactly the same way as
-.Pa hosts.equiv ,
-but allows host-based authentication without permitting login with
-rlogin/rsh.
-.Pp
-.It Pa /etc/ssh/ssh_config
-Systemwide configuration file.
-The file format and configuration options are described in
-.Xr ssh_config 5 .
-.Pp
-.It /etc/ssh/ssh_host_key
-.It /etc/ssh/ssh_host_dsa_key
-.It /etc/ssh/ssh_host_rsa_key
-These three files contain the private parts of the host keys
-and are used for host-based authentication.
-If protocol version 1 is used,
-.Nm
-must be setuid root, since the host key is readable only by root.
-For protocol version 2,
-.Nm
-uses
-.Xr ssh-keysign 8
-to access the host keys,
-eliminating the requirement that
-.Nm
-be setuid root when host-based authentication is used.
-By default
-.Nm
-is not setuid root.
-.Pp
-.It /etc/ssh/ssh_known_hosts
-Systemwide list of known host keys.
-This file should be prepared by the
-system administrator to contain the public host keys of all machines in the
-organization.
-It should be world-readable.
-See
-.Xr sshd 8
-for further details of the format of this file.
-.Pp
-.It /etc/ssh/sshrc
-Commands in this file are executed by
-.Nm
-when the user logs in, just before the user's shell (or command) is started.
-See the
-.Xr sshd 8
-manual page for more information.
-.El
-.Sh SEE ALSO
-.Xr scp 1 ,
-.Xr sftp 1 ,
-.Xr ssh-add 1 ,
-.Xr ssh-agent 1 ,
-.Xr ssh-keygen 1 ,
-.Xr ssh-keyscan 1 ,
-.Xr tun 4 ,
-.Xr hosts.equiv 5 ,
-.Xr ssh_config 5 ,
-.Xr ssh-keysign 8 ,
-.Xr sshd 8
-.Rs
-.%R RFC 4250
-.%T "The Secure Shell (SSH) Protocol Assigned Numbers"
-.%D 2006
-.Re
-.Rs
-.%R RFC 4251
-.%T "The Secure Shell (SSH) Protocol Architecture"
-.%D 2006
-.Re
-.Rs
-.%R RFC 4252
-.%T "The Secure Shell (SSH) Authentication Protocol"
-.%D 2006
-.Re
-.Rs
-.%R RFC 4253
-.%T "The Secure Shell (SSH) Transport Layer Protocol"
-.%D 2006
-.Re
-.Rs
-.%R RFC 4254
-.%T "The Secure Shell (SSH) Connection Protocol"
-.%D 2006
-.Re
-.Rs
-.%R RFC 4255
-.%T "Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints"
-.%D 2006
-.Re
-.Rs
-.%R RFC 4256
-.%T "Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)"
-.%D 2006
-.Re
-.Rs
-.%R RFC 4335
-.%T "The Secure Shell (SSH) Session Channel Break Extension"
-.%D 2006
-.Re
-.Rs
-.%R RFC 4344
-.%T "The Secure Shell (SSH) Transport Layer Encryption Modes"
-.%D 2006
-.Re
-.Rs
-.%R RFC 4345
-.%T "Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol"
-.%D 2006
-.Re
-.Rs
-.%R RFC 4419
-.%T "Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol"
-.%D 2006
-.Re
-.Sh AUTHORS
-OpenSSH is a derivative of the original and free
-ssh 1.2.12 release by Tatu Ylonen.
-Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
-Theo de Raadt and Dug Song
-removed many bugs, re-added newer features and
-created OpenSSH.
-Markus Friedl contributed the support for SSH
-protocol versions 1.5 and 2.0.
diff --git a/crypto/openssh/ssh.c b/crypto/openssh/ssh.c
deleted file mode 100644
index 47297ed..0000000
--- a/crypto/openssh/ssh.c
+++ /dev/null
@@ -1,1484 +0,0 @@
-/* $OpenBSD: ssh.c,v 1.294 2006/10/06 02:29:19 djm Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Ssh client program.  This program can be used to log into a remote machine.
- * The software supports strong authentication, encryption, and forwarding
- * of X11, TCP/IP, and authentication connections.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- * Copyright (c) 1999 Niels Provos.  All rights reserved.
- * Copyright (c) 2000, 2001, 2002, 2003 Markus Friedl.  All rights reserved.
- *
- * Modified to work with SSL by Niels Provos <provos@citi.umich.edu>
- * in Canada (German citizen).
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#ifdef HAVE_SYS_STAT_H
-# include <sys/stat.h>
-#endif
-#include <sys/resource.h>
-#include <sys/ioctl.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <netdb.h>
-#ifdef HAVE_PATHS_H
-#include <paths.h>
-#endif
-#include <pwd.h>
-#include <signal.h>
-#include <stdarg.h>
-#include <stddef.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include <openssl/evp.h>
-#include <openssl/err.h>
-
-#include "xmalloc.h"
-#include "ssh.h"
-#include "ssh1.h"
-#include "ssh2.h"
-#include "compat.h"
-#include "cipher.h"
-#include "packet.h"
-#include "buffer.h"
-#include "channels.h"
-#include "key.h"
-#include "authfd.h"
-#include "authfile.h"
-#include "pathnames.h"
-#include "dispatch.h"
-#include "clientloop.h"
-#include "log.h"
-#include "readconf.h"
-#include "sshconnect.h"
-#include "misc.h"
-#include "kex.h"
-#include "mac.h"
-#include "sshpty.h"
-#include "match.h"
-#include "msg.h"
-#include "monitor_fdpass.h"
-#include "uidswap.h"
-#include "version.h"
-
-#ifdef SMARTCARD
-#include "scard.h"
-#endif
-
-extern char *__progname;
-
-/* Flag indicating whether debug mode is on.  This can be set on the command line. */
-int debug_flag = 0;
-
-/* Flag indicating whether a tty should be allocated */
-int tty_flag = 0;
-int no_tty_flag = 0;
-int force_tty_flag = 0;
-
-/* don't exec a shell */
-int no_shell_flag = 0;
-
-/*
- * Flag indicating that nothing should be read from stdin.  This can be set
- * on the command line.
- */
-int stdin_null_flag = 0;
-
-/*
- * Flag indicating that ssh should fork after authentication.  This is useful
- * so that the passphrase can be entered manually, and then ssh goes to the
- * background.
- */
-int fork_after_authentication_flag = 0;
-
-/*
- * General data structure for command line options and options configurable
- * in configuration files.  See readconf.h.
- */
-Options options;
-
-/* optional user configfile */
-char *config = NULL;
-
-/*
- * Name of the host we are connecting to.  This is the name given on the
- * command line, or the HostName specified for the user-supplied name in a
- * configuration file.
- */
-char *host;
-
-/* socket address the host resolves to */
-struct sockaddr_storage hostaddr;
-
-/* Private host keys. */
-Sensitive sensitive_data;
-
-/* Original real UID. */
-uid_t original_real_uid;
-uid_t original_effective_uid;
-
-/* command to be executed */
-Buffer command;
-
-/* Should we execute a command or invoke a subsystem? */
-int subsystem_flag = 0;
-
-/* # of replies received for global requests */
-static int client_global_request_id = 0;
-
-/* pid of proxycommand child process */
-pid_t proxy_command_pid = 0;
-
-/* fd to control socket */
-int control_fd = -1;
-
-/* Multiplexing control command */
-static u_int mux_command = 0;
-
-/* Only used in control client mode */
-volatile sig_atomic_t control_client_terminate = 0;
-u_int control_server_pid = 0;
-
-/* Prints a help message to the user.  This function never returns. */
-
-static void
-usage(void)
-{
-	fprintf(stderr,
-"usage: ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n"
-"           [-D [bind_address:]port] [-e escape_char] [-F configfile]\n"
-"           [-i identity_file] [-L [bind_address:]port:host:hostport]\n"
-"           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
-"           [-R [bind_address:]port:host:hostport] [-S ctl_path]\n"
-"           [-w local_tun[:remote_tun]] [user@]hostname [command]\n"
-	);
-	exit(255);
-}
-
-static int ssh_session(void);
-static int ssh_session2(void);
-static void load_public_identity_files(void);
-static void control_client(const char *path);
-
-/*
- * Main program for the ssh client.
- */
-int
-main(int ac, char **av)
-{
-	int i, opt, exit_status;
-	char *p, *cp, *line, buf[256];
-	struct stat st;
-	struct passwd *pw;
-	int dummy;
-	extern int optind, optreset;
-	extern char *optarg;
-	struct servent *sp;
-	Forward fwd;
-
-	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
-	sanitise_stdfd();
-
-	__progname = ssh_get_progname(av[0]);
-	init_rng();
-
-	/*
-	 * Save the original real uid.  It will be needed later (uid-swapping
-	 * may clobber the real uid).
-	 */
-	original_real_uid = getuid();
-	original_effective_uid = geteuid();
-
-	/*
-	 * Use uid-swapping to give up root privileges for the duration of
-	 * option processing.  We will re-instantiate the rights when we are
-	 * ready to create the privileged port, and will permanently drop
-	 * them when the port has been created (actually, when the connection
-	 * has been made, as we may need to create the port several times).
-	 */
-	PRIV_END;
-
-#ifdef HAVE_SETRLIMIT
-	/* If we are installed setuid root be careful to not drop core. */
-	if (original_real_uid != original_effective_uid) {
-		struct rlimit rlim;
-		rlim.rlim_cur = rlim.rlim_max = 0;
-		if (setrlimit(RLIMIT_CORE, &rlim) < 0)
-			fatal("setrlimit failed: %.100s", strerror(errno));
-	}
-#endif
-	/* Get user data. */
-	pw = getpwuid(original_real_uid);
-	if (!pw) {
-		logit("You don't exist, go away!");
-		exit(255);
-	}
-	/* Take a copy of the returned structure. */
-	pw = pwcopy(pw);
-
-	/*
-	 * Set our umask to something reasonable, as some files are created
-	 * with the default umask.  This will make them world-readable but
-	 * writable only by the owner, which is ok for all files for which we
-	 * don't set the modes explicitly.
-	 */
-	umask(022);
-
-	/* Initialize option structure to indicate that no values have been set. */
-	initialize_options(&options);
-
-	/* Parse command-line arguments. */
-	host = NULL;
-
- again:
-	while ((opt = getopt(ac, av,
-	    "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:MNO:PR:S:TVw:XY")) != -1) {
-		switch (opt) {
-		case '1':
-			options.protocol = SSH_PROTO_1;
-			break;
-		case '2':
-			options.protocol = SSH_PROTO_2;
-			break;
-		case '4':
-			options.address_family = AF_INET;
-			break;
-		case '6':
-			options.address_family = AF_INET6;
-			break;
-		case 'n':
-			stdin_null_flag = 1;
-			break;
-		case 'f':
-			fork_after_authentication_flag = 1;
-			stdin_null_flag = 1;
-			break;
-		case 'x':
-			options.forward_x11 = 0;
-			break;
-		case 'X':
-			options.forward_x11 = 1;
-			break;
-		case 'Y':
-			options.forward_x11 = 1;
-			options.forward_x11_trusted = 1;
-			break;
-		case 'g':
-			options.gateway_ports = 1;
-			break;
-		case 'O':
-			if (strcmp(optarg, "check") == 0)
-				mux_command = SSHMUX_COMMAND_ALIVE_CHECK;
-			else if (strcmp(optarg, "exit") == 0)
-				mux_command = SSHMUX_COMMAND_TERMINATE;
-			else
-				fatal("Invalid multiplex command.");
-			break;
-		case 'P':	/* deprecated */
-			options.use_privileged_port = 0;
-			break;
-		case 'a':
-			options.forward_agent = 0;
-			break;
-		case 'A':
-			options.forward_agent = 1;
-			break;
-		case 'k':
-			options.gss_deleg_creds = 0;
-			break;
-		case 'i':
-			if (stat(optarg, &st) < 0) {
-				fprintf(stderr, "Warning: Identity file %s "
-				    "not accessible: %s.\n", optarg,
-				    strerror(errno));
-				break;
-			}
-			if (options.num_identity_files >=
-			    SSH_MAX_IDENTITY_FILES)
-				fatal("Too many identity files specified "
-				    "(max %d)", SSH_MAX_IDENTITY_FILES);
-			options.identity_files[options.num_identity_files++] =
-			    xstrdup(optarg);
-			break;
-		case 'I':
-#ifdef SMARTCARD
-			options.smartcard_device = xstrdup(optarg);
-#else
-			fprintf(stderr, "no support for smartcards.\n");
-#endif
-			break;
-		case 't':
-			if (tty_flag)
-				force_tty_flag = 1;
-			tty_flag = 1;
-			break;
-		case 'v':
-			if (debug_flag == 0) {
-				debug_flag = 1;
-				options.log_level = SYSLOG_LEVEL_DEBUG1;
-			} else {
-				if (options.log_level < SYSLOG_LEVEL_DEBUG3)
-					options.log_level++;
-				break;
-			}
-			/* FALLTHROUGH */
-		case 'V':
-			fprintf(stderr, "%s, %s\n",
-			    SSH_RELEASE, SSLeay_version(SSLEAY_VERSION));
-			if (opt == 'V')
-				exit(0);
-			break;
-		case 'w':
-			if (options.tun_open == -1)
-				options.tun_open = SSH_TUNMODE_DEFAULT;
-			options.tun_local = a2tun(optarg, &options.tun_remote);
-			if (options.tun_local == SSH_TUNID_ERR) {
-				fprintf(stderr, "Bad tun device '%s'\n", optarg);
-				exit(255);
-			}
-			break;
-		case 'q':
-			options.log_level = SYSLOG_LEVEL_QUIET;
-			break;
-		case 'e':
-			if (optarg[0] == '^' && optarg[2] == 0 &&
-			    (u_char) optarg[1] >= 64 &&
-			    (u_char) optarg[1] < 128)
-				options.escape_char = (u_char) optarg[1] & 31;
-			else if (strlen(optarg) == 1)
-				options.escape_char = (u_char) optarg[0];
-			else if (strcmp(optarg, "none") == 0)
-				options.escape_char = SSH_ESCAPECHAR_NONE;
-			else {
-				fprintf(stderr, "Bad escape character '%s'.\n",
-				    optarg);
-				exit(255);
-			}
-			break;
-		case 'c':
-			if (ciphers_valid(optarg)) {
-				/* SSH2 only */
-				options.ciphers = xstrdup(optarg);
-				options.cipher = SSH_CIPHER_INVALID;
-			} else {
-				/* SSH1 only */
-				options.cipher = cipher_number(optarg);
-				if (options.cipher == -1) {
-					fprintf(stderr,
-					    "Unknown cipher type '%s'\n",
-					    optarg);
-					exit(255);
-				}
-				if (options.cipher == SSH_CIPHER_3DES)
-					options.ciphers = "3des-cbc";
-				else if (options.cipher == SSH_CIPHER_BLOWFISH)
-					options.ciphers = "blowfish-cbc";
-				else
-					options.ciphers = (char *)-1;
-			}
-			break;
-		case 'm':
-			if (mac_valid(optarg))
-				options.macs = xstrdup(optarg);
-			else {
-				fprintf(stderr, "Unknown mac type '%s'\n",
-				    optarg);
-				exit(255);
-			}
-			break;
-		case 'M':
-			if (options.control_master == SSHCTL_MASTER_YES)
-				options.control_master = SSHCTL_MASTER_ASK;
-			else
-				options.control_master = SSHCTL_MASTER_YES;
-			break;
-		case 'p':
-			options.port = a2port(optarg);
-			if (options.port == 0) {
-				fprintf(stderr, "Bad port '%s'\n", optarg);
-				exit(255);
-			}
-			break;
-		case 'l':
-			options.user = optarg;
-			break;
-
-		case 'L':
-			if (parse_forward(&fwd, optarg))
-				add_local_forward(&options, &fwd);
-			else {
-				fprintf(stderr,
-				    "Bad local forwarding specification '%s'\n",
-				    optarg);
-				exit(255);
-			}
-			break;
-
-		case 'R':
-			if (parse_forward(&fwd, optarg)) {
-				add_remote_forward(&options, &fwd);
-			} else {
-				fprintf(stderr,
-				    "Bad remote forwarding specification "
-				    "'%s'\n", optarg);
-				exit(255);
-			}
-			break;
-
-		case 'D':
-			cp = p = xstrdup(optarg);
-			memset(&fwd, '\0', sizeof(fwd));
-			fwd.connect_host = "socks";
-			if ((fwd.listen_host = hpdelim(&cp)) == NULL) {
-				fprintf(stderr, "Bad dynamic forwarding "
-				    "specification '%.100s'\n", optarg);
-				exit(255);
-			}
-			if (cp != NULL) {
-				fwd.listen_port = a2port(cp);
-				fwd.listen_host = cleanhostname(fwd.listen_host);
-			} else {
-				fwd.listen_port = a2port(fwd.listen_host);
-				fwd.listen_host = NULL;
-			}
-
-			if (fwd.listen_port == 0) {
-				fprintf(stderr, "Bad dynamic port '%s'\n",
-				    optarg);
-				exit(255);
-			}
-			add_local_forward(&options, &fwd);
-			xfree(p);
-			break;
-
-		case 'C':
-			options.compression = 1;
-			break;
-		case 'N':
-			no_shell_flag = 1;
-			no_tty_flag = 1;
-			break;
-		case 'T':
-			no_tty_flag = 1;
-			break;
-		case 'o':
-			dummy = 1;
-			line = xstrdup(optarg);
-			if (process_config_line(&options, host ? host : "",
-			    line, "command-line", 0, &dummy) != 0)
-				exit(255);
-			xfree(line);
-			break;
-		case 's':
-			subsystem_flag = 1;
-			break;
-		case 'S':
-			if (options.control_path != NULL)
-				free(options.control_path);
-			options.control_path = xstrdup(optarg);
-			break;
-		case 'b':
-			options.bind_address = optarg;
-			break;
-		case 'F':
-			config = optarg;
-			break;
-		default:
-			usage();
-		}
-	}
-
-	ac -= optind;
-	av += optind;
-
-	if (ac > 0 && !host && **av != '-') {
-		if (strrchr(*av, '@')) {
-			p = xstrdup(*av);
-			cp = strrchr(p, '@');
-			if (cp == NULL || cp == p)
-				usage();
-			options.user = p;
-			*cp = '\0';
-			host = ++cp;
-		} else
-			host = *av;
-		if (ac > 1) {
-			optind = optreset = 1;
-			goto again;
-		}
-		ac--, av++;
-	}
-
-	/* Check that we got a host name. */
-	if (!host)
-		usage();
-
-	SSLeay_add_all_algorithms();
-	ERR_load_crypto_strings();
-
-	/* Initialize the command to execute on remote host. */
-	buffer_init(&command);
-
-	/*
-	 * Save the command to execute on the remote host in a buffer. There
-	 * is no limit on the length of the command, except by the maximum
-	 * packet size.  Also sets the tty flag if there is no command.
-	 */
-	if (!ac) {
-		/* No command specified - execute shell on a tty. */
-		tty_flag = 1;
-		if (subsystem_flag) {
-			fprintf(stderr,
-			    "You must specify a subsystem to invoke.\n");
-			usage();
-		}
-	} else {
-		/* A command has been specified.  Store it into the buffer. */
-		for (i = 0; i < ac; i++) {
-			if (i)
-				buffer_append(&command, " ", 1);
-			buffer_append(&command, av[i], strlen(av[i]));
-		}
-	}
-
-	/* Cannot fork to background if no command. */
-	if (fork_after_authentication_flag && buffer_len(&command) == 0 && !no_shell_flag)
-		fatal("Cannot fork into background without a command to execute.");
-
-	/* Allocate a tty by default if no command specified. */
-	if (buffer_len(&command) == 0)
-		tty_flag = 1;
-
-	/* Force no tty */
-	if (no_tty_flag)
-		tty_flag = 0;
-	/* Do not allocate a tty if stdin is not a tty. */
-	if ((!isatty(fileno(stdin)) || stdin_null_flag) && !force_tty_flag) {
-		if (tty_flag)
-			logit("Pseudo-terminal will not be allocated because stdin is not a terminal.");
-		tty_flag = 0;
-	}
-
-	/*
-	 * Initialize "log" output.  Since we are the client all output
-	 * actually goes to stderr.
-	 */
-	log_init(av[0], options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level,
-	    SYSLOG_FACILITY_USER, 1);
-
-	/*
-	 * Read per-user configuration file.  Ignore the system wide config
-	 * file if the user specifies a config file on the command line.
-	 */
-	if (config != NULL) {
-		if (!read_config_file(config, host, &options, 0))
-			fatal("Can't open user config file %.100s: "
-			    "%.100s", config, strerror(errno));
-	} else  {
-		snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir,
-		    _PATH_SSH_USER_CONFFILE);
-		(void)read_config_file(buf, host, &options, 1);
-
-		/* Read systemwide configuration file after use config. */
-		(void)read_config_file(_PATH_HOST_CONFIG_FILE, host,
-		    &options, 0);
-	}
-
-	/* Fill configuration defaults. */
-	fill_default_options(&options);
-
-	channel_set_af(options.address_family);
-
-	/* reinit */
-	log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 1);
-
-	seed_rng();
-
-	if (options.user == NULL)
-		options.user = xstrdup(pw->pw_name);
-
-	if (options.hostname != NULL)
-		host = options.hostname;
-
-	/* force lowercase for hostkey matching */
-	if (options.host_key_alias != NULL) {
-		for (p = options.host_key_alias; *p; p++)
-			if (isupper(*p))
-				*p = (char)tolower(*p);
-	}
-
-	/* Get default port if port has not been set. */
-	if (options.port == 0) {
-		sp = getservbyname(SSH_SERVICE_NAME, "tcp");
-		options.port = sp ? ntohs(sp->s_port) : SSH_DEFAULT_PORT;
-	}
-
-	if (options.proxy_command != NULL &&
-	    strcmp(options.proxy_command, "none") == 0)
-		options.proxy_command = NULL;
-	if (options.control_path != NULL &&
-	    strcmp(options.control_path, "none") == 0)
-		options.control_path = NULL;
-
-	if (options.control_path != NULL) {
-		char thishost[NI_MAXHOST];
-
-		if (gethostname(thishost, sizeof(thishost)) == -1)
-			fatal("gethostname: %s", strerror(errno));
-		snprintf(buf, sizeof(buf), "%d", options.port);
-		cp = tilde_expand_filename(options.control_path,
-		    original_real_uid);
-		options.control_path = percent_expand(cp, "p", buf, "h", host,
-		    "r", options.user, "l", thishost, (char *)NULL);
-		xfree(cp);
-	}
-	if (mux_command != 0 && options.control_path == NULL)
-		fatal("No ControlPath specified for \"-O\" command");
-	if (options.control_path != NULL)
-		control_client(options.control_path);
-
-	/* Open a connection to the remote host. */
-	if (ssh_connect(host, &hostaddr, options.port,
-	    options.address_family, options.connection_attempts,
-#ifdef HAVE_CYGWIN
-	    options.use_privileged_port,
-#else
-	    original_effective_uid == 0 && options.use_privileged_port,
-#endif
-	    options.proxy_command) != 0)
-		exit(255);
-
-	/*
-	 * If we successfully made the connection, load the host private key
-	 * in case we will need it later for combined rsa-rhosts
-	 * authentication. This must be done before releasing extra
-	 * privileges, because the file is only readable by root.
-	 * If we cannot access the private keys, load the public keys
-	 * instead and try to execute the ssh-keysign helper instead.
-	 */
-	sensitive_data.nkeys = 0;
-	sensitive_data.keys = NULL;
-	sensitive_data.external_keysign = 0;
-	if (options.rhosts_rsa_authentication ||
-	    options.hostbased_authentication) {
-		sensitive_data.nkeys = 3;
-		sensitive_data.keys = xcalloc(sensitive_data.nkeys,
-		    sizeof(Key));
-
-		PRIV_START;
-		sensitive_data.keys[0] = key_load_private_type(KEY_RSA1,
-		    _PATH_HOST_KEY_FILE, "", NULL, NULL);
-		sensitive_data.keys[1] = key_load_private_type(KEY_DSA,
-		    _PATH_HOST_DSA_KEY_FILE, "", NULL, NULL);
-		sensitive_data.keys[2] = key_load_private_type(KEY_RSA,
-		    _PATH_HOST_RSA_KEY_FILE, "", NULL, NULL);
-		PRIV_END;
-
-		if (options.hostbased_authentication == 1 &&
-		    sensitive_data.keys[0] == NULL &&
-		    sensitive_data.keys[1] == NULL &&
-		    sensitive_data.keys[2] == NULL) {
-			sensitive_data.keys[1] = key_load_public(
-			    _PATH_HOST_DSA_KEY_FILE, NULL);
-			sensitive_data.keys[2] = key_load_public(
-			    _PATH_HOST_RSA_KEY_FILE, NULL);
-			sensitive_data.external_keysign = 1;
-		}
-	}
-	/*
-	 * Get rid of any extra privileges that we may have.  We will no
-	 * longer need them.  Also, extra privileges could make it very hard
-	 * to read identity files and other non-world-readable files from the
-	 * user's home directory if it happens to be on a NFS volume where
-	 * root is mapped to nobody.
-	 */
-	if (original_effective_uid == 0) {
-		PRIV_START;
-		permanently_set_uid(pw);
-	}
-
-	/*
-	 * Now that we are back to our own permissions, create ~/.ssh
-	 * directory if it doesn't already exist.
-	 */
-	snprintf(buf, sizeof buf, "%.100s%s%.100s", pw->pw_dir, strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
-	if (stat(buf, &st) < 0)
-		if (mkdir(buf, 0700) < 0)
-			error("Could not create directory '%.200s'.", buf);
-
-	/* load options.identity_files */
-	load_public_identity_files();
-
-	/* Expand ~ in known host file names. */
-	/* XXX mem-leaks: */
-	options.system_hostfile =
-	    tilde_expand_filename(options.system_hostfile, original_real_uid);
-	options.user_hostfile =
-	    tilde_expand_filename(options.user_hostfile, original_real_uid);
-	options.system_hostfile2 =
-	    tilde_expand_filename(options.system_hostfile2, original_real_uid);
-	options.user_hostfile2 =
-	    tilde_expand_filename(options.user_hostfile2, original_real_uid);
-
-	signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */
-
-	/* Log into the remote system.  This never returns if the login fails. */
-	ssh_login(&sensitive_data, host, (struct sockaddr *)&hostaddr, pw);
-
-	/* We no longer need the private host keys.  Clear them now. */
-	if (sensitive_data.nkeys != 0) {
-		for (i = 0; i < sensitive_data.nkeys; i++) {
-			if (sensitive_data.keys[i] != NULL) {
-				/* Destroys contents safely */
-				debug3("clear hostkey %d", i);
-				key_free(sensitive_data.keys[i]);
-				sensitive_data.keys[i] = NULL;
-			}
-		}
-		xfree(sensitive_data.keys);
-	}
-	for (i = 0; i < options.num_identity_files; i++) {
-		if (options.identity_files[i]) {
-			xfree(options.identity_files[i]);
-			options.identity_files[i] = NULL;
-		}
-		if (options.identity_keys[i]) {
-			key_free(options.identity_keys[i]);
-			options.identity_keys[i] = NULL;
-		}
-	}
-
-	exit_status = compat20 ? ssh_session2() : ssh_session();
-	packet_close();
-
-	if (options.control_path != NULL && control_fd != -1)
-		unlink(options.control_path);
-
-	/*
-	 * Send SIGHUP to proxy command if used. We don't wait() in
-	 * case it hangs and instead rely on init to reap the child
-	 */
-	if (proxy_command_pid > 1)
-		kill(proxy_command_pid, SIGHUP);
-
-	return exit_status;
-}
-
-static void
-ssh_init_forwarding(void)
-{
-	int success = 0;
-	int i;
-
-	/* Initiate local TCP/IP port forwardings. */
-	for (i = 0; i < options.num_local_forwards; i++) {
-		debug("Local connections to %.200s:%d forwarded to remote "
-		    "address %.200s:%d",
-		    (options.local_forwards[i].listen_host == NULL) ?
-		    (options.gateway_ports ? "*" : "LOCALHOST") :
-		    options.local_forwards[i].listen_host,
-		    options.local_forwards[i].listen_port,
-		    options.local_forwards[i].connect_host,
-		    options.local_forwards[i].connect_port);
-		success += channel_setup_local_fwd_listener(
-		    options.local_forwards[i].listen_host,
-		    options.local_forwards[i].listen_port,
-		    options.local_forwards[i].connect_host,
-		    options.local_forwards[i].connect_port,
-		    options.gateway_ports);
-	}
-	if (i > 0 && success != i && options.exit_on_forward_failure)
-		fatal("Could not request local forwarding.");
-	if (i > 0 && success == 0)
-		error("Could not request local forwarding.");
-
-	/* Initiate remote TCP/IP port forwardings. */
-	for (i = 0; i < options.num_remote_forwards; i++) {
-		debug("Remote connections from %.200s:%d forwarded to "
-		    "local address %.200s:%d",
-		    (options.remote_forwards[i].listen_host == NULL) ?
-		    "LOCALHOST" : options.remote_forwards[i].listen_host,
-		    options.remote_forwards[i].listen_port,
-		    options.remote_forwards[i].connect_host,
-		    options.remote_forwards[i].connect_port);
-		if (channel_request_remote_forwarding(
-		    options.remote_forwards[i].listen_host,
-		    options.remote_forwards[i].listen_port,
-		    options.remote_forwards[i].connect_host,
-		    options.remote_forwards[i].connect_port) < 0) {
-			if (options.exit_on_forward_failure)
-				fatal("Could not request remote forwarding.");
-			else
-				logit("Warning: Could not request remote "
-				    "forwarding.");
-		}
-	}
-}
-
-static void
-check_agent_present(void)
-{
-	if (options.forward_agent) {
-		/* Clear agent forwarding if we don't have an agent. */
-		if (!ssh_agent_present())
-			options.forward_agent = 0;
-	}
-}
-
-static int
-ssh_session(void)
-{
-	int type;
-	int interactive = 0;
-	int have_tty = 0;
-	struct winsize ws;
-	char *cp;
-	const char *display;
-
-	/* Enable compression if requested. */
-	if (options.compression) {
-		debug("Requesting compression at level %d.", options.compression_level);
-
-		if (options.compression_level < 1 || options.compression_level > 9)
-			fatal("Compression level must be from 1 (fast) to 9 (slow, best).");
-
-		/* Send the request. */
-		packet_start(SSH_CMSG_REQUEST_COMPRESSION);
-		packet_put_int(options.compression_level);
-		packet_send();
-		packet_write_wait();
-		type = packet_read();
-		if (type == SSH_SMSG_SUCCESS)
-			packet_start_compression(options.compression_level);
-		else if (type == SSH_SMSG_FAILURE)
-			logit("Warning: Remote host refused compression.");
-		else
-			packet_disconnect("Protocol error waiting for compression response.");
-	}
-	/* Allocate a pseudo tty if appropriate. */
-	if (tty_flag) {
-		debug("Requesting pty.");
-
-		/* Start the packet. */
-		packet_start(SSH_CMSG_REQUEST_PTY);
-
-		/* Store TERM in the packet.  There is no limit on the
-		   length of the string. */
-		cp = getenv("TERM");
-		if (!cp)
-			cp = "";
-		packet_put_cstring(cp);
-
-		/* Store window size in the packet. */
-		if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) < 0)
-			memset(&ws, 0, sizeof(ws));
-		packet_put_int((u_int)ws.ws_row);
-		packet_put_int((u_int)ws.ws_col);
-		packet_put_int((u_int)ws.ws_xpixel);
-		packet_put_int((u_int)ws.ws_ypixel);
-
-		/* Store tty modes in the packet. */
-		tty_make_modes(fileno(stdin), NULL);
-
-		/* Send the packet, and wait for it to leave. */
-		packet_send();
-		packet_write_wait();
-
-		/* Read response from the server. */
-		type = packet_read();
-		if (type == SSH_SMSG_SUCCESS) {
-			interactive = 1;
-			have_tty = 1;
-		} else if (type == SSH_SMSG_FAILURE)
-			logit("Warning: Remote host failed or refused to allocate a pseudo tty.");
-		else
-			packet_disconnect("Protocol error waiting for pty request response.");
-	}
-	/* Request X11 forwarding if enabled and DISPLAY is set. */
-	display = getenv("DISPLAY");
-	if (options.forward_x11 && display != NULL) {
-		char *proto, *data;
-		/* Get reasonable local authentication information. */
-		client_x11_get_proto(display, options.xauth_location,
-		    options.forward_x11_trusted, &proto, &data);
-		/* Request forwarding with authentication spoofing. */
-		debug("Requesting X11 forwarding with authentication spoofing.");
-		x11_request_forwarding_with_spoofing(0, display, proto, data);
-
-		/* Read response from the server. */
-		type = packet_read();
-		if (type == SSH_SMSG_SUCCESS) {
-			interactive = 1;
-		} else if (type == SSH_SMSG_FAILURE) {
-			logit("Warning: Remote host denied X11 forwarding.");
-		} else {
-			packet_disconnect("Protocol error waiting for X11 forwarding");
-		}
-	}
-	/* Tell the packet module whether this is an interactive session. */
-	packet_set_interactive(interactive);
-
-	/* Request authentication agent forwarding if appropriate. */
-	check_agent_present();
-
-	if (options.forward_agent) {
-		debug("Requesting authentication agent forwarding.");
-		auth_request_forwarding();
-
-		/* Read response from the server. */
-		type = packet_read();
-		packet_check_eom();
-		if (type != SSH_SMSG_SUCCESS)
-			logit("Warning: Remote host denied authentication agent forwarding.");
-	}
-
-	/* Initiate port forwardings. */
-	ssh_init_forwarding();
-
-	/* If requested, let ssh continue in the background. */
-	if (fork_after_authentication_flag)
-		if (daemon(1, 1) < 0)
-			fatal("daemon() failed: %.200s", strerror(errno));
-
-	/*
-	 * If a command was specified on the command line, execute the
-	 * command now. Otherwise request the server to start a shell.
-	 */
-	if (buffer_len(&command) > 0) {
-		int len = buffer_len(&command);
-		if (len > 900)
-			len = 900;
-		debug("Sending command: %.*s", len, (u_char *)buffer_ptr(&command));
-		packet_start(SSH_CMSG_EXEC_CMD);
-		packet_put_string(buffer_ptr(&command), buffer_len(&command));
-		packet_send();
-		packet_write_wait();
-	} else {
-		debug("Requesting shell.");
-		packet_start(SSH_CMSG_EXEC_SHELL);
-		packet_send();
-		packet_write_wait();
-	}
-
-	/* Enter the interactive session. */
-	return client_loop(have_tty, tty_flag ?
-	    options.escape_char : SSH_ESCAPECHAR_NONE, 0);
-}
-
-static void
-ssh_subsystem_reply(int type, u_int32_t seq, void *ctxt)
-{
-	int id, len;
-
-	id = packet_get_int();
-	len = buffer_len(&command);
-	if (len > 900)
-		len = 900;
-	packet_check_eom();
-	if (type == SSH2_MSG_CHANNEL_FAILURE)
-		fatal("Request for subsystem '%.*s' failed on channel %d",
-		    len, (u_char *)buffer_ptr(&command), id);
-}
-
-void
-client_global_request_reply_fwd(int type, u_int32_t seq, void *ctxt)
-{
-	int i;
-
-	i = client_global_request_id++;
-	if (i >= options.num_remote_forwards)
-		return;
-	debug("remote forward %s for: listen %d, connect %s:%d",
-	    type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure",
-	    options.remote_forwards[i].listen_port,
-	    options.remote_forwards[i].connect_host,
-	    options.remote_forwards[i].connect_port);
-	if (type == SSH2_MSG_REQUEST_FAILURE) {
-		if (options.exit_on_forward_failure)
-			fatal("Error: remote port forwarding failed for "
-			    "listen port %d",
-			    options.remote_forwards[i].listen_port);
-		else
-			logit("Warning: remote port forwarding failed for "
-			    "listen port %d",
-			    options.remote_forwards[i].listen_port);
-	}
-}
-
-static void
-ssh_control_listener(void)
-{
-	struct sockaddr_un addr;
-	mode_t old_umask;
-	int addr_len;
-
-	if (options.control_path == NULL ||
-	    options.control_master == SSHCTL_MASTER_NO)
-		return;
-
-	debug("setting up multiplex master socket");
-
-	memset(&addr, '\0', sizeof(addr));
-	addr.sun_family = AF_UNIX;
-	addr_len = offsetof(struct sockaddr_un, sun_path) +
-	    strlen(options.control_path) + 1;
-
-	if (strlcpy(addr.sun_path, options.control_path,
-	    sizeof(addr.sun_path)) >= sizeof(addr.sun_path))
-		fatal("ControlPath too long");
-
-	if ((control_fd = socket(PF_UNIX, SOCK_STREAM, 0)) < 0)
-		fatal("%s socket(): %s", __func__, strerror(errno));
-
-	old_umask = umask(0177);
-	if (bind(control_fd, (struct sockaddr *)&addr, addr_len) == -1) {
-		control_fd = -1;
-		if (errno == EINVAL || errno == EADDRINUSE)
-			fatal("ControlSocket %s already exists",
-			    options.control_path);
-		else
-			fatal("%s bind(): %s", __func__, strerror(errno));
-	}
-	umask(old_umask);
-
-	if (listen(control_fd, 64) == -1)
-		fatal("%s listen(): %s", __func__, strerror(errno));
-
-	set_nonblock(control_fd);
-}
-
-/* request pty/x11/agent/tcpfwd/shell for channel */
-static void
-ssh_session2_setup(int id, void *arg)
-{
-	extern char **environ;
-	const char *display;
-	int interactive = tty_flag;
-
-	display = getenv("DISPLAY");
-	if (options.forward_x11 && display != NULL) {
-		char *proto, *data;
-		/* Get reasonable local authentication information. */
-		client_x11_get_proto(display, options.xauth_location,
-		    options.forward_x11_trusted, &proto, &data);
-		/* Request forwarding with authentication spoofing. */
-		debug("Requesting X11 forwarding with authentication spoofing.");
-		x11_request_forwarding_with_spoofing(id, display, proto, data);
-		interactive = 1;
-		/* XXX wait for reply */
-	}
-
-	check_agent_present();
-	if (options.forward_agent) {
-		debug("Requesting authentication agent forwarding.");
-		channel_request_start(id, "auth-agent-req@openssh.com", 0);
-		packet_send();
-	}
-
-	if (options.tun_open != SSH_TUNMODE_NO) {
-		Channel *c;
-		int fd;
-
-		debug("Requesting tun.");
-		if ((fd = tun_open(options.tun_local,
-		    options.tun_open)) >= 0) {
-			c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
-			    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
-			    0, "tun", 1);
-			c->datagram = 1;
-#if defined(SSH_TUN_FILTER)
-			if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
-				channel_register_filter(c->self, sys_tun_infilter,
-				    sys_tun_outfilter);
-#endif
-			packet_start(SSH2_MSG_CHANNEL_OPEN);
-			packet_put_cstring("tun@openssh.com");
-			packet_put_int(c->self);
-			packet_put_int(c->local_window_max);
-			packet_put_int(c->local_maxpacket);
-			packet_put_int(options.tun_open);
-			packet_put_int(options.tun_remote);
-			packet_send();
-		}
-	}
-
-	client_session2_setup(id, tty_flag, subsystem_flag, getenv("TERM"),
-	    NULL, fileno(stdin), &command, environ, &ssh_subsystem_reply);
-
-	packet_set_interactive(interactive);
-}
-
-/* open new channel for a session */
-static int
-ssh_session2_open(void)
-{
-	Channel *c;
-	int window, packetmax, in, out, err;
-
-	if (stdin_null_flag) {
-		in = open(_PATH_DEVNULL, O_RDONLY);
-	} else {
-		in = dup(STDIN_FILENO);
-	}
-	out = dup(STDOUT_FILENO);
-	err = dup(STDERR_FILENO);
-
-	if (in < 0 || out < 0 || err < 0)
-		fatal("dup() in/out/err failed");
-
-	/* enable nonblocking unless tty */
-	if (!isatty(in))
-		set_nonblock(in);
-	if (!isatty(out))
-		set_nonblock(out);
-	if (!isatty(err))
-		set_nonblock(err);
-
-	window = CHAN_SES_WINDOW_DEFAULT;
-	packetmax = CHAN_SES_PACKET_DEFAULT;
-	if (tty_flag) {
-		window >>= 1;
-		packetmax >>= 1;
-	}
-	c = channel_new(
-	    "session", SSH_CHANNEL_OPENING, in, out, err,
-	    window, packetmax, CHAN_EXTENDED_WRITE,
-	    "client-session", /*nonblock*/0);
-
-	debug3("ssh_session2_open: channel_new: %d", c->self);
-
-	channel_send_open(c->self);
-	if (!no_shell_flag)
-		channel_register_confirm(c->self, ssh_session2_setup, NULL);
-
-	return c->self;
-}
-
-static int
-ssh_session2(void)
-{
-	int id = -1;
-
-	/* XXX should be pre-session */
-	ssh_init_forwarding();
-	ssh_control_listener();
-
-	if (!no_shell_flag || (datafellows & SSH_BUG_DUMMYCHAN))
-		id = ssh_session2_open();
-
-	/* Execute a local command */
-	if (options.local_command != NULL &&
-	    options.permit_local_command)
-		ssh_local_cmd(options.local_command);
-
-	/* If requested, let ssh continue in the background. */
-	if (fork_after_authentication_flag)
-		if (daemon(1, 1) < 0)
-			fatal("daemon() failed: %.200s", strerror(errno));
-
-	return client_loop(tty_flag, tty_flag ?
-	    options.escape_char : SSH_ESCAPECHAR_NONE, id);
-}
-
-static void
-load_public_identity_files(void)
-{
-	char *filename, *cp, thishost[NI_MAXHOST];
-	int i = 0;
-	Key *public;
-	struct passwd *pw;
-#ifdef SMARTCARD
-	Key **keys;
-
-	if (options.smartcard_device != NULL &&
-	    options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
-	    (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL) {
-		int count = 0;
-		for (i = 0; keys[i] != NULL; i++) {
-			count++;
-			memmove(&options.identity_files[1], &options.identity_files[0],
-			    sizeof(char *) * (SSH_MAX_IDENTITY_FILES - 1));
-			memmove(&options.identity_keys[1], &options.identity_keys[0],
-			    sizeof(Key *) * (SSH_MAX_IDENTITY_FILES - 1));
-			options.num_identity_files++;
-			options.identity_keys[0] = keys[i];
-			options.identity_files[0] = sc_get_key_label(keys[i]);
-		}
-		if (options.num_identity_files > SSH_MAX_IDENTITY_FILES)
-			options.num_identity_files = SSH_MAX_IDENTITY_FILES;
-		i = count;
-		xfree(keys);
-	}
-#endif /* SMARTCARD */
-	if ((pw = getpwuid(original_real_uid)) == NULL)
-		fatal("load_public_identity_files: getpwuid failed");
-	if (gethostname(thishost, sizeof(thishost)) == -1)
-		fatal("load_public_identity_files: gethostname: %s",
-		    strerror(errno));
-	for (; i < options.num_identity_files; i++) {
-		cp = tilde_expand_filename(options.identity_files[i],
-		    original_real_uid);
-		filename = percent_expand(cp, "d", pw->pw_dir,
-		    "u", pw->pw_name, "l", thishost, "h", host,
-		    "r", options.user, (char *)NULL);
-		xfree(cp);
-		public = key_load_public(filename, NULL);
-		debug("identity file %s type %d", filename,
-		    public ? public->type : -1);
-		xfree(options.identity_files[i]);
-		options.identity_files[i] = filename;
-		options.identity_keys[i] = public;
-	}
-}
-
-static void
-control_client_sighandler(int signo)
-{
-	control_client_terminate = signo;
-}
-
-static void
-control_client_sigrelay(int signo)
-{
-	if (control_server_pid > 1)
-		kill(control_server_pid, signo);
-}
-
-static int
-env_permitted(char *env)
-{
-	int i, ret;
-	char name[1024], *cp;
-
-	if ((cp = strchr(env, '=')) == NULL || cp == env)
-		return (0);
-	ret = snprintf(name, sizeof(name), "%.*s", (int)(cp - env), env);
-	if (ret <= 0 || (size_t)ret >= sizeof(name))
-		fatal("env_permitted: name '%.100s...' too long", env);
-
-	for (i = 0; i < options.num_send_env; i++)
-		if (match_pattern(name, options.send_env[i]))
-			return (1);
-
-	return (0);
-}
-
-static void
-control_client(const char *path)
-{
-	struct sockaddr_un addr;
-	int i, r, fd, sock, exitval, num_env, addr_len;
-	Buffer m;
-	char *term;
-	extern char **environ;
-	u_int  flags;
-
-	if (mux_command == 0)
-		mux_command = SSHMUX_COMMAND_OPEN;
-
-	switch (options.control_master) {
-	case SSHCTL_MASTER_AUTO:
-	case SSHCTL_MASTER_AUTO_ASK:
-		debug("auto-mux: Trying existing master");
-		/* FALLTHROUGH */
-	case SSHCTL_MASTER_NO:
-		break;
-	default:
-		return;
-	}
-
-	memset(&addr, '\0', sizeof(addr));
-	addr.sun_family = AF_UNIX;
-	addr_len = offsetof(struct sockaddr_un, sun_path) +
-	    strlen(path) + 1;
-
-	if (strlcpy(addr.sun_path, path,
-	    sizeof(addr.sun_path)) >= sizeof(addr.sun_path))
-		fatal("ControlPath too long");
-
-	if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) < 0)
-		fatal("%s socket(): %s", __func__, strerror(errno));
-
-	if (connect(sock, (struct sockaddr *)&addr, addr_len) == -1) {
-		if (mux_command != SSHMUX_COMMAND_OPEN) {
-			fatal("Control socket connect(%.100s): %s", path,
-			    strerror(errno));
-		}
-		if (errno == ENOENT)
-			debug("Control socket \"%.100s\" does not exist", path);
-		else {
-			error("Control socket connect(%.100s): %s", path,
-			    strerror(errno));
-		}
-		close(sock);
-		return;
-	}
-
-	if (stdin_null_flag) {
-		if ((fd = open(_PATH_DEVNULL, O_RDONLY)) == -1)
-			fatal("open(/dev/null): %s", strerror(errno));
-		if (dup2(fd, STDIN_FILENO) == -1)
-			fatal("dup2: %s", strerror(errno));
-		if (fd > STDERR_FILENO)
-			close(fd);
-	}
-
-	term = getenv("TERM");
-
-	flags = 0;
-	if (tty_flag)
-		flags |= SSHMUX_FLAG_TTY;
-	if (subsystem_flag)
-		flags |= SSHMUX_FLAG_SUBSYS;
-	if (options.forward_x11)
-		flags |= SSHMUX_FLAG_X11_FWD;
-	if (options.forward_agent)
-		flags |= SSHMUX_FLAG_AGENT_FWD;
-
-	buffer_init(&m);
-
-	/* Send our command to server */
-	buffer_put_int(&m, mux_command);
-	buffer_put_int(&m, flags);
-	if (ssh_msg_send(sock, SSHMUX_VER, &m) == -1)
-		fatal("%s: msg_send", __func__);
-	buffer_clear(&m);
-
-	/* Get authorisation status and PID of controlee */
-	if (ssh_msg_recv(sock, &m) == -1)
-		fatal("%s: msg_recv", __func__);
-	if (buffer_get_char(&m) != SSHMUX_VER)
-		fatal("%s: wrong version", __func__);
-	if (buffer_get_int(&m) != 1)
-		fatal("Connection to master denied");
-	control_server_pid = buffer_get_int(&m);
-
-	buffer_clear(&m);
-
-	switch (mux_command) {
-	case SSHMUX_COMMAND_ALIVE_CHECK:
-		fprintf(stderr, "Master running (pid=%d)\r\n",
-		    control_server_pid);
-		exit(0);
-	case SSHMUX_COMMAND_TERMINATE:
-		fprintf(stderr, "Exit request sent.\r\n");
-		exit(0);
-	case SSHMUX_COMMAND_OPEN:
-		/* continue below */
-		break;
-	default:
-		fatal("silly mux_command %d", mux_command);
-	}
-
-	/* SSHMUX_COMMAND_OPEN */
-	buffer_put_cstring(&m, term ? term : "");
-	buffer_append(&command, "\0", 1);
-	buffer_put_cstring(&m, buffer_ptr(&command));
-
-	if (options.num_send_env == 0 || environ == NULL) {
-		buffer_put_int(&m, 0);
-	} else {
-		/* Pass environment */
-		num_env = 0;
-		for (i = 0; environ[i] != NULL; i++)
-			if (env_permitted(environ[i]))
-				num_env++; /* Count */
-
-		buffer_put_int(&m, num_env);
-
-		for (i = 0; environ[i] != NULL && num_env >= 0; i++)
-			if (env_permitted(environ[i])) {
-				num_env--;
-				buffer_put_cstring(&m, environ[i]);
-			}
-	}
-
-	if (ssh_msg_send(sock, SSHMUX_VER, &m) == -1)
-		fatal("%s: msg_send", __func__);
-
-	mm_send_fd(sock, STDIN_FILENO);
-	mm_send_fd(sock, STDOUT_FILENO);
-	mm_send_fd(sock, STDERR_FILENO);
-
-	/* Wait for reply, so master has a chance to gather ttymodes */
-	buffer_clear(&m);
-	if (ssh_msg_recv(sock, &m) == -1)
-		fatal("%s: msg_recv", __func__);
-	if (buffer_get_char(&m) != SSHMUX_VER)
-		fatal("%s: wrong version", __func__);
-	buffer_free(&m);
-
-	signal(SIGHUP, control_client_sighandler);
-	signal(SIGINT, control_client_sighandler);
-	signal(SIGTERM, control_client_sighandler);
-	signal(SIGWINCH, control_client_sigrelay);
-
-	if (tty_flag)
-		enter_raw_mode();
-
-	/* Stick around until the controlee closes the client_fd */
-	exitval = 0;
-	for (;!control_client_terminate;) {
-		r = read(sock, &exitval, sizeof(exitval));
-		if (r == 0) {
-			debug2("Received EOF from master");
-			break;
-		}
-		if (r > 0)
-			debug2("Received exit status from master %d", exitval);
-		if (r == -1 && errno != EINTR)
-			fatal("%s: read %s", __func__, strerror(errno));
-	}
-
-	if (control_client_terminate)
-		debug2("Exiting on signal %d", control_client_terminate);
-
-	close(sock);
-
-	leave_raw_mode();
-
-	if (tty_flag && options.log_level != SYSLOG_LEVEL_QUIET)
-		fprintf(stderr, "Connection to master closed.\r\n");
-
-	exit(exitval);
-}
diff --git a/crypto/openssh/ssh.h b/crypto/openssh/ssh.h
deleted file mode 100644
index 186cfff..0000000
--- a/crypto/openssh/ssh.h
+++ /dev/null
@@ -1,102 +0,0 @@
-/* $OpenBSD: ssh.h,v 1.78 2006/08/03 03:34:42 deraadt Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-/* Cipher used for encrypting authentication files. */
-#define SSH_AUTHFILE_CIPHER	SSH_CIPHER_3DES
-
-/* Default port number. */
-#define SSH_DEFAULT_PORT	22
-
-/* Maximum number of TCP/IP ports forwarded per direction. */
-#define SSH_MAX_FORWARDS_PER_DIRECTION	100
-
-/*
- * Maximum number of RSA authentication identity files that can be specified
- * in configuration files or on the command line.
- */
-#define SSH_MAX_IDENTITY_FILES		100
-
-/*
- * Maximum length of lines in authorized_keys file.
- * Current value permits 16kbit RSA and RSA1 keys and 8kbit DSA keys, with
- * some room for options and comments.
- */
-#define SSH_MAX_PUBKEY_BYTES		8192
-
-/*
- * Major protocol version.  Different version indicates major incompatibility
- * that prevents communication.
- *
- * Minor protocol version.  Different version indicates minor incompatibility
- * that does not prevent interoperation.
- */
-#define PROTOCOL_MAJOR_1	1
-#define PROTOCOL_MINOR_1	5
-
-/* We support both SSH1 and SSH2 */
-#define PROTOCOL_MAJOR_2	2
-#define PROTOCOL_MINOR_2	0
-
-/*
- * Name for the service.  The port named by this service overrides the
- * default port if present.
- */
-#define SSH_SERVICE_NAME	"ssh"
-
-/*
- * Name of the environment variable containing the process ID of the
- * authentication agent.
- */
-#define SSH_AGENTPID_ENV_NAME	"SSH_AGENT_PID"
-
-/*
- * Name of the environment variable containing the pathname of the
- * authentication socket.
- */
-#define SSH_AUTHSOCKET_ENV_NAME "SSH_AUTH_SOCK"
-
-/*
- * Environment variable for overwriting the default location of askpass
- */
-#define SSH_ASKPASS_ENV		"SSH_ASKPASS"
-
-/*
- * Force host key length and server key length to differ by at least this
- * many bits.  This is to make double encryption with rsaref work.
- */
-#define SSH_KEY_BITS_RESERVED		128
-
-/*
- * Length of the session key in bytes.  (Specified as 256 bits in the
- * protocol.)
- */
-#define SSH_SESSION_KEY_LENGTH		32
-
-/* Used to identify ``EscapeChar none'' */
-#define SSH_ESCAPECHAR_NONE		-2
-
-/*
- * unprivileged user when UsePrivilegeSeparation=yes;
- * sshd will change its privileges to this user and its
- * primary group.
- */
-#ifndef SSH_PRIVSEP_USER
-#define SSH_PRIVSEP_USER		"sshd"
-#endif
-
-/* Minimum modulus size (n) for RSA keys. */
-#define SSH_RSA_MINIMUM_MODULUS_SIZE	768
-
-/* Listen backlog for sshd, ssh-agent and forwarding sockets */
-#define SSH_LISTEN_BACKLOG		128
diff --git a/crypto/openssh/ssh/Makefile b/crypto/openssh/ssh/Makefile
deleted file mode 100644
index 80511de..0000000
--- a/crypto/openssh/ssh/Makefile
+++ /dev/null
@@ -1,40 +0,0 @@
-#	$OpenBSD: Makefile,v 1.42 2002/06/20 19:56:07 stevesk Exp $
-
-.PATH:		${.CURDIR}/..
-
-PROG=	ssh
-BINOWN=	root
-
-#BINMODE?=4555
-
-BINDIR=	/usr/bin
-MAN=	ssh.1 ssh_config.5
-LINKS=	${BINDIR}/ssh ${BINDIR}/slogin
-MLINKS=	ssh.1 slogin.1
-
-SRCS=	ssh.c readconf.c clientloop.c sshtty.c \
-	sshconnect.c sshconnect1.c sshconnect2.c
-
-.include <bsd.own.mk> # for AFS
-
-.if (${KERBEROS5:L} == "yes")
-CFLAGS+= -DKRB5 -I${DESTDIR}/usr/include/kerberosV
-LDADD+=  -lkrb5 -lasn1 -lcom_err
-DPADD+=  ${LIBKRB5} ${LIBASN1} ${LIBCOM_ERR}
-.endif # KERBEROS5
-
-.if (${KERBEROS:L} == "yes")
-CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV
-LDADD+=	 -lkrb
-DPADD+=	 ${LIBKRB}
-.if (${AFS:L} == "yes")
-CFLAGS+= -DAFS
-LDADD+=  -lkafs
-DPADD+=  ${LIBKAFS}
-.endif # AFS
-.endif # KERBEROS
-
-.include <bsd.prog.mk>
-
-LDADD+=	-lcrypto -lz -ldes
-DPADD+=	${LIBCRYPTO} ${LIBZ} ${LIBDES}
diff --git a/crypto/openssh/ssh1.h b/crypto/openssh/ssh1.h
deleted file mode 100644
index 353d930..0000000
--- a/crypto/openssh/ssh1.h
+++ /dev/null
@@ -1,92 +0,0 @@
-/* $OpenBSD: ssh1.h,v 1.6 2006/03/25 22:22:43 djm Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-/*
- * Definition of message types.  New values can be added, but old values
- * should not be removed or without careful consideration of the consequences
- * for compatibility.  The maximum value is 254; value 255 is reserved for
- * future extension.
- */
-/* Ranges */
-#define SSH_MSG_MIN				1
-#define SSH_MSG_MAX				254
-/* Message name */			/* msg code */	/* arguments */
-#define SSH_MSG_NONE				0	/* no message */
-#define SSH_MSG_DISCONNECT			1	/* cause (string) */
-#define SSH_SMSG_PUBLIC_KEY			2	/* ck,msk,srvk,hostk */
-#define SSH_CMSG_SESSION_KEY			3	/* key (BIGNUM) */
-#define SSH_CMSG_USER				4	/* user (string) */
-#define SSH_CMSG_AUTH_RHOSTS			5	/* user (string) */
-#define SSH_CMSG_AUTH_RSA			6	/* modulus (BIGNUM) */
-#define SSH_SMSG_AUTH_RSA_CHALLENGE		7	/* int (BIGNUM) */
-#define SSH_CMSG_AUTH_RSA_RESPONSE		8	/* int (BIGNUM) */
-#define SSH_CMSG_AUTH_PASSWORD			9	/* pass (string) */
-#define SSH_CMSG_REQUEST_PTY			10	/* TERM, tty modes */
-#define SSH_CMSG_WINDOW_SIZE			11	/* row,col,xpix,ypix */
-#define SSH_CMSG_EXEC_SHELL			12	/* */
-#define SSH_CMSG_EXEC_CMD			13	/* cmd (string) */
-#define SSH_SMSG_SUCCESS			14	/* */
-#define SSH_SMSG_FAILURE			15	/* */
-#define SSH_CMSG_STDIN_DATA			16	/* data (string) */
-#define SSH_SMSG_STDOUT_DATA			17	/* data (string) */
-#define SSH_SMSG_STDERR_DATA			18	/* data (string) */
-#define SSH_CMSG_EOF				19	/* */
-#define SSH_SMSG_EXITSTATUS			20	/* status (int) */
-#define SSH_MSG_CHANNEL_OPEN_CONFIRMATION	21	/* channel (int) */
-#define SSH_MSG_CHANNEL_OPEN_FAILURE		22	/* channel (int) */
-#define SSH_MSG_CHANNEL_DATA			23	/* ch,data (int,str) */
-#define SSH_MSG_CHANNEL_CLOSE			24	/* channel (int) */
-#define SSH_MSG_CHANNEL_CLOSE_CONFIRMATION	25	/* channel (int) */
-/*      SSH_CMSG_X11_REQUEST_FORWARDING		26	   OBSOLETE */
-#define SSH_SMSG_X11_OPEN			27	/* channel (int) */
-#define SSH_CMSG_PORT_FORWARD_REQUEST		28	/* p,host,hp (i,s,i) */
-#define SSH_MSG_PORT_OPEN			29	/* ch,h,p (i,s,i) */
-#define SSH_CMSG_AGENT_REQUEST_FORWARDING	30	/* */
-#define SSH_SMSG_AGENT_OPEN			31	/* port (int) */
-#define SSH_MSG_IGNORE				32	/* string */
-#define SSH_CMSG_EXIT_CONFIRMATION		33	/* */
-#define SSH_CMSG_X11_REQUEST_FORWARDING		34	/* proto,data (s,s) */
-#define SSH_CMSG_AUTH_RHOSTS_RSA		35	/* user,mod (s,mpi) */
-#define SSH_MSG_DEBUG				36	/* string */
-#define SSH_CMSG_REQUEST_COMPRESSION		37	/* level 1-9 (int) */
-#define SSH_CMSG_MAX_PACKET_SIZE		38	/* size 4k-1024k (int) */
-#define SSH_CMSG_AUTH_TIS			39	/* we use this for s/key */
-#define SSH_SMSG_AUTH_TIS_CHALLENGE		40	/* challenge (string) */
-#define SSH_CMSG_AUTH_TIS_RESPONSE		41	/* response (string) */
-#define SSH_CMSG_AUTH_KERBEROS			42	/* (KTEXT) */
-#define SSH_SMSG_AUTH_KERBEROS_RESPONSE		43	/* (KTEXT) */
-#define SSH_CMSG_HAVE_KERBEROS_TGT		44	/* credentials (s) */
-#define SSH_CMSG_HAVE_AFS_TOKEN			65	/* token (s) */
-
-/* protocol version 1.5 overloads some version 1.3 message types */
-#define SSH_MSG_CHANNEL_INPUT_EOF	SSH_MSG_CHANNEL_CLOSE
-#define SSH_MSG_CHANNEL_OUTPUT_CLOSE	SSH_MSG_CHANNEL_CLOSE_CONFIRMATION
-
-/*
- * Authentication methods.  New types can be added, but old types should not
- * be removed for compatibility.  The maximum allowed value is 31.
- */
-#define SSH_AUTH_RHOSTS		1
-#define SSH_AUTH_RSA		2
-#define SSH_AUTH_PASSWORD	3
-#define SSH_AUTH_RHOSTS_RSA	4
-#define SSH_AUTH_TIS		5
-#define SSH_AUTH_KERBEROS	6
-#define SSH_PASS_KERBEROS_TGT	7
-				/* 8 to 15 are reserved */
-#define SSH_PASS_AFS_TOKEN	21
-
-/* Protocol flags.  These are bit masks. */
-#define SSH_PROTOFLAG_SCREEN_NUMBER	1	/* X11 forwarding includes screen */
-#define SSH_PROTOFLAG_HOST_IN_FWD_OPEN	2	/* forwarding opens contain host */
diff --git a/crypto/openssh/ssh2.h b/crypto/openssh/ssh2.h
deleted file mode 100644
index cf56bc4..0000000
--- a/crypto/openssh/ssh2.h
+++ /dev/null
@@ -1,161 +0,0 @@
-/* $OpenBSD: ssh2.h,v 1.10 2006/03/25 22:22:43 djm Exp $ */
-
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * draft-ietf-secsh-architecture-05.txt
- *
- *   Transport layer protocol:
- *
- *     1-19     Transport layer generic (e.g. disconnect, ignore, debug,
- *              etc)
- *     20-29    Algorithm negotiation
- *     30-49    Key exchange method specific (numbers can be reused for
- *              different authentication methods)
- *
- *   User authentication protocol:
- *
- *     50-59    User authentication generic
- *     60-79    User authentication method specific (numbers can be reused
- *              for different authentication methods)
- *
- *   Connection protocol:
- *
- *     80-89    Connection protocol generic
- *     90-127   Channel related messages
- *
- *   Reserved for client protocols:
- *
- *     128-191  Reserved
- *
- *   Local extensions:
- *
- *     192-255  Local extensions
- */
-
-/* ranges */
-
-#define SSH2_MSG_TRANSPORT_MIN				1
-#define SSH2_MSG_TRANSPORT_MAX				49
-#define SSH2_MSG_USERAUTH_MIN				50
-#define SSH2_MSG_USERAUTH_MAX				79
-#define SSH2_MSG_USERAUTH_PER_METHOD_MIN		60
-#define SSH2_MSG_USERAUTH_PER_METHOD_MAX		SSH2_MSG_USERAUTH_MAX
-#define SSH2_MSG_CONNECTION_MIN				80
-#define SSH2_MSG_CONNECTION_MAX				127
-#define SSH2_MSG_RESERVED_MIN				128
-#define SSH2_MSG_RESERVED_MAX				191
-#define SSH2_MSG_LOCAL_MIN				192
-#define SSH2_MSG_LOCAL_MAX				255
-#define SSH2_MSG_MIN					1
-#define SSH2_MSG_MAX					255
-
-/* transport layer: generic */
-
-#define SSH2_MSG_DISCONNECT				1
-#define SSH2_MSG_IGNORE					2
-#define SSH2_MSG_UNIMPLEMENTED				3
-#define SSH2_MSG_DEBUG					4
-#define SSH2_MSG_SERVICE_REQUEST			5
-#define SSH2_MSG_SERVICE_ACCEPT				6
-
-/* transport layer: alg negotiation */
-
-#define SSH2_MSG_KEXINIT				20
-#define SSH2_MSG_NEWKEYS				21
-
-/* transport layer: kex specific messages, can be reused */
-
-#define SSH2_MSG_KEXDH_INIT				30
-#define SSH2_MSG_KEXDH_REPLY				31
-
-/* dh-group-exchange */
-#define SSH2_MSG_KEX_DH_GEX_REQUEST_OLD			30
-#define SSH2_MSG_KEX_DH_GEX_GROUP			31
-#define SSH2_MSG_KEX_DH_GEX_INIT			32
-#define SSH2_MSG_KEX_DH_GEX_REPLY			33
-#define SSH2_MSG_KEX_DH_GEX_REQUEST			34
-
-/* user authentication: generic */
-
-#define SSH2_MSG_USERAUTH_REQUEST			50
-#define SSH2_MSG_USERAUTH_FAILURE			51
-#define SSH2_MSG_USERAUTH_SUCCESS			52
-#define SSH2_MSG_USERAUTH_BANNER			53
-
-/* user authentication: method specific, can be reused */
-
-#define SSH2_MSG_USERAUTH_PK_OK				60
-#define SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ		60
-#define SSH2_MSG_USERAUTH_INFO_REQUEST			60
-#define SSH2_MSG_USERAUTH_INFO_RESPONSE			61
-
-/* connection protocol: generic */
-
-#define SSH2_MSG_GLOBAL_REQUEST				80
-#define SSH2_MSG_REQUEST_SUCCESS			81
-#define SSH2_MSG_REQUEST_FAILURE			82
-
-/* channel related messages */
-
-#define SSH2_MSG_CHANNEL_OPEN				90
-#define SSH2_MSG_CHANNEL_OPEN_CONFIRMATION		91
-#define SSH2_MSG_CHANNEL_OPEN_FAILURE			92
-#define SSH2_MSG_CHANNEL_WINDOW_ADJUST			93
-#define SSH2_MSG_CHANNEL_DATA				94
-#define SSH2_MSG_CHANNEL_EXTENDED_DATA			95
-#define SSH2_MSG_CHANNEL_EOF				96
-#define SSH2_MSG_CHANNEL_CLOSE				97
-#define SSH2_MSG_CHANNEL_REQUEST			98
-#define SSH2_MSG_CHANNEL_SUCCESS			99
-#define SSH2_MSG_CHANNEL_FAILURE			100
-
-/* disconnect reason code */
-
-#define SSH2_DISCONNECT_HOST_NOT_ALLOWED_TO_CONNECT	1
-#define SSH2_DISCONNECT_PROTOCOL_ERROR			2
-#define SSH2_DISCONNECT_KEY_EXCHANGE_FAILED		3
-#define SSH2_DISCONNECT_HOST_AUTHENTICATION_FAILED	4
-#define SSH2_DISCONNECT_RESERVED			4
-#define SSH2_DISCONNECT_MAC_ERROR			5
-#define SSH2_DISCONNECT_COMPRESSION_ERROR		6
-#define SSH2_DISCONNECT_SERVICE_NOT_AVAILABLE		7
-#define SSH2_DISCONNECT_PROTOCOL_VERSION_NOT_SUPPORTED	8
-#define SSH2_DISCONNECT_HOST_KEY_NOT_VERIFIABLE		9
-#define SSH2_DISCONNECT_CONNECTION_LOST			10
-#define SSH2_DISCONNECT_BY_APPLICATION			11
-#define SSH2_DISCONNECT_TOO_MANY_CONNECTIONS		12
-#define SSH2_DISCONNECT_AUTH_CANCELLED_BY_USER		13
-#define SSH2_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE	14
-#define SSH2_DISCONNECT_ILLEGAL_USER_NAME		15
-
-/* misc */
-
-#define SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED		1
-#define SSH2_OPEN_CONNECT_FAILED			2
-#define SSH2_OPEN_UNKNOWN_CHANNEL_TYPE			3
-#define SSH2_OPEN_RESOURCE_SHORTAGE			4
-
-#define SSH2_EXTENDED_DATA_STDERR			1
diff --git a/crypto/openssh/ssh_config b/crypto/openssh/ssh_config
deleted file mode 100644
index 177521c..0000000
--- a/crypto/openssh/ssh_config
+++ /dev/null
@@ -1,44 +0,0 @@
-#	$OpenBSD: ssh_config,v 1.22 2006/05/29 12:56:33 dtucker Exp $
-
-# This is the ssh client system-wide configuration file.  See
-# ssh_config(5) for more information.  This file provides defaults for
-# users, and the values can be changed in per-user configuration files
-# or on the command line.
-
-# Configuration data is parsed as follows:
-#  1. command line options
-#  2. user-specific file
-#  3. system-wide file
-# Any configuration value is only changed the first time it is set.
-# Thus, host-specific definitions should be at the beginning of the
-# configuration file, and defaults at the end.
-
-# Site-wide defaults for some commonly used options.  For a comprehensive
-# list of available options, their meanings and defaults, please see the
-# ssh_config(5) man page.
-
-# Host *
-#   ForwardAgent no
-#   ForwardX11 no
-#   RhostsRSAAuthentication no
-#   RSAAuthentication yes
-#   PasswordAuthentication yes
-#   HostbasedAuthentication no
-#   GSSAPIAuthentication no
-#   GSSAPIDelegateCredentials no
-#   BatchMode no
-#   CheckHostIP yes
-#   AddressFamily any
-#   ConnectTimeout 0
-#   StrictHostKeyChecking ask
-#   IdentityFile ~/.ssh/identity
-#   IdentityFile ~/.ssh/id_rsa
-#   IdentityFile ~/.ssh/id_dsa
-#   Port 22
-#   Protocol 2,1
-#   Cipher 3des
-#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
-#   EscapeChar ~
-#   Tunnel no
-#   TunnelDevice any:any
-#   PermitLocalCommand no
diff --git a/crypto/openssh/ssh_config.5 b/crypto/openssh/ssh_config.5
deleted file mode 100644
index 20c5893..0000000
--- a/crypto/openssh/ssh_config.5
+++ /dev/null
@@ -1,1105 +0,0 @@
-.\"  -*- nroff -*-
-.\"
-.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
-.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
-.\"                    All rights reserved
-.\"
-.\" As far as I am concerned, the code I have written for this software
-.\" can be used freely for any purpose.  Any derived versions of this
-.\" software must be clearly marked as such, and if the derived work is
-.\" incompatible with the protocol description in the RFC file, it must be
-.\" called by a name other than "ssh" or "Secure Shell".
-.\"
-.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
-.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
-.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in the
-.\"    documentation and/or other materials provided with the distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" $OpenBSD: ssh_config.5,v 1.97 2006/07/27 08:00:50 jmc Exp $
-.Dd September 25, 1999
-.Dt SSH_CONFIG 5
-.Os
-.Sh NAME
-.Nm ssh_config
-.Nd OpenSSH SSH client configuration files
-.Sh SYNOPSIS
-.Bl -tag -width Ds -compact
-.It Pa ~/.ssh/config
-.It Pa /etc/ssh/ssh_config
-.El
-.Sh DESCRIPTION
-.Xr ssh 1
-obtains configuration data from the following sources in
-the following order:
-.Pp
-.Bl -enum -offset indent -compact
-.It
-command-line options
-.It
-user's configuration file
-.Pq Pa ~/.ssh/config
-.It
-system-wide configuration file
-.Pq Pa /etc/ssh/ssh_config
-.El
-.Pp
-For each parameter, the first obtained value
-will be used.
-The configuration files contain sections separated by
-.Dq Host
-specifications, and that section is only applied for hosts that
-match one of the patterns given in the specification.
-The matched host name is the one given on the command line.
-.Pp
-Since the first obtained value for each parameter is used, more
-host-specific declarations should be given near the beginning of the
-file, and general defaults at the end.
-.Pp
-The configuration file has the following format:
-.Pp
-Empty lines and lines starting with
-.Ql #
-are comments.
-Otherwise a line is of the format
-.Dq keyword arguments .
-Configuration options may be separated by whitespace or
-optional whitespace and exactly one
-.Ql = ;
-the latter format is useful to avoid the need to quote whitespace
-when specifying configuration options using the
-.Nm ssh ,
-.Nm scp ,
-and
-.Nm sftp
-.Fl o
-option.
-Arguments may optionally be enclosed in double quotes
-.Pq \&"
-in order to represent arguments containing spaces.
-.Pp
-The possible
-keywords and their meanings are as follows (note that
-keywords are case-insensitive and arguments are case-sensitive):
-.Bl -tag -width Ds
-.It Cm Host
-Restricts the following declarations (up to the next
-.Cm Host
-keyword) to be only for those hosts that match one of the patterns
-given after the keyword.
-A single
-.Ql *
-as a pattern can be used to provide global
-defaults for all hosts.
-The host is the
-.Ar hostname
-argument given on the command line (i.e. the name is not converted to
-a canonicalized host name before matching).
-.Pp
-See
-.Sx PATTERNS
-for more information on patterns.
-.It Cm AddressFamily
-Specifies which address family to use when connecting.
-Valid arguments are
-.Dq any ,
-.Dq inet
-(use IPv4 only), or
-.Dq inet6
-(use IPv6 only).
-.It Cm BatchMode
-If set to
-.Dq yes ,
-passphrase/password querying will be disabled.
-This option is useful in scripts and other batch jobs where no user
-is present to supply the password.
-The argument must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq no .
-.It Cm BindAddress
-Use the specified address on the local machine as the source address of
-the connection.
-Only useful on systems with more than one address.
-Note that this option does not work if
-.Cm UsePrivilegedPort
-is set to
-.Dq yes .
-.It Cm ChallengeResponseAuthentication
-Specifies whether to use challenge-response authentication.
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq yes .
-.It Cm CheckHostIP
-If this flag is set to
-.Dq yes ,
-.Xr ssh 1
-will additionally check the host IP address in the
-.Pa known_hosts
-file.
-This allows ssh to detect if a host key changed due to DNS spoofing.
-If the option is set to
-.Dq no ,
-the check will not be executed.
-The default is
-.Dq yes .
-.It Cm Cipher
-Specifies the cipher to use for encrypting the session
-in protocol version 1.
-Currently,
-.Dq blowfish ,
-.Dq 3des ,
-and
-.Dq des
-are supported.
-.Ar des
-is only supported in the
-.Xr ssh 1
-client for interoperability with legacy protocol 1 implementations
-that do not support the
-.Ar 3des
-cipher.
-Its use is strongly discouraged due to cryptographic weaknesses.
-The default is
-.Dq 3des .
-.It Cm Ciphers
-Specifies the ciphers allowed for protocol version 2
-in order of preference.
-Multiple ciphers must be comma-separated.
-The supported ciphers are
-.Dq 3des-cbc ,
-.Dq aes128-cbc ,
-.Dq aes192-cbc ,
-.Dq aes256-cbc ,
-.Dq aes128-ctr ,
-.Dq aes192-ctr ,
-.Dq aes256-ctr ,
-.Dq arcfour128 ,
-.Dq arcfour256 ,
-.Dq arcfour ,
-.Dq blowfish-cbc ,
-and
-.Dq cast128-cbc .
-The default is:
-.Bd -literal -offset 3n
-aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
-arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
-aes192-ctr,aes256-ctr
-.Ed
-.It Cm ClearAllForwardings
-Specifies that all local, remote, and dynamic port forwardings
-specified in the configuration files or on the command line be
-cleared.
-This option is primarily useful when used from the
-.Xr ssh 1
-command line to clear port forwardings set in
-configuration files, and is automatically set by
-.Xr scp 1
-and
-.Xr sftp 1 .
-The argument must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq no .
-.It Cm Compression
-Specifies whether to use compression.
-The argument must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq no .
-.It Cm CompressionLevel
-Specifies the compression level to use if compression is enabled.
-The argument must be an integer from 1 (fast) to 9 (slow, best).
-The default level is 6, which is good for most applications.
-The meaning of the values is the same as in
-.Xr gzip 1 .
-Note that this option applies to protocol version 1 only.
-.It Cm ConnectionAttempts
-Specifies the number of tries (one per second) to make before exiting.
-The argument must be an integer.
-This may be useful in scripts if the connection sometimes fails.
-The default is 1.
-.It Cm ConnectTimeout
-Specifies the timeout (in seconds) used when connecting to the
-SSH server, instead of using the default system TCP timeout.
-This value is used only when the target is down or really unreachable,
-not when it refuses the connection.
-.It Cm ControlMaster
-Enables the sharing of multiple sessions over a single network connection.
-When set to
-.Dq yes ,
-.Xr ssh 1
-will listen for connections on a control socket specified using the
-.Cm ControlPath
-argument.
-Additional sessions can connect to this socket using the same
-.Cm ControlPath
-with
-.Cm ControlMaster
-set to
-.Dq no
-(the default).
-These sessions will try to reuse the master instance's network connection
-rather than initiating new ones, but will fall back to connecting normally
-if the control socket does not exist, or is not listening.
-.Pp
-Setting this to
-.Dq ask
-will cause ssh
-to listen for control connections, but require confirmation using the
-.Ev SSH_ASKPASS
-program before they are accepted (see
-.Xr ssh-add 1
-for details).
-If the
-.Cm ControlPath
-cannot be opened,
-ssh will continue without connecting to a master instance.
-.Pp
-X11 and
-.Xr ssh-agent 1
-forwarding is supported over these multiplexed connections, however the
-display and agent forwarded will be the one belonging to the master
-connection i.e. it is not possible to forward multiple displays or agents.
-.Pp
-Two additional options allow for opportunistic multiplexing: try to use a
-master connection but fall back to creating a new one if one does not already
-exist.
-These options are:
-.Dq auto
-and
-.Dq autoask .
-The latter requires confirmation like the
-.Dq ask
-option.
-.It Cm ControlPath
-Specify the path to the control socket used for connection sharing as described
-in the
-.Cm ControlMaster
-section above or the string
-.Dq none
-to disable connection sharing.
-In the path,
-.Ql %l
-will be substituted by the local host name,
-.Ql %h
-will be substituted by the target host name,
-.Ql %p
-the port, and
-.Ql %r
-by the remote login username.
-It is recommended that any
-.Cm ControlPath
-used for opportunistic connection sharing include
-at least %h, %p, and %r.
-This ensures that shared connections are uniquely identified.
-.It Cm DynamicForward
-Specifies that a TCP port on the local machine be forwarded
-over the secure channel, and the application
-protocol is then used to determine where to connect to from the
-remote machine.
-.Pp
-The argument must be
-.Sm off
-.Oo Ar bind_address : Oc Ar port .
-.Sm on
-IPv6 addresses can be specified by enclosing addresses in square brackets or
-by using an alternative syntax:
-.Oo Ar bind_address Ns / Oc Ns Ar port .
-By default, the local port is bound in accordance with the
-.Cm GatewayPorts
-setting.
-However, an explicit
-.Ar bind_address
-may be used to bind the connection to a specific address.
-The
-.Ar bind_address
-of
-.Dq localhost
-indicates that the listening port be bound for local use only, while an
-empty address or
-.Sq *
-indicates that the port should be available from all interfaces.
-.Pp
-Currently the SOCKS4 and SOCKS5 protocols are supported, and
-.Xr ssh 1
-will act as a SOCKS server.
-Multiple forwardings may be specified, and
-additional forwardings can be given on the command line.
-Only the superuser can forward privileged ports.
-.It Cm EnableSSHKeysign
-Setting this option to
-.Dq yes
-in the global client configuration file
-.Pa /etc/ssh/ssh_config
-enables the use of the helper program
-.Xr ssh-keysign 8
-during
-.Cm HostbasedAuthentication .
-The argument must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq no .
-This option should be placed in the non-hostspecific section.
-See
-.Xr ssh-keysign 8
-for more information.
-.It Cm EscapeChar
-Sets the escape character (default:
-.Ql ~ ) .
-The escape character can also
-be set on the command line.
-The argument should be a single character,
-.Ql ^
-followed by a letter, or
-.Dq none
-to disable the escape
-character entirely (making the connection transparent for binary
-data).
-.It Cm ExitOnForwardFailure
-Specifies whether
-.Xr ssh 1
-should terminate the connection if it cannot set up all requested
-dynamic, local, and remote port forwardings.
-The argument must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq no .
-.It Cm ForwardAgent
-Specifies whether the connection to the authentication agent (if any)
-will be forwarded to the remote machine.
-The argument must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq no .
-.Pp
-Agent forwarding should be enabled with caution.
-Users with the ability to bypass file permissions on the remote host
-(for the agent's Unix-domain socket)
-can access the local agent through the forwarded connection.
-An attacker cannot obtain key material from the agent,
-however they can perform operations on the keys that enable them to
-authenticate using the identities loaded into the agent.
-.It Cm ForwardX11
-Specifies whether X11 connections will be automatically redirected
-over the secure channel and
-.Ev DISPLAY
-set.
-The argument must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq no .
-.Pp
-X11 forwarding should be enabled with caution.
-Users with the ability to bypass file permissions on the remote host
-(for the user's X11 authorization database)
-can access the local X11 display through the forwarded connection.
-An attacker may then be able to perform activities such as keystroke monitoring
-if the
-.Cm ForwardX11Trusted
-option is also enabled.
-.It Cm ForwardX11Trusted
-If this option is set to
-.Dq yes ,
-remote X11 clients will have full access to the original X11 display.
-.Pp
-If this option is set to
-.Dq no ,
-remote X11 clients will be considered untrusted and prevented
-from stealing or tampering with data belonging to trusted X11
-clients.
-Furthermore, the
-.Xr xauth 1
-token used for the session will be set to expire after 20 minutes.
-Remote clients will be refused access after this time.
-.Pp
-The default is
-.Dq no .
-.Pp
-See the X11 SECURITY extension specification for full details on
-the restrictions imposed on untrusted clients.
-.It Cm GatewayPorts
-Specifies whether remote hosts are allowed to connect to local
-forwarded ports.
-By default,
-.Xr ssh 1
-binds local port forwardings to the loopback address.
-This prevents other remote hosts from connecting to forwarded ports.
-.Cm GatewayPorts
-can be used to specify that ssh
-should bind local port forwardings to the wildcard address,
-thus allowing remote hosts to connect to forwarded ports.
-The argument must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq no .
-.It Cm GlobalKnownHostsFile
-Specifies a file to use for the global
-host key database instead of
-.Pa /etc/ssh/ssh_known_hosts .
-.It Cm GSSAPIAuthentication
-Specifies whether user authentication based on GSSAPI is allowed.
-The default is
-.Dq no .
-Note that this option applies to protocol version 2 only.
-.It Cm GSSAPIDelegateCredentials
-Forward (delegate) credentials to the server.
-The default is
-.Dq no .
-Note that this option applies to protocol version 2 only.
-.It Cm HashKnownHosts
-Indicates that
-.Xr ssh 1
-should hash host names and addresses when they are added to
-.Pa ~/.ssh/known_hosts .
-These hashed names may be used normally by
-.Xr ssh 1
-and
-.Xr sshd 8 ,
-but they do not reveal identifying information should the file's contents
-be disclosed.
-The default is
-.Dq no .
-Note that existing names and addresses in known hosts files
-will not be converted automatically,
-but may be manually hashed using
-.Xr ssh-keygen 1 .
-.It Cm HostbasedAuthentication
-Specifies whether to try rhosts based authentication with public key
-authentication.
-The argument must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq no .
-This option applies to protocol version 2 only and
-is similar to
-.Cm RhostsRSAAuthentication .
-.It Cm HostKeyAlgorithms
-Specifies the protocol version 2 host key algorithms
-that the client wants to use in order of preference.
-The default for this option is:
-.Dq ssh-rsa,ssh-dss .
-.It Cm HostKeyAlias
-Specifies an alias that should be used instead of the
-real host name when looking up or saving the host key
-in the host key database files.
-This option is useful for tunneling SSH connections
-or for multiple servers running on a single host.
-.It Cm HostName
-Specifies the real host name to log into.
-This can be used to specify nicknames or abbreviations for hosts.
-The default is the name given on the command line.
-Numeric IP addresses are also permitted (both on the command line and in
-.Cm HostName
-specifications).
-.It Cm IdentitiesOnly
-Specifies that
-.Xr ssh 1
-should only use the authentication identity files configured in the
-.Nm
-files,
-even if
-.Xr ssh-agent 1
-offers more identities.
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
-This option is intended for situations where ssh-agent
-offers many different identities.
-The default is
-.Dq no .
-.It Cm IdentityFile
-Specifies a file from which the user's RSA or DSA authentication identity
-is read.
-The default is
-.Pa ~/.ssh/identity
-for protocol version 1, and
-.Pa ~/.ssh/id_rsa
-and
-.Pa ~/.ssh/id_dsa
-for protocol version 2.
-Additionally, any identities represented by the authentication agent
-will be used for authentication.
-.Pp
-The file name may use the tilde
-syntax to refer to a user's home directory or one of the following
-escape characters:
-.Ql %d
-(local user's home directory),
-.Ql %u
-(local user name),
-.Ql %l
-(local host name),
-.Ql %h
-(remote host name) or
-.Ql %r
-(remote user name).
-.Pp
-It is possible to have
-multiple identity files specified in configuration files; all these
-identities will be tried in sequence.
-.It Cm KbdInteractiveDevices
-Specifies the list of methods to use in keyboard-interactive authentication.
-Multiple method names must be comma-separated.
-The default is to use the server specified list.
-The methods available vary depending on what the server supports.
-For an OpenSSH server,
-it may be zero or more of:
-.Dq bsdauth ,
-.Dq pam ,
-and
-.Dq skey .
-.It Cm LocalCommand
-Specifies a command to execute on the local machine after successfully
-connecting to the server.
-The command string extends to the end of the line, and is executed with
-.Pa /bin/sh .
-This directive is ignored unless
-.Cm PermitLocalCommand
-has been enabled.
-.It Cm LocalForward
-Specifies that a TCP port on the local machine be forwarded over
-the secure channel to the specified host and port from the remote machine.
-The first argument must be
-.Sm off
-.Oo Ar bind_address : Oc Ar port
-.Sm on
-and the second argument must be
-.Ar host : Ns Ar hostport .
-IPv6 addresses can be specified by enclosing addresses in square brackets or
-by using an alternative syntax:
-.Oo Ar bind_address Ns / Oc Ns Ar port
-and
-.Ar host Ns / Ns Ar hostport .
-Multiple forwardings may be specified, and additional forwardings can be
-given on the command line.
-Only the superuser can forward privileged ports.
-By default, the local port is bound in accordance with the
-.Cm GatewayPorts
-setting.
-However, an explicit
-.Ar bind_address
-may be used to bind the connection to a specific address.
-The
-.Ar bind_address
-of
-.Dq localhost
-indicates that the listening port be bound for local use only, while an
-empty address or
-.Sq *
-indicates that the port should be available from all interfaces.
-.It Cm LogLevel
-Gives the verbosity level that is used when logging messages from
-.Xr ssh 1 .
-The possible values are:
-QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
-The default is INFO.
-DEBUG and DEBUG1 are equivalent.
-DEBUG2 and DEBUG3 each specify higher levels of verbose output.
-.It Cm MACs
-Specifies the MAC (message authentication code) algorithms
-in order of preference.
-The MAC algorithm is used in protocol version 2
-for data integrity protection.
-Multiple algorithms must be comma-separated.
-The default is:
-.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
-.It Cm NoHostAuthenticationForLocalhost
-This option can be used if the home directory is shared across machines.
-In this case localhost will refer to a different machine on each of
-the machines and the user will get many warnings about changed host keys.
-However, this option disables host authentication for localhost.
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
-The default is to check the host key for localhost.
-.It Cm NumberOfPasswordPrompts
-Specifies the number of password prompts before giving up.
-The argument to this keyword must be an integer.
-The default is 3.
-.It Cm PasswordAuthentication
-Specifies whether to use password authentication.
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq yes .
-.It Cm PermitLocalCommand
-Allow local command execution via the
-.Ic LocalCommand
-option or using the
-.Ic !\& Ns Ar command
-escape sequence in
-.Xr ssh 1 .
-The argument must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq no .
-.It Cm Port
-Specifies the port number to connect on the remote host.
-The default is 22.
-.It Cm PreferredAuthentications
-Specifies the order in which the client should try protocol 2
-authentication methods.
-This allows a client to prefer one method (e.g.\&
-.Cm keyboard-interactive )
-over another method (e.g.\&
-.Cm password )
-The default for this option is:
-.Do gssapi-with-mic ,
-hostbased,
-publickey,
-keyboard-interactive,
-password
-.Dc .
-.It Cm Protocol
-Specifies the protocol versions
-.Xr ssh 1
-should support in order of preference.
-The possible values are
-.Sq 1
-and
-.Sq 2 .
-Multiple versions must be comma-separated.
-The default is
-.Dq 2,1 .
-This means that ssh
-tries version 2 and falls back to version 1
-if version 2 is not available.
-.It Cm ProxyCommand
-Specifies the command to use to connect to the server.
-The command
-string extends to the end of the line, and is executed with
-.Pa /bin/sh .
-In the command string,
-.Ql %h
-will be substituted by the host name to
-connect and
-.Ql %p
-by the port.
-The command can be basically anything,
-and should read from its standard input and write to its standard output.
-It should eventually connect an
-.Xr sshd 8
-server running on some machine, or execute
-.Ic sshd -i
-somewhere.
-Host key management will be done using the
-HostName of the host being connected (defaulting to the name typed by
-the user).
-Setting the command to
-.Dq none
-disables this option entirely.
-Note that
-.Cm CheckHostIP
-is not available for connects with a proxy command.
-.Pp
-This directive is useful in conjunction with
-.Xr nc 1
-and its proxy support.
-For example, the following directive would connect via an HTTP proxy at
-192.0.2.0:
-.Bd -literal -offset 3n
-ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
-.Ed
-.It Cm PubkeyAuthentication
-Specifies whether to try public key authentication.
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq yes .
-This option applies to protocol version 2 only.
-.It Cm RekeyLimit
-Specifies the maximum amount of data that may be transmitted before the
-session key is renegotiated.
-The argument is the number of bytes, with an optional suffix of
-.Sq K ,
-.Sq M ,
-or
-.Sq G
-to indicate Kilobytes, Megabytes, or Gigabytes, respectively.
-The default is between
-.Sq 1G
-and
-.Sq 4G ,
-depending on the cipher.
-This option applies to protocol version 2 only.
-.It Cm RemoteForward
-Specifies that a TCP port on the remote machine be forwarded over
-the secure channel to the specified host and port from the local machine.
-The first argument must be
-.Sm off
-.Oo Ar bind_address : Oc Ar port
-.Sm on
-and the second argument must be
-.Ar host : Ns Ar hostport .
-IPv6 addresses can be specified by enclosing addresses in square brackets
-or by using an alternative syntax:
-.Oo Ar bind_address Ns / Oc Ns Ar port
-and
-.Ar host Ns / Ns Ar hostport .
-Multiple forwardings may be specified, and additional
-forwardings can be given on the command line.
-Only the superuser can forward privileged ports.
-.Pp
-If the
-.Ar bind_address
-is not specified, the default is to only bind to loopback addresses.
-If the
-.Ar bind_address
-is
-.Ql *
-or an empty string, then the forwarding is requested to listen on all
-interfaces.
-Specifying a remote
-.Ar bind_address
-will only succeed if the server's
-.Cm GatewayPorts
-option is enabled (see
-.Xr sshd_config 5 ) .
-.It Cm RhostsRSAAuthentication
-Specifies whether to try rhosts based authentication with RSA host
-authentication.
-The argument must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq no .
-This option applies to protocol version 1 only and requires
-.Xr ssh 1
-to be setuid root.
-.It Cm RSAAuthentication
-Specifies whether to try RSA authentication.
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
-RSA authentication will only be
-attempted if the identity file exists, or an authentication agent is
-running.
-The default is
-.Dq yes .
-Note that this option applies to protocol version 1 only.
-.It Cm SendEnv
-Specifies what variables from the local
-.Xr environ 7
-should be sent to the server.
-Note that environment passing is only supported for protocol 2.
-The server must also support it, and the server must be configured to
-accept these environment variables.
-Refer to
-.Cm AcceptEnv
-in
-.Xr sshd_config 5
-for how to configure the server.
-Variables are specified by name, which may contain wildcard characters.
-Multiple environment variables may be separated by whitespace or spread
-across multiple
-.Cm SendEnv
-directives.
-The default is not to send any environment variables.
-.Pp
-See
-.Sx PATTERNS
-for more information on patterns.
-.It Cm ServerAliveCountMax
-Sets the number of server alive messages (see below) which may be
-sent without
-.Xr ssh 1
-receiving any messages back from the server.
-If this threshold is reached while server alive messages are being sent,
-ssh will disconnect from the server, terminating the session.
-It is important to note that the use of server alive messages is very
-different from
-.Cm TCPKeepAlive
-(below).
-The server alive messages are sent through the encrypted channel
-and therefore will not be spoofable.
-The TCP keepalive option enabled by
-.Cm TCPKeepAlive
-is spoofable.
-The server alive mechanism is valuable when the client or
-server depend on knowing when a connection has become inactive.
-.Pp
-The default value is 3.
-If, for example,
-.Cm ServerAliveInterval
-(see below) is set to 15 and
-.Cm ServerAliveCountMax
-is left at the default, if the server becomes unresponsive,
-ssh will disconnect after approximately 45 seconds.
-This option applies to protocol version 2 only.
-.It Cm ServerAliveInterval
-Sets a timeout interval in seconds after which if no data has been received
-from the server,
-.Xr ssh 1
-will send a message through the encrypted
-channel to request a response from the server.
-The default
-is 0, indicating that these messages will not be sent to the server.
-This option applies to protocol version 2 only.
-.It Cm SmartcardDevice
-Specifies which smartcard device to use.
-The argument to this keyword is the device
-.Xr ssh 1
-should use to communicate with a smartcard used for storing the user's
-private RSA key.
-By default, no device is specified and smartcard support is not activated.
-.It Cm StrictHostKeyChecking
-If this flag is set to
-.Dq yes ,
-.Xr ssh 1
-will never automatically add host keys to the
-.Pa ~/.ssh/known_hosts
-file, and refuses to connect to hosts whose host key has changed.
-This provides maximum protection against trojan horse attacks,
-though it can be annoying when the
-.Pa /etc/ssh/ssh_known_hosts
-file is poorly maintained or when connections to new hosts are
-frequently made.
-This option forces the user to manually
-add all new hosts.
-If this flag is set to
-.Dq no ,
-ssh will automatically add new host keys to the
-user known hosts files.
-If this flag is set to
-.Dq ask ,
-new host keys
-will be added to the user known host files only after the user
-has confirmed that is what they really want to do, and
-ssh will refuse to connect to hosts whose host key has changed.
-The host keys of
-known hosts will be verified automatically in all cases.
-The argument must be
-.Dq yes ,
-.Dq no ,
-or
-.Dq ask .
-The default is
-.Dq ask .
-.It Cm TCPKeepAlive
-Specifies whether the system should send TCP keepalive messages to the
-other side.
-If they are sent, death of the connection or crash of one
-of the machines will be properly noticed.
-However, this means that
-connections will die if the route is down temporarily, and some people
-find it annoying.
-.Pp
-The default is
-.Dq yes
-(to send TCP keepalive messages), and the client will notice
-if the network goes down or the remote host dies.
-This is important in scripts, and many users want it too.
-.Pp
-To disable TCP keepalive messages, the value should be set to
-.Dq no .
-.It Cm Tunnel
-Request
-.Xr tun 4
-device forwarding between the client and the server.
-The argument must be
-.Dq yes ,
-.Dq point-to-point
-(layer 3),
-.Dq ethernet
-(layer 2),
-or
-.Dq no .
-Specifying
-.Dq yes
-requests the default tunnel mode, which is
-.Dq point-to-point .
-The default is
-.Dq no .
-.It Cm TunnelDevice
-Specifies the
-.Xr tun 4
-devices to open on the client
-.Pq Ar local_tun
-and the server
-.Pq Ar remote_tun .
-.Pp
-The argument must be
-.Sm off
-.Ar local_tun Op : Ar remote_tun .
-.Sm on
-The devices may be specified by numerical ID or the keyword
-.Dq any ,
-which uses the next available tunnel device.
-If
-.Ar remote_tun
-is not specified, it defaults to
-.Dq any .
-The default is
-.Dq any:any .
-.It Cm UsePrivilegedPort
-Specifies whether to use a privileged port for outgoing connections.
-The argument must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq no .
-If set to
-.Dq yes ,
-.Xr ssh 1
-must be setuid root.
-Note that this option must be set to
-.Dq yes
-for
-.Cm RhostsRSAAuthentication
-with older servers.
-.It Cm User
-Specifies the user to log in as.
-This can be useful when a different user name is used on different machines.
-This saves the trouble of
-having to remember to give the user name on the command line.
-.It Cm UserKnownHostsFile
-Specifies a file to use for the user
-host key database instead of
-.Pa ~/.ssh/known_hosts .
-.It Cm VerifyHostKeyDNS
-Specifies whether to verify the remote key using DNS and SSHFP resource
-records.
-If this option is set to
-.Dq yes ,
-the client will implicitly trust keys that match a secure fingerprint
-from DNS.
-Insecure fingerprints will be handled as if this option was set to
-.Dq ask .
-If this option is set to
-.Dq ask ,
-information on fingerprint match will be displayed, but the user will still
-need to confirm new host keys according to the
-.Cm StrictHostKeyChecking
-option.
-The argument must be
-.Dq yes ,
-.Dq no ,
-or
-.Dq ask .
-The default is
-.Dq no .
-Note that this option applies to protocol version 2 only.
-.Pp
-See also
-.Sx VERIFYING HOST KEYS
-in
-.Xr ssh 1 .
-.It Cm XAuthLocation
-Specifies the full pathname of the
-.Xr xauth 1
-program.
-The default is
-.Pa /usr/X11R6/bin/xauth .
-.El
-.Sh PATTERNS
-A
-.Em pattern
-consists of zero or more non-whitespace characters,
-.Sq *
-(a wildcard that matches zero or more characters),
-or
-.Sq ?\&
-(a wildcard that matches exactly one character).
-For example, to specify a set of declarations for any host in the
-.Dq .co.uk
-set of domains,
-the following pattern could be used:
-.Pp
-.Dl Host *.co.uk
-.Pp
-The following pattern
-would match any host in the 192.168.0.[0-9] network range:
-.Pp
-.Dl Host 192.168.0.?
-.Pp
-A
-.Em pattern-list
-is a comma-separated list of patterns.
-Patterns within pattern-lists may be negated
-by preceding them with an exclamation mark
-.Pq Sq !\& .
-For example,
-to allow a key to be used from anywhere within an organisation
-except from the
-.Dq dialup
-pool,
-the following entry (in authorized_keys) could be used:
-.Pp
-.Dl from=\&"!*.dialup.example.com,*.example.com\&"
-.Sh FILES
-.Bl -tag -width Ds
-.It Pa ~/.ssh/config
-This is the per-user configuration file.
-The format of this file is described above.
-This file is used by the SSH client.
-Because of the potential for abuse, this file must have strict permissions:
-read/write for the user, and not accessible by others.
-.It Pa /etc/ssh/ssh_config
-Systemwide configuration file.
-This file provides defaults for those
-values that are not specified in the user's configuration file, and
-for those users who do not have a configuration file.
-This file must be world-readable.
-.El
-.Sh SEE ALSO
-.Xr ssh 1
-.Sh AUTHORS
-OpenSSH is a derivative of the original and free
-ssh 1.2.12 release by Tatu Ylonen.
-Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
-Theo de Raadt and Dug Song
-removed many bugs, re-added newer features and
-created OpenSSH.
-Markus Friedl contributed the support for SSH
-protocol versions 1.5 and 2.0.
diff --git a/crypto/openssh/ssh_prng_cmds.in b/crypto/openssh/ssh_prng_cmds.in
deleted file mode 100644
index 0d29d49..0000000
--- a/crypto/openssh/ssh_prng_cmds.in
+++ /dev/null
@@ -1,75 +0,0 @@
-# entropy gathering commands
-
-# Format is: "program-name args" path rate
-
-# The "rate" represents the number of bits of usuable entropy per
-# byte of command output. Be conservative.
-#
-# $Id: ssh_prng_cmds.in,v 1.9 2003/11/21 12:48:56 djm Exp $
-
-"ls -alni /var/log"			@PROG_LS@	0.02
-"ls -alni /var/adm"			@PROG_LS@	0.02
-"ls -alni /usr/adm"                     @PROG_LS@       0.02
-"ls -alni /var/mail"			@PROG_LS@	0.02
-"ls -alni /usr/mail"                    @PROG_LS@       0.02
-"ls -alni /var/adm/syslog"		@PROG_LS@	0.02
-"ls -alni /usr/adm/syslog"		@PROG_LS@	0.02
-"ls -alni /var/spool/mail"		@PROG_LS@	0.02
-"ls -alni /proc"			@PROG_LS@	0.02
-"ls -alni /tmp"				@PROG_LS@	0.02
-"ls -alni /var/tmp"			@PROG_LS@	0.02
-"ls -alni /usr/tmp"			@PROG_LS@	0.02
-"ls -alTi /var/log"			@PROG_LS@	0.02
-"ls -alTi /var/adm"			@PROG_LS@	0.02
-"ls -alTi /var/mail"			@PROG_LS@	0.02
-"ls -alTi /var/adm/syslog"		@PROG_LS@	0.02
-"ls -alTi /var/spool/mail"		@PROG_LS@	0.02
-"ls -alTi /proc"			@PROG_LS@	0.02
-"ls -alTi /tmp"				@PROG_LS@	0.02
-"ls -alTi /var/tmp"			@PROG_LS@	0.02
-"ls -alTi /usr/tmp"			@PROG_LS@	0.02
-
-"netstat -an"				@PROG_NETSTAT@	0.05
-"netstat -in"				@PROG_NETSTAT@	0.05
-"netstat -rn"				@PROG_NETSTAT@	0.02
-"netstat -pn"				@PROG_NETSTAT@	0.02
-"netstat -ia"                           @PROG_NETSTAT@  0.05
-"netstat -s"				@PROG_NETSTAT@	0.02
-"netstat -is"				@PROG_NETSTAT@	0.07
-
-"arp -n -a"				@PROG_ARP@	0.02
-
-"ifconfig -a"				@PROG_IFCONFIG@	0.02
-
-"ps laxww"				@PROG_PS@	0.03
-"ps -al"				@PROG_PS@	0.03
-"ps -efl"				@PROG_PS@	0.03
-"jstat"				        @PROG_JSTAT@    0.07
-
-"w"					@PROG_W@	0.05
-
-"who -i"				@PROG_WHO@	0.01
-
-"last"					@PROG_LAST@	0.01
-
-"lastlog"				@PROG_LASTLOG@	0.01
-
-"df"					@PROG_DF@	0.01
-"df -i"					@PROG_DF@	0.01
-
-"sar -d"				@PROG_SAR@	0.04
-
-"vmstat"				@PROG_VMSTAT@	0.01
-"uptime"				@PROG_UPTIME@	0.01
-
-"ipcs -a"				@PROG_IPCS@	0.01
-
-"tail -200 /var/log/messages"		@PROG_TAIL@	0.01
-"tail -200 /var/log/syslog"		@PROG_TAIL@	0.01
-"tail -200 /var/adm/messages"		@PROG_TAIL@	0.01
-"tail -200 /var/adm/syslog"		@PROG_TAIL@	0.01
-"tail -200 /var/adm/syslog/syslog.log"	@PROG_TAIL@	0.01
-"tail -200 /var/log/maillog"		@PROG_TAIL@	0.01
-"tail -200 /var/adm/maillog"		@PROG_TAIL@	0.01
-"tail -200 /var/adm/syslog/mail.log"	@PROG_TAIL@	0.01
-
diff --git a/crypto/openssh/sshconnect.c b/crypto/openssh/sshconnect.c
deleted file mode 100644
index a222233..0000000
--- a/crypto/openssh/sshconnect.c
+++ /dev/null
@@ -1,1106 +0,0 @@
-/* $OpenBSD: sshconnect.c,v 1.200 2006/10/10 10:12:45 markus Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Code to connect to a remote host, and to perform the client side of the
- * login (authentication) dialog.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/wait.h>
-#include <sys/stat.h>
-#include <sys/socket.h>
-#ifdef HAVE_SYS_TIME_H
-# include <sys/time.h>
-#endif
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <netdb.h>
-#ifdef HAVE_PATHS_H
-#include <paths.h>
-#endif
-#include <pwd.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "xmalloc.h"
-#include "key.h"
-#include "hostfile.h"
-#include "ssh.h"
-#include "rsa.h"
-#include "buffer.h"
-#include "packet.h"
-#include "uidswap.h"
-#include "compat.h"
-#include "key.h"
-#include "sshconnect.h"
-#include "hostfile.h"
-#include "log.h"
-#include "readconf.h"
-#include "atomicio.h"
-#include "misc.h"
-#include "dns.h"
-#include "version.h"
-
-char *client_version_string = NULL;
-char *server_version_string = NULL;
-
-static int matching_host_key_dns = 0;
-
-/* import */
-extern Options options;
-extern char *__progname;
-extern uid_t original_real_uid;
-extern uid_t original_effective_uid;
-extern pid_t proxy_command_pid;
-
-#ifndef INET6_ADDRSTRLEN		/* for non IPv6 machines */
-#define INET6_ADDRSTRLEN 46
-#endif
-
-static int show_other_keys(const char *, Key *);
-static void warn_changed_key(Key *);
-
-/*
- * Connect to the given ssh server using a proxy command.
- */
-static int
-ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
-{
-	char *command_string, *tmp;
-	int pin[2], pout[2];
-	pid_t pid;
-	char strport[NI_MAXSERV];
-
-	/* Convert the port number into a string. */
-	snprintf(strport, sizeof strport, "%hu", port);
-
-	/*
-	 * Build the final command string in the buffer by making the
-	 * appropriate substitutions to the given proxy command.
-	 *
-	 * Use "exec" to avoid "sh -c" processes on some platforms
-	 * (e.g. Solaris)
-	 */
-	xasprintf(&tmp, "exec %s", proxy_command);
-	command_string = percent_expand(tmp, "h", host,
-	    "p", strport, (char *)NULL);
-	xfree(tmp);
-
-	/* Create pipes for communicating with the proxy. */
-	if (pipe(pin) < 0 || pipe(pout) < 0)
-		fatal("Could not create pipes to communicate with the proxy: %.100s",
-		    strerror(errno));
-
-	debug("Executing proxy command: %.500s", command_string);
-
-	/* Fork and execute the proxy command. */
-	if ((pid = fork()) == 0) {
-		char *argv[10];
-
-		/* Child.  Permanently give up superuser privileges. */
-		permanently_drop_suid(original_real_uid);
-
-		/* Redirect stdin and stdout. */
-		close(pin[1]);
-		if (pin[0] != 0) {
-			if (dup2(pin[0], 0) < 0)
-				perror("dup2 stdin");
-			close(pin[0]);
-		}
-		close(pout[0]);
-		if (dup2(pout[1], 1) < 0)
-			perror("dup2 stdout");
-		/* Cannot be 1 because pin allocated two descriptors. */
-		close(pout[1]);
-
-		/* Stderr is left as it is so that error messages get
-		   printed on the user's terminal. */
-		argv[0] = _PATH_BSHELL;
-		argv[1] = "-c";
-		argv[2] = command_string;
-		argv[3] = NULL;
-
-		/* Execute the proxy command.  Note that we gave up any
-		   extra privileges above. */
-		execv(argv[0], argv);
-		perror(argv[0]);
-		exit(1);
-	}
-	/* Parent. */
-	if (pid < 0)
-		fatal("fork failed: %.100s", strerror(errno));
-	else
-		proxy_command_pid = pid; /* save pid to clean up later */
-
-	/* Close child side of the descriptors. */
-	close(pin[0]);
-	close(pout[1]);
-
-	/* Free the command name. */
-	xfree(command_string);
-
-	/* Set the connection file descriptors. */
-	packet_set_connection(pout[0], pin[1]);
-
-	/* Indicate OK return */
-	return 0;
-}
-
-/*
- * Creates a (possibly privileged) socket for use as the ssh connection.
- */
-static int
-ssh_create_socket(int privileged, struct addrinfo *ai)
-{
-	int sock, gaierr;
-	struct addrinfo hints, *res;
-
-	/*
-	 * If we are running as root and want to connect to a privileged
-	 * port, bind our own socket to a privileged port.
-	 */
-	if (privileged) {
-		int p = IPPORT_RESERVED - 1;
-		PRIV_START;
-		sock = rresvport_af(&p, ai->ai_family);
-		PRIV_END;
-		if (sock < 0)
-			error("rresvport: af=%d %.100s", ai->ai_family,
-			    strerror(errno));
-		else
-			debug("Allocated local port %d.", p);
-		return sock;
-	}
-	sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
-	if (sock < 0)
-		error("socket: %.100s", strerror(errno));
-
-	/* Bind the socket to an alternative local IP address */
-	if (options.bind_address == NULL)
-		return sock;
-
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_family = ai->ai_family;
-	hints.ai_socktype = ai->ai_socktype;
-	hints.ai_protocol = ai->ai_protocol;
-	hints.ai_flags = AI_PASSIVE;
-	gaierr = getaddrinfo(options.bind_address, "0", &hints, &res);
-	if (gaierr) {
-		error("getaddrinfo: %s: %s", options.bind_address,
-		    gai_strerror(gaierr));
-		close(sock);
-		return -1;
-	}
-	if (bind(sock, res->ai_addr, res->ai_addrlen) < 0) {
-		error("bind: %s: %s", options.bind_address, strerror(errno));
-		close(sock);
-		freeaddrinfo(res);
-		return -1;
-	}
-	freeaddrinfo(res);
-	return sock;
-}
-
-static int
-timeout_connect(int sockfd, const struct sockaddr *serv_addr,
-    socklen_t addrlen, int timeout)
-{
-	fd_set *fdset;
-	struct timeval tv;
-	socklen_t optlen;
-	int optval, rc, result = -1;
-
-	if (timeout <= 0)
-		return (connect(sockfd, serv_addr, addrlen));
-
-	set_nonblock(sockfd);
-	rc = connect(sockfd, serv_addr, addrlen);
-	if (rc == 0) {
-		unset_nonblock(sockfd);
-		return (0);
-	}
-	if (errno != EINPROGRESS)
-		return (-1);
-
-	fdset = (fd_set *)xcalloc(howmany(sockfd + 1, NFDBITS),
-	    sizeof(fd_mask));
-	FD_SET(sockfd, fdset);
-	tv.tv_sec = timeout;
-	tv.tv_usec = 0;
-
-	for (;;) {
-		rc = select(sockfd + 1, NULL, fdset, NULL, &tv);
-		if (rc != -1 || errno != EINTR)
-			break;
-	}
-
-	switch (rc) {
-	case 0:
-		/* Timed out */
-		errno = ETIMEDOUT;
-		break;
-	case -1:
-		/* Select error */
-		debug("select: %s", strerror(errno));
-		break;
-	case 1:
-		/* Completed or failed */
-		optval = 0;
-		optlen = sizeof(optval);
-		if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval,
-		    &optlen) == -1) {
-			debug("getsockopt: %s", strerror(errno));
-			break;
-		}
-		if (optval != 0) {
-			errno = optval;
-			break;
-		}
-		result = 0;
-		unset_nonblock(sockfd);
-		break;
-	default:
-		/* Should not occur */
-		fatal("Bogus return (%d) from select()", rc);
-	}
-
-	xfree(fdset);
-	return (result);
-}
-
-/*
- * Opens a TCP/IP connection to the remote server on the given host.
- * The address of the remote host will be returned in hostaddr.
- * If port is 0, the default port will be used.  If needpriv is true,
- * a privileged port will be allocated to make the connection.
- * This requires super-user privileges if needpriv is true.
- * Connection_attempts specifies the maximum number of tries (one per
- * second).  If proxy_command is non-NULL, it specifies the command (with %h
- * and %p substituted for host and port, respectively) to use to contact
- * the daemon.
- */
-int
-ssh_connect(const char *host, struct sockaddr_storage * hostaddr,
-    u_short port, int family, int connection_attempts,
-    int needpriv, const char *proxy_command)
-{
-	int gaierr;
-	int on = 1;
-	int sock = -1, attempt;
-	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
-	struct addrinfo hints, *ai, *aitop;
-
-	debug2("ssh_connect: needpriv %d", needpriv);
-
-	/* If a proxy command is given, connect using it. */
-	if (proxy_command != NULL)
-		return ssh_proxy_connect(host, port, proxy_command);
-
-	/* No proxy command. */
-
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_family = family;
-	hints.ai_socktype = SOCK_STREAM;
-	snprintf(strport, sizeof strport, "%u", port);
-	if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
-		fatal("%s: %.100s: %s", __progname, host,
-		    gai_strerror(gaierr));
-
-	for (attempt = 0; attempt < connection_attempts; attempt++) {
-		if (attempt > 0) {
-			/* Sleep a moment before retrying. */
-			sleep(1);
-			debug("Trying again...");
-		}
-		/*
-		 * Loop through addresses for this host, and try each one in
-		 * sequence until the connection succeeds.
-		 */
-		for (ai = aitop; ai; ai = ai->ai_next) {
-			if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-				continue;
-			if (getnameinfo(ai->ai_addr, ai->ai_addrlen,
-			    ntop, sizeof(ntop), strport, sizeof(strport),
-			    NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
-				error("ssh_connect: getnameinfo failed");
-				continue;
-			}
-			debug("Connecting to %.200s [%.100s] port %s.",
-				host, ntop, strport);
-
-			/* Create a socket for connecting. */
-			sock = ssh_create_socket(needpriv, ai);
-			if (sock < 0)
-				/* Any error is already output */
-				continue;
-
-			if (timeout_connect(sock, ai->ai_addr, ai->ai_addrlen,
-			    options.connection_timeout) >= 0) {
-				/* Successful connection. */
-				memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen);
-				break;
-			} else {
-				debug("connect to address %s port %s: %s",
-				    ntop, strport, strerror(errno));
-				close(sock);
-				sock = -1;
-			}
-		}
-		if (sock != -1)
-			break;	/* Successful connection. */
-	}
-
-	freeaddrinfo(aitop);
-
-	/* Return failure if we didn't get a successful connection. */
-	if (sock == -1) {
-		error("ssh: connect to host %s port %s: %s",
-		    host, strport, strerror(errno));
-		return (-1);
-	}
-
-	debug("Connection established.");
-
-	/* Set SO_KEEPALIVE if requested. */
-	if (options.tcp_keep_alive &&
-	    setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&on,
-	    sizeof(on)) < 0)
-		error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
-
-	/* Set the connection. */
-	packet_set_connection(sock, sock);
-
-	return 0;
-}
-
-/*
- * Waits for the server identification string, and sends our own
- * identification string.
- */
-static void
-ssh_exchange_identification(void)
-{
-	char buf[256], remote_version[256];	/* must be same size! */
-	int remote_major, remote_minor, mismatch;
-	int connection_in = packet_get_connection_in();
-	int connection_out = packet_get_connection_out();
-	int minor1 = PROTOCOL_MINOR_1;
-	u_int i, n;
-
-	/* Read other side's version identification. */
-	for (n = 0;;) {
-		for (i = 0; i < sizeof(buf) - 1; i++) {
-			size_t len = atomicio(read, connection_in, &buf[i], 1);
-
-			if (len != 1 && errno == EPIPE)
-				fatal("ssh_exchange_identification: Connection closed by remote host");
-			else if (len != 1)
-				fatal("ssh_exchange_identification: read: %.100s", strerror(errno));
-			if (buf[i] == '\r') {
-				buf[i] = '\n';
-				buf[i + 1] = 0;
-				continue;		/**XXX wait for \n */
-			}
-			if (buf[i] == '\n') {
-				buf[i + 1] = 0;
-				break;
-			}
-			if (++n > 65536)
-				fatal("ssh_exchange_identification: No banner received");
-		}
-		buf[sizeof(buf) - 1] = 0;
-		if (strncmp(buf, "SSH-", 4) == 0)
-			break;
-		debug("ssh_exchange_identification: %s", buf);
-	}
-	server_version_string = xstrdup(buf);
-
-	/*
-	 * Check that the versions match.  In future this might accept
-	 * several versions and set appropriate flags to handle them.
-	 */
-	if (sscanf(server_version_string, "SSH-%d.%d-%[^\n]\n",
-	    &remote_major, &remote_minor, remote_version) != 3)
-		fatal("Bad remote protocol version identification: '%.100s'", buf);
-	debug("Remote protocol version %d.%d, remote software version %.100s",
-	    remote_major, remote_minor, remote_version);
-
-	compat_datafellows(remote_version);
-	mismatch = 0;
-
-	switch (remote_major) {
-	case 1:
-		if (remote_minor == 99 &&
-		    (options.protocol & SSH_PROTO_2) &&
-		    !(options.protocol & SSH_PROTO_1_PREFERRED)) {
-			enable_compat20();
-			break;
-		}
-		if (!(options.protocol & SSH_PROTO_1)) {
-			mismatch = 1;
-			break;
-		}
-		if (remote_minor < 3) {
-			fatal("Remote machine has too old SSH software version.");
-		} else if (remote_minor == 3 || remote_minor == 4) {
-			/* We speak 1.3, too. */
-			enable_compat13();
-			minor1 = 3;
-			if (options.forward_agent) {
-				logit("Agent forwarding disabled for protocol 1.3");
-				options.forward_agent = 0;
-			}
-		}
-		break;
-	case 2:
-		if (options.protocol & SSH_PROTO_2) {
-			enable_compat20();
-			break;
-		}
-		/* FALLTHROUGH */
-	default:
-		mismatch = 1;
-		break;
-	}
-	if (mismatch)
-		fatal("Protocol major versions differ: %d vs. %d",
-		    (options.protocol & SSH_PROTO_2) ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
-		    remote_major);
-	/* Send our own protocol version identification. */
-	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n",
-	    compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
-	    compat20 ? PROTOCOL_MINOR_2 : minor1,
-	    SSH_VERSION);
-	if (atomicio(vwrite, connection_out, buf, strlen(buf)) != strlen(buf))
-		fatal("write: %.100s", strerror(errno));
-	client_version_string = xstrdup(buf);
-	chop(client_version_string);
-	chop(server_version_string);
-	debug("Local version string %.100s", client_version_string);
-}
-
-/* defaults to 'no' */
-static int
-confirm(const char *prompt)
-{
-	const char *msg, *again = "Please type 'yes' or 'no': ";
-	char *p;
-	int ret = -1;
-
-	if (options.batch_mode)
-		return 0;
-	for (msg = prompt;;msg = again) {
-		p = read_passphrase(msg, RP_ECHO);
-		if (p == NULL ||
-		    (p[0] == '\0') || (p[0] == '\n') ||
-		    strncasecmp(p, "no", 2) == 0)
-			ret = 0;
-		if (p && strncasecmp(p, "yes", 3) == 0)
-			ret = 1;
-		if (p)
-			xfree(p);
-		if (ret != -1)
-			return ret;
-	}
-}
-
-/*
- * check whether the supplied host key is valid, return -1 if the key
- * is not valid. the user_hostfile will not be updated if 'readonly' is true.
- */
-#define RDRW	0
-#define RDONLY	1
-#define ROQUIET	2
-static int
-check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
-    Key *host_key, int readonly, const char *user_hostfile,
-    const char *system_hostfile)
-{
-	Key *file_key;
-	const char *type = key_type(host_key);
-	char *ip = NULL, *host = NULL;
-	char hostline[1000], *hostp, *fp;
-	HostStatus host_status;
-	HostStatus ip_status;
-	int r, local = 0, host_ip_differ = 0;
-	int salen;
-	char ntop[NI_MAXHOST];
-	char msg[1024];
-	int len, host_line, ip_line;
-	const char *host_file = NULL, *ip_file = NULL;
-
-	/*
-	 * Force accepting of the host key for loopback/localhost. The
-	 * problem is that if the home directory is NFS-mounted to multiple
-	 * machines, localhost will refer to a different machine in each of
-	 * them, and the user will get bogus HOST_CHANGED warnings.  This
-	 * essentially disables host authentication for localhost; however,
-	 * this is probably not a real problem.
-	 */
-	/**  hostaddr == 0! */
-	switch (hostaddr->sa_family) {
-	case AF_INET:
-		local = (ntohl(((struct sockaddr_in *)hostaddr)->
-		    sin_addr.s_addr) >> 24) == IN_LOOPBACKNET;
-		salen = sizeof(struct sockaddr_in);
-		break;
-	case AF_INET6:
-		local = IN6_IS_ADDR_LOOPBACK(
-		    &(((struct sockaddr_in6 *)hostaddr)->sin6_addr));
-		salen = sizeof(struct sockaddr_in6);
-		break;
-	default:
-		local = 0;
-		salen = sizeof(struct sockaddr_storage);
-		break;
-	}
-	if (options.no_host_authentication_for_localhost == 1 && local &&
-	    options.host_key_alias == NULL) {
-		debug("Forcing accepting of host key for "
-		    "loopback/localhost.");
-		return 0;
-	}
-
-	/*
-	 * We don't have the remote ip-address for connections
-	 * using a proxy command
-	 */
-	if (options.proxy_command == NULL) {
-		if (getnameinfo(hostaddr, salen, ntop, sizeof(ntop),
-		    NULL, 0, NI_NUMERICHOST) != 0)
-			fatal("check_host_key: getnameinfo failed");
-		ip = put_host_port(ntop, port);
-	} else {
-		ip = xstrdup("<no hostip for proxy command>");
-	}
-	/*
-	 * Turn off check_host_ip if the connection is to localhost, via proxy
-	 * command or if we don't have a hostname to compare with
-	 */
-	if (options.check_host_ip && (local ||
-	    strcmp(hostname, ip) == 0 || options.proxy_command != NULL))
-		options.check_host_ip = 0;
-
-	/*
-	 * Allow the user to record the key under a different name or
-	 * differentiate a non-standard port.  This is useful for ssh
-	 * tunneling over forwarded connections or if you run multiple
-	 * sshd's on different ports on the same machine.
-	 */
-	if (options.host_key_alias != NULL) {
-		host = xstrdup(options.host_key_alias);
-		debug("using hostkeyalias: %s", host);
-	} else {
-		host = put_host_port(hostname, port);
-	}
-
-	/*
-	 * Store the host key from the known host file in here so that we can
-	 * compare it with the key for the IP address.
-	 */
-	file_key = key_new(host_key->type);
-
-	/*
-	 * Check if the host key is present in the user's list of known
-	 * hosts or in the systemwide list.
-	 */
-	host_file = user_hostfile;
-	host_status = check_host_in_hostfile(host_file, host, host_key,
-	    file_key, &host_line);
-	if (host_status == HOST_NEW) {
-		host_file = system_hostfile;
-		host_status = check_host_in_hostfile(host_file, host, host_key,
-		    file_key, &host_line);
-	}
-	/*
-	 * Also perform check for the ip address, skip the check if we are
-	 * localhost or the hostname was an ip address to begin with
-	 */
-	if (options.check_host_ip) {
-		Key *ip_key = key_new(host_key->type);
-
-		ip_file = user_hostfile;
-		ip_status = check_host_in_hostfile(ip_file, ip, host_key,
-		    ip_key, &ip_line);
-		if (ip_status == HOST_NEW) {
-			ip_file = system_hostfile;
-			ip_status = check_host_in_hostfile(ip_file, ip,
-			    host_key, ip_key, &ip_line);
-		}
-		if (host_status == HOST_CHANGED &&
-		    (ip_status != HOST_CHANGED || !key_equal(ip_key, file_key)))
-			host_ip_differ = 1;
-
-		key_free(ip_key);
-	} else
-		ip_status = host_status;
-
-	key_free(file_key);
-
-	switch (host_status) {
-	case HOST_OK:
-		/* The host is known and the key matches. */
-		debug("Host '%.200s' is known and matches the %s host key.",
-		    host, type);
-		debug("Found key in %s:%d", host_file, host_line);
-		if (options.check_host_ip && ip_status == HOST_NEW) {
-			if (readonly)
-				logit("%s host key for IP address "
-				    "'%.128s' not in list of known hosts.",
-				    type, ip);
-			else if (!add_host_to_hostfile(user_hostfile, ip,
-			    host_key, options.hash_known_hosts))
-				logit("Failed to add the %s host key for IP "
-				    "address '%.128s' to the list of known "
-				    "hosts (%.30s).", type, ip, user_hostfile);
-			else
-				logit("Warning: Permanently added the %s host "
-				    "key for IP address '%.128s' to the list "
-				    "of known hosts.", type, ip);
-		}
-		break;
-	case HOST_NEW:
-		if (options.host_key_alias == NULL && port != 0 &&
-		    port != SSH_DEFAULT_PORT) {
-			debug("checking without port identifier");
-			if (check_host_key(hostname, hostaddr, 0, host_key, 2,
-			    user_hostfile, system_hostfile) == 0) {
-				debug("found matching key w/out port");
-				break;
-			}
-		}
-		if (readonly)
-			goto fail;
-		/* The host is new. */
-		if (options.strict_host_key_checking == 1) {
-			/*
-			 * User has requested strict host key checking.  We
-			 * will not add the host key automatically.  The only
-			 * alternative left is to abort.
-			 */
-			error("No %s host key is known for %.200s and you "
-			    "have requested strict checking.", type, host);
-			goto fail;
-		} else if (options.strict_host_key_checking == 2) {
-			char msg1[1024], msg2[1024];
-
-			if (show_other_keys(host, host_key))
-				snprintf(msg1, sizeof(msg1),
-				    "\nbut keys of different type are already"
-				    " known for this host.");
-			else
-				snprintf(msg1, sizeof(msg1), ".");
-			/* The default */
-			fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
-			msg2[0] = '\0';
-			if (options.verify_host_key_dns) {
-				if (matching_host_key_dns)
-					snprintf(msg2, sizeof(msg2),
-					    "Matching host key fingerprint"
-					    " found in DNS.\n");
-				else
-					snprintf(msg2, sizeof(msg2),
-					    "No matching host key fingerprint"
-					    " found in DNS.\n");
-			}
-			snprintf(msg, sizeof(msg),
-			    "The authenticity of host '%.200s (%s)' can't be "
-			    "established%s\n"
-			    "%s key fingerprint is %s.\n%s"
-			    "Are you sure you want to continue connecting "
-			    "(yes/no)? ",
-			    host, ip, msg1, type, fp, msg2);
-			xfree(fp);
-			if (!confirm(msg))
-				goto fail;
-		}
-		/*
-		 * If not in strict mode, add the key automatically to the
-		 * local known_hosts file.
-		 */
-		if (options.check_host_ip && ip_status == HOST_NEW) {
-			snprintf(hostline, sizeof(hostline), "%s,%s",
-			    host, ip);
-			hostp = hostline;
-			if (options.hash_known_hosts) {
-				/* Add hash of host and IP separately */
-				r = add_host_to_hostfile(user_hostfile, host,
-				    host_key, options.hash_known_hosts) &&
-				    add_host_to_hostfile(user_hostfile, ip,
-				    host_key, options.hash_known_hosts);
-			} else {
-				/* Add unhashed "host,ip" */
-				r = add_host_to_hostfile(user_hostfile,
-				    hostline, host_key,
-				    options.hash_known_hosts);
-			}
-		} else {
-			r = add_host_to_hostfile(user_hostfile, host, host_key,
-			    options.hash_known_hosts);
-			hostp = host;
-		}
-
-		if (!r)
-			logit("Failed to add the host to the list of known "
-			    "hosts (%.500s).", user_hostfile);
-		else
-			logit("Warning: Permanently added '%.200s' (%s) to the "
-			    "list of known hosts.", hostp, type);
-		break;
-	case HOST_CHANGED:
-		if (readonly == ROQUIET)
-			goto fail;
-		if (options.check_host_ip && host_ip_differ) {
-			char *key_msg;
-			if (ip_status == HOST_NEW)
-				key_msg = "is unknown";
-			else if (ip_status == HOST_OK)
-				key_msg = "is unchanged";
-			else
-				key_msg = "has a different value";
-			error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
-			error("@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @");
-			error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
-			error("The %s host key for %s has changed,", type, host);
-			error("and the key for the according IP address %s", ip);
-			error("%s. This could either mean that", key_msg);
-			error("DNS SPOOFING is happening or the IP address for the host");
-			error("and its host key have changed at the same time.");
-			if (ip_status != HOST_NEW)
-				error("Offending key for IP in %s:%d", ip_file, ip_line);
-		}
-		/* The host key has changed. */
-		warn_changed_key(host_key);
-		error("Add correct host key in %.100s to get rid of this message.",
-		    user_hostfile);
-		error("Offending key in %s:%d", host_file, host_line);
-
-		/*
-		 * If strict host key checking is in use, the user will have
-		 * to edit the key manually and we can only abort.
-		 */
-		if (options.strict_host_key_checking) {
-			error("%s host key for %.200s has changed and you have "
-			    "requested strict checking.", type, host);
-			goto fail;
-		}
-
-		/*
-		 * If strict host key checking has not been requested, allow
-		 * the connection but without MITM-able authentication or
-		 * forwarding.
-		 */
-		if (options.password_authentication) {
-			error("Password authentication is disabled to avoid "
-			    "man-in-the-middle attacks.");
-			options.password_authentication = 0;
-		}
-		if (options.kbd_interactive_authentication) {
-			error("Keyboard-interactive authentication is disabled"
-			    " to avoid man-in-the-middle attacks.");
-			options.kbd_interactive_authentication = 0;
-			options.challenge_response_authentication = 0;
-		}
-		if (options.challenge_response_authentication) {
-			error("Challenge/response authentication is disabled"
-			    " to avoid man-in-the-middle attacks.");
-			options.challenge_response_authentication = 0;
-		}
-		if (options.forward_agent) {
-			error("Agent forwarding is disabled to avoid "
-			    "man-in-the-middle attacks.");
-			options.forward_agent = 0;
-		}
-		if (options.forward_x11) {
-			error("X11 forwarding is disabled to avoid "
-			    "man-in-the-middle attacks.");
-			options.forward_x11 = 0;
-		}
-		if (options.num_local_forwards > 0 ||
-		    options.num_remote_forwards > 0) {
-			error("Port forwarding is disabled to avoid "
-			    "man-in-the-middle attacks.");
-			options.num_local_forwards =
-			    options.num_remote_forwards = 0;
-		}
-		if (options.tun_open != SSH_TUNMODE_NO) {
-			error("Tunnel forwarding is disabled to avoid "
-			    "man-in-the-middle attacks.");
-			options.tun_open = SSH_TUNMODE_NO;
-		}
-		/*
-		 * XXX Should permit the user to change to use the new id.
-		 * This could be done by converting the host key to an
-		 * identifying sentence, tell that the host identifies itself
-		 * by that sentence, and ask the user if he/she whishes to
-		 * accept the authentication.
-		 */
-		break;
-	case HOST_FOUND:
-		fatal("internal error");
-		break;
-	}
-
-	if (options.check_host_ip && host_status != HOST_CHANGED &&
-	    ip_status == HOST_CHANGED) {
-		snprintf(msg, sizeof(msg),
-		    "Warning: the %s host key for '%.200s' "
-		    "differs from the key for the IP address '%.128s'"
-		    "\nOffending key for IP in %s:%d",
-		    type, host, ip, ip_file, ip_line);
-		if (host_status == HOST_OK) {
-			len = strlen(msg);
-			snprintf(msg + len, sizeof(msg) - len,
-			    "\nMatching host key in %s:%d",
-			    host_file, host_line);
-		}
-		if (options.strict_host_key_checking == 1) {
-			logit("%s", msg);
-			error("Exiting, you have requested strict checking.");
-			goto fail;
-		} else if (options.strict_host_key_checking == 2) {
-			strlcat(msg, "\nAre you sure you want "
-			    "to continue connecting (yes/no)? ", sizeof(msg));
-			if (!confirm(msg))
-				goto fail;
-		} else {
-			logit("%s", msg);
-		}
-	}
-
-	xfree(ip);
-	xfree(host);
-	return 0;
-
-fail:
-	xfree(ip);
-	xfree(host);
-	return -1;
-}
-
-/* returns 0 if key verifies or -1 if key does NOT verify */
-int
-verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
-{
-	struct stat st;
-	int flags = 0;
-
-	if (options.verify_host_key_dns &&
-	    verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
-
-		if (flags & DNS_VERIFY_FOUND) {
-
-			if (options.verify_host_key_dns == 1 &&
-			    flags & DNS_VERIFY_MATCH &&
-			    flags & DNS_VERIFY_SECURE)
-				return 0;
-
-			if (flags & DNS_VERIFY_MATCH) {
-				matching_host_key_dns = 1;
-			} else {
-				warn_changed_key(host_key);
-				error("Update the SSHFP RR in DNS with the new "
-				    "host key to get rid of this message.");
-			}
-		}
-	}
-
-	/* return ok if the key can be found in an old keyfile */
-	if (stat(options.system_hostfile2, &st) == 0 ||
-	    stat(options.user_hostfile2, &st) == 0) {
-		if (check_host_key(host, hostaddr, options.port, host_key,
-		    RDONLY, options.user_hostfile2,
-		    options.system_hostfile2) == 0)
-			return 0;
-	}
-	return check_host_key(host, hostaddr, options.port, host_key,
-	    RDRW, options.user_hostfile, options.system_hostfile);
-}
-
-/*
- * Starts a dialog with the server, and authenticates the current user on the
- * server.  This does not need any extra privileges.  The basic connection
- * to the server must already have been established before this is called.
- * If login fails, this function prints an error and never returns.
- * This function does not require super-user privileges.
- */
-void
-ssh_login(Sensitive *sensitive, const char *orighost,
-    struct sockaddr *hostaddr, struct passwd *pw)
-{
-	char *host, *cp;
-	char *server_user, *local_user;
-
-	local_user = xstrdup(pw->pw_name);
-	server_user = options.user ? options.user : local_user;
-
-	/* Convert the user-supplied hostname into all lowercase. */
-	host = xstrdup(orighost);
-	for (cp = host; *cp; cp++)
-		if (isupper(*cp))
-			*cp = (char)tolower(*cp);
-
-	/* Exchange protocol version identification strings with the server. */
-	ssh_exchange_identification();
-
-	/* Put the connection into non-blocking mode. */
-	packet_set_nonblocking();
-
-	/* key exchange */
-	/* authenticate user */
-	if (compat20) {
-		ssh_kex2(host, hostaddr);
-		ssh_userauth2(local_user, server_user, host, sensitive);
-	} else {
-		ssh_kex(host, hostaddr);
-		ssh_userauth1(local_user, server_user, host, sensitive);
-	}
-	xfree(local_user);
-}
-
-void
-ssh_put_password(char *password)
-{
-	int size;
-	char *padded;
-
-	if (datafellows & SSH_BUG_PASSWORDPAD) {
-		packet_put_cstring(password);
-		return;
-	}
-	size = roundup(strlen(password) + 1, 32);
-	padded = xcalloc(1, size);
-	strlcpy(padded, password, size);
-	packet_put_string(padded, size);
-	memset(padded, 0, size);
-	xfree(padded);
-}
-
-static int
-show_key_from_file(const char *file, const char *host, int keytype)
-{
-	Key *found;
-	char *fp;
-	int line, ret;
-
-	found = key_new(keytype);
-	if ((ret = lookup_key_in_hostfile_by_type(file, host,
-	    keytype, found, &line))) {
-		fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
-		logit("WARNING: %s key found for host %s\n"
-		    "in %s:%d\n"
-		    "%s key fingerprint %s.",
-		    key_type(found), host, file, line,
-		    key_type(found), fp);
-		xfree(fp);
-	}
-	key_free(found);
-	return (ret);
-}
-
-/* print all known host keys for a given host, but skip keys of given type */
-static int
-show_other_keys(const char *host, Key *key)
-{
-	int type[] = { KEY_RSA1, KEY_RSA, KEY_DSA, -1};
-	int i, found = 0;
-
-	for (i = 0; type[i] != -1; i++) {
-		if (type[i] == key->type)
-			continue;
-		if (type[i] != KEY_RSA1 &&
-		    show_key_from_file(options.user_hostfile2, host, type[i])) {
-			found = 1;
-			continue;
-		}
-		if (type[i] != KEY_RSA1 &&
-		    show_key_from_file(options.system_hostfile2, host, type[i])) {
-			found = 1;
-			continue;
-		}
-		if (show_key_from_file(options.user_hostfile, host, type[i])) {
-			found = 1;
-			continue;
-		}
-		if (show_key_from_file(options.system_hostfile, host, type[i])) {
-			found = 1;
-			continue;
-		}
-		debug2("no key of type %d for host %s", type[i], host);
-	}
-	return (found);
-}
-
-static void
-warn_changed_key(Key *host_key)
-{
-	char *fp;
-	const char *type = key_type(host_key);
-
-	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
-
-	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
-	error("@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @");
-	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
-	error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
-	error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
-	error("It is also possible that the %s host key has just been changed.", type);
-	error("The fingerprint for the %s key sent by the remote host is\n%s.",
-	    type, fp);
-	error("Please contact your system administrator.");
-
-	xfree(fp);
-}
-
-/*
- * Execute a local command
- */
-int
-ssh_local_cmd(const char *args)
-{
-	char *shell;
-	pid_t pid;
-	int status;
-
-	if (!options.permit_local_command ||
-	    args == NULL || !*args)
-		return (1);
-
-	if ((shell = getenv("SHELL")) == NULL)
-		shell = _PATH_BSHELL;
-
-	pid = fork();
-	if (pid == 0) {
-		debug3("Executing %s -c \"%s\"", shell, args);
-		execl(shell, shell, "-c", args, (char *)NULL);
-		error("Couldn't execute %s -c \"%s\": %s",
-		    shell, args, strerror(errno));
-		_exit(1);
-	} else if (pid == -1)
-		fatal("fork failed: %.100s", strerror(errno));
-	while (waitpid(pid, &status, 0) == -1)
-		if (errno != EINTR)
-			fatal("Couldn't wait for child: %s", strerror(errno));
-
-	if (!WIFEXITED(status))
-		return (1);
-
-	return (WEXITSTATUS(status));
-}
diff --git a/crypto/openssh/sshconnect.h b/crypto/openssh/sshconnect.h
deleted file mode 100644
index 4e66bbf..0000000
--- a/crypto/openssh/sshconnect.h
+++ /dev/null
@@ -1,69 +0,0 @@
-/* $OpenBSD: sshconnect.h,v 1.23 2006/08/03 03:34:42 deraadt Exp $ */
-
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-typedef struct Sensitive Sensitive;
-struct Sensitive {
-	Key	**keys;
-	int	nkeys;
-	int	external_keysign;
-};
-
-int
-ssh_connect(const char *, struct sockaddr_storage *, u_short, int, int,
-    int, const char *);
-
-void
-ssh_login(Sensitive *, const char *, struct sockaddr *, struct passwd *);
-
-int	 verify_host_key(char *, struct sockaddr *, Key *);
-
-void	 ssh_kex(char *, struct sockaddr *);
-void	 ssh_kex2(char *, struct sockaddr *);
-
-void	 ssh_userauth1(const char *, const char *, char *, Sensitive *);
-void	 ssh_userauth2(const char *, const char *, char *, Sensitive *);
-
-void	 ssh_put_password(char *);
-int	 ssh_local_cmd(const char *);
-
-/*
- * Macros to raise/lower permissions.
- */
-#define PRIV_START do {					\
-	int save_errno = errno;				\
-	if (seteuid(original_effective_uid) != 0)	\
-		fatal("PRIV_START: seteuid: %s",	\
-		    strerror(errno));			\
-	errno = save_errno;				\
-} while (0)
-
-#define PRIV_END do {					\
-	int save_errno = errno;				\
-	if (seteuid(original_real_uid) != 0)		\
-		fatal("PRIV_END: seteuid: %s",		\
-		    strerror(errno));			\
-	errno = save_errno;				\
-} while (0)
diff --git a/crypto/openssh/sshconnect1.c b/crypto/openssh/sshconnect1.c
deleted file mode 100644
index fd07bbf..0000000
--- a/crypto/openssh/sshconnect1.c
+++ /dev/null
@@ -1,753 +0,0 @@
-/* $OpenBSD: sshconnect1.c,v 1.70 2006/11/06 21:25:28 markus Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Code to connect to a remote host, and to perform the client side of the
- * login (authentication) dialog.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <openssl/bn.h>
-#include <openssl/md5.h>
-
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <signal.h>
-#include <pwd.h>
-
-#include "xmalloc.h"
-#include "ssh.h"
-#include "ssh1.h"
-#include "rsa.h"
-#include "buffer.h"
-#include "packet.h"
-#include "key.h"
-#include "cipher.h"
-#include "kex.h"
-#include "uidswap.h"
-#include "log.h"
-#include "readconf.h"
-#include "authfd.h"
-#include "sshconnect.h"
-#include "authfile.h"
-#include "misc.h"
-#include "canohost.h"
-#include "hostfile.h"
-#include "auth.h"
-
-/* Session id for the current session. */
-u_char session_id[16];
-u_int supported_authentications = 0;
-
-extern Options options;
-extern char *__progname;
-
-/*
- * Checks if the user has an authentication agent, and if so, tries to
- * authenticate using the agent.
- */
-static int
-try_agent_authentication(void)
-{
-	int type;
-	char *comment;
-	AuthenticationConnection *auth;
-	u_char response[16];
-	u_int i;
-	Key *key;
-	BIGNUM *challenge;
-
-	/* Get connection to the agent. */
-	auth = ssh_get_authentication_connection();
-	if (!auth)
-		return 0;
-
-	if ((challenge = BN_new()) == NULL)
-		fatal("try_agent_authentication: BN_new failed");
-	/* Loop through identities served by the agent. */
-	for (key = ssh_get_first_identity(auth, &comment, 1);
-	    key != NULL;
-	    key = ssh_get_next_identity(auth, &comment, 1)) {
-
-		/* Try this identity. */
-		debug("Trying RSA authentication via agent with '%.100s'", comment);
-		xfree(comment);
-
-		/* Tell the server that we are willing to authenticate using this key. */
-		packet_start(SSH_CMSG_AUTH_RSA);
-		packet_put_bignum(key->rsa->n);
-		packet_send();
-		packet_write_wait();
-
-		/* Wait for server's response. */
-		type = packet_read();
-
-		/* The server sends failure if it doesn't like our key or
-		   does not support RSA authentication. */
-		if (type == SSH_SMSG_FAILURE) {
-			debug("Server refused our key.");
-			key_free(key);
-			continue;
-		}
-		/* Otherwise it should have sent a challenge. */
-		if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
-			packet_disconnect("Protocol error during RSA authentication: %d",
-					  type);
-
-		packet_get_bignum(challenge);
-		packet_check_eom();
-
-		debug("Received RSA challenge from server.");
-
-		/* Ask the agent to decrypt the challenge. */
-		if (!ssh_decrypt_challenge(auth, key, challenge, session_id, 1, response)) {
-			/*
-			 * The agent failed to authenticate this identifier
-			 * although it advertised it supports this.  Just
-			 * return a wrong value.
-			 */
-			logit("Authentication agent failed to decrypt challenge.");
-			memset(response, 0, sizeof(response));
-		}
-		key_free(key);
-		debug("Sending response to RSA challenge.");
-
-		/* Send the decrypted challenge back to the server. */
-		packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
-		for (i = 0; i < 16; i++)
-			packet_put_char(response[i]);
-		packet_send();
-		packet_write_wait();
-
-		/* Wait for response from the server. */
-		type = packet_read();
-
-		/* The server returns success if it accepted the authentication. */
-		if (type == SSH_SMSG_SUCCESS) {
-			ssh_close_authentication_connection(auth);
-			BN_clear_free(challenge);
-			debug("RSA authentication accepted by server.");
-			return 1;
-		}
-		/* Otherwise it should return failure. */
-		if (type != SSH_SMSG_FAILURE)
-			packet_disconnect("Protocol error waiting RSA auth response: %d",
-					  type);
-	}
-	ssh_close_authentication_connection(auth);
-	BN_clear_free(challenge);
-	debug("RSA authentication using agent refused.");
-	return 0;
-}
-
-/*
- * Computes the proper response to a RSA challenge, and sends the response to
- * the server.
- */
-static void
-respond_to_rsa_challenge(BIGNUM * challenge, RSA * prv)
-{
-	u_char buf[32], response[16];
-	MD5_CTX md;
-	int i, len;
-
-	/* Decrypt the challenge using the private key. */
-	/* XXX think about Bleichenbacher, too */
-	if (rsa_private_decrypt(challenge, challenge, prv) <= 0)
-		packet_disconnect(
-		    "respond_to_rsa_challenge: rsa_private_decrypt failed");
-
-	/* Compute the response. */
-	/* The response is MD5 of decrypted challenge plus session id. */
-	len = BN_num_bytes(challenge);
-	if (len <= 0 || (u_int)len > sizeof(buf))
-		packet_disconnect(
-		    "respond_to_rsa_challenge: bad challenge length %d", len);
-
-	memset(buf, 0, sizeof(buf));
-	BN_bn2bin(challenge, buf + sizeof(buf) - len);
-	MD5_Init(&md);
-	MD5_Update(&md, buf, 32);
-	MD5_Update(&md, session_id, 16);
-	MD5_Final(response, &md);
-
-	debug("Sending response to host key RSA challenge.");
-
-	/* Send the response back to the server. */
-	packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
-	for (i = 0; i < 16; i++)
-		packet_put_char(response[i]);
-	packet_send();
-	packet_write_wait();
-
-	memset(buf, 0, sizeof(buf));
-	memset(response, 0, sizeof(response));
-	memset(&md, 0, sizeof(md));
-}
-
-/*
- * Checks if the user has authentication file, and if so, tries to authenticate
- * the user using it.
- */
-static int
-try_rsa_authentication(int idx)
-{
-	BIGNUM *challenge;
-	Key *public, *private;
-	char buf[300], *passphrase, *comment, *authfile;
-	int i, perm_ok = 1, type, quit;
-
-	public = options.identity_keys[idx];
-	authfile = options.identity_files[idx];
-	comment = xstrdup(authfile);
-
-	debug("Trying RSA authentication with key '%.100s'", comment);
-
-	/* Tell the server that we are willing to authenticate using this key. */
-	packet_start(SSH_CMSG_AUTH_RSA);
-	packet_put_bignum(public->rsa->n);
-	packet_send();
-	packet_write_wait();
-
-	/* Wait for server's response. */
-	type = packet_read();
-
-	/*
-	 * The server responds with failure if it doesn't like our key or
-	 * doesn't support RSA authentication.
-	 */
-	if (type == SSH_SMSG_FAILURE) {
-		debug("Server refused our key.");
-		xfree(comment);
-		return 0;
-	}
-	/* Otherwise, the server should respond with a challenge. */
-	if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
-		packet_disconnect("Protocol error during RSA authentication: %d", type);
-
-	/* Get the challenge from the packet. */
-	if ((challenge = BN_new()) == NULL)
-		fatal("try_rsa_authentication: BN_new failed");
-	packet_get_bignum(challenge);
-	packet_check_eom();
-
-	debug("Received RSA challenge from server.");
-
-	/*
-	 * If the key is not stored in external hardware, we have to
-	 * load the private key.  Try first with empty passphrase; if it
-	 * fails, ask for a passphrase.
-	 */
-	if (public->flags & KEY_FLAG_EXT)
-		private = public;
-	else
-		private = key_load_private_type(KEY_RSA1, authfile, "", NULL,
-		    &perm_ok);
-	if (private == NULL && !options.batch_mode && perm_ok) {
-		snprintf(buf, sizeof(buf),
-		    "Enter passphrase for RSA key '%.100s': ", comment);
-		for (i = 0; i < options.number_of_password_prompts; i++) {
-			passphrase = read_passphrase(buf, 0);
-			if (strcmp(passphrase, "") != 0) {
-				private = key_load_private_type(KEY_RSA1,
-				    authfile, passphrase, NULL, NULL);
-				quit = 0;
-			} else {
-				debug2("no passphrase given, try next key");
-				quit = 1;
-			}
-			memset(passphrase, 0, strlen(passphrase));
-			xfree(passphrase);
-			if (private != NULL || quit)
-				break;
-			debug2("bad passphrase given, try again...");
-		}
-	}
-	/* We no longer need the comment. */
-	xfree(comment);
-
-	if (private == NULL) {
-		if (!options.batch_mode && perm_ok)
-			error("Bad passphrase.");
-
-		/* Send a dummy response packet to avoid protocol error. */
-		packet_start(SSH_CMSG_AUTH_RSA_RESPONSE);
-		for (i = 0; i < 16; i++)
-			packet_put_char(0);
-		packet_send();
-		packet_write_wait();
-
-		/* Expect the server to reject it... */
-		packet_read_expect(SSH_SMSG_FAILURE);
-		BN_clear_free(challenge);
-		return 0;
-	}
-
-	/* Compute and send a response to the challenge. */
-	respond_to_rsa_challenge(challenge, private->rsa);
-
-	/* Destroy the private key unless it in external hardware. */
-	if (!(private->flags & KEY_FLAG_EXT))
-		key_free(private);
-
-	/* We no longer need the challenge. */
-	BN_clear_free(challenge);
-
-	/* Wait for response from the server. */
-	type = packet_read();
-	if (type == SSH_SMSG_SUCCESS) {
-		debug("RSA authentication accepted by server.");
-		return 1;
-	}
-	if (type != SSH_SMSG_FAILURE)
-		packet_disconnect("Protocol error waiting RSA auth response: %d", type);
-	debug("RSA authentication refused.");
-	return 0;
-}
-
-/*
- * Tries to authenticate the user using combined rhosts or /etc/hosts.equiv
- * authentication and RSA host authentication.
- */
-static int
-try_rhosts_rsa_authentication(const char *local_user, Key * host_key)
-{
-	int type;
-	BIGNUM *challenge;
-
-	debug("Trying rhosts or /etc/hosts.equiv with RSA host authentication.");
-
-	/* Tell the server that we are willing to authenticate using this key. */
-	packet_start(SSH_CMSG_AUTH_RHOSTS_RSA);
-	packet_put_cstring(local_user);
-	packet_put_int(BN_num_bits(host_key->rsa->n));
-	packet_put_bignum(host_key->rsa->e);
-	packet_put_bignum(host_key->rsa->n);
-	packet_send();
-	packet_write_wait();
-
-	/* Wait for server's response. */
-	type = packet_read();
-
-	/* The server responds with failure if it doesn't admit our
-	   .rhosts authentication or doesn't know our host key. */
-	if (type == SSH_SMSG_FAILURE) {
-		debug("Server refused our rhosts authentication or host key.");
-		return 0;
-	}
-	/* Otherwise, the server should respond with a challenge. */
-	if (type != SSH_SMSG_AUTH_RSA_CHALLENGE)
-		packet_disconnect("Protocol error during RSA authentication: %d", type);
-
-	/* Get the challenge from the packet. */
-	if ((challenge = BN_new()) == NULL)
-		fatal("try_rhosts_rsa_authentication: BN_new failed");
-	packet_get_bignum(challenge);
-	packet_check_eom();
-
-	debug("Received RSA challenge for host key from server.");
-
-	/* Compute a response to the challenge. */
-	respond_to_rsa_challenge(challenge, host_key->rsa);
-
-	/* We no longer need the challenge. */
-	BN_clear_free(challenge);
-
-	/* Wait for response from the server. */
-	type = packet_read();
-	if (type == SSH_SMSG_SUCCESS) {
-		debug("Rhosts or /etc/hosts.equiv with RSA host authentication accepted by server.");
-		return 1;
-	}
-	if (type != SSH_SMSG_FAILURE)
-		packet_disconnect("Protocol error waiting RSA auth response: %d", type);
-	debug("Rhosts or /etc/hosts.equiv with RSA host authentication refused.");
-	return 0;
-}
-
-/*
- * Tries to authenticate with any string-based challenge/response system.
- * Note that the client code is not tied to s/key or TIS.
- */
-static int
-try_challenge_response_authentication(void)
-{
-	int type, i;
-	u_int clen;
-	char prompt[1024];
-	char *challenge, *response;
-
-	debug("Doing challenge response authentication.");
-
-	for (i = 0; i < options.number_of_password_prompts; i++) {
-		/* request a challenge */
-		packet_start(SSH_CMSG_AUTH_TIS);
-		packet_send();
-		packet_write_wait();
-
-		type = packet_read();
-		if (type != SSH_SMSG_FAILURE &&
-		    type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
-			packet_disconnect("Protocol error: got %d in response "
-			    "to SSH_CMSG_AUTH_TIS", type);
-		}
-		if (type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
-			debug("No challenge.");
-			return 0;
-		}
-		challenge = packet_get_string(&clen);
-		packet_check_eom();
-		snprintf(prompt, sizeof prompt, "%s%s", challenge,
-		    strchr(challenge, '\n') ? "" : "\nResponse: ");
-		xfree(challenge);
-		if (i != 0)
-			error("Permission denied, please try again.");
-		if (options.cipher == SSH_CIPHER_NONE)
-			logit("WARNING: Encryption is disabled! "
-			    "Response will be transmitted in clear text.");
-		response = read_passphrase(prompt, 0);
-		if (strcmp(response, "") == 0) {
-			xfree(response);
-			break;
-		}
-		packet_start(SSH_CMSG_AUTH_TIS_RESPONSE);
-		ssh_put_password(response);
-		memset(response, 0, strlen(response));
-		xfree(response);
-		packet_send();
-		packet_write_wait();
-		type = packet_read();
-		if (type == SSH_SMSG_SUCCESS)
-			return 1;
-		if (type != SSH_SMSG_FAILURE)
-			packet_disconnect("Protocol error: got %d in response "
-			    "to SSH_CMSG_AUTH_TIS_RESPONSE", type);
-	}
-	/* failure */
-	return 0;
-}
-
-/*
- * Tries to authenticate with plain passwd authentication.
- */
-static int
-try_password_authentication(char *prompt)
-{
-	int type, i;
-	char *password;
-
-	debug("Doing password authentication.");
-	if (options.cipher == SSH_CIPHER_NONE)
-		logit("WARNING: Encryption is disabled! Password will be transmitted in clear text.");
-	for (i = 0; i < options.number_of_password_prompts; i++) {
-		if (i != 0)
-			error("Permission denied, please try again.");
-		password = read_passphrase(prompt, 0);
-		packet_start(SSH_CMSG_AUTH_PASSWORD);
-		ssh_put_password(password);
-		memset(password, 0, strlen(password));
-		xfree(password);
-		packet_send();
-		packet_write_wait();
-
-		type = packet_read();
-		if (type == SSH_SMSG_SUCCESS)
-			return 1;
-		if (type != SSH_SMSG_FAILURE)
-			packet_disconnect("Protocol error: got %d in response to passwd auth", type);
-	}
-	/* failure */
-	return 0;
-}
-
-/*
- * SSH1 key exchange
- */
-void
-ssh_kex(char *host, struct sockaddr *hostaddr)
-{
-	int i;
-	BIGNUM *key;
-	Key *host_key, *server_key;
-	int bits, rbits;
-	int ssh_cipher_default = SSH_CIPHER_3DES;
-	u_char session_key[SSH_SESSION_KEY_LENGTH];
-	u_char cookie[8];
-	u_int supported_ciphers;
-	u_int server_flags, client_flags;
-	u_int32_t rnd = 0;
-
-	debug("Waiting for server public key.");
-
-	/* Wait for a public key packet from the server. */
-	packet_read_expect(SSH_SMSG_PUBLIC_KEY);
-
-	/* Get cookie from the packet. */
-	for (i = 0; i < 8; i++)
-		cookie[i] = packet_get_char();
-
-	/* Get the public key. */
-	server_key = key_new(KEY_RSA1);
-	bits = packet_get_int();
-	packet_get_bignum(server_key->rsa->e);
-	packet_get_bignum(server_key->rsa->n);
-
-	rbits = BN_num_bits(server_key->rsa->n);
-	if (bits != rbits) {
-		logit("Warning: Server lies about size of server public key: "
-		    "actual size is %d bits vs. announced %d.", rbits, bits);
-		logit("Warning: This may be due to an old implementation of ssh.");
-	}
-	/* Get the host key. */
-	host_key = key_new(KEY_RSA1);
-	bits = packet_get_int();
-	packet_get_bignum(host_key->rsa->e);
-	packet_get_bignum(host_key->rsa->n);
-
-	rbits = BN_num_bits(host_key->rsa->n);
-	if (bits != rbits) {
-		logit("Warning: Server lies about size of server host key: "
-		    "actual size is %d bits vs. announced %d.", rbits, bits);
-		logit("Warning: This may be due to an old implementation of ssh.");
-	}
-
-	/* Get protocol flags. */
-	server_flags = packet_get_int();
-	packet_set_protocol_flags(server_flags);
-
-	supported_ciphers = packet_get_int();
-	supported_authentications = packet_get_int();
-	packet_check_eom();
-
-	debug("Received server public key (%d bits) and host key (%d bits).",
-	    BN_num_bits(server_key->rsa->n), BN_num_bits(host_key->rsa->n));
-
-	if (verify_host_key(host, hostaddr, host_key) == -1)
-		fatal("Host key verification failed.");
-
-	client_flags = SSH_PROTOFLAG_SCREEN_NUMBER | SSH_PROTOFLAG_HOST_IN_FWD_OPEN;
-
-	derive_ssh1_session_id(host_key->rsa->n, server_key->rsa->n, cookie, session_id);
-
-	/* Generate a session key. */
-	arc4random_stir();
-
-	/*
-	 * Generate an encryption key for the session.   The key is a 256 bit
-	 * random number, interpreted as a 32-byte key, with the least
-	 * significant 8 bits being the first byte of the key.
-	 */
-	for (i = 0; i < 32; i++) {
-		if (i % 4 == 0)
-			rnd = arc4random();
-		session_key[i] = rnd & 0xff;
-		rnd >>= 8;
-	}
-
-	/*
-	 * According to the protocol spec, the first byte of the session key
-	 * is the highest byte of the integer.  The session key is xored with
-	 * the first 16 bytes of the session id.
-	 */
-	if ((key = BN_new()) == NULL)
-		fatal("ssh_kex: BN_new failed");
-	if (BN_set_word(key, 0) == 0)
-		fatal("ssh_kex: BN_set_word failed");
-	for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {
-		if (BN_lshift(key, key, 8) == 0)
-			fatal("ssh_kex: BN_lshift failed");
-		if (i < 16) {
-			if (BN_add_word(key, session_key[i] ^ session_id[i])
-			    == 0)
-				fatal("ssh_kex: BN_add_word failed");
-		} else {
-			if (BN_add_word(key, session_key[i]) == 0)
-				fatal("ssh_kex: BN_add_word failed");
-		}
-	}
-
-	/*
-	 * Encrypt the integer using the public key and host key of the
-	 * server (key with smaller modulus first).
-	 */
-	if (BN_cmp(server_key->rsa->n, host_key->rsa->n) < 0) {
-		/* Public key has smaller modulus. */
-		if (BN_num_bits(host_key->rsa->n) <
-		    BN_num_bits(server_key->rsa->n) + SSH_KEY_BITS_RESERVED) {
-			fatal("respond_to_rsa_challenge: host_key %d < server_key %d + "
-			    "SSH_KEY_BITS_RESERVED %d",
-			    BN_num_bits(host_key->rsa->n),
-			    BN_num_bits(server_key->rsa->n),
-			    SSH_KEY_BITS_RESERVED);
-		}
-		rsa_public_encrypt(key, key, server_key->rsa);
-		rsa_public_encrypt(key, key, host_key->rsa);
-	} else {
-		/* Host key has smaller modulus (or they are equal). */
-		if (BN_num_bits(server_key->rsa->n) <
-		    BN_num_bits(host_key->rsa->n) + SSH_KEY_BITS_RESERVED) {
-			fatal("respond_to_rsa_challenge: server_key %d < host_key %d + "
-			    "SSH_KEY_BITS_RESERVED %d",
-			    BN_num_bits(server_key->rsa->n),
-			    BN_num_bits(host_key->rsa->n),
-			    SSH_KEY_BITS_RESERVED);
-		}
-		rsa_public_encrypt(key, key, host_key->rsa);
-		rsa_public_encrypt(key, key, server_key->rsa);
-	}
-
-	/* Destroy the public keys since we no longer need them. */
-	key_free(server_key);
-	key_free(host_key);
-
-	if (options.cipher == SSH_CIPHER_NOT_SET) {
-		if (cipher_mask_ssh1(1) & supported_ciphers & (1 << ssh_cipher_default))
-			options.cipher = ssh_cipher_default;
-	} else if (options.cipher == SSH_CIPHER_INVALID ||
-	    !(cipher_mask_ssh1(1) & (1 << options.cipher))) {
-		logit("No valid SSH1 cipher, using %.100s instead.",
-		    cipher_name(ssh_cipher_default));
-		options.cipher = ssh_cipher_default;
-	}
-	/* Check that the selected cipher is supported. */
-	if (!(supported_ciphers & (1 << options.cipher)))
-		fatal("Selected cipher type %.100s not supported by server.",
-		    cipher_name(options.cipher));
-
-	debug("Encryption type: %.100s", cipher_name(options.cipher));
-
-	/* Send the encrypted session key to the server. */
-	packet_start(SSH_CMSG_SESSION_KEY);
-	packet_put_char(options.cipher);
-
-	/* Send the cookie back to the server. */
-	for (i = 0; i < 8; i++)
-		packet_put_char(cookie[i]);
-
-	/* Send and destroy the encrypted encryption key integer. */
-	packet_put_bignum(key);
-	BN_clear_free(key);
-
-	/* Send protocol flags. */
-	packet_put_int(client_flags);
-
-	/* Send the packet now. */
-	packet_send();
-	packet_write_wait();
-
-	debug("Sent encrypted session key.");
-
-	/* Set the encryption key. */
-	packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, options.cipher);
-
-	/* We will no longer need the session key here.  Destroy any extra copies. */
-	memset(session_key, 0, sizeof(session_key));
-
-	/*
-	 * Expect a success message from the server.  Note that this message
-	 * will be received in encrypted form.
-	 */
-	packet_read_expect(SSH_SMSG_SUCCESS);
-
-	debug("Received encrypted confirmation.");
-}
-
-/*
- * Authenticate user
- */
-void
-ssh_userauth1(const char *local_user, const char *server_user, char *host,
-    Sensitive *sensitive)
-{
-	int i, type;
-
-	if (supported_authentications == 0)
-		fatal("ssh_userauth1: server supports no auth methods");
-
-	/* Send the name of the user to log in as on the server. */
-	packet_start(SSH_CMSG_USER);
-	packet_put_cstring(server_user);
-	packet_send();
-	packet_write_wait();
-
-	/*
-	 * The server should respond with success if no authentication is
-	 * needed (the user has no password).  Otherwise the server responds
-	 * with failure.
-	 */
-	type = packet_read();
-
-	/* check whether the connection was accepted without authentication. */
-	if (type == SSH_SMSG_SUCCESS)
-		goto success;
-	if (type != SSH_SMSG_FAILURE)
-		packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", type);
-
-	/*
-	 * Try .rhosts or /etc/hosts.equiv authentication with RSA host
-	 * authentication.
-	 */
-	if ((supported_authentications & (1 << SSH_AUTH_RHOSTS_RSA)) &&
-	    options.rhosts_rsa_authentication) {
-		for (i = 0; i < sensitive->nkeys; i++) {
-			if (sensitive->keys[i] != NULL &&
-			    sensitive->keys[i]->type == KEY_RSA1 &&
-			    try_rhosts_rsa_authentication(local_user,
-			    sensitive->keys[i]))
-				goto success;
-		}
-	}
-	/* Try RSA authentication if the server supports it. */
-	if ((supported_authentications & (1 << SSH_AUTH_RSA)) &&
-	    options.rsa_authentication) {
-		/*
-		 * Try RSA authentication using the authentication agent. The
-		 * agent is tried first because no passphrase is needed for
-		 * it, whereas identity files may require passphrases.
-		 */
-		if (try_agent_authentication())
-			goto success;
-
-		/* Try RSA authentication for each identity. */
-		for (i = 0; i < options.num_identity_files; i++)
-			if (options.identity_keys[i] != NULL &&
-			    options.identity_keys[i]->type == KEY_RSA1 &&
-			    try_rsa_authentication(i))
-				goto success;
-	}
-	/* Try challenge response authentication if the server supports it. */
-	if ((supported_authentications & (1 << SSH_AUTH_TIS)) &&
-	    options.challenge_response_authentication && !options.batch_mode) {
-		if (try_challenge_response_authentication())
-			goto success;
-	}
-	/* Try password authentication if the server supports it. */
-	if ((supported_authentications & (1 << SSH_AUTH_PASSWORD)) &&
-	    options.password_authentication && !options.batch_mode) {
-		char prompt[80];
-
-		snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ",
-		    server_user, host);
-		if (try_password_authentication(prompt))
-			goto success;
-	}
-	/* All authentication methods have failed.  Exit with an error message. */
-	fatal("Permission denied.");
-	/* NOTREACHED */
-
- success:
-	return;	/* need statement after label */
-}
diff --git a/crypto/openssh/sshconnect2.c b/crypto/openssh/sshconnect2.c
deleted file mode 100644
index dd971a9..0000000
--- a/crypto/openssh/sshconnect2.c
+++ /dev/null
@@ -1,1497 +0,0 @@
-/* $OpenBSD: sshconnect2.c,v 1.162 2006/08/30 00:06:51 dtucker Exp $ */
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/wait.h>
-#include <sys/stat.h>
-
-#include <errno.h>
-#include <pwd.h>
-#include <signal.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "openbsd-compat/sys-queue.h"
-
-#include "xmalloc.h"
-#include "ssh.h"
-#include "ssh2.h"
-#include "buffer.h"
-#include "packet.h"
-#include "compat.h"
-#include "cipher.h"
-#include "key.h"
-#include "kex.h"
-#include "myproposal.h"
-#include "sshconnect.h"
-#include "authfile.h"
-#include "dh.h"
-#include "authfd.h"
-#include "log.h"
-#include "readconf.h"
-#include "misc.h"
-#include "match.h"
-#include "dispatch.h"
-#include "canohost.h"
-#include "msg.h"
-#include "pathnames.h"
-#include "uidswap.h"
-
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-
-/* import */
-extern char *client_version_string;
-extern char *server_version_string;
-extern Options options;
-
-/*
- * SSH2 key exchange
- */
-
-u_char *session_id2 = NULL;
-u_int session_id2_len = 0;
-
-char *xxx_host;
-struct sockaddr *xxx_hostaddr;
-
-Kex *xxx_kex = NULL;
-
-static int
-verify_host_key_callback(Key *hostkey)
-{
-	if (verify_host_key(xxx_host, xxx_hostaddr, hostkey) == -1)
-		fatal("Host key verification failed.");
-	return 0;
-}
-
-void
-ssh_kex2(char *host, struct sockaddr *hostaddr)
-{
-	Kex *kex;
-
-	xxx_host = host;
-	xxx_hostaddr = hostaddr;
-
-	if (options.ciphers == (char *)-1) {
-		logit("No valid ciphers for protocol version 2 given, using defaults.");
-		options.ciphers = NULL;
-	}
-	if (options.ciphers != NULL) {
-		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
-		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
-	}
-	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
-	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
-	myproposal[PROPOSAL_ENC_ALGS_STOC] =
-	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]);
-	if (options.compression) {
-		myproposal[PROPOSAL_COMP_ALGS_CTOS] =
-		myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib@openssh.com,zlib,none";
-	} else {
-		myproposal[PROPOSAL_COMP_ALGS_CTOS] =
-		myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com,zlib";
-	}
-	if (options.macs != NULL) {
-		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
-		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
-	}
-	if (options.hostkeyalgorithms != NULL)
-		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
-		    options.hostkeyalgorithms;
-
-	if (options.rekey_limit)
-		packet_set_rekey_limit(options.rekey_limit);
-
-	/* start key exchange */
-	kex = kex_setup(myproposal);
-	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
-	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
-	kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
-	kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
-	kex->client_version_string=client_version_string;
-	kex->server_version_string=server_version_string;
-	kex->verify_host_key=&verify_host_key_callback;
-
-	xxx_kex = kex;
-
-	dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
-
-	session_id2 = kex->session_id;
-	session_id2_len = kex->session_id_len;
-
-#ifdef DEBUG_KEXDH
-	/* send 1st encrypted/maced/compressed message */
-	packet_start(SSH2_MSG_IGNORE);
-	packet_put_cstring("markus");
-	packet_send();
-	packet_write_wait();
-#endif
-}
-
-/*
- * Authenticate user
- */
-
-typedef struct Authctxt Authctxt;
-typedef struct Authmethod Authmethod;
-typedef struct identity Identity;
-typedef struct idlist Idlist;
-
-struct identity {
-	TAILQ_ENTRY(identity) next;
-	AuthenticationConnection *ac;	/* set if agent supports key */
-	Key	*key;			/* public/private key */
-	char	*filename;		/* comment for agent-only keys */
-	int	tried;
-	int	isprivate;		/* key points to the private key */
-};
-TAILQ_HEAD(idlist, identity);
-
-struct Authctxt {
-	const char *server_user;
-	const char *local_user;
-	const char *host;
-	const char *service;
-	Authmethod *method;
-	int success;
-	char *authlist;
-	/* pubkey */
-	Idlist keys;
-	AuthenticationConnection *agent;
-	/* hostbased */
-	Sensitive *sensitive;
-	/* kbd-interactive */
-	int info_req_seen;
-	/* generic */
-	void *methoddata;
-};
-struct Authmethod {
-	char	*name;		/* string to compare against server's list */
-	int	(*userauth)(Authctxt *authctxt);
-	int	*enabled;	/* flag in option struct that enables method */
-	int	*batch_flag;	/* flag in option struct that disables method */
-};
-
-void	input_userauth_success(int, u_int32_t, void *);
-void	input_userauth_failure(int, u_int32_t, void *);
-void	input_userauth_banner(int, u_int32_t, void *);
-void	input_userauth_error(int, u_int32_t, void *);
-void	input_userauth_info_req(int, u_int32_t, void *);
-void	input_userauth_pk_ok(int, u_int32_t, void *);
-void	input_userauth_passwd_changereq(int, u_int32_t, void *);
-
-int	userauth_none(Authctxt *);
-int	userauth_pubkey(Authctxt *);
-int	userauth_passwd(Authctxt *);
-int	userauth_kbdint(Authctxt *);
-int	userauth_hostbased(Authctxt *);
-int	userauth_kerberos(Authctxt *);
-
-#ifdef GSSAPI
-int	userauth_gssapi(Authctxt *authctxt);
-void	input_gssapi_response(int type, u_int32_t, void *);
-void	input_gssapi_token(int type, u_int32_t, void *);
-void	input_gssapi_hash(int type, u_int32_t, void *);
-void	input_gssapi_error(int, u_int32_t, void *);
-void	input_gssapi_errtok(int, u_int32_t, void *);
-#endif
-
-void	userauth(Authctxt *, char *);
-
-static int sign_and_send_pubkey(Authctxt *, Identity *);
-static void pubkey_prepare(Authctxt *);
-static void pubkey_cleanup(Authctxt *);
-static Key *load_identity_file(char *);
-
-static Authmethod *authmethod_get(char *authlist);
-static Authmethod *authmethod_lookup(const char *name);
-static char *authmethods_get(void);
-
-Authmethod authmethods[] = {
-#ifdef GSSAPI
-	{"gssapi-with-mic",
-		userauth_gssapi,
-		&options.gss_authentication,
-		NULL},
-#endif
-	{"hostbased",
-		userauth_hostbased,
-		&options.hostbased_authentication,
-		NULL},
-	{"publickey",
-		userauth_pubkey,
-		&options.pubkey_authentication,
-		NULL},
-	{"keyboard-interactive",
-		userauth_kbdint,
-		&options.kbd_interactive_authentication,
-		&options.batch_mode},
-	{"password",
-		userauth_passwd,
-		&options.password_authentication,
-		&options.batch_mode},
-	{"none",
-		userauth_none,
-		NULL,
-		NULL},
-	{NULL, NULL, NULL, NULL}
-};
-
-void
-ssh_userauth2(const char *local_user, const char *server_user, char *host,
-    Sensitive *sensitive)
-{
-	Authctxt authctxt;
-	int type;
-
-	if (options.challenge_response_authentication)
-		options.kbd_interactive_authentication = 1;
-
-	packet_start(SSH2_MSG_SERVICE_REQUEST);
-	packet_put_cstring("ssh-userauth");
-	packet_send();
-	debug("SSH2_MSG_SERVICE_REQUEST sent");
-	packet_write_wait();
-	type = packet_read();
-	if (type != SSH2_MSG_SERVICE_ACCEPT)
-		fatal("Server denied authentication request: %d", type);
-	if (packet_remaining() > 0) {
-		char *reply = packet_get_string(NULL);
-		debug2("service_accept: %s", reply);
-		xfree(reply);
-	} else {
-		debug2("buggy server: service_accept w/o service");
-	}
-	packet_check_eom();
-	debug("SSH2_MSG_SERVICE_ACCEPT received");
-
-	if (options.preferred_authentications == NULL)
-		options.preferred_authentications = authmethods_get();
-
-	/* setup authentication context */
-	memset(&authctxt, 0, sizeof(authctxt));
-	pubkey_prepare(&authctxt);
-	authctxt.server_user = server_user;
-	authctxt.local_user = local_user;
-	authctxt.host = host;
-	authctxt.service = "ssh-connection";		/* service name */
-	authctxt.success = 0;
-	authctxt.method = authmethod_lookup("none");
-	authctxt.authlist = NULL;
-	authctxt.methoddata = NULL;
-	authctxt.sensitive = sensitive;
-	authctxt.info_req_seen = 0;
-	if (authctxt.method == NULL)
-		fatal("ssh_userauth2: internal error: cannot send userauth none request");
-
-	/* initial userauth request */
-	userauth_none(&authctxt);
-
-	dispatch_init(&input_userauth_error);
-	dispatch_set(SSH2_MSG_USERAUTH_SUCCESS, &input_userauth_success);
-	dispatch_set(SSH2_MSG_USERAUTH_FAILURE, &input_userauth_failure);
-	dispatch_set(SSH2_MSG_USERAUTH_BANNER, &input_userauth_banner);
-	dispatch_run(DISPATCH_BLOCK, &authctxt.success, &authctxt);	/* loop until success */
-
-	pubkey_cleanup(&authctxt);
-	dispatch_range(SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
-
-	debug("Authentication succeeded (%s).", authctxt.method->name);
-}
-
-void
-userauth(Authctxt *authctxt, char *authlist)
-{
-	if (authctxt->methoddata) {
-		xfree(authctxt->methoddata);
-		authctxt->methoddata = NULL;
-	}
-	if (authlist == NULL) {
-		authlist = authctxt->authlist;
-	} else {
-		if (authctxt->authlist)
-			xfree(authctxt->authlist);
-		authctxt->authlist = authlist;
-	}
-	for (;;) {
-		Authmethod *method = authmethod_get(authlist);
-		if (method == NULL)
-			fatal("Permission denied (%s).", authlist);
-		authctxt->method = method;
-
-		/* reset the per method handler */
-		dispatch_range(SSH2_MSG_USERAUTH_PER_METHOD_MIN,
-		    SSH2_MSG_USERAUTH_PER_METHOD_MAX, NULL);
-
-		/* and try new method */
-		if (method->userauth(authctxt) != 0) {
-			debug2("we sent a %s packet, wait for reply", method->name);
-			break;
-		} else {
-			debug2("we did not send a packet, disable method");
-			method->enabled = NULL;
-		}
-	}
-}
-
-void
-input_userauth_error(int type, u_int32_t seq, void *ctxt)
-{
-	fatal("input_userauth_error: bad message during authentication: "
-	    "type %d", type);
-}
-
-void
-input_userauth_banner(int type, u_int32_t seq, void *ctxt)
-{
-	char *msg, *lang;
-
-	debug3("input_userauth_banner");
-	msg = packet_get_string(NULL);
-	lang = packet_get_string(NULL);
-	if (options.log_level >= SYSLOG_LEVEL_INFO)
-		fprintf(stderr, "%s", msg);
-	xfree(msg);
-	xfree(lang);
-}
-
-void
-input_userauth_success(int type, u_int32_t seq, void *ctxt)
-{
-	Authctxt *authctxt = ctxt;
-	if (authctxt == NULL)
-		fatal("input_userauth_success: no authentication context");
-	if (authctxt->authlist) {
-		xfree(authctxt->authlist);
-		authctxt->authlist = NULL;
-	}
-	if (authctxt->methoddata) {
-		xfree(authctxt->methoddata);
-		authctxt->methoddata = NULL;
-	}
-	authctxt->success = 1;			/* break out */
-}
-
-void
-input_userauth_failure(int type, u_int32_t seq, void *ctxt)
-{
-	Authctxt *authctxt = ctxt;
-	char *authlist = NULL;
-	int partial;
-
-	if (authctxt == NULL)
-		fatal("input_userauth_failure: no authentication context");
-
-	authlist = packet_get_string(NULL);
-	partial = packet_get_char();
-	packet_check_eom();
-
-	if (partial != 0)
-		logit("Authenticated with partial success.");
-	debug("Authentications that can continue: %s", authlist);
-
-	userauth(authctxt, authlist);
-}
-void
-input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
-{
-	Authctxt *authctxt = ctxt;
-	Key *key = NULL;
-	Identity *id = NULL;
-	Buffer b;
-	int pktype, sent = 0;
-	u_int alen, blen;
-	char *pkalg, *fp;
-	u_char *pkblob;
-
-	if (authctxt == NULL)
-		fatal("input_userauth_pk_ok: no authentication context");
-	if (datafellows & SSH_BUG_PKOK) {
-		/* this is similar to SSH_BUG_PKAUTH */
-		debug2("input_userauth_pk_ok: SSH_BUG_PKOK");
-		pkblob = packet_get_string(&blen);
-		buffer_init(&b);
-		buffer_append(&b, pkblob, blen);
-		pkalg = buffer_get_string(&b, &alen);
-		buffer_free(&b);
-	} else {
-		pkalg = packet_get_string(&alen);
-		pkblob = packet_get_string(&blen);
-	}
-	packet_check_eom();
-
-	debug("Server accepts key: pkalg %s blen %u", pkalg, blen);
-
-	if ((pktype = key_type_from_name(pkalg)) == KEY_UNSPEC) {
-		debug("unknown pkalg %s", pkalg);
-		goto done;
-	}
-	if ((key = key_from_blob(pkblob, blen)) == NULL) {
-		debug("no key from blob. pkalg %s", pkalg);
-		goto done;
-	}
-	if (key->type != pktype) {
-		error("input_userauth_pk_ok: type mismatch "
-		    "for decoded key (received %d, expected %d)",
-		    key->type, pktype);
-		goto done;
-	}
-	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-	debug2("input_userauth_pk_ok: fp %s", fp);
-	xfree(fp);
-
-	/*
-	 * search keys in the reverse order, because last candidate has been
-	 * moved to the end of the queue.  this also avoids confusion by
-	 * duplicate keys
-	 */
-	TAILQ_FOREACH_REVERSE(id, &authctxt->keys, idlist, next) {
-		if (key_equal(key, id->key)) {
-			sent = sign_and_send_pubkey(authctxt, id);
-			break;
-		}
-	}
-done:
-	if (key != NULL)
-		key_free(key);
-	xfree(pkalg);
-	xfree(pkblob);
-
-	/* try another method if we did not send a packet */
-	if (sent == 0)
-		userauth(authctxt, NULL);
-}
-
-#ifdef GSSAPI
-int
-userauth_gssapi(Authctxt *authctxt)
-{
-	Gssctxt *gssctxt = NULL;
-	static gss_OID_set gss_supported = NULL;
-	static u_int mech = 0;
-	OM_uint32 min;
-	int ok = 0;
-
-	/* Try one GSSAPI method at a time, rather than sending them all at
-	 * once. */
-
-	if (gss_supported == NULL)
-		gss_indicate_mechs(&min, &gss_supported);
-
-	/* Check to see if the mechanism is usable before we offer it */
-	while (mech < gss_supported->count && !ok) {
-		/* My DER encoding requires length<128 */
-		if (gss_supported->elements[mech].length < 128 &&
-		    ssh_gssapi_check_mechanism(&gssctxt, 
-		    &gss_supported->elements[mech], authctxt->host)) {
-			ok = 1; /* Mechanism works */
-		} else {
-			mech++;
-		}
-	}
-
-	if (!ok)
-		return 0;
-
-	authctxt->methoddata=(void *)gssctxt;
-
-	packet_start(SSH2_MSG_USERAUTH_REQUEST);
-	packet_put_cstring(authctxt->server_user);
-	packet_put_cstring(authctxt->service);
-	packet_put_cstring(authctxt->method->name);
-
-	packet_put_int(1);
-
-	packet_put_int((gss_supported->elements[mech].length) + 2);
-	packet_put_char(SSH_GSS_OIDTYPE);
-	packet_put_char(gss_supported->elements[mech].length);
-	packet_put_raw(gss_supported->elements[mech].elements,
-	    gss_supported->elements[mech].length);
-
-	packet_send();
-
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE, &input_gssapi_response);
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token);
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERROR, &input_gssapi_error);
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok);
-
-	mech++; /* Move along to next candidate */
-
-	return 1;
-}
-
-static OM_uint32
-process_gssapi_token(void *ctxt, gss_buffer_t recv_tok)
-{
-	Authctxt *authctxt = ctxt;
-	Gssctxt *gssctxt = authctxt->methoddata;
-	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
-	gss_buffer_desc mic = GSS_C_EMPTY_BUFFER;
-	gss_buffer_desc gssbuf;
-	OM_uint32 status, ms, flags;
-	Buffer b;
-
-	status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
-	    recv_tok, &send_tok, &flags);
-
-	if (send_tok.length > 0) {
-		if (GSS_ERROR(status))
-			packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK);
-		else
-			packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
-
-		packet_put_string(send_tok.value, send_tok.length);
-		packet_send();
-		gss_release_buffer(&ms, &send_tok);
-	}
-
-	if (status == GSS_S_COMPLETE) {
-		/* send either complete or MIC, depending on mechanism */
-		if (!(flags & GSS_C_INTEG_FLAG)) {
-			packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
-			packet_send();
-		} else {
-			ssh_gssapi_buildmic(&b, authctxt->server_user,
-			    authctxt->service, "gssapi-with-mic");
-
-			gssbuf.value = buffer_ptr(&b);
-			gssbuf.length = buffer_len(&b);
-
-			status = ssh_gssapi_sign(gssctxt, &gssbuf, &mic);
-
-			if (!GSS_ERROR(status)) {
-				packet_start(SSH2_MSG_USERAUTH_GSSAPI_MIC);
-				packet_put_string(mic.value, mic.length);
-
-				packet_send();
-			}
-
-			buffer_free(&b);
-			gss_release_buffer(&ms, &mic);
-		}
-	}
-
-	return status;
-}
-
-void
-input_gssapi_response(int type, u_int32_t plen, void *ctxt)
-{
-	Authctxt *authctxt = ctxt;
-	Gssctxt *gssctxt;
-	int oidlen;
-	char *oidv;
-
-	if (authctxt == NULL)
-		fatal("input_gssapi_response: no authentication context");
-	gssctxt = authctxt->methoddata;
-
-	/* Setup our OID */
-	oidv = packet_get_string(&oidlen);
-
-	if (oidlen <= 2 ||
-	    oidv[0] != SSH_GSS_OIDTYPE ||
-	    oidv[1] != oidlen - 2) {
-		xfree(oidv);
-		debug("Badly encoded mechanism OID received");
-		userauth(authctxt, NULL);
-		return;
-	}
-
-	if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
-		fatal("Server returned different OID than expected");
-
-	packet_check_eom();
-
-	xfree(oidv);
-
-	if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
-		/* Start again with next method on list */
-		debug("Trying to start again");
-		userauth(authctxt, NULL);
-		return;
-	}
-}
-
-void
-input_gssapi_token(int type, u_int32_t plen, void *ctxt)
-{
-	Authctxt *authctxt = ctxt;
-	gss_buffer_desc recv_tok;
-	OM_uint32 status;
-	u_int slen;
-
-	if (authctxt == NULL)
-		fatal("input_gssapi_response: no authentication context");
-
-	recv_tok.value = packet_get_string(&slen);
-	recv_tok.length = slen;	/* safe typecast */
-
-	packet_check_eom();
-
-	status = process_gssapi_token(ctxt, &recv_tok);
-
-	xfree(recv_tok.value);
-
-	if (GSS_ERROR(status)) {
-		/* Start again with the next method in the list */
-		userauth(authctxt, NULL);
-		return;
-	}
-}
-
-void
-input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
-{
-	Authctxt *authctxt = ctxt;
-	Gssctxt *gssctxt;
-	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
-	gss_buffer_desc recv_tok;
-	OM_uint32 status, ms;
-	u_int len;
-
-	if (authctxt == NULL)
-		fatal("input_gssapi_response: no authentication context");
-	gssctxt = authctxt->methoddata;
-
-	recv_tok.value = packet_get_string(&len);
-	recv_tok.length = len;
-
-	packet_check_eom();
-
-	/* Stick it into GSSAPI and see what it says */
-	status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
-	    &recv_tok, &send_tok, NULL);
-
-	xfree(recv_tok.value);
-	gss_release_buffer(&ms, &send_tok);
-
-	/* Server will be returning a failed packet after this one */
-}
-
-void
-input_gssapi_error(int type, u_int32_t plen, void *ctxt)
-{
-	OM_uint32 maj, min;
-	char *msg;
-	char *lang;
-
-	maj=packet_get_int();
-	min=packet_get_int();
-	msg=packet_get_string(NULL);
-	lang=packet_get_string(NULL);
-
-	packet_check_eom();
-
-	debug("Server GSSAPI Error:\n%s", msg);
-	xfree(msg);
-	xfree(lang);
-}
-#endif /* GSSAPI */
-
-int
-userauth_none(Authctxt *authctxt)
-{
-	/* initial userauth request */
-	packet_start(SSH2_MSG_USERAUTH_REQUEST);
-	packet_put_cstring(authctxt->server_user);
-	packet_put_cstring(authctxt->service);
-	packet_put_cstring(authctxt->method->name);
-	packet_send();
-	return 1;
-}
-
-int
-userauth_passwd(Authctxt *authctxt)
-{
-	static int attempt = 0;
-	char prompt[150];
-	char *password;
-
-	if (attempt++ >= options.number_of_password_prompts)
-		return 0;
-
-	if (attempt != 1)
-		error("Permission denied, please try again.");
-
-	snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ",
-	    authctxt->server_user, authctxt->host);
-	password = read_passphrase(prompt, 0);
-	packet_start(SSH2_MSG_USERAUTH_REQUEST);
-	packet_put_cstring(authctxt->server_user);
-	packet_put_cstring(authctxt->service);
-	packet_put_cstring(authctxt->method->name);
-	packet_put_char(0);
-	packet_put_cstring(password);
-	memset(password, 0, strlen(password));
-	xfree(password);
-	packet_add_padding(64);
-	packet_send();
-
-	dispatch_set(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ,
-	    &input_userauth_passwd_changereq);
-
-	return 1;
-}
-/*
- * parse PASSWD_CHANGEREQ, prompt user and send SSH2_MSG_USERAUTH_REQUEST
- */
-void
-input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
-{
-	Authctxt *authctxt = ctxt;
-	char *info, *lang, *password = NULL, *retype = NULL;
-	char prompt[150];
-
-	debug2("input_userauth_passwd_changereq");
-
-	if (authctxt == NULL)
-		fatal("input_userauth_passwd_changereq: "
-		    "no authentication context");
-
-	info = packet_get_string(NULL);
-	lang = packet_get_string(NULL);
-	if (strlen(info) > 0)
-		logit("%s", info);
-	xfree(info);
-	xfree(lang);
-	packet_start(SSH2_MSG_USERAUTH_REQUEST);
-	packet_put_cstring(authctxt->server_user);
-	packet_put_cstring(authctxt->service);
-	packet_put_cstring(authctxt->method->name);
-	packet_put_char(1);			/* additional info */
-	snprintf(prompt, sizeof(prompt),
-	    "Enter %.30s@%.128s's old password: ",
-	    authctxt->server_user, authctxt->host);
-	password = read_passphrase(prompt, 0);
-	packet_put_cstring(password);
-	memset(password, 0, strlen(password));
-	xfree(password);
-	password = NULL;
-	while (password == NULL) {
-		snprintf(prompt, sizeof(prompt),
-		    "Enter %.30s@%.128s's new password: ",
-		    authctxt->server_user, authctxt->host);
-		password = read_passphrase(prompt, RP_ALLOW_EOF);
-		if (password == NULL) {
-			/* bail out */
-			return;
-		}
-		snprintf(prompt, sizeof(prompt),
-		    "Retype %.30s@%.128s's new password: ",
-		    authctxt->server_user, authctxt->host);
-		retype = read_passphrase(prompt, 0);
-		if (strcmp(password, retype) != 0) {
-			memset(password, 0, strlen(password));
-			xfree(password);
-			logit("Mismatch; try again, EOF to quit.");
-			password = NULL;
-		}
-		memset(retype, 0, strlen(retype));
-		xfree(retype);
-	}
-	packet_put_cstring(password);
-	memset(password, 0, strlen(password));
-	xfree(password);
-	packet_add_padding(64);
-	packet_send();
-
-	dispatch_set(SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ,
-	    &input_userauth_passwd_changereq);
-}
-
-static int
-identity_sign(Identity *id, u_char **sigp, u_int *lenp,
-    u_char *data, u_int datalen)
-{
-	Key *prv;
-	int ret;
-
-	/* the agent supports this key */
-	if (id->ac)
-		return (ssh_agent_sign(id->ac, id->key, sigp, lenp,
-		    data, datalen));
-	/*
-	 * we have already loaded the private key or
-	 * the private key is stored in external hardware
-	 */
-	if (id->isprivate || (id->key->flags & KEY_FLAG_EXT))
-		return (key_sign(id->key, sigp, lenp, data, datalen));
-	/* load the private key from the file */
-	if ((prv = load_identity_file(id->filename)) == NULL)
-		return (-1);
-	ret = key_sign(prv, sigp, lenp, data, datalen);
-	key_free(prv);
-	return (ret);
-}
-
-static int
-sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
-{
-	Buffer b;
-	u_char *blob, *signature;
-	u_int bloblen, slen;
-	u_int skip = 0;
-	int ret = -1;
-	int have_sig = 1;
-
-	debug3("sign_and_send_pubkey");
-
-	if (key_to_blob(id->key, &blob, &bloblen) == 0) {
-		/* we cannot handle this key */
-		debug3("sign_and_send_pubkey: cannot handle key");
-		return 0;
-	}
-	/* data to be signed */
-	buffer_init(&b);
-	if (datafellows & SSH_OLD_SESSIONID) {
-		buffer_append(&b, session_id2, session_id2_len);
-		skip = session_id2_len;
-	} else {
-		buffer_put_string(&b, session_id2, session_id2_len);
-		skip = buffer_len(&b);
-	}
-	buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
-	buffer_put_cstring(&b, authctxt->server_user);
-	buffer_put_cstring(&b,
-	    datafellows & SSH_BUG_PKSERVICE ?
-	    "ssh-userauth" :
-	    authctxt->service);
-	if (datafellows & SSH_BUG_PKAUTH) {
-		buffer_put_char(&b, have_sig);
-	} else {
-		buffer_put_cstring(&b, authctxt->method->name);
-		buffer_put_char(&b, have_sig);
-		buffer_put_cstring(&b, key_ssh_name(id->key));
-	}
-	buffer_put_string(&b, blob, bloblen);
-
-	/* generate signature */
-	ret = identity_sign(id, &signature, &slen,
-	    buffer_ptr(&b), buffer_len(&b));
-	if (ret == -1) {
-		xfree(blob);
-		buffer_free(&b);
-		return 0;
-	}
-#ifdef DEBUG_PK
-	buffer_dump(&b);
-#endif
-	if (datafellows & SSH_BUG_PKSERVICE) {
-		buffer_clear(&b);
-		buffer_append(&b, session_id2, session_id2_len);
-		skip = session_id2_len;
-		buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
-		buffer_put_cstring(&b, authctxt->server_user);
-		buffer_put_cstring(&b, authctxt->service);
-		buffer_put_cstring(&b, authctxt->method->name);
-		buffer_put_char(&b, have_sig);
-		if (!(datafellows & SSH_BUG_PKAUTH))
-			buffer_put_cstring(&b, key_ssh_name(id->key));
-		buffer_put_string(&b, blob, bloblen);
-	}
-	xfree(blob);
-
-	/* append signature */
-	buffer_put_string(&b, signature, slen);
-	xfree(signature);
-
-	/* skip session id and packet type */
-	if (buffer_len(&b) < skip + 1)
-		fatal("userauth_pubkey: internal error");
-	buffer_consume(&b, skip + 1);
-
-	/* put remaining data from buffer into packet */
-	packet_start(SSH2_MSG_USERAUTH_REQUEST);
-	packet_put_raw(buffer_ptr(&b), buffer_len(&b));
-	buffer_free(&b);
-	packet_send();
-
-	return 1;
-}
-
-static int
-send_pubkey_test(Authctxt *authctxt, Identity *id)
-{
-	u_char *blob;
-	u_int bloblen, have_sig = 0;
-
-	debug3("send_pubkey_test");
-
-	if (key_to_blob(id->key, &blob, &bloblen) == 0) {
-		/* we cannot handle this key */
-		debug3("send_pubkey_test: cannot handle key");
-		return 0;
-	}
-	/* register callback for USERAUTH_PK_OK message */
-	dispatch_set(SSH2_MSG_USERAUTH_PK_OK, &input_userauth_pk_ok);
-
-	packet_start(SSH2_MSG_USERAUTH_REQUEST);
-	packet_put_cstring(authctxt->server_user);
-	packet_put_cstring(authctxt->service);
-	packet_put_cstring(authctxt->method->name);
-	packet_put_char(have_sig);
-	if (!(datafellows & SSH_BUG_PKAUTH))
-		packet_put_cstring(key_ssh_name(id->key));
-	packet_put_string(blob, bloblen);
-	xfree(blob);
-	packet_send();
-	return 1;
-}
-
-static Key *
-load_identity_file(char *filename)
-{
-	Key *private;
-	char prompt[300], *passphrase;
-	int perm_ok, quit, i;
-	struct stat st;
-
-	if (stat(filename, &st) < 0) {
-		debug3("no such identity: %s", filename);
-		return NULL;
-	}
-	private = key_load_private_type(KEY_UNSPEC, filename, "", NULL, &perm_ok);
-	if (!perm_ok)
-		return NULL;
-	if (private == NULL) {
-		if (options.batch_mode)
-			return NULL;
-		snprintf(prompt, sizeof prompt,
-		    "Enter passphrase for key '%.100s': ", filename);
-		for (i = 0; i < options.number_of_password_prompts; i++) {
-			passphrase = read_passphrase(prompt, 0);
-			if (strcmp(passphrase, "") != 0) {
-				private = key_load_private_type(KEY_UNSPEC,
-				    filename, passphrase, NULL, NULL);
-				quit = 0;
-			} else {
-				debug2("no passphrase given, try next key");
-				quit = 1;
-			}
-			memset(passphrase, 0, strlen(passphrase));
-			xfree(passphrase);
-			if (private != NULL || quit)
-				break;
-			debug2("bad passphrase given, try again...");
-		}
-	}
-	return private;
-}
-
-/*
- * try keys in the following order:
- *	1. agent keys that are found in the config file
- *	2. other agent keys
- *	3. keys that are only listed in the config file
- */
-static void
-pubkey_prepare(Authctxt *authctxt)
-{
-	Identity *id;
-	Idlist agent, files, *preferred;
-	Key *key;
-	AuthenticationConnection *ac;
-	char *comment;
-	int i, found;
-
-	TAILQ_INIT(&agent);	/* keys from the agent */
-	TAILQ_INIT(&files);	/* keys from the config file */
-	preferred = &authctxt->keys;
-	TAILQ_INIT(preferred);	/* preferred order of keys */
-
-	/* list of keys stored in the filesystem */
-	for (i = 0; i < options.num_identity_files; i++) {
-		key = options.identity_keys[i];
-		if (key && key->type == KEY_RSA1)
-			continue;
-		options.identity_keys[i] = NULL;
-		id = xcalloc(1, sizeof(*id));
-		id->key = key;
-		id->filename = xstrdup(options.identity_files[i]);
-		TAILQ_INSERT_TAIL(&files, id, next);
-	}
-	/* list of keys supported by the agent */
-	if ((ac = ssh_get_authentication_connection())) {
-		for (key = ssh_get_first_identity(ac, &comment, 2);
-		    key != NULL;
-		    key = ssh_get_next_identity(ac, &comment, 2)) {
-			found = 0;
-			TAILQ_FOREACH(id, &files, next) {
-				/* agent keys from the config file are preferred */
-				if (key_equal(key, id->key)) {
-					key_free(key);
-					xfree(comment);
-					TAILQ_REMOVE(&files, id, next);
-					TAILQ_INSERT_TAIL(preferred, id, next);
-					id->ac = ac;
-					found = 1;
-					break;
-				}
-			}
-			if (!found && !options.identities_only) {
-				id = xcalloc(1, sizeof(*id));
-				id->key = key;
-				id->filename = comment;
-				id->ac = ac;
-				TAILQ_INSERT_TAIL(&agent, id, next);
-			}
-		}
-		/* append remaining agent keys */
-		for (id = TAILQ_FIRST(&agent); id; id = TAILQ_FIRST(&agent)) {
-			TAILQ_REMOVE(&agent, id, next);
-			TAILQ_INSERT_TAIL(preferred, id, next);
-		}
-		authctxt->agent = ac;
-	}
-	/* append remaining keys from the config file */
-	for (id = TAILQ_FIRST(&files); id; id = TAILQ_FIRST(&files)) {
-		TAILQ_REMOVE(&files, id, next);
-		TAILQ_INSERT_TAIL(preferred, id, next);
-	}
-	TAILQ_FOREACH(id, preferred, next) {
-		debug2("key: %s (%p)", id->filename, id->key);
-	}
-}
-
-static void
-pubkey_cleanup(Authctxt *authctxt)
-{
-	Identity *id;
-
-	if (authctxt->agent != NULL)
-		ssh_close_authentication_connection(authctxt->agent);
-	for (id = TAILQ_FIRST(&authctxt->keys); id;
-	    id = TAILQ_FIRST(&authctxt->keys)) {
-		TAILQ_REMOVE(&authctxt->keys, id, next);
-		if (id->key)
-			key_free(id->key);
-		if (id->filename)
-			xfree(id->filename);
-		xfree(id);
-	}
-}
-
-int
-userauth_pubkey(Authctxt *authctxt)
-{
-	Identity *id;
-	int sent = 0;
-
-	while ((id = TAILQ_FIRST(&authctxt->keys))) {
-		if (id->tried++)
-			return (0);
-		/* move key to the end of the queue */
-		TAILQ_REMOVE(&authctxt->keys, id, next);
-		TAILQ_INSERT_TAIL(&authctxt->keys, id, next);
-		/*
-		 * send a test message if we have the public key. for
-		 * encrypted keys we cannot do this and have to load the
-		 * private key instead
-		 */
-		if (id->key && id->key->type != KEY_RSA1) {
-			debug("Offering public key: %s", id->filename);
-			sent = send_pubkey_test(authctxt, id);
-		} else if (id->key == NULL) {
-			debug("Trying private key: %s", id->filename);
-			id->key = load_identity_file(id->filename);
-			if (id->key != NULL) {
-				id->isprivate = 1;
-				sent = sign_and_send_pubkey(authctxt, id);
-				key_free(id->key);
-				id->key = NULL;
-			}
-		}
-		if (sent)
-			return (sent);
-	}
-	return (0);
-}
-
-/*
- * Send userauth request message specifying keyboard-interactive method.
- */
-int
-userauth_kbdint(Authctxt *authctxt)
-{
-	static int attempt = 0;
-
-	if (attempt++ >= options.number_of_password_prompts)
-		return 0;
-	/* disable if no SSH2_MSG_USERAUTH_INFO_REQUEST has been seen */
-	if (attempt > 1 && !authctxt->info_req_seen) {
-		debug3("userauth_kbdint: disable: no info_req_seen");
-		dispatch_set(SSH2_MSG_USERAUTH_INFO_REQUEST, NULL);
-		return 0;
-	}
-
-	debug2("userauth_kbdint");
-	packet_start(SSH2_MSG_USERAUTH_REQUEST);
-	packet_put_cstring(authctxt->server_user);
-	packet_put_cstring(authctxt->service);
-	packet_put_cstring(authctxt->method->name);
-	packet_put_cstring("");					/* lang */
-	packet_put_cstring(options.kbd_interactive_devices ?
-	    options.kbd_interactive_devices : "");
-	packet_send();
-
-	dispatch_set(SSH2_MSG_USERAUTH_INFO_REQUEST, &input_userauth_info_req);
-	return 1;
-}
-
-/*
- * parse INFO_REQUEST, prompt user and send INFO_RESPONSE
- */
-void
-input_userauth_info_req(int type, u_int32_t seq, void *ctxt)
-{
-	Authctxt *authctxt = ctxt;
-	char *name, *inst, *lang, *prompt, *response;
-	u_int num_prompts, i;
-	int echo = 0;
-
-	debug2("input_userauth_info_req");
-
-	if (authctxt == NULL)
-		fatal("input_userauth_info_req: no authentication context");
-
-	authctxt->info_req_seen = 1;
-
-	name = packet_get_string(NULL);
-	inst = packet_get_string(NULL);
-	lang = packet_get_string(NULL);
-	if (strlen(name) > 0)
-		logit("%s", name);
-	if (strlen(inst) > 0)
-		logit("%s", inst);
-	xfree(name);
-	xfree(inst);
-	xfree(lang);
-
-	num_prompts = packet_get_int();
-	/*
-	 * Begin to build info response packet based on prompts requested.
-	 * We commit to providing the correct number of responses, so if
-	 * further on we run into a problem that prevents this, we have to
-	 * be sure and clean this up and send a correct error response.
-	 */
-	packet_start(SSH2_MSG_USERAUTH_INFO_RESPONSE);
-	packet_put_int(num_prompts);
-
-	debug2("input_userauth_info_req: num_prompts %d", num_prompts);
-	for (i = 0; i < num_prompts; i++) {
-		prompt = packet_get_string(NULL);
-		echo = packet_get_char();
-
-		response = read_passphrase(prompt, echo ? RP_ECHO : 0);
-
-		packet_put_cstring(response);
-		memset(response, 0, strlen(response));
-		xfree(response);
-		xfree(prompt);
-	}
-	packet_check_eom(); /* done with parsing incoming message. */
-
-	packet_add_padding(64);
-	packet_send();
-}
-
-static int
-ssh_keysign(Key *key, u_char **sigp, u_int *lenp,
-    u_char *data, u_int datalen)
-{
-	Buffer b;
-	struct stat st;
-	pid_t pid;
-	int to[2], from[2], status, version = 2;
-
-	debug2("ssh_keysign called");
-
-	if (stat(_PATH_SSH_KEY_SIGN, &st) < 0) {
-		error("ssh_keysign: no installed: %s", strerror(errno));
-		return -1;
-	}
-	if (fflush(stdout) != 0)
-		error("ssh_keysign: fflush: %s", strerror(errno));
-	if (pipe(to) < 0) {
-		error("ssh_keysign: pipe: %s", strerror(errno));
-		return -1;
-	}
-	if (pipe(from) < 0) {
-		error("ssh_keysign: pipe: %s", strerror(errno));
-		return -1;
-	}
-	if ((pid = fork()) < 0) {
-		error("ssh_keysign: fork: %s", strerror(errno));
-		return -1;
-	}
-	if (pid == 0) {
-		permanently_drop_suid(getuid());
-		close(from[0]);
-		if (dup2(from[1], STDOUT_FILENO) < 0)
-			fatal("ssh_keysign: dup2: %s", strerror(errno));
-		close(to[1]);
-		if (dup2(to[0], STDIN_FILENO) < 0)
-			fatal("ssh_keysign: dup2: %s", strerror(errno));
-		close(from[1]);
-		close(to[0]);
-		execl(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *) 0);
-		fatal("ssh_keysign: exec(%s): %s", _PATH_SSH_KEY_SIGN,
-		    strerror(errno));
-	}
-	close(from[1]);
-	close(to[0]);
-
-	buffer_init(&b);
-	buffer_put_int(&b, packet_get_connection_in()); /* send # of socket */
-	buffer_put_string(&b, data, datalen);
-	if (ssh_msg_send(to[1], version, &b) == -1)
-		fatal("ssh_keysign: couldn't send request");
-
-	if (ssh_msg_recv(from[0], &b) < 0) {
-		error("ssh_keysign: no reply");
-		buffer_free(&b);
-		return -1;
-	}
-	close(from[0]);
-	close(to[1]);
-
-	while (waitpid(pid, &status, 0) < 0)
-		if (errno != EINTR)
-			break;
-
-	if (buffer_get_char(&b) != version) {
-		error("ssh_keysign: bad version");
-		buffer_free(&b);
-		return -1;
-	}
-	*sigp = buffer_get_string(&b, lenp);
-	buffer_free(&b);
-
-	return 0;
-}
-
-int
-userauth_hostbased(Authctxt *authctxt)
-{
-	Key *private = NULL;
-	Sensitive *sensitive = authctxt->sensitive;
-	Buffer b;
-	u_char *signature, *blob;
-	char *chost, *pkalg, *p;
-	const char *service;
-	u_int blen, slen;
-	int ok, i, len, found = 0;
-
-	/* check for a useful key */
-	for (i = 0; i < sensitive->nkeys; i++) {
-		private = sensitive->keys[i];
-		if (private && private->type != KEY_RSA1) {
-			found = 1;
-			/* we take and free the key */
-			sensitive->keys[i] = NULL;
-			break;
-		}
-	}
-	if (!found) {
-		debug("No more client hostkeys for hostbased authentication.");
-		return 0;
-	}
-	if (key_to_blob(private, &blob, &blen) == 0) {
-		key_free(private);
-		return 0;
-	}
-	/* figure out a name for the client host */
-	p = get_local_name(packet_get_connection_in());
-	if (p == NULL) {
-		error("userauth_hostbased: cannot get local ipaddr/name");
-		key_free(private);
-		xfree(blob);
-		return 0;
-	}
-	len = strlen(p) + 2;
-	xasprintf(&chost, "%s.", p);
-	debug2("userauth_hostbased: chost %s", chost);
-	xfree(p);
-
-	service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
-	    authctxt->service;
-	pkalg = xstrdup(key_ssh_name(private));
-	buffer_init(&b);
-	/* construct data */
-	buffer_put_string(&b, session_id2, session_id2_len);
-	buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
-	buffer_put_cstring(&b, authctxt->server_user);
-	buffer_put_cstring(&b, service);
-	buffer_put_cstring(&b, authctxt->method->name);
-	buffer_put_cstring(&b, pkalg);
-	buffer_put_string(&b, blob, blen);
-	buffer_put_cstring(&b, chost);
-	buffer_put_cstring(&b, authctxt->local_user);
-#ifdef DEBUG_PK
-	buffer_dump(&b);
-#endif
-	if (sensitive->external_keysign)
-		ok = ssh_keysign(private, &signature, &slen,
-		    buffer_ptr(&b), buffer_len(&b));
-	else
-		ok = key_sign(private, &signature, &slen,
-		    buffer_ptr(&b), buffer_len(&b));
-	key_free(private);
-	buffer_free(&b);
-	if (ok != 0) {
-		error("key_sign failed");
-		xfree(chost);
-		xfree(pkalg);
-		xfree(blob);
-		return 0;
-	}
-	packet_start(SSH2_MSG_USERAUTH_REQUEST);
-	packet_put_cstring(authctxt->server_user);
-	packet_put_cstring(authctxt->service);
-	packet_put_cstring(authctxt->method->name);
-	packet_put_cstring(pkalg);
-	packet_put_string(blob, blen);
-	packet_put_cstring(chost);
-	packet_put_cstring(authctxt->local_user);
-	packet_put_string(signature, slen);
-	memset(signature, 's', slen);
-	xfree(signature);
-	xfree(chost);
-	xfree(pkalg);
-	xfree(blob);
-
-	packet_send();
-	return 1;
-}
-
-/* find auth method */
-
-/*
- * given auth method name, if configurable options permit this method fill
- * in auth_ident field and return true, otherwise return false.
- */
-static int
-authmethod_is_enabled(Authmethod *method)
-{
-	if (method == NULL)
-		return 0;
-	/* return false if options indicate this method is disabled */
-	if  (method->enabled == NULL || *method->enabled == 0)
-		return 0;
-	/* return false if batch mode is enabled but method needs interactive mode */
-	if  (method->batch_flag != NULL && *method->batch_flag != 0)
-		return 0;
-	return 1;
-}
-
-static Authmethod *
-authmethod_lookup(const char *name)
-{
-	Authmethod *method = NULL;
-	if (name != NULL)
-		for (method = authmethods; method->name != NULL; method++)
-			if (strcmp(name, method->name) == 0)
-				return method;
-	debug2("Unrecognized authentication method name: %s", name ? name : "NULL");
-	return NULL;
-}
-
-/* XXX internal state */
-static Authmethod *current = NULL;
-static char *supported = NULL;
-static char *preferred = NULL;
-
-/*
- * Given the authentication method list sent by the server, return the
- * next method we should try.  If the server initially sends a nil list,
- * use a built-in default list.
- */
-static Authmethod *
-authmethod_get(char *authlist)
-{
-	char *name = NULL;
-	u_int next;
-
-	/* Use a suitable default if we're passed a nil list.  */
-	if (authlist == NULL || strlen(authlist) == 0)
-		authlist = options.preferred_authentications;
-
-	if (supported == NULL || strcmp(authlist, supported) != 0) {
-		debug3("start over, passed a different list %s", authlist);
-		if (supported != NULL)
-			xfree(supported);
-		supported = xstrdup(authlist);
-		preferred = options.preferred_authentications;
-		debug3("preferred %s", preferred);
-		current = NULL;
-	} else if (current != NULL && authmethod_is_enabled(current))
-		return current;
-
-	for (;;) {
-		if ((name = match_list(preferred, supported, &next)) == NULL) {
-			debug("No more authentication methods to try.");
-			current = NULL;
-			return NULL;
-		}
-		preferred += next;
-		debug3("authmethod_lookup %s", name);
-		debug3("remaining preferred: %s", preferred);
-		if ((current = authmethod_lookup(name)) != NULL &&
-		    authmethod_is_enabled(current)) {
-			debug3("authmethod_is_enabled %s", name);
-			debug("Next authentication method: %s", name);
-			return current;
-		}
-	}
-}
-
-static char *
-authmethods_get(void)
-{
-	Authmethod *method = NULL;
-	Buffer b;
-	char *list;
-
-	buffer_init(&b);
-	for (method = authmethods; method->name != NULL; method++) {
-		if (authmethod_is_enabled(method)) {
-			if (buffer_len(&b) > 0)
-				buffer_append(&b, ",", 1);
-			buffer_append(&b, method->name, strlen(method->name));
-		}
-	}
-	buffer_append(&b, "\0", 1);
-	list = xstrdup(buffer_ptr(&b));
-	buffer_free(&b);
-	return list;
-}
diff --git a/crypto/openssh/sshd.8 b/crypto/openssh/sshd.8
deleted file mode 100644
index 522279e..0000000
--- a/crypto/openssh/sshd.8
+++ /dev/null
@@ -1,857 +0,0 @@
-.\"  -*- nroff -*-
-.\"
-.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
-.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
-.\"                    All rights reserved
-.\"
-.\" As far as I am concerned, the code I have written for this software
-.\" can be used freely for any purpose.  Any derived versions of this
-.\" software must be clearly marked as such, and if the derived work is
-.\" incompatible with the protocol description in the RFC file, it must be
-.\" called by a name other than "ssh" or "Secure Shell".
-.\"
-.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
-.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
-.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in the
-.\"    documentation and/or other materials provided with the distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" $OpenBSD: sshd.8,v 1.234 2006/08/21 08:15:57 dtucker Exp $
-.Dd September 25, 1999
-.Dt SSHD 8
-.Os
-.Sh NAME
-.Nm sshd
-.Nd OpenSSH SSH daemon
-.Sh SYNOPSIS
-.Nm sshd
-.Bk -words
-.Op Fl 46Ddeiqt
-.Op Fl b Ar bits
-.Op Fl f Ar config_file
-.Op Fl g Ar login_grace_time
-.Op Fl h Ar host_key_file
-.Op Fl k Ar key_gen_time
-.Op Fl o Ar option
-.Op Fl p Ar port
-.Op Fl u Ar len
-.Ek
-.Sh DESCRIPTION
-.Nm
-(OpenSSH Daemon) is the daemon program for
-.Xr ssh 1 .
-Together these programs replace rlogin and rsh, and
-provide secure encrypted communications between two untrusted hosts
-over an insecure network.
-.Pp
-.Nm
-listens for connections from clients.
-It is normally started at boot from
-.Pa /etc/rc .
-It forks a new
-daemon for each incoming connection.
-The forked daemons handle
-key exchange, encryption, authentication, command execution,
-and data exchange.
-.Pp
-.Nm
-can be configured using command-line options or a configuration file
-(by default
-.Xr sshd_config 5 ) ;
-command-line options override values specified in the
-configuration file.
-.Nm
-rereads its configuration file when it receives a hangup signal,
-.Dv SIGHUP ,
-by executing itself with the name and options it was started with, e.g.\&
-.Pa /usr/sbin/sshd .
-.Pp
-The options are as follows:
-.Bl -tag -width Ds
-.It Fl 4
-Forces
-.Nm
-to use IPv4 addresses only.
-.It Fl 6
-Forces
-.Nm
-to use IPv6 addresses only.
-.It Fl b Ar bits
-Specifies the number of bits in the ephemeral protocol version 1
-server key (default 768).
-.It Fl D
-When this option is specified,
-.Nm
-will not detach and does not become a daemon.
-This allows easy monitoring of
-.Nm sshd .
-.It Fl d
-Debug mode.
-The server sends verbose debug output to the system
-log, and does not put itself in the background.
-The server also will not fork and will only process one connection.
-This option is only intended for debugging for the server.
-Multiple
-.Fl d
-options increase the debugging level.
-Maximum is 3.
-.It Fl e
-When this option is specified,
-.Nm
-will send the output to the standard error instead of the system log.
-.It Fl f Ar configuration_file
-Specifies the name of the configuration file.
-The default is
-.Pa /etc/ssh/sshd_config .
-.Nm
-refuses to start if there is no configuration file.
-.It Fl g Ar login_grace_time
-Gives the grace time for clients to authenticate themselves (default
-120 seconds).
-If the client fails to authenticate the user within
-this many seconds, the server disconnects and exits.
-A value of zero indicates no limit.
-.It Fl h Ar host_key_file
-Specifies a file from which a host key is read.
-This option must be given if
-.Nm
-is not run as root (as the normal
-host key files are normally not readable by anyone but root).
-The default is
-.Pa /etc/ssh/ssh_host_key
-for protocol version 1, and
-.Pa /etc/ssh/ssh_host_rsa_key
-and
-.Pa /etc/ssh/ssh_host_dsa_key
-for protocol version 2.
-It is possible to have multiple host key files for
-the different protocol versions and host key algorithms.
-.It Fl i
-Specifies that
-.Nm
-is being run from
-.Xr inetd 8 .
-.Nm
-is normally not run
-from inetd because it needs to generate the server key before it can
-respond to the client, and this may take tens of seconds.
-Clients would have to wait too long if the key was regenerated every time.
-However, with small key sizes (e.g. 512) using
-.Nm
-from inetd may
-be feasible.
-.It Fl k Ar key_gen_time
-Specifies how often the ephemeral protocol version 1 server key is
-regenerated (default 3600 seconds, or one hour).
-The motivation for regenerating the key fairly
-often is that the key is not stored anywhere, and after about an hour
-it becomes impossible to recover the key for decrypting intercepted
-communications even if the machine is cracked into or physically
-seized.
-A value of zero indicates that the key will never be regenerated.
-.It Fl o Ar option
-Can be used to give options in the format used in the configuration file.
-This is useful for specifying options for which there is no separate
-command-line flag.
-For full details of the options, and their values, see
-.Xr sshd_config 5 .
-.It Fl p Ar port
-Specifies the port on which the server listens for connections
-(default 22).
-Multiple port options are permitted.
-Ports specified in the configuration file with the
-.Cm Port
-option are ignored when a command-line port is specified.
-Ports specified using the
-.Cm ListenAddress
-option override command-line ports.
-.It Fl q
-Quiet mode.
-Nothing is sent to the system log.
-Normally the beginning,
-authentication, and termination of each connection is logged.
-.It Fl t
-Test mode.
-Only check the validity of the configuration file and sanity of the keys.
-This is useful for updating
-.Nm
-reliably as configuration options may change.
-.It Fl u Ar len
-This option is used to specify the size of the field
-in the
-.Li utmp
-structure that holds the remote host name.
-If the resolved host name is longer than
-.Ar len ,
-the dotted decimal value will be used instead.
-This allows hosts with very long host names that
-overflow this field to still be uniquely identified.
-Specifying
-.Fl u0
-indicates that only dotted decimal addresses
-should be put into the
-.Pa utmp
-file.
-.Fl u0
-may also be used to prevent
-.Nm
-from making DNS requests unless the authentication
-mechanism or configuration requires it.
-Authentication mechanisms that may require DNS include
-.Cm RhostsRSAAuthentication ,
-.Cm HostbasedAuthentication ,
-and using a
-.Cm from="pattern-list"
-option in a key file.
-Configuration options that require DNS include using a
-USER@HOST pattern in
-.Cm AllowUsers
-or
-.Cm DenyUsers .
-.El
-.Sh AUTHENTICATION
-The OpenSSH SSH daemon supports SSH protocols 1 and 2.
-Both protocols are supported by default,
-though this can be changed via the
-.Cm Protocol
-option in
-.Xr sshd_config 5 .
-Protocol 2 supports both RSA and DSA keys;
-protocol 1 only supports RSA keys.
-For both protocols,
-each host has a host-specific key,
-normally 2048 bits,
-used to identify the host.
-.Pp
-Forward security for protocol 1 is provided through
-an additional server key,
-normally 768 bits,
-generated when the server starts.
-This key is normally regenerated every hour if it has been used, and
-is never stored on disk.
-Whenever a client connects, the daemon responds with its public
-host and server keys.
-The client compares the
-RSA host key against its own database to verify that it has not changed.
-The client then generates a 256-bit random number.
-It encrypts this
-random number using both the host key and the server key, and sends
-the encrypted number to the server.
-Both sides then use this
-random number as a session key which is used to encrypt all further
-communications in the session.
-The rest of the session is encrypted
-using a conventional cipher, currently Blowfish or 3DES, with 3DES
-being used by default.
-The client selects the encryption algorithm
-to use from those offered by the server.
-.Pp
-For protocol 2,
-forward security is provided through a Diffie-Hellman key agreement.
-This key agreement results in a shared session key.
-The rest of the session is encrypted using a symmetric cipher, currently
-128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES.
-The client selects the encryption algorithm
-to use from those offered by the server.
-Additionally, session integrity is provided
-through a cryptographic message authentication code
-(hmac-sha1 or hmac-md5).
-.Pp
-Finally, the server and the client enter an authentication dialog.
-The client tries to authenticate itself using
-host-based authentication,
-public key authentication,
-challenge-response authentication,
-or password authentication.
-.Pp
-Regardless of the authentication type, the account is checked to
-ensure that it is accessible.  An account is not accessible if it is
-locked, listed in
-.Cm DenyUsers
-or its group is listed in
-.Cm DenyGroups
-\&.  The definition of a locked account is system dependant. Some platforms
-have their own account database (eg AIX) and some modify the passwd field (
-.Ql \&*LK\&*
-on Solaris and UnixWare,
-.Ql \&*
-on HP-UX, containing
-.Ql Nologin
-on Tru64,
-a leading
-.Ql \&*LOCKED\&*
-on FreeBSD and a leading
-.Ql \&!!
-on Linux).  If there is a requirement to disable password authentication
-for the account while allowing still public-key, then the passwd field
-should be set to something other than these values (eg
-.Ql NP
-or
-.Ql \&*NP\&*
-).
-.Pp
-If the client successfully authenticates itself, a dialog for
-preparing the session is entered.
-At this time the client may request
-things like allocating a pseudo-tty, forwarding X11 connections,
-forwarding TCP connections, or forwarding the authentication agent
-connection over the secure channel.
-.Pp
-After this, the client either requests a shell or execution of a command.
-The sides then enter session mode.
-In this mode, either side may send
-data at any time, and such data is forwarded to/from the shell or
-command on the server side, and the user terminal in the client side.
-.Pp
-When the user program terminates and all forwarded X11 and other
-connections have been closed, the server sends command exit status to
-the client, and both sides exit.
-.Sh LOGIN PROCESS
-When a user successfully logs in,
-.Nm
-does the following:
-.Bl -enum -offset indent
-.It
-If the login is on a tty, and no command has been specified,
-prints last login time and
-.Pa /etc/motd
-(unless prevented in the configuration file or by
-.Pa ~/.hushlogin ;
-see the
-.Sx FILES
-section).
-.It
-If the login is on a tty, records login time.
-.It
-Checks
-.Pa /etc/nologin ;
-if it exists, prints contents and quits
-(unless root).
-.It
-Changes to run with normal user privileges.
-.It
-Sets up basic environment.
-.It
-Reads the file
-.Pa ~/.ssh/environment ,
-if it exists, and users are allowed to change their environment.
-See the
-.Cm PermitUserEnvironment
-option in
-.Xr sshd_config 5 .
-.It
-Changes to user's home directory.
-.It
-If
-.Pa ~/.ssh/rc
-exists, runs it; else if
-.Pa /etc/ssh/sshrc
-exists, runs
-it; otherwise runs xauth.
-The
-.Dq rc
-files are given the X11
-authentication protocol and cookie in standard input.
-See
-.Sx SSHRC ,
-below.
-.It
-Runs user's shell or command.
-.El
-.Sh SSHRC
-If the file
-.Pa ~/.ssh/rc
-exists,
-.Xr sh 1
-runs it after reading the
-environment files but before starting the user's shell or command.
-It must not produce any output on stdout; stderr must be used
-instead.
-If X11 forwarding is in use, it will receive the "proto cookie" pair in
-its standard input (and
-.Ev DISPLAY
-in its environment).
-The script must call
-.Xr xauth 1
-because
-.Nm
-will not run xauth automatically to add X11 cookies.
-.Pp
-The primary purpose of this file is to run any initialization routines
-which may be needed before the user's home directory becomes
-accessible; AFS is a particular example of such an environment.
-.Pp
-This file will probably contain some initialization code followed by
-something similar to:
-.Bd -literal -offset 3n
-if read proto cookie && [ -n "$DISPLAY" ]; then
-	if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
-		# X11UseLocalhost=yes
-		echo add unix:`echo $DISPLAY |
-		    cut -c11-` $proto $cookie
-	else
-		# X11UseLocalhost=no
-		echo add $DISPLAY $proto $cookie
-	fi | xauth -q -
-fi
-.Ed
-.Pp
-If this file does not exist,
-.Pa /etc/ssh/sshrc
-is run, and if that
-does not exist either, xauth is used to add the cookie.
-.Sh AUTHORIZED_KEYS FILE FORMAT
-.Cm AuthorizedKeysFile
-specifies the file containing public keys for
-public key authentication;
-if none is specified, the default is
-.Pa ~/.ssh/authorized_keys .
-Each line of the file contains one
-key (empty lines and lines starting with a
-.Ql #
-are ignored as
-comments).
-Protocol 1 public keys consist of the following space-separated fields:
-options, bits, exponent, modulus, comment.
-Protocol 2 public key consist of:
-options, keytype, base64-encoded key, comment.
-The options field is optional;
-its presence is determined by whether the line starts
-with a number or not (the options field never starts with a number).
-The bits, exponent, modulus, and comment fields give the RSA key for
-protocol version 1; the
-comment field is not used for anything (but may be convenient for the
-user to identify the key).
-For protocol version 2 the keytype is
-.Dq ssh-dss
-or
-.Dq ssh-rsa .
-.Pp
-Note that lines in this file are usually several hundred bytes long
-(because of the size of the public key encoding) up to a limit of
-8 kilobytes, which permits DSA keys up to 8 kilobits and RSA
-keys up to 16 kilobits.
-You don't want to type them in; instead, copy the
-.Pa identity.pub ,
-.Pa id_dsa.pub ,
-or the
-.Pa id_rsa.pub
-file and edit it.
-.Pp
-.Nm
-enforces a minimum RSA key modulus size for protocol 1
-and protocol 2 keys of 768 bits.
-.Pp
-The options (if present) consist of comma-separated option
-specifications.
-No spaces are permitted, except within double quotes.
-The following option specifications are supported (note
-that option keywords are case-insensitive):
-.Bl -tag -width Ds
-.It Cm command="command"
-Specifies that the command is executed whenever this key is used for
-authentication.
-The command supplied by the user (if any) is ignored.
-The command is run on a pty if the client requests a pty;
-otherwise it is run without a tty.
-If an 8-bit clean channel is required,
-one must not request a pty or should specify
-.Cm no-pty .
-A quote may be included in the command by quoting it with a backslash.
-This option might be useful
-to restrict certain public keys to perform just a specific operation.
-An example might be a key that permits remote backups but nothing else.
-Note that the client may specify TCP and/or X11
-forwarding unless they are explicitly prohibited.
-The command originally supplied by the client is available in the
-.Ev SSH_ORIGINAL_COMMAND
-environment variable.
-Note that this option applies to shell, command or subsystem execution.
-.It Cm environment="NAME=value"
-Specifies that the string is to be added to the environment when
-logging in using this key.
-Environment variables set this way
-override other default environment values.
-Multiple options of this type are permitted.
-Environment processing is disabled by default and is
-controlled via the
-.Cm PermitUserEnvironment
-option.
-This option is automatically disabled if
-.Cm UseLogin
-is enabled.
-.It Cm from="pattern-list"
-Specifies that in addition to public key authentication, the canonical name
-of the remote host must be present in the comma-separated list of
-patterns.
-The purpose
-of this option is to optionally increase security: public key authentication
-by itself does not trust the network or name servers or anything (but
-the key); however, if somebody somehow steals the key, the key
-permits an intruder to log in from anywhere in the world.
-This additional option makes using a stolen key more difficult (name
-servers and/or routers would have to be compromised in addition to
-just the key).
-.Pp
-See
-.Sx PATTERNS
-in
-.Xr ssh_config 5
-for more information on patterns.
-.It Cm no-agent-forwarding
-Forbids authentication agent forwarding when this key is used for
-authentication.
-.It Cm no-port-forwarding
-Forbids TCP forwarding when this key is used for authentication.
-Any port forward requests by the client will return an error.
-This might be used, e.g. in connection with the
-.Cm command
-option.
-.It Cm no-pty
-Prevents tty allocation (a request to allocate a pty will fail).
-.It Cm no-X11-forwarding
-Forbids X11 forwarding when this key is used for authentication.
-Any X11 forward requests by the client will return an error.
-.It Cm permitopen="host:port"
-Limit local
-.Li ``ssh -L''
-port forwarding such that it may only connect to the specified host and
-port.
-IPv6 addresses can be specified with an alternative syntax:
-.Ar host Ns / Ns Ar port .
-Multiple
-.Cm permitopen
-options may be applied separated by commas.
-No pattern matching is performed on the specified hostnames,
-they must be literal domains or addresses.
-.It Cm tunnel="n"
-Force a
-.Xr tun 4
-device on the server.
-Without this option, the next available device will be used if
-the client requests a tunnel.
-.El
-.Pp
-An example authorized_keys file:
-.Bd -literal -offset 3n
-# Comments allowed at start of line
-ssh-rsa AAAAB3Nza...LiPk== user@example.net
-from="*.sales.example.net,!pc.sales.example.net" ssh-rsa
-AAAAB2...19Q== john@example.net
-command="dump /home",no-pty,no-port-forwarding ssh-dss
-AAAAC3...51R== example.net
-permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss
-AAAAB5...21S==
-tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
-jane@example.net
-.Ed
-.Sh SSH_KNOWN_HOSTS FILE FORMAT
-The
-.Pa /etc/ssh/ssh_known_hosts
-and
-.Pa ~/.ssh/known_hosts
-files contain host public keys for all known hosts.
-The global file should
-be prepared by the administrator (optional), and the per-user file is
-maintained automatically: whenever the user connects from an unknown host,
-its key is added to the per-user file.
-.Pp
-Each line in these files contains the following fields: hostnames,
-bits, exponent, modulus, comment.
-The fields are separated by spaces.
-.Pp
-Hostnames is a comma-separated list of patterns
-.Pf ( Ql *
-and
-.Ql \&?
-act as
-wildcards); each pattern in turn is matched against the canonical host
-name (when authenticating a client) or against the user-supplied
-name (when authenticating a server).
-A pattern may also be preceded by
-.Ql \&!
-to indicate negation: if the host name matches a negated
-pattern, it is not accepted (by that line) even if it matched another
-pattern on the line.
-A hostname or address may optionally be enclosed within
-.Ql \&[
-and
-.Ql \&]
-brackets then followed by
-.Ql \&:
-and a non-standard port number.
-.Pp
-Alternately, hostnames may be stored in a hashed form which hides host names
-and addresses should the file's contents be disclosed.
-Hashed hostnames start with a
-.Ql |
-character.
-Only one hashed hostname may appear on a single line and none of the above
-negation or wildcard operators may be applied.
-.Pp
-Bits, exponent, and modulus are taken directly from the RSA host key; they
-can be obtained, for example, from
-.Pa /etc/ssh/ssh_host_key.pub .
-The optional comment field continues to the end of the line, and is not used.
-.Pp
-Lines starting with
-.Ql #
-and empty lines are ignored as comments.
-.Pp
-When performing host authentication, authentication is accepted if any
-matching line has the proper key.
-It is thus permissible (but not
-recommended) to have several lines or different host keys for the same
-names.
-This will inevitably happen when short forms of host names
-from different domains are put in the file.
-It is possible
-that the files contain conflicting information; authentication is
-accepted if valid information can be found from either file.
-.Pp
-Note that the lines in these files are typically hundreds of characters
-long, and you definitely don't want to type in the host keys by hand.
-Rather, generate them by a script
-or by taking
-.Pa /etc/ssh/ssh_host_key.pub
-and adding the host names at the front.
-.Pp
-An example ssh_known_hosts file:
-.Bd -literal -offset 3n
-# Comments allowed at start of line
-closenet,...,192.0.2.53 1024 37 159...93 closenet.example.net
-cvs.example.net,192.0.2.10 ssh-rsa AAAA1234.....=
-# A hashed hostname
-|1|JfKTdBh7rNbXkVAQCRp4OQoPfmI=|USECr3SWf1JUPsms5AqfD5QfxkM= ssh-rsa
-AAAA1234.....=
-.Ed
-.Sh FILES
-.Bl -tag -width Ds -compact
-.It ~/.hushlogin
-This file is used to suppress printing the last login time and
-.Pa /etc/motd ,
-if
-.Cm PrintLastLog
-and
-.Cm PrintMotd ,
-respectively,
-are enabled.
-It does not suppress printing of the banner specified by
-.Cm Banner .
-.Pp
-.It ~/.rhosts
-This file is used for host-based authentication (see
-.Xr ssh 1
-for more information).
-On some machines this file may need to be
-world-readable if the user's home directory is on an NFS partition,
-because
-.Nm
-reads it as root.
-Additionally, this file must be owned by the user,
-and must not have write permissions for anyone else.
-The recommended
-permission for most machines is read/write for the user, and not
-accessible by others.
-.Pp
-.It ~/.shosts
-This file is used in exactly the same way as
-.Pa .rhosts ,
-but allows host-based authentication without permitting login with
-rlogin/rsh.
-.Pp
-.It ~/.ssh/authorized_keys
-Lists the public keys (RSA/DSA) that can be used for logging in as this user.
-The format of this file is described above.
-The content of the file is not highly sensitive, but the recommended
-permissions are read/write for the user, and not accessible by others.
-.Pp
-If this file, the
-.Pa ~/.ssh
-directory, or the user's home directory are writable
-by other users, then the file could be modified or replaced by unauthorized
-users.
-In this case,
-.Nm
-will not allow it to be used unless the
-.Cm StrictModes
-option has been set to
-.Dq no .
-The recommended permissions can be set by executing
-.Dq chmod go-w ~/ ~/.ssh ~/.ssh/authorized_keys .
-.Pp
-.It ~/.ssh/environment
-This file is read into the environment at login (if it exists).
-It can only contain empty lines, comment lines (that start with
-.Ql # ) ,
-and assignment lines of the form name=value.
-The file should be writable
-only by the user; it need not be readable by anyone else.
-Environment processing is disabled by default and is
-controlled via the
-.Cm PermitUserEnvironment
-option.
-.Pp
-.It ~/.ssh/known_hosts
-Contains a list of host keys for all hosts the user has logged into
-that are not already in the systemwide list of known host keys.
-The format of this file is described above.
-This file should be writable only by root/the owner and
-can, but need not be, world-readable.
-.Pp
-.It ~/.ssh/rc
-Contains initialization routines to be run before
-the user's home directory becomes accessible.
-This file should be writable only by the user, and need not be
-readable by anyone else.
-.Pp
-.It /etc/hosts.allow
-.It /etc/hosts.deny
-Access controls that should be enforced by tcp-wrappers are defined here.
-Further details are described in
-.Xr hosts_access 5 .
-.Pp
-.It /etc/hosts.equiv
-This file is for host-based authentication (see
-.Xr ssh 1 ) .
-It should only be writable by root.
-.Pp
-.It /etc/moduli
-Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
-The file format is described in
-.Xr moduli 5 .
-.Pp
-.It /etc/motd
-See
-.Xr motd 5 .
-.Pp
-.It /etc/nologin
-If this file exists,
-.Nm
-refuses to let anyone except root log in.
-The contents of the file
-are displayed to anyone trying to log in, and non-root connections are
-refused.
-The file should be world-readable.
-.Pp
-.It /etc/shosts.equiv
-This file is used in exactly the same way as
-.Pa hosts.equiv ,
-but allows host-based authentication without permitting login with
-rlogin/rsh.
-.Pp
-.It /etc/ssh/ssh_known_hosts
-Systemwide list of known host keys.
-This file should be prepared by the
-system administrator to contain the public host keys of all machines in the
-organization.
-The format of this file is described above.
-This file should be writable only by root/the owner and
-should be world-readable.
-.Pp
-.It /etc/ssh/ssh_host_key
-.It /etc/ssh/ssh_host_dsa_key
-.It /etc/ssh/ssh_host_rsa_key
-These three files contain the private parts of the host keys.
-These files should only be owned by root, readable only by root, and not
-accessible to others.
-Note that
-.Nm
-does not start if these files are group/world-accessible.
-.Pp
-.It /etc/ssh/ssh_host_key.pub
-.It /etc/ssh/ssh_host_dsa_key.pub
-.It /etc/ssh/ssh_host_rsa_key.pub
-These three files contain the public parts of the host keys.
-These files should be world-readable but writable only by
-root.
-Their contents should match the respective private parts.
-These files are not
-really used for anything; they are provided for the convenience of
-the user so their contents can be copied to known hosts files.
-These files are created using
-.Xr ssh-keygen 1 .
-.Pp
-.It /etc/ssh/sshd_config
-Contains configuration data for
-.Nm sshd .
-The file format and configuration options are described in
-.Xr sshd_config 5 .
-.Pp
-.It /etc/ssh/sshrc
-Similar to
-.Pa ~/.ssh/rc ,
-it can be used to specify
-machine-specific login-time initializations globally.
-This file should be writable only by root, and should be world-readable.
-.Pp
-.It /var/empty
-.Xr chroot 2
-directory used by
-.Nm
-during privilege separation in the pre-authentication phase.
-The directory should not contain any files and must be owned by root
-and not group or world-writable.
-.Pp
-.It /var/run/sshd.pid
-Contains the process ID of the
-.Nm
-listening for connections (if there are several daemons running
-concurrently for different ports, this contains the process ID of the one
-started last).
-The content of this file is not sensitive; it can be world-readable.
-.El
-.Sh SEE ALSO
-.Xr scp 1 ,
-.Xr sftp 1 ,
-.Xr ssh 1 ,
-.Xr ssh-add 1 ,
-.Xr ssh-agent 1 ,
-.Xr ssh-keygen 1 ,
-.Xr chroot 2 ,
-.Xr hosts_access 5 ,
-.Xr login.conf 5 ,
-.Xr moduli 5 ,
-.Xr sshd_config 5 ,
-.Xr inetd 8 ,
-.Xr sftp-server 8
-.Sh AUTHORS
-OpenSSH is a derivative of the original and free
-ssh 1.2.12 release by Tatu Ylonen.
-Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
-Theo de Raadt and Dug Song
-removed many bugs, re-added newer features and
-created OpenSSH.
-Markus Friedl contributed the support for SSH
-protocol versions 1.5 and 2.0.
-Niels Provos and Markus Friedl contributed support
-for privilege separation.
-.Sh CAVEATS
-System security is not improved unless
-.Nm rshd ,
-.Nm rlogind ,
-and
-.Nm rexecd
-are disabled (thus completely disabling
-.Xr rlogin
-and
-.Xr rsh
-into the machine).
diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c
deleted file mode 100644
index 4aa1c98..0000000
--- a/crypto/openssh/sshd.c
+++ /dev/null
@@ -1,2156 +0,0 @@
-/* $OpenBSD: sshd.c,v 1.348 2006/11/06 21:25:28 markus Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * This program is the ssh daemon.  It listens for connections from clients,
- * and performs authentication, executes use commands or shell, and forwards
- * information to/from the application to the user client over an encrypted
- * connection.  This can also handle forwarding of X11, TCP/IP, and
- * authentication agent connections.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- * SSH2 implementation:
- * Privilege Separation:
- *
- * Copyright (c) 2000, 2001, 2002 Markus Friedl.  All rights reserved.
- * Copyright (c) 2002 Niels Provos.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/ioctl.h>
-#include <sys/socket.h>
-#ifdef HAVE_SYS_STAT_H
-# include <sys/stat.h>
-#endif
-#ifdef HAVE_SYS_TIME_H
-# include <sys/time.h>
-#endif
-#include "openbsd-compat/sys-tree.h"
-#include <sys/wait.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#include <netdb.h>
-#ifdef HAVE_PATHS_H
-#include <paths.h>
-#endif
-#include <grp.h>
-#include <pwd.h>
-#include <signal.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <openssl/dh.h>
-#include <openssl/bn.h>
-#include <openssl/md5.h>
-#include <openssl/rand.h>
-#ifdef HAVE_SECUREWARE
-#include <sys/security.h>
-#include <prot.h>
-#endif
-
-#include "xmalloc.h"
-#include "ssh.h"
-#include "ssh1.h"
-#include "ssh2.h"
-#include "rsa.h"
-#include "sshpty.h"
-#include "packet.h"
-#include "log.h"
-#include "buffer.h"
-#include "servconf.h"
-#include "uidswap.h"
-#include "compat.h"
-#include "cipher.h"
-#include "key.h"
-#include "kex.h"
-#include "dh.h"
-#include "myproposal.h"
-#include "authfile.h"
-#include "pathnames.h"
-#include "atomicio.h"
-#include "canohost.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "misc.h"
-#include "msg.h"
-#include "dispatch.h"
-#include "channels.h"
-#include "session.h"
-#include "monitor_mm.h"
-#include "monitor.h"
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-#include "monitor_wrap.h"
-#include "monitor_fdpass.h"
-#include "version.h"
-
-#ifdef LIBWRAP
-#include <tcpd.h>
-#include <syslog.h>
-int allow_severity = LOG_INFO;
-int deny_severity = LOG_WARNING;
-#endif /* LIBWRAP */
-
-#ifndef O_NOCTTY
-#define O_NOCTTY	0
-#endif
-
-/* Re-exec fds */
-#define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1)
-#define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2)
-#define REEXEC_CONFIG_PASS_FD		(STDERR_FILENO + 3)
-#define REEXEC_MIN_FREE_FD		(STDERR_FILENO + 4)
-
-extern char *__progname;
-
-/* Server configuration options. */
-ServerOptions options;
-
-/* Name of the server configuration file. */
-char *config_file_name = _PATH_SERVER_CONFIG_FILE;
-
-/*
- * Debug mode flag.  This can be set on the command line.  If debug
- * mode is enabled, extra debugging output will be sent to the system
- * log, the daemon will not go to background, and will exit after processing
- * the first connection.
- */
-int debug_flag = 0;
-
-/* Flag indicating that the daemon should only test the configuration and keys. */
-int test_flag = 0;
-
-/* Flag indicating that the daemon is being started from inetd. */
-int inetd_flag = 0;
-
-/* Flag indicating that sshd should not detach and become a daemon. */
-int no_daemon_flag = 0;
-
-/* debug goes to stderr unless inetd_flag is set */
-int log_stderr = 0;
-
-/* Saved arguments to main(). */
-char **saved_argv;
-int saved_argc;
-
-/* re-exec */
-int rexeced_flag = 0;
-int rexec_flag = 1;
-int rexec_argc = 0;
-char **rexec_argv;
-
-/*
- * The sockets that the server is listening; this is used in the SIGHUP
- * signal handler.
- */
-#define	MAX_LISTEN_SOCKS	16
-int listen_socks[MAX_LISTEN_SOCKS];
-int num_listen_socks = 0;
-
-/*
- * the client's version string, passed by sshd2 in compat mode. if != NULL,
- * sshd will skip the version-number exchange
- */
-char *client_version_string = NULL;
-char *server_version_string = NULL;
-
-/* for rekeying XXX fixme */
-Kex *xxx_kex;
-
-/*
- * Any really sensitive data in the application is contained in this
- * structure. The idea is that this structure could be locked into memory so
- * that the pages do not get written into swap.  However, there are some
- * problems. The private key contains BIGNUMs, and we do not (in principle)
- * have access to the internals of them, and locking just the structure is
- * not very useful.  Currently, memory locking is not implemented.
- */
-struct {
-	Key	*server_key;		/* ephemeral server key */
-	Key	*ssh1_host_key;		/* ssh1 host key */
-	Key	**host_keys;		/* all private host keys */
-	int	have_ssh1_key;
-	int	have_ssh2_key;
-	u_char	ssh1_cookie[SSH_SESSION_KEY_LENGTH];
-} sensitive_data;
-
-/*
- * Flag indicating whether the RSA server key needs to be regenerated.
- * Is set in the SIGALRM handler and cleared when the key is regenerated.
- */
-static volatile sig_atomic_t key_do_regen = 0;
-
-/* This is set to true when a signal is received. */
-static volatile sig_atomic_t received_sighup = 0;
-static volatile sig_atomic_t received_sigterm = 0;
-
-/* session identifier, used by RSA-auth */
-u_char session_id[16];
-
-/* same for ssh2 */
-u_char *session_id2 = NULL;
-u_int session_id2_len = 0;
-
-/* record remote hostname or ip */
-u_int utmp_len = MAXHOSTNAMELEN;
-
-/* options.max_startup sized array of fd ints */
-int *startup_pipes = NULL;
-int startup_pipe;		/* in child */
-
-/* variables used for privilege separation */
-int use_privsep = -1;
-struct monitor *pmonitor = NULL;
-
-/* global authentication context */
-Authctxt *the_authctxt = NULL;
-
-/* sshd_config buffer */
-Buffer cfg;
-
-/* message to be displayed after login */
-Buffer loginmsg;
-
-/* Unprivileged user */
-struct passwd *privsep_pw = NULL;
-
-/* Prototypes for various functions defined later in this file. */
-void destroy_sensitive_data(void);
-void demote_sensitive_data(void);
-
-static void do_ssh1_kex(void);
-static void do_ssh2_kex(void);
-
-/*
- * Close all listening sockets
- */
-static void
-close_listen_socks(void)
-{
-	int i;
-
-	for (i = 0; i < num_listen_socks; i++)
-		close(listen_socks[i]);
-	num_listen_socks = -1;
-}
-
-static void
-close_startup_pipes(void)
-{
-	int i;
-
-	if (startup_pipes)
-		for (i = 0; i < options.max_startups; i++)
-			if (startup_pipes[i] != -1)
-				close(startup_pipes[i]);
-}
-
-/*
- * Signal handler for SIGHUP.  Sshd execs itself when it receives SIGHUP;
- * the effect is to reread the configuration file (and to regenerate
- * the server key).
- */
-
-/*ARGSUSED*/
-static void
-sighup_handler(int sig)
-{
-	int save_errno = errno;
-
-	received_sighup = 1;
-	signal(SIGHUP, sighup_handler);
-	errno = save_errno;
-}
-
-/*
- * Called from the main program after receiving SIGHUP.
- * Restarts the server.
- */
-static void
-sighup_restart(void)
-{
-	logit("Received SIGHUP; restarting.");
-	close_listen_socks();
-	close_startup_pipes();
-	execv(saved_argv[0], saved_argv);
-	logit("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0],
-	    strerror(errno));
-	exit(1);
-}
-
-/*
- * Generic signal handler for terminating signals in the master daemon.
- */
-/*ARGSUSED*/
-static void
-sigterm_handler(int sig)
-{
-	received_sigterm = sig;
-}
-
-/*
- * SIGCHLD handler.  This is called whenever a child dies.  This will then
- * reap any zombies left by exited children.
- */
-/*ARGSUSED*/
-static void
-main_sigchld_handler(int sig)
-{
-	int save_errno = errno;
-	pid_t pid;
-	int status;
-
-	while ((pid = waitpid(-1, &status, WNOHANG)) > 0 ||
-	    (pid < 0 && errno == EINTR))
-		;
-
-	signal(SIGCHLD, main_sigchld_handler);
-	errno = save_errno;
-}
-
-/*
- * Signal handler for the alarm after the login grace period has expired.
- */
-/*ARGSUSED*/
-static void
-grace_alarm_handler(int sig)
-{
-	if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0)
-		kill(pmonitor->m_pid, SIGALRM);
-
-	/* Log error and exit. */
-	sigdie("Timeout before authentication for %s", get_remote_ipaddr());
-}
-
-/*
- * Signal handler for the key regeneration alarm.  Note that this
- * alarm only occurs in the daemon waiting for connections, and it does not
- * do anything with the private key or random state before forking.
- * Thus there should be no concurrency control/asynchronous execution
- * problems.
- */
-static void
-generate_ephemeral_server_key(void)
-{
-	u_int32_t rnd = 0;
-	int i;
-
-	verbose("Generating %s%d bit RSA key.",
-	    sensitive_data.server_key ? "new " : "", options.server_key_bits);
-	if (sensitive_data.server_key != NULL)
-		key_free(sensitive_data.server_key);
-	sensitive_data.server_key = key_generate(KEY_RSA1,
-	    options.server_key_bits);
-	verbose("RSA key generation complete.");
-
-	for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {
-		if (i % 4 == 0)
-			rnd = arc4random();
-		sensitive_data.ssh1_cookie[i] = rnd & 0xff;
-		rnd >>= 8;
-	}
-	arc4random_stir();
-}
-
-/*ARGSUSED*/
-static void
-key_regeneration_alarm(int sig)
-{
-	int save_errno = errno;
-
-	signal(SIGALRM, SIG_DFL);
-	errno = save_errno;
-	key_do_regen = 1;
-}
-
-static void
-sshd_exchange_identification(int sock_in, int sock_out)
-{
-	u_int i;
-	int mismatch;
-	int remote_major, remote_minor;
-	int major, minor;
-	char *s;
-	char buf[256];			/* Must not be larger than remote_version. */
-	char remote_version[256];	/* Must be at least as big as buf. */
-
-	if ((options.protocol & SSH_PROTO_1) &&
-	    (options.protocol & SSH_PROTO_2)) {
-		major = PROTOCOL_MAJOR_1;
-		minor = 99;
-	} else if (options.protocol & SSH_PROTO_2) {
-		major = PROTOCOL_MAJOR_2;
-		minor = PROTOCOL_MINOR_2;
-	} else {
-		major = PROTOCOL_MAJOR_1;
-		minor = PROTOCOL_MINOR_1;
-	}
-	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION);
-	server_version_string = xstrdup(buf);
-
-	/* Send our protocol version identification. */
-	if (atomicio(vwrite, sock_out, server_version_string,
-	    strlen(server_version_string))
-	    != strlen(server_version_string)) {
-		logit("Could not write ident string to %s", get_remote_ipaddr());
-		cleanup_exit(255);
-	}
-
-	/* Read other sides version identification. */
-	memset(buf, 0, sizeof(buf));
-	for (i = 0; i < sizeof(buf) - 1; i++) {
-		if (atomicio(read, sock_in, &buf[i], 1) != 1) {
-			logit("Did not receive identification string from %s",
-			    get_remote_ipaddr());
-			cleanup_exit(255);
-		}
-		if (buf[i] == '\r') {
-			buf[i] = 0;
-			/* Kludge for F-Secure Macintosh < 1.0.2 */
-			if (i == 12 &&
-			    strncmp(buf, "SSH-1.5-W1.0", 12) == 0)
-				break;
-			continue;
-		}
-		if (buf[i] == '\n') {
-			buf[i] = 0;
-			break;
-		}
-	}
-	buf[sizeof(buf) - 1] = 0;
-	client_version_string = xstrdup(buf);
-
-	/*
-	 * Check that the versions match.  In future this might accept
-	 * several versions and set appropriate flags to handle them.
-	 */
-	if (sscanf(client_version_string, "SSH-%d.%d-%[^\n]\n",
-	    &remote_major, &remote_minor, remote_version) != 3) {
-		s = "Protocol mismatch.\n";
-		(void) atomicio(vwrite, sock_out, s, strlen(s));
-		close(sock_in);
-		close(sock_out);
-		logit("Bad protocol version identification '%.100s' from %s",
-		    client_version_string, get_remote_ipaddr());
-		cleanup_exit(255);
-	}
-	debug("Client protocol version %d.%d; client software version %.100s",
-	    remote_major, remote_minor, remote_version);
-
-	compat_datafellows(remote_version);
-
-	if (datafellows & SSH_BUG_PROBE) {
-		logit("probed from %s with %s.  Don't panic.",
-		    get_remote_ipaddr(), client_version_string);
-		cleanup_exit(255);
-	}
-
-	if (datafellows & SSH_BUG_SCANNER) {
-		logit("scanned from %s with %s.  Don't panic.",
-		    get_remote_ipaddr(), client_version_string);
-		cleanup_exit(255);
-	}
-
-	mismatch = 0;
-	switch (remote_major) {
-	case 1:
-		if (remote_minor == 99) {
-			if (options.protocol & SSH_PROTO_2)
-				enable_compat20();
-			else
-				mismatch = 1;
-			break;
-		}
-		if (!(options.protocol & SSH_PROTO_1)) {
-			mismatch = 1;
-			break;
-		}
-		if (remote_minor < 3) {
-			packet_disconnect("Your ssh version is too old and "
-			    "is no longer supported.  Please install a newer version.");
-		} else if (remote_minor == 3) {
-			/* note that this disables agent-forwarding */
-			enable_compat13();
-		}
-		break;
-	case 2:
-		if (options.protocol & SSH_PROTO_2) {
-			enable_compat20();
-			break;
-		}
-		/* FALLTHROUGH */
-	default:
-		mismatch = 1;
-		break;
-	}
-	chop(server_version_string);
-	debug("Local version string %.200s", server_version_string);
-
-	if (mismatch) {
-		s = "Protocol major versions differ.\n";
-		(void) atomicio(vwrite, sock_out, s, strlen(s));
-		close(sock_in);
-		close(sock_out);
-		logit("Protocol major versions differ for %s: %.200s vs. %.200s",
-		    get_remote_ipaddr(),
-		    server_version_string, client_version_string);
-		cleanup_exit(255);
-	}
-}
-
-/* Destroy the host and server keys.  They will no longer be needed. */
-void
-destroy_sensitive_data(void)
-{
-	int i;
-
-	if (sensitive_data.server_key) {
-		key_free(sensitive_data.server_key);
-		sensitive_data.server_key = NULL;
-	}
-	for (i = 0; i < options.num_host_key_files; i++) {
-		if (sensitive_data.host_keys[i]) {
-			key_free(sensitive_data.host_keys[i]);
-			sensitive_data.host_keys[i] = NULL;
-		}
-	}
-	sensitive_data.ssh1_host_key = NULL;
-	memset(sensitive_data.ssh1_cookie, 0, SSH_SESSION_KEY_LENGTH);
-}
-
-/* Demote private to public keys for network child */
-void
-demote_sensitive_data(void)
-{
-	Key *tmp;
-	int i;
-
-	if (sensitive_data.server_key) {
-		tmp = key_demote(sensitive_data.server_key);
-		key_free(sensitive_data.server_key);
-		sensitive_data.server_key = tmp;
-	}
-
-	for (i = 0; i < options.num_host_key_files; i++) {
-		if (sensitive_data.host_keys[i]) {
-			tmp = key_demote(sensitive_data.host_keys[i]);
-			key_free(sensitive_data.host_keys[i]);
-			sensitive_data.host_keys[i] = tmp;
-			if (tmp->type == KEY_RSA1)
-				sensitive_data.ssh1_host_key = tmp;
-		}
-	}
-
-	/* We do not clear ssh1_host key and cookie.  XXX - Okay Niels? */
-}
-
-static void
-privsep_preauth_child(void)
-{
-	u_int32_t rnd[256];
-	gid_t gidset[1];
-	int i;
-
-	/* Enable challenge-response authentication for privilege separation */
-	privsep_challenge_enable();
-
-	for (i = 0; i < 256; i++)
-		rnd[i] = arc4random();
-	RAND_seed(rnd, sizeof(rnd));
-
-	/* Demote the private keys to public keys. */
-	demote_sensitive_data();
-
-	/* Change our root directory */
-	if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
-		fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
-		    strerror(errno));
-	if (chdir("/") == -1)
-		fatal("chdir(\"/\"): %s", strerror(errno));
-
-	/* Drop our privileges */
-	debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid,
-	    (u_int)privsep_pw->pw_gid);
-#if 0
-	/* XXX not ready, too heavy after chroot */
-	do_setusercontext(privsep_pw);
-#else
-	gidset[0] = privsep_pw->pw_gid;
-	if (setgroups(1, gidset) < 0)
-		fatal("setgroups: %.100s", strerror(errno));
-	permanently_set_uid(privsep_pw);
-#endif
-}
-
-static int
-privsep_preauth(Authctxt *authctxt)
-{
-	int status;
-	pid_t pid;
-
-	/* Set up unprivileged child process to deal with network data */
-	pmonitor = monitor_init();
-	/* Store a pointer to the kex for later rekeying */
-	pmonitor->m_pkex = &xxx_kex;
-
-	pid = fork();
-	if (pid == -1) {
-		fatal("fork of unprivileged child failed");
-	} else if (pid != 0) {
-		debug2("Network child is on pid %ld", (long)pid);
-
-		close(pmonitor->m_recvfd);
-		pmonitor->m_pid = pid;
-		monitor_child_preauth(authctxt, pmonitor);
-		close(pmonitor->m_sendfd);
-
-		/* Sync memory */
-		monitor_sync(pmonitor);
-
-		/* Wait for the child's exit status */
-		while (waitpid(pid, &status, 0) < 0)
-			if (errno != EINTR)
-				break;
-		return (1);
-	} else {
-		/* child */
-
-		close(pmonitor->m_sendfd);
-
-		/* Demote the child */
-		if (getuid() == 0 || geteuid() == 0)
-			privsep_preauth_child();
-		setproctitle("%s", "[net]");
-	}
-	return (0);
-}
-
-static void
-privsep_postauth(Authctxt *authctxt)
-{
-#ifdef DISABLE_FD_PASSING
-	if (1) {
-#else
-	if (authctxt->pw->pw_uid == 0 || options.use_login) {
-#endif
-		/* File descriptor passing is broken or root login */
-		use_privsep = 0;
-		goto skip;
-	}
-
-	/* New socket pair */
-	monitor_reinit(pmonitor);
-
-	pmonitor->m_pid = fork();
-	if (pmonitor->m_pid == -1)
-		fatal("fork of unprivileged child failed");
-	else if (pmonitor->m_pid != 0) {
-		debug2("User child is on pid %ld", (long)pmonitor->m_pid);
-		close(pmonitor->m_recvfd);
-		buffer_clear(&loginmsg);
-		monitor_child_postauth(pmonitor);
-
-		/* NEVERREACHED */
-		exit(0);
-	}
-
-	close(pmonitor->m_sendfd);
-
-	/* Demote the private keys to public keys. */
-	demote_sensitive_data();
-
-	/* Drop privileges */
-	do_setusercontext(authctxt->pw);
-
- skip:
-	/* It is safe now to apply the key state */
-	monitor_apply_keystate(pmonitor);
-
-	/*
-	 * Tell the packet layer that authentication was successful, since
-	 * this information is not part of the key state.
-	 */
-	packet_set_authenticated();
-}
-
-static char *
-list_hostkey_types(void)
-{
-	Buffer b;
-	const char *p;
-	char *ret;
-	int i;
-
-	buffer_init(&b);
-	for (i = 0; i < options.num_host_key_files; i++) {
-		Key *key = sensitive_data.host_keys[i];
-		if (key == NULL)
-			continue;
-		switch (key->type) {
-		case KEY_RSA:
-		case KEY_DSA:
-			if (buffer_len(&b) > 0)
-				buffer_append(&b, ",", 1);
-			p = key_ssh_name(key);
-			buffer_append(&b, p, strlen(p));
-			break;
-		}
-	}
-	buffer_append(&b, "\0", 1);
-	ret = xstrdup(buffer_ptr(&b));
-	buffer_free(&b);
-	debug("list_hostkey_types: %s", ret);
-	return ret;
-}
-
-Key *
-get_hostkey_by_type(int type)
-{
-	int i;
-
-	for (i = 0; i < options.num_host_key_files; i++) {
-		Key *key = sensitive_data.host_keys[i];
-		if (key != NULL && key->type == type)
-			return key;
-	}
-	return NULL;
-}
-
-Key *
-get_hostkey_by_index(int ind)
-{
-	if (ind < 0 || ind >= options.num_host_key_files)
-		return (NULL);
-	return (sensitive_data.host_keys[ind]);
-}
-
-int
-get_hostkey_index(Key *key)
-{
-	int i;
-
-	for (i = 0; i < options.num_host_key_files; i++) {
-		if (key == sensitive_data.host_keys[i])
-			return (i);
-	}
-	return (-1);
-}
-
-/*
- * returns 1 if connection should be dropped, 0 otherwise.
- * dropping starts at connection #max_startups_begin with a probability
- * of (max_startups_rate/100). the probability increases linearly until
- * all connections are dropped for startups > max_startups
- */
-static int
-drop_connection(int startups)
-{
-	int p, r;
-
-	if (startups < options.max_startups_begin)
-		return 0;
-	if (startups >= options.max_startups)
-		return 1;
-	if (options.max_startups_rate == 100)
-		return 1;
-
-	p  = 100 - options.max_startups_rate;
-	p *= startups - options.max_startups_begin;
-	p /= options.max_startups - options.max_startups_begin;
-	p += options.max_startups_rate;
-	r = arc4random() % 100;
-
-	debug("drop_connection: p %d, r %d", p, r);
-	return (r < p) ? 1 : 0;
-}
-
-static void
-usage(void)
-{
-	fprintf(stderr, "%s, %s\n",
-	    SSH_RELEASE, SSLeay_version(SSLEAY_VERSION));
-	fprintf(stderr,
-"usage: sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time]\n"
-"            [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]\n"
-	);
-	exit(1);
-}
-
-static void
-send_rexec_state(int fd, Buffer *conf)
-{
-	Buffer m;
-
-	debug3("%s: entering fd = %d config len %d", __func__, fd,
-	    buffer_len(conf));
-
-	/*
-	 * Protocol from reexec master to child:
-	 *	string	configuration
-	 *	u_int	ephemeral_key_follows
-	 *	bignum	e		(only if ephemeral_key_follows == 1)
-	 *	bignum	n			"
-	 *	bignum	d			"
-	 *	bignum	iqmp			"
-	 *	bignum	p			"
-	 *	bignum	q			"
-	 *	string rngseed		(only if OpenSSL is not self-seeded)
-	 */
-	buffer_init(&m);
-	buffer_put_cstring(&m, buffer_ptr(conf));
-
-	if (sensitive_data.server_key != NULL &&
-	    sensitive_data.server_key->type == KEY_RSA1) {
-		buffer_put_int(&m, 1);
-		buffer_put_bignum(&m, sensitive_data.server_key->rsa->e);
-		buffer_put_bignum(&m, sensitive_data.server_key->rsa->n);
-		buffer_put_bignum(&m, sensitive_data.server_key->rsa->d);
-		buffer_put_bignum(&m, sensitive_data.server_key->rsa->iqmp);
-		buffer_put_bignum(&m, sensitive_data.server_key->rsa->p);
-		buffer_put_bignum(&m, sensitive_data.server_key->rsa->q);
-	} else
-		buffer_put_int(&m, 0);
-
-#ifndef OPENSSL_PRNG_ONLY
-	rexec_send_rng_seed(&m);
-#endif
-
-	if (ssh_msg_send(fd, 0, &m) == -1)
-		fatal("%s: ssh_msg_send failed", __func__);
-
-	buffer_free(&m);
-
-	debug3("%s: done", __func__);
-}
-
-static void
-recv_rexec_state(int fd, Buffer *conf)
-{
-	Buffer m;
-	char *cp;
-	u_int len;
-
-	debug3("%s: entering fd = %d", __func__, fd);
-
-	buffer_init(&m);
-
-	if (ssh_msg_recv(fd, &m) == -1)
-		fatal("%s: ssh_msg_recv failed", __func__);
-	if (buffer_get_char(&m) != 0)
-		fatal("%s: rexec version mismatch", __func__);
-
-	cp = buffer_get_string(&m, &len);
-	if (conf != NULL)
-		buffer_append(conf, cp, len + 1);
-	xfree(cp);
-
-	if (buffer_get_int(&m)) {
-		if (sensitive_data.server_key != NULL)
-			key_free(sensitive_data.server_key);
-		sensitive_data.server_key = key_new_private(KEY_RSA1);
-		buffer_get_bignum(&m, sensitive_data.server_key->rsa->e);
-		buffer_get_bignum(&m, sensitive_data.server_key->rsa->n);
-		buffer_get_bignum(&m, sensitive_data.server_key->rsa->d);
-		buffer_get_bignum(&m, sensitive_data.server_key->rsa->iqmp);
-		buffer_get_bignum(&m, sensitive_data.server_key->rsa->p);
-		buffer_get_bignum(&m, sensitive_data.server_key->rsa->q);
-		rsa_generate_additional_parameters(
-		    sensitive_data.server_key->rsa);
-	}
-
-#ifndef OPENSSL_PRNG_ONLY
-	rexec_recv_rng_seed(&m);
-#endif
-
-	buffer_free(&m);
-
-	debug3("%s: done", __func__);
-}
-
-/* Accept a connection from inetd */
-static void
-server_accept_inetd(int *sock_in, int *sock_out)
-{
-	int fd;
-
-	startup_pipe = -1;
-	if (rexeced_flag) {
-		close(REEXEC_CONFIG_PASS_FD);
-		*sock_in = *sock_out = dup(STDIN_FILENO);
-		if (!debug_flag) {
-			startup_pipe = dup(REEXEC_STARTUP_PIPE_FD);
-			close(REEXEC_STARTUP_PIPE_FD);
-		}
-	} else {
-		*sock_in = dup(STDIN_FILENO);
-		*sock_out = dup(STDOUT_FILENO);
-	}
-	/*
-	 * We intentionally do not close the descriptors 0, 1, and 2
-	 * as our code for setting the descriptors won't work if
-	 * ttyfd happens to be one of those.
-	 */
-	if ((fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) {
-		dup2(fd, STDIN_FILENO);
-		dup2(fd, STDOUT_FILENO);
-		if (fd > STDOUT_FILENO)
-			close(fd);
-	}
-	debug("inetd sockets after dupping: %d, %d", *sock_in, *sock_out);
-}
-
-/*
- * Listen for TCP connections
- */
-static void
-server_listen(void)
-{
-	int ret, listen_sock, on = 1;
-	struct addrinfo *ai;
-	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
-
-	for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
-		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-			continue;
-		if (num_listen_socks >= MAX_LISTEN_SOCKS)
-			fatal("Too many listen sockets. "
-			    "Enlarge MAX_LISTEN_SOCKS");
-		if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen,
-		    ntop, sizeof(ntop), strport, sizeof(strport),
-		    NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
-			error("getnameinfo failed: %.100s",
-			    (ret != EAI_SYSTEM) ? gai_strerror(ret) :
-			    strerror(errno));
-			continue;
-		}
-		/* Create socket for listening. */
-		listen_sock = socket(ai->ai_family, ai->ai_socktype,
-		    ai->ai_protocol);
-		if (listen_sock < 0) {
-			/* kernel may not support ipv6 */
-			verbose("socket: %.100s", strerror(errno));
-			continue;
-		}
-		if (set_nonblock(listen_sock) == -1) {
-			close(listen_sock);
-			continue;
-		}
-		/*
-		 * Set socket options.
-		 * Allow local port reuse in TIME_WAIT.
-		 */
-		if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR,
-		    &on, sizeof(on)) == -1)
-			error("setsockopt SO_REUSEADDR: %s", strerror(errno));
-
-		debug("Bind to port %s on %s.", strport, ntop);
-
-		/* Bind the socket to the desired port. */
-		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
-			error("Bind to port %s on %s failed: %.200s.",
-			    strport, ntop, strerror(errno));
-			close(listen_sock);
-			continue;
-		}
-		listen_socks[num_listen_socks] = listen_sock;
-		num_listen_socks++;
-
-		/* Start listening on the port. */
-		if (listen(listen_sock, SSH_LISTEN_BACKLOG) < 0)
-			fatal("listen on [%s]:%s: %.100s",
-			    ntop, strport, strerror(errno));
-		logit("Server listening on %s port %s.", ntop, strport);
-	}
-	freeaddrinfo(options.listen_addrs);
-
-	if (!num_listen_socks)
-		fatal("Cannot bind any address.");
-}
-
-/*
- * The main TCP accept loop. Note that, for the non-debug case, returns
- * from this function are in a forked subprocess.
- */
-static void
-server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
-{
-	fd_set *fdset;
-	int i, j, ret, maxfd;
-	int key_used = 0, startups = 0;
-	int startup_p[2] = { -1 , -1 };
-	struct sockaddr_storage from;
-	socklen_t fromlen;
-	pid_t pid;
-
-	/* setup fd set for accept */
-	fdset = NULL;
-	maxfd = 0;
-	for (i = 0; i < num_listen_socks; i++)
-		if (listen_socks[i] > maxfd)
-			maxfd = listen_socks[i];
-	/* pipes connected to unauthenticated childs */
-	startup_pipes = xcalloc(options.max_startups, sizeof(int));
-	for (i = 0; i < options.max_startups; i++)
-		startup_pipes[i] = -1;
-
-	/*
-	 * Stay listening for connections until the system crashes or
-	 * the daemon is killed with a signal.
-	 */
-	for (;;) {
-		if (received_sighup)
-			sighup_restart();
-		if (fdset != NULL)
-			xfree(fdset);
-		fdset = (fd_set *)xcalloc(howmany(maxfd + 1, NFDBITS),
-		    sizeof(fd_mask));
-
-		for (i = 0; i < num_listen_socks; i++)
-			FD_SET(listen_socks[i], fdset);
-		for (i = 0; i < options.max_startups; i++)
-			if (startup_pipes[i] != -1)
-				FD_SET(startup_pipes[i], fdset);
-
-		/* Wait in select until there is a connection. */
-		ret = select(maxfd+1, fdset, NULL, NULL, NULL);
-		if (ret < 0 && errno != EINTR)
-			error("select: %.100s", strerror(errno));
-		if (received_sigterm) {
-			logit("Received signal %d; terminating.",
-			    (int) received_sigterm);
-			close_listen_socks();
-			unlink(options.pid_file);
-			exit(255);
-		}
-		if (key_used && key_do_regen) {
-			generate_ephemeral_server_key();
-			key_used = 0;
-			key_do_regen = 0;
-		}
-		if (ret < 0)
-			continue;
-
-		for (i = 0; i < options.max_startups; i++)
-			if (startup_pipes[i] != -1 &&
-			    FD_ISSET(startup_pipes[i], fdset)) {
-				/*
-				 * the read end of the pipe is ready
-				 * if the child has closed the pipe
-				 * after successful authentication
-				 * or if the child has died
-				 */
-				close(startup_pipes[i]);
-				startup_pipes[i] = -1;
-				startups--;
-			}
-		for (i = 0; i < num_listen_socks; i++) {
-			if (!FD_ISSET(listen_socks[i], fdset))
-				continue;
-			fromlen = sizeof(from);
-			*newsock = accept(listen_socks[i],
-			    (struct sockaddr *)&from, &fromlen);
-			if (*newsock < 0) {
-				if (errno != EINTR && errno != EWOULDBLOCK)
-					error("accept: %.100s", strerror(errno));
-				continue;
-			}
-			if (unset_nonblock(*newsock) == -1) {
-				close(*newsock);
-				continue;
-			}
-			if (drop_connection(startups) == 1) {
-				debug("drop connection #%d", startups);
-				close(*newsock);
-				continue;
-			}
-			if (pipe(startup_p) == -1) {
-				close(*newsock);
-				continue;
-			}
-
-			if (rexec_flag && socketpair(AF_UNIX,
-			    SOCK_STREAM, 0, config_s) == -1) {
-				error("reexec socketpair: %s",
-				    strerror(errno));
-				close(*newsock);
-				close(startup_p[0]);
-				close(startup_p[1]);
-				continue;
-			}
-
-			for (j = 0; j < options.max_startups; j++)
-				if (startup_pipes[j] == -1) {
-					startup_pipes[j] = startup_p[0];
-					if (maxfd < startup_p[0])
-						maxfd = startup_p[0];
-					startups++;
-					break;
-				}
-
-			/*
-			 * Got connection.  Fork a child to handle it, unless
-			 * we are in debugging mode.
-			 */
-			if (debug_flag) {
-				/*
-				 * In debugging mode.  Close the listening
-				 * socket, and start processing the
-				 * connection without forking.
-				 */
-				debug("Server will not fork when running in debugging mode.");
-				close_listen_socks();
-				*sock_in = *newsock;
-				*sock_out = *newsock;
-				close(startup_p[0]);
-				close(startup_p[1]);
-				startup_pipe = -1;
-				pid = getpid();
-				if (rexec_flag) {
-					send_rexec_state(config_s[0],
-					    &cfg);
-					close(config_s[0]);
-				}
-				break;
-			}
-
-			/*
-			 * Normal production daemon.  Fork, and have
-			 * the child process the connection. The
-			 * parent continues listening.
-			 */
-			platform_pre_fork();
-			if ((pid = fork()) == 0) {
-				/*
-				 * Child.  Close the listening and
-				 * max_startup sockets.  Start using
-				 * the accepted socket. Reinitialize
-				 * logging (since our pid has changed).
-				 * We break out of the loop to handle
-				 * the connection.
-				 */
-				platform_post_fork_child();
-				startup_pipe = startup_p[1];
-				close_startup_pipes();
-				close_listen_socks();
-				*sock_in = *newsock;
-				*sock_out = *newsock;
-				log_init(__progname,
-				    options.log_level,
-				    options.log_facility,
-				    log_stderr);
-				if (rexec_flag)
-					close(config_s[0]);
-				break;
-			}
-
-			/* Parent.  Stay in the loop. */
-			platform_post_fork_parent(pid);
-			if (pid < 0)
-				error("fork: %.100s", strerror(errno));
-			else
-				debug("Forked child %ld.", (long)pid);
-
-			close(startup_p[1]);
-
-			if (rexec_flag) {
-				send_rexec_state(config_s[0], &cfg);
-				close(config_s[0]);
-				close(config_s[1]);
-			}
-
-			/*
-			 * Mark that the key has been used (it
-			 * was "given" to the child).
-			 */
-			if ((options.protocol & SSH_PROTO_1) &&
-			    key_used == 0) {
-				/* Schedule server key regeneration alarm. */
-				signal(SIGALRM, key_regeneration_alarm);
-				alarm(options.key_regeneration_time);
-				key_used = 1;
-			}
-
-			close(*newsock);
-
-			/*
-			 * Ensure that our random state differs
-			 * from that of the child
-			 */
-			arc4random_stir();
-		}
-
-		/* child process check (or debug mode) */
-		if (num_listen_socks < 0)
-			break;
-	}
-}
-
-
-/*
- * Main program for the daemon.
- */
-int
-main(int ac, char **av)
-{
-	extern char *optarg;
-	extern int optind;
-	int opt, i, on = 1;
-	int sock_in = -1, sock_out = -1, newsock = -1;
-	const char *remote_ip;
-	int remote_port;
-	char *line;
-	int config_s[2] = { -1 , -1 };
-	Key *key;
-	Authctxt *authctxt;
-
-#ifdef HAVE_SECUREWARE
-	(void)set_auth_parameters(ac, av);
-#endif
-	__progname = ssh_get_progname(av[0]);
-	init_rng();
-
-	/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
-	saved_argc = ac;
-	rexec_argc = ac;
-	saved_argv = xcalloc(ac + 1, sizeof(*saved_argv));
-	for (i = 0; i < ac; i++)
-		saved_argv[i] = xstrdup(av[i]);
-	saved_argv[i] = NULL;
-
-#ifndef HAVE_SETPROCTITLE
-	/* Prepare for later setproctitle emulation */
-	compat_init_setproctitle(ac, av);
-	av = saved_argv;
-#endif
-
-	if (geteuid() == 0 && setgroups(0, NULL) == -1)
-		debug("setgroups(): %.200s", strerror(errno));
-
-	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
-	sanitise_stdfd();
-
-	/* Initialize configuration options to their default values. */
-	initialize_server_options(&options);
-
-	/* Parse command-line arguments. */
-	while ((opt = getopt(ac, av, "f:p:b:k:h:g:u:o:dDeiqrtQR46")) != -1) {
-		switch (opt) {
-		case '4':
-			options.address_family = AF_INET;
-			break;
-		case '6':
-			options.address_family = AF_INET6;
-			break;
-		case 'f':
-			config_file_name = optarg;
-			break;
-		case 'd':
-			if (debug_flag == 0) {
-				debug_flag = 1;
-				options.log_level = SYSLOG_LEVEL_DEBUG1;
-			} else if (options.log_level < SYSLOG_LEVEL_DEBUG3)
-				options.log_level++;
-			break;
-		case 'D':
-			no_daemon_flag = 1;
-			break;
-		case 'e':
-			log_stderr = 1;
-			break;
-		case 'i':
-			inetd_flag = 1;
-			break;
-		case 'r':
-			rexec_flag = 0;
-			break;
-		case 'R':
-			rexeced_flag = 1;
-			inetd_flag = 1;
-			break;
-		case 'Q':
-			/* ignored */
-			break;
-		case 'q':
-			options.log_level = SYSLOG_LEVEL_QUIET;
-			break;
-		case 'b':
-			options.server_key_bits = (int)strtonum(optarg, 256,
-			    32768, NULL);
-			break;
-		case 'p':
-			options.ports_from_cmdline = 1;
-			if (options.num_ports >= MAX_PORTS) {
-				fprintf(stderr, "too many ports.\n");
-				exit(1);
-			}
-			options.ports[options.num_ports++] = a2port(optarg);
-			if (options.ports[options.num_ports-1] == 0) {
-				fprintf(stderr, "Bad port number.\n");
-				exit(1);
-			}
-			break;
-		case 'g':
-			if ((options.login_grace_time = convtime(optarg)) == -1) {
-				fprintf(stderr, "Invalid login grace time.\n");
-				exit(1);
-			}
-			break;
-		case 'k':
-			if ((options.key_regeneration_time = convtime(optarg)) == -1) {
-				fprintf(stderr, "Invalid key regeneration interval.\n");
-				exit(1);
-			}
-			break;
-		case 'h':
-			if (options.num_host_key_files >= MAX_HOSTKEYS) {
-				fprintf(stderr, "too many host keys.\n");
-				exit(1);
-			}
-			options.host_key_files[options.num_host_key_files++] = optarg;
-			break;
-		case 't':
-			test_flag = 1;
-			break;
-		case 'u':
-			utmp_len = (u_int)strtonum(optarg, 0, MAXHOSTNAMELEN+1, NULL);
-			if (utmp_len > MAXHOSTNAMELEN) {
-				fprintf(stderr, "Invalid utmp length.\n");
-				exit(1);
-			}
-			break;
-		case 'o':
-			line = xstrdup(optarg);
-			if (process_server_config_line(&options, line,
-			    "command-line", 0, NULL, NULL, NULL, NULL) != 0)
-				exit(1);
-			xfree(line);
-			break;
-		case '?':
-		default:
-			usage();
-			break;
-		}
-	}
-	if (rexeced_flag || inetd_flag)
-		rexec_flag = 0;
-	if (rexec_flag && (av[0] == NULL || *av[0] != '/'))
-		fatal("sshd re-exec requires execution with an absolute path");
-	if (rexeced_flag)
-		closefrom(REEXEC_MIN_FREE_FD);
-	else
-		closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
-
-	SSLeay_add_all_algorithms();
-
-	/*
-	 * Force logging to stderr until we have loaded the private host
-	 * key (unless started from inetd)
-	 */
-	log_init(__progname,
-	    options.log_level == SYSLOG_LEVEL_NOT_SET ?
-	    SYSLOG_LEVEL_INFO : options.log_level,
-	    options.log_facility == SYSLOG_FACILITY_NOT_SET ?
-	    SYSLOG_FACILITY_AUTH : options.log_facility,
-	    log_stderr || !inetd_flag);
-
-	/*
-	 * Unset KRB5CCNAME, otherwise the user's session may inherit it from
-	 * root's environment
-	 */
-	if (getenv("KRB5CCNAME") != NULL)
-		unsetenv("KRB5CCNAME");
-
-#ifdef _UNICOS
-	/* Cray can define user privs drop all privs now!
-	 * Not needed on PRIV_SU systems!
-	 */
-	drop_cray_privs();
-#endif
-
-	sensitive_data.server_key = NULL;
-	sensitive_data.ssh1_host_key = NULL;
-	sensitive_data.have_ssh1_key = 0;
-	sensitive_data.have_ssh2_key = 0;
-
-	/* Fetch our configuration */
-	buffer_init(&cfg);
-	if (rexeced_flag)
-		recv_rexec_state(REEXEC_CONFIG_PASS_FD, &cfg);
-	else
-		load_server_config(config_file_name, &cfg);
-
-	parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
-	    &cfg, NULL, NULL, NULL);
-
-	seed_rng();
-
-	/* Fill in default values for those options not explicitly set. */
-	fill_default_server_options(&options);
-
-	/* set default channel AF */
-	channel_set_af(options.address_family);
-
-	/* Check that there are no remaining arguments. */
-	if (optind < ac) {
-		fprintf(stderr, "Extra argument %s.\n", av[optind]);
-		exit(1);
-	}
-
-	debug("sshd version %.100s", SSH_RELEASE);
-
-	/* Store privilege separation user for later use if required. */
-	if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
-		if (use_privsep || options.kerberos_authentication)
-			fatal("Privilege separation user %s does not exist",
-			    SSH_PRIVSEP_USER);
-	} else {
-		memset(privsep_pw->pw_passwd, 0, strlen(privsep_pw->pw_passwd));
-		privsep_pw = pwcopy(privsep_pw);
-		xfree(privsep_pw->pw_passwd);
-		privsep_pw->pw_passwd = xstrdup("*");
-	}
-	endpwent();
-
-	/* load private host keys */
-	sensitive_data.host_keys = xcalloc(options.num_host_key_files,
-	    sizeof(Key *));
-	for (i = 0; i < options.num_host_key_files; i++)
-		sensitive_data.host_keys[i] = NULL;
-
-	for (i = 0; i < options.num_host_key_files; i++) {
-		key = key_load_private(options.host_key_files[i], "", NULL);
-		sensitive_data.host_keys[i] = key;
-		if (key == NULL) {
-			error("Could not load host key: %s",
-			    options.host_key_files[i]);
-			sensitive_data.host_keys[i] = NULL;
-			continue;
-		}
-		switch (key->type) {
-		case KEY_RSA1:
-			sensitive_data.ssh1_host_key = key;
-			sensitive_data.have_ssh1_key = 1;
-			break;
-		case KEY_RSA:
-		case KEY_DSA:
-			sensitive_data.have_ssh2_key = 1;
-			break;
-		}
-		debug("private host key: #%d type %d %s", i, key->type,
-		    key_type(key));
-	}
-	if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
-		logit("Disabling protocol version 1. Could not load host key");
-		options.protocol &= ~SSH_PROTO_1;
-	}
-	if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) {
-		logit("Disabling protocol version 2. Could not load host key");
-		options.protocol &= ~SSH_PROTO_2;
-	}
-	if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
-		logit("sshd: no hostkeys available -- exiting.");
-		exit(1);
-	}
-
-	/* Check certain values for sanity. */
-	if (options.protocol & SSH_PROTO_1) {
-		if (options.server_key_bits < 512 ||
-		    options.server_key_bits > 32768) {
-			fprintf(stderr, "Bad server key size.\n");
-			exit(1);
-		}
-		/*
-		 * Check that server and host key lengths differ sufficiently. This
-		 * is necessary to make double encryption work with rsaref. Oh, I
-		 * hate software patents. I dont know if this can go? Niels
-		 */
-		if (options.server_key_bits >
-		    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) -
-		    SSH_KEY_BITS_RESERVED && options.server_key_bits <
-		    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) +
-		    SSH_KEY_BITS_RESERVED) {
-			options.server_key_bits =
-			    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) +
-			    SSH_KEY_BITS_RESERVED;
-			debug("Forcing server key to %d bits to make it differ from host key.",
-			    options.server_key_bits);
-		}
-	}
-
-	if (use_privsep) {
-		struct stat st;
-
-		if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) ||
-		    (S_ISDIR(st.st_mode) == 0))
-			fatal("Missing privilege separation directory: %s",
-			    _PATH_PRIVSEP_CHROOT_DIR);
-
-#ifdef HAVE_CYGWIN
-		if (check_ntsec(_PATH_PRIVSEP_CHROOT_DIR) &&
-		    (st.st_uid != getuid () ||
-		    (st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
-#else
-		if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
-#endif
-			fatal("%s must be owned by root and not group or "
-			    "world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
-	}
-
-	/* Configuration looks good, so exit if in test mode. */
-	if (test_flag)
-		exit(0);
-
-	/*
-	 * Clear out any supplemental groups we may have inherited.  This
-	 * prevents inadvertent creation of files with bad modes (in the
-	 * portable version at least, it's certainly possible for PAM
-	 * to create a file, and we can't control the code in every
-	 * module which might be used).
-	 */
-	if (setgroups(0, NULL) < 0)
-		debug("setgroups() failed: %.200s", strerror(errno));
-
-	if (rexec_flag) {
-		rexec_argv = xcalloc(rexec_argc + 2, sizeof(char *));
-		for (i = 0; i < rexec_argc; i++) {
-			debug("rexec_argv[%d]='%s'", i, saved_argv[i]);
-			rexec_argv[i] = saved_argv[i];
-		}
-		rexec_argv[rexec_argc] = "-R";
-		rexec_argv[rexec_argc + 1] = NULL;
-	}
-
-	/* Initialize the log (it is reinitialized below in case we forked). */
-	if (debug_flag && (!inetd_flag || rexeced_flag))
-		log_stderr = 1;
-	log_init(__progname, options.log_level, options.log_facility, log_stderr);
-
-	/*
-	 * If not in debugging mode, and not started from inetd, disconnect
-	 * from the controlling terminal, and fork.  The original process
-	 * exits.
-	 */
-	if (!(debug_flag || inetd_flag || no_daemon_flag)) {
-#ifdef TIOCNOTTY
-		int fd;
-#endif /* TIOCNOTTY */
-		if (daemon(0, 0) < 0)
-			fatal("daemon() failed: %.200s", strerror(errno));
-
-		/* Disconnect from the controlling tty. */
-#ifdef TIOCNOTTY
-		fd = open(_PATH_TTY, O_RDWR | O_NOCTTY);
-		if (fd >= 0) {
-			(void) ioctl(fd, TIOCNOTTY, NULL);
-			close(fd);
-		}
-#endif /* TIOCNOTTY */
-	}
-	/* Reinitialize the log (because of the fork above). */
-	log_init(__progname, options.log_level, options.log_facility, log_stderr);
-
-	/* Initialize the random number generator. */
-	arc4random_stir();
-
-	/* Chdir to the root directory so that the current disk can be
-	   unmounted if desired. */
-	chdir("/");
-
-	/* ignore SIGPIPE */
-	signal(SIGPIPE, SIG_IGN);
-
-	/* Get a connection, either from inetd or a listening TCP socket */
-	if (inetd_flag) {
-		server_accept_inetd(&sock_in, &sock_out);
-
-		if ((options.protocol & SSH_PROTO_1) &&
-		    sensitive_data.server_key == NULL)
-			generate_ephemeral_server_key();
-	} else {
-		server_listen();
-
-		if (options.protocol & SSH_PROTO_1)
-			generate_ephemeral_server_key();
-
-		signal(SIGHUP, sighup_handler);
-		signal(SIGCHLD, main_sigchld_handler);
-		signal(SIGTERM, sigterm_handler);
-		signal(SIGQUIT, sigterm_handler);
-
-		/*
-		 * Write out the pid file after the sigterm handler
-		 * is setup and the listen sockets are bound
-		 */
-		if (!debug_flag) {
-			FILE *f = fopen(options.pid_file, "w");
-
-			if (f == NULL) {
-				error("Couldn't create pid file \"%s\": %s",
-				    options.pid_file, strerror(errno));
-			} else {
-				fprintf(f, "%ld\n", (long) getpid());
-				fclose(f);
-			}
-		}
-
-		/* Accept a connection and return in a forked child */
-		server_accept_loop(&sock_in, &sock_out,
-		    &newsock, config_s);
-	}
-
-	/* This is the child processing a new connection. */
-	setproctitle("%s", "[accepted]");
-
-	/*
-	 * Create a new session and process group since the 4.4BSD
-	 * setlogin() affects the entire process group.  We don't
-	 * want the child to be able to affect the parent.
-	 */
-#if !defined(SSHD_ACQUIRES_CTTY)
-	/*
-	 * If setsid is called, on some platforms sshd will later acquire a
-	 * controlling terminal which will result in "could not set
-	 * controlling tty" errors.
-	 */
-	if (!debug_flag && !inetd_flag && setsid() < 0)
-		error("setsid: %.100s", strerror(errno));
-#endif
-
-	if (rexec_flag) {
-		int fd;
-
-		debug("rexec start in %d out %d newsock %d pipe %d sock %d",
-		    sock_in, sock_out, newsock, startup_pipe, config_s[0]);
-		dup2(newsock, STDIN_FILENO);
-		dup2(STDIN_FILENO, STDOUT_FILENO);
-		if (startup_pipe == -1)
-			close(REEXEC_STARTUP_PIPE_FD);
-		else
-			dup2(startup_pipe, REEXEC_STARTUP_PIPE_FD);
-
-		dup2(config_s[1], REEXEC_CONFIG_PASS_FD);
-		close(config_s[1]);
-		if (startup_pipe != -1)
-			close(startup_pipe);
-
-		execv(rexec_argv[0], rexec_argv);
-
-		/* Reexec has failed, fall back and continue */
-		error("rexec of %s failed: %s", rexec_argv[0], strerror(errno));
-		recv_rexec_state(REEXEC_CONFIG_PASS_FD, NULL);
-		log_init(__progname, options.log_level,
-		    options.log_facility, log_stderr);
-
-		/* Clean up fds */
-		startup_pipe = REEXEC_STARTUP_PIPE_FD;
-		close(config_s[1]);
-		close(REEXEC_CONFIG_PASS_FD);
-		newsock = sock_out = sock_in = dup(STDIN_FILENO);
-		if ((fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) {
-			dup2(fd, STDIN_FILENO);
-			dup2(fd, STDOUT_FILENO);
-			if (fd > STDERR_FILENO)
-				close(fd);
-		}
-		debug("rexec cleanup in %d out %d newsock %d pipe %d sock %d",
-		    sock_in, sock_out, newsock, startup_pipe, config_s[0]);
-	}
-
-	/*
-	 * Disable the key regeneration alarm.  We will not regenerate the
-	 * key since we are no longer in a position to give it to anyone. We
-	 * will not restart on SIGHUP since it no longer makes sense.
-	 */
-	alarm(0);
-	signal(SIGALRM, SIG_DFL);
-	signal(SIGHUP, SIG_DFL);
-	signal(SIGTERM, SIG_DFL);
-	signal(SIGQUIT, SIG_DFL);
-	signal(SIGCHLD, SIG_DFL);
-	signal(SIGINT, SIG_DFL);
-
-	/*
-	 * Register our connection.  This turns encryption off because we do
-	 * not have a key.
-	 */
-	packet_set_connection(sock_in, sock_out);
-	packet_set_server();
-
-	/* Set SO_KEEPALIVE if requested. */
-	if (options.tcp_keep_alive && packet_connection_is_on_socket() &&
-	    setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) < 0)
-		error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
-
-	if ((remote_port = get_remote_port()) < 0) {
-		debug("get_remote_port failed");
-		cleanup_exit(255);
-	}
-
-	/*
-	 * We use get_canonical_hostname with usedns = 0 instead of
-	 * get_remote_ipaddr here so IP options will be checked.
-	 */
-	(void) get_canonical_hostname(0);
-	/*
-	 * The rest of the code depends on the fact that
-	 * get_remote_ipaddr() caches the remote ip, even if
-	 * the socket goes away.
-	 */
-	remote_ip = get_remote_ipaddr();
-
-#ifdef SSH_AUDIT_EVENTS
-	audit_connection_from(remote_ip, remote_port);
-#endif
-#ifdef LIBWRAP
-	/* Check whether logins are denied from this host. */
-	if (packet_connection_is_on_socket()) {
-		struct request_info req;
-
-		request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
-		fromhost(&req);
-
-		if (!hosts_access(&req)) {
-			debug("Connection refused by tcp wrapper");
-			refuse(&req);
-			/* NOTREACHED */
-			fatal("libwrap refuse returns");
-		}
-	}
-#endif /* LIBWRAP */
-
-	/* Log the connection. */
-	verbose("Connection from %.500s port %d", remote_ip, remote_port);
-
-	/*
-	 * We don't want to listen forever unless the other side
-	 * successfully authenticates itself.  So we set up an alarm which is
-	 * cleared after successful authentication.  A limit of zero
-	 * indicates no limit. Note that we don't set the alarm in debugging
-	 * mode; it is just annoying to have the server exit just when you
-	 * are about to discover the bug.
-	 */
-	signal(SIGALRM, grace_alarm_handler);
-	if (!debug_flag)
-		alarm(options.login_grace_time);
-
-	sshd_exchange_identification(sock_in, sock_out);
-
-	packet_set_nonblocking();
-
-	/* allocate authentication context */
-	authctxt = xcalloc(1, sizeof(*authctxt));
-
-	authctxt->loginmsg = &loginmsg;
-
-	/* XXX global for cleanup, access from other modules */
-	the_authctxt = authctxt;
-
-	/* prepare buffer to collect messages to display to user after login */
-	buffer_init(&loginmsg);
-
-	if (use_privsep)
-		if (privsep_preauth(authctxt) == 1)
-			goto authenticated;
-
-	/* perform the key exchange */
-	/* authenticate user and start session */
-	if (compat20) {
-		do_ssh2_kex();
-		do_authentication2(authctxt);
-	} else {
-		do_ssh1_kex();
-		do_authentication(authctxt);
-	}
-	/*
-	 * If we use privilege separation, the unprivileged child transfers
-	 * the current keystate and exits
-	 */
-	if (use_privsep) {
-		mm_send_keystate(pmonitor);
-		exit(0);
-	}
-
- authenticated:
-	/*
-	 * Cancel the alarm we set to limit the time taken for
-	 * authentication.
-	 */
-	alarm(0);
-	signal(SIGALRM, SIG_DFL);
-	authctxt->authenticated = 1;
-	if (startup_pipe != -1) {
-		close(startup_pipe);
-		startup_pipe = -1;
-	}
-
-#ifdef SSH_AUDIT_EVENTS
-	audit_event(SSH_AUTH_SUCCESS);
-#endif
-
-	/*
-	 * In privilege separation, we fork another child and prepare
-	 * file descriptor passing.
-	 */
-	if (use_privsep) {
-		privsep_postauth(authctxt);
-		/* the monitor process [priv] will not return */
-		if (!compat20)
-			destroy_sensitive_data();
-	}
-
-	/* Start session. */
-	do_authenticated(authctxt);
-
-	/* The connection has been terminated. */
-	verbose("Closing connection to %.100s", remote_ip);
-
-#ifdef USE_PAM
-	if (options.use_pam)
-		finish_pam();
-#endif /* USE_PAM */
-
-#ifdef SSH_AUDIT_EVENTS
-	PRIVSEP(audit_event(SSH_CONNECTION_CLOSE));
-#endif
-
-	packet_close();
-
-	if (use_privsep)
-		mm_terminate();
-
-	exit(0);
-}
-
-/*
- * Decrypt session_key_int using our private server key and private host key
- * (key with larger modulus first).
- */
-int
-ssh1_session_key(BIGNUM *session_key_int)
-{
-	int rsafail = 0;
-
-	if (BN_cmp(sensitive_data.server_key->rsa->n,
-	    sensitive_data.ssh1_host_key->rsa->n) > 0) {
-		/* Server key has bigger modulus. */
-		if (BN_num_bits(sensitive_data.server_key->rsa->n) <
-		    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) +
-		    SSH_KEY_BITS_RESERVED) {
-			fatal("do_connection: %s: "
-			    "server_key %d < host_key %d + SSH_KEY_BITS_RESERVED %d",
-			    get_remote_ipaddr(),
-			    BN_num_bits(sensitive_data.server_key->rsa->n),
-			    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n),
-			    SSH_KEY_BITS_RESERVED);
-		}
-		if (rsa_private_decrypt(session_key_int, session_key_int,
-		    sensitive_data.server_key->rsa) <= 0)
-			rsafail++;
-		if (rsa_private_decrypt(session_key_int, session_key_int,
-		    sensitive_data.ssh1_host_key->rsa) <= 0)
-			rsafail++;
-	} else {
-		/* Host key has bigger modulus (or they are equal). */
-		if (BN_num_bits(sensitive_data.ssh1_host_key->rsa->n) <
-		    BN_num_bits(sensitive_data.server_key->rsa->n) +
-		    SSH_KEY_BITS_RESERVED) {
-			fatal("do_connection: %s: "
-			    "host_key %d < server_key %d + SSH_KEY_BITS_RESERVED %d",
-			    get_remote_ipaddr(),
-			    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n),
-			    BN_num_bits(sensitive_data.server_key->rsa->n),
-			    SSH_KEY_BITS_RESERVED);
-		}
-		if (rsa_private_decrypt(session_key_int, session_key_int,
-		    sensitive_data.ssh1_host_key->rsa) < 0)
-			rsafail++;
-		if (rsa_private_decrypt(session_key_int, session_key_int,
-		    sensitive_data.server_key->rsa) < 0)
-			rsafail++;
-	}
-	return (rsafail);
-}
-/*
- * SSH1 key exchange
- */
-static void
-do_ssh1_kex(void)
-{
-	int i, len;
-	int rsafail = 0;
-	BIGNUM *session_key_int;
-	u_char session_key[SSH_SESSION_KEY_LENGTH];
-	u_char cookie[8];
-	u_int cipher_type, auth_mask, protocol_flags;
-	u_int32_t rnd = 0;
-
-	/*
-	 * Generate check bytes that the client must send back in the user
-	 * packet in order for it to be accepted; this is used to defy ip
-	 * spoofing attacks.  Note that this only works against somebody
-	 * doing IP spoofing from a remote machine; any machine on the local
-	 * network can still see outgoing packets and catch the random
-	 * cookie.  This only affects rhosts authentication, and this is one
-	 * of the reasons why it is inherently insecure.
-	 */
-	for (i = 0; i < 8; i++) {
-		if (i % 4 == 0)
-			rnd = arc4random();
-		cookie[i] = rnd & 0xff;
-		rnd >>= 8;
-	}
-
-	/*
-	 * Send our public key.  We include in the packet 64 bits of random
-	 * data that must be matched in the reply in order to prevent IP
-	 * spoofing.
-	 */
-	packet_start(SSH_SMSG_PUBLIC_KEY);
-	for (i = 0; i < 8; i++)
-		packet_put_char(cookie[i]);
-
-	/* Store our public server RSA key. */
-	packet_put_int(BN_num_bits(sensitive_data.server_key->rsa->n));
-	packet_put_bignum(sensitive_data.server_key->rsa->e);
-	packet_put_bignum(sensitive_data.server_key->rsa->n);
-
-	/* Store our public host RSA key. */
-	packet_put_int(BN_num_bits(sensitive_data.ssh1_host_key->rsa->n));
-	packet_put_bignum(sensitive_data.ssh1_host_key->rsa->e);
-	packet_put_bignum(sensitive_data.ssh1_host_key->rsa->n);
-
-	/* Put protocol flags. */
-	packet_put_int(SSH_PROTOFLAG_HOST_IN_FWD_OPEN);
-
-	/* Declare which ciphers we support. */
-	packet_put_int(cipher_mask_ssh1(0));
-
-	/* Declare supported authentication types. */
-	auth_mask = 0;
-	if (options.rhosts_rsa_authentication)
-		auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA;
-	if (options.rsa_authentication)
-		auth_mask |= 1 << SSH_AUTH_RSA;
-	if (options.challenge_response_authentication == 1)
-		auth_mask |= 1 << SSH_AUTH_TIS;
-	if (options.password_authentication)
-		auth_mask |= 1 << SSH_AUTH_PASSWORD;
-	packet_put_int(auth_mask);
-
-	/* Send the packet and wait for it to be sent. */
-	packet_send();
-	packet_write_wait();
-
-	debug("Sent %d bit server key and %d bit host key.",
-	    BN_num_bits(sensitive_data.server_key->rsa->n),
-	    BN_num_bits(sensitive_data.ssh1_host_key->rsa->n));
-
-	/* Read clients reply (cipher type and session key). */
-	packet_read_expect(SSH_CMSG_SESSION_KEY);
-
-	/* Get cipher type and check whether we accept this. */
-	cipher_type = packet_get_char();
-
-	if (!(cipher_mask_ssh1(0) & (1 << cipher_type)))
-		packet_disconnect("Warning: client selects unsupported cipher.");
-
-	/* Get check bytes from the packet.  These must match those we
-	   sent earlier with the public key packet. */
-	for (i = 0; i < 8; i++)
-		if (cookie[i] != packet_get_char())
-			packet_disconnect("IP Spoofing check bytes do not match.");
-
-	debug("Encryption type: %.200s", cipher_name(cipher_type));
-
-	/* Get the encrypted integer. */
-	if ((session_key_int = BN_new()) == NULL)
-		fatal("do_ssh1_kex: BN_new failed");
-	packet_get_bignum(session_key_int);
-
-	protocol_flags = packet_get_int();
-	packet_set_protocol_flags(protocol_flags);
-	packet_check_eom();
-
-	/* Decrypt session_key_int using host/server keys */
-	rsafail = PRIVSEP(ssh1_session_key(session_key_int));
-
-	/*
-	 * Extract session key from the decrypted integer.  The key is in the
-	 * least significant 256 bits of the integer; the first byte of the
-	 * key is in the highest bits.
-	 */
-	if (!rsafail) {
-		(void) BN_mask_bits(session_key_int, sizeof(session_key) * 8);
-		len = BN_num_bytes(session_key_int);
-		if (len < 0 || (u_int)len > sizeof(session_key)) {
-			error("do_ssh1_kex: bad session key len from %s: "
-			    "session_key_int %d > sizeof(session_key) %lu",
-			    get_remote_ipaddr(), len, (u_long)sizeof(session_key));
-			rsafail++;
-		} else {
-			memset(session_key, 0, sizeof(session_key));
-			BN_bn2bin(session_key_int,
-			    session_key + sizeof(session_key) - len);
-
-			derive_ssh1_session_id(
-			    sensitive_data.ssh1_host_key->rsa->n,
-			    sensitive_data.server_key->rsa->n,
-			    cookie, session_id);
-			/*
-			 * Xor the first 16 bytes of the session key with the
-			 * session id.
-			 */
-			for (i = 0; i < 16; i++)
-				session_key[i] ^= session_id[i];
-		}
-	}
-	if (rsafail) {
-		int bytes = BN_num_bytes(session_key_int);
-		u_char *buf = xmalloc(bytes);
-		MD5_CTX md;
-
-		logit("do_connection: generating a fake encryption key");
-		BN_bn2bin(session_key_int, buf);
-		MD5_Init(&md);
-		MD5_Update(&md, buf, bytes);
-		MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
-		MD5_Final(session_key, &md);
-		MD5_Init(&md);
-		MD5_Update(&md, session_key, 16);
-		MD5_Update(&md, buf, bytes);
-		MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
-		MD5_Final(session_key + 16, &md);
-		memset(buf, 0, bytes);
-		xfree(buf);
-		for (i = 0; i < 16; i++)
-			session_id[i] = session_key[i] ^ session_key[i + 16];
-	}
-	/* Destroy the private and public keys. No longer. */
-	destroy_sensitive_data();
-
-	if (use_privsep)
-		mm_ssh1_session_id(session_id);
-
-	/* Destroy the decrypted integer.  It is no longer needed. */
-	BN_clear_free(session_key_int);
-
-	/* Set the session key.  From this on all communications will be encrypted. */
-	packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, cipher_type);
-
-	/* Destroy our copy of the session key.  It is no longer needed. */
-	memset(session_key, 0, sizeof(session_key));
-
-	debug("Received session key; encryption turned on.");
-
-	/* Send an acknowledgment packet.  Note that this packet is sent encrypted. */
-	packet_start(SSH_SMSG_SUCCESS);
-	packet_send();
-	packet_write_wait();
-}
-
-/*
- * SSH2 key exchange: diffie-hellman-group1-sha1
- */
-static void
-do_ssh2_kex(void)
-{
-	Kex *kex;
-
-	if (options.ciphers != NULL) {
-		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
-		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
-	}
-	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
-	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
-	myproposal[PROPOSAL_ENC_ALGS_STOC] =
-	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]);
-
-	if (options.macs != NULL) {
-		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
-		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
-	}
-	if (options.compression == COMP_NONE) {
-		myproposal[PROPOSAL_COMP_ALGS_CTOS] =
-		myproposal[PROPOSAL_COMP_ALGS_STOC] = "none";
-	} else if (options.compression == COMP_DELAYED) {
-		myproposal[PROPOSAL_COMP_ALGS_CTOS] =
-		myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com";
-	}
-
-	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
-
-	/* start key exchange */
-	kex = kex_setup(myproposal);
-	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
-	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
-	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
-	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
-	kex->server = 1;
-	kex->client_version_string=client_version_string;
-	kex->server_version_string=server_version_string;
-	kex->load_host_key=&get_hostkey_by_type;
-	kex->host_key_index=&get_hostkey_index;
-
-	xxx_kex = kex;
-
-	dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
-
-	session_id2 = kex->session_id;
-	session_id2_len = kex->session_id_len;
-
-#ifdef DEBUG_KEXDH
-	/* send 1st encrypted/maced/compressed message */
-	packet_start(SSH2_MSG_IGNORE);
-	packet_put_cstring("markus");
-	packet_send();
-	packet_write_wait();
-#endif
-	debug("KEX done");
-}
-
-/* server specific fatal cleanup */
-void
-cleanup_exit(int i)
-{
-	if (the_authctxt)
-		do_cleanup(the_authctxt);
-#ifdef SSH_AUDIT_EVENTS
-	/* done after do_cleanup so it can cancel the PAM auth 'thread' */
-	if (!use_privsep || mm_is_monitor())
-		audit_event(SSH_CONNECTION_ABANDON);
-#endif
-	_exit(i);
-}
diff --git a/crypto/openssh/sshd/Makefile b/crypto/openssh/sshd/Makefile
deleted file mode 100644
index 14ef3e0..0000000
--- a/crypto/openssh/sshd/Makefile
+++ /dev/null
@@ -1,56 +0,0 @@
-#	$OpenBSD: Makefile,v 1.51 2002/06/20 19:56:07 stevesk Exp $
-
-.PATH:		${.CURDIR}/..
-
-PROG=	sshd
-BINOWN=	root
-BINMODE=555
-BINDIR=	/usr/sbin
-MAN=	sshd.8 sshd_config.5
-CFLAGS+=-DHAVE_LOGIN_CAP -DBSD_AUTH
-
-SRCS=	sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \
-	sshpty.c sshlogin.c servconf.c serverloop.c uidswap.c \
-	auth.c auth1.c auth2.c auth-options.c session.c \
-	auth-chall.c auth2-chall.c groupaccess.c \
-	auth-skey.c auth-bsdauth.c monitor_mm.c monitor.c \
-	auth2-none.c auth2-passwd.c auth2-pubkey.c \
-	auth2-hostbased.c auth2-kbdint.c
-
-.include <bsd.own.mk> # for KERBEROS and AFS
-
-.if (${KERBEROS5:L} == "yes")
-CFLAGS+=-DKRB5 -I${DESTDIR}/usr/include/kerberosV
-SRCS+=  auth-krb5.c
-LDADD+= -lkrb5 -lkafs -lasn1 -lcom_err
-DPADD+= ${LIBKRB5} ${LIBKAFS} ${LIBASN1} ${LIBCOM_ERR}
-.endif # KERBEROS5
-
-.if (${KERBEROS:L} == "yes")
-.if (${AFS:L} == "yes")
-CFLAGS+= -DAFS
-LDADD+=  -lkafs
-DPADD+=  ${LIBKAFS}
-.endif # AFS
-CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV
-SRCS+=	auth-krb4.c
-LDADD+=	 -lkrb
-DPADD+=	 ${LIBKRB}
-.endif # KERBEROS
-
-.include <bsd.prog.mk>
-
-LDADD+=	-lcrypto -lutil -lz -ldes
-DPADD+=	${LIBCRYPTO} ${LIBUTIL} ${LIBZ} ${LIBDES}
-
-.if (${TCP_WRAPPERS:L} == "yes")
-CFLAGS+= -DLIBWRAP
-LDADD+= -lwrap
-DPADD+= ${LIBWRAP}
-.endif
-
-#.if (${SKEY:L} == "yes")
-#CFLAGS+= -DSKEY
-#LDADD+= -lskey
-#DPADD+= ${SKEY}
-#.endif
diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config
deleted file mode 100644
index 6a3cad8..0000000
--- a/crypto/openssh/sshd_config
+++ /dev/null
@@ -1,112 +0,0 @@
-#	$OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
-
-# This is the sshd server system-wide configuration file.  See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented.  Uncommented options change a
-# default value.
-
-#Port 22
-#Protocol 2,1
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
-
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 768
-
-# Logging
-# obsoletes QuietMode and FascistLogging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
-#PermitRootLogin yes
-#StrictModes yes
-#MaxAuthTries 6
-
-#RSAAuthentication yes
-#PubkeyAuthentication yes
-#AuthorizedKeysFile	.ssh/authorized_keys
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
-# similar for protocol version 2
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
-#PermitEmptyPasswords no
-
-# Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-# Set this to 'yes' to enable PAM authentication, account processing, 
-# and session processing. If this is enabled, PAM authentication will 
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-#UsePAM no
-
-#AllowTcpForwarding yes
-#GatewayPorts no
-#X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PrintMotd yes
-#PrintLastLog yes
-#TCPKeepAlive yes
-#UseLogin no
-#UsePrivilegeSeparation yes
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS yes
-#PidFile /var/run/sshd.pid
-#MaxStartups 10
-#PermitTunnel no
-
-# no default banner path
-#Banner /some/path
-
-# override default of no subsystems
-Subsystem	sftp	/usr/libexec/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-#	X11Forwarding no
-#	AllowTcpForwarding no
-#	ForceCommand cvs server
diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5
deleted file mode 100644
index 2bcaf22..0000000
--- a/crypto/openssh/sshd_config.5
+++ /dev/null
@@ -1,962 +0,0 @@
-.\"  -*- nroff -*-
-.\"
-.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
-.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
-.\"                    All rights reserved
-.\"
-.\" As far as I am concerned, the code I have written for this software
-.\" can be used freely for any purpose.  Any derived versions of this
-.\" software must be clearly marked as such, and if the derived work is
-.\" incompatible with the protocol description in the RFC file, it must be
-.\" called by a name other than "ssh" or "Secure Shell".
-.\"
-.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
-.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
-.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in the
-.\"    documentation and/or other materials provided with the distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" $OpenBSD: sshd_config.5,v 1.70 2006/08/21 08:14:01 dtucker Exp $
-.Dd September 25, 1999
-.Dt SSHD_CONFIG 5
-.Os
-.Sh NAME
-.Nm sshd_config
-.Nd OpenSSH SSH daemon configuration file
-.Sh SYNOPSIS
-.Bl -tag -width Ds -compact
-.It Pa /etc/ssh/sshd_config
-.El
-.Sh DESCRIPTION
-.Xr sshd 8
-reads configuration data from
-.Pa /etc/ssh/sshd_config
-(or the file specified with
-.Fl f
-on the command line).
-The file contains keyword-argument pairs, one per line.
-Lines starting with
-.Ql #
-and empty lines are interpreted as comments.
-Arguments may optionally be enclosed in double quotes
-.Pq \&"
-in order to represent arguments containing spaces.
-.Pp
-The possible
-keywords and their meanings are as follows (note that
-keywords are case-insensitive and arguments are case-sensitive):
-.Bl -tag -width Ds
-.It Cm AcceptEnv
-Specifies what environment variables sent by the client will be copied into
-the session's
-.Xr environ 7 .
-See
-.Cm SendEnv
-in
-.Xr ssh_config 5
-for how to configure the client.
-Note that environment passing is only supported for protocol 2.
-Variables are specified by name, which may contain the wildcard characters
-.Ql *
-and
-.Ql \&? .
-Multiple environment variables may be separated by whitespace or spread
-across multiple
-.Cm AcceptEnv
-directives.
-Be warned that some environment variables could be used to bypass restricted
-user environments.
-For this reason, care should be taken in the use of this directive.
-The default is not to accept any environment variables.
-.It Cm AddressFamily
-Specifies which address family should be used by
-.Xr sshd 8 .
-Valid arguments are
-.Dq any ,
-.Dq inet
-(use IPv4 only), or
-.Dq inet6
-(use IPv6 only).
-The default is
-.Dq any .
-.It Cm AllowGroups
-This keyword can be followed by a list of group name patterns, separated
-by spaces.
-If specified, login is allowed only for users whose primary
-group or supplementary group list matches one of the patterns.
-Only group names are valid; a numerical group ID is not recognized.
-By default, login is allowed for all groups.
-The allow/deny directives are processed in the following order:
-.Cm DenyUsers ,
-.Cm AllowUsers ,
-.Cm DenyGroups ,
-and finally
-.Cm AllowGroups .
-.Pp
-See
-.Sx PATTERNS
-in
-.Xr ssh_config 5
-for more information on patterns.
-.It Cm AllowTcpForwarding
-Specifies whether TCP forwarding is permitted.
-The default is
-.Dq yes .
-Note that disabling TCP forwarding does not improve security unless
-users are also denied shell access, as they can always install their
-own forwarders.
-.It Cm AllowUsers
-This keyword can be followed by a list of user name patterns, separated
-by spaces.
-If specified, login is allowed only for user names that
-match one of the patterns.
-Only user names are valid; a numerical user ID is not recognized.
-By default, login is allowed for all users.
-If the pattern takes the form USER@HOST then USER and HOST
-are separately checked, restricting logins to particular
-users from particular hosts.
-The allow/deny directives are processed in the following order:
-.Cm DenyUsers ,
-.Cm AllowUsers ,
-.Cm DenyGroups ,
-and finally
-.Cm AllowGroups .
-.Pp
-See
-.Sx PATTERNS
-in
-.Xr ssh_config 5
-for more information on patterns.
-.It Cm AuthorizedKeysFile
-Specifies the file that contains the public keys that can be used
-for user authentication.
-.Cm AuthorizedKeysFile
-may contain tokens of the form %T which are substituted during connection
-setup.
-The following tokens are defined: %% is replaced by a literal '%',
-%h is replaced by the home directory of the user being authenticated, and
-%u is replaced by the username of that user.
-After expansion,
-.Cm AuthorizedKeysFile
-is taken to be an absolute path or one relative to the user's home
-directory.
-The default is
-.Dq .ssh/authorized_keys .
-.It Cm Banner
-In some jurisdictions, sending a warning message before authentication
-may be relevant for getting legal protection.
-The contents of the specified file are sent to the remote user before
-authentication is allowed.
-This option is only available for protocol version 2.
-By default, no banner is displayed.
-.It Cm ChallengeResponseAuthentication
-Specifies whether challenge-response authentication is allowed.
-All authentication styles from
-.Xr login.conf 5
-are supported.
-The default is
-.Dq yes .
-.It Cm Ciphers
-Specifies the ciphers allowed for protocol version 2.
-Multiple ciphers must be comma-separated.
-The supported ciphers are
-.Dq 3des-cbc ,
-.Dq aes128-cbc ,
-.Dq aes192-cbc ,
-.Dq aes256-cbc ,
-.Dq aes128-ctr ,
-.Dq aes192-ctr ,
-.Dq aes256-ctr ,
-.Dq arcfour128 ,
-.Dq arcfour256 ,
-.Dq arcfour ,
-.Dq blowfish-cbc ,
-and
-.Dq cast128-cbc .
-The default is:
-.Bd -literal -offset 3n
-aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
-arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
-aes192-ctr,aes256-ctr
-.Ed
-.It Cm ClientAliveCountMax
-Sets the number of client alive messages (see below) which may be
-sent without
-.Xr sshd 8
-receiving any messages back from the client.
-If this threshold is reached while client alive messages are being sent,
-sshd will disconnect the client, terminating the session.
-It is important to note that the use of client alive messages is very
-different from
-.Cm TCPKeepAlive
-(below).
-The client alive messages are sent through the encrypted channel
-and therefore will not be spoofable.
-The TCP keepalive option enabled by
-.Cm TCPKeepAlive
-is spoofable.
-The client alive mechanism is valuable when the client or
-server depend on knowing when a connection has become inactive.
-.Pp
-The default value is 3.
-If
-.Cm ClientAliveInterval
-(see below) is set to 15, and
-.Cm ClientAliveCountMax
-is left at the default, unresponsive SSH clients
-will be disconnected after approximately 45 seconds.
-This option applies to protocol version 2 only.
-.It Cm ClientAliveInterval
-Sets a timeout interval in seconds after which if no data has been received
-from the client,
-.Xr sshd 8
-will send a message through the encrypted
-channel to request a response from the client.
-The default
-is 0, indicating that these messages will not be sent to the client.
-This option applies to protocol version 2 only.
-.It Cm Compression
-Specifies whether compression is allowed, or delayed until
-the user has authenticated successfully.
-The argument must be
-.Dq yes ,
-.Dq delayed ,
-or
-.Dq no .
-The default is
-.Dq delayed .
-.It Cm DenyGroups
-This keyword can be followed by a list of group name patterns, separated
-by spaces.
-Login is disallowed for users whose primary group or supplementary
-group list matches one of the patterns.
-Only group names are valid; a numerical group ID is not recognized.
-By default, login is allowed for all groups.
-The allow/deny directives are processed in the following order:
-.Cm DenyUsers ,
-.Cm AllowUsers ,
-.Cm DenyGroups ,
-and finally
-.Cm AllowGroups .
-.Pp
-See
-.Sx PATTERNS
-in
-.Xr ssh_config 5
-for more information on patterns.
-.It Cm DenyUsers
-This keyword can be followed by a list of user name patterns, separated
-by spaces.
-Login is disallowed for user names that match one of the patterns.
-Only user names are valid; a numerical user ID is not recognized.
-By default, login is allowed for all users.
-If the pattern takes the form USER@HOST then USER and HOST
-are separately checked, restricting logins to particular
-users from particular hosts.
-The allow/deny directives are processed in the following order:
-.Cm DenyUsers ,
-.Cm AllowUsers ,
-.Cm DenyGroups ,
-and finally
-.Cm AllowGroups .
-.Pp
-See
-.Sx PATTERNS
-in
-.Xr ssh_config 5
-for more information on patterns.
-.It Cm ForceCommand
-Forces the execution of the command specified by
-.Cm ForceCommand ,
-ignoring any command supplied by the client.
-The command is invoked by using the user's login shell with the -c option.
-This applies to shell, command, or subsystem execution.
-It is most useful inside a
-.Cm Match
-block.
-The command originally supplied by the client is available in the
-.Ev SSH_ORIGINAL_COMMAND
-environment variable.
-.It Cm GatewayPorts
-Specifies whether remote hosts are allowed to connect to ports
-forwarded for the client.
-By default,
-.Xr sshd 8
-binds remote port forwardings to the loopback address.
-This prevents other remote hosts from connecting to forwarded ports.
-.Cm GatewayPorts
-can be used to specify that sshd
-should allow remote port forwardings to bind to non-loopback addresses, thus
-allowing other hosts to connect.
-The argument may be
-.Dq no
-to force remote port forwardings to be available to the local host only,
-.Dq yes
-to force remote port forwardings to bind to the wildcard address, or
-.Dq clientspecified
-to allow the client to select the address to which the forwarding is bound.
-The default is
-.Dq no .
-.It Cm GSSAPIAuthentication
-Specifies whether user authentication based on GSSAPI is allowed.
-The default is
-.Dq no .
-Note that this option applies to protocol version 2 only.
-.It Cm GSSAPICleanupCredentials
-Specifies whether to automatically destroy the user's credentials cache
-on logout.
-The default is
-.Dq yes .
-Note that this option applies to protocol version 2 only.
-.It Cm HostbasedAuthentication
-Specifies whether rhosts or /etc/hosts.equiv authentication together
-with successful public key client host authentication is allowed
-(host-based authentication).
-This option is similar to
-.Cm RhostsRSAAuthentication
-and applies to protocol version 2 only.
-The default is
-.Dq no .
-.It Cm HostbasedUsesNameFromPacketOnly
-Specifies whether or not the server will attempt to perform a reverse
-name lookup when matching the name in the
-.Pa ~/.shosts ,
-.Pa ~/.rhosts ,
-and
-.Pa /etc/hosts.equiv
-files during
-.Cm HostbasedAuthentication .
-A setting of
-.Dq yes
-means that
-.Xr sshd 8
-uses the name supplied by the client rather than
-attempting to resolve the name from the TCP connection itself.
-The default is
-.Dq no .
-.It Cm HostKey
-Specifies a file containing a private host key
-used by SSH.
-The default is
-.Pa /etc/ssh/ssh_host_key
-for protocol version 1, and
-.Pa /etc/ssh/ssh_host_rsa_key
-and
-.Pa /etc/ssh/ssh_host_dsa_key
-for protocol version 2.
-Note that
-.Xr sshd 8
-will refuse to use a file if it is group/world-accessible.
-It is possible to have multiple host key files.
-.Dq rsa1
-keys are used for version 1 and
-.Dq dsa
-or
-.Dq rsa
-are used for version 2 of the SSH protocol.
-.It Cm IgnoreRhosts
-Specifies that
-.Pa .rhosts
-and
-.Pa .shosts
-files will not be used in
-.Cm RhostsRSAAuthentication
-or
-.Cm HostbasedAuthentication .
-.Pp
-.Pa /etc/hosts.equiv
-and
-.Pa /etc/shosts.equiv
-are still used.
-The default is
-.Dq yes .
-.It Cm IgnoreUserKnownHosts
-Specifies whether
-.Xr sshd 8
-should ignore the user's
-.Pa ~/.ssh/known_hosts
-during
-.Cm RhostsRSAAuthentication
-or
-.Cm HostbasedAuthentication .
-The default is
-.Dq no .
-.It Cm KerberosAuthentication
-Specifies whether the password provided by the user for
-.Cm PasswordAuthentication
-will be validated through the Kerberos KDC.
-To use this option, the server needs a
-Kerberos servtab which allows the verification of the KDC's identity.
-The default is
-.Dq no .
-.It Cm KerberosGetAFSToken
-If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire
-an AFS token before accessing the user's home directory.
-The default is
-.Dq no .
-.It Cm KerberosOrLocalPasswd
-If password authentication through Kerberos fails then
-the password will be validated via any additional local mechanism
-such as
-.Pa /etc/passwd .
-The default is
-.Dq yes .
-.It Cm KerberosTicketCleanup
-Specifies whether to automatically destroy the user's ticket cache
-file on logout.
-The default is
-.Dq yes .
-.It Cm KeyRegenerationInterval
-In protocol version 1, the ephemeral server key is automatically regenerated
-after this many seconds (if it has been used).
-The purpose of regeneration is to prevent
-decrypting captured sessions by later breaking into the machine and
-stealing the keys.
-The key is never stored anywhere.
-If the value is 0, the key is never regenerated.
-The default is 3600 (seconds).
-.It Cm ListenAddress
-Specifies the local addresses
-.Xr sshd 8
-should listen on.
-The following forms may be used:
-.Pp
-.Bl -item -offset indent -compact
-.It
-.Cm ListenAddress
-.Sm off
-.Ar host No | Ar IPv4_addr No | Ar IPv6_addr
-.Sm on
-.It
-.Cm ListenAddress
-.Sm off
-.Ar host No | Ar IPv4_addr No : Ar port
-.Sm on
-.It
-.Cm ListenAddress
-.Sm off
-.Oo
-.Ar host No | Ar IPv6_addr Oc : Ar port
-.Sm on
-.El
-.Pp
-If
-.Ar port
-is not specified,
-sshd will listen on the address and all prior
-.Cm Port
-options specified.
-The default is to listen on all local addresses.
-Multiple
-.Cm ListenAddress
-options are permitted.
-Additionally, any
-.Cm Port
-options must precede this option for non-port qualified addresses.
-.It Cm LoginGraceTime
-The server disconnects after this time if the user has not
-successfully logged in.
-If the value is 0, there is no time limit.
-The default is 120 seconds.
-.It Cm LogLevel
-Gives the verbosity level that is used when logging messages from
-.Xr sshd 8 .
-The possible values are:
-QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
-The default is INFO.
-DEBUG and DEBUG1 are equivalent.
-DEBUG2 and DEBUG3 each specify higher levels of debugging output.
-Logging with a DEBUG level violates the privacy of users and is not recommended.
-.It Cm MACs
-Specifies the available MAC (message authentication code) algorithms.
-The MAC algorithm is used in protocol version 2
-for data integrity protection.
-Multiple algorithms must be comma-separated.
-The default is:
-.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
-.It Cm Match
-Introduces a conditional block.
-If all of the criteria on the
-.Cm Match
-line are satisfied, the keywords on the following lines override those
-set in the global section of the config file, until either another
-.Cm Match
-line or the end of the file.
-The arguments to
-.Cm Match
-are one or more criteria-pattern pairs.
-The available criteria are
-.Cm User ,
-.Cm Group ,
-.Cm Host ,
-and
-.Cm Address .
-Only a subset of keywords may be used on the lines following a
-.Cm Match
-keyword.
-Available keywords are
-.Cm AllowTcpForwarding ,
-.Cm ForceCommand ,
-.Cm GatewayPorts ,
-.Cm PermitOpen ,
-.Cm X11DisplayOffset ,
-.Cm X11Forwarding ,
-and
-.Cm X11UseLocalHost .
-.It Cm MaxAuthTries
-Specifies the maximum number of authentication attempts permitted per
-connection.
-Once the number of failures reaches half this value,
-additional failures are logged.
-The default is 6.
-.It Cm MaxStartups
-Specifies the maximum number of concurrent unauthenticated connections to the
-SSH daemon.
-Additional connections will be dropped until authentication succeeds or the
-.Cm LoginGraceTime
-expires for a connection.
-The default is 10.
-.Pp
-Alternatively, random early drop can be enabled by specifying
-the three colon separated values
-.Dq start:rate:full
-(e.g. "10:30:60").
-.Xr sshd 8
-will refuse connection attempts with a probability of
-.Dq rate/100
-(30%)
-if there are currently
-.Dq start
-(10)
-unauthenticated connections.
-The probability increases linearly and all connection attempts
-are refused if the number of unauthenticated connections reaches
-.Dq full
-(60).
-.It Cm PasswordAuthentication
-Specifies whether password authentication is allowed.
-The default is
-.Dq yes .
-.It Cm PermitEmptyPasswords
-When password authentication is allowed, it specifies whether the
-server allows login to accounts with empty password strings.
-The default is
-.Dq no .
-.It Cm PermitOpen
-Specifies the destinations to which TCP port forwarding is permitted.
-The forwarding specification must be one of the following forms:
-.Pp
-.Bl -item -offset indent -compact
-.It
-.Cm PermitOpen
-.Sm off
-.Ar host : port
-.Sm on
-.It
-.Cm PermitOpen
-.Sm off
-.Ar IPv4_addr : port
-.Sm on
-.It
-.Cm PermitOpen
-.Sm off
-.Ar \&[ IPv6_addr \&] : port
-.Sm on
-.El
-.Pp
-Multiple forwards may be specified by separating them with whitespace.
-An argument of
-.Dq any
-can be used to remove all restrictions and permit any forwarding requests.
-By default all port forwarding requests are permitted.
-.It Cm PermitRootLogin
-Specifies whether root can log in using
-.Xr ssh 1 .
-The argument must be
-.Dq yes ,
-.Dq without-password ,
-.Dq forced-commands-only ,
-or
-.Dq no .
-The default is
-.Dq yes .
-.Pp
-If this option is set to
-.Dq without-password ,
-password authentication is disabled for root.
-.Pp
-If this option is set to
-.Dq forced-commands-only ,
-root login with public key authentication will be allowed,
-but only if the
-.Ar command
-option has been specified
-(which may be useful for taking remote backups even if root login is
-normally not allowed).
-All other authentication methods are disabled for root.
-.Pp
-If this option is set to
-.Dq no ,
-root is not allowed to log in.
-.It Cm PermitTunnel
-Specifies whether
-.Xr tun 4
-device forwarding is allowed.
-The argument must be
-.Dq yes ,
-.Dq point-to-point
-(layer 3),
-.Dq ethernet
-(layer 2), or
-.Dq no .
-Specifying
-.Dq yes
-permits both
-.Dq point-to-point
-and
-.Dq ethernet .
-The default is
-.Dq no .
-.It Cm PermitUserEnvironment
-Specifies whether
-.Pa ~/.ssh/environment
-and
-.Cm environment=
-options in
-.Pa ~/.ssh/authorized_keys
-are processed by
-.Xr sshd 8 .
-The default is
-.Dq no .
-Enabling environment processing may enable users to bypass access
-restrictions in some configurations using mechanisms such as
-.Ev LD_PRELOAD .
-.It Cm PidFile
-Specifies the file that contains the process ID of the
-SSH daemon.
-The default is
-.Pa /var/run/sshd.pid .
-.It Cm Port
-Specifies the port number that
-.Xr sshd 8
-listens on.
-The default is 22.
-Multiple options of this type are permitted.
-See also
-.Cm ListenAddress .
-.It Cm PrintLastLog
-Specifies whether
-.Xr sshd 8
-should print the date and time of the last user login when a user logs
-in interactively.
-The default is
-.Dq yes .
-.It Cm PrintMotd
-Specifies whether
-.Xr sshd 8
-should print
-.Pa /etc/motd
-when a user logs in interactively.
-(On some systems it is also printed by the shell,
-.Pa /etc/profile ,
-or equivalent.)
-The default is
-.Dq yes .
-.It Cm Protocol
-Specifies the protocol versions
-.Xr sshd 8
-supports.
-The possible values are
-.Sq 1
-and
-.Sq 2 .
-Multiple versions must be comma-separated.
-The default is
-.Dq 2,1 .
-Note that the order of the protocol list does not indicate preference,
-because the client selects among multiple protocol versions offered
-by the server.
-Specifying
-.Dq 2,1
-is identical to
-.Dq 1,2 .
-.It Cm PubkeyAuthentication
-Specifies whether public key authentication is allowed.
-The default is
-.Dq yes .
-Note that this option applies to protocol version 2 only.
-.It Cm RhostsRSAAuthentication
-Specifies whether rhosts or /etc/hosts.equiv authentication together
-with successful RSA host authentication is allowed.
-The default is
-.Dq no .
-This option applies to protocol version 1 only.
-.It Cm RSAAuthentication
-Specifies whether pure RSA authentication is allowed.
-The default is
-.Dq yes .
-This option applies to protocol version 1 only.
-.It Cm ServerKeyBits
-Defines the number of bits in the ephemeral protocol version 1 server key.
-The minimum value is 512, and the default is 768.
-.It Cm StrictModes
-Specifies whether
-.Xr sshd 8
-should check file modes and ownership of the
-user's files and home directory before accepting login.
-This is normally desirable because novices sometimes accidentally leave their
-directory or files world-writable.
-The default is
-.Dq yes .
-.It Cm Subsystem
-Configures an external subsystem (e.g. file transfer daemon).
-Arguments should be a subsystem name and a command (with optional arguments)
-to execute upon subsystem request.
-The command
-.Xr sftp-server 8
-implements the
-.Dq sftp
-file transfer subsystem.
-By default no subsystems are defined.
-Note that this option applies to protocol version 2 only.
-.It Cm SyslogFacility
-Gives the facility code that is used when logging messages from
-.Xr sshd 8 .
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
-LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
-The default is AUTH.
-.It Cm TCPKeepAlive
-Specifies whether the system should send TCP keepalive messages to the
-other side.
-If they are sent, death of the connection or crash of one
-of the machines will be properly noticed.
-However, this means that
-connections will die if the route is down temporarily, and some people
-find it annoying.
-On the other hand, if TCP keepalives are not sent,
-sessions may hang indefinitely on the server, leaving
-.Dq ghost
-users and consuming server resources.
-.Pp
-The default is
-.Dq yes
-(to send TCP keepalive messages), and the server will notice
-if the network goes down or the client host crashes.
-This avoids infinitely hanging sessions.
-.Pp
-To disable TCP keepalive messages, the value should be set to
-.Dq no .
-.It Cm UseDNS
-Specifies whether
-.Xr sshd 8
-should look up the remote host name and check that
-the resolved host name for the remote IP address maps back to the
-very same IP address.
-The default is
-.Dq yes .
-.It Cm UseLogin
-Specifies whether
-.Xr login 1
-is used for interactive login sessions.
-The default is
-.Dq no .
-Note that
-.Xr login 1
-is never used for remote command execution.
-Note also, that if this is enabled,
-.Cm X11Forwarding
-will be disabled because
-.Xr login 1
-does not know how to handle
-.Xr xauth 1
-cookies.
-If
-.Cm UsePrivilegeSeparation
-is specified, it will be disabled after authentication.
-.It Cm UsePAM
-Enables the Pluggable Authentication Module interface.
-If set to
-.Dq yes
-this will enable PAM authentication using
-.Cm ChallengeResponseAuthentication
-and
-.Cm PasswordAuthentication
-in addition to PAM account and session module processing for all
-authentication types.
-.Pp
-Because PAM challenge-response authentication usually serves an equivalent
-role to password authentication, you should disable either
-.Cm PasswordAuthentication
-or
-.Cm ChallengeResponseAuthentication.
-.Pp
-If
-.Cm UsePAM
-is enabled, you will not be able to run
-.Xr sshd 8
-as a non-root user.
-The default is
-.Dq no .
-.It Cm UsePrivilegeSeparation
-Specifies whether
-.Xr sshd 8
-separates privileges by creating an unprivileged child process
-to deal with incoming network traffic.
-After successful authentication, another process will be created that has
-the privilege of the authenticated user.
-The goal of privilege separation is to prevent privilege
-escalation by containing any corruption within the unprivileged processes.
-The default is
-.Dq yes .
-.It Cm X11DisplayOffset
-Specifies the first display number available for
-.Xr sshd 8 Ns 's
-X11 forwarding.
-This prevents sshd from interfering with real X11 servers.
-The default is 10.
-.It Cm X11Forwarding
-Specifies whether X11 forwarding is permitted.
-The argument must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq no .
-.Pp
-When X11 forwarding is enabled, there may be additional exposure to
-the server and to client displays if the
-.Xr sshd 8
-proxy display is configured to listen on the wildcard address (see
-.Cm X11UseLocalhost
-below), though this is not the default.
-Additionally, the authentication spoofing and authentication data
-verification and substitution occur on the client side.
-The security risk of using X11 forwarding is that the client's X11
-display server may be exposed to attack when the SSH client requests
-forwarding (see the warnings for
-.Cm ForwardX11
-in
-.Xr ssh_config 5 ) .
-A system administrator may have a stance in which they want to
-protect clients that may expose themselves to attack by unwittingly
-requesting X11 forwarding, which can warrant a
-.Dq no
-setting.
-.Pp
-Note that disabling X11 forwarding does not prevent users from
-forwarding X11 traffic, as users can always install their own forwarders.
-X11 forwarding is automatically disabled if
-.Cm UseLogin
-is enabled.
-.It Cm X11UseLocalhost
-Specifies whether
-.Xr sshd 8
-should bind the X11 forwarding server to the loopback address or to
-the wildcard address.
-By default,
-sshd binds the forwarding server to the loopback address and sets the
-hostname part of the
-.Ev DISPLAY
-environment variable to
-.Dq localhost .
-This prevents remote hosts from connecting to the proxy display.
-However, some older X11 clients may not function with this
-configuration.
-.Cm X11UseLocalhost
-may be set to
-.Dq no
-to specify that the forwarding server should be bound to the wildcard
-address.
-The argument must be
-.Dq yes
-or
-.Dq no .
-The default is
-.Dq yes .
-.It Cm XAuthLocation
-Specifies the full pathname of the
-.Xr xauth 1
-program.
-The default is
-.Pa /usr/X11R6/bin/xauth .
-.El
-.Sh TIME FORMATS
-.Xr sshd 8
-command-line arguments and configuration file options that specify time
-may be expressed using a sequence of the form:
-.Sm off
-.Ar time Op Ar qualifier ,
-.Sm on
-where
-.Ar time
-is a positive integer value and
-.Ar qualifier
-is one of the following:
-.Pp
-.Bl -tag -width Ds -compact -offset indent
-.It Aq Cm none
-seconds
-.It Cm s | Cm S
-seconds
-.It Cm m | Cm M
-minutes
-.It Cm h | Cm H
-hours
-.It Cm d | Cm D
-days
-.It Cm w | Cm W
-weeks
-.El
-.Pp
-Each member of the sequence is added together to calculate
-the total time value.
-.Pp
-Time format examples:
-.Pp
-.Bl -tag -width Ds -compact -offset indent
-.It 600
-600 seconds (10 minutes)
-.It 10m
-10 minutes
-.It 1h30m
-1 hour 30 minutes (90 minutes)
-.El
-.Sh FILES
-.Bl -tag -width Ds
-.It Pa /etc/ssh/sshd_config
-Contains configuration data for
-.Xr sshd 8 .
-This file should be writable by root only, but it is recommended
-(though not necessary) that it be world-readable.
-.El
-.Sh SEE ALSO
-.Xr sshd 8
-.Sh AUTHORS
-OpenSSH is a derivative of the original and free
-ssh 1.2.12 release by Tatu Ylonen.
-Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
-Theo de Raadt and Dug Song
-removed many bugs, re-added newer features and
-created OpenSSH.
-Markus Friedl contributed the support for SSH
-protocol versions 1.5 and 2.0.
-Niels Provos and Markus Friedl contributed support
-for privilege separation.
diff --git a/crypto/openssh/sshlogin.c b/crypto/openssh/sshlogin.c
deleted file mode 100644
index 0059ff8..0000000
--- a/crypto/openssh/sshlogin.c
+++ /dev/null
@@ -1,156 +0,0 @@
-/* $OpenBSD: sshlogin.c,v 1.25 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * This file performs some of the things login(1) normally does.  We cannot
- * easily use something like login -p -h host -f user, because there are
- * several different logins around, and it is hard to determined what kind of
- * login the current system has.  Also, we want to be able to execute commands
- * on a tty.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- * Copyright (c) 1999 Theo de Raadt.  All rights reserved.
- * Copyright (c) 1999 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <string.h>
-#include <time.h>
-#include <unistd.h>
-
-#include "loginrec.h"
-#include "log.h"
-#include "buffer.h"
-#include "servconf.h"
-
-extern Buffer loginmsg;
-extern ServerOptions options;
-
-/*
- * Returns the time when the user last logged in.  Returns 0 if the
- * information is not available.  This must be called before record_login.
- * The host the user logged in from will be returned in buf.
- */
-time_t
-get_last_login_time(uid_t uid, const char *logname,
-    char *buf, size_t bufsize)
-{
-	struct logininfo li;
-
-	login_get_lastlog(&li, uid);
-	strlcpy(buf, li.hostname, bufsize);
-	return (time_t)li.tv_sec;
-}
-
-/*
- * Generate and store last login message.  This must be done before
- * login_login() is called and lastlog is updated.
- */
-static void
-store_lastlog_message(const char *user, uid_t uid)
-{
-	char *time_string, hostname[MAXHOSTNAMELEN] = "", buf[512];
-	time_t last_login_time;
-
-#ifndef NO_SSH_LASTLOG
-	if (!options.print_lastlog)
-		return;
-
-	last_login_time = get_last_login_time(uid, user, hostname,
-	    sizeof(hostname));
-
-	if (last_login_time != 0) {
-		time_string = ctime(&last_login_time);
-		if (strchr(time_string, '\n'))
-		    *strchr(time_string, '\n') = '\0';
-		if (strcmp(hostname, "") == 0)
-			snprintf(buf, sizeof(buf), "Last login: %s\r\n",
-			    time_string);
-		else
-			snprintf(buf, sizeof(buf), "Last login: %s from %s\r\n",
-			    time_string, hostname);
-		buffer_append(&loginmsg, buf, strlen(buf));
-	}
-#endif /* NO_SSH_LASTLOG */
-}
-
-/*
- * Records that the user has logged in.  I wish these parts of operating
- * systems were more standardized.
- */
-void
-record_login(pid_t pid, const char *tty, const char *user, uid_t uid,
-    const char *host, struct sockaddr *addr, socklen_t addrlen)
-{
-	struct logininfo *li;
-
-	/* save previous login details before writing new */
-	store_lastlog_message(user, uid);
-
-	li = login_alloc_entry(pid, user, host, tty);
-	login_set_addr(li, addr, addrlen);
-	login_login(li);
-	login_free_entry(li);
-}
-
-#ifdef LOGIN_NEEDS_UTMPX
-void
-record_utmp_only(pid_t pid, const char *ttyname, const char *user,
-		 const char *host, struct sockaddr *addr, socklen_t addrlen)
-{
-	struct logininfo *li;
-
-	li = login_alloc_entry(pid, user, host, ttyname);
-	login_set_addr(li, addr, addrlen);
-	login_utmp_only(li);
-	login_free_entry(li);
-}
-#endif
-
-/* Records that the user has logged out. */
-void
-record_logout(pid_t pid, const char *tty, const char *user)
-{
-	struct logininfo *li;
-
-	li = login_alloc_entry(pid, user, NULL, tty);
-	login_logout(li);
-	login_free_entry(li);
-}
diff --git a/crypto/openssh/sshlogin.h b/crypto/openssh/sshlogin.h
deleted file mode 100644
index 500d3fe..0000000
--- a/crypto/openssh/sshlogin.h
+++ /dev/null
@@ -1,23 +0,0 @@
-/* $OpenBSD: sshlogin.h,v 1.8 2006/08/03 03:34:42 deraadt Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-void	record_login(pid_t, const char *, const char *, uid_t,
-    const char *, struct sockaddr *, socklen_t);
-void   record_logout(pid_t, const char *, const char *);
-time_t	get_last_login_time(uid_t, const char *, char *, u_int);
-
-#ifdef LOGIN_NEEDS_UTMPX
-void	record_utmp_only(pid_t, const char *, const char *, const char *,
-		struct sockaddr *, socklen_t);
-#endif
diff --git a/crypto/openssh/sshpty.c b/crypto/openssh/sshpty.c
deleted file mode 100644
index 79c62ee..0000000
--- a/crypto/openssh/sshpty.c
+++ /dev/null
@@ -1,249 +0,0 @@
-/* $OpenBSD: sshpty.c,v 1.26 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Allocating a pseudo-terminal, and making it the controlling tty.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/ioctl.h>
-#include <sys/stat.h>
-#include <signal.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#include <grp.h>
-#ifdef HAVE_PATHS_H
-# include <paths.h>
-#endif
-#include <pwd.h>
-#include <stdarg.h>
-#include <string.h>
-#include <termios.h>
-#ifdef HAVE_UTIL_H
-# include <util.h>
-#endif
-#include <unistd.h>
-
-#include "sshpty.h"
-#include "log.h"
-#include "misc.h"
-
-#ifdef HAVE_PTY_H
-# include <pty.h>
-#endif
-
-#ifndef O_NOCTTY
-#define O_NOCTTY 0
-#endif
-
-/*
- * Allocates and opens a pty.  Returns 0 if no pty could be allocated, or
- * nonzero if a pty was successfully allocated.  On success, open file
- * descriptors for the pty and tty sides and the name of the tty side are
- * returned (the buffer must be able to hold at least 64 characters).
- */
-
-int
-pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen)
-{
-	/* openpty(3) exists in OSF/1 and some other os'es */
-	char *name;
-	int i;
-
-	i = openpty(ptyfd, ttyfd, NULL, NULL, NULL);
-	if (i < 0) {
-		error("openpty: %.100s", strerror(errno));
-		return 0;
-	}
-	name = ttyname(*ttyfd);
-	if (!name)
-		fatal("openpty returns device for which ttyname fails.");
-
-	strlcpy(namebuf, name, namebuflen);	/* possible truncation */
-	return 1;
-}
-
-/* Releases the tty.  Its ownership is returned to root, and permissions to 0666. */
-
-void
-pty_release(const char *tty)
-{
-	if (chown(tty, (uid_t) 0, (gid_t) 0) < 0)
-		error("chown %.100s 0 0 failed: %.100s", tty, strerror(errno));
-	if (chmod(tty, (mode_t) 0666) < 0)
-		error("chmod %.100s 0666 failed: %.100s", tty, strerror(errno));
-}
-
-/* Makes the tty the process's controlling tty and sets it to sane modes. */
-
-void
-pty_make_controlling_tty(int *ttyfd, const char *tty)
-{
-	int fd;
-#ifdef USE_VHANGUP
-	void *old;
-#endif /* USE_VHANGUP */
-
-#ifdef _UNICOS
-	if (setsid() < 0)
-		error("setsid: %.100s", strerror(errno));
-
-	fd = open(tty, O_RDWR|O_NOCTTY);
-	if (fd != -1) {
-		signal(SIGHUP, SIG_IGN);
-		ioctl(fd, TCVHUP, (char *)NULL);
-		signal(SIGHUP, SIG_DFL);
-		setpgid(0, 0);
-		close(fd);
-	} else {
-		error("Failed to disconnect from controlling tty.");
-	}
-
-	debug("Setting controlling tty using TCSETCTTY.");
-	ioctl(*ttyfd, TCSETCTTY, NULL);
-	fd = open("/dev/tty", O_RDWR);
-	if (fd < 0)
-		error("%.100s: %.100s", tty, strerror(errno));
-	close(*ttyfd);
-	*ttyfd = fd;
-#else /* _UNICOS */
-
-	/* First disconnect from the old controlling tty. */
-#ifdef TIOCNOTTY
-	fd = open(_PATH_TTY, O_RDWR | O_NOCTTY);
-	if (fd >= 0) {
-		(void) ioctl(fd, TIOCNOTTY, NULL);
-		close(fd);
-	}
-#endif /* TIOCNOTTY */
-	if (setsid() < 0)
-		error("setsid: %.100s", strerror(errno));
-
-	/*
-	 * Verify that we are successfully disconnected from the controlling
-	 * tty.
-	 */
-	fd = open(_PATH_TTY, O_RDWR | O_NOCTTY);
-	if (fd >= 0) {
-		error("Failed to disconnect from controlling tty.");
-		close(fd);
-	}
-	/* Make it our controlling tty. */
-#ifdef TIOCSCTTY
-	debug("Setting controlling tty using TIOCSCTTY.");
-	if (ioctl(*ttyfd, TIOCSCTTY, NULL) < 0)
-		error("ioctl(TIOCSCTTY): %.100s", strerror(errno));
-#endif /* TIOCSCTTY */
-#ifdef NEED_SETPGRP
-	if (setpgrp(0,0) < 0)
-		error("SETPGRP %s",strerror(errno));
-#endif /* NEED_SETPGRP */
-#ifdef USE_VHANGUP
-	old = signal(SIGHUP, SIG_IGN);
-	vhangup();
-	signal(SIGHUP, old);
-#endif /* USE_VHANGUP */
-	fd = open(tty, O_RDWR);
-	if (fd < 0) {
-		error("%.100s: %.100s", tty, strerror(errno));
-	} else {
-#ifdef USE_VHANGUP
-		close(*ttyfd);
-		*ttyfd = fd;
-#else /* USE_VHANGUP */
-		close(fd);
-#endif /* USE_VHANGUP */
-	}
-	/* Verify that we now have a controlling tty. */
-	fd = open(_PATH_TTY, O_WRONLY);
-	if (fd < 0)
-		error("open /dev/tty failed - could not set controlling tty: %.100s",
-		    strerror(errno));
-	else
-		close(fd);
-#endif /* _UNICOS */
-}
-
-/* Changes the window size associated with the pty. */
-
-void
-pty_change_window_size(int ptyfd, u_int row, u_int col,
-	u_int xpixel, u_int ypixel)
-{
-	struct winsize w;
-
-	/* may truncate u_int -> u_short */
-	w.ws_row = row;
-	w.ws_col = col;
-	w.ws_xpixel = xpixel;
-	w.ws_ypixel = ypixel;
-	(void) ioctl(ptyfd, TIOCSWINSZ, &w);
-}
-
-void
-pty_setowner(struct passwd *pw, const char *tty)
-{
-	struct group *grp;
-	gid_t gid;
-	mode_t mode;
-	struct stat st;
-
-	/* Determine the group to make the owner of the tty. */
-	grp = getgrnam("tty");
-	if (grp) {
-		gid = grp->gr_gid;
-		mode = S_IRUSR | S_IWUSR | S_IWGRP;
-	} else {
-		gid = pw->pw_gid;
-		mode = S_IRUSR | S_IWUSR | S_IWGRP | S_IWOTH;
-	}
-
-	/*
-	 * Change owner and mode of the tty as required.
-	 * Warn but continue if filesystem is read-only and the uids match/
-	 * tty is owned by root.
-	 */
-	if (stat(tty, &st))
-		fatal("stat(%.100s) failed: %.100s", tty,
-		    strerror(errno));
-
-#ifdef WITH_SELINUX
-	ssh_selinux_setup_pty(pw->pw_name, tty);
-#endif
-
-	if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
-		if (chown(tty, pw->pw_uid, gid) < 0) {
-			if (errno == EROFS &&
-			    (st.st_uid == pw->pw_uid || st.st_uid == 0))
-				debug("chown(%.100s, %u, %u) failed: %.100s",
-				    tty, (u_int)pw->pw_uid, (u_int)gid,
-				    strerror(errno));
-			else
-				fatal("chown(%.100s, %u, %u) failed: %.100s",
-				    tty, (u_int)pw->pw_uid, (u_int)gid,
-				    strerror(errno));
-		}
-	}
-
-	if ((st.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) != mode) {
-		if (chmod(tty, mode) < 0) {
-			if (errno == EROFS &&
-			    (st.st_mode & (S_IRGRP | S_IROTH)) == 0)
-				debug("chmod(%.100s, 0%o) failed: %.100s",
-				    tty, (u_int)mode, strerror(errno));
-			else
-				fatal("chmod(%.100s, 0%o) failed: %.100s",
-				    tty, (u_int)mode, strerror(errno));
-		}
-	}
-}
diff --git a/crypto/openssh/sshpty.h b/crypto/openssh/sshpty.h
deleted file mode 100644
index 7fac622..0000000
--- a/crypto/openssh/sshpty.h
+++ /dev/null
@@ -1,27 +0,0 @@
-/* $OpenBSD: sshpty.h,v 1.10 2006/08/03 03:34:42 deraadt Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Functions for allocating a pseudo-terminal and making it the controlling
- * tty.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include <termios.h>
-
-struct termios get_saved_tio(void);
-void	 leave_raw_mode(void);
-void	 enter_raw_mode(void);
-
-int	 pty_allocate(int *, int *, char *, size_t);
-void	 pty_release(const char *);
-void	 pty_make_controlling_tty(int *, const char *);
-void	 pty_change_window_size(int, u_int, u_int, u_int, u_int);
-void	 pty_setowner(struct passwd *, const char *);
diff --git a/crypto/openssh/sshtty.c b/crypto/openssh/sshtty.c
deleted file mode 100644
index 0456766..0000000
--- a/crypto/openssh/sshtty.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/* $OpenBSD: sshtty.c,v 1.12 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-/*
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
- * Copyright (c) 2001 Kevin Steves.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <stdio.h>
-#include <termios.h>
-#include <pwd.h>
-
-#include "sshpty.h"
-
-static struct termios _saved_tio;
-static int _in_raw_mode = 0;
-
-struct termios
-get_saved_tio(void)
-{
-	return _saved_tio;
-}
-
-void
-leave_raw_mode(void)
-{
-	if (!_in_raw_mode)
-		return;
-	if (tcsetattr(fileno(stdin), TCSADRAIN, &_saved_tio) == -1)
-		perror("tcsetattr");
-	else
-		_in_raw_mode = 0;
-}
-
-void
-enter_raw_mode(void)
-{
-	struct termios tio;
-
-	if (tcgetattr(fileno(stdin), &tio) == -1) {
-		perror("tcgetattr");
-		return;
-	}
-	_saved_tio = tio;
-	tio.c_iflag |= IGNPAR;
-	tio.c_iflag &= ~(ISTRIP | INLCR | IGNCR | ICRNL | IXON | IXANY | IXOFF);
-#ifdef IUCLC
-	tio.c_iflag &= ~IUCLC;
-#endif
-	tio.c_lflag &= ~(ISIG | ICANON | ECHO | ECHOE | ECHOK | ECHONL);
-#ifdef IEXTEN
-	tio.c_lflag &= ~IEXTEN;
-#endif
-	tio.c_oflag &= ~OPOST;
-	tio.c_cc[VMIN] = 1;
-	tio.c_cc[VTIME] = 0;
-	if (tcsetattr(fileno(stdin), TCSADRAIN, &tio) == -1)
-		perror("tcsetattr");
-	else
-		_in_raw_mode = 1;
-}
diff --git a/crypto/openssh/survey.sh.in b/crypto/openssh/survey.sh.in
deleted file mode 100644
index d6075a6..0000000
--- a/crypto/openssh/survey.sh.in
+++ /dev/null
@@ -1,69 +0,0 @@
-#!/bin/sh
-#
-# Copyright (c) 2004, 2005 Darren Tucker
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-host="@host@"
-AWK="@AWK@"
-CC="@CC@"
-CPP="@CPP@"
-CFLAGS="@CFLAGS@"
-CPPFLAGS="@CPPFLAGS@"
-LDFLAGS="@LDFLAGS@"
-LIBS="@LIBS@"
-
-# Note format:
-# identifier: [data] CRCR
-
-echo "openssh-survey-version: 1"
-echo
-echo "openssh-version: `./ssh -V 2>&1`"
-echo
-configinv=`$AWK '/^  \\\$.*configure/' config.log | sed 's/^  \\\$ //g'`
-echo "configure-invocation: $configinv"
-echo
-echo "host: $host"
-echo
-echo "uname: `uname`"
-echo
-echo "uname-r: `uname -r`"
-echo
-echo "uname-m: `uname -m`"
-echo
-echo "uname-p: `uname -p`"
-echo
-echo "oslevel: `oslevel 2>/dev/null`"
-echo
-echo "oslevel-r: `oslevel -r 2>/dev/null`"
-echo
-echo "cc: $CC"
-echo
-echo "cflags: $CFLAGS"
-echo
-echo "cppflags: $CPPFLAGS"
-echo
-echo "ldflags: $LDFLAGS"
-echo
-echo "libs: $LIBS"
-echo
-echo "ccver-v: `$CC -v 2>&1 | sed '/^[ \t]*$/d'`"
-echo
-echo "ccver-V: `$CC -V 2>&1 | sed '/^[ \t]*$/d'`"
-echo
-echo "cppdefines:"
-${CPP} -dM - </dev/null
-echo
-echo "config.h:"
-egrep '#define|#undef' config.h
-echo
diff --git a/crypto/openssh/ttymodes.c b/crypto/openssh/ttymodes.c
deleted file mode 100644
index d8e2c55..0000000
--- a/crypto/openssh/ttymodes.c
+++ /dev/null
@@ -1,495 +0,0 @@
-/* $OpenBSD: ttymodes.c,v 1.26 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-/*
- * SSH2 tty modes support by Kevin Steves.
- * Copyright (c) 2001 Kevin Steves.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Encoding and decoding of terminal modes in a portable way.
- * Much of the format is defined in ttymodes.h; it is included multiple times
- * into this file with the appropriate macro definitions to generate the
- * suitable code.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <errno.h>
-#include <string.h>
-#include <termios.h>
-#include <stdarg.h>
-
-#include "packet.h"
-#include "log.h"
-#include "ssh1.h"
-#include "compat.h"
-#include "buffer.h"
-
-#define TTY_OP_END		0
-/*
- * uint32 (u_int) follows speed in SSH1 and SSH2
- */
-#define TTY_OP_ISPEED_PROTO1	192
-#define TTY_OP_OSPEED_PROTO1	193
-#define TTY_OP_ISPEED_PROTO2	128
-#define TTY_OP_OSPEED_PROTO2	129
-
-/*
- * Converts POSIX speed_t to a baud rate.  The values of the
- * constants for speed_t are not themselves portable.
- */
-static int
-speed_to_baud(speed_t speed)
-{
-	switch (speed) {
-	case B0:
-		return 0;
-	case B50:
-		return 50;
-	case B75:
-		return 75;
-	case B110:
-		return 110;
-	case B134:
-		return 134;
-	case B150:
-		return 150;
-	case B200:
-		return 200;
-	case B300:
-		return 300;
-	case B600:
-		return 600;
-	case B1200:
-		return 1200;
-	case B1800:
-		return 1800;
-	case B2400:
-		return 2400;
-	case B4800:
-		return 4800;
-	case B9600:
-		return 9600;
-
-#ifdef B19200
-	case B19200:
-		return 19200;
-#else /* B19200 */
-#ifdef EXTA
-	case EXTA:
-		return 19200;
-#endif /* EXTA */
-#endif /* B19200 */
-
-#ifdef B38400
-	case B38400:
-		return 38400;
-#else /* B38400 */
-#ifdef EXTB
-	case EXTB:
-		return 38400;
-#endif /* EXTB */
-#endif /* B38400 */
-
-#ifdef B7200
-	case B7200:
-		return 7200;
-#endif /* B7200 */
-#ifdef B14400
-	case B14400:
-		return 14400;
-#endif /* B14400 */
-#ifdef B28800
-	case B28800:
-		return 28800;
-#endif /* B28800 */
-#ifdef B57600
-	case B57600:
-		return 57600;
-#endif /* B57600 */
-#ifdef B76800
-	case B76800:
-		return 76800;
-#endif /* B76800 */
-#ifdef B115200
-	case B115200:
-		return 115200;
-#endif /* B115200 */
-#ifdef B230400
-	case B230400:
-		return 230400;
-#endif /* B230400 */
-	default:
-		return 9600;
-	}
-}
-
-/*
- * Converts a numeric baud rate to a POSIX speed_t.
- */
-static speed_t
-baud_to_speed(int baud)
-{
-	switch (baud) {
-	case 0:
-		return B0;
-	case 50:
-		return B50;
-	case 75:
-		return B75;
-	case 110:
-		return B110;
-	case 134:
-		return B134;
-	case 150:
-		return B150;
-	case 200:
-		return B200;
-	case 300:
-		return B300;
-	case 600:
-		return B600;
-	case 1200:
-		return B1200;
-	case 1800:
-		return B1800;
-	case 2400:
-		return B2400;
-	case 4800:
-		return B4800;
-	case 9600:
-		return B9600;
-
-#ifdef B19200
-	case 19200:
-		return B19200;
-#else /* B19200 */
-#ifdef EXTA
-	case 19200:
-		return EXTA;
-#endif /* EXTA */
-#endif /* B19200 */
-
-#ifdef B38400
-	case 38400:
-		return B38400;
-#else /* B38400 */
-#ifdef EXTB
-	case 38400:
-		return EXTB;
-#endif /* EXTB */
-#endif /* B38400 */
-
-#ifdef B7200
-	case 7200:
-		return B7200;
-#endif /* B7200 */
-#ifdef B14400
-	case 14400:
-		return B14400;
-#endif /* B14400 */
-#ifdef B28800
-	case 28800:
-		return B28800;
-#endif /* B28800 */
-#ifdef B57600
-	case 57600:
-		return B57600;
-#endif /* B57600 */
-#ifdef B76800
-	case 76800:
-		return B76800;
-#endif /* B76800 */
-#ifdef B115200
-	case 115200:
-		return B115200;
-#endif /* B115200 */
-#ifdef B230400
-	case 230400:
-		return B230400;
-#endif /* B230400 */
-	default:
-		return B9600;
-	}
-}
-
-/*
- * Encode a special character into SSH line format.
- */
-static u_int
-special_char_encode(cc_t c)
-{
-#ifdef _POSIX_VDISABLE
-	if (c == _POSIX_VDISABLE)
-		return 255;
-#endif /* _POSIX_VDISABLE */
-	return c;
-}
-
-/*
- * Decode a special character from SSH line format.
- */
-static cc_t
-special_char_decode(u_int c)
-{
-#ifdef _POSIX_VDISABLE
-	if (c == 255)
-		return _POSIX_VDISABLE;
-#endif /* _POSIX_VDISABLE */
-	return c;
-}
-
-/*
- * Encodes terminal modes for the terminal referenced by fd
- * or tiop in a portable manner, and appends the modes to a packet
- * being constructed.
- */
-void
-tty_make_modes(int fd, struct termios *tiop)
-{
-	struct termios tio;
-	int baud;
-	Buffer buf;
-	int tty_op_ospeed, tty_op_ispeed;
-	void (*put_arg)(Buffer *, u_int);
-
-	buffer_init(&buf);
-	if (compat20) {
-		tty_op_ospeed = TTY_OP_OSPEED_PROTO2;
-		tty_op_ispeed = TTY_OP_ISPEED_PROTO2;
-		put_arg = buffer_put_int;
-	} else {
-		tty_op_ospeed = TTY_OP_OSPEED_PROTO1;
-		tty_op_ispeed = TTY_OP_ISPEED_PROTO1;
-		put_arg = (void (*)(Buffer *, u_int)) buffer_put_char;
-	}
-
-	if (tiop == NULL) {
-		if (tcgetattr(fd, &tio) == -1) {
-			logit("tcgetattr: %.100s", strerror(errno));
-			goto end;
-		}
-	} else
-		tio = *tiop;
-
-	/* Store input and output baud rates. */
-	baud = speed_to_baud(cfgetospeed(&tio));
-	debug3("tty_make_modes: ospeed %d", baud);
-	buffer_put_char(&buf, tty_op_ospeed);
-	buffer_put_int(&buf, baud);
-	baud = speed_to_baud(cfgetispeed(&tio));
-	debug3("tty_make_modes: ispeed %d", baud);
-	buffer_put_char(&buf, tty_op_ispeed);
-	buffer_put_int(&buf, baud);
-
-	/* Store values of mode flags. */
-#define TTYCHAR(NAME, OP) \
-	debug3("tty_make_modes: %d %d", OP, tio.c_cc[NAME]); \
-	buffer_put_char(&buf, OP); \
-	put_arg(&buf, special_char_encode(tio.c_cc[NAME]));
-
-#define TTYMODE(NAME, FIELD, OP) \
-	debug3("tty_make_modes: %d %d", OP, ((tio.FIELD & NAME) != 0)); \
-	buffer_put_char(&buf, OP); \
-	put_arg(&buf, ((tio.FIELD & NAME) != 0));
-
-#include "ttymodes.h"
-
-#undef TTYCHAR
-#undef TTYMODE
-
-end:
-	/* Mark end of mode data. */
-	buffer_put_char(&buf, TTY_OP_END);
-	if (compat20)
-		packet_put_string(buffer_ptr(&buf), buffer_len(&buf));
-	else
-		packet_put_raw(buffer_ptr(&buf), buffer_len(&buf));
-	buffer_free(&buf);
-}
-
-/*
- * Decodes terminal modes for the terminal referenced by fd in a portable
- * manner from a packet being read.
- */
-void
-tty_parse_modes(int fd, int *n_bytes_ptr)
-{
-	struct termios tio;
-	int opcode, baud;
-	int n_bytes = 0;
-	int failure = 0;
-	u_int (*get_arg)(void);
-	int arg, arg_size;
-
-	if (compat20) {
-		*n_bytes_ptr = packet_get_int();
-		debug3("tty_parse_modes: SSH2 n_bytes %d", *n_bytes_ptr);
-		if (*n_bytes_ptr == 0)
-			return;
-		get_arg = packet_get_int;
-		arg_size = 4;
-	} else {
-		get_arg = packet_get_char;
-		arg_size = 1;
-	}
-
-	/*
-	 * Get old attributes for the terminal.  We will modify these
-	 * flags. I am hoping that if there are any machine-specific
-	 * modes, they will initially have reasonable values.
-	 */
-	if (tcgetattr(fd, &tio) == -1) {
-		logit("tcgetattr: %.100s", strerror(errno));
-		failure = -1;
-	}
-
-	for (;;) {
-		n_bytes += 1;
-		opcode = packet_get_char();
-		switch (opcode) {
-		case TTY_OP_END:
-			goto set;
-
-		/* XXX: future conflict possible */
-		case TTY_OP_ISPEED_PROTO1:
-		case TTY_OP_ISPEED_PROTO2:
-			n_bytes += 4;
-			baud = packet_get_int();
-			debug3("tty_parse_modes: ispeed %d", baud);
-			if (failure != -1 &&
-			    cfsetispeed(&tio, baud_to_speed(baud)) == -1)
-				error("cfsetispeed failed for %d", baud);
-			break;
-
-		/* XXX: future conflict possible */
-		case TTY_OP_OSPEED_PROTO1:
-		case TTY_OP_OSPEED_PROTO2:
-			n_bytes += 4;
-			baud = packet_get_int();
-			debug3("tty_parse_modes: ospeed %d", baud);
-			if (failure != -1 &&
-			    cfsetospeed(&tio, baud_to_speed(baud)) == -1)
-				error("cfsetospeed failed for %d", baud);
-			break;
-
-#define TTYCHAR(NAME, OP) \
-	case OP: \
-	  n_bytes += arg_size; \
-	  tio.c_cc[NAME] = special_char_decode(get_arg()); \
-	  debug3("tty_parse_modes: %d %d", OP, tio.c_cc[NAME]); \
-	  break;
-#define TTYMODE(NAME, FIELD, OP) \
-	case OP: \
-	  n_bytes += arg_size; \
-	  if ((arg = get_arg())) \
-	    tio.FIELD |= NAME; \
-	  else \
-	    tio.FIELD &= ~NAME;	\
-	  debug3("tty_parse_modes: %d %d", OP, arg); \
-	  break;
-
-#include "ttymodes.h"
-
-#undef TTYCHAR
-#undef TTYMODE
-
-		default:
-			debug("Ignoring unsupported tty mode opcode %d (0x%x)",
-			    opcode, opcode);
-			if (!compat20) {
-				/*
-				 * SSH1:
-				 * Opcodes 1 to 127 are defined to have
-				 * a one-byte argument.
-				 * Opcodes 128 to 159 are defined to have
-				 * an integer argument.
-				 */
-				if (opcode > 0 && opcode < 128) {
-					n_bytes += 1;
-					(void) packet_get_char();
-					break;
-				} else if (opcode >= 128 && opcode < 160) {
-					n_bytes += 4;
-					(void) packet_get_int();
-					break;
-				} else {
-					/*
-					 * It is a truly undefined opcode (160 to 255).
-					 * We have no idea about its arguments.  So we
-					 * must stop parsing.  Note that some data
-					 * may be left in the packet; hopefully there
-					 * is nothing more coming after the mode data.
-					 */
-					logit("parse_tty_modes: unknown opcode %d",
-					    opcode);
-					goto set;
-				}
-			} else {
-				/*
-				 * SSH2:
-				 * Opcodes 1 to 159 are defined to have
-				 * a uint32 argument.
-				 * Opcodes 160 to 255 are undefined and
-				 * cause parsing to stop.
-				 */
-				if (opcode > 0 && opcode < 160) {
-					n_bytes += 4;
-					(void) packet_get_int();
-					break;
-				} else {
-					logit("parse_tty_modes: unknown opcode %d",
-					    opcode);
-					goto set;
-				}
-			}
-		}
-	}
-
-set:
-	if (*n_bytes_ptr != n_bytes) {
-		*n_bytes_ptr = n_bytes;
-		logit("parse_tty_modes: n_bytes_ptr != n_bytes: %d %d",
-		    *n_bytes_ptr, n_bytes);
-		return;		/* Don't process bytes passed */
-	}
-	if (failure == -1)
-		return;		/* Packet parsed ok but tcgetattr() failed */
-
-	/* Set the new modes for the terminal. */
-	if (tcsetattr(fd, TCSANOW, &tio) == -1)
-		logit("Setting tty modes failed: %.100s", strerror(errno));
-}
diff --git a/crypto/openssh/ttymodes.h b/crypto/openssh/ttymodes.h
deleted file mode 100644
index 4d848fe..0000000
--- a/crypto/openssh/ttymodes.h
+++ /dev/null
@@ -1,175 +0,0 @@
-/* $OpenBSD: ttymodes.h,v 1.14 2006/03/25 22:22:43 djm Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-/*
- * SSH2 tty modes support by Kevin Steves.
- * Copyright (c) 2001 Kevin Steves.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * SSH1:
- * The tty mode description is a stream of bytes.  The stream consists of
- * opcode-arguments pairs.  It is terminated by opcode TTY_OP_END (0).
- * Opcodes 1-127 have one-byte arguments.  Opcodes 128-159 have integer
- * arguments.  Opcodes 160-255 are not yet defined, and cause parsing to
- * stop (they should only be used after any other data).
- *
- * SSH2:
- * Differences between SSH1 and SSH2 terminal mode encoding include:
- * 1. Encoded terminal modes are represented as a string, and a stream
- *    of bytes within that string.
- * 2. Opcode arguments are uint32 (1-159); 160-255 remain undefined.
- * 3. The values for TTY_OP_ISPEED and TTY_OP_OSPEED are different;
- *    128 and 129 vs. 192 and 193 respectively.
- *
- * The client puts in the stream any modes it knows about, and the
- * server ignores any modes it does not know about.  This allows some degree
- * of machine-independence, at least between systems that use a posix-like
- * tty interface.  The protocol can support other systems as well, but might
- * require reimplementing as mode names would likely be different.
- */
-
-/*
- * Some constants and prototypes are defined in packet.h; this file
- * is only intended for including from ttymodes.c.
- */
-
-/* termios macro */
-/* name, op */
-TTYCHAR(VINTR, 1)
-TTYCHAR(VQUIT, 2)
-TTYCHAR(VERASE, 3)
-#if defined(VKILL)
-TTYCHAR(VKILL, 4)
-#endif /* VKILL */
-TTYCHAR(VEOF, 5)
-#if defined(VEOL)
-TTYCHAR(VEOL, 6)
-#endif /* VEOL */
-#ifdef VEOL2
-TTYCHAR(VEOL2, 7)
-#endif /* VEOL2 */
-TTYCHAR(VSTART, 8)
-TTYCHAR(VSTOP, 9)
-#if defined(VSUSP)
-TTYCHAR(VSUSP, 10)
-#endif /* VSUSP */
-#if defined(VDSUSP)
-TTYCHAR(VDSUSP, 11)
-#endif /* VDSUSP */
-#if defined(VREPRINT)
-TTYCHAR(VREPRINT, 12)
-#endif /* VREPRINT */
-#if defined(VWERASE)
-TTYCHAR(VWERASE, 13)
-#endif /* VWERASE */
-#if defined(VLNEXT)
-TTYCHAR(VLNEXT, 14)
-#endif /* VLNEXT */
-#if defined(VFLUSH)
-TTYCHAR(VFLUSH, 15)
-#endif /* VFLUSH */
-#ifdef VSWTCH
-TTYCHAR(VSWTCH, 16)
-#endif /* VSWTCH */
-#if defined(VSTATUS)
-TTYCHAR(VSTATUS, 17)
-#endif /* VSTATUS */
-#ifdef VDISCARD
-TTYCHAR(VDISCARD, 18)
-#endif /* VDISCARD */
-
-/* name, field, op */
-TTYMODE(IGNPAR,	c_iflag, 30)
-TTYMODE(PARMRK,	c_iflag, 31)
-TTYMODE(INPCK,	c_iflag, 32)
-TTYMODE(ISTRIP,	c_iflag, 33)
-TTYMODE(INLCR,	c_iflag, 34)
-TTYMODE(IGNCR,	c_iflag, 35)
-TTYMODE(ICRNL,	c_iflag, 36)
-#if defined(IUCLC)
-TTYMODE(IUCLC,	c_iflag, 37)
-#endif
-TTYMODE(IXON,	c_iflag, 38)
-TTYMODE(IXANY,	c_iflag, 39)
-TTYMODE(IXOFF,	c_iflag, 40)
-#ifdef IMAXBEL
-TTYMODE(IMAXBEL,c_iflag, 41)
-#endif /* IMAXBEL */
-
-TTYMODE(ISIG,	c_lflag, 50)
-TTYMODE(ICANON,	c_lflag, 51)
-#ifdef XCASE
-TTYMODE(XCASE,	c_lflag, 52)
-#endif
-TTYMODE(ECHO,	c_lflag, 53)
-TTYMODE(ECHOE,	c_lflag, 54)
-TTYMODE(ECHOK,	c_lflag, 55)
-TTYMODE(ECHONL,	c_lflag, 56)
-TTYMODE(NOFLSH,	c_lflag, 57)
-TTYMODE(TOSTOP,	c_lflag, 58)
-#ifdef IEXTEN
-TTYMODE(IEXTEN, c_lflag, 59)
-#endif /* IEXTEN */
-#if defined(ECHOCTL)
-TTYMODE(ECHOCTL,c_lflag, 60)
-#endif /* ECHOCTL */
-#ifdef ECHOKE
-TTYMODE(ECHOKE,	c_lflag, 61)
-#endif /* ECHOKE */
-#if defined(PENDIN)
-TTYMODE(PENDIN,	c_lflag, 62)
-#endif /* PENDIN */
-
-TTYMODE(OPOST,	c_oflag, 70)
-#if defined(OLCUC)
-TTYMODE(OLCUC,	c_oflag, 71)
-#endif
-#ifdef ONLCR
-TTYMODE(ONLCR,	c_oflag, 72)
-#endif
-#ifdef OCRNL
-TTYMODE(OCRNL,	c_oflag, 73)
-#endif
-#ifdef ONOCR
-TTYMODE(ONOCR,	c_oflag, 74)
-#endif
-#ifdef ONLRET
-TTYMODE(ONLRET,	c_oflag, 75)
-#endif
-
-TTYMODE(CS7,	c_cflag, 90)
-TTYMODE(CS8,	c_cflag, 91)
-TTYMODE(PARENB,	c_cflag, 92)
-TTYMODE(PARODD,	c_cflag, 93)
diff --git a/crypto/openssh/uidswap.c b/crypto/openssh/uidswap.c
deleted file mode 100644
index 91d878c..0000000
--- a/crypto/openssh/uidswap.c
+++ /dev/null
@@ -1,278 +0,0 @@
-/* $OpenBSD: uidswap.c,v 1.35 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Code for uid-swapping.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include "includes.h"
-
-#include <sys/param.h>
-#include <errno.h>
-#include <pwd.h>
-#include <string.h>
-#include <unistd.h>
-#include <stdarg.h>
-
-#include <grp.h>
-
-#include "log.h"
-#include "uidswap.h"
-#include "xmalloc.h"
-
-/*
- * Note: all these functions must work in all of the following cases:
- *    1. euid=0, ruid=0
- *    2. euid=0, ruid!=0
- *    3. euid!=0, ruid!=0
- * Additionally, they must work regardless of whether the system has
- * POSIX saved uids or not.
- */
-
-#if defined(_POSIX_SAVED_IDS) && !defined(BROKEN_SAVED_UIDS)
-/* Lets assume that posix saved ids also work with seteuid, even though that
-   is not part of the posix specification. */
-#define SAVED_IDS_WORK_WITH_SETEUID
-/* Saved effective uid. */
-static uid_t 	saved_euid = 0;
-static gid_t	saved_egid = 0;
-#endif
-
-/* Saved effective uid. */
-static int	privileged = 0;
-static int	temporarily_use_uid_effective = 0;
-static gid_t	*saved_egroups = NULL, *user_groups = NULL;
-static int	saved_egroupslen = -1, user_groupslen = -1;
-
-/*
- * Temporarily changes to the given uid.  If the effective user
- * id is not root, this does nothing.  This call cannot be nested.
- */
-void
-temporarily_use_uid(struct passwd *pw)
-{
-	/* Save the current euid, and egroups. */
-#ifdef SAVED_IDS_WORK_WITH_SETEUID
-	saved_euid = geteuid();
-	saved_egid = getegid();
-	debug("temporarily_use_uid: %u/%u (e=%u/%u)",
-	    (u_int)pw->pw_uid, (u_int)pw->pw_gid,
-	    (u_int)saved_euid, (u_int)saved_egid);
-#ifndef HAVE_CYGWIN
-	if (saved_euid != 0) {
-		privileged = 0;
-		return;
-	}
-#endif
-#else
-	if (geteuid() != 0) {
-		privileged = 0;
-		return;
-	}
-#endif /* SAVED_IDS_WORK_WITH_SETEUID */
-
-	privileged = 1;
-	temporarily_use_uid_effective = 1;
-
-	saved_egroupslen = getgroups(0, NULL);
-	if (saved_egroupslen < 0)
-		fatal("getgroups: %.100s", strerror(errno));
-	if (saved_egroupslen > 0) {
-		saved_egroups = xrealloc(saved_egroups,
-		    saved_egroupslen, sizeof(gid_t));
-		if (getgroups(saved_egroupslen, saved_egroups) < 0)
-			fatal("getgroups: %.100s", strerror(errno));
-	} else { /* saved_egroupslen == 0 */
-		if (saved_egroups != NULL)
-			xfree(saved_egroups);
-	}
-
-	/* set and save the user's groups */
-	if (user_groupslen == -1) {
-		if (initgroups(pw->pw_name, pw->pw_gid) < 0)
-			fatal("initgroups: %s: %.100s", pw->pw_name,
-			    strerror(errno));
-
-		user_groupslen = getgroups(0, NULL);
-		if (user_groupslen < 0)
-			fatal("getgroups: %.100s", strerror(errno));
-		if (user_groupslen > 0) {
-			user_groups = xrealloc(user_groups,
-			    user_groupslen, sizeof(gid_t));
-			if (getgroups(user_groupslen, user_groups) < 0)
-				fatal("getgroups: %.100s", strerror(errno));
-		} else { /* user_groupslen == 0 */
-			if (user_groups)
-				xfree(user_groups);
-		}
-	}
-	/* Set the effective uid to the given (unprivileged) uid. */
-	if (setgroups(user_groupslen, user_groups) < 0)
-		fatal("setgroups: %.100s", strerror(errno));
-#ifndef SAVED_IDS_WORK_WITH_SETEUID
-	/* Propagate the privileged gid to all of our gids. */
-	if (setgid(getegid()) < 0)
-		debug("setgid %u: %.100s", (u_int) getegid(), strerror(errno));
-	/* Propagate the privileged uid to all of our uids. */
-	if (setuid(geteuid()) < 0)
-		debug("setuid %u: %.100s", (u_int) geteuid(), strerror(errno));
-#endif /* SAVED_IDS_WORK_WITH_SETEUID */
-	if (setegid(pw->pw_gid) < 0)
-		fatal("setegid %u: %.100s", (u_int)pw->pw_gid,
-		    strerror(errno));
-	if (seteuid(pw->pw_uid) == -1)
-		fatal("seteuid %u: %.100s", (u_int)pw->pw_uid,
-		    strerror(errno));
-}
-
-void
-permanently_drop_suid(uid_t uid)
-{
-	uid_t old_uid = getuid();
-
-	debug("permanently_drop_suid: %u", (u_int)uid);
-#if defined(HAVE_SETRESUID) && !defined(BROKEN_SETRESUID)
-	if (setresuid(uid, uid, uid) < 0)
-		fatal("setresuid %u: %.100s", (u_int)uid, strerror(errno));
-#elif defined(HAVE_SETREUID) && !defined(BROKEN_SETREUID)
-	if (setreuid(uid, uid) < 0)
-		fatal("setreuid %u: %.100s", (u_int)uid, strerror(errno));
-#else
-# ifndef SETEUID_BREAKS_SETUID
-	if (seteuid(uid) < 0)
-		fatal("seteuid %u: %.100s", (u_int)uid, strerror(errno));
-# endif
-	if (setuid(uid) < 0)
-		fatal("setuid %u: %.100s", (u_int)uid, strerror(errno));
-#endif
-
-#ifndef HAVE_CYGWIN
-	/* Try restoration of UID if changed (test clearing of saved uid) */
-	if (old_uid != uid &&
-	    (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
-		fatal("%s: was able to restore old [e]uid", __func__);
-#endif
-
-	/* Verify UID drop was successful */
-	if (getuid() != uid || geteuid() != uid) {
-		fatal("%s: euid incorrect uid:%u euid:%u (should be %u)",
-		    __func__, (u_int)getuid(), (u_int)geteuid(), (u_int)uid);
-	}
-}
-
-/*
- * Restores to the original (privileged) uid.
- */
-void
-restore_uid(void)
-{
-	/* it's a no-op unless privileged */
-	if (!privileged) {
-		debug("restore_uid: (unprivileged)");
-		return;
-	}
-	if (!temporarily_use_uid_effective)
-		fatal("restore_uid: temporarily_use_uid not effective");
-
-#ifdef SAVED_IDS_WORK_WITH_SETEUID
-	debug("restore_uid: %u/%u", (u_int)saved_euid, (u_int)saved_egid);
-	/* Set the effective uid back to the saved privileged uid. */
-	if (seteuid(saved_euid) < 0)
-		fatal("seteuid %u: %.100s", (u_int)saved_euid, strerror(errno));
-	if (setegid(saved_egid) < 0)
-		fatal("setegid %u: %.100s", (u_int)saved_egid, strerror(errno));
-#else /* SAVED_IDS_WORK_WITH_SETEUID */
-	/*
-	 * We are unable to restore the real uid to its unprivileged value.
-	 * Propagate the real uid (usually more privileged) to effective uid
-	 * as well.
-	 */
-	setuid(getuid());
-	setgid(getgid());
-#endif /* SAVED_IDS_WORK_WITH_SETEUID */
-
-	if (setgroups(saved_egroupslen, saved_egroups) < 0)
-		fatal("setgroups: %.100s", strerror(errno));
-	temporarily_use_uid_effective = 0;
-}
-
-/*
- * Permanently sets all uids to the given uid.  This cannot be
- * called while temporarily_use_uid is effective.
- */
-void
-permanently_set_uid(struct passwd *pw)
-{
-	uid_t old_uid = getuid();
-	gid_t old_gid = getgid();
-
-	if (pw == NULL)
-		fatal("permanently_set_uid: no user given");
-	if (temporarily_use_uid_effective)
-		fatal("permanently_set_uid: temporarily_use_uid effective");
-	debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid,
-	    (u_int)pw->pw_gid);
-
-#if defined(HAVE_SETRESGID) && !defined(BROKEN_SETRESGID)
-	if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0)
-		fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
-#elif defined(HAVE_SETREGID) && !defined(BROKEN_SETREGID)
-	if (setregid(pw->pw_gid, pw->pw_gid) < 0)
-		fatal("setregid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
-#else
-	if (setegid(pw->pw_gid) < 0)
-		fatal("setegid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
-	if (setgid(pw->pw_gid) < 0)
-		fatal("setgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
-#endif
-
-#if defined(HAVE_SETRESUID) && !defined(BROKEN_SETRESUID)
-	if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) < 0)
-		fatal("setresuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
-#elif defined(HAVE_SETREUID) && !defined(BROKEN_SETREUID)
-	if (setreuid(pw->pw_uid, pw->pw_uid) < 0)
-		fatal("setreuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
-#else
-# ifndef SETEUID_BREAKS_SETUID
-	if (seteuid(pw->pw_uid) < 0)
-		fatal("seteuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
-# endif
-	if (setuid(pw->pw_uid) < 0)
-		fatal("setuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
-#endif
-
-#ifndef HAVE_CYGWIN
-	/* Try restoration of GID if changed (test clearing of saved gid) */
-	if (old_gid != pw->pw_gid && pw->pw_uid != 0 &&
-	    (setgid(old_gid) != -1 || setegid(old_gid) != -1))
-		fatal("%s: was able to restore old [e]gid", __func__);
-#endif
-
-	/* Verify GID drop was successful */
-	if (getgid() != pw->pw_gid || getegid() != pw->pw_gid) {
-		fatal("%s: egid incorrect gid:%u egid:%u (should be %u)",
-		    __func__, (u_int)getgid(), (u_int)getegid(),
-		    (u_int)pw->pw_gid);
-	}
-
-#ifndef HAVE_CYGWIN
-	/* Try restoration of UID if changed (test clearing of saved uid) */
-	if (old_uid != pw->pw_uid &&
-	    (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
-		fatal("%s: was able to restore old [e]uid", __func__);
-#endif
-
-	/* Verify UID drop was successful */
-	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) {
-		fatal("%s: euid incorrect uid:%u euid:%u (should be %u)",
-		    __func__, (u_int)getuid(), (u_int)geteuid(),
-		    (u_int)pw->pw_uid);
-	}
-}
diff --git a/crypto/openssh/uidswap.h b/crypto/openssh/uidswap.h
deleted file mode 100644
index 1c1163d..0000000
--- a/crypto/openssh/uidswap.h
+++ /dev/null
@@ -1,18 +0,0 @@
-/* $OpenBSD: uidswap.h,v 1.13 2006/08/03 03:34:42 deraadt Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-void	 temporarily_use_uid(struct passwd *);
-void	 restore_uid(void);
-void	 permanently_set_uid(struct passwd *);
-void	 permanently_drop_suid(uid_t);
diff --git a/crypto/openssh/util.c b/crypto/openssh/util.c
deleted file mode 100644
index 1a591a6..0000000
--- a/crypto/openssh/util.c
+++ /dev/null
@@ -1,96 +0,0 @@
-/*	$OpenBSD: util.c,v 1.6 2000/10/27 07:32:19 markus Exp $	*/
-
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: util.c,v 1.6 2000/10/27 07:32:19 markus Exp $");
-
-#include "ssh.h"
-
-char *
-chop(char *s)
-{
-	char *t = s;
-	while (*t) {
-		if(*t == '\n' || *t == '\r') {
-			*t = '\0';
-			return s;
-		}
-		t++;
-	}
-	return s;
-
-}
-
-void
-set_nonblock(int fd)
-{
-	int val;
-	val = fcntl(fd, F_GETFL, 0);
-	if (val < 0) {
-		error("fcntl(%d, F_GETFL, 0): %s", fd, strerror(errno));
-		return;
-	}
-	if (val & O_NONBLOCK) {
-		debug("fd %d IS O_NONBLOCK", fd);
-		return;
-	}
-	debug("fd %d setting O_NONBLOCK", fd);
-	val |= O_NONBLOCK;
-	if (fcntl(fd, F_SETFL, val) == -1)
-		if (errno != ENODEV)
-			error("fcntl(%d, F_SETFL, O_NONBLOCK): %s",
-			    fd, strerror(errno));
-}
-
-/* Characters considered whitespace in strsep calls. */
-#define WHITESPACE " \t\r\n"
-
-char *
-strdelim(char **s)
-{
-	char *old;
-	int wspace = 0;
-
-	if (*s == NULL)
-		return NULL;
-
-	old = *s;
-
-	*s = strpbrk(*s, WHITESPACE "=");
-	if (*s == NULL)
-		return (old);
-
-	/* Allow only one '=' to be skipped */
-	if (*s[0] == '=')
-		wspace = 1;
-	*s[0] = '\0';
-
-	*s += strspn(*s + 1, WHITESPACE) + 1;
-	if (*s[0] == '=' && !wspace)
-		*s += strspn(*s + 1, WHITESPACE) + 1;
-
-	return (old);
-}
diff --git a/crypto/openssh/uuencode.c b/crypto/openssh/uuencode.c
deleted file mode 100644
index a139495..0000000
--- a/crypto/openssh/uuencode.c
+++ /dev/null
@@ -1,83 +0,0 @@
-/* $OpenBSD: uuencode.c,v 1.24 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <resolv.h>
-#include <stdio.h>
-
-#include "xmalloc.h"
-#include "uuencode.h"
-
-int
-uuencode(const u_char *src, u_int srclength,
-    char *target, size_t targsize)
-{
-	return __b64_ntop(src, srclength, target, targsize);
-}
-
-int
-uudecode(const char *src, u_char *target, size_t targsize)
-{
-	int len;
-	char *encoded, *p;
-
-	/* copy the 'readonly' source */
-	encoded = xstrdup(src);
-	/* skip whitespace and data */
-	for (p = encoded; *p == ' ' || *p == '\t'; p++)
-		;
-	for (; *p != '\0' && *p != ' ' && *p != '\t'; p++)
-		;
-	/* and remove trailing whitespace because __b64_pton needs this */
-	*p = '\0';
-	len = __b64_pton(encoded, target, targsize);
-	xfree(encoded);
-	return len;
-}
-
-void
-dump_base64(FILE *fp, u_char *data, u_int len)
-{
-	char *buf;
-	int i, n;
-
-	if (len > 65536) {
-		fprintf(fp, "dump_base64: len > 65536\n");
-		return;
-	}
-	buf = xmalloc(2*len);
-	n = uuencode(data, len, buf, 2*len);
-	for (i = 0; i < n; i++) {
-		fprintf(fp, "%c", buf[i]);
-		if (i % 70 == 69)
-			fprintf(fp, "\n");
-	}
-	if (i % 70 != 69)
-		fprintf(fp, "\n");
-	xfree(buf);
-}
diff --git a/crypto/openssh/uuencode.h b/crypto/openssh/uuencode.h
deleted file mode 100644
index fec55b4..0000000
--- a/crypto/openssh/uuencode.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/* $OpenBSD: uuencode.h,v 1.13 2006/08/03 03:34:42 deraadt Exp $ */
-
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-int	 uuencode(const u_char *, u_int, char *, size_t);
-int	 uudecode(const char *, u_char *, size_t);
-void	 dump_base64(FILE *, u_char *, u_int);
diff --git a/crypto/openssh/version.h b/crypto/openssh/version.h
deleted file mode 100644
index d16990a..0000000
--- a/crypto/openssh/version.h
+++ /dev/null
@@ -1,6 +0,0 @@
-/* $OpenBSD: version.h,v 1.48 2006/11/07 10:31:31 markus Exp $ */
-
-#define SSH_VERSION	"OpenSSH_4.5"
-
-#define SSH_PORTABLE	"p1"
-#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
diff --git a/crypto/openssh/xmalloc.c b/crypto/openssh/xmalloc.c
deleted file mode 100644
index 9985b4c..0000000
--- a/crypto/openssh/xmalloc.c
+++ /dev/null
@@ -1,110 +0,0 @@
-/* $OpenBSD: xmalloc.c,v 1.27 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Versions of malloc and friends that check their results, and never return
- * failure (they call fatal if they encounter an error).
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include "includes.h"
-
-#include <sys/param.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "xmalloc.h"
-#include "log.h"
-
-void *
-xmalloc(size_t size)
-{
-	void *ptr;
-
-	if (size == 0)
-		fatal("xmalloc: zero size");
-	ptr = malloc(size);
-	if (ptr == NULL)
-		fatal("xmalloc: out of memory (allocating %lu bytes)", (u_long) size);
-	return ptr;
-}
-
-void *
-xcalloc(size_t nmemb, size_t size)
-{
-	void *ptr;
-
-	if (size == 0 || nmemb == 0)
-		fatal("xcalloc: zero size");
-	if (SIZE_T_MAX / nmemb < size)
-		fatal("xcalloc: nmemb * size > SIZE_T_MAX");
-	ptr = calloc(nmemb, size);
-	if (ptr == NULL)
-		fatal("xcalloc: out of memory (allocating %lu bytes)",
-		    (u_long)(size * nmemb));
-	return ptr;
-}
-
-void *
-xrealloc(void *ptr, size_t nmemb, size_t size)
-{
-	void *new_ptr;
-	size_t new_size = nmemb * size;
-
-	if (new_size == 0)
-		fatal("xrealloc: zero size");
-	if (SIZE_T_MAX / nmemb < size)
-		fatal("xrealloc: nmemb * size > SIZE_T_MAX");
-	if (ptr == NULL)
-		new_ptr = malloc(new_size);
-	else
-		new_ptr = realloc(ptr, new_size);
-	if (new_ptr == NULL)
-		fatal("xrealloc: out of memory (new_size %lu bytes)",
-		    (u_long) new_size);
-	return new_ptr;
-}
-
-void
-xfree(void *ptr)
-{
-	if (ptr == NULL)
-		fatal("xfree: NULL pointer given as argument");
-	free(ptr);
-}
-
-char *
-xstrdup(const char *str)
-{
-	size_t len;
-	char *cp;
-
-	len = strlen(str) + 1;
-	cp = xmalloc(len);
-	strlcpy(cp, str, len);
-	return cp;
-}
-
-int
-xasprintf(char **ret, const char *fmt, ...)
-{
-	va_list ap;
-	int i;
-
-	va_start(ap, fmt);
-	i = vasprintf(ret, fmt, ap);
-	va_end(ap);
-
-	if (i < 0 || *ret == NULL)
-		fatal("xasprintf: could not allocate memory");
-
-	return (i);
-}
diff --git a/crypto/openssh/xmalloc.h b/crypto/openssh/xmalloc.h
deleted file mode 100644
index fb217a4..0000000
--- a/crypto/openssh/xmalloc.h
+++ /dev/null
@@ -1,26 +0,0 @@
-/* $OpenBSD: xmalloc.h,v 1.13 2006/08/03 03:34:42 deraadt Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Created: Mon Mar 20 22:09:17 1995 ylo
- *
- * Versions of malloc and friends that check their results, and never return
- * failure (they call fatal if they encounter an error).
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-void	*xmalloc(size_t);
-void	*xcalloc(size_t, size_t);
-void	*xrealloc(void *, size_t, size_t);
-void     xfree(void *);
-char	*xstrdup(const char *);
-int	 xasprintf(char **, const char *, ...)
-                __attribute__((__format__ (printf, 2, 3)))
-                __attribute__((__nonnull__ (2)));